Last weekend a burst of four broadcasts on two short-wave channels caught the radio geeks' ears, and being one of those radio geeks I thought it interesting enough to write about them. On 10/14/2015 into 10/15/2015 the channels 8992.0 kHz and 11175.0 kHz lit up with the four messages recorded below. What makes these of interest is that these are the EAM (Emergency Action Message) channels, and for the most part they remain rather dormant. This weekend though they were spun up with some interesting numbers-station-like activity. You can take a listen to the messages below and read the Russian site that I found talking about them as well.
1. COLLAPSE message one: http://vocaroo.com/i/s1hGyA2GR6HI
2. COLLAPSE message two: http://vocaroo.com/i/s1ETZ3l9fp0G
3. COLLAPSE message three: http://vocaroo.com/i/s03ZI6ui70LY
4. The fourth message was transmitted by the station “FLATTOP!” (another station that had not broadcast for many years): http://vocaroo.com/i/s01smhgkyNDL
Now allegedly the last time that these were heard being used was a long time ago, with sporadic calls being made by planes with no answer. So an actual EAM message is of interest to those of us paying attention to it. In this case I can elucidate somewhat on the calls that were heard this weekend and add a bit of context. In the case of these messages, the timing plays a key role. It seems that this weekend Putin’s forces were making runs into Syria again and this may be the reason that this EAM channel was spun up. The call signs COLLAPSE, RING DOVE, and FLATTOP are all the bases making the EAM. The coded text you hear them uttering is just that, coded text, and it may be a frequency to tune to for encrypted comms or it may be just a word or two. This is the basis of what is happening here. It seems that our personnel, whoever and wherever they were, likely in the air, were getting orders, perhaps to avoid running into trouble.
That is just a supposition though…
Of course given that there has been a lot of action lately including Russian planes getting into our and others air space…
Keep an ear on those channels kids. Shit is getting intense.
UPDATE: This code name was used before in 2008
2032z 25 Dec 08 11175.0 was active at 2027z with COLLAPSE (strong to good levels here) bcsting a 28-character EAM (Y23NIJ) preceding OFFUTT’s 2029z HFGCS bcst of same. COLLAPSE was strong enough here to punch through OFFUTT’s good level bcst. Despite COLLAPSE’s signal strength on 11175.0 nothing was heard on 4724.0, 8992.0 or 15016.0.
Nova had a program on this week about the impending cyber war threat that the media loves so much to go on about and scare the populace. I had hoped that, it being Nova, they would do a better job at covering such a topic, but in the end this show was no better than a 20/20 episode and this is very disappointing. The show was remedial at best, and I understand the need for that given the audience base concerned, but really, did you have to just talk to the beltway bandits like Richard Clarke and former General Hayden? This is a disservice to the viewing public and frankly consists of scare programming out of PBS in the hopes of ratings.
I and others have railed about the cyber war rhetoric in the government and the media, but this is PBS! Come on and do a better job of journalism, would you? Look, here are the problems with your broadcast that I want you to pay attention to:
- Is cyber war possible? Sure, but on limited scales, and really it would have to be truly backed up by kinetic warfare (i.e. boots on the ground); otherwise this is all just tit-for-tat espionage. You rm a bunch of computers at Sony and we maybe shut down whatever is working in Pyongyang. This is not an existential threat, and Nova failed to really get that across amongst the scary music and voice-overs.
- The focus on the grid is one that we have seen many times before, and yes, if a nation state made a concerted effort on 9 (count them, NINE) choke points in the US they could in fact cause an outage on a national scale. How long would we be down? I am not sure, but it would not be the end of the world, and if you do such a thing you had better have C-130s in our air space dropping troops at the same time to make it a war.
- The complexity of the systems and their semi-interconnected nature makes an all-out cyber attack on a national scale less likely, and you did not cover that at all. There are many disparate systems in the grid and the pipeline systems. Without a great effort and a lot of luck you could not likely have everything go down from a cyber attack alone. Simply put, you would have to have a kinetic aspect for the attacks to work. Something along the lines of the attacks on the transformers in the Silicon Valley area a year ago when they were shot with AK-47 fire.
