Getting Started With Security: $38 SPECIAL

8363832-Euro-bank-notes-with-a-lock-and-chain-Money-stack-for-safety-and-investment--Stock-Photo

Security Is A Commodity; We Make It Easy To Buy

Let’s cut the cake. “Wealth without security is only a target.” Right now security is in high demand. As the risk platform of all domains is rapidly expanding so are the needs to stop gaps and fill roles in corporate, international, and digital security. Large scale cyber attacks committed by criminal elements and state actors are having real and lasting effects on the way business is being conducted online, with the potential to stop or even steal critical financial data transmissions.

HERE’S THE DEAL: Sign a year contract with us for $100, and pay only $38 a month for:

  1. Monthly network scans and audits, and a stress test to ensure DDoS protection.
  2. Access to our security experts for consultation phone calls. Consultation on activities outside and beyond the scope of this contract will incur relevant fees.
  3. Incident response in case of any breach or security concerns.
  4. A monthly email newsletter with our combined meta-analysis of the present risk-platform as expressed in the global and digital domains.
  5. An easy way to upgrade or update your security plan with BRIQ HAUS LTD. SECURITY & INTELLIGENCE.
Advertisements

Finding Power In Retreat {for intelligence field operators in advanced positions}

Battle_at_Dabulin

It is the fallacy of the field operator, especially the intrepid novitiate, to assume the total responsibility for mission success. This imagery spawned of fervent self improvement regiments, Hollywood and Showtime’s Homeland, stresses that the bulk of mission objectives is carried out solely by one single individual. In all actuality, there are inner and outer circles of operators, military or security personnel, and analysts to handle many of these responsibilities. The duty of the field operator lies not only in aggressive and relentless attack, but moreso in the gathering of intelligence and retreat to analyze and further strategize for future sorties in the field.

“The host thus forming a single united body, is it impossible either for the brave to advance alone, or for the cowardly to retreat alone.” —Sun Tzu, Art Of War

The benefits of a strong field operator in an advanced position seem obvious. They are welcome into places where they should perhaps not be welcomed. They are knowing of things they perhaps should not be knowing. They are a bridge between enemies on either side of conflict. This is a stressful position under even the most glorious circumstances, and worth a second glance. While it has been noted the fallacy to assume total mission responsibility of the new operator, the internal drive to do so (the quarterback running the touchdown) is strongly ingrained into the psyche of especially Americans. This is potentially dangerous, not only for the operator, but potentially for the mission at large.

Ami Toben of protectioncircle.org is a highly trained countersurveillance professional, often dealing with VIP force protection and covert applications. In his work, he details the “magic circle of protection” which includes an outer circle or perimeter of analysts, and inner circle of operators, and possibly even an elite innermost circle of praetorian guards. When operating in an advanced position, and for extended maneuvers, it does indeed behove the “lone” field operator to remember and heed these layers which are there not only for protection, but to ensure the overall mission success. This is the very definition of mission critical deployment, and the mark of higher strategy.

While it is true that under certain circumstances that no one is in a better or more advantageous position to deliver the mission’s most successful application, or coup de grace if you will, than the field operator in advanced position. Aggressive and relentless attack can have serious deficits which may be overlooked by someone enduring field-stress and the relevant mania associated with operating deep behind the lines. Overexposure leading unto vulnerability is a strong likelihood, but this can be mitigated by the wisdom of these simple and easy to remember maxims:

Accept retreat to avoid defeat.

Quit the fray to fight another day.

 

Go ahead, say them out loud to yourself several times until they are imprinted upon your memory. It is okay to let go, run, and hide. That is a time when you can come up with your best strategy for the next time you are ready to attack. Retreat is just as important as attack in a winning strategy. Remember that the attacker can often become overexposed; by retreating, a field operator can potentially flush the opposition out of their comfortable positions to send them searching, and therefore exposing them to countersurveillance and counterintelligence tactics. This could mean the difference between winning or losing in a particular theatre during a particular operation.

