Archive for the ‘Tactics’ Category
Spies Using Social Media? No. Way. *Eyeroll*
THIS rather breathlessly hyperbolic report on JTRIG using social media and hacking to spy on, or manipulate people, governments, and movements as well as gather INTEL on them had me eyerolling. Yes, this is new in that social media is new as is the Internet and hacking but really, the techniques of manipulating populaces for political and espionage advantage are nothing new. The spy agencies out in the world perform these PSYOPS and disinformation operations all the time and in the olden days kids they used to manipulate the press, then TV and the press, then INFOTAINMENT. There is nothing new here…
What you all have to realize is that now YOU are more easily hackable, your information more able to be stolen or accessed by writ of law, or YOU give it away by using applications that have been expressly created to give the agencies access to you as in this URL shortener that GCHQ used on the protesters in the Arab Spring. You all have to realize that unless you are code auditing everything you use on the net, then you too could easily fall prey to information leakage or outright compromise if you are a target of the “community” at large.
I would also like you all to take note that those who may support Wikileaks, or be a member of say Anonymous also were targeted and used in this operation by GCHQ as well so if you are an Anon, you too have been targeted rather directly (like the citation of Topiary’s conversations) so you too are not safe even if you are trying to use good OPSEC, which, it turned out, and I have written about in the past, you were not. Oddly enough though, the Snowden leaks on JTRIG also show how the same issues are at play for those operators within NSA/GCHQ as well. Trying to keep sock accounts straight, know the language and the patter, as well as the political issues is problematic when you are doing things on a larger scale (trust me I know) so at least you have that going for you right?
Heh.
Wake up people.
OPSEC… Live it.
Dr. K.
Sun Tzu and The Art of Cyber-War
A mgbkf zugx sbw nrkl wqvrkvuj!
Sun Tzu and The Art of Cyber-War
A while back I decided to throw my hat in the ring for RSAC and Shmoo. I made neither’s list of presentations but I thought this still was worth putting out there for people to see. I had been talking with Jericho and Josh Corman about cyber war because of their presentation at Brucon and this idea popped up in my head because Jericho had pointed out too many people cite Sun Tzu poorly in these types of presentations. Well Jericho is right and often times not many of the tenets of Sun Tzu make it into the presentations. On average you will see maybe one or two and that’s it but The Art of War has many other chapters and quotes that map to general warfare and that includes Cyber-War (so called) Generally however the overall tactics put forth by the Art of War are applicable because this is warfare we are talking about no matter the landscape (electronic) that we are fighting it in. You still have adversaries looking to defeat one another using guile and force today just as in the day of Sun Tzu. The real issue comes down to reading between the lines of the old text and applying the ideas to the modern landscape of the electron, the malware, and the phishing attack.
All of these efforts though will lead to the age old means of kinetic warfare and this is what people seem to not understand so well today. War is war and eventually its all going to be about the guns and bombs and not so much just about the data being stolen or messed with. We have a problem today in the semantic of war in the digital age that needs to be cleared up for the general populace. I hope that this tutorial will not only be historical but also give the reader the tools needed to understand that cyber-war is not the end all be all, it is in fact just a precursor to the type of war that has been waged since man could pick up a rock and throw it.
China, Sun Tzu, & APT
On another level though, I find it amazing that more people have not had the light bulb go on about our situation today with regard to Chinese hacking and espionage. What we have seen is not cyber-war yet but the prelude, the reconnaissance to carry out war and that is all. The Chinese (and others) have begun mapping our networks, prodding our defenses, and assessing our overall readiness by using digital attacks on private and governmental networks and systems. Think of it all as spying and not just one for war footing alone. There is of course the industrial espionage as well but in the case of China in particular they are all means to an end. The “Thousand Grains of Sand” approach is doctrine in China as is the mindset they have always had having had masters like Sun Tzu as their teachers. Look at this slide deck and then take a step back and look at the APT-1 report as well as others. Note that the Chinese military is the state and that the PLA is just an arm of the military unlike in the US where the military is a little more separated and at the behest of POTUS.
Sun Tzu said it best in The Art of War;
“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
It’s time to be more introspective about ourselves as well as the adversary and Sun Tzu is a good way to get there.
K.
