Archive for the ‘The Short Con’ Category
JIHADI’S HOLD LEGION OF DOOM CON CALL!! WOULD YOU LIKE TO KNOW MORE?
AZIJ XXRZ HMCKIDACVA GZ UZZW!
The Legion of DOOM!
Yesterday the camel’s back finally snapped in my head after reading a post on Harper’s Magazine entitled “Anatomy of an Al Qaeda Conference Call” which the author called into question the whole story that was put out by the Washington Times and their “anonymous sources” The paper claimed that Ayman Zawahiri and all the heads of the various jihadi splinter groups got onto their polycom phones and their SIP connections to have a “concall” as we say in business today.
You all may remember the heady headlines in the last couple weeks where the mass media picked up on this story and began scribbling away on how the so called jihadi “Legion of Doom” dialed in for a sooper sekret meeting to plan the end of our Western Civilization. Now, I am sure some of you out there have seen my screeds (140 chars at a time more so recently) on just how we get played too often by the media and the government on some things but this, this is just epic stupid here. If you or anyone you know believed any of this claptrap coming from the media please seek psychiatric attention post haste.
Let me tell you here and now and agreeing with the article cited above, that the “LOD” did not have a skype or asterisk call to plan our downfall. At the most they likely had a meeting of the minds in a chat room somewhere within the jihadist boards out there or had a server set up somewhere for them all to log into an encrypted chat. I lean towards the former and not the latter as they usually lack subtlety online. Though, given the revelations from Mssr “Snowman” I can see how the prudent Ayman would want this to be on it’s own server somewhere and for people to authenticate locally and encrypted on a system that does not keep logs… But I digress…
Suffice to say that a group of leaders and minions thereof got together for a chat on <REDACTED> and that they talked about plans and ideas (from hereon I am going to coin the term ideating) for the destruction of the West and the raising of a new global caliphate. Does that sound familiar to you all? Gee, I can’t seem to put my finger on where I have heard that one before. … So yeah, there was a meeting, there were minions, and there were plans but here’s the catch; NOTHING WAS SAID THAT ALLUDED TO A REAL PLAN! No, really, there wasn’t any solid evidence that prompted the closing of the embassies all over. It was a smoke and mirrors game and YOU all were the captive audience!
As you can see from the article cited there seems to be a lot amiss with all of this now that some reality has been injected into the media stream of derp. Why was this all brought to you in the way it was put out there by the media? Was it only the demented scribblings of one reporter seeking to make copy for his dying paper? Or was there more to it? Was there a greater plan at play here that would have the media be the shill to the duping of the public in order to make them see say, the NSA in a different light in these times of trouble for them?
Makes you wonder huh?
DISINFORMATON & OPSEC
So yeah, a story comes out and there are “sources” sooper sekret sources that are telling the reporter (exclusively *shudder with excitement*) that the Great Oz of the NSA has intercepted a LIVE call with the LOD and that it had scary scary portents for us all!
WE. ARE. DOOMED!
That the NSA had help prevent a major catastrophe from happening because they had the technology and the will to listen in on a conversation between some very bad dudes like Ayman and the new AQAP leaders plotting and planning our cumulative demise.
*SHUDDER*
The truth of the matter though is a bit different from the media spin and disinformation passed on by the so called “sources” however. The truth is this;
- The “con call” never happened. There was no set of polycoms and Ayman is not a CEO of AQ.
- The fact is that Ayman and many of the other “heads” of the LOD were not actually there typing. It was a series of minions!
- The contents of the “chat” were not captured live. There was a transcript captured on a courier that the Yemeni got their hands on and passed it on to the Western IC. (So I have heard, there may in fact be a chance they captured the stream using this guys acct) the Yemeni that is, not so sure it was us.
- As I understand it, there was nothing direct in this series of conversations that gave any solid INTEL/SIGINT that there was a credible threat to ANY embassies.
There you have it. This has been WHOLLY mis-represented to the Amurican people. The question I have is whether not there was an agenda here on the part of one of the three parties or more.
