Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Wag The Dog’ Category

THE IRANIANS ARE KNOCKING! THE IRANIANS ARE KNOCKING!



XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

There are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say, we know there are some things we do not know.
But there are also unknown unknowns – the ones we don’t know we don’t know.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

“Mandrake, come over here, the Redcoats are coming!”

THE IRANIANS ARE DDOS’ing OUR BANKS! UNCLE FRED CAN’T SEE HIS BANK ACCOUNTS OH THE HUMANITY!

The hue and cry over the DDoS that has been taking place since the summer on certain banks has been increasing over the last week and of course the secret squirrels and the hangers on who want to sell their wares and stories have been rife on the mainstream media. Of course the likes of Droopy Dawg (former Senator Lieberman) have also been making the rounds at podiums near you droning their dire warnings that Iran is double secretly “out to get us with cyber attacks”.

Several of my contemporaries have posted articles this week pointing out that the emperors all have no clothes on and yet, only within this small verse known as the INFOSEC community am I seeing this fact being leveled at all. It’s sad really that we the community in the know should be so marginalized by the media because we do not take the party line. Thusly the truth of the matter never reaches the unwashed masses and they live on in mortal fear and loathing over the great Muslim Shaitan that is Iran.

For us in the know though, we can only continue to say “No, that’s not what’s happening” to those who will listen or yell it out as I am here once again on my screed… Uhh.. I mean blog. Sad but true as well as for me at least cathartic to at least yell in ALL CAPS for a while. I feel better usually after a good screed here…

But I digress…

“What difference does it make if it’s true? If it’s a story and it breaks, they’re gonna run with it.”

Truth is something that media outlets and the government tell you they are giving you but really are they? In the case of the DDoS attacks on the banks there is no solid evidence as to any kind of attribution of who is doing it. This however has not stopped “government sources” and certain secret squirrels within the INFOSEC community *cough VENDORS cough* who are more than willing to tell you that it’s GOTTA be Iran. Why? Well… Because.. IRAN DAMMIT! That’s about the sum of it right there. It is so because they say it is, we don’t need no stinkin proof or anything do we?

Now, had any of these people made the caveat that there is no real proof of this but my gut says it’s Iran, that’d be ok but then again really? Really? That’s going to be an answer? If there is no proof then you say that there isn’t any and that you CANNOT say who did it. It’s simple really but instead we get the Iran angle because that is the party line for the saber rattling du jour right? Who am I kidding though right? After all according to Karl “Turdblossom” Rove back in the Bush administration “we make the reality” right? So the reality is, since it’s on the news and the secret squirrels have told us on background, that Iran is HACKING OUR BANKS!

*chuckle*

Hacking.. Ugh, that’s another issue altogether. The nomenclature is completely ignored by the media and the masses just eat it up because it has the word “hack” in it and that is god damned scary! Never mind that the DDoS really isn’t that harmful to anyone. Honestly, DDoS of the banks does not mean that they are down for the count. Sure they will lose some revenues while the sites are down but this is no nuclear strike or massive hack on the banking system that siphons trillions of dollars to Swiss accounts ala Dr. No. It’s all really much ado about nothing yet it is being flogged for the masses in what one assumes is a preparatory campaign against Iran and nothing more.

“Can’t have a war without an enemy…You could have one, but it would be a very dull war…”

So yeah Iran is a repressive authoritarian theocratic government that treats its people poorly and seeks to engender itself as powerful to the global scene. They do have some technological know how and they are fixin on getting them some revenge but is a DDoS really going to be their raison d’etre? Think about it isn’t it laughable as a serious attack? Sure Anonymous does it but that isn’t all they have been doing right? THEY have actually been HACKING!

Good lord! I mean c’mon people! If you are gonna frame up Iran for some cyber shit at least do it with some serious hacks against corporations or infrastructure!! Oh, wait, I know, if they were to really do that then there’d be some real reasons for action right? Then perhaps the people might ask if what they are being sold is the truth or not right? Ahh that must be it right there huh? Just some DDoS, pay no attention, it’s not the end of the world.. Oh and IRAN IRAN IRAN CYBER CYBER CYBER!

*subliminal fear images flash across the screen as Anderson Cooper looks sternly into the camera*

Derp derp derp… So yeah, the government needs an enemy and attribution is soooo hard! It’s Iran.. No doubt about it. No, really, it’s a really complex attack! I mean no ordinary group of hackers or security folks could do this kind of thing! Well, except for those guys who have bitcoins and go to the darknet and rent some botnets.. Wait.. SHHHH… It’s IRAN! It HAS TO BE IRAN! IT’S A NATION STATE DDoS!

