(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Weaponized Code’ Category

Malware Wars!… Cyber-Wars!.. Cyber-Espionage-Wars! OH MY

with 2 comments


Flame, DuQU, STUXNET, and now GAUSS:

Well, it was bound to happen and it finally did, a third variant of malware that is ostensibly connected to the story that Mikko Hypponen posted about after an email he got from a nuclear scientist in Iran has come to pass as true. The email claimed that a new piece of malware was playing AC/DC “Thunderstruck” at late hours on systems it had infected within the labs in Iran. I took this with a grain of salt and had some discussions with Mikko about it offline, he confirmed that the email came ostensibly from a known quantity in the AEOI and we left it at that, its unsubstantiated. Low and behold a week or two later and here we are with Eugene tweeting to the world that “GAUSS” is out there and has been since about 2011.

Gauss it seems had many functions and some of them are still unknown because there is an encryption around the payload that has yet to be cracked by anyone. Eugene has asked for a crowd sourced solution to that and I am sure that eventually someone will come out with the key and we will once again peer into the mind of these coders with a penchant for science and celestial mechanics. It seems from the data provided thus far from the reverse R&D that it is indeed the same folks doing the work with the same framework and foibles, and thus, it is again easily tied back to the US and Israel (allegedly per the mouthiness of Joe F-Bomb Veep) and that it is once again a weapon against the whole of the middle east with a decided targeting of Lebanon this time around. Which is an interesting target all the more since there has been some interesting financial news of late concerning banks and terror funding, but I digress…

I am sure many of you out there are already familiar with the technology of the malware so I am leaving all of that out here for perhaps another day. No, what I want to talk about is the larger paradigm here concerning the sandbox, espionage, warfare, and the infamous if not poorly named “CyberWar” going on as it becomes more and more apparent in scope. All of which seems to be centered on using massive malware schemes to hoover data as well as pull the trigger when necessary on periodic digital attacks on infrastructure. Something that truly has not been seen before Stuxnet and seems to only have geometrically progressed since Langer et al let the cat out of the bag on it.

Malware Wars:

Generally, in the information security sector, when I explain the prevalence of malware today I often go back to the beginning of the Morris worm. I explain the nature of early virus’ and how they were rather playful. I also explain that once the digital crime area became profitable and firewalls became a standard appliance in the network environment, the bad actors had to pivot to generally tunnel their data from the inside out home through such things as a firewall. This always seems to make sense to those I explain it to and today it is the norm. Malware, and the use of zero day as well as SE exploits to get the user to install software is the the way to go. It’s a form of digital judo really, using the opponents strength against them by finding their fulcrum weakness.

And so, it was only natural that the espionage groups of the world would turn to malware as the main means of gaining access to information that usually would take a human asset and a lot of time. By leveraging human nature and software flaws it has been a big win for some time now. I was actually amused that Henry Crumpton in the “Art of Intelligence” talks about how the CIA became a very early adopter of the network centric style of warfare. I imagine that some of the early malware out there used by spooks to steal from unprotected networks was CIA in origin and in fact that today’s Gauss probably has some relatives out there we have yet to see by people who have been doing this for some time now and we, the general public had no idea.

Times change though, and it seems that Eugene’s infrastructure for collecting data is creating a very wide dragnet for his people to find these infections and then reverse them. As we move forward expect to see more of these pop up, and surely soon, these will not just be US/UK/IL based attempts. Soon I think we will see the outsourced and insourced products of the likes of Iran and other nation states.. Perhaps we already have seen them, well, people like Mikko and Eugene may have at least. Who knows, maybe someday I will find something rooting about my network huh? Suffice to say, that this is just the beginning folks so get used to it.. And get used to seeing Eugene’s face and name popping up all over the place as well.. Superior showman that he is.

An Interesting Week of News About Lebanon and Bankers:

Meanwhile, I think it very telling and interesting as we see the scope of these malware attacks opening up, that not only one or two countries were targeted, but pretty much the whole of the Middle East as well. Seems its an equal opportunity thing, of course the malware never can quite be trusted to stay within the network or systems that it was meant for can we? There will always be spillage and potential for leaks that might tip off the opposition that its there. In the case of Gauss, it seems to have been targeted more at Lebanon, but, it may have been just one state out of a few it was really meant for. In the case of Lebanon though, and the fact that this piece of malware was also set to steal banking data from that area, one has to look on in wonder about the recent events surrounding HSBC.

Obviously this module was meant to be used either to just collect intelligence on banking going on as well as possibly a means to leverage those accounts in ways as yet undetermined by the rest of us. Only the makers and operators really know what the intent was there, but, one can extrapolate a bit. As terror finances go, the Middle East is the hotbed, so any intelligence on movement of money could be used in that light just as well as other ways to track the finances of criminal, geopolitical, and economic decisions being made there. Whether it be corporations or governmental bodies, this kind of intelligence would be highly prized and I can see why they would install that feature on Gauss.

All of this though, so close to the revelations of HSBC has me thinking about what else we might see coming down the pike soon on this front as well. Cur off the funding activities, and you make it much harder to conduct terrorism huh? Keep your eyes open.. You may see some interesting things happening soon, especially given that the Gauss is out of the bag now too. Operations will likely have to roll up a bit quicker.

Espionage vs. Sabotage vs. Overt Warfare of Cyber-Warfare:

Recently I have been working on some presentation stuff with someone on the whole cyberwar paradigm and this week just blew the lid off the whole debate again for me. The question as well as the rancor I have over the term “Cyberwar” has been going on some time now and in this instance as well as Stuxnet and Flame and DuQu, can we term it as cyberwar? Is this instead solely espionage? What about the elements of sabotage we saw in Stuxnet that caused actual kinetic reactions? Is that cyberwar? If there is no real war declared what do you term it other than sabotage within the confines of espionage and statecraft?

Then there is the whole issue of the use of “Cold War” to describe the whole effect of these operations. Now we have a possible cold war between those states like Iran who are now coding their own malware to attack our systems and to sabotage things to make our lives harder. Is that a war? A type of war? All of these questions are being bandied about all the while we are obviously prosecuting said war in theater as I write this. I personally am at a loss to say exactly what it is or what to term it really. Neither does the DoD at this point as they are still working on doctrine to put out there for the warriors to follow. Is there a need for prosecuting this war? It would seem that the US and others working with them seem to think so. I for one can understand the desire to and the hubris to actually do it.

Hubris though, has a funny way of coming back on you in spectacular blowback. This is my greatest fear and seemingly others, however, we still have a country and a government that is flailing about *cough the Senate cough* unable to do anything constructive to protect our own infrastructure even at a low level. So, i would think twice about the scenarios of actually leaking statements of “we did it” so quickly even if you perceive that the opposition has no current ability to strike back.. Cuz soon enough they will. It certainly won’t be a grand scale attack on our grid or telco when it does happen, but, we will likely see pockets of trouble and Iran or others will pop up with a smile, waving, and saying “HA HA!” when it does occur.

The Sandbox and The Wars We Are Prosecuting There by Malware Proxy:

Back to the Middle East though… We have been entrenched in there for so so long. Growing up I regularly watched the news reports about Lebanon and Israel, Iran and the hostages, Iraq, Saddam, Russian Proxy wars via terrorism, Ghadaffi and his ambitions as well as terror plots (which also hit close to home with the Lockerbee bombing) You kids today might think this is all new, but let me tell you, this has been going on for a long long time. One might even say thousands of years (Mecca anyone? Crusades?) So, it’s little wonder then that this would all be focused on the Med.

