Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Daesh: Islamic Millenarians or Just Propaganda?


A Cosmic War

A recent article in The Atlantic has staked the claim that daesh is a millenarian cult bent on bringing the apocalypse upon the world. The article uses recent materials from Dabiq (the daesh propaganda magazine) and cites interviews with the likes of Anjem Choudary to back its case that not only is the group Muslim (well, that is a given, right?) but also that they are battling to re-create the Caliphate to bring the end times upon us all. A great battle with Shaytan (شيطان) and even Jesus will ensue, and in the end the Caliphate will win and all kufr will be destroyed.

*hangs head*

After reading the article in its entirety I just had to sit back and wonder at the oversimplification that had just been perpetrated on us all by this reporter. I think he frankly went to the George Bush school of Islamic Comprehension, but I had to go back and read through all the issues of Dabiq to confirm or deny what the author was saying. Five issues of Dabiq later, I am still of the opinion that the article is off the mark where this is all concerned. I also believe that once again it is another classic case of a reporter writing about things without deep knowledge of them, yet speaking on them as if he had it. Here are some salient facts that the Atlantic failed to talk about in this article:

  • Hadiths Versus Qur’an: Much of what daesh uses as exhortations and rationalizations for their actions comes from the Hadiths (prophetic traditions), which are basically a grouping of sayings written down long after the prophet was gone. Much of what is there is subject to doubt because it is based on memory or just made up whole cloth to be companion pieces and reinforce certain ideals. This of course is also true of religion in general: all religions have their books, which were written a long time after the people involved had passed on. So the use of texts that are even further separated from the original oral traditions that finally got written down is reason enough to doubt their validity.
  • The Caliphate and Millenarian Prophecy: daesh seems to have become really interested in the millenarian slant on their battle with the kufr of the world and apostasy in general only recently. Looking at their propaganda over the arc of their arrival and dominance, it can be seen that this is a new feature; specifically, you can see this arc over the five issues of Dabiq magazine. This rhetoric about a cosmic war and the use of the eschatology concerning Rome, the Crusades, and the great battle with Shaytan (إبليس) frankly is only being leveraged now to give their base a boost, and it is a well thought out propaganda tool. The daesh want to recruit, and unlike AQ/AQAP and Inspire they found the right mix, which, in tandem with their actual taking of lands and creating a so called “caliphate”, seems to have made all the difference in getting recruits to come to the new Afghanistan. This melange of rhetoric, tales of epic battles, use of ultra violent means, and the propaganda generated from it is what daesh is about and is using; I do not think the core necessarily believes all that they are putting out there. I have yet to see Al Baghdadi speak on these things at all.
  • The Language of Crusades and Rome: Another bone I have to pick here is that the claptrap about Rome and the Crusades post-dates the prophet by quite a long time. You can see that daesh is carefully cultivating a look and feel using key words and ideals that resonate with people concerning the wound that is the Crusades. Honestly, this is just a hot button use of terminology and imagery that Bush only exacerbated when he said “This crusade, this war on terrorism is going to take a while.” I remember face-palming when he said this on live air. Now the daesh and their acolytes use this all the time as a rallying call, evoking images of Salahuddin but removing any of his more temperate decisions or commands concerning the greater war on the lands of the ummah.
  • Propaganda Wars and Recruitment: The article fails to take into account that nothing daesh says should be taken at face value. The reporter goes on to talk to a few true believers (aka the deluded) in Britain and elsewhere, but, as you can see, they are not in Syria, are they? They are propaganda mouthpieces only, and the fact of the matter is that all of what we have seen has been carefully created propaganda by the media wing Al Hayat. When reporters talk about daesh and all of what has been going on of late, they always remark on the professional quality of the videos and other media being put out. Well, there you have it: it is propaganda, and if you just believe that this is all that daesh is about, well, you have been fooled. This is all a means to an end, to intimidate as well as recruit.
  • Politics, Power, and Money: No matter how much the daesh clothe their movement in the millenarian trappings that you see in Dabiq, this is not just about a cosmic war. This is about power and politics as well as money. The daesh are now trying to mint coins as well as raking in huge amounts from the oil fields that they have taken in Iraq. No doubt if the caliphate ever really normalizes you will see Baghdadi and his core living well somewhere, not in fact frugally with the people.
  • The Apostasy of daesh and Islamism: Finally, the daesh are the most apocryphal and apostate group out there today. The use of the hadiths to rationalize their brutality is just a means to an end for control over the people. Fear of violence clothed in snippets of hadiths is apostasy in itself. They have carried out atrocities that Salahuddin would be ashamed of, never mind the prophet, and if they TRULY believed in the teachings of the various books, then they would not be doing these things. So when the arguments start over Islamism/Jihadism and their book being the source of all the ills of the world, much of it can be blamed on this one dimensional reporting in the Atlantic.

Once You Name A Thing You Have Power Over It

I guess in the end this Atlantic article serves the purpose of the US and others who don’t have the wherewithal to take the time to understand Islam, the region, and its history, by giving them an understandable bogeyman. After all, looking at the US government’s answers to daesh thus far, I for one can see this simplification being of use to them. It has been hard to troll the daesh, as we have seen with the “Think again turn away” program by (@CEP), and a nuanced approach is, well, nuanced. Don’t get me wrong, this whole thing is as complex as it gets, but if daesh wants to simplify it all to gather recruits with their cosmic war propaganda, well then, turnabout is fair play, right? So go ahead CEP, use this and troll the living daylights out of it.

Sadly though, I fear they won’t do this…

However, everyone should know that this is not just some epic battle of good and evil, Satan and Jesus. This is not a millenarian cult in the least bit at its core, and to think so is just stupid. I hope at least that this article does not cause even more troubles with Islamophobia amongst the uninitiated and stir more hate. Frankly, as I have said on Twitter recently: “If you want to paint daesh as an apocalyptic cult you may as well also paint Christianity as well. I mean, they are the ones who wrote Revelation right?” It’s not the book but those who use the book for their own agenda. In the case of daesh, they aren’t even using the book, they are just winging it.

K.

Written by Krypt3ia

2015/02/19 at 17:04

CYB3RC: The Cyber Caliphate, Newsweek, and DCITA


The Cyber Caliphate Hacks Newsweek and DCITA:

Since the hack on the Pentagon’s CENTCOM Twitter feed and the dropping of dox from someone’s email/phone/machine, the so called “CyberCaliphate” had been looking for another target, and it seems that they found a couple in the Newsweek Twitter feed and someone at DCITA (DC3) in the Defense Base group. On February 10th the Newsweek Twitter feed began posting data from another hacked account within the military, albeit the Defense Base side of the house, that showed the Caliphate had culled FOUO data from the DCITA. The documents dumped in screenshot form show internal rosters of phone numbers, some org charts, and other mostly uninteresting documents that are not super secret, though sensitive enough to be problematic.

DOCUMENTS LEAKED

[Screenshots of the leaked documents as posted to the Newsweek feed; images not reproduced here.]

PS. Dear feds, please don’t give me 10 years and a RICO conviction for just posting shit that is already in the open and is FOUO to start, ok? *derp*

By problematic I mean that there are some tidbits in there like phone numbers and the types of jobs that these guys hold, as well as who they work for, like the guy from the NSA who is signed up for classes. More at issue for me though is that if you look at the email addresses used you see that some of these guys are using YAHOO and GMAIL as their points of contact! Why is this a problem? Well, because this is supposed to be a group tasked with the security of defense base companies like Pratt & Whitney, Lockheed, and others. Using GMAIL or YAHOO as their primary contact, hell, even a secondary, places the information they hold potentially at risk from hacking… like their shit being stolen and posted on a newly created website and a Twitter feed, right? This is TERRIBLE OPSEC and COMSEC, kids!

The Attribution Games Begin:

Overall the data is mostly uninteresting as these things go. What is interesting to me, though, is the kerfuffle that Caliphate is causing and now the crazy attribution game going on out there trying to pin these hacks on someone. Originally, when the first hack and dump happened, the first person that everyone started pointing their collective fingers at was Junaid Hussain ( @AbuHussainIS ), but he actually denied being involved while laughing about the whole thing. Could Juny have something to do with it? Maybe, but he is in Syria and seems to have his own problems lately just trying to keep a Twitter feed up. With this second hack and dump, though, another ersatz attribution wonk claimed that the hacker in question was in fact an Algerian hacker going by the moniker PoTi-SaDz. This reporter *cough* made some bold claims but provides no proof other than a commonality between the words on defacements made by the Team System DZ crew.

This guy’s contention is that because the imagery is similar in some of their defacements, and because of the use of “i Love ISIS” as a slogan, it is clinched that PoTi SaDz is the infamous Caliphate hacker. Well Matt, I have some other thoughts on that, and you should pay attention. First off, please present a little more proof before you play the attribution game. Do you have a source? A snitch? Something other than some poor assumptions to make these claims? Let me give you some for-instances here to consider after looking at these guys.

  • You claim that they stopped defacing in 2014, and that is incorrect (see screenshot below)
  • Have you seen the English used by these guys? It is broken and bespeaks someone who does not really speak it. Now go look at cyb3rc.com and tell me that isn’t a fluent speaker
  • PoTi-SaDz’s M.O. so far has only been defacements and shows no other skill sets to speak of in hacking other systems that might dump these kinds of files
  • Hahahaha, funny thing.. PoTi calls ISIS alternately Da3sh hahaha. Hey Matt, go read up on the word daesh and how ISIS hates that shit
  • Nothing on the Caliphate’s posts shows any of these confusions; this person (or persons) knows about ISIS and is, at least on the face of it, making a good show of being a supporter without the cluelessness of PoTi

SCREENSHOTS

[Screenshots referenced above: ordaesh, hamzaabdullah, potitalk, romamaps, 2015DEFACEMENT; images not reproduced here.]

So once again, let’s not worry about who did the hacking! Instead let’s focus on how the hack happened in the first place! How did DCITA get powned in the first place? The hack so far looks to be low level, maybe someone’s email or a box that was insecure at the end user level who likely had stuff where they shouldn’t. The whole problem here is that everyone is all up in arms about CENTCOM’s and now DCITA’s stuff being hacked (ERMEGERD) by the daeshbags!

*hangs head*

Trust me people, it would be a better use of time trying to figure out how this shit happened to people who should know better than trying to chase down derpy low level hackers like Caliphate. Wake me when Caliphate hacks something important ok? Until then let me go back to important things like Twitter and watching others fiddle while their digital Rome burns to the ground. Meanwhile, PSSSSST DC3, WTF dudes? Stop this shit! You have important data to watch leave Lockheed’s network! Yeah, I remember fondly the JSF data exfil! Those were the days…

K.

Written by Krypt3ia

2015/02/12 at 14:34

OpISIS and CharlieHebdo: Whack-A-Mole Without A Plan


Cyber WAR indeed… <Shakes head>

Since the Charlie Hebdo attacks it seems that Anonymous has finally become self-aware about the online jihad that has been going on for years now. While I can laud their determination and willingness to… help… I cannot agree with their blunderbuss approach to taking down ISIS online. You see kids, there is more to all of this than just knocking off some poorly secured sites that the jihobbyists run to end the threat of daesh. Oh, and yeah, by the way, call them daesh at least, huh? If you do a little reading about them you will learn that daesh, loosely translated from their Arabic acronym, means “to crush under a boot”; they don’t like it.

Anyway, back to what I was saying here. Look, I know you want to help (some of you, that is). Others are looking for a quick fix and media attention, which, hey, if Mandiant and Crowdstrike can do it so can you, right? The main thing though is that if you are going to prosecute a war on terror then you should at least try to be helpful to the IC while you are at it, okay? The second thing is that you are all fighting a battle you cannot win here, and no matter how you try you are only getting in the way of things in reality. What do I mean? Well, let’s look at it this way:

If you take all the sites down for however long you will only force them to make other sites that are more under the radar. You will be also teaching them about security and you don’t want to be doing that do you? Say, did you see the article from Glenn Greenwald about how Iran learned from our Stuxnet attacks on them and are now a real threat? Yeah, see, it’s a double edged sword kids.

AnonOPS TASKINGS:

http://pastebin.com/RniQXzqx

http://pastebin.ca/2903248

http://pastebin.com/6nPeHM77

I have looked at all your plans and really only one site in the lists there was important to the jihobbyists as a platform of getting the word out. On the other front though, your Twitter war has been interesting to watch as well. Take it from one guy who has been doing this a while *cough jihaditwits cough* it is not really all about taking down the accounts. It’s about learning who the talkers are, who they talk to, and what the pipeline is for propaganda to take down, not just scatter-shot take-downs of accounts. Moreover let’s talk about doxing these guys and providing that to LE huh? I know, I sound like a broken record right? Look, we could use all the help we can get out there.

[Graphic “irhabs”: a sample of the Twitter accounts the author has collected; image not reproduced here.]

Back to the Twitter war though, let’s talk about this a bit. You see that graphic above? Yeah, those are just a small sample of accounts that I have collected recently. There are ZILLIONS of these guys out there on Twitter re-tweeting links to content from Syria and other places. Have you stopped them? What? You haven’t gotten them yet? Let me tell you, you won’t either. The sad fact is this is the biggest game of whack-a-mole there ever was. I recently stopped altogether because I had to take stock of what I was doing. Was it having any effect at all? Even with my targeting of players who were really plugged in, was I having a positive effect? Well, I guess I was, from the point that I got the fatwas and the warnings about the account, but in the end I was kind of meh about it so I took a break. I am back though, and I wanted to share with you my thoughts on your “digilante” war.

So here are my parting thoughts…

  • MMD, you gotta stop bein so derpy.
  • Anonymous, work smart and not just carpet bomb here
  • Share your dox with LE
  • If you are going to go after Twitter accounts make them count. QUALITY OVER QUANTITY PLEASE
  • Do your research and understand the propaganda war going on here kids. You knock out one channel they will open another
  • Understand that you are teaching these idiots! You will eventually make them smarter
  • It may feel like you are doing something but you really aren’t from the perspective of the GWOT
  • While you may feel like the propaganda war is being won by you, the reality is that they love to be martyrs so you are only going to make them work harder and gather more followers

With all that said, I am sure you will continue doing what you are doing, even more so once the news cycles start stroking the collective egos involved. Just know that you are not stopping them. Stopping them is up to the governments of the world and the military forces that will eventually have to kill or capture them all.

K.

Written by Krypt3ia

2015/02/11 at 16:44

Posted in jihad, Jihobbyists

Sisyphus and The Attribution Rock


In the wake of the release that Anthem has been hacked I have been taking stock of where we are today where information security is concerned. It seems that if you just look at the industry through the lens of the news media, we are all under constant assault by so called advanced actors out to steal us blind, spy on us, or take our personal data by exotic means that are inscrutable. The reality, though, is far from the picture of advanced attacks that plays in the media and that the marketing blitzkriegs of companies like Crowdstrike or Mandiant/FireEye are hawking.

The reality is that today we have businesses selling intelligence wholesale to corporations that are not mature enough to use the data they are being sold. On average, the data being sold by these companies is nothing you cannot get from open source arenas for free, and on the whole it is overly focused on attribution of groups and actors. While a mature organization might have use for these feeds and reports on various groups, the average company out there today just cannot use the data because it lacks the practices and people to truly understand the information and apply it to the org.

Clearly the business model today is intelligence centric and completely lacking in the areas of not only showing companies how to use their intelligence feeds to help in detection but also how to fortify their environments against the attacks in the first place. Richard Bejtlich was recently on a panel in front of the Senate when he made the comment that many times, after his company Mandiant had been on an engagement with a client, the client was once again compromised shortly after they left. This comment alone shows just how little effect companies like Mandiant are having on teaching these companies how to at least detect, if not halt, attacks. Attacks, mind you, that are not necessarily advanced as the APT moniker implies.

Let’s face the fact that most attacks today do not come from exotic 0day and sneaky DMZ hacks. No, instead these hacks happen through social engineering and phishing attacks. Sure, some hackers may be using 0day within their phishing attacks, but it has been my experience, along with that of many others, that it does not require a 0day to hack a corporate network today. The problems with many corporations stem from a lack of security awareness, as well as of a presence within the org to instil secure practices like patch management and employee awareness of what a phish looks like and how to detect one. Neither of these is something that Mandiant or Crowdstrike offers as a primary service. After all, if they did and it really caught on, where would they make their money?

Still, however, it is not Mandiant’s or Crowdstrike’s problem, is it? They are in the business of incident response and threat intelligence, right? No, the real issue here is that both of these companies perpetuate the idea that attribution is the key to stopping all your hacking woes, rather than having the proper security infrastructure to mitigate these attacks. And by infrastructure I do not mean just hardware and software; I also mean people with skill sets and an organization that understands security from the CEO down. This is the primary issue that I have seen throughout my career in penetration testing and information security. Frankly, it is one of the biggest reasons that pentesters love doing what they do: the corporations make it easy for them because they don’t have a security mindset.

I cannot tell you how many times over the years I have seen orgs that had grossly misconfigured systems as well as a lack of processes or policies that would mandate that things be run securely. Add to this the fact that these companies also lack real telemetry to track incursions, and you have an org without any insight into how it operates or what traffic is going in and out of its domain. This is endemic in corporate America, and anyone who tells you any different has an agenda to cover their own ass. Collectively, corporate America should be totally afraid of what POTUS has proposed in the way of intelligence sharing, and not because they should be worried about PII. The real fact of the matter is that they are all going to be worried that they will have to actually perform due diligence, spend money, and have actively operational security programs to feed information to the sharing program in the first place.

I would like to change the rhetorical argument, then, from caring so much about the who to caring more about the how of a hack. How did the adversary get in? How did they leverage the vulnerabilities within the company to steal the data without being seen? How did the company miss all of this exfiltration of data in the first place? These are the questions I would be asking first about, say, Sony, rather than who did it. Was it North Korea? Instead, let’s talk about the organization’s failures in security and how it can better shore them up to stop the next attack, instead of banging the attribution gong so loudly.

With the announcement today of approximately 80 million records being stolen from Anthem and the usual buzzwords of “advanced attack” ringing in the air, I for one had to say something about the realities we face in security. Simply put, it is too often the case that organizations place security in the category of red-headed stepchild and relegate it to the sub-basement as a necessary annoyance. Security is a cost centre and is troublesome, all of which is anathema to business as usual. Security causes things to perhaps move slower, makes people take a little more time to think, and generally feels like a drag on the hyper-kinetic business model so many corporations feel they need to have today. As such, it is always a battle to ensure that basic security practices like patching and hardening of systems are carried out. It’s a sad truth, and you all must have run into this if you are a blue team player.

How do we fix it all? I have no idea. All I do know is that we are losing the battle, and it is not because China is hacking us all with advanced malware on par with Stuxnet. We all need to understand that what we see out of the media is hype and what we see out of the vendors is marketing, and not necessarily what we really need. Until such time as all organizations out there understand security and its nuances, we, the workers within the security field as blue team members, will be Sisyphus.

Written by Krypt3ia

2015/02/05 at 19:07

Posted in Infosec

Threat Intelligence Report – December/January 2014/2015


Executive Summary:

In the months of December 2014 and January 2015 many paradigms on how the security of the Internet was perceived began to change. With the advent of the Sony hack and all of the fallout since, there has been quite a bit of angst on the part of governments across the globe in response to the attack.

This concern is warranted because the Sony hack set a precedent in destructive actions on the part of a nation state (ostensibly) attacking a private corporation and completely destroying its capability to function as a company for many months. To date, Sony is still offline internally, with all of its various systems being reconstructed to enable workers to resume regular business.

Alternatively, other attacks, like the Christmas Day attacks on Sony’s PSN and Microsoft’s Xbox networks, took those services offline at a key time for gamers with new consoles to play the games they got for Christmas. These DoS (Denial of Service) attacks were carried out by a group of “script kiddies” (hackers without real skills) called “The Lizard Squad”, and arrests by the FBI and others across the globe are now happening in January.

The final assessment though is that the game has changed and the rules are yet to be determined, on a legal level as well as in an attacker’s decision process on how far is too far to go. In the case of the Sony attack, whether or not it was a nation state doing so, the game changer is that they completely destroyed Sony’s capability to operate its business. This situation ups the stakes for other adversaries, both nation state and other, to a level at which nothing is taboo and everything is possible.

In short, we are living in “Interesting Times”, as the Chinese say, and we had all better be ready to handle the outcomes of potential attacks like the Sony attack because it is likely that it will not be the last one of its kind.

Global Threats:

The Sony Hack & New Norms in Intrusions

The Sony attack was not new in the sense that the malware had been around for some time on the Internet. A version of it had been used in 2013 on banks in South Korea and managed to destroy quite a bit of data, although those attacks were stopped before the destruction of the banks’ systems was complete. The use of such malware attacks by an adversary in this way against private entities, however, had not been carried out before, and this was the game changer.

In the case of Sony, an iteration of the malware from 2013 (DarkSeoul) was upgraded with about forty percent more changes to the base code that refined the process a bit. The malware, after editing was leaner and able to destroy drives in a very quick fashion. The crux of the attack lay in the malware choosing a certain section of the drive (middle) and quickly taking that section out with destructive wiper tools. In essence, that one stripe made the drive useless.

This in tandem with the hard coded domain names, addresses, and passwords of high level accounts, made the attack all the more destructive and pervasive. The sole intent of the upgrades and deployment of this malware package (4 variations of malware in total) was to take Sony off line hard at a maximum cost.

Assessment:

The assessment that goes along with this attack on Sony is alluded to in the executive summary. The crux of it is that this malware was not advanced. It has been around since 1998 as a concept, and the attacks used to place it in the network were not new either. What is different is that the actor was willing to carry out such an attack on their target in the first place.

The changes to laws you are seeing proposed by the Obama Administration show just how in earnest they are to respond to this change in tempo of cyber warfare. There are few international laws that handle this type of attack and we have yet to have any real substantive ground rules that all countries would abide by in this battle space.

Additionally, the attack on Sony also sets the tone for non state and chaotic actors who may want to just wreak havoc wherever they can with the same tools. Remember that the code is already out there and the access can be granted through phishing attacks or insider access at any company. This attack and the narrative on how it happened should be paid heed by every company today because they too could be the next Sony with the right adversary set to destroy them.

Reading Material:

http://www.usatoday.com/story/tech/2015/01/21/davos-world-economic-forum-cisco-hacking/22108665/

https://firstlook.org/theintercept/2014/12/24/fbi-warning/

http://www.cnbc.com/id/102351695

http://wvtf.org/post/sony-hack-highlights-global-underground-market-malware

The Government Response to Sony

As stated above, the US Government has been actively seeking to update and create new policy on hacking and cyber warfare since the Sony attacks occurred. The Obama White House has in fact put forth changes to the CFAA (Computer Fraud and Abuse Act) as well as new legislation covering all manner of information sharing as well as repercussions for hacking.

The primary concern for business though should be the changes to reporting on incidents, as well as the proposals for information sharing between companies and the government on security threats being seen in the wild. These information sharing programs already exist in the private defense contractor space but as yet do not exist outside of that realm. The matter of the reporting of incidents, however, is a new and prickly topic and as such should be watched closely by corporations to be sure of what they may have to report on and in what time frames. Additionally, they should be concerned with fines for non-reporting as well as issues over releasing data on vulnerabilities they may have.

Assessment:

The primary concern that companies will be looking at will be the reporting and repercussions from doing so. At present this is all notional and with the president being a “lame duck” it may not be something that companies will have to concern themselves with at all. That is unless the Senate and House decide to act on these proposals.

Reading Material:

http://gizmodo.com/obama-wants-hacking-to-be-a-form-of-racketeering-1679328607

http://www.huffingtonpost.com/2015/01/20/obama-hackers_n_6511700.html

http://www.ibtimes.com/obama-says-stricter-cybersecurity-laws-needed-combat-hackers-his-state-union-speech-1789336

Chaotic Actors: Lizard Squad

The Lizard Squad is a loosely knit group of script kiddies that created a now defunct DoS (Denial of Service) software package that was used to take the Sony PSN and MS Xbox networks down on 12/25/14.

These attacks were chaotic in that the Lizard Squad just did it because they wanted to. There was no political agenda, there was no real stated reason, they just took things off-line to make people unhappy and to gather fame for themselves.

At present, the Lizard Squad’s tool is offline, its code has been dumped online, and the service’s users’ passwords (which were not encrypted) are in the open. The FBI is investigating the incident and has in fact captured three of the hackers from the group already, with more to come.

Assessment:

The Lizard Squad is just one group of many that come into existence and go out of existence on-line regularly. Loosely modeled on Anonymous, the Lizard Squad acted out of a need to chaotically cause mischief on-line without much more reason than they wanted to.

This type of actor is becoming more prominent with actions like this, and with each big story and the attention they are given, more will rise up like them to sow havoc on companies online. For the most part these actors carry out attacks that are not as complex or devastating as the Sony attack, but they could also evolve and carry out like attacks.

It is thus important that companies pay more attention to groups like these and monitor OSINT and other threat intelligence feeds to be aware of groups that might target them. Being armed with information may make all the difference in the world to your OPSEC against such attacks by these actors.

Reading Material:

http://www.gamespot.com/articles/psn-and-xbox-live-xmas-hackers-are-hacked/1100-6424778/

http://www.thebitbag.com/lizard-squad-hacker-identified-arrested-lizard-squad-client-details-leaked/108334

Skeleton Key Malware: Bypassing Domain Admin

Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers discovered malware that bypasses authentication on Active Directory (AD) systems that implement single-factor (password only) authentication. Threat actors can use a password of their choosing to authenticate as any user. This malware was given the name “Skeleton Key.”

CTU researchers discovered Skeleton Key on a client network that used single-factor authentication for access to webmail and VPN, giving the threat actor unfettered access to remote access services. Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.

http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/

Assessment:

This malware is novel in that it uses a flaw in Active Directory in tandem with single-factor authentication. This novel approach, if not mitigated by Microsoft, could be enhanced and used more widely by attackers. There is however one flaw in the malware that mitigates the attack:

The only known Skeleton Key samples as of this publication lack persistence and must be redeployed when a domain controller is restarted. CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers. Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim’s network to redeploy Skeleton Key on the domain controllers.

However, if you have a level of compromise that would grant the access needed to install malware on the domain controller, then this attack is secondary because the adversary has already compromised you at a deep level.
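To make the assessment concrete from the defender’s side, here is an added example (my own illustration, not code from the post or from the SecureWorks report) of the two things the text says a defender can look for: accounts on a patched domain controller suddenly authenticating in a way that differs from their norm, and the downgrade pattern disappearing at a DC restart and then reappearing days later when the actor redeploys. The specific observable used for the first trait, Kerberos tickets falling back to RC4-HMAC (etype 0x17) for accounts that normally receive AES tickets (etype 0x12), is the widely reported Skeleton Key indicator and is an assumption of this example rather than something the post states. The event lines are constructed for the example and only loosely follow Windows event 4768 (TGT request) and 6005 (host boot); they are not a real log export.

```python
from datetime import datetime, timedelta

AES256 = 0x12   # AES256-CTS-HMAC-SHA1-96 ticket encryption
RC4 = 0x17      # RC4-HMAC ticket encryption (the assumed Skeleton Key observable)

# Constructed sample lines, format "<iso-time> <dc> <event-id> <k=v ...>".
# 4768 = Kerberos TGT request with the ticket encryption type;
# 6005 = event log service started, used here as "the DC rebooted".
SAMPLE_LOG = """\
2015-01-05T08:00:00 DC01 4768 user=alice etype=0x12
2015-01-05T08:05:00 DC01 4768 user=bob etype=0x12
2015-01-05T08:10:00 DC02 4768 user=legacyapp etype=0x17
2015-01-06T09:00:00 DC01 4768 user=alice etype=0x17
2015-01-06T09:01:00 DC01 4768 user=bob etype=0x17
2015-01-07T02:00:00 DC01 6005
2015-01-07T08:00:00 DC01 4768 user=alice etype=0x12
2015-01-09T10:00:00 DC01 4768 user=alice etype=0x17
2015-01-09T10:02:00 DC02 4768 user=legacyapp etype=0x17
"""


def parse_line(line):
    """Turn one constructed log line into a dict with typed fields."""
    parts = line.split()
    ev = {"time": datetime.fromisoformat(parts[0]), "dc": parts[1], "event": int(parts[2])}
    for kv in parts[3:]:
        key, value = kv.split("=", 1)
        ev[key] = int(value, 16) if key == "etype" else value
    return ev


def parse_log(text):
    """Parse all non-empty lines and return them in time order."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()), key=lambda e: e["time"])


def find_downgrades(events):
    """Return (time, dc, user) for every RC4 ticket issued to an account that had
    previously been issued an AES ticket by the same DC.  Accounts that only ever
    use RC4 (legacy applications) never build an AES baseline and are not flagged,
    which keeps the rule from alerting on known-old clients."""
    aes_seen = set()
    hits = []
    for ev in events:
        if ev["event"] != 4768:
            continue
        key = (ev["dc"], ev["user"])
        if ev["etype"] == AES256:
            aes_seen.add(key)
        elif ev["etype"] == RC4 and key in aes_seen:
            hits.append((ev["time"], ev["dc"], ev["user"]))
    return hits


def find_redeployments(events, window=timedelta(days=8)):
    """For each DC restart, report (dc, boot_time, first_downgrade_after) when the
    downgrade pattern existed before the reboot and comes back within `window`.
    The eight-day default mirrors the redeployment interval the report describes."""
    downgrades = find_downgrades(events)
    findings = []
    for ev in events:
        if ev["event"] != 6005:
            continue
        dc, boot = ev["dc"], ev["time"]
        before = any(d == dc and t < boot for t, d, _ in downgrades)
        after = [t for t, d, _ in downgrades if d == dc and boot < t <= boot + window]
        if before and after:
            findings.append((dc, boot, min(after)))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for t, dc, user in find_downgrades(evs):
        print(f"{t} {dc}: RC4 ticket issued to AES-capable account {user}")
    for dc, boot, again in find_redeployments(evs):
        print(f"{dc}: downgrade present before reboot at {boot}, resumed at {again}")
```

Run against a real export you would feed it the 4768/6005 events from the DCs themselves; the point of the restart correlation is the one the assessment makes: because the patch does not persist, the gap after a reboot followed by the pattern returning is what separates a redeployed Skeleton Key from an ordinary legacy client that has always used RC4.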

Reading Material:

http://www.zdnet.com/article/skeleton-key-malware-bypasses-authentication-on-corporate-networks/

https://threatpost.com/skeleton-key-malware-opens-door-to-espionage/110433

http://www.scmagazineuk.com/skeleton-key-malware-used-to-attack-global-hq-in-london/article/392432/

Internal Telemetry & Alerts

IDS Alerts

Phishing Attacks

Malware Trends

Log Correlation

Full report for download HERE: Report

Written by Krypt3ia

2015/01/21 at 21:00

DDoS Will Not Stop Daesh or AQ or AQAP


Anonymous Hackers Target Jihadist Twitter Accounts And Websites: Nine Down

Hackers ‘disable extremist website’

Charlie Hebdo: How ‘hacktivists’ and cyber-jihadis will wage a digital war

hyperbole

I have another word though for it all..

“Fuckery”

Ok, I have said this before and I guess it is time for me to say it again, as all I see in the news today is hyperbolic bullshit about how Anons took down a jihadist site. For the record, the site in question was the lowest of the low hanging fruit. It has been pwn3d three ways to Sunday and is mostly full of other agent provocateurs looking to hook themselves a stupid jihobbyist anyway. So really, what has Anon done by taking this site, out of all the sites out there, down?

Squat.

Look, if you guys want to do something of worth then use all your doxing powers to locate all these fuckers online in these forums and pass it to the authorities, ok? Failing that, all you are doing is garnering headlines from lackluster reporters looking for a story that will give them page clicks. It will mean fuck all to the jihad, the GWOT, and most of all it will NOT stop another attack by those loon wolf enough to do it. It’s a simple equation kids and I know you want to feel like you are doing something, which I laud you for, but do it smartly would you?

The same thing goes for the Twitter accounts. I tried to do this too and I was actually taking the time to single out the big players. You get them banned and they just come right back. However, when you DOX them with their real information they tend to get popped by authorities. So why not take the time and do some real work on stopping these fuckheads?

You all can be better than this. Evaluate the ops.. Is it for you or is it for the greater good?

Do some research: https://krypt3ia.wordpress.com/category/internet-jihad/

K.

Written by Krypt3ia

2015/01/12 at 16:53

Posted in jihad

I guess I am a “SONY Truther” are you?


Hoodie can be made on http://www.zazzle.com if so inclined.

The Evidence is Where?

Right, well James Comey (FBI) came out yesterday at a conference in NYC with what he might think is definitive proof that North Korea attacked and destroyed Sony digitally. Of course the reality is, when you really look at what he said, once again you are left saying “Uhh what?” In an article on the Daily Beast which I have quoted below, Comey says that the proof that DPRK did it was in the form of IP addresses only DPRK has access to and uses. Sure, fine, I will buy that. So show me the logs and the IP addresses please?

In a speech to a cybersecurity conference in New York, Comey took the unusual step of revealing previously classified intelligence that he says shows North Korea is to blame.

The new information consisted of Internet protocol addresses that Comey said are “exclusively used” by North Korea. Comey did not specify what those addresses are. The FBI’s case to date has hinged partly on Internet addresses it says were used in previous attacks by North Korea, and numerous experts have pointed out that hackers routinely use different addresses to mask their true location.

Comey’s new evidence struck some experts as inconclusive. “Short of the government disclosing the actual IP addresses, and those being in the netblock range of those known to be associated with North Korea or used by North Korea-backed actors, I simply can’t jump on the North Korea bandwagon,” Stuart McClure, the president and founder of cybersecurity company Cylance, told The Daily Beast. “We need more evidence.”

~ The Daily Beast

It gets better though. In Comey’s diatribe on this he goes on to talk about spear phishing emails that went to the CEO of SPE previously, in September of last year, that “may” have been precursors to the attack that finally played out. This is of course very likely as the start of an attack and I can buy into that, as I have seen the Chinese and others do the same thing. Hell, I have done the same thing on penetration tests!

FBI Director James Comey said on Wednesday that investigators have found spear-phishing emails that were sent to Sony employees as late as September. Such emails were the “likely vector” that the hackers used to get inside the company’s network, Comey said, from which they stole and deleted large amounts of data, including business emails and employee salaries.

So yes, there are emails and they are spear phishing, and they are likely to be in the dump that GOP put out when they dumped Lynton’s email spools (go check kids!), so we can look at the headers. Perhaps that is what Comey wants us all to do? I am not sure; in fact I really don’t care for Comey all that much, as all I have seen out of him is dire hyperbole. Anyway, he goes on from there to talk about the IP addresses that the government allegedly has:

In nearly every case, [the Sony hackers known as the Guardians of Peace] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy. Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using… were exclusively used by the North Koreans.

They shut it off very quickly once they saw the mistake. But not before we saw where it was coming from.

Wait, he is basing this all off of the emails and pastes? I have the emails and I saw no DPRK addresses in those headers from Yopmail and the servers in the EU. So where are these headers you are speaking of James? Do you have emails that we are not aware of? If so just please say so. Alternatively, does the government in fact have the logs from Pastebin on these posts where the alleged IPs show up? If so, once again, show them. Show me the subpoenas and show me the logs. Why not? I mean you guys aren’t prosecuting this in a court anywhere are you? You should be able to drop those dox on us all to prove your case right? If not, why not? Please explain a bit more would you?

Like I have said many times already, I can believe it was the work of DPRK or actors paid by them, but really, give me a little substantiating information to go with it or just tell me everything is classified and HUMINT, where I will have nowhere to go. Instead you keep offering hollow statements of fact that just don’t really add up. It should not be this hard really. You are reacting as a nation against another nation with evidence that is what exactly? This is my big problem here with the cyberwars: we go to a war footing on what? Supposition much? If the GOP fucked up and used their straight IPs to do things and you are telling us that, then show us the data. Give us an IP address within the two /24s that they have and be done with it.
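Since the argument above comes down to “look at the headers and check the addresses against the netblocks,” here is an added example of exactly that check (my own illustration, not code from the post and not the analysis I did on the actual dump). It walks the Received: chain of a message oldest-hop-first and reports any relaying address that falls inside a claimed set of /24s. The message and the two netblocks are constructed placeholders drawn from the RFC 5737 and RFC 2544 documentation and benchmarking ranges; they are not the DPRK ranges referred to above and the relay names are invented.

```python
import email
import ipaddress
import re

# Constructed sample message: a webmail-style submission that went through an
# EU relay before landing on the target's MX.  Received: headers are listed
# newest-first, so the last one is the first hop the message took.
SAMPLE_MESSAGE = """\
Received: from mx3.example-corp.test (mx3.example-corp.test [198.51.100.7])
\tby mail.example-corp.test with ESMTP id abc123; Fri, 05 Dec 2014 11:02:14 +0000
Received: from relay.eu-host.test (relay.eu-host.test [203.0.113.45])
\tby mx3.example-corp.test with ESMTPS; Fri, 05 Dec 2014 11:02:10 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.eu-host.test with HTTP; Fri, 05 Dec 2014 11:01:58 +0000
From: sender@webmail.test
To: ceo@example-corp.test
Subject: constructed sample
Message-ID: <constructed@example.test>

body
"""

# Placeholder "claimed" /24s standing in for the ranges the post asks to see.
CLAIMED_NETBLOCKS = ["192.0.2.0/24", "198.18.5.0/24"]

# First bracketed dotted quad in a Received: value is the address the receiving
# server recorded for the peer it accepted the message from.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_message):
    """Return the relaying IP addresses oldest-hop-first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = IP_IN_BRACKETS.search(value)
        if match:
            hops.append(ipaddress.ip_address(match.group(1)))
    return hops


def originating_hop(hops):
    """The earliest recorded hop, i.e. what the first relay saw connecting to it."""
    return str(hops[0]) if hops else None


def match_netblocks(hops, netblocks):
    """Pair every hop that sits inside one of the claimed netblocks with that block."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    return [(str(ip), str(net)) for ip in hops for net in nets if ip in net]


if __name__ == "__main__":
    chain = received_chain(SAMPLE_MESSAGE)
    print("hops oldest-first:", [str(h) for h in chain])
    print("originating hop:", originating_hop(chain))
    print("hits in claimed ranges:", match_netblocks(chain, CLAIMED_NETBLOCKS))
```

One caveat that matters for the attribution argument: only the Received: headers stamped by servers you trust (your own MX and anything after it) are reliable, because a sender controls everything earlier in the chain and can forge it, and a proxy or webmail front end will show up as the originating hop instead of the real client. That is exactly why a bare assertion that “the IPs were exclusively North Korean” is not checkable without the headers or logs themselves.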

Truthers and Discrediting Language

As if the whole debacle wasn’t bad enough with a coy government, we now have self serving talking heads like Tao (Bejtlich) labelling anyone who wants at least a modicum of proof to be presented to the American people as “Truthers.” See the quote below from Mr. Bait-Lick:

“I don’t expect anything the FBI says will persuade Sony truthers,” Richard Bejtlich, the chief security strategist for cyber security company FireEye, told The Daily Beast. “The issue has more to do with truthers’ lack of trust in government, law enforcement, and the intelligence community. Whatever the FBI says, the truthers will create alternative hypotheses that try to challenge the ‘official story.’ Resistance to authority is embedded in the culture of much of the ‘hacker community,’ and reaction to the government’s stance on Sony attribution is just the latest example.”

~Richard Bejtlich

Firstly, FUCK YOU Richard.

Secondly, FUCK YOU Richard.

Thirdly, what the hell? Does questioning things and asking for actual data to be presented cut into your business model? Oh yeah, right, it does Mr. Mandiant rah rah. How many times have I heard that you and yours have turned out shitty reports with bad attribution in the past as well? I am sorry if I don’t want to just believe you Richard, or your company, or for that matter the government when they fail to provide any data that is of merit. Maybe that’s just me, but now you want to label myself and anyone who might question your findings as nutbags, with the common colloquialism of the day for an Alex Jones Tinfoil Hatter?

FUCK. YOU.

If asking for evidence is so crazy in this time of extra judicial searches and over prosecution of crimes that involve hacking, then why do we even bother with the law in the first place Richard? All of us asking the questions have legitimate rights to beg the questions as well as the ability to be experts in the field. See, it’s not just you Dick that can look at logs and perform incident response. Some of us also do it for a living daily; we aren’t just titular heads of large IR firms.

Reasonable Doubt

Reasonable doubt is that thing we use in the law to say that you have to prove beyond it that someone is guilty. Of course this isn’t a case where we will be taking DPRK to court unless Sony wants to. Nope, this is statecraft and warfare. Unfortunately we have many cyber chicken hawks out there, as well as corporate bodies that will make OODLES of money as well as consolidate power if this all goes hot cyber, right? All we have seen lately is how this was the first shot in the cyber war and that we need to respond. Well, as a citizen I would like to see some proof before we go starting cyber wars. Of course that is a little cart before the horse now since Stuxnet, right?

With a populace that has been shown to have been lied to by the government, where excesses have happened infringing on rights and doing things in our name that perhaps we don’t want them to, I think it is important that we at least get some evidence. Assurances are just not enough in my book as they move forward in prosecuting statecraft and perhaps even military action, albeit cyber action, when the result is political upheaval and reprisals.

That’s all I am saying.. Logs or GTFO.

K.

Written by Krypt3ia

2015/01/08 at 12:40

Posted in SONY
