Advertisement
Guest User

Th3j35t3r vs Th3m4dh4t3r5

a guest
Jul 6th, 2012
841
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. In 2005 a red team DHS information technology conference is held at Sandia National Laboratories in New Mexico. On the agenda are topics such as :
  2. How To Optimally Interdict a Belligerent Project to Develop a Nuclear Weapon (STUXNET, FLAME),
  3. Speaker : Prof Gerald Brown
  4. Operations Research Department
  5. Naval Post Graduate School
  6. Other Topics :
  7. Anatomy of a real SCADA attack (Tornado Sirens?)
  8. Mission/Capability: Control Systems Security and Test Center (CSSTC)
  9. Mission/Capability: Sandia Center for SCADA Security
  10. Army Penetration Testing and Exploitation program: Certification and
  11. Attack Environment & Tools and as an honorable mention...
  12.  
  13. Project Looking Glass
  14. Beth Ahern
  15. Homeland Securities and Information Technologies Depart
  16. The Mitre Corporation
  17. http://www.sandia.gov/redteam2005/050324-redteam2005-notice3.pdf
  18.  
  19. In 2007 The Mitre Corporation had another symposium :
  20. http://www.mors.org/UserFiles/file/meetings/07ti/christensen.pdf
  21. where the 'hacker threat' is discussed, more specifically "Our reliance on networks and
  22. information coupled with the
  23. “flattening” effect of networks,
  24. readily available attack tools,
  25. attack tool development kits, and
  26. knowledge gives each of these
  27. threat actors power
  28. disproportionate to their size and
  29. resources"
  30. Today
  31. – Motivation - money, political
  32. – Cast of thousands
  33. Capabilities range from unsophisticated to sophisticated
  34. – Unsophisticated (script kiddies) – can only use existing tools and exploits
  35. – Sophisticated - able to modify existing tools and code own exploits
  36.  
  37. "TheGrifters was a members-only "carding" site that the FBI
  38. launched in December 2003. The goal of the site was to attract
  39. identity and bank thieves. It was the kind of site authorities called
  40. a "build it and they will come" site. And they did. By mid-2004 the
  41. site was crawling with thieves trafficking in fake IDs, stolen credit
  42. card numbers, card-embossing equipment and ATM skimmers
  43. that capture data on a debit card's magnetic stripe so criminals
  44. can encode it on blank cards and drain an account. TheGrifters
  45. was a successful crime hub in a crowded field, competing with
  46. other sites like Shadowcrew, CarderPlanet and DarkProfits to
  47. attract the biggest criminals"
  48.  
  49. ("Authorities arrested him after he met up with an undercover FBI agent that posed as a “fellow carder.” Instead of receiving counterfeit credit cards, the hacker got a pair of shiny handcuffs.The FBI also seized ugnazi.com and the carders.org carding forum, believed to be founded by Islam.")
  50.  
  51. "Jihadists Publish Cyber Security Magazine
  52. Posted Tuesday, November 28, 2006
  53. The first issue of what is indicated to be a periodic magazine,
  54. “Technical Mujahid”"
  55. "How Hizballah Hijacks the Internet
  56. Posted Tuesday, Aug. 08, 2006
  57. What do a small south Texas cable company, a suburban Virginia cable provider and Web-hosting
  58. servers in Delhi, Montreal, Brooklyn and New Jersey have in common"
  59.  
  60. Just for shits and giggles, let's also throw in :
  61. http://www.fas.org/irp/congress/2004_hr/032504ellis.pdf
  62. as further examples of making use of irregular I/O cyber warfare units.
  63.  
  64. Now on to the use of apps and other tools...
  65.  
  66. http://blog.watchfire.com/wfblog/2011/11/through-the-looking-glass.html
  67. Describes a 'glass door' tool designed by Israeli programers for IBM Security. It's called APP SCAN.
  68. http://publibfp.boulder.ibm.com/epubs/pdf/i1186990.pdf
  69. This is it's quick start guide.
  70. http://blog.watchfire.com/wfblog/2012/07/announcing-xss-analyzer.html
  71. The description of a feature that automates exploit scanning.
  72. 'An exploit that works in one context may not work in another, so it is very important to get it absolutely right. We've classified about 1000 different unique contexts. Each context requires its own special handling, its own set of rules.
  73. Once reflection context has been established, XSS Analyzer moves on to find an exploit that is uniquely suited to this context.
  74. 2. Learning and Defeating Server Defenses'
  75. (“The hook code, by the way, can also be injected using XSS...")
  76.  
  77. ftp://public.dhe.ibm.com/common/ssi/ecm/en/raw14252usen/RAW14252USEN.PDF
  78. Describes how a scan of everday use sites showed widespread issues which could allow malicious
  79. "hackers to perform attacks such as:
  80. ● Infect users of these sites with Malware and viruses.
  81. ● Hijack users’ web sessions and perform actions on their
  82. behalf.
  83. ● Perform Phishing attacks on users of these sites.
  84. ● Spoof web contents...
  85. ("The program is made of 12 “pretty nasty” modules with names such as Activate Device Microphone, Browse Target Filesystem, Hijack Current Facebook Session, and Seize Webcam")
  86.  
  87. as a result of using
  88. third party JavaScript code such as:
  89. ● Marketing campaign JavaScript snippets.
  90. ● Flash embedding JavaScript snippets.
  91. ● Deep linking JavaScript libraries for Adobe® Flash and
  92. AJAX applications.
  93. ● Social networking JavaScript snippets."
  94. ("...any vulnerable 3rd party website, so the target doen’t even have to hit one of my ‘bait boxes’,”)
  95.  
  96. Combine this tool with 'BEEF' and voila. Project Looking Glass is born. If I had to guess it's more from the Israeli's than J.
  97.  
  98. It's especially interesting if you consider dpm.demdex.net, which is a cookie tracker, and that
  99. 'Demdex’s platform will be available through the Online Marketing Suite of tools, composed largely of website analytics and optimisation software acquired by Adobe via the takeover of Omniture in 2009.'
  100. I admit this part is a reach but here are the names of a few demdex servers : Tremor.demdex.net, monster.demdex.net, cam.demdex.net, etc. I suspect that these 'web analytic' services have been hijacked and are leaving little exploits for us 'marks' to 'stumble upon' so our anonymity will be a thing of the past. Just a hunch.
  101. ("Project Looking Glass has been running for months now, and not without success as we have seen. There’s nothing you can do about it, as you have no idea how many hook code snippets are out there, where they are or indeed whether or not you have already accidentally stumbled through the looking glass.” )
Advertisement
Advertisement
Advertisement
RAW Paste Data Copied
Advertisement