OpCARTEL: Kids, Trust Me… YOU ARE NOT Up To This Operation
Killing Pablo:
Ok kids, before you were old enough to understand, there was a guy named Pablo Escobar. He was a bad guy who pretty much single handedly provided the US with cocaine that powered the 80’s debauchery. Pablo was the progenitor of the Zeta model of narco-trafficking that you guys are claiming to have data on and want to tangle with. Let me tell you now in no uncertain terms how I feel about #OpCartel…
YOU ARE NOT READY
Plain and simple, these guys are not just some namby pamby government following laws who will try to arrest you. No, these guys will hire blackhats of their own, find you, and KILL you in the most horrific ways. Need I remind you of the bloggers who got whacked recently? I don’t think you all want to be the next to be swinging under an overpass with a Mexican Necktie do you?
It took major government and military operations to kill Pablo and his cartel. You guys dropping information on the low end mules and lackeys will do nothing but interrupt operations currently ongoing as well as put yourselves into the cross-hairs of the Zeta killing machine. At the very least, you need to do your homework on these guys and NOT announce things on the internet before you do anything, this is just asking for a whacking.
Have you not been listening?
INTELOPS:
First off, if you want to gather intel on these guys or you have it, then make sure you vet it out and insure its the real deal. If you have sources, you need to protect them and if you have hacked access, you need to insure that you can’t be traced back. The big thing though, is to KNOW YOUR TARGET! How much do you really know about the Zetas? How much do you know about the politics of the area? The players both inside and outside the cartel? This group just doesn’t have low level people, they also have high ranking political connections as well. You mess with them, then you have governmental assets and pressure as well to deal with.
So.. What do you know about Los Zetas?
Los Zetas:
Los Zetas and La Familia Michoacana are a narco ring comprised of about 30 ex Mexican Special Forces deserters who decided that narco trafficking was a much better choice than just being ordinary special operators. This group has been one of the bloodiest and boldest in their massacres of opposing groups or individuals. In short, they are not people to tangle with unless you are a government with a special operations group of your own. Much of their infrastructure is already known (see pdf file at the top here) so, dropping some of the data you propose might just serve to get others killed and not damage the organization much at all.
Though, if you did have tasty information, perhaps you could pass it along to the authorities? If not, then maybe Mata Zetas?
Mata Zeta:
Los Matas Zetas is another paramilitary group (Zeta Killers) that has sprung up recently and in fact could be governmentally sponsored. Either way, this group is out to whack the Zetas. Now, were you in posession of data that could be used by them to combat the Zeta’s maybe you could find a conduit to get that to them… Secretly. I am pretty sure though, that these guys, if not sponsored by the government (Mexico and the US) would then just become the next narco trafficking group in line to stop the power vacuum once the Zeta’s have been taken out of the equation.
The basic idea though is this: Use the enemy of your enemy as your friend to destroy your enemy. Get it?
OPSEC:
Ok, so, here we are and you guys have laid claim to the idea of the operation. Then, once people started threatening, you dropped it. Then others like Sabu said it was all a PSYOP and there are things going on in the background still.
Oy vey…
Look, overall you have to follow OPSEC on any operation like this and so far you have been a big FAIL on that account. It’s akin to saying to your enemy;
“I’m attacking at dawn.. From the East… With planes.. Vintage WWI planes…”
What were you thinking?
Obviously you weren’t thinking about OPSEC. You have seen me write about this in the past and you surely have heard Jester talk about it too. It is a key precept to special warfare and you guys just are not ready for prime time here. Unless you follow some basic security measures you will end up dead. So pay attention.. If there was any merit to this operation in the first place.
This Isn’t An Episode of Miami Vice:
Finally, I would like to say that this is not an episode of Miami Vice kids. YOU do not have a nickel plate .45, slip on shoes, and pastel shirts. This is reality and you are more than likely to run up against blackhats who will find you and one by one, these guys will hunt you down.
I know.. You’re an idea… No one can stop an idea…
I’m sorry, but your Idea will also not stop bullets and bad men with knives from cutting you to ribbons when they locate you. Unless you learn some tradecraft, go back to taking on corrupt corporations and paedophiles…
Though.. They too could also hire a hacker huh?
You guys are not ready for this…
K.
Al Qaeda: The Case of A More Diffuse and Autonomous Organisation
Succession:
Speculation on the successor to OBL has been rife within the news-o-sphere and I too have waded in and made my case for who I think will be next. I have however, come to some more conclusions since I wrote my post on succession post Osama. My current thinking is still aligned with my post from before, that Al-Awlaki will be the prominent figure in the AQ presence world wide. Where I would like to refine the statement is that I believe while Al-Awlaki will be the public face of AQ/AQAP/Jihad he may not be the operational leader. At least, not as one might think.
