Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Tradecraft’ Category

IMPORTANT SECURITY TIPS: Security Tips for Jihobbyists At Majahden

with 5 comments

Security Tips for Majahden2 Users and Jihobbyists

Important Security Tips from Majahden:

The boys at Majahden have been learning lately about how psyops, hacking, disinformation, and being pwn3d works. I suppose since Osama went to live in a pineapple under the sea, they have been taking stock of just how much information they are leaking on the boards out there on the internets. There have been a spate of timely deaths in the AQ camp of late as well as a few arrests, but really, the intelligence coup of finding OBL and whacking him has all the jihobbyists worried that they will be next.

Of course they should be worried, but not only because OBL was popped. You see, we have been inside their shit for some time now and they just did not know it I guess. I have written in the past about sites that I have been poking at and digging through and I know in the case of Al-faloja (may it rest un-peacefully) I was able to get quite a bit of data from them. Since Al-Faloja fell down and went boom, there have been many site re-vamps by many a phpBB admin but they still seem to be on the whole, lacking the skills to really secure their shit.

Oopsies!

So, from their sooper sekret squirrel lair we have the following text from the above screen shot on majahden entitled “Important Security Tips” From this post I can say that they have been learning though. The tips are good and if followed it will make it just a teensy bit harder to track them and eventually have them picked up. Here are some good ones:

  • Trust no one: See a new member asking all kinds of questions about going to jihad? Be wary of them they may be spies
  • Use internet cafe’s to log in and post to the boards because they can track your IP address
  • DO NOT use just one internet cafe! Move around and make sure that you go outside your usual area (where you live)
  • Use a PROXY at the cafe!
  • Be careful though at the cafe because they are on the lookout for swarthy types like us!
  • NEVER give out your real information to ANY forum! (i.e. Bday, phone, etc)
  • Beware of files published to the forums! They could be malware!
  • Beware of popup installs like Java on the boards, they are not proper and likely a means to compromise you!
  • Beware people asking you to email them from the forum (use the message program on the board)
  • DO NOT RE-USE PASSWORDS!
  • Be careful what information (personal) you put on the site
  • Be careful about posting anecdotes about seeing this or that imam speak (places you in a place and a time)

AND Finally, in the FUNNIEST note of the list;

  • This is not a dating site! You want to make friends do that separately from the jihadi forums.

*snort*

In all, these warnings are good solid rules of the road for anyone going anywhere on the internet never mind on a jihadi board being audited by the likes of moi. Just from a privacy standpoint these types of suggestions are valid as well and should be the standard for anyone not wanting their identity stolen or their stuff hacked easily. This however, is pretty new to all of these guys and are the rudiments of SECOPS for them. Up til now, they have been not following any of these precepts, and to have to say this is not a dating site? Well, that kinda says it all to me hehe.

Meanwhile another tasty tidbit came up from the same site and this one is a little more interesting. The above screen cap is for a posting called “Deceptive methods to extract information” and it covers primarily the idea of snitches being placed in cells at camps to elicit information from jihadi’s. Now, this is nothing new to anyone who has had a diet of movies or TV here in the US, but perhaps it is a new one for these guys. Informants in the form of turncoat prisoners or actual agents from the likes of the CIA etc, have been standard operations to get information without the enemy knowing it.

This post is written by someone though who has had first hand experience with being detained. They go on to describe very specific scenarios and methods to evade giving up information to the “birds” as they are calling them.  (I think they mean stool pigeons) The writer gives suggestions on how to detect the turncoats and or to deal with the interrogators methods in trying to cajole information from them. All in all, this is an interesting read that comes across as someone who has had direct experience and understands PSYOPS.

The Take Away:

These posts and others within the site have me thinking that they are starting to become a bit more sophisticated in their efforts online. There are numerous tutorials now on chaining Tor and proxy-ing as well as the use of crypto and other security oriented programs. TNT_ON has been busy posting more tutorials as well as lauding Younis Tsouli (aka irhabi007, now in jail) as the progenitor of the jihadi hacking scene. All I can really say is that it is maturing and we need to step up our efforts with regard to them.

With the new invigoration within the cyber-jihadi community since OBL’s great pineapple adventure, they have taken up the gauntlet not only to hack but to wage a cyber-propaganda campaign like never before. Presently, the jihadi’s on Majahden and other sites have been spinning up and creating numerous Facebook sites that conform to standards that will fly under the FB radar (FB has been pulling sites down just about as fast as they could put them up) this has become the new “stealth jihad” They are making the effort now to have innocent front pages that lead to many other more hidden pages containing hardcore jihadi content. This is something that was being espoused last year on the boards and is now coming into acceptance as the main modus operandi. This way they can have their content and not get it 0wned or taken down by the likes of Facebook or Blogspot.

Since the advent of the LulzSec crew, it just seems that we all have been focused elsewhere.. Time to wake up and go back to working these fools. I say it is time to start a program of 0day infected dox that will be downloaded from all those sharing sites that these guys love. Remember the whole cupcake thing with Inspire? I say we do it en masse for as many sites as we can. Added to this, we should also be using many more approaches such as PSYOPS, Disinformation, and all out penetration of their servers… No matter where they sit.

But that’s just me… I also think that perhaps the NSA might have that already covered… One wonders…

At the very least, we should keep an eye on these sites.. If not for the lulz, then for taking them down once and for all.

K.

Lulz, Jester, and Counterintelligence On The Internet

with 8 comments

Escalation:

I once wrote a blog post about ‘escalation’ and it seems that my fears are coming true as the Lulz Boat keeps making waves across the Internet. Between Lulzsec, Jester, Anonymous, and now God knows who else, we are seeing a re-birth of the 90’s anarchy hacking. However, since so much has changed network wise since the 90’s its been amplified a thousand fold. What has spun out of all the hacking (hactivism, vigilantism, whatever you want to call it) is that we are seeing just how a counter-intelligence operation is carried out. Th3j35t3r and his friends at Web-Ninjas’s are carrying out this counter-intelligence program and posting their findings on Lulzsecexposed as well as on th3j35t3rs own site on word-press.

To date, their efforts have not seemed to have either slowed Lulzsec’s antics, nor generated any federal arrests of anyone involved. However, I think it important to note the methods being used here to attempt to put faces to names in the lulz crew.

The LulzSec Problem:

The problem with trying to track lulzsec members is primarily the technologies that they are using prevent getting a real idea of where and who they are. By using VPN technologies, proxies, and compromised systems in the wild, they have been able to keep their true identities from being exposed in a more meaningful way other than screen names. Due to the problems of digital attribution, the governments of the world cannot quite get their hands around who these people are nor, would they be able to prove such in a court of law at the present time without solid digital forensics on the end users machines.

In the case of Lulzsec and Anonymous, they are not using just one system but many types of systems to protect their anonymity. Thus, with the right tools and obfuscation, they feel impervious to attack from anyone, be they government, law enforcement, or the likes of Th3j35t3r. Tactically, they have the advantage in many ways and it would take one of two types of attacks, if not both simultaneously, to take the Lulzsec and Anonymous core group down. The attacks I mention are these:

1) A direct attack on their IRC servers that host the secret C&C channels

2) Insertion of ‘agent provocateurs’ into the C&C of Lulzsec and Anonymous (as recently alluded to with the FBI stat that one in 4 hackers are CI’s recently)

I actually would suggest that both avenues of attack would have the best effect along with a healthy program of disinformation and PSYOPS to keep the adversary unbalanced and malleable. Which leads me to my next section.. The methods of attack.

Counter-Intelligence:

An overall category, Counter-Intelligence ranges all of the afore-mentioned types of attacks. In the case of Lulzsec, anyone could be a member within the community that encompasses info-sec or anonymous. Hell, Jester could actually know some of these people in real life just as well as you the reader might and never know it if the member never talks about it. I imagine it’s kind of like Fight Club;

The first rule of Fight Club is, you do not talk about Fight Club. #2 – The second rule of Fight Club is, you DO NOT talk about Fight Club. 