We are conducting proxy wars not only because of 9/11 but also economic and energy reasons as well. You want a good taste of that? Take a look at “Three Days of the Condor” a movie about a fictional “reader” for the CIA who stumbles on to a plan to disrupt governments in the Middle East to affect oil prices and access. For every person that said the Iraq war and Afghanistan wasn’t about oil, I say to them look at the bigger picture. There are echoes there of control and access that you cannot ignore. Frankly, if there wasn’t oil and money in the region, I think we would have quite a different story to look on as regards our implementing our forces there.

So, with that in mind, and with terrorism and nuclear ambitions (Iran) look at the malware targeting going on. Look at all of the nascent “Arab Springs” going on (albeit really, these are not springs, these are uprisings) we have peoples who want not to live under oppressive regimes not just because they aren’t free to buy an iPhone or surf porn, but they are also oppressed tribes or sects that no longer wish to be abused. All of this though, all of the fighting and insurgency upsets the very delicate balance that is the Middle East. Something that we in the US for our part, have been trying to cultivate (stability) even if that stability came from another strongman that we really don’t care for, but, who will work with us in trade and positional relevance to other states.

In goes the malware.. Not only to see what’s going on, but also to stop things from happening. These areas can be notoriously hard to have HUMINT in and its just easier to send in malware and rely on human nature to have a larger boon in intelligence than to try and recruit people to spy. It’s as simple as that. Hear that sucking sound? That’s all their data going to a server in Virginia. In the eyes of the services and the government, this is clearly the rights means to the ends they desire.

We Have Many Tigers by The Tail and I Expect Blowback:

Like I said before though, blowback has a nasty habit of boomeranging and here we have multiple states to deal with. Sure, not all of them has the ability to strike back at us in kind, but, as you have seen in Bulgaria, the Iranians just decided to go with their usual Hezbollah proxy war of terrorism. Others may do the same, or, they may bide their time and start hiring coders on the internet. Maybe they will hire out of Russia, or China perhaps. Hell, it’s all for sale now in the net right? The problem overall is that since we claimed the Iran attack at Natanz, we now are not only the big boy on the block, we are now the go to to be blamed for anything. Even if we say we didn’t do it, who’s gonna really believe us?

The cyber-genie is out of the cyber-bottle.

Then, this week we saw something new occur. A PSYOP, albeit a bad one, was perpetrated by the Assad regime it seems. Reuters was hacked and stories tweeted/placed on the net about how the rebel forces in Aleppo had cut and run. It was an interesting idea, but, it was ineffective for a number of reasons. The crux though is that Reuters saw it and immediately said it was false. So, no one really believed the stories. However, a more subtle approach at PSYOPS or DISINFO campaigns is likely in the offing for the near future I’d think. Surely we have been doing this for a while against them, whether it be in the news cycles or more subtle sock puppets online in social media sites like Twitter or Facebook. The US has been doing this for a long time and is well practiced. Syria though, not so much.

I have mentioned the other events above, but here are some links to stories for you to read up on it…

  • PSYOPS Operations by the nascent Syrian cyber warfare units on Reuters
  • Hezbollah’s attack in Bulgaria (bus bombing) in response to STUXNET and other machinations
  • Ostensible output of INTEL from Gauss that may have gotten HSBC in trouble and others to come (Terrorism funding and money laundering)

All in all though, I’d have to say that once the players become more sophisticated, we may in fact see some attacks against us that might work. Albeit those attacks will not be the “Cyber Pearl Harbor” that Dr. Cyberlove would like you to be afraid of. Politically too, there will be blowback from the Middle East now. I am sure that even after Wikileaks cables dump, the governments of the Med thought at least they could foresee what the US was up to and have a modicum of statecraft occur. Now though, I think we have pissed in the pool a bit too much and only have ourselves to blame with the shit hits the fan and we don’t have that many friends any more to rely on.

It’s a delicate balance.. #shutupeugene

Pandora’s Box Has Been Opened:

In the end, we have opened Pandora’s box and there is no way to get that which has escaped back into it. We have given the weapon framework away due to the nature of the carrier. Even if Gauss is encrypted, it will be broken and then what? Unlike traditional weapons that destroy themselves, the malware we have sent can be easily reverse engineered. It will give ideas to those wishing to create better versions and they will be turned on us in targeted and wide fashions to wreak as much digital havoc as possible. Unfortunately, you and I my friends are the collateral damage here, as we all depend on the systems that these types of malware insert themselves into and manipulate.

It is certainly evident as I stated above, our government here in the US is unable to come up with reasonable means to protect our systems. Systems that they do not own, Hell, the internet itself is not a government run or owned entity either, and yet they want to have an executive ability to shut it down? This alone shows you the problem of their thinking processes. They then decide to open the box and release the malware genie anyway… It’s all kind of scary when you think about it. If this is hard to concieve, lets put it in terms of biological weapons.. Weapons systems that have been banned since Nixon was in office.

The allusion should be quite easy to understand. Especially since malware was originally termed “Virus” There is a direct analogy there. Anyway, here’s the crux of it all. Just like bioweapons, digital “bioware” for lack of a better term, also cannot be controlled once let into the environment. Things mutate, whether at the hand of people or systems, things will not be contained within the intended victims. They will escape (as did all the malware we have seen) and will tend to have unforeseen consequences. God forbid we start really working on polymorphics again huh? If the circumstances are right, then, we could have a problem.

Will we eventually have to have another treaty ban on malware of this kind?

Time will tell.. Until then, we all will just be along for the cyberwar ride I guess. We seem to be steadily marching toward the “cyberwar” everyone is talking about… determined really to prosecute it… But will it get us anywhere?


PLC Controlers, Stuxnet, and Kinetic Attacks: Blackhat 2011

with one comment

Since the advent of Stuxnet, the problem of SCADA (PLC) systems and their control vulnerabilities has become the focus of the world. In that this seems to be the new flavor of the day because someone (A nation state actor) decided to use those known vulnerabilities (at least 10 years worth of them) to exploit the Siemens systems at Natanz and Bushehr nuclear facilities in Iran we now have a new form of terrorist attack as Cofer Black pointed out in the keynote to Blackhat.

Dillon Beresford presented a talk on the Siemens 7 system vulnerabilities at Blackhat yesterday and did a great engineering job on the Siemens PLC system 7 attacks. However, in being so close to the subject, at least in the presentation, he seemed ill equipped to understand some of the ramifications of the exploit that was used against Iran and the amount of work that had to go into it to pull it off.

I say this because of the offhand comment that a single actor (hacker in a basement) could in fact have come up with the exploit code and he is technically right. He has singly come up with more exploit code and plugins to Metasploit to prove it, but, the attack on Iran was more complex than just exploit code for a Siemens 7 PLC. This too seemed to elude him in the statement that he did no understand the reasoning for the pivot point of the Windows machines that were infected with the worm that injected the code into the system 7.

The reasons for the attack vector pivot point is simply this;

The actors who created this exploit(s) wanted to be able to infect non connected systems at key hardened facilities that they did not have access to. Facilities that may have had regular network connections that might allow access to the worm and thus infect not only one site but many and not just the PLC systems themselves. This attack was multi purpose and needed to be persistent for a long time in order to carry out its mission goal.

