JM511 Hacking since at least 2004:
There is a typical history to certain types of hackers and this genesis usually embodies first defacing sites and gloating about it online. Since the advent of pastebin and Anonymous things have changed a bit by dumping DOX or proof of hacks while gloating. JM511 has been one of these hackers who started around 2004 (by his own account as seen in the picture below) defacing sites and shouting out gr33tz to those he wanted to share his conquests with. Often times the tenor of JM511 has been “neener neener neener you stupid idiots!” which is pretty common and bespeaks a certain core need to feel superior to anyone and everyone coupled with poor impulse control. Of course in today’s world there are so many outlets to garner fame and fortune for your exploits like Twitter where JM511 has a long lived twitter feed where he posted his thoughts on hacking, politics, Islam, and generally used it as a platform for self aggrandizement.
To date JM511 has been pretty prolific and for the most part an afterthought by most for his acts against poorly protected sites. However, he has recently taken on a new aspect with recent posts that dumped credit cards and email addresses as well as other PII that some out there certainly should care about. Law enforcement at the least should be paying attention to large dumps of credit cards and PII as well as watching these guys who profess their ties (albeit tenuously at first) to AQ. I personally got him on my radar by a tip from a comrade who thought it might be a fun diversion for me to look into Mr. 511.. That tipster was right and I tip my hat to you sir.
JM511 has been a busy busy boy. A recent post by him on pastebin was what triggered all of this from the angle of Islamic hackers who may be in fact carding on the nets. The posting below is the cause for my looksee and as you can see he is taking pleasure in dumping people’s credit details and names on pastebin with impunity. JM511 has a whole long list of pastes out there showing his knowledge of XSS to SQLi and other attacks whilst mocking those he has ripped off or otherwise shamed in some way. Of course now he called his crew “Islam Hackers” and seems to have the aforementioned aegis towards opposing those who would oppose Islam. In fact he was one of the many voices on twitter back last April saying tha Dzokhar was not guilty of his crimes (bombing the Boston Marathon) and that Islam is a religion of peace. Odd that he says such things as he then turns around and starts abusing people online…
JM511 aka فيصل البقعاوي aka Faisal Bakaawi aka Faisal Faisal Al Otaibi:
JM511 thought he had it all figured out though. His reign has been long and no one seems to have caught onto him to date.. That is until now. Through a circuitous use of Maltego, Google, and the frontal lobes of my brain I managed to trace JM511 through his SPECTACULAR OPSEC FAIL to his real name and his location. As JM511 aka Faisal Bakaawi or Faisal Al Otaibi claims that he is in and from Saudi Arabia I am sure he thought he could not be tracked. Well, he would be incorrect there because he forgot to compartmentalize his real life with his ID’s. Faisal failed to not re-use ID’s for non hacking things like say posting an ad for housing in Dekalb Illinois recently.
It seems that Faisal is attending ESL (language school) in Dekalb and used his Yahoo account (email@example.com) which he tied to his Skype account FoFox511x which he also kindly attached to his cell phone (443-820-8939 Baltimore number btw) and he wanted a move in date of 11/5/2013 so I am going to assume that he has found lodgings by now there in Dekalb. Some might say to me “why did you post his details on the net! Shame on you!” well, I subscribe to the idea t hat turnabout is indeed fair play and all of this data is open source and public so it has an added giggle factor for schadenfreude.
UPDATE: While researching this it became clear that the name Faisal Otaibi also comes to bear in posts and videos by JM511. Further study showed direct links to Faisal Otaibi also being a Dekalb resident attending school (see pic below) I believe that Faisal either has a pal there with him also named Faisal or, more likely, they are one in the same and Faisal has just been trying to obfuscate his name. Either way, it is my conviction that Faisal Otaibi/Bakawai is indeed JM511. It is also key to note that a Faisal Otaibi is also listed as an ethical hacker who also attended last years hacker conference in Germany…. Oh and one more thing, ELS, the school is located on NIU’s campus.
So, Faisal, thanks for playing but you lose. Please collect your silver bracelets at the door because LE has been informed of these details coming to light and you should be visited hopefully soon. I do love the irony of the selfies you took showing how you used those people’s credit cards to purchase domains on your Twitter feed though. I mean usually it’s some unsuspecting idiot showing off their new credit card and not understanding OPSEC. Of course in this case it’s you and someone else’s money that will get you some jail time I suspect.
