Wednesday, October 2, 2013

bgp route injection == sick recon??

Short n sweet for this post, but I've got one brewing that I think will be pretty good, so stay tuned.  This is just some random food for thought...

So yea, bgp route injection is old news, but that didn't stop issues from coming back later.

I got thinking about this because I was talking to a buddy who runs networks at a company that got popped by everyone's favorite actor(s), Annoying Pwnage Terminators.

If you've ever been on the receiving end of their work, you might've been amazed at the sophistication of the recon.  Spearphish emails are just perfect mimics of the way legit ones look, and after they're in they don't seem to spend nearly as much time searching around for things as your avg pen tester.

The speculation I've heard is that this is due to the fusion of cyber milspec teams, college students, and state intel agencies.  That intel part must account for the uber-recon, right?

Well my buddy mentioned that sometime before the known start point of the breach, there was a route injection event that lasted a small amount of time, and originated from Asia.  He claimed that there was no traffic rcv'd back during that time, so basically packets from his org just routed out to some black hole in Asia.

That bit got me thinking...  If you targeted bgp route injection like that, just what exactly would you end up getting from your victim??

The data would be somewhat limited, since without ACKs coming back for their push packets the victim's TCP sessions would stall after the first unacknowledged segments, but the one-way packets that do leak out could still carry some significant info:

- internal DNS
- internal IP
- email contents
- usernames
- cookies / session id's
- hashes / passwords
- etc??

So armed w/ my theory, I hit up another buddy who works in that space for a living and laid out my theory.  I can't lie, he sounded underwhelmed and didn't seem sold on the idea.  But it still seems interesting, so I figured I'd share.

Dan says there are crazy forensics on bgp injection history, but I think the attack my buddy experienced was from some local Asian link (that was connected via mpls or whatnot to the rest of the network), so I'm not sure that type of injection would be captured by the logs.
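Since the whole theory above hinges on somebody announcing a prefix (or a more-specific of it) that they don't own, the defensive side of it is watching your own prefixes in whatever route feed you have. The script below is an added example, not code from the original post: it takes constructed route-collector lines in a simplified "time|prefix|as_path" format, compares each announcement against a table of origin ASNs that are allowed to announce the monitored prefixes, and flags two things: the exact prefix announced from an unexpected origin, and a more-specific of a monitored prefix from an unexpected origin (which wins longest-match routing and is the classic way traffic gets pulled into a black hole). The prefixes, ASNs and the line format are all assumptions, using documentation ranges and private ASNs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Prefixes we care about and the origin ASNs allowed to announce them.
# Constructed sample data (documentation prefixes, private ASNs), not any
# real organisation's allocations.
EXPECTED_ORIGINS: Dict[str, Set[int]] = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64500, 64501},
}

# Constructed route-collector lines in an assumed "time|prefix|as_path" format.
# A real feed (BGP UPDATE log, route-collector dump) would be parsed the same way.
SAMPLE_ROUTES = """\
2013-09-10T03:00:00|203.0.113.0/24|64510 64520 64500
2013-09-10T03:05:00|203.0.113.0/25|64510 64530 65001
2013-09-10T03:06:00|198.51.100.0/24|64510 64520 64501
2013-09-10T03:07:00|203.0.113.0/24|64510 64530 65001
2013-09-10T03:20:00|192.0.2.0/24|64510 64540 64550
"""


@dataclass
class Alert:
    time: str
    prefix: str       # the prefix as announced
    origin_as: int    # last ASN in the AS_PATH
    kind: str         # "origin-mismatch" or "more-specific"
    covered: str      # the monitored prefix that is affected


def parse_route(line: str) -> Tuple[str, str, List[int]]:
    """Split one collector line into (time, prefix, as_path as a list of ints)."""
    time, prefix, path = line.strip().split("|")
    # AS_SET segments ({...}) are not handled by this simplified parser.
    return time, prefix, [int(asn) for asn in path.split()]


def check_announcement(prefix: str, as_path: List[int],
                       expected: Dict[str, Set[int]] = EXPECTED_ORIGINS) -> List[Tuple[str, str]]:
    """Return (kind, covered_prefix) findings for a single announcement."""
    announced = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    findings: List[Tuple[str, str]] = []
    for monitored, allowed in expected.items():
        mon = ipaddress.ip_network(monitored)
        if announced.version != mon.version:
            continue
        if announced == mon:
            if origin not in allowed:
                findings.append(("origin-mismatch", monitored))
        elif announced.subnet_of(mon) and origin not in allowed:
            # A more-specific from an unexpected origin beats the legitimate
            # announcement under longest-prefix match.
            findings.append(("more-specific", monitored))
    return findings


def scan(log_text: str, expected: Dict[str, Set[int]] = EXPECTED_ORIGINS) -> List[Alert]:
    """Run every line of a route feed through check_announcement."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, prefix, path = parse_route(line)
        for kind, covered in check_announcement(prefix, path, expected):
            alerts.append(Alert(time, prefix, path[-1], kind, covered))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_ROUTES):
        print(f"{a.time} {a.kind}: {a.prefix} from AS{a.origin_as} (covers {a.covered})")
```

On the sample feed this produces two alerts: the /25 more-specific from AS65001 and the exact /24 from AS65001; the /24 from AS64501 is allowed by the table and the unmonitored 192.0.2.0/24 is ignored. A more-specific announced by one of your own allowed origins is treated as legitimate traffic engineering. Note that a detector like this only sees what propagates to the feed you are reading, which is exactly the caveat above about a short-lived event on a regional link: a public collector may never see it, so the most useful feed is one as close to your own edge as you can get.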

Anyway, if you do business in that region, and if you've been popped by those crews, and if you can confirm that you saw route injection prior to the attack, feel free to drop me a note and I'll give anonymized updates here.

Until next time, have fun n keep hackin :)

Wednesday, August 21, 2013

late summer smash up

if i don't slam this thing together, i'm just not gonna write it, so here we go.

(last post was sooo off... as always, your mileage w/ my speculation n theory may vary ;)


Gotta start w/ saying I luvz my prez...  just do, that's all.

What a cluster...  The admin is historically pretty hard on whistleblowers, so the way things have played out can't be called a complete surprise.  I think there may be a missed opportunity, b/c it seems like answering the father's request to allow Snowden to remain a free man until his trial was a win/win situation for all.  Try to remember how he's being debriefed by our BFF Mr Putin when you try to work out your argument against that one....  More on the guts of that story later.

The same way you might argue that the Snowden whistleblowing could've (mayyybe) advanced the speed and substance of the discussions about NSA inet spying stuff...  Well maybe Manning advanced the US public's willingness and desire to move away from the two wars we were in.  I know we're peeved he leaked stuff, and wikileaks published stuff, but trying to contain information leaks by punishing the leaker or whistleblower seems like trying to hold water in your hand...  And there was a lot of loose talk about how this giant leak was going to cause terrible amounts of damage, but we're a long way down the road and I'm not seeing the chaos and harm to America so clearly atm...  The world learned a lot of interesting information, and other than the extreme fuck-up of publishing completely unredacted information at the outset (endangering individual lives), it seems like maybe that hasn't been a terrible thing.  Maybe his punishment can be somewhat lightened if you take into account that his actions may have saved lives in a roundabout way...  maybe...  maybe not.  who knows.

I know this guy didn't make it either way...

Chilly war times seem to be back...  I've heard there are people who see the current 'instability' in Egypt as 'good'...  I cannot comprehend it.  But maybe we should just smile and nod while Saudi tells us to chill while they support the re-installation of the prior Egyptian regime.  You know, it's just like Bahrain or something...?  I know energy and money and middle east politics are complex, but I still want to believe that core US principles don't waver for those things...  Booooo :(

I heard there are signs that maybe economic aid may be used as a lever...

There are so many low boil conflict zones w/ ethnic issues and poverty that are just ripe for chilly war badness.  Booooo...  If you want to make some blood money w/o the diamonds, invest in your military industrial complex corps for future returns.  Booooo  :-\

Corporations are people, my friend.  But for some reason, corps are allowed to do just crazy ass shit.  As a corp, you can get thousands of chickens or turkeys and lock them in a dark room, and pump them full of steroids so they are mutated and couldn't survive outside...  Or you do genetic bioresearch and imitate nature the way a child imitates an adult driving a car... :-\  You can treat those thousands of birds so bad that they go bald from stress, and that's one of the least gross side effects of the way we're making our food today...  crazy...

But if you're just a person, then slowwwww down there partner....

If you own 20 cats, the authorities might just kick down your door and take your animals and take you to court.

Do you want to mix some common household chemicals into a fun little concoction?!?  Well, enjoy maybe being a felon and serving the prison industrial complex forever.  Just google around a little and you can find examples of people having fun with some relatively harmless blowing shit up and being charged with a variety of crimes even up to 'weapon of mass destruction' concerning 'bombs' like mentos in coke bottles.  serious post 9/11 use of police resources, indeed.  some work has been done documenting the disturbing trends in police militarization.

Hate to use the same source for two links, but the rabbit hole goes pretty far in terms of corps being not quite as limited as traditional people when it comes to tinkering with things.

Side note, is the problem here that he had a GPS jammer, or that the airport doesn't use more advanced jamming resistant systems?

Alright, sorry, I have to drop by and derp some derp... derp...

Ok, there have been a number of odd plane crashes and emergency incidents.  A lot, but not all, have been Boeing aircraft.

I'm not sure I've heard that any of these incidents couldn't have been caused by computer issues... eek :-\

Moving right along, that's what technology is doing in our lives...  And holy crap, you can't validate bitcoins like that or you'll make them into real things! And HOLY CRAP, didn't I see that in COD:BLOPS2?  It seems too easy and unlikely to be legit, but who knows...?  And the best for last, 3d printed food sounds AMAZING!!  (ok, I'm sleep deprived, but srsly the idea of using any type of protein is nifty...)  And wherever there's tech, you know the mil-spec cats are already there...

Oh, tech moves on unless you're at the FSO...

Alright, here we go..  The first I heard of this came after the Boston bombings when the FBI admitted they could reconstruct phone conversations back in time, which sounded kinda odd...

Then Snowden came out and claimed responsibility for leaking info about the programs.  At the time, he asked for people to focus on the content, and not make the story about him....  Unfortunately, we probably spent far more time talking about Snowden himself and/or royal babies, rather than talking about the capabilities that the NSA might have, and why they might need those capabilities, and where we might want to draw the line on those types of activities.

It's funny how the companies identified as working with the NSA came out with complete double-speak initially.  They strongly stated to press conferences that they definitively didn't let the government access their servers.  People who understand how some of the tech allegedly works would know that the government could snoop everything with MitM SSL without ever accessing the private servers.  Eventually the story evolved.

And then things started getting silly...  The NSA claimed it was unable to search its own internal emails, even though they are capable of searching a whole world's worth of emails.

The tough part of this situation is that nothing seems clear.  You have a spook from a family of spooks, who apparently saw some thing(s) so terrible that he had a crisis of such magnitude that he decided to leave his family, and girlfriend, and career, and nation...  And unfortunately, the people who committed the acts that caused him such trouble probably took the very same oath that he did to protect the United States.  So who is really the bad guy here?

What I hear from Charlie (full interview is great!) and others is: working at one of the most secretive places in the world doesn't mean you really know what's going on...  And I believe that.

We aren't protecting the NSA stuff for national security imho.  Well, not in any real logical way.  The terrorists already believe the spooks can do all kinds of crazy voodoo, because their partners in terror are always getting blown up by missiles.  That's why the head of AQ was using an IRL courier and living without inet.

We're invoking state secrets because we don't want other nations to know what we can do to them.

But all the other nations are free to (and surely executing on) invest in technology just like the NSA does.  So the strategy of keeping our techniques private probably won't pay off.

I believe the official press conf on the NSA spying stuff included a quote about the 2 leaked programs referred to w/ numeric identifiers "215 and 702".  Ok...  If we're using 3 digit codes here, then is it safe to assume there are at least 10 similar programs instead of two? Or 100?  Or 250?!?  Or what?

Would we really be talking about these programs without a leak?  It's hard to see it.

So just put sunshine on all the stuff, so the public can decide what trade-offs are reasonable.  I've previously advocated for a number of ways to leverage tech for the greater good, in ways that many might initially find uncomfortable (ie: monitoring all cell phones for gunshots and/or screams of terror).  I believe tech can be leveraged for good, but only when people can see and understand how it's being used.

At the moment, we're seeing violations as we peek under the rug...  And it doesn't sound like a small thing.

But things are not trending toward sunshine, rather towards more automation...  It's like a Bourne movie...  Some things that have been outed will be dismantled, and those capabilities will re-emerge in a new shadowy form with a new code name or number, and things will continue.  Boooooo, cynical :(

Don't get me wrong, I believe there have been successes, but do we know the cost?  For Snowden, it appears the cost may have been high enough to throw his life away in order to try to wake us up...?

There have been some unusual and odd theories running around about Boston.  I am not getting spun up in conspiracy theories, but I see an interesting side thought.  In the modern day and age, how difficult would it be to plant images in legit journalist HDDs and web sites, in order to manufacture a meta-conspiracy...  You could then point the internet investigators in the right direction, and stand back while they do your work to propagate the story you planted...  crazy, right? :)

So let's talk tech instead.  If you controlled all of the major inet links for a nation, and if you had SSL MitM for most connections...  and nearly unlimited tech and resources...  In my imagination you could create a sensory deprivation tank capable of control and influence that is far more insidious than the controls described in 1984.  An individual could be put in a virtual reality-distortion tank.  Communications inbound and outbound to that person could be influenced in real time.  The subject could be isolated and influenced to communicate with the 'right' people by letting some calls go to voicemail, and delaying texts and emails.  Their web browsing could have dynamic content injections to control their thinking.  Their streaming music could be hijacked to influence their mood.  Their computer could crash and act against them at the times to cause maximum disruption.  The sky is the limit when you're imagining the modern capability set...  Some people are starting to understand.

I recently hung out with 5 cool cats who are part of the 中華民族, but didn't seem like typical 華夏族.  They were very nice to me, and I enjoyed chatting them up, and I learned some cool stuff.  Anyway, they told me that in China, you can't even get to YouTube...

They might've been decent with computers, and I wish I'd had the presence of mind to remind them that the 金盾工程 is reportedly not too difficult to bypass.  And I hear there *might* be some hackers in China... ;)

So then the question becomes, do people who have powers that others don't have bear a shared responsibility for not using those power to help the people who don't have them...

If you can help people like you have basic freedoms that they don't have today, do you owe them that?

If you are drafted into servitude to enslave your brothers, is there really no way you can act to do what you think is right?  Where and how do you decide what you will do to be proud when you see yourself in the mirror?

It seems like I'm not the only one thinking this way...  Take a look at how those crazy scary Anonymous cats used their power FOR GOOD!  And it isn't just a one time thing, they are kinda like that special drop box the SAS has, but they HELP police solve crimes on the side instead of killing people ;)  I've got a good friend who has been concerned about how hacker geeks treat women at conferences and in the office and such, and I guess I think Anon has really stood up w/ these actions on behalf of battered women, so maybe he can have hope...

So does this type of demonstration of power mean that current and future hackers are really becoming a 5th column?  Power grids are shaking, and elites are being called out on BS, and status quos are being upset.

There will always be things we can't control, but don't we all choose how we add or subtract to this world?  Are we cogs in a machine that enable oppression, or are we the ghosts and gremlins that upset the general order and disrupt how those machines operate?

Just a parting shot/thought...  is this what it looks like when you let guys with computers tell guys w/ missiles and guns where people are?  Tragically breathtaking...


Sunday, February 10, 2013

Threat Assessment: Red Cell (Christopher Dorner)

I'd call this situation fascinating if people weren't dying.  The Dorner situation provides an examination of the risks presented by malicious insiders.  Dorner seems to be a case-study example of the types of threats modeled by Marcinko with his Red Cell antics.  Since he's been on the loose for 48 hours, it seemed worth a look...

Note: I am not an expert, or a shrink, or anything.  Just throwing ideas out there.

Info below based on a reading of the manifesto.

Subject has demonstrated a willingness and ability to attack and evade. Given the time available to plan this scenario, it is reasonable to expect the subject has multiple safe-houses available.  Subject will probably employ operational tactics that go beyond simple firearm attacks.

[Counter Tactics]
Given the high level of training and education displayed, specifically the repeated references to effective TTP of adversarial forces, it is reasonable to expect that the subject will employ proactive tactics to maximize his ability to both successfully strike and evade capture. Examples include diversion and subterfuge used in support of primary mission execution, secondary attacks to demoralize operational LEO assets, and tactics that create resource/asset drag on operational LEO assets.

It is reasonable to expect the subject continues to actively employ signals and cyber technologies to perform ISR.  Wherever possible, communication via secure technologies should be employed in order to prevent eavesdropping.

[Current Location]
Until the subject is located or attacks again, it must remain a possibility that he has left the LA area, although this seems unlikely.

While rural locations offer many advantages, and the subject is likely at home in outdoor environments in all weather conditions, there are significant disadvantages to rural locations, such as the inability to avoid observation or scrutiny while traveling quickly.

Hiding in plain sight in a dense urban environment may offer significant advantages, such as access to resources and multiple forms of transit.  Subject is likely to employ disguises to minimize chances for recognition.

[Key Observations]
It seems likely that the subject has ongoing access to local LE and federal cyber resources.  Particular attention should be paid to valid logins coming from the SOCAL area that have collisions with other valid login timings and operating patterns.
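The "collisions with other valid login timings" idea above is a standard detection: one account with sessions that overlap, or follow each other too quickly, from places the same person could not be in. The script below is an added example, not part of the original post: it reads constructed session records in an assumed "start|account|location|end" format, groups them per account, and flags pairs from different locations that either overlap in time or are separated by less than an assumed minimum travel gap. The account names, location labels and the two-hour gap are all made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed session records in an assumed "start|account|location|end" format.
# Locations are coarse labels, e.g. the region a VPN or portal login came from.
SAMPLE_SESSIONS = """\
2013-02-09T08:00:00|jdoe|DC|2013-02-09T12:00:00
2013-02-09T09:30:00|jdoe|SOCAL|2013-02-09T10:15:00
2013-02-09T13:00:00|asmith|DC|2013-02-09T14:00:00
2013-02-09T15:00:00|asmith|SOCAL|2013-02-09T16:00:00
2013-02-09T18:00:00|asmith|SOCAL|2013-02-09T19:00:00
"""

# Assumed minimum plausible gap between sessions from two different
# locations; tune it to the real travel time between the labels you use.
MIN_TRAVEL_GAP = timedelta(hours=2)


@dataclass
class Session:
    start: datetime
    account: str
    location: str
    end: datetime


@dataclass
class Collision:
    account: str
    first: Session
    second: Session
    kind: str   # "overlap" (concurrent) or "too-fast" (impossible travel)


def parse_sessions(text: str) -> List[Session]:
    """Parse the pipe-separated session records into Session objects."""
    sessions: List[Session] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, account, location, end = line.strip().split("|")
        sessions.append(Session(datetime.fromisoformat(start), account,
                                location, datetime.fromisoformat(end)))
    return sessions


def find_collisions(sessions: List[Session],
                    min_gap: timedelta = MIN_TRAVEL_GAP) -> List[Collision]:
    """Flag same-account session pairs from different locations that overlap
    or sit closer together than min_gap."""
    by_account: Dict[str, List[Session]] = {}
    for s in sessions:
        by_account.setdefault(s.account, []).append(s)

    collisions: List[Collision] = []
    for account, sess in by_account.items():
        sess.sort(key=lambda s: s.start)
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if a.location == b.location:
                    continue            # same place: nothing suspicious here
                if b.start < a.end:
                    kind = "overlap"    # b started while a was still active
                elif b.start - a.end < min_gap:
                    kind = "too-fast"   # not enough time to get from a to b
                else:
                    continue
                collisions.append(Collision(account, a, b, kind))
    return collisions


if __name__ == "__main__":
    for c in find_collisions(parse_sessions(SAMPLE_SESSIONS)):
        print(f"{c.account}: {c.kind} between {c.first.location} "
              f"({c.first.start:%H:%M}-{c.first.end:%H:%M}) and "
              f"{c.second.location} ({c.second.start:%H:%M}-{c.second.end:%H:%M})")
```

On the sample data jdoe's SOCAL session sits inside an active DC session (overlap) and asmith's SOCAL login comes one hour after a DC session ended (too-fast under the two-hour gap); asmith's later SOCAL session is from the same location as the previous one and is not flagged. Comparing locations by coarse label keeps the check simple; a production version would use geolocated source addresses and a travel-time model rather than a single fixed gap.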

Due to the physical size of the subject, he may choose to move primarily at night to minimize observation.

Expect trickery and subterfuge.  The subject believes himself to be in control of the situation, and will attempt to lead LE assets astray to continue operating towards his primary objective.  Don't be too quick to follow obvious paths with all available resources when capture seems likely or imminent.

Expect subject to be armed at all times, possibly with a silenced weapon.  The subject will be dressed in a style that supports a holstered concealed weapon.

[A Note to the Subject]
Don't kill me, bro.  ;)  You laid out that whole "don't even bother to profile me" thing, as if it were impossible.  In your report, you make it clear that your anger is specifically directed at LAPD for taking everything you had.  Unfortunately you're utilizing federal training to take your revenge, so you're betraying the oaths you've taken.  Your mom was correct, sometimes bad things happen to good people.  You are driven to this to regain your name, so the only path forward is to use your skills to escape and evade and build a new life.  You can only destroy with violence, it won't let you build a better reality within LAPD, like you hope it will...

More Modern Governing

I'd been sitting on this post for a bit, and then unfortunately this happened and became a thing...

According to reliable sources, Swartz was driven to abandon hope for his future when he acted like an activist and broke some laws, and was facing 35 years in prison.

In my opinion, this tragic outcome is just another sign of how our government is failing to keep pace with the realities of technology in the modern world.

We have a system where re-elected prosecutors worry about looking soft on virtually any category of crime, and hesitate to make reasonable deals to allow citizens who briefly lose their way to repay a debt to society and move on with a life that is generally unblemished in the eyes of the law.

When convicted of any felony in the US, some of which are easy to accidentally do, one faces a lifetime of punishment.  Abandon all hope of future employment for those who wear the scarlet "F".  And more and more, even misdemeanor convictions can haunt you.

Similarly, a drunken poor decision to urinate behind a bush can brand you as a convicted sex offender for the rest of your days.

We drive people to undesirable outcomes when we ruin the hopes they place on their future lives.  The reason the phrase "paid his debt to society" exists is that it embraces the concept that we want those who lose their way to be able to regain the good path.

And the joke of it is that there is a real problem with digital law breaking in the modern age.  Credit-card and other information theft is generally trivial to accomplish, and there are plenty of people out there living it up with money coming out of the credit card companies and small businesses (who eat costs sometimes).  And the fact is that these people face limited risk of being caught and punished despite repeated or massive abuse.

So when we catch an activist who is clearly not in it for the money, we throw the book at someone who helped create the digital world we love.

The part that is hardest to swallow is that when it comes to generating revenue, it appears that government is all about embracing a new technical world.  My local PD and govt employ automagic ticket writing cameras that must be reaping dividends when they're hitting people for $100+ for every failure to fully stop on a red for a right turn...

And recently I snagged this pic of what appears to be an auto-license plate scanner on a local PD cruiser:

I assume this will make ticketing easier for a variety of infractions.

The executive and judicial branches embrace technology when it comes to putting your embarrassing life details on the internet as well.  For years now people on the interwebz have been lulzing at funny mugshots.  Criminal databases are often public, and some states put all court cases online so everyone can know things you might otherwise consider private.

And yet, when it comes time to "re-elect" judges it seems like there is no concept of openness.  It seems rare to find any transparency of why a given decision is made, so you end up with internet articles full of raging outbursts about why someone should've been punished more, or how on earth could someone like this get off so lightly?!?  If a judge is serving in a public capacity, and if my mistakes are open to the world at large, why shouldn't everyone be allowed to access the information behind judicial decisions and outcomes?

There are a lot of areas where technology could have significant impacts on pursuing justice.  For example, it seems likely that cell-phones could be programmed to automatically capture information and contact authorities when they detect gunshots and/or screams via integrated microphones.  This could probably be done in software with checks and balances, and reduction of false-positives (ie: movies).  Some people might consider that an invasion of privacy, while others might point out that it could save lives.

There are a lot of opportunities and choices ahead for all of us in this space...  it's a shame Aaron won't be around to help us build the future.  In my opinion, he should've been fined and placed on probation and allowed to live his life.