If anyone talks, they could end up in some serious shit and in this case, disappeared pretty quickly if the governments in question get their hands on them. This is especially true now that they have hit the FBI and CIA with their attacks and derision… But I digress. The key here is that because no one knows who is who or is talking about it, it is very analogous to the idea of a mole hunt or counter intelligence operations that seek to locate spies within the community (such as within the CIA) There are whole divisions in the CIA and FBI as well as other places that are solely devoted to this type of war of attrition.

I believe that it is a counter-intelligence operation that will win the day though in the battle against Lulzsec or any other like minded adversary. Winning that battle will take the following types of sub operations as well.

PSYOPS & Disinformation:

PSYOPS and Disinformation work together to unbalance the adversary as well as spin the masses toward compliance or action. In the case of LulzSec, this type of activity is already ongoing with their own ‘Manifesto‘ and other publicity that they have put out. They want to spin opinion and generate adoration as well as fear, both of these are in evidence within the media cycle and the public’s perception of who and what they are. Where I am seeing both types of activity on Lulzsec’s part, I can also see within the actions of jester and the Web Ninja’s as well.

On the part of LulzSec, the following psychological operations and disinformation campaigns can be seen:

  • For each alleged ‘outing’ of a member, they make claims that these are not core members of their group (note, they do not make claim to the anonymous model of headless operations) such outed persons who can be connected to them are merely underlings in open IRC channels
  • Affecting accents and 4chan speak to attempt to hide their real patterns of writing and mannerisms
  • A claim to having battles with 4chan and /b/ as well as Anonymous while they seem much more aligned to them (distancing)
  • The use of agent provocateurs against Jester within his own coterie of followers and open IRC channel
  • The use of flash mobs (abuse) within Jester’s open IRC channel
  • Leveraging the fact that they are anonymous (in concept) and due to the technology today, virtually untouchable

On the part of Jester we have the following operational tactics used so far:

  • The outing of individuals believed to be core members of the group (no matter if correct, will prompt a reaction from Lulzsec that may be telling)
  • The use of agent provocateurs to place disinformation as well as gather intel on the adversary (Lulzsec) which can be seen in leaked IRC chat transcripts
  • The creation of analogous groups such as the Web Ninja’s to work against LulzSec
  • Leveraging the fact that he is just as anonymous (in concept) as they are and due to the technology today, virtually untouchable

It seems from both sides of the battle, that these types of actions are being used to mislead and gain the edge over the other. In the case of Jester, I am pretty sure that this is an overt thing. While, on the other hand, with Lulzsec, I see it as a reactionary set of measures to attempt to keep themselves from being exposed as to who and where they are. As this continues, I am willing to hazard that even more players are playing a part in this war, quietly, and those would be the government operatives looking for an in to take the Lulz down. Of course, the government has been pretty quiet about Lulzsec haven’t they? One wonders just what they are up to.. If anything at all.

Of course, the NSA may just be the dark horse here… And the Lulz won’t know what hit them.

Then it will be over.

Development of Sources:

One of the more tradecraft oriented things that must be going on is the use of sources or getting assets into positions to be inside the Lulz Boat. I am sure that there are players out there sidling up to the right users on the IRC boards in an attempt to get into the inner circle of LulzSec as well as Anonymous. These assets are likely to be working for the government but I can also see someone like Jester using the same tactic, if not posing himself as the asset. Due to the nature of the problems of tracking these people, this is the best way to get close to the Lulz and to gather raw intelligence on them. After all, even if not fully trusted, an asset can gather important data on the actions of the Lulz and be there when they make a crucial mistake.

The other side of that coin may be people who have been outed and were in fact affiliated with the Lulz. This is where the FBI has a forte in turning hackers into informants by allowing them to work for them instead of just being put in a hole somewhere. It has happened in the past (carders for example) and likely is the case in the Lulz affair. After all, some have been ‘vanned’ already in Anonymous circles and I have yet to hear about any real solid court cases being filed.. So.. One tends to think that there is a bit of cooperation going on with those who have been popped already for being suspected ‘anons’

In the case of the Lulz, we have yet to see or hear of anyone being taken into custody for being afiliated with the Lulz.. But, the day is young especially of late.

Habits Will Be Their Downfall:

Overall, I would say from what I have seen in IRC and in other data located out there on key user names, that human nature and habits will be the downfall of the Lulz. People have habits and these can be leveraged to attack them. No one is perfect and none of these people to my knowledge have been trained to avoid the pitfalls of habit that a trained operative would. Insofar as the Jester seems to have hit the mark in a few cases is telling that people are leaking data. Either the Lulz themselves have been careless (as they harp on password re-use, I harp on user name re-use) or they have indeed  been infiltrated by assets of the enemy, or, have decided to go down another less dangerous path in hopes of not being prosecuted.

Habitual behaviour too is not only action, but mannerisms, thought processes, and enunciation of motives. Just as coders tend to code in specific ways that can be used as ‘digital DNA’ so too can writing patterns, speech, etc even when attempted to be clothed in 4chan speak. As well, the habits of human nature to be trusting will too be their downfall. After all, unless this is a one person operation, there are many links in the chain that could and will be exploited. As people seem to be dropping off of the Lulz Boat (per Jester’s data) they will need new blood to keep the Lulz going, and that means that they will have to recruit, vet, and eventually trust someone…

And that is where the counter-intelligence operation will seal the deal… The phrase “Trust No One” just cannot be a reality in any operation. This is why they sometimes fail, because you trust the wrong person.

Over Reliance On Technology:

In the meantime, the Lulz seem to be relying quite a bit on technologies that are rapidly becoming susceptible to attacks by those who want to capture or stop them. The use of Anonymous proxies like Tor, while effective now, are also compromise-able from a few different perspectives. The technology may be solid, but the pressures legally on those who run them may in fact lead to compromise. Just as any of these avenues of anonymization that are out there could in fact be just honey-pots to capture data. A case in point would be Tor, which was a Navy project to begin with and anyone who has set up an exit node, can in fact sniff the traffic for data that may be helpful in getting a lock on a user.

Additionally, any other means of technology like cloud services that are hosting their data or facilitating anything the Lulz do, could potentially be compromised if the right people are involved *cough NSA cough* that have the latitude to do what they like. Given today’s surprising numbers of laws being passed that erode all of our rights to privacy, I should think that the days are numbered for the Lulz on the technical playground as the boys at Ft. Meade start getting their orders to lock and load.

Never trust so much in technologies that YOU do not run solely yourself.. Remember the government can make any company that MITM attacker and YOU the attacked.

The End:

In the end, I think that the Lulz have pointed out that ‘Elephant with its trunk in out collective coffee” but at what price? Will this change the paradigm and make the government care about security in a more cogent way? No. Instead they will come up with tougher laws and more ways to invade privacy by shortcutting the process. Sure, shit is out there and it is vulnerable, but you know what? It always will be. If it isn’t some very low hanging fruit like SQLi then it will be 0day. There will always be a way in. That is just the nature of things and the Lulz will have shifted paradigm.. Because truly, the Lulz will be on LulzSec, emotionally charged and sorry for their actions… While sitting in jail.

K.

*EDIT* Oh and one more thing to add here as an afterthought. I may remind you all that as the laws are changing and the Patriot Act has been re-signed. The Lulz, having upped the ante, can easily be considered ‘Domestic Terrorists” This would place them in even a more precarious place because then, the legal gloves come off….