My analysis of this interesting side trip to my day is this; OPSEC, USE IT or FAIL miserably. Faisal, you failed and I eagerly await the news of your being popped for your crimes. Let it be an object lesson for others out there who may look up to such fools. You may hack for a while, you may have your fun at the expense of others but eventually you will make a mistake and get caught. It’s just your human nature and the law of averages that will get you in the end. Run! Scurry! Someone’s coming to see you.
While there is a lot of information out there on how the Target hack allegedly happened there are a few points that have been clarified. The blackPOS was installed in systems within Target after the hackers had been in for some time carrying out recon and getting a handle on how to carry out the ex-filtration of data. Given the information already out there it is a postulate that the hackers got hold of the Fazio credentials to the Target portal and then leveraged that system to carry out the compromise internally. The system trafficks in excel, word, and pdf files and to my mind, as the hackers had the Fazio creds to get onto that system they just uploaded a malware laden file for someone internally to open and compromise their system. The question then becomes just how long it took from that moment to the moment that the hackers gained access to the Target POS systems and servers to install their malware on.
According to PCI rules as well as the CEO of the company (Gregg Steinhafel) Target was in PCI compliance and that means that the network should have been segmented to disallow easy compromise from end users systems etc. Of course we are relying on the testimony of the CEO and others at this point in time because we have no other reports from FireEye or anyone else to attest to that fact. In any case the hackers got to the data and ex-filtrated it while triggering alerts that should have started an incident Response (IR) internally at Target. This did not happen though it seems and thus the hackers made off with all the data that they wanted. The moral of the story here can be summed up in an old aphorism I love to cite; “A fool with a tool is still a fool”
The After Action Report:
According to sources close to the investigation of the incident (Fireeye/Mandiant) alerts were given on key systems that were infected by the BlackPOS and detected as malware of indeterminate kind due to there not being any current signatures on it in the AV and IDS/SIEM systems. If the information given by the anonymous sources, then the fact of the matter is that the technologies that Target bought into to protect their data were in fact ignored at best and at worst turned off by the SOC managers internally at Target because they perhaps gave too many alerts. This is a common problem with IDS/SIEM/AV systems as they need tuning constantly and in larger companies the amounts of traffic that pass through the sensors is huge and complex. It is not uncommon in some organizations to have no real FTE’s watching those systems either with a reliance on employees who may be under-trained or not trained at all watching over the hen house. Security it seems has always been an afterthought for many companies, until that is they get hacked and outed in the press.
In the case of Target there are moves going on since the incident happened to shuffle the internal deck so to speak and make it seem that changes are happening to policy regarding security. The CEO is making the rounds with legalese responses couched in flowery language that really boils down to “no comment” and the CIO has resigned perhaps under considerable pressure. After the incident occurred I began checking the Target postings for security and began to see a lot of activity out there for workers to take over their security operations. I am assuming that there has been a bit of attrition other than the CIO and this should really be the case given the information that has come out to date on how this attack succeeded and the failures afterwards to cope with it. Suffice to say that the aphorism above about fools and tools applies certainly to Target in this instance but who else might it also cover as well out there today one wonders.
The final analysis of the Target hack cannot be fully determined because the evidence is not yet public. However, the data that has come out (re: Bloomberg piece linked above) shows a very salient fact that should be heeded by us all in INFOSEC. That fact is this; “Technology is great but one has to use it properly to stop these things from happening” If the Target SOC had not turned off functionality they would have caught this attack happening. If the Target SOC had in fact been paying attention to the Fireeye system as well as the Symantec system they could have reacted quickly to at least attempt to catch the data being ex-filtrated out of their company via FTP. The sad truth is that they did not catch it nor did they see it because the human propensity for ease of use caused a systemic failure to occur in security.
I am sure more data will come out someday as much as Target will allow. One has to wonder in a publicly traded company how much transparency they should provide and what you actually will get though. The information coming out so far though, if indeed true, is pretty damning to Target and their practices. I will say that I believe what has been told to reporters in confidence given my experience over the years with corporate entities and their lackadaisical attitudes toward security thus far. All too often companies are pretty cavalier about security and in the case of Target all you have to do is look to the reports coming out now about how they plan on hiring a CSO for the company. It seems the CIO had no real experience and the company did not see fit to have a CSO or CISO until now. To boot, if you look at the wording it was implied that they were seeking an internal candidate up until recently. Think about that for a minute, they wanted an internal candidate for a job function where they lacked skill sets to begin with and had such a spectacular failure? The word hubris comes to mind.