I think that AQ (The Base) has become such a disparate organisation, that there really are leaders plural with a figurehead (aka OBL before his demise) It seems from the intelligence drips and drabs coming out in the news, that OBL was in fact part of the plotting at least aspiration-ally, of projects up until he got the face full of lead. This is not to say that any of the plans that he laid out actually made it to operational cells out in the world. Nor had OBL been on the media very much in the last years to give anyone ideas. So, who is coming up with the plans that are being tried out? Who is actuating plots? AQAP has.
The reason that AQAP has been more active is that they are in the country of Yemen where they have a base of support and a fledgling government that poses no real threat. Since AQAP has a bit of a free hand there and a younger crew of jihadi’s headed by several Americans, they seem to me, to be the new jihadi zeitgeist. These are some of the reasons that I feel Al-Awlaki, who is charismatic and liked, would be a more logical choice to be the inspirational head of the global jihad, which happens to be primarily aimed at America. Who better to use as the face of this fight than a former citizen refuting the way of life in America and the West? Who better to reach out to those lone wolves in the states and radicalise them to the point of action?
The problem though on trying to lead AQ now is that the GWOT has indeed made it harder for there to be structured networks. As evidenced by the killing of OBL, the jihadists have learned and have been learning over the years of strikes, that to have a ‘network’ that has clear channels of command and control leads to their being picked off one at a time with Hellfire missiles shot from reapers. It was the physical act of meeting with as well as making calls to OBL by his couriers, that lead to his demise. It is this fact that I think AQ will take to heart and collectively try to leverage not only the internet even more, but also create a more splintered organisational structure on purpose. The franchise model +1 will be the modus operandi of the day because they now fear to communicate a little bit more since we took out Osama.
It is this franchise idea with small autonomous cells that are to be inspired to action, even to the point of ‘Lone Wolf” single cell actors, that will be the new GWOT’s target. Thus, going back to the idea of whoever would ‘lead’ AQ, would have to be like OBL in the area of charisma, affability, piety, and leading by example… And that would not be Ayman Zawahiri, nor I think some of the other operators mentioned in the news and in papers I have seen come across my screen on the subject. I think it would make more sense that the operators stay in the shadows to lead and create operations. Ayman is not liked, pedantic, and generally not someone that would be universally followed by the jihadi masses.
This too I think, is why the IS has been immediately attempting to step up attacks on Yemen and Anwar because they too feel that he is a likely choice for taking up where OBL left off. If not officially, at least by proxy of AQAP being the new force in Jihad, the one group who has acted on grander plans like the old AQ did. Anwar I think, is about to replace OBL on the FBI’s wanted list slot…
Unless they actually hit him with one of those missiles.
Autonomous Cells:
Since the GWOT started and now the JSOC and the Kill/Capture program, AQ has been learning that to fight the battle they need to pivot the attacks. Just as hackers learned that it was best to use internal attacks by tricking people into clicking links in emails (phising) so too have the jiahdis in this battle space. Thus we have the idea of lone wolves and small cells of one to three members within them. The smaller the cell, and the more autonomous, the higher likelihood that they will be able to carry off a mission.
By leveraging the Internet, the propaganda machine that GIMF started, has been replaced by Al-Malahem and AQAP’s Inspire magazine. This trend is somewhat scary in many ways as the lone wolves out there may have some communications with AQ central (AQAP) but they likely will not be many. Instead, as data has shown us, the lone wolves out there so far (Nidal Hassan, Emerson Begolly, and others) radicalised by watching Youtube videos, chatting online with Paltalk, and reading jihadist writings on internet php boards. Rarely have these people had direct contact with the main players in AQ, though, Hassan did in fact email with Al-Awlaki.
Over all, I think that the decentralising of AQ will continue from the GWOT thus causing more splinter groups to pop up, see the model that AQAP has put together, and will emulate it. They will be harder to stamp out and they will be more of a percieved threat because they could be just about anyone. Irhabi 007 was a single prolific propagandist who worked out of his parents house in the UK. All he needed was the internet and some hacking skills and he was able to create a new paradigm of online jihad. Imagine now all of the next gen kids who are just as computer literate and just as moved to radical thought.
Jihad GEN 3:
Which brings me to the next generation of Jihad. Or should I say the next few generations of it? In watching the trending I have seen more and more younger recruits online and in jihadist videos. It has always been known that the Jihad starts at the Madrassa, but, it seems now that not only are the boys being trained from a young age, but so too the muslima. With the advent of the Chechen “Black Widows” and some of the rules being created by shura counsels, the girls too are now being trained from a young age to become shahid.
In the West though, the rationalisation process is more led by what media the jihadi/takfiri/kuffr has been able to align with. Perhaps they are going to mosque and getting some of the content in some cases, but mostly, it comes from the net. Just how many of these people are muslims from raising is unclear. Just as is how many come to Islam and then radicalise at some point as well. The one constant though in my mind is that they are likely mentally unbalanced or seeking attention in some way that is core to their being.
