I thought the talk at Defcon by Chris Rock around exploiting the flaws in the deaths and births registration process was very good.
More interesting than the technical aspects are the potential nefarious use-cases such as committing virtual mass-murder, or raising virtual babies for the purposes of insurance fraud, second identities and much more.
This is important because far too often people will focus on the technical bugs and issues and discount them because they may not see the broader impact and potential for harm. It does boil down to risk assessment and how risk is articulated. There are many times I’ve seen a penetration test report where the tester has picked up the technical vulnerability, but failed to fully understand the real business impact and labelled something as posing potential reputational risk. Only when you tie together all the pieces can the true impact be seen.
Forget what you know, what you think you know about attribution – I present to you Javvad’s Attribution Methodology or Javtribution(tm) for short.
Maybe Dr. Krypt3ia will yell Javtribution Shmattribution and try to poke holes in my findings – but I assure you, my findings can be considered holy enough without any poking.
There are two pieces of the puzzle that I put together from my armchair:
Making associations that others overlook. This means analysing multiple hacks at once as opposed to in isolation. Treating a series of hacks as one is vitally important. Some may say that this is clutching at straws, but I discount the advice of haymakers who clutch worthless items like straws.
Critically examining who has the most to gain and lose in every scenario in groups of interest as opposed to broadly defined ‘nations’. Just because your Prius is economical, doesn’t mean every Toyota is.
For this case, I’m taking a look at these recent breaches:
The breakdown below is quick and dirty with information redacted to protect sources, the innocent, guilty and all those in between but these are the steps of the methodology:
1. Compiling a list of associated hacks within a geography:
All five hacks listed above are for services that are predominantly provided within the USA, and they have no obvious direct connection with each other, apart from Ashley Madison and Adult Friend Finder.
2. Identify those who have most to lose
This is where things get a bit tricky. In isolation, it can be relatively easy to point the finger at a particular individual or group. For example, in the cases of Ashley Madison and Adult Friend Finder, one can assume that divorce lawyers were complicit in order to drum up some business. But those lawyers will have little to do with Harvard – so the Javtribution methodology will discount lawyers and move on.
Let’s look at the demographics of all the hacks and see the predominant groupings of those targeted.
OPM: clever young Americans who want to serve their country
UCLA: This may seem like a list of illnesses that people have. But maybe it’s what isn’t in the data that’s more important… i.e. a way to identify healthy and fit young Americans.
Ashley Madison and Adult Friend Finder: An article published in January (ironically based on Ashley Madison data) identified the types of people most likely to have an affair, which would be young males in good jobs.
3. Based on 2, who has the most to gain?
Following some extremely complex calculations – we can determine that the ones with the most to gain aren’t some nations on the other side of the planet. But rather actors closer to home. In this case it would seem like the 99% who always complain about the 1% would be key culprits. Unfortunately hacking doesn’t fit the MO of the 99% as they are more likely to protest on Wall Street.
Ultimately we are looking for someone who dislikes America and therefore anyone who wants to serve her. Someone who has expressed a dislike for white men and certainly doesn’t like affluent people who have made their wealth by virtue of a capitalistic system.
Based on the Javtribution methodology – the perpetrator you are seeking is…. Michael Moore.