- Lastly, you did not cover at all the fact that there are many people out there securing this stuff where they can. I personally have been on assignments assessing the security of the grid and other systems that have SCADA/PLCs, and yes, I can tell you there have been times where I was just flabbergasted by the idiocy. Why connect these things to the internet I will never understand. Why anyone would connect them via WiFi in the field makes my head explode.
Anyway, at the end of the day this show only made my head explode again at the poor quality of journalism, this time by a favorite of mine, Nova. It was one sided and just a scare piece. Has the government owned you so much that you need to be the cyber war mouthpiece for them? Did you guys lose a bet? What the holy hell were you thinking? Just stop, for the love of God stop.
Post Script Screed:
After watching this episode of Nova I went online looking for the “Aurora Test” documentation that they mentioned in the piece. The fact that they showed pages of the report redacted on air got me thinking about whether or not it was all still on the net. Well, yes, yes it is, and it’s all here. 840 pages of unredacted love from DHS, who in their infinite wisdom, in response to a FOIA request, released the WRONG documents. These were CLASSIFIED, and they show the choke points to attack were you wanting to attack the US grid or pipeline, as well as a full description of all kinds of data you would want in order to do so.
Yes, DHS, the people who brought you the TSA and other fun security theater programs, have managed to single-handedly pass out the keys to the kingdom because some asshat could not think their way out of a government-provided thin wet paper bag. So there you have it kids, if you want to attack the grid have at it, because in the scare-o-rama that was the Cyber War Threat they say nothing has been done to secure those choke points! Yes! Complete with shadowed anonymous speakers afraid to go on the record for fear of reprisals because they are telling the truth about our security fail!
If you are a reader here you have seen my stuff in the past on this as well as my digging around with Google to find all kinds of shit on the net that could lead to compromise of the grid. Truly, if the terrorists or anarchists or anonymous or even the fucking 13 year old down the street wanted to, they could do some damage with this stuff. How long until such a thing happens because some idiot can use Google and a COTS hacking program?
Talk about your black swans…
Yours in everlasting head-desk
Today I found myself looking at a tweet from my stream and saying just that. The tweet was posting a paper that had been written by another person on my feed who works for Kaspersky. The paper that it linked to was on how the threat intelligence companies out there need to grow up a bit and learn that not only might they not be doing a service for their clients with their work, but also that the nation states whose malware they are actively reporting on and stopping seem to be unhappy with them.
Stunning I know….
So there I was mouthing the words “Well duh” and I thought maybe I should write something about this. Welp, here is what I have to say to this revelatory pdf…
“When you play spy games with real spies you often end up getting dead”
Should it be a surprise that malware researchers might in fact raise the ire of those nation state actors who they are thwarting or calling attention to? If you had to think about that one and you are a threat researcher, you might want to reconsider your career choice. Espionage has truly moved into the digital age and yes, you guys are the new front lines, so plan accordingly. You, dear researcher, are now a target in the ongoing war that is being waged by the nation states of the world, and some of them would not think twice about whacking you creatively and folding your dead body up in a gym bag.
Other issues in the paper and a subsequent article in an online news outlet beg the question of where all this threat intelligence is going. Are the private corporations now becoming organs of the state by doing this kind of work? Are these orgs that report primarily on APT activities (I can think of more than a few names off the top of my head, CROWDSTRIKE/MANDIFIREYE, that pretty much just trade on that shit) doing anyone a service in really preventing, or more to the point, educating the companies that they serve on the threats and how to detect and deter them?
In a word… No.
While APT actors are all the sexy and they make the news cycle the marketer’s friend, so far in my estimation many of these TI companies aren’t doing dick for the companies out there that hire them. Sure, they have feeds and they have really, really cool code names, but really, at the end of the day just how much of that applies to the average corp? Not much really. So yes, there is too much of a focus on APT, and now these companies and researchers are beginning to realize that they are targets, up to and including perhaps attacks, both physical and other, to discredit if not hurt them.
Welcome to the ‘Great Game’ kids! Remember though, you ain’t James Bond and no, that is not Pussy Galore in your bed.
Meanwhile, might I point you all in the direction of 大鸦 / The Raven, who recently was reported to have had a sudden case of death. He had no autopsy because he was hastily cremated, and some mystery surrounds why he died and how. Why, you ask, is this important? Well, let me tell you a story about a guy who poked his dick in the eye of not only China but the DPRK and jihadis since the late 90s. Vlad was a known quantity and I used to use his site back in the day too. Now he is just gone. A report came out in a certain portal of his demise and leaked information that Vlad had in fact been the guy who helped finger the 4 PLA players that the US put on their most wanted list.