What form the next generation will take is still unclear. Perhaps the pivot toward trying to get Western recruits to become shahid will ultimately fail on the large scale. Though, I do expect there to be more unbalanced individuals attempting to carry out small attacks as mandated by AQ/AQAP for the cause. NO matter how small the explosion or the number of people killed, they will have fulfilled the mandate of a thousand cuts set out by OBL.
Chatter:
Currently, the chatter on the internet has started to amp up since the death of OBL. After AQ put out its announcement that he was martyred, the boards began to fill with prayers and threats. None of the threats have been credible but, we have seen a potential spike in action with at least one person attempting to get into the cockpit of a plane in flight last week. All of this chatter online and the reverberations from it, are likely to set in motion GEN3 and GEN2 actors within the AQ universe. It is time to keep our eyes open on the operations in play.
Talk of WMD’s and other key words have been seen on the boards and I fully expect that this will spin up even further as time goes by within the next few months toward September.
Time will tell.
K
The PrimorisEra Affair: Paradigms In Social Networking and SECOPS
EDIT 5.24.2011
As of last night, I had heard that PrimorisEra was back and posting to a new blog. Today Wired has fired off a follow up to the earlier report and her return. It seems from the report that perhaps the Pentagon investigation is over and that in fact Shawna Gorman may indeed be the First Lady of Missiles. It remains to be seen if this is really the case but since she is back and blogging, I would have to lean toward my assessment from before. Still though, my cautionary statements about social networking and SECOPS still apply.
See below:
K.
From Wired:
It started out with a leggy, bikini-clad avatar. She said she was a missile expert — the “1st Lady of Missiles,” in fact — but sometimes suggested she worked with the CIA. With multiple Twitter and Facebook accounts, she earned a following of social media-crazed security wonks. Then came the accusations of using sex appeal for espionage.
Now everyone involved in this weird network is adjusting their story in one way or another, demonstrating that even people in the national security world have trouble remembering one of the basic rules of the internet: Not everyone is who they say they are.
“I think anyone puts pictures out online to lure someone in,” the woman at the center of the controversy insists. “But it’s not to lure men in to give me any information at all… I liked them. They’re pretty. Apparently everyone else thought so too.”
This is a strange, Twitter-borne tale of flirting, cutouts, and lack of online caution in the intelligence and defense worlds. Professionals who should’ve known better casually disclosed their personal details (a big no-no in spook circles) and lobbed allegations they later couldn’t or wouldn’t support (a big no-no in all circles). It led to a Pentagon investigation. And it starts with a Twitter account that no longer exists called @PrimorisEra.
Yesterday, Wired posted a news article about another potential social networking attack on the .mil and .gov types involving Twitter, Facebook, and Google Buzz. The snippet above really sums up what is alleged to have happened and the problems with Social media’s blasé attitudes where people who have jobs that require secrecy meet and chat.
Presently, according to the article, a Pentagon investigation is under way into this story, but once again, this is not the first time we have heard this type of story in the press with these same players. It was last year when a profile online named “Robin Sage” made the rounds on LinkedIn and other social media formats. This “cutout” as they are called in the espionage community, was in fact a fake profile used by a security researcher to prove a point. By using an attractive woman as the persona, the researcher was able to get people within the military and governmental community to add her and flirt. Through the flirting, the unsuspecting connections gave up valuable data on what they did for a living, where they were, and perhaps even locations in country around the battlefield in Afghanistan.
Many just fell for the profile hook line and sinker.. And that is a bad thing for anyone in this sector. It was a lesson in OPSEC and it’s failure. Potentially, this emerging case from the Wired story could also be much the same. The number of online personae that are involved in this story are just a little too many to just think that it was an innocent mistake on the part of a young woman seeking attention online from her peers within the government and military. However, its also just as possible that that is all it really is.
Time will tell.
Shawn Elizabeth Gorman Daughter of Nancy Gorman 1983
The thing about this is that this type of exploit is not new at all. This is commonly known as a honeypot in the espionage area and before there was an Internet, there was the local cafe or bar, where one would just happen to meet a lovely young thing and start a relationship. That relationship would then be turned into blackmail (either emotional or literal) and suddenly, you are an asset for the adversary. The new twist is that services need not deploy an asset to a foreign country to search for and find access to those who they want to get information from. Today all they need to have is an Internet connection and Google. It is only even more easily carried out now that there are Social Media sites like Facebook and others to sidle digitally up to anyone you like and start to work on them if you know how.
