Infiltrated dot Net

As of February 27th 2011, anonymous sources have stated that hundreds of thousands of attackers are now declaring simultaneous cyberwars. According to anonymous sources in the security industry, the outlook is dismal, yet if you subscribe to their Twitter feeds, blogs and company programs, the outlook for you will change. They can track these terrorists; they can protect you [1]. Yes, these anonymous security sources are 100% accurate in their statements and are not figments of any imagination. Sure, they remain anonymous, but this is to protect them from, well, terrorists. It is not to protect them from becoming the laughing stock of serious security practitioners.

Alright, since you can smell the stench in the paragraph above, let us now look at the harsh reality of Al Qaeda and/or "cyberterrorism" from "terrorist" groups. Besides, as the security world saw recently via HBGary, you can't take the tracking of "anonymous cyberterrorists" seriously. [1]

    [Al Qaeda's] main obstacle is finding individuals worth smuggling in given the skill set needed for the job. They would have to be: radicalized enough to die for their cause; Westernized enough to move around without raising red flags; ingenious enough to exploit loopholes in the security apparatus; meticulous enough to attend to the myriad logistical details that could torpedo the operation; self-sufficient enough to make all the preparations without enlisting outsiders who might give them away; disciplined enough to maintain complete secrecy, and—above all—psychologically tough enough to keep functioning at a high level without cracking in the face of their own impending death.

    That emphatically is not the profile of an average Al Qaeda foot soldier who is a semi-literate peasant with barely any experience of the world outside his province. [2]

Where should we begin to seriously pick apart the nonsensical theories put forth by individuals who are, in the world of Slashdot, "anonymous cowards" [3]? What rhyme or reason should I use when reading garbage media such as "First Major Al-Qa'eda Malware Release Wrecks Havoc" [4]? I mean, seriously. As a security practitioner, manager, evangelist, or whatever term I want to place into the sentence, the logic just doesn't hold true for a group like Al-Qaeda. This is not to say that a terrorist organization is not seeking out the means to cause electronic mischief; this is simply to say, wake up and use your brains for a moment.

As I read the "Al-Qaeda Malware" spiel, I couldn't help but wonder if the author has a grasp on security, reality, or both. In order to understand where I am coming from, here are some snippets from this (non)juicy article:

    The code from the attack looks to have come from previously distributed open source malware. Informed sources choosing not to be named indicated that source code from the Low Orbit Ion Cannon and from reversed engineered anti-virus engines and signatures combined with marketing campaign engines from some of the major celebrity news websites was combined in to create the majority of the malware.

Therein lies the beauty and danger of the Internet and anonymity. LOIC (Low Orbit Ion Cannon) is readily available to anyone with a minute to spend on Google. "Reverse engineered anti-virus engines and signatures..." Wait. What are they really doing, trying to protect me? Reverse engineering an AV engine does absolutely nothing toward building malware, nor does a reverse-engineered AV signature; at most, all they've done is open up an AV engine and a signature and learn what it detects. It may have been more believable, even coherent, had the author stated: "based on the reverse engineering of the attack and software used in the attack, researchers discovered ..." Which leads me to believe that neither the author nor the "anonymous coward" feeding him the spiel has a clue.

Fear not, though, as this was then further clarified by the following:

    One unnamed security vendor executive stated that “al-keye-dah used an elaborate mix of social engineering techniques but the methods and tools were kludged together into a rather unsophisticated package.” “It is an everyday reality that Americans will follow human interest stories laced tragedy,” stated the security vendor executive and discoverer of Vento Swine.

This is what rattles my cage a bit: "one unnamed security vendor executive stated..." We have already seen the damage from "one forensic executive" [5] who "swore" that, through his six degrees of separation theory, he could identify attackers, only to have his world come crumbling down. So here we are with another puppet being fed the "the boogeyman cometh and his name is Al-Qaeda" lines; however, the "Al-Qaeda Malware" article seems to be nothing but a joke that wasn't even halfway funny. In fact, it is downright scary, as I could see media outlets picking up and running with the stupidity. It has happened before and will continue to happen, especially when security professionals are quick to quip the terms cyber and terror in one breath.

To be accurate and fair in my statements, this has happened before and it was costly to taxpayers: twenty million dollars down the tube. However, most taxpayers aren't even aware of the situation:

    Interviews with more than two dozen current and former officials and business associates and a review of documents show that Mr. Montgomery and his associates received more than $20 million in government contracts by claiming that software he had developed could help stop Al Qaeda’s next attack on the United States. But the technology appears to have been a hoax, and a series of government agencies, including the Central Intelligence Agency and the Air Force, repeatedly missed the warning signs, the records and interviews show. [6]

How can security practitioners, politicians, even normal citizens continue to be so naive? The fact is, cyberterrorism is such an overrated term with no definitive rhyme or reason, and it seems that anyone who uses antivirus nowadays can call themselves a security expert, spread a rumor, embed the term terrorism and cause more damage than some lowly terrorists who have likely never even turned on a computer. It certainly is boggling. In closing, as a security practitioner/professional, I will anonymously state that cyberterrorism is real and obviously only I can defend you using my patent-pending "Information Defense 10 Times" technology, otherwise known as ID10T. Act now, and if you're one of the first 100 individuals to e-mail me, I will also include an SSL certificate. With your own SSL certificate, you can ensure high-level encryption between your webservers and the clients connecting to that webserver [7].

As Seen On TV

[1] http://arstechnica.com/tech-policy/news/2011/02/anonymous-vs-hbgary-the-aftermath.ars

[2] http://reason.com/archives/2011/02/15/what-islamist-terrorist-threat

[3] http://en.wikipedia.org/wiki/Anonymous_Coward

[4] http://blogs.csoonline.com/1407/first_major_al_qaeda_malware_release_wrecks_havoc

[5] http://www.infowar-monitor.net/2011/02/updated-the-hb-gary-email-that-should-concern-us-all/

[6] http://www.nytimes.com/2011/02/20/us/politics/20data.html?_r=1

[7] http://iang.org/ssl/pki_considered_harmful.html#revenue