No Russians Need Apply

Corrupt Reporter and Former IC Official

On October 19, 2020 in a document entitled “Public Statement on the Hunter Biden Emails”, more than 50 former US intel officials signed a public letter saying they believe the Hunter Biden story has ‘all the classic earmarks of a Russian information operation’.

They stated:

“Our view that the Russians are involved in the Hunter Biden email issue is consistent with two
other significant data points as well. According to the Washington Post, citing four sources,
“U.S. intelligence agencies warned the White House last year that Giuliani was the target of an
influence operation by Russian intelligence.”

This letter is a textbook example of what is wrong with many of our former intelligence officers. On the professional front, they are incompetent, they exhibit poor analysis and reporting tradecraft, and they show exceedingly poor technical skill. These individuals should never have worked in intelligence in the first place. Morally, they are completely bankrupt. Public statements like that subvert the truth and are meant to deceive the public.

As Larry Johnson wrote:

“Their inability to grasp basic facts and engage in simple reasoning perhaps explains why the Obama team abandoned American military and intelligence officials at Benghazi in September 2012 and why they considered ISIS as “a junior varsity” team.”

No, dear former intelligence officers, it wasn’t the imaginary Russians again! The repair shop that handled Hunter Biden’s equipment is confirmed to have received the three damaged laptops from Hunter Biden himself. 

He signed on the work order, came back 2 days after the initial visit and picked up two of the three laptops, and on the second visit he dropped off a data recovery USB drive for the third laptop. All the data circulating currently in the news is sourced to the third machine which he legally abandoned.

His signature on the work order and on several other corporate documents including Burisma resolutions, credit cards, payment records, CEFC contracts, and other official documents all show a >95% match on his verified signature.

Signature validation
Image 1: Hunter Biden’s verified signature on the equipment repair work order

References and Sources
50 former intelligence officials warn NY Post story sounds like Russian disinformation – The Hill
Hunter Biden story is Russian disinfo, dozens of former intel officials say – Politico
Justine Coleman from The Hill is a Manipulative Media Hack

Copyright 2020 Yaacov Apelbaum, All Rights Reserved.

Oops He Did it Again

Steve Scully Stolen Twitter Cookies

Evaluating Steve Scully’s Twitter melodrama and hacking claim, one can’t but recall the immortal words of the 4th century Roman poet Brittania Spearus. In her lyric masterpiece “Oops!…I Did It Again” she wrote:

Yeah yeah yeah yeah yeah
Yeah yeah yeah yeah yeah yeah

You see my problem is this
I’m dreaming away
Wishing that heroes, they truly exist
I cry, watching the days
Can’t you see I’m a fool in so many ways
But to lose all my senses
That is just so typically me
Oh baby, oh

Yes, it does seem that life imitates art and Scully, just as in the poem, suffers from multiple reoccurring problems. Beyond his chronic narcissism and pathological dishonesty, he:

  1. Doesn’t understand the fine nuances of Twitter’s DMs vs. public posts
  2. Has an established pattern of posting inflammatory content and then attributing it to hackers
  3. Fails to grasp even the basics of what hacking is and how it’s done
  4. Doesn’t understand that each tweet is traceable to the device posting it: the device’s IP address, its carrier, its MAC address, its IMEI and MEID numbers, and its phone number

Steve Scully Narcissus
Image 1: Typical social media comments on Steve Scully’s postings: “What are you eating? You’re looking younger by the minute.”, “He doesn’t age.”, “Looking sharp”, “You’re so handsome.”, “Dorian Gray!”

Scully’s assertion that his Twitter account was hacked doesn’t jibe with any of the evidence. For someone else to have tweeted from his phone would have been exceedingly difficult because such an exploit would have kicked him off his device and he’d likely notice it. Furthermore, to hack his phone and control it remotely would require significant resources, skills, and risk, and it would be easy to trace. The attacker would first have to bypass the device login security, gain full interactive control over the phone, launch the Twitter app, log in, compose the message, and tweet it.

Why go through all of this trouble when it’s faster/safer to just post the tweet from the alleged attacker’s own device? In typical phone hacks, the attackers look to conduct surveillance on the device (voice/video) and/or retrieve files and information such as an address book, images, and texts. Hence, a hacker taking over Scully’s device for the sole purpose of an ‘ambiguous’ tweet is by far the poorest return on hacking investment in recorded history. 

Steve Scully false hacking claim
Image 2: Steve Scully’s ongoing 8 year Twitter hacking victim melodrama

Scully’s past pattern of behavior is consistent with a few other Twitter ‘work accidents’ and his excuses of having been hacked. Twice before, in 2012 and 2013, Scully claimed that his Twitter account was broken into; each incident occurred after he posted ‘regrettable’ tweets.

The fact that he deleted his Twitter account, then reactivated it, then went private, then deleted the post in question are also strong indicators that Scully is, as Brittania Spearus observed in her poem, “a fool in so many ways”.

If Scully really wanted to, he could quickly put this debate to rest by asking Twitter to publish the event logs for his account activity. But he won’t, because these logs will unequivocally show that the source IP addresses, device type, and date/time of the logins to his Twitter account matched his iPhone. The cell phone logs, in turn, will further validate that he was using his iPhone before, during, and after the post was tweeted.

For those who are still trying to figure out if Scully is an unbiased reporter, a quick examination of his linkages shows that he is connected professionally and socially to a large number of hard core anti-Trumpers. One such friend is Mark Zaid, the attorney for Eric Ciaramella from the Ukrainian impeachment drama.

References and Sources
XRVision Sentinel AI Platform – Face recognition, image reconstruction, and object classification

*** Update 10/15/2020 ***

C-SPAN’s Scully on leave admitting lying about Trump tweet, Twitter account being hacked

Scully said:

“…Out of frustration, I sent a brief tweet addressed to Anthony Scaramucci. The next morning when I saw that this tweet had created a controversy, I falsely claimed that my Twitter account had been hacked. These were both errors in judgment for which I am totally responsible. I apologize,”

Copyright 2020 Yaacov Apelbaum, All Rights Reserved.

The Maginot Line of Cyber Security

Hype Hope

Hacking and exploit techniques evolve every minute; this is frequently demonstrated through the formulaic news headline of ‘X got hacked, resulting in the disclosure of Y accounts’. As is evident from Table 1 and Charts 1-2 below, getting hacked can affect all market verticals: both small and large companies, the military, law enforcement, and the government. No one is immune.



| Organization | # Accounts | What was Breached |
|---|---|---|
| | 360 million | User account records, email addresses, usernames, and passwords |
| TJX Companies | 90 million | Driver’s license numbers, credit and debit card numbers, names, and addresses. One of the biggest thefts of consumer data in the United States, affecting the parent company of several major retail brands, including Marshalls, T.J. Maxx and Home Goods |
| National Archive & Records Administration | 76 million | Names, contact information, and Social Security numbers of U.S. military veterans |
| Heartland Payment Systems | 130 million | User account and credit and debit card details |
| Lincoln National Financial Securities | 1.2 million | User account database including user names and passwords |
| Sony online entertainment services | 102 million | US user login credentials, names, addresses, phone numbers, and email addresses; the credit-card data of approximately 23,400 SOE European users |
| Epsilon Marketing | 250 million | Email addresses of customers of major retailers, banks, hotels and other companies including Best Buy, JPMorgan Chase, Capital One Bank and Verizon |
| | 165 million | Passwords, user names, account details |
| | 68 million | User IDs and passwords |
| | 3.5 billion | Names, dates of birth, email addresses, security questions and answers, and passwords |
| | 110 million | Contact information, full names, physical addresses, email addresses, telephone numbers, credit and debit card numbers |
| | 65 million | User ID, passwords, and email addresses |
| | 50 million | Email addresses, usernames and passwords |
| LivingSocial (an Amazon Company) | 50 million | Names, email addresses, birth dates, and passwords |
| Sony Pictures Entertainment | > 45K | Social Security numbers and scanned passports belonging to actors and executives, internal passwords, unpublished scripts, marketing plans, financial and legal information and 4 unreleased Sony movies, affecting the company’s 6,800 employees plus an estimated 40,000 other individuals the company had paid over previous years. Rival Hollywood studios got a detailed blueprint of Sony Pictures’ accounts, future plans and internal workings |
| Home Depot | 56 million | Customer credit and debit cards |
| | 98 million | Email addresses, user details, and passwords, which had all been stored in plaintext |
| Anthem (formerly WellPoint) | 80 million | Entire customer database including names, addresses, dates of birth, Social Security numbers, and employment histories |
| The FriendFinder network, comprising Adult FriendFinder,,, and | 412 million | Entire user database, including names, addresses, email addresses, and phone numbers. This was a similar breach to that which affected the “Have an Affair” Ashley Madison dating service in 2015 |
| | 117 million | The 2012 breach, only discovered in 2016. Names, emails, passwords, complete user professional profiles |
| | 145 million | Names, Social Security numbers, birth dates, street addresses and, in some instances, driver’s license numbers |
| Marriott/Starwood Hotels | 500 million | Names, mailing addresses, email addresses, credit-card information, dates of birth, passport numbers, and Starwood Preferred Guest accounts |
| Capital One 2019 | 106 million | Credit card applications from consumers and small businesses, credit score, SS numbers, names, addresses, ZIP codes, phone numbers, email addresses, birthdates and self-reported income |
| Evite 2019 | 100 million | Names, email addresses, passwords, and IP addresses |
| American Medical Collection Agency 2019 | 20 million | Social Security numbers, dates of birth, payment card data, and credit card information |

Table 1: Sampling of successful cyber attacks and the resulting data breaches from 2006-2019

Increasing number of data breaches
Chart 1: Data breaches by vertical. Source: Jefferies, Identity Theft Resources Centre

Cyber Attack Incidents Reported by Federal Agencies
Chart 2: Incidents of cyber attacks against the Federal government. Source: GAO analysis of the US Computer Emergency Readiness Team and Office of Management and Budget

The paradoxical end result of these data breaches is that every year organizations increase their cyber security budget without any assurances that the expenditure will yield a return on the investment. To an outsider, this ritual must appear similar to the practice of throwing a virgin into a volcano in the hopes of quieting its rumbling. It seems that information security, as opposed to other types of technology spending, is just a budgetary black hole.

So why is it so difficult to prevent or even slow down cyber attacks? I think that it boils down to these two reasons:

  1. Lack of executive and BOD accountability and legal consequences for a data breach
  2. Use of outdated cyber defense models like concentric fortress security

Point 1 is a regulatory issue that should be addressed through legislative channels, so I’m not going to elaborate on it here. My take on this problem is that if legal enforcement worked properly, then it is likely that the first CISO that gets handed a hefty prison sentence for negligence, would also be the last CISO to allow his company to get hacked (the same also applies to the rest of the C officers and the BOD). 

As far as point 2, the problem is a little more complex, but also easier to remedy. The issue with outdated static fortress models is that they over-abstract military practices that were developed and honed over thousands of years for a specific set of war scenarios and contort them to fit our virtual information security needs. This includes embracing a defensive concept that utilizes multiple concentric, overlapping, sequential layers of protection akin to a moat, a drawbridge, a portcullis, a guardhouse, bastion walls, guard towers, ramparts, a keep, a treasury, and a well-trained, armed, loyal garrison.

InfoSec Fortress Metaphor
Image 1: Information security R&R and the traditional fortress and sentry analogy

A fortress is an intuitive analogy for the enterprise, but it is an overly hyped and misleading one. Beyond a few shared objectives such as perimeter security, surveillance, and physical access to a facility, cyber defense has little in common with traditional military fortifications. This is because information security deals with virtual threats, and its attack vectors have few equivalents in the physical world (see Table 2).


| Contemporary Assets & Threats | Traditional Assets & Threats |
|---|---|
| Contraband (weapons, alcohol, drugs, etc.) | Contraband (mostly weapons) |
| Unauthorized individuals | Unauthorized individuals |
| Infrastructure (power, water, Telco, etc.) | Water and food storage |
| Malware and Ransomware | |
| Financial data | |
| Intellectual property and trade secrets | |
| Computing, network, and storage resources | |
| Insider and trade information | |
| Strategic plans such as M&A | |
| Litigation information | |
| Customer and partner data | |
| PII (i.e. SS, DOB, driver license, address) | |
| R&D plans | |
| Medical and genetic data | |
| Biometric data | |
| Opposition and political research | |
| Business operations data | |
| Credentials and authentication data | |
| Credit card, PIN, and chip data | |
| Account details | |
| Patient information | |
| Banking and financial data | |
| Classified military, defense, and intelligence data | |
| Academic information | |
| Insurance and claims information | |
| HR, compensation, and employee data | |
| Financial donor information | |
| Public health and safety information | |

Table 2: Threats and targets in the contemporary enterprise vs. the legacy fortress

Traditionally, fortresses were besieged and breached via one or a combination of these 7 methods:

  1. Scaling the walls (with assault ladder or a movable tower)
  2. Punching through the walls (with a battering ram, trebuchet, or cannon)
  3. Entering surreptitiously or Trojan style
  4. Bringing the wall down by digging a tunnel underneath and setting the shoring timber on fire
  5. Inflicting damage on the fort structure and on the inhabitants via catapults or other projectiles
  6. Spreading disease by catapulting infected animals or bodies into the fortress
  7. Stopping the food and water supply (or poisoning it), and using psychological warfare against the inhabitants

This same doctrine that made massive layered fortifications synonymous with impregnability was used by France in the Maginot Line and proved to be a huge tactical and strategic disaster. Between 1929 and 1936 the French built a massive line of concrete and steel forts and tunnels along the German border with France between Switzerland and Luxembourg. It was constructed to defend France from any future WWI style attacks from Germany. So instead of attacking the heavy fortifications, the Germans simply went around them and invaded France through Belgium, exactly as they had done in 1914.

All the motorized artillery turrets, tank traps, bunkers, periscopes, and other gimmicks designed to impede the advance of the German army turned out to be useless when a million soldiers and 1,500 tanks led by Guderian and Rommel flanked this supposedly impenetrable chain of forts and blitzkrieged their way to some renowned Parisian fine dining and cabaret entertainment.

The Maginot Line / The Maginot Line-2 / German soldiers attend a nightclub cabaret
Image 2: The Maginot Line fortress system and some Parisian cabaret entertainment

Today, many of the leading cyber security vendors continue to sell the same fortification concept using flowery language such as “impregnable defense” or “defense in-depth” or “multitier lines of defense”. The promise of all of these protective marvels is that increasing the number of your defensive lines is guaranteed to shield your enterprise from threats and the latest cyber attack.

Fortify Your Castle Q2
Image 3: The Multi-Layered Security Fortress – Source Digital banking software Q2

Legal Workspace Castle
Image 4: The Data Fortress – Source Legal Workspace

A Dynamic Threat Theater
The cyber threat landscape evolves daily, but the enterprise defensive architecture continues to rely on countering ancient siege techniques. The hacker skill set and the resources needed to penetrate a high-value target no longer require highly specialized expertise, lengthy planning, or expensive zero-day exploits. A simple phishing technique can now do the job just as effectively.

The prevalence of social media platforms in our daily lives and their use as line-of-business applications (i.e. LinkedIn for HR and recruiting), enables attackers to quickly conduct reconnaissance and exploit their targets directly and in real-time. The use of personal devices in the workplace provides payload delivery vectors and allows the attacker to use them to bypass external facing security measures like firewalls and pivot to the internal network. The use of Bluetooth to connect mobile devices allows an attacker to collect the contents of address books and capture phone conversations. Free Public Wi-Fi offers ample opportunities for attackers to collect credentials from corporate users while they are commuting to work or are off-site, and a glut of mobile apps provides an endless source for spyware and malware distribution channels. 

Yes, democratization has finally reached Hackerdom. These days, you don’t even need to write your own malware; you can just download a free fully functional phishing kit from various depositories, customize it, and launch your campaign in minutes. All this gives an attacker the ability to cruise into the enterprise with relative ease, completely bypassing all of the layered security controls en route. 

Behold! The Adaptive Secure Architecture For the Enterprise (SAFE)
The majority of the current cybersecurity models are still based on the erroneous game-theory arms race assumption that continuously bulking up your defensive elements (like upgrading to an ASA device or endpoint security client) will stop an intruder. The concept is not dissimilar to using the club to secure a Lamborghini. However, these models incorrectly rely on idealized assumptions about the decision making process of the attacker and their ability to find and exploit the endless number of vulnerabilities in your enterprise.

The traditional approach of adding additional security strata to the already tangled web of unmanageable layers is unruly and unsustainable. If you are still not convinced, the root cause analysis of the breaches in Table 1 shows that all of the platforms breached had up-to-date antimalware, segmented networks, rule-based access control, multi-factor authentication, firewalls, IDPS, etc. The hacking statistics clearly demonstrate just how ineffective these defensive strategies are against Advanced Persistent Threats.

Thunderbolt and Lightning Very, Very Frightening
So, instead of succumbing to more security by fear and continuing to throw more good money after bad into the security furnace, I propose an alternative to the static fortress defense doctrine. This concept is based on adaptive security. It relies on continuous monitoring, active threat quantification and assessment, traffic anomaly detection, response prioritization, and real-time remediation. I call this design reference the Secure Architecture For the Enterprise (SAFE) framework.

At the heart of the SAFE framework is the assumption that the security of the enterprise can never be up to par and that most organizations can’t afford the latest and greatest in cyber security services. The model also accounts for all of the typical IT and InfoSec vices, sins, and transgressions found in your day to day workplace such as weak and reused passwords, usage of personal devices at work, unpatched systems, buggy software, etc.

The SAFE framework doesn’t focus on traditional defensive elements like malware protection; rather, it leverages real-time AI-based monitoring, a decision support system, and autonomous identification of risky areas requiring immediate attention. At a high level, the SAFE framework is comprised of a real-time BI dashboard that analyzes and reports patterns of inbound and outbound traffic for your systems and users. This dashboard, in turn, is powered by real-time RBE, CEP, and a BigData engine that detects and flags anomalies on your network (such as uncharacteristic use of encrypted traffic). The decision support system (DSS) integrates feeds from various internal IT systems such as patching, upgrades, VPN logs, firewall logs, event logs, etc. to give you current situational awareness of your security posture. The DSS then uses an expert system to flag and prioritize remediation actions as they apply to the various vulnerabilities or exploits in progress.

When building a security solution using the SAFE framework, you don’t have to fix/upgrade/sunset all of your systems at once. You can instead rationalize your security priorities and concentrate on the areas with the highest risk of attack. The good news about using the SAFE framework is that you don’t have to spend a fortune on over-hyped proprietary protection services or commit to one vendor or another. You can easily build your security architecture with a relatively small in-house team using mostly COTS and open source components.

Due to the modular and loosely coupled nature of the SAFE framework, you don’t even have to own all of the inventory of the building blocks. You can start small and expand over time. This approach also allows you to customize your solution to your industry vertical and business needs. Finally, because the SAFE model uses concepts from the software development life cycle (SDLC) such as iterative development, feature prioritization, bug tracking, etc., it allows you to prioritize and gradually adapt and move iteratively between the 10 elements that comprise the framework.

SAFE Enterprise Model

Image 5: The SAFE life cycle security model focuses on the evolving threat matrix

Cyber attacks don’t just mysteriously materialize out of thin air; they follow a specific life cycle of reconnaissance, planning, vulnerability assessment, exploit, and post exploit steps. Far from being helpless, we can intercept and circumvent most of these attacks during any of those steps. Integrating the concept of a cybersecurity kill chain into the SAFE model could even further enhance your ability to prevent, disrupt, or stop any attack on your enterprise in near real-time.
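As an added example (not from the post and not any SAFE product's code), the following Python sketch implements the monitoring, anomaly-flagging and prioritization loop described above on constructed flow records: a per-host baseline of encrypted outbound traffic, a flag when today's volume is far outside that baseline, and ranking of the alerts by asset criticality so the decision-support step remediates the riskiest host first. The host names, flows, the set of "encrypted" ports and the criticality tiers are all assumptions.

```python
"""Minimal SAFE-style monitor: baseline, anomaly flag, criticality-ranked alerts.
All hosts, flows, ports and criticality tiers below are constructed sample data."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

ENCRYPTED_PORTS = {443, 22}   # assumption: TLS and SSH count as encrypted channels
Z_THRESHOLD = 3.0             # flag when today's volume is > 3 sigma above the host's baseline


@dataclass(frozen=True)
class Flow:
    day: int        # observation day (0..6 = baseline week, 7 = today)
    src: str        # internal host name
    dst_port: int
    kb_out: int     # kilobytes sent outbound


@dataclass(frozen=True)
class Alert:
    host: str
    observed_kb: int
    expected_kb: float
    zscore: float
    criticality: int


# Constructed asset register: 3 = crown jewel, 2 = handles PII, 1 = ordinary workstation
CRITICALITY = {"fin-db-01": 3, "hr-laptop-07": 2, "dev-ws-12": 1}

# Constructed baseline week of HTTPS traffic per host (KB per day)
BASELINE_KB = {
    "hr-laptop-07": [100, 110, 90, 105, 95, 100, 100],
    "fin-db-01":    [20, 20, 20, 20, 20, 20, 20],
    "dev-ws-12":    [500, 520, 480, 510, 490, 500, 500],
}
FLOWS = [Flow(day, host, 443, kb)
         for host, kbs in BASELINE_KB.items() for day, kb in enumerate(kbs)]
# Constructed "today": several flows per host, to exercise per-day aggregation
FLOWS += [
    Flow(7, "hr-laptop-07", 443, 100), Flow(7, "hr-laptop-07", 443, 60),   # 160 KB in total
    Flow(7, "fin-db-01", 443, 1500), Flow(7, "fin-db-01", 22, 500),        # 2000 KB over two encrypted channels
    Flow(7, "dev-ws-12", 443, 540),                                        # within its normal range
    Flow(7, "dev-ws-12", 80, 9000),                                        # plaintext HTTP, not part of the encrypted baseline
]


def encrypted_totals(flows: list[Flow]) -> dict[str, dict[int, int]]:
    """Sum encrypted outbound KB per host per day."""
    totals: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.dst_port in ENCRYPTED_PORTS:
            totals[f.src][f.day] += f.kb_out
    return totals


def baseline(history: list[int]) -> tuple[float, float]:
    """Mean and sigma of a host's past days. A floor of 10% of the mean keeps a
    perfectly flat baseline (sigma 0) from turning every small change into an alert."""
    mu = mean(history)
    sigma = max(pstdev(history), 0.1 * mu)
    return mu, sigma


def detect(flows: list[Flow], today: int, threshold: float = Z_THRESHOLD) -> list[Alert]:
    """Alerts for hosts whose encrypted volume today exceeds the threshold,
    ranked by asset criticality first and by size of the deviation second."""
    alerts = []
    for host, per_day in encrypted_totals(flows).items():
        history = [kb for day, kb in per_day.items() if day < today]
        if not history:
            continue                       # new host: nothing to compare against yet
        mu, sigma = baseline(history)
        observed = per_day.get(today, 0)
        z = round((observed - mu) / sigma, 2)
        if z > threshold:
            alerts.append(Alert(host, observed, mu, z, CRITICALITY.get(host, 1)))
    return sorted(alerts, key=lambda a: (a.criticality, a.zscore), reverse=True)


if __name__ == "__main__":
    for a in detect(FLOWS, today=7):
        print(f"{a.host:13s} crit={a.criticality} observed={a.observed_kb} KB "
              f"expected~{a.expected_kb:.0f} KB z={a.zscore}")
```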

© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

The LinkedIn Real-time Messaging Phish of 2019

The LinkedIn Gangsters

A few days ago I received an invite from an old colleague over the LinkedIn messaging service, the message read:

“Hi, I have attached a document for our new business financial proposal for your review. Access the proposal through the extension below and get back to me at your earliest convenience.

Coming from a 1st degree connection made this look like a legitimate communication. But I hadn’t been in touch with my friend for a while or discussed any business with him recently, so this seemed a bit odd.

I texted him back via LinkedIn to verify that he indeed sent it. To my surprise, he responded in real-time with a confirmation. When I asked him if it was intended for me, he again confirmed it via the messenger application (Image 1).

LinkedIn RT Message Phish
Image 1: LinkedIn texting session

By all phishing standards, this one takes the cake. The attacker was actually conducting his exploit in real-time using my colleague’s compromised LinkedIn account. This was alarming because (1) the relatively high degree of trust that exists between you and your 1st degree professional network opens the door to a wide range of trust based attacks and (2) the real-time text messaging helped validate that the person that I was talking to was indeed the sender.

I switched to a sandboxed machine, clicked on the link, and went down the rabbit hole…

LinkedIn Link to OneDrive PDF
Image 2: Link from texting session to a OneDrive hosted PDF with a secondary login required to “View Message Folder”

The link to the business proposal routed to a PDF file that was hosted on a publicly accessible Microsoft OneDrive folder (Image 2).

The PDF metadata indicated that it was created recently and dynamically using Office365 MS Word. The file name was based on my colleague’s LinkedIn profile, and the subject of the proposal was also related to his line of work. The author name of the PDF document had the wishful name “Incoming Wire”.

LinkedIn Phish PDF Metadata
Image 3: The phishing PDF metadata

In order to “Continue reading your messages from OneDrive for Business”, I had to click on a second link titled “VIEW MESSAGE FOLDER”.  

The second link routed to the URL: ””. This appeared to be a general access portal that aggregated different email systems and allowed the user to select their email provider of choice in order to view the “business proposal”.

LinkedIn Phish Login Portal
Image 4: The login portal loaded after clicking the PDF link

Clicking on the Office365 button option loaded a sign-in page and prompted me to enter my email address and the password for my Office365 account.

Normaav GA Office 365 Login
Image 5: The fake Office365 login page

Clicking on the other buttons resulted in the same functionality but with different email client login screens (Image 6).

LinkedIn Phish Logins
Image 6: Other email client login pages

The amount of detail built into the site was impressive. Where most phishing login pages deactivate superfluous links and features for efficiency reasons, this site was fully functional and even included the ability to reset your password, which came with a functional glyph generator and voice word reader.

Password Reset
Image 7: Sample password reset screen

Next, I checked the .GA domain for some clues. It came back as a Gabon based account, however, the details of the registrar had the following Netherlands address:

Domain name: NORMAAV.GA
Gabon TLD B.V.
My GA administrator
P.O. Box 11774
1001 GT Amsterdam
Phone: +31 20 5315725
Fax:   +31 20 5315721

After a little more digging, I found that the same owner also registered several other phishing domains that included sites like:


So, from the look of it, this phishing site was just an elaborate email address and password collection utility. It wasn’t used for malware distribution or payload delivery.

The structure was made-up of several directories each comprised of PHP, html, images, Zip file, and some JavaScript files. The zip file housed all of the executable and site code and also provided an additional layer of obfuscation from the anti malware scanners that would be running on the hosting server.

Normaav GA File
Image 8: Sample content of one of the website “file” directory

LinkedIn Phish Directory Content
Image 9: The content of the “assets” directory showing the images and icons used to create the fake login screens

As far as the mechanics of the user data collection, clicking the “Next” button on the email login screen executed the following post function:

if (isset($_POST['username']) && isset($_POST['password'])) {
    if ($_POST['username'] !== "" && $_POST['password'] !== "") {

        $date = date('l d F Y');
        $time = date('H:i');
        $user = $_POST['username'];
        $pass = $_POST['password'];
        $source = $_POST['from'];
        $ip = $_SERVER['REMOTE_ADDR'];
        // systemInfo() is the kit's own geolocation/user-agent helper, defined in another of its files
        $systemInfo = systemInfo($_SERVER['REMOTE_ADDR']);
        $VictimInfo1 = "| Submitted by : " . $_SERVER['REMOTE_ADDR'] . " (" . gethostbyaddr($_SERVER['REMOTE_ADDR']) . ")";
        $VictimInfo2 = "| Location : " . $systemInfo['city'] . ", " . $systemInfo['region'] . ", " . $systemInfo['country'] . "";
        $VictimInfo3 = "| UserAgent : " . $systemInfo['useragent'] . "";
        $VictimInfo4 = "| Browser : " . $systemInfo['browser'] . "";
        $VictimInfo5 = "| Os : " . $systemInfo['os'] . "";
        $data = "
+ ————- Scampage ————–+
+ Account Details
| Username : $user
| Password : $pass
| Source: $source
+ ——————————————+
+ Victim Information

| Received : $date @ $time
+ ——————————————+
";
        // the rest of the collector (the VictimInfo lines and the upload to the collection address) is not reproduced here
    }
}

It’s evident from the code that the developer didn’t even bother anonymizing the variables; they just matter-of-factly named them “Victim Information”, “Victim1”, “Scampage”, etc. Apparently, in the scammer industry, ripping off people is just another dehumanized, banal job, not much different than stuffing hot dogs into a box on a production line.

Phish Victims
Image 10: Phishing victims as hot dogs

The data upload logic was also rudimentary, without any fancy command and control features. Once all of the user information was collated, the content was simply posted to a “” email address. This Gmail account turned out to be just one of over 8134 emails used for data collection. The phishing site itself also came in a number of variations, with different versions utilizing one or more of the listed email addresses (see a few samples below).

Password Collection Email Addresses

Table 1: A sampling of 10 emails out of the 8134 used by the phishing sites.

From a linguistic/semantic point of view, the creator of the site and the email accounts is most likely a native American-English speaker who pays close attention to details. The verbiage on the site has no spelling or major grammar issues. The composite names used in the email accounts demonstrate clever wordplay and use of contemporary idioms. The word generation algorithm also takes into account human-readable combinations such as:


Another interesting observation about the code is that it utilizes defensive strategies and countermeasures. For example, it uses a blacklist of IP addresses to stop the data uploader from running on high risk networks (like Fortinet, Kaspersky, Avg Technologies, etc.) where this activity would most likely be quickly detected and stopped. So in essence, this is a signature based form of reverse malware protection.

# _blacklist.dat  — contains address ranges to always be blocked.
#   Only IPv4 addressing is supported.
#   legal range formats are:
#       Single address
#       CIDR Mask
#       address w/mask
#       255.255.*.*            wildcards
#       low to high address
#   Comments may be added to a line starting with '#' character
#   and inline comments may be added starting with '#' character.

Table 2: Extract from the blacklist used by the application in order to avoid high risk networks
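As an added example, not the kit's own code, here is a parser for the five range formats the blacklist header above lists, written from the analyst's side so that, given a recovered kit, one can check which networks its uploader refuses to run on. The sample entries are constructed in the same layout and are not the kit's real list.

```python
"""Parser for the _blacklist.dat range formats: single address, CIDR mask,
address w/mask, trailing wildcards, and low-to-high address.
The SAMPLE_BLACKLIST below is constructed, not the kit's actual list."""
from __future__ import annotations
import ipaddress

SAMPLE_BLACKLIST = """
# constructed sample in the _blacklist.dat layout, one entry per format
198.51.100.7                 # single address
203.0.113.0/24               # CIDR mask
192.0.2.0/255.255.255.128    # address w/mask
100.64.*.*                   # wildcards (trailing octets only)
10.9.8.1-10.9.8.5            # low to high address
"""


def _wildcard_to_network(spec: str) -> ipaddress.IPv4Network:
    """Turn a.b.*.* into the covering network; wildcards must be a trailing run."""
    octets = spec.split(".")
    if len(octets) != 4 or "*" not in octets:
        raise ValueError(f"bad wildcard range: {spec}")
    first = octets.index("*")
    if any(o != "*" for o in octets[first:]):
        raise ValueError(f"wildcards must be trailing: {spec}")
    base = ".".join("0" if o == "*" else o for o in octets)
    return ipaddress.IPv4Network(f"{base}/{first * 8}")


def parse_range(spec: str) -> tuple[int, int]:
    """Return the inclusive (low, high) integer bounds for one range spec.
    Anything that is not IPv4 raises ValueError, matching the header's IPv4-only rule."""
    if "-" in spec:                                   # low to high address
        low, high = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if low > high:
            raise ValueError(f"inverted range: {spec}")
        return int(low), int(high)
    if "*" in spec:                                   # wildcards
        net = _wildcard_to_network(spec)
    elif "/" in spec:                                 # CIDR mask or dotted address w/mask
        net = ipaddress.IPv4Network(spec, strict=False)
    else:                                             # single address
        addr = ipaddress.IPv4Address(spec)
        return int(addr), int(addr)
    return int(net.network_address), int(net.broadcast_address)


def parse_blacklist(text: str) -> list[tuple[str, int, int]]:
    """Parse the whole file, dropping full-line and inline '#' comments."""
    ranges = []
    for raw in text.splitlines():
        spec = raw.split("#", 1)[0].strip()
        if spec:
            ranges.append((spec, *parse_range(spec)))
    return ranges


def blocked_by(addr: str, ranges: list[tuple[str, int, int]]) -> str | None:
    """Return the first range spec covering addr, or None if it is not listed."""
    n = int(ipaddress.IPv4Address(addr))
    for spec, low, high in ranges:
        if low <= n <= high:
            return spec
    return None


if __name__ == "__main__":
    ranges = parse_blacklist(SAMPLE_BLACKLIST)
    for probe in ("203.0.113.200", "192.0.2.200", "10.9.8.3"):
        print(probe, "->", blocked_by(probe, ranges))
```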

Several of the PHP functions (see sample below) contain a reference to “MADEMEN CYBER TEAM”. The code also contains references to a specific developer who is using the alias “Sage The Hurt Ice”, this name is also associated with an active PayPal account called “payp algent” and “paya_ldirect”. 

Image 11: The author “SAGE THE HURT ICE”

    <tr><td>________MADEMEN CYBER TEAM_________</td></tr>
    <tr><td><STRONG>$domain I.D: $login<td/></tr>
    <tr><td><STRONG>Password: $passwd</td></tr>
    <tr><td><STRONG>IP: $ip</td></tr>
    <tr><td><STRONG>Date: $server</td></tr>
    <tr><td><STRONG>country : $country</td></tr>
    <tr><td>Browser : $browserAgent</td></tr>
    <tr><td>____HACKED BY SAGE THE HURT ICE (SKYPE =PAYP ALGENT)____</td></tr>

What makes this exploit so potent is that the operation combines machine-generated content, a large degree of automation, and the creation of near real-time customized payloads that are based on LinkedIn account user data. Just like in a traditional mail merge operation, where the customization of each letter is done by pulling content from different databases, the same takes place here, with the slight variation that the database is the user’s LinkedIn profile and the ‘mail to’ list is their entire LinkedIn network.

With all of these dynamic orchestration capabilities, the cherry on the cake is that there was also a human in the loop who chatted with the target in real time in order to confirm the authenticity of the phish.

This exploit should be a major concern for LinkedIn and its users. In 2016, LinkedIn lost 117 million user accounts (they were hacked as early as 2012 but didn’t discover it until 2016). Many of these passwords have not been changed by users who are still unaware of the breach. This means that the perpetrators of the current phishing expedition are essentially shooting fish in a barrel.

Based on the site uptime of 4 days (before it was flagged as ‘deceptive’ by the search engines), the volume of recovered passwords, and the number of concurrent phishing campaigns (about 10K), a conservative estimate for this campaign’s yield is over 100K newly breached accounts.

So what can you do to avoid getting your LinkedIn account hacked? Obviously, don’t click on any links sent to you via the messenger. Stop reusing the same password for multiple accounts and make your passwords more complex. You should also consider using a password management system. In the long run, though, your best bet is to enable two-factor authentication (using your phone) for all of your accounts. Most e-commerce sites like Amazon and PayPal, as well as email providers, already offer this as a free service, and activating it is just a simple two-step process.

Soon after detecting the exploit, I notified LinkedIn about the details of the breach. It took LinkedIn more than 48 hours to reply. The response I got was “We have provided this information to the correct team to review further and act based on their results.” I haven’t heard back from them since. I have also followed up with several of the victims, who were completely unaware that someone had taken over their LinkedIn account and was using it to mount a phishing expedition.

If you haven’t done this for a while, it may also behoove you to log in to your LinkedIn and other social media accounts just to make sure that they are still accessible.

References and Sourcing

XRVision Sentinel AI Platform – Face recognition, image reconstruction, and object detection
2019 State of the Phish Report (page 11-19 cover estimated recovery rates):
The complete phishing kit  (source code and files)
The phishing email addresses directory (where the stolen credentials are sent after harvesting)
LinkedIn Breach Exposed 117 Million User Accounts: eSecurity Planet
Facebook stored 200-600 millions of Instagram passwords in plain text: IT ProPortal
Password Safe: A free and open source password management system

© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

The Great Password Storage Survey

Find Milton's Password

The idea for the password survey came about more than fifteen years ago when I managed a security team in a large Fortune 500 organization. While designing a new fraud detection platform, we discovered that a significant number of previous security incidents were attributed to compromised user passwords and credentials. The data suggested that this problem affected all business divisions and departments across the company and our partners. After a successful campaign to launch a corporate-wide root cause initiative, we ran a pilot that examined the password storage and retrieval practices in one of our regional offices with about 900 employees. After concluding the initial survey, we expanded the sampling to three other corporate locations.

The results of the first survey were supplemented by data I collected a few years later while working for a managed security service company that provided hosted proxy, firewall, IDS, and anti-malware service to several hundred credit unions and community banks. The focus of the second survey was on small to medium size U.S. based financial institutions.[1]

The total population examined in the study was about 3700 accounts and individuals. The corporate units included development, IT administration, business groups, and general staff. The sampled data reflects a typical cross-section of large (20K-40K) and small to medium (20-750) sized organizations and represents a historical snapshot of password practices in a typical regulated financial service company circa 2003-2010.

Chart 1: Password found by business unit

Knowledge-based authentication that utilizes passwords is different from other access control methods because it promotes the idea that by increasing the password entropy we can resist and discourage a brute force password recovery attack.

For many security practitioners this seems like a panacea. Policies calling for additional password complexity appear attractive at first, but their practical enforcement on a multi-platform, enterprise scale is difficult to implement.

This is especially the case when we prohibit users from writing their passwords down or reusing them. The user’s inability to manage numerous complex and frequently expiring passwords can eventually compromise even the most secure environments, those with multi-tiered firewalls, the most advanced IDS, and robust VPN connectivity.

Paradoxically, it seems that when it comes to passwords, the user is caught between a rock and a hard place; the more secure the password is, the less so is the user.

Heterogeneous Environments and a Glut of Passwords
The never-ending cycle of M&A continues to create heterogeneous platforms within the enterprise. This phenomenon results in the proliferation of systems with different rules for password lifecycles, login procedures, and authentication standards. The impact on users has been overwhelming, as they need to deal with an ever-increasing number of login challenges.

Even in well-consolidated enterprises that utilize state-of-the-art Active Directory and Single Sign-On, there are a handful of work-issued standalone devices and online accounts that are not tied to the central login infrastructure. Even in these integrated environments, the expiration of individual passwords is rarely synchronized, often causing a cascade of resets on other systems, with user lockouts and loss of productivity.

To further complicate this, all employees also maintain dozens of non-work-related passwords that they use during their work day. This significantly increases their cognitive burden, so in an effort to conserve energy, some resort to consolidating their private and work passwords into a single file. The survey suggests that if we tally the work and private accounts, the average number of passwords each person has can exceed 60 (Chart 2).

The number of work-related accounts varied with the user’s corporate responsibility (Chart 3), but on average, each user had between 10 and 20 passwords.

Chart 2: Average number of passwords per user

Information Overload
The human factor plays a significant role in the challenge of creating, storing, and retrieving complex passwords. A number of psychological experiments have demonstrated that subjects are able to repeat accurately around eight meaningful combinations of letters, numbers, and words.[2]

When a user is given several random passwords that are eight characters long, most will remember only one. If a user is required to remember two or more such passwords, he or she will likely resort to writing them down.

When asked how many IDs and passwords they had to keep track of, the users’ immediate answer was “way too many!” The majority of users also stated that it was bad enough when they only needed a handful of passwords to access e-mail, the network, and mainframe accounts. But now, every internal and external application required a complex password.

Chart 3: Average number of passwords per user type

Chart 4: Reasons for writing passwords down

So how did the users resolve the problem of maintaining dozens of strong passwords? When pressed, most admitted—as the research suggested—that they resorted to keeping a written list or that they have been using the same password or a variant of it for multiple systems. 

On the record, administrative staff denied that they followed this practice but off the record they admitted that they were powerless to stop it and that they themselves were guilty of these same offenses. Other industry sources suggest that this is indeed a widespread phenomenon.[3]

When questioned about their memorization techniques (the policy requires that passwords be memorized), many of them indicated that utilizing mnemonics, backronyms, and other techniques was tiresome, and that this resulted in forgetfulness, mistakes, and system lockouts.

The majority of users (75%) stated that they could not memorize complex passwords and when they attempted to achieve this in the past it always resulted in password resets. It is interesting to note that as much as 10% of the users felt that the high frequency of the password expiration did not warrant the investment in memorizing it. Another 10% of the users felt that actually writing the password down made them more productive.

Chart 5: Password issued vs. password memorized

Password Storage Strategies
The password searches identified the existence of two types of password storage strategies. The first group (1), which consisted of 27% of the recovered passwords, was made up of data that was either handwritten or printed and stored in the user’s immediate work area.

The written documents included artifacts such as post-it notes, legal pads, notebooks, and text on dry erase board. The second category (2) consisted of 73% of the recovered passwords found on electronic storage in the form of digital files on portable storage devices, PDAs, phones, hard drives, and network shares.

Chart 6: Password storage areas

The large percentage of electronically stored passwords suggests that users are somewhat security conscious and do look for a middle ground between the two evils of keeping passwords out in the open and memorizing them.

The high rate of spreadsheet utilization (35%) for password storage suggests that without a proper company sponsored tool for managing passwords like a password safe, users will instinctively gravitate toward the next ‘best’ technology available in-house.

Password Hangouts
The majority (5% each) of users hid passwords either under a mouse pad or on sticky notes that were kept in a book or folder somewhere in the user’s immediate work area. The total percentage of passwords hidden ‘under’ various items (Table 1) was 27%.

Password Locations Office Work Area                       | # Found | % of Total
----------------------------------------------------------|---------|-----------
Under mouse pad, stapler, or tape dispenser               |         |
Under keyboard                                            |         |
Under desk calendar                                       |         |
Under flower pot                                          |         |
Under garbage can                                         |         |
Under printer                                             |         |
Under phone or phone reference card                       |         |
Under carpet or mat                                       |         |
Under bookshelf                                           |         |
Under paper tray                                          |         |
Under or on whiteboard or clipboard                       |         |
Under trivet, coaster, paper weight, or pencil holder     |         |
Interior door of coat cabinet                             |         |
Sticky note on the monitor                                |         |
Note inside a book or wallet                              |         |
Note in music CD box                                      |         |
On whiteboard obfuscated using letter or number padding   |         |

Table 1: Hidden password locations – Office work area


Password Locations on Electronic Storage                           | # Found | % of Total
-------------------------------------------------------------------|---------|-----------
On floppy disk inserted in drive                                   |         |
On USB, flash drive, or other device                               |         |
Protected spreadsheet on a password protected network share        |         |
MS Access database on a network share                              |         |
Spreadsheet on a network share                                     |         |
Text file located on a network share                               |         |
e-mail file (user would create and e-mail himself the new password)|         |
MS Word document                                                   |         |
File stored on an Intranet web site                                |         |
File stored on an Internet web site                                |         |

Table 2: Hidden password locations – Electronic storage


The majority (73%) of the hidden passwords were kept on electronic storage (spreadsheets, documents, and e-mails) in a variety of locations, the most common being (1) 34% on a network drive and (2) 11% on the e-mail server (Table 2).

Only 1% of the users openly placed the latest password on their monitor (Figure 1). It is interesting to note the password generation algorithm used. The first password on the list (which was complex) was used as the seed for all future password permutations. Each time the system required a new password, the user wrote the new one down and erased the previous one.

Whenever the system permitted the re-use of old passwords, we found a high degree of password recycling via password variances and sequential use. This included 62% of developers, 86% of administrators, 97% of business users, and 94% of admin and facility staff.  

Figure 1: User passwords written on a sticky note


Is there a Method in the madness?
75% of the users interviewed cited poor memory as the main reason (1) for writing down and hiding passwords. The second (2) reason cited was the unspoken legitimacy of this practice and its widespread use. The third (3) reason was that the password was shared by several users, so having it written in a central location was the most convenient way to synchronize it and keep all users informed of any changes. This was primarily the case amongst DBAs, system administrators, and developers (87% combined). The majority of interviewees also acknowledged that they were aware of existing security policy that clearly discouraged such practices.

From conversations with administrative staff, ignorance of the law was not a factor in writing down passwords (Chart 8). Over 90% of the admins acknowledged that they knew that writing their system password down was against policy and information security directives, but they did it because they were located in a physically “secure area” with strict access control rules, and they considered it a calculated risk.

Chart 7: Percentage of administrators told not to write down passwords

An interesting usage relationship shows that systems which periodically require users to change passwords actually trigger more people to ‘hide’ them in written form near their workstations. We estimated that the likelihood of finding written passwords near a workstation subjected to frequent password changes was 35% to 55%. At the same sites, the likelihood was only 10% to 20% for workstations connected to systems that did not enforce frequent password changes.

In many cases, over a third of the users created sequential passwords (Chart 8), such as changing Pa$$w0rd_1 to Pa$$w0rd_2. The stats for administrative users show that this practice ran higher than 80% when permitted by the system. This is again confirmed by other studies that show users’ tendency to avoid constantly memorizing new, complex passwords and to write them down instead.[4]

Chart 8: Used sequential passwords
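The Pa$$w0rd_1 to Pa$$w0rd_2 pattern above only survives because the system's history check compares exact values. A change-time check that reduces both the old and the new password to their base word catches the counter bump, the leet respelling, and the one-keystroke tweak. This is an added example, not the survey's own tooling; the leet map is a constructed assumption, and the check can only run at the moment of change, when both plaintexts are available, since stored hashes cannot be compared this way.

```python
import re

# Constructed map of the leet substitutions users most commonly apply to a base word.
LEET = str.maketrans({"$": "s", "@": "a", "!": "i", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def canonical_stem(password: str) -> str:
    """Reduce a password to the base word the user is really reusing.

    Lowercase it, strip a trailing counter such as '_1' or '2!', undo the leet
    substitutions, and drop separators, so that Pa$$w0rd_1 and Pa$$w0rd_2
    both become 'password'."""
    s = password.lower()
    s = re.sub(r"[\W_]*\d*[\W_]*$", "", s)   # trailing counter and punctuation
    s = s.translate(LEET)
    return re.sub(r"[^a-z0-9]", "", s)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when new is the same password, a counter bump, a leet or case
    respelling, or within max_edits keystrokes of old."""
    if old == new:
        return True
    old_stem, new_stem = canonical_stem(old), canonical_stem(new)
    if old_stem and old_stem == new_stem:      # all-digit passwords have no stem
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits


def check_password_change(new: str, history: list) -> list:
    """Entries of history (most recent first) that new trivially derives from.
    An empty list means the change passes this rule."""
    return [old for old in history if is_trivial_variant(old, new)]


if __name__ == "__main__":
    # Constructed history for one account, newest first.
    history = ["Pa$$w0rd_2", "Summer2019", "Pa$$w0rd_1"]
    for candidate in ("Pa$$w0rd_3", "PASSWORD!", "Tr0ub4dor&3"):
        hits = check_password_change(candidate, history)
        print(f"{candidate:12} {'REJECT, variant of ' + ', '.join(hits) if hits else 'accept'}")
```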

Social Factors that Contribute to Password Mismanagement
Password security relies on the premise that passwords are kept secret at all times. This is not a trivial requirement because in a typical password life cycle, there are many opportunities for compromise whenever a password is created, used, transmitted, or stored. Passwords are always vulnerable to compromise because:

  1. They need to be initially created and assigned to a user
  2. They need to be transmitted
  3. They need to be changed
  4. They need to be stored and retrieved

In this context, sharing passwords among a group of users completely negates the requirement to keep them secret. When we asked the users about the practice of sharing passwords, the unanimous response was that this was a common practice exercised by all. In fact, the system and database administration and InfoSec teams, which should have led the charge in fighting this phenomenon, were the largest practitioners of group password sharing (Charts 9-10).

Chart 9: Password sharing among administrators

Chart 10: Password sharing among developers

This contradictory situation raised several questions. When we asked the users about the clearly prohibited practice of password sharing they provided the following rationale:

  1. Friendliness––Users try to avoid behavior that would put them in a negative social light. Individuals who strictly protect their passwords by steadfastly refusing to write them down or share them with colleagues can be seen as anti-social.
  2. Conformity––Due to strong emphasis placed on “being a team player” and the importance of collaboration, many individuals determine that conformity is important and work hard to be sure that others see them as easygoing and trustworthy. For example, if a system administrator (an authority figure) asks a user for his log-in password, he is likely to reveal it because he doesn’t wish to seem suspicious of an authority figure.
  3. Trust––Sharing passwords between team members can be seen as a sign of collegial affiliation. If a user refuses to share a password with a co-worker, especially where such practice is commonplace, it could be seen as a sign of distrust.
  4. Unwritten work procedures––A team of co-workers will develop ‘informal’ procedures and workarounds to deal with occasional situations that impact their productivity (sharing workstations, using each other’s e-mail program, etc). Some of these workarounds may contradict official policies. Users who follow such informal procedures are normally acting in good faith; they are trying to be helpful and practical in an effort to get the job done.
  5. Responsibility––Users are aware of password policies, but continue to violate them nevertheless because they do not expect to be held accountable for breaking the rules, because “everyone” regards the regulations as unrealistic.
  6. Management Privileges––Senior employees believe that they are too busy to be expected to follow what they perceive as petty rules (rules which IT and InfoSec themselves are often known to disregard).
  7. Relevancy––Some users believe they and their systems are not important enough to merit serious attention from an attacker. Some users also believe that rigorous passwords are neither truly realistic nor necessary and they do not see following information security policies as being relevant to their job requirements and/or professional reputation.

Security, Perception vs. Reality
Another interesting self-contradiction that affected user perception of password security was password reuse. When questioned about the practice of resetting passwords to previous ones, a large number of administrative users and developers stated that whenever the system permitted it, they did reset the new password to an older, familiar one. In some cases administrators deliberately disabled password expiration policies in order to avoid the hassle. Clearly, this practice completely defeats any advantages associated with frequent password changes.

Chart 11: Changed passwords back to original password (left: administrators, right: developers)

When we asked the users for their rationale for ignoring security policy directives and making this and other judgment calls, the answers clustered around these topics:

  1. Lack of account privacy affected general work habits and security––When users were regularly forced to write down their passwords because they lacked a tool to manage them properly, they also tended to justify keeping other sensitive information out in the open.
  2. Security mandates elicited strong emotional reactions––Users often spoke in emotional terms about unrealistic decrees, using terms like “smoke and mirrors”, “lip service”, and “window dressing”. Furthermore, they said that they wanted their information to be secure and private, but at the same time they had a fatalistic attitude towards security; that is, they felt resigned to accepting security breaches and privacy compromises.
  3. Inability to differentiate between security and privacy––Users didn’t distinguish between these two concepts and mostly focused on the outcome of a security breach and its impact on their work product. In one example, an administrator did not consider the common practice of sharing passwords with a fellow administrator to be a privacy or a security issue; when their password was discovered during the survey, they simply mitigated the damage by resetting the password and continuing the sharing practice.
  4. Multi-user applications and social interactions influenced information sharing––Collaborative work assignments and certain business processes promoted password sharing. When it comes to account and password privacy, users working in a collaborative environment tended to have a more liberal and collective sense of account ownership.
  5. Few differences existed between home and business account management practices––Users’ lack of concern for account privacy did not depend on their work location. They were consistent in their practices whether at home or at work. Remote users who connected via VPN were less concerned about the security of their work files because they considered the likelihood of someone hacking them at home to be minimal, despite the fact that their off-site network was much less secure (many had no firewalls or up-to-date anti-malware protection). Also, most users working from home did not consider themselves to be a potential target of an attack.

The survey results suggest that the widespread practice of users writing down passwords and keeping them in unsecured locations is a natural response to unrealistic security mandates. Users in general are concerned with productivity and view password management as overhead and a dreaded chore.

Practical password security depends on the availability of password management and enforcement mechanisms. Any password policy must on one hand balance the benefits of protection and enforcement and on the other minimize user impact. Without maintaining this careful balance, we run the risk of users coming to view policy mandates such as expiring passwords as tyrannical decrees that should be cleverly circumvented.

If a good personal and corporate security strategy depends on strong passwords—and few will argue that it does not—then the keystone of good password security is the establishment of an enterprise wide solution that will either completely eliminate passwords or facilitate the management of the entire password’s life cycle via an on-line, mobile, and off-line access.

Or as Milton Waddams would say, “Well, Ok. But… that’s the last straw. And, and I’m telling you It’s not okay because if they lock me out again and force me to memorize another complex password, I’m I’ll, I’ll, set the building on fire…”


Notes and References
Authentication in Internet Banking: A Lesson in Risk Management – FDIC (2007)
Uncovering Password Habits – Are Users’ Password Security Habits Improving?
The death of passwords is premature – Keeper (2016)
Microsoft admits expiring-password rules are useless – CNet (2019)

[1] Due to the sensitive nature of password surveys, password storage searches should be planned and executed carefully and discreetly. Before conducting any searches, you should secure written approval from your IT, InfoSec, HR, and legal teams. You should also coordinate all such activities with the local facilities team. Another good rule of thumb is to conduct all surveys with a team composed of representatives from HR and building security; this will eliminate the perception that some unknown individual is just pillaging and violating the privacy of employees after hours. Follow-up conversations with users regarding their password storage and recovery habits should be done in a private setting, in a non-threatening, non-confrontational manner. You should make it clear to the interviewee that their cooperation is appreciated, that this will not reflect poorly on their evaluation, and that the ultimate goal of the exercise is to improve both personal and corporate data security and privacy. A $20 gift certificate to Starbucks or another popular outlet goes a long way towards easing the tension.

[2] C. Coombs, R. Dawes, and A. Tversky, Mathematical Psychology: An Elementary Introduction, Prentice-Hall (1970); Yan, Blackwell, Anderson, and Grant, “The Memorability and Security of Passwords: Some Empirical Results”, research paper, Cambridge University Computer Laboratory (2001); and Miller, George A., “The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information”, Psychological Review 63 (1956), 81–97.

[3] Schneier on Security, “Write Down Your Password” (2005)

[4] Spafford, Eugene H. (1992), “Observations on Reusable Password Choices”, Proceedings of the 3rd USENIX Security Symposium, September.


© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

Good day to you!

Khoroshiy den' dlya tebya!

The other day, I got this cryptic email. It read:

– – – – – – – – – – – – – – – –
From: Wayne Millbrand <>
Date: 03/27/2017 2:23 PM (GMT-05:00)
To: ***
Subject: ***

Good day to you!

I have a rather delicate issue, which touches directly to you. Don’t be surprised how do I learned about you! The fact is that I have got already a second letter from the person, I do not know which asserts that you are fraud involved. He insists, that you forced him transfer funds on your PayPal account under fictional reason. However,with this information he pointed out your private data up to address:

First Last Name
Street Address
State (with capitalization error)
Zip Code

Now he is collecting information and planing to contact the police. I advise you to view the information that he sent to me. I have attached Fine.doc with a copy of all of his messages.

Document was password-protected – 4299
Please explain to me what’s happening.  I hope that all of this is a silly misunderstanding.

Best regards,

Wayne Millbrand
– – – – – – – – – – – – – – – –

Based on the fake email address and the tell-tale Anguished English, I concluded that this was just another phish. I usually delete these emails promptly, but this one had an interesting component to it: it came with a password protected MS Word document. This is somewhat unusual because phishers typically expect you to just launch the attachment and activate the payload immediately.

So it appears that the attack strategy was to:

  1. Send a threatening email
  2. Add some publicly available information about the recipient to make it look genuine
  3. Encrypt the document in order to hide the payload from an anti-virus scanner
  4. Provide the password in the email to allow the user to open and decrypt the file
  5. Activate the payload in the MS Word document and infect the user’s machine

Based on the version of the MS Word attachment, I set up a Windows 7 virtual environment in a sandbox. I also installed Microsoft Office 2016 in order to debug the payload macro, and used the following Sysinternals utilities: Procmon, DiskMon, and DebugView, and Wireshark to sniff the TCP traffic.

I launched the document and entered the provided password. Inside the decrypted file, I found the following API declarations, variable names, and code:

Shell32.dll   ShellExecuteA
Kernel32      GetTempPathA
Kernel32      GetTempFileNameA
URLMon        URLDownloadToFileA

Dim wyqud As String
Dim zdwie As Long
Dim rufhd As Long
Dim bldos As Integer
Dim mufid () As Byte
Dim kmvbf As Long
Dim dfety As Long
Dim bvjwi As Long
Dim wbdys As Long
Dim dvywi (256) As Byte
Dim wdals As Long
Dim dwiqh As Long

API Declarations and Variables

The attack mechanism seems to be a variation on an old method: as soon as the user opens the file, the routine downloads a file from one of these two URLs:

h t t p://
h t t p://

The macro is quite sophisticated; it can even prompt the user to disable their firewall if the download fails. Both GIFs, “bug.gif” and “meg.gif”—despite having an appropriate header block and some image content bytes—actually carry the encoded malware.

The macro uses a subroutine to extract the executable binary from the downloaded GIFs. It stores the binary in a temp file, appends an “exe” extension to it, and then, using the Explorer function ShellExecuteA, executes it in order to install additional malware. In this case, it was ransomware that encrypted the Documents folder.

Image 1: The ransomware after installation
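The GIF trick works because image decoders stop reading at the 0x3B trailer, so anything stored after it is invisible to a viewer but available to the macro. A detection that walks the GIF block structure and reports bytes past the trailer catches the file whether or not the payload is encoded, which a plain MZ-signature scan would miss. This is an added example, not the macro's subroutine or the author's tooling; the 1x1 sample GIF and the appended payload bytes are constructed here.

```python
GIF_HEADERS = (b"GIF87a", b"GIF89a")


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of data sub-blocks (length byte + data) ending in a 0 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def find_gif_overlay(data: bytes):
    """Walk the GIF block structure up to the 0x3B trailer.

    Returns (trailer_offset, overlay), where overlay is every byte after the
    trailer, i.e. data no GIF decoder will ever read. Raises ValueError for
    files that are not structurally valid GIFs."""
    if len(data) < 13 or data[:6] not in GIF_HEADERS:
        raise ValueError("not a GIF header")
    packed = data[10]                      # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                      # global color table present
        pos += 3 * (1 << ((packed & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        block = data[pos]
        if block == 0x3B:                  # trailer
            return pos, data[pos + 1:]
        if block == 0x21:                  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:                # image descriptor, 10 bytes including id
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:             # local color table present
                pos += 3 * (1 << ((ipacked & 0x07) + 1))
            pos += 1                       # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unexpected block id 0x{block:02x} at offset {pos}")


def classify_overlay(overlay: bytes) -> str:
    """Coarse label for trailing data: 'none', 'pe' (a plain MZ/PE image), or
    'opaque'. An encoded payload, as in this kit, shows up as 'opaque', which
    is still reason enough to quarantine the file."""
    if not overlay:
        return "none"
    if overlay[:2] == b"MZ" and len(overlay) >= 0x40:
        pe_off = int.from_bytes(overlay[0x3C:0x40], "little")
        if overlay[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
    return "opaque"


def scan(data: bytes) -> dict:
    """One-call verdict for a downloaded image."""
    trailer, overlay = find_gif_overlay(data)
    return {"trailer_offset": trailer, "overlay_len": len(overlay),
            "overlay": classify_overlay(overlay)}


# Constructed 1x1 GIF (43 bytes) used as the sample image; not the kit's file.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
# Constructed minimal DOS/PE header stub (MZ, e_lfanew -> 'PE\0\0'), not a real binary.
PLAIN_PE_OVERLAY = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\x00" * 20
# Constructed stand-in for an encoded payload: the same stub XORed with 0x5A.
ENCODED_OVERLAY = bytes(b ^ 0x5A for b in PLAIN_PE_OVERLAY)

if __name__ == "__main__":
    for name, blob in (("clean.gif", CLEAN_GIF),
                       ("plain-pe.gif", CLEAN_GIF + PLAIN_PE_OVERLAY),
                       ("encoded.gif", CLEAN_GIF + ENCODED_OVERLAY)):
        print(name, scan(blob))
```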

Interestingly, the first compromised URL used for the malware distribution was a website belonging to a company called Adenzia, a Swiss accounting and corporate services firm that ironically advertises itself as providing “Privacy and secure data storage” and:

  •   Accounting services
  •   Secure financial services
  •   Data entry from paper to digital
  •   Scanning paper data to digital
  •   Archiving data anonymously


Image 2: The website used for malware distribution

Mafia Scripts
Image 3: The website used for malware distribution

Another noteworthy strategy used by the phishers is that both the repurposed Swiss financial site and the second German gaming site required a login. This provided an additional layer of protection for the operation by preventing internet security scanners from tracking down the payload by simply following a link to the server hosting the malware.

Image 4: Malware distribution site login prompt

From the variable naming convention and the language of the email itself, it seems that the writer is a non-native English speaker from one of the former Soviet Union republics. The metadata from the Word document further supports this and suggests a strong link to Russia. First, the author’s name was виньда (Vinda) and the company name was SPecialiST RePack.

SPecialiST RePack Metadata

SPecialiST RePack is a Russian digital publisher that repackages software. According to the Emsisoft malware database, they are a source of a large number of infected files and products.

Image 6: Samples of SPecialiST RePack infected content

As for the repurposed Swiss site, it seems that it was breached in the past few months, since the Wayback Machine still shows it operational on October 4, 2016.

Image 7: The office address of Adenzia in Lugano, Switzerland

I contacted Giovanni De Martin Cavan, the registered owner of Adenzia (who seems to have a strange history of forming companies and abandoning their websites), via email and gave him a heads-up that he needs to have a look at his website and corporate network. As of this date, I haven’t heard back from him. This could be an indication that either the site was a front for malware distribution from the get-go, or else it is no longer in business and has been abandoned.

References and Sourcing
XRVision Sentinel AI Platform – Face recognition, image reconstruction, and object detection

© Copyright 2017 Yaacov Apelbaum, All Rights Reserved.

Capturing the Flag

Yaacov Apelbaum - Who Knows What Evil Lurks in the Heart of a Cyber Attacker

If you are a typical cyber security practitioner, you most likely catch up on the latest developments by visiting online sites like News Now and by periodically attending various vendor workshops. For the majority of InfoSec managers, the daily work grind and work/life balance challenges diminish the prospects of going back to school and plowing through hands-on, in-depth training.

Over the past two decades, the corporate cursus honorum for IT management has been the much coveted MBA degree. In a large number of Fortune X00s, having an MBA from a top school was considered a prerequisite for an executive promotion. An MBA attested that an individual possessed all the current business acumen and the polish needed to take on any future leadership responsibility; it was the ultimate professional endorsement of merit.

This trend, beyond producing a glut of MBAs on the market, has also resulted in a shortage of highly technical cyber security managers. Consider some of the wholesale data breaches in some of the largest US retailers for 2014 alone. Check out the biographical backgrounds of some of the CISOs of the impacted companies. Not surprisingly, you will find no shortage of MBAs from top tier schools. What appears to be missing are individuals with vocational specializations in information and cyber security, and I’m not referring to rank and file CISSPs.

Of course, a common counterargument to this is that as a manager you are not supposed to know the ‘nitty gritty’ details of every technology in your corporate inventory and instead are expected to delegate to and draw on the expertise of others.

I don’t agree with this argument. Cyber security, unlike databases or ecommerce, is almost entirely a low-level technical play, and as such a security manager should not have gaping holes in his knowledge or rely excessively on subordinates to make sense of risks, threats and countermeasures. By analogy, it would be unacceptable for an airline pilot to have gaping holes in his knowledge of aircraft operations and to delegate the actual flying to the cabin crew.

I’ve recently had a chance to witness just how limited classical enterprise defenses have become. This is especially true when it comes to Advanced Persistent Threats. In one incident that eventually became the catalyst for me going back to school, I witnessed how a single cyber attack managed, within minutes, to defeat all of the traditional enterprise defenses and countermeasures without even breaking a sweat. Amazingly, even after the debriefing and root cause analysis, the security team was no closer to understanding how a properly configured and maintained brand-name firewall and an IDS/IDPS failed to stop the attack, let alone detect it.

If you are thinking that this couldn’t happen to you, think again. In the incident that I just described, all target boxes were patched, there were strict access control measures in place, the network was subnetted, and there were effective audit and password management systems in place.

After recovering from my momentary shock, I had an epiphany and realized that I urgently needed to re-hone my skills. I’ve heard about the SANS Institute from a number of colleagues and after checking it out, I decided to enroll in their Penetration Tester program. After juggling my bank account, my work schedule, and their course availability, I selected the following four courses:

  1. SEC504 Hacker Techniques Exploits & Incident Handling
  2. SEC560 Network Penetration Testing and Ethical Hacking
  3. SEC575 Mobile Device Security and Ethical Hacking
  4. SEC617 Wireless Ethical Hacking, Penetration Testing, and Defenses

SANS course tuition is on the expensive side, ranging from $6000-$9000 USD per course. Add travel and accommodations and you are looking at about $12K per class. Each course is delivered in about a week (40-60 hours of classroom activity). Classes are divided into lectures and hands-on labs, with heavy emphasis on getting down and dirty.

Though it took me several months to complete the coursework, I have found the whole experience to be uplifting. In addition to getting access to practical, real-world expertise from some of the world’s best penetration testers, we practiced the gray art of performing detailed reconnaissance on would-be targets, including mining social media and infrastructure data from blogs, forums, search engines, social networking sites, and other Internet resources.

In each course, we used the latest cutting-edge attack tools as well as the traditional low budget techniques that are still quite prevalent. The aim of the course was to push the envelope in each domain and not to merely teach a handful of hacks and tricks. Another great component was exploring various administrative questions such as legal issues associated with responding to computer attacks, employee monitoring, working with law enforcement, and the collection and handling of evidence.

SANS Capture the Flag Las Vegas 2015

When it came to performing the actual exploit, we got to use the best tools on the market. This included both COTS components and custom-written utilities and scripts. In each class we learned dozens of methods for exploiting target systems and for retaining access to the systems post-exploitation. Just to illustrate the extensive hands-on approach that SANS has adopted in teaching penetration testing, here is a list of tools and techniques that we used in just the SEC504 course:

– Rootkits and their detection
– Hidden file detection with LADS
– HTTP reverse shells using Base64
– InSSIDer for wireless LAN discovery
– Nmap port scanner and operating system fingerprinting tool
– Nessus vulnerability scanner
– Windows command line kung fu for extracting Windows data through SMB sessions
– Sniffers, including Tcpdump
– Sniffer detection tools, including ifconfig, ifstatus, and promiscdetect
– Netcat for transferring files, creating backdoors, and setting up relays
– Metasploit, Metasploit, Metasploit... lots of Metasploit
– ARP and MAC analysis for ARP cache poisoning attack detection
– Password cracking
– Cross-site scripting and SQL injection web application attacks
– Intercepting and forging session cookies
– Detecting and executing DoS attack techniques
– Detecting backdoors with Netstat and lsof
– Covert channels using Covert TCP
– Clandestine network scanning and mapping
– Exploitation using built-in OS commands
– Privilege escalation
– Advanced pivoting techniques

The great thing about the SANS curriculum is that they go pretty far down the rabbit hole. A few of the classes required hard-core coding skills (you get to write and execute some buffer overflows). Other classes were procedural and got down to the wire in terms of the inner workings of the RFCs and protocols. For example, in the Wireless Ethical Hacking course we had comprehensive coverage of WiFi, cordless telephones, smart devices, embedded home devices, mesh technologies like ZigBee and Z-Wave, Bluetooth, DECT, and NFC.

In the Mobile Device Security course we practiced reverse-engineering iOS binaries in Objective-C, reverse-engineering Android binaries in Java and Dalvik bytecode, evaluating mobile malware threats through source-code analysis, defeating Apple FairPlay encryption for application binary access, and overcoming anti-decompilation techniques.

SANS Capture the Flag Washington DC 2015

The participants in the classes came from diverse backgrounds, including three-letter agencies, LEA incident handling team members, and security administrators. The classes are well-suited for anyone with a good command of TCP/IP and networking, and they would also benefit architects and technical leads involved in security operations and R&D.

The delivery of the material is completely immersive. You go from 0-90 in one second.  Each course is equivalent to a traditional graduate semester course of 4 credits so we had to complete an average of one textbook per day.  At times, you feel like you are drinking and showering from a fire hose at the same time.

Taking good notes and hitting the books at night will help you stay afloat. It goes without saying that the instructors were outstanding; they offered unlimited tutoring and were always available—even during lunch and after hours—to help answer questions and work through the practice labs.

Images: Yaacov Apelbaum - SANS SEC504, SEC560, SEC575 and SEC617

Several interesting sessions in each class revolved around learning how attackers avoid being caught, through various tactics and strategies for covering their tracks such as file and directory camouflage, piggybacking on existing user Internet sessions to avoid detection, event log tampering and pruning, and performing memory cleanups.

For me, the best part of each course was the final session called “Capture the Flag”.  There, in a culmination of all of the hard work, we got to practice everything we had learned over the previous week. Each class had different parameters for capturing the flag, but they tended to follow the same patterns.

We needed to do some reconnaissance, reconstruct the network layout of our target, map our victim’s equipment and software inventory, and then proceed to execute the attacks. Once you breached the target, you would perform some additional exploits and start pivoting between hosts and ‘living off the land’. The overall objective of this exercise was to collect flags that had been placed in various locations on the victim’s network by the instructor. Some of these flags contained encrypted files or messages that we needed to decrypt and use as clues for other attacks; others involved passwords that were being sent over VOIP, in-memory session information, or data hidden in binaries.

SANS Capture the Flag Boston 2015

The capture the flag event usually lasts a full day and ends when one team successfully recovers all flags. At that point, the competition is stopped, the results are verified, and the winners are awarded the coveted challenge coins.

Images: Yaacov Apelbaum - SANS SEC575, SEC617 and SEC560 Capture the Flag tokens

If you are a computer security practitioner, I highly recommend that you take all four courses. Even if you can only afford one, go for it. It will change your perspective on pen testing forever and help you take a proactive role in keeping your company safe and out of the negative limelight.

Performing a good penetration test is much more than just hiring some outside help and rubber stamping an audit. Anyone can throw a bunch of attacks against an organization and regurgitate the output of some automated tools in hundreds of pages of reports. Verifying the integrity of your corporate security takes more than just kicking a few InfoSec tires and lifting the hood these days.

Participating in hands-on structured training will help you avoid this trap and allow you to grasp your company’s security needs so that you can prioritize and formulate the appropriate plan of action in the most cost effective and timely manner.

Going through the meat grinder, you get to witness first hand the process of hot dog making. It’s not a pretty sight, but it’s an informative one. One of my most profound takeaways from this whole experience was answering the existential question of the spoon. Yes, the spoon does exist, but only for the end-user, sysadmin, DBA, and auditors. There is no spoon if you are a proficient attacker. With the right strategy and tools, concepts such as access control, event log integrity, and passwords are meaningless and are but chaff before the wind.

Yaacov Apelbaum - There is no Spoon

I keep my three hard-earned challenge coins on my office bookshelf as a reminder that there is likely someone out there right now who is targeting my network through some kind of clever attack. He/she has all the right tools and resources and is as determined and hard working as I was to earn those coins.

And as far as my earlier MBA comment is concerned, if you are curious to know just how many managers attended the classes, the answer is just one. None of the 20-40 participants in each class had managerial responsibility. In fact, most of the folks I spoke to were surprised that a CTO would take time from his schedule and opt to get his hands dirty instead of just delegating this to one of his direct reports.

After all, ‘Isn’t that what a manager is supposed to do?’

© Copyright 2015 Yaacov Apelbaum All Rights Reserved.

Cyber Security Poetry

Cyber Beatnik Poetry

Tokens of Distrust
It was on a starless March night,
The spear phishers went out for a bite.

Through a zero day vulnerability,
They breached RSA’s network security.

A Trojan attached to an email transmission,
Gave the attackers remote access permission. 

Deep into the corporate systems they dove, 
Collecting the SecurID key seeds treasure trove.

The theft affected over forty million tokens,
Transparency failed and trust was broken.

A few weeks followed and on a moonless May night,
The spear phishers returned with a renewed appetite.

Over the internet via secure VPN and a forged key,
They breached Lockheed’s defenses and pwned their IP.

Ties That Bind
Identity, how do I bind thee to an object? Let me recount the ways. 
One, by a secret.
Two, by a token.
Three, by your essence.
Four, by space and time.

Risk Appetite
A little shiftless bureaucrat named Phil,
Got a CISO gig through a shady deal. 

Clueless of cyber security threats,
He managed upwards like a rat.

Pen tests and remediation took a back seat,
To what the cafeteria was serving to eat.

When the company was finally breached by a hack,
He said “C’est la vie! Insurance will cover our back.”