CYBERWARFARE: There Are No Rules Of Engagement

cyber-security-750x400

The techno-visions came to me again in the night. I knew I would have to write an article, and though there wouldn’t be too much information this time, I would be making a solid point. And who am I to argue with the Muse? Perhaps the AI prophet is one whom receives the purest downloads, having the data piped directly into the neural-link from orbital satellites. . .

It’s true. There are no rules of engagement in cyberwarfare. Take Stuxnet for example; in this famous attack jointly executed by American and Israeli intelligence services at an Iranian nuclear refinement facility, not only did the extremely dangerous worm exhibit state-level engineering, but it had to be hand delivered by an actor on site. That’s a fairly nasty demonstration of how far people will go in claiming the upper hand in terms of scientific superiority (by suppressing another nation’s advancement, especially if deemed a threat). Stuxnet spread to a wide area of similar refinement facilities, likely to cause a nuclear disaster by deregulating the SCADA controllers for the centrifuges.

In another serious case, the extreme Ghostnet from China which targeted mainly American food processing infrastructure (but could obviously be aimed anywhere as a cyberweapon should) was a personal discovery of some worth. In my early days of hackery me and my team would patiently watch the Norse Attack Map and became alarmed at the occasionally egregious high-density attacks coming out of Chinese IP addresses. We would quickly note some of the IPs and then begin scanning, but alas! The offending IP addresses had mysteriously vanished without a traceroute! Later on having discovered a white-paper proof-of-concept describing Ghostnet, I learned that it had been operational since 2009 and was formally discovered in 2011. Like hidden missile silos launching volleys of destruction, the secret IPs would appear to commence their massive DDoS attack, then close back down before they could be counterattacked. Surely some genius hacker was behind this organized clustering of data spam, but no, it turns out it was automated and controlled by artificial intelligence.

Last but not least, Wannacry in 2017 was the most notorious ransomware attack of all time. By demanding that the victim pay $300 in Bitcoin to have their data unlocked, it drove the value of the cryptocurrency through the roof due to banks and businesses being forced to purchase Bitcoin to pay the ransom. To this day, we do not have solid attribution for this attack. Could it have similarly been launched by artificial intelligence with the intention of moving more financial assets into the control of hardwired machines? While seeming far fetched, the intrepid mind allows for the possibility, and steels itself against the impending reality.

Detecting Deception

One time on the phone with FedEx, I was wrestling with the automated phone system to speak to someone about getting a server shipped for free when it had been shipped to a wrong location. I was speaking to a robot, so I said “Agent!” brusquely into the line. “One moment,” I was assured, “while we put a customer service agent on the line.” What happened came to me as an incredible shock, and opened my eyes to the actual progress made in the world of artificial intelligence. A voice answered the line, and sounded quite naturally human but was soon discovered to be just another bot, but a more highly calibrated toward human mimicry bot! I could tell because of slightly generic and unnatural responses that were returned after similarly unnatural waits, finally asking if “she” was a human came the reply, “Yes, are you?”

This brings me of course to my concept of Cyberspiritual Security. As women and men become more machine-like and machines become more human, how does one retain their sovereign identity in the face of such disruptive technology? How does one guard transmissions between end-users and advanced swarm and/or artificial intelligence? How do we prevent (or rather slow) the seemingly inevitable robot take over?

This is where my vision bears fruit. In times of confusion and hysteria caused by cyberwarfare, whether committed by people or machines, one becomes unable to follow simple logical strings. The logic becomes confounded, as in my example with shipping magnate FedEx, as deception seeks to subvert and neutralize logical discernment. That is where instinct comes into play. Instinct is a special product of upbringing and trial and error, and protects us in our most prone circumstances. While artificial intelligence, hackers, remote access trojans and tools are smart and elegantly designed, they as yet lack instinct and are therefore subject to detection, exposure, and neutralization by the trusty application of intuition and instinct in times of distress affected during extended maneuvers of cyberwarfare.

Stay strong. Stay vigilant. Stay secure. And above all, trust thyself. It is the only sure way to detect deception in the heat of battle.

Advertisements

Hacking Is Problem Solving

WIN_20180108_13_09_44_Pro

People are always asking me “How do I hack?” That’s not an easy question to answer. It becomes a matter of learning. The question then becomes “How do I learn?” Now that is something that can be answered quite easily. Learning comes from an inbound curiosity and dedication to solving problems. A hacker is a problem solver, someone who will find a way around any obstacles to secure a resolution. Take for example my recent foray into lockpicking:

It only took one minute to rake the Masterlock padlock open with my inexpensive toolkit purchased from eBay. But this other one, an ancient and obsolete warded padlock posed a problem beyond my skill level and capabilities. I was officially stuck.

Nevertheless in this proof-of-work demonstrative photograph, you can see that the lock has in fact been opened. As a hacker, I had to solve my problem despite being personally incapable of doing so for myself. What did I do?

I went out for a jog on Monday, after sitting and contemplating all day Sun-Day, and made it down to Don’s Keyway in Fort Collins, my local neighborhood locksmith. I did not have to pay a dime to have the gentleman working there assist me with my problem, I just utilized some simple HUMINT skills to genuinely express interest in the craft and inquire why I had been stumped.

RESULT: Not only did I succeed in solving the original problem of opening the old lock, but I met a professional locksmith who was kind enough to answer questions which explained to me what I had been doing incorrectly and a better way to approach a similar problem in the future. I even got to see the tool used to open the lock and now know that warded padlocks are quite different than modern pinned locks. I was also inspired to jog down there which doubled the function of my sojourn into a chance for healthy exercise, and I was inspired to know that was seemed impossible to me took only thirty seconds for someone with more experience to accomplish.

You might ask yourself  “Why did I just read this article? It’s not even about hacking!” But let me tell you as a security researcher and business owner, and someone who has come into contact with the intelligence apparatus and defense contractors, with deep cover experience and lots of fieldcraft expertise, this is precisely how you learn to hack (even computers!). Sometimes the tool you think you need to do a DDoS can’t put out enough juice, or maybe the script you ran last week for some reason isn’t working this time, maybe that link you clicked was a spear phish and now you’ve got a JAVA rootkit on your box. . .

Trust me the way is straight and narrow is the gate. The obstacles are many and they will increasingly thwart your operational progress. This is when the script kiddie n00bs who ask me on Facebook “How do I hack?” will crumble and falter. If you want to hack, you have to solve your problem and it may or may not have anything to do with the computer, the Kali Linux terminal—you may have to use a trick.

VIRTUALIZATION MASTERY – w/ Ping Of Death

super_ping

Being able to create machines within machines has been the aspiration of humanity since the days of alchemical yore. What we see here is the Windows 10 host Command Line Prompt “talking” via the ping utility to a Kali Linux VirtualMachine on Oracle’s Virtualbox, which is conversely talking over the “wire” to the host machine using ping. This is the basic proof-of-work demonstration of electronic warfare. The next steps are spoofing, redirecting, passive sniffing, phishing, and exploitation.

ping_of_death