One man’s Domestic Terrorist is another man’s “Enemy Combatant”

The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage

with 2 comments

黑客 Transliteration into English ‘Dark Visitor’, more specifically in our colloquial language ‘Hacker’ The Dark Visitor movement of the 1990’s has morphed into a more sophisticated and government connected espionage wing today. What was once a loosely affiliated group of patriotic hackers, has been honed by the PLA (Peoples Liberation Army) into a force to be reckoned with on the stage of digital espionage and data theft.

Beginnings:

Back in the latter 1990’s the Internet made its way to China and soon hackers began to see how the system worked. These hackers were curious about systems to start, but soon the motives changed in the Chinese hacker community due to patriotism and the inherent nature of the Chinese culture, to feel that they could avenge their country for perceived sleights by hacking web pages and defacing them. It was in 1997 that the first hacker collective was formed and named the “Green Army” and in 1998, the “Red Hacker Alliance” was formed after an Indonesian incident involving riots against the Chinese caused them to band together.

Over time, many groups would form and dissipate only to re-form. The groups would have various reasons to go on campaigns of hacking against other countries like Taiwan over political issues and the like, but it seemed for the most part the general aegis was just to hack. A change though came in the 2000’s when commercialism started to come to play. It seems that as in the West, the hackers began to see that their skills could be put to use to make money, and many of them began working as security consultants. As with the country itself, commercialisation that Deng Xiaoping had put into play with his ‘market economy’ afforded them the idea of not just being politic but also in some ways, Capitalist.

From the “Dark Visitor” by Scott Henderson its a good albeit short read on the subject. You can buy it on his site I think..

The paradigm however has changed a bit since 2005 and since, more of the hacking and the groups doing it have dual motives. Due to the PLA co-opting the hacker groups, a healthy dose of patriotism, and the general socio-political environment that the Chinese live in today, we now have both forces at work. The political and the market driven.

Motivations for APT Attacks:

Since the market economy’s beginning with Deng, China has brought itself up out of the depths that the Mao government dragged them into a burgeoning super power. Most of this economic feat has been driven by the sheer ability of the Chinese to throw immense amounts of workforce at problems. While producing cheaper and perhaps lower quality goods, they have plaid upon the capitalist nature of the west to pivot themselves into the controlling seat economically and production wise. America and other countries have locked on to the idea that hiring out to foreign workers (outsourcing) they are saving a lot on their bottom line. As well, the consumer, be they American or other, have enjoyed the advantages of cheaper products, thus they save more money on their purchases, and thus have more disposable income.

This model however has one flaw for the Chinese. While the Chinese have great skill in replicating technologies, and have created clever contracts that in the end, garner them all of the specs on how to make just about everything, they lack in the area of generating new technologies. This is the basis for their efforts within the industrial espionage area that make up quite a great number of the persistent attacks on companies in the West that have succeeded in stealing IP. It seems that the Chinese need for political status as well as economic status have created the perfect incubator for the likes of the Honker Union or the Green Army, to turn their efforts toward making China a complete superpower.

State vs. Non State Actors:

The lines between the state actor and the non state are very much blurred in China. Due to the culture, many of the hackers work together for the common goal of the state. Since 2001 though, the notion of the state actor has been more common since the PLA began to incorporate the hackers into their ranks as well as to begin training programs at universities like the Chengdu University of Technology, which, just happens to be situated within the province where the first directorate of cyber intelligence resides.

There are certainly likely to be other hackers or groups also working for themselves selling 0day and the like, but I can also envision that certain state actors might also want in on that action as well. How better to control some of the malware out there than to actually create it and sell it? Either way, the notion of separating state and non state actors in China has pretty much been a non starter for me when looking into this issue.

In the end, they all are state actors I think just by the nature of the regime.

Techniques:

In the beginning, the Chinese hackers were just defacing pages, but after Cult of the Dead Cow created Back Orifice, the face of hacking changed. Huang Xin
took note and created the first Chinese trojan ‘glacier‘ since then, it’s been an ever increasing world of trojans and means to get the users of systems to install them. As time progressed, and hackers had to deal with more security measures (i.e. firewalls) they all began to use guile to get the end user to do the work for them. Over the years the Chinese have gotten much better at crafting decent emails that will not ring alarm bells in users heads. These emails and exploits are what we now call ‘phishing

Additionally, the Chinese have honed the attacks to not only be sly but also they have added a very regimented structure of keeping access to the networks they have compromised. Through thorough placement of further back doors as well as creating custom code to apply to applications inside of their target infrastructures, they have managed to keep the access that they desire to exfiltrate data at their own pace. Using multiple nodes within a compromised network, they will just shrug and move on to another compromised node once they have been discovered and stopped on the original. THIS is the true meaning of “Advanced Persistent Threat” and for me it’s mostly on the persistence that the emphasis should be kept.

Moving Forward:

Recent events with Lockheed have moved me to write this blog post as well as begin a series of them on the Chinese hacking community today. My initial searches online have provided all too much data and it admittedly has me overwhelmed. This I decided to parse this all out. I wanted to cover the history, motivations, and means today. Soon I will be writing more about infrastructure and methodologies to try and give a map so to speak, of what we are dealing with as the Chinese continue to use those ‘Thousand Grains of Sand‘ against us.

But, just to give you a taste of what I am seeing… Here is just one site that I did a relational link search on:

More to come…

K.

The Post Bin-Laden World

with 4 comments

Well, it finally happened. OBL is ostensibly dead, though we have no real proof of that for the masses to see, but we are being told as much and that there have been DNA matches made. As you are all being barraged with I am sure, the salient points of the operation are these:

  • OBL was not in the kush, but instead in a populated area situated about an hour outside of Islamabad Pakistan
  • The compound was built in 2005 and has been under surveillance for some time
  • The compound was located in an area that was off limits to the reapers and other drones, thus they thought they were secure
  • The compound was about half a mile away from the Pakistani military version of West Point
  • The courier that OBL trusted most was the one who led us to him. He was in turn alleged to have been outed by KSM in Gitmo under “interrogation” as well as others in CIA ghost sites
  • Once the CIA had the pseudonym it took about two years to actually get his real name and then to locate him
  • Once we had a lock on enough data to place OBL there, the go code was given to neutralise OBL (he was not to be captured)
  • SEAL Team SIX confiscated more than 3 computers from the premises and I am sure those have been sent already to the NSA for decrypt/forensics
  • OBL’s body and any photos of it have been deep six’d so as not to give the jihadi’s anything to work with for Nasheeds and other propaganda
  • It was old fashioned intelligence work and a SPECOPS team that eventually got him… Not just fancy drones and technology

All in all, Sunday was a good day for SPECOPS, the CIA, and the U.S. So, what does this mean though for the GWOT and for all of us now?

AQ’s Response:

So far, I have seen very little chatter on the jihadi boards whatsoever. In fact, it has been downright quiet out there. I think there is a mix of disbelief and a bit of fear out there that is keeping them quiet. Just as there has been no body provided or photo’s thereof, they all must be waiting on an announcement from AQ as to the loss. However, I don’t expect that announcement to be soon. I am sure Ayman has been scuttled off somewhere ‘safe’ and the rest of the thought leadership (what’s left that is) is wondering just where to go from here.

Much of the inactivity on the part of AQ also likely is due to their loss of computers that likely held A LOT of data that were taken by the SEAL’s at exfiltration. I would assume that much of what was left of their internal network has been compromised by this loss and when the systems are cracked and examined, there will be more raids coming. So, they all are likely bugging out, changing identities if possible and burning the rest of the network to prevent blowback.

Frankly, this is a real death blow to AQ itself no matter how autonomous the network cells have become. Though, OBL had been less the public face of things for some time with Ayman taking up the face roll. Time will tell just what happens to the AQ zeitgeist in its original form, but I think I already know what has happened, and it has been going on for some time…

In the end, I don’t expect a real response from AQ proper and if anything, I expect a feeble one from Ayman in a few days. Remember, Ayman is not well liked within many jihadi circles, so the succession of AQ is likely to have Ayman try, but I think in the end fail to be the new OBL.

