Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Uncle Volodya’ Category

INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.

leave a comment »

“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”

(Dante Alighieri; The Inferno)

The current state of the Security “Industry”

It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions and the task to reach people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations)

Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have the high chance of it becoming industrialised. By saying something has been made industrialised, implies to many, the cookie cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.

Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor”  It’s a crap shoot really when it comes to goods and services for security solutions. The key is though, to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.

Often its the simple things that allow for complete compromise.. Not just some exotic 0day.

So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases are directly lifted from the white papers or interviews with key players from those said same companies seeking dollars. It is all this white noise that some now, are lamenting and wondering just how do we reign things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”

Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.

“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”

(Shakespeare; MacBeth)

Security Joan of Arc’s and their Security Crusade:

Joan De Arc was a woman ahead of her time. She wore men’s clothing and lead the French in battle against the English and to victory, all as a teen girl. She later was burned at the steak for heresy and just recently made a saint many years later. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”

Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practices (complex passwords, patching effectively, etc) They (the client) see these things as impediments to their daily lives, their bottom lines, and their agenda’s both personal and corporate. There are many players here, and all of them have agenda’s of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.

Here’s a bit of a secret for you.. The more ardent you seem, the more likely you will be branded a “Joan” The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo.. After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.

Think Richard Clarke (I heard that chuckle out there)

Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the steak. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without of course literally being burned at the steak and you all must learn this. I think you have to take a page from the hackers playbook really and use the axiom of being a “Ninja”

The subtle knife wins the battle.

 

“If the Apocalypse comes, beep me”

(Joss Whedon;Buffy the Vampire Slayer)

What’s the worst that could happen really?

The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we would like them to practice as security evangelists. The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.

Its the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but, that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties) In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles… Even though a month before a report was handed out with that very scenario on the cover.

The core of the idea is this. Human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us” We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to insure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life of death deal breakers.. Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem” So, these things are usually not too important to them unless that person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.

So, on they go.. About their business after you, the security curmudgeon has told them that they need to store food for the winter..

But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.

 

“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.

(John W. Vessey, Jr.)

How do we communicate and manipulate our elephants?

Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.

  1. The whole Joan of Arc thing above
  2. The languages we speak are.. Well.. like Tamarian and theirs are corporate speak.

We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think;

“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”

So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it.. Admit it.. It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, so it would be best to prepare and fight against them.

So, how do we communicate with these people and get them on the same page?

I have no answers save this;

“Some get it.. Some don’t”

That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems.. You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.

“The greater our knowledge increases the more our ignorance unfolds”

(John F. Kennedy)

The Eternal Struggle

There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..

Eventually.

All you can do sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.

K.

Spies Among US

leave a comment »

First of all, when it comes to espionage, nothing in Russia has changed. After all, the real leader of Russia, Vladimir Putin, was as a career KGB agent who came up through the ranks, and not by exhibiting democratic principles but rather by being a steadfast believer in communist ideology and the especially harsh methods of the Soviet regime with which we are all familiar. In fact, let’s not forget, no one presently in a senior leadershipposition in Russia came up through a nursery of democratic institutions, but rather through the vestiges of Stalin, Kruchev, Andropov, the NKVD and the KGB. Putin, true to his breeding, has surrounded himself with trusted KGB cronies who believe as he does at all levels. So don’t expect anything less from Russia than what they are: not our allies. The KGB had illegals in the United States under the Soviet system and the SVRstill does, according to most experts, under the Russian Federation. How many are here? No one knows, but one thing we can be sure of, this is one of their favored ways to penetrate a nation and have a presence there and they are not giving up on this technique.

But why you ask? After all, the Russians have satellites and they can intercept communications and break codes. Yes and more. However, the one thing that Russian intelligence will always rely on is a backup system to their technical expertise in case of war (hostilities). They always want to have a human in the loop who can have access to information and more importantly to other humans.

You see, an illegal that passes as an average American, can have access to things no satellite, phone intercept or diplomat can have access to—every day things, such as a car, a home, a library, neighborhood events, air shows on military bases, location of fiber cables, access to gasoline storage facilities, a basement to hide an accomplice, a neighbor’s son serving in the military, and so on. If you think like an intelligence officer, then you realize in an open society it’s possible to obtain a lot of information. A mere walk in a neighborhood on a Saturday morning can give you access to vehicles parked at a garage sale that have stickers from government installations or high tech companies doing research. These individuals can be tracked or befriended. Neighbors often watch each other’s houses and may even have keys, which give an intelligence officer access to the house, or a car, or a gated community. They get invited to parties, meet people and gain access to individuals with knowledge, influence or information. And that is only the beginning.