And the goals seem pretty evident now:

Have the centrifuges eat themselves

Have the product from the centrifuges be compromised and thus put Iran’s nuclear program even further back.

The fact is, that the exploit code for the PLC’s was small in comparison to the amount of work and 0day that went into the worm itself. This is a key feature of the attack and something that Beresford seemed to miss. The worm was indeed the delivery system and it was likely carried into the Bushehr facility by a contractor (my thought is Russian as they were working on the Iranian program and had access) on a USB stick. Once inside, the malware had the ability to detect, spread, and inject the exploit code specific to the Siemens PLC systems at those facilities.

This brings me to a second point on all of this. The intelligence needed to know exactly what systems the Iranians had was something only a nation state actor could really have the resources to gather. This was in fact a nation state attack from all the signs of it. That it used exploits for SCADA systems that were known to be vulnerable for some time is the only twist. However, that twist had been used in the past and as long ago as the Reagan era.

An attack on a Russian pipeline was eventually disclosed by the CIA as a worm that attacked the systems of the pipeline (i.e. the PLC’s controlling the pressure of the gas) and caused a 3 kiloton explosion. This worm was likely created by the CIA and used to help dismantle the USSR.. Well at least cause some heavy damage to a pipeline that was in contention at the very least. So, this type of attack is NOT NEW. It was a quietly known vector of attack as far back (publically) as 2004 when it was revealed to the public at large, but much longer known about in intelligence circles.

The short and long, the exploits may be new in some cases, but, the type of attack is not at all.

The real difference today though is that we have the hacker community out there able to get their hands on code easily and even perhaps the PLC systems themselves to create even more exploits. Add to this that many SCADA systems have been connected to the Internet (as they should NEVER BE) ripe for attack and we have a big problem. However, the proof of concept now is out there, the exploit code is available and all it will take is an aggressor tenacious enough to write the malware to have another Stuxnet type attack on less hardened systems. An attack that could bring down the grid, cause the poop factory to explode and leak into our drinking water, or, like in Russia, have our pipelines explode in 3 kiloton explosions.

This Dillon is the key point and I know you get that. So, lets extrapolate further, how about in future conferences we have more of what Dillon did. He went to Siemens and gave them the exploit code and showed them the problems. They, unlike many companies, are taking up the challenge and not trying to hide the problems but instead are actively working on them to re-mediate. The next step is to go to EVERY PLC maker (wink wink Big O and the Administration.. Oh DHS maybe?) and bitch slap them into doing something about the problems? As Dillon pointed out, these systems are pretty open and inter-operable, so the code is likely to be just as bad everywhere.

If we don’t.. We are likley to wake up one day to a big explosion and it may just be an accident.. Or, it could be another targeted attack like Stuxnet.


PS.. One small thing Dillon.. Please, attend Toastmasters. I think it would help you greatly. You speak too softly and did not enunciate.

Lulz, Jester, and Counterintelligence On The Internet

with 8 comments


I once wrote a blog post about ‘escalation’ and it seems that my fears are coming true as the Lulz Boat keeps making waves across the Internet. Between Lulzsec, Jester, Anonymous, and now God knows who else, we are seeing a re-birth of the 90’s anarchy hacking. However, since so much has changed network wise since the 90’s its been amplified a thousand fold. What has spun out of all the hacking (hactivism, vigilantism, whatever you want to call it) is that we are seeing just how a counter-intelligence operation is carried out. Th3j35t3r and his friends at Web-Ninjas’s are carrying out this counter-intelligence program and posting their findings on Lulzsecexposed as well as on th3j35t3rs own site on word-press.

To date, their efforts have not seemed to have either slowed Lulzsec’s antics, nor generated any federal arrests of anyone involved. However, I think it important to note the methods being used here to attempt to put faces to names in the lulz crew.

The LulzSec Problem:

The problem with trying to track lulzsec members is primarily the technologies that they are using prevent getting a real idea of where and who they are. By using VPN technologies, proxies, and compromised systems in the wild, they have been able to keep their true identities from being exposed in a more meaningful way other than screen names. Due to the problems of digital attribution, the governments of the world cannot quite get their hands around who these people are nor, would they be able to prove such in a court of law at the present time without solid digital forensics on the end users machines.

In the case of Lulzsec and Anonymous, they are not using just one system but many types of systems to protect their anonymity. Thus, with the right tools and obfuscation, they feel impervious to attack from anyone, be they government, law enforcement, or the likes of Th3j35t3r. Tactically, they have the advantage in many ways and it would take one of two types of attacks, if not both simultaneously, to take the Lulzsec and Anonymous core group down. The attacks I mention are these:

1) A direct attack on their IRC servers that host the secret C&C channels

2) Insertion of ‘agent provocateurs’ into the C&C of Lulzsec and Anonymous (as recently alluded to with the FBI stat that one in 4 hackers are CI’s recently)

I actually would suggest that both avenues of attack would have the best effect along with a healthy program of disinformation and PSYOPS to keep the adversary unbalanced and malleable. Which leads me to my next section.. The methods of attack.


An overall category, Counter-Intelligence ranges all of the afore-mentioned types of attacks. In the case of Lulzsec, anyone could be a member within the community that encompasses info-sec or anonymous. Hell, Jester could actually know some of these people in real life just as well as you the reader might and never know it if the member never talks about it. I imagine it’s kind of like Fight Club;

The first rule of Fight Club is, you do not talk about Fight Club. #2 – The second rule of Fight Club is, you DO NOT talk about Fight Club. 

If anyone talks, they could end up in some serious shit and in this case, disappeared pretty quickly if the governments in question get their hands on them. This is especially true now that they have hit the FBI and CIA with their attacks and derision… But I digress. The key here is that because no one knows who is who or is talking about it, it is very analogous to the idea of a mole hunt or counter intelligence operations that seek to locate spies within the community (such as within the CIA) There are whole divisions in the CIA and FBI as well as other places that are solely devoted to this type of war of attrition.

I believe that it is a counter-intelligence operation that will win the day though in the battle against Lulzsec or any other like minded adversary. Winning that battle will take the following types of sub operations as well.

PSYOPS & Disinformation:

PSYOPS and Disinformation work together to unbalance the adversary as well as spin the masses toward compliance or action. In the case of LulzSec, this type of activity is already ongoing with their own ‘Manifesto‘ and other publicity that they have put out. They want to spin opinion and generate adoration as well as fear, both of these are in evidence within the media cycle and the public’s perception of who and what they are. Where I am seeing both types of activity on Lulzsec’s part, I can also see within the actions of jester and the Web Ninja’s as well.

