March 12, 2010

So it looks like Team Cymru implemented my Gamechanger #1 idea to solve the notification challenges…


The BIN (Bank Identification Number) Feed comprises a near-real-time list of bank accounts and credit cards that have been identified by Team Cymru as potentially compromised. This data comes from Team Cymru’s unique insight into the Underground Economy. This service is provided to verified financial institutions at no cost to them.

The BIN Feed is provided through a secure web portal to vetted and verified financial institutions only. Data is carefully isolated, so that each financial institution can only view data on their own customers’ potentially compromised accounts. Representatives of financial institutions may contact the Team Cymru Outreach Team at with details of their BIN/IIN numbers to request access to this data. Please provide details of your institutional affiliation and allow time for us to verify and validate your request.
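As an added illustration of the per-institution isolation described above (my example, not Team Cymru's code and not from the original post): a feed keyed on BIN/IIN prefixes routes each compromised-card record only to the institution that registered that prefix, masks the PAN before anything is displayed, and parks records for unclaimed prefixes in an "unassigned" queue. The institutions, their prefixes and the records are constructed; the PANs are publicly known test numbers (plus one deliberately corrupted copy), and the Luhn filter, masking scheme and queue name are this example's own assumptions.

```python
"""BIN-keyed routing of compromised-card reports (added example, not Team Cymru's code)."""
from collections import defaultdict

# Constructed registrations: each vetted institution lists the BIN/IIN prefixes it issues.
# Hypothetical institutions; the prefixes match the public test numbers used below.
REGISTRATIONS = {
    "Example Bank A": ["411111"],
    "Example Bank B": ["555555"],
}

# Constructed feed of "potentially compromised" cards. Every PAN is a publicly known
# test number or a deliberately corrupted copy of one; none is a real account.
RAW_FEED = [
    {"pan": "4111111111111111", "seen": "2010-03-10", "source": "constructed dump A"},
    {"pan": "5555 5555 5555 4444", "seen": "2010-03-11", "source": "constructed dump A"},
    {"pan": "378282246310005", "seen": "2010-03-11", "source": "constructed dump B"},
    {"pan": "4111111111111112", "seen": "2010-03-12", "source": "constructed dump B"},  # bad check digit
]


def normalize(pan):
    """Strip spaces/dashes so the same card is not reported twice under two spellings."""
    return "".join(ch for ch in pan if ch.isdigit())


def luhn_ok(pan):
    """Standard Luhn check; drops obvious garbage from underground dumps before routing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the BIN (first 6) and last 4; the portal never displays a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def build_bin_index(registrations):
    """Map each BIN prefix to exactly one institution; refuse overlapping claims."""
    index = {}
    for institution, prefixes in registrations.items():
        for prefix in prefixes:
            if prefix in index:
                raise ValueError(f"BIN {prefix} claimed by two institutions")
            index[prefix] = institution
    return index


def route(raw_feed, registrations):
    """Return ({institution: [masked records]}, rejected). Records that fail the length
    or Luhn check are set aside for audit; unclaimed BINs go to the 'unassigned' queue."""
    index = build_bin_index(registrations)
    routed = defaultdict(list)
    rejected = []
    for rec in raw_feed:
        pan = normalize(rec["pan"])
        if not 12 <= len(pan) <= 19 or not luhn_ok(pan):
            rejected.append(rec)
            continue
        institution = index.get(pan[:6], "unassigned")
        routed[institution].append(
            {"pan": mask(pan), "seen": rec["seen"], "source": rec["source"]}
        )
    return dict(routed), rejected


def view_for(institution, routed):
    """What one institution can see: its own slice only."""
    return routed.get(institution, [])


if __name__ == "__main__":
    routed, rejected = route(RAW_FEED, REGISTRATIONS)
    for institution in REGISTRATIONS:
        print(institution, view_for(institution, routed))
    print("unassigned:", view_for("unassigned", routed), "rejected:", rejected)
```

The index refuses a prefix claimed by two institutions, which is the check that actually enforces "each financial institution can only view data on their own customers": a duplicate registration would otherwise leak one issuer's records to another.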

I am going to have to give this the whole 2 DIGITS up.

October 9, 2009

So I originally came up with this idea for counterterrorism a while ago and have modified it for cyberwar conflict. It goes like this. Why aren't more terrorists killed on a daily basis by powers that can do it and have the will? For the completely countervailing reason that usually trumps direct action: intelligence gathering. Plain and simple. INT collection is used on a worldwide basis to target actors. However, pre-9/11 completely showed a lack of will and balls to actually take care of problems for completely bullshit reasons. Lawyers, human rights blah blah. Bureaucracy. Apathy and pragmatic thought.


My solution for terrorists was this. You do all the INT collection you want. But 1 [ONE] DAY EVERY YEAR you have what I will term a BLACK NOVEMBER. What is it, you ask? It's a kill pulse. All the intelligence derived and gathered and fused and generated during the year gets put into a master target list, and direct action takes place synchronized. This will have the immediate effect of dramatically draining the SWAMP immediately, eliminating a lot of the BS INTEL noise you get in collection efforts and clearing the way for a new round of intel gathering, new link analysis and intel collection.

Direct action will be expendable and non-attributable and revolve around “accidents or otherwise mundane unfortunate circumstances.” Better not to attract that much attention, unless that's what you want to go for.

I then evolved this concept to terrorist electronic communication forums, which present the inherent evil in allowing for dispersal of terrorist ideology, plans, TTPs and other terrorist crap. So the BLACK NOVEMBER would essentially over time corrupt any backups of data that were being made, then target and destroy, crypto attack or secure delete all worldwide terrorist extremist forums and other info material that is in direct control of mal actors.

One, this highly disruptive attack would sow CHAOS into the ranks, break communication mechanisms, force the reestablishment of new networks and comms that can be rapidly identified and tracked to be put into the next yearly Purge cycle for cyberwipe.

So after this I come to my 3rd evolution of BLACK NOVEMBER.  That is doing the same thing but targeting the numerous cybercrime forums, tool factories, egosites, and Botnet command and control sites that exist throughout the Internet. [NOTE: IF IT WASN'T ALREADY OBVIOUS. you do this Non-attributable, preferably geographically spread across the Internet IP space and Geographies, you also use massive variation in code, techniques, and character sets and styles.  Unless of course you don't care about attribution for the shock factor]

This can be a massive sweep or it could be a certain number of high threat target sets.  Either way, this pulse of cyberpurging would ENSURE ONE THING. That there are no excuses, no compromises, and real,…REAL action taken against at least the Technical mal-infrastructure that pervades the net and sucks like a vampire of our National Security and Economic Security.

I will be the first to say that I don't think our authorities have the will, vision, foresight, or balls to ever consider any of these actions. However I will say this. I am laying it out there as a thought meme, a destabilizing concept that needs to be expanded and discussed and further investigated….
SO WHAT…. DO YOU HAVE A BETTER SOLUTION?  If so fire away propose one.  And don’t rehash any of the ideas that have been bandied about for years.  Come up with something original.

Yes folks, we need a Phoenix Program for Cyber.  That’s what I’m saying.

October 8, 2009

So after attending a training event in which CERT-CC staff said they are always run ragged notifying compromised organizations of a compromise, I came up with an idea that quits wasting tons of freaking time. Instead of having every security company on the planet contacting and maintaining lists of POCs, emails and phone numbers for the security staff of every organization on the planet in order to notify them that 10000 of their users are now compromised (theft of PII, botnet infiltration, whatever), you just do this.

Set up an Industry Security Notification portal where organizations can register and an organizational RSS feed is dynamically created for them. An XML data sharing schema is put in place to represent the details of said compromise. It would have an Organizational tag on it that identifies the specific organization. If a security organization obtains information of a compromise of PII from, say, 10 different companies, they split the data up by company and post directly to each organization's RSS data feed, to which that organization subscribed when it signed up.

This way Due Diligence of notification has been accomplished, and the or other security firm can wipe its hands of its notification duties, and go about actually doing specialized R&D to solve this mess once and for all instead of spending precious time on bullshit.

Organizations that have not registered with the portal site would still have their RSS compromise detail information published; however, it would be an encrypted blob. All that would be shown is the organization name and very high level details of the event. I'm sure if published publicly, personal and professional networking would take over and they would find out really quickly, check the details and resolve the issues.

Once events are resolved, they can be archived off the portal into the organization's account and taken off the public dashboard associated with the site.
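The portal mechanics laid out above, as an added example that is not part of the original post and not anyone's production system: one multi-victim dataset is split per organization, each organization gets its own RSS feed carrying a compromise element in a hypothetical XML namespace, registered organizations get full detail, and unregistered ones get only the organization name, a high-level summary and a sealed blob whose key the portal hands over once they register and are vetted. The findings, organization names and namespace are constructed; the sealing is a standard-library-only encrypt-then-MAC construction (HMAC-SHA256 in counter mode plus an HMAC tag) used as a stand-in so the example runs offline, where a real portal would use AES-GCM from a vetted library.

```python
"""Per-organization compromise notification feeds (added example; not the post's own system)."""
import hashlib
import hmac
import json
import secrets
from collections import defaultdict
from xml.etree import ElementTree as ET

NS = "urn:example:compromise-notification"  # hypothetical schema namespace
ET.register_namespace("cn", NS)

# Constructed findings from one fictitious dataset; no real organizations or victims.
FINDINGS = [
    {"org": "example-bank", "kind": "credential-theft", "affected": 1200,
     "details": {"source": "constructed dump", "sample_accounts": ["u1", "u2"]}},
    {"org": "example-retail", "kind": "pii-exposure", "affected": 300,
     "details": {"source": "constructed dump", "fields": ["name", "email"]}},
    {"org": "example-bank", "kind": "botnet-infection", "affected": 40,
     "details": {"c2": "c2.example.invalid", "hosts": ["h1"]}},
]


def split_by_org(findings):
    """Partition one multi-victim dataset into per-organization slices."""
    by_org = defaultdict(list)
    for finding in findings:
        by_org[finding["org"]].append(finding)
    return dict(by_org)


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: stand-in stream cipher so the example needs only
    the standard library. A real portal would use AES-GCM from a vetted library."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC: the blob is opaque on the public dashboard until the key is released."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key, blob):
    """Verify the tag before decrypting; a modified blob is rejected, not partially decoded."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_feed(org, findings, registered, portal_keys):
    """RSS 2.0 feed for one organization. Registered orgs get full detail; unregistered
    orgs get the org name, a high-level summary and the sealed blob."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = f"Compromise notifications for {org}"
    for finding in findings:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = f"{finding['kind']}: {finding['affected']} affected"
        event = ET.SubElement(item, f"{{{NS}}}compromise", org=org,
                              kind=finding["kind"], affected=str(finding["affected"]))
        payload = json.dumps(finding["details"]).encode()
        if org in registered:
            ET.SubElement(event, f"{{{NS}}}details").text = payload.decode()
        else:
            sealed = seal(portal_keys[org], payload)
            ET.SubElement(event, f"{{{NS}}}sealed").text = json.dumps(sealed)
    return ET.tostring(rss, encoding="utf-8")


def sealed_blobs(feed_xml):
    """Pull the sealed blobs out of a feed (what a newly registered org would decrypt)."""
    root = ET.fromstring(feed_xml)
    return [json.loads(node.text) for node in root.iter(f"{{{NS}}}sealed")]


def publish(findings, registered):
    """One dataset in, one feed per organization out. The portal keeps one key per org
    and releases it only after that org registers and is vetted."""
    portal_keys = {org: secrets.token_bytes(32) for org in {f["org"] for f in findings}}
    feeds = {org: build_feed(org, slice_, registered, portal_keys)
             for org, slice_ in split_by_org(findings).items()}
    return feeds, portal_keys


if __name__ == "__main__":
    feeds, keys = publish(FINDINGS, registered={"example-bank"})
    for org, xml in feeds.items():
        print(org, xml.decode())
```

The point of `sealed_blobs` plus `unseal` is the "archive off the portal" step: once an organization registers, it fetches its existing feed, receives the portal-held key, and can decrypt the backlog itself, so the security firm that posted the data never has to be contacted again.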

Let's call this the Web2.0 solution to Incident Response Notification and a better and smarter responsible way for companies to quit doing waste of time work and start doing Real work.

OMG – its so simple….


Now someone just needs to get off their ass and implement it. How about the Big 5 to start: Microsoft, Symantec, McAfee, Trend, Cisco. Start setting an example and respond to a critical industry security need that helps all of us and presents a Gamechanger for Cybersecurity.

Here is an example of data repatriated via a 10 day Rustock/Mebroot/Torpig botnet takeover. The researchers captured the data and then analyzed it and went scratching their heads as to who to contact about the data, how to notify the victims, and the sheer scope of bullshit that would be needed to do all the notifications. HERE is an example that justifies the implementation of my idea.


April 23, 2009

So Brian Krebs Joe Stewart about his upcoming presentation at RSA and changing the way we do business in the realm of passive/aggressive cyberwar.

Time for an Internet A-Team?

It was a pretty good article.

I posted a challenge to them to continue the debate in a regular series working through the ins and outs and thought memes that will really serve to percolate and become real game changers. I even offered to host their data on these bad actors on my site.

As you know we have our SPOTLIGHT SHINE Bright Series that has its goals of identifying and disrupting these bad actors.

I also requested that they come on here and let me interview them to explore these new concepts and challenge them to stretch the bounds of their operational constructs.  I would like to bounce some of my ideas around an echo chamber with Joe’s since we are both idea guys and see what could be possible in the real world.

April 21, 2009

The ….

Hackers Swipe Terabytes of Sensitive Pentagon Data

Apparently the has been hacked multiple times. Nice :( Way to go with maintaining our pointy tip of the spear. You develop, we rip it from you. Billions in R&D lost. However, if I was on the other side of the fence and I had the capabilities, I would steal it from you too if I knew you were too gutless to stop me or fight back.


This is entirely possible.  I was on a proactive malware seek and destroy digital forensics team for a major defense contractor where we found some of our workers doing DEVELOPMENT work via AirForce Virtual Private Network remote access on small little systems such as AirForce One, the B-52, the Prowler and other air based electronic attack platforms and systems.

The developer was going out getting all kinds of little open source and development tools and using them in his work, and somehow got all munged up with a malware infestation. Needless to say we escalated that quickly; however, it amplifies how serious it is if you get compromised and what can happen.

Firms like Northrop, Lockheed, BAE, Boeing are supposed to be the best in the cyber business, but with firms so large and expertise so sparse, you can't guard everything all the time constantly. There's lots of technical solutions for things; however, budgets are sparse and will is low, and Bureaucracy is RAMPANT. Process and Rules choke out agility and innovation.

At the end of the day I believe game changers are needed to begin the targeted and offensive attacks of known cyber operators that are doing this for profit and espionage gain. I mean doing really bad things to these people and their systems and organizations.


The gauntlet is thrown, you have been slapped, what the fuck are you going to do about it…


April 21, 2009

So a researcher I admire for his willingness to reveal his to the general masses, especially through his top 10 lists of the largest.  He has also done excellent research on more sinister malware such as Coreflood which has evolved over the years.


Apparently he is presenting some similar concepts at RSA soon that I have been espousing here, such as my cyber Special OPs forces targeting cybercrime networks.

Here is a quote from his

“Finally, on Thursday I’ll be delivering my own presentation entitled “Demonetizing Botnets” at 2:10 PM. This talk outlines my ideas for how we should restructure our efforts at fighting not just botnets, but cybercrime in general, both long and short-term. In this presentation, I will introduce a concept I call “offense-in-depth”, which I believe is the only approach that can address most of the cybercrime problems we are currently facing, given the current environment with respect to law enforcement’s challenges in cyberspace and pervasive vulnerabilities in computing and networking. I’m not saying my plan is any kind of silver bullet, but I hope it becomes part of the arsenal of everyone out there who is attempting to stem the tide of malicious software and computer intrusion. If you are interested in hearing my take on these matters, please attend. If anything I say inspires you to action, please meet up with me after the talk, and we can discuss the issues further. Hope to see you there!”

I love some of the . Titled….    (Joe I am behind you  on this one.)

Researcher wants hacker groups hounded mercilessly

Botnet expert Joe Stewart says ‘special ops’ teams could thwart cybercriminals

These concepts I have discussed in great depth in some of my earlier posts such as our Spotlight Shine Bright series, and my I call Shenanigans, and BBC Wussy Robin Hood articles.

A technology company employing some of the best and the brightest in the field just released an update to their product that actually implements an idea that I have been working on since late last year.  Clearly many in the security industry have realized that we need a couple of good game changing concepts to take us to the next level.  My focus was on how to change how we COMMUNICATE about malware.  If we are all working on the same sheet of paper, then we can focus our efforts on other high payoff challenges.

The company is called led by the guys that literally wrote the book on Rootkits.


HBGary seems to have done a good implementation job building Digital DNA features into their flagship product Responder Pro, which is an excellent live memory analysis tool. Increasingly, live memory analysis is critical to obtaining a full picture of what the malware does.


I have been researching similar concepts based on the extraction through observational analysis and generation of malware code DNA traits.  The goal being to identify and classify malware characteristics (what it is) from its functions (what it does).

For example the fact that a piece of code packs itself to hide from Antivirus or hinder reversing is a characteristic.  In and of itself it poses no threat.  A piece of code that can read/write files to your system and execute programs is a dangerous functionality all around.  That is a Function.

A possible implementation would involve creation of an Adobe Flex or HTML 5 based digital cyber dashboard which takes analyzed samples via backend systems, extracts the DNA automatically or manually, and creates a signature for the malware that combines a representative string of bits representing the DNA with hash and fuzzy hash signatures such as MD5, SHA-1, SHA-256, SHA-512, and SSDeep.

The dashboard generates a characteristic score and a functional score that result in an overall threat score.

The operational vision is to utilize this dashboard to describe the malware DNA in layman's terms so that cyber-operators and CIO types can RAPIDLY understand the threat and deal with it, not try to understand a bunch of gobbledygook.

The third component is an intelligence component that combines raw multi-disciplined private and open source intelligence on the bad guys that are behind the campaigns into digital dossiers.
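An added sketch of the trait-based scoring described above (my example, not HBGary's Digital DNA and not code from the post): a small catalogue of traits split into characteristics (what the code is) and functions (what it does), a bitstring "DNA" per sample, characteristic and functional scores combined into a 0-100 threat score, a plain-language summary for the dashboard, and a signature record carrying the DNA alongside MD5, SHA-1, SHA-256 and SHA-512 (ssdeep only if that third-party package is installed). The trait names, weights, wording and combining rule are assumptions; it also goes one step beyond the text with a similarity measure between two samples' DNA for grouping related samples.

```python
"""Trait-based malware "DNA" scoring (added example; not HBGary's Digital DNA)."""
import hashlib
from dataclasses import dataclass

try:
    import ssdeep  # third-party fuzzy hashing (python-ssdeep); optional here
except ImportError:
    ssdeep = None


@dataclass(frozen=True)
class Trait:
    name: str
    kind: str    # "characteristic" = what it is, "function" = what it does
    weight: int
    plain: str   # plain-language wording for the dashboard


# Hypothetical trait catalogue: names, weights and wording are this example's assumptions.
TRAITS = (
    Trait("packed", "characteristic", 1, "hides its code from antivirus and analysts"),
    Trait("anti_debug", "characteristic", 1, "resists being examined in a debugger"),
    Trait("file_rw", "function", 3, "reads and writes files on the machine"),
    Trait("exec", "function", 4, "launches other programs"),
    Trait("net_out", "function", 3, "sends data to systems on the Internet"),
    Trait("keylog", "function", 5, "records what the user types"),
)
BIT = {t.name: 1 << i for i, t in enumerate(TRAITS)}
MAX_CHAR = sum(t.weight for t in TRAITS if t.kind == "characteristic")
MAX_FUNC = sum(t.weight for t in TRAITS if t.kind == "function")


def encode_dna(observed):
    """Observed trait names -> one bitmask (the 'string of bits' carried in the signature)."""
    bits = 0
    for name in observed:
        bits |= BIT[name]  # an unknown trait name raises KeyError on purpose
    return bits


def decode_dna(bits):
    """Bitmask -> trait names, in catalogue order."""
    return [t.name for t in TRAITS if bits & BIT[t.name]]


def score(bits):
    """(characteristic score, functional score, overall threat 0-100).
    Design choice, following the post: characteristics alone are no threat, so they
    score zero on their own but amplify whatever dangerous functions are present."""
    char = sum(t.weight for t in TRAITS if t.kind == "characteristic" and bits & BIT[t.name])
    func = sum(t.weight for t in TRAITS if t.kind == "function" and bits & BIT[t.name])
    threat = round(100 * (func / MAX_FUNC) * (0.7 + 0.3 * char / MAX_CHAR))
    return char, func, threat


def describe(bits):
    """Layman's summary for the dashboard."""
    parts = [t.plain for t in TRAITS if bits & BIT[t.name]]
    if not parts:
        return "No notable traits observed."
    return "This program " + "; ".join(parts) + "."


def signature(sample, bits):
    """DNA bitstring plus exact and (optionally) fuzzy hashes of the sample bytes."""
    sig = {"dna": format(bits, f"0{len(TRAITS)}b")}
    for algo in ("md5", "sha1", "sha256", "sha512"):
        sig[algo] = hashlib.new(algo, sample).hexdigest()
    sig["ssdeep"] = ssdeep.hash(sample) if ssdeep else None  # None when the package is absent
    return sig


def similarity(bits_a, bits_b):
    """Jaccard similarity of two DNA bitmasks, for grouping related samples."""
    union = bits_a | bits_b
    if union == 0:
        return 1.0
    return bin(bits_a & bits_b).count("1") / bin(union).count("1")


# Constructed sample: a few bytes standing in for an analyzed binary, plus the traits
# an analyst recorded for it. Not a real malware sample.
SAMPLE = b"MZ\x90\x00constructed-sample-not-a-real-binary"
OBSERVED = ["packed", "file_rw", "exec", "net_out"]

if __name__ == "__main__":
    dna = encode_dna(OBSERVED)
    print(score(dna), describe(dna))
    print(signature(SAMPLE, dna))
```

With the constructed sample the characteristic score is 1, the functional score 10, and the threat score 57; adding `keylog` to the same sample moves it to 100, while a sample that is only packed and anti-debug scores 0, which is the "packing itself poses no threat" rule from the post expressed as arithmetic.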

March 25, 2009

.  Another good exploit pack.


March 25, 2009

A very sophisticated pack that has been extensively written about.


I will seek out the source code to post and see if we can glean some intelligence on the authors.

March 25, 2009

is older than Icepack and Mpack and was popular because it was cheap.

Panda did an on it.




March 25, 2009


There is a small write up about it at , and some great analysis by Dancho and .

Version Firepack lite 1.1, Firepack 0.18, 0.17


Exploits for some its versions are .

Possible Sourcecode can be found for the lite version .


Here we actually see the original Russian version.

Now we can target the Coder DIEL and track him by his ICQ number.


