I went to download the Opera Mini web browser on my iPod Touch (quick review: nice, fast!) and it made me agree to the new iTunes/App Store terms of service.  Times like this make me glad I don’t have a credit card associated with the iTunes account at the moment:

I’d love to see some statistics on how far people make it before giving up.

 

I’ve been busy this week teaching part of the intro series of courses we have at the National Forensics Training Center, but I still wanted to post a quick update.  I figured I’d share a few interesting things I read this week, and talk a bit about some extracurricular activities going on in our lab tomorrow.

For a couple of weeks now, I’ve been using Instapaper to mark articles and sites to “Read Later”.  The benefit of Instapaper is, with the integration and sync’ing between all the different computers I use and (crucial) my iPod Touch, I actually wind up reading things that I intend to read later, instead of them just getting bookmarked and forgotten.  While I’m on WiFi I can sync them all up to the iPod and read them anywhere, offline, where I don’t have the distractions of grabbing new emails and messages.

Some things I star’d and enjoyed recently:

  • Should I Learn Assembly Language – HD Moore tackles the question of whether or not penetration testers have a need to learn assembly language.  Spoiler: The answer is, essentially: you can get away with not knowing it if you just use the shellcode in Metasploit, but it’s a must if you use public-sourced exploits or just want to understand how the shellcode works (which you should).
  • Network Time Protocol (NTP) Fun – Cool little writeup over at the carnal0wnage blog about a new module in Metasploit that performs some information gathering over NTP.
  • Clueless FUD Article… – In which Steve Manzuik points out that there is a lot more information sharing going on behind the scenes in infosec than you might be aware of (or at least more than the author of a specific DarkReading article is aware of).

Tomorrow afternoon, a group of guys (who have historically done well in past CTF events here at the university) and I will be acting as the red team for a cyber-defense exercise being hosted by the University of Alaska Fairbanks.  They have a nice VMware setup in Fairbanks that all of the teams will be remoting into, and we’re really looking forward to giving the participating universities a hard time.  If you happen to be one of the readers who is local enough to Mississippi State University to drop by for a visit, feel free to come by the forensics lab in Butler Hall tomorrow between 1:30 and 7:30 PM to see how things are going.

 

Well, if you had any feelings that the Electronik Tribulation Army had turned over a new leaf, after declaring themselves to be a whitehat group, disavowing the alleged crimes of their former leader, and opening up their forums for public registration, then it is probably safe to put those feelings to rest.  Old habits die hard.

Since their coming-out, the admin, Xon (pronounced, “Zon”), maintained a private area of the forums so that “trusted” ETA members could “still conduct our operations without everyone in the world seeing it.”  This is, by itself, not unusual.  Many forums have private sections for “elite” or paying members.

What is interesting, however, is that in their move today to new forum software, Xon (pronounced, “Exxon”) neglected to protect those normally private areas of their site, offering normal members a view behind-the-scenes.

Among old posts of pirated software and skiddie tools, is a forum named “Blacklist Watch”, described as “This is where we actually watch people who we know, we hate and we want to watch out for and other stuff to”.  Apparently, I am the only person they know and hate (and want to “other stuff to”), as there is only one thread in that forum: “Robert Wesley McGrew”.

I have archived that post here, as it likely won’t last much longer on the original site.  Note that, due to idiosyncrasies of the new forum, after the first, top post, further posts are in reverse chronological order:

Some highlights to watch for, from the usual crew (XXxxImmortalxxXX, E.T.A. Fixer, Xon (pronounced, “Zone”), et al.):

  • A flattering estimate of my age
  • Me somehow getting burned by Paul Schmehl on FD by being CC’d on an email he responded to
  • XXxxImmortalxxXX calling my wife a fat bitch
  • “Identity: SANS Wesley Mcgrew , Mississippi State University CIPC SCADASUMMIT”
  • Discussion of getting my high school transcripts so they can see how I totally aced a typing course that still involved IBM Selectric typewriters
  • This discussion:
    • E.T.A. Fixer: Nice thread, anyone have a black van?
    • Xon (pronounced “Ex Oh En”): No, but I have a white car…
    • E.T.A. Fixer: How big is the trunk?
    • Xon (pronounced “Zune”): Big enough…. trust me…
    • Backdoor.Armageddon: Hahaha i see where this is going now lmao….
  • Some other Crystal McGrew’s live.com/hotmail.com account!  Fascinating!
  • Apparently, all Mac OS X-using security geeks are homos.
  • The absence of anything that I didn’t willingly put on the Internet
  • The absence of a surprising amount of things that I did willingly put on the Internet

Edit: Xon argues that the timestamps are off from the move to a new forum software (that has been reverted). It’s easy to see, however, that a majority of these posts were made after their “transformation”, as there is information in there that applies to my new hosting, which I switched to on September 8th.

