An ideally secure network will have certain features:

  • Encrypted contents: MITM attacks cannot determine what data is moving across the network.
  • Encrypted storage: Those with physical access to a network node cannot tell what data the node contains.
  • Redundancy: The network can survive the removal of any node without loss of data.
  • Expansion: The operator can raise new nodes with minimal effort.
  • Immunity: The network can resist the insertion of fraudulent nodes by a hostile party.

Basically, an encrypted cloud with encrypted transportation running on servers with encrypted disks.

Advanced features:

  • Confusing transportation: Upon intercepting and decoding a message, an observer cannot identify the sender or intended recipient.
  • Invisible transportation: The network cannot be identified unless the observer is looking for it.
  • Obscured transport method: An observer will have difficulty determining that observed traffic is part of the network. For example, data sent over DNS or ICMP may be ignored by most observers.
  • Obscured transmission method: An observer with physical access will have difficulty observing that the transmission is taking place. For example, there was a virus that communicated with other infected systems in the same server room using sounds outside of human hearing range through a computer's speakers and microphones.

ZDNet lists five cloud systems: OpenStack, Docker, KVM, CloudStack, Ceph. Docker is reportedly popular.

Ceph is a distributed storage engine. The others seem to be different types of products.

The closest to an off-the-shelf system might be:

  1. Use Ceph
  2. Run every Ceph instance on an encrypted HD
  3. Run every intermediary connection through an encrypted tunnel
  4. Run the tunnels through tor?
  5. Develop a generic method of raising a new node and adding it

From John Schindler:

We've reached the point of security collapse in DC that the general reaction to the CIA director getting hacked & doxxed is "yeah, sure, ok"

How did Chinese hackers break into the Office of Personnel Management (mentioned earlier)? The OPM gave them root access.

John Schindler on Twitter says that the Office of Personnel Management data breach is much worse than reported given the types of information that are in this database, including blackmail material and identities of foreign contacts.

Let me explain a bit about why the compromise of OPM information is so serious from a security & counterintelligence (CI) viewpoint. We can take it as a given that career/HR type info has been compromised on 4M FedGov employees (2.1M current) whose data got hacked. That's important -- but far more is background investigation (BI) info which OPM first denied was compromised, now admits it has been.

A USG BI, which OPM handles a lot of for many different agencies, is NOT some sort of glorified credit check, it's much more than that. BI contains very personal & private information, supplied by security clearance applicants then verified (one hopes) by adjudicators. BI data includes your personal life, travels, full bio, details on finances and any "troubles" -- legal, private, sexual, you name it. BI also goes into great detail about "foreign national contacts" of clearance holders and applicants -- a goldmine for foreign intel.

Whoever has this info now can say about FedGover X that they know more about them than that person's best friends, even spouse/partner. This is EXACTLY the sort of information any FI service would love to have in order to influence, recruit, or compromise USG personnel. From any CI viewpoint, OPM hack is a certified disaster that it will be difficult to repair in less than decades. A truly epic #FAIL

Only people who may know me as well as my BI paperwork does are my lawyer, my doctor & my priest. Nearly all cleared people = similar. Although OPM says "only" 4M FedGov are impacted, I strongly advise ANYBODY who's had a clearance since 1985 to watch credit reports etc.

Somebody emailed al-Jazeera a cache of documents from Mossad, MI6, FSB, and the Australian and South African intelligence agencies. Which means someone who views Qatar favorably was part of a network that had the kind of access to these agencies needed to get these documents.

The Obamacare website is giving away Americans' personal information to marketing agencies. They claim not to provide people's names, but Facebook and Twitter can correlate that and much more than that from your IP address.

Jan. 17th, 2015 02:38 pm

Lizard Squad stored their customers' passwords in plaintext. They do have a skiddie reputation and this certainly adds to it.

On second thought, that may have been intentional. Most people use the same usernames and passwords on multiple sites. The Lizards now have a plaintext username and password pair for each of their customers, and there are certainly some people dumb enough to use a common username and password when doing business with criminals.

  • From Risk Based Security's excellent timeline of events:
    • Sony was crushed on November 24.
    • Guardians of Peace at that time had public contact info and a facebook page. RBS was able to contact them.
    • GoP claimed to have collected 12 terabytes of data from Sony.
    • GoP began publishing Sony data on December 1, one week after shutting down Sony's network.
    • GoP uses a different e-mail address every day, and these emails are likely compromised accounts of real people.
    • NBC News was first to suggest North Korean responsibility on December 1.
    • The FBI attempted to visit security researcher Dan Tentler, who has been investigating the Sony hack, for "illegal downloading".
    • Someone claiming to represent GoP sent emails to Sony employees threatening the lives of their families. Another email from GoP denied responsibility.
    • Mandiant was hired to investigate the Sony hack before it became public.
    • From leaked emails, a group called God’sApstls had emailed Sony executives on November 21.
    • An anonymous pastebin identifies Guardians of Peace as Tunisian Hacker Team members Beent1988, sillux, TheEyetion, and Supothis. RBS warns that the information is not reliable.
  • From the FBI's Dec. 19 report:
    • The malware is similar to the malware used in the 2013 attack on South Korean banks
    • The malware is similar to malware previously known to be used by North Korea
    • The infrastructure used is known to have previously been used by North Korea
  • From CyActive:
    • The Destover file deletion tool used in the Sony attack is very similar to the Disttrack/Shamoon tool used in the 2012 attack on ARAMCO and the wiper used in the 2013 DarkSeoul attack on South Korean banks and television.
  • From Marc Rogers, the top security guy of Cloudflare and the Black Hat conference:
    • The Shamoon source code was leaked and is widely available if you know where to look.
    • All but one of the alleged C&C servers are known public proxies used by multiple actors.
  • From Bloomberg:
    • From an anonymous source, the GoP used the network of the St. Regis hotel in Bangkok on Dec. 2 just after midnight local time
    • From Liam O Murchu of Symantec, the GoP used a C&C server that was used in the 2013 attack on South Korean banks.
    • McAfee had found similarities between the 2013 attack and attacks on US and South Korean military sites dating to 2009.
    • CrowdStrike has tracked the attackers since 2006 and identifies them as North Korean.
  • From the GoP hacker Lena, via Verge:
    • GoP had physical access to Sony's facilities and "staff with similar interests" let them in.
    • Lena initially claimed that GoP's goal was "equality", saying "We Want equality. Sony doesn’t. It’s an upward battle."
  • From Fusion Media and Business Insider:
  • From Kurt Stammburger at Norse Security, cited by CBS:
    • Stammburger has tentatively identified Lena as a ten-year Sony employee who left Sony in May and "was in precisely the right position and had the deep technical background she would need to locate the specific servers that were compromised."
    • The "North Korean" malware identified by the FBI is generic and in wide use by all sorts of hackers.
    • The GoP did not make any demands regarding the movie The Interview until late in their campaign.
  • From Brian Fung at WaPo:
    • Hackers claiming ties to Anonymous launched OpRIPNK to DDoS North Korea.
    • TheAnonMessage endorsed OpRIPNK and was denounced by YourAnonNews for a separate issue.
    • Lizard Squad celebrated the DDoS of North Korea.
  • From Bloomberg:
    • The speed with which the national security apparatus blamed North Korea for the hack is suspicious.
    • IntelCrawler has identified several Lizard Squad members as members of Guardians of Peace.
    • Sony has been compromised by multiple hacking rings for years.
    • Sony was warned in late 2013 of hackers stealing gigabytes of data.
  • From Radar citing leaked Sony emails:
    • A high-ranking CIA agent met with Sony's head of security Stevan Bernard on October 31.
    • Undersecretary of State Richard Stengel and other feds asked Sony to produce propaganda against ISIS.
  • From Marc Rogers:
    • The Guardians of Peace text "reads to me like an English speaker pretending to be bad at writing English" rather than a Korean with poor grasp of English.
    • The Guardians of Peace did not mention North Korea or The Interview until after the media suggested that North Korea may have been behind the attack because of the movie.
    • The code was written on a PC with Korean locale, but Rogers suggests this is meaningless.
    • The destruction of Sony's data combined with the failure to take advantage of it suggests that the attacker was motivated by revenge.
  • From The Daily Beast:
    • The Guardians of Peace laughed at the FBI's assumption that North Korea was responsible.
    • The GoP linked to the "You Are An Idiot" video.
    • Richard Nixon once referred to South Korea as "the guardians of peace", a possible origin of the group's name.
    • An anonymous pastebin claiming to represent a group of 25-30 Anonymous members threatened further hacking attacks against Sony if they failed to release The Interview.

Comic relief:

Edit Dec. 26: Lizard Squad got doxxed by Finest Squad. Most of the lizards are high school age or younger, suggesting that there are leaders yet to be identified. The oldest name in the list is a 32yo who goes by "Criminal", "CGOD", or "Fatally" online, suggesting he might be the most experienced in the group (that we know of) and inclined to criminal behaviour. The full list of names is: chF/chFthemango/FTBG cHF, clerk/nitrous/verdict, TokenTheGod/OMG Treh/BaseSquad, kms/underscore, Criminal/CGOD/Fatally, Jordie, MLT. A separate doxx by "Dox Squad" identifies additional members: Satan666/Satan600, Teridax/AlphaQuintesson, PriNc£/Dox_Boi, Komodo/SYNACKtra, BP/Onion Cow/GaySexWithDad, Niko/PussySquirting, and Cedrick/Cedrick8I. Additional names are given for chF: chFTheCat, Clerk: Savaged/NotClerk. Another doxx lists TokenTheGod as Lizard Squad's leader, GDK Jordie as co-leader, chF as manager, and gives additional names: Souly (IP provisioning), dox_boi (doxxing and swatting), lolaristocrat (doxxing), Talos. It mentions that Criminal/Fatally had been raided. Most of the Finest Squad doxx was copied and pasted from a Dec. 9 doxx by YourAnonGlobo. Also, Lizard Squad is threatening to doxx Finest Squad back.

None of these doxx mention any alleged links between Lizard Squad and GoP, so IntelCrawler's claim that they are related has no outside support yet.

Edit Jan 10: Rumor has it that several lizards have moved to Team P0ison. The /baphomet/ group on 8chan is pointing the finger at DeleteSec / Deadman1420 as a lizard affiliate who was dumb enough to go to 8chan from his home IP and brag that he DDOSed them. It's not impossible that someone else was using his system as a proxy.

Edit Feb 1: Unconfirmed chatlogs and rumors suggest that Lizard Squad's Vince Omari and Julius "Ryan" Kivimaki got picked up by the police in January, were released, and then started attacking 8chan's Gamergate forum. That ain't suspicious at all.

IntelCrawler has released a report on Lizard Squad attempting to link them to Guardians of Peace.

  • The strongest link is that a lizard admitted "knowing some people from the GOP" and "handed over some Sony logins to them".
  • Lizard Squad domain host Abdilo/Notavirus/Survivaton "left Lizard Squad in October", has a history of hacking South Korean targets, and had tweeted about GoP after the group had been named in the press.
  • Teridax was tweeting jokes about 9/11 around the time a GoP paste mentioned 9/11, which is entirely meaningless
  • lolaristocrat joked about being from North Korea after the media blamed the Sony attack on North Korea, which is even more meaningless

That's not very strong. Additional Lizards named by IntelCrawler are ladykiller/labelled, sp3c, Vagineer, Chameleon, ryan (Kivimaki), dragon, and Gecko. I suspect that Chameleon, dragon, Komodo, and Gecko probably have different names and took lizard-themed names for Lizard Squad. Abdilo has been known to livestream his attacks, has openly attacked .gov and .mil sites for months from his home IP, and has not been arrested. The hacking group The Empire published Abdilo's request for membership.

So far it looks like the link between Lizard Squad and GoP is very weak.

Edit Dec 28: Not about the hack but worthy of a facepalm, Sony pirated some of the music in the movie. This from the same company that put rootkits on its music CDs.

Edit Dec 29: Norse Security has now identified six individuals involved in the hack. Charles C. Johnson has identified a second Sony employee as an involved hacker. This "lena2" is a senior systems administrator in Sony's payroll department, which Sony's consultants Bain & Co. eliminated. Leaked data suggests that lena2 may be Shahana Manjra, but nothing is confirmed yet.

From Jonathan Langdale: "They are looking at the wrong Lena. Lena was a June pink slip, used as a decoy. They have another name though."

Edit Jan 10: The FBI denounced Norse's information as not credible.

Edit Jan 10: The RBS timeline has updated.

Edit Feb 1: The NSA claims it had broken into North Korea's network and watched the attack go down. That would be exceptionally strong evidence if true.

Here's a conspiracy theory found while googling around for more info about the attack: TahoeBlue at Prison Planet thinks Sony did it to themselves to distract the public from the movie "Unbroken", about a Japanese POW camp during WWII. This idea has motive and nothing else going for it.

scrap dump

Jun. 6th, 2014 05:15 am

I had intentions to write a blog post declaring 2011 as the Year of the Hacker but never got around to it. We had LulzSec, J3ster, and Web Ninjas. We had Stuxnet. We had Iran hacking certificate agencies. We had the iPhone "Towson" hack. We had noobs getting arrested for using LOIC from home. We had a virus hit control computers for the CIA's drones.

The benefit of modern Javascript+HTML is that you can do anything with it. The drawback of making Javascript+HTML a Turing-complete environment is that you can do anything with it.

I was studying Android programming a few months years ago, and they made this recommendation: "Don't call the UI-construction code directly! Use XML for your interfaces!"

The Android XML format is so painful to look at that I thought it worth my time to design my own alternate domain-specific language rather than use the one they gave me. (I never finished it)

The old practice of web development

<TITLE>My Webpage</TITLE>

The new practice of web development

// Build the same document tree by hand, one DOM call per element.
var node_html = document.createElement("html");
var node_html_head = document.createElement("head");
var node_html_head_title = document.createElement("title");
// innerHTML parses its argument as markup; for a plain string, textContent avoids that.
node_html_head_title.innerHTML = "My Webpage";
node_html_head.appendChild(node_html_head_title);
node_html.appendChild(node_html_head);

Android and the Web seem to be going in opposite directions there.

I propose a new baseball statistic that weights and combines multiple different types of failure. Call it Derps Per Perp.

For pitchers:

  • any appearance including:
    • an inning surrendering four or more runs, OR
    • any appearance of under one inning that is not the final appearance of that inning.
  • Balks
  • Hit batters

for batters:

  • Hitting into double and triple plays
  • Fielding errors

Divide batter stats by factors related to at-bats

Divide pitcher stats by factors related to innings pitched

Statistics for the AL might need to be adjusted due to pitchers not hitting and designated hitters not fielding.

The developers of the hard-drive encryption software Truecrypt decided to go out in style, that style being Modernist with a touch of Dada. The most popular theory is that the anonymous developers were compromised by a government agency and forbidden from discussing it so they acted absurd enough that people would notice something is wrong. An alternate theory is a table-flipping mental breakdown on the part of whoever controls the web presence.

Kaspersky Labs suspects the Careto malware to have been developed by a Spanish-speaking nation-state. They say it's one of the most advanced systems they've seen and is run by people who have a grasp of operational security.

Edit: an interesting bit from the longer analysis: "the malware is digitally signed with a valid certificate (since 2010) from an unknown or fake company, called TecSystem Ltd:" which means that the developers got into whoever validates these certificates. They also had access to a 0-day developed by VUPEN which reported having only sold it to state governments.

A rather amusing/frightening story. President Kennedy ordered code-based locks placed on every US nuclear missile. Strategic Air Command told DC they'd done it, then got around to installing them on some missiles in 1977 and set the launch code for every missile to the same number: 00000000.

All of the Spaceballs jokes are being made over at Fark. I have a vision of rewriting those Hollywood action movies to where the bad guy steals the nuclear launch codes, takes a glance at them, hands them back, and says "You guys have problems."

Beginning with Windows Vista, users in the Administrators group cannot edit files that the Administrators group has full permissions to edit.

A supposed workaround is to make a Really Administrators group, assign your file permissions to Really Administrators, put your administrators in there instead of in Administrators, and stick that group under Administrators. I will have to try that.


May. 9th, 2012 05:01 am

My security sucks lately. First my own negligence allowed spambots to walk into a website of mine, and now I've allowed a virus onto my computer.

The virus calls itself "Adobe Flash Updater". Symptom: A screen sometimes appears on startup telling me that there is an updated version of Adobe Flash and I should download it.

I only allow a very few items and services to run at startup, and Adobe Flash Player is not one of them. The updater is not in startup. It is not a service. It is not a scheduled task. It is not in HKLM/Windows/CurrentVersion/Run*. It is not listed in msconfig. Even Sysinternals Autoruns does not see it. The Flash updater is installed in a way that hides it very well from administrators.

  • Unknown software is being run on my computer without my permission.
  • The process which loads the software is invisible to the usual Windows tools and startup-checking procedures.
  • The software is communicating with another host on the Internet. Since it runs at startup and outside of my control, I cannot tell what information it is sending.
  • Since the software cannot be identified, it is not known what access rights it has.

There is an "AdobeUpdater" folder under HKCU/Microsoft/Windows/CurrentVersion/Run, but it is empty and has no information in it that can be linked to a program. There is no other match for "AdobeUpdater" in the Registry, and there are no files in the Windows directory containing the text "AdobeUpdater". An unknown process reinstalls the AdobeUpdater folder after it is deleted.

The first time this happened, I killed the process before capturing its name and I destroyed enough of the registry to prevent Firefox or Safari from loading. This also seemed to have stopped the virus from reappearing until I reinstalled Safari. On the next reboot, the virus came back and I was able to identify it as FlashUtil10v_Plugin.exe even though the virus window tried to display over Task Manager.

No file in the \windows directory contains this name other than the virus itself, nor does any file contain the name in u.n.i.c.o.d.e 16-bit encoding. There was nothing in Program Files either. Its presence in the registry includes a record of my searching for it, a MUICache entry that resulted from it being run, and an uninstaller path.

I cannot find any entry point that would actually run the program. Will update this post if I do...

Update 2012/05/16: Explanation found: The flash updater is added to RunOnce and this startup entry is deleted when the updater runs. So what adds it? It is probably added whenever the flash plugin runs in a browser. The day before the most recent occurrence, I had just enabled "plugins" in Opera to attempt to run the NotScripts extension (a NoScript knockoff) on a page where I wanted to run Javascript. Earlier instances of the problem could have been caused by running freshly-installed Safari before turning off its plugins.

Opera's plugins folder is empty on my system. According to about:plugins, Opera pokes around other places on your file system to find plugins. Weird.
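Since a RunOnce entry is deleted as soon as it runs, a tool like Autoruns that looks after boot will never see it. One defender-side way to catch that pattern, as an added example that is not from the original post: snapshot the Run/RunOnce keys on every run, log what appeared and disappeared since the previous snapshot, and schedule it at logon and every few minutes. The log path and the key list are assumptions.

```powershell
# Added example (not code from the original post): snapshot the Run/RunOnce
# autostart keys and diff against the previous snapshot, so an entry that a
# program writes to RunOnce and that vanishes on the next boot still leaves
# a record. Assumptions: PowerShell 5.1+, the log path, and the key list.
$LogPath = 'C:\ProgramData\AutostartWatch\runonce.log'   # assumed location

# Run and RunOnce under both hives, plus the 32-bit views on 64-bit Windows.
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    # Returns one "key|valuename|command" string per value under the listed keys.
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            '{0}|{1}|{2}' -f $key, $name, $item.GetValue($name)
        }
    }
}

function Compare-AutostartSnapshot {
    param([string[]]$Previous, [string[]]$Current)
    # Entries present now but absent last time (and vice versa) are the ones to look at.
    $added   = @($Current  | Where-Object { $_ -notin $Previous })
    $removed = @($Previous | Where-Object { $_ -notin $Current })
    [pscustomobject]@{ Added = $added; Removed = $removed }
}

$snapshotFile = [IO.Path]::ChangeExtension($LogPath, '.last')
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$previous = if (Test-Path -LiteralPath $snapshotFile) { @(Get-Content $snapshotFile) } else { @() }
$current  = @(Get-AutostartEntries)
$diff     = Compare-AutostartSnapshot -Previous $previous -Current $current

# Append the changes with a timestamp, then save the current state for the next run.
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
foreach ($e in $diff.Added)   { Add-Content -Path $LogPath -Value "$stamp ADDED   $e" }
foreach ($e in $diff.Removed) { Add-Content -Path $LogPath -Value "$stamp REMOVED $e" }
$current | Set-Content -Path $snapshotFile

# An entry logged as ADDED under a RunOnce key and REMOVED on a later run is the
# self-deleting startup entry described above; the log keeps its command line.
$diff
```

Run it under the user whose HKCU you care about; a task running as SYSTEM sees a different HKCU hive.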

Page generated Oct. 19th, 2017 07:15 am
Powered by Dreamwidth Studios