Red Teams

Trek - Behind the scenes | GORUCK news

Wed, 30 May 2012 11:08:29 -0400

Trek - Behind the scenes | GORUCK news:

Yes, I was there. No I won’t talk about it and I am not featured on any picture.

(on the picture above… I learned a lesson there)

(some things are payed with other currency…)

GORUCK Trek. You don’t know. Designed by spies and...

Tue, 29 May 2012 12:38:00 -0400

GORUCK Trek. You don’t know.

Designed by spies and operators, Trek is part CIA, part Special Forces.

Green Berets serving as combat advisors teach Trekkers the fundamentals of how America’s best operate in some of the world’s most austere urban and rural environments. Situations develop quickly, and your teams are forced to make choices, quickly.

Sleep deprivation, physical exhaustion, and operational tempo mimic a real world scenario that develops from Trek to Trek. 36 Hours +

Been there. It’s all that and more. Trek kicks your behind. It’s intense, fast and in your face.
It’s not for everyone. But then again, I was never there.

"Lessons from Trek 002 - everybody’s got a plan until they get punched in the mouth."

Tue, 29 May 2012 12:36:05 -0400

“Lessons from Trek 002 - everybody’s got a plan until they get punched in the mouth.”

- An unidentified source.

Spy agency seeks cyber-ops curriculum | Reuters

Thu, 24 May 2012 11:10:16 -0400

Spy agency seeks cyber-ops curriculum | Reuters:

The National Security Agency is trying to expand U.S. cyber expertise needed for secret intelligence operations against adversaries on computer networks through a new cyber-ops program at selected universities.

The cyber-ops curriculum is geared to providing the basic education for jobs in intelligence, military and law enforcement that are so secret they will only be revealed to some students and faculty, who need to pass security clearance requirements, during special summer seminars offered by NSA.

It is not easy to find the right people for cyber operations because the slice of the hacker community that would make a quality cyber operator inside the government is only a sliver.

I like this. However I would look outside the academic world and into the real world. People with experience, people that have been there and done that, and people that have also a background in special or black ops. (hint, hint…)

The article is interesting and it is good to see that something is being done.

"If someone walks up to you on the street and hits you with a lead pipe, you know you were hit in the..."

Thu, 24 May 2012 09:30:02 -0400

“If someone walks up to you on the street and hits you with a lead pipe, you know you were hit in the head with a lead pipe,” Kaminsky says. “Computer security has none of that knowing you were hit in the head with a lead pipe”

- Everyone Has Been Hacked. Now What?

Over there...

Mon, 21 May 2012 10:51:42 -0400

You know that undisclosed place I always go? Well, I am not there. I am somewhere else.

Comparing IEDs and Digital Threats | Richard Bejtlich

Mon, 21 May 2012 10:45:05 -0400

Comparing IEDs and Digital Threats | Richard Bejtlich:

Two weeks ago Vago Muradian from This Week in Defense News interviewed Army Lt Gen Michael Barbero, commander of the Joint IED Defeat Organization. I was struck by the similarities between the problems his command handles regarding improvised explosive devices (IEDs) and those involving digital security professionals.

A great post by Richard Bejtlich. He lists the similar points as follow:

The threat “shares information globally,” and engages in an “arms race” with defenders, sometimes by “sitting in front of a computer” devising the latest tools and techniques.
The adversary can introduce changes to tools and techniques in weeks and months, not years or decades as was the case with conventional or strategic weapons.
For a “meagre expenditure,” the adversary can impose “huge costs on defenders.”
The goal of the security program (i.e., JIEDDO) is to provide commanders freedom of maneuver to conduct operations (business) in an IED environment.
“If you’re worrying about the device, you’re playing defense.” Don’t focus only on the device, put pressure on the networks (of adversaries who design, build, and operate the weapons.)
Intelligence plays a key role in defeating adversaries. Winning involves applying “lethal pressure, “along with government techniques. “It takes a network to defeat a network.”
Defeating the device attracts the most attention and funding, but training users and attacking the network must also be pursued. Training involves ensuring that operators are using countermeasures effectively and appropriately.
JIEDDO shares threat intelligence in unclassified form so industry partners can devise countermeasures. The unclassified documents are backed by a classified appendix that describes how troops deploy countermeasures in operational settings.