The ultimate takeaway I would like to leave you with here is that Target is just one corporation of many that have the same problems. In fact I would hasten to add that we as a species are our own worst enemy when it comes to security and if you add to this the dynamic of corporate mores you have a recipe for epic failure. You can have all the high tech gadgets in the world but you still can be defeated by the human animal either through shrewdness on their part of laziness and stupidity on yours. There is a trend today in a reliance on technology as the panacea to all of security’s ill’s and this must be tempered with the human nature of those who operate it before we will ever be at all secure.
Threat intelligence is the new hotness in the field of information security and there are many players who want your money to give you their interpretation of it. Crowdstrike, Mandiant, and a host of others all offer what they call threat intelligence but what is it really in the end that the customer gets when they receive a report? Too often what I am seeing is reports based on suppositions and little critical thinking rather than the traditional raison dartre of a threat intelligence report on actors that may have an interest in your environment. A case in point is the report from HP that was conveniently released right in time for this years RSA conference in San Francisco.
This report on the Iranian cyber threat was hard to read due to the lack of real product or knowledge thereof that would have made this report useful to anyone seeking true threat intelligence on an actor that may have interests in them. With a long winded assortment of Googling as Open Source Intelligence, this report makes assumptions on state actors motivations as well as non state actors who may, or may not, be acting on behalf of the Basij or the Iranian government altogether. While the use of Google and OSINT is indeed a valid way of gathering said intelligence, intelligence is not “intelligence” until proper analysis is carried out on it. This was one of the primary problems with the HP report, the analysis was lacking as was the use of an intelligence analyst who knew what they were doing.
Clients and Products:
When carrying out any kind of intelligence gathering and analysis you must first have a client for the product. In the intelligence game you have “products” that “clients” consume and in the case of the HP report on Iranian actors it is unclear as to whom the client is to be here. There are no direct ties to any one sector or actor for the intelligence to have any true “threat matrix” meaning and thus this report is of no real use. These are fairly important factors when generating an analysis of a threat actor and the threat vectors that may affect them when creating a report that should be tailored to the client paying for it. Of course the factors of threat actors and vectors of attack can be general at times and I assume that the HP analyst was trying to use this rather wide open interpretation to sell a report as a means to an end to sell HP services in the near future. I am also willing to bet that this report was a deliberate drop for RSAC and they had a kiosk somewhere where they were hawking their new “Threat Intelligence” services to anyone who might want to pay for them.
In the case of this threat intelligence report ask yourself just who the client is here. Who is indeed really under threat by the alleged Iranian hackers that are listed. What sectors of industry are we talking about and who are their primary targets of choice thus far? In the case of Iran there has been also a great deal of supposition as to these actors and their motives. The report makes allusions to state actor intentions but only lists known Iranian hacker groups that may or may not have affiliations with the government. The same can be said for their TTP’s and other alleged data within the report. The important bit about threat intelligence in the world of information security is that you need hard data to model the threats and the actors for your specific company and this report generates none of this. This fact makes the report not really threat intelligence at all, not in the aspect of either true intelligence nor corporate intelligence.
The collection of intelligence is an arduous process that should be carried out by trained individuals. There are so many pitfalls that can happen to an untrained analyst that could make the product of the report bias or useless in the end and these things should be avoided. In the case of corporate intelligence reporting and threat intelligence the same is true. Just carrying out some OSINT on some individuals and outputting what you find by stringing together assumptions is not a valid way of carrying out intelligence reporting nor is it the correct way to gather intelligence. The collection of intelligence in the information security spectrum should also include direct data on telemetry and known instances of attack against the organization in question to determine if they are in fact subject to the interests of the threat actor such as Iran or SEA. The HP report lacks this context and thus is not much more than some suppositions about how you might be under threat from an amorphous threat actor, and thus is little more than FUD.