- Right wing nutbag Eli Lake
- The “anonymous sources of intel”
- The “anonymous sources handlers”
These are the key players here that I would really like to get into the box and sweat for a while. After the madness was over and sanity let it’s light creep into the dialog, we began to see that these so called sources were no more or less better than “CURVEBALL” was during the run up to the Iraq war. In fact, I guess you could say they were less effective than old curveball because we did not actually go into another half baked war on bad intelligence this time did we?
Another question that should be asked here is why was this information leaked in this way to the press on an ongoing operation that I would say might be pretty sensitive. I mean, you have a channel into a chat room (or *cough* con call as the case may be har har) that you could exploit further and yet you decide to close all the embassies and leak the fact that you have closed said embassies because you intercepted their sooper sekret lines of communication?
*blink blink*
Holy what the Hell? What are you thinking POTUS and IC community? Oh, wait … Let me ideate on this a bit….
- The intel community is in the dog house right now because of the SNOWMAN FILES yup yup
- So a WIN would be very very good for PR wouldn’t it? I mean you don’t have to hire a PR firm to figure this one out right?
- HOLY WIN WIN BATMAN! We tell them we foiled their plans using sooper sekret means that the public hates for infringing on their “so called” rights and we can win hearts and minds!
Could it be that simple?
All joking aside though, think about it. Why blow an operational means of watching how the bad guys are talking UNLESS it was never something you really had access to in the first place right? You could win all around here (though that seems to be backfiring) IF the Yemeni passed this along and it was after the fact then how better to make the AQ set abandon the channel by saying you had access to it?
Right…
How better also to try and get a PR win by alluding (ok lying lying lying with pantalones on fire!) that you had compromised (you being the NSA and IC here) said channel! I guess overall the government thinks that the old axiom of “A sucker born every minute” still applies to wide scale manipulations of stories in the media to sway thought huh? Oh and by the way, if any of you out there think this is just too Machiavellian I point you to all those cables dropped by Wikileaks. Take a look at the duplicity factor going on in international realpolitik ok?
Political Wag The Dog
It seems after all once all the dust has settled that either one of two things happened here;
- Eli Lake did this on his own and played the system for hits on his paper’s page
- Eli Lake was either a witting or un-witting dupe in this plan to put out some disinformation in a synergistic attempt to make the IC and the government look good on terrorism in a time where their overreach has been exposed.
It’s “Wag The Dog” to me. Well, less the war in Albania right? I suggest you all out there take a more jaundiced eye to the news and certainly question ANYTHING coming from “ANONYMOUS SOURCES” on NATSEC issues. It is likely either they are leakers and about to be prosecuted, or there is a cabal at work and DISINFORMATION is at play using the mass media as the megaphone.
Sorry to sound so Alex Jones here but hell, even a clock is right twice a day.
K.
The Lulzboat Sailed The Internets and All I Got Was This Stupid Garbage File!
That’s it? All we get is this stinkin garbage file?
Well, it seems that the Lulz are over for now as last night saw the Lulzboat sail into the sunset. In a post on twitter and a rapidly seeded file dump on Pirate Bay, the LulzSec collective decided to hang up their tophat claiming that they were basically going to pull a Costanza at the top of their game.
Within the torrent file the following parting words were sent:
Friends around the globe,
We are Lulz Security, and this is our final release, as today marks something meaningful to us. 50 days ago, we set sail with our humble ship on an uneasy and brutal ocean: the Internet. The hate machine, the love machine, the machine powered by many machines. We are all part of it, helping it grow, and helping it grow on us.
For the past 50 days we’ve been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others – vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy. It’s what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures. You are not failures. You have not blown away. You can get what you want and you are worth having it, believe in yourself.
While we are responsible for everything that The Lulz Boat is, we are not tied to this identity permanently. Behind this jolly visage of rainbows and top hats, we are people. People with a preference for music, a preference for food; we have varying taste in clothes and television, we are just like you. Even Hitler and Osama Bin Laden had these unique variations and style, and isn’t that interesting to know? The mediocre painter turned supervillain liked cats more than we did.