On the part of LulzSec, the following psychological operations and disinformation campaigns can be seen:

  • For each alleged ‘outing’ of a member, they make claims that these are not core members of their group (note, they do not make claim to the anonymous model of headless operations) such outed persons who can be connected to them are merely underlings in open IRC channels
  • Affecting accents and 4chan speak to attempt to hide their real patterns of writing and mannerisms
  • A claim to having battles with 4chan and /b/ as well as Anonymous while they seem much more aligned to them (distancing)
  • The use of agent provocateurs against Jester within his own coterie of followers and open IRC channel
  • The use of flash mobs (abuse) within Jester’s open IRC channel
  • Leveraging the fact that they are anonymous (in concept) and due to the technology today, virtually untouchable

On the part of Jester we have the following operational tactics used so far:

  • The outing of individuals believed to be core members of the group (no matter if correct, will prompt a reaction from Lulzsec that may be telling)
  • The use of agent provocateurs to place disinformation as well as gather intel on the adversary (Lulzsec) which can be seen in leaked IRC chat transcripts
  • The creation of analogous groups such as the Web Ninja’s to work against LulzSec
  • Leveraging the fact that he is just as anonymous (in concept) as they are and due to the technology today, virtually untouchable

It seems from both sides of the battle, that these types of actions are being used to mislead and gain the edge over the other. In the case of Jester, I am pretty sure that this is an overt thing. While, on the other hand, with Lulzsec, I see it as a reactionary set of measures to attempt to keep themselves from being exposed as to who and where they are. As this continues, I am willing to hazard that even more players are playing a part in this war, quietly, and those would be the government operatives looking for an in to take the Lulz down. Of course, the government has been pretty quiet about Lulzsec haven’t they? One wonders just what they are up to.. If anything at all.

Of course, the NSA may just be the dark horse here… And the Lulz won’t know what hit them.

Then it will be over.

Development of Sources:

One of the more tradecraft oriented things that must be going on is the use of sources or getting assets into positions to be inside the Lulz Boat. I am sure that there are players out there sidling up to the right users on the IRC boards in an attempt to get into the inner circle of LulzSec as well as Anonymous. These assets are likely to be working for the government but I can also see someone like Jester using the same tactic, if not posing himself as the asset. Due to the nature of the problems of tracking these people, this is the best way to get close to the Lulz and to gather raw intelligence on them. After all, even if not fully trusted, an asset can gather important data on the actions of the Lulz and be there when they make a crucial mistake.

The other side of that coin may be people who have been outed and were in fact affiliated with the Lulz. This is where the FBI has a forte in turning hackers into informants by allowing them to work for them instead of just being put in a hole somewhere. It has happened in the past (carders for example) and likely is the case in the Lulz affair. After all, some have been ‘vanned’ already in Anonymous circles and I have yet to hear about any real solid court cases being filed.. So.. One tends to think that there is a bit of cooperation going on with those who have been popped already for being suspected ‘anons’

In the case of the Lulz, we have yet to see or hear of anyone being taken into custody for being afiliated with the Lulz.. But, the day is young especially of late.

Habits Will Be Their Downfall:

Overall, I would say from what I have seen in IRC and in other data located out there on key user names, that human nature and habits will be the downfall of the Lulz. People have habits and these can be leveraged to attack them. No one is perfect and none of these people to my knowledge have been trained to avoid the pitfalls of habit that a trained operative would. Insofar as the Jester seems to have hit the mark in a few cases is telling that people are leaking data. Either the Lulz themselves have been careless (as they harp on password re-use, I harp on user name re-use) or they have indeed  been infiltrated by assets of the enemy, or, have decided to go down another less dangerous path in hopes of not being prosecuted.

Habitual behaviour too is not only action, but mannerisms, thought processes, and enunciation of motives. Just as coders tend to code in specific ways that can be used as ‘digital DNA’ so too can writing patterns, speech, etc even when attempted to be clothed in 4chan speak. As well, the habits of human nature to be trusting will too be their downfall. After all, unless this is a one person operation, there are many links in the chain that could and will be exploited. As people seem to be dropping off of the Lulz Boat (per Jester’s data) they will need new blood to keep the Lulz going, and that means that they will have to recruit, vet, and eventually trust someone…

And that is where the counter-intelligence operation will seal the deal… The phrase “Trust No One” just cannot be a reality in any operation. This is why they sometimes fail, because you trust the wrong person.

Over Reliance On Technology:

In the meantime, the Lulz seem to be relying quite a bit on technologies that are rapidly becoming susceptible to attacks by those who want to capture or stop them. The use of Anonymous proxies like Tor, while effective now, are also compromise-able from a few different perspectives. The technology may be solid, but the pressures legally on those who run them may in fact lead to compromise. Just as any of these avenues of anonymization that are out there could in fact be just honey-pots to capture data. A case in point would be Tor, which was a Navy project to begin with and anyone who has set up an exit node, can in fact sniff the traffic for data that may be helpful in getting a lock on a user.

Additionally, any other means of technology like cloud services that are hosting their data or facilitating anything the Lulz do, could potentially be compromised if the right people are involved *cough NSA cough* that have the latitude to do what they like. Given today’s surprising numbers of laws being passed that erode all of our rights to privacy, I should think that the days are numbered for the Lulz on the technical playground as the boys at Ft. Meade start getting their orders to lock and load.

Never trust so much in technologies that YOU do not run solely yourself.. Remember the government can make any company that MITM attacker and YOU the attacked.

The End:

In the end, I think that the Lulz have pointed out that ‘Elephant with its trunk in out collective coffee” but at what price? Will this change the paradigm and make the government care about security in a more cogent way? No. Instead they will come up with tougher laws and more ways to invade privacy by shortcutting the process. Sure, shit is out there and it is vulnerable, but you know what? It always will be. If it isn’t some very low hanging fruit like SQLi then it will be 0day. There will always be a way in. That is just the nature of things and the Lulz will have shifted paradigm.. Because truly, the Lulz will be on LulzSec, emotionally charged and sorry for their actions… While sitting in jail.


*EDIT* Oh and one more thing to add here as an afterthought. I may remind you all that as the laws are changing and the Patriot Act has been re-signed. The Lulz, having upped the ante, can easily be considered ‘Domestic Terrorists” This would place them in even a more precarious place because then, the legal gloves come off….

One man’s Domestic Terrorist is another man’s “Enemy Combatant”

From Lulz to Global Espionage: The Age of the Cracker

leave a comment »

It seems that 2011 is turning into the year of the cracker. Between Anonymous, Lulzsec, and the ongoing wave of espionage being carried out by nation states, we have begun to see just how serious a threat cacking really is. Of course both of these groups of attacks  have greatly differing motives as well as means. Lulzsec, well, is doing it for the Lulz and the others such as nation states or criminal gangs, are doing it for political, financial, or personal gains. In this post I will cover all three groups and their motives as well as means.


Lulzsec is a splinter group of Anonymous who for all intents and purposes, have decided to carry out raids on any and all sites that they feel need their attention. This could be simply a process of finding the lowest hanging fruit and exploiting it or, there may be some further agenda that they have yet to explain fully. So far though, we have the simple explanation of “They are doing it for the Lulz”

Lulzsec really began their efforts with focusing their full attention on Sony Corp. Sony pissed them off by attempting to prosecute a coder/hacker/reverse engineer named GeoHotz. Geohotz managed to tinker with some Sony code and they went out of their way to try and destroy him. It’d be one thing if he was being malicious, but Geohotz was not.. Instead Sony was. This caused a great backlash in the hacker community against Sony, and though they came to an agreement with Geohotz, Lulzsec decided they needed some attention.

After numerous attacks on Sony that netted Lulzsec much data and showed just how poor Sony was at protecting their client data, Lulzsec decided to take their show on the road so to speak. They began their new campaign with “The Lulz Boat” which set sail for #fail as they say. Soon the Lulz were epic and the target scope began to open up. Lulzsec attacks began to show up on Pirate Bay as well as on pastebin where they would dump the data from their attacks and laugh at the targets poor security.