If you are going to collect intelligence I suggest that you get trained individuals to start or if you are interested in the subject yourself you can easily locate materials online to read on how to do so properly and avoid the common pitfalls like bias and group think. Intelligence collection is comprised of many facets. You need to be collecting information from a vast array of sources and methods before you attempt to analyze it and create any kind of cogent reporting for a client. In the case of the HP report you only have histrionic data from news reports and light analysis of websites owned by alleged hackers or state actors. True collection though for a client would also include detailed data or knowledge of their business, their technical measures, and their history to create a cogent picture of their business and the threats that they may face from the actors out there who may have interest in them. The HP report lacks this and that is unfortunate.
The analysis of intelligence is as I said above, a learned skill that must be honed in order to perform it correctly. Analysis in and of itself takes all of the data out there and generates a report on the entirety of the data for an against, positive and negative. Anything short of this kind of holistic analysis of information in a report of this kind only serves to mislead the client and usually be quite incorrect. An example of this would be the White House Iraq Group’s (WHIG) assessment of Iraq’s WMD’s and intentions pre Gulf War II. In this case however it was even worse because the intelligence was fit to the political desire of the administration and thus was not really analysis nor intelligence product. In the case of the HP report there is a narrow swath of data that was alleged to be collected (presented in footnotes or screen shots) in addition to snippets of news media as intelligence.
To analyze intelligence one must first have proficiency in the disciplines of intelligence gathering, analysis, and the particular subject matter. In the case of the HP report, there is a lack of comprehension of the politics of Iran which might be drivers for the alleged hackers or state actors. There is also a lack of rigorous interrogation of the data presented as intelligence to test whether or not there may be a disinformation campaign or deception operations at play as well. Put simply, the analyst for HP did not take into account that this is in fact a nation state and that they may in fact be leading such analysts down the primrose path to obfuscate the real actors. This was not even considered in the report and just paints the alleged hacker groups as more than likely linked to nation state activities. This is poor analysis even if there may be some truth to it, but without a rigorous investigation and questioning there can be no real solid assumptions made. The net net here is that analysis of intelligence is not just looking at websites and making assumptions.
Reporting intelligence is a key part to the overall process within all types of intelligence activities. A report as stated above, must have a client and in the case of the HP report I would once again ask who is the client here? What type of business should be worried that they may fall into the targeting of the nation state of Iran or these Iranian hackers? What sectors of business should be more worried than others here? In the case of the HP report I suspect there was no real client here but it should never be forgotten why one is carrying out the intelligence cycle and just who your client is in order to tailor the report so they can use the information in a productive way. Form and formats change but the aegis of the report is to apprise your client of the five W’s (Who, What, Why, Where, and When) and should be paramount in your efforts at collection and reporting of any kind of intelligence.
My analysis here is this; “Buyer beware” Threat Intelligence may be all the rage out there as services go but really think about what you are getting as product. Ask yourselves just what you are looking for when you consider buying into threat intelligence services and how you may be getting it. If you are looking to see what your current threats are your analyst should be asking you to provide intelligence on you first in order to see who might be attacking you. The technical means of log analysis and telemetry is an integral part of the process here for threat intel for corporate bodies and should never not be a part of the process. Any other reporting on threat actors without defined and direct matrices to your org is nothing more than news reports on possible terrorists who may or may not be attacking in the near future somewhere near you. This is not threat intelligence nor is it giving you a true picture of the threats you may face.
Two thousand accounts and passwords to Tesco.com’s site were dumped on Pastebin 2/12/14 and it set the news all a twitter about how Tesco had been hacked. The accounts and passwords have all been deactivated and changed according to Tesco and if they had it their way I am sure they’d just like to move on. However, the news on the hack has as yet been unclear as to how it happened. In looking around the usual dirty corners of the internet I have found a few details about how common it seems companies like Tesco have been the target of these kinds of attacks. I found trails of chatter going back to August of last year talking about how to go about abusing the Tesco online system to order goods and have them delivered in many places as well as offers by coders for scripts and programs to carry out the attack that seems to have befallen Tesco.
Tesco_Checker.exe and Freelancers:
One of the first hits that I located was talk of a “Tesco Account Checker” program back in October of last year. I was unable (as yet) to locate the live download of the program but above you can see a screen shot of one of the common file sharing sites where it was hosted back then. This program allegedly checks the site by imputing user ID’s (emails) and passwords which it will check for a (200) on the site and output a report much like what was uploaded to Pastebin recently. In fact there are many offerings out there for these kinds of scripts and programs that will work on many sites and some of them have a brute force element as well. It has yet to be determined though if the Tesco event was an actual hack on their systems with something like these programs or if the Pastebin dump was just a shot over the bow from data gathered and tested with a new tool. Of course Tesco was also not very strong on their security for their passwords or their practices here with six character non complex passwords and a tendency to send pass resets in email clear text. These factors may also have been at play in this dump of the two thousand accounts actually occurring but it still doesn’t elucidate on why someone would just dump them there and not just use them.