Again, behind the mask, behind the insanity and mayhem, we truly believe in the AntiSec movement. We believe in it so strongly that we brought it back, much to the dismay of those looking for more anarchic lulz. We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us. The support we’ve gathered for it in such a short space of time is truly overwhelming, and not to mention humbling. Please don’t stop. Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve.
So with those last thoughts, it’s time to say bon voyage. Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.
Thank you for sailing with us. The breeze is fresh and the sun is setting, so now we head for the horizon.
Let it flow…
Hrmmm.. 50 days? Is there any real significance to this other than perhaps the party van was pulling up outside your doors and you had to dump the garbage file quick like? Honestly, the files that you dumped, while in sheer numbers of passwords and logon’s to a few sites is well, kinda weak. In short, there is nothing revelatory here. I mean, jeez at LEAST the garbage file in the movie had some interesting malware shit in it right?
The Files:
So, we have some AT&T data from inside that cover some frequency ranges, and some manuals, minutes from meetings etc that are kind of interesting. There is a scan of the FBI.gov site that shows a vuln, and they managed to add Pablo Escobar to the Navy jobs database.
Whoopee.
All in all I have to give the Lulzsec crew a big “MEH” on this as well as their other dumps really. Sure, they have pointed out that low hanging fruit is abundant on the internet, but, really, who in the security or hacking world did not know this? Further more, what does the average everyday end user care? I mean, if their passwords are stolen, they will reset them. If their money is stolen they are insured by the Fed… Is there a great hue and cry from the masses because Lulz were had by the general populace to have the Lulzboat crew hoisted on the yard arm?
Not that I have seen.
In short kidz, you have only served to amuse yourselves and others out there but if you had anything else in mind about bringing change to the scene, I don’t think you have succeeded. People are creatures of habit and sloth. Short of taking the whole system down for the count, nothing will be so epic as to make corporations secure their networks and perform due diligence. Those who have done so out of worry because of your antics will go back to their peaceful Luddite slumber.
Leaving So Soon?
So, on to your sudden departure from the scene. I have the feeling that as I had written about before, you were coming to realize that perhaps you could never be as clever or wily to evade detection and prosecution given your penchant for the dramatic you all seem to have. Your propaganda machine and communication channels were leaking, this you could see from the A-Team dumps.
You guys have tried variations of your names, you have attempted obfuscate as much as you could, but, in the end, your re-use of favored screen names was your undoing. You see, the jester has been scouring the internet (I am sure with help from others) looking for any connections to those screen names or iterations thereof. I myself have done this and came up with analogous data to what jester and others have posted. With each successive day, your true identities are being uncovered if they have not fully been as of now.
However, this re-use of nick names and ties to email addresses aside, you guys just were immature enough to do yourselves in with petty disputes and the use of non trustworthy assets. This whole outing of each other thing was one of the most stupid things I have seen. Sure, some of it could be digital chaff, with you trying to set out disinformation, but I think that is not the case. Your own hubris shall be the thing that ends up placing the party vans on your collective front steps.
Lets face it, you played the game of spooks and I think in the end, you will lose. In fact, I think that you should probably have been better off had you just gone off seeking some sharks with frikkin lazers on their heads in your volcano lair instead of playing with the fire that you have been. Once they do pop you, you all are going to see some very interesting things inside jail as the governments kluge together terrorism charges on you.
Your Legacy:
Well, I guess we will have to see if anyone decides to take up the Lulzsec mantle. For now, we all await the party van posse to pick you all up sooner or later. You have spawned some more fools though like Team Poison who want to up the ante with releases of data like old Tony Blair stuff… That was kinda lame too frankly and made so sense when they claimed to still have access.. Why dump what you have and then claim to still have access? If it was current, I am pretty sure they have yanked the plug on that mail server and ‘five’ has it.
Oh, did you take that into account? I mean, he is Tony Blair after all… They are MI5… ‘Expect them’
So where was I?… Oh yeah..