There used to be a time where every operator was given the tutorials on espionage means and methods. People were forewarned about travelling to other countries and if you are cleared, you have to report suspicious contacts to the DSS. Today though, I don’t think that they have even attempted to try this with online content. I mean, how many reports a day would you have to make to DSS if you are online and just talking to people in a chat room or on Facebook? It would be impossible. So it is understandable, as social animals, that we develop this technology to connect with others and being that it is a rather insular means of communications, feel that we can just let loose with information. After all, how does one really assure that who they are talking to is indeed that person that they claim to be?
So, people forget and really, this is still all relatively new isn’t it? There are no maps here.
Now, back to this story, no one has claimed that data has been leaked. It is only the appearance of things have set off the alarm bells for people and agencies. When one user finally decided to call the alleged cutout’s profile out, a subsequent shit storm began that ended up with @primosera deleting their Twitter, Facebook, and Google accounts thus making the story seem even more suspect.
Was Shawn E Gorman a cutout? Is she really the grad student and contractor she claims to be in her tweets? What about the allusions to the CIA? All of the missile tech and political discussions? Well, given the background of what can be located readily online, there is a Shawn Elizabeth Gorman attending Johns Hopkins as a research assistant getting her MBA in Government, so, perhaps. Or maybe someone has just taken on the persona of Ms. Gorman to use as a cutout for these activities?
Frankly, I am leaning toward it really being her. As you can see from the photos above, I located a photo other than the one from Wired that purports to be Shawn E. Gorman born 1983 to a Nancy Gorman. I also located data that shows a Shawn E. Gorman living in Bethesda MD with the same mother. Given that the photo is an early one, and one of the few out there easily found, I am thinking it is one in the same. However, this does not mean that it has been her behind that keyboard when she was talking to all of the people involved.
Time will tell what is what once the Pentagon’s investigation gets done. It could be that this is all for naught security wise from the compromise perspective. However, this once again is an object lesson for everyone online. Nevermind if you work in a job that requires security, everyone should be cognisant that when they are online talking to someone that they do not know in real life, are just that much more possibly talking to someone who is not their “friend” and looking to just have a chat. From the common data thief to the corporate spy, we all may have data that someone wants and will be willing to pretend a while to get it.
We want to be social and open as we are social animals… Just so happens that sometimes that is a bad idea.
I think though, that everyone who works in security or within a security centric job space will have to go through some more training in the near future. This is just a warning bell and I think it best that the government and military listen to it. Even as the article goes on to mention, there are restrictions on the military about posting online, but still they cannot deny these people access to the likes of Facebook for morale. It is really playing with fire either way, in denying the access it seems draconian and people will fight it. On the other hand, if you allow it and monitor it, you are damned for monitoring people’s interaction online.
Hell, even the CIA has set up its own social networks within the CIA’s Intranet so people can talk and ostensibly share ideas and data. However, that is on an Intranet that is well protected….
Meanwhile, back on the Internet, we have places like LinkedIn. Sounds like a great idea, networking for jobs and such. Then the .gov and .mil folks all got online and began to show themselves and much of their data in a contained space. So much of a treasure trove is LinkedIn that Anna Chapman (as seen above from her Russian Maxim shoot) was only 2 degrees of separation from me within my network on LinkedIn! She was mining the connections as a sleeper for the SVR and all she had to do was put up a pretty picture and say hi.
For me it comes down to this;
1) If you sign up for these places hide as much of your data as you can.
2) Pay attention to the security measures that the sites have in place.. Or don’t. Facebook has had a terrible record on personal privacy but look how many people they have on there and just how much personal data is available to anyone who can look at the page, even a cached version.
3) When you get invites from people check them out. Use other means than the current site (aka LinkedIn) to do that research. See if you can nail down who they are in reality. Even then, once you are friends, think before you type. You may be giving out data that you personally don’t want anyone to have.
4) Placing too much family data on the Internet is a threat. Anything from Identity theft to outright stalking and physical danger can be the outcome if you make it too easy for someone to get your data.
5) If you suspect that someone you are talking to is not indeed who you think they are, walk away.
6) AND for God’s sake, if you are a guy, in the military or government, or hold a classified status and some hot avatar’d chick starts PM’ing you, its either a bot or it’s likely another cutout. ESPECIALLY if you lay out your life’s story online as to what you do and where you work.
7) Finally, remember what I have repeated over and over again. Whoever you are talking to MAY NOT BE WHO THEY SAY THEY ARE!
Just don’t put that data out there and end up in the hot seat with your job on the line over a little virtual tail.
K.