Dead center. It is a fascinating comparison and as someone that has been around IEDs (and came out alive) and the information security world for a while I can really relate to what he is saying.

This week on the TSA...

Fri, 18 May 2012 09:33:00 -0400

This week on the TSA...:

A New Jersey airport security supervisor accused of using a murdered man’s identity to hide his illegal immigrant status apparently bought the man’s birth certificate and Social Security number from an intermediary before his death, police said Wednesday.

More details are emerging in the case of a Newark Liberty Airport security supervisor who allegedly has been using the identity of a dead man for the last 20 years.

In an audit by the TSA’s Office of Inspector General published Monday, coincidentally the day Oyewole was arrested, investigators found an example of an airport worker who held security badges for three airports - each with a different birthplace listed.

But.. you can’t bring liquids to an airport… Yeah, I feel very secure.

Damn, if the TSA can’t even run a simple background check on their employees or people doing security at the airports, what’s stopping a freaking terrorist from stealing someone else’s identity (something so amazingly easy in the US) and apply for the TSA…?

Yeah, I feel very secure.

"I have been tasked by the Human Ruling Council to ask… no… beg you to read this book and master its..."

Thu, 17 May 2012 11:17:58 -0400

“I have been tasked by the Human Ruling Council to ask… no… beg you to read this book and master its skills so you can turn the tide of history itself. In these pages, you will learn how to wield control of computer systems through writing scripts and code in a variety of the most important languages today: Python, Ruby, PowerShell, and more.”

- Ed Skoudis

From the forward from Coding For Penetration Testers. Ed gives Jason and Ryan’s book a terrific introduction. Added to my reading list, expect a review forthcoming.

(via pleb)

Leveraging OSINT for penetration testing (PDF)

Tue, 15 May 2012 19:27:04 -0400

Leveraging OSINT for penetration testing (PDF):

A great set of slides about the utilization of Open Source Intelligence (OSINT) for information gathering and as a penetration vector for pentests.

Sneak and peek kit

Tue, 15 May 2012 12:58:00 -0400

The loadout was featured in the The Loadout Room

A lot of people asked about the kit after reading the loadout post. I’m going to try to explain it better.

The Sneak and Peek kit is based on a kit we used in my old unit during reconnaissance missions or while setting a sniper urban hide. That kit also included demo cord and some other things that can’t be used by civilians, but the basic tools are all covered in this current kit.

Like I mentioned, I carry all inside a GORUCK Radio Ruck Field Pocket. The kit includes tools that would allow me to sneak into places by opening doors, cutting fences, twisting wire, etc. It also serves and an impromptu (albeit not fully stocked) SERE kit. The basic items include:

The Go Tubes contain the small gear I carry, including gear from the SERE Kit and it includes:

A can opener
2 Handcuff Keys
1 14 mm Compass
1 Folding Razor Saw
2 Handcuff Shims
1 Cord Lock with handcuff key
1 Ceramic Razor Blade
1 pair of SerePick Bogota “Titan” Entry Toolset
1 mini pry bar

Here’s the mini pry bar and the SerePick entry tools

And some of the little pieces on the SERE Kit: A handcuff key, a shim, the compass and the folding razor saw

Overall, all these tools work together very nicely. I might add stuff from time to time based on what I need but this is the base.

My Current Loadout

Tue, 15 May 2012 09:29:00 -0400

My loadout changes according to the needs of a project or operation, however I have a base loadout that is quite fixed. The gear listed below is my current base, it might change in the future but for the most part this is what I carry to work most of the time.

I carry everything inside my GORUCK Echo. The Echo is a tough little ruck that can handle most everything you throw at it and I’ve put it through some hard stuff in the past few months. It is still as good as new. Great quality, like all GORUCK products.

Inside the main compartment I carry a GORUCK Radio Ruck Field Pocket with all my basic gear (described below) and a Tactical Tailor pouch with my mini trauma / medical kit. Tactical Tailor gear is also top of the line and built to last.