In all of your dumps you delivered nothing worth your or our time. You proved a point that SQLi is prevalent but who didn’t know this? You have proved that you were pretty immature and likely suffer from Asperger’s yourselves… Well that will be the claim that your lawyers make to the judge won’t it huh? I mean that is the mental illness du jour as excuses go for immature hacking antics today isn’t it? I don’t think that will work though, the government just doesn’t care, they will medicate you and then put you on trial. You see Asperger’s is not a form of insanity, and the insanity plea, as some of us know, is NOTORIOUSLY hard to use as a defense in court. Nope, you guys really actually suffer from inflated ego’s and too much jolt cola.. That’s my diagnosis, for what its worth.
So, yeah, legacy… Well, you certainly have tried to do your best imitation of SPECTRE, but instead you came off as Bighead. I am sure there will be others following in your footsteps, but, in the end I don’t think you have launched a new SPECTRE.
Nope, I expect your real legacy will be the creation of more draconian laws by the government as a backlash to your antics. Laws that will make all our lives a bit more less private and a lot more prone to being misused. I also expect that the lulz will continue, though at your expense once you are all caught and put into the pokey.
… And those lulz will also be epic fail.
K.
Getting Into Bed With Robin Sage: The Fallout & The Proof of Concept
So why the pictures of Anna Chapman you ask? Well, because it may well have been Anna on the profile.. The principle is the same.
The Robin Sage Affair:
Recently, the INFOSEC community found itself with its virtual pants around its digital ankles through the machinations of “Robin Sage” a faux profile created on a number of social networking sites including InkedIn. The profile sported a goth girl and the attending personal data claimed that she worked for N8 Naval Warfare Center and was basically the inspiration for Abby Sciuto, a character from NCIS (Naval Criminal Investigative Service) on CBS.
The man behind the profile and the experiment is Thomas Ryan, the co-founder and Managing Partner of Cyber Operations and Threat Intelligence for Provide Security. His idea was to test the social networking process to see if he by proxy of this profile, could get people to just add Robin without any real vetting. A secondary part of the experiment was also to see just how much information could be gathered by the cutout and see just how damaging such actions could be to end users who “just click yes” to anyone who wishes to be added.
In the end, within a 28 day period the account harvested not only compromising data (much of the worst from LinkedIn) but also invitations to speak at conferences, job offers, and I am sure, the odd lascivious offers to “meet” The byproduct of this experiment in the short term (after her outing, so to speak) is that the Infosec community members who were duped are feeling, well, a bit sheepish right now. After all, these are the people who are supposed to be teaching others on how not to get compromised like this. Especially so with a social engineering exploit that worked so knee jerk well.
Twitter has been abuzz with condemnation and who knows what’s being said in the halls of power and in the military since many of the folks who got duped were military operators. All of this though glosses over a pertinent fact for me however. One that may be in fact brought out in the talk at Black Hat, but I thought it interesting to write about here. The problems of how humans are wired neurologically and our needs to be “social” We come pre-loaded and then taught social norms that are counter much of the time to secure actions.
Hardwired:
It is my contention that human beings are a social animal that are wired and trained to be trusting as well as gullible when a pretty woman says “please add me” Sure, we can train ourselves to be skeptical and to seek out more information, but, in our society of late it seems that we have even lost more of this capability because we do not teach critical thinking in school as much as wrote learning. Of course this is just one aspect of a bigger picture and I really want to focus on the brain wiring and social training.
As social animals, we ‘want” to be social (most of us that is) and long to communicate. After all, that is what the internet is all about lately huh? Not being actually in the room with people but able to talk/chat with them online in “social networks” In other cases we are forced to be social in the sense that our lives depend on our social natures. We cooperate with others, we live with others and we depend on others for our safety in numbers, infrastructure continuance, etc. Thus we evolved into tribes, clans, societies, and now its going global. All of this is predicated on some modicum of trust in relationships.
Trust relationships though are just one thing. We trust as we walk down the street that the people walking toward us will not whip out a gun and just start shooting at you. We trust that the driver on the other side of the road will not just veer out in front of us for no apparent reason because that would be counter productive and not the “norm” However, these things can and do happen from time to time, yet, we do not find ourselves on permanent alert as we walk the streets because if we were then we would be a wreck. Turning that around, we would then be seen as paranoid and not “normal”
See where I am going with that?