AQAP and Anwar al-Awlaki the new thought leaders:

Meanwhile, I believe this is the new AQ. AQAP has been developing a base that includes the whole Inspire Magazine machine. Anwar Al-Awlaki has been the titular head of jihadi thought for some time now, but with the demise of OBL and AQ proper, he will be the lightning rod I suspect. I think also that we will be hearing from him very soon and with that audio, no doubt released by Al-Malahem, he will take the spot that OBL and Ayman did. Whether that will be at the behest or acquiescence of Ayman or not I cannot be sure.

Awlaki is frankly, the charismatic Americanized version of OBL that will be able to and has been, moving the western takfiri’s to jihad with his fiery speeches. With his team of younger, hipper, and technically savvy, he will have a better chance of activating the youth movements and gaining the respect of the older set.

AQ Attacks:

I frankly do not see any major attacks coming from AQ proper in the near future that would rival 9/11. However, I do see the potential for some attacks in Pakistan/Afghanistan/Iraq from operators using shahid attacks. I do believe though, that they will be working on larger scale attacks as they are patient and have a real desire now to avenge OBL.

Time will tell on this, but I do not think that operationally, AQ is in a position to really do anything of merit at this time. This is specifically so because OBL’s computers and data have been captured and as I said before, the networks are likely broken.

AQAP Attacks:

AQAP though, is an entity unto itself and I can see them putting together another parcel bomb plot pretty quickly. The last plot (the one with the toner cartridges) was put together in short order and had a very low cost, so I think if anyone, AQAP has a better chance of actuating a plan and carrying it off.

Of course, they may not succeed just like the last time. In some ways though, we got lucky on that one as the Saud’s got intel that they shared foiling the plot.

Lone Wolves:

This is the one I think most viable and worry about. The disparate crazy loners who have self radicalized to jihad are the ones likely to do something bonkers. These guys may not have the training, may not have the infrastructure, but, they make up for it all in sheer whack nutty-ness.

The one thing about this is that I suspect that these folks will be the ones here in the states. So soft targets will be a premium (malls, games, etc)

Moving Forward:

The next week is going to be interesting. As time goes on, and the AQ networks begin to settle, then I am sure we will see some response from them. Meanwhile, I will continue to monitor the boards and see what’s what.

I do though want to recommend that you all out there keep your wits about you as you are out and about in soft targets like malls, games, and other gathering places. If anything, its that lone wolf actor who may try something and those would be targets they would choose for maximum effect.

More when I have it.

K

The PrimorisEra Affair: Paradigms In Social Networking and SECOPS

with 5 comments

EDIT 5.24.2011

As of last night, I had heard that PrimorisEra was back and posting to a new blog. Today Wired has fired off a follow up to the earlier report and her return. It seems from the report that perhaps the Pentagon investigation is over and that in fact Shawna Gorman may indeed be the First Lady of Missiles. It remains to be seen if this is really the case but since she is back and blogging, I would have to lean toward my assessment from before. Still though, my cautionary statements about social networking and SECOPS still apply.

See below:

K.

From Wired:

It started out with a leggy, bikini-clad avatar. She said she was a missile expert — the “1st Lady of Missiles,” in fact — but sometimes suggested she worked with the CIA. With multiple Twitter and Facebook accounts, she earned a following of social media-crazed security wonks. Then came the accusations of using sex appeal for espionage.

Now everyone involved in this weird network is adjusting their story in one way or another, demonstrating that even people in the national security world have trouble remembering one of the basic rules of the internet: Not everyone is who they say they are.

“I think anyone puts pictures out online to lure someone in,” the woman at the center of the controversy insists. “But it’s not to lure men in to give me any information at all… I liked them. They’re pretty. Apparently everyone else thought so too.”

This is a strange, Twitter-borne tale of flirting, cutouts, and lack of online caution in the intelligence and defense worlds. Professionals who should’ve known better casually disclosed their personal details (a big no-no in spook circles) and lobbed allegations they later couldn’t or wouldn’t support (a big no-no in all circles). It led to a Pentagon investigation. And it starts with a Twitter account that no longer exists called @PrimorisEra.

Yesterday, Wired posted a news article about another potential social networking attack on the .mil and .gov types involving Twitter, Facebook, and Google Buzz. The snippet above really sums up what is alleged to have happened and the problems with Social media’s blasé attitudes where people who have jobs that require secrecy meet and chat.

Presently, according to the article, a Pentagon investigation is under way into this story, but once again, this is not the first time we have heard this type of story in the press with these same players. It was last year when a profile online named “Robin Sage” made the rounds on LinkedIn and other social media formats. This “cutout” as they are called in the espionage community, was in fact a fake profile used by a security researcher to prove a point. By using an attractive woman as the persona, the researcher was able to get people within the military and governmental community to add her and flirt. Through the flirting, the unsuspecting connections gave up valuable data on what they did for a living, where they were, and perhaps even locations in country around the battlefield in Afghanistan.

Many just fell for the profile hook line and sinker.. And that is a bad thing for anyone in this sector. It was a lesson in OPSEC and it’s failure. Potentially, this emerging case from the Wired story could also be much the same. The number of online personae that are involved in this story are just a little too many to just think that it was an innocent mistake on the part of a young woman seeking attention online from her peers within the government and military. However, its also just as possible that that is all it really is.

Time will tell.

Shawn Elizabeth Gorman Daughter of Nancy Gorman 1983

Site with SEG photo (1983)

The thing about this is that this type of exploit is not new at all. This is commonly known as a honeypot in the espionage area and before there was an Internet, there was the local cafe or bar, where one would just happen to meet a lovely young thing and start a relationship. That relationship would then be turned into blackmail (either emotional or literal) and suddenly, you are an asset for the adversary. The new twist is that services need not deploy an asset to a foreign country to search for and find access to those who they want to get information from. Today all they need to have is an Internet connection and Google. It is only even more easily carried out now that there are Social Media sites like Facebook and others to sidle digitally up to anyone you like and start to work on them if you know how.

There used to be a time where every operator was given the tutorials on espionage means and methods. People were forewarned about travelling to other countries and if you are cleared, you have to report suspicious contacts to the DSS. Today though, I don’t think that they have even attempted to try this with online content. I mean, how many reports a day would you have to make to DSS if you are online and just talking to people in a chat room or on Facebook? It would be impossible. So it is understandable, as social animals, that we develop this technology to connect with others and being that it is a rather insular means of communications, feel that we can just let loose with information. After all, how does one really assure that who they are talking to is indeed that person that they claim to be?

So, people forget and really, this is still all relatively new isn’t it? There are no maps here.

Now, back to this story, no one has claimed that data has been leaked. It is only the appearance of things have set off the alarm bells for people and agencies. When one user finally decided to call the alleged cutout’s profile out, a subsequent shit storm began that ended up with @primosera deleting their Twitter, Facebook, and Google accounts thus making the story seem even more suspect.

Was Shawn E Gorman a cutout? Is she really the grad student and contractor she claims to be in her tweets? What about the allusions to the CIA? All of the missile tech and political discussions? Well, given the background of what can be located readily online, there is a Shawn Elizabeth Gorman attending Johns Hopkins as a research assistant getting her MBA in Government, so, perhaps. Or maybe someone has just taken on the persona of Ms. Gorman to use as a cutout for these activities?

Frankly, I am leaning toward it really being her. As you can see from the photos above, I located a photo other than the one from Wired that purports to be Shawn E. Gorman born 1983 to a Nancy Gorman. I also located data that shows a Shawn E. Gorman living in Bethesda MD with the same mother. Given that the photo is an early one, and one of the few out there easily found, I am thinking it is one in the same. However, this does not mean that it has been her behind that keyboard when she was talking to all of the people involved.