 

I am currently in the process of setting up a new host for mcgrewsecurity.com.  This should be the last post on the old host.  I’m just throwing this on here so that by the time I switch (probably later today) this will already be in folks’ RSS readers to explain any (hopefully minimal) downtime or weirdness.

The look and content is going to stay the same for now, so you won’t have to change feed URLs or links.

Some alternative contact info, in case mail starts bouncing or dropping, or if you just want to see how it’s going:

EDIT: Everything seems to be working fine!

 

If you took a look at the slides for Monday’s lecture (or were there in-person), you might recall that the last slide of content contained quotes from the ETA’s current site on the Internet, eoeta.com. The new leader, “Xon”, has disavowed the actions that led to the previous leader’s arrest, and is very firm in stating that the new ETA is “ethical” and no longer engages in illegal activities.

Registration on their forums has also opened up, and I was surprised that Xon made the goodwill gesture of activating the account I created the night before my lecture. Here’s a direct link to their forum section:

There are still posts on the forums that go back to just after Jesse “GhostExodus” McGraw’s arrest, before the ETA’s attempt to transform into a white-hat organization, so there is some pretty interesting reading there.  Registering an account and having it approved by an admin is required to gain access to the forums, however the process seems to go pretty fast.

Is the Electronik Tribulation Army really a white-hat group now?  While Xon may feel strongly about the transformation, he may find it difficult to bring the members in line for it.  With members like “E.T.A FIXER” (aka DarthAnonymous, TrashBagTeddy, etc.) that continued to troll the comments sections of this site, and scroll insults (and creative ASCII art) in this site’s IRC channel long after the arrest, other ETA members may find it difficult to convince others that they have truly abandoned their blackhat ways.

This is also the first time someone’s made a “motivational” poster about me.  Touching! :

(Credit goes to Fixer.  I did crop the image a bit.  You can find the original in a couple of threads on the ETA forums)

 

This is really all you need to know from Dan Kaminsky’s talk, “Something About Network Security”.  We got first dibs on it at Black Hat USA 2009:

“If only we could find a big enough Care Bear, we could totally ride this pony.”

I’ll have some slightly more useful Black Hat and Defcon posts once it’s over and I can get my notes straight.

 

Poking around on various “hacker” forums, this sort of thing is a common sight:

If I had the stamina and will to maintain a “skiddie clown quote of the day” for any length of time, this would be a prime candidate.  Especially this part:

im sick of being hacked ive done nothing wrong expect steal about 200 passes

Looking at posts like this got me to thinking about this scene’s combination of wanting to learn about “hacking”, inexperience, and the desire to do something immediately “fun” (important point: they want to jump straight to 0wnage, with a minimum of time studying how).  It reminded me of a phenomenon I was seeing on forums like this a while back, where members were becoming aware of the CSIS and SANS US Cyber Challenge competitions:

These challenges are geared towards high school students and undergraduates, and they give them an interesting and competitive outlet for exercising skills that might otherwise be used for more script-kiddie-like endeavors.  In addition, it helps give them motivation to learn new skills, motivation that is missing when you have an entire Internet’s worth of computers out there that have vulnerabilities you already know how to exploit.  In a recent interview with Forbes, the director of SANS, Alan Paller, stated the logic behind this kind of competition well:

“Offense must inform defense,” he says. “We’d like it to be just training defenders, but if they don’t know how attacks are performed, they’ll be incompetent.”

It might work, too.  If the structure of this training (which is still in its infancy) is good, and it’s interesting and challenging enough, then it could be possible to leverage script-kiddie-level skills into something useful.

This might be what some of the people on these forums are looking for.  I’ve already witnessed an entire “hacking group” that normally occupies themselves with web defacement split into teams and sign up for the DC3 forensics challenge.  On another site, I noticed that GhostExodus, before he was arrested, had signed up for the DC3 challenge as well, as had XXxxImmortalxxXX (the guy who bragged to me about GhostExodus’ hacks).

Maybe in the near future, activities like the US Cyber Challenge will get people like this on a productive path before they wind up getting into trouble.

 

I meant to post this a little more than a week ago, but all the GhostExodus stuff sort of bumped this up until now.  If you’re new to the site because of all the recent action, here are the posts that led up to this one:

Core Security are still visiting the site on a daily basis, which is pretty cool.  It looks like they occasionally verify that I’m still ranked higher on google than them for searches for their own party, but they seemed interested in the GhostExodus stuff too.