So, in the sense of online social networks and security, these things are just diametrically opposed. If you want to be social, don’t enter into areas of discourse where your “security” is supposed to be protected. It is akin to walking up to a stranger and telling them your doors at home are unlocked most of the time. Believe me it happens now and then, but don’t you then start thinking that that person just has something fundamentally wrong with them? Its the same for any online relationship. Nickerson said it best.. Unless you really know them or have.. “spit roasted” someone with them, then don’t add them or tell them secret things… But.. Then there is that whole trust issue.
We are trusting and want to follow social norms. THIS is why social engineering works so well! We are just wired for it and to change these behaviors really requires training.
Additionally, lets take into account the hotness factor with this particular experiment. The pictures of “Robin” were obvious to some as being of someone who would NOT have a job at N8 or any facility/group with classified access and responsibilities. I took one look and thought;
“Look at that nip slip and belly shot there on the Facebook.. No way this is a real profile because her clearance would be yanked ASAP”
Others though, may have looked at those pics and thought “damn, I want to meet her, I will add her and chat her up” This begs the question of just what the ratio was of men to women who asked to be added or just clicked add on the Robin Sage profile. Were the numbers proportionally higher men to women I wonder? I actually believe that to be the case. In fact, this is an important thing to take note of as we are dealing with a very familiar tactic in espionage realms.
“The Swallow” or “Honeytrap”
How many have fallen for the “Russian Secretary” over the years and then been turned into an agent for Russia? The same principle is being used here. The bait is a cute goth chick who happens to work in the very same field you do! A field mind you that is still primarily loaded with guys. So this is just moth to the flame here. It is so common that perhaps we cannot get past our own hard wired brain and sexual drives huh? It will be interesting to see the talk at Black Hat to get the stats.
The Community:
So, once again, those who got spanked by this and are griping now, I say take a long look at the problem. You fell victim to your own programming. You could potentially have not fallen prey to it, and perhaps in the future you won’t, but, take this as a learning experience and move on.
Use this experience to teach others.
Object lesson learned.
Full CSO article HERE
CoB
Let’s File This Under: No Shit Sherlock
Internet-based attempts to steal U.S. military technology via defense contractors are on the rise, according to an annual Department of Defense analysis of data supplied by the defense industry.
Not only are network probes and intrusions on the increase, the Department of Defense said in the report, which it released late last month, but so are “bold and overt” requests for information made via e-mail and even social networks.
Information systems are the most-heavily targeted of military technologies, according to the report, closely followed by aeronautics. Efforts to get details on unmanned aerial vehicle technology are becoming so widespread that the report broke out a separate section about UAVs, finding that, there, too, foreign elements are looking for information on UAV IT systems.
Full Article HERE:
Yet again, this is not news per se.. This has been going on for some time at the defense contractors as well as other places of business. The Chinese are very adept at this.. Well sometimes not so “adpet” as much as persistent. Often they will send people on “knowledge exchanges” to get data from companies by simply asking for it nicely.
Often that is all it takes much to the chagrin of the companies that have been thieved from by such exploits. The new twist though has been the use of the social networking angle. Of course the APT is agile enough to figure out that this is a great way to socially engineer what they want from some shmuck online. Whats more, many of these companies may in fact NOT have any rules on their employees use of social media at the office, never mind any guidance of what not to publish personally about work.
Know what it’s gonna take to prevent this stuff?
Education of users!
GAH! I SAID IT!
Many are loathe to hear such things… But, that’s the key kids. I was thinking about it this morning as I listened to NPR’s second installment on cyberwar. Many of the problems we face today in the private sector where cyberwar is concerned stem from user issues as well as uneducated management. The combination of the two can be a potent recipe for major PWN.
When management doesn’t get security, and does not teach or mandate security principles for the EU’s, then you have a complete FAIL on security measures. So much so that in some cases I have been party to, servers are placed into environments un-patched and effectively pre-pwn3d by lack of due diligence and due care to secure them.