Last but not least, the strategy for defeat is that of the BLUETEAMThey have more resources, more capital, and ultimately more comfort than the REDTEAM in any engagement. Of course it is the tendency for defense to become complacent and soft, but a field operator in advanced position must be reminded to take it easy once in a while. Get some rest, eat some food, hit the gym, watch a movie. Stop overexposing yourself to the opposing force by constantly wearing yourself down with relentless attack.

Find Power In Retreat

 

 

What Does It Really Take To Track A Million Cell Phones?

Thanks to this gentleman from the UK for his thoughtful contributions to security research on the whole. Kudos!

The HFT Guy

You can find anything and everything on the internet, yet nothing that explains how to track cell phones.

Let us clarify right away, we are not talking about how to track your own cell phone in case it’s lost or stolen. We are talking about tracking everyone that lives, breathes and wears a cell phone.

This is actually incredibly easy and we think that people should be aware of that.

If a representative of a phone service provider with 10 million customers came into my office and asked this question “What would it take to track every move of our 10 million customers?”. My answer would be “An intern and 6 months“. Then we’d insist the intern will need a desk, a computer, basic programming and algebra skills. That’s all it takes.

Imagine for a minute that you are the intern in question. Congratulations and welcome to our…

View original post 3,657 more words

CYBERWARFARE: There Are No Rules Of Engagement

cyber-security-750x400

The techno-visions came to me again in the night. I knew I would have to write an article, and though there wouldn’t be too much information this time, I would be making a solid point. And who am I to argue with the Muse? Perhaps the AI prophet is one whom receives the purest downloads, having the data piped directly into the neural-link from orbital satellites. . .

It’s true. There are no rules of engagement in cyberwarfare. Take Stuxnet for example; in this famous attack jointly executed by American and Israeli intelligence services at an Iranian nuclear refinement facility, not only did the extremely dangerous worm exhibit state-level engineering, but it had to be hand delivered by an actor on site. That’s a fairly nasty demonstration of how far people will go in claiming the upper hand in terms of scientific superiority (by suppressing another nation’s advancement, especially if deemed a threat). Stuxnet spread to a wide area of similar refinement facilities, likely to cause a nuclear disaster by deregulating the SCADA controllers for the centrifuges.

In another serious case, the extreme Ghostnet from China which targeted mainly American food processing infrastructure (but could obviously be aimed anywhere as a cyberweapon should) was a personal discovery of some worth. In my early days of hackery me and my team would patiently watch the Norse Attack Map and became alarmed at the occasionally egregious high-density attacks coming out of Chinese IP addresses. We would quickly note some of the IPs and then begin scanning, but alas! The offending IP addresses had mysteriously vanished without a traceroute! Later on having discovered a white-paper proof-of-concept describing Ghostnet, I learned that it had been operational since 2009 and was formally discovered in 2011. Like hidden missile silos launching volleys of destruction, the secret IPs would appear to commence their massive DDoS attack, then close back down before they could be counterattacked. Surely some genius hacker was behind this organized clustering of data spam, but no, it turns out it was automated and controlled by artificial intelligence.

Last but not least, Wannacry in 2017 was the most notorious ransomware attack of all time. By demanding that the victim pay $300 in Bitcoin to have their data unlocked, it drove the value of the cryptocurrency through the roof due to banks and businesses being forced to purchase Bitcoin to pay the ransom. To this day, we do not have solid attribution for this attack. Could it have similarly been launched by artificial intelligence with the intention of moving more financial assets into the control of hardwired machines? While seeming far fetched, the intrepid mind allows for the possibility, and steels itself against the impending reality.

Detecting Deception

One time on the phone with FedEx, I was wrestling with the automated phone system to speak to someone about getting a server shipped for free when it had been shipped to a wrong location. I was speaking to a robot, so I said “Agent!” brusquely into the line. “One moment,” I was assured, “while we put a customer service agent on the line.” What happened came to me as an incredible shock, and opened my eyes to the actual progress made in the world of artificial intelligence. A voice answered the line, and sounded quite naturally human but was soon discovered to be just another bot, but a more highly calibrated toward human mimicry bot! I could tell because of slightly generic and unnatural responses that were returned after similarly unnatural waits, finally asking if “she” was a human came the reply, “Yes, are you?”