What once seemed to be revenge has now morphed into a free for all of potential piratical actions for unknown reasons by Lulzsec. Of late, they also seem to be profiting from their actions by donations of bitcoins as well as perhaps other help from the masses who enjoy their antics. It is hard to tell exactly what the agenda seems to be for Lulzsec as it is still evolving…

Meanwhile, their actions have risen the ire of not only the likes of Sony, but now the governments of the world as well as their law enforcement communities. Who knows how long it will be before they are collared or if they will be at all.

Nation State Actors:

The ‘Nation State Actors’ may well be the most sophisticated group here. Many of you likely have heard the term APT, and this group would be the core of the APT. Those nations that have the means to use assets at their disposal to make long term and concerted attacks against their targets. This is the real meaning of APT (Advanced Persistent Threats)

What we have seen in these last few months is either an escalation on their part, or, we are just now catching on to their attacks by actually paying attention to information security. I am not sure which it is really, but, I lean toward there being more attacks as the programs developed by certain countries have solidified and spun up. As you have seen here, I have made much mention of China as being the culprit in many of the attacks recently. I stand by that assessment, but one must not forget other countries like Russia or Israel for APT attacks.

This all of course is just a natural progression from the old school espionage with physical assets in the field to a digital remote attack vector. As we have gotten wired, so has the espionage game. In the case of the wired world, unfortunately, much of the security that would usually surround assets in the old days, are not put into place in the digital. Why is this? It could be a lack of understanding, or, it could also be that the technology has outpaced the security values that they require to protect the data within.

Either way, hacking/cracking has now become a tool of war as well as intelligence gathering. It’s just a fact of life today and unfortunately the vendors and users have not caught up on means to protect the assets properly.

Industrial Espionage:

This is where the APT, Lone crackers, Companies, and Nation States meet. All of these groups use hacking/cracking as a means to an end. In the case of nation states, they are often looking to steal IP from companies. Often times that IP happens to be from defense contractors. This is a dual use type of technology both for war as well as any technology taken could further their own in many other ways.

In today’s world, you have all of these players using attacks to steal data for themselves, or their masters. The recent attacks on Lockheed are just this, APT attacks, likely by China engaged to steal IP on military hardware and technologies to augment their own and compete not only on the battlefield but also economically.

Other attacks are likely un-noticed and carried out by single aggressors or small teams that hire themselves out for this purpose. These are the civilian equivalent of the nation state spies and often can be contracted by nation states or other companies to carry out the work. In fact, this has become a boutique niche for certain individuals and companies in the ‘private intelligence’ arena. For this type of actor, I suggest reading ‘Broker, Trader, Lawyer, Spy’

Criminal Gangs:

This brings me to the criminal gangs. These are most commonly from the Eastern Block (The former Soviet Union) and they too often work tacitly for the government. In the case of Russia, there is a large amount of governmental complicity with the gangs. This is because much of the Russian government is made up of Russian mob types or, are paid handsomely by them for complicity.

Much of the crimeware trojans out there are Russian (Ukraine) made and the money that they steal from their quick hits goes to the East. Just by looking at the news, you can see how many ATM skimming attacks have money mules hired by the Russians and how often the money makes its way there. An interesting convergence here is also the connection between the Chinese in some cases and the Russians working together. There was a spate of Russian run botnets that had Chinese involvement as well as Russian servers/sites showing up in China recently.

With the synergy of the Russian and the Chinese malware makers working together, we will have a level of attacks that will only escalate as they learn from each other and perfect their methods. Meanwhile, they are robbing places blind by stealing PII data to create identities with as well as just transferring large sums of money digitally from banks that lately seem to be getting off for not performing the due diligence of security on behalf of their clients.

When The Players All Meet:

It seems that in the end all of the players meet at the nexus of digital crime. Whether its stealing data for profit, or as an act of patriotism for a nation state, all of the players work within the same digital playground. As the technologies meet, so do the players and it is likely there will be bleeding together of means and opportunity.

In the case of Lulzsec, it has yet to be determined what they really are all about other than the laughs. As they were once a part of Anonymous, one might think they might have a political agenda, but they have said otherwise. However, some of their actions speak to a more political bent than anything else. The recent attack on the senate websites seems to belie at least some politics at play as they stated they didn’t like them very much.

More importantly though, it is the response by the nation states and their law enforcement groups that will be interesting. For groups like Lulzsec, they are now passing from the nuisance category into perceived enemies of the state. Once they start attacking government and military targets with their lulz, then they are likely to see a more hardened response from intelligence agencies as well as the likes of the FBI.

Once the laws and the enforcement agencies catch up with the technology, then we are going to see some interesting times…


The Thousand Grains of Sand In The Electronic Age: China’s Cyber Espionage Capabilities Outstripping Ours

with 13 comments

From Wikipedia

Advanced persistent threat (APT) usually refers to a group, such as a foreign nation state government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of cyber espionage, but applies equally to other threats such as that of traditional espionage or attack.[1] Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.[2]

Advanced Persistent Threats Are Not New: 先进的威胁不是持久性的新功能:

The news cycle has been abuzz again as to how China is capable of beating the pants off of us in the hacking sphere and that we should be worried. I say, this is not news in any way and those of you who read this blog should already know this fact. For those of you who are not so familiar with the DoD space, the knowledge of what has been called APT has been around for quite some time. In fact, the term was coined in 2006 by the Air Force, but the attack structure of how the Chinese and other state actors had been using similar tactics on DoD infrastructure goes back to the 90’s (Moonlight Maze, Titan Rain)

So, hello world outside of the insular DoD and Infosec sphere, They have been around quite a while. In fact, one could make the extension that the Chinese line of thought called “The Thousand Grains of Sand” has been around far longer and has been used as their model of espionage for a very long time. Obviously the connections can also be made to Sun Tzu and his precepts on warfare, which, just happen to involve a fair amount of espionage as the means to winning a war. It is little surprise to anyone who knows the Chinese mind and the teachings of Sun Tzu, that China would apply these same precepts to another battle space (cyberspace) the fifth domain as the US military calls it now.

APT and Buzzword Bingo: APT和Buzzword的宾果:

Since the Aurora operation’s being publicised, the media and the Infosec industry have latched onto the term like a pit-bull on a gravy covered bone. Many companies have leveraged the term without really knowing the true meaning and have created a buzzword bingo game of epic proportions. All of these companies and pundits have over used the terminology, mainly incorrectly to start, and turned it into the boogey man du jour to make sales.

“The APT is out there.. Lurking.. Waiting to get into your networks and steal your data”

While this may be true for some, it is not true for all. Over the years the Chinese have made it their business to steal a lot of data. Some of it you would readily see as important militarily or for industrial espionage. Some of the data though, is more arcane to understand as to the reasons that they would make the efforts that they have to get it. Overall though, one must understand yet again, the Eastern mind (particularly the Chinese) to conclude that they seek many “soft power” means to effect their goals. This is the key fact to understand, so yes, your company that makes the next best widget might in fact be a target of the Chinese TRB (Technical Reconnaissance Bureau)

So, yes, you must be cognisant of the APT in any business that your company carries out online. However, one thing must be accepted by you and your company to judge how you will respond.

“The Advanced Persistent Threat, will in the end, most likely win and compromise your systems. Simply because as state actors, they have the means to do so and you, the tartget, will always have someone willing to click on a link and compromise their systems”

This must be accepted and understood before you even attempt to listen to any vendor who says they can help you with your APT problems. Just as well, one must clearly understand the players here to know the danger. The media has done a very poor job of elucidating for the general populace the meaning of APT and the subtleties of how the threats manifest and their greater meanings to us all. There is far more at stake here than just your data being exfiltrated to China and many more vectors of attack than your local desktop.