Suffice to say that in some cases these low end social engineering attacks are the least of their worries… But they trundle on developing more insecure homegrown apps and buying every COTS package that promises to secure the shit out of them but in reality does little to protect them. Without education of the users and management, you have a null sum game.
Anyway, back to the Chinese… Yes, they have been calling/emailing/Friend-ing for a while now to use the OSINT/Social Engineering/ Pretexting exploits that work ever so well on an innocently slumbering nation.
It’s not new. It’s just the news du jour… How about some education huh?
CoB
Two Dimensional Thinking on APT Matters
by Richard Bejtlich at Taosecurity
I expect many readers will recognize the image at left as representing part of the final space battle in Star Trek II: The Wrath of Khan. During this battle, Kirk and Spock realize Khan’s tactics are limited. Khan is treating the battle like it is occuring on the open seas, not in space. Spock says:
He is intelligent, but not experienced. His pattern indicates two-dimensional thinking.
I though this quote could describe many of the advanced persistent threat critics, particularly those who claim “it’s just espionage” or “there’s nothing new about this.” Consider this one last argument to change your mind. (Ha, like that will happen. For everyone else, this is how I arrive at my conclusions.)
I think the problem is APT critics are thinking in one or two dimensions at most, when really this issue has at least five. When you only consider one or two dimensions, of course the problem looks like nothing new. When you take a more complete look, it’s new.
- Offender. We know who the attacker is, and like many of you, I know this is not their first activity against foreign targets. I visited the country as an active duty Air Force intelligence officer in 1999. I got all the briefings, etc. etc. This is not the first time I’ve seen network activity from them. Wonderful
- Defender. We know the offender has targeted national governments and militaries, like any nation-state might. What’s different about APT is the breadth of their target base. Some criticize the Mandiant report for saying:The APT isn’t just a government problem; it isn’t just a defense contractor problem. The APT is everyone’s problem. No target is too small, or too obscure, or too well-defended. No organization is too large, two well-known, or too vulnerable. It’s not spy-versus-spy espionage. It’s spy-versus-everyone.The phrasing here may be misleading (i.e., APT is not attacking my dry cleaner) but the point is valid. Looking over the APT target list, the victims cover a broad sweep of organizations. This is certainly new.
- Means. Let’s talk espionage for a moment. Not everyone has the means to be a spy. You probably heard how effective the idiots who tried bugging Senator Landrieu’s office were. With computer network exploitation (at the very least), those with sufficient knowledge and connectivity can operate at nearly the same level as a professional spy. You don’t have to spend nearly as much time teaching tradecraft for CNE, compared to spycraft. You can often hire someone with private experience as a red teamer/pen tester and then just introduce them to your SOPs. Try hiring someone who has privately learned national-level spycraft.
- Motive. Besides “offender,” this is the second of the two dimensions that APT critics tend to fixate upon. Yes, bad people have tried to spy on other people for thousands of years. However, in some respects even this is new, because the offender has his hands in so many aspects of the victim’s centers of power. APT doesn’t only want military secrets; it wants diplomatic, AND economic, AND cultural, AND…
- Opportunity. Connectivity creates opportunity in the digital realm. Again, contrast the digital world with the analog world of espionage. It takes a decent amount of work to prepare, insert, handle, and remove human spies. The digital equivalent is unfortunately still trivial in comparison.
To summarize, I think a lot of APT critics are focused on offender and motive, and ignore defender, means, and opportunity. When you expand beyond two-dimensional thinking, you’ll see that APT is indeed new, without even considering technical aspects.
Actually, I disagree with Richard in a few ways. Mostly though, I think that the idea of the APT attacks on anything other than just military contractors as being new is a fallacy. This is especially true when you take into account the latest reports on the oil companies being hacked into years ago and only now being reported on or found.
You see you have to look at the “Thousand Grains of Sand” approach that China has taken and see it for what it is. This is not just military because “everything” affects everything else and the Chinese see this. After all, they invented “Go” So they think much more than two dimensionally from the start.
So, the reality is that this is not new. It’s only new to the masses because the mainstream media has picked up on this as well as the government and private companies.