Tied to the scripts and programs being created for the purpose of checking accounts at Tesco and other places, the carding forums make their appearance selling the data culled as well as giving short tutorials on how to check balances and such. As seen above there are at least two different groups of carders involved in this incident (v3ch4j.cc as well as tuxedocrew.biz) so it seems that perhaps it may have been more than 2k accounts compromised and may in fact be being sold on their closed markets today. It does seem though that these guys are in it for the purchase of goods then having them shipped as Tesco is an online super market. There are posts asking how to get food sent and how to scam the site to get that food so it seems that this has been going on for some time now. Tesco users may want to check into their accounts for small charges that may have gone unnoticed as well as Tesco themselves should be looking at a full scale DFIR on their systems to see just what has happened here.
The overall analysis here is that Tesco was using insecure processes to generate passwords as well as reset them for people (in the clear in email) as well as perhaps had been under attack for some time (since last summer really) by these attackers. Probes of their site should have been noticed and one would hope that Tesco would have some sort of intelligence gathering to tell them when these types of campaigns are being created. My Googling only took about 15 minutes and I had a plethora of data on who was talking about this script as well as methods to cheat Tesco out of goods online. The upshot here is these guys weren’t really hiding very well and this stuff should be monitored. If they had been paying attention though they might have noticed Moad Abo Al Sheakh (G+ above) who posted a tutorial on using the Tesco account checking tool on his blog under the title “no secret her” and aside from his poor typing/spelling skills, lays it out pretty plainly. Overall this isn’t a Target attack on the scale of interesting but it does show just how poorly some places treat security as a primary goal only to get popped and dumped on Pastebin.
Fazio Heating & Cooling Phished via OSINT:
With the release of Brian Krebs’ article on the Fazio Heating phish and use of their credentials in the Target TTCE/POS hack comes the notion that the criminals potentially used OSINT to carry out their crime. In looking at the sites that Brian has posted about you can see that there is a plethora of data available for an attacker to use to footprint Target as well as the eventual partner or supplier that was to be Fazio. By using common tools and techniques it is quite possible that the Lampeduza Republic or proxies thereof carried out the intelligence gathering needed to determine who they should target in order to possibly garner access to the Target networks via portals like the supplier portal mentioned in the article. What may in fact be the case though is that Fazio was just one target of a phishing campaign directed at all of the vendors that could be gleaned from the site leakage online (i.e. doc files, pdf files, and xls files containing metadata as well as direct data on companies and contacts that can be harvested through Google and Maltego) All of this data could well be used to set up phishing campaigns for any and all vendors found in hopes that they (the criminals) would be able to gather access credentials for the Target network to carry out the next phase of the operation.
Side Channel Attacks:
In this case it is being intoned that the access of Fazio on the extpol.target.com site/application may have had AD credentials that could either have had too much access to start or that they were used to escalate privileges on the server/system/application to exploit the core server inside the TTCE. While this is possible, one has to wonder if that is indeed the case or was there some other access that Fazio may have had? It seems though on the surface of it, that the access to this server and the lack of segmentation allowed for the exploit to be carried out and access granted to more of the internal networking within the Target TTCE. The fact though, that at the present time people are saying (off the record and anonymously) that Fazio was the epicentre of the access that caused this data theft shows a certain type of attack that is more common to a more planned and funded style of operation called APT. The side channel attack here is first foot-printing all the companies that doe business and then either choosing a target to phish or hitting them all to see what access could be stolen for escalation. This is a common APT tactic and bespeaks more planning than the usual phish of a company like target (shotgun approach as Brian says) and then exploiting to steal data. This from all evidence thus far, seems to be a very well thought out campaign from the creation of the malware (BlackPOS) to the phish and ex-filtration of data.
