Entries Tagged “disguise”
Page 1 of 2
There's an interesting article on a data exfiltration technique.
What was unique about the attackers was how they disguised traffic between the malware and command-and-control servers using Google Developers and the public Domain Name System (DNS) service of Hurricane Electric, based in Fremont, Calif.
In both cases, the services were used as a kind of switching station to redirect traffic that appeared to be headed toward legitimate domains, such as adobe.com, update.adobe.com, and outlook.com.
The malware disguised its traffic by including forged HTTP headers of legitimate domains. FireEye identified 21 legitimate domain names used by the attackers.
In addition, the attackers signed the Kaba malware with a legitimate certificate from a group listed as the "Police Mutual Aid Association" and with an expired certificate from an organization called "MOCOMSYS INC."
In the case of Google Developers, the attackers used the service to host code that decoded the malware traffic to determine the IP address of the real destination and redirect the traffic to that location.
Google Developers, formerly called Google Code, is the search engine's website for software development tools, APIs, and documentation on working with Google developer products. Developers can also use the site to share code.
With Hurricane Electric, the attacker took advantage of the fact that its domain name servers were configured, so anyone could register for a free account with the company's hosted DNS service.
The service allowed anyone to register a DNS zone, which is a distinct, contiguous portion of the domain name space in the DNS. The registrant could then create A records for the zone and point them to any IP address.
Honestly, this looks like a government exfiltration technique, although it could be evidence that the criminals are getting even more sophisticated.
To prevent the Tor traffic from being recognized by anyone analyzing the network flow, SkypeMorph uses what's known as traffic shaping to convert Tor packets into User Datagram Protocol packets, as used by Skype. The traffic shaping also mimics the sizes and timings of packets produced by normal Skype video conversations. As a result, outsiders observing the traffic between the end user and the bridge see data that looks identical to a Skype video conversation.
The SkypeMorph developers chose Skype because the software is widely used throughout the world, making it hard for governments to block it without arousing widespread criticism. The developers picked the VoIP client's video functions because its flow of packets more closely resembles Tor traffic. Voice communications, by contrast, show long pauses in transmissions, as one party speaks and the other listens.
They're causing problems:
A white bank robber in Ohio recently used a "hyper-realistic" mask manufactured by a small Van Nuys company to disguise himself as a black man, prompting police there to mistakenly arrest an African American man for the crimes.
In October, a 20-year-old Chinese man who wanted asylum in Canada used one of the same company's masks to transform himself into an elderly white man and slip past airport security in Hong Kong.
Authorities are even starting to think that the so-called Geezer Bandit, a Southern California bank robber believed for months to be an old man, might actually be a younger guy wearing one of the disguises made by SPFXMasks.
News coverage of the incidents has pumped up demand for the masks, which run from $600 to $1,200, according to company owner Rusty Slusser. But he says he's not happy about it.
Slusser opened SPFXMasks in 2003. His six-person crew uses silicone that looks and feels like flesh, down to the pores. Each strand of hair and it's human hair is sewn on individually. Artists methodically paint the masks to create realistic skin tones.
"I wanted to make something that looks so real that when you go out for Halloween no one can tell," Slusser said. "It's like 'Mission: Impossible' you pull it over your head one time and that's it. It's like a 10-hour makeup job in 10 seconds."
He experimented until he found the right recipe for silicone that would seem like skin. A key discovery was that if the inside of the mask is smooth even if the outside is bumpy with pores, a nose and other features it will stretch over most faces and move with facial muscles.
It's kind of an amazing story. A young Asian man used a rubber mask to disguise himself as an old Caucasian man and, with a passport photo that matched his disguise, got through all customs and airport security checks and onto a plane to Canada.
The fact that this sort of thing happens occasionally doesn't surprise me. It's human nature that we miss this sort of thing. I wrote about it in Beyond Fear (pages 153–4):
No matter how much training they get, airport screeners routinely miss guns and knives packed in carry-on luggage. In part, that's the result of human beings having developed the evolutionary survival skill of pattern matching: the ability to pick out patterns from masses of random visual data. Is that a ripe fruit on that tree? Is that a lion stalking quietly through the grass? We are so good at this that we see patterns in anything, even if they're not really there: faces in inkblots, images in clouds, and trends in graphs of random data. Generating false positives helped us stay alive; maybe that wasn't a lion that your ancestor saw, but it was better to be safe than sorry. Unfortunately, that survival skill also has a failure mode. As talented as we are at detecting patterns in random data, we are equally terrible at detecting exceptions in uniform data. The quality-control inspector at Spacely Sprockets, staring at a production line filled with identical sprockets looking for the one that is different, can't do it. The brain quickly concludes that all the sprockets are the same, so there's no point paying attention. Each new sprocket confirms the pattern. By the time an anomalous sprocket rolls off the assembly line, the brain simply doesn't notice it. This psychological problem has been identified in inspectors of all kinds; people can't remain alert to rare events, so they slip by.
A customs officer spends hours looking at people and comparing their faces with their passport photos. They do it on autopilot. Will they catch someone in a rubber mask that looks like their passport photo? Probably, but certainly not all the time.
Yes, this is a security risk, but it's not a big one. Because while -- occasionally -- a gun can slip through a metal detector or a masked man can slip through customs, it doesn't happen reliably. So the bad guys can't build a plot around it.