*takes drag on cig and looks through wayfarers*

You people make my ass twitch…

No no no no no, fuck freedom.

So once again we are left with the media not taking the full measure of things and that even includes NPR which had a report this week that nearly gave me an aneurysm. Brian Krebs told me yesterday in fact that he declined an interview/comment on this because they were not really willing to hear the truth about this. By the way Brian KUDOS to you man. YOU are my new hero! I presume that others who lack a certain moral ethical compass will be blathering every chance they get and those people should be publicly taken to task for their perpetuation of this farce.

Of course others like Jeff Carr have been a voice of sanity on NPR and elsewhere in the past but you know what? Jeff’s logic and truth doesn’t make for bleeding headlines that will draw clicks for ad revenue will it? Marginalize those who tell the truth that is too dull to sell ad space is the way of it today. So on it goes, the media drumbeat will continue saying that Iran is at the heart of every little cyber hiccup that we have from now on. Iran is in good company with China now. Hey, at least China isn’t alone! Now China can just glibly point at Iran and Mahmoud saying “It was them!” and surely many in the government and the media will say AH HA!

My friends we are doomed. The truth no longer matters and I suppose it hasn’t for some time. I am a dinosaur I suppose to believe that there are truths out there that should be told. Could Iran be behind the attacks by using proxy orgs? Sure. Do we have definitive proof? No. That’s all that needs to be said. That is of course not what we are getting from the government and media today though.

Hmm how long til Glenn Beck or O’Reilly are “Cyber Experts” I wonder….

K.

Written by Krypt3ia

2013/01/11 at 20:32

INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.


“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”

(Dante Alighieri; The Inferno)

The current state of the Security “Industry”

It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions and the task to reach people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations).

Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have the high chance of it becoming industrialised. Saying something has been industrialised implies, to many, the cookie cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.

Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor”. It’s a crap shoot really when it comes to goods and services for security solutions. The key is though, to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.

Often it’s the simple things that allow for complete compromise.. Not just some exotic 0day.

So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases, is directly lifted from the white papers or interviews with key players from those said same companies seeking dollars. It is all this white noise that some now are lamenting, wondering just how do we rein things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”?

Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.

“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”

(Shakespeare; Macbeth)

Security Joans of Arc and their Security Crusade:

Joan of Arc was a woman ahead of her time. She wore men’s clothing and led the French in battle against the English and to victory, all as a teen girl. She later was burned at the stake for heresy and just recently made a saint many years later. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”.

Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practiced (complex passwords, patching effectively, etc). They (the client) see these things as impediments to their daily lives, their bottom lines, and their agendas both personal and corporate. There are many players here, and all of them have agendas of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.

Here’s a bit of a secret for you.. The more ardent you seem, the more likely you will be branded a “Joan”. The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo.. After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.

Think Richard Clarke (I heard that chuckle out there)

Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the stake. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without of course literally being burned at the stake and you all must learn this. I think you have to take a page from the hacker’s playbook really and use the axiom of being a “Ninja”.

The subtle knife wins the battle.

 

“If the Apocalypse comes, beep me”

(Joss Whedon; Buffy the Vampire Slayer)

What’s the worst that could happen really?

The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we would like them to practice as security evangelists. The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.

It’s the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but, that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties). In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles… Even though a month before a report was handed out with that very scenario on the cover.

The core of the idea is this. Human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us”. We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to ensure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life or death deal breakers.. Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem”. So, these things are usually not too important to them unless that person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.

So, on they go.. About their business after you, the security curmudgeon has told them that they need to store food for the winter..

But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.

 

“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.”

(John W. Vessey, Jr.)

How do we communicate and manipulate our elephants?

Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.

  1. The whole Joan of Arc thing above
  2. The languages we speak are.. Well.. like Tamarian and theirs are corporate speak.

We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think;

“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”

So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it.. Admit it.. It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, so it would be best to prepare and fight against them.

So, how do we communicate with these people and get them on the same page?

I have no answers save this;

“Some get it.. Some don’t”

That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems.. You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.

“The greater our knowledge increases the more our ignorance unfolds”

(John F. Kennedy)

The Eternal Struggle

There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..

Eventually.

All you can do, sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.

K.

The Lulzboat Sailed The Internets and All I Got Was This Stupid Garbage File!


That’s it? All we get is this stinkin garbage file?

Well, it seems that the Lulz are over for now as last night saw the Lulzboat sail into the sunset. In a post on twitter and a rapidly seeded file dump on Pirate Bay, the LulzSec collective decided to hang up their tophat claiming that they were basically going to pull a Costanza at the top of their game.

