A Psycho Analysis of Jericho

The epic box-o-shit. I don’t know where the tradition started but it has been perfected by Jericho of Attrition.org. Beginning at least five years ago Jericho has boxed up the chotskies, leftover guinea pig fur, random bits of useless tech and whatever else he happened to have laying around and shipped them off to whoever he felt was most deserving, or whoever he felt would make the best victim. I had been waiting in anticipation (actually it was down right fear) until I received what I almost knew was coming, but it never did.

About a year ago I was at a local flea market when I spied at the bottom of a box of random crap a glass squirrel approximately eight inches high. It was depression era pressed glass, speckled with random paint drops, a few chips in the glass and a rather nasty piece of sticky green felt glued to the bottom. Somehow this disgusting piece of glass made me think of Jericho. I figured the squirrel needed a better home than the bottom of some random box full of shit. It needed to become the centerpiece of highly selected box-o-shit. I figured it was time to put my box-o-shit destiny into my own hands, time to tempt fate, time to poke the angry guinea pig with a carrot.

Glass Squirrel

The guy at the flea market wanted $20 for the squirrel with the paint spots, chipped glass and nasty sticky felt on the bottom. Not really sure what he was thinking but I managed to talk him down to $8. I took the squirrel home, scrubbed off the paint drops and the nasty felt. There wasn’t much I could do for the chips in the tail though. By now it didn’t look to bad and I was wondering if maybe I should keep it for myself, that jerk Jericho definitely did not deserve anything half as nice as this.

Instead of using shipping peanuts or those bags of air or even crushed newspapers, I instead grabbed every chotsky, random bits of useless tech and whatever else I happened to have laying around and used that for packing material. Unfortunately I was fresh out of leftover guinea pig fur.

It took Jericho three months before he even acknowledged receiving the box but he eventually wrote it up. And then I waited. I waited for the inevitable retaliation that was sure to come my way. I knew Jericho wouldn’t just let an eight-inch tall glass squirrel arrive unsolicited in the mail and do nothing about it. But I waited, Spring turned to Summer and every trip to the mailbox filled me with more and more dread, when would he strike? When would he put and end to this torture? Why oh why did I ever decide to send that jerk anything at all? I should have kept that squirrel for myself or better yet let it sit and rot in the bottom of that box of random shit at the flea market.

Finally after nearly a year of self imposed torture, of opening the mailbox each day in anticipatory fear, it arrived, a small unassuming brown box. I immediately knew right away what it was and where it was from. On the one hand I was relieved that my torment was over, but I knew I still had to open the box, I still had to pour through the contents of whatever wretched debauchery Jericho’s twisted mind decided to send me. It has taken me a while; months actually, to get up the courage to finally pull back the packing tape to reveal the contents of Jericho’s box-o-shit.

box

What I realized as I went through the contents of the box was that it wasn’t about me, it wasn’t about revenge for a glass squirrel. This box-o-shit and maybe all boxes-o-shit are glimpses into the deranged mind that is Jericho. Perhaps even a desperate cry for help that echoes from the basement he must live in deep inside the Rocky Mountains.

As you can see on the top of the box was a plastic baggy full of multi colored paper with two stick-on eye balls and labeled with the word ‘puzzle’. Obviously this is a symbol of a cracked and fractured psyche symbolized by the many pieces of different color paper cut up into small sizes. Obviously Jericho is crying out for someone to put his poor soul back together again.

open box

Beneath the puzzle was a collection of magazine subscription cards, which at first glance might seem like nothing more than filler for the box. However, after sorting the cards and conducting a frequency analysis on the represented publications it is clear that these cards are yet another look into at the enigma that is Jericho. While it is well known that Jericho is at or below average intelligence he considers himself to be of above average intelligence. This is indicated by the large number of subscription cards to Discover and Science Today magazine. The subscription cards to Men’s Health and Psychology Today indicate that he knows that he has a problem and is looking for some sort of solution, which he hopes to find by reading these magazines. While he considers himself to technologically knowledgeable and therefore reads Wired magazine the fact that he is still subscribing to dead tree publications shows that he is in fact a Luddite. Of course anyone as mentally instable as Jericho will have deep-seated sexual frustrations as indicated by the subscriptions to Penthouse and Maxim, as well as the included Durex condom found elsewhere in the box.