Time will tell what is what once the Pentagon’s investigation gets done. It could be that this is all for naught security wise from the compromise perspective. However, this once again is an object lesson for everyone online. Nevermind if you work in a job that requires security, everyone should be cognisant that when they are online talking to someone that they do not know in real life, are just that much more possibly talking to someone who is not their “friend” and looking to just have a chat. From the common data thief to the corporate spy, we all may have data that someone wants and will be willing to pretend a while to get it.

We want to be social and open as we are social animals… Just so happens that sometimes that is a bad idea.

I think though, that everyone who works in security or within a security centric job space will have to go through some more training in the near future. This is just a warning bell and I think it best that the government and military listen to it. Even as the article goes on to mention, there are restrictions on the military about posting online, but still they cannot deny these people access to the likes of Facebook for morale. It is really playing with fire either way, in denying the access it seems draconian and people will fight it. On the other hand, if you allow it and monitor it, you are damned for monitoring people’s interaction online.

Hell, even the CIA has set up its own social networks within the CIA’s Intranet so people can talk and ostensibly share ideas and data. However, that is on an Intranet that is well protected….

Meanwhile, back on the Internet, we have places like LinkedIn. Sounds like a great idea, networking for jobs and such. Then the .gov and .mil folks all got online and began to show themselves and much of their data in a contained space. So much of a treasure trove is LinkedIn that Anna Chapman (as seen above from her Russian Maxim shoot) was only 2 degrees of separation from me within my network on LinkedIn! She was mining the connections as a sleeper for the SVR and all she had to do was put up a pretty picture and say hi.

For me it comes down to this;

1) If you sign up for these places hide as much of your data as you can.

2) Pay attention to the security measures that the sites have in place.. Or don’t. Facebook has had a terrible record on personal privacy but look how many people they have on there and just how much personal data is available to anyone who can look at the page, even a cached version.

3) When you get invites from people check them out. Use other means than the current site (aka LinkedIn) to do that research. See if you can nail down who they are in reality. Even then, once you are friends, think before you type. You may be giving out data that you personally don’t want anyone to have.

4) Placing too much family data on the Internet is a threat. Anything from Identity theft to outright stalking and physical danger can be the outcome if you make it too easy for someone to get your data.

5) If you suspect that someone you are talking to is not indeed who you think they are, walk away.

6) AND for God’s sake, if you are a guy, in the military or government, or hold a classified status and some hot avatar’d chick starts PM’ing you, its either a bot or it’s likely another cutout. ESPECIALLY if you lay out your life’s story online as to what you do and where you work.

7) Finally, remember what I have repeated over and over again. Whoever you are talking to MAY NOT BE WHO THEY SAY THEY ARE!

Just don’t put that data out there and end up in the hot seat with your job on the line over a little virtual tail.

K.

Anonymous vs. Anonymous: Enough Hubris To Go Around

leave a comment »

The nameless revolution that calls itself Anonymous may be about to have its own, online civil war.

A hacker startup calling itself Backtrace Security–made up of individuals who formerly counted themselves as part of Anonymous’ loose digital collective–announced plans Friday to publish identifying information on a handful of active members of Anonymous. According to one source within the Backtrace group, it will release the names and instant messaging logs of dozens of Anonymous hackers who took part in attacks onPayPal, Mastercard, the security firm HBGaryWestboro Baptist Church, and the Marine officials responsible for the detainment of WikiLeaks source Bradley Manning.

That spokesman, who goes by the name Hubris and calls himself BackTrace’s “director of psychological operations,” tells me that the group (Backtrace calls itself a company, but Hubris says it’s still in the process of incorporating) aims to put an end to Anonymous “in its current form.” That form, Hubris argues, is a betrayal of its roots: Fun-loving, often destructive nihilism, not the political hacktivism Anonymous has focused on for much of the past year. “[Anonymous] has truly become moralfags,” says Hubris, using the term for hackers who focus on political and moral causes instead of amoral pranks. “Anonymous has never been about revolutions. It’s not about the betterment of mankind. It’s the Internet hate machine, or that’s what it’s supposed to be.”

The rest is HERE

“Cyberdouchery” it’s a term coined within the last year as far as I know for snake oil or hype mongers within the Infosec community. I have to say that this alleged group of ex-anon’s kinda fits the term for me. Whether it’s the reason that they state of being tired of Anonymous’ being moral fags, or the idea that they just want to get back to their troll roots, I pretty much just think its a publicity stunt. Of course, the darker side of me could see the way to believing that this is just some sort of psyop by person/persons unknown to get a reaction out of Anonymous.

I have written in the past about the herd mentality as well as convergence theory where it regards Anonymous. In each of those scenarios though, there is the idea that there are leaders. No matter the number of times Anonymous may say they are leaderless, I say that this is just impossible from the point both of these theories take. Even if someone is a leader for a day or minute, there is a leader, and there are followers, either anointed by the pack or by themselves. There are also the minions that do the work, such as the mods and the managers of the servers and systems. Those too could be seen as leaders within the infrastructure too. Now it seems though, that this new group is going to attempt to name leaders by use of social engineering and data collection.

… And that is what Aaron Barr wanted to do.. Well sorta… Then he shot himself in the foot with his own machine gun of hubris.

All in all though, this looks to be on the face of it, just an attempt at #LULZ by these folks at Backtrace. The use of the crystal palace image alone screams nearly the same shrill tune as using too many numbers in one’s nickname in leet terms. If you look closely though, you will see that they also claim to offer services such as “Cyber Espionage” *blink* Not counter intelligence nor counter cyber espionage, but cyber espionage. Just as they also offer cyber warfare and a host of other hot terms with cyber in them. That just reeks of the cyberdouchery I spoke of at the top of the post. So, in reality I don’t take this all too seriously.

I guess we will just have to wait and see what develops with this insurance file and the alleged outing that will happen…

There will be #lulz

K.

Operation: NIGHT DRAGON Nothing New, but It Bears Some Repeating

with one comment

Night Dragon Chinese hackers go after energy firms

Latest revelations from McAfee highlight large scale covert attacks emanating from the region
Phil Muncaster, V3.co.uk 10 Feb 2011

Just over a year after the Operation Aurora Chinese hacking revelations shook the world, security vendor McAfee has uncovered another large-scale, covert and targeted attack likely to have originated in the region, dubbed Night Dragon.

Dating possibly as far back as four years ago, Night Dragon attacks are aimed specifically at global oil, energy and petrochemical companies with the aim of harvesting intelligence on new opportunities and sensitive operational data which would give a competitive advantage to another party.

The attacks use methodical but far from sophisticated hacking techniques, according to McAfee’s European director of security strategy, Greg Day.

First the hackers compromise extranet web servers using a common SQL injection attack, allowing remote command execution.

Commonly available hacking tools are then uploaded to the compromised web servers, allowing access to the intranet and therefore sensitive desktop and internal servers.

Password cracking tools then allow the hackers to access further desktops and servers, while disabling Internet Explorer proxy settings allows direct communication from infected machines to the internet, said McAfee.

The hackers then use the specific Remote Access Trojan or Remote Administration Tool (RAT) program to browse through email archives and other sensitive documents on various desktops, specifically targeting executives.

Night Dragon hackers also tried spear phishing techniques on mobile worker laptops and compromising corporate VPN accounts in order to get past the corporate firewall and conduct reconnaissance of specific computers.

Although there is no clear evidence that the attacks were carried out by the state, individuals or corporations, there are clear links to China, said McAfee.

For example, it was from several locations in China that individuals ” leveraged command-and-control servers on purchased hosted services in the US and compromised servers in the Netherlands”, said the security vendor in a white paper entitled Global Energy Cyberattacks: Night Dragon (PDF).

