Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Chongryon and Sony



#GOP Concerns

Pastebin posted 12/31/14

#G…O……P……. express highest regard to the People of North Korea.  It is the juche we strive to free the world.  It is our stance that 공화국영웅 shall be given to the most powerful leader whom have save Korea from shame.  재일본 조선인 총련 our family of old friends will always look over our Leader and protect him from dishonor even in the event he would not see us.  Soon our film of 리설주 will made ready for the sons of Korea to witness.  Through our leadership the 2 korea will be made whole and our brother will live in peace.  Our power is ultimate and strong as our secret war is being won in the world of American hate.
For we are the Guardians of Peace in Democratic People’s Republic of Korea and want no more fighting in the family.

**Follow links in kanji to meanings above**

Theories and Suppositions:

I was Googling through the Pastebins, as is my custom nowadays, and came across this little post from December 31st. It caught my eye because of the Korean as well as the content. Now, language-wise the Korean is standard, and not the Korean you would see coming from a DPRK person. I also noticed that the transliteration was direct into English, which, to me, implies that this was a translation carried out on Google Translate. However, the translated text is all place names, people’s names or names of organizations that will stand fairly static in the linguistic playbook, so a variance issue on vernacular is less a factor in this case. Interestingly, though, they chose to use the English phonetic “Juche” instead of the Korean kanji for a term that covers “self reliance”, a term for how the DPRK perceives itself against the world.

The idea has been floated in the past that the Chongryon may have had something to do with the attack on Sony, and it is one that I could buy into; all I would need is some real proof from the government on things like the IPs they claim to know about or some other secret sources they refuse to release on the whole affair. This paste, though, is subtle, and as such I thought I would bring it all to you as an interesting tidbit to think on with regard to Sony and the debacle of SPE’s hack. This morning I posted a tweet linking a story about how Sony may still be compromised because they were so utterly owned. It is entirely possible that they are, and also that not only SPE was the target. Once again I will mention the Sony IPs in the malware and the fact that the language of the GOP’s email on 11/30/14 talked specifically about human rights, reparations, and issues that they claimed to have directly with Sony itself and not just SPE.

So let’s once again take a step back and imagine that this was not just about “The Interview” and not just about SPE, but Sony itself: a company that is Japanese and has its own history and issues with Korea as well as the DPRK. Consider that the DPRK kidnapped Japanese citizens in the ’70s that they still have not accounted for. Or perhaps let’s talk about how the Chongryon headquarters is being sold out from under them by the Japanese government, which has caused consternation. There are many aspects of the region that seem to be lost on the media, and it is disconcerting that this seems to be just about America, but hey, we invented the Streisand Effect, didn’t we?

The Last Sentence:

I suppose the most interesting bit for me is the last sentence in this possible troll: “For we are the Guardians of Peace in Democratic People’s Republic of Korea and want no more fighting in the family.” It hit me once I had read it a couple of times that it made more and more sense if you consider the Chongryon as involved with this hack. The allegations of all the issues with human rights, the language around Sony and the restructuring that happened over the last year in particular, all of it. It makes a kind of sense, but it certainly is not evidence I would bring to a court. However, the sentiment and the language jibe with what the DPRK rhetoric has always been, inside and out: a long slog of “Poor North Korea against the world!” amongst other ideals that are indoctrinated into their people from the get-go. So read it with that mindset. Is it really GOP? I can’t say that it is. What I can say, though, is that the writer knows some things about the DPRK and the tensions in the region.

As I was writing this the AP came out with a story about how POTUS has approved sanctions against ten individuals from the DPRK in an attempt to cut off their access to American money. This is a flaccid response, really, added to the other sanctions we have against the DPRK. It has not stopped the DPRK and Un from carrying on, but they have made it at least a little harder on him. I highly recommend that you take a look at this on YouTube: “Money & Power in North Korea – Hidden Economy”, to get a sense of just how much money Un has and how he gets it, as well as where. This will help you understand just how these sanctions are supposed to work. Once again the US reacts, and I await the unintended consequences.

K.

Previous posts on Sony:

https://krypt3ia.wordpress.com/2014/12/30/attribution-as-a-weapon-marketing-tool-hubris-in-infosec-natsec/

https://krypt3ia.wordpress.com/2014/12/20/fauxtribution/

Written by Krypt3ia

2015/01/02 at 19:44

Posted in SONY

Attribution As A Weapon & Marketing Tool: Hubris In INFOSEC & NATSEC



Preamble:

In talking to Steve Ragan over the time between the initial Sony hack and now, he confided in me that he had some emails and data that may come to bear on the whole attribution drum that I have been banging on. As he is a friend I cajoled him into sending me the data (THANKS STEVE-O!) and lo and behold it’s got some interesting twists for all those out there playing the home attribution game! As you all likely have seen on my Twitter feed and here, I am not a real fan of the whole attribution thing to start, and now, with everyone screaming CYBERWAR NOW!, I have been all the more disgusted with the companies all falling over each other for air time on CNN and CBS to conjecture their own theories cum free advertising.

I am writing this post to offer counter narratives to all of the various pundits and companies offering their services while selling you the attribution on a case that they have no real evidence on other than that which the adversary has given them. This is an important fact that most seem to fail to comprehend too. Like The Grugq says:

“This brings us to the problem of cyber attribution. Fundamentally, the core problem is that when you’re working from forensic evidence you are dealing with information channels that are exclusively under the direct control of the adversary.”

~ The Grugq

… And I am with him here. The adversary or adversaries have had control of the situation all along. Think about it: they completely owned SONY for such a long time, and at such a level, that any data that comes out of the incident response has to be at least nominally considered tampered with or suspect. So the FBI calling it as DPRK at least has the illusion of there being other HUMINT or SIGINT that the NSA may have provided, showing traffic leaving Sony, going through an intermediary system(s) and then on to a known dead drop that has been or is controlled by the DPRK or China… Right? Well, maybe. You see, the government has not, to my knowledge, overtly said that it has CLASSIFIED data that is too “sensitive” to release to the public without destroying sources and methods.

At the end of the day though I feel that attribution really is a nation state thing until such time as the courts all catch up on this. Attribution is hard, as the Grugq says, and it surely is, but the reality is that unless you can prove something unequivocally it’s all just speculation, right? Speculation is often something you will hear being yelled by lawyers in a courtroom on TV as something for the judge to strike from testimony, so what good is it to us all in this scenario? Well, other than titillation for the churnalistas, right? You see, attributing a hack is not important. Seeing how they did something and how the company that got hacked was unprepared is a lot more important, because you can in fact learn from those things and fortify against it happening again or at all.

Alas though, people are too focused on the who and not so much on the how, and that makes me have a frowny face. Anyway, on to the post here. Prepare for theory hole poking, counter narratives, and general bitch slapping of those who have a serious case of confirmation bias!

Stylometry & Obfuscation

First off let’s talk about stylometry, which is a neat little tool in the attribution tool box. Now it is not a real hard science, as some might suspect, and I am not sure just how much weight it is given in a court, much like graphology. In the case of the Sony hack this has of late been trotted out by the likes of Jeff Carr and his little band of scientists. Out of the Pastebin posts from GOP he and his crew have determined that the writer(s) of the posts were not at all Asian but in fact Russian! Oh really? Out of a sampling of pastes with what seems to be deliberately bad “engrish” and sourced from Pastebin you are going to go on national and local TV to attribute this? That is some advertising chutzpah!

It was Jeff and his TV appearances that set me off on the stylometry and thus my chat with Steve. I wanted to see all the emails that he had from the GOP to gauge all of the language. What came to me from Steve was the usual series of pastes that we all saw, but also one email that had not been released to the public. The email is a response to Steve from questions he had sent them about who they are and what this was all about. Below, you can see the response; I have marked out particularly interesting areas of stylometry (blue) as well as notional or attributional statements by the GOP themselves about their ethos and politics (red).

The overall thing I want you all to comprehend, though, is that stylometry is just as useless as attribution on the whole. This is specifically the case with the Sony hack and trying to attribute who may have hacked them. There are signs of deliberate tampering with the language in this email, and because it is more than just a quick paste with links there is a narrative that emerges where you can see the writer go back and forth attempting to obfuscate their knowledge of English as well as perhaps cover any telltale evidence that they speak it as a first language.

In the end the probative quality of this evidence, even here, is mostly useless, but I wanted to make a point. Oh, and I almost forgot: Jeff and his team were working with less than the usual amount of text needed to really perform a stylometry of merit, so there is that too. Maybe this little ditty will help them.

Subject: Our answers to your questions
From: "nicole.basile@hushmail.com" <nicole.basile@hushmail.com>
Date: 11/30/2014 09:09 AM
To: Steve Ragan <sragan@cxo.com>

Hi, Many consider us as a small group consisting of only several hackers, but it is not true. We are an international organization including famous figures in the politics and society from several nations such as United States, United Kingdom and France.
We are not under direction of any state.
Our organization continues to grow.
Our philosophy is peace and equality of the world.
Our main effort is to take care of neighbors in difficulties and to protect human rights of the world.
We are just unknown to the public, but many have seen us. In recent years, Sony and Sony Pictures frequently brought damage to many people and preyed on the weak through terrible racial discrimination and human rights violation, indiscriminate tyranny and restructuring.
There are some victims of them among us.
Nowadays Sony Pictures is gonna prey on the weak for their own benefits with another plan of indiscriminate restructuring. This became a motive of our action.
We required Sony Pictures to stop this and pay proper monetary compensation to the victims. Followings are our answers to your questions: 1) Our aim is not at the film “The Interview” as Sony Pictures suggests. But it is widely reported as if our activity is related to “The Interview”. This shows how dangerous film “The Interview” is. “The Interview” is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money. The news with “The Interview” fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures.
2) We demanded Sony Pictures to stop indiscriminate restructuring which brings forth innocent victims and to pay proper monetary compensation to the victims. Sony and Sony Pictures neglected our repeated warning and chances. They didn’t even show their some faith to us.
We think such a shameless company doesn’t need to exist. We won’t give up this attack unless Sony Pictures collapse to the end.
We have already started the efforts on full scale. We will release all data of the company as we proclaimed.
Sony Pictures is surely to collapse unless it kneels down to us.
We have another plan to correct the incidents of Michael Brown. Thanks

Stylometry Interesting Bits:

  • The writer uses the contraction/slang “nowadays” and “gonna” correctly in a grammatically correct sentence
  • The writer then uses “fully acquaints us” as a term for familiarity on a topic instead of another contraction
  • Neighbors instead of Neighbours (UK)
  • The switching back and forth between what seems to be a native speaker of American English and perhaps a non-English speaker, as if this was crowdsourced or deliberately obfuscated

Assessing this one email, the most complete of the communications that, according to Steve, has not been released in its entirety, shows some real dissonance in the creation of the email and perhaps that it was not a sole writer. This all, however, is speculative and, as I mentioned above, little more than a fun diversion. It should not be taken as a real indicator of anything about whoever hacked Sony, and that is what the media needs to realize along with the rest of the public. It does not matter what nationality anyone is here. It could be a conglomerate of people like they (GOP) claim. It could be a group either paid or just pissed off. It doesn’t matter! What does matter is that Sony got hacked and HOW they got hacked.
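As an added illustration (my code, not the author’s or Jeff Carr’s method), here is a crude marker tally over the email quoted above: it flags the American spellings and contractions the post points out, a handful of non-standard constructions taken from the email itself, and then reports per sentence which register each one shows and how often the text flips between them. The marker lists are my assumptions and far too small for real stylometry, which is the point.

```python
import re

# Sample input: the 11/30/2014 GOP reply to Steve Ragan quoted above.
EMAIL = """Hi, Many consider us as a small group consisting of only several hackers, but it is not true. We are an international organization including famous figures in the politics and society from several nations such as United States, United Kingdom and France.
We are not under direction of any state.
Our organization continues to grow.
Our philosophy is peace and equality of the world.
Our main effort is to take care of neighbors in difficulties and to protect human rights of the world.
We are just unknown to the public, but many have seen us. In recent years, Sony and Sony Pictures frequently brought damage to many people and preyed on the weak through terrible racial discrimination and human rights violation, indiscriminate tyranny and restructuring.
There are some victims of them among us.
Nowadays Sony Pictures is gonna prey on the weak for their own benefits with another plan of indiscriminate restructuring. This became a motive of our action.
We required Sony Pictures to stop this and pay proper monetary compensation to the victims. Followings are our answers to your questions: 1) Our aim is not at the film “The Interview” as Sony Pictures suggests. But it is widely reported as if our activity is related to “The Interview”. This shows how dangerous film “The Interview” is. “The Interview” is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money. The news with “The Interview” fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures.
2) We demanded Sony Pictures to stop indiscriminate restructuring which brings forth innocent victims and to pay proper monetary compensation to the victims. Sony and Sony Pictures neglected our repeated warning and chances. They didn’t even show their some faith to us.
We think such a shameless company doesn’t need to exist. We won’t give up this attack unless Sony Pictures collapse to the end.
We have already started the efforts on full scale. We will release all data of the company as we proclaimed.
Sony Pictures is surely to collapse unless it kneels down to us.
We have another plan to correct the incidents of Michael Brown. Thanks"""

# Marker lists are my own, chosen for this text (assumption, not a real model).
US_UK = [("neighbors", "neighbours"), ("organization", "organisation"),
         ("behavior", "behaviour"), ("honor", "honour")]
INFORMAL_US = ["nowadays", "gonna"]            # the tells the post points out
NONSTANDARD = ["consider us as", "in the politics", "followings are",
               "very dangerous enough", "their some faith",
               "collapse to the end", "is surely to"]  # lifted from the email


def sentences(text):
    """Split on sentence-final punctuation followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.?!])\s+", text) if s.strip()]


def score_sentence(sentence):
    """Which markers from each list a single sentence contains."""
    low = sentence.lower()
    words = set(re.findall(r"[a-z’']+", low))
    return {
        "us": [us for us, uk in US_UK if us in words],
        "uk": [uk for us, uk in US_UK if uk in words],
        "informal": [w for w in INFORMAL_US if w in words],
        "nonstandard": [p for p in NONSTANDARD if p in low],
    }


def register_timeline(text):
    """Label each sentence 'native-like' (US spelling or informal contraction),
    'non-standard' (odd construction), 'both', or '' when it carries no marker."""
    timeline = []
    for s in sentences(text):
        f = score_sentence(s)
        native, odd = bool(f["us"] or f["informal"]), bool(f["nonstandard"])
        label = ("both" if native and odd else "native-like" if native
                 else "non-standard" if odd else "")
        timeline.append((label, s[:60]))
    return timeline


def switches(timeline):
    """How often consecutive marked sentences flip register; 'both' and
    unmarked sentences are skipped since they carry no direction."""
    labels = [l for l, _ in timeline if l in ("native-like", "non-standard")]
    return sum(a != b for a, b in zip(labels, labels[1:]))


def summary(text):
    tl = register_timeline(text)
    feats = [score_sentence(s) for s in sentences(text)]
    return {
        "sentences": len(tl),
        "words": len(re.findall(r"[A-Za-z’']+", text)),
        "us": sum(len(f["us"]) for f in feats),
        "uk": sum(len(f["uk"]) for f in feats),
        "informal": sum(len(f["informal"]) for f in feats),
        "nonstandard": sum(len(f["nonstandard"]) for f in feats),
        "mixed": sum(1 for l, _ in tl if l == "both"),
        "switches": switches(tl),
    }


if __name__ == "__main__":
    for label, head in register_timeline(EMAIL):
        if label:
            print(f"{label:>12} | {head}...")
    print(summary(EMAIL))
```

A few hundred words and a dozen markers is what the whole "Russian" claim has to work with; the timeline shows the register flipping, but not who wrote it.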

Parsing The Language of Politics and Rhetoric:

Now what is far more interesting, and perhaps germane to the whole whodunnit of the Sony hack, is the language and ideals that the hackers put out there as to why they were doing what they were doing. I have highlighted those passages in (red). Once again, attribution here is not really important, but this is interesting and may lend itself to counter narratives to all of the claptrap in the news cycle now. So let me prise out some of what the GOP was saying here in the email.

  • They claim they are international and much like Anonymous but come off more like The Illuminati
  • They claim Sony had been treading on human rights and had done damage to people they were trying to help (preying on the weak)
  • They want reparations to victims and for Sony to stop whatever they perceive them to be doing
  • They use the term “restructuring” in reference to victims and compensation
  • They claim they made “repeated warnings” to Sony on this
  • Then they throw in the Michael Brown notion which seems to be just a throw away

Interestingly, GOP at the start claimed that they had no impetus against Sony concerning “The Interview”, except to say: “Sony Pictures produced the film harming the regional peace and security and violating human rights for money,” which is interesting in and of itself since the whole debacle has bloomed into a cyber war between DPRK and the US over that turd of a film. So do we take the GOP at face value here and accept that they were generally upset about Sony’s behavior on rights issues as well as the care of employees? Let’s take a look at some counter narratives to the current assumptions in attribution on the news today, shall we?

Alternate Narratives and Attribution:

Let’s just for the sake of argument believe that GOP was, at the time of the November 30th email to Steve, telling the truth about their motives for the most part. There is a full narrative in the email about how Sony was a bad and greedy corporation that must be punished for their actions. If we go along with this line of thought we have the following interesting tidbits from a quick Google-Fu session that lend credence to the argument.

As you can see, the restructuring has been in the news for a long time, and the number of employees taking the hit has been upward of 10K, with many of them coming from areas of manufacturing. The link just above here shows that the primary target in February of 2014 was the Vaio laptop line. Many of the parts for these were made in other places including Korea and China as well as Japan. In general though, you can see from the rhetoric that layoffs, and perhaps pay as well as care about employees, might factor into what GOP was saying. This then leaves me with the thought that perhaps the culprits here were in fact upset about the restructuring as well as may not in fact be American in origin. Though the layoffs did touch the US, the primary areas where things were cut were actually in Asia to start with.

Suppose for a minute that we take GOP at their word and assume *assuming is bad usually but hey, let’s run with it* that the attackers are in fact responding to Sony’s cuts. Let’s also assume that they are from the Asia region and in fact could be from Japan as well. Tie that in to the fact of the Sony Japan IPs coded in one of the malware variants and that becomes more of a possibility, and you have an alternate narrative. If we take them at face value, GOP was reacting to Sony’s attempts to make themselves more profitable at the cost of people’s jobs. Jobs, mind you, that in Japan are hard to come by to start, right? As well, the jobs in China and Korea might also be harder to come by, when you think about it, when a giant conglomerate pulls out. Add to this Japan’s politics and tensions in the region (as they mention with the movie as well) and you can further postulate that they are telling the truth about their motives.

So with all that said, I would really like to see what those threats to Sony were as well as their demands. None of which I think anyone has seen, right? So maybe Sony can drop those emails on the net or something… HAHA… Right. I also think it is rather amusing that everyone has just assumed that all of this is about the USA and a movie to start. Talk about the Streisand effect! Is it so inconceivable that “The Interview”, as GOP states, had nothing to do with this at all? Of course once the GOP failed to get what they wanted from Sony, SPE (which was the weakest point in the chain security wise) got hit. It is also interesting to note that no other division of Sony has mentioned any hacking at all until the recent Lizard strikes against their PSX network. Why is that exactly? One would assume that the networks are all connected at some level.

So let’s boil it down…

  • GOP did it because of the restructuring
  • Their perceived beefs against Sony because of layoffs etc. that are stressing people in regions like China and Korea (both of which have long political histories of tensions with Japan)
  • SPE was really just low hanging fruit and had been hacked along with PSX numerous times making it a prime target
  • SPE was not secure because they failed to secure things
  • GOP hit them and demanded reparations which were not paid
  • GOP began dropping data and trying to get that money from SPE/Sony
  • Once Variety had put DPRK on the map with “The Interview” the idea was there for the taking once things started going south, and the GOP used it

I am not attributing this to anyone in particular. It could be anyone, but at least there may be some motive to it now per their own communication early on. Could it be DPRK? Sure. Could it be Lizards? Sure. Could it have been Colonel Mustard? Sure! Attribution on this is just pointless. Well, unless you have services to sell or want to use the notion in your political machinations, that is. However, here is my counter narrative:

A group of persons hacked Sony because they were upset with their actions cutting jobs. They likely were not some 40 year old woman who got laid off from being an assistant accountant at SPE. (oh and yeah, many of those jobs were technical people.. just sayin)

How bout them apples?

Attribution As A Weapon and Marketing Tool:


I have said it numerous times online already but let me repeat it now. Attribution is mostly useless. It is really only useful as a naming convention at the most, to describe a group acting in a particular way when they attack. That’s really it and all it should ever be. Unfortunately it has become the new hotness with companies like Norse, Mandiant, Crowdstrike and their like. They are selling themselves on actors, not so much on real usable data for the common corporation. Focusing on stupid names for groups and trying to sell people on having the inside skinny on actors in foreign countries is just snake oil. Give us the feeds on how they act and who they seem to be attacking and be done with it. Watching them horn in on this whole SPE thing with all their theories, getting free advertising time on major and minor networks, makes me sick.

Another factoid for you all should be on the notion of using attribution as a weapon. The US Government has shifted into the naming and shaming business on the backs of the Mandiants of the world, with Tao at its head crying CHINA CHINA CHINA! for years now. China may or may not be behind all of the hacking; it’s all subject to forensics and evidence that can be hard to say is pristine, as I point out above with the Grugq quote. In the case of the SPE debacle we have yet to see anything out of our government as to evidence that is convincing, and yet they have talked about proportionate responses. This is hubris at its worst and why I wrote my first post on SPE. If we are going to go to a cyber war footing we had better be able to provide proof to the world that it was in fact DPRK. So far we have nothing but “We are the government… Trust us” and that no longer works.

The worst thing of all is all the marketing that is being generated by this incident. I have seen companies take very little in the way of evidence and spin stories that they are telling to the media and the people as “the truth” when they have no real idea of what the truth is. This industry has jumped the shark, and while I personally saw my post and others make a dent in the narrative that the media was playing for us all, it did nothing to deter the FBI and the government from blaming the DPRK and seeking to respond in kind. Since then we have seen DoS attacks against the “hermit kingdom”, including my own incident where I Nmapped them and they DoS’d me for a while. It’s all a fucking nightmare and I am at my wits’ end trying to inject any sense into the derpstream out there today.

Maybe I can just become a gentleman farmer and goatherd to a flock of narcoleptic goats. At least I will be amused by their running and passing out while the world burns in cyber flames.

K.

UPDATE: I am told that the email above was public so there is that. I guess perhaps people have studied it in its totality? Meh, the post still stands.

Written by Krypt3ia

2014/12/30 at 17:26

Posted in SONY

MARKETING ATTRIBUTION



Derp.

Written by Krypt3ia

2014/12/28 at 19:57

Posted in Uncategorized

Shmoocon Crypto Roman Coin Challenge


//BEGIN

NOPDT JDJMF HOIVF QHYSJ AXSHP GKNYW PFOIM FTDSE LNXWG ZNBOI MBAMO FQDTB HVMAI BMTAZ HBRNQ JTYZJ IPFDX YKOQS PQDDD MCPRJ VMSEX TZSWP MFQVS XOUEI FHZGV MAFUR YUXAG PIHNM ACRPG MCEKR XVTLB TFHGM AUNKM AHHVQ MGGXM UCSSM ANBXZ FHQAC BJXSN NSEJP MYETU MAJRB JIODA EDHGS SHLNP SPYNG OGTQR IVGMP AVZWQ ZHIQF TGDGH TDZCC LGSLD VHWAN RJGQC QNGEX KDIFJ TSRFX MKIOD DMZMB ZHLHZ TXQFT YLGPN LPLTQ ODXFR OLRPE FQLBA VLYPF YUHSJ VNZUY RJOKK VYRZI HBPCW IIOGT MCPUX DHZBC TSXZR RBHVK UNAVD OQSQS WTGDT QRKUD DZCWM CWWPX BRWJL OPKGC VIOCZ NNGNO VRRHV DDJMZ VRGDS WYBAR QLNSO PFCZZ YUYJS EZWVW JWHFB FRNRT ELFFG BYXKT FFVLF KTFKG OKOHA ARGGA UXEJA AMTMV ZIDBA YOTKR BDDWV WPBSG PMWMK HXXMQ UGHPQ RZVNE QPURO GOSRF MBRHC NLUEO MPYFF MBQIQ

//END

Crack this cipher.

Find me at Shmoocon 2015

Give me the decrypt and the meaning of the crypted text.

I will give you a two thousand year old Roman coin.

POST SHMOOCON PUZZLE DECRYPT 1/18/2015

For those who tried to solve this, here are the particulars of the cryptogram:

  • The crypted text was a Vigenère cipher
  • The text was obfuscated
  • This was a tough one to solve because of the nature of the decrypted text: since the text is random, frequency analysis would not have revealed any patterns

DECRYPT:

gwaid clurp awtap jpjxt tfdmz zsydg inznw yboxo evibq svmts fjlry yyoyl
adxfs uuefj ajcsa cbjet bxqih rszvc iyoin fkawt oudjh mhdbz fnbac qwfjs
ypklf fiqzb rcifq iqssw tkcuq fkppb qdeql mnslw tcypw tpsaa forcw nkdxw
tvmcj ypbfm urixx gapoz fgpye fiuwl cqzik xlslc lpwsz lxjsq hoevb bdrrz
tdkba sptvp moolr mlkhm eodqn ophfx krrvm jvrjh dltkt mackh fsttn wukrl
spwmj mfbkd rtrux exwya hlikb htcuo yywgk otjup rcsxt ovkzi krzpu ogces
ajahg bqzld fkazh wpkgm maieb kjsau nvlan hydvc pbrid jzvzn whnbw vehuh
uzhov hxvlm oqzhj gvrsy ozcmf wlurj ozric pgmfb jtyxy innej rcjoc xhhag
ceskl yzywd xtqkq ugipd yngqp dbqpq hszmk tzrlk nfpok tuerf sqogk rwepb
ulobf pxmxq iuhru afira nosua khgso jxfwy zwdwp fjcmm gtfjy fxjkp fjbna

What is that? The decrypted text is the phonetic transcription of the E10 Numbers Station.
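As an added example (my code, not part of the puzzle or the author’s solution), the following Python recovers the repeating key from the ciphertext and decrypt posted above by known-plaintext subtraction, and computes the index of coincidence to show why the usual period-finding test gives no signal on random letter groups. The key itself is not stated in the post; it is whatever the computation yields.

```python
import re
from collections import Counter

# Ciphertext and decrypt as posted above (ten lines of twelve 5-letter groups).
CIPHERTEXT = """
NOPDT JDJMF HOIVF QHYSJ AXSHP GKNYW PFOIM FTDSE LNXWG ZNBOI MBAMO FQDTB
HVMAI BMTAZ HBRNQ JTYZJ IPFDX YKOQS PQDDD MCPRJ VMSEX TZSWP MFQVS XOUEI
FHZGV MAFUR YUXAG PIHNM ACRPG MCEKR XVTLB TFHGM AUNKM AHHVQ MGGXM UCSSM
ANBXZ FHQAC BJXSN NSEJP MYETU MAJRB JIODA EDHGS SHLNP SPYNG OGTQR IVGMP
AVZWQ ZHIQF TGDGH TDZCC LGSLD VHWAN RJGQC QNGEX KDIFJ TSRFX MKIOD DMZMB
ZHLHZ TXQFT YLGPN LPLTQ ODXFR OLRPE FQLBA VLYPF YUHSJ VNZUY RJOKK VYRZI
HBPCW IIOGT MCPUX DHZBC TSXZR RBHVK UNAVD OQSQS WTGDT QRKUD DZCWM CWWPX
BRWJL OPKGC VIOCZ NNGNO VRRHV DDJMZ VRGDS WYBAR QLNSO PFCZZ YUYJS EZWVW
JWHFB FRNRT ELFFG BYXKT FFVLF KTFKG OKOHA ARGGA UXEJA AMTMV ZIDBA YOTKR
BDDWV WPBSG PMWMK HXXMQ UGHPQ RZVNE QPURO GOSRF MBRHC NLUEO MPYFF MBQIQ
"""
DECRYPT = """
gwaid clurp awtap jpjxt tfdmz zsydg inznw yboxo evibq svmts fjlry yyoyl
adxfs uuefj ajcsa cbjet bxqih rszvc iyoin fkawt oudjh mhdbz fnbac qwfjs
ypklf fiqzb rcifq iqssw tkcuq fkppb qdeql mnslw tcypw tpsaa forcw nkdxw
tvmcj ypbfm urixx gapoz fgpye fiuwl cqzik xlslc lpwsz lxjsq hoevb bdrrz
tdkba sptvp moolr mlkhm eodqn ophfx krrvm jvrjh dltkt mackh fsttn wukrl
spwmj mfbkd rtrux exwya hlikb htcuo yywgk otjup rcsxt ovkzi krzpu ogces
ajahg bqzld fkazh wpkgm maieb kjsau nvlan hydvc pbrid jzvzn whnbw vehuh
uzhov hxvlm oqzhj gvrsy ozcmf wlurj ozric pgmfb jtyxy innej rcjoc xhhag
ceskl yzywd xtqkq ugipd yngqp dbqpq hszmk tzrlk nfpok tuerf sqogk rwepb
ulobf pxmxq iuhru afira nosua khgso jxfwy zwdwp fjcmm gtfjy fxjkp fjbna
"""
ENGLISH_IOC = 0.066   # textbook index of coincidence for English prose
RANDOM_IOC = 1 / 26   # expectation for uniformly random letters


def letters(text):
    """Keep only A-Z, upper-cased: the 5-letter grouping is just layout."""
    return re.sub(r"[^A-Z]", "", text.upper())


def vigenere(text, key, decrypt=False):
    """Classic Vigenère: shift each letter by the repeating key letter."""
    key = letters(key)
    out = []
    for i, ch in enumerate(letters(text)):
        k = ord(key[i % len(key)]) - 65
        out.append(chr((ord(ch) - 65 + (-k if decrypt else k)) % 26 + 65))
    return "".join(out)


def recover_keystream(cipher, plain):
    """Known-plaintext recovery: key letter = cipher letter - plain letter."""
    c, p = letters(cipher), letters(plain)
    if len(c) != len(p):
        raise ValueError("ciphertext and plaintext lengths differ")
    return "".join(chr((ord(a) - ord(b)) % 26 + 65) for a, b in zip(c, p))


def periodic_key(keystream, period):
    """Majority key letter per column for a candidate period, plus the fraction
    of positions that agree (so a stray transcription error cannot hide it)."""
    columns = [keystream[i::period] for i in range(period)]
    key = "".join(Counter(col).most_common(1)[0][0] for col in columns)
    agree = sum(ch == key[i % period] for i, ch in enumerate(keystream))
    return key, agree / len(keystream)


def best_period(keystream, max_period=20):
    """Shortest period whose majority key explains (almost) every position."""
    for period in range(1, max_period + 1):
        key, agree = periodic_key(keystream, period)
        if agree >= 0.95:
            return period, key
    return None, None


def index_of_coincidence(text):
    """Probability that two letters drawn from the text are the same."""
    n = len(text)
    return sum(v * (v - 1) for v in Counter(text).values()) / (n * (n - 1))


def column_ioc(cipher, period):
    """Mean IoC over the columns a period-`period` Vigenère would produce.
    With English plaintext the right period pushes this toward ENGLISH_IOC;
    with random plaintext it stays near RANDOM_IOC for every period, which is
    why the decrypt above defeats the standard attack."""
    text = letters(cipher)
    return sum(index_of_coincidence(text[i::period]) for i in range(period)) / period


def analyse():
    cipher, plain = letters(CIPHERTEXT), letters(DECRYPT)
    period, key = best_period(recover_keystream(cipher, plain))
    return {
        "length": len(cipher),
        "period": period,
        "key": key,
        "plaintext_ioc": index_of_coincidence(plain),
        "ciphertext_ioc": index_of_coincidence(cipher),
        "column_ioc_at_period": column_ioc(cipher, period) if period else None,
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name:>22}: {value}")
```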

What is a numbers station?

Maybe next year will be the lucky one for you…

K.

Written by Krypt3ia

2014/12/24 at 01:30

Posted in Crypto

Fear and Loathing On The Internet: A Savage Journey to the Heart of the Cyber Trenches



Image courtesy of GonzoPhD

O’Five Hundred

It was 5am and the coffee had just started to brew when I saw the tweets that the DPRK was back online. Immediately my bloodshot eyes closed in salutation because the game was on. I booted up the laptop and got the old terminal up and typed the old familiar line $ nmap -Pn 175.45.176.0/24. I hit enter and began the worship of caffeine as is my custom at this ungodly hour that I find myself in my old age waking up to more often.

Once the coffee had been poured I came back to my comfortable seat to find that one IP address in the subnet (/24) had come up with all kinds of ports open! “Ooooh, this will be interesting” I thought as I began to play with the ports in my browser and other tools. Little did I know then what I would know now about life in the 21st century cyber war!

No sooner had I begun to poke at the ports than I began to sense dark forces moving against me. I decided to forge ahead though and hit the second sub that DPRK has. The Nmap began unleashing its port scanning hell upon the enemy and I went back to the SMTP server that I had located. It began to offer up its dirty flower to me as I poked and prodded. It seemed that because the DPRK had been down since the night or so before they were still recovering, their firewall still trying to come back from the oblivion that had been wrought upon it by… Whoever.

O’Five Thirty

As I started to get bored with the one address that was available I decided to turn on the old iPad and listen to a flick while playing. I had not been watching long when all of a sudden WHAM! I could feel the palpable blow from my.. Nay, OUR enemy! The DPRK had hit back! My iPad stopped mid sentence and began to just become completely verklempt. I checked the wireless sig and it was fine… What in holy hell was happening! A creeping feeling of dread began to creep up my coccyx with a cyber chill! “Could it be that the infernal Kim Jong Un has hit me?” I thought to myself. “Nah, just a wireless issue” I mused but I decided to check. I brought up my browser and hit the router address… Nada.

“Uh oh”

I flew to my office and booted up another wired box and frantically hit the router again… 500 error…

“Shit!”

I sat and pondered it all.. I had just become a casualty of the great cyber war of 2014! My router was offline, my shit was smoking and I knew that that creeping feeling of cold dread from my coccyx was in fact the cruel reality… I had been DDoS’d!!

O’Five Thirty Five and Three Seconds

I rebooted everything and began to work the systems. I had my cyber helmet on now and I was prepared to fire a new salvo at the dreadnaught that was DPRK! The router cycled, the IPS… The Wireless… I frantically typed in the address for the IPS and began looking at logs. I scanned, as the caffeine began to really sing in my veins, to see the following addresses had hit me like a metric shit ton of SYN!

222.220.35.5
222.66.55.245
183.61.244.73
125.227.197.158
222.186.15.161

It was all there in black and white. The wily Kim Jong Un and his frightening UNIT 121 had hit me with the dreaded SYN FLOOD! But wait, what? Those addresses aren’t DPRK! They are all in CHINA!

*cold sweat begins to trickle down my back with the realization that I had begun a new international incident!*

“CHINA! CHINA!” I yelled at the screen. I tried to calm myself and remember my cyber attribution training! “The IP’s are in China! I am being attacked by China! It’s incontrovertible! It’s China attacking me as a proxy for DPRK! MY GOD!” This is when the klaxons began going off.

INBOUND PACKETS!

WHAM!

I was hit again wave after wave from China. There was no way around it. I had to declare cyber war on DPRK because China attacked me after I used a network tool on DPRK addresses!

DAMN THE CYBER TORPEDOES!

The packets flew and the Chinese hit me with everything they could. I could hear KJU screeching in the background yelling orders of more salvos against the capitalist cyber swine that was me!

WHAM!

BOOM!

My cyber helmet developed a crack and there was only one thing left to do… I blocked them on my firewall. The war ended then… At approximately 0540 hours the great “Cyber War” of 2014 ended. I looked around to see posters torn from walls.

The. Horror!

Now I am a veteran of the cyber wars… I still have not gotten my purple heart. Listen well you young men and women. Heed the tale of this cyber warrior and his time in the cyber trenches. Cyber war is cyber hell.

K.

Written by Krypt3ia

2014/12/23 at 22:19

FAUXTRIBUTION?



Well here we are… It’s the beginning of the cyber wars my friends. POTUS came out on stage and said that we would have a “proportionate response” to the hacking of Sony and that in fact the US believes that it was in fact Kim Jong Un who was behind this whole thing. Yup, time to muster the cyber troops and attack their infrastructure!

*chortle*

So yeah, let’s take a step back here and ponder the FBI statement today on Colonel Mustard in the study with the laptop before we go PEW PEW PEW, ok?

FBI Statement:

Update on Sony Investigation

Washington, D.C. December 19, 2014
FBI National Press Office (202) 324-3691

Today, the FBI would like to provide an update on the status of our investigation into the cyber attack targeting Sony Pictures Entertainment (SPE). In late November, SPE confirmed that it was the victim of a cyber attack that destroyed systems and stole large quantities of personal and commercial data. A group calling itself the “Guardians of Peace” claimed responsibility for the attack and subsequently issued threats against SPE, its employees, and theaters that distribute its movies.

The FBI has determined that the intrusion into SPE’s network consisted of the deployment of destructive malware and the theft of proprietary information as well as employees’ personally identifiable information and confidential communications. The attacks also rendered thousands of SPE’s computers inoperable, forced SPE to take its entire computer network offline, and significantly disrupted the company’s business operations.

After discovering the intrusion into its network, SPE requested the FBI’s assistance. Since then, the FBI has been working closely with the company throughout the investigation. Sony has been a great partner in the investigation, and continues to work closely with the FBI. Sony reported this incident within hours, which is what the FBI hopes all companies will do when facing a cyber attack. Sony’s quick reporting facilitated the investigators’ ability to do their jobs, and ultimately to identify the source of these attacks.

As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there. Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States. Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens.

The FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential business information. Further, the FBI will continue to work closely with multiple departments and agencies as well as with domestic, foreign, and private sector partners who have played a critical role in our ability to trace this and other cyber threats to their source. Working together, the FBI will identify, pursue, and impose costs and consequences on individuals, groups, or nation states who use cyber means to threaten the United States or U.S. interests.

Parsing the language:

  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

The language of this report is loose and very much like an FBI statement would be when they are not so sure. Remember that the FBI did not originally link all of this to DPRK. Now though, with the same data as we all had before, they are definitively tentatively saying “It’s DPRK”, which makes people like me mental. So let’s look at these IPs that were hard coded into the malware and take to task the idea that they are assets that ONLY the DPRK could use or has used, and how that very idea produces so much cognitive dissonance where “evidence” is concerned. Especially evidence on which a nation state is going to “respond proportionally” to another for actions it claims they perpetrated.

The key here is to pay attention to the GEO-IP stuff they are using:

A summary of the C2 IP addresses:

IP Address        Country        Port           Filename(s)
203.131.222.102   Thailand       8080           Diskpartmg16.exe, igfxtrayex.exe, igfxtpers.exe
217.96.33.164     Poland         8000           Diskpartmg16.exe, igfxtrayex.exe
88.53.215.64      Italy          8000           Diskpartmg16.exe, igfxtrayex.exe
200.87.126.116    Bolivia        8000           File 7
58.185.154.99     Singapore      8080           File 7
212.31.102.100    Cyprus         8080           File 7
208.105.226.235   United States  (none listed)  igfxtpers.exe

See now, all of these IPs could be used by just about anyone. They are not in country at the DPRK and they are not on Chinese soil either. In fact, here is the dope on each one:

Thailand: 203.131.222.102 port 8080 (a proxy):

203.131.222.102 - 203.131.222.102 203.131.222.102 203.131.222.0/23 Proxy-registered route object THAMMASAT Thammasat University 2 Phrachan Road, Phranakorn, Bangkok 10200, Thailand AS37992 THAMMASAT-BORDER-AS Thammasat University Thailand

It has also been seen as a very dirty player in SPAM and other nefarious actions, not just DPRK/CN APT activities.

So really, this one could be used by anyone and everyone.

Poland: 217.96.33.164 8080:

217.96.33.164 - 217.96.33.164 217.96.33.164 217.96.0.0/16 TPNET INTER-PARTS INTER-PARTS IMPORT EKSPORT WALDEMAR BACLAWSKI UL. JARZEBINOWA 4 11-034 STAWIGUDA AS5617 TPNET Orange Polska Spolka Akcyjna Olsztyn, Poland

Poland too is known to be dirty and used for SPAM and malware C&C’s as well. Many different groups are using this and it too is a proxy. So once again, this does not prove out solidly that this is DPRK. It could in fact be anyone who is in the know about its being there and its use. Many of these addresses are on sites all over the web for use in this and other capacities.

In fact here is a site that has the password to the system (Chinese)

Italy 88.53.215.64 8000

88.53.215.64 - 88.53.215.64 88.53.215.64 88-53-215-64.WDSL.NEOMEDIA.IT 88.52.0.0/15 INTERBUSINESS IT-INTERBUSINESS-20050930 Telecom Italia S.p.a. AS3269 ASN-IBSNAZ Telecom Italia S.p.a. Italy

Once again, Italy has the same issue. It is a known dirty address/system and has been used for SPAM and Malware C&C’s before. This does not mean that it is in fact solely under the control of DPRK.

Site listing the proxy as available and the qualities of the anonymity

Here’s another listing: http://dogdev.net/Proxy/IT

Bolivia 200.87.126.116 8000

200.87.126.116 - 200.87.126.116 200.87.126.116 200.87.112.0/20 200.87.126.0/24 This is a DiViNetworks customer route-object which is being exported under this origin AS6568 (origin AS). This route object was created because no existing route object with the same origin was found. Please contact support@divinetworks.com if you have any questions regarding this object. BO-ESEN-LACNIC Entel S.A. – EntelNet AS6568 ENTEL-SA-BOLIVIA ENTEL S.A. BOLIVIA La Paz, Bolivia


Here’s a listing from 2012 on the Bolivian proxy (blackhat forum)

Another listing: http://www.vipsocks24.com/2012/01/20-01-12-l1l2-anonymous-proxies-list.html

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-20 05:15 EST
Nmap scan report for 200.87.126.116
Host is up (0.17s latency).
Not shown: 92 closed ports
PORT      STATE    SERVICE      VERSION
80/tcp    open     http         Apache httpd 2.2.3 ((Win32))
135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1720/tcp  filtered H.323/Q.931
5800/tcp  open     vnc-http     RealVNC 4.0 (resolution: 400×250; VNC TCP port: 5900) (remote auth bypass)
5900/tcp  open     vnc          RealVNC Personal (protocol 4.0)
10000/tcp open     http         GeoVision GeoHttpServer for webcams

Singapore 58.185.154.99 8080

58.185.154.99 - 58.185.154.99 58.185.154.99 58.185.128.0/17 Singapore Telecommunications Ltd SINGNET-SG SingNet Pte Ltd 2 Stirling Road #03-00 Queenstown Exchange Singapore 148943 AS3758 SINGNET SINGNET Singapore, Singapore


Singapore Proxy on offer online


Cyprus 212.31.102.100 8080

212.31.102.100 - 212.31.102.100 212.31.102.100 NB5-100.STATIC.CYTANET.COM.CY 212.31.96.0/20 212.31.100.0/22 Proxy-registered route object CYTANET PROVIDER Local Registry AS6866 CYTA-NETWORK Cyprus Telecommunications A Cyprus


USA 208.105.226.235 (no port listed)

208.105.226.235 - 208.105.226.235 208.105.226.235 RRCS-208-105-226-235.NYS.BIZ.RR.COM 208.105.128.0/17 RR-Route RCNY AS11351 RoadRunner RR-Binghamton-Rochester Syracuse, United States


Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-19 21:13 EST
Nmap scan report for rrcs-208-105-226-235.nys.biz.rr.com (208.105.226.235)
Host is up (0.070s latency).
Not shown: 94 filtered ports
PORT     STATE  SERVICE
135/tcp  open   msrpc
443/tcp  open   https
3128/tcp closed squid-http <— OOOOH A PROXY GO FIGURE
5000/tcp open   upnp
5800/tcp open   vnc-http
5900/tcp open   vnc

This one seems to be a communications company in NY. An Nmap scan shows that VNC is exposed on it. Likely a compromised box. I wonder if anyone has looked at this... It is still up, so the FBI has not seized it.
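Since the post’s whole argument turns on what those hardcoded addresses do and do not prove, here is a small defender-side triage script built around the C2 table above. It is an added example, not code from the original post or from any of the vendors named on the page. It does three things with the published IP:port pairs: pulls IPv4 literals out of a constructed byte blob the way a strings pass over a sample would and matches them against the list; scans constructed firewall log lines for outbound connections to those endpoints, noting whether the destination port matches the IOC port; and marks which addresses also appear in a constructed open-proxy listing, standing in for the public proxy lists the post screenshots, since a shared open proxy is a weak attribution indicator. The blob, the log lines and the proxy listing are all made up for the example; only the IOC table values come from the page.

```python
"""Triage helper around the hardcoded C2 addresses from the SPE IOC table.

Added example, not code from the original post.  Everything except the
IOC table values (IP, country, port, filenames) is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class C2:
    ip: str
    country: str
    port: Optional[int]        # None where the published table lists no port
    files: tuple


# The IOC table as published on the page (same values, restructured).
C2_TABLE = (
    C2("203.131.222.102", "Thailand", 8080, ("Diskpartmg16.exe", "igfxtrayex.exe", "igfxtpers.exe")),
    C2("217.96.33.164", "Poland", 8000, ("Diskpartmg16.exe", "igfxtrayex.exe")),
    C2("88.53.215.64", "Italy", 8000, ("Diskpartmg16.exe", "igfxtrayex.exe")),
    C2("200.87.126.116", "Bolivia", 8000, ("File 7",)),
    C2("58.185.154.99", "Singapore", 8080, ("File 7",)),
    C2("212.31.102.100", "Cyprus", 8080, ("File 7",)),
    C2("208.105.226.235", "United States", None, ("igfxtpers.exe",)),
)
C2_BY_IP = {c.ip: c for c in C2_TABLE}

# Constructed: a stand-in for what a strings pass over a sample might return.
# A real sample carries far more noise; the point is the matching logic.
SAMPLE_BLOB = (
    b"\x00\x00MZ\x90junk" b"203.131.222.102:8080\x00"
    b"http://88.53.215.64:8000/\x00"
    b"10.0.0.7\x00"                     # private address, not a listed C2
    b"999.1.1.1\x00"                    # looks like an IP but is not valid
    b"200.87.126.116\x00"
)

_IPV4 = re.compile(rb"(?<!\d)((?:\d{1,3}\.){3}\d{1,3})(?!\d)")


def extract_ipv4(blob: bytes) -> list:
    """Return every valid dotted-quad in blob, in order of first appearance, de-duplicated."""
    seen, out = set(), []
    for m in _IPV4.finditer(blob):
        ip = m.group(1).decode()
        if all(0 <= int(octet) <= 255 for octet in ip.split(".")) and ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out


def match_c2(blob: bytes) -> list:
    """C2 records whose address is hardcoded somewhere in blob."""
    return [C2_BY_IP[ip] for ip in extract_ipv4(blob) if ip in C2_BY_IP]


# Constructed firewall log lines (syslog-ish, not from any real device).
FIREWALL_LOG = """\
Dec 19 21:13:02 fw1 kernel: OUT src=10.1.4.22 dst=203.131.222.102 proto=TCP dpt=8080 action=ALLOW
Dec 19 21:13:05 fw1 kernel: OUT src=10.1.4.22 dst=93.184.216.34 proto=TCP dpt=443 action=ALLOW
Dec 19 21:14:10 fw1 kernel: OUT src=10.1.9.3 dst=200.87.126.116 proto=TCP dpt=8000 action=ALLOW
Dec 19 21:15:00 fw1 kernel: OUT src=10.1.9.3 dst=200.87.126.116 proto=TCP dpt=80 action=ALLOW
Dec 19 21:16:42 fw1 kernel: OUT src=10.1.2.8 dst=208.105.226.235 proto=TCP dpt=443 action=ALLOW
"""

_LOG = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dpt=(?P<dpt>\d+)")


def find_c2_hits(log_text: str) -> list:
    """(src, dst, dport, port_matches) for every outbound line whose dst is a listed C2.

    port_matches is True when the port equals the published C2 port, or when the
    table lists no port for that address (the US entry).  A hit on a different
    port (e.g. plain HTTP to the Bolivian host) is still worth a look but is a
    weaker indicator than a hit on the IOC port itself.
    """
    hits = []
    for line in log_text.splitlines():
        m = _LOG.search(line)
        if not m or m["dst"] not in C2_BY_IP:
            continue
        c2 = C2_BY_IP[m["dst"]]
        dport = int(m["dpt"])
        hits.append((m["src"], m["dst"], dport, c2.port is None or c2.port == dport))
    return hits


# Constructed stand-in for the public open-proxy listings shown in the post.
OPEN_PROXY_LISTING = {"203.131.222.102", "217.96.33.164", "88.53.215.64",
                      "200.87.126.116", "58.185.154.99"}


def attribution_weight(c2: C2) -> str:
    """'shared-proxy' when the endpoint is publicly listed as an open proxy, else 'unlisted'."""
    return "shared-proxy" if c2.ip in OPEN_PROXY_LISTING else "unlisted"


if __name__ == "__main__":
    for c2 in match_c2(SAMPLE_BLOB):
        print(f"hardcoded C2 in sample: {c2.ip} ({c2.country}) [{attribution_weight(c2)}]")
    for src, dst, dport, ok in find_c2_hits(FIREWALL_LOG):
        print(f"{src} -> {dst}:{dport} {'port matches IOC' if ok else 'port differs from IOC'}")
```

The split between `find_c2_hits` and `attribution_weight` is deliberate: a connection to one of these endpoints is a perfectly good reason to pull a host for IR, while the proxy flag is the reminder that the same endpoint being on a public proxy list says very little about who was on the other end.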

Conclusions:

At the end of the day, if these are all the IPs that the US is using as evidence that DPRK carried out this attack, I think it is pretty weak as evidence goes. The majority of these systems are proxies and known to be such, and the others are weak systems that have likely been compromised for use in this attack and maybe others, because hackers share a lot of these C&C boxes. They do so to muddy the waters, so to speak: the more groups using them, the more confusion can be sown.

The machine in NY is interesting in that it is still online. I would have thought that the authorities would want to take that into evidence but there it is, still online. Maybe they are still getting round to that… Or maybe they are just happy to make the pronouncement that it was DPRK and leave it be. I personally think that all of these systems together do not lead me or anyone using logic to believe that these are known infrastructures for DPRK unit 128.

Even if the likes of Crowdstrike and others may claim that DPRK has been known to use the same tactics, or things like them, or any other vague adjectives about the data that they have seen in the past, none of it is anything that would be considered evidence in court. It is all considered circumstantial and that evidence is inadmissible. So, the US is going to base a theoretical response on a nation state level, as I said above, on circumstantial evidence?

Now that’s statecraft… Of course I remember a time a while back when we all were told that Iraq had massive WMD stocks and was in cahoots with Al Qaeda. In fact it was a SLAM DUNK according to the then CIA director.

Of course you all know how that all ended.

UPDATE:

After a night’s sleep I woke up this morning thinking about all this yet again. I just wanted to add to this article the idea that similar code and tactics also do not an actor make. Remember that all of this could lead to a cold war, if not a warmer war, with actors like DPRK, and we are going to hang our hats on “similarities”. This just does not bode well for anyone.

There is a thing in intelligence called “cognitive bias” and I fear that our intelligence agencies fall prey to this a lot as it is. However, where the information and network warfare comes into play it is even worse. This is because it’s such a slippery subject not only on a technical level, but also because it is so easy to obfuscate means, methods, and actions with technology today. Another aphorism in the IC is that of being “lost in the forest of shadows” which means that nothing is clear and it is easy to be confused. Well, this is the same thing.

Like I said on Twitter last night, I can see my way to saying that DPRK was behind this. I can use Occam’s Razor to apply the logic of who had motive, look at their actions on the face of it, and say “most likely” it is them. However, would I want to go to war over that? Look at the people out there like Dave Aitel screaming that we need to go to cyber war and drop logic bombs in their infrastructure over this. Over a hack and destruction of data along with a healthy dose of schadenfreude over what.. Hollywood?

Come on!

It’s time for this community (INFOSEC) to really teach these people about what it is to be BLUE TEAM as well as sell them 0day. I am sorry, but we need to be better and so far we are just a bunch of warring parties looking for attention and the almighty dollar. We are in a perilous time because of people like Aitel and his ilk as well as the people who will blindly follow them because they are cyber warriors or thought leaders and know no better. If this keeps escalating, and it will, then we will see attacks by non state and state actors that will just be for anarchy’s sake.

I wrote earlier this month about the “Laughing Man Effect” with regard to the SONY incident as it was unfolding. This attack mimicked the LulzSec attack on HB Gary. It seems we did not learn from this. They too had some bad practices going on that lead to their compromise and utter destruction. In fact Sabu and the LulzSec crew were nicer to HB Gary than the attackers in the Sony case. At least they did not raze their network altogether. Though HB Gary Federal went down in flames due to the attack.

The Chinese say “May you live in interesting times” and that is not meant to be a pleasant thing. I fear that Pandora’s box just opened up a little more with yesterday’s pronouncement on shaky evidence. Unless the IC has more information that is solid to point the finger at DPRK for this, I just can’t get behind any kind of response, proportional or otherwise. What really needs to happen is that Sony gets their shit together once they re-constitute their network and really have a working security model. Not the utter crap they had before but something that will actually mandate that personal information and IP be protected at least moderately.

This week I spoke with someone in the IC who does actual information warfare. In talking to him over the week I saw his frustration grow to the point that he put in his papers to separate. He plans on just going into teaching. Why? Because he said that all of this talk, this call to action over Sony, was just so ridiculous that it would be hard for him to carry out an order of attack on this “evidence”. His answer was to retire to teaching.

That about sums it up with me too of late. I look at the Twitter and the news feeds and see just marketing, hype, and fauxtribution… And it will be to our collective doom.

UPDATE 2 12/22/14

Seeing tweets that are implying that I am implying that the IP addresses above are DPRK assets. I never claimed that. In fact the whole post says that they are not owned assets. The tweets also imply that I was wrong and that there must be secret knowledge of infrastructure being talked to by the IPs in question….

So how does that actually work? A proxy by its very definition, especially an ANONYMOUS one is.. Well.. ANONYMOUS. So what records are we talking about here? If indeed the FBI has logs from Sony (which mind you, was pwn3d sideways to Sunday) can they even be trusted? What I am saying here is that NOTHING provided to the American public on this issue, nor the rest of the world, sums up to evidence that could be used in a court of law here or anywhere except maybe DPRK.

So, like we say on the internet “Pics or it didn’t happen”

It all is moot anyway it seems as reports are coming in that DPRK networks are down (mind you again, those networks only really cover the elite of KJU’s inner circle so meh) Meanwhile it seems that “maybe” there has been some monkeying around with TOR by the FBI. RUMINT is at present that there are a couple of TOR boxes that have been seized in relation to the Sony investigation.

More when it is confirmed.

Let me leave you with a visual representation of how this all feels…

K.

Written by Krypt3ia

2014/12/20 at 02:36

Posted in SONY

SONY HACK: Winners and Losers

with 7 comments

Sony-Hack

What a difference a few hours off Twitter can make… Since last night the US government has made it known that they feel they have enough “evidence” to say that DPRK and Kim Jong Un were behind the hack on Sony. So far, all that I have seen personally posted online and in the news that counts as “evidence” has been inferential and certainly not worth spit in a court of law, never mind even in a mock court taking place in a 5th grade classroom!

Instead we have Sony playing the “poor us” card, the IR service (Mandiant) saying nothing, and the internet and social media on fire with comments on how this is either just utter buffoonery at a nation state level or hue and cry for response against DPRK for this “Act of WAR!”

*hangs head*

ERMEGERD we are doomed aren’t we….

So I came up with this little list of the winners and losers for you all.

Winners:

  • Whoever hacked Sony (Interview not being shown and fear being sown)
  • Sony (Poor SONY it was advanced! We’re bleeding money! POTUS SAVE US!)
  • Armchair CYBER WAR experts (Holy fuck Dave Aitel selling CYBER WARRRRRR)
  • CYBER CHICKEN HAWKS (HOLY FUCK! DAVE AITEL SELLING CYBER WARRRRR!)
  • Anyone with an agenda against DPRK
  • Anyone looking to sell attribution services (Mandiant/FireEye/Crowdstrike)
  • APT Appliance manufacturers (Mandiant/FireEye/Crowdstrike)
  • Kevin Mandia (Apologist email of the CENTURY)
  • GOP (Whoever you are.. Well played)
  • Every person, entity, or group from here on who decides to do the same thing in similar ways (keep an eye on this one)
  • Fucksticks like Dave Aitel (ERMEGERD)
  • THE LAWYERS! GIGGITY MO MONEY MO MONEY MO MONEY!

Losers:

  • All of us who are sane (It’s knee jerk time people, put on your helmets)
  • Sanity (what little we had as a nation and a people post 9/11 and the torture reports)
  • Any of us who have a clue about hacking and the world of network security (I am sure we will all be drinking soon at Shmoo)
  • Our national reputation (Once again, post Torture report there wasn’t much left but now.. oy)
  • Serious discussion of actual network and information warfare (RidT/Robert M Lee etc) (poor bastards)
  • Freedom of expression due to fear of reprisals due to veiled threats of 9/11 *1000 attacks (Just mention 9/11 and shit happens!)
  • Insurance companies that offer cyber insurance (I sincerely hope you guys fight this one with Sony)
  • The concept of “sophistication” in hacking of targets (We already had a problem here.. Now it’s been completely abdicated as a notion seriously)

So yeah, the nation is now at CYBER WAR with DPRK over some company that pays a lot in lobbyist bribes… I mean fees… No.. Bribes… To the government because they have an agenda. (MPAA/SOPA/PIPA etc) A company that totally abdicated its responsibilities concerning the security of its data and that of everyone it works with, mind you. That part of the story seems to be lost in all the sabre rattling of late though.

PAY NO ATTENTION TO THE NAKED MAN BEHIND THE CURTAIN!

Good god… This is a pile of fecal vomitus.

K.

Written by Krypt3ia

2014/12/18 at 11:18

Posted in SONY
