Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Zen’ Category

ウェブ忍者が失敗する : Dox-ing, Disinformation, and The Fifth Battlespace

leave a comment »

Digital Ninja Fail: ウェブ忍者が失敗する

The recent arrests of alleged key members of LulzSec and Anonymous have been called into question by the ‘Web Ninja’s‘, a group of would be hackers who have been ‘DOX-ing” the anonymous hierarchy for some time now. Yesterday, they posted the following on their page concerning the arrest of a man from the Shetland Islands who is purported to be ‘Topiary‘ by the Met and SOCA.

Now, this is a bold statement for anyone who really knows what they are doing in the intelligence analysis field. So, it is my supposition that these guys have no clue about what they are doing by making bold assertions like this. The data they have is tenuous at best and by making such bold statements, I have to wonder if indeed the so called ‘Ninja’s” themselves might not be a tool of anonymous to in fact sow that disinformation.

Here are the facts as I see them;

  • To date, the federal authorities have not questioned anyone who was DOX’d by the Ninja’s that I am aware of
  • The individuals who were DOX’d that were investigated by the authorities were in fact outed by LulzSec/Anonymous themselves
  • Adrian Chen has spoken to the person that the Ninja’s have fingered and claims that he (said person) went to the authorities himself. So far he is still not a suspect.

So, taking into account these facts, I would have to say that the Ninja’s have failed in their stated mission so far and I would suffice to say that if they are indeed a part of a disinformation campaign, then that too has failed. After all, the police seem to be ignoring the data put on the interent by the likes of the Ninja’s in favour of other tried and true tactics. The primary tactic as I see it, is grab one individual and then get them to roll over on their compatriots in the face of massive jail time.

This pretty much works all the time as we, as human beings, are most willing to sacrifice others for the self. In the case of the likes of LulzSec skiddies, I would have to say that the ages of the players, and their generational tendencies will allow them to cut deals pretty quickly. It’s my assessment that they are in it for the self gratification and lulz, not for the altruism that the LulzSec and Anonymous press releases have been trying to have one believe. My assumption is that if indeed the 19 year old guy they popped in Scotland is involved with LulzSec, and is in fact Topiary, he will roll over soon enough.

I also believe that these are all untrained operatives and they have made and will make more mistakes. I am pretty sure that the alleged “leaderless” group has leaders AND that unlike a true guerrilla warfare cell, will know the other players personal details. Essentially, they have had no compartmentalisation and they will all fall eventually though interrogation and deal making. As I said before, the insider threat to the organisation is key here, and it was this idea I think the Ninja’s had.. Well, at least that was the original idea of the Ninja Warrior. They were spies who infiltrated the ranks and destroyed from within.

So far with these guys.. Not so much.

Welcome To Spook World: Disinformation Campaigns and Intelligence Analysis

Now, on the whole disinformation thing, I know that the Lulz and Anonymous have said that they are using disinformation as well to try and create a smoke screen. Frankly, all of the intelligence out there that is open source is suspect. Maltego map’s of end user names as I have shown in the past can be useful in gathering intelligence… Sometimes. For the most part, if a user keeps using a screen name in many places and ties that name to real data, then they can be tracked, but, it takes a lot of analysis and data gathering to do it. Though, many of the foot soldiers within the Anon movement are young and foolish enough to just keep using the same screen names for everything so there is a higher likelihood that the data being pulled up on Maltego and with Google searches is solid enough to make some justified conclusions.

With the more experienced people though, there has been some forethought and they have protected their identities as best they could. What became their real downfall was that they could not rise above petty infighting and dox-ing each other. Thus you have the start of the potential domino effect on the core group as well as anyone who has any peripheral affiliation with the Lulz. Be assured, those who have been pinched are giving up as many names as possible as well as whatever is on their hard drives, Anon hacker manuals or not. All of these scenarios lead to the conclusion of more arrests by the authorities and even more skiddies getting into legal trouble around the globe. Meanwhile though, if the core group has been smart, then perhaps the leaders will skate for a time, using the masses as canon fodder.

Gee kids.. Did you know that you were all expendable?

