How cybercriminals, leakers, State-sponsored hackers failed their opsec
The talk was given during the No Hat conference in Bergamo (Italy) https://www.nohat.it/
Streaming: https://www.youtube.com/watch?v=b64RE9cXajA
from minute 6.52.11
Slides for the 2016/2017 edition of the Data Mining and Text Mining Course at the Politecnico di Milano. The course is also part of the joint program with the University of Illinois at Chicago.
https://www.deadboltforensics.com/services/computer-forensics/ | List of major legal cases where computer forensics played an influential role in determining the outcome of the case.
The June 2016 revelations of the DNC breach by two Russia-based advanced persistent threat groups was only the beginning of a series of strategic leaks and conflicting attribution claims. In a series of “1-2 punches”, we saw attacks designed to breach the target and exfiltrate data reinforced by a campaign to leak information using mouthpieces posing as hacktivists. In this presentation we'll demonstrate techniques used to identify additional malicious infrastructure, evaluate the validity of “faketivists” like the Guccifer 2.0 persona, strengths and gaps in the attribution analysis, and how the adversary might adjust their tactics going forward.
Slides for the 2016/2017 edition of the Data Mining and Text Mining Course at the Politecnico di Milano. The course is also part of the joint program with the University of Illinois at Chicago.
https://www.deadboltforensics.com/services/computer-forensics/ | List of major legal cases where computer forensics played an influential role in determining the outcome of the case.
The June 2016 revelations of the DNC breach by two Russia-based advanced persistent threat groups was only the beginning of a series of strategic leaks and conflicting attribution claims. In a series of “1-2 punches”, we saw attacks designed to breach the target and exfiltrate data reinforced by a campaign to leak information using mouthpieces posing as hacktivists. In this presentation we'll demonstrate techniques used to identify additional malicious infrastructure, evaluate the validity of “faketivists” like the Guccifer 2.0 persona, strengths and gaps in the attribution analysis, and how the adversary might adjust their tactics going forward.
This is the talk I gave at computer security conference m0leCon2021 in Turin.
Security products are often the ideal target for those who want to attack a system by weakening it from within. From encryption equipment to VPNs, from encryption software to chips, in recent years alarms have been raised about the possible presence of backdoors or serious vulnerabilities in products meant to be safe. How can we draw the line between paranoia and reality?
A look at the methodology and techniques or hackers, cyber criminals and state sponsored attackers. Explores the kill chain, Geo political instability and the dark web.
Security Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docxacarolyn
Security Breaches and the Six Dumb Ideas
Consider a recent (2014, 2015 or 2016) security breach popular in the media. Analyze in the context of what you have learned thus far in this course.
The \"Six Dumb Ideas\" will be discussed at some point in class. You can review them here http://www.ranum.com/security/computer_security/editorials/dumb/
Requirements
You will need to write at least two paragraphs.
One paragraph needs to be devoted to your comments related to assumptions, convenience, cost and simplicity. Your viewpoint can be from either the hacker or the organization (or both).
A second paragraph needs to address the \"six dumb ideas\" as they relate to the security breach.
Minimum 500 words.
Solution
Answer:)
1. eBay went down in a blaze of embarrassment as it suffered this year’s (2014) biggest hack so far. In May, eBay revealed that hackers had managed to steal personal records of 233 million users. The hack took place between February and March, with usernames, passwords, phone numbers and physical addresses compromised.
2. 2015
Ashley Madison
Data compromised – 37 million customer records including millions of account passwords made vulnerable by a bad MD5 hash implementation
How they got in – Unclear.
How long they went undetected – Discovered July 12, 2015, undisclosed when they got in.
How they were discovered – The hackers, called the Impact Team, pushed a screen to employees’ computers on login that announced the breach.
Why it’s big – The attackers posted personal information of customers seeking extramarital affairs with other married persons, which led to embarrassment, and in two cases, possible suicides.
3. 2016
More than 32.8 million Twitter credentials have been compromised and are being offered for sale on the dark web, claims LeakedSource, a subscription-based breach notification service. But some security experts question whether the credentials are current and authentic.LeakedSource claims that the data leak stems from malware infecting users\' devices, \"and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter.\"
The \"proof for this explanation,\" LeakedSource says, is:
.
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!ThreatConnect
On June 15, 2016, Crowdstrike, published a blog article detailing the breach of the Democratic National Committee (DNC) by two Russia-based threat groups. ThreatConnect, using the Crowdstrike blog article as a basis, conducted further research into the DNC breach and discovered additional findings and also challenged Guccifer 2.0’s claimed attribution for the DNC breach.