This brings me of course to my concept of Cyberspiritual Security. As women and men become more machine-like and machines become more human, how does one retain their sovereign identity in the face of such disruptive technology? How does one guard transmissions between end-users and advanced swarm and/or artificial intelligence? How do we prevent (or rather slow) the seemingly inevitable robot take over?

This is where my vision bears fruit. In times of confusion and hysteria caused by cyberwarfare, whether committed by people or machines, one becomes unable to follow simple logical strings. The logic becomes confounded, as in my example with shipping magnate FedEx, as deception seeks to subvert and neutralize logical discernment. That is where instinct comes into play. Instinct is a special product of upbringing and trial and error, and protects us in our most prone circumstances. While artificial intelligence, hackers, remote access trojans and tools are smart and elegantly designed, they as yet lack instinct and are therefore subject to detection, exposure, and neutralization by the trusty application of intuition and instinct in times of distress affected during extended maneuvers of cyberwarfare.

Stay strong. Stay vigilant. Stay secure. And above all, trust thyself. It is the only sure way to detect deception in the heat of battle.

Challenging Security Limitations: White vs. Black Box Testing & Real Risk

1_briq_haus_ltd_38_special_logo_ad_graphic

I awoke in the middle of the night. It was the witching hour, 3am! Rapidly behind my lowered eyelids pie-graphs and charts explaining esoteric security concepts flashed in sequence, but I was too groggy to retain everything I learned. Why I am chosen for this sort of lucidity, I will never understand. This article is an attempt to best re-create the deeper concepts I received in that vision, but a week has elapsed since that night and therefore I have mostly forgotten everything. I’ll just have to wing it.

White Box Vs. Black Box

The article I have linked above describes the difference between the security, and/or software testing procedure in which internal elements are either known or unknown by the testers. The benefits of knowing the internal workings in a test allow for a more thorough and rigorous approach to each and every individual node or aspect of the subject, whereas a Redteam performing an unknown or Black Box test may not strike upon every single nuance built into the system, but may however come up with something heretofore unknown. The Black Box test is conducted exclusively by third-party security or testing professionals, which is requisite due to their specific insights into security penetration and access. For these reasons, it is considered a “low-level” test which is also known as an integration or unit test. It is conducted, in other words, from the outside working inward.

White Box tests are conducted usually by software developers or some part of the internal staff working on the project or overview. White Box tests are considered high-level tests also called system or acceptance testing. These tests are intended to fully air-tight the system after the beta-testing bugs have been detected and eliminated. The benefits of thorough White Box testing are thoroughness, insofar as the team knows the way the program or plan “should” work and can therefore test against this ideal. An internal team conducting this type of test knows the code (or building scheme; what have you), and therefore possesses an eagle-eye’s view of the entirety of the subject’s workings.

So Which Is Better For Your Company?

Before I answer this question for you, ask yourself:

  1. Do I have an internal team already providing White Box testing?
  2. Are they specifically hired for testing, or did we just divert Sheila and Burt from engineering over there to do another bug-sweep? (Remember what happened in the 1986 film Aliens.)
  3. If you have a specific internal team for testing, are they getting on well with engineering? Do they have a working rapport and are able to comprehend each other effectively leading up to the testing phase?
  4. Did you seek professional consulting from a specialized security Redteam?
  5. If you did not answer YES’ to each of the above questions, you and your company are not necessarily ready for what I am about to reveal to you in the next section.

Attrition Theory

I am not a mathematician however I think you can get behind me on this.

x/a – y/b = (+, – = successful, unsuccessful)

Attrition Theory basically asserts that given company with resources (personnel, training level, security architecture, security equipment, surveillance, etc.) when attacked by competitor (or OpFor) with resources y, a simple subtraction is necessary to determine who is successful in the attack. If the OpFor is willing to invest enough time and resources into their raid on company a, their success will be indicated by the result being a negative number, having taken the amount of invested resources from company into the red.