On another tac, I would like to speak about the potential of the disinformation campaigns being perpetrated by the authorities as well. Consider that the trained professionals out there who are hunting these characters (Topiary, Sabu, et al.) are also adept at using not only the technologies of the fifth battlespace, but also the training afforded them in ‘spook world’ This means disinformation campaigns, mole hunts, and insurgencies of their own, getting to the inner core of Anonymous and Lulz. Now, that there were six (alleged) lulzer’s it would be more difficult to do, especially if those LulzSec folks really do know one another (as they claim they do not, which, I just don’t buy.. Remember the compartmentalisation issue) The agent provocateur’s are out there I am sure and with each rung of the ladder, they get closer to the core group.

That is unless the core group falls apart on their own and DOX’s each other out. In the end, I am going to suggest that the authorities will use all of the tricks of the trade on the Anon/Lulz folks to bag them… And with concerted effort by government resources, they will get their men/women.

Untrained, Unruly, and Unprofessional Operators:

“Discretion is the better part of valour” as they say, and in the case of the Lulz and Anon crews, they seem to not have a clue. Perhaps the Lulz think that by being unruly and unpredictable to a certain amount, will be just the cover they need, but, I think that their lack of discretion will be their undoing as well as their hubris. Had many of these folks had some real training, they might have just stood down for a while (not just a week or so) after setting sail into the sunset.

As I have said before, it was a bad idea to recruit and have comm’s out in the open on IRC servers even if they had ‘invite only’ channels. As is being seen now, someone (jester perhaps) has taken down their servers again after other outages due to Ryan Cleary’s attack and pressure from the government on those connection sources that the Anon’s were using. I am sure the idea was to have a movement that could also serve as diversion for the core users as well as to LOIC, but this all failed in the end didn’t it? The LOIC is what has given the FBI the 1,000 IP addresses as a hit list, so to speak, that they are now using to collect people and charge them for the DD0S attacks.

Had these people been trained or not been so compulsive, they might have had more of a chance to keep this up for a much much longer time. As I write, the Lulz do continue, but they have slowed quite a bit since the arrests started again. This I think is because the cages are starting to get rattled and people are finally coming to the conclusion that some discretion is needed to not end up Bubba’s play pal in prison. It’s a learning curve, and likely going to be a painful one for the kiddies.

Unprofessional actions within this area of battle will end up with your being put in jail kids.

To end this section I would also like to add this thought. My assessment of the Lulz core group is this;

  • They were drunk on the power of their escapades
  • The more followers they had and more attention, the less risk averse they became
  • They seem to have compulsion disorders (don’t say it.. Aspergers!) that seem to not allow them to lay low (until now it seems)
  • The ego has eaten their id altogether
  • Base ages are within the teens with a couple over 20

Technical Issues Within The Fifth Battlespace:

Another BIG issue within this battlespace is the technology. The Anon’s and Lulz have been ascribing to the idea of “Proxies, we haz them! So we’re secure!” and to a certain extent they are right. There are always ways around that though and certainly leaks in data (such as the TOR leaks that have happened) that could lead someone to locate the end user behind the proxy, so they are not fool proof. Certainly not if the fool in question is some skiddie 12 year old using LOIC un-proxied and not obfuscated while they D0S Paypal.

The problem is that the technology could fail you as well as the untrained operative could make small and large mistakes that could lead authorities right back to their IP and home accts. On the other side of that equation is that when properly done, it is damn hard to prove a lot in hacking cases because of obfuscation, as well as mis-configured end systems that have been hit. I cannot tell you how many times I have seen incidents play out where the target systems had no logging on as well as being completely un-secured, thus leaving practically nothing for a forensics team to find and use.

Once again, this brings us back to the insider threat, whether they be the insider who decides to go turncoat, or, the agent provocateur (i.e. Jester and the Ninja’s as well as others from the authorities) who infiltrate the Lulz and then gut them from the inside. What it really boils all down to is that in the end, it will be the foibles of the Lulz core and the actions of spooks that will bring them down.. And I think they are learning that very fact now.

JIN; One Must Know The Enemies Mind To Be Victorious:

As a last note, I would like to say to the Ninja’s, you need to learn and practice your Kuji-in. It is obvious to me that you have failed on the ‘Jin’ (knowing the opponents mind) with your dox attempts. Until such time as I see people being hauled in that directly relate to your documents posted, then I am going to consider the following to be the case:

  1. DOX-ing is mostly useless and takes quite a bit of analysis before just releasing names
  2. The Feds are not taking your data as gospel, nor should the general public or media
  3. You yourselves may in fact be a tool of Anonymous/Lulz and as such, spewing disinformation
  4. You could be right, but by releasing it to the public at large, you are letting the Lulz know to destroy evidence and create obfuscation that will hinder arrests later.