Are you seeing my drift here?
The story on the street is that Raven met up with an unnatural death because he had been a player. Frankly my bet would be on DPRK for a whacking because Un is just that crazy but given that there is no news out there on this and the only report comes from a portal, I am going to lend this some more credence even with the source which I don’t like.
Oh and Vlad.. If you are about lemme know and let’s get that cleared up… Cuz I would rip the source a new one *wink wink nudge nudge*
Anyway kids, all of you today who are in this line of business (threat intelligence) have to consider that you are targets. Maybe someday you will go on a trip somewhere and some strange will come your way at the hotel. Next thing ya know you are being blackmailed or your shit is being copied while you shower. In extreme cases you could end up like this guy who, it is now alleged, got whacked because he learned about some SVR moles in GCHQ. Of course this guy worked for GCHQ, but hey, if your company is now liaising all the time with the NSA, how far removed are you?
Keep your wits about you.
PS… the mail man always rings once then fires an uzi.
I stand corrected
Well, it has been some time since I cared enough to actually look at the media being put out by Da’esh (Al-Hayat), never mind the ever-present Inspire magazine put out by AQAP and Al-Malahem. Things however have reached a point where I am going to speak up again on what is going on with the GWOT, as it is called. Yesterday there was a report put out about fifty intelligence analysts who officially complained about their analysis products being cherry-picked or edited to suit the administration’s needs, and this in tandem with the drops of both magazines at nearly the same time had my interest piqued. It feels like once again history is repeating itself, with intel being managed or changed to suit the needs of the politicians who are the consumers of that intel. Does anyone really remember the run-up to the Iraq invasion and the machinations of the WHIG at all today? I guess in the vast sea of what is claimed to be journalism the truth of matters is often lost, but if you pay attention sometimes you can get some clarity.
The biggest part of the revelations by the intelligence community analysts is that they say we are losing ground with Da’esh in reality, not as the administration would like us all to think. Personally, I have been of the opinion that drone strikes and a propaganda war have done absolutely nothing for the greater good and that we are in fact stagnant in ideas or means to stop the Middle East from becoming a sectarian bastion. The “Land War in Asia” thing aside, we have no real good plan for helping the moderates because we keep propping up the despots as bulwarks or as necessary evils in the game of Middle East Go. Since I am not a politician, nor am I anyone with any real pull, I am stuck here just watching the conflagration while the rest of the world accepts media word-smithing ‘refugee’ to ‘migrant’, with bile rising in my throat.
Back to the magazines and their coincidental dropping at the same time on the same day. In looking at them, they are both quite different in tone and direction. While Inspire is the usual ideologue format, it has some scary content in that it is giving directed ideas to the would-be jihobbyists with its OSJ (Open Source Jihad) sections, ranging from how to make a hand grenade to a call for the ‘Lone Wolf Caravan’ to carry out assassination operations. This call for assassination ops makes it one of the more focused notional magazines that I have seen out of AQAP, and as such, given the successful attacks in the recent past by lone wolves or small groups of actors without direct training by AQ/AQAP/Da’esh, it is concerning. Given the media-savvy approach of AQAP with Inspire and then the alternative wind-up of slick media on YouTube by Da’esh, I have to think the synergy would create some new converts. Honestly folks, watching all this play out is much like watching the evolution of Batman and Joker.
Here are some highlights from the Inspire 14 issue:
Yet another IED, but this time they want to have hand grenades much like the attack in Mumbai. The plans are simple and effective. One only hopes that some of these guys make a mistake and lose a limb in the process.
Dabiq though, is another story altogether. It seems that the boys at Al Hayat are very, very wordy. In their mag we have much more pedantic text concerning the millenarian ideal that Da’esh is purported to have, though really only one section of the magazine has a direct line to that ideology at all. The rest is text, lots and lots of it, that may as well just be great swaths of the Qur’an for all I care. I guess overall though I have to equate Dabiq to everything I have seen out of Ayman Zawahiri on the depth and breadth of pedantic arguments. Ayman and others like to spout all kinds of erudite scripture while the AQAP guys are ‘BLOW SOME SHIT UP!’, which is odd given the nature of the media campaign we see on Twitter and YouTube by Da’esh. There is some disconnect here in the Dabiq magazine with all the text, but they do try to intersperse some blood-and-guts type of things as well to keep the reader interested.