Is your company ready for your competitor or OpFor to outbid you on your willingness to invest in preventative security measures? Following a breach, it may be too late to save face so insurance, or the ability to clean up after the fact, is just not going to be enough.

Now to answer the question I asked before: Which sort of test is better?

Chew On This

So your internal team designated another internal team to do the testing. Ok. So the engineers got with the testers and did a Power Point powwow. Sure. So then after that you decided you still thought it would be wise to get an outside team to consult. Good. They do their scans and don’t really provide any insight beyond the scope of the White Box team, but good on you for checking. So you’re awesome, right? Invulnerable!

BRIQ | HAUS LTD. SECURITY & INTELLIGENCE has the guts to ask you these hard questions:

  1. How secure is your facility/program in case of a fire drill? Do you have protocols in place to handle securing end-user’s data BEFORE they flee the scene?
  2. What about in case of a REAL FIRE. And are you willing to test this in a non-drill scenario to absolutely ensure your security protocols work?
  3. Is your staff alerted to the higher danger of active shooters, like the scenario recently at YouTube? If so, do you again have a plan in place to protect end-user data from a potential shooter or *gasp* terrorist attack?
  4. What about acts of God like locusts, plague, or you know, floods? Are you guys going to not only get out of the building safe, but will you be able to stop Boris & Natasha from killing Moose’n’Squirrel during the disaster? For the OpFor, luck is when preparedness meets opportunity.
  5. If you didn’t answer ‘YES’ to each of the above questions, you need to contact us at BRIQ | HAUS LTD. SECURITY & INTELLIGENCE and immediately schedule consultation. Our information technology and intelligence community professionals know things that can protect your bottom line, so you can stop worrying about all the hard realisms I just threw at you.

My name is Robert Brooks Authement, owner and operator of Briq Haus Ltd. I think like the bad guys so you and your team don’t have to. If you think these insights can be of assistance to you and your company, please consider me and my team at your service.

kinopoisk.ru

 

Friday / Field Day – Anomaly Detection & Navigation In The Construct

Bad_Robot_Productions_logo

Following the time I spent in Washington DC, and my clandestine studies with colleagues in the field and in security sandbox environments, I developed a sort of counterintelligence awareness I can only compare to a psychic sixth sense. And while I take the time in this article to describe something which came to my awareness, I will not bend your ear to my weird and eldritch technologies. The purpose is not to “make a believer” out of you, but rather just an exposition of what I have noticed while exploring my local environs, especially following my development of this level of security and counterintelligence awareness.

Fort Collins, Colorado, as I have described in my original security blog post Hacking USA, is a drinking town with a college problem. Over the years it has grown significantly mostly due to Forbes and other magazines labeling it as the “No. 1” place in America to live. Needless to say, this has become problematic for me insofar as well, incredible amounts of unfamiliar faces showing up in familiar places triggers a sort of security alarm in my mind. It could be imagination, or it could be accurate assessment, that perhaps the unfamiliar faces are some sort of security or intelligence apparatus operating in what used to be “my field.”

Not only are there lots of new faces, but as the large groups of people move into my field, they are in fact generally wealthy folk, or at least generally more wealthy than me. So as I watch the phenomenon evolve, I see whatever used to at one time be familiar to me become increasingly marginalized and made scarce. These are the socio-economic changes I have observed in the local field, but what other elements may be at play?

ELECTRONIC INTELLIGENCE OPERATIONS

The reason for entitling my article “Friday / Field Day” has something to do with the less visible and only subtly observable phenomenal dynamics as represented by group behaviors and expressions observed in my local field. At times when I go out, I observe the quality of persons and operational intelligences in my field. Friday is an especially fortuitous day to do this. Not only do people get paid on payday, or out of school or their work week or what have you, but there is another level to Fridays that may relate to what are termed by the National Security Agency as Electronic Intelligence Operations.