Full article HERE

The above is a snippet from a Psychology Today article by a former FBI spycatcher. I bring it to you to perhaps clarify some of the news out there and maybe give some ancillary corroboration to the things I have been saying all along about the 11, now 12 “illegals” that were caught and so quickly deported recently.

It was surprising to see just how many people thought that since the Sov Bloc was gone that the new Russia would be spying on little ol’ us. I guess this says more about our culture than it does about theirs really. Just as the author says above, the Russians still have the “strong man” mentality inculcated within their culture and they are led by none other than Vladimir Putin, KGB down to his boxers… And still in charge. So why would it be so inconceivable that the Russians would have such illegals programs as well as other NOC operatives in country? Its certainly the case and always has been. It’s just that the people of the US are too busy thinking about the latest episode of the Hills instead of perhaps geopolitics huh.

Geopolitics and history aside, the article brings out a key point that I have made on more than a few occasions. HUMINT is ery important. This is something that we learned post 9/11 and have been trying to fix since we fucked it all up back in the 90’s (Sorry Bill Clinton) by reducing the HUMINT capabilities of the likes of the CIA in favor of technological means of spying (ala the NSA) We went too far in the other direction and got caught with our pants around our ankles because we did not have a man on the ground to give us good intel on the 19.

Then we have the 12 illegals pop up… and everyone is surprised that the Russians are spying on us as well as amazed at the old school tradecraft that they are using.

How antiquated…

Antiquated and still quite functional boys and girls.

Expanding it further out though, you can see in the passage that I like the most that;

If you think like an intelligence officer, then you realize in an open society it’s possible to obtain a lot of information. A mere walk in a neighborhood on a Saturday morning can give you access to vehicles parked at a garage sale that have stickers from government installations or high tech companies doing research. These individuals can be tracked or befriended. Neighbors often watch each other’s houses and may even have keys, which give an intelligence officer access to the house, or a car, or a gated community. They get invited to parties, meet people and gain access to individuals with knowledge, influence or information. And that is only the beginning.

THIS is a key thing to pay attention to. Once you are in, you have so much access that you really don’t need all of the arcane spy vs spy stuff to get what you really want here. The illegals were a foothold group sent to burrow in and make lives so they could gather data and make friends. They would be, in states of serious distress between the countries, “inside men” the fifth column to attack the enemy from the inside… Say, does this remind you of anything going on recently? Say, oh Jihadi’s recruiting US citizens for Jihad?

Yep.

Situational Awareness is key.

The Consultant Was a Spy

leave a comment »

Heathfield was also pitching a software program he claimed to have developed, called FutureMap. He described it to sources and in writing as a program that would reside on a company’s internal computer network. Users could plug in variables such as election results and technological breakthroughs to see how events might affect their businesses and future strategies. A screen capture of FutureMap shows a timeline tracking events over the course of many years in a variety of categories, including “Energy and Environment” and “Medicine & Biogenetics.”

Sources who met with Heathfield about FutureMap now believe the software could have been used to steal corporate information and send it back to Russian intelligence officials without the companies’ knowledge. . . . . . Sources were unnerved by how sophisticated and polished Heathfield’s pitch was. If not for the FBI’s intervention, one source speculated, Heathfield could have made a successful sale, installed the software, and started sending information home. “If he had a few more customers and better marketing, he could have really pulled off something tremendous.” . . . .

Full article here:

Back when I was a road warrior for IBM, many people who knew me (friends and family) actually half thought that I was not an IBM employee, but some kind of spook. I have to admit that due to the nature of what I was doing I couldn’t really talk about exactly what I was doing, but I could tell them I was here or there etc.. Unlike real spooks. In the case of Heathfield, well, he turned out to be a real spook and gee, look at that, he was a self branded “consultant” whod’a thunk it huh?

The fact is that the CIA often uses NOC agents in the role of consultants or reps for “front companies” or even legit companies as a cover for their NOC (Non Operational Cover) identities or “legends” They go into places under the guise of business like an Oil company that may in fact be the target of their collection activities. It’s an old trick and it always will be the case, there is nothing new here save that this guy was in fact perhaps peddling software that was pre-pwn3d and could tunnel the “clients” data out to mother Russia. A rather nifty idea really but again, nothing new.

So, won’t you now look on the new consultant as not only perhaps a Bob (oblique Office Space reference) but also maybe the next corporate spy?

