<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<a
href="http://www.washingtonpost.com/national/clinton-state-department-hacked-al-qaida-sites-in-yemen-part-of-covert-war-on-terror/2012/05/23/gJQAKFOdlU_story.html">http://www.washingtonpost.com/national/clinton-state-department-hacked-al-qaida-sites-in-yemen-part-of-covert-war-on-terror/2012/05/23/gJQAKFOdlU_story.html</a><br>
<br>
<br>
So you know how when you're at a stoplight, and you see flashing
lights from a fire truck behind you, and you'll carefully maneuver
to pull over into a nook on the side of the road? But sometimes the
person behind you will just scoot forward to claim your space,
blocking the fire truck and ruining the whole point of your moving
aside. Then like, at the very next block, they'll do the exact same
thing to the little SUV that follows the fire truck? And at that
point you'll look back, trying to figure out who they are, and what
it is exactly about the situation here they're not getting, while
making certain culturally appropriate yet not too violent (Miami has
liberal concealed carry laws) gestures?<br>
<br>
In a nutshell, that's how operators feel when policy makers ask them
to deface websites. On the surface, removing Al Qaeda propaganda may
SEEM like a step forward. You can see the policy brain working like
this:<br>
<br>
<ol>
<li>Our opponent has moved their PR and recruitment to web sites</li>
<li>I have people who can hack web sites</li>
<li>What if we do something super clever to their web sites? TAKE
THAT AL QAEDA!<br>
</li>
</ol>
Your basic operator team is thinking of a few other things:<br>
<br>
<ol>
<li>What parts of our toolchain are going to be exposed by hacking
into a tribal website?
<ol type="a">
<li>A rootkit of some kind that we've tested, possibly modified
from <a href="http://immunityinc.com/products-hydrogen.shtml">open
sources</a>, but regardless, something fairly valuable.</li>
<li>An exploit signature. Even if the Yemenis don't necessarily
store all their traffic and analyze it afterwards, perhaps the nice
Indian folks at <a
href="http://www.tatacommunications.com/about/history.asp">Tata
Communications</a> (which is how you got your SQLi to Yemen in the
first place) checked their satellite traffic logs after the event,
and now whatever cool technique you used to get in is burnt, along
with everything unencrypted you did (recon, trojan listening post,
etc.). Then the Indian government goes through the logs of
its own satellites and checks out what you're doing there, or in
Pakistan, or wherever. This causes an attribution problem of
hilarious proportions.</li>
<li>There's no doubt that if this sort of thing gets positive news
in the Washington Post, someone's going to want to do it again,
but on harder targets. So now you face the dilemma: do you burn the
strategic resources (exploits, rootkits, methodologies and
techniques) that you've been using on "real things" for short-lived
PR stunts?</li>
<li>Those ads are just going to come out on some other website in
about fifteen minutes, and people who never would have looked at
them are going to go check out what the Americans didn't want them
to see. On a "stern warning" to "hellfire missile" scale, you're
looking a lot more like a shaken finger and a cross look here.</li>
</ol>
</li>
</ol>
<br>
A decent operator is a bit like a scuba diver. In their head (or a
logbook) is a long list of possible OPSEC weaknesses, which are
checked and maintained like blood-nitrogen content to get a "feel"
for their exposure over time (which influences their actions in
complex ways that would make Jacques Cousteau confused). In the
original unethical hacking class we would do this exercise where we
would randomly pull the plug on a student's network cable, and ask
them "what did you leave exposed?". The goal was to instill a fear,
like the old gas trainings. "<a
href="http://www.slate.com/articles/news_and_politics/explainer/2006/08/does_poison_gas_smell_good.html">Smell
a lilac? Run for the hills!</a>" That sort of thing.<br>
<br>
In any case, with "hacking of tribal websites" or "<a
href="http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8553366/MI6-attacks-al-Qaeda-in-Operation-Cupcake.html">cupcake
recipe promotion</a>" generally your operator team is smelling
lilacs, and not in a good way.<br>
<br>
-dave<br>
<br>
<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
<a class="moz-txt-link-abbreviated" href="http://www.infiltratecon.com">www.infiltratecon.com</a>
</pre>
</body>
</html>