On the top inside pocket of the Echo I carry a Field Notes notebook, a SureFire Pen II, a Saddleback Leather Classic Business Wallet with my calling cards, a bluetooth piece, a Photon Freedom Micro LED keychain flashlight and a bunch of USB thumbdrives with the tools I need for the red team operations. The Field Notes book is a simple and resilient notebook and it’s always useful to have around. The same going to the SureFire pen. It can be used as a glass breaker too.

On the slant pocket of the Echo I carry my earphones (the standard Apple iPhone ones) and a Hideaway Knife. That little knife is a tough mother. It can cut through anything and it’s an excellent last resource defensive tool.

Here’s all the gear out the Echo.

On the Radio Ruck Field Pocket I carry a SureFire 6PX Pro, a Leatherman Fuse, a custom Zero Tolerance 0350 knife with the Green Beret Foundation and GORUCK logos (part of the proceedings went to a donation to the Green Beret Foundation) and a couple of Go Tubes with gear (check this post to know what’s inside). I usually use the little LED photon as my light, but sometimes you need a powerful, full fledged light to do the job, that’s when the SureFire light come in handy. The knife and the Leatherman multitool get used A LOT, those are the first items out of the ruck. And the SERE picks inside the Go Tubes are very useful tools too.

The mini trauma / medical kit has the bare minimum needed to stop bleeding and other traumatic injuries. It’s by no means a full blowout kit (check the fantastic ITS Tactical ETA Kit for that), but it has me covered for the essentials. As a side note, I used this kit once a couple of years ago to save the life of a biker that crashed into a car. I managed to stop the bleeding until the ambulance came.
The contents are here.

And finally what I carry with me all the time. My Trusty GORUCK GR Tac, a Metolius mini biner with keys (as a plus side this is a full loading biner so I can use to also to rappel, climb, etc), a gen 1 RESCO Patriot watch, a Saddleback Leather Simple Wallet, a Benchmade Mini Barrage and a pair of Oakley Bottle Rocket Sunglasses.

That’s it. That’s what I carry.

Please help me support the Green Beret Foundation

Sat, 12 May 2012 08:57:39 -0400

Please help me support the Green Beret Foundation:

Read my story and help me help those that gave all if you can.

Neat trick using metasploit to run binaries from memory

Tue, 08 May 2012 14:45:34 -0400

Neat trick using metasploit to run binaries from memory:

Nice!

Using the in-memory executable technique has a few major advantages. First, the name of the file doesn’t show up in a process list so things like Task Manager will display it as whatever normal system executable you picked for the -d option. That’s pretty important for staying undetected in the presence of a watchful eye. Second, the executable never touches disk. Avoiding writing executables to disk also means forensics is a bit harder — there’s no suspicious prefetch entry for a new executable, there’s no new files or altered modification times.

Is defense even possible?

Tue, 08 May 2012 09:44:00 -0400

In the past few years we’ve seen how knowledgeable a determined attacker can be. We know targeted attacks are hard to detect: a focused adversary can roam the network and systems, undetected, well over a year and then vanished. It is hard to pick up the trail of these attacks and really understand what they did and how they did it.

There are different vulnerabilities the bad guys are exploiting. Not all technical as you might think. In a lot of cases they exploit the human factor: the willingness to help and the lack of understanding of social engineering.
A well crafted email accompanied by a phone call can provide access to a lot of places, a weaponized Word document or PDF, poorly written code that can be exploited by talking the person into browsing to a specific website. These are just some of the tricks the attackers are utilizing.
There’s also the technical side, the lack of updates on critical organization’s servers, the use of old programs (such as the horrendous IE6 or WinXP), lack of hardening, just to name a few.

It all comes down to the first foothold. Once the attackers are inside then can move freely. Mostly.

There’s a lot that can be done to make the attacker’s life harder, however can we prevent the initial break-in?

Sometimes we can. Most of the time we cannot.

Then, is it possible to mount a defense against this?

Yes.

Stay tuned for the answer.