Frankly, I think Da’esh are still trying to figure out the magazine business…
Highlights from Dabiq 11
In an ideological war such as we are seeing played out by vying Islamist parties like Da’esh and AQAP the clear winner in trying to evince a more stable and likely successful attack by a jihobbyist would be what you see in Inspire. This has been the modus operandi of AQAP for some time anyway so there is nothing new. Meanwhile if you watch the news and look at the article written by Mike Scheuer Da’esh has been not only making noise online but also able to take key areas of the region physically. There is a propaganda war being played out but how much of that is really germane to the GWOT as a whole? With the death of Junaid Hussein for being a propaganda mouthpiece for Da’esh and the fallout since calling into question the extra-judicial nature of the killing one can see how much more prescient in the news cycle the propaganda war seems to be while the actual physical boots on the ground war is seemingly absent.
So yes, these two magazines show the varying ideals of how they want to prosecute the jihad. Da’esh seems to be very focused on the grounds for their beliefs to bolster their claim of a Caliphate, while AQAP is actually prosecuting the war against the West, hoping that players in the West will act. Given the nature of Inspire I can see this happening much more readily than anyone sitting down for a good read of Dabiq. Frankly, Dabiq is much like its cleric: shadowy, full of rhetoric, and in the end likely to be empty of any real Muslim ardour for religion’s sake. Either Abu Bakr is an Islamist Jim Jones cum Joker or he is a wannabe Ernst Stavro Blofeld in my mind.
My primary concern now is that Inspire has laid out some new ideas that the jihobbyists will take up and use. These are not super secret methods but things that, with the advent of the internet, are even easier to carry off (i.e. OSINT, planning, connecting etc.) in order to carry out an assassination. It is also more a matter of action than it is discourse or belief in the Qur’an, the way that the AQAP guys present the material. Sure, the underpinnings are all about being a good Muslim and ridding the ummah of the West’s boot on their collective throat (perceived), but they are second to the slick pictures and notions of being a James Bond figure.
Finally, when Da’esh reaches the same point with their magazine I will worry more that a flotilla of fanboys will latch onto their crazy with much more information and perhaps pull off an assassination. Until then, I will just watch the propaganda war play out, as we really do not do much of anything in the field to really root out the problem in the first place. The games must end, and this tit-for-tat drone war is not going to do it for us.
As an interesting aside to the more technical out there: when getting the new issues of the magazines it came to light that someone has been playing with the supply chain again. The August 31 drop of the alleged Dabiq 11 issue, not only on archive.org but also on a slew of shortened addresses (t.co), was actually malware.
In this case the malware seems to have been a keylogger. I have seen other files come out the same way, and one has to wonder if it is the IC or if it is the guys playing the home game. In any case, when you download these things be sure you run them through some tests. That is, unless you don’t care about being pwn3d by a nation state.
Who hacked Ashley Madison?
Who the fuck should really care other than the police?
The answer is no one really should, but just as with the whole thing there is a salacious fascination over the nature of the site and who’s who in the database. Now though we have cyber sleuths posting “maybe” evidence that a certain account “might” have ties to “maybe those” who hacked the site and dumped its contents online.
Look, the cat is out of the bag and the data is dumped so move on and learn from what happened at least if you can get past all the schadenfreude. This whole incident though only highlights something I have been saying for a while now. Primarily that OSINT and Threat Intelligence is only as good as the analyst and that in the game of Intelligence, it is easy to be led astray by the adversary as well as by your own cognitive biases. In this case with Brian Krebs and the Dezu account I can only say as a bystander watching the spectacle; “Enjoy the clicks man… Enjoy those clicks.”
I will say it again as I have said it many times in the past…
“It’s not about the who… It’s about the how. Learn from the how and attempt to prevent it in the future”
I had this discussion on Twitter the other day and yes, there are some reasons to do the attribution for companies that understand the threat space that is their domain. On average though it is pointless, because companies do not have that basic comprehension on the part of their execs and their boards. So trying to give them a nuanced analysis of who the adversary is, is just fucking pointless. Learn from how they hacked you and care less about who they are. Perhaps understand who they are, but really grokking what they were trying to steal is more important.
