[Dailydave] Hacking the tribal websites, scuba divers, and lilacs.

Dave Aitel dave at immunityinc.com
Thu May 24 10:47:59 EDT 2012


http://www.washingtonpost.com/national/clinton-state-department-hacked-al-qaida-sites-in-yemen-part-of-covert-war-on-terror/2012/05/23/gJQAKFOdlU_story.html


So you know how when you're at a stoplight, and you see flashing lights
from a fire truck behind you, and you'll carefully maneuver to pull over
into a nook on the side of the road? But sometimes the person behind you
will just scoot forward to claim your space, blocking the firetruck and
ruining the whole point of your moving aside. Then like, at the very
next block, they'll do the exact same thing to the little SUV that
follows the fire truck? And at that point you'll look back, trying to
figure out who they are, and what it is exactly about the situation here
they're not getting, while making certain culturally appropriate yet not
too violent (Miami has liberal concealed carry laws) gestures?

In a nutshell, that's how operators feel when policy makers ask them to
deface websites. On the surface, removing Al Qaeda propaganda may SEEM
like a step forwards. You can see the policy brain working like this:

 1. Our opponent has moved their PR and recruitment to web sites
 2. I have people who can hack web sites
 3. What if we do something super clever to their web sites? TAKE THAT
    AL QAEDA!

Your basic operator team is thinking of a few other things:

1. What parts of our toolchain are going to be exposed by hacking into a
   tribal website?
   1a. A rootkit of some kind that we've tested, possibly modified from
       open sources <http://immunityinc.com/products-hydrogen.shtml>, but
       regardless, something fairly valuable.
   1b. An exploit signature. Even if the Yemenis don't necessarily store
       all their traffic and analyze it afterwards, perhaps the nice Indian
       folks of Tata Communications
       <http://www.tatacommunications.com/about/history.asp> (which is how
       you got your SQLi to Yemen in the first place) checked their
       satellite traffic logs after the event, and now whatever cool
       technique you used to get in is burnt, along with everything
       unencrypted you did (recon, trojan listening post, etc.). So then
       the Indian government goes through their logs of their own
       satellites and checks out what you're doing there, or in Pakistan,
       or whatever. This causes an attribution problem of hilarious
       proportions.
   1c. It's no doubt that if this sort of thing gets positive news in
       the Washington Post, that someone's going to want to do it again
       but on harder targets. So now you face the dilemma - do you burn
       the strategic resources (exploits, rootkits, methodologies and
       techniques) that you've been using on "real things" for short-lived
       PR stunts?
   1d. Those ads are just going to come out on some other website in
       about fifteen minutes, and people who never would have looked at
       them are going to go check out what the Americans didn't want them
       to see. On a "stern warning" to "hellfire missile" scale, you're
       looking a lot more like a shaken finger and a cross look here.

A decent operator is a bit like a scuba diver. In their head (or a
logbook) is a long list of possible OPSEC weaknesses, which are checked
and maintained like blood-nitrogen content to get a "feel" for their
exposure over time (which influences their actions in complex ways that
would make Jacques Cousteau confused). In the original unethical hacking
class we would do this exercise where we would randomly pull the plug on
a student's network cable, and ask them "what did you leave exposed". The
goal was to instill a fear, like the old gas trainings. "Smell a lilac?
Run for the hills!
<http://www.slate.com/articles/news_and_politics/explainer/2006/08/does_poison_gas_smell_good.html>"
That sort of thing.

In any case, with "hacking of tribal websites" or "cupcake recipe
promotion
<http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8553366/MI6-attacks-al-Qaeda-in-Operation-Cupcake.html>"
generally your operator team is smelling lilacs, and not in a good way.

-dave




-- 
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
www.infiltratecon.com