The Fall Of The Bear & The Rise of the Dragon: 作者:熊暨龙升降:

Since the Soviet Union’s demise in the 90’s the Chinese have seen their chance to become the pre-eminent power in the world that once was the USSR. Though Russia has rebounded, they still lack the critical mass that they once had as a super power. China though, with its billion people, and “Tiger Mother” nature, has swiftly garnered the hard and soft powers that it sees as necessary to being “the” superpower.

Where the USSR used to take more of a hard power stance with their military might, and a second seat KGB soft power espionage plan, the Chinese went the other way and saw the soft power attack as the way to go, even with a billion people as potential military recruits. Gone were the days of Mao and the hard power of the Chinese military, instead, the Chinese would lull the West into somnambulance and stealthily acquire superpower status. A status that they are closer and closer to each day.

China now owns much of our debt here in the US. They have made business “alliances” that have allowed access to not only money, but also to control over supply chains as well as proprietary data. Data that they have obtained through many means, including the APT model that everyone is all worked up about now. In short, they have made multiple pronged attacks against other countries with subtlety with a means to an end of gaining control over other nation states that will not require military means to defeat them.

Sun Tzu would be pleased at their understanding of “The Art of War

“For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.”

It is this that the general populace and many within the Infosec community seem to not understand. There is much more at work here than some industrial espionage on the likes of Pratt & Whitney for JSF engine data. The Chinese have far more subtle plans that include many other areas than just the Information Warfare (IW) of stealing plans for jets.

The Thousand Grains of Sand: 沙千粮谷类:

The Advanced Persistent Threat of China has been around for quite a long time. Before there was the Internet and the ease of just FTP’ing RAR files to Hong Kong, there was the “Thousand Grains of Sand” approach to espionage. The metaphor here is that China believes that each grain of sand is important as well as it is nearly impossible to tell one grain from the other in a macro-verse. China would approach spying, whether it be industrial or other, by not only sending people here directly as spies, but also to call upon those who still had family in China to become agents. They would either be rewarded, praised, or threatened not so subtly by the state to effect their complicity.

Espionage has three motivations as the saying goes for those who become spies;

  • Greed
  • Altruism
  • Ego

I would add a fourth, “fear” in the case of China’s apparatus. Of course many other countries have used the honeytrap (aka swallows in China) to turn someone into a spy for them, but in China, the use of relatives has been prevalent too. By using all of these means though, the Chinese would insert their spies anywhere and everywhere, and they would be hard to find because they often were only taking small parts of the bigger picture and giving them to their handlers.

This too also became the modus operandi for the Advanced Persistent Threat that is the digital companion to old school espionage. By attacking many different systems and rooting them, they would have multiple launch points to exfiltrate data and keep a command and control over the compromised networks that they had worked hard at gaining entry to. One might even say that they are recruiting the employees of each and every target as unwilling spies by targeting them with spear-phishing attacks that keep their access ongoing.

It is by this method, that thousand grains of sand, they are able to parse the data into smaller RAR files with multiple access nodes and move the data out to their drop sites.

That is a thousand grains of sand that SIEM or IDS just can’t catch.

Threat Vectors: 威胁向量:

This brings me to the threat vectors that we all should consider where China is concerned:

  • Economic Targets
  • Military Targets
  • Infrastructure Targets
  • Supply Chain Targets
  • Media Targets
  • Industrial Base Targets
  • The Patent Process and Bureau
  • The Financial Systems (Stock Exchanges and Banking systems)
  • Political Targets

All of these entities are targets for not only cyber attacks but also soft power attacks (business alliances and deals, monetary controls etc) Any influence that serves the ends of the Chinese will be used to their ends. This truly is subtle in many ways and has been overlooked for a long time by the US and the populace in general. It just seems like we don’t think along these lines. Perhaps it is an Eastern mindset, perhaps it’s the fact that generally, we in the west just don’t understand the game of ‘Go’

Putting this into the perspective of the information security and hacking community, this means that all of the companies out there who are not doing the due diligence on security are more than likely easy pickings for not only the average cracker from Ukraine, but also the Chinese, who may in fact be using the companies systems to steal their data or, to use as a drop point for others data being stolen. It is a fundamental lack of understanding of the complexities of network and information security that generally, in the US, seems to be a malaise, and we are only now catching on to.

In the case of the Chinese, they have worked very hard at developing the skill sets and assets to leverage this lack of comprehension on our part and overtake and continue to infest systems here that they wish to exploit.

The Cyber War: 该网络战争:

Another fact that seems to be missing from the news cycle is that the APT/TGOF (Thousand Grains of Sand) approach that the Chinese have been using not only covers theft of data, but alternatively just having access to systems that they could use as a precursor to war or during an event. Such networks within the DoD (NIPRNET/SIPRNET) could be very useful in delaying supply chains from functioning well and or, inserting false data into them as a ruse or IW/PSYOP device to hobble the US military.

For that matter, the use this type of attack against any critical infrastructure would be a boon to deter if not outright stop the US from action against China should something erupt say, in Taiwan. By shutting down sections of the US power grid or other major areas of infrastructure, the Chinese or any other state actor, would have great leverage to give the US pause. If anything, the arrival of Stuxnet and the aftermath should at least give us something to think about as possibilities go. Some may say its inconceivable that such an attack could work or happen. Others though, would say that it is not so far fetched, especially given the machinations that China has shown to be attempting not only through network attacks, but also soft power attacks in political and economic vectors.

I will leave this topic with this question;

“How much of our technology today is made in China?”

All of this need not be involving anything near a war scenario either, they may just use these attacks to subtly manipulate the affected countries into actions that they desire. Soft power also means the ability to manipulate your target without really unhinging them. All of these attacks, whether they be full on or subtle will serve to affect the outcome of any military engagement without ever having to fire a shot. A well planned and executed plan could in fact win the war before it even begins. Of course on the other hand, these attacks could just be used as a first stage to a series of kinetic attacks by the agressor (i.e. cyber attacks in tandem with physical IED’s at critical sites for maximum effect and destruction)

Any way you look at it, unless we get our collective act together here in the ever increasingly networked world we live in, we will be at a great disadvantage, especially against such an aggressor as China.

Meet The Players: 满足玩家:

To bring this article full circle, I will now give you the known and suspected state actors that may have been running operations such as Aurora. The Chinese were ahead of the game in connecting not only with the People’s Liberation Army, but also the nascent hacker communities in their country. Using a combination of leveraging companies like Huawei to tap into their technical staff and the patriotism on the part of the PLA and the hacker communities, China has forged a solid directorate for electronic warfare and espionage.

The Chinese Military (PLA) —–> Leverage many corporations that the military actually has majority stock in to gain access to technology and assets

The Chinese Hacker Community —-> Sell and work for the PLA creating 0day and performing hacks for money as well as patriotism

Chinese Corporations —-> Often used as cutouts to gain access economically and intelligence wise to assets in other countries

Often, the corporations, which are many times, sponsored or majority owned by the PLA are the training grounds and the operative section for soft power operations for China. By using financial deals and alliances, China often attempts to gain the upper hand by having assets connections inside of companies that they wish to affect or to steal from. No longer is it needed to install spies within when the company is partially owned or has access granted because they are working “together”

It is the Chinese hacking community that is of most interest to many in my field however. Many of these people are still in universities and are often times motivated by their nationalistic tendencies ostensibly. Some of these groups have become actual companies producing security software or offering security services. Of course they are still likely to be assets for the PLA and probably the tip of the spear operators for China in operations. The reason for this simply would be that they are expendable in the sense of hacking as a nation state would cause international issues. Hacking as a hacking group though could be seen as their own initiative and they could be burned without losing face.