See how the ThreatConnect research team was able to build off the work of others to add its own observations gleaned from analyzing the metadata on Guccifer 2.0’s released files and other discoveries.
5 biggest cyber attacks and most famous hackersRoman Antonov
A computer hacker is a computer expert who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means.
This session gives you real-life insights and examples of the most ridiculous cyber-attacks and the smartest cyber-crimes that have occurred over the last 30 years. Each director from CSP tell their own personal stories from working in the industry and from past clients, about the strangest and funniest cyber-crimes they have come across.
Yes, these examples are a laugh, but they also raise awareness of how easy it could be to fall victim to these cyber criminals and their attempts. So, we will be discussing how to protect your business also, and be more aware of their tell-tale signs and attempts to disrupt your business.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
This is the talk I gave at computer security conference m0leCon2021 in Turin.
Security products are often the ideal target for those who want to attack a system by weakening it from within. From encryption equipment to VPNs, from encryption software to chips, in recent years alarms have been raised about the possible presence of backdoors or serious vulnerabilities in products meant to be safe. How can we draw the line between paranoia and reality?
A look at the methodology and techniques or hackers, cyber criminals and state sponsored attackers. Explores the kill chain, Geo political instability and the dark web.
Security Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docxacarolyn
Security Breaches and the Six Dumb Ideas
Consider a recent (2014, 2015 or 2016) security breach popular in the media. Analyze in the context of what you have learned thus far in this course.
The \"Six Dumb Ideas\" will be discussed at some point in class. You can review them here http://www.ranum.com/security/computer_security/editorials/dumb/
Requirements
You will need to write at least two paragraphs.
One paragraph needs to be devoted to your comments related to assumptions, convenience, cost and simplicity. Your viewpoint can be from either the hacker or the organization (or both).
A second paragraph needs to address the \"six dumb ideas\" as they relate to the security breach.
Minimum 500 words.
Solution
Answer:)
1. eBay went down in a blaze of embarrassment as it suffered this year’s (2014) biggest hack so far. In May, eBay revealed that hackers had managed to steal personal records of 233 million users. The hack took place between February and March, with usernames, passwords, phone numbers and physical addresses compromised.
2. 2015
Ashley Madison
Data compromised – 37 million customer records including millions of account passwords made vulnerable by a bad MD5 hash implementation
How they got in – Unclear.
How long they went undetected – Discovered July 12, 2015, undisclosed when they got in.
How they were discovered – The hackers, called the Impact Team, pushed a screen to employees’ computers on login that announced the breach.
Why it’s big – The attackers posted personal information of customers seeking extramarital affairs with other married persons, which led to embarrassment, and in two cases, possible suicides.
3. 2016
More than 32.8 million Twitter credentials have been compromised and are being offered for sale on the dark web, claims LeakedSource, a subscription-based breach notification service. But some security experts question whether the credentials are current and authentic.LeakedSource claims that the data leak stems from malware infecting users\' devices, \"and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter.\"
The \"proof for this explanation,\" LeakedSource says, is:
.
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!ThreatConnect
On June 15, 2016, Crowdstrike, published a blog article detailing the breach of the Democratic National Committee (DNC) by two Russia-based threat groups. ThreatConnect, using the Crowdstrike blog article as a basis, conducted further research into the DNC breach and discovered additional findings and also challenged Guccifer 2.0’s claimed attribution for the DNC breach.
See how the ThreatConnect research team was able to build off the work of others to add its own observations gleaned from analyzing the metadata on Guccifer 2.0’s released files and other discoveries.
5 biggest cyber attacks and most famous hackersRoman Antonov
A computer hacker is a computer expert who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means.
This session gives you real-life insights and examples of the most ridiculous cyber-attacks and the smartest cyber-crimes that have occurred over the last 30 years. Each director from CSP tell their own personal stories from working in the industry and from past clients, about the strangest and funniest cyber-crimes they have come across.
Yes, these examples are a laugh, but they also raise awareness of how easy it could be to fall victim to these cyber criminals and their attempts. So, we will be discussing how to protect your business also, and be more aware of their tell-tale signs and attempts to disrupt your business.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Knowledge engineering: from people to machines and back
The devil is in the details
1. The devil is in the details
How cybercriminals, leakers, State-sponsored hackers failed
their opsec
#NOHAT 2019 - Carola Frediani
2. Opsec and the human factor
You can get the tech right and still fail the opsec. Why?