cards

And while we already have enough information to determine that Jericho needs major professional help there is yet more supporting evidence within the box. A collection of Pimm’s Cup and several tequila bottle caps shows his attempts at self-medication through alcohol. The collection of self-promoting stickers shows a predilection to narcissism and the random keys, rocks, candy and fur balls shows just how schizophrenic he actually is. The collection of dinosaurs is obviously a link to his still present infantilism.

tequila

stickers

dino

Unfortunately I only do psycho analysis and perpetrator profiling as a hobby, as such there are still a few items in this box-o-shit that I have been unable to apply towards the subject Jericho. A Honda emblem? A Slinky Jr? An Elevation of privilege card game? And who inside the United States under the age of sixty has a copy of a Susan Boyle CD? (I guess I do now.) I am sure with proper analysis these items will also provide valuable insight into the deranged and demented mind of Jericho.

Susan Boyle

demented yellow squirrel

Then They Came For Me…

First they came for Jackson,
and I didn’t speak out because I didn’t play D&D.

Then they came for Neidorf,
and I didn’t speak out because I trusted the phone company.

Then they came for Mitnick,
and I didn’t speak out because I thought the government was telling the truth.

Then they came for Watt,
and I didn’t speak up because I believed the prosecution.

Then they came for Swartz,
and I didn’t speak out because I never used JSTOR.

Then they came for me,
and there was no one left to speak for me.

Anatomy of Hype

Lets see if I can break this down chronologically.

On July 12, 2012 a third party marketing firm hired by Verizon had a large database of Verizon user information ‘copied’. Verizon claims the incident was reported to authorities but no breach actually happened.

This statement from Verizon raises several questions. 1. Why did a 3rd party marketing firm have possession of this data which contained much more than just names and addresses. 2. How exactly was the data copied and 3. If there was no breach why were the authorities involved?

On Friday December 21st a twitter user with the handle @TibitXimer (since removed) posts to Twitter and Pastebin that he was in possession of 3 million leaked accounts including plaintext passwords of Verizon Wireless customers. ZDNet publishes an ‘exclusive’ Exclusive: Hacker nabs 3m Verizon customer records (title has since been changed) covering the supposed breach. Of course the original story had no comment from Verizon or any verification of the data.

With a little digging around I find the link to the original Pastebin post by @TibitXimer and his link to the data. A link that goes to a pay for download site. I thought that was a little odd and wasn’t about to pay to download a breach database. After making a few posts to Twitter I got a sample of the data.

I could tell right away that it was not Verizon Wireless data and it looked to me like possibly Verizon FiOS data. I also did not see any passwords, plaintext or otherwise. After sharing the data with some other security people we decided pretty quickly amongst ourselves that the data was very similar to some other data that had been floating around the net for a few months.

After attempting to get a response from @TibitXimer via twitter to confirm this new information his twitter account, pastebin link and download link all quickly disappeared.

By Saturday December 22nd Forbes writes an article Verizon Denies Hacker Leaked 300,000 Customers’ Data-UPDATE with an actual update from Verizon. ZDNet does not bother to update their article until 8:00PM EST that evening with nothing but a one-sentence denial from Verizon.

On Sunday December 23rd The Next Web seems to put all the pieces together After hacker disappears from Twitter, Verizon reveals customer data was leaked by a marketing firm and examines the
Verizon statement, the now disappeared @TibitXimer twitter feed and the statements from security professionals on the veracity of the data.