Within this amalgam of groups we then see the attack “teams” who crack the systems, then other teams perform recon, and still others, keep the access open and retrieve data. All in all, they have a slick operation and we would be wise to pay attention to how they operate.

I’m Afraid Our Lunch Has Already Been Eaten: 我怕我们的午餐已经被吃掉了:

So it is that I end here with the title above.  I think that we have become too lax in our stint as a superpower and frankly have dropped the ball. Our companies are unmotivated to do the right thing where security is concerned. Our government is clueless on how to deal with the technologies and overly ossified in it’s operations to even cut a budget for the country without nearly closing down. America has to collectively come to the conclusion that not only does China own much of our debt, but they have outplayed us continually in the game of soft power.

All too much of our infrastructure is unprotected while much too much of our manufacturing and R&D has gone out of the country.

In short, our lunch is being eaten and the Chinese also want our milk money. Unless we rectify things our time as a superpower are numbered.. In single digits. Meanwhile, the vendors out there and the media keep on spinning half tales and misinforming the public. We are on a verge here.. And it’s time to get our act together.


Reading Materials: 阅读材料:

Coolswallow: Hacker thought to be behind Aurora

The Green Army Chinese hacking group known to operate for the state Chinese hacking collective hacking collective and alleged security company aligned with PLA Chinese hacking group and security software maker aligned with PLA

NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved Report_16Oct2009 (1)

The National Security Implications of Investments and Products from The PRC in the Telecommunications Sector

SPOOK COUNTRY 2011: HBGary, Palantir, and the CIRC

with 5 comments


The establishment of a Corporate Information

Reconnaissance Cell (CIRC) will provide Hunton &

Williams LLP with a full spectrum capability set to

collect, analyze, and affect adversarial entities and

networks of interest.

From: Team Themis pdf

CIRC: The New Private Intelligence Wing of (insert company name here)

The HBGary debacle is widening and the players are beginning to jump ship each day. The HBGary mother company is disavowing Aaron Barr and HBGary Federal today via twitter and press releases. However, if you look at the email spool that was leaked, you can see that they could have put a stop to Aaron’s game but failed to put the hammer down. I personally think that they all saw the risk, but they also saw the dollar signs, which in the end won the day.

What Aaron and HBGary/Palantir/Berico were offering was a new kind of intelligence gathering unit or “cell” as they called it in the pdf they shopped to Hunton & Williams LLP. Now, the idea and practice of private intelligence gathering has been around for a very long time, however, the stakes are changing today in the digital world. In the case of Hunton, they were looking for help at the behest of the likes of Bank of America to fight off Wikileaks… And when I say fight them off, it would seem more in the sense of an anything goes just short of “wet works” operations by what I see in the spool which is quite telling.

You see, Wikileaks has made claims that they have a certain 5 gig of data that belonged to a CEO of a bank. Suddenly BofA is all set to have Hunton work with the likes of Aaron Barr on a black project to combat Wikileaks. I guess the cat is out of the bag then isn’t it on just who’s data that is on that alleged hard drive huh? It would seem that someone lost an unencrypted drive or, someone inside the company had had enough and leaked the data to Wikileaks. Will we ever really know I wonder?

Either way, Barr et al, were ready to offer a new offering to Hunton and BofA, an intelligence red cell that could use the best of new technologies against Anonymous and Wikileaks. Now, the document says nothing about Anonymous nor Wikileaks, but the email spool does. This was the intent of the pitch and it was the desire of Hunton and BofA to make both Anonymous and Wikileaks go away, for surely if Wikileaks were attacked Anonymous would be the de facto response would they not?

A long time ago William Gibson predicted this kind of war of attrition online. His dystopian world included private intelligence firms as well as lone hackers out there “DataCowboy’s” running the gamut of corporate intelligence operations to outright theft of Pharma-Kombinat data. It seems that his prescient writings are coming into shape today as a reality in a way. With the advent of what Barr and company wanted to offer, they would be that new “cowboy” or digital Yakuza that would rid clients of pesky digital and real world problems through online investigation and manipulation.

In short, Hunton would have their very own C4I cell within their corporate walls to set against any problem they saw fit. Not only this, but had this sale been a go, then perhaps this would be a standard offering to every other company who could afford it. Can you imagine the bulk of corporations out tehre having their own internal intelligence and dirty tricks wings? Nixon, EH Hunt, and Liddy would all be proud. Though, Nixon and the plumbers would have LOVED to have the technology that Aaron has today, had they had it, they may in fact have been able to pull off that little black bag job on Democratic HQ without ever having to have stepped inside the Watergate

The Technology:

I previously wrote about the technology and methods that Aaron wanted to use/develop and what he was attempting to use on Anonymous as a group as the test case. The technology is based on frequency analysis, link connections, social networking, and a bit of manual investigation. However, it seemed to Aaron, that the bulk of the work would be on the technology side linking people together without really doing the grunt work. The grunt work would be actually conducting analysis of connections and the people who have made them. Their reasons for connections being really left out of the picture as well as the chance that many people within the mass lemming hoards of Anonymous are just click happy clueless folks.

Nor did Aaron take into account the use of the same technologies out there to obfuscate identities and connections by those people who are capable, to completely elude his system altogether. These core people that he was looking to connect together as Anonymous, if indeed he is right, are tech savvy and certainly would take precautions. So, how is it that he thinks he will be able to use macroverse data to define a micro-verse problem? I am steadily coming to the conclusion that perhaps he was not looking to use that data to winnow it down to a few. Instead, through the emails, I believe he was just going to aggregate data from the clueless LOIC users and leverage that by giving the Feds easy pickings to investigate, arrest, and hopefully put the pressure on the core of Anonymous.

There was talk in the emails of using pressure points on people like the financial supporters of Wikileaks. This backs up the statement above because if people are using digital means to support Wikileaks or Anonymous they leave an easy enough trail to follow and aggregate. Those who are friending Facebook support pages for either entity and use real or pseudo real information consistently, you can easily track them. Eventually, you will get their real identities by sifting the data over time using a tool like Palantir, or for that matter Maltego.

The ANONYMOUS names file

This however, does not work on those who are net and security savvy.. AKA hackers. Aaron was too quick to make assumptions that the core of Anonymous weren’t indeed smart enough to cover their tracks and he paid the price as we have seen.

The upshot here and extending what I have said before.. A fool with a tool.. Is still a fool.

What is coming out though more each day, is that not only was Aaron and HBGary Fed offering Palantir, but they were also offering the potential for 0day technologies as a means to gather intelligence from those targets as well as use against them in various ways. This is one of the scarier things to come out of the emails. Here we have a company that is creating 0day for use by intelligence and government that is now potentially offering it to private corporations.

Truly, it’s black Ice… Hell, I wouldn’t be surprised if one of their 0day offerings wasn’t already called that.