● undisciplined past
● no compartmentation of identities (and of different operations)
● undeletable data
● language (is a traitor)
● money flows (follow the money)
● rush to get results
● group dynamics (peer pressure and recognition)
3. Harold T. Martin III
- Contractor Nsa, sentenced to 9 years for stealing secret documents
- Ph.D in information security management
- He used virtual machines, encryption and anonymization systems, probably
Tails or a similar system -> “a sophisticated software tool which runs without
being installed on a computer and provides anonymous internet access,
leaving no digital footprint on the machine” (indictment)
- “He has a demonstrated ability to conceal his online communications and his
access to the internet”.
- He sent strange messages to Kaspersky via DM Twitter during the Shadow
Brokers leaks
- His Twitter handle @Hal_999999999 connected him to his real life
4. Harold T. Martin III
A Google search on the Twitter handle and
display name found someone using the same
name on a personal ad seeking female sex
partners.
The anonymous ad included a real picture of
Martin and identified him as a 6-foot-4-inch
50-year-old male living in Annapolis, Md.
A different search led them to a LinkedIn profile
for Hal Martin, described as a researcher in
Annapolis Junction and "technical advisor and
investigator on offensive cyber issues."
(source: Politico)
5. Harold T. Martin III
Twitter handle > dating site > his real photo,
location, age > Linkedin profile > language clue
(CAMBRIC)
Also:
● Twitter account created with email
associated to his real life
● On a social networking website, the user
hal999999999 had a display picture
matching the motor vehicle
administration photo of Martin
6. Paige Thompson (Capital One)
● Some leaked data were openly stored on GitHub
● The GitHub page included Paige Thompson full
name in the digital address and it was linked to
other pages on GitLab linking to Thompson and
her résumé (source: affidavit)
● Thompson posted about the hack in an open
Slack channel, naming her VPN, that matched
Capital One logs of the intruder and GItHub logs
● A Meetup group was linked to the Slack channel
where the alias erratic posted breached data
● The Meetup page had a "Paige Thompson
(erratic)" as organizer
● Thompson used the alias “erratic” on Twitter
(where she talked of the hack, and had her real life
photo)
7. Alexandre Cazes
● 26 years old Canadian programmer, living in Thailand, and alleged kingpin
behind AlphaBay Market
● arrested on July 5th, 2017 in Bangkok; he committed suicide after few days in
prison
● in 2015 the Alphabay administrator, known as alpha02 (allegedly Cazes) said to
DeepDotWeb: “I am absolutely certain that my opsec is secure, and I live in an
offshore country where I am safe.”
● an email address in the AlphaBay forum welcome message was the main lead
● email address > real name > Linkedin > PayPal
8. Alexandre Cazes
Around December 2014 AlphaBay's operators
decided to add a forum to the martketplace.
Users who registered on AlphaBay's forum got a
greeting message from the site's admin.
In December 2016, FBI learned that for a short
period in 2014 these greeting emails included
the AlphaBay admin's personal email address in
the message header.
That email address was:
"pimp_alex_91@hotmail.com"
Image credits: Christy Quinn
9. Alexandre Cazes
● Cazes' email was also included in the
header of the AlphaBay forum pwd
recovery process (forfeiture complaint)
● The FBI linked it to his identity. It was also
associated to a LinkedIn account for
Alexandre Cazes, born in 1991
● In his Linkedin profile he was from
Montreal and run a tech company, EBX
technologies
● A PayPal account run by Cazes listed his
Hotmail account
● He used a pseudonym to run AlphaBay
previously used on carding forums. And
that was linked to his email and name in a
2008 post on a tech forum
10. Alexandre Cazes
Police caused AlphaBay servers to shutdown,
forcing Cazes to access AlphaBay
forum/datacenter and try to reboot the servers.
(“Law enforcement-caused outage”)
Then they tricked Cazes into leaving his laptop
by simulating a car accident outside his Thai
home.
Undercover cops crashed a car through his
front gate.
Cazes had the passwords for the servers stored
in unencrypted text files, and an Excel with all
his properties.
(Thanks to @Patrick_Shortis for some help on this case)
11. Ross Ulbricht (Silk Road)
ALTOID HANDLE -> SILK ROAD
ALTOID HANDLE -> ULBRICHT EMAIL
I
(Images via IPVN.net)
12. Ross Ulbricht
On October 2013, FBI agents decided to arrest
Ross Ulbricht because there was a chance to get
the laptop unencrypted.
