Chapter 10
Now this foreknowledge cannot be elicited from spirits; it cannot be obtained inductively from experience nor by any deductive calculation.
Knowledge of the enemy's dispositions can only be obtained from other men. Hence the use of spies, of whom there are five classes: (1) Local spies; (2) inward spies; (3) converted spies; (4) doomed spies; (5) surviving spies.
When these five kinds of spy are all at work, none can discover the secret system. This is called "divine manipulation of the threads." It is the sovereign's most precious faculty.
An effective cyber intelligence operation must include the use of espionage and covert surveillance inside the hacker criminal underground as well as nationalistic youth organizations. This is a very broad arena that allows for any number of imaginative approaches, but one thing that is critical, and is a major stumbling block to many US agencies, is the employment of US citizens of foreign birth in the nations that are generally considered adversarial (e.g., the Russian Federation and the People's Republic of China). The irony of the federal bureaucracy is that it keeps out the very people on whom our national security may depend. A 29-year-old naturalized US citizen who lived his entire life in Russia, was educated in the best Russian institutions, and has now adopted the United States as his home will almost never receive the security clearance that he needs to do the work for which his experience has perfectly prepared him.
This is one of the areas, however, that creates opportunities for GreyLogic's Project Grey Goose and other investigative international security trust networks (STNs). PGG is not bound by the same bureaucratic shackles or legal authorities that employees and contractors of the intelligence community are. Volunteers are vetted not by their ability to receive a Top Secret/SCI with Full Scope Polygraph clearance; they are vetted by their peers who know and trust them and by the quality of the work they produce, which often speaks for itself.
I have had the opportunity to broach this subject many times during briefings that I provided to various agencies within the IC. Since these were unclassified briefings based on open source intelligence (OSINT), the moment I would broach the subject of conducting this type of covert campaign, the conversation ended. I was told that that was out of their domain. Astoundingly, the very sources and methods on which a successful cyber intelligence operation depends are outside the domain of the very federal employees tasked with the mission of open source cyber intelligence gathering.
An experienced military officer who has spent the bulk of his career working in Computer Network Operations and with whom I have had frequent discussions pointed out that the DoD employees tasked with open source work could not comment or discuss a covert action simply because covert actions are, by definition, not open source.
The open source intelligence model as used by Project Grey Goose investigators is not a passive one that simply gathers publicly available data for analysis. Instead, the model uses active discovery that pushes the envelope but never crosses into illegal activities.
Although progress is being made inside the US intelligence community, this distinction between active and passive collection, as well as legacy constraints on OSINT analysts, is a contributing factor in why the United States government finds itself constantly on the defensive in cyberspace and vulnerable to whomever wants to attack its networks and access its critical infrastructure.
Chapter 6. Nonstate Hackers and the Social Web.
Social services such as Twitter, Facebook, MySpace, and LiveJournal are an essential part of the hacker's toolkit. Commonly known as the Social Web, these services provide a heretofore unprecedented data store of personal information about people, companies, and governments that can be leveraged for financial crime, espionage, and disinformation by both state and nonstate hackers.
In this new era of cyber warfare, the Web is both a battle space and an information space. As this chapter shows, it is also a social, educational, and support medium for hackers engaged in cyber operations of one kind or another.
This chapter also discusses security implications for employees of the US government, including the armed services, who use social media and how their activities can put critical networks in jeopardy of being compromised by an adversary.
In addition to the giant social applications mentioned earlier are hacker forums, many of which are private or offer VIP rooms for invited members. These forums, along with blogs and websites, provide recruitment, training, coordination, and fundraising help to support the hackers' nationalistic or religious activities. What follows is a sampling organized by nation.
Russia.
Social networking is very popular among Russians. A recent Comscore study shows that, as a group, Russians are the most engaged social networking audience in the world, spending an average of 6.6 hours viewing 1,307 pages per visitor per month. The United States came in ninth at 4.2 hours.
The Russian Security Services are quite aware of this and have expressed concern over violations of operations security by Russian military personnel via social networks such as LiveJournal, Vkontaktel.ru, and Odnoklassniki.ru. In fact, the Federal Security Service (FSB) has banned its members from using Classmates.ru and Odnoklassniki.ru. That ban does not apply to former military personnel, however, and that's who is doing most of the posting today, now that a more rigid policy has been put into effect.
Numerous Russian LiveJournal users self-identified as former or present members of the FSB, Spetsnaz, Special Rapid Reaction Unit (SOBR), Border Patrol, and others.
Odnoklassniki.ru, however, has earned the attention of the Russian press and the Kremlin for a reason: it is rife with information of a military nature. As an example, one of Project Grey Goose's researchers was able to find mentions of over 50 strategic assets in this Russian social network, including:
- "Ordinata" Internal Ministry of Defence Central Command Communication Center
- 2nd special forces division of FSB-GRU
- 42nd secret RF Navy Plant
- 63rd Brigade of RF Internal Defense Ministry
- Air defense anti-missile staging area for C-300
- Air Paratroopers 38th special communication division
- C-75 missile complex
- Central Northern Navy Fleet missile test site-NENOKS Severodvinsk Air map
- FSB division of Dzerzhinsky range
- Headquarters of Russian Strategic Rocket Forces (RSVN)
- Heavy Navy Carrier "Admiral Gorshkov" location
- K-151 nuclear submarine location
- RF navy "Admiral Lazarev" missile carrier
- RT-2M Topol (NATO SS-25 SICKLE) Mobile ICBM Launcher Base
- Russian Akula Submarine K-152 Nerpa (SSN)
- Russian Typhoon Class SSBN
- Sheehan-2 Central Research and Testing Institute of Chemical Defense Ministry troops
The availability of this level of information has created a furor in various Russian online communities. One forum administrator complains that even the FSB doesn't have the data about Russian citizens, institutions, and the armed forces and their movements and interactions that these social networks have, particularly Odnoklassniki.ru.
China.
China has a huge Internet population and, as might be expected, has a correspondingly large population of hackers as well as servers hosting malware. There are literally hundreds of forums for hackers.
In his self-published book, The Dark Visitor, Scott Henderson wrote:
The China West Hacker Union website, for example, had 2,659 main topics and 7,461 postings. This was a fairly average number of documents for a Chinese hacker website; some sites, such as KKER, had well over 20,000.
Unlike hackers from other countries, Chinese hackers tend not to use Facebook or other social networks, preferring an instant messaging service called QQ instead.
The Middle East.
The following are websites utilized by Arabic hackers:
http://www.arabic-m.com
Now defunct, this was the address for The Arabic Mirror website, where hackers advertise exploits. It contained a section devoted specifically to defacements related to the Gaza crisis, where the websites targeted were Israeli or Western and the "graffiti" contained messages about the crisis. The administrators identified themselves as The_5p3trum and BayHay.
The Arabic Mirror website has a password-protected forum with information about hacking and security vulnerabilities, among other subjects. Its moderator is Pr!v4t3 Hacker, who identifies himself as a 16-year-old from the Palestinian territories and a member of Kaspers Hackers Crew, which is involved in hacking Israeli websites.
http://www.soqor.net
The Hacker Hawks website is hosted in Arabic and includes an active forum with discussions on IT security and security vulnerabilities. Information intended to assist hackers in attacking specific targets is exchanged, such as vulnerabilities of certain servers, usernames and passwords to access administrator accounts for specific websites, and lists of Israeli IP addresses. The website may also facilitate financial crime: one post included a ZIP file allegedly containing a collection of credit card numbers from an online bookstore.
The Hacker Hawks website includes a forum called Hackers Show Off, where hackers boast of the Israeli and Western sites they have infiltrated. The site's administrator, Hackers Pal, claims to have defaced 285 Israeli websites. The site also contains forums to share information on general hacking tools and skills.
http://gaza-hacker.com/
The Gaza Hacker Team Forum is for sharing general information on hacking as well as a place to showcase the team's skills and achievements. The Gaza Hacker Team is a small group that conducts both political and apolitical attacks. It was responsible for defacing the Kadima party website on February 13, 2008. The forum has a recruiting function: members can join the Gaza Hacker Team by displaying sufficient skills and knowledge on the website.
The administrators of the Gaza Hacker Team forum state that their goal is to develop a community around their forum. They post guidelines for members instructing them to encourage, support, and assist one another, and to focus on creating a sense of respect and community rather than the rivalry and competition present in other forums. "This forum is your second home," states one administrator, "in which reside your friends and brothers to share knowledge with you and to share in your unhappy feelings when you are upset and in your joy when you are happy."
http://www.v4-team.com/cc/
This is the site of the Arabs Security forum, which is affiliated with DNS Team.
http://al3sifa.com
This is the site of the Storm forum, which is also located at 3asfh.com. This is an Arabic language forum on hacking and other technical topics. Its members do not appear to be as heavily focused on Gaza-related hacking as the other forums. The forum was online in early January 2009, but it was down as of February 1.
http://arhack.net/vb
The Arab Hacker website contains several forums devoted to IT security and hacking. It includes forums devoted to making viruses, creating spam, and obtaining credit card numbers. It also includes a section for hackers to boast about their successes, where the focus is on American, Israeli, Danish, and Dutch websites.
http://www.hackteach.net
The forum on this site is called "the Palestinian Anger forum" in Arabic and "Hack Teach" in English. It is run by Cold Zero, one of the most active anti-Israel hackers. The forum contains tutorials and tools to assist hackers.
http://t0010.com
This used to be a more developed website called the Muslim Hackers Library. Now it contains only a list of downloadable resources for hackers in both Arabic and English.
Pakistani Hackers and Facebook.
On December 24, 2008, the Whackerz Pakistan Cr3w defaced India's Eastern Railway website with the following announcement:
Cyber war has been declared on Indian cyberspace by Whackerz-Pakistan.
When clicked, a new window opened saying that "Mianwalian of Whackerz" has hacked the site in response to an Indian violation of Pakistani airspace and that Whackerz-Pakistan would continue to attack more Indian military and government websites as well as Indian financial institutions, where they will destroy the records of their Indian customers.
Whackerz-Pakistan is motivated by both nationalistic and religious allegiances, unlike their Russian or Chinese counterparts, who are purely nationalistic. At least one of the members is Egyptian and two live in Canada, so their geographical identity may be less important than their religious affiliation.
Their stated preferred targets are India, Israel, and the United States, so besides their involvement in the Pak-India cyber conflict they may also be involved in the Israel-Palestinian National Authority cyber attacks.
At least half of its current membership are educated professionals in their 20s or older, so this is a mature crew with financial resources and professional contacts in the international technology community. The employment by one of its members at a well-known global wireless communications company means that they are potentially both an external and internal threat.
The Whackerz Pakistan operations security (OPSEC) discipline was generally poor. Quite a bit of personal information was available via the social networks YouTube and Facebook, as well as Digg, Live.com, and zone-h, but it was a Facebook entry that contained the most damning evidence: the real name of the leader and the order to a subordinate to perform the attack against Eastern Railway.
This example serves to underscore the level of trust that occurs, for better or for worse, on social networks. The most cautious member of this hacker crew, its leader, demonstrated good OPSEC on every social network except one, Facebook, probably due to the illusion of security provided by the Friends Only setting. The "illusion" stems from the fact that you never know who your friends truly are in a strictly online setting without the benefit of a personal meeting.
The Dark Side of Social Networks.
Social networks are an ideal hunting ground for adversaries looking to collect actionable intelligence on targeted government employees, including members of the US armed forces. The venue is free, raw data is plentiful, and collection can be done anonymously with little or no risk of exposure.
According to a recent study conducted for one of the US armed services, 60% of the service members posting on MySpace have posted enough information to make themselves vulnerable to adversary targeting. For those readers who aren't versed in military vernacular, adversary targeting translates to events such as important new technology being transferred to the People's Republic of China, a DOD intelligence officer being blackmailed, and the kidnapping and ransom of a corporate or government official overseas. The open APIs on Twitter and Facebook provide a virtually unlimited resource for building target profiles on employees of sensitive government agencies such as the Departments of Defense, State, Justice, Energy, Transportation, and Homeland Security. The Twitter stream adds a timeline for tracking when you're at work, where you're going after work, and what you are doing right now.
Another risk category is disinformation. Twitter received a lot of coverage during the Mumbai terror attacks of November 2008 for its role in covering the events in real time. Part of what emerged was the potential for terrorists to use Twitter to propagate disinformation about their whereabouts (for example, announcing a new attack at a wrong address), thus adding chaos and confusion to an already chaotic situation.
Finally, there is the phenomenon of online trust. If you work in a targeted industry, sooner or later you will be approached by someone who isn't who he claims to be for the purpose of gaining and exploiting your trust to further his own nation's intelligence mission.
The Cognitive Shield.
This section contains an official study for the US Air Force (USAF) on the risks associated with their service members using social media, specifically MySpace. It was produced by the Air Force Research Laboratory and has been approved for public release and unlimited distribution.
The study involved 500 individuals across the spectrum of job responsibilities, rank, family members, and length of service, and was meant to reveal vulnerabilities in OPSEC due to posting habits on MySpace, with the intention of carrying over the lessons learned to all types of social media. OPSEC violations constitute real risks from adversaries during wartime.
Although this report was prepared for the USAF, the report authors encourage all the armed services to consider how the same issues would impact their own operations.
The report authors posed two questions for the basis of their research:
- What type of information and how much information are USAF personnel making available in MySpace?
- What are the characteristics of the Air Force personnel who post information, and are they different from the larger population of Air Force personnel?
The 500 study participants were collected by searching MySpace using the keyword USAF. MySpace was chosen because of existing reports of OPSEC violations occurring there. Study information was collected by an anonymous MySpace account.
Sample profiles included active duty, national reserve, guards, cadets, recruits, retired, and recently separated members.
Information was obtained through simple keyword searches, such as "USAF cadet," "USAF officer," "USAF linguist," "USAF special tactics," "USAF intelligence," "USAF deployed," "USAF intel," and "USAF cop."
The results showed that posting to social networking sites is not restricted to younger service members and spans a wide variety of career fields (Figure 6-1).
Figure 6-1. Percentage of USAF career fields represented in the study
Examples of OPSEC violations.
Helicopter pilot currently in California, headed to Nellis AFB to work at the 66th Rescue Squadron
OPSEC concerns include sharing his new duty station, his new unit, the aircraft he'll be piloting, and his status as a volunteer EMT and firefighter (which could provide an adversary with a means of approach).
F16 pilot and instructor currently stationed in California
OPSEC concerns include sharing his rank, his duty location, the type of aircraft he flies, the fact that he is an instructor, past squadrons, personal medical information, and family information.
TACPs and Security Forces
They share notes about deployments, units they deploy with, and information about training as well as where they work. Posting pictures of themselves at deployed locations can provide the enemy with an opportunity to identify potential targets.
Intel students, officers, imagery analysts, crypto-linguists, and Predator sensor operators
OPSEC concerns include that they self-identify as intelligence professionals, and mention bases, training locations, and job duties.
MySpace group site pages are another problem because they provide information about specific career fields and specific operations in the form of reunion pages (i.e., Bosnia, OIF, OEF operations, etc.). Current MySpace groups include USAF Wives, USAF Security Forces, USAF TACPs, USAF F-15 crews, USAF Air Traffic Controllers, and Pararescue.
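As an added example that is not part of the book or the AFRL study, the self-review script below scans a set of constructed posts for the disclosure categories just listed (duty station, unit, aircraft, deployment, intelligence role, rank) and for the schedule leakage that a timestamped stream creates, as described for Twitter earlier in the chapter. The category patterns, thresholds, and sample posts are assumptions constructed for this illustration, not the study's own method.

```python
"""OPSEC self-review over constructed social-media posts (added example).

Flags the disclosure categories the AFRL study describes and the
schedule leakage of a timestamped stream. Patterns and posts are
constructed for illustration; a real review would use the unit's own
OPSEC critical-information list.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Disclosure category -> pattern (assumed; extend per local OPSEC guidance).
CATEGORIES = {
    "duty_station": re.compile(r"\b(AFB|air force base|stationed at|duty station)\b", re.I),
    "unit": re.compile(r"\b\d+(st|nd|rd|th)\s+(rescue|fighter|security|communication)?"
                       r"\s*(squadron|wing|brigade|division|unit)\b", re.I),
    "aircraft": re.compile(r"\b(F-?16|F-?15|F-?22|predator|helicopter|pave hawk)\b", re.I),
    "deployment": re.compile(r"\b(deploy(ed|ing|ment)|headed to|shipping out|in iraq|in afghanistan)\b", re.I),
    "intel_role": re.compile(r"\b(intel(ligence)?|imagery analyst|crypto-?linguist|sensor operator)\b", re.I),
    "rank": re.compile(r"\b(Lt\.?|Capt\.?|Maj\.?|Col\.?|Sgt\.?|Airman|GS-\d+)\b"),
}
WORK_MARKER = re.compile(r"\b(at work|on shift|on duty|off work|heading home)\b", re.I)

def classify(text):
    """Return the set of disclosure categories matched by one post."""
    return {name for name, rx in CATEGORIES.items() if rx.search(text)}

def review_profile(posts):
    """Aggregate findings over a profile's posts: list of (iso_timestamp, text).

    'correlatable' is True once three or more distinct categories appear,
    since a station, a unit and an aircraft together identify a person.
    'routine_hours' are hours at which work-related posts recur (schedule leak).
    """
    counts = Counter()
    work_hours = defaultdict(int)
    for ts, text in posts:
        counts.update(classify(text))
        if WORK_MARKER.search(text):
            work_hours[datetime.fromisoformat(ts).hour] += 1
    return {
        "categories": dict(counts),
        "distinct": len(counts),
        "correlatable": len(counts) >= 3,
        "routine_hours": sorted(h for h, n in work_hours.items() if n >= 2),
    }

# Constructed posts loosely modelled on the helicopter-pilot example above.
SAMPLE_POSTS = [
    ("2009-01-05T06:55:00", "At work early. Still in California but headed to Nellis AFB next month."),
    ("2009-01-06T07:02:00", "At work. New job with the 66th Rescue Squadron, finally flying the Pave Hawk!"),
    ("2009-01-07T06:58:00", "Off work, EMT shift at the station tonight."),
    ("2009-01-08T19:30:00", "Movie night with the kids."),
]

if __name__ == "__main__":
    print(review_profile(SAMPLE_POSTS))
```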
Adversary scenarios.
The following are potential adversary scenarios:
Kidnapping scenario in Iraq
Lt. Smith keeps a daily journal, with pictures, on her MySpace account of what she does in Iraq. As a result, an adversary is able to locate and kidnap her.
PRC technology transfer
Dr. Joe Smith (GS-14) is a scientist employed by the USAF at Wright Patterson Air Force base's AFRL. He becomes a target of Chinese intelligence.
Blackmail scenario of USAF research officer
Lt. Col. Joe Smith has what he believes is an innocent MySpace page. It was intended for him to keep in touch with his family during deployments, as well as with other F-22 pilots in his unit. He becomes a target of blackmail.