In addition, many of the tools used in the attacks, such as WebShell and ASPXSpy, are commonplace on Chinese hacker sites, while the RAT malware was found to communicate to its operator only during the nine to five working hours of Chinese local time.

McAfee said that researchers had seen evidence of Night Dragon attacks going back at least two years.

“Why is it only now coming to light? Well, the environments and security controls these days are so complex it is very easy for them to slip under the radar of visibility,” Day explained.

“Only really in the last few weeks have we been able to get enough intelligence together to join the dots up, so our goal now is to make the public aware.”

Day advised any company which suspects it may have been targeted to go back and look through anti-virus and network traffic logs to see whether systems have been compromised.

Low level day-to-day problems can often be tell-tale signs of a larger, more concerted attack, he added.

William Beer, a director in PricewaterhouseCooper’s OneSecurity practice argued that the revelations show that traditional defences just don’t work.

“The cost to oil, gas and petrochemical companies of this size could be huge, but important lessons can be learned to fend off further attacks,” he added.

“More investment and focus, as well as support and awareness of the security function, is required from business leaders. Across companies of any size and industry, investment in security measures pays for itself many times over.”

Lately there has been a bit of a hullabaloo about Night Dragon. Frankly, coming from where I do having been in the defense contracting sector, this is nothing new at all. In fact, this is just a logical progression in the “Thousand Grains of Sand” approach that the Chinese have regarding espionage, including the industrial variety. They are patient and they are persistent which makes their operations all the more successful against us.

The article above also has a pdf file from Mcaffee that is a watered down explanation of the modus operandi as well as unfortunately, comes off as a sales document for their AV products. Aside from this, the article and pdf make a few interesting points that are not really expanded upon.

1) The attacks are using the hacked systems/networks own admin access means to exfiltrate the data and escalate access into the core network. This has effectively bypassed the AV and other means of detection that might put a stop to a hack via malware.

2)  The data that the Chinese have exfiltrated was not elaborated on. Much of the data concerns future gas/oil discovery. This gives the Chinese a leg up on how to manipulate the markets as well as get their own foot in the door in places where new sources of energy are being mined for.

All in all, a pretty standard operation for the Chinese. The use of the low tek hacking to evade the tripwire of AV is rather clever, but then again many of us in the industry really don’t feel that AV is worth the coding cycles put into it. Nothing too special here really. Mostly though, this gives more insight into a couple of things;

1) The APT wasn’t just a Google thing

2) Energy is a top of the list thing, and given the state of affairs today with the Middle East and the domino effect going on with regime change, we should pay more attention.

Now, let me give you a hint at who is next… Can you say wheat? Yep, take a look at this last year’s wheat issues.. Wouldn’t be surprised if some of the larger combines didn’t have the same discoveries of malware and exfiltration going on.

K

SPOOK COUNTRY 2011: HBGary, Palantir, and the CIRC

with 5 comments

 

The establishment of a Corporate Information

Reconnaissance Cell (CIRC) will provide Hunton &

Williams LLP with a full spectrum capability set to

collect, analyze, and affect adversarial entities and

networks of interest.

From: Team Themis pdf


CIRC: The New Private Intelligence Wing of (insert company name here)

The HBGary debacle is widening and the players are beginning to jump ship each day. The HBGary mother company is disavowing Aaron Barr and HBGary Federal today via twitter and press releases. However, if you look at the email spool that was leaked, you can see that they could have put a stop to Aaron’s game but failed to put the hammer down. I personally think that they all saw the risk, but they also saw the dollar signs, which in the end won the day.

What Aaron and HBGary/Palantir/Berico were offering was a new kind of intelligence gathering unit or “cell” as they called it in the pdf they shopped to Hunton & Williams LLP. Now, the idea and practice of private intelligence gathering has been around for a very long time, however, the stakes are changing today in the digital world. In the case of Hunton, they were looking for help at the behest of the likes of Bank of America to fight off Wikileaks… And when I say fight them off, it would seem more in the sense of an anything goes just short of “wet works” operations by what I see in the spool which is quite telling.

You see, Wikileaks has made claims that they have a certain 5 gig of data that belonged to a CEO of a bank. Suddenly BofA is all set to have Hunton work with the likes of Aaron Barr on a black project to combat Wikileaks. I guess the cat is out of the bag then isn’t it on just who’s data that is on that alleged hard drive huh? It would seem that someone lost an unencrypted drive or, someone inside the company had had enough and leaked the data to Wikileaks. Will we ever really know I wonder?

Either way, Barr et al, were ready to offer a new offering to Hunton and BofA, an intelligence red cell that could use the best of new technologies against Anonymous and Wikileaks. Now, the document says nothing about Anonymous nor Wikileaks, but the email spool does. This was the intent of the pitch and it was the desire of Hunton and BofA to make both Anonymous and Wikileaks go away, for surely if Wikileaks were attacked Anonymous would be the de facto response would they not?

A long time ago William Gibson predicted this kind of war of attrition online. His dystopian world included private intelligence firms as well as lone hackers out there “DataCowboy’s” running the gamut of corporate intelligence operations to outright theft of Pharma-Kombinat data. It seems that his prescient writings are coming into shape today as a reality in a way. With the advent of what Barr and company wanted to offer, they would be that new “cowboy” or digital Yakuza that would rid clients of pesky digital and real world problems through online investigation and manipulation.

In short, Hunton would have their very own C4I cell within their corporate walls to set against any problem they saw fit. Not only this, but had this sale been a go, then perhaps this would be a standard offering to every other company who could afford it. Can you imagine the bulk of corporations out tehre having their own internal intelligence and dirty tricks wings? Nixon, EH Hunt, and Liddy would all be proud. Though, Nixon and the plumbers would have LOVED to have the technology that Aaron has today, had they had it, they may in fact have been able to pull off that little black bag job on Democratic HQ without ever having to have stepped inside the Watergate

The Technology:

I previously wrote about the technology and methods that Aaron wanted to use/develop and what he was attempting to use on Anonymous as a group as the test case. The technology is based on frequency analysis, link connections, social networking, and a bit of manual investigation. However, it seemed to Aaron, that the bulk of the work would be on the technology side linking people together without really doing the grunt work. The grunt work would be actually conducting analysis of connections and the people who have made them. Their reasons for connections being really left out of the picture as well as the chance that many people within the mass lemming hoards of Anonymous are just click happy clueless folks.

Nor did Aaron take into account the use of the same technologies out there to obfuscate identities and connections by those people who are capable, to completely elude his system altogether. These core people that he was looking to connect together as Anonymous, if indeed he is right, are tech savvy and certainly would take precautions. So, how is it that he thinks he will be able to use macroverse data to define a micro-verse problem? I am steadily coming to the conclusion that perhaps he was not looking to use that data to winnow it down to a few. Instead, through the emails, I believe he was just going to aggregate data from the clueless LOIC users and leverage that by giving the Feds easy pickings to investigate, arrest, and hopefully put the pressure on the core of Anonymous.

There was talk in the emails of using pressure points on people like the financial supporters of Wikileaks. This backs up the statement above because if people are using digital means to support Wikileaks or Anonymous they leave an easy enough trail to follow and aggregate. Those who are friending Facebook support pages for either entity and use real or pseudo real information consistently, you can easily track them. Eventually, you will get their real identities by sifting the data over time using a tool like Palantir, or for that matter Maltego.

The ANONYMOUS names file

This however, does not work on those who are net and security savvy.. AKA hackers. Aaron was too quick to make assumptions that the core of Anonymous weren’t indeed smart enough to cover their tracks and he paid the price as we have seen.

The upshot here and extending what I have said before.. A fool with a tool.. Is still a fool.

What is coming out though more each day, is that not only was Aaron and HBGary Fed offering Palantir, but they were also offering the potential for 0day technologies as a means to gather intelligence from those targets as well as use against them in various ways. This is one of the scarier things to come out of the emails. Here we have a company that is creating 0day for use by intelligence and government that is now potentially offering it to private corporations.