Ninja’s got results.. Not so much for ‘Web’ Ninjas. At least Jester, if his claims are true, is breaking their C&C channels lately.. Which has its own problematic issues.. Just like his meddling in the Jihadi area, but, that’s a story for another time.

K.

Musashi’s Last Duel: Sasaki Kojirō

leave a comment »

In April 13, 1612, Musashi (about age 30) fought his most famous duel, with Sasaki Kojirō, who wielded a nodachi. Musashi came late and unkempt to the appointed place — the remote island of Funajima, north of Kokura. The duel was short. Musashi killed his opponent with a bokken that he had carved from an oar while traveling to the island. Musashi fashioned it to be longer than the nodachi, making it closer to a modern suburito.

Musashi’s late arrival is controversial. Sasaki’s outraged supporters thought it was dishonorable and disrespectful while Musashi’s supporters thought it was a fair way to unnerve his opponent. Another theory is that Musashi timed the hour of his arrival to match the turning of the tide. The tide carried him to the island. After his victory, Musashi immediately jumped back in his boat and his flight from Sasaki’s vengeful allies was helped by the turning of the tide. Another theory states he waited for the sun to get in the right position. After he dodged a blow Sasaki was blinded by the sun. He briefly established a fencing school that same year.

Miyamoto Musashi’s last duel ends much like his first at age 13, but in this case he kills with less fury than he did on the occasion of his first duel. This last duel though was the epitome of his arts being perfected. The arts of not only swordsmanship, but also tactics.

It seems to me lately, that the art of tactics has been pretty much lost on our society. Perhaps its the Eastern mindset that we just lack here in the states, but, overall I think its a cultural thing more than anything. In Japan, the tactics of “business is war” have been practiced since post WWII, but here in the west (US) that only came to our collective consciousness in the 80’s when they started to kick our collective economic asses.

Of course now Japan is still in decline as an economic power while China rises. However, what I am aiming at here is not just about economics. I am actually attempting to further this thought process to the area of “cyberwar” and our predicaments where our national security is concerned.

Back to Musashi and on to Cyberwar:

Musashi was a consumate swordsman but like I said, also a great tactical warfare fighter. He created the two sword technique (“Ni-Ten Ichi Ryu”) that in the end, would be, in his hands, unbeatable. He used this technique in tandem with psychological warfare to unbalance his opponents and gain utter dominance. He had the tools to win the battle before it was really fought in essence.

The same can be said about cyber warfare. If you have the tools and the mindset, you can effectively render your opponent impotent and win the battle without actually needing to wage all out war. The Chinese tactician Sun Tzu said much the same in his treatise on war “The Art of War” and I feel that both of these men have much to say that should be applied to todays cyber threat-scape.

Throughout my career working in information security, I have always noticed a certain lack of understanding on the part of corporations as entities as well as that which comprise them. The people who run them where technical security is concerned are either not able to comprehend the issues at hand, or, more likely, to not really see these things as a real danger. Is it a lack of awareness or is it a lack of care? Perhaps a little of both. Whats more, in todays environment, I have seen companies accept risks that are known and should be mitigated because it would cost too much or burden the end users to fix them. This to my mind is not seeing and understanding the tactical threat-scape.

Musashi and Sun Tzu both taught being aware of the battle space, yourself, and your enemy. Japanese “salary men” still today use these tenets to wage business and are often successful at it. I suggest that we too apply these approaches to the work of information security, its application, and the process of teaching its precepts to everyone involved. After all, when individuals and companies cannot as a whole understand the basic threat that an un-secured network printer in a secured area presents, there is a fundamental disconnect that needs to be removed.

This is a failure to understand and be aware of your threat-scape… And it will lose the battle for you.

APT and Snake Oil Cure All’s

Within the last weeks I have seen a trend in twitter and in blogs on the internet from security practitioners about the APT and cyberwar problems. Howard Schmidt claimed that; “There is no cyberwar” and, as the new Tsar of the cyber area for this country, has been taken to task on this statement. I myself have written of my lack of faith in Howard’s understanding of not only the threat-scape, but also his own newly acquired title. The essence though here is that there are many pundits, salesmen, and interested parties looking to cash in or have their say on this. It’s really signal to noise at this point.