Within the torrent file the following parting words were sent:

Friends around the globe,

We are Lulz Security, and this is our final release, as today marks something meaningful to us. 50 days ago, we set sail with our humble ship on an uneasy and brutal ocean: the Internet. The hate machine, the love machine, the machine powered by many machines. We are all part of it, helping it grow, and helping it grow on us.

For the past 50 days we’ve been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others – vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy. It’s what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures. You are not failures. You have not blown away. You can get what you want and you are worth having it, believe in yourself.

While we are responsible for everything that The Lulz Boat is, we are not tied to this identity permanently. Behind this jolly visage of rainbows and top hats, we are people. People with a preference for music, a preference for food; we have varying taste in clothes and television, we are just like you. Even Hitler and Osama Bin Laden had these unique variations and style, and isn’t that interesting to know? The mediocre painter turned supervillain liked cats more than we did.

Again, behind the mask, behind the insanity and mayhem, we truly believe in the AntiSec movement. We believe in it so strongly that we brought it back, much to the dismay of those looking for more anarchic lulz. We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us. The support we’ve gathered for it in such a short space of time is truly overwhelming, and not to mention humbling. Please don’t stop. Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve.

So with those last thoughts, it’s time to say bon voyage. Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.

Thank you for sailing with us. The breeze is fresh and the sun is setting, so now we head for the horizon.

Let it flow…

Hrmmm.. 50 days? Is there any real significance to this other than perhaps the party van was pulling up outside your doors and you had to dump the garbage file quick like? Honestly, the files that you dumped, sheer numbers of passwords and logons to a few sites aside, are, well, kinda weak. In short, there is nothing revelatory here. I mean, jeez at LEAST the garbage file in the movie had some interesting malware shit in it right?

The Files:

So, we have some AT&T data from inside that cover some frequency ranges, and some manuals, minutes from meetings etc that are kind of interesting. There is a scan of the FBI.gov site that shows a vuln, and they managed to add Pablo Escobar to the Navy jobs database.

Whoopee.

All in all I have to give the Lulzsec crew a big “MEH” on this as well as their other dumps really. Sure, they have pointed out that low hanging fruit is abundant on the internet, but, really, who in the security or hacking world did not know this? Furthermore, what does the average everyday end user care? I mean, if their passwords are stolen, they will reset them. If their money is stolen they are insured by the Fed… Is there a great hue and cry from the masses because Lulz were had by the general populace to have the Lulzboat crew hoisted on the yard arm?

Not that I have seen.

In short kidz, you have only served to amuse yourselves and others out there but if you had anything else in mind about bringing change to the scene, I don’t think you have succeeded. People are creatures of habit and sloth. Short of taking the whole system down for the count, nothing will be so epic as to make corporations secure their networks and perform due diligence. Those who have done so out of worry because of your antics will go back to their peaceful Luddite slumber.

Leaving So Soon?

So, on to your sudden departure from the scene. I have the feeling that as I had written about before, you were coming to realize that perhaps you could never be as clever or wily to evade detection and prosecution given your penchant for the dramatic you all seem to have. Your propaganda machine and communication channels were leaking, this you could see from the A-Team dumps.

You guys have tried variations of your names, you have attempted to obfuscate as much as you could, but, in the end, your re-use of favored screen names was your undoing. You see, the jester has been scouring the internet (I am sure with help from others) looking for any connections to those screen names or iterations thereof. I myself have done this and came up with analogous data to what jester and others have posted. With each successive day, your true identities are being uncovered if they have not fully been as of now.

However, this re-use of nick names and ties to email addresses aside, you guys just were immature enough to do yourselves in with petty disputes and the use of non trustworthy assets. This whole outing of each other thing was one of the most stupid things I have seen. Sure, some of it could be digital chaff, with you trying to set out disinformation, but I think that is not the case. Your own hubris shall be the thing that ends up placing the party vans on your collective front steps.

Let’s face it, you played the game of spooks and I think in the end, you will lose. In fact, I think that you should probably have been better off had you just gone off seeking some sharks with frikkin lazers on their heads in your volcano lair instead of playing with the fire that you have been. Once they do pop you, you all are going to see some very interesting things inside jail as the governments kluge together terrorism charges on you.

Your Legacy:

Well, I guess we will have to see if anyone decides to take up the Lulzsec mantle. For now, we all await the party van posse to pick you all up sooner or later. You have spawned some more fools though like Team Poison who want to up the ante with releases of data like old Tony Blair stuff… That was kinda lame too frankly and made no sense when they claimed to still have access.. Why dump what you have and then claim to still have access? If it was current, I am pretty sure they have yanked the plug on that mail server and ‘five’ has it.