Now, lets twist this another way.
Not only China has these capabilities. How about the avowed interest of Russia post Putin’s speech that pretty much outlines a program like that the PRC has. Surely too you cannot count the Israeli’s out of this game as they really were the biggest industrial espionage group for a while back in the 80’s. Of course they were using more HUMINT than anything else back then, but the paradigms change don’t they? You evolve to survive.
I respect Richard quite a bit, but here we differ. I am one of those saying that this is nothing new. I see it all over the news and hear it in the halls of power now post Google.
“OMG OMG OMG what will we do?”
How about this. We shore up our defenses by making smart choices in the personal and private spaces on information security. We teach our people more about the “loose lips sink ships” mentality from WWII and make them aware of their responsibilities.
Most of this attack happened through Facebook and social engineering exploits teamed up with good digital surveillance and data-mining. The social behaviors of individuals led to the clicking of the links or the lowering of defenses that allowed these attacks to occur.
We need to change the way we think in American business. The military already gets it with OPSEC etc, but that is a foreign word to most people in the work force at the fortune 500. The same rules apply but the playing field has changed and that is all.
We used to tell people to watch for folks without badges, some place still do. We try to educate them to not let people piggyback through the front door. It still happens. We lecture on physical security issues but human nature is strong and we generally want to be helpful. It is in this trait we fail in security awareness.
So, nowadays its not so much meeting someone at a bar and getting into trouble with a swallow. It’s
“Hey I’m your friend! Add me!” Or “Hey, I need that password again can you txt it to me?”
After that the “asset” is no longer needed. That is the paradigm change and no, its not so new.
What can we do? How about we start with some real rules on infosec for the masses. We already have SOX, how about we actually have some real audits with real implications on failure? Whatever happened to HIPAA? It still has no tooth and every day it seems I am seeing more stories on lost patient or user data? Wouldn’t a little hard drive encryption go along way? Or maybe some more tutorials on how NOT to lose your laptop in the back of a car.. In the open.
It’s simply this. Until we change the way we think and act, this type of attack will be used against us and succeed.
CoB
ZOMG China HACKED the US!
Olson told Threat Level that the attackers are “incredibly good” at finding new exploits and infecting the right people but that nothing he’d seen in the malware indicated they were above average in writing malicious code.
“The sophistication here is all about the fact they were able to target the right people using a previously unknown vulnerability,” he says.
Full article on Wired
OMG OMG OMG OMG CHINA used an 0-day to hack defense contractors and Silicon Valley!
… And this is new how? No, really, this is new and deserves all of this attention as if it were incredible news? INCONCEIVABLE! Chinese hackers got us with crafted emails to important targeted people and got them to, no, don’t say it! Can it be true? TO CLICK ON THEIR LINKS OR FILES!!!! NOOOOOOO IMPOSSIBLE!
C’mon news media! C’mon Security Blogosphere! Where have you all been these last oh, at least 4 years? This is NOTHING new! So why all the fuss and why all the OMG I cannot believe this!
To top it off… ad Adobe 0-day surprises you all?
Really?
Shucks.. Say, would you all like to buy a bridge I just happen to own? Perhaps some nice land in Florida?
Let me tell you this is nothing new, nothing innovative and really, all of the security theater that is going to follow in posturing and news cycles will mean nothing. You want to know why? Because people are people and they are the weakest link in the security chain. Basically, its a social engineering exploit.
Click this link! It’s important! It’s from HR! It’s your new PDF version of that book that isn’t out yet! It’s PR0N!
CLICK CLICK CLICK CLICK!.. P0wn.
I have news for you all.. This is not new nor should it be getting all the attention out there that it is. I see this all the time and much of what has been going on is kept quiet by the companies out there being hit. That is, IF they actually catch on to the compromise. I mean geez, how do you think the Chinese got hold of all that data on the JSF from Lockheed huh? What was it 2.5 Gig of data passed out of their network before they caught on?
Nope, now had this exploit been targeted to attack mostly *NIX machines (servers) and had been infiltrated by a hapless technoween’s clicked PDF email.. THEN we would have something. This though… Meh. Face facts that we are just cyber challenged and the Chinese are using this to their advantage. After all, they created the game of “Go” A game most people here would say, “Uh game of what?”
