Archive for the ‘The Art of War’ Category
The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage
黑客 is rendered in English as ‘Dark Visitor’, or in our colloquial language simply ‘Hacker’. The Dark Visitor movement of the 1990s has morphed into a more sophisticated and government-connected espionage wing today. What was once a loosely affiliated group of patriotic hackers has been honed by the PLA (People’s Liberation Army) into a force to be reckoned with on the stage of digital espionage and data theft.
Beginnings:
Back in the late 1990s the Internet made its way to China, and hackers soon began to see how the system worked. These hackers were curious about systems at first, but the motives of the Chinese hacker community soon changed: out of patriotism and the inherent nature of Chinese culture, they came to feel that they could avenge their country for perceived slights by hacking and defacing web pages. The first hacker collective, named the “Green Army”, was formed in 1997, and in 1998 the “Red Hacker Alliance” was formed after an Indonesian incident involving riots against the Chinese caused hackers to band together.
Over time, many groups would form and dissipate only to re-form. The groups had various reasons to go on hacking campaigns against other countries, such as Taiwan over political issues, but for the most part the general aim seemed to be just to hack. A change came in the 2000s, though, when commercialism came into play. It seems that, as in the West, the hackers began to see that their skills could be put to use to make money, and many of them began working as security consultants. As with the country itself, the commercialisation that Deng Xiaoping had put into play with his ‘market economy’ gave them the idea of being not just political but also, in some ways, capitalist.
From “The Dark Visitor” by Scott Henderson; it’s a good, albeit short, read on the subject. You can buy it on his site, I think.
The paradigm, however, has changed a bit since 2005: more of the hacking, and more of the groups doing it, have dual motives. Due to the PLA co-opting the hacker groups, a healthy dose of patriotism, and the general socio-political environment that the Chinese live in today, we now have both forces at work: the political and the market-driven.
Motivations for APT Attacks:
Since the market economy’s beginning under Deng, China has brought itself up out of the depths that the Mao government dragged it into, to become a burgeoning superpower. Most of this economic feat has been driven by the sheer ability of the Chinese to throw immense amounts of workforce at problems. While producing cheaper and perhaps lower-quality goods, they have played upon the capitalist nature of the West to pivot themselves into the controlling seat economically and in production. America and other countries have locked on to the idea that by hiring out to foreign workers (outsourcing) they save a lot on their bottom line. As well, consumers, be they American or other, have enjoyed the advantages of cheaper products; they save more money on their purchases and thus have more disposable income.
This model, however, has one flaw for the Chinese. While they have great skill in replicating technologies, and have created clever contracts that in the end garner them all of the specs on how to make just about everything, they lack in the area of generating new technologies. This is the basis for their efforts in industrial espionage, which make up a great number of the persistent attacks on companies in the West that have succeeded in stealing IP. It seems that the Chinese need for political status as well as economic status has created the perfect incubator for the likes of the Honker Union or the Green Army to turn their efforts toward making China a complete superpower.
State vs. Non State Actors:
The lines between the state actor and the non-state actor are very much blurred in China. Due to the culture, many of the hackers work together for the common goal of the state. Since 2001, though, the notion of the state actor has been more common, as the PLA began to incorporate the hackers into its ranks and to begin training programs at universities like the Chengdu University of Technology, which just happens to be situated in the province where the first directorate of cyber intelligence resides.
There are certainly likely to be other hackers or groups also working for themselves, selling 0day and the like, but I can also envision that certain state actors might want in on that action as well. How better to control some of the malware out there than to actually create it and sell it? Either way, the notion of separating state and non-state actors in China has pretty much been a non-starter for me when looking into this issue.
In the end, they all are state actors I think just by the nature of the regime.
Techniques:
In the beginning, the Chinese hackers were just defacing pages, but after Cult of the Dead Cow created Back Orifice, the face of hacking changed. Huang Xin took note and created the first Chinese trojan, ‘Glacier’; since then, it has been an ever-increasing world of trojans and means of getting the users of systems to install them. As time progressed, and hackers had to deal with more security measures (i.e. firewalls), they all began to use guile to get the end user to do the work for them. Over the years the Chinese have gotten much better at crafting decent emails that will not ring alarm bells in users’ heads. These emails and exploits are what we now call ‘phishing’.
Additionally, the Chinese have honed their attacks to be not only sly but also very regimented in keeping access to the networks they have compromised. Through careful placement of further back doors, as well as custom code applied to applications inside their target infrastructures, they have managed to keep the access they need to exfiltrate data at their own pace. Using multiple nodes within a compromised network, they will just shrug and move on to another compromised node once they have been discovered and stopped on the original. THIS is the true meaning of “Advanced Persistent Threat”, and for me it’s the persistence that the emphasis should be kept on.
Moving Forward:
Recent events with Lockheed have moved me to write this blog post, as well as to begin a series of them on the Chinese hacking community today. My initial searches online have provided all too much data, and admittedly it has me overwhelmed. Thus I decided to parse this all out. I wanted to cover the history, motivations, and means today. Soon I will be writing more about infrastructure and methodologies to try to give a map, so to speak, of what we are dealing with as the Chinese continue to use those ‘Thousand Grains of Sand’ against us.
But, just to give you a taste of what I am seeing… Here is just one site that I did a relational link search on:
K.
The PrimorisEra Affair: Paradigms In Social Networking and SECOPS
EDIT 5.24.2011
As of last night, I had heard that PrimorisEra was back and posting to a new blog. Today Wired has fired off a follow-up to the earlier report and her return. It seems from the report that perhaps the Pentagon investigation is over and that in fact Shawna Gorman may indeed be the First Lady of Missiles. It remains to be seen if this is really the case, but since she is back and blogging, I would have to lean toward my assessment from before. Still, my cautionary statements about social networking and SECOPS apply.
See below:
K.
From Wired:
It started out with a leggy, bikini-clad avatar. She said she was a missile expert — the “1st Lady of Missiles,” in fact — but sometimes suggested she worked with the CIA. With multiple Twitter and Facebook accounts, she earned a following of social media-crazed security wonks. Then came the accusations of using sex appeal for espionage.
Now everyone involved in this weird network is adjusting their story in one way or another, demonstrating that even people in the national security world have trouble remembering one of the basic rules of the internet: Not everyone is who they say they are.
“I think anyone puts pictures out online to lure someone in,” the woman at the center of the controversy insists. “But it’s not to lure men in to give me any information at all… I liked them. They’re pretty. Apparently everyone else thought so too.”
This is a strange, Twitter-borne tale of flirting, cutouts, and lack of online caution in the intelligence and defense worlds. Professionals who should’ve known better casually disclosed their personal details (a big no-no in spook circles) and lobbed allegations they later couldn’t or wouldn’t support (a big no-no in all circles). It led to a Pentagon investigation. And it starts with a Twitter account that no longer exists called @PrimorisEra.
Yesterday, Wired posted a news article about another potential social networking attack on the .mil and .gov types, involving Twitter, Facebook, and Google Buzz. The snippet above really sums up what is alleged to have happened, and the problem with social media’s blasé attitudes in places where people whose jobs require secrecy meet and chat.
Presently, according to the article, a Pentagon investigation is under way into this story, but once again, this is not the first time we have heard this type of story in the press with these same players. It was last year when a profile online named “Robin Sage” made the rounds on LinkedIn and other social media formats. This “cutout”, as such profiles are called in the espionage community, was in fact a fake profile used by a security researcher to prove a point. By using an attractive woman as the persona, the researcher was able to get people within the military and governmental community to add her and flirt. Through the flirting, the unsuspecting connections gave up valuable data on what they did for a living, where they were, and perhaps even locations in country around the battlefield in Afghanistan.
Many just fell for the profile hook, line and sinker. And that is a bad thing for anyone in this sector. It was a lesson in OPSEC and its failure. Potentially, this emerging case from the Wired story could be much the same. The number of online personae involved in this story is just a little too many to think it was an innocent mistake on the part of a young woman seeking attention online from her peers within the government and military. However, it’s also just as possible that that is all it really is.
Time will tell.
Photo caption: Shawn Elizabeth Gorman, daughter of Nancy Gorman, 1983
The thing about this is that this type of exploit is not new at all. It is commonly known as a honeypot in the espionage world, and before there was an Internet there was the local cafe or bar, where one would just happen to meet a lovely young thing and start a relationship. That relationship would then be turned into blackmail (either emotional or literal) and suddenly you are an asset for the adversary. The new twist is that services need not deploy an asset to a foreign country to search for and find access to those they want to get information from. Today all they need is an Internet connection and Google. It is even more easily carried out now that there are social media sites like Facebook and others, where you can sidle up digitally to anyone you like and start to work on them if you know how.
There used to be a time when every operator was given tutorials on espionage means and methods. People were forewarned about travelling to other countries, and if you are cleared, you have to report suspicious contacts to the DSS. Today, though, I don’t think they have even attempted to try this with online content. I mean, how many reports a day would you have to make to DSS if you are online just talking to people in a chat room or on Facebook? It would be impossible. So it is understandable, as social animals, that we develop this technology to connect with others and, it being a rather insular means of communication, feel that we can just let loose with information. After all, how does one really assure that who they are talking to is indeed the person they claim to be?
So, people forget and really, this is still all relatively new isn’t it? There are no maps here.
Now, back to this story: no one has claimed that data has been leaked. It is only the appearance of things that has set off the alarm bells for people and agencies. When one user finally decided to call the alleged cutout’s profile out, a subsequent shit storm began that ended up with @PrimorisEra deleting their Twitter, Facebook, and Google accounts, thus making the story seem even more suspect.
Was Shawn E. Gorman a cutout? Is she really the grad student and contractor she claims to be in her tweets? What about the allusions to the CIA? All of the missile tech and political discussions? Well, given the background of what can be located readily online, there is a Shawn Elizabeth Gorman attending Johns Hopkins as a research assistant getting her MBA in Government, so, perhaps. Or maybe someone has just taken on the persona of Ms. Gorman to use as a cutout for these activities?
Frankly, I am leaning toward it really being her. As you can see from the photos above, I located a photo other than the one from Wired that purports to be Shawn E. Gorman, born 1983 to a Nancy Gorman. I also located data that shows a Shawn E. Gorman living in Bethesda, MD with the same mother. Given that the photo is an early one, and one of the few out there easily found, I am thinking it is one and the same. However, this does not mean that it has been her behind the keyboard when she was talking to all of the people involved.
Time will tell what is what once the Pentagon’s investigation gets done. It could be that this is all for naught security-wise from the compromise perspective. However, this is once again an object lesson for everyone online. Never mind whether you work in a job that requires security; everyone should be cognisant that when they are online talking to someone they do not know in real life, they are that much more likely to be talking to someone who is not their “friend” and is not just looking to have a chat. From the common data thief to the corporate spy, we all may have data that someone wants and will be willing to pretend for a while to get it.
We want to be social and open as we are social animals… Just so happens that sometimes that is a bad idea.
I think, though, that everyone who works in security or within a security-centric job space will have to go through some more training in the near future. This is just a warning bell, and I think it best that the government and military listen to it. Even as the article goes on to mention, there are restrictions on the military about posting online, but still they cannot deny these people access to the likes of Facebook, for morale. It is really playing with fire either way: denying access seems draconian and people will fight it; on the other hand, if you allow it and monitor it, you are damned for monitoring people’s interactions online.
Hell, even the CIA has set up its own social networks within the CIA’s Intranet so people can talk and ostensibly share ideas and data. However, that is on an Intranet that is well protected…
Meanwhile, back on the Internet, we have places like LinkedIn. Sounds like a great idea: networking for jobs and such. Then the .gov and .mil folks all got online and began to show themselves, and much of their data, in a contained space. So much of a treasure trove is LinkedIn that Anna Chapman (as seen above from her Russian Maxim shoot) was only 2 degrees of separation from me within my network on LinkedIn! She was mining the connections as a sleeper for the SVR, and all she had to do was put up a pretty picture and say hi.
For me it comes down to this:
1) If you sign up for these places hide as much of your data as you can.
2) Pay attention to the security measures that the sites have in place. Or don’t. Facebook has had a terrible record on personal privacy, but look how many people they have on there and just how much personal data is available to anyone who can look at the page, even a cached version.
3) When you get invites from people, check them out. Use other means than the current site (aka LinkedIn) to do that research. See if you can nail down who they are in reality. Even then, once you are friends, think before you type. You may be giving out data that you personally don’t want anyone to have.
4) Placing too much family data on the Internet is a threat. Anything from identity theft to outright stalking and physical danger can be the outcome if you make it too easy for someone to get your data.
5) If you suspect that someone you are talking to is not indeed who you think they are, walk away.
6) AND for God’s sake, if you are a guy in the military or government, or hold a classified status, and some hot avatar’d chick starts PM’ing you, it’s either a bot or it’s likely another cutout. ESPECIALLY if you lay out your life’s story online as to what you do and where you work.
7) Finally, remember what I have repeated over and over again. Whoever you are talking to MAY NOT BE WHO THEY SAY THEY ARE!
Just don’t put that data out there and end up in the hot seat with your job on the line over a little virtual tail.
K.
Rumblings On Stuxnet’s Potential for A Chernobyl Style Incident at Bushehr
A source called me over the weekend and alluded to some intel concerning the Bushehr nuclear plant with regard to Stuxnet. Of course you all out there are probably sick of hearing about Stuxnet (especially the infosec/IW community), but I thought this was interesting and that I should drop a post. My source says that certain people in the know are worried about the whole Stuxnet operation from the point of view that it was released into systems that were not completely understood by the creators of the operation. That is to say, Iran, being as hard to get intel on as it is, may have had configurations or issues that the creators and implementers of Stuxnet did not account for, and the malware could indeed have caused a larger catastrophe.
This is now making the rounds quietly in certain areas of the media, but, I want to call your attention to this article that I found on payvand.com. In it, a nuclear expert speaks about the potential for a nuclear accident due to the design specs of the reactor at Bushehr and the fact that the Russians reported that they were removing the nuclear material from the reactor recently.
From: Dr. Sadeq Rabbani, Former Deputy of the Nuclear Energy Organization
The Russians claim that they were obliged to remove the fuel from the Bushehr nuclear reactor in order to replace a part that was installed during the time the Germans were managing the construction of the plant. It should be noted that according to the contract with Russia for construction of the Bushehr plant, the Russians replaced all inner parts of the reactor and presented a new design. In the German model, a vertical design was used, but the Russians adopted the horizontal model. This means that the created problem was not related to the inner parts of the German-designed reactor.
So the Russians were paid for the construction of the Bushehr reactor and have also changed the design. Now the problem is whether the Russians were wrong in their design. It is unlikely that the Russians were wrong in their design, because this is not the first plant that they have constructed, and their experience is valuable.
There remains only the Stuxnet virus that Iran denies has been able to affect the Bushehr facilities. So, if we assume that the Iranian authorities are right, the Russians are playing with us by delaying the launch of the Bushehr plant, and want to continue to delay launching it.
My source, who has connections with various people in the know, says that there is a higher potential that, since the German design and build was taken over by the Russians, they may in fact have introduced flaws within the system that “could” lead to a Chernobyl-style event if something like Stuxnet had infected other PLC systems. Of course this is a blanket concern with malware on the level of Stuxnet anyway, is it not? Stuxnet was particularly targeted at the Siemens systems for enrichment, but there is always a chance of undesired effects on other systems.
This is not to say that there have been or are other systems that have been compromised by Stuxnet… that we know of.
Ostensibly, Stuxnet was aimed at the weapons facilities, but one must not think that the weapons facilities and the nuclear power program were kept apart by a firewall, for lack of a better term. I am willing to bet that the two are connected both semantically as well as functionally, and in that, the systems that play a key role may have been too. IF Stuxnet travelled to the Bushehr systems, what ‘could’ be the import here? Just as well, what part would the design of the reactor play in hastening a large nuclear accident?
The article above goes on to say that Dr. Rabbani does not believe that the design and implementation of the Bushehr reactor is likely to cause an issue. Others, though, have been saying the opposite, including my source. All that is really known at this point is the following:
- When Stuxnet hit, Iran claimed that they were just fine! However, reports internally at the nuclear facilities and universities proved otherwise: the malware was running rampant and they were trying, and failing, to exterminate it.
- The design and implementation of the nuclear reactor had been started by the Germans (Siemens) and then stopped for many years. Then the Russians picked up where the Germans left off. It is possible that the design changes and/or builds on top of previous versions could have flaws in them that might make for vulnerabilities.
- The Russians have removed the nuclear materials and the program is steadily losing ground to delays.
All in all, the unforeseen circumstances of malware like Stuxnet may indeed have caused issues at Bushehr, or they could have been a calculated thing. Perhaps this is just Iran being careful out of paranoia as fallout from the incident. In either scenario, we win out in that the programs are being delayed. However, the worry that my source voiced was that they may not have considered the possibilities of collateral damage and just how bad they could be if the reactor had gone online and melted down. Of course, this comes after seeing everything that is happening in Fukushima, so it’s on many minds.
My source went on to ask the question: “This would have to have a presidential order, wouldn’t it, as an operation?” The answer to that is yes. It is also quite likely that this operation was set forth by the previous administration (Bush) and, well, we know just how well thought out that presidency was, huh? To my source, I say be careful in speaking about this. To all of you out there reading this, I say keep your eyes peeled; there’s bound to be more fallout.
K.
Al Malahem’s Inspire 4: Crusades Rhetoric and Tactical Updates In A Feedback Loop
Al Malahem’s “Inspire 4” was released last night, and this morning I procured a copy to go through. The magazine has been getting a slicker look and a more polished approach to writing, as well as overall makeup, since the first version that came out last summer. Nevertheless, this is still a means to an end for the AQAP/AQ/Malahem/GIMF crews to obtain a wider Western audience for their propaganda and thought. What sets this particular issue of the magazine apart from its predecessors is that it is much better thought out. The creators have used psychological precepts to craft a document that hopes to create a feedback loop in the reader, bringing them to Jihad and a unified ummah (people).
After some preliminaries, the magazine’s first article is by Samir Khan, a former US resident from NC who is now ostensibly the creative director of Inspire. His piece sets the tone and begins the feedback loop. The article’s first page is pictured above, and it sets in motion the idea that Jihad is the “duty” of all Muslims and should be carried out. Of course, this is a perversion of the actual notion of Jihad (“struggle”): in the magazine’s telling it is just about clearing the Muslim lands of kufr, and has nothing to do with the internal struggle with the self. Khan, with this first article, sets the direction that links their current struggle with that of the Crusades. This will be a theme that continues throughout the magazine, reinforced in each section, hearkening back to the first Crusades.
The essence is this: Islam, through Allah and Muhammad, clearly states that anything other than Koranic doctrine as laid out at the time of Muhammad is in effect apostasy.
So, the net effect is that any Islamic government that harbors kufar, works with them, or allows them in their lands should be destroyed. Any and all other points of view by any Koranic scholar are wrong, and their holders should either be converted or killed as enemies. I guess then that they would have killed Saladin too, because even he allowed for some cohabitation between Christians and Muslims in the region.
Thus begins the feedback loop. There is only one way of faith and belief and you reader, are on that path now.
Samir also uses some interesting imagery and language that hearken back to the old days, including calling us all “jinn” who use magic (“technology”) to attack the true believers. Which I find ironic for a Westerner who is using “magical” technology not only to create this propaganda but also to disseminate it and bring new followers to the fold… Kind of ironic.
The next article is a short one from Adam Gadahn, aka Azzam Al Amriki. This piece goes on to reinforce what Samir has laid out for the reader: Jihad is your duty, and especially for those of you who are in Western lands. Short and to the point, Amriki is once again trying to stir up the Muslims (or those who style themselves Muslim holy warriors) to action inside the Great Satan’s kingdom (aka the West). What is illustrative here is that this short note, following another Westerner who has defected to jihad, gives the one-two punch for the reader susceptible to this manipulation.
Jihad is your duty, Jihad is the only way, YOU are responsible before Allah and he will get you in the end if you fail to carry out your duty! No paradise for you, instead he will mete out punishment.
For would-be believers, this is a potent mix of one-sided citing of wrongs committed by the kufr, as well as reinforcement of doctrinal belief wrapped in revisionist Crusade-period history. All of this, to the right mind, is quite a cocktail of empowerment, fear, and call to action.
What comes next is an article that reinforces the above two but adds a pinch more guilt and fear within a twisted logic of moral code. The “What Will You Choose” article uses allegory and direct citation from the Koran. The whole thrust of the article is to justify the idea that martyrdom is victory.
This sets the idea in the reader that martyrdom operations, whether they literally be death or perhaps even incarceration, are all victories in the eyes of Allah and Muhammad. In essence, there is no excuse for inaction in the battle wherever you are, “brother or sister”, because in each case of action, and most of all in becoming shahid, you have won a victory for Allah. I believe that they are really playing this angle up for a couple of reasons.
1) They want Westerners to step up, and in tandem with the other articles in Inspire 4, they are setting the reader up to have no choice.
2) Suicide bombings in their eyes are not only victories for Allah, but they also make good propaganda fodder. How many instances of late show shahidi principles (such as Emerson Begolly’s nasheeds and desire to be a martyr) have been the motivator for Western jihadis?
The Messenger of Allah, in exchange for what he asked from the anşār, did not promise them anything of this world. He only promised them paradise, and paradise only comes after death. So would you want to die a natural death or die as a martyr?
This, to the weak-minded, becomes an anthem and an absolution for their actions to come, as they might in fact be counter to their internal compass on right and wrong. Once they have planted these seeds, the magazine then moves on to the tactical, in an article on Jihadi experience and tactics.
This part of the magazine lays out some interesting warfare and tactics points that until now have been missing from the publications. Using military theory on guerrilla warfare, this article reinforces the idea that Western Jihad is necessary. Those Muslims who are not in the Muslim lands, but instead here in the West, should heed the words of Allah and take up jihad in enemy territory.
Are you seeing how these all play together?
The author goes on to imply that, with the “frontal jihad” going on against forces that far outweigh their own, the use of guerrilla warfare behind the enemy’s lines is key to the overall war. He lays out the tactical issues of trying to heed the call of Jihad by going to lands such as Afghanistan and Chechnya, but in the end concludes that these wars, while a part of the bigger picture, will have less effect on the total battle than those waged by hidden means.
There is American tyranny and despotism in every field; the economic, military, human and political. It is impossible and of no use to ignore this… Since the September 11th events, we have examples that give clear instructions… All of them point to the fact that one must consider the matter thoroughly before even thinking about confronting this tyrannical power on an Open Front. As long as the preconditions remain as they are, the most suitable method for the time being is to operate through secret resistance according to the principles of urban or rural guerilla warfare, suitable for the current conditions. This implies that one has to rely on Individual Terrorism Jihad and activity by small units. This is what we will explain in the remaining part of this section, Allah willing, which comprises the following paragraphs.
Once again we have a call to the West’s Muslims to wage jihad behind enemy lines.
“I am a Muslim, Spying is Kufr” (I am a Muslim and Spying is non-belief) admonishes anyone who would work with the enemies of Allah. This lays out the last reinforcement: if you do nothing, or if you go along with the enemies of Allah, you are in fact now the enemy. There is mention in the article that Satan lies within your path on this and tempts you, which is the only hint that you may be being misled, and it seeks to wake those Muslims out there who are living as Westerners. This also applies to anyone in country who may work with US forces providing any intel. This is the last of the heavy-handed attempts within the piece at shaming any Muslim into Jihad and calling them to action.
The articles as laid out create that feedback loop I spoke of above. By making their cases in subtle and not-so-subtle ways, they are creating a pattern of thought that will bring those who may be on the edge over to their mindset. Someone like Emerson Begolly would have come out of this series of articles even more moved by the idea that there is no other way but Jihad to live his life, as well as to achieve victory and paradise through becoming a shaheed. THIS is the most insidious work that the Al Malahem have put out to date. As propagandists go, I think that they have likely read the works of Goebbels and taken to heart the psychology here to exploit the unbalanced. Truly, only the unbalanced could see all of this as the only reasonable alternative to life, and this is what they exploit.
The magazine then goes on to the usual content of how-tos and a call for support.
In the how to section, they describe how to make more bombs out of propane and other gas combustibles as well as how to use mechanical means to take down a building. Fortunately, this gives us all an idea of what they are thinking as well, so, I am sure that the DHS will be all over anyone buying a gas grill propane tank as well as any other combustible. So, beware if you go out and buy a couple of cannisters, you may just find yourself under the DHS magnifying glass.
Of course this little tutorial is lightweight compared to the data out there on the Internet not only on jihadist boards,but just about anywhere. So really, this is a non starter for the most part. Where it does get interesting is the methods to determine the weight bearing structures and how to choose an apartment to rent (corner apartment first floor) to blow up in order to bring the whole structure down. Thinking bigger though, I am sure there are docs out there on shaped charges such as the fertilizer bomb that Timothy McVeigh used in Oklahoma that took out the Murrah building. So, this is just a small part of a bigger picture.
Finally, there was a new twist in the magazine that interests me the most. It is the call out to their brethren to “help” Al Malahem . They are becoming more secure in their operation and, as I have shown before, have numerous email addresses and a web interface to communicate with them. Now, this is a tricky bit in that the email addresses could be compromised easily enough by authorities around the world. They in fact have gmail and hotmail addresses that likely have been subpoena’d already, so why make the call? Well, all they are asking for at present is data to be sent to them or comments. So, no real data is likely being transmitted from them so why worry? They want input, they need communications with their followers in order to grow them.
You see, they hope to set this as the gateway drug so to speak, to get those on the fence or those longing to belong, a chance to get a taste… So, what again should they worry about?
//BEGIN
Lecf, xumu qf qphvs A bumzo hm dsdm jv. Om, nm zo xti aqkbzynm fraycawgm. Ypbu ylm klx nowtlgk xkig vbp vlsseecw gvi cktmkme bzi ugqubs iyl rzesa. B mmr aq hhrzl ai “kifarjfhxg” ms Pf Dpfrlsg. Ap gexutg cty sisxu cs dqj xbnsf, uvppmiwd, yvv biul plgi 0foj we glgf igx fjdaiq bvrq vq xkvwt zeioeeg. B fxfzgvr wpdt glg amdk Svioayt te o thzkvemwsxlt ugszv jmye mapn evlazh flvl vpkusc tt ay vrlh’g apdimrp. Xtxc kexi vvwsxqh tlr gqsuuob, wmzw qfclsxh epif. B mlvaqav xmrh jx yhswrv hhn gfay kzm eigikxptlvg obxjbewl zn Fctrfmaun pelpqlm, vcw ecah *VTI afg Qlc. Efdqz lme yaodw knfct trv kiq apsn wh glv dsdjvfnqku.
Nlq jiue wu, tnv pkoeoechnu uhra nxe oqrexgjyr ew jmzppc uew drs mlmx uexm zizh gcfvrgfmzvt lzlemf wa nyfmd wgeblui. Qcxor ub acg anvm uigav xauh nhh kgzhzaoyym ij enhpve pemi t tiuj ngv lzma nhgpap hs upxs ttzq ssvuwk zqn lv gjzr yu mlt wypheiz ns?
Dszxnhkpo gw tmcpy bb…
//END
*DM me for crypto type and key as usual*
In conclusion, Al Malahem has changed the game here with Inspire 4. The psyop war is on and we need to be on top of it.
CoB
Top 5 ways to destroy a company.. But Will They Sign Off On That?
I watched the BruCON talk Saturday by Chris Nickerson “Top 5 ways to destroy a company” and was surprised at some of the things that were proposed on stage. On the other hand, I can agree with some of what he said too. For years I have lamented much the same thing that Chris did on stage. All too many times you give the client a report after actually finding major vulnerabilities and they either just don’t get it, or, and this is more often the case, don’t seem to care about the findings. You can “root the shit” out of them as Nickerson said, and still, they just look at you and say “So?”
The truth of the matter for me comes down to a few different factors:
- A lack of understanding the results that you present them
- A lack of situational awareness to understand that those same vulnerabilities can lead to dire results when used by a motivated aggressor
- A lack of latitude or perhaps initiative on the part of assessment specialists to flesh out these scenarios within the reports and the meetings to discuss the findings with the client
Nickerson too gets to this and asks:
Well why does that happen?
- What we give them isn’t important. Managers don’t care about shells!
- They don’t care about what we care about!
What do they care about?
- The product line
- The Brand
- The Employees
- The Bottom Line
I would also add “Their own asses” to this list as a fifth because, really, what else motivates an employee (including C levels) is whether or not the decisions that they make will cause great financial loss and, in the end, their dismissal. Of course you then face the task of once again getting that horse to the trough to drink, and you know how that usually goes, huh? This is where Chris kind of went off the rails for me and, I think, for more than a few people watching the talk. It would seem that advocating “destroying” the business would be counterproductive to having a job yourself, once you had performed the magic tricks that he suggests.
Top 5 ways to destroy a company
- Tarnish the brand
- Alter the product
- Attack the employees
- Affect financials directly
- ** Your turn! **
The talk really did not elaborate on how to do this with regard to getting a company to sign off on it in the first place, and then how to carry the scenarios out, proving the concept without actually causing harm to the company that you are assessing. It has been my experience in the past that if you actually explain cause and effect in a report as well as in the meeting, you can get across the real meaning of that shell you have gotten. The problem then becomes whether or not your client “gets it”. You can explain it flawlessly but still not yield the changes that your findings require because those people you just presented your findings to “just don’t care”, as Nickerson said. So his premise is quite right. You have to actually hit them where it hurts to get action sometimes. But just how do you do that, get it across to the client, and not get your ass thrown out or arrested for those actions?
The talk goes on to highlight something that actually isn’t so new to intelligence agencies, both nation state and other. It’s called “Profiling”. You profile the target, you get to know what makes them tick, and if you are aiming to do them harm, you look for their weak points and then exploit them. This is much the same thing you would do to a computer system, application, or network to attack it. What Chris was saying, but not really saying directly, is that you have to take the precepts of “Information Warfare, Guerrilla Warfare, and Intelligence Analysis/Operations” and use them all to profile the target and formulate a plan of attack. By using these techniques (aka footprinting a network, say) you apply them to the whole business to determine how you “could” destroy them, or perhaps more to the point, damage them into reactionary actions (and for all intents and purposes in this talk, “listening to the security industry”).
The unfortunate thing, though, that this talk did not cover is that even when you show people you have “access” to something, and you tell them what you “could” do, you still may not get the reaction that you need from them to actually fix the problems. This is where the talk breaks down for me because I frankly just don’t see too many assessments happen out there with a “carte blanche” SOW that says you can do anything to them you want. All too often the client wants specific things checked and gives you only small amounts of time for targeted attacks. So sure, you can go change a PDF file of their prospectus and print one out to show the management, but will presenting that actually change their minds? After all, I still think that human beings are quite bad at determining long-term threats like this.
Overall though, Nickerson has it right. Use chained exploits (not in the regular definition you may be used to here) to escalate access and then use the information to show “how” you could affect the supply chain, or the financials of a company. Or, how you could steal certain types of data to sell to competitors, maybe even just how to hold it hostage. The problem is that without actually committing the acts, all too often you come off as a fiction writer in their minds, as they look at you thinking:
“But, he’s just some uber geek… this won’t happen in real life, I mean we hired these guys because they can do it.. INCONCEIVABLE!”
It all comes down to how you present the data and scenarios to the client that will get them to react… Or not, as the case may always be… Until they are really compromised, and by then it’s too late.
So, where does that leave us? In the same position really, but it behooves us to be better communicators with the clients. We need to be able to perform the following actions in every assessment:
- Profile the business overall, where they are in the market, and their history
- Profile their business model and their product or products
- Profile their request for an assessment by you (why are they doing it? SOX? PCI? or are they interested and engaged)
- Profile the employees and C levels (are they engaged? Do they buy in on security?)
- Formulate scenarios that would cause varying levels of damage (targeting them)
- Meld the technical side of things with a look at their processes. If they are lacking there, you are likely to see much more potential for high collateral damage exploits or chained exploits
Unless you can put a whole picture together and then prove it if they actually give you a go ahead, then you are just another technical monkey saying “Look Shells!” as Nickerson put it.
I think that is what he was driving at through all of the ranting…
So, consider this the paradigm change… Consider what you do “Information Warfare” and not just hacking assessments. Perhaps then, once the industry takes that next step to herd the cats, we will see change in the clients’ understanding of why we find these things and say “You’re fucked!” This is something that has been written about before. Without changes, the security industry will continue to be effective only when those you are working for are already engaged and understand security issues.
CoB
5 Reasons to Doubt Al-Qaeda Magazine’s Authenticity: Gives One Ideas, False Flag Anyone?
The 5 reasons:
(1) Bin Laden and Zawahiri are extremely secretive and issue statements rarely and directly to the media. It would be unusual for them to write for a third-party publication, especially one put out by the Yemen-based AQAP, with which they have little or no direct ties. However, it is possible that the magazine’s producers simply copied old statements they had made.
(2) The language of the magazine, such as “Make a bomb in the kitchen of your mom,” reflects either a poor command of English or a light-hearted sense of self-parody. AQAP is not known for either. Awlaki, whose location in Yemen makes his participation very plausible, is a native, fluent, and very articulate English speaker. His fiery English-language sermons are not funny.
(3) The magazine includes an essay by Abu Mu’sab al-Suri. But Suri, whose connection to al-Qaeda is uncertain, has been locked up in Guantanamo–and possibly a CIA black site–since 2005. However, as with bin Laden, it is possible the magazine simply copied old statements.
(4) Analysts tell me that the magazine PDF file either does not load properly or carries a trojan virus. This is unusual because al-Qaeda and AQAP have produced and disseminated such PDF publications many times without such problems. If the report was produced by U.S. counterintelligence, or if the U.S. operatives attached the virus to the original file, would the trojan really be so easily detectable by simple, consumer-grade virus scanners? Surely U.S. counterintelligence has less detectable viruses at their disposal.
(5) The web-based “jihadi” community itself seems suspicious. The report has received little attention on web forums, especially given its apparent importance. A publication including such high-profile figures would normally receive far more attention than it has so far.
Exploit or Ineptitude?
When this file came out I too had some issues with it not downloading fully from the myriad uploader sites that the Jihadis had “ostensibly” uploaded it to. I attributed it to a lack of understanding on their part: that the original had been corrupted somewhere along the line between sharing partners and propagated that way. However, given all of the data post release and some looking into, I think there are a couple of scenarios that might fit the bill:
1) The original was sent out to the trusted before going wide. Once sent wide, it was quickly infected with malware by persons unknown and propagated further on the internet.
2) The reason for the placement of the malware could be to sow distrust on the part of the jihadis trafficking in the data, by persons unknown. This makes it an untrusted channel and people will be less likely to download it too quickly in the future. I say this because the malware was easily detectable by current AV products. Had this been a program of the intelligence agencies, they would have indeed used 0day that was not detectable. The same could be said for certain factions of the hacking community who may have an interest in helping the other “community”.
3) This was indeed some sort of poorly conceived exploit by some organization, as the malware was easily detectable.. They screwed up.
I cannot say either way, and I have not yet seen a copy of the “infected” file to prove out that it did indeed have malware embedded in it. The current version that I have on my server (linked above) is clean, but I believe that I have another dirty copy on another *nix box. I will check that later and amend this post once I have. All of this, though, does not lead me to believe that the magazine was part and parcel created by anyone else but a jihadist movement faction that offered it to AQAP.
You can go on the cues from above about the language and the other telltale clues that this is not a straight-out work of GIMF or As Sahab. The writer of the article is right on this account in that the language would have been much better constructed by bilingual speakers of Arabic and English, as you have seen in the past. The Al-Awlaki connection too may be there, but he likely did not have direct oversight of this magazine. In fact, when I pulled the metadata on the PDF file that I got hold of today, there was NONE in it. So it is hard to say who made the file at present. I will check again once I find that dirty copy I downloaded when it came out, for metadata in situ.
As for Giving One Ideas..
All of this has given me ideas on perhaps how the information war should be waged against AQ and other online Jihadist movements, if it isn’t already being done by the likes of the NSA. What if such PDF files were commonly compromised with 0day? The jihadists usually traffic pretty much only in PDF files nowadays. If you go to their sites you can’t even get a lock on the files there because they have uploaded them all to share sites all over the globe. So, who’s to say that there aren’t some governmental bodies out there with access to those .com and .net sites that are infecting the files soon after the uploads happen?
I’d be doing that…
Hell, I’d be loading the files with malware for all the major OSs out there, not just Windows variants… Although we know a good percentage of these online jihadis are using Windows, as you may have seen in the posts I have made. The only problem then would be that if you are doing this to the downloaders, it leaves the creators still potentially unaffected.. How to get the creators’ boxes, I wonder….
I guess the question is… is this already being done? If not.. Why not? Seems to me that we could get a pretty nice haul if you compromised all those downloaders’ boxes and set up a nice back channel server somewhere to aggregate all the data as well as do some escalation….
Maybe the government just needs a good copy of Core Impact huh?
CoB
Worm Win32/Stuxnet Targets Supervisory Systems in the U.S. and Iran
According to ESET Virus Lab, the worm has been active for several days, lately in the U.S. and Iran, with almost 58 percent of all infections being reported in the United States, 30 percent in Iran and slightly over four percent in Russia. The cyber attacks in the U.S. and heightened activity of the worm in Iran come in the wake of persisting tensions between the two nations over nuclear ambitions of this Middle Eastern country.
“This worm is an exemplary case of targeted attack exploiting a zero-day vulnerability, or, in other words, a vulnerability which is unknown to the public. This particular attack targets the industrial supervisory software SCADA. In short – this is an example of malware-aided industrial espionage. The question is why the chart of affected nations looks as it does,” said Juraj Malcho, head of the Virus Lab at ESET’s global headquarters in Bratislava, Slovakia.
An interesting angle to this story is how the worm spreads. “For a truly targeted attack it would have been coded to make specific checks to see that it only ran where it was supposed to and did not spread. Spreading increases the odds of detection. If the attack was aimed at only US systems, then the attacker would not want the code appearing all over the world. This fact might indicate a number of potential attackers,” said Randy Abrams, director of technical education at ESET in the U.S. “The ability to attack power grids throughout the world would be very appealing to terrorist groups,” concludes Abrams.
Full article HERE
Interesting choice of countries to attack… What would be the motivation for just those two countries in a targeted attack? Could there be some cross-pollination due to the actions of one country on another? Let’s say, for instance, Iran got infected by something they procured or had access to within the US? Or vice versa? My bet, though, is that this is a targeted attack on the systems themselves and not country-centric. Any country using like technology likely has the new worm in their midst and may not know it.
Of course, just how many SCADA systems are prevalent today? As well, just how many have been connected to systems that face the internet in some way? That is the operative question I guess…
As for the contention that this is industrial espionage.. Well, I might think it is more groundwork for something else… Here it comes…
Cyber Warfare. Oh my, I said it, didn’t I huh.. The talk lately has been so back and forth between detractors and believers that no one really is getting “it”. No matter what you call it, no matter who you want to attribute it to as attackers go, here is the proof of concept that even if it is not “happening successfully” yet, they are trying. That is the important thing to keep in mind. What people fail to understand is that the whole US grid need not be knocked out to make a cyber war or for it to be successful. All you really need is for the target of your choosing, the one that will fulfill your desired outcome, to be taken down or subverted in whatever way you want it to be.
I am sure the bickering will continue and the government will look at this and think they have to create another agency or sub group to think about it more.. In the meantime though, we still have the problem of these systems perhaps being connected to networks that are not secure; what’s worse, those networks may in fact be internet facing and thus able to be C&C’d from remote locations like mainland China.
Meanwhile….
More has come out about this 0day and the supervisory systems attack (I wonder if that is the only vuln attacked here or is it just one of many coded into this effort?). It seems that the Siemens software, and an old and well-known SCADA password for it that is out on the internet, have been coded into this and have been seen in the systems spoken of above.
IDG reported that Siemens issued a warning on Friday saying the virus targets clients using Simatic WinCC, one of the company’s industrial control system software offerings that runs on Windows. The virus strikes at a recently discovered Windows bug that affects every Microsoft operating system, including the recently released Windows 7.
The virus transmits itself through infected USBs. When the USB is plugged in to a computer, the virus copies itself into any other connected USBs and, if it recognizes Siemens’ software, it tries to log in to the computer using a default password.
Read more: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/07/19/BUBC1EDTIS.DTL#ixzz0uPyQ8AGn
Now this article has language from Siemens that alleges industrial espionage and not so much a prelude to attacks on a networked system such as the grid. One wonders just what the straight story is here. In either case, the incursion of the worm and the use of a known password/login to a SCADA system is not a good thing for those of us trying to protect said systems. Would not one looking at this on the face of it think that it was an attempt to gain a foothold as well as intel on SCADA systems for future use?
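As an added detection example (not code from the original post, ESET or Siemens), the following correlates the two host signals described above, a removable-media mount followed by a logon to the WinCC database with a vendor-default account, and grades each default-account logon by whether removable media appeared shortly before. The log format, host names and sample lines are constructed for this example, and DEFAULT_DB_ACCOUNTS holds a placeholder, not the real default account.

```python
"""Correlate removable-media mounts with vendor-default database logons.

Added example, not code from the original post, ESET or Siemens. Log format,
host names and sample lines are constructed; the default account name is a
placeholder.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Placeholder for the vendor-default account(s) an operator would list here.
DEFAULT_DB_ACCOUNTS = {"VENDOR_DEFAULT_ACCOUNT"}
# A default-account logon this soon after a removable-media mount on the same
# host is graded as the worm-like chain rather than a careless operator.
WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str    # "usb_mount" or "db_logon"
    detail: str  # drive letter for usb_mount, account name for db_logon


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ISO timestamp> <host> <kind> <detail>'."""
    ts, host, kind, detail = line.split(maxsplit=3)
    return Event(datetime.fromisoformat(ts), host, kind, detail)


def correlate(events: List[Event]) -> List[Dict[str, str]]:
    """Return one alert per default-account logon.

    Severity is 'high' when the same host mounted removable media within
    WINDOW beforehand, otherwise 'medium' (a default account in use on a
    SCADA host is still worth a ticket on its own).
    """
    last_mount: Dict[str, datetime] = {}
    alerts: List[Dict[str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "usb_mount":
            last_mount[ev.host] = ev.ts
        elif ev.kind == "db_logon" and ev.detail in DEFAULT_DB_ACCOUNTS:
            mounted = last_mount.get(ev.host)
            chained = mounted is not None and ev.ts - mounted <= WINDOW
            alerts.append({
                "host": ev.host,
                "account": ev.detail,
                "severity": "high" if chained else "medium",
                "reason": ("default-account logon %s after removable media mount"
                           % (ev.ts - mounted)) if chained
                          else "default-account logon with no recent removable media",
            })
    return alerts


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Parse a whole constructed log and run the correlation over it."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return correlate(events)


# Constructed sample log: three hosts log on with the default account; only
# hmi-01 does so within minutes of a USB mount, hmi-04's mount is an hour old.
SAMPLE_LOG = """\
2010-07-19T08:00:00 hmi-01 usb_mount E:
2010-07-19T08:03:12 hmi-01 db_logon VENDOR_DEFAULT_ACCOUNT
2010-07-19T09:15:00 eng-ws-02 db_logon operator_j
2010-07-19T10:00:00 hmi-03 db_logon VENDOR_DEFAULT_ACCOUNT
2010-07-19T11:30:00 hmi-04 usb_mount F:
2010-07-19T12:30:00 hmi-04 db_logon VENDOR_DEFAULT_ACCOUNT
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["severity"], alert["host"], alert["reason"])
```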
Better keep your eyes peeled…
Just sayin…
Talk on Chinese Cyber Army Pulled From Black Hat: Nothing To See Here… Move Along…
“Operation Aurora, GhostNet, Titan Rain. Reactions were totally different in the US and in Asia. While the US media gave huge attention, Asia finds it unbelievable and interesting that cyber warfare and government-backed commercial espionage efforts that have been well established and conducted since 2002, and have almost become a part of people’s lives in Asia, caused so much “surprise” in the US.
Here we’ll call this organization as how they’ve been properly known for the past eight years as the “Cyber Army,” or “Wang Jun” in Mandarin. This is a study of Cyber Army based on incidences, forensics, and investigation data since 2001. Using facts, we will reconstruct the face of Cyber Army (CA), including who they are, where they are, who they target, what they want, what they do, their funding, objectives, organization, processes, active hours, tools, and techniques.”
Full article Here:
“We’ve been hacked! Oh wait, you’re in Paris… You can’t help us.. CLICK”
Color me not surprised to see that this talk was yanked off of the BlackHat schedule. This is specifically in light of the fact that the presenter is from Taiwan, a protectorate of China, and likely, if the talk had gone ahead, the speaker and his company would have been sanctioned by the Chinese government. Though it could be that there are other players here who may not want some bits of information out in the open, but who’s to say at this juncture? Suffice to say that something in this iteration (and there have been other versions of this same talk given) got them spooked.
The other comment that struck me was the red text above that mirrors what I have been saying all along since the whole Google APT thing erupted onto the media stage here in the states.
This is nothing new.
The Chinese have been at this for some time, just as other countries have been doing the same thing. It is just perhaps the scale and the persistence that have been the key to the difference here. The Chinese have the 1000 grains of sand approach that is culturally specific to them. They took that notion, the game of “Go” and what they learned from Sun Tzu, then applied it to their cyber warfare/infowar stratagem. It’s only a natural progression really, given their culture and history. What really takes me aback is just how ignorant the West (à la the US) seems to be of this; it has me wondering just what navel they have been gazing at all of this time while the Chinese ate our collective lunches.
So here we are, months after the Google revelations and years after the successful attacks that no one dare name for fear of national security, or perhaps national egg on the collective national face, with regard to past incursions on sensitive networks. You see, yes Virginia, there have been other incursions, and much more has been stolen via networking infrastructure as well as HUMINT by the likes of China in the past. It’s just that it’s either classified, hush hush, or, more likely, the targets have no idea that they had been compromised and their data stolen. It’s all just a matter of the security awareness that we have had.. Well, nationally that has been in the toilet really, so extrapolate from that the amount of data that has been stolen, ok? Let’s use the JSF as an example of this, as it’s been in the news.
Trending Lately.. APT+JSF = Chinese Love
Now, given that this type of talk has been the “du jour” lately on the security and government circuit, let’s move the target further out and to the left a bit, ok? I have been noticing something in the news that has a direct connection to my last employer, so I will be judicious with my speech here.. How shall I start….
Ok… Lets name the players…
Lockheed Martin: Hacked and about 2TB of data taken out of the systems… Inclusive on the JSF project
(Undisclosed company that makes hot object integral to flight) : Nothing in the news…. wink wink nudge nudge..
The FAA: Hacked and back channeled through trusted networks into Lockheed and ostensibly other companies
The JSF itself.. Well, the Congress wants to keep the program afloat while the main military brass want to kill it. You see, it’s been compromised already, and I suspect well enough that the technical advantages that it was supposed to have are pretty much gone now. You see, all those hacked systems and terabytes of data exfiltrated out were enough to compromise the security of the ship herself and give the enemy all they needed to defeat her “stealth” systems.
Somewhere in China there’s a hangar, a runway, and a Chinese version of the JSF sitting on the tarmac doing pre-flight I think.
So the latest scuttlebutt out there with regard to the cost overruns and the problems with the JSF is just one part of the picture, I think. Sure, there is political intrigue and backstabbing going on too, but were I the military and my new uber plane was no longer uber, nor cost efficient, I would be killing it too and looking for something else to use in theater.
So how did this happen?
Causality: Trusted Networks, Poor Planning, Poor Technical and Procedural Security, and The Human Equation
The method of attack that compromised the networks in question involved a multi-layer strategy of social hacks as well as technical ones. The Chinese used the best of social engineering attacks with technical precision to compromise not only the more secured networks, but also to use trust relationships between companies working on the JSF to get the data they wanted. You see, all of these companies have to talk to each other to make this plane. This means that they will have networked connections either via VPN or directly within their infrastructures to pass data. By hitting the lesser secured network/company/individuals they can eventually escalate privilege or just hop right onto the networks that they want in a back door manner.
Hit the weakest point and leverage it.
In the case of the JSF, the terabytes of data were never really elaborated on but I can guess that not only was it flight traffic data, but integrally, the flight recording data concerning all of the systems on board as the plane was tested. Inclusive to this, if the APT got further into Lockheed and other companies that make the plane, they might have data on the level of actual CAD drawings of parts, chemical analysis and composition details, as well as the actual code written to operate the systems on board the plane for it to function.
In short, all of the pieces of the puzzle on how to make one.
Sure, there must be gaps; I am sure that they did not gain access to some ITAR/EAR data, but given the nature of the beast, they can infer some things and in other areas perhaps get analogous or dual-use technologies to fill in the gaps. The two terabytes are the only terabytes that we “know of”, or shall I say are allowed to know of. It is highly likely that that data is not the only stuff to be taken. It’s just a matter of finding out whether it has been.. And in some cases they can’t even tell, because of the poor security postures of those companies involved.
The reason for these companies’ (with the exception of Lockheed’s) lack of insight into their security is simply that they have not been corporately aware enough to care about it… Yet. Perhaps now they are getting better after the hacks on Lockheed and others, but it has been my experience that even after a big hack is exposed in the news, many corporate entities take an “it can’t happen to me” attitude and go on about BAU until they get popped and put on the news. What’s more, the Chinese know this and use it to their advantage utterly.
You see, it’s not just all about super technical networking. It’s also because they don’t even have solid policies, procedures, response plans, and other BASIC security measures in place or being tested and vetted regularly. This negates the super cool technical measures that they might have bought from the likes of IBM and CISCO, because Johnny Bonehead C level exec says he MUST have a 4 character password and ADMIN access to his machine.
All against policy… If they do indeed have one on that…
Failure is imminent unless the sum of the parts is in working order. This means the dogma of policy, security education, incident response, RBAC, etc., the CIA triad, are in place and have acceptance from the upper echelon of the company. All too often this is not the case, and thus easy compromise occurs.
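The "hit the weakest point and leverage it" path through partner trust relationships can be modelled so that the defender sees which link to harden first. This is an added example, not code or data from the original post or any of the companies named: the partner names other than Lockheed, the resistance scores and the trust levels on each link are all constructed, and the point is the method, not the numbers.

```python
"""Least-resistance path through contractor trust links (added example).

Nodes are networks; each carries an assumed "resistance" score (higher is
harder to compromise). Links carry a trust level in [0, 1]: entering a network
over a trusted VPN/partner link skips part of its perimeter, so the cost of
entering it that way is resistance * (1 - trust). All values are constructed.
"""
import heapq
from typing import Dict, List, Tuple

Link = Tuple[str, str, float]  # (network_a, network_b, trust level)

RESISTANCE: Dict[str, float] = {
    "internet": 0.0,
    "lockheed": 9.0,        # well defended
    "faa": 3.0,             # constructed: weaker, but trusted by lockheed
    "parts-supplier": 2.0,  # placeholder for a smaller contractor
    "avionics-sub": 6.0,    # placeholder for a mid-tier subcontractor
}

TRUST_LINKS: List[Link] = [
    ("internet", "lockheed", 0.0),        # perimeter, no trust
    ("internet", "faa", 0.0),
    ("internet", "parts-supplier", 0.0),
    ("faa", "lockheed", 0.7),             # trusted data exchange link
    ("parts-supplier", "avionics-sub", 0.5),
    ("avionics-sub", "lockheed", 0.8),    # engineering VPN, highly trusted
]


def weakest_path(resistance: Dict[str, float], links: List[Link],
                 source: str, target: str) -> Tuple[float, List[str]]:
    """Dijkstra over the trust graph; returns (total cost, path)."""
    adj: Dict[str, List[Tuple[str, float]]] = {}
    for a, b, trust in links:
        adj.setdefault(a, []).append((b, trust))
        adj.setdefault(b, []).append((a, trust))
    dist = {source: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == target:
            break
        if d > dist[node]:
            continue  # stale heap entry
        for nxt, trust in adj.get(node, []):
            cost = d + resistance[nxt] * (1.0 - trust)
            if cost < dist.get(nxt, float("inf")):
                dist[nxt] = cost
                prev[nxt] = node
                heapq.heappush(heap, (cost, nxt))
    if target not in dist:
        return float("inf"), []
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return dist[target], path[::-1]


def harden_link(links: List[Link], a: str, b: str) -> List[Link]:
    """Model segmenting a partner link: its trust drops to 0, so traffic over
    it faces the full perimeter again."""
    return [(x, y, 0.0 if {x, y} == {a, b} else t) for x, y, t in links]


if __name__ == "__main__":
    cost, path = weakest_path(RESISTANCE, TRUST_LINKS, "internet", "lockheed")
    print("weakest path: %s (cost %.1f)" % (" -> ".join(path), cost))
    hardened = harden_link(TRUST_LINKS, "faa", "lockheed")
    cost, path = weakest_path(RESISTANCE, hardened, "internet", "lockheed")
    print("after hardening faa link: %s (cost %.1f)" % (" -> ".join(path), cost))
```

With the constructed numbers the cheapest way in runs through the trusted FAA link rather than Lockheed's own perimeter, and hardening that one link shifts the weakest path onto the supplier chain, which is the next link to examine.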
Circling Back To The BlackHat Talk:
Ok, circling back now after my diatribe… My bet is that both parties (China and the US) did not want this talk to go on, depending on the data that was within. Some red faces would likely have ensued, and/or it would have given people ideas on where to attack in the future also. It’s a win-win for all concerned if the talk was made to go away and well, it did, didn’t it? Unless this guy quits his job, moves away from Taiwan and then gives the talk anyway. I doubt that is going to happen though.
In the end, the cyber “war” has been going on for years… Well, more like cyber “espionage”, but in today’s long view I see them as the same thing. After all, a good cyber warfare stratagem includes compromise of key systems and data in order to make them useless at the right time.
The Cyber War has been raging since the 90’s. It’s just that the American people and media have only recently heard of the “internents” being vulnerable.
Wakey wakey…
CoB