Intelligence Guidance: Week of Feb. 7, 2011

1. Greece: The Greek question has been moved to the top of the list. This really is not about Greece any more, but about the future of the European Union. A European country that is part of the eurozone is in deep financial trouble. So are Portugal and Spain. We have argued in the past that the EU was built for prosperity, but that its test would come in adversity. There are two ways out. One is to push the Greeks (and others) out of the eurozone, which is not likely to happen now. The other is to devise a solution to the financial problems. That will create a new differentiation in Europe between those countries that retain full control over their domestic life, and those that do not. This is because a bailout of Greece will certainly create some system of oversight, which will in turn create a model for other countries getting help, and two classes of EU members. Germany is the major player in this issue, given the needed resources and despite the fear of being seen as Europe’s major player. Bad memories are all around. But the focus must be on the Germans. Without them there is no solution, and it is hard to imagine that the eurozone will want to have its first major casualty just now. The answers are in Berlin.

My question is this: Will this bottom falling out strengthen the dollar? With the euro and the EU falling down, perhaps the stock market will come back after this last fall today…

2. Ukraine: Opposition leader Viktor Yanukovich won the Ukrainian election. He is certainly the more pro-Russian candidate, and while Prime Minister Yulia Timoshenko will likely claim foul, the election appears over. So the question now is, “What next?” The Western orientation of Ukraine is over, and the Russians have won a great victory. Belarus and Kazakhstan are moving in tandem with Russia. Georgia is increasingly isolated, and the Baltics increasingly nervous. The question to focus on is: What is the Russians’ next move? Do they lean back and wait, or push their advantage? And what do they do about the American Patriot missiles slated to be placed on the edge of Russian territory near Kaliningrad? Or Romania’s push for the U.S. ballistic missile defense system on its turf? We need to watch Moscow.

I guess the question remains: Just how long will Russia wait to assert itself, and will it be overt?

3. Iran: The Iranian crisis appears to be moving toward its long-awaited boil. The Iranians have made another offer, rejected by the Americans. The Russians and Chinese remain committed to continuing diplomacy — and opposed to sanctions. More aggressive sounds are coming out of the Israelis, but their resources for a military action are limited. The focus remains on Washington. U.S. President Barack Obama has made it clear that he is not prepared to accept an Iranian nuclear weapon, but he remains silent on what he plans to do. The silence does not mean much since — regardless of his course — he has nothing to say. Washington is crawling with all sorts of rumors — a major hobby in Washington — and they are completely unreliable. But still, at a certain point, silence will mean acquiescence to Iranian nuclear weapons. Doing nothing means acceptance will be difficult. It still seems to us that something will give soon. The focus is on Washington.

So, big O seems to be stymied on the Iranian nuke thing. I am afraid that this administration will allow the Iranians to have their way and we will be seeing Ahmed on some podium somewhere proclaiming that they have the “Iranian Bomb”. At this point I am sure that the Israelis will be locking and loading for a tussle with bunker busters. Of course, it is hard to tell where the wily Iranians have the facilities built now. As we have little to no INTEL in the region that I know of, it may be hard to find. Maybe the Mossad or Shin Bet have better sources? In any case, keep your eyes on this one. I suspect it will be acting up again soon.

4. Iraq: Violence is mounting in Iraq. The Sunnis are being pushed out by the Shia, and that is creating another crisis. So far there has been no discussion about delaying future U.S. military withdrawals. Obama wants U.S. troops to be out by this coming summer, but the United States has made commitments regarding the Sunnis’ security. The United States is using the same strategy in Afghanistan with the Taliban, so simply walking away seriously complicates efforts in Afghanistan. This is a potential crisis for Washington. It is interesting to examine the role that Iran is playing in this problem right now.

Well, we found out the hard way about just up and leaving with Afghanistan, and really, we broke it, we bought it. The problem here is the whole tribal nature of the region. All of these crazy infights that have been going on since the dawn of time just won’t quit. Of course, as the report calls out, we need to be paying more attention to Afghanistan and less to Iraq, but that may not be happening with all the silliness. So I expect more stop-loss letters going out and eventually a re-surge in Iraq. This is especially the case since we need a wedge against Iran… It’s a cluster fuck. I should also note here that the government in Iraq is about as trustworthy as the Afghani… Yay. We’re there for good, I think, no matter what Big O has to say in the “hope” arena.

5. Venezuela: The country will stay on our watch list until the current crisis or morass — depending on how you want to describe it — sees some resolution. It can go from increased repression to an uprising. What is hardest to believe is that the Venezuelan situation will stay where it is.

Of course this fails to mention the whole call by Hugo to have people come in and help him with his wells. He seems to have horked his oil wells and needs to get them back online, so he has made calls to other countries. We will have to keep an eye on him like the report says. I am sure there is much more wackiness to come out of the south.
The Cyber Cold War

The above diagram is the IBM Security and Privacy Ethical Hacking Methodology from about 2000. As you look at this diagram of logical steps to performing an ethical hack, think about the Mandiant 2010 Trends report on the APT (Advanced Persistent Threat) and perhaps see the commonalities that exist.
Previously, I have written that I felt that the APT was nothing new. In fact, I still stand by this statement. Now that this report is out, and some of the facts are dribbling out about the thirty-odd companies that were targeted by *cough* China, APT and BOOGA BOOGA BOOGA are on everyone’s lips and minds in the security theater.
And such theater it is!
I agree that the US is in trouble, as well as many other places, where cyber security is concerned. However, this battle has been going on for some time now within the networks of the defense and corporate entities. If you just look at the story of “Titan Rain” or perhaps even go back further to “The Cuckoo’s Egg”, you can see that the APT has been working in this battle space since the 1990s at the very least. Of course it is only natural to see this happening, since we have become more and more connected by networked machines and the internet.
So, what is different here? It’s the scale and cohesion of the intrusions that is different. Of course, one might say that the scale and breadth factor is on account of the long time scale that the APT have been at this work, all the while honing their skills in the areas of human behavior, network flows, and subtle changes to software that outwit the two-dimensional thinking that their targets have had all these years.
Here are my thoughts on the M-Trends report and the debacle we find ourselves in:
Espionage Past and Present:
What these attacks really signify is that nation state actors have undertaken the use of “Cyber Warfare” as a means to their ends. Where in the past, in an un-networked world, HUMINT was king, we now live in the brave new world of SIGINT, ELINT, and MASINT.
Where one had to insert an “asset” into play at an agency or corporation before, one only has to send an email to an individual of interest and turn them into an asset without any coercion. All you really need to do is a little OSINT and use the precepts of “Social Engineering” to get what you desire. No fuss, no muss really, and definitely no need for “Moscow Rules” in these cases, as we had no idea what to look for technically… Until now. But that will soon change again after all this attention, now won’t it?
What we have to face is this: Espionage today is different from the days of Wild Bill and the OSS. The NSA and its budget are proof of this idea. Much more of the INTEL today comes from electronic means and much less from old-school human intelligence gathering. However, HUMINT still has its place, as we are finding out daily by trying to deal with Al Qaida.
Additionally, the idea of “Corporate” or “Industrial” espionage has changed over time to also include the use of these same SIGINT means not only to steal IP, but also to manipulate events to the advantage of the nation state. Much as in the old spy days they used propaganda (and still do) and agents provocateurs to affect elections, etc.
What has come out of the APT story is that China has been inscrutably using electronic means to gather data on the opposition, following the precepts on espionage that Sun Tzu laid out in “The Art of War”. By gathering the intelligence on the opposition and the terrain, they will be victorious.
In the case of the APT, I believe that a fair amount of the threat comes from China as you might have seen in other posts of mine, but, they are not the only nation state actors. Indeed, it could be that China even sells its talent out to other countries for dual operations. Working for other nation states for their ends as well as watching those same nation states to see what they are up to.
In any case though, the ability not only to exfil data but also to leave behind trap doors, malware, etc., also gives the adversary great advantage to control the battle space when the time comes. By using such means they could diminish or stop our C&C altogether, as well as sow much confusion nationally. By pulling the plug on the power grid, or other infrastructure, before or during a physical attack, the adversary could win the day.
So, on the whole, I would like to say that the emphasis on China being the main operator here should be lessened. Just because a server is in China does not mean that it isn’t being co-opted and/or “allowed” to be used as a means to an end.
In conclusion, the APT equals nation state espionage. We have to get used to this idea and we have to work toward means to defend against them. We have the tools from the government and DoD areas but we need to adapt them to the private sector. We also have to enforce their use universally.
Two Dimensional Thinking:
The APT has used “our” inability to think more than two-dimensionally on average against us where “Defense In Depth” is concerned. The precepts of security in many places I have seen in the private sector have mostly consisted of “We have a firewall, so we are all good.” This is a real problem, oftentimes because this fallacy is compounded by the fact that the firewall is not monitored well or configured properly.
In the case of the APT attacks that have evolved, they have been exfiltrating data through the weak point in the networks. Most of this exfiltration leaves through the pipe that is always open: HTTP, and HTTPS (HTTP with SSL) on top of it. The reason for this is simply that this is the basis of the internet. You surf pages with the open protocol of HTTP, so you have to have that open through the firewall.
Of course there are mitigations like proxies and other means to track and disallow undue HTTP traffic, but the APT have worked around such things with clever use of obfuscation within the traffic to hide their actions from the watchers. It’s really quite logical when you look at the situation. Of course I am sure that in some cases they didn’t need arcane means to defeat the security, but when they did, they did a good job at thinking it out.
What we are left with is this: The security paradigm has changed. We need to adapt as agilely as the APT to catch them and stop them from taking the data so freely. We have to think like they do and we have to have the will to make the effort to change how things work. If we don’t, then we will just be enabling the APT in their efforts to outwit and manipulate us.
The Monoculture:
One of the things I noticed in the M-Trends report was that there was a conspicuous absence. The missing piece was any mention of *NIX systems being compromised as a part of these efforts by the APT.
Now, I have to imagine that UNIX systems were compromised within these attacks, but I am going to hazard a guess that many of those systems were actually not technically “hacked” but instead were accessed using credentials stolen from end users (EUs) that were compromised by the initial attack.
Of course it is also likely that the APT did not need to do much more because they were scraping NetBIOS sessions and emails for the data they wanted. In the case of many places, I can assume that there is a lot of NFS/NetBIOS sharing going on that they could just plunder with the credentials taken. Not to mention that there is a high likelihood that many of those NFS/NetBIOS shares probably were world read/write or allowed NULL sessions anyway.
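The world-read/write exports and anonymous (NULL session) shares described above are something a defender can find with a configuration audit before an intruder finds them with stolen credentials. The following is an added example, not code from the post or from Mandiant: it parses an NFS `/etc/exports` and a Samba `smb.conf` (both sample texts are constructed here) and reports exports open to `*`, exports with `no_root_squash`, shares with `guest ok = yes`, and a `[global]` section that leaves `restrict anonymous` at its permissive default of 0.

```python
"""Added example (not the post's own code): audit NFS exports and Samba
shares for wide-open settings (world read/write, anonymous access).
Both configuration texts below are constructed for illustration."""
import re

SAMPLE_EXPORTS = """\
# constructed /etc/exports
/srv/build   10.1.0.0/16(rw,sync,root_squash)
/srv/public  *(rw,no_root_squash)
/srv/docs    *(ro,sync)
/home        192.168.1.0/24(rw) *(rw,no_root_squash)
"""

SAMPLE_SMB_CONF = """\
# constructed smb.conf
[global]
   workgroup = CORP
   restrict anonymous = 0
[finance]
   path = /srv/finance
   read only = no
   guest ok = yes
[docs]
   path = /srv/docs
   read only = yes
   guest ok = yes
[engineering]
   path = /srv/eng
   read only = no
   valid users = @eng
"""

YES = ("yes", "true", "1")
NO = ("no", "false", "0")


def audit_exports(text):
    """Return (path, host, issue) tuples for risky NFS export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:                      # e.g. "*(rw,no_root_squash)"
            m = re.match(r"([^(]+)(?:\((.*)\))?$", spec)
            host = m.group(1)
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            if host == "*":
                kind = "world-writable export" if "rw" in opts else "world-readable export"
                findings.append((path, host, kind))
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash"))
    return findings


def parse_smb_conf(text):
    """Minimal INI parser: {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, val = (s.strip().lower() for s in line.split("=", 1))
            sections[current][key] = val
    return sections


def audit_smb(text):
    """Return (share, issue) tuples for anonymous-access settings."""
    sections = parse_smb_conf(text)
    findings = []
    # Samba's default for 'restrict anonymous' is 0, which permits NULL sessions.
    if sections.get("global", {}).get("restrict anonymous", "0") == "0":
        findings.append(("global", "restrict anonymous = 0 (NULL sessions permitted)"))
    for name, opts in sections.items():
        if name in ("global", "printers", "print$"):
            continue
        guest = opts.get("guest ok", opts.get("public", "no")) in YES
        writable = (opts.get("read only", "yes") in NO
                    or opts.get("writable", opts.get("writeable", "no")) in YES)
        if guest:
            findings.append((name, "anonymous write access" if writable else "anonymous read access"))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS) + audit_smb(SAMPLE_SMB_CONF):
        print(" | ".join(f))
```

Run it against the real files (`audit_exports(open("/etc/exports").read())`) to get the same report for a live host; the host-match rule only flags the literal `*` wildcard, so exports to a netgroup or a wide CIDR still deserve a manual look.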
So, you pop the monoculture *Windows* with an exploit for IE like Aurora did, and you have the access you need to start harvesting like a bandit. Now, had the EUs been using a Linux client instead, would the compromises have been as many? Would a blended OS environment on the EU side maybe have minimized some of this attack methodology?
Put simply, because M$ is so prevalent in the EU community, it is that much easier for the APT to plan and execute their attacks. Given Microsoft’s record on security in their software, it is no surprise to me how large in scale, and how successful, these attacks were.
Behavioral Matters:
One of the main factors in these attacks centers on human behavior. The APT have used social engineering exploits with email (phishing or spear phishing) to gather not only intelligence on who to target, but also to exploit the EUs.
The spear phishing attack has been around for some time now, and with all that the world is putting on the internet we have just made it much easier to carry out. With the advent of Facebook, Twitter, LinkedIn, etc., we are socially exposing ourselves on a daily if not minute-by-minute basis.
There needs to be a sea change in the way we behave online and in our daily work lives where our personal and corporate personas are concerned. All too often people are putting out way too much information about themselves for someone to use against them. In the terminology that I am familiar with, it’s an OPSEC failure of great magnitude.
It boils down to this:
- Does anyone on the internet really need to know our current GPS coordinates via our phone?
- Does anyone really need to know where we work and what our job titles are?
- Does anyone really need to know everything about us online as a general consumption, Google-able search term?
The quick answer is no. They do not. One may not really care I suppose, but that should be only about their personal life. When it comes to your business life, then perhaps you should understand the OPSEC values of what you do and who you work for.
This is something that companies on the whole must also learn about. Oftentimes they are the ones serving out much of the data that an attacker would use. So a real re-think needs to happen on what we put out there personally and professionally.
Additionally, companies and individuals must also learn about the precepts of security in this day and age. Information security is often seen as a dry and painful subject for folks. Infosec often means that they have to remember passwords and other annoying things in their daily lives.
This paradigm has to change too. Companies must inform their employees better about security and why it is necessary in their work and personal lives. Without this enlightenment, then users will continue to click on just about any email that comes in whether it looks wonky or not.
Technical Complexity:
It seems that rather quickly, between 2007 and 2008, the APT became more driven and adept at complex network intrusions. So much so that the adversary was in essence running the systems as the sysadmins.
The APT were in control of systems and networks to the point of having dominance inside, knowing minute details of operations within companies. Calendars were used to determine schedules, time-keeping systems were compromised to know who was working when, etc.
The APT has had so much control that the old joke about the APT running the network better than the sysadmins is almost true. All of this control was exercised subtly and deftly. THIS is the most worrying of all the findings to those in the know.
Utter compromise.
The APT were becoming innovative and began to actually create/edit proprietary code for systems particular to each entity that they had invaded, coming up with new ways to exfiltrate data and gain more control.
Additionally, the APT began to ignore the efforts of the defenders, knowing that they could likely just ignore them and still have their ends met. The net effect became clear to the defenders: there was not much they could do, and the nation state actors were serious about their intrusions, spending more time and money to obtain their goals.
Once again, it is the scope of the incursions that is wholly new, including the technical details.
Technical Ex-filtration:
The technical aspects of this wave of attacks were touched upon above, but they bear some more attention. How are we to protect against such attacks if the behavior of the network is so subtly manipulated and/or just used as an authorized means to get data out of a network?
The APT have tooled their attacks to use low bandwidth and hide within the regular data streams. They have been agile in changing their modus operandi when they have been spotted, and they generally have been doing “just enough” to keep their foothold in the networks.
I guess the key factor here is that they change their behaviors and their tech to keep just below the capabilities of detection on the part of the defenders. They are also paying enough attention to their foothold to know when they have been discovered, and to change their vectors enough to once again hide their tactics.
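Both the “open pipe” exfiltration over HTTP/SSL discussed under Two Dimensional Thinking and the low-bandwidth, blend-into-the-stream behaviour described here leave one trace that volume-based proxy rules miss: regularity. A host that contacts the same destination on a fixed timer, sending more than it receives, looks nothing like a person browsing. The following added example (mine, not the post’s or Mandiant’s code) scores client/destination pairs in a proxy log on exactly those two traits. The log format (epoch, client, method, destination, bytes sent, bytes received) and the sample lines are constructed assumptions; adapt `parse_log` to your proxy’s real format.

```python
"""Added example (not from the original post): flag low-and-slow outbound
HTTPS beaconing in proxy logs by timing regularity and upload bias.
Assumed log format: "<epoch> <client_ip> <method> <host:port> <bytes_sent> <bytes_received>".
The sample log below is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed: one workstation fetching from a CDN at irregular intervals, and
# the same workstation CONNECTing to an odd host every 300 s with a small,
# near-constant upload and almost nothing coming back.
SAMPLE_LOG = """\
1265500000 10.1.2.3 CONNECT cdn.example.net:443 512 48200
1265500037 10.1.2.3 CONNECT cdn.example.net:443 480 91000
1265500300 10.1.2.3 CONNECT update-check.example.org:443 1400 300
1265500600 10.1.2.3 CONNECT update-check.example.org:443 1380 310
1265500712 10.1.2.3 CONNECT cdn.example.net:443 530 12000
1265500900 10.1.2.3 CONNECT update-check.example.org:443 1410 295
1265501200 10.1.2.3 CONNECT update-check.example.org:443 1395 305
1265501500 10.1.2.3 CONNECT update-check.example.org:443 1405 300
1265501555 10.1.2.3 CONNECT cdn.example.net:443 500 73000
"""


def parse_log(text):
    """Yield (ts, client, dest, bytes_sent, bytes_received) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, dest, sent, recv = line.split()
        yield int(ts), client, dest, int(sent), int(recv)


def find_beacons(text, min_hits=4, max_jitter=0.2, min_upload_ratio=1.0):
    """Return {(client, dest): {"interval": s, "upload_ratio": r}} for pairs
    whose inter-arrival times are regular (coefficient of variation <=
    max_jitter) and which send at least min_upload_ratio bytes out per byte in.
    Regular timing plus upload bias is what a low-bandwidth exfil channel
    looks like when it hides inside ordinary HTTPS traffic."""
    by_pair = defaultdict(list)
    for ts, client, dest, sent, recv in parse_log(text):
        by_pair[(client, dest)].append((ts, sent, recv))

    findings = {}
    for pair, rows in by_pair.items():
        if len(rows) < min_hits:          # too few samples to judge timing
            continue
        rows.sort()
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg       # 0.0 means perfectly periodic
        total_sent = sum(r[1] for r in rows)
        total_recv = sum(r[2] for r in rows) or 1
        ratio = total_sent / total_recv
        if jitter <= max_jitter and ratio >= min_upload_ratio:
            findings[pair] = {"interval": round(avg), "upload_ratio": round(ratio, 2)}
    return findings


if __name__ == "__main__":
    for (client, dest), info in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: every ~{info['interval']}s, "
              f"upload/download ratio {info['upload_ratio']}")
```

The thresholds are deliberately loose defaults; in practice you would tune `max_jitter` against legitimate scheduled traffic (patch checks, monitoring agents) and whitelist those destinations, since a beacon that adds random sleep to its timer will raise its jitter above a tight cutoff, which is exactly the kind of adaptation the post says to expect.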
So, how are we to stop them? Can we stop them? It’s a perfect storm and we need a better rain coat.
Security Theater:
Well, now that the APT cat is out of the bag, now what? Given the blogosphere and the news cycle on this, I am seeing more Chicken Little than “git r done”. What scares me is that the signal-to-noise here has too many people focused on the OMG OMG than on “What can we do about this in an informed way?”
This is where the security theater comes in. I can foresee more companies stepping up with technologies to fix problems that really should not only be about a software or hardware package. This threat cannot be taken care of by one cure all in a box and unfortunately too many movers and shakers can only wrap their heads around a “single solution” being sold to them.
The M-Trends report is interesting and I am sure does not tell us everything about the vectors of the APT. Much more I am sure is out there and cannot be talked about because of DoD and OPSEC anyway. So, we are seeing only a portion of the real picture on these events.
What we need is a more informed approach, not so much a sales pitch. I implore the government also to get their act together on this and lead for a change. I know we have a new Tsar, but, the time is now.
The Paradigm Shift Post M-Trends:
After the publishing of this paper and all the ballyhoo, one must stop and think a bit laterally. Now that the digital cat’s out of the bag, don’t you think that the adversary will change their methods?
Look at it from the perspective of preventing terrorism on planes. We take away liquids from passengers and force them to remove their shoes and the terrorists then move to underwear laced with PETN and RDX. Naturally, the APT will be changing their methods post all these findings.
So what do we do now? We are going to have to think like them and try to counter their next moves. Are we working on that? Are you, reader? Your company? Your security vendor?
We have to be proactive…. I hope we will be.
Moving Forward:
Well what now? Our vulnerabilities lie in our behaviors and our patterns of thought. How will we move forward and do the proactive thing? Will we all be hiring Mandiant to scan our networks to see “if” we are compromised? Or will we be told that we have been because an ancillary investigation by the FBI comes and tells us that the data has been taken?
I am sure there will be a boom in NSM, HIDS, and NIDS products out there after all of this. Will those solutions really help? Sure, they will, if they are configured properly and monitored well. However, the attacks that have happened were deliberately created in a way to avoid those mitigations.
So what do we do?
THIS should be the zeitgeist of our next steps. How to defend against these exploits more efficiently and drag the whole of our infrastructure into a better security posture.
Can it happen?
CoB
Two Dimensional Thinking on APT Matters

by Richard Bejtlich at Taosecurity
I expect many readers will recognize the image at left as representing part of the final space battle in Star Trek II: The Wrath of Khan. During this battle, Kirk and Spock realize Khan’s tactics are limited. Khan is treating the battle like it is occurring on the open seas, not in space. Spock says:
He is intelligent, but not experienced. His pattern indicates two-dimensional thinking.
I thought this quote could describe many of the advanced persistent threat critics, particularly those who claim “it’s just espionage” or “there’s nothing new about this.” Consider this one last argument to change your mind. (Ha, like that will happen. For everyone else, this is how I arrive at my conclusions.)
I think the problem is APT critics are thinking in one or two dimensions at most, when really this issue has at least five. When you only consider one or two dimensions, of course the problem looks like nothing new. When you take a more complete look, it’s new.
- Offender. We know who the attacker is, and like many of you, I know this is not their first activity against foreign targets. I visited the country as an active duty Air Force intelligence officer in 1999. I got all the briefings, etc. etc. This is not the first time I’ve seen network activity from them. Wonderful
- Defender. We know the offender has targeted national governments and militaries, like any nation-state might. What’s different about APT is the breadth of their target base. Some criticize the Mandiant report for saying: “The APT isn’t just a government problem; it isn’t just a defense contractor problem. The APT is everyone’s problem. No target is too small, or too obscure, or too well-defended. No organization is too large, too well-known, or too vulnerable. It’s not spy-versus-spy espionage. It’s spy-versus-everyone.” The phrasing here may be misleading (i.e., APT is not attacking my dry cleaner) but the point is valid. Looking over the APT target list, the victims cover a broad sweep of organizations. This is certainly new.
- Means. Let’s talk espionage for a moment. Not everyone has the means to be a spy. You probably heard how effective the idiots who tried bugging Senator Landrieu’s office were. With computer network exploitation (at the very least), those with sufficient knowledge and connectivity can operate at nearly the same level as a professional spy. You don’t have to spend nearly as much time teaching tradecraft for CNE, compared to spycraft. You can often hire someone with private experience as a red teamer/pen tester and then just introduce them to your SOPs. Try hiring someone who has privately learned national-level spycraft.
- Motive. Besides “offender,” this is the second of the two dimensions that APT critics tend to fixate upon. Yes, bad people have tried to spy on other people for thousands of years. However, in some respects even this is new, because the offender has his hands in so many aspects of the victim’s centers of power. APT doesn’t only want military secrets; it wants diplomatic, AND economic, AND cultural, AND…
- Opportunity. Connectivity creates opportunity in the digital realm. Again, contrast the digital world with the analog world of espionage. It takes a decent amount of work to prepare, insert, handle, and remove human spies. The digital equivalent is unfortunately still trivial in comparison.
To summarize, I think a lot of APT critics are focused on offender and motive, and ignore defender, means, and opportunity. When you expand beyond two-dimensional thinking, you’ll see that APT is indeed new, without even considering technical aspects.
Actually, I disagree with Richard in a few ways. Mostly though, I think that the idea of the APT attacks on anything other than just military contractors as being new is a fallacy. This is especially true when you take into account the latest reports on the oil companies being hacked into years ago and only now being reported on or found.
You see, you have to look at the “Thousand Grains of Sand” approach that China has taken and see it for what it is. This is not just military, because “everything” affects everything else, and the Chinese see this. After all, they invented “Go”. So they think much more than two-dimensionally from the start.
So, the reality is that this is not new. It’s only new to the masses because the mainstream media has picked up on this as well as the government and private companies.
Now, let’s twist this another way.
Not only China has these capabilities. How about the avowed interest of Russia after Putin’s speech, which pretty much outlines a program like the one the PRC has? Surely too you cannot count the Israelis out of this game, as they really were the biggest industrial espionage group for a while back in the ’80s. Of course they were using more HUMINT than anything else back then, but the paradigms change, don’t they? You evolve to survive.
I respect Richard quite a bit, but here we differ. I am one of those saying that this is nothing new. I see it all over the news and hear it in the halls of power now post Google.
“OMG OMG OMG what will we do?”
How about this. We shore up our defenses by making smart choices in the personal and private spaces on information security. We teach our people more about the “loose lips sink ships” mentality from WWII and make them aware of their responsibilities.
Most of this attack happened through Facebook and social engineering exploits teamed up with good digital surveillance and data-mining. The social behaviors of individuals led to the clicking of the links or the lowering of defenses that allowed these attacks to occur.
We need to change the way we think in American business. The military already gets it with OPSEC, etc., but that is a foreign word to most people in the work force at the Fortune 500. The same rules apply, but the playing field has changed, and that is all.
We used to tell people to watch for folks without badges; some places still do. We try to educate them not to let people piggyback through the front door. It still happens. We lecture on physical security issues, but human nature is strong and we generally want to be helpful. It is in this trait that we fail in security awareness.
So, nowadays it’s not so much meeting someone at a bar and getting into trouble with a swallow. It’s “Hey, I’m your friend! Add me!” or “Hey, I need that password again, can you txt it to me?”
After that the “asset” is no longer needed. That is the paradigm change and no, it’s not so new.
What can we do? How about we start with some real rules on infosec for the masses. We already have SOX; how about we actually have some real audits with real implications on failure? Whatever happened to HIPAA? It still has no teeth, and every day it seems I am seeing more stories on lost patient or user data. Wouldn’t a little hard drive encryption go a long way? Or maybe some more tutorials on how NOT to lose your laptop in the back of a car… in the open.
It’s simply this. Until we change the way we think and act, this type of attack will be used against us and succeed.
CoB
PUSHDO: The New SSL DDoS

The Central Intelligence Agency, PayPal, and hundreds of other organizations are under an unexplained assault that’s bombarding their websites with millions of compute-intensive requests.
The “massive” flood of requests is made over the websites’ SSL, or secure-sockets layer, port, causing them to consume more resources than normal connections, according to researchers at Shadowserver Foundation, a volunteer security collective. The torrent started about a week ago and appears to be caused by recent changes made to a botnet known as Pushdo.
Due to recent events in my personal history, the whole issue of the return of the DDoS kinda has new meaning for me. This particular attack is an interesting one, as are the choices of targets here. Why choose the CIA and eBay? Seems somewhat random to me; could they be part of a bigger picture or just a randomized set of attacks to test something?
Have we reached a point where the best recourse for these kiddies is to just DoS things offline here and there for kicks? Could a concerted effort of DoS actually effect change or damage to a company enough to make them change? I really wonder just what the hell the fascination with DDoS is other than just a juvenile one.
Of course a DDoS could be used as a precursor to actual warfare or in tandem with it, but really, this does not seem the type of thing that is happening here. Now, were the attackers looking to cause mass outages on infrastructure or commerce sites as a method of attack on the economy… Well, that might be an interesting scenario.
What is different with this attack is the SSL angle. This one is new and could really hork up a site pretty well for some time. Each SSL handshake costs the server far more CPU than a plain HTTP request, so passing junk data and tying up sessions could really bring a big boy down. Even with load balancing, I think this could likely cause some real downtime.
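The reason the SSL angle hurts is that the handshake is the expensive part for the server, so the first line of defense at a load balancer or reverse proxy is to cap how many handshakes any one source may start in a short window before they reach the backend. The following is an added example, not code from the article, Shadowserver, or any product: a sliding-window per-source handshake limiter replayed over a constructed event stream in which one bot hammers a server while a normal client keeps working.

```python
"""Added example (not the article's or Shadowserver's code): a per-source
sliding-window limit on TLS handshakes, as a front-end might apply against a
handshake flood. The event stream used below is constructed."""
from collections import defaultdict, deque


class HandshakeLimiter:
    """Admit at most `limit` handshakes per source within any `window` seconds."""

    def __init__(self, limit=20, window=10.0):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # src -> timestamps of admitted handshakes
        self.dropped = defaultdict(int)   # src -> count of refused handshakes

    def allow(self, src, ts):
        """Return True if a handshake from `src` at time `ts` may proceed."""
        q = self._hits[src]
        while q and ts - q[0] >= self.window:   # evict entries outside the window
            q.popleft()
        if len(q) >= self.limit:
            self.dropped[src] += 1
            return False
        q.append(ts)
        return True


def simulate(events, limit=20, window=10.0):
    """Replay (ts, src) handshake attempts; return {src: (admitted, dropped)}."""
    lim = HandshakeLimiter(limit, window)
    admitted = defaultdict(int)
    for ts, src in sorted(events):
        if lim.allow(src, ts):
            admitted[src] += 1
    return {s: (admitted[s], lim.dropped[s]) for s in set(admitted) | set(lim.dropped)}


def constructed_events():
    """Constructed stream: a bot opening 50 handshakes/s for 3 s, plus a
    legitimate client opening one handshake every 2 s for 30 s."""
    bot = [(i / 50.0, "198.51.100.7") for i in range(150)]
    legit = [(i * 2.0, "203.0.113.9") for i in range(15)]
    return bot + legit


if __name__ == "__main__":
    for src, (ok, dropped) in simulate(constructed_events()).items():
        print(f"{src}: admitted {ok}, dropped {dropped}")
```

Only admitted handshakes count toward the window, so a flooding source is cut off after `limit` and is let back in once its earlier connections age out; count refused attempts too if you want a source that never slows down to stay blocked. A per-source cap only helps against the bots individually, though: a botnet spreads the load across thousands of addresses, each under the limit, so it has to be paired with an aggregate handshake budget and, ideally, SSL termination offloaded to hardware or a front end built for it.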
I will keep up with Shadow Org on this one..
Dear Steve, Please Dial 1-800-WAAA

On Google: We did not enter the search business, Jobs said. They entered the phone business. Make no mistake they want to kill the iPhone. We won’t let them, he says. Someone else asks something on a different topic, but there’s no getting Jobs off this rant. I want to go back to that other question first and say one more thing, he says. This don’t be evil mantra: “It’s bullshit.” Audience roars.
About Adobe: They are lazy, Jobs says. They have all this potential to do interesting things but they just refuse to do it. They don’t do anything with the approaches that Apple is taking, like Carbon. Apple does not support Flash because it is so buggy, he says. Whenever a Mac crashes more often than not it’s because of Flash. No one will be using Flash, he says. The world is moving to HTML5.
Ya know, you have to appreciate the special ego that is Steve Jobs. Much of what he says is BS and posturing on his part but the whole Don’t be Evil thing, that’s dead on.
Google has gone from being a two-man effort into a mega uber corp that is rapaciously working with governments to spy on you, steal your IP if you are a writer past or present, or just keep tabs on EVERYTHING you do with their search engine. So yeah, Google has gone to the dark side and there is no doubt in my mind on this. I just recently had to ban their ever-present spiders from my IP address because they kept hitting it and archiving more of my file server.
You might also think about this too when you read or hear about the Google hack that just happened. Did you know that the Gmail addresses that were hacked were hacked through a purported back door created for the US government? Schneier makes the claim on this but does not cite any real sources on that one. However, I can’t really say that this is not the case as I have seen what was done with the MAE systems and the NARUS STA 6400.
Anyhow, back to ol’ Steve. Take a look back at his time before he was ousted from Apple. He is one SOB control freak bastard and just because he has mellowed does not mean he still ain’t a real schmuck. As far as I am concerned both Apple and Google are on the same order of “evil” and just don’t like the chance that one will “out cool” the other with new tech.
Frankly Steve, the fanboi shit that you eat with your golden spoon makes me ill. I hope Google gets some market share just to spite you.
1-800-WAAA
CoB
Fair and UN-Balanced
Hacktivist Tactics Raise Ethical Questions
Wednesday, January 27, 2010
By Anthony M. Freed, Director of Business Development at Infosec Island
Recently we have witnessed the emergence of international hacktivist and vigilante “the Jester” through his crusade against jihadi and militant Islamic networks, and some third party networks that contain evidence of having been infiltrated by rogue elements. Jester’s activities raise an important question: Where do cyber vigilantes fall on the infosec ethics spectrum?
That is the issue my fellow editors and I have been wrestling with while considering our options for covering the Jester’s exploits – on the one hand, he is acting against some very unsympathetic targets, including the website of the Iranian president.
But on the other hand, he is employing what would be considered Black Hat tactics which violate multiple international and domestic laws, as well as possibly interfering with covert intelligence operations.
Full article Here:
So, this is the new story making the rounds on Twitter, LinkedIn and other places on the internet concerning jester. In reading this article, the writer says he “mostly” agrees that what jester has been doing is wrong; however, I do not think he really believes it completely. In fact, I think that Mr. Freed is just looking for a good byline that will be picked up by the mainstream media and thusly give him more exposure.
Anyone who reads my blog here will already know the saga between jester and me. Suffice to say jester is a pedant and I am tired of the whole affair. However, when I saw this article and how much this “reporter” seems to be just soft-pedaling the story with a bent toward jester as a “patriot,” it made my blood boil. This is especially true considering the emails between him and me just after my first run-in with jester. I have made it quite clear that I have no affinity for his methods and feel that overall, his methods are ineffective if not downright useless.
The legality issues of his methods also do not fall into the grey area of whether or not it’s a moral issue. It is simply illegal to carry out a DDoS attack. So, there you have it. Instead, Mr. Freed is making this more than it is, and with this article is drumming up more applause for an “alleged” former soldier who is impassioned to move against Jihad online.
Emails from Anthony Freed:
Anthony M. Freed has sent you a message. Date: 1/28/2010
Subject: RE: Q about your crabbyolbastard site
I didn’t say he vets his targets – he did. I am not a blogger, so I don’t tend to write overly emotive or subjective pieces. My intention is to provoke some consideration of the larger issues at play.
I was clear that I do not support Black Hat tactics, or meddling in intel ops.
And I am in contact with the authorities – I am working with both the FBI and a fmr White House CIO on the issue.
Please reread the article, because I just don’t see your point with these criticisms – perhaps you are too emotionally involved with this story to be objective?
It seems you have pretty much ended what could have been a good relationship for you with Jester by being so combative.
I continue to have lengthy daily chats, and will continue to cover his exploits objectively.
Feel free to join the discussion. Thanks!
On 01/28/10 5:09 AM, Scot A Terban wrote:
——————–
Anthony,
Kind of a one dimensional piece there. He vets his targets? He certainly did not vet mine. Jester is more than one person, and the one who DoS’d me for spite 30 minutes at a time is no special operator. Other responses in my comments purporting to be jester belie another writer with more control. His argument of coin is bogus too. As I pointed out before, these sites are mirrored and multiple as you can see from the maltegos I have been generating. He is only hitting the “popular” or well known sites. There are many more out there he is not touching nor likely knows are there.
I suggest you talk to some JTTF types or other intel operators to get an opinion other than jester’s on mode of operation and effect.
Cheers,
S.
Mr. Freed, my problems with your story are clear here. You do not call into question or investigate jester at all. You do nothing but become a mouthpiece for him, and that is not reporting. That instead is commentary or propaganda. Even more importantly, your lack of understanding of why I was unable to stomach your story is driven even further home when you remark that I passed up a chance at being friends with jester because I was combative.
You miss the point sir and I do not know how I could have made it more clear.
I do not wish to be his friend and I do not approve of his methods. I never have.
Now, on to your comment on being objective. How can you be objective when you say you are working with the authorities? Are you just stringing jester along here? I mean, at least I have told him outright what I think of him. You, sir, seem to be using jester as much if not more than he might be using you for attention.
Such Hubris.
You’ve been burned buddy.
APT LOVES BLUE HORSE SHOE….
“We’ve seen real, targeted attacks on our C-level [most senior] executives,” says one oil company official, who, like others familiar with various aspects of the attacks, spoke only on condition of anonymity. “I was at a meeting with the FBI earlier this year [2009] that was pretty eye-opening.”
The new type of attack involves custom-made spyware that is virtually undetectable by antivirus and other electronic defenses traditionally used by corporations. Experts say the new cyberburglary tools pose a serious threat to corporate America and the long-term competitiveness of the nation.
OK, I know that the security guys out there will flinch just as I have every time the acronym APT has been bandied about lately. But since the Google/Aurora revelation this has finally hit the mainstream consciousness. So, yes, there are people out there *cough, CHINA!* (being one nation state full of them) who want to steal our data. Not only do they want to steal our IP, but also maybe lay traps to disable things should the need arise.
Yes Virginia, there are Advanced Persistent Threats out there and they are taking advantage of our own stupidity.
Yes, I said it, our STUPIDITY. Let me elucidate for you.
- Microsoft knew of the IE 6 vuln for some time but oh my, no patch!
- It’s come to light that some of the people involved were targeted through Facebook friending. Gee, OPSEC anyone?
- The backdoor features of Gmail put there by Google for the government were used against them
- The EUs just clicked, clicked, clicked on those attachments, infecting themselves
- These exploits and methodologies are not new. In fact, as is being reported now a bit more in the press, these types of attacks have been going on since the 90s
- Generally, passwords are weak within many companies and home networks
- Generally, information security education programs at companies are lax for their employees, if given at all
Now, that this has happened to the gas and oil industry is no great surprise to me. In fact, if anything I am kinda wondering if maybe they missed more over the years and are just unaware of the scope of the data exfiltration. It is likely that these companies never noticed the outbound connections that were created by malware specifically built to exfil data out of their networks and through their firewalls, mostly because they are not paying enough attention to the outbound firewall rules, nor do they have any network monitoring to alert them to any strange traffic.
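The kind of outbound watching the paragraph above says these companies lacked, as an added example that is not from the original post: it reads egress firewall log lines (a constructed format and constructed values, not any real product’s logs) and flags host-to-destination flows that recur on a near-fixed timer, the signature of malware calling home.

```python
"""Beacon detection over egress firewall logs (added example).

Flags internal hosts whose allowed outbound connections to one external
destination recur at a near-constant interval. Log format and all
addresses/timestamps below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log: timestamp, src, dst, dport, action
EGRESS_LOG = """\
2010-02-08T09:00:02 10.1.4.22 203.0.113.10 443 allow
2010-02-08T09:05:01 10.1.4.22 203.0.113.10 443 allow
2010-02-08T09:10:03 10.1.4.22 203.0.113.10 443 allow
2010-02-08T09:15:00 10.1.4.22 203.0.113.10 443 allow
2010-02-08T09:20:02 10.1.4.22 203.0.113.10 443 allow
2010-02-08T09:01:10 10.1.4.37 198.51.100.5 80 allow
2010-02-08T09:14:55 10.1.4.37 198.51.100.5 80 allow
2010-02-08T09:16:30 10.1.4.37 198.51.100.5 80 allow
2010-02-08T09:40:12 10.1.4.37 198.51.100.5 80 allow
2010-02-08T09:50:44 10.1.4.37 198.51.100.5 80 allow
"""

def parse_egress(text):
    """Group allowed outbound connection times by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport, action = line.split()
        if action == "allow":
            flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, min_hits=5, max_jitter=0.1):
    """Return [((src, dst, dport), period_seconds)] for flows whose
    inter-connection gaps are nearly constant. max_jitter is the
    ratio stdev/mean of the gaps; a small value means a fixed timer."""
    beacons = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((key, round(avg)))
    return beacons

if __name__ == "__main__":
    for (src, dst, port), period in find_beacons(parse_egress(EGRESS_LOG)):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{period}s")
```

Tune `min_hits` and `max_jitter` to the log volume; normal browsing (the second host) has irregular gaps and is not reported.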
Then I came across this part of the article…
But lurking in the cybershadows is a far more insidious and sophisticated form of computer espionage that, until the recent exposure by search-engine titan Google, was little publicized and often went undetected. Such attackers represent the elite – a dark army of cyberspies targeting the heart of corporations around the world where trade secrets, proprietary data, and cutting-edge technologies lie locked away in digital fortresses.
SNORT! Digital fortresses? Really? Man, this guy has been reading too much Dan Brown! These companies are hardly “digital fortresses”; they are often cobbled-together networks with poor internal security defenses that data can easily be transmitted out of. A digital fortress at the very LEAST would be encrypting its data at rest to prevent such an exploit from working!
As for the sophistication of the cyber spying, I say yes, it is sophisticated in that there are concerted efforts to gather data by using classic spying techniques and persistent methods with a digital twist. What’s called social engineering today has been around a long time in the espionage realm. So, it’s not so new. Getting someone to knee-jerk react and click on an email that looks legit is not so much a new idea.
Now, about the fact that the Chinese may be infiltrating the gas and oil industries. Well, that makes perfect sense, doesn’t it? China wants to be a superpower. One of the things that China needs to be a superpower is energy to power its factories, cities, basically the engine of their economy.
There’s a line in Syriana that kinda explains my meaning:
Jimmy Pope
“We use one quarter of the oil in the world, Bennet. Your house is light and warm and my house is light and warm, but what if it were that way for half of the week, or none of the week? Hell, China’s economy is not growing as fast as it could because they can’t get all the oil they need. I’m damn proud of that fact”
The simple truth is that China needs the data, the designs, the IP, everything in their minds to be that superpower. So, they are going about stealing it in the international equivalent of “stealing candy from a baby.” We, unfortunately, are that baby where it comes to data security, it seems.
The Chinese attacking these companies to get a leg up on where drilling seems likely, what methods are being used, what agreements are in the works, etc., would be great data for them to have. It’s only natural... and really makes me wonder how the C levels at these companies could be so surprised at the depth and breadth of these efforts by the Chinese.
It’s time that this digital baby got some schoolin’.
Full story HERE
Using Maltego for OSINT

The jihadist web may seem like a finite, one dimensional place to some, but in reality it’s very multidimensional. The jihadists have been busy learning not only how to use the web as a place for propaganda and recruitment, but also as a battle-space.
Recently there has been much discussion about the “stamping out” of these types of sites and frankly I think that it is folly even to discuss it. Folly because usually these sites are multiply mirrored, partly as a kind of load balancing, but more so to have multiple named sites that hold the same links and data, precisely to survive being stamped out or taken down.
Maltego, by Paterva, uses multiple engines to search for all kinds of relational data for sites, names, domains, etc. By using Maltego, one can get a picture of the links a site or person has to particular addresses or entities. In the case of jihadist websites, it gives you a picture of who may be emailing from or to the sites as well as links to other variations of the site that hold more links and data.
Alternately, one may be able to gather who is posting where or emailing whom with this tool as well. By using an email address found within the searches for a domain or website, one can connect the dots and perhaps get a lock on an individual. At the very least, by using Google, Maltego Mesh, and Maltego, you can get a pretty good picture of how these guys are talking with one another and sharing data.
The jihadists are also fond of using PHP bulletin boards not only to chat but also to pass on links to Megaupload, Rapidshare, and the like. The files that they are passing are everything from videos on how to make RDX to PDFs on how to wire a cell phone to be a remote detonator for an IED. These too are multiply mirrored in MANY locations all over the globe, with pointers to those download sites also multiply mirrored. The essence of it is there is no way we could get it all taken down.
This also brings up the idea that, rather than cracking down on sites such as these, one could do more good by using techniques like these to find out who traffics in these sites, who runs them, and in the end crack into them and find out the real person behind their digital personae. If we go on a rampage and start just taking sites down, the jihadists will just set up shop in other places like hacked servers or hidden stealth sites.
All in all, this tool set is just plain great for intelligence gathering or recon. Check it out at www.paterva.com. You can also check out these natty png files I created to see just what I mean.
CoB
Sensing A Pattern

| Source IP | Network owner | Alert type |
| --- | --- | --- |
| 93.114.122.72 | SC- DIAL TELECOM Romania | Slammer |
| 91.135.19.162 | DTG Wireless Latvia | DdoS |
| 89.106.8.194 | Grid Hosting Turkey | DOS/SYN |
| 72.1.0.0 | Northern Telephone OSHKOSH | BAD IP |
| 69.10.42.58 | Interserver Inc NJ | DOS/SYN |
| 61.175.209.11 | China Telecom | DOS/SYN |
| 61.147.112.197 | Chinanet | DOS/SYN |
| 61.139.175.30 | UNICOM JL China | DOS/SYN |
| 60.190.49.244 | NINGHAI-XINYANG-LTD China | Slammer |
| 60.173.10.154 | Chinanet AH China | DOS/SYN |
| 60.12.6.238 | CNC Group CHINA169 Zhejiang Province Network | TCP Nmap Scan |
| 59.45.19.52 | MAINT-CHINANET-LN | DOS/SYN |
| 58.57.17.194 | MAINT-CHINANET-SD | Slammer |
| 58.221.42.163 | CHINANET jiangsu province network China | DOS/SYN |
| 222.45.112.219 | Kunde Htech Ltd Co China | DOS/SYN |
| 222.240.205.117 | CHINANET-HN Changsha node network | DOS/SYN |
| 222.179.5.106 | CHINANET Chongqing province network | Slammer |
| 222.175.213.210 | CHINANET SHANDONG PROVINCE NETWORK | DOS/SYN |
| 222.133.182.194 | China Unicom Shandong province network | DOS/SYN |
| 222.128.51.11 | China Unicom Beijing province network | DOS/SYN |
| 221.238.10.195 | TIANJIN-CHANGCHENGZHIBAO-LTD | DOS/SYN |
| 221.195.73.68 | China Unicom Hebei Province Network Korea | DOS/SYN |
| 221.161.82.238 | KORNET-10321992250 | DOS/SYN |
| 220.191.241.2 | ZHEJIANG-PEOPLE-GOV | TCP Nmap Scan |
| 219.149.53.239 | LY-GUANGDIAN-ISP China | Slammer |
| 218.75.95.244 | JINHUA-TELECOM-LTD | Slammer |
| 218.61.126.21 | China Unicom Liaoning province network | DOS/SYN |
| 218.23.37.51 | CHINANET Anhui province network | Slammer |
| 218.204.137.156 | China Mobile Communications Corporation – jiangxi | Slammer |
| 217.76.32.53 | Ratel Company Russia | DOS/SYN |
| 212.252.124.15 | SuperOnline Inc. Turkey | Slammer |
| 211.157.108.232 | CHINACOMM | DOS/SYN |
| 211.141.78.197 | CMNET-jilin | DOS/SYN |
| 211.100.229.252 | BEIJING ZHENG-BO TECHNOLOGY CO.LTD | Slammer |
| 202.120.127.149 | Shanghai University | DOS/SYN |
| 174.143.78.90 | Rackspace.com | App Anomaly RPC |
| 125.68.57.86 | CHINANET Sichuan province network | DOS/SYN |
| 125.65.112.168 | SC-MY-SJDF-LTD China | DOS/SYN |
| 125.119.209.199 | CHINANET-ZJ-HZ | DOS/SYN |
| 124.160.43.18 | CNC Group CHINA169 Zhejiang Province Network | TCP Nmap Scan |
| 123.30.75.107 | CUCBUUDIENTW-NET | DOS/SYN |
| 122.225.36.85 | JIAXING-TELECOM-LTD | DOS/SYN |
| 121.28.90.36 | SJZ-FriendshipHotelNorthStateStreetstore China | DOS/SYN |
| 121.123.158.33 | Maxis Communications Bhd Malaysia | DOS/SYN |
| 121.11.80.42 | shantoushitianyingxinxijishuyou China | DOS/SYN |
| 118.1.0.0 | NTT Communications Corporation Japan | BAD IP |
| 116.228.179.19 | CHINANET Shanghai province network | DOS/SYN |
Since my little incident with j35t3r I have been paying more attention again to the IDS. In the last few days alone the system has seen some interesting traffic including another DDoS attempt from Latvia. I am seeing a pattern though for the most part. Our Chinese overlords have a lot of traffic coming my way from worms.
Also interesting to note is the Nmap traffic; guess some folks got interested in my system to see what ports I have open. They went away unhappy though. Kinda makes you wonder what your traffic is like, huh? It also might make you wonder just how much your system is protected... if it is at all.
If you are interested, you can take a scan for yourself with Shields Up. It’s a system in place to run a Nessus scan against your IP address and see what’s what. It does a good job and will tell you what ports are open and perhaps what vulns you might have.
Just remember, if you have a persistent connection and your machine is on... well, they are knocking at the door.
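To make the pattern in the IDS table above visible at a glance, here is an added example (not from the original post) that parses rows in the same pipe-delimited layout and tallies them by alert type, by whether the owner looks Chinese, and by owner networks that show up more than once. The rows are a constructed subset copied from the table; the keyword list used to tag Chinese networks is an assumption for illustration.

```python
"""Summarise IDS source hits by alert type and network owner (added example)."""
from collections import Counter
import ipaddress

# Constructed subset of rows in the same layout as the table in the post
SAMPLE_ROWS = """\
| 93.114.122.72 | SC- DIAL TELECOM Romania | Slammer |
| 91.135.19.162 | DTG Wireless Latvia | DdoS |
| 61.175.209.11 | China Telecom | DOS/SYN |
| 60.190.49.244 | NINGHAI-XINYANG-LTD China | Slammer |
| 60.12.6.238 | CNC Group CHINA169 Zhejiang Province Network | TCP Nmap Scan |
| 124.160.43.18 | CNC Group CHINA169 Zhejiang Province Network | TCP Nmap Scan |
| 222.45.112.219 | Kunde Htech Ltd Co China | DOS/SYN |
| 218.23.37.51 | CHINANET Anhui province network | Slammer |
| 174.143.78.90 | Rackspace.com | App Anomaly RPC |
"""

# Assumed keyword hints for tagging an owner string as a Chinese network
CHINA_HINTS = ("china", "chinanet", "cnc group", "unicom", "cmnet")

def parse_rows(text):
    """Return [(ip, owner, kind)] for each well-formed row; rows whose
    first cell is not a valid IP address (e.g. headers) are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3:
            continue
        ip, owner, kind = cells
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        rows.append((ip, owner, kind.upper()))   # normalise "DdoS"/"DOS"
    return rows

def summarise(rows):
    """Return (hits per alert type, hits per type from Chinese owners,
    owners seen more than once)."""
    by_type = Counter(kind for _, _, kind in rows)
    china = Counter(kind for _, owner, kind in rows
                    if any(h in owner.lower() for h in CHINA_HINTS))
    owners = Counter(owner for _, owner, _ in rows)
    repeats = {o: n for o, n in owners.items() if n > 1}
    return by_type, china, repeats

if __name__ == "__main__":
    by_type, china, repeats = summarise(parse_rows(SAMPLE_ROWS))
    for kind, n in by_type.most_common():
        print(f"{kind:16} {n:3} total, {china[kind]:3} from Chinese networks")
    for owner, n in repeats.items():
        print(f"repeat source network: {owner} ({n} hits)")
```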
CoB
TOR Security Breach.. What A Coincidence
An anonymous reader writes “If you use Tor, you’re cautioned to update now due to a security breach. In a message on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: ‘In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we’d recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.’ Tor users should visit the download page and update ASAP.”
So, two of the Tor servers were compromised and used as attack boxes for... something... interesting...
Time to go download the update…