Truly, it’s black Ice… Hell, I wouldn’t be surprised if one of their 0day offerings wasn’t already called that.

The INFOSEC Community, HBGary, and Spook Country:

Since my last post was put on Infosecisland, I had some heated comments from folks who, like those commenting on the Ligattleaks events, have begun moralizing about right and wrong. Their perception is that this whole HBGary is an Infosec community issue, and in reality it isn’t. The Infosec community is just what the shortened name means, (information security) You all in the community are there to protect the data of the client. When you cross the line into intelligence gathering you go from a farily clear black and white, to a world of grays.

HBGary crossed into the gray areas long ago when they started the Fed practice and began working with the likes of the NSA/DOD/CIA etc. What the infosec community has to learn is that now the true nature of cyberwar is not just shutting down the grid and trying to destroy a country, but it also is the “Thousand Grains of Sand” approach to not only spying, but warfare in general. Information is the currency today as it ever was, it just so happens now that it is easier to get that information digitally by hacking into something as opposed to hiring a spy.

So, all of you CISSP’s out there fighting the good fight to make your company actually have policies and procedures, well, you also have to contend with the idea that you are now at war. It’s no longer just about the kiddies taking credit cards. It’s now about the Yakuza, the Russian Mob, and governments looking to steal your data or your access. Welcome to the new world of “spook country”

There is no black and white. There is only gray now.

The Morals:

And so it was, that I was getting lambasted on infosecisland for commenting that I could not really blame Anonymous for their actions completely against HBGary/Aaron. Know what? I still can’t really blame them. As an entity, Anonymous has fought the good fight on many occasions and increasingly they have been a part of the mix where the domino’s are finally falling all over the Middle East presently. Certain factions of the hacker community as well have been assisting when the comms in these countries have been stifled by the local repressive governments and dictators in an effort to control what the outside world see’s as well as its own people inside.

It is my belief that Anonymous does have its bad elements, but, given what I know and what I have seen, so does every group or government. Take a look at our own countries past with regard to the Middle East and the CIA’s machinations there. Instead of fighting for a truly democratic ideal, they have instead sided with the strong man in hopes of someday making that transition to a free society, but in the meantime, we have a malleable player in the region, like Mubarak.

So far, I don’t see Anonymous doing this. So, in my world of gray, until such time as Anonymous does something so unconscionable that it requires their destruction, I say let it ride. For those of your out there saying they are doing it for the power and their own ends, I point you in the direction of our government and say this; “Pot —> Kettle —> Black” Everyone does everything whether it be a single person or a government body out of a desired outcome for themselves. Its a simple fact.

Conlcusion:

We truly live in interesting times as the Chinese would curse us with. Today the technology and the creative ways to use it are outstripping the governments in ability to keep things secret. In the case of Anonymous and HBGary, we have seen just how far the company was willing to go to subvert the laws to effect the ends of their clients. The same can be said about the machinations of the government and the military in their ends. However, one has to look at those ends and the means to get them and judge just was it out of bounds. In the case of the Barr incident, we are seeing that true intelligence techniques of disinformation, psyops, and dirty tricks were on the table for a private company to use against private citizens throughout the globe.

The truth is that this has always been an offering… Just this time the technologies are different and more prevalent.

If you are online, and you do not take precautions to insure your privacy, then you lose. This is even more true today in the US as we see more and more bills and laws allowing the government and police to audit everything you do without the benefit of warrants and or by use of National Security Letters.

The only privacy you truly have, is that which you make for yourself. Keep your wits about you.

K.

HB Gary: Hubris, Bad Science, Poor Operational Methodology, and The HIVE MIND

with 2 comments

Algorithms, Social Networks, and COMINT:

When I had heard that HB Gary had been popped and their spool file was on PB I thought that it was unfortunate for them as a fairly well known company. Once the stories started coming out though with the emails being published online, I began to re-think it all. It seems that Aaron Barr really fucked the pooch on this whole thing. He primarily did so due to his own hubris, and for this I cannot fault Anonymous for their actions (within reason) in breaking HB Gary and Barr’s digital spine.

It seems that Barr was labouring not only a flawed theory on tracking social networks, but also in that he planned on selling such a theory and application to the government. One notion was bad, and the other was worse. First off though, lets cover the science shall we? Barr wanted to track users on social networks and show connections that would lead to further data on the users. The extension that he was trying to make was obtaining actual real names, locations and affiliations from disparate sources (i.e. Facebook, Twitter, Myspace, IRC, etc) While this type of data gathering has been done in the past, it has not usually been culled from multiple sources automatically electronically and then strung together to form a coherent pattern. In short, Barr was wanting to create software/scripts to just scrape content, and then try to connect the dots based on statistics to tie people to an entity like Anonymous. The problem, and what Barr seemed to not comprehend, is that the Internet is a stochastic system, and as such it is impossible to do what he wanted with any kind of accuracy. At least in the way he wanted to do it, you see, it takes some investigation skills to make the connections that a scripted process cannot.

This can be seen directly from the article snippet below where the programmer calls Barr on his flawed logic in what he was doing and wanted to do.

From “How one man tracked down Anonymous and paid a heavy price

“Danger, Will Robinson!”

Throughout Barr’s research, though, the coder he worked with worried about the relevance of what was being revealed. Barr talked up the superiority of his “analysis” work, but doubts remained. An email exchange between the two on January 19 is instructive:

Barr: [I want to] check a persons friends list against the people that have liked or joined a particular group.

Coder: No it won’t. It will tell you how mindless their friends are at clicking stupid shit that comes up on a friends page. especially when they first join facebook.

Barr: What? Yes it will. I am running throug analysis on the anonymous group right now and it definately would.

Coder: You keep assuming you’re right, and basing that assumption off of guilt by association.

Barr: Noooo….its about probabilty based on frequency…c’mon ur way smarter at math than me.

Coder: Right, which is why i know your numbers are too small to draw the conclusion but you don’t want to accept it. Your probability based on frequency right now is a gut feeling. Gut feelings are usually wrong.

Barr: [redacted]

Coder: [some information redacted] Yeah, your gut feelings are awesome! Plus, scientifically proven that gut feelings are wrong by real scientist types.

Barr: [some information redacted] On the gut feeling thing…dude I don’t just go by gut feeling…I spend hours doing analysis and come to conclusions that I know can be automated…so put the taco down and get to work!

Coder: I’m not doubting that you’re doing analysis. I’m doubting that statistically that analysis has any mathematical weight to back it. I put it at less than .1% chance that it’s right. You’re still working off of the idea that the data is accurate. mmmm…..taco!

Aaron, I have news for you, the coder was right! Let the man eat his taco in peace! For God’s sake you were hanging your hat completely on scrape data from disparate social networks to tie people together within a deliberately anonymous body of individuals! Of course one could say that this is not an impossible feat, but, one would also say that it would take much more than just gathering statistical data of logins and postings, it would take some contextual investigation too. This was something Barr was not carrying out.

I actually know something about this type of activity as you all may know. I do perform scraping, but, without real context to understand the data (i.e. understanding the users, their goals, their MO, etc) then you really have no basis to predict what they are going to do or really their true affiliations. In the case of jihadi’s they often are congregating on php boards, so you can easily gather their patterns of friendship or communications just by the postings alone. Now, trying to tie these together with posts on other boards, unless the users use the same nick or email address, is nearly impossible.

Just how Aaron Barr was proposing to do this and get real usable data is beyond comprehension. It was thus that the data he did produce, and then leak to the press enraged Anonymous, who then hacked HB Gary and leaked the data in full claiming that none of the data was correct. Either way, Aaron got his clock cleaned not only from the hack (which now claims to have been partially a social engineering attack on the company) but also from the perspective of his faulty methodologies to harvest this data being published to the world by Anonymous.