THIS is what should happen but I am sure will not. You see, the vetting process for employing people oftentimes is too weak if at all in place at companies. All too many times people do not check references nor do they do the criminal background checks on new hires or prospectives. Never mind the fact that most of the time its easy enough to get onto a corporate facility with faked credentials or none at all and gain access to data, terminals, hardware etc. Hell, just how many places have a separate vlan or drop for internet access for visiting consultants or perspective clients?

Put it this way.. Can anyone just plug in and get a DHCP address on your network? If they can, well game over man.. Even more so if you have a weak AP system for wireless (can you saw WEP?) So that “consultant” whether or not they are meant to be there or have just socially engineered their way into the building may already be on your network and tunneling out gigs of data as you read this…

So one of them turned out to be a real bona fide Russian illegal WOOO HOOO! Worry about all the others out there from ever other land as well as corporate entity looking to steal your shit.

Pay attention! So can the DHL Guy, the I.T. Guy, The Mail Man, The Temp, The Plumber, Janitor, etc etc etc…

CoB

Russian Kulturny: Espionage Old School Meets the New Tech Comrade

with one comment

But many things shown even in bad movies are unfortunately true: Yes, the Russians like to wear fur hats, drink vodka, eat caviar, take pretty girls to the sauna. And, apart from some modern innovations like ad hoc networks, burst transmissions and steganography, the old proven tradecraft is pretty much the same. It is good and it normally works well (except in cases, when somebody is already being shadowed – then nothing works).

Boris Volodarsky: Former GRU Officer

Los Illegals.. Comrade…

With all of the hubub over the capture of the illegals, and of course all the rattling on about the “swallow” known as Anna Chapman, one has to cut through the dross to get to the real importance of the story. The fact is, that though the wall has fallen (long ago) and W looked into the “soul” of ol’ Pooty Poot and saw teddy bears and rainbows, the reality of it is that the “Bear” never went away or to sleep.

We are still a target, a rather rich one still, for collection of intelligence as well as corporate IP as Putin has pointed out in statements he has made over the years. It was Putin who actually said that Russia needed to step up its game in industrial espionage (I am paraphrasing) and created the means to do so within the new FSB *cough* KGB. This type of infiltration in hopes of collection never went away and I suspect that even with out own dismantling of the HUMINT departments of CIA, we still had a reasonable amount of assets and agents within Russia as they transitioned from the Sov bloc to today’s powerhouse of malware and Russian Mafia run state apparatus.

So, while reading all the news sites, it became clear to me that people really do not have a grasp of the realities surrounding the nature of espionage today. Everyone thinks that its all shiny technologies and protocols within the hacker scene that the next gen of spies are using and that old school techniques called “tradecraft” are outdated and useless.

Nope… It’s not just that. This is said rather well here by Boris again:

The public and writers alike do not really realise that this is NOT a film — a very large group of very experienced FBI agents and watchers spent a very considerable sum of taxpayers’ money and plenty of time to uncover a REAL group of the Russian undercover operators who brazenly operated in the United States, as they had been absolutely sure that no one would ever catch them because their education, training, intelligence tradition, and the belief that the wealth of the country behind them is much superior than the FBI. They forgot that the FBI of 2010 is much different from the Bureau of the 1950s.

It is highly likely that these agents were outed by a defector back in the 90’s. The defector was a Directorate S operative who worked within the UN in the NYC area and it is possible that he gave up the program. The FBI then was tasked with either finding them all blindly, or, they had at least one couple in their sites and steadily built their case by watching the illegals to get at their handlers. You see, the same logic applies to the FBI as does the perception of the KGB. The FBI is seen as slow witted and usually in the media, the blue sedan with guys in suits and sunglasses inside watching you ever so not subtly.

This is not necessarily the case as has been seen in some areas of the FBI’s counterintelligence unit. They really can do a good job at surveillance and counterintel collection.. They are not as bumpkin as they used to be in the 50’s… Nor the 80’s for that matter. Unfortunately though, it really took the Hanssen’s of the world to force them to be better.. But I digress..

Why Were They Here?

I think that there has been a basic misunderstanding in the press and the populace from reading poor press reports on the nature of the “illegals” program. Yes, they were tasked at times with getting data that could be readily available through open source (OSINT) channels such as the news or Google. However, their main task was to insert themselves into our culture, economy, and social strata in order to get “at” people of interest. Basically they were talent spotters.

