Dailydave mailing list archives
Re: Hacking the tribal websites, scuba divers, and lilacs.
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 24 May 2012 12:08:15 -0400
People are pointing out that they didn't so much "hack" as "buy ad space", which kinda ruins my point and doesn't let me vent about the person behind me during my commute this morning. :> http://www.lawfareblog.com/2012/05/state-department-hackers/ has more information. The Cupcake thing was real though, iiuc.

-dave

On 5/24/12 10:47 AM, Dave Aitel wrote:

http://www.washingtonpost.com/national/clinton-state-department-hacked-al-qaida-sites-in-yemen-part-of-covert-war-on-terror/2012/05/23/gJQAKFOdlU_story.html

So you know how when you're at a stoplight, and you see flashing lights from a fire truck behind you, and you'll carefully maneuver to pull over into a nook on the side of the road? But sometimes the person behind you will just scoot forward to claim your space, blocking the firetruck and ruining the whole point of your moving aside. Then like, at the very next block, they'll do the exact same thing to the little SUV that follows the fire truck? And at that point you'll look back, trying to figure out who they are, and what it is exactly about the situation here they're not getting, while making certain culturally appropriate yet not too violent (Miami has liberal concealed carry laws) gestures?

In a nutshell, that's how operators feel when policy makers ask them to deface websites.

On the surface, removing Al Qaeda propaganda may SEEM like a step forwards. You can see the policy brain working like this:

1. Our opponent has moved their PR and recruitment to web sites
2. I have people who can hack web sites
3. What if we do something super clever to their web sites? TAKE THAT AL QAEDA!

Your basic operator team is thinking of a few other things:

1. What parts of our toolchain are going to be exposed by hacking into a tribal website?
1a. A rootkit of some kind that we've tested, possibly modified from open sources <http://immunityinc.com/products-hydrogen.shtml>, but regardless, something fairly valuable.
1b. An exploit signature. Even if the Yemenis don't necessarily store all their traffic and analyze it afterwards, perhaps the nice Indian folks of Tata Communications <http://www.tatacommunications.com/about/history.asp> (which is how you got your SQLi to Yemen in the first place) checked their satellite traffic logs after the event, and now whatever cool technique you used to get in is burnt, along with everything unencrypted you did (recon, trojan listening post, etc.). So then the Indian government goes through their logs of their own satellites and checks out what you're doing there, or in Pakistan, or whatever. This causes an attribution problem of hilarious proportions.
1c. It's no doubt that if this sort of thing gets positive news in the Washington Post, someone's going to want to do it again but on harder targets. So now you face the dilemma - do you burn the strategic resources (exploits, rootkits, methodologies and techniques) that you've been using on "real things" for short-lived PR stunts?
1d. Those ads are just going to come out on some other website in about fifteen minutes, and people who never would have looked at them are going to go check out what the Americans didn't want them to see. On a "stern warning" to "hellfire missile" scale, you're looking a lot more like a shaken finger and a cross look here.

A decent operator is a bit like a scuba diver. In their head (or a logbook) is a long list of possible OPSEC weaknesses, which are checked and maintained like blood-nitrogen content to get a "feel" for their exposure over time (which influences their actions in complex ways that would make Jacques Cousteau confused).

In the original unethical hacking class we would do this exercise where we would randomly pull the plug on a student's network cable, and ask them "what did you leave exposed". The goal was to instill a fear, like the old gas trainings. "Smell a lilac? Run for the hills! <http://www.slate.com/articles/news_and_politics/explainer/2006/08/does_poison_gas_smell_good.html>" That sort of thing.

In any case, with "hacking of tribal websites" or "cupcake recipe promotion <http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8553366/MI6-attacks-al-Qaeda-in-Operation-Cupcake.html>" generally your operator team is smelling lilacs, and not in a good way.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
--
INFILTRATE - the world's best offensive information security conference. April 2013 in Miami Beach www.infiltratecon.com