As a token of appreciation for pointing out their rude and unnecessarily elitist invitation processes, Kimberly Legelis, Core Security’s VP of marketing, sent me a Core Security t-shirt and a Core Security USB sparkly lamp thing:

It was accompanied by a nice handwritten note from Kimberly.  I’m looking forward to dropping by their booth at Black Hat to meet her and the others in-person.

This probably won’t keep me from poking fun at Core Security every once in a while here (especially now that I have them reading this site on a regular basis), but I will feel slightly guilty about it now.  I’ll get over it :) .

 

Previous posts:

  • Part 1 – Criminal Complaint
  • Part 2 – GhostExodus Videos
  • Part 3 – HVAC HMI Screenshots

Note: The language in the videos and quotes on this post has not been censored.  This may be not-safe-for-work, for some definitions of work.

In this post, we’ll take a look at some members of the online community’s reactions to Jesse “GhostExodus” McGraw’s arrest.  It’s not hard to find folks who think it’s a good thing; just look at most of the comments on these posts and other blogs/articles on the Internet.  On the “hacker” forums that I have seen with threads on the topic, the vast majority of members agree that GhostExodus went too far.  Since it’s more interesting to take a look at viewpoints you disagree with, I’m going to focus on the reactions of people who feel that the alleged crimes are not all that serious.

There are a couple of entertaining YouTube videos that summarize this viewpoint.  The first one is from RamHat, who feels strongly enough about my involvement that I think it’s fair to give him some time here to state his case to you:

Quotes:

Don’t forget what this is about. It’s about video-fighting, it’s about debating, making pwnage videos, funny accounts.  It’s about having fun.  It’s not about hacking, and none of you guys can hack anyways…

GHOST is just a wild dude that made some poor choices

We all done stupid stuff before

This guy’s response is actually pretty entertaining towards the end:

Quotes:

I’m behind the whole Free Ghost Exodus Movement

..the type of shit that I heard in the video?  It’s like, that’s retarded.  So you’re saying someone hacked something and then controlled an air conditioning unit?  Was that really going to kill anyone if you turned off an air conditioner, or maybe even turn it lower?

He just wanted to prove that he could do it, because there’s a lot of people on here that talk a lot of B.S. about how they can do this and that

The running theme here is that some people don’t realize how serious of a crime this is.  You just can’t do things like this to prove a point or have fun.

On a different note, we have at least one remaining ETA member rattling sabres.  The following are comments from a couple of news articles:

If the numbers and their rate of change are to be believed, by now there are 10s, or possibly even 5s, of them left.

 

If you haven’t read Part 1 of this story, then you really ought to take a look at it first.  It serves as a good overview, and the criminal complaint filed by the FBI is a good read.

Yesterday afternoon was GhostExodus’ detention hearing.  I’m not very familiar with the process one goes through after being arrested for something like this, so I had to look up what this meant.  I found the following site which, I believe, explains detention hearings well:

(Looks like a cool site beyond this, even.  Kind of a legal equivalent to the blog I run here.)

I was informed yesterday afternoon that the Judge in this case found that there was probable cause to detain Jesse McGraw while the case is pending.

Here are some links to the coverage this is getting.  I’m linking articles that I think my readers would enjoy, especially those where the reporters were thorough enough to contact me personally to get the stories:

The members of the press I’ve talked to on the phone and over IM have been very nice.  There are many more stories than this, you can poke around on Google News if you like, but your best source of technical information for fellow security and control-systems folks is going to be right here, of course :)

Now, time to break out the popcorn.  Here are two of the most interesting videos that were posted to GhostExodus’ YouTube accounts.  It’s my understanding that these videos were played in court yesterday.  After each video, I’ve summarized some points of interest:

  • “Post July 4th” is a strange choice of title here, as it’s before July 4th, and in preparation for the attacks scheduled for the 4th
  • He’s recording this by holding his laptop in front of him (reflections in elevator)
  • Claims to have infiltrated corporate offices, but it’s obviously a medical facility
  • Watch for medical charts and such on the walls when he sits down
  • Appears to be the collar of a security guard uniform peeking out of the top of the hoodie
  • The FBI identified this computer at the clinic by the toy flamingo on top of the monitor

  • This was recorded at a desk at the hospital where McGraw was a security guard.
  • I thought about buying one of those camera pens until I saw this.  Not inconspicuous.
  • Showing off your fake FBI credentials on youtube isn’t very smart.

I will continue this series with more posts, discussing the HVAC compromise, how I came to be aware of it, and the techniques I used to gather information on the suspect.  Still pooped from talking to so many people about this, but I’m enjoying spreading the gospel of control-systems security ;)

© 2012 McGrew Security Suffusion theme by Sayontan Sinha