APT Activities by Non State Actors:
Up to now the focus of all of the APT talk has been over nation state actors. I would like to point to the Target hack and the Lampeduza as as evidence (so far) that we are now seeing a non nation state actor taking cues from all of the talk about the APT and using those techniques to their own advantages. It is of course not difficult to carry out these types of attacks in an orderly and persistent manner, it just takes an organization that is motivated and able to handle the work. I would say that the Lampeduza shows this kind of regimented behaviour as well as a motivator in the dumps of cards and easy money from their sale. The point being is the APT genie is out of the bottle and anyone with the means and the will can now carry out APT style attacks by using OSINT and other common hacking techniques to commit their crimes so no, it’s not China all the time is it? This case as it unfolds should be watched by everyone in the Infosec community because these types of attacks are only going to be more and more common and not just reside within the sphere of nation states and espionage.
The ongoing fall out from the Target compromise is becoming more and more interesting and prescient on many levels for the security community as well as the populace at large. The attack vectors are leaking out slowly and I am sure that some day soon there will be an explanation from the DFIR folks hired by Target and the USSS as to what really happened. In the meantime information like Brian’s is very elucidating on how things may have happened and with the direction they are taking currently, it would seem that this attack and exploitation cycle was rather well thought out. As you have seen in my previous post, the Lampeduza while flamboyant, also show that they seem to have a sense of hierarchy and military ethos that I can see fits well into a criminal league who use APT techniques to get into systems, exploit them, and then keep the persistence as long as possible as they exfil their desired data. That these guys also seem rather blatant about their sites and their actions only seems to be an exceedingly large case of hubris that may eventually get them in trouble but that is for the future to hold. As well, if it wasn’t the Lampeduza who carried out the attacks, then whoever they are working with or hired has been studying the APT in the news cycle as well. Either way, this was a slick attack and I look forward to seeing where all this leads.
Exploiting The X-Ray Machines, TIPs, & TSANet:
A few years ago I worked with a startup who’s main goal was to protect the L3/Smith/Rapiscan machines from compromise from physical and network attacks. At the time the claim was made that the systems were not connected to any networks and were in fact islands and that this type of attack was not a real problem. Of course in the process of assessing these machines (one of them in a garage with an explosives expert) it became quite clear that these machines were wholly insecure and likely to be compromised at some point to allow things through the system. The connectivity issues aside, the physical access to the systems could be procured by saboteurs working in TSA and local compromise of the weak OS (Win98 as well as Xp based as the article states in Wired) could be carried out locally with a USB drive. So when looking at the threat-scape and reporting back to TSA and the makers of these machines it was clear that this type of attack could be possible but my issue was whether or not there was a probability of it being used as an attack vector. When talk was started about networking these machines as well as others (i.e. bomb sniffers) to the TSANet the startup changed their direction a bit and began to work the idea of a SOC to monitor the machines and the network to insure no tampering had been carried out. Unfortunately though the TSA and other entities did not really buy off on the idea and in fact the technologies on the systems did not make it easy for any kind of monitoring to be carried out. I went on my way having had a good insight into how TSA/DHS/Detection machines worked and had fun with the explosives expert messing around with the technologies and talking about red team exercises he had carried out in the old days with simulants. Then I saw the article in Wired yesterday and hit up my explosives and machine experts who got a bit unhappy with the article.
Exploit to Terrorism:
The Wired article on the whole of it is correct, it is quite possible to insert those already pre-made images into the system because that is how it is supposed to work. The article though mentions being able to insert socks over a gun for example in an image to cover up the fact that the gun is there. This one point was vehemently refuted by the guys I worked with as too hard to pull off live and that, as I agreed, it would just be easier to pass along a similar imaged bag image itself instead of trying to insert an image into an image to obfuscate things. I think perhaps that the reporter got that idea a bit wrong in translation but perhaps the researchers thought they could pull that off. Either way, this issue brings up a larger issue of the exploit itself being used at all. In hacking and exploits like terrorism often times the attackers opt for the path of least resistance approach. In this case I personally don’t see this type of attack as the first go to for any attacker. It think it would be much more advantageous and easier for the attackers to insiders to allow things to get past the systems or bypass them altogether to effect their goals. This type of attack has been seen before within the airports security mechanism with regard to thefts and smuggling so it is a higher likelihood that if AQAP were to attempt to board a plane with guns or other explosives, they would use insiders to pass that through the system without being seen by any X-ray or bomb detection at all and not attempt to hire hackers to compromise a networked or physically access a machine to pass a gun or guns through the TSA line. This also is why at the time of 9/11 the 19 went for very low tek solutions of box cutters to overtake planes and use them as missiles against buildings, it’s just the path of least resistance.
