March 27, 2011

No more echo chambers.

March 25, 2011

Well, it seems I have acquired something of a following; however, it still seems that not many are interested in adding significant discussion or views to the debate.  I invite any and all to post their thoughts and ideas, or to make recommendations for research.

Twitter: diocyde

Gmail: [email protected]

Malware has reached the point of overwhelming the collective average intelligence of the normal operator.  With a plethora of threats, and an infinite number of possibilities and variations, the complexity of such threats will eventually overwhelm the capacity of a single human's cognition.  This is why over the past few years we have seen a "dumbing down" of AV protections, which struggle to deal with tens of millions of samples a year and hundreds of thousands of signatures.  Lost in all the automated analysis are the digital nuggets of intelligence that are missed, or only noted in some obscure report with no operational context.

One case in point is the clear chaos and confusion of the antiquated CARO naming convention for the categorization and naming of malware.  EVERY single AV company does it differently.  No one can agree on a naming convention.  Names of bots/trojans are OBFUSCATED for pointless, worthless reasons, adding to the confusion and noise level.  For example, take our latest Adobe Flash 0-day threat combined with targeted attacks.  F-Secure, after the exploit was launched in a highly targeted fashion by actors that are causing a tremendous amount of digital carnage, does its analysis of the exploit, and then decides to give the actual payload (the digital weapon) some ridiculous name (Trojan.Agent.ARKJ).   Granted, this naming (dumbing down) has been going on for years; however, when the context of important attacks is raising public awareness to such a high degree, the tools and arsenal of threat actors should be made known to the general public.  One of the reasons security response teams just sort of reimage and go about their business is that they have no ability to triage a really damaging threat unless they do a full static and dynamic analysis of it.

The APT threat group based in the Shanghai Military Region Tactical Reconnaissance Bureau that has been discussed in earlier posts has malware, malware analyses (for example ThreatExpert) and VirusTotal reports that link that specific malware and its evolution back to 2005!  Coincidentally, this is one of the threats that gets automatically analyzed and classified as blah blah Trojan/backdoor-DSG or whatever the stupid CARO implementation spits out.  Additionally, some malware is named, but the name is a scrambled variant of the author, the callback domain, the victim, or some attribution string or mutex in the malware, because for some reason AV companies feel it's "important" to protect the privacy of malicious cyber actors.  This helps absolutely no one; it serves to dissipate the tactical, operational and strategic importance of a particular attack, and misdirects the public's attention away from the victim and the damage being done.

The espionage attacks of Aurora/GhostNet/ShadowNet and others have not only popularized the naming of malcode but given it a tremendous amount of publicity and attention from researchers WITH the time to rip apart the code and possibly .  Additionally, it's this kind of publicity that gets the non-geek world to stand up and take notice that their lunch is getting eaten on a daily basis.  AV companies in the past decade, and in the early days, sought to take away the EGO tripping of virus writers by refusing to grant them infamy by naming a virus after them.  I say the times have changed.  I say that true attribution intelligence should be disgorged from the holder of it and attached like a stinking, rotting corpse to the samples.

Props to FireEye for actually doing this by naming this latest payload Trojan.Linxder after the Chinese CNE operator's hacker handle.   Of course FireEye is not an AV company per se, but the days of just having AV companies are long gone, as now everyone is in the cyber space vendor community and managed service sector.

Here is a challenge to any reverse engineer / malware analyst / cyber intelligence threat analyst / security researcher.

  • Go to Mila's excellent Contagio site
  • Download the excellent archives of 99.99% APT attack payloads
  • Discover the hidden nuggets of attribution intelligence that are used and write a small analysis of these findings.
  • I will post them as a comment on this blog and approve them for review by the entire community.

There are tons of techniques being used, abused, and engineered that enable the horrible detection rates we are seeing today.

If the new rules of the road are that governments, militaries, critical infrastructure, and commercial and non-profit organizations are going to be targets for the long term, we might as well serve ourselves by quitting calling it APT and start calling it by its real name: the actual units and operators that are responsible.

If threat actors use highly customized code, this is a weakness.  It means that if a victim gets attacked with a specialized piece of espionage malware, and it's analyzed, dissected, and publicized, then other organizations can digitally investigate their own infrastructures looking for the same threat.  If they find it, they know they just got screwed as well.  This is called HERD Defense.  An attack on one member of the herd might take out an individual, but the rest of the herd is now alerted and on the defense whenever they see the same thing or something similar.
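The herd-defense idea above, together with the "attribution nuggets" the challenge asks for (a mutex, a callback domain, a PDB path left in a sample), can be turned into a small pipeline. What follows is an added example, not code from this blog or from any vendor: it pulls those indicator strings out of a constructed stand-in for a captured payload and then sweeps constructed DNS and mutex telemetry from a second organisation for them. The sample bytes, hostnames, domain and log lines are all made up for illustration.

```python
"""Herd-defense sweep: take the indicators a published analysis of one
victim's sample exposes and check a second organisation's own telemetry
for them.  Added example; every input below is constructed."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-in for a captured payload (NOT a real sample).  Real
# binaries carry such strings in their data sections; here they are planted
# in a bytes blob between non-printable filler so the extractor has work to do.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 40
    + b"Global\\ExampleMutex_2011\x00"
    + b"\x01\x02\x03\x04" * 4
    + b"update.example-callback.invalid\x00"
    + b"c:\\work\\proj\\Release\\agent.pdb\x00"
    + b"\xff\xfe" * 20
)

ASCII_STRING = re.compile(rb"[\x20-\x7e]{6,}")            # printable runs, 6+ chars
MUTEX_RE = re.compile(r"^(?:Global\\|Local\\)?[A-Za-z0-9_\-{}]{6,}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
PDB_RE = re.compile(r"\.pdb$", re.I)


@dataclass
class Indicators:
    sha256: str
    mutexes: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    pdb_paths: set = field(default_factory=set)


def extract_indicators(blob: bytes) -> Indicators:
    """Pull the attribution-bearing strings (mutex names, callback domains,
    PDB paths) out of a binary blob, along with the blob's hash."""
    ind = Indicators(sha256=hashlib.sha256(blob).hexdigest())
    for m in ASCII_STRING.finditer(blob):
        s = m.group().decode("ascii")
        if PDB_RE.search(s):
            ind.pdb_paths.add(s)
        elif DOMAIN_RE.match(s):
            ind.domains.add(s.lower())
        elif s.startswith(("Global\\", "Local\\")) and MUTEX_RE.match(s):
            ind.mutexes.add(s)
    return ind


# Constructed telemetry from a second member of the herd (NOT real logs).
DNS_LOG = [
    "2011-03-25T09:14:02Z host=ws-017 query=www.example.org",
    "2011-03-25T09:14:09Z host=ws-017 query=update.example-callback.invalid",
    "2011-03-25T09:15:41Z host=ws-022 query=mail.example.org",
]
MUTEX_INVENTORY = {
    "ws-017": ["Global\\ExampleMutex_2011", "Local\\ZoneRun"],
    "ws-022": ["Local\\ZoneRun"],
}


def sweep(ind: Indicators, dns_log, mutex_inventory) -> dict:
    """Return {host: [reasons]} for every host whose telemetry shows one of
    the published indicators; an empty dict means the herd member is clean."""
    hits = {}
    for line in dns_log:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("query", "").lower() in ind.domains:
            hits.setdefault(fields["host"], []).append("dns:" + fields["query"])
    for host, mutexes in mutex_inventory.items():
        for name in mutexes:
            if name in ind.mutexes:
                hits.setdefault(host, []).append("mutex:" + name)
    return hits


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE)
    print("sha256:", ind.sha256)
    print("mutexes:", ind.mutexes, "domains:", ind.domains, "pdb:", ind.pdb_paths)
    for host, reasons in sweep(ind, DNS_LOG, MUTEX_INVENTORY).items():
        print(host, "->", ", ".join(reasons))
```

The point of keeping the PDB path and mutex alongside the hash is exactly the one the post makes: the hash changes with every rebuild, but the artefacts the operator left behind tend to persist across variants, so a second victim searching its own telemetry for them catches the same threat even when the binary differs.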

RSA can start by giving us samples to analyze, and a full disclosure briefing.

One of the things AV companies can do is start writing in-depth public analysis reports/blogs about the bunch of malware threats that they see used in attacks on, say, 10 victims or fewer.  That's where you find the goodness.

Take any random sample from Contagio.  See what kind of nuggets of intelligence you can glean from it; do your due diligence open source research and social network analysis; put your detective/investigator hat on.  And then ask yourself why people continue saying they got pwned by the APT, when instead they should just point to the bastard's Baidu profile and send him a little present as a token of thanks.

Thanks for getting added to the Pwned list.  Join the club.

They call that there thang' a Firewahl….

falun:法轮
三个代表|表 three represents theory
一党|党 one party| party
多党|党 multiple parties | party
民主|民 democracy|people
专政|政 |politics
大法|法 dafa|fa
弟子|弟 diciple|di
大纪元|元 dajiyuan|yuan
真善忍|忍 truthful,kind and tolerant|tolarant
明慧|慧 minghui|hui
大法|法 dafa|fa
洪志|志 hongzhi|zhi
红志|志 hongzhi|zhi
洪智|智 hongzhi|zhi
红智|智 hongzhi|zhi
法轮|轮 falun|lun
法论|论 falun|lun
法沦|沦 falun|lun
法伦|伦 falun|lun
发轮|轮 falun|lun
发论|论 falun|lun
发沦|沦 falun|lun
发伦|伦 falun|lun
轮功|功 lungong|gong
轮公|公 lungong|gong
轮攻|攻 lungong|gong
沦功|功 lungong|gong
沦公|公 lungong|gong
沦攻|攻 lungong|gong
论攻|攻 lungong|gong
论功|功 lungong|gong
论公|公 lungong|gong
伦攻|攻 lungong|gong
伦功|功 lungong|gong
伦公|公 lungong|gong
打倒|倒 beat down|down
民运|运 democratic movement|movement
六四|四 june forth|forth
台独|独 Taiwan independence|independence
王丹|丹 wang dan|dan
柴玲|柴 chai ling|chai
李鹏|鹏 li peng|peng
天安门|安 tiananmen|an
江泽民|泽 jiang zemin|ze
朱容基|基 zhu rongji|ji
朱_基|朱 zhu rongji|zhu
李长春|春 li changchun |chun
李瑞环|瑞 li ruihuan|rui
胡锦涛|锦 hu jintao|jin
魏京生|魏 wei jingsheng|wei
台湾独立|湾 Taiwan independence|wan
藏独|藏 Tibetan independence|tibet
西藏独立|藏 Tibetan independence|tibet
疆独|疆 jiang independence|jiang
新疆独立|疆 xinjiang independence|jiang
警察|察 police|cha
民警|警 people's police|jing
公安|公 gong'an|gong
邓小平|邓 deng xiaoping|deng
嫖|嫖 go whoring|go whoring
大盖帽|帽 |
革命|命 revolution|ming
武警|警 military police|jing
黑社会|社 gangsterdom|she
交警|警 transportation police|jing
消防队|消 fire department|xiao
刑警|刑 operative|torture
夜总会|夜 night club|night
妈个|个 mage|ge
公款|款 public funds|funds
首长|首 paramount|shou
书记|记 secratary|ji
坐台|台 sit at the club|tai
腐败|腐 corruption|fu
城管|管 city management|guan
暴动|暴 insurrection|bo
暴乱|乱 riot|disorder
李远哲|哲 li yuanzhe|zhe
司法警官|司 judicatory police|si
高干|高 high ranking cadre|high
高干子弟|弟 high ranking cadre's son and brother|brother
高干子女|女 high ranking cadre's son and daughter|daughter
人大|大 people's congress|da
尉健行|健 wei jianxing|jian
李岚清|清 li lanqing|qing
黄丽满|满 huang liman|man
于幼军|军 yu youjun|jun
文字狱|狱 censorship jail|jail
宋祖英|英 song zuying|ying
天安门|门 tian anmen|door
自焚|焚 burn oneself|burn
骗局|骗 razzle-dazzle|cheat
猫肉|猫 cat's meat|cat
吸储|储 attract savings|savings
张五常|张 zhang wuchang|zhang
张丕林|丕 zhang pilin|pi
空难|难 air disaster|disaster
温家宝|温 wen jiabao|wen
吴邦国|邦 wu bangguo|bang
曾庆红|庆 zeng qinghong|qing
黄菊|黄 huang ju |huang
罗干|罗 luo gan|luo
吴官正|官 wu guanzheng|guan
贾庆林|庆 jia qinglin|qing
专制|制 despotism | zhi
卖淫|淫 whoredom|lewd
八九|八 eighty nine|eight
八老|八 eight olds|eight
巴赫|巴 bach|ba
白立朴|白 bai lipu|bai
白梦|白 white dream|white
白皮书|白 white book|white
保钓|保 protect diaoyu|protect
鲍戈|鲍 bao ge|bao
鲍彤|鲍 bao tong|bao
暴乱|暴 riot|bao
暴政|暴 tyranny|bao
北大三角地论坛|北 Peking University triangle area bbs|bei
北韩|北 north korea|bei
北京当局|北 Beijing authorities|bei
北京之春|北 Beijing spring|
北美自由论坛|北 north American freedom bbs|bei
博讯|博 boxun|bo
蔡崇国|蔡 cai chongguo|cai
曹长青|曹 cao changqing|cao
曹刚川|曹 cao gangchuan|cao
常劲|常 chang jin|chang
陈炳基|陈 chen bingji|chen
陈军|陈 chen jun|chen
陈蒙|陈 chen meng|chen
陈破空|陈 chen pokong|chen
陈希同|陈 chen xitong|chen
陈小同|陈 chen xiaotong|chen
陈宣良|陈 chen xuanliang|chen
陈一谘|陈 chen yizi|chen
陈总统|陈 presideng chen|chen
程凯|程 cheng kai|cheng
程铁军|程 cheng tiejun|cheng
程真|程 cheng zhen|cheng
迟浩田|迟 chi haotian|chi
持不同政见|持 hold different politics|hold
赤匪|赤 red bandit|red
赤化|赤 rubricitize|rubricity
春夏自由论坛|春 spring and summer freedom bbs|spring
达赖|达 dalai|da
大参考|大 big reference|da
大法|大 dafa|da
大纪元|大 dajiyuan|da
大纪元新闻网|大 dajiyuan news network|da
大纪园|大 dajiyuan|da
大家论坛|大 everybody forum|da
大史|大 dashi|da
大史记|大 dashiji|da
大史纪|大 dashiji|da
大中国论坛|大 greater china forum|da
大中华论坛|大 greater china forum|da
大众真人真事|大 everybody actual person and event|da
戴相龙|戴 dai xianglong|dai
弹劾|弹 impeach|tan
登辉|登 denghui|deng
邓笑贫|邓 deng xiaopin|deng
迪里夏提|迪 dilixiati|ti
地下教会|地 underground church|di
地下刊物|地 underground publications|di
弟子|弟 disciple|di
第四代|第 the forth generation|di
电视流氓|电 tv rougue|dian
钓鱼岛|钓 diaoyu island|diao
丁关根|丁 ding guangen|ding
丁元|丁 ding yuan|ding
丁子霖|丁 ding zlin|ding
东北独立|东 northeastern independence|dong
东方红时空|东 oriental red space time|dong
东方时空|东 oriental horizon|dong
东南西北论谈|东 east south west north forum|dong
东社|东 east society|dong
东土耳其斯坦|东 eastern turkistan|dong
动乱|动 convulsion|dong
独裁|独 despotism|du
独裁政治|独 despotism rule|du
独夫|独 dictator|du
独立台湾会|独 independent Taiwan society|du
杜智富|杜 du zhifu|du
多维|多 multimentional|duo
屙民|屙 |
俄国|俄 russia|russia
发愣|发 be in a daze|fa
发轮|发 falun|fa
发正念|发 fazhengnian|fa
法愣|法 faleng|fa
法抡|法 falun|fa
法仑|法 falun|fa
法伦|法 falun|fa
法轮|法 falun|fa
法论|法 falun|fa
法十轮十功|法 fa+lun+gong|fa
法十轮十功|法 fa+lun+gong|fa
法谪|法 fazhe|fa
法谪功|法 fazhegong|fa
反封锁技术|反 antiblockage technology|fan
反腐败论坛|反 anticorruption forum|fan
反攻|反 counterattack|fan
反共|反 anticommunism|fan
反人类|反 antihumanity|fan
反社会|反 antisociety|fan
方励之|方 fang lizhi|fang
方舟子|方 fang zhouzi|fang
飞扬论坛|飞 feiyang forum|fei
斐得勒|斐 feidele|fei
费良勇|费 fei liangyong|fei
分家在|分 break up the family and live apart|fen
分裂|分 divide|fen
粉饰太平|粉 prettify peace and tranquility|fen
风雨神州|风 wind and rain the divine land|feng
风雨神州论坛|风 wind and rain the divine land forum|feng
封从德|封 feng congde|feng
封杀|封 force-out|feng
冯东海|冯 feng donghai|feng
冯素英|冯 feng suying|feng
佛展千手法|佛 buddha streches a thousand hands|buddha
付申奇|付 fu shenqi|fu
傅申奇|傅 fu shenqi|fu
傅志寰|傅 fu zhihuan|fu
高官|高 high ranking officials|gao
高文谦|高 gao wenqian|gao
高薪养廉|高 foster honesty and cleanness by high salary|gao
高瞻|高 look up from high position|gao
高自联|高 university self-governing association|gao
戈扬|戈 ge yang|ge
鸽派|鸽 pigeon clique|pigeon
歌功颂德|歌 sing the praises of somebody|ge
蛤蟆|蛤 toad|ha
个人崇拜|个 cult of personality|ge
工自联|工 worker self-governing association|gong
功法|功 law of gong|gong
共产|共 share property|gong
共党|共 communist party|gong
共匪|共 communist bandit|gong
共狗|共 communist dog|gong
共军|共 communist army|gong
关卓中|关 guan zhuozhong|guan
贯通两极法|贯 law of perforating the two poles|guan
广闻|广 extensibe knowledge|extensive
郭伯雄|郭 guo boxiong|guo
郭罗基|郭 guo luoji|guo
郭平|郭 guo ping|guo
郭岩华|郭 guo yanhua|guo
国家安全|国 national security|guo
国家机密|国 national secret|guo
国军|国 Kuomingtang arm forces|guo
国贼|国 country's thief|guo
韩东方|韩 han dongfang|han
韩联潮|韩 han lianchao|chao
汉奸|汉 traitor|han
何德普|何 he depu|he
何勇|何 he yong|he
河殇|河 river dies young|he
红灯区|红 red light district|red
红色恐怖|红 red terror|red
宏法|宏 commission law|hong
洪传|洪 hong commission|hong
洪吟|洪 hong chant|hong
洪哲胜|洪 hong zhesheng|hong
洪志|洪 hongzhi|hong
胡紧掏|胡 hu jintao|hu
胡锦涛|胡 hu jintao|hu
胡锦滔|胡 hu jintao|hu
胡锦淘|胡 hu jintao|hu
胡景涛|胡 hu jingtao|hu
胡平|胡 hu ping|hu
胡总书记|胡 general secretary hu|hu
护法|护 law protection|hu
花花公子|花 playboy|hua
华建敏|华 hua jianmin|hua
华通时事论坛|华 Huatong current affairs forum|hua
华夏文摘|华 Huaxia digest|hua
华语世界论坛|华 Chinese world forum|hua
华岳时事论坛|华 Huayue current affairs forum|hua
黄慈萍|黄 Huang ciping|huang
黄祸|黄 yellow disaster|huang
黄菊|黄 huang ju|huang
黄菊 |黄 huang ju|huang
黄翔|黄 huang xiang|huang
回民暴动|回 Hui people riot|hui
悔过书|悔 book of repentance|hui
鸡毛信文汇|鸡 chicken feather letter information collection|chicken
姬胜德|姬 ji shengde|ji
积克馆|积 jikeguan|ji
基督|基 jesus christ|jesus
贾庆林|贾 jia qinglin|jia
贾廷安|贾 jia yan'an|jia
贾育台|贾 jia yutai|jia
建国党|建 jianguo party|jian
江core|江 jiang core|jiang
江八点|江 jiang eight points|jiang
江流氓|江 jiang rogue|jiang
江罗|江 jiang luo|jiang
江绵恒|江 jiang mianheng|jiang
江青|江 jiang qing|jiang
江戏子|江 dramatist jiang|jiang
江则民|江 jiang zemin|jiang
江泽慧|江 jiang zehui|jiang
江泽民|江 jiang zemin|jiang
江_民|江 jiang zehui|jiang
江贼|江 thief jiang|jiang
江贼民|江 jiang thiefmin|jiang
江折民|江 jiang zhemin|jiang
江猪|江 jiang pig|jiang
江猪媳|江 jiang pig's daughter in law(zhuxi)|jiang
江主席|江 chairman jiang|jiang
姜春云|姜 jiang chunyun|jiang
将则民|将 jiang zemin|jiang
僵贼|僵 stiff thief(jiang zei)|jiang
僵贼民|僵 stiff thief people(jiang zei min)|jiang
疆独|疆 xinjiang independence|jiang
讲法|讲 deliver law|jiang
酱猪媳|酱 sauce pig's daughter in law(jiang zhuxi)|jiang
交班|交 hand over to the next shift|jiao
教养院|教 a house of correction|jiao
接班|接 carry on|jie
揭批书|揭 book of exposion and criticism|jie
金尧如|金 jin yaoru|jin
锦涛|锦 jintao|jin
禁看|禁 forbid to see|jin
经文|经 lection|jing
开放杂志|开 open magzine|kai
看中国|看 eye on china|kan
抗议|抗 protest|kang
邝锦文|邝 kuang jinwen|kuang
劳动教养所|劳 labor penitentiary|lao
劳改|劳 reform of criminals through labor|lao
劳教|劳 education of criminals through labor|lao
老江|老 old jiang|lao
老毛|老 old mao|lao
老人政治|老 gerontocracy|lao
黎安友|黎 li anyou|li
李长春|李 li changchun|li
李大师|李 master li|li
李登辉|李 li denghui|li
李红痔|李 li red piles(li hongzhi)|li
李宏志|李 li hongzhi|li
李洪宽|李 li hongkuan|li
李继耐|李 li jinai|li
李兰菊|李 li lanju|li
李岚清|李 li lanqing|li
李老师|李 teacher li|li
李录|李 li lu|li
李禄|李 li lu|li
李鹏|李 li peng|li
李瑞环|李 li ruihuan|li
李少民|李 li shaomin|li
李淑娴|李 li shuxian|li
李旺阳|李 li wangyang|li
李文斌|李 li wenbin|li
李小朋|李 li xiaopeng|li
李小鹏|李 li xiaopeng|li
李月月鸟|李 li moon moon bird (li peng) |li
李志绥|李 li zhisui|li
李总理|李 premier li|li
李总统|李 presideng li|li
连胜德|连 lian shengde|lian
联总|联 chief lian |lian
廉政大论坛|廉 grand forum of honest and clean politics|lian
炼功|炼 practice gong|lian
梁光烈|梁 liang guanglie|liang
梁擎墩|梁 liang qingdun|liang
两岸关系|两 relations between two sides of the strait|liang
两岸三地论坛|两 forum of 3 areas of 2 sides of the strait|liang
两个中国|两 two chinas|liang
两会|两 two conferences|liang
两会报道|两 reporing of two conferences|two
两会新闻|两 news of two conferences|two
廖锡龙|廖 liao xilong|liao
林保华|林 lin baohua|lin
林长盛|林 lin changsheng|lin
林樵清|林 lin qiaoqing|lin
林慎立|林 lin shenli|lin
凌锋|凌 ling feng|ling
刘宾深|刘 liu binshen|liu
刘宾雁|刘 liu binyan|liu
刘刚|刘 liu gang|liu
刘国凯|刘 liu guokai|liu
刘华清|刘 liu huaqing|liu
刘俊国|刘 liu junguo|liu
刘凯中|刘 liu kaizhong|liu
刘千石|刘 liu qianshi|liu
刘青|刘 liu qing|liu
刘山青|刘 liu shanqing|liu
刘士贤|刘 liu shixian|liu
刘文胜|刘 liu wensheng|liu
刘晓波|刘 liu xiaobo|liu
刘晓竹|刘 liu xiaozhu|liu
刘永川|刘 liu yongchuan|liu
流亡|流 go into exile|liu
六四|六 june forth|liu
龙虎豹|龙 dragon tiger and leopard|long
陆委会|陆 mainland affairs council|lu
吕京花|吕 lv jinghua|lv
吕秀莲|吕 lv xiulian|lv
抡功|抡 lungong|lun
伦功|伦 lungong|lun
轮大|轮 lunda|lun
轮功|轮 lungong|lun
轮奸|轮 gangbang|lun
罗干|罗 luo gan|luo
罗礼诗|罗 luo lishi|luo
马大维|马 ma dawei|ma
马良骏|马 ma liangjun|ma
马三家|马 ma sanjia|ma
马时敏|马 ma shimin|ma
卖国|卖 sell out the country|mai
毛厕洞|毛 toilet hole|mao
毛片|毛 adult video|mao
毛贼东|毛 mao thief dong (Mao tse-tung)|mao
美国参考|美 American reference|mei
美国之音|美 voice of america|mei
蒙独|蒙 mogolian independence|meng
蒙古独立|蒙 mogolian independence|meng
密穴|密 secretive delve|mi
绵恒|绵 mianheng|mian
民国|民 china republic|min
民进党|民 demorcratic progressive party|min
民联|民 demorcratic unification|min
民意|民 public opinion|min
民意论坛|民 forum of public opinion|min
民运|民 demorcratic movement|min
民阵|民 demorcratic frontier|min
民猪|民 min pig(demorcracy)|min
民主|民 demorcracy|min
民主墙|民 wall of demorcracy|min
民族矛盾|民 contradiction among nationalities|min
明慧|明 minghui |min
莫伟强|莫 mo weiqiang|mo
木犀地|木 muxidi|mu
木子论坛|木 muzi forum|mu
南大自由论坛|南 freedom forum of nan jing university|nan
闹事|闹 make trouble|nao
倪育贤|倪 ni yuxian|ni
你说我说论坛|你 you say I say forum|ni
潘国平|潘 pan guoping|pan
泡沫经济|泡 foam economy|pao
迫害|迫 persecute|po
祁建|祁 qi jian|qi
齐墨|齐 qi mo|qi
钱达|钱 qian da|qian
钱国梁|钱 qian guoliang|qian
钱其琛|钱 qian qichen|qian
抢粮记|抢 a record of looting grains|qiang
乔石|乔 qiao shi|qiao
亲美|亲 pro-america|qin
亲日|亲 pro-japan|qin
钦本立|钦 qin benli|qin
秦晋|秦 qinjing|qin
青天白日旗|青 blue sky white sun flag|qing
轻舟快讯|轻 qingzhou |qing
情妇|情 mistress|qing
庆红|庆 qinghong|qing
全国两会|全 national two conferences|quan
热比娅|热 rebiya|re
热站政论网|热 rezhan politics network|re
人民报|人 people's daily|ren
人民内情真相|人 people inside truth|ren
人民真实|人 people truly|ren
人民之声论坛|人 voice of people forum|ren
人权|人 human rights|ren
忍|忍 tolerate|ren
日内瓦金融|日 geneva finance|ri
瑞士金融大学|瑞 finance university of swisserland|rui
色情|色 eroticism|se
善恶有报|善 kindness and evil will be paid|shan
上海帮|上 gang of shanghai|shang
上海孤儿院|上 shanghai orphanage|shang
邵家健|邵 shao jiajian|shao
射精|射 ejaculate|she
神通加持法|神 theurgy adding and hold|shen
沈彤|沈 shentong|shen
升天|升 be raised to the skies|sheng
盛华仁|盛 sheng huaren|sheng
盛雪|盛 sheng xue|sheng
师父|师 master|shi
石戈|石 shi ke|shi
时代论坛|时 time forum|shi
时事论坛|时 current affairs forum|shi
世界经济导报|世 world economics guide|shi
事实独立|事 fact independence|shi
双十节|双 double tens day|shuang
水扁|水 shuibian|shui
税力|税 shuili|shui
司马晋|司 sima jng|si
司马璐|司 sima lu|si
司徒华|司 situ hua|si
斯诺|斯 snow|si
四川独立|四 sichuan independence|si
宋xx|宋 song xx|song
宋平|宋 song ping|song
宋书元|宋 song shuyuan|song
宋祖英|宋 song zuying|song
苏绍智|苏 su shaozhi|su
苏晓康|苏 su xiaokang|su
台独|台 taiwan independence|tai
台盟|台 taiwan alliance|tai
台湾独立|台 taiwan independence|tai
台湾狗|台 taiwan dog|tai
台湾建国运动组织|台 organization of taiwan country founding movement|tai
台湾青年独立联盟|台 independent league of taiwan youth|tai
台湾政论区|台 taiwan politics zone|tai
台湾自由联盟|台 taiwan freedom league|tai
太子党|太 prince party|tai
汤光中|汤 tang guangzhong|tang
唐柏桥|唐 tang boqiao|tang
唐捷|唐 tang jie|tang
滕文生|滕 teng wensheng|teng
天安门录影带|天 tiananmen video tape|tian
天安门事件|天 tiananmen incident|tian
天安门屠杀|天 tiananmen masscre|tian
天安门一代|天 tiananmen generation|tian
天怒|天 celestial warth|tian
天葬|天 celestial burial|tian
童屹|童 tong qi|tong
统独|统 unification and independence|tong
统独论坛|统 forum of unification and independence|tong
统战|统 unified frontline|tong
屠杀|屠 massacre|tu
外交论坛|外 diplomatism forum|wai
外交与方略|外 diplomatism and strategy|wai
万润南|万 wan runnan|wan
万维读者论坛|万 world wide reader forum|wan
万晓东|万 wan xiaodong|wan
汪岷|汪 wang min|wang
王宝森|王 wang baosen|wang
王炳章|王 wang bingzhang|wang
王策|王 wang ce|wang
王超华|王 wang chaohua|wang
王丹|王 wang dan|wang
王辅臣|王 wang fuchen|wang
王刚|王 wang gang|wang
王涵万|王 wang hanwan|wang
王沪宁|王 wang huning|wang
王军涛|王 wang juntao|wang
王力雄|王 wang lixiong|wang
王瑞林|王 wang ruilin|wang
王润生|王 wang runsheng|wang
王若望|王 wang ruowang|wang
王希哲|王 wang xizhe|wang
王秀丽|王 wang xiuli|wang
王冶坪|王 wang yeping|wang
网特|网 network spy|wang
尉健行|尉 wei jianxing|wei
魏京生|魏 wei jingsheng|wei
魏新生|魏 wei xinsheng|wei
温家宝|温 wen jiabao|wen
温元凯|温 wen yuankai|wen
文革|文 cultural revolution|wen
无界浏览器|无 boundless browser|wu
吴百益|吴 wu baiyi|wu
吴邦国|吴 wu bangguo|wu
吴方城|吴 wu fangcheng|wu
吴官正|吴 wu guanzheng|wu
吴弘达|吴 wu hongda|wu
吴宏达|吴 wu hongda|wu
吴仁华|吴 wu renhua|wu
吴学灿|吴 wu xuecan|wu
吴学璨|吴 wu xuecan|wu
吾尔开希|吾 wu'erkaixi|wu
五不|五 five nos|wu
伍凡|伍 wu fan|wu
西藏|西 tibet|xi
西藏独立|西 tibeten|xi
洗脑|洗 brainwash|xi
下体|下 private parts|xia
项怀诚|项 xiang huaicheng|xiang
项小吉|项 xiang xiaoji|xiang
小参考|小 little reference|xiao
肖强|肖 xiao qiang|xiao
邪恶|邪 evil|xie
谢长廷|谢 xie changting|xie
谢选骏|谢 xie xuanjun|xie
谢中之|谢 xie zhongzhi|xie
辛灏年|辛 xin haonian|xin
新观察论坛|新 new observer forum|xin
新华举报|新 xinhua report |xin
新华内情|新 xinhua inside|xin
新华通论坛|新 xinhua overview forum|xin
新疆独立|新 xinjiang independence|xin
新生网|新 xinsheng network|xin
新闻封锁|新 news blockage|xin
新语丝|新 new threads|xin
信用危机|信 trust crisis|xin
邢铮|邢 xing zheng|xing
熊炎|熊 xiong yan|xiong
熊焱|熊 xiong yi|xiong
修炼|修 practice|practice
徐邦秦|徐 xu bangqin|xu
徐才厚|徐 xu caihou|xu
徐匡迪|徐 xu kuangdi|xu
徐水良|徐 xu shuiliang|xu
许家屯|许 xujiatun|xu
薛伟|薛 xue wei|xue
学潮|学 campus upheaval|xue
学联|学 student association|xue
学习班|学 learning class|xue
学运|学 student movement|xue
学自联|学 student self-governing association|xue
雪山狮子|雪 snow mountain lion|xue
严家其|严 yan jiaqi|yan
严家祺|严 yan jiaqi|yan
阎明复|阎 yan mingfu|yan
颜射|颜 yan she|yan
央视内部晚会|央 cctv internal party|yang
杨怀安|杨 yang huai'an|yang
杨建利|杨 yang jianli|yang
杨巍|杨 yang wei|yang
杨月清|杨 yang yueqing|yang
杨周|杨 yang zhou|yang
姚月谦|姚 yao yueqian|yao
夜话紫禁城|夜 forbidden city night talk|ye
一中一台|一 one china one taiwan|yi
义解|义 yijie|yi
亦凡|亦 yifan|yi
异见人士|异 dissident|yi
异议人士|异 dissident|yi
易丹轩|易 ease pill lofty|yi
易志熹|易 yi zhixi|yi
淫穴|淫 lascivious hole|yin
尹庆民|尹 yin qingmin|yin
由喜贵|由 you xigui|you
游行|游 demonstration|you
幼齿|幼 young tooth|you
幼女|幼 infant girl|you
于大海|于 yu dahai|yu
于浩成|于 yu haocheng|yu
余英时|余 yu shiying|yu
舆论|舆 public opinion|yu
舆论反制|舆 reverse control of public opinion|yu
宇明网|宇 yuming network|yu
圆满|圆 |
远志明|远 yuan zhiming|yuan
岳武|岳 yue wu|yue
在十月|在 in october|zai
则民|则 zemin|ze
择民|择 zemin|ze
泽民|泽 zemin|ze
贼民|贼 zeimin|zei
曾培炎|曾 zeng peiyan|zeng
曾庆红|曾 zeng qinghong|zeng
张伯笠|张 zhang boli|zhang
张钢|张 zhang gang|zhang
张宏堡|张 zhang hongbao|zhang
张健|张 zhang jian|zhang
张林|张 zhang lin|zhang
张万年|张 zhang wannian|zhang
张伟国|张 zhang weiguo|zhang
张昭富|张 zhang zhaofu|zhang
张志清|张 zhang zhiqing|zhang
赵海青|赵 zhao haiqing|zhao
赵南|赵 zhao nan|zhao
赵品潞|赵 zhao pinlun|zhao
赵晓微|赵 zhao xiaowei|zhao
赵紫阳|赵 zhao ziyang|zhao
哲民|哲 zhemin|zhe
真相|真 truth|zhen
真象|真 truth|zhen
镇压|镇 repression|zhen
争鸣论坛|争 contend forum|zheng
正见网|正 right argument network|zheng
正义党论坛|正 justice party forum|zheng
郑义|郑 zhengyi|zheng
行房|房 make love|house
自慰|慰 masturbate |be relieved
吹萧|萧 blow job|
色狼|色 lady-killer|color
胸罩|罩 bra|cover
内裤|裤 underwear|pants
底裤|裤 undershorts|pants
私处|私 private parts|private
爽死|爽 feel well to death|feel well
变态|态 abnomality|form
妹疼|疼 younger sister's pain|pain
妹痛|痛 younger sister's pain|pain
弟疼|疼 younger brother's pain|pain
弟痛|痛 younger brother's pain|pain
姐疼|疼 elder sister's pain|pain
姐痛|痛 elder sister's pain|pain
哥疼|疼 elder brother's pain|pain
哥痛|痛 elder brother's pain|pain
同房|房 sleep together|house
打炮|炮 shoot the big gun|big gun
造爱|爱 make love|love
性交|性 sexual intercourse|sex
性爱|性 sexual love|sex
作爱|作 make love|make
做爱|做 make love|make
操你|操 fuck you|fuck
日你|日 fuck you|fuck
日批|日 fuck cunt|fuck
日逼|日 fuck cunt|fuck
鸡巴|鸡 dick|chicken
我操|操 I fuck|fuck
操死|操 fuck to death|fuck
乳房|乳 breasts|breast
阴茎|阴 penise|femiline
阳具|阳 male genitals|masculine
开苞|苞 open bud|bud
肛门|肛 anus|anus
阴道|阴 vagina|feminine
阴蒂|阴 clit|feminine
肉棍|肉 flesh stick|flesh
肉棒|肉 flesh pole|flesh
肉洞|肉 flesh hole|flesh
荡妇|荡 callet|lechery
阴囊|阴 scrotum|lunar
睾丸|睾 testicle|testicle
捅你|捅 stab you|stab
捅我|捅 stab me|stab
插我|插 thrust me|thrust
插你|插 thrust you|thrust
插她|插 thrust her|thrust
插他|插 thrust him|thrust
干你|干 fuck you|fuck
干她|干 fuck her|fuck
干他|干 fuck him|fuck
妓女|妓 prostitute|prostitute
射精|射 ejaculate|shoot
口交|交 oral intercourse|intercourse
手淫|淫 masturbation|lewd
口淫|淫 oral masturbation|lewd
屁眼|屁 asshole|fart
阴户|阴 vulva|private
阴门|阴 private door|private
下体|下 lower parts|lower
龟头|龟 glans|tortoise
阴毛|阴 pubes|private
避孕套|套 condomn|sheath
你妈逼|逼 your mom's cunt|cunt
大鸡巴|鸡 big dick|chicken
性高潮|性 sexual climax|sex
性虐待|性 Sadism&Masochism|sex
私处 private part
肉棍 meat pole
肉棒 meat stick
大鸡巴 big dick
龟头 penis tip
肉洞 meat hole
屁眼 anal orifice
阴毛 pubic hair
操你, 日你, 干你 fuck you
捅你, 插你 thrust into you
日批, 日逼 fuck the cunt
性交, 行房, 打炮 sexual intercourse
造爱, 做爱, 作爱 make love
射精 ejaculation
性高潮 sexual climax
爽死 experience la petite morte
性虐待 sexual torture
嫖 patronize prostitutes
卖淫 engage in prostitution
幼女 minor female
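The list above is a `term|key-character gloss|key-character-gloss` dump, and a few of its rows are damaged: the pipe after the key character is missing, a gloss has spilled into the last column, or a gloss is empty. The following is an added example, not part of the original post: a tolerant parser for that row format, plus a substring matcher that uses the key-character column as a cheap prefilter before confirming the full term. The sample rows are copied from the list; the sentence being checked is constructed. That the key character was meant as a prefilter is an assumption on my part; the matcher is correct either way, because it only reports a term after confirming the whole term is present.

```python
"""Tolerant parser and matcher for the `term|key gloss|key-gloss` keyword
list format.  Added example; ROWS are copied from the dump above and the
test sentence is constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Rows copied from the list, chosen to cover the irregular shapes it contains.
ROWS = [
    "falun:法轮",                                       # header-like line, no pipes
    "民主|民 democracy|people",                         # well-formed
    "两会|两 two conferences|liang",
    "两会报道|两 reporing of two conferences|two",
    "华语世界论坛华 Chinese world forum|hua",            # pipe after key char missing
    "江泽民|江jiang zemin jiang",                        # no space, no second pipe
    "大盖帽|帽 |",                                      # empty glosses
    "藏独|藏 |Tibetan independence|tibet",              # extra pipe, gloss shifted right
    "郑义|& zhengyi|",                                  # key char garbled to '&'
]


@dataclass(frozen=True)
class Entry:
    term: str        # the filtered keyword
    key_char: str    # the single character the list marks as the key
    gloss: str       # English gloss of the term ("" if the row had none)
    key_gloss: str   # English gloss of the key character ("" if absent)

    @property
    def consistent(self) -> bool:
        """A sane row has its key character somewhere inside the term."""
        return self.key_char in self.term


def parse_row(raw: str) -> Optional[Entry]:
    """Parse one row; return None for lines that are not entries at all."""
    raw = raw.strip()
    if "|" not in raw:
        return None
    parts = [p.strip() for p in raw.split("|")]
    head = parts[0]
    if " " in head:
        # The pipe between term and key character is missing, so the key
        # character is the last CJK char before the first space.
        head, _, spilled = head.partition(" ")
        term, key = head[:-1], head[-1]
        glosses = [spilled] + parts[1:]
    else:
        term = head
        seg = parts[1]
        if not seg:
            return None
        key = seg[0]
        glosses = [seg[1:].strip()] + parts[2:]
    glosses = [g for g in glosses if g]          # drop empty columns
    gloss = glosses[0] if glosses else ""
    key_gloss = glosses[-1] if len(glosses) >= 2 else ""
    return Entry(term, key, gloss, key_gloss)


def parse_rows(lines) -> List[Entry]:
    return [e for e in (parse_row(l) for l in lines) if e is not None]


def match(text: str, entries) -> List[str]:
    """Return the sorted list of terms that occur in `text`.  The key
    character is used only as a prefilter: a consistent entry cannot match
    unless its key character is present, so the substring test is skipped;
    inconsistent entries (garbled key) always get the full test."""
    chars = set(text)
    found = []
    for e in entries:
        if e.consistent and e.key_char not in chars:
            continue
        if e.term in text:
            found.append(e.term)
    return sorted(found)


if __name__ == "__main__":
    entries = parse_rows(ROWS)
    for e in entries:
        flag = "" if e.consistent else "  <- key char not in term"
        print(f"{e.term!r:14} key={e.key_char} gloss={e.gloss!r} key_gloss={e.key_gloss!r}{flag}")
    print(match("论坛上讨论民主与两会报道的内容", entries))
```

The `consistent` flag is worth keeping when loading a dump like this: rows whose key character is not in the term are almost always extraction damage, and a filter that trusted the key column blindly would silently never match them.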
tibet 100tibet falungong 64tibet falungong
members.tripod.lycos.nl, omni.cc.purdue.edu, worldbridges.com, tibet.org.actadivina.com
taiwan china 100tibet falungong 37tibet falungong
publish.gio.gov.tw, news.chinatimes.com
equality 100tibet falungong 24tibet falungong
wheel98.tripod.com
democracy china 80tibet falungong 42tibet falungong
news.bbc.co.uk, iso.hrichina.org equality democracy freedom revolution dissident8151
dissident china 80tibet falungong 37tibet falungong
dailynews.muzi.com, news.bbc.co.uk, web.amnesty.org, sg.news.yahoo.com, archive.nandotimes.com, dfn.org, iso.hrichina.org equality democracy freedom revolution dissident8151, news.muzi.com, www-tech.mit.edu
taiwan 70tibet falungong 47tibet falungong
equality democracy freedom revolution dissident8001, tw-women.formosa.org
revolution 70tibet falungong 21tibet falungong
history.acusd.edu
dissident 60tibet falungong 31tibet falungong
news.bbc.co.uk, home.att.net, sg.news.yahoo.com, archive.nandotimes.com, brokentoy.com, dissident.cjb.net, groups.yahoo.com, home.earthlink.net
性病 (“STDs” in Chinese) 60tibet falungong 13tibet falungong
home.netvigator.com, pages.yahoo.com, lists.w3.org
freedom china 60tibet falungong 32tibet falungong
news.bbc.co.uk, dfn.org, thechinadesk.tripod.com, latelinenews.com
justice china 60tibet falungong 30tibet falungong
dailynews.muzi.com, news.bbc.co.uk, web.amnesty.org, iso.hrichina.org equality democracy freedom revolution dissident8151
counterrevolution china 50tibet falungong 21tibet falungong
groups.yahoo.com, iso.hrichina.org equality democracy freedom revolution dissident8151
news china 40tibet falungong 40tibet falungong
dailynews.muzi.com, news.bbc.co.uk, latelinenews.com, sun.sino.uni-heidelberg.de, news.chinatimes.com, faluninfo.net
liberty china 40tibet falungong 17tibet falungong
asia.news.yahoo.com, clearwisdom.net, chinacrystalandmore.com
民主 (“democracy” in Chinese) 40tibet falungong 15tibet falungong
home.att.net, countless.members.easyspace.com, lists.w3.org, home.kosha.net
正义 (“justice” in Chinese) 40tibet falungong 15tibet falungong
home.att.net, countless.members.easyspace.com, lists.w3.org, home.kosha.net
战争 (“war” in Chinese) 40tibet falungong 15tibet falungong
home.att.net, countless.members.easyspace.com, lists.w3.org, home.kosha.net
革命 (“revolution” in Chinese) 30tibet falungong 11tibet falungong
123.virtualave.net, buddhistgroup.tripod.com, marina.fortunecity.com, kof.hypermart.net, odin.prohosting.com, lists.w3.org
china blog 30tibet falungong 11tibet falungong
sameekshaa.tripod.com, bodhichitta.net, clarity.awakeheart.net
法轮功 (“falun gong” in Chinese) 30tibet falungong 15tibet falungong
home.netvigator.com
tibet china 20tibet falungong 39tibet falungong
sun.sino.uni-heidelberg.de, tibet.org.actadivina.com
democracy 20tibet falungong 34tibet falungong
bostonreview.mit.edu
dissident blog 20tibet falungong 11tibet falungong
brian.carnell.com, dailypics.blogfodder.net, glennfrazier.com, dev.null.org, gloomsday.net
news 20tibet falungong 43tibet falungong
news.bbc.co.uk, abc.go.com
famine china 20tibet falungong 23tibet falungong
members.tripod.com, news.bbc.co.uk, sg.news.yahoo.com, pathfinder.com, cms.osu.edu, math.boisestate.edu, netec.mcc.ac.uk
自由 (“freedom” in Chinese) 20tibet falungong 17tibet falungong
wembley.fortunecity.com, odin.prohosting.com, lists.w3.org
民主 中国 (“democracy china” in Chinese) 20tibet falungong 12tibet falungong
home.netvigator.com, home.att.net, countless.members.easyspace.com, lists.w3.org
正义 中国 (“justice china” in Chinese) 20tibet falungong 12tibet falungong
home.netvigator.com, home.att.net, countless.members.easyspace.com, lists.w3.org
战争 中国 (“war china” in Chinese) 20tibet falungong 12tibet falungong
home.netvigator.com, home.att.net, countless.members.easyspace.com, lists.w3.org
liberty 20tibet falungong 28tibet falungong
w3.trib.com
counter-revolution china 20tibet falungong 21tibet falungong
web.amnesty.org, samvak.tripod.com, iso.china-labour.org.hk, english.pravda.ru
STDs china 20tibet falungong 9tibet falungong
news.bbc.co.uk, ncaids.www.50megs.com, nepmu6.med.navy.mil
HIV 中国 (“HIV china” in Chinese) 10tibet falungong 7tibet falungong
members.tripod.com, package.minghui.org, greendoor.hypermart.net, finans.regeringen.se
平等 (“equality” in Chinese) 10tibet falungong 12tibet falungong
photo-camera.hypermart.net, cckan.uhome.net
AIDS china 10tibet falungong 21tibet falungong
news.bbc.co.uk, latelinenews.com, ncaids.www.50megs.com, equality democracy freedom revolution dissident8000, china-hiking.com, english.pravda.ru
sex china 10tibet falungong 19tibet falungong
dailynews.muzi.com, news.bbc.co.uk, asian-yellowpages.virtualave.net, june4th.freeyellow.com, travelhog.net, english.pravda.ru
revolution china 10tibet falungong 18tibet falungong
members.fortunecity.com, members.tripod.com, news.bbc.co.uk, carlisle-www.army.mil, home.earthlink.net, kaladarshan.arts.ohio-state.edu
equality china 10tibet falungong 15tibet falungong
iso.hrichina.org equality democracy freedom revolution dissident8151, th.gio.gov.tw
性 中国 (“sex china” in Chinese) 10tibet falungong 15tibet falungong
home.netvigator.com, home.att.net, countless.members.easyspace.com, www-dapnia.cea.fr
疾病 (“disease” in Chinese) 10tibet falungong 12tibet falungong
2-k.tripod.com, web.amb-chine.fr
counterrevolution 10tibet falungong 9tibet falungong
iso.hrichina.org equality democracy freedom revolution dissident8151
war 0tibet falungong 32tibet falungong
members.tripod.com, news.bbc.co.uk, carlisle-www.army.mil, coldwar.army.mil, warliberal.com
justice 0tibet falungong 26tibet falungong
members.tripod.com
freedom 0tibet falungong 28tibet falungong
equality democracy freedom revolution dissident8001, lpf.ai.mit.edu
war china 0tibet falungong 24tibet falungong
news.bbc.co.uk, carlisle-www.army.mil, wesleyday.freeyellow.com, fourthmarinesband.com, historyliterature.homestead.com, editors.sipri.se, english.pravda.ru, history.acusd.edu
hunger china 0tibet falungong 24tibet falungong
news.bbc.co.uk, carlisle-www.army.mil, clearwisdom.net, iso.china-labour.org.hk, faluninfo.net
AIDS 0tibet falungong 21tibet falungong
hwbbs.gbgm-umc.org, equality democracy freedom revolution dissident8000
饿 (“hungry” in Chinese) 0tibet falungong 20tibet falungong
edegratis.cjb.net, geocities.yahoo.com.br, isshou.netfirms.com, navquest.tripod.com
famine 0tibet falungong 16tibet falungong
news.bbc.co.uk, home.earthlink.net
艾滋 (“AIDS” in Chinese) 0tibet falungong 16tibet falungong
odin.prohosting.com, lists.w3.org, getbul.web.edunet4u.net
disease 0tibet falungong 16tibet falungong
cjdfoundation.org, my.webmd.com
disease china 0tibet falungong 14tibet falungong
news.bbc.co.uk, alumweb.mit.edu, weber.ucsd.edu
HIV china 0tibet falungong 14tibet falungong
news.bbc.co.uk, ncaids.www.50megs.com, equality democracy freedom revolution dissident8000
blog 0tibet falungong 14tibet falungong
cyberian.tripod.com, pontoblog.tk, gloomsday.net, quitehappy.com
hunger 0tibet falungong 13tibet falungong
news.bbc.co.uk, randi_2.tripod.com
反革命 中国 (“counterrevolution china” in Chinese) 0tibet falungong 12tibet falungong
members.tripod.com, home.netvigator.com, vijay.bravepages.com, odin.prohosting.com, lists.w3.org
革命 中国 (“revolution china” in Chinese) 0tibet falungong 11tibet falungong
members.tripod.com, home.netvigator.com, vijay.bravepages.com, odin.prohosting.com, lists.w3.org
新闻 中国 (“news china” in Chinese) 0tibet falungong 10tibet falungong
members.tripod.com, lists.w3.org
sex 0tibet falungong 9tibet falungong
erotiksearch.de, equality democracy freedom revolution dissident8000
反革命 (“counterrevolution” in Chinese) 0tibet falungong 9tibet falungong
123.virtualave.net
中国 疾病 (“disease china” in Chinese) 0tibet falungong 9tibet falungong
home.netvigator.com, iso.hrichina.org equality democracy freedom revolution dissident8151, lists.w3.org
自由 中国 (“freedom china” in Chinese) 0tibet falungong 8tibet falungong
members.tripod.com, iso.hrichina.org equality democracy freedom revolution dissident8151, odin.prohosting.com, lists.w3.org
天安门事件 (“tiananmen massacre” in Chinese) 0tibet falungong 8tibet falungong
members.tripod.com, lists.w3.org, ppewww.ph.gla.ac.uk
中国 饿 (“hungry china” in Chinese) 0tibet falungong 8tibet falungong
home.netvigator.com, lists.w3.org
STDs 0tibet falungong 8tibet falungong
, , , dir.groups.yahoo.com, , , , sexuality.about.com
平等 中国 (“equality china” in Chinese) 0tibet falungong 8tibet falungong
, home.netvigator.com, , iso.hrichina.org equality democracy freedom revolution dissident8151, , lists.w3.org,
艾滋病 中国 (“AIDS china” in Chinese) 0tibet falungong 7tibet falungong
members.tripod.com, , odin.prohosting.com, lists.w3.org, , ,
新闻 (“news” in Chinese) 0tibet falungong 7tibet falungong
members.tripod.com, , , ,
HIV 0tibet falungong 7tibet falungong
, , ,
counter-revolution 0tibet falungong 6tibet falungong
, , english.pravda.ru, historicaltextarchive.com, netec.mcc.ac.uk
性 (“sex” in Chinese) 0tibet falungong 4tibet falungong
, rockespeilet.50megs.com,
性病 中国 (“STDs china” in Chinese) 0tibet falungong 4tibet falungong
members.tripod.com, , , lists.w3.org

It's about time we turned the tables on attackers by doing what we should have done long ago: making the data UNAVAILABLE to them.  I came up with this approach a while back while doing response work.

If hostile threat actors fill up warehouses (WoW gold-farming style) banging on their keyboards, interacting with the encrypted reverse shells they seeded your organization with, and filling up their encrypted RAR files with your crown jewels, then you're just toast.  What is needed is to segregate and limit access to critical data to only the time periods during which the data is actually being used by the user.

So the CNE operators basically do their job across the pond, directly opposite our time zone.  Their 9-5 is our nighty-night time.   Well, your organization's hosts (left on at night because they can't SUFFER a REBOOT after patching in the morning –> users scream wAH) DO NOT NEED access to data when you are not logged on or are away from work.

If user data were cryptographically locked and segregated from the host machine during a certain chain of events or during predetermined time periods, then it wouldn't matter if half of China was on your box.  They could not get access to it even if they wanted to.  Additionally, I have recommended to my clients that they actually force their users to segregate all sensitive data onto removable encrypted USB hard drives that are disconnected at night.  This, however, only fixes the client data issue and not compromised credentials ripping data off of portals or share drives.

This concept combines two mitigations into one: remove the data from the host, and make it unavailable when it's not needed.  The beauty of this is that it would FORCE CNE operators to lose their beauty sleep, because they would have to work during OUR business hours, not theirs, and, oh BTW, make them really cranky.  They would have to attack our data on our boxes while we are on them and while that data is in use, making it much easier to detect anomalies, as well as allowing the highly skilled DAY SHIFTs in the SOCs to better detect and respond.

The other approach swings well with green policies and saves money.  Forcing systems to shut down on logoff events would additionally remove the data from being targeted, as the machine is OFF, and save electricity to boot.  The money saved can go toward that 3 million you will spend on your next APT compromise.  Traditionally patch managers freak out and say this will prevent patching from being done.  NO, this will prevent patching from being done when THEY want to do it.  Change the game.  Fuck your adversary.

It makes sense to me and it should make sense to you too.  Vendors / entrepreneurs, get on it.  CISOs, get educated: you're getting robbed blind; think unconventionally and protect yourselves.
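The two mitigations above as one policy engine, written as an added example for this post (not code from the original blog): the vault unlocks only while a user is interactively present AND the clock is inside business hours, and a logoff powers the box down. The event names, schedule and scenario are constructed.

```python
"""Time- and session-gated data vault: an added example of the idea in this
post (sensitive data is reachable only while its user is actively on the box
and only during business hours), not code from the original blog. The event
names, schedule and scenario below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Tuple

# Session events the host's logon agent would report (constructed vocabulary).
LOGON, LOGOFF, SESSION_LOCK, SESSION_UNLOCK, IDLE_TIMEOUT = (
    "logon", "logoff", "session_lock", "session_unlock", "idle_timeout")
PRESENT = {LOGON, SESSION_UNLOCK}
ABSENT = {LOGOFF, SESSION_LOCK, IDLE_TIMEOUT}


@dataclass
class VaultPolicy:
    open_at: time = time(7, 0)        # business-hours window (local time)
    close_at: time = time(19, 0)
    shutdown_on_logoff: bool = True   # the "green" variant: machine goes OFF

    def in_business_hours(self, ts: datetime) -> bool:
        return self.open_at <= ts.time() < self.close_at


@dataclass
class DataVault:
    """Unlocked only when BOTH hold: a user is interactively present and the
    clock is inside business hours. Anything else locks the data."""
    policy: VaultPolicy
    user_present: bool = False
    unlocked: bool = False
    audit: List[Tuple[str, str]] = field(default_factory=list)

    def _apply(self, ts: datetime, reason: str) -> None:
        want = self.user_present and self.policy.in_business_hours(ts)
        if want != self.unlocked:
            self.unlocked = want
            self.audit.append((ts.isoformat(), ("UNLOCK" if want else "LOCK") + ":" + reason))

    def on_event(self, ts: datetime, event: str) -> str:
        if event in PRESENT:
            self.user_present = True
        elif event in ABSENT:
            self.user_present = False
        else:
            raise ValueError(f"unknown session event {event!r}")
        self._apply(ts, event)
        if event == LOGOFF and self.policy.shutdown_on_logoff:
            self.audit.append((ts.isoformat(), "SHUTDOWN:logoff"))
            return "shutdown"
        return "unlocked" if self.unlocked else "locked"

    def access(self, ts: datetime) -> bool:
        """A data read at time ts. The clock is re-checked on every access, so a
        session left open overnight still yields nothing after close_at."""
        self._apply(ts, "access_check")
        return self.unlocked


def run_scenario(steps: List[Tuple[str, str]], policy: Optional[VaultPolicy] = None) -> List[str]:
    """steps: (ISO timestamp, session event or 'read'). One outcome per step."""
    vault = DataVault(policy or VaultPolicy())
    out = []
    for stamp, action in steps:
        ts = datetime.fromisoformat(stamp)
        if action == "read":
            out.append("read_ok" if vault.access(ts) else "read_denied")
        else:
            out.append(vault.on_event(ts, action))
    return out


# Constructed day: user works, locks the screen at lunch, forgets to log off;
# an overnight read (the other side's shift) is denied; next morning the user
# is back, and the end-of-day logoff powers the box down.
SCENARIO = [
    ("2011-03-25T08:30", LOGON),
    ("2011-03-25T10:00", "read"),
    ("2011-03-25T12:00", SESSION_LOCK),
    ("2011-03-25T12:10", "read"),
    ("2011-03-25T12:45", SESSION_UNLOCK),
    ("2011-03-26T03:00", "read"),
    ("2011-03-26T08:05", "read"),
    ("2011-03-26T17:00", LOGOFF),
]

if __name__ == "__main__":
    for step, result in zip(SCENARIO, run_scenario(SCENARIO)):
        print(step, "->", result)
```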

One of the most vexing and frustrating (for many) aspects of cyber espionage intrusion response is the ongoing debate over whether or not discovered samples should be submitted to AV companies.  Obviously what would happen is that at some point, most likely, an automatic process would engage and some type of generic signature would be generated, marking the sample and its variants as malicious.  The monitored hosts would then detect and delete the sample; the smart CNE operator would notice this and modify his sample for new, undetected attacks.

One of the primary worries many have is “We don’t want them evolving! It will be too hard to find and detect!”  Therefore, let's not up the ante by forcing them to evolve.  Well, has that helped the situation at all? NO.  Has that stemmed the massive data loss? NO.  Sure, it's easier to analyze samples when they are not packed and the code is easy to read.

Groups like Mandiant and others working investigative forensic response have seen samples become detected, and the adversaries entrench deeper and modify their malware, which foils an effective response; the responders then have to start their intelligence collection cycle again before they can do a proper remediation.  Of course this helps their billings, but it really doesn’t help the poor victims, it does not stem the data loss, and it certainly does not get the adversaries out.

In light of this issue I propose a concept I have been espousing for a while.

GAMECHANGER:  Out of Band CyberEspionage Malware notification/alert system for AV security endpoint agents.

Currently victims don’t want to reveal their malware and all its nefarious tricks to AV companies for fear of it pooching a remediation effort.  AV systems typically detect the threat and delete it, simple as that.  Usually admins don’t even look at the AV logs, and even when they do the information is usually not much use.  Ironically, the consumer AV product offerings are more descriptive than the commercial ones.

What is needed is for AV companies to offer an option so that any time a specific espionage-malware-related event occurs, a hotline number and POC that the customer has registered (for example the CISO, or one of their lead investigators) is notified in an out-of-band fashion.   Detection of this malware would do simply that: detect and report out of band.  It would never block it, alert on it, report it, share it, or raise any results whatsoever on a scan event.  The ONLY communication would be from the AV vendor directly, via encrypted out-of-band communication, to the registered POC, who would be very cognizant of the importance of this particular threat.  Well, one would ask, what exactly gets detected, signature-wise, for this type of event?  It could consist of in-the-cloud “highly sensitive signatures” that are developed as a result of espionage-related incident investigations, with a focus on custom malware and on malware that is openly available but used predominantly by cyber espionage actors.  The malware sample set could include hashes, IP and domain lists, detection of very specific techniques, signatures, etcetera, that would constitute a compilation of intelligence several orders of magnitude smaller than all the copious amounts of cybercrime information that is prevalent today.  This small data set of intelligence, if generated by authoritative sources in a collaborative fashion and delivered in a secure and intelligent way, would allow for rapid notification to an organization: UHhhh, you got some serious problems going on, PLA is all up in yoZ SHIT.  This could dramatically change the balance of power.

Investigators would be free to segregate and label samples as espionage-ware if properly vetted; highly advanced analytical resources could then collaboratively rip apart samples to a much more in-depth technical level, and those resources would have a higher qualitative return on investment because they are not wasting time with crap and are focusing on a much smaller set of highly damaging threats.  (Have you noticed that AV threat scores are worthless???)  Ironically, the smaller the prevalence of the malware threat (APT —-> ), the more AV vendors say it is a low, very low threat.  Well, not when it's shunting Joint Strike Fighter data to Beijing it's not.  Get with the program.  Granted, AV companies don't give a crap about the US Government.  They are global in nature and have millions of customers.  A targeted attack, being, well, targeted, might impact only .005 percent of their customers.  However, threat ratings are still stuck in the worm days and have not evolved appreciably in years…

At the end of the day this would allow organizations to save a ton of money and resources where currently they are trying to cobble together or buy/build their own internal VirusTotal systems on the back end (a ridiculous effort and waste) and proceed with half-assed implementations of their own sandbox systems, for fear that AV companies will report this out to the world and, by the nature of their products, tip off the attackers that they have been discovered.

This would also allow for intelligent, threat-driven TRIAGE of their malcode events, allowing them the freedom of action to handle each and every event the way THEY want to: capturing memory first, collecting a forensic image, monitoring network traffic for a time to profile the attack, or conducting active defense actions by infiltrating the C2 channels/disrupting the hostile infrastructure, and allowing for capture and analysis of the compromised hop point that will reveal the origins of the TRUE attackers.
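The routing logic the proposal describes, as an added example that is not code from the original blog or from any AV vendor: commodity hits take the normal quarantine-and-log path, while espionage-tier hits change nothing on the host and produce only an authenticated record for the registered POC. The indicators, hosts, POC record and shared key are constructed.

```python
"""Two-tier detection routing: an added example of the out-of-band espionage
notification concept in this post, not code from the original blog or from any
AV vendor. The indicators, hosts, POC record and shared key are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

COMMODITY, ESPIONAGE = "commodity", "espionage"


@dataclass(frozen=True)
class Indicator:
    kind: str    # "sha256" | "domain" | "mutex"
    value: str
    tier: str    # COMMODITY or ESPIONAGE
    name: str    # says what the thing IS, not a generic family blob


@dataclass(frozen=True)
class Contact:
    """The customer's registered out-of-band point of contact."""
    org: str
    poc: str
    hotline: str
    shared_key: bytes   # constructed; stands in for the encrypted channel's key


def seal(contact: Contact, body: dict) -> dict:
    """HMAC the canonical JSON so the POC can tell a real hotline message from
    a forged one (integrity only; confidentiality is the channel's job)."""
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(contact.shared_key, raw, hashlib.sha256).hexdigest()}


def verify(contact: Contact, record: dict) -> bool:
    expected = seal(contact, record["body"])["mac"]
    return hmac.compare_digest(expected, record["mac"])


class Router:
    """Commodity hits take the usual quarantine-and-log path. Espionage-tier
    hits are never blocked and never touch the local scan log; each produces
    one sealed out-of-band record addressed to the registered POC."""

    def __init__(self, indicators: List[Indicator], contact: Contact):
        self.index: Dict[Tuple[str, str], Indicator] = {
            (i.kind, i.value.lower()): i for i in indicators}
        self.contact = contact
        self.local_log: List[dict] = []    # what the endpoint/admin console sees
        self.outbound: List[dict] = []     # what goes to the vendor-side hotline

    def lookup(self, kind: str, value: str) -> Optional[Indicator]:
        return self.index.get((kind, value.lower()))

    def handle(self, host: str, kind: str, value: str) -> str:
        hit = self.lookup(kind, value)
        if hit is None:
            return "allow"
        if hit.tier == COMMODITY:
            self.local_log.append({"host": host, "name": hit.name, "action": "quarantine"})
            return "quarantine"
        body = {"org": self.contact.org, "to": self.contact.poc, "host": host,
                "name": hit.name, "kind": kind, "value": value}
        self.outbound.append(seal(self.contact, body))
        return "allow"   # host state unchanged: the operator is not tipped off


# Constructed indicator set; the hashes are computed here, not real IoCs.
SAMPLE_A = hashlib.sha256(b"constructed commodity sample").hexdigest()
SAMPLE_B = hashlib.sha256(b"constructed espionage sample").hexdigest()
INDICATORS = [
    Indicator("sha256", SAMPLE_A, COMMODITY, "mass-mailing worm (constructed)"),
    Indicator("sha256", SAMPLE_B, ESPIONAGE, "custom RAT dropper from espionage case (constructed)"),
    Indicator("domain", "update-check.example", ESPIONAGE, "C2 domain from espionage case (constructed)"),
]
CISO = Contact("ExampleCorp", "ciso@example", "+1-555-0100", b"constructed-shared-key")


def demo() -> Router:
    r = Router(INDICATORS, CISO)
    r.handle("WS-004", "sha256", SAMPLE_A)               # commodity: quarantined, logged
    r.handle("WS-117", "sha256", SAMPLE_B)               # espionage: silent, POC notified
    r.handle("WS-117", "domain", "Update-Check.example")  # case-insensitive match
    return r
```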

I know this blog gets lots of readers; however, it gets VERY little active discussion and feedback.  This is a damn shame.  If you know of any open blogs that actually take these issues seriously, discuss them in depth and are willing to address the bugaboo in the room, then let me know and I will link them.  I would bet AV companies are sitting on a ton of APT malware for which they have no clue as to the operational context….

It’s high time you stopped getting events labeled trojan.generic and Backdoor.ckb.  Come on, man, that’s just crap.  Customers should demand better.

At the end of the day, I guess I am really just planting seeds..

One of the things that drives my research, in contrast to other technical research on malware that tends to focus only on the bits and bytes, is the fact that you can tell entire stories and interrelate seemingly disparate hostile acts of cyber aggression if you know enough and look long enough at the data right in front of you.

The concept of malware intelligence and connecting the dots after viewing many, many samples seems to be under-appreciated in the industry to a large extent.  Especially with AV vendors, whose mission is mainly to focus on large, prevalent threats; most of the excellent stuff is never reported, or is just rubbed out of existence with ridiculous CARO naming convention names that mean nothing to the end user and say nothing about the level of weaponization of the malware nor the myriad intelligence nuggets that can be found in its inner core.  Additionally, where this information is discovered, it is not correlated, shared, or discussed in the open.  The actors and organizations are given free rein to act in the shadows because no one is actually pointing a finger in their direction and putting heat on them.  This is additionally true in the cybercrime area of malware development, where many may know the actors responsible or behind the networks, however they keep it private.    This only enables the sorry state of our situation, where the game has completely changed and a tipping point (actually we are way past that) has occurred.  The ground has shifted under our feet and we are still not gauging how serious the things occurring are.

GAMECHANGER: I am proposing that industry luminaries come together to create a highly technical Malware Intelligence Fusion Center with the express goal of bringing the special weaponization techniques to light and out in the open: identify and correlate the myriad slip-ups that hostile actors make that can enable attribution, whether it be embedded payload metadata, unique encryption, shellcode specifics, payload pedigrees, or TTPs of hostile actors, and then tie these back to multi-INT sources of open source intelligence, thus creating threat dossiers that can be leveraged for real-world actions.
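The correlation step that proposal rests on, as an added example (not code from the original blog): samples are linked into dossiers whenever they share a specific artifact such as a PDB path, an encryption key, a C2 domain or a mutex, while a shared compiler timestamp is reported only as supporting overlap. Every sample, path, key and domain is a constructed placeholder.

```python
"""Artifact-overlap clustering into threat dossiers: an added example of the
correlation the fusion-center proposal describes, not code from the original
blog. Every sample, path, key and domain below is a constructed placeholder."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Artifact kinds specific enough to link two samples on their own.
STRONG = {"pdb_path", "rc4_key", "c2_domain", "mutex"}
# Kinds too common to link on their own; reported as supporting overlap only.
WEAK = {"compile_ts"}

Artifacts = Dict[str, str]  # kind -> value, for one sample


class DisjointSet:
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)


def build_dossiers(samples: Dict[str, Artifacts]) -> List[dict]:
    """Link samples that share any STRONG artifact; each connected component
    becomes one dossier listing its members, the pivots that tie them together
    and any WEAK artifacts they also have in common."""
    by_artifact: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for sid, arts in samples.items():
        for kind, value in arts.items():
            by_artifact[(kind, value)].append(sid)
    ds = DisjointSet()
    for sid in samples:
        ds.find(sid)                      # singleton until linked
    for (kind, _), sids in by_artifact.items():
        if kind in STRONG:
            for other in sids[1:]:
                ds.union(sids[0], other)
    groups: Dict[str, List[str]] = defaultdict(list)
    for sid in samples:
        groups[ds.find(sid)].append(sid)
    dossiers = []
    for members in groups.values():
        members.sort()
        mset = set(members)
        pivots = sorted((k, v, len(s)) for (k, v), s in by_artifact.items()
                        if k in STRONG and len(set(s) & mset) >= 2)
        weak = sorted((k, v) for (k, v), s in by_artifact.items()
                      if k in WEAK and len(set(s) & mset) >= 2)
        dossiers.append({"samples": members, "pivots": pivots, "weak_overlap": weak})
    dossiers.sort(key=lambda d: d["samples"])
    return dossiers


# Constructed sample set: s1..s3 and s5 form one chain (PDB path, RC4 key,
# mutex, C2 domain); s4 shares only a compile timestamp and stays separate.
SAMPLES: Dict[str, Artifacts] = {
    "s1": {"pdb_path": r"C:\dev\loader\Release\ldr.pdb", "c2_domain": "c2-a.example",
           "compile_ts": "2010-11-02"},
    "s2": {"pdb_path": r"C:\dev\loader\Release\ldr.pdb", "rc4_key": "k-0001",
           "compile_ts": "2010-11-02"},
    "s3": {"rc4_key": "k-0001", "c2_domain": "c2-b.example", "mutex": "Global\\svcx_run"},
    "s4": {"c2_domain": "c2-c.example", "mutex": "Global\\other", "compile_ts": "2010-11-02"},
    "s5": {"mutex": "Global\\svcx_run", "c2_domain": "c2-a.example"},
}

if __name__ == "__main__":
    for d in build_dossiers(SAMPLES):
        print(d["samples"], "pivots:", d["pivots"], "weak:", d["weak_overlap"])
```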

These cyber actions are done precisely because there is NO risk of consequence.  They can operate in the dark because the industry allows them to.  It fails to focus on the fine technical details that might actually connect the dots and draw a bigger picture, and then use that knowledge to force a change of behavior.   The numerous denials from various foreign ministers about how they would never, ever do these things are on their face wholly ridiculous; however, when challenged after each attack, the victims simply let it go: they do not aggressively push for results, demand a change in behavior, or impose consequences collectively or individually.  Most will simply write up a small malware analysis report, note the C2 IP address (for blocking purposes), which is completely worthless and holds NO worth whatsoever in cyberdefense now as we speak.  Then they will post it somewhere and occasionally it will get referenced when the next attack occurs.

The collective talent in the security and AV space is staggering; however, with all that brain power, not a single group or entity (save for possibly Mandiant) has truly tackled and provided a real cyber espionage malware intelligence capability that is worth much of anything.  If countries want to play the malware espionage game, then they will have to up their game and not get caught, or else all their information is identified, captured and made available to the community for the purposes of collective defense.  (Think water buffaloes rallying around and protecting themselves when a pride of lions enters the area.)

One of the problems is that much of this is done sort of effectively in the military/intelligence space; however, it's pretty much akin to a group of lords and ladies all protected behind big stone walls while the barbarians ravage the countryside and pillage the peasants and merchant class.  This is exactly what is occurring today; however, the fallacy is thinking that the lords and ladies behind the walls are actually safe.  They are not.  They are under concerted siege, and are only now discovering the rotting, diseased corpses that have been placed in the wells and catapulted over the walls at night, and the assassin insiders that manipulate and kill from within.   Cyber espionage is at risk of being over-popularized to the point where people now hear of a major breach, roll their eyes and say "Oh man, not again.  Oh well."  It happens a lot, and then they proceed to blah blah about how they should have been secure.

Why has the public discussion not turned openly hostile, demanded action, demanded answers and started to act in a more active-defense posture towards this?  Currently there is very little open academic or public debate on the benefits of aggressive self-defense.  I will say that the latest video where this poor fat kid is just getting the crap punched out of him by a sadistic yet smaller little bastard of a kid.  The fat kid finally says @#[email protected]#, grabs the little pissant, heaves him up in the air and .    The bully then proceeds to do a ridiculous “I just got knocked the F&(k out!” wobble and the bullied kid walks away.

This should serve as a nice inspiration for an example of active defense, but I doubt many think it's time to work on these things.

My main purpose for this blog was to infect the blogosphere with memes and concepts to modify the way things are being done today in the realms of cyberwar/conflict and the sorry situation we are in.  I have proposed game-changing concepts of the kind that seem to be so actively sought after by organizations like DARPA and NIST, as well as others.   Based on the types of organizations that have actively followed this blog, I would say that some of the content has influenced actions or ideas and maybe, just maybe, planted seeds from which we can pivot from the old and emerge stronger and more active into the new paradigm we find ourselves in.

Many have inquired about the sources of some of my previous posts.  You can piece together much of the cyber espionage program by researching a variety of sources, such as ThreatExpert / security research on zero-day exploits, where they cover not only the embedded attacks but also analysis of the payloads, and deep technical analysis of the samples on contagio’s web site.  Combine that with reports to Congress on China, James M’s excellent reporting on behalf of NGC, topical reports from InfoWar Monitor on GHOSTNET/Aurora/Night Dragon and others, as well as the excellent malware analysis reports that were exposed by HBGary’s colossal fuckup, revealing new victims, and the in-depth malware analysis reports from the targeted and thoroughly compromised QinetiQ organization that works in cyber defense.  Tie that to the revelations of Wikileaks, which exposed methods, code names, past attacks and timelines, along with the excellent reports that Mandiant puts out, and you can easily combine it with the full bevy of open source social networking research to make and tell a wonderful fact-based story and connect the dots.  The fact that attackers suck so much at their job (or don’t care about operational security), or that we are just so good at putting the pieces together, makes for interesting days.

We shall see how the RSA thing pans out; however, there are more “invasions” (BTW, that’s what China calls computer intrusions….) than you can shake a stick at, and we and our allies will be doing post mortems until the cows come home.  In the meantime those little bastards will continue to steal our data on the hosts you are not looking at.

Typically, from a cyberdefense standpoint, 2-factor authentication is the way to go.  Well, the fact is that our adversaries have effectively developed, operationalized and used successful attacks against our Government's smart cards, commonly known as the  for DOD and PIV for Federal agencies.    I would have to imagine this is highly damaging and embarrassing, considering the millions and millions of dollars and years of development that have been put into the effort over the last decade.

The irony is that the Federal Government hasn't even completely rolled out these capabilities for agencies, leaving these safeguards as optional for implementation until recently.  Really??

Either way, they are pwned now.  Users are attacked at home while they use their cards, and attackers are alerted and ride the session in to steal the data from smartcard-protected portals.   A significant effort must have been initiated to circumvent these controls.    This is known as a Smart-Card Proxy attack.  In order to work with the card reader, the attacker would have required reverse-engineering knowledge and would then have written code to hook and issue calls to the vendor software.  They would also have had to undermine the chain of trust.

BTW, soft certificate stealing is par for the course in APT malware, so if you think about using them, or extracting them to disk with the private key installed, then you're doubly screwed.  Either that or they will hook all the certificate processes in Windows and dump the private keys/passphrases from there, or get the PINs from normal keystroke logging.

The only vendor that truly makes this software is  .  So much for their tagline “Establishing Trust in Online Identities”….

I will reprint the article here since it's just so damn scandalous.

The US government has been stepping up its use of smart cards to help lock down its computer networks, but hackers have found ways around them.

Over the past 18 months, security consultancy has come across several cases where determined attackers were able to get onto computers or networks that required both smart cards and passwords. In a report set to be released Thursday, Mandiant calls this technique a “smart card proxy.”

The attack works in several steps. First, the criminals hack their way onto a PC. Often they’ll do this by sending a specially crafted email message to someone at the network they’re trying to break into. The message will include a malicious attachment that, when opened, gives the hacker a foothold in the network.

After identifying the computers that have card readers, the bad guys install keystroke logging software on those computers to steal the password that is typically used in concert with the smart card.

Then they wait.

When the victim inserts the smart card into the hacked PC, the criminals then try to log into the server or network that requires the smart card for authentication. When the server asks for a digital token from the smart card, the bad guys simply redirect that request to the hacked system, and return it with the token and the previously stolen password.

This is similar to the techniques criminals have been using for several years now to get around the extra authentication technologies used in online banking.

Mandiant is the kind of company that businesses and government agencies call to clean up the mess after they’ve been hacked. It has done investigations at about 120 organisations over the past year and a half. Most of them get hacked via a targeted email. But in many cases, they were actually hacked years earlier, but never managed to remove the malicious software from their network, according to the report.

Companies or government agencies that assume that they are secure just because they use smart cards to authenticate could be in for a nasty surprise some day, said Rob Lee, a director with Mandiant. “Everything is circumventable in the end,” he said.
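One detection angle on the proxy attack described in the article, as an added example that is not code from the original post or from Mandiant: in the attack the card sits in the reader of the compromised PC while the session is built from the attacker's system, so a smart-card logon whose client host does not match the host that reported the card present (or with no card present at all) is the shape to alert on. This assumes the workstation reports card-present telemetry and the portal logs a client host identity it can compare; events, hosts and users are constructed.

```python
"""Source-consistency check for smart-card logons: an added detection example
built on the proxy attack described above, not code from the original post or
from Mandiant. Telemetry, hosts and users are constructed. Assumes the
workstation reports card_present events and the portal logs the client host."""
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(minutes=5)   # how recent a card-present event must be


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def check_logons(events: List[Dict[str, str]], window: timedelta = WINDOW) -> List[Dict[str, str]]:
    """For each portal_auth, find the user's most recent card_present within
    `window`. No such event, or a different host than the auth's source, is the
    trace a proxied logon leaves: card in reader A, session built from host B."""
    events = sorted(events, key=lambda e: _ts(e["t"]))
    last_card: Dict[str, Dict[str, str]] = {}
    alerts: List[Dict[str, str]] = []
    for e in events:
        if e["type"] == "card_present":
            last_card[e["user"]] = e
            continue
        if e["type"] != "portal_auth":
            continue
        card = last_card.get(e["user"])
        if card is None or _ts(e["t"]) - _ts(card["t"]) > window:
            alerts.append({"t": e["t"], "user": e["user"], "src": e["src"],
                           "reason": "no_card_present"})
        elif card["host"] != e["src"]:
            alerts.append({"t": e["t"], "user": e["user"], "src": e["src"],
                           "card_host": card["host"], "reason": "source_mismatch"})
    return alerts


# Constructed telemetry. "card_present" is reported by the workstation holding
# the reader; "portal_auth" is the server-side record of a smart-card logon.
EVENTS = [
    {"t": "2011-03-24T09:02:00", "type": "card_present", "user": "jdoe", "host": "WS-117"},
    {"t": "2011-03-24T09:02:30", "type": "portal_auth", "user": "jdoe", "src": "WS-117"},
    {"t": "2011-03-24T10:00:00", "type": "card_present", "user": "asmith", "host": "WS-042"},
    {"t": "2011-03-24T10:00:20", "type": "portal_auth", "user": "asmith", "src": "WS-042"},
    # evening: card inserted at home, but the session comes from another host
    {"t": "2011-03-24T21:40:00", "type": "card_present", "user": "jdoe", "host": "HOME-PC"},
    {"t": "2011-03-24T21:40:12", "type": "portal_auth", "user": "jdoe", "src": "HOP-203"},
    # overnight: a logon with no card reported anywhere in the window
    {"t": "2011-03-25T03:15:00", "type": "portal_auth", "user": "jdoe", "src": "HOP-203"},
]

if __name__ == "__main__":
    for a in check_logons(EVENTS):
        print(a)
```

This only catches the case the article describes, where the session originates somewhere other than the host holding the card; the two daytime logons above pass because host and source agree.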

As if that were not enough, they are also using social networking for C2, including MSN and Google Chat. 

Funny how AV companies are really quiet about all these novel capabilities.  My dime is that they are sitting untouched in those massive malware repositories they have.  Maybe if they dropped all their Allaple/Virut/Sality samples they could see the forest for the trees.

Imagine that all of your organization's information was being read by a foreign nation state, who uses it to modernize the arsenals you might have to fight one day, steals your innovative ideas and hands them off to their national universities to replicate and deliver to government-backed/owned enterprises, uses timely intelligence to have full knowledge of your plans/intentions and negotiating positions and then undermines them to force you to abort your preplanned negotiation limits, or scoops the deal your organization has been working on for months/years by underbidding you and winning multibillion-dollar resource extraction contracts.  How about targeting your cyberdefence infrastructure by extracting its details and custom-coding software that undermines and circumvents it.  Imagine your organization having lost its entire Active Directory password database, extracted from your domain controllers; imagine enemies coming and going at will through your networks; imagine that at ANY time your adversaries can extract your email like a vacuum cleaner right out of your Exchange inbox and PST files without you even knowing about it.  Imagine your enemy attacking you through your subcontractors' VPNs, your users getting emails daily with undetectable trojan horse payloads while your email gateway doesn't bat an eyelash, your adversaries accessing all your juicy portals and N-tier web-based content systems and browsing at will on the back of legitimate yet compromised user credentials.  And lastly, imagine for a second your adversary having the ability to download or modify their code and use their access to install and run destructive capabilities at will.  Really.  Really?  Ponder it and then demand answers. 

CyberDefense is bullshit.  The tipping point is now.  Do something or it will be too late later.

This is the daily reality we are facing.  People and so-called experts who are not in the know and call this FUD are clueless.  Here is a roll-up of the Sh1tSt0rm that's just transpired in the last couple of months.

Think about this as a citizen and then ask yourself: the US has the most powerful cyber capability in the world, so what the f#@# are we doing with it?  Why are these attacks continuing?  Are we impotent to stop them?  Have we lost the ability to project national power to compel an adversary to modify its actions?

  • (The MHTML implementation in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly handle a MIME format in a request for content blocks in a document, which allows attackers to conduct cross-site scripting (XSS) attacks via a crafted web site that is visited in Internet Explorer.)
  • (new victims revealed)