These people got on to Linkedin and other social networks for the exact reason of making friends and gaining access to those who might be “of use” later on for their handlers and masters. They were facilitators really. You see, like the whole Robin Sage affair that is ongoing now, these folks already knew about the vulnerabilities within social networking and the social nature of human beings from the start. They were trained on this by the SVR and its not something that common people tend to think about. This is where the hacker world and the spy world meet (well they meet in many other places too but go with it for now) The hackers take advantage of the same flaws in our “systems” (cognitive as well as technical) to get what they want.

In this case, these illegals actually did gain some traction and some had access to potential sources that I think, had yet to be plumbed. Perhaps they were getting close to someone and this is what tripped the arrest cycle. Perhaps there are other more arcane reasons for that… As you may be seeing now that there is a prisoner swap with Russia in the works. Once again I direct you to Boris’ comments on their aegis:

What Russian intelligence in striving to get is secret information (political, economic, industrial, military, etc) and have a chance to influence decision-making and public opinion in favor of Russia. This is why agents are recruited or penetrated into sensitive or politically important targets.

The role of illegals is threefold:

  1. to act as cut-outs between important sources and the Centre (directly or via the SVR station);
  2. to serve as talent-spotters finding potential candidates for further intelligence cultivation and possible recruitment (a rather long and complex process, where the illegals only act at its early stage); and
  3. to establish the right contacts that would allow other intelligence operators (members of the SVR station) or the Centre (visiting intelligence officers under different covers, journalists, diplomats or scientists tasked by the SVR) to get intelligence information and/or receive favors that the Centre is interested in.

These illegals are really, like I said, facilitators for the real spies that are sent to our shores.They were practiced in the old school tradecraft of spying and were they not already under surveillance, they may not have been noticed at all by our counterintelligence services. Which brings me to another issue with all the reporting on this espionage round up.

Tradecraft VS High Tech Espionage:

As mentioned by Boris, the tradecraft angle is not only history for the SVR, KGB, or the GRU. Much as I believe that it is still in play for ALL of the intelligence services throughout the world. These practices are tired and true. They have been used to great effect by all spies and only are really heard about in books, film, or news stories like the ones today when the spies were busted.

Since the days of 007 on the screen, we have seen the Q branch and all their toys as a high profile part of “spying” when in reality there is some of that (see H. Kieth Melton’s books) but mostly, it has been the old school that has won the day for spies. The use of things like a Shortwave radio and a “One Time Pad” are still used today because they cannot easily be broken. The use of rapid burst radio transmissions too was a bit of a shock to me in the current case, but once I thought about it, the use of a rapid burst to a local “rezidentura” makes a lot of sense given the amount of RF we have placed into our landscape today. It would easily be lost in the noise and thus, a good way to go about secret communications.

Meanwhile, the use of “Brush Passes” “Chalking”, “Pass Phrases” and other old school techniques for communicating and passing intelligence never have lost their usefulness. Just because one can create an email dead drop on Gmail today pretty easily, does not infer that it is at all safer than meeting someone on the park bench, or leaving a postal stamp on a kiosk as a marker that “somethings up” These things hide within the static of every day life and often, because of “situational awareness” levels, go totally un-noticed. The other means via the “technology” of today’s internet is more circumspect because of so many factors. One of the primary of those being the hacking and cyberwar issues that are ongoing.

Even today, the news is full of “Perfect Citizen” an uber protection plan and technology that the NSA wants to use to protect the national infrastructure. How will it do this? By monitoring ALL of the traffic that it can and look for anomalous behavior. As the technology becomes more prevalent so too are the chances of your secret communications being discovered. It made sense that given the NSA’s power, the illegals and the SVR decided that old school was still the best bet. It was however, that the more technical approaches (i.e. netbooks, crypto, and adhoc networks) failed them, only proving my hypothesis above.

As an aside to LizzieB, the old bury the money under or near the bottle thing.. It still does work *heh*

The Final Analysis:

Much has yet to be told about these illegals as well as the reasons why this group was busted 10 years later. Why now? Why this sudden trade for spies? What tipped the FBI off to these spies in the first place? Was it indeed the defector I spoke of? We may never know. What we can deduce though, is this:

  • Spies never went away
  • Spies aren’t just stealing IP from corporations
  • Hey you, you with the access to the important people… You are a target
  • Technology does not always win the day, sometimes it is the weakest link
  • We have not seen the last of the SVR, KGB, Mossad, MI5 etc etc…
  • Russian spies do like their Vodka and sauna’s but they aren’t all Boris and Natasha caricatures

A full text of the cited Boris interview can be found HERE

CoB