CyberNinja FAIL

February 8, 2011

So apparently Mr. Barr tried to get all cyber ninja on the amorphous, chaotic and admirably effective Anonymous group. This of course was a disaster, resulting in him and his entire company getting a pwnage workshop run on them by the “evil notorious cyber terrorists,” or at least that's what I think they are being branded as.

For people who can't seem to read between the lines, Anonymous is a wonderful smokescreen, effectively running amok and tying up Federal cyber investigative resources that could be better used investigating the zillions of terabytes of critical information getting stolen on a regular basis by our “friends” according to official US foreign policy, the PRC PLA.

Interestingly enough, this FAIL example was driven by self interest and not the common good. It's also kind of disgusting to see how leaked information is being misused. For example, WikiLeaks just dribbles out information and cherry picks it to correspond to the latest news cycle, such as the Egyptian revolution thingy. As that effort goes on, out pop WikiLeaks cables of, guess what, Israel and Egypt scheming on Mubarak's successor. How timely. If you had any balls you would just release the whole 266k cables and not just the crappy 2000 or so for your own personal media benefit. I'm sure the Internet, through crowdsourcing effects, can analyze it on its own, thank you very much.

Now the parallel to this latest fiasco. HBGary decided to “investigate” the Anonymous group by using them as an example of how social media (shiver) is all bad and scary. Sorry, you're too late to the game; MySpace worms, Twitter hijacks and Robin Sage cleared that all up, okie, oh ya, and Koobface. Then they intended to glory whore the information at only the largest security conference on the planet, RSA, as well as peddle the information to the FBI. Did they release their investigative targets to the open public? No.

You see, the power of the Internet is that once you release something, it can never be taken back. Their second mistake was that they blabbed about their “targeting” to the Financial Times and crowed about it. To the enemy this is called “indications and warnings” in military speak. If they thought Anonymous was just going to not take up that challenge, it speaks worlds about how clueless they are to hacktivist causes and capabilities. And if you're gonna burn a group with your incredible research, release it ANONYMOUSLY for the world to enjoy. Don't be a twat and try to use it for personal benefit by exploiting it to drive security business to your company.

On a side note, I personally like their products, and they have a decent memory analysis product which I think has gone a long way towards popularizing memory analysis. They also have some good reversers who are pretty straight up. However, I have heard from many that their leadership unfortunately is pretty XXXXXX, just like many other security luminaries that claw and step on the backs of others in order to hack their personalities into the eyes of the security practitioner public.

Unfortunately there are a zillion hacktivists out there with hive-like mentalities and short attention spans. The real problem, though, is that it would be nice to focus their talents and energies on real hard targets such as the cyber units of the PLA in each of their military regions. If given cause, direction and targeting, this could effectively be a long term, low level chaotic effect in the enemy's rear echelons, maybe enough to drain their resources so they are burdened somewhat. Not bloody likely though.

Some of the interesting things of note were the fact that they erased their backups, OUCH, and hacked Rootkit.com (no fair), which is a great website. They also published Mr. Barr's personal details, his SSN, address and telephone number, which is just, like, mean. Apparently he is getting death threats and phone calls at home.

The most damaging of course is the theft of their email, which could be a killer for their company. Or better yet, drive it into a cheap takeover or buyout by an enterprising company that wants a good cyber acquisition. Frankly I'm surprised they haven't been purchased yet.

Another approach would be to publish all his research now, be a man and stand behind it and say, “Yea MFers, I got yer info, I am publishing it, and the feds will be at your door shortly.” If his research is good, then it will stand the scrutiny of the public. If it's crappy research, well then, I guess his methods just suck.

Either way, I think Mr. Barr, Hoglund and HBGary and company will most likely be getting a LOT of pizza delivered to their doorsteps in the next year. I recommend Pizza Paradiso in Georgetown on M Street. I'm thinking the staff at ole Gary might enjoy quite a bit of the Belgian beer they have on tap.

So this is attribution research done RONG (to the tune of Mr. Kim Jong Il).

Here’s a recap of what went wrong and what to do next time.

  • Do good research that can stand up to scrutiny
  • Publish it to the public for good; don't whore it to RSA for glory or to the FBI for money
  • When you publish, be damn well sure it doesn't get back to you that you did it
  • Enjoy your victory in private, and only tell trusted associates
  • Watch while the Internet becomes a better place

There is a huge potential for the proper disclosure of attribution data to change the character of the Internet. DON'T buy the BS that things cannot be tracked or discovered.

Only an attribution market that disclosed the worst actions across the realm of cyberspace could deter malicious actions. Frankly, the hijinks of Anonymous don't pass real threat muster in my book. Unfortunately it will waste thousands of investigative hours, because the FBI LOVES Anonymous, just like they strutted up and down on their investigative prowess busting the Palin hacker, who got a year and a day in jail.

This, I believe, takes our eyes off the real threats and doesn't really do our country any good.

Don't wind up like this guy…

So it looks like Team Cymru implemented my Gamechanger #1 idea to solve the notification challenges…

Take a look. 

The BIN (Bank Identification Number) Feed comprises a near-real-time list of bank accounts and credit cards that have been identified by Team Cymru as potentially compromised. This data comes from Team Cymru’s unique insight into the Underground Economy. This service is provided to verified financial institutions at no cost to them.

The BIN Feed is provided through a secure web portal to vetted and verified financial institutions only. Data is carefully isolated, so that each financial institution can only view data on their own customers’ potentially compromised accounts. Representatives of financial institutions may contact the Team Cymru Outreach Team at outreach@cymru.com with details of their BIN/IIN numbers to request access to this data. Please provide details of your institutional affiliation and allow time for us to verify and validate your request.

I am going to have to give this the whole 2 DIGITS up.

So I originally came up with this idea for counterterrorism a while ago and have modified it for cyberwar conflict. It goes like this. Why aren't more terrorists killed on a daily basis by powers that can do it and have the will? For the completely countervailing reason that usually trumps direct action: intelligence gathering. Plain and simple. INT collection is used on a worldwide basis to target actors. However, pre-9/11 completely showed a lack of will and balls to actually take care of problems for completely bullshit reasons. Lawyers, human rights, blah blah. Bureaucracy. Apathy and pragmatic thought.


My solution for terrorists was this. You do all the INT collection you want. But ONE DAY EVERY YEAR you have what I will term a BLACK NOVEMBER. What is it, do you ask? It's a kill pulse. All the intelligence derived, gathered, fused and generated during the year gets put into a master target list, and direct action takes place synchronized. This will have the immediate effect of dramatically draining the SWAMP, eliminating a lot of the BS INTEL noise you get in collection efforts and clearing the way for a new round of intel gathering, new link analysis and intel collection.

Direct action will be expendable and non-attributable and revolve around “accidents or otherwise mundane unfortunate circumstances.” Better not to attract that much attention, unless that's what you want to go for.

I then evolved this concept to terrorist electronic communication forums, which present the inherent evil of allowing for the dispersal of terrorist ideology, plans, TTPs and other terrorist crap. So the BLACK NOVEMBER would essentially, over time, corrupt any backups of data that were being made, then target and destroy, crypto attack or secure delete all worldwide terrorist extremist forums and other info material that is in direct control of mal actors.

One, this highly disruptive attack would sow CHAOS into the ranks, break communication mechanisms, and force the reestablishment of new networks and comms that can be rapidly identified and tracked to be put into the next yearly purge cycle for cyberwipe.

So after this I come to my 3rd evolution of BLACK NOVEMBER. That is doing the same thing but targeting the numerous cybercrime forums, tool factories, egosites and botnet command and control sites that exist throughout the Internet. [NOTE: IF IT WASN'T ALREADY OBVIOUS, you do this non-attributably, preferably geographically spread across the Internet IP space and geographies; you also use massive variation in code, techniques, character sets and styles. Unless of course you don't care about attribution for the shock factor.]

This can be a massive sweep or it could be a certain number of high threat target sets. Either way, this pulse of cyberpurging would ENSURE ONE THING: that there are no excuses, no compromises, and real, REAL action taken against at least the technical mal-infrastructure that pervades the net and sucks like a vampire on our national security and economic security.

I will be the first to say that I don't think our authorities have the will, vision, foresight or balls to ever consider any of these actions. However, I will say this. I am laying it out there as a thought meme, a destabilizing concept that needs to be expanded, discussed and further investigated…

SO WHAT… DO YOU HAVE A BETTER SOLUTION? If so, fire away, propose one. And don't rehash any of the ideas that have been bandied about for years. Come up with something original.

Yes folks, we need a Phoenix Program for Cyber.  That’s what I’m saying.

So after attending a training event in which CERT/CC staff said they are always run ragged notifying compromised organizations of a compromise, I came up with an idea that quits wasting tons of freaking time. Instead of having every security company on the planet contacting and maintaining lists of POCs, emails and phone numbers for the security staff of every organization on the planet in order to notify them that 10,000 of their users are now compromised (theft of PII, botnet infiltration, whatever), you just do this.

Set up an industry security notification portal where organizations can register and an organizational RSS feed is dynamically created for them. An XML data sharing schema is put in place to represent the details of said compromise. It would have an organizational tag on it that identifies the specific organization. If a security organization obtains information of a compromise of PII from, say, 10 different companies, they split the data up by company and post directly to each organization's RSS data feed, to which the organization subscribed when it signed up.

This way due diligence of notification has been accomplished, and CERT/CC or the other security firm can wipe its hands of its notification duties and go about actually doing specialized R&D to solve this mess once and for all instead of spending precious time on bullshit.

Organizations that have not registered with the portal site would still have their RSS compromise detail information published, however it would be an encrypted blob. All that would be shown is the organization name and very high level details of the event. I'm sure if published publicly, personal and professional networking would take over and they would find out really quickly, check the details and resolve the issues.

Once events are resolved, they can be archived off the portal into the organization's account and taken off of the public dashboard associated with the site.

Let's call this the Web 2.0 solution to incident response notification, and a better and smarter responsible way for companies to quit doing waste-of-time work and start doing real work.
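As an added illustration (my own sketch, not code from the original post and not Team Cymru's or anyone else's implementation), here is a small Python prototype of that portal: events carrying an organizational tag are split into one RSS-style feed per organization, registered organizations get victim detail in the clear, and unregistered ones get only the org name, a headline and an encrypted blob whose key the portal holds in escrow until they sign up. The sample events, the org names and the stdlib-only encrypt-then-MAC construction are assumptions made for the example; a real portal would use a vetted AEAD such as AES-GCM from a crypto library.

```python
import base64
import hashlib
import hmac
import json
import os
from collections import defaultdict
from xml.etree import ElementTree as ET

# Constructed sample input: what a CERT or vendor might hold after a botnet
# takedown. "org" is the organizational tag of the shared XML schema.
SAMPLE_EVENTS = [
    {"org": "example-bank", "type": "credential-theft",
     "victims": ["a@example-bank.test", "b@example-bank.test"]},
    {"org": "example-bank", "type": "botnet-infection", "victims": ["198.51.100.7"]},
    {"org": "example-shop", "type": "pii-theft", "victims": ["x@example-shop.test"]},
]

def _keystream(key, nonce, length):
    # PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    """Stdlib-only encrypt-then-MAC stand-in for an AEAD (assumption for this example).
    Layout: nonce(16) || ciphertext || tag(32). Use a real AEAD in production."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # wrong key or tampered item: fail closed
        raise ValueError("feed item authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Portal:
    """One key per organization; keys of unregistered orgs stay in escrow."""

    def __init__(self):
        self.keys = {}
        self.registered = set()

    def key_for(self, org):
        if org not in self.keys:
            self.keys[org] = os.urandom(32)
        return self.keys[org]

    def register(self, org):
        """Sign-up releases the escrowed key (assumed: delivered out of band)."""
        self.registered.add(org)
        return self.key_for(org)

    def build_feeds(self, events):
        """Split events by organizational tag and emit one RSS-style feed per org.
        Registered orgs get detail in the clear (served only to them); others get
        the org name, a headline and an encrypted blob."""
        by_org = defaultdict(list)
        for ev in events:
            by_org[ev["org"]].append(ev)
        feeds = {}
        for org, evs in by_org.items():
            rss = ET.Element("rss", version="2.0")
            channel = ET.SubElement(rss, "channel")
            ET.SubElement(channel, "title").text = f"Compromise notifications: {org}"
            for ev in evs:
                item = ET.SubElement(channel, "item")
                ET.SubElement(item, "org").text = org
                ET.SubElement(item, "title").text = f"{ev['type']}: {len(ev['victims'])} affected"
                detail = json.dumps(ev["victims"]).encode()
                if org in self.registered:
                    ET.SubElement(item, "detail").text = detail.decode()
                else:
                    blob = encrypt(self.key_for(org), detail)
                    ET.SubElement(item, "encrypted").text = base64.b64encode(blob).decode()
            feeds[org] = ET.tostring(rss, encoding="unicode")
        return feeds

def parse_items(feed_xml, key=None):
    """Read a feed back as (org, headline, victims); encrypted detail needs the org key."""
    items = []
    for item in ET.fromstring(feed_xml).iter("item"):
        victims = None
        if item.findtext("detail") is not None:
            victims = json.loads(item.findtext("detail"))
        elif item.findtext("encrypted") is not None and key is not None:
            victims = json.loads(decrypt(key, base64.b64decode(item.findtext("encrypted"))))
        items.append((item.findtext("org"), item.findtext("title"), victims))
    return items
```

Run it with `Portal().register("example-bank")` followed by `build_feeds(SAMPLE_EVENTS)`: the bank's feed carries the victim list in the clear, the shop's feed carries only "pii-theft: 1 affected" and a blob that `parse_items` cannot open without the shop's key. Two design points matter in practice: the portal must authenticate a registered organization before serving its clear feed, and the tag check in `decrypt` is not optional, because a notification that an attacker can silently alter is worse than none.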

OMG, it's so simple…


Now someone just needs to get off their ass and implement it. How about the Big 5 to start: Microsoft, Symantec, McAfee, Trend, Cisco. Start setting an example and respond to a critical industry security need that helps all of us and presents a gamechanger for cybersecurity.

Here is an example of data repatriated via a 10 day Rustock/Mebroot/Torpig botnet takeover. The researchers captured the data, then analyzed it and went scratching their heads as to who to contact about the data, how to notify the victims, and the sheer scope and bullshit that would be needed to do all the notifications. HERE is an example that justifies the implementation of my idea.


Changing the debate..

April 23, 2009

So Brian Krebs interviewed Joe Stewart about his upcoming presentation at RSA and changing the way we do business in the realm of passive/aggressive cyberwar.

Time for an Internet A-Team?

It was a pretty good article.

I posted a challenge to them to continue the debate in a regular series, working through the ins and outs and thought memes that will really serve to percolate and become real game changers. I even offered to host their data on these bad actors on my site.

As you know we have our SPOTLIGHT SHINE Bright Series that has its goals of identifying and disrupting these bad actors.

I also requested that they come on here and let me interview them to explore these new concepts and challenge them to stretch the bounds of their operational constructs. I would like to bounce some of my ideas around an echo chamber with Joe's, since we are both idea guys, and see what could be possible in the real world.

The title says it all….

Hackers Swipe Terabytes of Sensitive Pentagon Data

Apparently the F-35 program has been hacked multiple times. Nice :( Way to go with maintaining our pointy tip of the spear. You develop, we rip it from you. Billions in R&D lost. However, if I was on the other side of the fence and I had the capabilities, I would steal it from you too if I knew you were too gutless to stop me or fight back.


This is entirely possible. I was on a proactive malware seek-and-destroy digital forensics team for a major defense contractor where we found some of our workers doing DEVELOPMENT work via Air Force Virtual Private Network remote access on small little systems such as Air Force One, the B-52, the Prowler and other airborne electronic attack platforms and systems.

The developer was going out getting all kinds of little open source and development tools and using them in his work, and somehow got all munged up with a malware infestation. Needless to say we escalated that quickly; however, it amplifies the seriousness of what can happen if you get compromised.

Firms like Northrop, Lockheed, BAE and Boeing are supposed to be the best in the cyber business, but with firms so large and expertise so sparse, you can't guard everything all the time constantly. There are lots of technical solutions for things; however, budgets are sparse, will is low, and bureaucracy is RAMPANT. Process and rules choke out agility and innovation.

At the end of the day I believe game changers are needed to begin the targeted and offensive attacks on known cyber operators that are doing this for profit and espionage gain. I mean doing really bad things to these people and their systems and organizations.


The gauntlet is thrown, you have been slapped, what the fuck are you going to do about it…


Joe Stewart is a researcher I admire for his willingness to reveal his botnet research to the general masses, especially through his top 10 lists of the largest botnets. He has also done excellent research on more sinister malware such as Coreflood, which has evolved over the years.


Apparently he is presenting at RSA soon some concepts similar to those I have been espousing here, such as my cyber special ops forces targeting cybercrime networks.

Here is a quote from his blog

“Finally, on Thursday I’ll be delivering my own presentation entitled “Demonetizing Botnets” at 2:10 PM. This talk outlines my ideas for how we should restructure our efforts at fighting not just botnets, but cybercrime in general, both long and short-term. In this presentation, I will introduce a concept I call “offense-in-depth”, which I believe is the only approach that can address most of the cybercrime problems we are currently facing, given the current environment with respect to law enforcement’s challenges in cyberspace and pervasive vulnerabilities in computing and networking. I’m not saying my plan is any kind of silver bullet, but I hope it becomes part of the arsenal of everyone out there who is attempting to stem the tide of malicious software and computer intrusion. If you are interested in hearing my take on these matters, please attend. If anything I say inspires you to action, please meet up with me after the talk, and we can discuss the issues further. Hope to see you there!”

I love some of the trade rags' takes on his opinions. Titled… (Joe, I am behind you on this one.)

Researcher wants hacker groups hounded mercilessly

Botnet expert Joe Stewart says ‘special ops’ teams could thwart cybercriminals

These concepts I have discussed in great depth in some of my earlier posts, such as our Spotlight Shine Bright series and my “I Call Shenanigans” and “BBC Wussy Robin Hood” articles.

A technology company employing some of the best and the brightest in the field just released an update to their product that actually implements an idea I have been working on since late last year. Clearly many in the security industry have realized that we need a couple of good game changing concepts to take us to the next level. My focus was on how to change how we COMMUNICATE about malware. If we are all working on the same sheet of paper, then we can focus our efforts on other high payoff challenges.

The company is called HBGary, led by the guys that literally wrote the book on rootkits.


HBGary seems to have done a good implementation job building Digital DNA features into their flagship product Responder Pro, which is an excellent live memory analysis tool. More and more, live memory analysis is critical to obtaining a full picture of what the malware does.


I have been researching similar concepts based on the extraction, through observational analysis, and generation of malware code DNA traits. The goal is to identify and classify malware characteristics (what it is) separately from its functions (what it does).

For example, the fact that a piece of code packs itself to hide from antivirus or hinder reversing is a characteristic. In and of itself it poses no threat. A piece of code that can read/write files on your system and execute programs has dangerous functionality all around. That is a function.

A possible implementation would involve creation of an Adobe Flex or HTML5 based digital cyber dashboard which takes analyzed samples via backend systems, extracts the DNA automatically or manually, and creates a signature for the malware that combines a representative string of bits representing the DNA with cryptographic hashes (MD5, SHA-1, SHA-256, SHA-512) and a fuzzy hash (ssdeep), so that exact matches and near variants can both be recognized.

The dashboard generates a characteristic score and a functional score that combine into an overall threat score.

The operational vision is to utilize this dashboard to describe the malware DNA in layman's terms so that cyber operators and CIO types can RAPIDLY understand the threat and deal with it, not try to understand a bunch of gobbledygook.
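As an added example (my own sketch, not HBGary's Digital DNA and not the dashboard described above), this Python code shows the characteristic-versus-function split and the scoring pipeline end to end: a crude trait extractor (byte entropy for packing, import-name markers for behaviour), a DNA bit string over a fixed trait order, the characteristic, functional and threat scores, a layman's summary, and the exact hashes. The trait catalogue, the weights, the markers, the entropy threshold, the rule for combining the scores and the samples themselves are all constructed for the example; ssdeep is left out because it is not in the standard library.

```python
import hashlib
import math

# Trait catalogue (constructed, illustrative weights). Characteristics describe what
# a sample *is*; functions describe what it can *do*. Entries are (label, weight).
CHARACTERISTICS = {
    "packed": ("packed or encrypted", 2),
    "anti-debug": ("debugger-aware", 2),
}
FUNCTIONS = {
    "file-write": ("can create or write files", 3),
    "exec": ("can launch programs", 4),
    "download": ("can fetch content from the Internet", 4),
    "registry-persist": ("installs itself to run at boot", 3),
}
TRAIT_ORDER = list(CHARACTERISTICS) + list(FUNCTIONS)   # fixes the DNA bit positions

# Import names and strings that mark a trait. Constructed; a real extractor would walk
# the import table of the unpacked image and add behaviour seen in memory or a sandbox.
MARKERS = {
    b"IsDebuggerPresent": "anti-debug",
    b"CreateFileW": "file-write", b"WriteFile": "file-write",
    b"CreateProcessW": "exec", b"WinExec": "exec",
    b"URLDownloadToFileA": "download", b"InternetOpenUrlA": "download",
    b"CurrentVersion\\Run": "registry-persist",
}
PACKED_ENTROPY = 7.0   # bits per byte; threshold assumed for this example

def shannon_entropy(data):
    """Bits of entropy per byte; compressed or encrypted bodies sit near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def extract_traits(sample):
    traits = set()
    if shannon_entropy(sample) > PACKED_ENTROPY:
        traits.add("packed")
    for marker, trait in MARKERS.items():
        if marker in sample:
            traits.add(trait)
    return traits

def score(traits):
    """Characteristic and functional scores plus a combined threat score. Combination
    rule assumed here: characteristics only amplify a sample that can already do harm."""
    c = sum(CHARACTERISTICS[t][1] for t in traits if t in CHARACTERISTICS)
    f = sum(FUNCTIONS[t][1] for t in traits if t in FUNCTIONS)
    return {"characteristic": c, "functional": f, "threat": f + c if f else 0}

def describe(traits):
    """Layman's summary for the dashboard, for the reader who will not parse the DNA."""
    what = [CHARACTERISTICS[t][0] for t in TRAIT_ORDER if t in traits and t in CHARACTERISTICS]
    does = [FUNCTIONS[t][0] for t in TRAIT_ORDER if t in traits and t in FUNCTIONS]
    is_part = "Sample is " + ", ".join(what) if what else "Sample has no notable characteristics"
    does_part = "; it " + ", ".join(does) if does else "; no dangerous functions found"
    return is_part + does_part + "."

def build_signature(sample):
    """The record the dashboard would store: DNA bit string, traits, scores, summary
    and exact hashes. ssdeep would sit beside the hashes but needs a third-party module."""
    traits = extract_traits(sample)
    return {
        "dna": "".join("1" if t in traits else "0" for t in TRAIT_ORDER),
        "traits": sorted(traits),
        "scores": score(traits),
        "summary": describe(traits),
        "hashes": {name: hashlib.new(name, sample).hexdigest()
                   for name in ("md5", "sha1", "sha256", "sha512")},
    }

# Constructed samples. _NOISE stands in for a packed section (pseudo-random bytes); the
# ASCII tail stands in for import names visible once the image is unpacked in memory.
_NOISE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
SAMPLE_DROPPER = _NOISE + b"URLDownloadToFileA\0CreateProcessW\0WriteFile\0"
SAMPLE_TOOL = b"plain text utility that calls CreateFileW and WriteFile " * 4
SAMPLE_PACKED_ONLY = _NOISE
```

`build_signature(SAMPLE_DROPPER)` yields DNA `101110`, a characteristic score of 2, a functional score of 11 and a threat score of 13; the packed-only sample scores 2 on characteristics but 0 on threat, which is the point of the split, since packing alone is not evidence of harm. The DNA string is what lets two samples with different hashes be recognized as the same kind of thing, while the exact hashes still pin down the specific file.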

The third component is an intelligence component that combines raw multi-disciplined private and open source intelligence on the bad guys behind the campaigns into digital dossiers.

Adrenaline.  Another good exploit pack.


Limbo

A very sophisticated pack that has been extensively written about.


I will seek out the source code to post and see if we can glean some intelligence on the authors.

Traffic Pro is older than Icepack and Mpack and was popular because it was cheap.

Panda did an excellent writeup on it.

