Mad Magazine, the NSA and Chinese Army Hackers

A quick follow up to yesterday’s post, continuing the “Jeez, you just can’t keep a good secret anymore” meme for the week.  If you follow politics or business news you may have seen lots (and lots and lots) of headlines lately regarding US economic losses, political wrangling and business executives’ hand-wringing over enormous, far-reaching and, by all accounts, incredibly effective Chinese hacking and cyber penetration of American companies, research labs and government agencies.  (Reading like a list of B-grade spy movies, feel free to read about “Operation Shady Rat” or “Byzantine Foothold” for some eye-opening facts and figures if this stuff isn’t your normal beat.)


Recently, there was great sturm und drang after the folks over at Mandiant produced a very detailed and revealing public report about just how big, bad, widespread and effective these efforts have been (which wasn’t entirely news to those in the know), and much more interestingly, great specifics on how it was done, and by whom, (which was).


A division of the Chinese People’s Liberation Army known by the not-entirely-inspirational moniker of “PLA Unit 61398” has since been the topic of much discussion in the press, the government and the security community.  (Not that a sexy moniker is all that important I suppose.  I hear it’s a great place to work with great benefits.  You can read one of their recruiting notices here if you’d like – see aforementioned “Jeez, can’t anybody keep a secret anymore?” discussion.)


Not to be outdone, (and in a piece that made me feel a bit like I was seeing a media version of the old Spy vs. Spy cartoons) FP just published a story headlined “Inside the NSA’s Ultra-Secret China Hacking Group”.  When the article includes a description of the inside of the building and the door into the room housing said “Ultra-Secret” unit, I’m pretty sure the folks who work there had a pretty significant hand in un-secreting it.


Still, given that the Chinese have long said they have their own mountains of data that we’ve been doing the same to them, perhaps this was just a timely PR use of information that, like Unit 61398, was about to enter the public conversation anyway.  The more I think about it, the more resonant that old cartoon strip seems.  They do it to us.  We do it to them.  Both sides know it, and the game goes on.  My guess is that what is a little bit different now is that both sides have to learn to play a game of shadows on a field that’s far more brightly lit than ever before.


Big Ears, Little Ears: One article, three layers of blown secrecy, and how Edward Snowden proves my point

Well, I haven’t had much time to write here for quite a while, but the Edward Snowden affair – and more specifically this piece in the Guardian – was such a terrific display of the Digital Water concept and “a world awash in data” that I couldn’t resist, despite my current schedule.  This story is kind of a delicious “triple play” on the concept.

I suppose before I dive in I should probably comment on using the word “delicious” in this context since I know there is an awful lot of outrage and shock on all sides of this debate.  Some are appalled by Snowden’s revelations, i.e. the supposed extent of the NSA’s electronic eavesdropping on everyone and everything including American citizens.  Others are appalled by Snowden’s actions and consider it nothing short of capital treason.  Those two viewpoints need not even be fundamentally in conflict – I’m sure there are folks out there who are both appalled by the NSA’s supposed activities and would like to see Snowden executed for treason.

I confess that, on the first point – the extent of the data collection and the agency’s capabilities – I myself am relatively unfazed. I’ve been in the Open Source Intelligence business for almost 15 years.  Given the shock many people express at what I could find out about them with nothing but a laptop at a Starbucks, I just can’t be wowed by what must be possible for a huge entity with a mania for secrecy, almost no oversight and an 11-digit budget.  The Echelon, or “Big Ear” controversy of the late 1990s(!) outed many of these supposed capabilities, and anyone who has even flipped through a James Bamford book would probably be slightly less bewildered at the ability (though perhaps not at the willingness) of NSA to do the things alleged. Anyway, wherever you stand on the particulars of the Snowden case, this article in the Guardian (which originally broke the story in an earlier piece) illustrates exactly the kind of world I have been trying to noodle over with this blog.  Here’s the “can’t anybody keep a secret any more?!” meme hat trick for this one little Web page.  Ready….

1. The NSA – The most obvious.  If you take him at his word, “The NSA has built an infrastructure that allows it to intercept almost everything. With this capability, the vast majority of human communications are automatically ingested without targeting. If I wanted to see your emails or your wife’s phone, all I have to do is use intercepts. I can get your emails, passwords, phone records, credit cards… The extent of their capabilities is horrifying.”  While we can argue the legal and moral issues, as a technological matter, this hardly should be a shocker given that we live in a world where your department store can tell when you’re pregnant (even if your parents can’t yet).   So – Level 1: John Q. Public can’t really keep a secret in the digital world.  Almost anything you say, send or type outside a locked, airtight room can be captured, analyzed and recorded if someone deems you interesting enough. 

2. Edward Snowden – So the NSA is, by its very nature, ultra-secretive, institutionally paranoid and famously tight lipped (Jim Bamford’s books notwithstanding). Yet every organization is made up of people, and like any group of the NSA’s estimated 40,000 employees, they will hold a diversity of views.  Now by all accounts to date, Snowden was a patriotic, smart kid who joined the Army Reserve and worked for the CIA.  He obviously had been scrutinized, checked out and picked apart.  You don’t get to play inside The Puzzle Palace if you’re an anti-government radical.  Yet what Snowden saw working as an NSA contractor motivated him to leak, speak, and flee the country.  Level 2?  For all the supposedly terrifying ability to spy that Snowden witnessed, one insider with a moral objection meant they couldn’t keep their secrets secret either.

3. The guys at the airport – My absolute favorite (and why I found this page so delicious).  So in this sometimes-bizarre corner of the world here inside the DC beltway, it is not at all uncommon for lots of people with plastic ID badges on lanyards to be overheard talking about the sorts of things that, in most of the country, would seem at home only in a Tom Clancy novel.  You can walk through certain shopping mall food courts at lunch and hear phrases like “I’m cleared up the wazoo – TS-SCI with lifestyle poly plus some special stuff” or “sure, anybody can read a license plate from outer space, but we can do it at night!”.

Like cars in Lansing or Dearborn, surveillance and Intelligence and secret-squirrel military programs are just kind of the local business, and this is a factory town.  A lot of people here take this stuff veeeery seriously.  So it is not entirely remarkable when the guys at the bottom of the page opine that Snowden, that dirty, rotten, no-good treasonous so-and-so ought to be “disappeared”.  The part I love so much was the extreme low-tech surveillance system that outed their conversation.  They said it out loud and in public, and a “Little Ear” (you know, the biological one attached to the guy sitting across from them) in the airport captured it.  He then used a few hundred bucks worth of smartphone to record part of the conversation and Tweeted about it to the whole world.

So, quis custodiet ipsos custodes?   Apparently any employee with a conscience or every jackass with a cell phone.  I think that’s probably reassuring, but I have to think some more about it.  The world really is full of dangerous people who hate us.  Meanwhile – my own personal take on the Snowden thing?  (I’m speaking technologically here, I leave the constitutional and legal questions for others to debate.)  IF you matter enough to someone, there are no secrets.  Most of us just enjoy security through obscurity.  The only reason our privacy is safe for most of us is we’re utterly uninteresting.  You may not like it, but information and technology are inextricably linked.  The capability to do what NSA does can’t be uninvented.  We can do it… so can other countries. We can only decide as a society whether we can strike the appropriate balance between protecting ourselves from those without and those within.

SCAM ALERT: Justin Bieber emails part of malware spreading over Facebook

Kaspersky Lab researcher Sergey Golovanov has a detailed post this morning about the LilyJade worm, a technologically fascinating bit of naughtiness that is spreading via messages about teen pop star Justin Bieber (though of course the content of the messages will change constantly).  For users, all you need to know is, as always:

1.  Don’t trust messages, click on links or open attachments from anyone you don’t know.

2. Even if it’s from someone you do know, if the message seems generic, is totally off any topic you care about or seems out of character for the sender, same rules apply.  Their account may have been compromised.

3. If the message seems like it actually might be important, reach out to that person via an alternate channel, e.g. a phone call, a text, or an email to another account.  You may just make them aware of the fact that their account is compromised and they didn’t know it.

4. Hover your mouse over all links in emails and see if the visible link and the underlying actual destination agree.  If they don’t, don’t click the deceptively labeled link.

5.  Never respond to online requests for personal information, passwords, login credentials or financial data except on a reputable web site you trust (e.g. Amazon, Zappos, eBay) where you TYPED IN THE ADDRESS YOURSELF.
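Rule 4 above is the one that can be automated: the “hover and compare” check is just a comparison of what the link says against where it really goes. The script below is an added example (not code from the original post or from Kaspersky) that parses the HTML body of a message, pairs each link’s visible text with its real destination, and flags anchors whose label looks like a URL or hostname that disagrees with the actual host, plus the old `user@host` trick where the “real” site is hidden in the userinfo part of the URL. The sample message, hostnames and function names are all constructed for this example.

```python
"""Automated version of the "hover over the link and compare" check.

Added example, not from the original post. Parses the HTML body of a
message, pairs each <a href> with its visible text, and flags anchors whose
label looks like a URL or hostname that does not match the real destination
host, or whose URL hides the real host behind user@host userinfo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that "looks like" a link: an optional scheme, a dotted hostname,
# and optionally a path/port/query after it.
LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$", re.I
)


class AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(link):
    """Lowercase hostname of an http(s) URL or bare hostname; '' if there is none."""
    parts = urlsplit(link)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return ""  # mailto:, tel:, javascript: -- no web host to compare
    if not parts.scheme:
        parts = urlsplit("http://" + link)  # bare "www.example.com/..." label
    return (parts.hostname or "").lower()


def suspicious_links(html):
    """Return [(visible_text, href, reason)] for anchors that fail the hover check."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        real_host = host_of(href)
        if not real_host:
            continue  # mailto:, relative links, etc.: nothing to compare against
        if LOOKS_LIKE_URL.match(text):
            shown_host = host_of(text)
            if shown_host != real_host:
                findings.append(
                    (text, href, f"label says {shown_host}, link goes to {real_host}")
                )
        if "@" in urlsplit(href).netloc:
            findings.append((text, href, "userinfo before the real host (user@host trick)"))
    return findings


# Constructed sample message body; the hostnames are made up for this example.
SAMPLE_EMAIL = """<p>Your account needs verification.</p>
<a href="http://www.paypa1-secure.example/login">https://www.paypal.com/</a>
<a href="https://www.paypal.com/">www.paypal.com</a>
<a href="http://tracking.example/abc">Click here</a>
<a href="http://www.paypal.com@evil.example/">www.paypal.com</a>
<a href="mailto:help@example.org">help@example.org</a>
"""

if __name__ == "__main__":
    for label, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{label}' -> {href}: {reason}")
```

Note what the check deliberately does not do: a generic label like “Click here” is not compared, because there is nothing to compare it to, which is exactly why the human rule 4 still matters for those links. Look-alike hosts (the digit 1 for the letter l above) are caught only because the label and the destination differ; a lure whose label is also the fake host passes this test and has to be caught by rule 5 instead.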

For the really nerdy among you, who care about “cross-platform browser vulnerabilities” or like reading code on a command line (dorks), the Kaspersky post is pretty interesting and detailed.

The Insider Threat: Medicaid employee emails self PII on 220,000 people

Returning for a moment to another core focus of this blog (i.e. the “Data Like Digital Water” meme), I came across this – as yet anyway – little publicized data breach.

I know there are severe limits on firewall and gateway rulesets, and Data Loss Prevention systems aren’t perfect, and there are lots of subtle and technically advanced ways to exfiltrate data (ICMP tunnel anyone?) and all, but can we not agree that anyone with access to a quarter million people’s PII should have to work a little harder than “”?

It’s OK though, because the data that was lost apparently included their names and their Medicaid ID numbers.

I mean it’s not like it was their Social Security Numbers or anything. Oh… wait… what’s that? Oh, wait… I was wrong, their Medicaid ID numbers ARE their social security numbers.  Oh, ok.  Well that’s helpful.

I’m thinking Phishing reports in SC are maybe gonna take a jump soon?



Well it’s nice to know our adversaries are just workin’ stiffs like the rest of us.

I happened across this in a deck from Bit9 Security from this week’s TechSecurity Conference, and just thought this was too good not to share.  It’s a timeline pattern for the attacks the guys at Bit9 see and detect.  I think it pretty much speaks for itself.  Awesome.

[Image: Bit9 attack timeline]

(The deck’s a good read by the way.  Well OK it’s a good read if you’re the type of nerd who’s into this stuff.)

Scammers Invoke “No Such Agency” in latest spear phish

Finally! I can post a quick update without my usual “opinions are my own, this has nothing to do with my job” etc. disclaimer.

This actually DID come out of my workaday life, but I thought I’d share it here too.  We just posted on the Cyveillance blog about a new phishing attack that invokes both the NSA and the recent punking of RSA’s ubiquitous two-factor authentication tokens.  What I like about this one is it is a nearly perfect example of what Terry Gudaitis, James Carnall and I have been teaching in our Cyber Safety courses for years now.

Going back to On Rhetoric, my man Aristotle basically codified three ways you can manipulate people into doing what you want.  He called them Ethos, Pathos and Logos.  Given the head-tilt-blank-stare one usually gets referencing the classics these days, we now put them on slides as “invoking authority”, “leveraging emotions” and “manipulating verifiable facts or logic” to get someone to do what you want.  When you do it over a phone or computer, it’s called Social Engineering and it’s what I spend most of my days thinking about.

I like this particular example (and by like I mean I can admire the quality of their craft while still wishing the Phishers a cold small room in a ‘pestilential prison with a life-long lock’) because it so artfully blends these three levers of manipulation and as such is a nice representation of how deeply spear-phishers understand the psychology of social engineering users.

It invokes the authority of a respected and mysterious government agency (Ethos), it uses fear of being hacked or getting “in trouble” at work to prompt action (Pathos), and it takes advantage of current events in the form of the widely reported (i.e. verifiable fact) and recent RSA token hack (Logos).  This is a potent cocktail of logic, emotion and authority to manipulate the user into a desired action, and is typical of today’s advanced Phishers.

See the full post and a picture of the bogus message at:


“Vampire Penetration” – Spear Phish + Payload Attack Targets Senior Defence Official

I speak, present and write about this phenomenon so often in my day job, I was utterly surprised to find that, trolling back over my personal blog, I’d never actually covered this topic.  It’s practically my favorite.  (Sad but true.)  So as I have briefed many times in my professional capacity, here’s my take on the modern Cyber attack.

Do geeks still hack routers and crack passwords?  Sure.

Do nerdy expert types manage to tunnel into secret stuff by technical wizardry?  All the time.

But in my mind, the “modern high-end Cyber attack” is all about penetration by manipulation, i.e. social engineering the user.  It’s axiomatic in the IT security business that people are the weakest part of the chain, or, as a hacker acquaintance of mine said it (perhaps a bit unapologetically) on his T shirt recently, “There’s no Patch Tuesday for Stupid”.

All the security in the world is of no use if the person with permission to circumvent it can be conned into allowing the attacker in voluntarily.  It’s what I like to call a “Vampire Penetration”.  You’re totally safe from attack inside your house until you yourself invite the bloodsucker in. So what does such a thing look like in practice?

Well, let’s do a quick review.  Traditional Phishing generally consists of manipulating the user into voluntarily giving up some valuable datum – some tidbit or password, e.g. “Your card has expired and so your PayPal account needs updating” or the like.  “Here’s my Visa card” says User Bob.

Malware-Phishing gets longer-term access to the user’s machine by manipulating the user into downloading malicious code, e.g. a keylogger that records and sends the criminal ALL logins and passwords.  The lure is something like “To watch this porno video, you need to download this special CODEC for Windows Media Player”.   Clickety-click goes User Bob.

Spear Phishing is a lot scarier than these.  It doesn’t spam or ensnare whoever happens by.  It targets someone specific based on their title, place of work or functional role.  For example, as early as 2000 or so, AOL employees began getting emails that referenced specific internal systems known only to employees and were designed to trick them into giving outsiders access to company data.  Only AOL employees received these emails.

And the modern, high-end Cyber attack?  Take this to its logical extreme.  Someone sees you, meets you, finds your business card or trolls Facebook, LinkedIn, Twitter or the newspapers to find a target of interest.  Someone very specific with access to data they want.  They research the individual and find completely personalized angles of attack and manipulation, then send hand-crafted messages designed to penetrate a company or agency at the very highest levels, often targeting the “crown jewels” of whatever that entity has in terms of data.

Sounds a bit paranoid doesn’t it?  Here are a few fun examples:

Oil company executives targeted in booby-trapped emails – What’s interesting about this is what was taken, something called “bid data” which details the size and location of reserves.  Kind of important stuff if you’re in the oil business I’d guess.

Want something scarier?  Ok, forget money, what about when they come after something even more upsetting, like defense information?

And the so-called “Google Hack”, or now-infamous “Operation Aurora” as it is also known among the nerd herd?  It successfully hit more than 30 of the leading lights of the American tech industry, stealing source code and other intellectual property, the “crown jewels” of an industry based entirely on Intellectual Property.  And how did they do it?  They researched individual employees, then attacked them via their social networks and friends.

So today’s item is really just another example of something that has been going on for years.  What made this one interesting was that it wasn’t just employees at a certain firm or even a small cadre of executives.  This story highlights a hand-crafted attack targeting a single, high profile Ministry of Defence official.  (Yes I know I spelled it in British, call me quirky.)

“Foreign spies targeted a senior British defence official in a sophisticated spear phishing operation that aimed to steal military secrets. The plan was foiled last year when the official became suspicious of an email she received from a contact she had met at a conference…” Read More

Disclaimer: The views expressed on this blog are mine alone, and do not represent the views, policies or positions of Cyveillance, Inc. or its parent, QinetiQ-North America.  I speak here only for myself and no postings made on this blog should be interpreted as communications by, for or on behalf of, Cyveillance (though I may occasionally plug the extremely cool work we do and the fascinating, if occasionally frightening, research we openly publish.)
