Sunday, February 10, 2013

Threat Assessment: Red Cell (Christopher Dorner)

[Background]
I'd call this situation fascinating if people weren't dying.  The Dorner situation provides an examination of the risks presented by malicious insiders.  Dorner seems to be a case-study example of the types of threats modeled by Marcinko with his Red Cell antics.  Since he's been on the loose for 48 hours, it seemed worth a look...

Note: I am not an expert, or a shrink, or anything.  Just throwing ideas out there.

[Source]
Info below based on a reading of the manifesto.

[Capabilities]
Subject has demonstrated a willingness and ability to attack and evade. Given the time available to plan this scenario, it is reasonable to expect the subject has multiple safe-houses available.  Subject will probably employ operational tactics that go beyond simple firearm attacks.

[Counter Tactics]
Given the high level of training and education displayed, specifically the repeated references to effective TTP of adversarial forces, it is reasonable to expect that the subject will employ proactive tactics to maximize his ability to both successfully strike and evade capture. Examples include diversion and subterfuge used in support of primary mission execution, secondary attacks to demoralize operational LEO assets, and tactics that create resource/asset drag on operational LEO assets.

[ISR]
It is reasonable to expect the subject continues to actively employ signals and cyber technologies to perform ISR.  Wherever possible, communication via secure technologies should be employed in order to prevent eavesdropping.

[Current Location]
Until the subject is located or attacks again, it must remain a possibility that he has left the LA area, although this seems unlikely.

While rural locations offer many advantages, and the subject is likely at home in outdoor environments in all weather conditions, there are significant disadvantages to rural locations, such as the inability to avoid observation or scrutiny while traveling quickly.

Hiding in plain sight in a dense urban environment may offer significant advantages, such as access to resources and multiple forms of transit.  Subject is likely to employ disguises to minimize chances for recognition.

[Key Observations]
It seems likely that the subject has ongoing access to local LE and federal cyber resources.  Particular attention should be paid to valid logins coming from the SOCAL area that have collisions with other valid login timings and operating patterns.

Due to the physical size of the subject, he may choose to move primarily at night to minimize observation.

Expect trickery and subterfuge.  The subject believes himself to be in control of the situation, and will attempt to lead LE assets astray to continue operating towards his primary objective.  Don't be too quick to follow obvious paths with all available resources when capture seems likely or imminent.

Expect subject to be armed at all times, possibly with a silenced weapon.  The subject will be dressed in a style that supports a holstered concealed weapon.
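The "login collision" heuristic above, as an added example that is not part of the original post: given constructed session records (account, source region, start, end), flag sessions of the same account that overlap in time where at least one side comes from the watched region. Field names, the region labels and the records are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample of successful-login sessions (not real data).
# Each record: account, source region, session start, session end (ISO-8601).
SAMPLE_SESSIONS = [
    ("jdoe",   "socal",  "2013-02-09T08:00:00", "2013-02-09T12:00:00"),
    ("jdoe",   "socal",  "2013-02-09T13:00:00", "2013-02-09T17:00:00"),
    ("jdoe",   "norcal", "2013-02-09T10:30:00", "2013-02-09T11:00:00"),  # overlaps jdoe's first socal session
    ("asmith", "socal",  "2013-02-09T09:00:00", "2013-02-09T10:00:00"),
    ("asmith", "socal",  "2013-02-09T09:30:00", "2013-02-09T10:30:00"),  # overlap, but same source
    ("bwong",  "dc",     "2013-02-09T22:00:00", "2013-02-10T02:00:00"),
    ("bwong",  "socal",  "2013-02-10T03:00:00", "2013-02-10T04:00:00"),  # no overlap
]


def parse_sessions(records):
    """Turn the string timestamps into datetime objects."""
    return [(acct, src, datetime.fromisoformat(start), datetime.fromisoformat(end))
            for acct, src, start, end in records]


def session_collisions(records, region="socal"):
    """Return one dict per pair of same-account sessions that overlap in time,
    keeping only pairs where at least one session originates from `region`.
    cross_source=True is the interesting case: one account active from two
    places at once, which a single person normally cannot do."""
    by_account = defaultdict(list)
    for sess in parse_sessions(records):
        by_account[sess[0]].append(sess)

    hits = []
    for acct, sessions in by_account.items():
        # Sort by start time so each pair is reported oldest-first.
        for a, b in combinations(sorted(sessions, key=lambda s: s[2]), 2):
            overlap = min(a[3], b[3]) - max(a[2], b[2])
            if overlap <= timedelta(0):
                continue  # sessions do not overlap
            if region not in (a[1], b[1]):
                continue  # neither side is from the watched region
            hits.append({
                "account": acct,
                "sources": (a[1], b[1]),
                "overlap_minutes": int(overlap.total_seconds() // 60),
                "cross_source": a[1] != b[1],
            })
    return hits


if __name__ == "__main__":
    for hit in session_collisions(SAMPLE_SESSIONS):
        flag = "CROSS-SOURCE" if hit["cross_source"] else "same source"
        print(f"{hit['account']}: {hit['sources']} overlap {hit['overlap_minutes']} min ({flag})")
```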


[A Note to the Subject]
Don't kill me, bro.  ;)  You laid out that whole "don't even bother to profile me" thing, as if it were impossible.  In your report, you make it clear that your anger is specifically directed at LAPD for taking everything you had.  Unfortunately you're utilizing federal training to take your revenge, so you're betraying the oaths you've taken.  Your mom was correct, sometimes bad things happen to good people.  You are driven to this to regain your name, so the only path forward is to use your skills to escape and evade and build a new life.  You can only destroy with violence, it won't let you build a better reality within LAPD, like you hope it will...


More Modern Governing

I'd been sitting on this post for a bit, and then unfortunately this happened and became a thing...

According to reliable sources, Swartz was driven to abandon hope for his future when he acted like an activist and broke some laws, and was facing 35 years in prison.

In my opinion, this tragic outcome is just another sign of how our government is failing to keep pace with the realities of technology in the modern world.

We have a system where re-elected prosecutors worry about looking soft on virtually any category of crime, and hesitate to make reasonable deals to allow citizens who briefly lose their way to repay a debt to society and move on with a life that is generally unblemished in the eyes of the law.

When convicted of any felony in the US, some of which are easy to commit by accident, one faces a lifetime of punishment.  Abandon all hope of future employment for those who wear the scarlet "F".  And more and more, even misdemeanor convictions can haunt you.

Similarly, a drunken poor decision to urinate behind a bush can brand you as a convicted sex offender for the rest of your days.

We drive people to undesirable outcomes when we ruin the hopes they place on their future lives.  The reason the phrase "paid his debt to society" exists is that it embraces the concept that we want those who lose their way to be able to regain the good path.

And the joke of it is that there is a real problem with digital law breaking in the modern age.  Credit-card and other information theft is generally trivial to accomplish, and there are plenty of people out there living it up with money coming out of the credit card companies and small businesses (who eat costs sometimes).  And the fact is that these people face limited risk of being caught and punished despite repeated or massive abuse.

So when we catch an activist who is clearly not in it for the money, we throw the book at someone who helped create the digital world we love.

The part that is hardest to swallow is that when it comes to generating revenue, it appears that government is all about embracing a new technical world.  My local PD and govt employ automagic ticket writing cameras that must be reaping dividends when they're hitting people for $100+ for every failure to fully stop on a red for a right turn...

And recently I snagged this pic of what appears to be an auto-license plate scanner on a local PD cruiser:

I assume this will make ticketing easier for a variety of infractions.

The executive and judicial branches embrace technology when it comes to putting your embarrassing life details on the internet as well.  For years now people on the interwebz have been lulzing at funny mugshots.  Criminal databases are often public, and some states put all court cases online so everyone can know things you might otherwise consider private.

And yet, when it comes time to "re-elect" judges it seems like there is no concept of openness.  It seems rare to find any transparency about why a given decision is made, so you end up with internet articles full of raging outbursts about why someone should've been punished more, or how on earth could someone like this get off so lightly?!?  If a judge is serving in a public capacity, and if my mistakes are open to the world at large, why shouldn't everyone be allowed to access the information behind judicial decisions and outcomes?

There are a lot of areas where technology could have significant impacts on pursuing justice.  For example, it seems likely that cell-phones could be programmed to automatically capture information and contact authorities when they detect gunshots and/or screams via integrated microphones.  This could probably be done in software with checks and balances, and reduction of false-positives (ie: movies).  Some people might consider that an invasion of privacy, while others might point out that it could save lives.

There are a lot of opportunities and choices ahead for all of us in this space...  it's a shame Aaron won't be around to help us build the future.  In my opinion, he should've been fined and placed on probation and allowed to live his life.


Saturday, October 13, 2012

ramblin on, ain't saying nothin

.:[ktxgoogle]:.
so you can use the google safesearch diagnostic to check out what google has to say about the security of a given domain.  nifty!.. n maybe those google cats are a little too honest? ish?


.:[ktxwhatev]:.
it's tough to know what to say about the nsa wiretap case getting dismissed...   nice try eff...

i was talking w/ someone recently who was going on about how there are still significant constitutional barriers between foreign and domestic surveillance... yea, whatever you say...

so here's a shout to a great prank: 



.:[ktxphone]:.

mobile malware is getting pretty crazy creative, at least in the lab ;)  3d maps of whatever your phone can see.  i think there's a lot of potential for stuff in this space...


.:[ktxattackers]:.

i'd be willing to bet this attack exploited a binary planting vuln of some type...  it's nifty how the attacker was probably leaning on the valid sig on the service executable to throw off investigators.  i imagine that the dll was basically just an unwrapper, and the third file maybe had an extension that isn't generally subjected to much attention by av/scanner tools...


Thursday, June 7, 2012

mobility speculation

[preface]
been talking less and doing more, as the decreased frequency in posting might imply...  hopefully i'll have something to share soonish, and will also try to share some good stuff made by other peeps too.  before anything, i want to say that there are giants who've come before me, and if i couldn't stand on their shoulders i wouldn't be able to see or accomplish much at all...  big ups to those who are working, researching, publishing, talking, sharing, and schooling!

a year or two ago 'mobility' was the buzz word to use if you were a security vendor trying to sell some FUD... solutions seemed lacking... i don't hear as much about mobility today, but it doesn't seem like the threat has diminished...

[chess]
so there's this fable about taking a grain of rice, and doubling it for each square on a chess board...  when you get to the second half of the chess board, the numbers just get crazy...  someone pointed out that if you look at moore's law, today we're somewhere around the 30th or 31st square on the board...

this post is about the mobile space taken in that general context...

[mobile]
a couple years back i was lucky enough to kick it in some swank vegas suite w/ a bunch of smart peeps...  we shared drinks and shot the breeze, and it was a pretty good time.  i talked to this cat from berlin who was/is active in the mobile space, and when i asked how long i had until i needed to really worry about my phone, he told me probably 12-18 months...

based on how things have played out since then, it doesn't seem like he was too far off...  the mobile sploit space seems to be quite interesting and active.  looking at the talks given at past conferences, it seems like there are a lot of ways to do a lot of damage...  and what i'm hearing about upcoming cons is that the mobile space is crowded full of people itching to talk about how they can pwn your phone.

[target space]
mobile seems like a great platform to attack for a number of reasons:

- ubiquitous coverage: phones are almost everywhere you go
- limited target platforms: android, iphone, ... umm... ummm... something else?
- reliability: phones are pretty much always on, and always connected
- flexibility: phones can communicate across so many channels...  sms, direct tcp/udp over 3g/4g, http, etc....
- ignorance: most ppl have no idea what's going on w/ their desktops, laptops, and servers...  visibility into phones is significantly worse

- uncleanable!: not like there are many tools at your disposal to clean your phone...  but try this out for fun...  back up your contacts and whatever, and then 'factory reset' your device...  well, i haven't tried an iphone, but on android...  well, you might notice that after the reset your phone *did not* go back to the state it was in after you bought it.  all those software updates your provider pushed remained in place even though all the trivial user stuff was reset.  this means that the memory that stores that 'good state' is writable.  if someone roots your phone, it doesn't seem like anything is preventing them from writing their pwnage there, and thus gaining persistence on your mobile platform... ug!

[so wtf are you talking about?]
just rambling about mobility attack and defense...  so here are a few ideas about how you could use mobile platforms in ways not intended by mobile carriers; first some simple ones, and then some that are maybe more complex...

[simple mobile attacks]
- surveillance: i pwn your phone, and now i know a *lot* about you...  i can listen w/ your microphone, so i know what you're saying, and who you're screwing.  i can take pics n vid w/ your camera(s), and even though that's usually just the inside of your pocket, i can still get a lot of good stuff if i'm persistent or if i use programming to watch for changes before i capture anything...  so i know where you go, and what you do, and who you talk to, and all that good stuff....

- blackmail: since i know all that stuff, and since you have plenty of vices and secrets and lies in your life, i can blackmail you pretty easy...  well, most of you ;)

- virtual theft: hey lookit, you use your smart-phone for all kinds of things...  i can keylog and get all kinds of passwords and such, and abuse you w/ all of that...

- spam: i use your connectivity to send my messages, and since ppl believe and click that shite, i make $$$...

[complex-ish mobile attacks/capabilities]
- research foo: some peeps are talking about using mobile phones as mass detection and reporting platforms...  including simple sensors and things like that to enable near-real-time detection and reporting...

- physical/IRL theft/crime:  since i can watch and listen and track everything someone does, it makes crime wayyyy easier.   looking through your calls and txts lets me know who you interact with, and who you live with.  i can find their numbers and pwn them too.  then i can wait until you're all away from the house somewhere far away, and maybe even wait until your neighbors aren't around too (or are sleeping, or are otherwise distracted) and then rob your house

- area surveillance:  imagine you're the criminal above, or maybe some type of operator on a secret mission...  by monitoring all the phones in a given location, you can get an idea of whether or not anyone heard you break that window, or whether they are calling the police.  you can know what the people around you are seeing, hearing, and thinking...

- covert signal piggybacking for anonymous comms:  ever see one of those videos demoing how you can spoof a cell phone base-station and intercept the comms of any nearby phone?  well in theory it seems like you could do the same thing but be way more passive about it.  it seems like you could captivate all local devices and then use a communication protocol that is capable of packetizing a communication stream and splitting it across multiple channels to arrive at the same destination.  by sending your signal chopped up across multiple devices, it could be very difficult to trace back who originated the signal...  it might not be optimal for two-way communications (although that might be possible), but for a single directional xfer, it should work nicely.  one could imagine purpose built devices with a wireless antenna and ethernet jack that allow a person in an environment with an oppressive regime to communicate freely by hitching a ride on the signals of nearby mobile devices...  many governments (both oppressive and freedom loving) are investing in reducing the ability of average citizens to communicate anonymously.  if a session could be parsed and split across multiple carriers and multiple connections, it seems that would become significantly more difficult to track and suppress....

[solutions]
i haz no great ideas on how to make better software...  but as far as i can figure, one potential solution for improving mobile security is for phones to include physical switches/toggles that act as kill switches for given services.  flip switches on your handset to activate/deactivate things like 3G, camera, microphone, gps... this simple idea would at least give consumers and phone owners the power to feel relatively confident that phone features aren't being used if they don't want them to be...  yes, the idea is pretty simple and lame, and no it will probably never happen...

Monday, October 3, 2011

'confused deputy' persistence mechanism: binary planting

so this is not a new idea really, but mb worth a little thought/exploration...

most of the recent-ish binary planting research seemed to focus on remote code execution attacks. but sometimes you don't need remote root.

some ppl say this attack is old news and lame, but then other people say 'whatever lands me shell'... binary planting came up in the adaptive pentest talk at DerbyCon, and maybe even Mitnick is using it (as also mentioned in a Derby talk). so whether or not you think it is lame, it appears ppl are using it.

a few weeks back i was digging around w/ binary planting in terms of priv escalation (which coincidentally got kicked around on FD recently)...

if you don't need CWD to win, then the set of potential DLL load attempts changes a bit. lots of apps run on boxen out in the world run w/ elevated privs, so maybe there's something to leverage there. specifically pretty much any DLL load attempt that doesn't find a target could be interesting. but even back on XP the default file perms and the landing place of most DLL loads limits the attack surface available to a non-admin user. so i kinda walked away from priv escalation w/o much success.

but maybe you've got root on a box. now you want your code to persist and exec through reboots. being tricky and hiding can be nifty, but hiding in plain sight can work too. home users don't pay a bunch of attention or have a ton of knowledge, and big environments are often resource constrained and nowhere near tracking detailed state on their endpoints (integrity checking, etc).

when you're digging for someone hiding under those conditions, sometimes you want to check machines for ways they automatically exec arbitrary code. so you dig through the registry and some folders, and look at core system files... and, well, it's kinda a lot of work...

so after i re-read some of Nick Harbour's thoughts on the issue, i think he already covered this pretty well, and really alluded to the potential magnitude and complexity of this situation...

but i guess i'll add a couple thoughts. first off, Nick seems to mostly consider the issue within the OS realm, but in IRL situations deployed apps give a much larger potential surface. and like the Acros peeps point out in some of their research, there are a number of DLL loads which are pure misses (ie: the DLL doesn't reside on the system, but the system is running fine). if you're search-order hijacking a core system DLL, an investigator can hone in on duplicate DLLs, or maybe where a stub is calling the other DLL to maintain required system functionality.

but a casual review on win7 and winXP found a number of 3rd party apps that miss on calls to non-existent DLLs during normal operation. if you're hiding on a box which is regularly used by a user, there are plenty of opportunities to maintain persistence (often) without going anywhere near System32, because the apps used by the user or loaded by system administrators will happily exec correctly named files in the right location (hence the confused deputy). since the system runs fine without the DLLs in the first place, it seems like lots of these apps produce no error messages or other obvious evidence when they call a DLL which doesn't do what it was hoping for... since it's DLL hell already, one wonders how much solid version and checksum information is really available...?

and to loop right back to the privilege escalation issue... in a more modern OS where privilege escalation isn't as easily accomplished, getting your code through a user-initiated MS Office load might get you a non-admin shell where a given priv escalation technique fails. but when exploiting a missed load from a modern commercial AV product and getting a non-admin shell, the same priv esc technique pulls root...? kinda want to research that more... the "Anti-Virus" product remained blissfully unaware that it had been co-opted and was now the persistence mechanism which maintained a compromised state on the victim machine... sloppy DLL loads and no tracking of its own integrity... go figure.

not every DLL miss is a gem, but the attack surface seems pretty broad after some quick digging... browsers, media viewers, security/privacy apps, productivity apps, backup apps, etc...

the advantage to the attacker here is that the attack surface is broad and murky. app DLLs are generally not as well documented as OS components. there are more versions and less info.

plus if you change the way you look at it, maybe you don't need the code to exec on boot. if the code execs when the user performs an action, or once a week when a scan is run, the end result for the attacker is the same but now the defender has a whole lot more to look for. this isn't really a 'universal' attack method, b/c it is dependent on the app deployment posture of the environment being attacked, but even that becomes an attacker advantage b/c they aren't hiding the same place every time. and then on the flip-side, in a given org maybe the vulnerable app is widely deployed.
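One way a defender can hunt for the "pure miss" loads described above, as an added example that is not code from the original post: parse a Process Monitor CSV export, keep the DLL opens that ended in NAME NOT FOUND, drop any DLL the process later found somewhere (those are normal search-order walks, not pure misses), and then highlight probe locations outside the Windows directory. The CSV rows, process names and paths below are constructed for the example; the column names follow ProcMon's default CSV export.

```python
import csv
import io
from collections import defaultdict

# Constructed ProcMon-style CSV export (not a real capture). Backslashes are
# doubled only because this is a Python string literal.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.001","notepad.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read"
"10:01:02.002","backupagent.exe","2222","CreateFile","C:\\Program Files\\BackupAgent\\plugins\\export.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.003","backupagent.exe","2222","CreateFile","C:\\Windows\\System32\\export.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.004","backupagent.exe","2222","CreateFile","C:\\Users\\alice\\AppData\\Local\\Temp\\export.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.005","mediaviewer.exe","3333","CreateFile","C:\\Program Files\\MediaViewer\\codecs\\codec_hevc.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.006","mediaviewer.exe","3333","CreateFile","C:\\Program Files\\MediaViewer\\codec_hevc.dll","SUCCESS","Desired Access: Read"
"10:01:02.007","mediaviewer.exe","3333","CreateFile","C:\\Program Files\\MediaViewer\\MediaViewer.ini","NAME NOT FOUND","Desired Access: Read"
"10:01:02.008","avscanner.exe","4444","CreateFile","C:\\ProgramData\\AVScanner\\updates\\uihelper.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.009","avscanner.exe","4444","CreateFile","C:\\Windows\\System32\\crypt32.dll","SUCCESS","Desired Access: Read"
"""

# Simplification for the example: anything under C:\Windows\ is treated as the
# well-watched OS area; everything else is where the post says hiding is easier.
WINDOWS_DIR = "c:\\windows\\"


def pure_misses(csv_text):
    """Map (process, dll basename) -> probed paths, for DLLs that were opened
    with NAME NOT FOUND and never opened successfully by that process."""
    loaded = set()
    probes = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue  # ignore config files, etc.; only DLL loads matter here
        key = (row["Process Name"], path.rsplit("\\", 1)[-1].lower())
        if row["Result"] == "SUCCESS":
            loaded.add(key)
        elif row["Result"] == "NAME NOT FOUND":
            probes[key].append(path)
    # A DLL found later in the search order is a normal miss, not a pure one.
    return {key: paths for key, paths in probes.items() if key not in loaded}


def report(csv_text):
    """Sorted list of (process, dll, all probed paths, paths outside C:\\Windows\\)."""
    rows = []
    for (proc, dll), paths in sorted(pure_misses(csv_text).items()):
        outside = [p for p in paths if not p.lower().startswith(WINDOWS_DIR)]
        rows.append((proc, dll, paths, outside))
    return rows


if __name__ == "__main__":
    for proc, dll, paths, outside in report(SAMPLE_PROCMON_CSV):
        print(f"{proc}: {dll} never found; {len(paths)} probes, "
              f"{len(outside)} outside the Windows directory")
        for p in outside:
            print("    ", p)
```

Each reported location is a place worth putting under file-integrity monitoring or checking for write access by non-admin users; a DLL that suddenly appears there is the sign the post says most environments never look for.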

anywho, check it out and see what you think :)

Wednesday, July 6, 2011

late spring-cleaning mash-up ramblings

.:[Contemporary Attack & Defense: Lulz Teez Peez]:.

If you can not be kind, at least have the decency to be vague
By 渍 (stains)


soooo, The-State-Run-Attack-Group-That-Shall-Not-Be-Named is pwning all over... and so are plenty of other attack groups... prolly even the most nimble and motivated orgs are working hard to keep up.

some industry statements are so WTF!?!... it can be tough to tell FUD vs ignorance...?

afaik, there isn't a wealth of sharing when it comes to effective defense tactics/techniques/procedures. it is arguably important to protect some effective defensive TTPs, but certain norms are common and fatal and not often dealt with:

  • admin rights
  • pervasive broad access which often isn't auditable, much less monitored in near real time
  • feeble patching policies
  • laughable vendor-"driven" "remediation" via "anti-virus" "quarantine"
  • virtually non-existent internal segmentation
  • weak controls and non-existent near-real-time visibility on egress flows
  • virtually no control or integrity concerning the processes and executables on systems across environments large and small

imho, lulzsec gets a +1 for doing the world the service of unignorably highlighting the fact that 'dedicated attackers' can kick a lot of our asses in no time flat. some might be uncomfortable w/ that fact, but how can you ignore it? that hackolution was just tweetivized... ;)


.:[Balance in the Waves of Attack & Defense: Frivolous Musings]:.

It may be that your sole purpose in life is simply to serve as a warning to others
By 士松 (Shisong)



improvement in attack has been exponential while defense has been linear...

attack:
  • tons of excellent education opportunities
  • glamorous pen-test consultant lifestyle
  • top-tier exploit r&d shops for ninja
  • howto? take your pick: app attacks, social eng, os attacks, rented attacks, etc
  • multiple state & independent movements w/ differing and/or overlapping agendas/motivations
  • wide variety of white/grey/black profit opportunities

defense:
  • vendor hell
  • academic & CEH/CISSP ivory towers
  • individual security controls have limited effectiveness and are generally "expensive"
  • some reversing crews understanding and/or combating modern malware
  • a few outspoken 'mainstream' (?) voices (Herzog, Kaminsky, Potter, etc) continue to press to improve on the status-quo clusterfuck known as "defense-in-depth"
  • listening to environments and effectively processing data quickly into simple relevant information is arguably a key weakness


defense needs improving if only because it is a significant commitment and a lot of work to try to effectively secure a small simple environment...

my shameless but short-winded manifesto(*) on maybe improving defense:
  • K.I.S.S.
  • intimate knowledge of what/why you permit & deny the rest
  • work w/ what you have (free-ish) first
  • push security roles and accountability to existing accountable admins, not to security orgs that shadow the IT org
  • get good at effectively parsing vast datasets into actionable and relevant information

(*): please note that the author does not claim to implement any of this effectively

as for long term improvement, gotta say +1 to mudge for highlighting the need for simpler execution environments in his shmoo keynote.


.:[Future IRL Attack & Defense: Reflections & Predictions]:.

所有的資產,在不被諒解時,都成了負債
(All assets, when misunderstood, become liabilities)
By 欣侑欣侑欣侑欣侑 (Xinyou/Urges Joyful)



.:[+]:. years ago while reading "Secrets & Lies", i was struck by the insight that inet crime mimics many aspects of IRL crime but w/ certain restrictions removed (geographic proximity, repeatability, etc)... so if IRL crime influenced inet crime, could the inverse happen? perhaps the pervasive access to knowledge as well as the ability to acquire virtually any required component may someday empower independent sophisticated IRL attack groups in accomplishing awe-inspiring feats of IRL crime... and/or vigilantes?

.:[+]:. the deep integration of technology into the fabric of society will inevitably breed and empower a somewhat anarchist element which will not respect borders, governments, and various bothersome restrictions... a class in society which picks and chooses whether or not to follow certain norms and rules, and could perhaps literally open doors which are closed to the average person...


.:[EOF+n]:.

幸福不是一切,人還有責任。
(Happiness is not everything, people have a responsibility)
By 文佩齊華 (Wen Peiqi China)


.:[+]:. doing stuff beats talking about it... so hopefully you all will hear less from me ;)

.:[+]:. to sslvis users: legit or malicious, you keep killing my terrible inefficient kludge back-end "app"... by... using the app :) i'm honored to have so much participation!!! tons of features could improve the app, i will try to make some progress after the next major milestone on the current project... yes, i know it's been over a year since the craptastic alpha was released, sry i am full of the suck :-\

.:[+]:. greetz & respect to all the amazing attackers & defenders i've been honored to share proximity with in the aether... i'm trying to keep up w/ school, but there's ppl setting a wicked pace on all sides!

.:[+]:. and thanks for reading along, and also for the comments... was getting a lot for a while, but they almost all included sketchy links so i mostly managed to keep them un-posted despite a few that slipped through ;) but i enjoyed reading them, so super belated greetz (in no specific order) to the peeps published and/or quoted as well as: 欣侑欣侑欣侑欣侑, 王辛江淑萍康, 楊愛惟, 色情成人卡通漫畫圖, MinB2139, 惠邱邱邱邱雯, 靜錢錢錢怡錢錢錢錢, 阮艳, 文佩齊華, 敬周喜, 嘉王偉, 陳佑發, 佳皓佳皓, 盈廖生家秀蔡, 吳婷婷, 雅莊王edgd春2蕙婷余惠其, 筱婷筱婷, 峻龍, 怡潔怡潔, 慶天慶天, burtong, 林尹, & 秀葉 :D



天下沒有走不通的路,沒有克服不了的困難,沒有打不敗的敵人。
(There is no dead-end road, there are no insurmountable difficulties, there is no enemy to fight who is undefeated)
By 楊宜婷俊嘉 (Yang Yi Ting handsome fine)

Wednesday, November 3, 2010

fragile software systems & risks in homogeny

well there are some things which reportedly do not belong on blogs... grrr... so here's some more of the drivel you've come to expect ;)

this here is one of those 'not sure if i should laugh or cry' links:

the most advanced fighter in the world ... was able to rack up an impressive 241-to-2 kill ratio [during war-games] ... [but] was felled by the International Date Line (IDL) ...

When the group of Raptors crossed over the IDL, multiple computer systems crashed on the planes. Everything from fuel subsystems, to navigation and partial communications were completely taken offline. Numerous attempts were made to "reboot" the systems to no avail ... the Raptors had their refueling tankers as guide dogs to "carry" them back to safety ... They had no communications or navigation


summarized pseudo misquote: "aircraft which cost $125+ million USD apiece were [disabled by] a few lines of computer code"

the F22 IDL story made me wonder if the F/A-18G that 'killed' an F-22 was able to do so particularly because of electronic warfare capabilities...? no idea, but i'd love to ask that Grizzly driver ;)

there might be a couple of take-aways here...

#1 - increasing reliance on critical computerized systems which are not backed by redundant systems and are fragile will present significant new risks. think about the F-22 design philosophy versus my favorite airborne weapons platform: the hawg!

the A-10 has "triple redundancy in its flight systems, with mechanical systems to back up double-redundant hydraulic systems ... [and] is designed to fly with one engine, one tail, one elevator and half a wing torn off." you don't have to google far on the A-10 to find a variety of stories about how well it performs under the stress of combat operations. reportedly, "the 165 Warthogs that flew in Desert Storm [had a] 95.7% mission capable rate ... the highest sortie rate of any USAF aircraft ... [while] roughly half of the total A-10 force supporting Desert Storm suffered some type of battle damage ... [just] five A-10s were lost in action".

yes, physical survivability is very different than electron system fragility, but there may be parallels. if the F-22 is tough to target with traditional weapon systems, maybe a better approach is a big ass radio antenna and a decent fuzzer ;)

#2 - highly homogeneous systems deployed into production can fail spectacularly. relatively survivable critical systems like DNS root servers are deployed on varying hardware and software to avoid this issue. once the JSF becomes the mainstay fighter of western nations, then a similar 'vulnerability' could theoretically disable entire air forces. don't worry, all JSF code is written in C++ (wikipedia) so there won't be *any* software induced failure points... lulz...


ps: speaking of crappy code and fragile software, i recently discovered that the back-end of sslvis is b0rked. i'll be getting it fixed up, getting features added to the back-end, and moving it out of beta as soon as i can... sorry!!