It is pretty obvious at this point that ZDNet has been trolled; while the results were spectacular (from a troll point of view) the troll itself was not very complicated or sophisticated. Now on Wednesday December 26th the original ZDNet story still stands with a one-sentence disclaimer from Verizon and a brief mention that the pastebin link no longer works. However, the still posted story makes no mention of the incorrectness of the data, its original source, its apparent age, the disappearance of the original poster and still alludes that this is a new Verizon breech.

I reached out to Charlie Osborne @ZDNetCharlie, the first name on the byline of the story, and asked if the story would be updated. She said that despite being listed first on the story she was not the lead contributor and therefore had no way to make edits. I’m not really sure I understand this, if my name was on the story I would want to make sure it was correct and would be calling my editor immediately even if it meant waking him up. I guess some people don’t care what their name gets attached to.

I shouldn’t be surprised at this as ZDnet has gotten rid of or lost all of their seasoned reporters. Charlie Osborne seems to have only recently begun writing technology after graduating with a medical anthropology degree. Zack Whittaker, who I presume is the lead contributor to the story hasn’t responded to my tweets asking for an update. He to has only recently started his writing career and it would appear that most of his stories lately have been centered on smartphones.

While I understand that new reporters need to start somewhere I would hope that ZDNet would have seasoned editors in place that would force fact checking, verification and confirmation of a story before publishing. Leaving a story such as this to fester on their website reflects poorly not just on ZDNet but on the InfoSec industry as a whole, not to mention the damage that it is doing to Verizon.

The excuse that it is Christmas does not fly; a news website has a responsibility to the public to publish accurate and timely information. There is no excuse in this modern age not to update stories with new information as it becomes available. ZDNet did update this story, twice, but the information they provided was inadequate and is now outdated.

I ask ZDNet to either completely rewrite the story on their site to reflect the currently known facts or to remove it altogether.

For those of you who have seen my talk ‘Media Hype in the Information Security Industry’ you should recognize that this is just another example of a big hack that never really happened. Unfortunately it will not be the last.

LATE UPDATE: It looks like I wasn’t the only one to notice the sloppy reporting at ZDNet on this story. Dissent at the Dataloss DB has published Fool us once, shame on you. Fool us twice, we implement policies!

Hackers and Media Hype or Big Hacks That Never Really Happened

I have been giving my talk “Hackers and Media Hype or Big Hacks That Never Really Happened” for a few months now and I think it is time to retire it. You may have seen it at Shmoocon Epilogue, Source Boston or Hope 9. If not catch the video below. I also have the entire slide deck available including the bibliography if anyone is looking to check sources.

Here is the slide deck MediaHypeinInfoSec2012_HOPE.pptx

FUD can Sometimes be Useful

There has been a story making the rounds the last few weeks that is really bugging me. I was going to let it slide but the story just won’t die and every time it comes around again I just get angrier. The problem is I don’t think the story is actually true, which wouldn’t be that big a deal if I could actually prove it wasn’t true but in this case its just a feeling, I have no proof, not even a preponderance of evidence, just a feeling.

The story is sort of infosec related and deals with the geotagging of photos uploaded to social media sites. This is a very real concern for people like the US Army who usually don’t want it known where high value targets like say, oh, AH-64 Apache helicopters might be parked. The problem I have is that I seriously doubt the scenario as presented by Steve Warren, deputy G2 for the Maneuver Center of Excellence actually happened.

“Warren cited a real-world example from 2007. When a new fleet of helicopters arrived with an aviation unit at a base in Iraq, some Soldiers took pictures on the flight line, he said. From the photos that were uploaded to the Internet, the enemy was able to determine the exact location of the helicopters inside the compound and conduct a mortar attack, destroying four of the AH-64 Apaches.”

There are just so many things wrong with this story as it is presented to make it believable to me. Is it possible? Absolutely. Is it a real security concern? Most definitely. But did it really happen? I don’t think so.

First lets try to imagine how the US Army determined that the enemy downloaded the photos and extracted the GPS location in order to lob mortars at the helicopters. How did the Army find that out? Did they enemy carry a sign past the airbase front gate saying “Hey, grabbed your FaceBook pics HA! HA!” Did they capture an enemy combatant and water-board it out of him? Did they recover a laptop with a bunch of photos and map coordinates? Why are we only hearing about it five! years after happened? How did the Army determine how the enemy got the information? That part is never explained.