One last point: the young man in the old-man mask was captured by Canadian police. His fellow passengers noticed him. So in the end, his plot failed. Security didn't fail, although a bunch of pieces of it did.
EDITED TO ADD (11/10): Comment (from below) about what actually happened.
The January 19th assassination of Mahmoud al-Mabhouh reads like a very professional operation:
Security footage of the killers' movements during the afternoon, released by police in Dubai yesterday, underlines the professionalism of the operation. The group switched hotels several times and wore disguises including false beards and wigs, while surveillance teams rotated in pairs through the hotel lobby, never hanging around for too long and paying for everything in cash.
Folliard and another member of the party carrying an Irish passport in the name of Kevin Daveron were operating as spotters on the second floor of the hotel when the murder was committed. Both switched hotels that afternoon and dressed smartly to pose as hotel staff. The bald Daveron donned a dark wig and glasses, while Folliard appears to have removed a blonde wig to reveal dark hair.
Throughout the operation, none of the suspects made a direct call to any another. However, Dubai police traced a high volume of calls and text messages between three phones carried by the assassins and four numbers in Austria where a command centre had apparently been established.
To co-ordinate their movements on the ground, the team used discreet, sophisticated short-range communication devices as they tracked their victim.
The Dubai authorities claim there were two teams: one carried out surveillance of the target, while the other—which appears to be a group of younger men, at least as far as the camera shots show—carried out the killing.
Contrary to reports, the squad did not break into Mabhouh's hotel room, nor did they knock on the door. They entered the room using copies of keys they had somehow acquired.
Read the whole thing -- and watch (in three parts) this video compilation of all the CCTV cameras in the hotels and airprort. It's impressive. And the professionalism leads pretty much everyone to suspect Mossad.
There are a few things I wonder about. The team didn't know what hotel Mabhouh would be staying in, nor whether he would be alone or with others. The team also didn't use any guns. How much of the operation was preplanned, and how much was created on the fly? Was that why there were so many people involved?
The team booked the hotel room directly across the hallway from Mabhouh. That seems like the part of the plan most likely to arouse suspicion. It's unusual to reserve a particular room, and not unreasonable to think that the hotel desk staff might wonder who else is booked nearby.
How did they get into Mabhouh's hotel room. The video shows evidence of them trying to reprogram the door. Given that they didn't know the hotel until they got there, what kind of general hotel-key reprogramming devices do they have?
I wonder if any of those fake passports had RFID chips?
Dubai's police chief said six of the suspects had British passports, three were Irish, one French and one German.
The passports are believed to be fakes.
And Mabhouh was discovered in his room, the door locked and barred from the inside. Is it really that easy to do that to a hotel room door?
Note: Please limit comments to the security considerations and lessons of the assassination, and steer clear of the politics.
EDITED TO ADD (2/19): Interesting analysis:
Investigators believe the assassins tried to reprogram the electronic lock on al-Mabhouh’s door to gain entry. Some news reports say the assassins entered the room while the victim was out and waited for him to return, while others say they were thwarted from entering the room when a hotel guest stepped off the elevator on al-Mabhouh's floor. They then had to resort to tricking al-Mabhouh into opening his door to them after he returned.
He said the number of people involved in the operation indicates that it may have been put together in a rush.
"The less time you have to plan and carry out an operation, the more people you need to carry it out [on the ground]," he said. "The more time you have to plan . . . there's a lot of things you eliminate."
If you know that you can stop the elevator in the basement, for example, you don't then need people guarding the elevator lobby on the victim's floor to make sure no one steps off the elevator, he said.
He says it was likely that the Mossad's second in command for operations was in the hotel or the area when the assassination took place and has gone unnoticed by the Dubai authorities.
Ostrovsky said although the operatives scattered to various parts of the world after the operation was completed, he believes they're all back in Israel now. He says other countries are likely sifting through their airport surveillance tapes now to track the final destination of the team members.
He added that the Mossad was likely surprised by how the Dubai authorities pieced everything together so well and publicized the video and passport photos of the suspects.
Ostrovsky said that despite the Dubai operation's success, it was amateurish at moments. He points to the bad disguises the suspects used -- wigs, glasses and moustaches -- and the fact that suspects seemed changed their disguises in the same place. He also points to two of the suspects who followed the victim to his hotel room while dressed in tennis outfits and didn't seem to know what they were doing.
The two seemed to confer momentarily while the victim exited the elevator, as if deciding who would follow the victim to his room. A hotel employee accompanying the victim to his room even glanced back at the two, as if noticing their confusion.
"A lot of people in the field make those mistakes and they never come up because they’re never [caught on tape]," he said.
This is a 2 Gig USB drive disguised as a piece of frayed cable. You'll still want to encrypt it, of course, but it is likely to be missed if your bags are searched at customs, the police raid your house, or you lose it.
In California, if you want to buy a police uniform, you'll need to prove you're a policeman:
Assembly Bill 1448 by Assemblyman Roger Niello, R-Fair Oaks, makes it a misdemeanor punishable by up to a $1,000 fine for vendors who do not verify the identification of those purchasing law enforcement uniforms. Previous law made it illegal to impersonate police but did not require an ID check at the point of purchase. The measure takes effect Jan. 1.
Niello said AB 1448 is necessary because many law enforcement agencies require officers to purchase uniforms through outside retailers rather than their own departments.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.