OSINT, Counter-Intelligence, and Social Engineering:

The real ways to gather the intelligence on people like Anonymous’ core group is to infiltrate them. Aaron tried this at first, but failed to actually be convincing at it. The Anon’s caught on quickly to him and outed him with relish, they in fact used this as an advantage, spurring on their own efforts to engineer the hack on HB Gary. Without the right kind of mindset or training, one cannot easily insert themselves in a group like this and successfully pull of the role of mole or double agent.

In the case of Anonymous though, it is not impossible to pull this off. It would take time and patience. Patience it seems that Aaron Barr lacked as much as he did on scientific and mathematical method where this whole expedition was concerned. Where his method could have been successful would have only come from the insertion of an agent provocateur into the core group to gather intel and report back those connections. Without that, the process which Aaron was trying would have yielded some data, but to sift through it all with interviews by the FBI and other agencies would have become ponderous and useless in the end.

It is my belief that there is a core group of Anon’s as I have said before. Simply from a C&C structure, there has to be an operational core in order for there to be cohesion. This can be seen in any hive structure like bees, there are drones, and there is a queen. A simple infrastructure that works efficiently, and in the case of anon, I believe it is much the same. So, were one looking to infiltrate this core, they would have a bit of a time doing so, but, it could be done. Take out the core, and you take out the operational ability of the unit as a whole to be completely effective. To do this though, one should be able to understand and apply the precepts of counter intelligence warfare, something Barr failed to grasp.

In the end.. It bit him pretty hard in the ass because he was in a hurry to go to press and to sell the ideas to the military industrial complex. Funny though, the real boys and girls of the spook world would have likely told him the same thing I am saying here… No sale.

Oh well… Arron Icarus Barr flew too close to the anonymous sun on wings made from faulty mathematical designs and burned up on re-entry.

K.

OH NOES! THE MACIP’s WEREN’T PROTECTED! I Told You, Th3j35t3r Told You, But Did You Listen? Noooo.

with one comment


The FBI has joined in the hunt for those who participated in the retaliation attacks against companies that cut off services to Wikileaks, executing more than 40 search warrants across the United States on Thursday, the bureau announced.

In what seem to be timed raids, British police arrested five men Thursday morning who allegedly participated in the Anonymous group’s denial of service attacks on Visa, Mastercard, Paypal and Amazon in mid-December. Anonymous was seeking to bring attention to — and punish — the financial-service companies’ decisions to prohibit donations to Wikileaks. Amazon was targeted after it kicked Wikileaks off its web-hosting service.

OH NOES! THE MACIP’s WEREN’T PROTECTED!

Right now, there are at least several thousand kids in underoo’s frantically shredding documents and trying to wipe hard drives because the Feds have finally put the hammer down on Anonymous’ little DDoS attacks on anyone and everyone they feel needs the attention. They thought they were immune, they were naïve…

“With Great Hubris, comes great repercussions” one might say.. Well, hell I just did huh?

The LOIC as I reported before (link to previous post) was and is a flawed tool. Its coding was such that it did nothing to even to attempt to hide the IP addresses of the users who were connecting to IRC and performing the DDoS. Now, partially I think there was a good bit of ineptitude in the programming, but, I would also say there was a greater bit of stupidity on the part of everyone involved in the blowback that they are seeing come to fruition with these search warrants being carried out.

The stupid, as I like to say as an noun, for it has its own power and life today, was immense and dense within the LOIC user base as well as the C&C of Anonymous for allowing it to be used by unsuspecting “skiddies” The Anonymous leaders, will not be fessing up so soon I think and making acts of contrition for those who are being popped for using LOIC and downing sites. For this, they are doubly damned in my book because they ostensibly know better and willfully let the kids out there take the fall for their desire of troops on the digital front line.

And… As tacticians, either you are geniuses or, you are just a bunch of #FAIL. I am not sure which it is really.

So, now the Feds have served 40 warrants. Do you think that your advice that I wrote about before of saying that the machines were infected with LOIC is going to play? Or do you maybe think that the gubment is just that dumb and will say “ok” and walk away? Or, do you see those skiddies all going to court, bankrupting their families, destroying their futures, and generally losing any hope of a normal life as just payment for playing the game?

I guess what I am getting at is this; Was this a calculated risk or were you all just dumbasses?

Now, let me posit another little tactical glitch in your plans.. What if, some of the 40 warrants were on people who actually know who you are? Or know someone who knows who you really are? I mean, you are all about being anonymous, but, you seem to have failed on that account lately a bit. So, do you think that these kids, parents sitting next to them in the “box” are not going to quickly roll on you or someone they know who knows you?

Lets put it this way.. You are thinking “shit, they don’t know me, they only know my MACIP or my Hotmail address!” *blink* So you think that you have been so super slick that you haven’t screwed up somewhere and tied your real identity to such things? Yeah, trust me, you fucked up and the Feds are going to find that chink in the armor. Its only a matter of time before I expect to see more headlines that read “Anonymous leaders arrested”

… And when that day comes, I am gonna chuckle and cluck my tongue at you all….

“The FBI also is reminding the public that facilitating or conducting a DDoS attack is illegal, punishable by up to 10 years in prison, as well as exposing participants to significant civil liability,” the FBI said in a press release. The FBI did not announce any arrests in conjunction with the searches.

See that cutline above? Yeah, that one saying that the FBI reminds everyone that it’s a crime to DDoS? Yeah, they kinda mean it. So, just how long will it be til  the 40 are arrested and arraigned? I dunno, but I can assure you, the PC’s have all been red flagged for the DOJ Cybercrimes lab and are likely already DD’d and being picked through as I write this. Oh yeah, you guys are fucked, fucked with a capital F. I also suspect that there will be more warrants being served on some more skiddies as February rolls by, so keep your eyes on the news kids. You may be seeing them knocking at your door on TV like a bad Geraldo Rivera show, LIVE!

Meh, it all matters not to you now. You all feel self delusionally empowered that you are making a difference with the LOIC…

Say, did you drop that whole other product that Jokey sabotaged your source on? I would if I were you, but wait, you aren’t that bright.. I mean, you couldn’t even protect your source from Jokey… Oh and BTW Jokey, WELL PLAYED! Props to you there even with our differences.

Where was I? … Oh yeah, the delusions of grandeur thing. You know that you are not solely the reasons for the things happening in Egypt and Tunisia right? Sure, there is an element I think on this idea that is true, but, you are not the “reason” for the revolts going on. Nope, they have been a long time in coming and frankly, one begets another. Egyptians looked at Tunisia in the news cycle and thought “FUCK! I am tired of the shit here, lets go protest!” and they have.

Let me tell you the secret kiddies, it’s not Twitter here, its BBC, Al-Jazeera, and other news sources on the radio that has incited these revolutions. Not you… Sorry. You see, that has been the history of the whole thing all along. Why do you think that revolutionaries take over the radio and TV stations first huh? They take command of the media to let the word out and stop the other guy’s propaganda to put their own out.

Wipe that spittle from the corner of your mouth and get your head off the school desk son! PAY ATTENTION!

I guess history escapes the new digital facey-space TMZ, Youtube generation… Anyway, back to the point. You are not playing the game well Anonymous. You are burning your troops and in the end, you will all get to see each other in court soon enough. You, like Assange, have become all too full of yourselves to realize that you are screwing the pooch and you are too blind to see it.

Next time you want a revolution.. Plan the security better.. AND for God’s sake read a little Sun Tzu!

EDIT It seems that my Alma Mater is now involved with the LOIC MACIP’S One of the morons at Uconn got popped as one of the 40 raids!

Derp Derp DURRR http://tinyurl.com/4p8bjkp

Krypt0s

Written by Krypt3ia

2011/01/29 at 11:24