Failure Rates on X-ray and MM Wave Results:
Meanwhile the TSA has never been seen as a bastion of security by the public from day one. As time has progressed the people of this nation have realized that much of the function of the TSA seems to be to harass the passengers and provide a simulacra of security that really isn’t there. How many times have you dear traveller passed things through security, primarily the color x-ray Smith/L3/Rapiscan machines without even trying? I have gone through TSA on many occasions with forgotten knives and other things that are forbidden and TSA completely missed them on the scans. Once again I would point to the systems being insecure or the processes being lax that would lead to compromise of the overall security and not so much a hack on a Smith machine for a terrorist attacks success. A recent OSINT search in Google turned up an interesting document of an assessment of Hartsfield, Atlanta’s airport by the OIG that shows just how this airport at least was not following processes and procedures that would make an attack much easier for the prepared aggressor. There are other documents out there and you can go dig them up but the point is that if you are not carrying out the policies and procedures, the technologies will not prevent their being bypassed. Additionally, there are issues around the technologies accuracy as well that have been addressed by the makers of the machines and the government so these systems are in no way foolproof and it requires vigilance to make them work well. The net/net here is that the technology can fail, be tampered with, or bypassed altogether without the need for an exotic and technical exploit series to be carried out on them to forward a terrorist attack.
My analysis here is that yet again the research is valid but the hype around the revealing of such research at places like the recent Kaspersky Security Analyst Summit is just a way to garner attention. Much like the issues with the power grid and physical attacks which I profiled last on this blog, we are enamoured with the idea of cyber attacks as a vector for terror but the realities are somewhat more mundane. A physical attack or an insider attack is much more probable in this case as in the power systems attacks as the main modus operandi not an elaborate hack to insecure machines that will require access to begin with. At such time as we have networked all of these machines (remember many are islands presently) then we will have to address these issues much more closely and yet still, this attack vector may be sexy to the hacker set, but not so much to the terrorist set today. The machines are insecure though, the researchers are bang on about that and these issues should be addressed but then you have to look at the government procurement process as well as the corporations that do not want to have to re-architect their systems completely. It was a pain to try and get these makers to add API’s to their code in order to allow for remote monitoring by a SOC so think about telling them then that they have to not only harden their systems but also re-architect them completely to run on more advanced systems than WIN98. I would also point you all to the recent revelation that 94% of the ATM’s in the world still run on Windows Xp… How about an upgrade there?
Physical Attacks on Grid Systems As Terrorism:
The fear of cyber attacks on the grid (or more to the point transformers and power stations) has been in the news cycle incessantly since Stuxnet made the news back in 2010. The fixation on the cyber world really has occluded the fact that the physical attacks against power systems are the easiest to carry out and often times occur not by attack per se but in reality are acts of nature like squirrels or tree branches. The recent re-hash of a story that happened last April in California is case in point of hype as well as a real cause celebre being propagated by the former head of FERC Jon Wellinghoff. Speaking on NPR and other news outlets he makes it clear that not only can a branch cause a blackout like the one in 2003 that took out the east coast so too can an attack like this at strategic points in the country. While Mr. Wellinghoff is absolutely correct here the news is making this more of a terrorist scenario than the FBI is willing to label it for website hits but perhaps that is what is needed to effect change here. Wellinghoff is in earnest talking about how FERC and the government have done nothing substantive to build in redundancy to protect the grid from such physical attacks as well as accidents such as the aforementioned tree limb in 2003. So really, can you blame someone like Wellinghoff using the media to point out these issues and perhaps get them really addressed instead of spending millions and millions on alleged cyber vulnerabilities?
After the attack in San Jose, Wellinghoff says, he went to the scene with a team of Defense Department specialists who train special forces personnel. They found evidence of pre-planning — including piles of stones to apparently mark locations from which to shoot. The specialists also told Wellinghoff it’s their opinion that a lookout monitored police radio traffic — and raised an alert as officers came near. Otherwise, Wellinghoff says, shots might have taken out three more transformers and power to Silicon Valley might have been threatened.
