[Dailydave] Hacking the tribal websites, scuba divers, and lilacs.

Dave Aitel dave at immunityinc.com
Thu May 24 12:08:15 EDT 2012


People are pointing out that they didn't so much "hack" as "buy ad
space", which kinda ruins my point and doesn't let me vent about the
person behind me during my commute this morning. :>

http://www.lawfareblog.com/2012/05/state-department-hackers/ has more
information. The Cupcake thing was real though, iiuc.

-dave

On 5/24/12 10:47 AM, Dave Aitel wrote:
> http://www.washingtonpost.com/national/clinton-state-department-hacked-al-qaida-sites-in-yemen-part-of-covert-war-on-terror/2012/05/23/gJQAKFOdlU_story.html
>
>
> So you know how when you're at a stoplight, and you see flashing lights
> from a fire truck behind you, and you'll carefully maneuver to pull over
> into a nook on the side of the road? But sometimes the person behind you
> will just scoot forward to claim your space, blocking the firetruck and
> ruining the whole point of your moving aside. Then like, at the very
> next block, they'll do the exact same thing to the little SUV that
> follows the fire truck? And at that point you'll look back, trying to
> figure out who they are, and what it is exactly about the situation here
> they're not getting, while making certain culturally appropriate yet not
> too violent (Miami has liberal concealed carry laws) gestures?
>
> In a nutshell, that's how operators feel when policy makers ask them to
> deface websites. On the surface, removing Al Qaeda propaganda may SEEM
> like a step forwards. You can see the policy brain working like this:
>
>  1. Our opponent has moved their PR and recruitment to web sites
>  2. I have people who can hack web sites
>  3. What if we do something super clever to their web sites? TAKE THAT
>     AL QAEDA!
>
> Your basic operator team is thinking of a few other things:
>
> 1. What parts of our toolchain are going to be exposed by hacking into a
> tribal website?
>    1a. A rootkit of some kind that we've tested, possibly modified from
> open sources <http://immunityinc.com/products-hydrogen.shtml>, but
> regardless, something fairly valuable.
>    1b. An exploit signature. Even if the Yemenis don't necessarily store
> all their traffic and analyze it afterwards, perhaps the nice Indian
> folks of Tata Communications
> <http://www.tatacommunications.com/about/history.asp> (which is how you
> got your SQLi to Yemen in the first place) checked their satellite
> traffic logs after the event, and now whatever cool technique you used
> to get in is burnt, along with everything unencrypted you did (recon,
> trojan listening post, etc.). So then the Indian government goes through
> their logs of their own satellites and checks out what you're doing
> there, or in Pakistan, or whatever. This causes an attribution problem
> of hilarious proportions.
>    1c. It's no doubt that if this sort of thing gets positive news in
> the Washington Post, that someone's going to want to do it again but on
> harder targets. So now you face the dilemma - do you burn the strategic
> resources (exploits, rootkits, methodologies and techniques) that you've
> been using on "real things" for short-lived PR stunts?
>    1d. Those ads are just going to come out on some other website in
> about fifteen minutes, and people who never would have looked at them
> are going to go check out what the Americans didn't want them to see. On
> a "stern warning" to "hellfire missile" scale, you're looking a lot more
> like a shaken finger and a cross look here.
>
> A decent operator is a bit like a scuba diver. In their head (or a
> logbook) is a long list of possible OPSEC weaknesses, which are checked
> and maintained like blood-nitrogen content to get a "feel" for their
> exposure over time (which influences their actions in complex ways that
> would make Jacques Cousteau confused). In the original unethical hacking
> class we would do this exercise where we would randomly pull the plug on
> a student's network cable, and ask them "what did you leave exposed". The
> goal was to instill a fear, like the old gas trainings. "Smell a lilac?
> Run for the hills!
> <http://www.slate.com/articles/news_and_politics/explainer/2006/08/does_poison_gas_smell_good.html>"
> That sort of thing.
>
> In any case, with "hacking of tribal websites" or "cupcake recipe
> promotion
> <http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8553366/MI6-attacks-al-Qaeda-in-Operation-Cupcake.html>"
> generally your operator team is smelling lilacs, and not in a good way.
>
> -dave


-- 
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
www.infiltratecon.com