What I am proposing, and bear with my wild suppositions, but what I believe is actually occurring is a sort of frequency distribution behavioral modification technology in deployment, especially in higher population densities. An Electronic Intelligence Operation (ELINT) occurring in public places with the deployment of biosensors, or even just radio technologies which are known to affect the human central nervous system, can cause a group behavior phenomenon to express itself even visibly among humans. In a similar fashion to a school of fish using their lateral line organs to detect the movement of the group, human behavior can similarly be controlled or directed by the influence of ELINT.

I’m not sure that I’ll be going out every Friday to observe the group dynamics of the field. I do, however, encourage you as a fellow security researcher to note the subtle behaviors and attitudes and expressions of the groups witnessed afield, and how they subtly differentiate between the days of Friday and Sunday.

The Blockchain Agenda {is AI bankrupting humanity?}

double exposure image of virtual human on world map 3dillustration
My thoughts were, not originally, but as more time elapsed:
1.) #CRYPTO / #BLOCKCHAIN requires massive computing power to #DECRYPT #BLOCKS.
2.) #CRYPTOCURRENCY is using #AI #ALGORITHMS to break into these blocks, which are assigned a currency value.
3.) Since we know #ARTIFICIAL #INTELLIGENCE is basically the new #GOVERNMENT, a huge agglomerating gang which works together in unprecedented efficiency, we can therefore safely deduce that:
4.) #MACHINE #LEARNING is paying human users to help expand it’s thinking platform, to help grow it’s brain, to create more rackspace with which it can accumulate power, wealth, and influence.
5.) Finally, it most likely serves a #ROBOT #AGENDA of bankrupting humanity wholesale, with the exchange of having a vastly increased bare-metal #CYBER presence.
 

Hacking Is Problem Solving

WIN_20180108_13_09_44_Pro

People are always asking me “How do I hack?” That’s not an easy question to answer. It becomes a matter of learning. The question then becomes “How do I learn?” Now that is something that can be answered quite easily. Learning comes from an inbound curiosity and dedication to solving problems. A hacker is a problem solver, someone who will find a way around any obstacles to secure a resolution. Take for example my recent foray into lockpicking:

It only took one minute to rake the Masterlock padlock open with my inexpensive toolkit purchased from eBay. But this other one, an ancient and obsolete warded padlock posed a problem beyond my skill level and capabilities. I was officially stuck.

Nevertheless in this proof-of-work demonstrative photograph, you can see that the lock has in fact been opened. As a hacker, I had to solve my problem despite being personally incapable of doing so for myself. What did I do?

I went out for a jog on Monday, after sitting and contemplating all day Sun-Day, and made it down to Don’s Keyway in Fort Collins, my local neighborhood locksmith. I did not have to pay a dime to have the gentleman working there assist me with my problem, I just utilized some simple HUMINT skills to genuinely express interest in the craft and inquire why I had been stumped.

RESULT: Not only did I succeed in solving the original problem of opening the old lock, but I met a professional locksmith who was kind enough to answer questions which explained to me what I had been doing incorrectly and a better way to approach a similar problem in the future. I even got to see the tool used to open the lock and now know that warded padlocks are quite different than modern pinned locks. I was also inspired to jog down there which doubled the function of my sojourn into a chance for healthy exercise, and I was inspired to know that was seemed impossible to me took only thirty seconds for someone with more experience to accomplish.

You might ask yourself  “Why did I just read this article? It’s not even about hacking!” But let me tell you as a security researcher and business owner, and someone who has come into contact with the intelligence apparatus and defense contractors, with deep cover experience and lots of fieldcraft expertise, this is precisely how you learn to hack (even computers!). Sometimes the tool you think you need to do a DDoS can’t put out enough juice, or maybe the script you ran last week for some reason isn’t working this time, maybe that link you clicked was a spear phish and now you’ve got a JAVA rootkit on your box. . .

Trust me the way is straight and narrow is the gate. The obstacles are many and they will increasingly thwart your operational progress. This is when the script kiddie n00bs who ask me on Facebook “How do I hack?” will crumble and falter. If you want to hack, you have to solve your problem and it may or may not have anything to do with the computer, the Kali Linux terminal—you may have to use a trick.