In the public library he was working in, a couple
(two FBI agents) simulated a fight behind him.
And when he turned away the FBI snatched his
laptop, a Samsung 700z encrypted with
TrueCrypt.
He was logged into Silk Road.
They found: PGP private keys, the .php files that
built Silk Road, spreadsheets, chat logs, a journal.
Thettttt
Source: The Grugq
13. OxyMonster
Gal Vallerius aka OxyMonster was a vendor on
underground marketplace Dream Market. He
was arrested in August 2017 after flying to the US
to attend a beard competition.
Border guards searched his (unencrypted?)
laptop and found his credentials for Dream
Market, a PGP private key used by a Dream
Market vendor, $500,000 US in bitcoin and a
copy of Tor browser.
Why was he a suspect?
14. OxyMonster
● OxyMonster had a Bitcoin tip jar for the
help he gave in the forum.
● From this address many outgoing
transactions went to a Localbitcoins.com
account registered to Gal Vallerius.
● The agents searched his Twitter/
Instagram accounts and analysed his
writing style comparing it with more than
1,000 comments left by OxyMonster on
Dream Market.
● Cheers, double exclamation and quotation
marks, French posts were a common
pattern.
● Enough to mark him and get a warrant.
15. OxyMonster
Investigation:
chain analysis > social media OSINT > writing
analysis > device search at the border
Mistakes:
no tumblers > no compartmentation > no
avoiding US > no encryption
16. Hacktivism
Stick to yourselves. If you are in a crew - keep
your opsec up 24/7. Friends will try to take you
down if they have to.
(Sabu aka Hector Xavier Monsegur)
Jeremy Hammond identified via a triangulation
of real life insights revealed through his 3
nicknames (Anarchaos, yohoho, POW)
● Groups are often an enemy of opsec
● Social dynamics, group think, the need of
peer recognition, the exchange of tools
weaken opsec
● Hacktivists are easy to infiltrate (more than
cybercriminal groups; much more than
State-sponsored groups) Source: The DailyDot
17. Guccifer 2.0 and the GRU
State-sponsored hackers (Russian GRU)
allegedly responsible for the DNC leaks:
● Language (Guccifer 2.0)
● Identifying metadata (PDF documents)
● Real IP address (forgot to activate VPN)
● Account and IP reuse (email, server)
● Malware reuse (X-Agent, X-Tunnel ->
APT28)
● Money flows (bitcoin)
So
Source: Motherboard
18. Guccifer 2.0 and the GRU
- spear phishing domains
- DCLeaks.com site same pool of bitcoin
- X-Tunnel malware domain
(linuxkrnl.net)
Guccifer’s VPN funds from same
DCLeaks bitcoin address
Bitly link > Bitly account (not private) > many Bitly
URLs (phishing campaign targeting the Democrats)
Source: indictment; SecureWorks
Image: #Cybercrime
19. Park Jin Hyok (Lazarus Group)
Kim Hyon Woo persona accounts (Lazarus attacks):
tty198410@gmail.com
hyon_u@hotmail.com
hyonwoo01@gmail.com
hyonwu@gmail.com
@hyon_u
Chosun Expo accounts
(Park Jin Hyok):
ttykim1018@gmail.com
surigaemind@hotmail.it
pkj0615710@hotmail.com
mrkimjin123@gmail.com
tty198410@gmail.com
ttykim1018@gmail.com
surigaemind@hotmail.it
hyonwu@gmail.com
pkj0615710@hotmail.com
mrkimjin123@gmail.com
tty198410@gmail.com
20. Looking forward
● Establishing cyber criminal
identity (WHO)
● Establishing the outcomes of
criminal conduct (WHAT)
“Successful cyber criminals are those
who avoid both detection of their
crimes and identification”
21. Some takeaways (from an opsec perspective)
● If you have good crypto but you fail at
OPSEC and TRADECRAFT then you lose -
(Krypt3ia)
However, crypto helps.
● Don’t reveal operational data
● Don’t contaminate.
Contact between personas (covers)
contaminates both (the grugq)
● No logs, no crime (the grugq).
However, people love logging.
● When you start, that’s probably when you
are going to mess up.
● If you are going to build a big campaign
attacking many targets maintaining a good
opsec is hard, and expensive.
● The solitary highly-skilled one-off hacker
might well be the toughest to identify
(especially if she/he doesn’t move much
money).
● Opsec is rooted in psychology, mental
well-being, autonomy, patience.