What stands out here though and what the FBI is not calling terrorism, even claiming that perhaps it was domestic terrorism or even testing and planning is that the attackers in California were motivated and rather methodical about their attack. As is noted by Wellinghoff after visiting the scene with some commandos who assessed the attack. So we have a set of attackers who planned their operation by casing the power station and seemingly had knowledge of what to hit in order to cause a systems failure for that area. Such information could be gathered from Google maps as well as going on site as it is also the same for any information on power station plans and manuals as I have written about before on here. Does this though say to us all that it was a probative attempt at a larger plot to attack the power grid by some terrorist group? Or does this say that there may in fact be a group of kids who decided to live out their dream of a commando raid black op outside of their Xbox? No one can really say definitively and only speculation thus far has been spun in the news cycle but nevertheless the truth of the matter is that power stations on average are vulnerable to physical attacks.
Cause and Effect From Physical Attacks to Infrastructure:
Another truth is that there is an obvious cause and effect if one were to attack the right areas of the grid. As we saw from the great blackout in 2003 if you overflow or underflow the system it can have a domino effect depending on the time of the day, year, and weather conditions at the time. If you were going to attack the grid there are about 5-6 places I can think of that you would want to attack simultaneously to cause a cascade effect that would effect a large swath of the country potentially. These attacks could be like the one in California but most likely would be something along the lines of explosives or even crashing something into the stations to cause the dominoes to start to fall. One would have to have a good working knowledge of how the system works overall and how the interlinks work across the country to do this as well as it would have to be a concerted effort with more than a few people. Still though, to what end would this all be done? So the power goes out and perhaps everyone will know it’s from an attack of some kind but really, then what? This attack scenarios to me would only be carried out by a nation state to really be of any real use and that would have to be in tandem with an invasion force on the continental US. So for terrorism’s sake would it really be worth it? This is not to say that some actors just might to it to “watch the world burn” as it were so it is not inconceivable that someone could pull it off on small scale like in California.
Another not really discussed possible effect from such attacks might be losses in the markets both in the general markets as well as directed losses for the power companies. Such attacks would cause prices to fluctuate as well as instill fear that the companies cannot protect their systems. This too would also put doubt into the picture concerning the national infrastructure’s overall security and any and all regulation thereof. So an attack would not only leave us in the dark but could be used as a financial weapon as well. The cascade failures would also place the power companies at a loss for having to re-tool their systems and upgrade the infrastructure as a whole which then would also have financial effects on the end users by way of fee increases. It is a web of more than just physical lines, heat, and power isn’t it? There are many scenarios here that we could cover on this but let’s just leave it at the idea that a physical attack is quite possible as well as one that could be carried off to darken a great swath of the nation. However, who would do so and what else would they be up to after they did so? What is the aegis here as well as what is the bigger picture?
This story has been burning up the wires for a day or so now and people are all asking why now? Well, the why is because of Mr. Wellinghoff, he has been pimping this story along with the Wall Street Journal and rightly so if we are to face facts that these stations are poorly protected. However, I would like to point out some things here that one should consider concerning this story;
- The attack in California was carried out by individuals who had some SECOPS knowledge in that they had cut the lines to prevent automated alerts but anyone with sufficient will could do this even teens
- The California attackers also planned out where to shoot from with regard to their weapons (AK47′s it seems) and at 60 yards they are not “snipers” nor are AK47′s considered sniper rifles. Had these attackers had Barret’s or some other .50 cal with depleted uranium that’d be a different story altogether
- The FBI is saying this was not terrorism so what was it?
- Could it be possible that someone could be making the point by action to get someone like Mr. Wellinghoff ammunition to make a case for securing these systems over spending all the money on cyber attacks? He says outright in his NPR interview that he believes the cyber attack scenario is much less a possibility or a threat than an actual physical attack.
- For all we know this caper was pulled off to black out a local jewelry store for an epic heist and not actually as some pre-cursor to an all out attack on the USA.
While I think this core story is much ado about nothing the point being made by Mr. Wellinghoff is absolutely valid. Will changes be made to protect these systems? Will new walls be put up and more security laid on to prevent such attacks in the future? Well, let me point you back to Mr. Wellinghoff’s point on what happened post the 2003 incident in the Northeast. Ferc was not mandated to make any redundancy changes or upgrades by law by the Congress. So there you have it. Unless something really serious happens nothing will change so do go to sleep at night in the warm blanket of governmental ineptitude. Maybe, just maybe the lights will still be on in the morning.