Oh, did you take that into account? I mean, he is Tony Blair after all… They are MI5… ‘Expect them’

So where was I?… Oh yeah..

In all of your dumps you delivered nothing worth your or our time. You proved a point that SQLi is prevalent but who didn’t know this? You have proved that you were pretty immature and likely suffer from Asperger’s yourselves… Well that will be the claim that your lawyers make to the judge won’t it huh? I mean that is the mental illness du jour as excuses go for immature hacking antics today isn’t it? I don’t think that will work though, the government just doesn’t care, they will medicate you and then put you on trial. You see Asperger’s is not a form of insanity, and the insanity plea, as some of us know, is NOTORIOUSLY hard to use as a defense in court. Nope, you guys really actually suffer from inflated egos and too much jolt cola.. That’s my diagnosis, for what it’s worth.

So, yeah, legacy… Well, you certainly have tried to do your best imitation of SPECTRE, but instead you came off as Bighead. I am sure there will be others following in your footsteps, but, in the end I don’t think you have launched a new SPECTRE.

Nope, I expect your real legacy will be the creation of more draconian laws by the government as a backlash to your antics. Laws that will make all our lives a bit less private and a lot more prone to being misused. I also expect that the lulz will continue, though at your expense once you are all caught and put into the pokey.

… And those lulz will also be epic fail.

K.

The Curious Case of Kellep Charles: A Ligatt Propaganda Story


On January 1st another “press release” came out over the Internet claiming that Kellep Charles, by all accounts a certified and serious individual in the information security world, had been appointed to the board of directors at Ligatt Security. On the Ligatt site as seen above in cached form (the page is now a 404 error) it names Kellep as a new member of the board. Now, this is nothing new with regard to people being touted as being added to the board. However, in this case, Kellep himself as others before, did not know that he was on the board as you can see by his surprise in a tweet below:

It seems that Kellep may have indeed offered to work with Ligatt to “clean up his image” but no sooner had he done this, than the Ligatt PR machine went into action and posted on the site and newswire that they had a new board member. What is most insidious here is that Kellep, as I said above is a multiply certified and seemingly above board member of the security community whose reputation could be sullied by working with Evans and Ligatt because of their misdeeds in the past. What’s more, it is VERY telling that Kellep states that he was willing to “advise” Ligatt to help “clean up their image”.

*blink blink*

Ok, Kellep.. Over here, camera 3… Yeah, umm I appreciate your wanting to help Greggy, but, now do you see the real trouble with Greg and his little company? I suspect you do now, but here it is again… He is a charlatan and a con man as well as a bully. He will use anyone and anything to get him to be the center of attention as well as become a wealthy player.

You have been duped and he has tried to play upon your good name to better his ignominious one in the community at large.

Sorry man.

So, now the clean up goes on. Ligatt has seemingly redacted the press release from the Internet (can’t seem to locate a prnewswire release, his usual propaganda tool) but what Ligatt fails to learn is the same thing that every teenage girl on the Internet learns post getting blitzed and naked for the camera; “There is no redacting everything from the Internet”. It’s out there buddy and there is no pulling this one back. This however brings up a key point in the Ligatt play book, and it is exceedingly relevant to today’s “wikileaked” world. You see, Ligatt is trying to pull his own version of 1984 by not only using classical propaganda routines, but also those of redaction and modern spin. The funniest thing though is that Gregory and Ligatt are so spectacularly BAD at it! With every “release” on PR news wire and elsewhere, Greg thinks that he can re-spin his Ligatt Security presence into what he perceives it to be in his own delusional world view;

That of a global juggernaut of computer security and that he is a player, a mover and shaker.

Oh Greggy… Polishing a turd will only get you a shiny turd.

As for Kellep, I am sorry that you got dragged into this whole mess. You do not deserve to be lambasted because of your kindness, but, here is the warning that might nudge you to keep your wits about you in this business. There’s a lot of snake oil salesmen out there and this guy is a prime example. So in future, if you decide that you want to give any counsel to Gregory, then I should think that that counsel be to come clean and really work toward being an “expert” instead of just playing one on TV.

If I see you at Shmoocon I will buy you a beer… Cuz dude, I think you’re gonna need one after this debacle is over.

*note* Stay tuned folks.. A new board member, John W. Jones (Martian Manhunter!), has been added to the esteemed list! I wonder if he knows? More to come….

EDIT! Hat tip to iAlbert who located a copy of the Press Release! See Greggy, you can’t redact the Intertubes!

CoB

Written by Krypt3ia

2011/01/05 at 15:03