Meanwhile, the anti-virus, NAC, SIM, and other vendors have begun their putsch to promote their products that can stop APT in their tracks. This has been of concern to many of the security wonks on the blogs too. You see, the fact is the APT is not a malware one trick pony that a behavior based or signature based model can always detect. The APT or Advanced Persistent Threat is not just the tools they use, but the people who create and use them… And they are more than likely familiar with the precepts of war that Sun Tzu and Musashi taught.

When the APT saw that their malware was being detected by AV, they looked at the threat-scape to them and adapted their stratagem to defeat it. The looked at the castle and saw that the weakness lay with the way things got out of the castle as well as the natures of those who live within. Just as I have written before about the War for Troy and the Trojan Horse, so too have the APT thought things through seeking the weaknesses and exploiting them. In the case of the APT, they basically saw that they could ex-filtrate the data out of the environment through the weak point of regular traffic. They basically stegged the flow with signal to noise.

So now, we have the vendors in a lather trying to sell solutions to a particular vector of attack while the APT will move on to look once more at the threat-scape and change the battle plan to once again evade their new “products” and go unseen while they take the data and win the battle. In essence, the vendors and the clients have failed to understand the nature of the APT and the battle space on a level that is key to winning. They lack the mind set it seems as a whole to this problem in favor of a quick fix solution that will “cure all”, much like the sideshow snake oil salesmen of old.

APT, Cyberwar, Government, and YOU

In the end, I am advocating that we as a whole begin to understand the threats and the technologies better and not be so reactive after the fact. Our government needs to understand the threats as well as the technologies in order to create appropriate responses and proactive measures to prevent us having to be reactive. So far, our governments answers have been lackluster to the point of the president having a big red easy button to shut down the internet should there be a threat. This is no answer, and thankfully it was struck from the bill this week.

The government also needs to listen to the experts in the field and employ them to help mitigate our vulnerabilities without the usual “Washington Two Step” that is so prevalent. This whole flap over Schmidt’s lack of understanding or using a company line to allay the fears of the masses is just one case in point. Schmidt needs to be able to speak the truth if he knows it as well as have a position that carries some gravitas. Thus far it seems that he is in fact a neuter.

Schmidt’s comment on cyberwar also needs to be looked at from the perspective of tactics. There is no cyberwar is not an answer. Cyberwar means more than actual physical warfare as well as it not should be merely perceived as espionage. Cyberwar is more than just malware and thievery, it’s a tactic in a larger warfare scheme and we as a country are still unable to comprehend this outside of certain military purviews. Where this really becomes an issue is that most of our infrastructure in this country is held privately and thus its up to the owner to protect them.. Or, not as the case has been.

Lastly, there is the element of you, the general public. Employees of those same companies that run the infrastructure. Private citizens who are on the same internet as the rest of the companies and countries who do not understand the precepts of computer security as well as OPSEC. How many people today have way too much of their lives open to the internet? How many of those now household machines you use to connect to the internet are not secure? Lack virus scanning utilities? Have kids as well as yourselves opening every e-card they get and wondering afterwards why their systems are now slow and their bank accounts drained?

The general public today is not aware of the precepts of security in computing never mind many of the issues surrounding their daily operation. They just turn them on and they work. Both of these knowledge bases should be inherently taught at some level just as you need a license to drive a car today. I say this because now, you and your machine could be just one in many systems that comprises a botnet that DDoS’s a government entity or a business at great cost or as a pre-cursor to other attacks. You, are a part of the problem and you must be cognizant of that fact.

End Game

In the final analysis I am just putting this article forth to those who would read it. Perhaps the Western mind is just inherently unable to understand Eastern thought. Perhaps we are just a fat and lazy self interested country who’s apathy and arrogance just gets in our way of comprehension. Who’s really to say? However, we as a country have to learn that the issues above must be learned about and proactively worked on. Otherwise someday we may find ourselves in the dark without power to run those nifty machines that we rely too much on. The same machines that the government relies on too and will also collapse should there be a successful attack against our infrastructure.

Now is the time for proactive moves…Do we have the fortitude to move forward?

Musashi went from being a 13 year old rage filled boy with a stick to a master swordsman and tactician. Can this country do the same and protect itself?