The INFOSEC Community, HBGary, and Spook Country:

Since my last post was put on Infosecisland, I had some heated comments from folks who, like those commenting on the Ligattleaks events, have begun moralizing about right and wrong. Their perception is that this whole HBGary is an Infosec community issue, and in reality it isn’t. The Infosec community is just what the shortened name means, (information security) You all in the community are there to protect the data of the client. When you cross the line into intelligence gathering you go from a farily clear black and white, to a world of grays.

HBGary crossed into the gray areas long ago when they started the Fed practice and began working with the likes of the NSA/DOD/CIA etc. What the infosec community has to learn is that now the true nature of cyberwar is not just shutting down the grid and trying to destroy a country, but it also is the “Thousand Grains of Sand” approach to not only spying, but warfare in general. Information is the currency today as it ever was, it just so happens now that it is easier to get that information digitally by hacking into something as opposed to hiring a spy.

So, all of you CISSP’s out there fighting the good fight to make your company actually have policies and procedures, well, you also have to contend with the idea that you are now at war. It’s no longer just about the kiddies taking credit cards. It’s now about the Yakuza, the Russian Mob, and governments looking to steal your data or your access. Welcome to the new world of “spook country”

There is no black and white. There is only gray now.

The Morals:

And so it was, that I was getting lambasted on infosecisland for commenting that I could not really blame Anonymous for their actions completely against HBGary/Aaron. Know what? I still can’t really blame them. As an entity, Anonymous has fought the good fight on many occasions and increasingly they have been a part of the mix where the domino’s are finally falling all over the Middle East presently. Certain factions of the hacker community as well have been assisting when the comms in these countries have been stifled by the local repressive governments and dictators in an effort to control what the outside world see’s as well as its own people inside.

It is my belief that Anonymous does have its bad elements, but, given what I know and what I have seen, so does every group or government. Take a look at our own countries past with regard to the Middle East and the CIA’s machinations there. Instead of fighting for a truly democratic ideal, they have instead sided with the strong man in hopes of someday making that transition to a free society, but in the meantime, we have a malleable player in the region, like Mubarak.

So far, I don’t see Anonymous doing this. So, in my world of gray, until such time as Anonymous does something so unconscionable that it requires their destruction, I say let it ride. For those of your out there saying they are doing it for the power and their own ends, I point you in the direction of our government and say this; “Pot —> Kettle —> Black” Everyone does everything whether it be a single person or a government body out of a desired outcome for themselves. Its a simple fact.


We truly live in interesting times as the Chinese would curse us with. Today the technology and the creative ways to use it are outstripping the governments in ability to keep things secret. In the case of Anonymous and HBGary, we have seen just how far the company was willing to go to subvert the laws to effect the ends of their clients. The same can be said about the machinations of the government and the military in their ends. However, one has to look at those ends and the means to get them and judge just was it out of bounds. In the case of the Barr incident, we are seeing that true intelligence techniques of disinformation, psyops, and dirty tricks were on the table for a private company to use against private citizens throughout the globe.

The truth is that this has always been an offering… Just this time the technologies are different and more prevalent.

If you are online, and you do not take precautions to insure your privacy, then you lose. This is even more true today in the US as we see more and more bills and laws allowing the government and police to audit everything you do without the benefit of warrants and or by use of National Security Letters.

The only privacy you truly have, is that which you make for yourself. Keep your wits about you.


#Stuxnet, Lying Liars Neener Neener Neener!

with 4 comments

I cruised some of the .ir range yesterday and came up with a non DNS site for the Iranian Nuclear program (and much much more.. but that is for another time and another post) The above picture is a capture from a post from one of those sites back in July. The translation is as follows:

Here’s the translation by an Iranian coworker: The Stuxnet attacks are still happening and the virus is getting updated continuously. It also says they are monitoring the attacks and try to control it. They were expecting to clean the virus in 1-2 month but the virus has a dynamic nature and since start of cleaning process 3 new version of virus is published. They are also organizing some groups that help industrial centers to clean the virus. Also a helpdesk center has been setup that provide further information about cleaning etc..

So it seems that they were hit pretty hard.. But you won’t hear that from them.. Unless you start to crawl their shit. Seriously, the sites out there are on average running on IIS6 and poorly constructed. It’s a wonder they have any capacity at all to fight off the least of the malware out on the Internet today!

Meanwhile… Back at the Security Ranch….

The FUD, Snark, and Stupid factors have amped up on the whole Stuxnet thing out there on the intertubes. Look folks, its happened before! There is nothing about this that is revolutionary! Might I cite a little story about a Russian Pipeline back in the 80’s?

Disguised as an automated system test, the software instructed a series of valves, turbines, and pumps to increase the pipeline’s pressure far beyond its capacity, putting considerable strain on the line’s many joints and welds over a period of time. One day [in 1982], somewhere in the cold loneliness of Siberia, the overexerted pipeline finally succumbed to the pressure.

As satellites for the North American Aerospace Defense Command (NORAD) watched from orbit, a massive explosion rocked the Siberian wilderness. The fireball had an estimated destructive power of three kilotons, or about 1/4 the strength of the Hiroshima bomb.

It would be fourteen years before the real cause of the event would be revealed. When investigators in the USSR eventually discovered that the event had been triggered by sabotaged software, the KGB leadership were furious, but unable to lodge any official protest regarding the deliberate defect since that would also expose their own large-scale espionage efforts.

Upon realizing that the CIA was serving imitation intelligence, the other recent problems with US-derived designs were no longer so mysterious. Given the dramatic results of the pipeline bug, all of the burgled Western technology was immediately cast under suspicion, a situation which mired the Soviet’s borrowed progress in a pit of uncertainty and suspicion.

I remember this story from back in the day… Well, the 90’s as someone told me about it being an actual attack on a system with code by the CIA. Yep, I believe they even made it a subplot in a Bond film during the Brosnan years too.. So, Stuxnet was likely an attack on someone’s directed systems. Iran denied having Siemens systems and in fact Siemens said they did not sell equipment to them! However, a shipment out of Dubai was captured and in it was Siemens equipment that was confiscated.. So..

Hmmm We ALL knew they had the equipment to code to. Just as this document shows their connection to Siemens as wanting or actually doing business with them.


Ok security community, time to get off the #Stuxnet FUD thing.. Here are the salient points and lets move on shall we?

  1. It was coded for a specific purpose for SCADA actions with Siemens PLC code
  2. Iran, India, Indonesia.. Well lets say “Asia” seems to have been affected the most
  3. We will NEVER know who made it.. Until it is declassified WAY WAY WAY in the future
  4. Iran’s nuclear facilities including Natanz are likely in paralysis still with it.
  5. All this one upsmanship on decoding and analysis is BS.. Finish the job before you go announcing shit at conferences
  6. Myrtus = Phallus in the eye.. In Jewish mysticism, the myrtle represents the phallic, masculine force at work in the universe. The end product here? Someone gave Iran an “Angry Pirate” with a circumcised penis!
  7. 19790509 = ANYTHING YOU WANT IT TO! It’s all subjective folks and just like Myrtus, likely a red herring!

Seriously, do you think that Israel is gonna put that much data into a code for the Iranians to latch onto substantiating that they did it? Ugh… Might as well paint a bullseye on their backs and pin a sign on that says “kick me”

To conclude, this is nothing new… It’s information warfare, only the means have changed with networked pc’s and new operating systems with 0days.

Give it up…


Written by Krypt3ia

2010/10/01 at 13:28