Oh, and another thing.. Seems to me I remember there being charges leveled not too long ago by a Chinese company that Google stole their Pinyin code..
But.. Nah, that never would have happened.. Not Google!
Heh.
CoB
Art Imitating Movies?
Leonardo Notarbartolo strolls into the prison visiting room trailing a guard as if the guy were his personal assistant. The other convicts in this eastern Belgian prison turn to look. Notarbartolo nods and smiles faintly, the laugh lines crinkling around his blue eyes. Though he’s an inmate and wears the requisite white prisoner jacket, Notarbartolo radiates a sunny Italian charm. A silver Rolex peeks out from under his cuff, and a vertical strip of white soul patch drops down from his lower lip like an exclamation mark.
In February 2003, Notarbartolo was arrested for heading a ring of Italian thieves. They were accused of breaking into a vault two floors beneath the Antwerp Diamond Center and making off with at least $100 million worth of loose diamonds, gold, jewelry, and other spoils. The vault was thought to be impenetrable. It was protected by 10 layers of security, including infrared heat detectors, Doppler radar, a magnetic field, a seismic sensor, and a lock with 100 million possible combinations. The robbery was called the heist of the century, and even now the police can’t explain exactly how it was done.
The loot was never found, but based on circumstantial evidence, Notarbartolo was sentenced to 10 years. He has always denied having anything to do with the crime and has refused to discuss his case with journalists, preferring to remain silent for the past six years.
Until now.
The rest HERE
Wired has just published a story on the web that it plans on publishing in their next paper edition on the “Antwerp Diamond Heist” of 2003. I write the title of “Art Imitating Movies” because this story reads much like the script for a “heist” film on par with The “Oceans” series of movies or “The Italian Job” *side note, I am listening to both scores as I read and write about this article**
This heist story brings in all the big plot lines that these films usually have. A group of con artists, technicians, and thugs, an impenitrable vault, and an elusive and as yet un-named mastermind with the funds and the connections to make it happen. Hell, they even had a scale model of the vault just like the movies!
The question is though; “Do we believe this story at all, in part or just a little?”
I for one believe the technical details as they can be seen in the crime scene photos as well as the police reports. Such things as how they defeated the light/heat sensor in the vault with a can of hair spray is a classic hack that has been done. Or perhaps the use of the polystyrene shield to prevent the heat sensor on the exterior from going off by “The Genius”
The working out of the code by watching a video taken by secreted cameras is a bit harder to conceive working, but, it could be done. Even the bypass of the internal electrical pulse and the electromagnetic plates was sheer simple genius that obviously the designers never thought low tech enough to discover their weakness.
Classic.. and well done gentlemen.
Now, how the story played out by the tale told by Leonardo Notabartolo has some interesting twists. The real truth of what happened to the “merch” may never be down. Diamonds are all too easy to traffic, cut, sell, disperse, that they are likely already in your friend “Tom’s” diamond engagement ring he got over at the mall for all we know.
The idea that these guys were played and played so handily really is the thing that trips alarms for me. The article contends that the face man (Notarbartolo), a known Mafia connected guy, who had been a thief since 8 years old, could be so easily duped just doesn’t play. Leonardo’s been around the block, he is no fool, but you are supposed to believe that he would go into a gig like this so trusting of his benefactor/facilitator?
I agree though, what a short con this would make! Imagine carrying off a con where you pocket 100 million in diamonds all the while you have used a talented crew of thieves to do your dirty work. Staggering really, yet so so elegant in play. This too also implies a very large conspiracy by the merchants at that facility. All of them would have to be on board for this to work. Keeping all their diamonds in their personal vaults, somehow shifting them to secure locations instead of being in the vault. Of course they have dirty dealings on a daily basis there no? Not inconceivable.
Overall, this story I think has yet to really play out. How it wil I cannot say…What can I say though… I admire their escapade.. Well sans the pound me in the ass prison part.
Krypt3ia 