Lets look at a second more plausible explanation, assuming that helicopters actually did get blown up. A fleet of UH-64s are not easy to hide. If you’re a Iraqi sitting in your house eating your hummus and pita bread and you’re hear a fleet of UH-64s fly over head your gonna notice it. You put down the pita and look out the window to see the helicopters flying off to the nearby US Army base. Then you call your buddies, grab your motor tube and go have some fun. To me this makes a lot more sense than randomly grabbing pictures off FaceBook.

So if this is really a made up story why did the US Army release it? I suspect they know they have a very real problem of soldiers uploading geotagged photos to social media sites. They tried banning Facebook and other sites before and that didn’t work. And actually the military needs social media for morale reasons. The number one morale booster when I was in the service was mail, or more accurately communication home to family and loved ones and with todays military that communication happens over the Internet and with social media. We cannot turn it off. So you have to do the next best thing, educate the users/soldiers/sailors/airmen/marines not to post stupid stuff that will compromise your military situation. Loose lips sink ships, or in this case geotaged photos blow up helicopters (doesn’t really have the same ring to it.) Based on my own experience with educating users I suspect they have met with only limited success.

So this story of UH-64s being bombed via Facebook makes a perfect urban/military legend. To people in the military it does not matter if it was true or not the story will live on and spread and take on a life of its own. Now soldiers will double check their buddies when they take pictures because they won’t want mortors raining down on their own heads. Where training has failed peer pressure will succeed, and it gets repeated so many times it just magically become fact. Mission Accomplished.

But to those of us in infosec we need to look at this story for what it is, a possibility, not yet a reality, but something to look out for and to caution our clients against. Just remember not everything you read is true, the sky isn’t always falling but that doesn’t mean you shouldn’t pay attention.

Handle Shmandle

A lot of people ask me why I still use a handle and go by ‘Space Rogue’ instead of using my real name. Trust me it is kinda awkward to go to a respectable con like BSides, Blackhat or even RSA and introduce myself as ‘Space Rogue’. People always ask me to repeat myself as if they didn’t hear me, then they get this weird look on their face like ‘who is this crazy person?’

The original handles came about because early multi-users systems, like UNIX and BBS systems, could only handle eight character login names. So people tended to get a little creative. Those handles became intimately identifiable with the personas behind the keyboards. Most of the people I still interact with from those days I still refer to by their handle. Jeff Moss will always be DT, Chris Wysopal at Veracode will always be ‘Weld’, Joe Grand will always be Kingpin, or just KP. Not just online but in face to face meetings as well. People who know my real name still refer to me as Space, SR or even Mr. Rogue when we are together. For me handles are easier identifiers than actual names, I seldom remember a name but I almost always remember a handle.

During the L0pht years handles were important. We felt we needed them to protect us from individual lawsuits that may be filed from the companies whose security holes we were exposing at the time. We went to great lengths to protect those handles. We gave up many press opportunities because numerous journalists couldn’t get past not having a real name to pin a quote to. I figured if my handle was good enough for a Senator to read into the Congressional Record it was good enough for a newspaper quote.

Somewhere along the line most of the people I knew who were using handles switched to using their real names, usually because of a job. There aren’t many people at the top of the InfoSec world these days that still uses a handle. (Of course there a few that use ‘normal’ sounding handles, and a few whose actual names sound like handles.)

For me it comes down to keeping my day job. I tend to do infrastructure, networks, servers, that sort of thing. Big deal right? Well a lot of company’s are still afraid of the evil ‘hacker’ label. I guess they don’t feel comfortable with having a ‘hacker’ have physical access to their networks, servers and other mission critical systems. Never mind my extensive experience in the IT field or that my ‘hacker’ background probably makes me a better IT Manager than anyone else they are probably able to hire. Companies tend to freak out and pull a knee jerk reactions.