Meanwhile all the companies out there are yelling about attribution and how they can even do it “live” as I recently heard uttered on a sales call.
Fuck you… Fuck. You.
With the alleged death of Juny “AbuHussain Al Britani” Hussain at the local Gas-N-Sip in Raqqa has come the steady stream of self serving headlines and leading questions from the media and the hacking community. I am here to stop you right now and tell you to cut the shit out and read more about what is going on with Da’esh and just who Juny was. The fact of the matter is that Juny was a recruiter as well as an instigator who was directly tied to the Garland shootings because he was on Twitter exhorting those fucktards into action.
Juny as a hacker is a separate story, and one that at times shows he had some talents, but overall once he left for Syria he was fuck all as a hacker or part of the alleged “cyber caliphate”. In fact, if you really look at the alleged hacks by the Caliphate there is not much to look at really. The DOD/Pentagon emails and the open-sourced intelligence that was often wrong on military members was all low-level fuckery and not a clear and present danger to the West. No, it was not the hacking that made him a HVT on the US and British lists, it was that he was someone these shitheads look up to and was an avowed Da’eshbag who was ‘in country’ and fighting with Da’esh.
That is why they killed him with a hellfire fired from a drone. It was not because he was a hacker and for fucks sake stop it with the “Ermegerd hackers are now targets of drones!” self important bullshit.
So please stop it with all the bullshit that he was a HVT that we really, really wanted because he hacked. The reality is he was a HVT, but he was also a target of opportunity as well. Another thing to note is that the stories also all cite “anonymous intelligence sources” and the like. That is a euphemism for the government wanting to claim a win and have it all look good. I am still going by the axiom of ‘DNA or it didn’t happen’. So far Umm Britani has said he is not dead and there has not been a host of shahidi bullshit videos and poems on the boards or anywhere else online. Perhaps we all are waiting to see some proof here, but for fucks sake, hackers, hacker media, and news media in general:
Cut it the fuck out. He was an unlawful combatant in country, in the alleged Caliphate and a mouthpiece for Da’esh. It’s as simple as that.
Now that I have that out of the way, let me take this article and turn some things on their head a bit. I would ask, if I were writing an article on this subject, just how talented on average are these CISOs that are being made scapegoats and not allowed at the C-Level table? Are these CISOs capable of making those security decisions to start? How technical are these CISOs on average, and have they worked the bulk of their career in information security?
See, this is what burns me much of the time. We have CISOs who are titular C-Level execs that more often than not have NEVER carried out a pentest and have little to no real experience carrying out a security program to start with. This is a problem, and one that everyone seems to not quite grok in the corporate world, but if you are in INFOSEC and you are capable, usually you are not considered to be C-Level material at the average corp. This is just my experience from being in the business so long, but hey, this article seems to be backing this up a bit as well.
On top of all this it seems that the people asked in this survey of sorts showed that the CISO, like most everything else in INFOSEC, is considered the red-headed stepchild that is better neither seen nor heard. That is, until they have had a breach, and then they can blame the CISO that they have not empowered and perhaps never trusted because they weren’t competent to start with.
But hey.. That’s just me right?
The role of the CISO is evolving more now because the breaches today are at a high and the compromises with data dumps have been making the news cycle burn brightly. That’s the extent of it really, these companies aren’t looking at the news, turning to their boards or other C-Levels and saying
“SHIT! WE REALLY NEED SOME TALENT AND EMPOWERMENT TO THE CISO NOW NOW NOW!”
Mmmmmyeah, not happening that I have seen. Evolution, kids, is a long-ass process, and in nature it takes millions of years. I am afraid though that in INFOSEC we don’t have that much time. So here are my bullet point thoughts to leave you with:
- We’re fucked
- If your CISO has no experience and shows that in meetings with other execs… You’re fucked
- If your CISO has no empowerment… You’re fucked
- If your CISO has no empowerment and no real experience he will be gone soon and… You’re fucked anyway
- Corporations are like living entities made up of large amounts of cells (people) that are in essence psychopaths. They are self-involved, manipulative, and only want what they want and will do anything to get it.