Criminal Intent Prescreening and the Base Rate Fallacy | Bruce Schneier

Thu, 03 May 2012 11:22:52 -0400

Criminal Intent Prescreening and the Base Rate Fallacy | Bruce Schneier:

He comments about this essay. On that essay (bold letters by me):

First, predictive software of this kind is undermined by a simple statistical problem known as the false-positive paradox. Any system designed to spot terrorists before they commit an act of terrorism is, necessarily, looking for a needle in a haystack. As the adage would suggest, it turns out that this is an incredibly difficult thing to do. Here is why: let’s assume for a moment that 1 in 1,000,000 people is a terrorist about to commit a crime. Terrorists are actually probably much much more rare, or we would have a whole lot more acts of terrorism, given the daily throughput of the global transportation system. Now lets imagine the FAST algorithm correctly classifies 99.99 percent of observations — an incredibly high rate of accuracy for any big data-based predictive model. Even with this unbelievable level of accuracy, the system would still falsely accuse 99 people of being terrorists for every one terrorist it finds. Given that none of these people would have actually committed a terrorist act yet distinguishing the innocent false positives from the guilty might be a non-trivial, and invasive task.

Of course FAST has nowhere near a 99.99 percent accuracy rate. I imagine much of the work being done here is classified, but a writeup in Nature reported that the first round of field tests had a 70 percent accuracy rate. From the available material it is difficult to determine exactly what this number means. There are a couple of ways to interpret this, since both the write-up and the DHS documentation (all pdfs) are unclear. This might mean that the current iteration of FAST correctly classifies 70 percent of people it observes — which would produce false positives at an abysmal rate, given the rarity of terrorists in the population. The other way of interpreting this reported result is that FAST will call a terrorist a terrorist 70 percent of the time. This second option tells us nothing about the rate of false positives, but it would likely be quite high. In either case, it is likely that the false-positive paradox would be in full force for FAST, ensuring that any real terrorists identified are lost in a sea of falsely accused innocents.

Bruce Schneier writes:

It’s that final sentence in the first quoted paragraph that really points to how bad this idea is. If FAST determines you are guilty of a crime you have not yet committed, how do you exonerate yourself?

Good question. I wrote about something similar to this on an upcoming article in SOFREP. These kind of algorithms cause more problems than they solve. You can’t just predict based on numbers who is going to be a terrorist or not; you have to get people involved. you have to observe the person, gather info, analyse the patters.

Patters, remember that word.

"We should not be prepared for yesterday’s wars, for yesterday’s technology and for..."

Wed, 02 May 2012 11:47:00 -0400

“We should not be prepared for yesterday’s wars, for yesterday’s technology and for yesterday’s methods. We should prepare for what’s coming next. Intelligence gathering, data analysis and a better, deeper understanding of the human element on wars, on attacks and on breaches is the way to go if we want to be better prepared for the next attack.”

- Me.

(Uri)

Two papers, one subject: Intelligence-Driven Security

Wed, 02 May 2012 11:20:00 -0400

RSA’s Getting Ahead of Advanced Threats: Achieving Intelligence-driven Information Security (PDF)

Lockheed Martin Corporation’s Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (PDF)

Hi Uri; what do you think about the message in the xkcd comic "Password Strength" (comes up on google)? Is an easier-to-remember, longer password better than a shorter, more "complex" password? Do attackers have the ability to determine if they have pieces (e.g. a word or parts of a phrase) of a password correct? Having several complex passwords for every site that requires registration is a pain in the neck.

Wed, 02 May 2012 05:08:00 -0400

There are two ways go about bruteforcing passwords: randomly trying each variation or using a dictionary.
Any knowledge you can get about the passwords will make your life easier since you can fine tune your attack. If you don’t know anything about the length, the charset used or even if it needs to be a combination between a password and a token then you’ll be forced to try every combination or word in your dictionary, short or long. On the other hand if you know the length it will reduce the amount of tries, if you know the charset (only letters and numbers allowed for example) will make your odds better.
There is not in between state, it’s not like in the movies where you have a password “breaker” with running numbers and you can see them appear one by one. Having said that, there are very sophisticated bruteforce attacks out there.

I do believe that a good passphrase (i.e. “my name is Inigo Montoya”) is better than a complex short password (i.e. “y5j#6%*>hdjd”).

Mandiant: Threat Landscape. Fantastic iconographic.

Mon, 30 Apr 2012 13:30:25 -0400

Mandiant: Threat Landscape.

Fantastic iconographic.