Making my real name easily associated with ‘Space Rogue’ via a Google search does not assist the job search. I have lost at least one and possibly two jobs, and who knows how many potential jobs, when someone was able to make the connection between the two identities. Now they didn’t come right out and say ‘Oh your Space Rogue you can’t work here anymore’ but it can be pretty apparent when a company is trying to get rid of you and then you find out later that they made the connection somehow.

So while a lot of people ‘in the scene’ know my real name I keep my Infosec identity as Space Rogue separate from my IRL identity and will continue to do so. At least until there is a company that is willing to see the value behind the handle. With any luck I will be able to merge the handle with the real name and become ‘John “Space Rogue” Smith’

- SR

NASA Confirms but China Denies Satellite ‘hacking’

Since I posted my previous item regarding my suspicions as to the validity of the claims of ‘interference’ with a US Government satellite there have a few more developments.

First NASA has come out and ‘confirmed’ the interference.

According to NASA PAO: “NASA experienced two suspicious events with the Terra spacecraft in the summer and fall of 2008. There was no manipulation of data, no commands successfully sent to the satellite, and no data captured. NASA notified the Department of Defense, which is responsible for investigating any attempted interference with satellite operations. While we cannot discuss additional details regarding the attempted interference, our satellite operations and associated systems and information are safe and secure.

Which if you read between the lines says absolutely nothing and denies everything. Just “two suspicious events” that caused no commands to be sent to any satellites, and no data changed or captured from a satellite. So what exactly constitutes a “suspicious event”? How the hell did we go from “suspicious event” to “OMG Hackers are controlling satellites!”?

This of course brings me right back to my original theory, that nothing of any significance actually happened, that some system got infected with malware and since that system was supposed to be air gapped and could control a satellite NASA had to inform DoD as a matter of protocol. So no satellites actually got ‘hacked’ and the cyber cold war continues as usual.

The second development is that China has denied all the accusations. Naturally. Specifically they claimed “This report is untrue and has ulterior motives. It’s not worth a comment,” which I agree with completely.

Rebuttal – “Hackers reportedly behind U.S. government satellite disruptions”

First some historical background, this is at least the third time I have seen a similar story over the last 15 years. “OMG ‘hackers’ can control a satellite”, the previous two times it turned out to be false. The first time I was one of the first people call the story suspect.

It is hard to find links that still work from 1999 but Reuters actually had to publish a retraction, if you can call it that

It reared its ugly head again a few years later and became “the second most mysterious unsolved cyber crime.” and it wasn’t even true. I have a blog post about that mess here with a some more supporting links.

I’ve seen similar stories pop up about once every five years or so, “OMG the world is gonna end, hackers control the skies, Aaarrrrggghhh!!!!” Remember the story a year or so ago where Taliban ‘hackers’ got control of a predator drone or some bullshit? When all it most likely was that they got a copy of the off the shelf control software, maybe. Never conclusively got the end of that one.

In all of these case there are similarities, blame some unknown entity, vague details and no verifiable information.

So lets look at this story. The accusation comes from some anonymous report, ok, ok, not actually anonymous but from the U.S.-China Economic and Security Review Commission. Hmmm, think they have an interest in pointing fingers? And I don’t see any actual names on the report (admittedly I haven’t looked to hard) So, first they blame China, naturally, who else you going to blame? They don’t blame kids in basements anymore, there is no profit motive in controlling satellites (well, unless you can keep control) so cyber criminals are right out, must be a nation state, and with the cyber cold war going full bore the biggest enemy is China, so lets blame them. Why not, they are just going to deny it like always.

As for specifics, they say the ‘hackers’ caused ‘interference’, WTF does that mean? Did they gain full control? Did they move the satellite from its intended orbit? Where they able to send unauthorized commands? Or did they merely ping the control systems? Maybe infected them with standard malware? Did they stand outside and try to jam the microwave signals? Just what the hell does ‘interference’ mean?

This report actually lists a suspect location for the attack, “may have used an Internet connection at the Svalbard Satellite Station in Spitsbergen, Norway”. But has anyone bothered to call anyone who works there to verify the story? Even to get a dry ‘no comment’? I haven’t seen one. Also notice the “may have” implying they don’t really know. How the hell could they not know?

I mean come on, think about it, this is a satellite installation, according their web page “the world’s largest commercial ground station with more than 31 state-of-the-art multi-mission and customer dedicated antenna systems in C-, L-, S- and X-band.” Whoa! Sounds like they know what they are doing. I would think that someone there would be able to give some sort of comment. If they are a commercial organization then letting word get out, unchallenged, that their systems got broke into and multi million dollar satellites are not under their control, sounds like there could be some liability there. Someone should be confirming the story and minimizing its impact or denying it outright. Something. No, all we have is a ‘may have’.

And lastly Satellite control systems are supposed to be air gapped, in other words not connected to the Internet. Granted there are numerous cases where the air gap got bridged, usually with a USB drive, the recent remote command center for Predators Drones being infected with malware comes to mind, so air gaps aren’t fool proof, but still you would think a breach of this magnitude would show up somewhere other than an almost unnoticed report put out by the U.S.-China Economic and Security Review Commission.

I have no facts or sources to confirm this but my theory is that the ‘interference’ was nothing more than run of the mill malware that infected the office and business systems of the Svalbard Satellite Station. One of the authors of this report got wind of it and and suddenly it becomes hackers interfere with satellites.

So, until I see some actual facts and verifiable sources I’m calling this whole story bullshit.

- Space Rogue

We would like your feedback

Getting your customers to fill out market satisfaction survey’s is all the rage these days. “We greatly appreciate your feedback ” Hey, its free demographic marketing! Its also usually ego stroking, studies show that people tend to skew their own responces to the positive side of things. Generally I don’t fill these things out at all. I just route these emails directly tot he trash bin. I don’t do free marketing research for your company. However, once in a while I get pissed off enough to waste ten minutes to fill out the survey, at least enough until I get to the comment box. (Didn’t put a comment box in your survey? Better hope all your executives have an asbestoes covered email inbox)

“You indicated that you are not very likely to recommend Verizon Business to a friend or a colleague. What can we do to improve?”

Not suck. You failed at every level, from order taking to product delivery to service connection. You failed at everything, multiple times. The only thing you can do to improve is just not suck. It isn’t really that hard. Seriously, I have never seen so much suckage, you suck at incomprehensable levels. I don’t mean to sit hear and call you names but I have never ever seen one organization just not care, about anything. This wasn’t just one bad employee, this was everyone, it was systemic within your organization. The order taker, the project lead, her boss, the implementer, the guys on the phone when I turned the circuit up, everyone. No one cared, and no one could do their job correctly the first time.

I have delt with Verizon off and on for years and years, there have always been problems. I have had dozens of circuits installed and every single one of them have had something go wrong. I expect it and I usually plan for for it. But this time, everything went wrong, order taker forgot to submit paperwork for me to sign until the last minute, the site survey was delayed by two weeks, and actually had to happen twice. Your Business unit could not talk with your Core unit. (What the hell is the differance?) You couldn’t pull cable, then you failed to connect the circuit the first time, or the second, then you forgot to send me the router you ordered for me two months prior! All the while I am attempting to get things corrected with the project manager and her boss. Basically, they didn’t care.

You have problems Verizon, deep problems. And now I am stuck with your line into my company like some grotesque festering infectous tentacle that I would rip out completely down the seven floors into your node if I could. You have your contract, you have me for three years and frankly I am so tired of fighting that now that the service is working, finally, I am too tired to change it. So yeah, you have my (companies) money Verizon, for now but as soon as this contract is up I will be switching and I will never ever EVER install another Verizon circuit ever again. I would rather install Comcast or so help me even RCN before I install another Verizon line.