
Friday, 6 December 2013

Standard Chartered 'Hacked'

Hack, Evidence, Prosecution, Processes, Trust and Moving On



In a recent incident involving James Raj, allegedly known as The Messiah, Standard Chartered client statements were found on James Raj's laptop. This quickly set readers on a journey to hate the Anonymous group that James Raj was supposedly part of.

While we have no visibility as to how the data got onto James Raj's laptop, one thing I would question is the evidence gathered. It is not simply a matter of blaming him because the data was on his laptop. Investigators must find evidence that illustrates that it was indeed James Raj who stole the information. This must be in the form of logs from both the laptop and Fuji Xerox. A company like Fuji Xerox would surely have log gathering and management in place, and investigators must ensure that the logs tally, confirming that a network connection was indeed made from James Raj's IP address to Fuji Xerox's server.

Cyber forensic investigators must also be able to retrieve the logs from the laptop, not just to confirm that his laptop was used, but to confirm that no other connections were made from other sources to James Raj's machine that used it as a proxy to attack FX. The timing of the connections made must be in sync. Log metadata must not be tampered with (especially by amateur evidence handlers).

Below is a high-level graphical example of how James Raj's machine could have been used in the theft of the data.



How could this be possible?

During #OpTunisia, there were a lot of protests against the Tunisian government. This led to outsiders wanting to take part as well. As they were outside Tunisia, they relied on the internet to voice their unhappiness with the Tunisian government. Government websites were hacked and defaced (no information was stolen) by hackers. The Tunisian government fought back by blocking all connections from outside Tunisia to the government websites. A hacker known as Sabu managed to find a Tunisian citizen's machine to use as a proxy to connect to the government website. All he had to do was connect to that machine as a proxy and attack the Tunisian government website from there. Reports stated that, due to the small pool of experts in handling such incidents, the owner of that machine was arrested while the hacker went free.

Source: the book 'We Are Anonymous' by Parmy Olson, pages 143-146.

Lessons That We Can Learn

Skilful hackers do not connect to and hack the target directly from their own machines, but that does not mean that n00b hackers do not know how to hide their tracks as well. Investigators will need to identify the logs properly and securely, and ensure that the evidence is in no way tampered with during the course of the investigation. These logs must exist on both the machine and the server to ensure that the evidence of the connections made is true and in sync. If logs or files are suspected to have been deleted, investigators should clone the entire hard disk image, use a data recovery tool and identify the evidence from there. The operating system itself should be checked for whether ports such as telnet and other shell-like services, or vulnerabilities, were open or present. This could be further evidence suggesting that James Raj's laptop was already vulnerable enough for other machines to connect to it, possibly using his machine to leverage the attack. Only once all of this has been gathered will the public be confident in the methodologies, processes and techniques used during the gathering of the evidence, covering all possible scenarios of an external party using Raj's machine as a proxy to attack.
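As an added illustration of the cross-checking described above (example code written for this post, not from the original article or from the investigation): it correlates a constructed server-side download log with a constructed laptop-side connection log, reports which downloads the laptop's own log fails to corroborate, and lists third-party inbound connections to shell-like ports made shortly before the outbound connections, the proxy scenario the post describes. The host addresses, the listening ports and the tolerated clock drift are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample logs, not real evidence. Server side: "<ts> <client ip> <path>".
SERVER_LOG = """\
2013-11-04 02:14:07 203.0.113.10 /statements/client_0423.pdf
2013-11-04 02:14:09 203.0.113.10 /statements/client_0424.pdf
2013-11-04 02:20:00 203.0.113.10 /statements/client_0425.pdf
2013-11-04 02:30:00 198.51.100.7 /index.html"""
# Laptop side (host firewall): "<ts> <IN|OUT> <local port> <remote ip>:<remote port>".
LAPTOP_LOG = """\
2013-11-04 02:13:50 IN 23 192.0.2.99:51022
2013-11-04 02:14:05 OUT 51444 192.0.2.50:443
2013-11-04 02:14:08 OUT 51445 192.0.2.50:443"""
SERVER_IP, LAPTOP_IP = "192.0.2.50", "203.0.113.10"  # assumed addresses
SKEW = timedelta(seconds=5)     # assumed tolerated clock drift between the two hosts
SHELL_PORTS = {22, 23, 4444}    # assumed remote-shell style listeners on the laptop

def ts(day, clock):
    return datetime.strptime(day + " " + clock, "%Y-%m-%d %H:%M:%S")

def parse_server(text):
    return [{"ts": ts(d, t), "src": src, "path": path}
            for d, t, src, path in (line.split() for line in text.splitlines())]

def parse_laptop(text):
    rows = []
    for d, t, direction, lport, remote in (line.split() for line in text.splitlines()):
        rip, rport = remote.split(":")
        rows.append({"ts": ts(d, t), "dir": direction, "lport": int(lport),
                     "rip": rip, "rport": int(rport)})
    return rows

def corroborate(server, laptop):
    """For each server-side download attributed to LAPTOP_IP, is there a matching
    laptop-side OUT connection to SERVER_IP within SKEW? Returns {path: bool}."""
    outs = [e["ts"] for e in laptop if e["dir"] == "OUT" and e["rip"] == SERVER_IP]
    return {s["path"]: any(abs(s["ts"] - o) <= SKEW for o in outs)
            for s in server if s["src"] == LAPTOP_IP}

def proxy_indicators(laptop, window=timedelta(minutes=5)):
    """Remote addresses that connected IN to a shell-like port on the laptop shortly
    before an OUT connection to the server: a sign the laptop may have been a hop."""
    outs = [e["ts"] for e in laptop if e["dir"] == "OUT" and e["rip"] == SERVER_IP]
    return sorted({e["rip"] for e in laptop
                   if e["dir"] == "IN" and e["lport"] in SHELL_PORTS
                   and any(timedelta(0) <= o - e["ts"] <= window for o in outs)})
```

A download the server attributes to the laptop but the laptop's own log does not show (client_0425.pdf here) is exactly the gap that calls for a disk image and recovery of deleted logs before any conclusion is drawn.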

Recent News May Give the Govt a Hard Time

Recent news about a government chemist in the United States who was found guilty of tampering with evidence, which resulted in many innocent people going to jail, will certainly be on many minds, raising questions about the genuineness of the evidence and the prosecution of James Raj, should he be found guilty of the charges made against him.




Moving Forward

The way for organizations and companies to know whether they are ready for such an attack is to perform vulnerability assessments on their networks and servers. Only then will they know how they would fare against a potential attack. One mistake organizations make is trusting their own security department to handle such assessments, but as they always say, it is better to have a new pair of eyes see what the internal team may be blind to (similar to doing an audit). Hire ethical hackers/pentesters to simulate a real-world attack on your servers and networks and see how deep they can penetrate. Of course, rules of engagement and a non-disclosure agreement must be put in place to maintain the confidentiality and integrity of the assessment for both parties involved.

Friday, 1 November 2013

'Anonymous Collective' Warns Singapore Government

There was a YouTube video apparently showing an Anon giving a speech using digital voice-changing software, threatening the Singapore Government and telling the people to protest peacefully on the 5th of November by wearing black/red and changing their Facebook profile picture to a black image.

The message to the SG Govt was straightforward: enforce Internet regulations and we will attack you. We have seen such attacks on governments in Korea, the Philippines, Finland, the United Kingdom and the US. We have seen databases hacked and leaked, and government websites and online services disrupted and denied. There's nothing more frustrating than not being able to access your sites.

The full transcript of the message is below:

"Greetings Government of Singapore,


We are Anonymous and we believe that we have your undivided attention. We also believe that you have had the pleasure of meeting our comrade The Messiah, who demonstrated what a single Anon could do to your so-called technologically advanced island. Now allow us to explain the objective of our recent invasions.
The secondary objective was to welcome you to the new rule where ignoring the issues of your citizens will not go ignored by Anonymous. We advise you to stop feigning ignorance and serve the people.

Any form of arrogant and ignorant statement from a person of position towards the people will not go ignored by Anonymous. Have you forgotten who you work for? Traditionally the workers respect the boss. Let us stick to tradition. But the primary objective of our invasion was to protest the implementation of the internet licensing framework by giving you a sneak peek of the state of your cyberspace if the ridiculous, communistic, oppressive and offensive framework gets implemented. Did I mention the previous hacks were executed by a single Anonymous member? Now close your eyes and imagine a legion of Anonymous unleashed upon your tiny little island and infrastructures. It will be like dipping yourselves into a pool of piranhas. We have faced much larger and more secured corporations such as the F.B.I & the NSA.

Do you think the I.D.A will be a problem for us? After all, security is just an illusion against time and temporary ignorance. So mark our words when we say that we Anonymous stand firm on our belief that no Government has the right to deprive their citizens the freedom of information. No one has the right to tell an individual what he can or cannot read or write. This is a basic fundamental of democracy and we will use everything in our resources to protect it at all cost. We demand you reconsider the regulations of your framework or we will be forced to go to war with you. For every single time you deprive a citizen his right to information, we will cost you financial loss by aggressive cyber intrusion. An intrusion your $130 million cyber security will not be able to stop. After all, how do you stop an idea? You may be ambitious enough to try and stop us but remember, the people you are after are the people you depend on: we cook your meals, we haul your trash, we teach your children, we pay your high salaries, we feed your families, we guard you while you sleep! It is not wise to piss us off.

And finally we call upon our fellow Singaporean brothers and sisters to join our protest by dressing fully in black & red on the 5th of November to paint your streets with the colors that represent the current Singaporeans' emotion. We urge you to black out your FB profile picture for a day along with the status message: I am a Singaporean and I have had enough of being oppressed! I want my freedom back!! Anonymous will be making a virtual protest by your side. Let us demonstrate our frustrations in organized unseen unity that may live a thousand years. This action might not make a political change but it is the first step towards the mental conditioning needed to achieve our goals.

Remember, remember. The fifth of November.
We are anonymous, we are legion.
We do not forgive, we do not forget.
Expect Us!"

source: http://singapore.coconuts.co/2013/10/31/video-anonymous-warns-govt
video: https://www.facebook.com/photo.php?v=656364671075370&comment_id=6755136&notif_t=like%3E


But the question is, who is this 'Messiah'? Is he really an Anon member? Or a rebel with a great cause? When the video went viral, both the YouTube video and its Twitter account were removed/disabled. Why?

When the Straits Times reported the issue and deceived readers by changing 'Anonymous threatens to attack the Singapore Government' to 'attack Singapore', the Messiah hit back at the media by hacking into the journalist's account and posting this message:

"Dear ST: You just got hacked for misleading the people!

Greetings Irene Tham & Straitstimes.com,

I am The Messiah from the Anonymous Collective. We are a decentralized non-violent resistance movement, which seeks to restore the rule of law and fight back against the organized criminal class. We oppose any form of internet censorship among other things.

Allow me to explain our intrusion.

Earlier today upon discovering the existence of a Youtube video of ours (click here), a straitstimes correspondent by the name of Irene Tham chose to publicize an article distorting our words and intentions (click here). She chose to conveniently modify the sentence "war against the Singapore Government" into "war against Singapore". 

That in our opinion can be very misleading and unfortunately we suspect that must have been her intention. Look what she made us do! :( Irene Tham, since you had the ignorant nerve of invading our world (the internet) to speak blasphemous lies, then we took it upon ourselves to invade your tiny little space to voice our issues over a few matters. We sincerely hope you won't mind.

PAY ATTENTION:

1) So dear SPH, in regards to Irene Tham, we will give her 48 hours to make an apology to the citizens of Singapore for trying to mislead them with her hate. In the event she refuses to apologize then we expect her resignation. If those demands are met we will be on our way. But in the event our demands are not met in the next 48 hours, we will place you in our "to do" list and next time you won't be let off this easy.

2) Next we would like the attention of the PAP community foundation that was involved with the baby scalding incident. We demand that you make known to the public your investigation details and discoveries. We advise you to do that before attempting to reappear on the internet. This is to save yourselves the trouble of taking it down again.

3) To those disappointed in us for not intervening in the Dhinesh Chandran case, allow us to explain. Anonymous have been watching this case for a while now. We feared that our aggressive protesting methods could affect the verdict of the appeal. This can be very disastrous if miscalculated.  So now,  Anonymous would like to appeal on behalf of the mother of Dhinesh Chandaran to the High Courts and AGC to give her the closure she requires.Your verdict will demonstrate the level of humanity our justice system has on the low & middle class citizens. We will be watching, that we promise.

4) In regards to the murder of Tammy the puppy by Dr Esmee Koh from The Animal Clinic. All we can say to Dr Esmee Koh is that you are fucked. This we take personally and we have decided to attack you in ways you least expect. Making it a touch more personal. Stay excited!

5) In regards to CHC and Pastor Satan Kong Hee, we have time. :)

6) Finally to the Singaporeans who are behind us, we salute you! :) For the rest who are more distracted on unnecessary details such as deciphering the software we use, graphic we use or criticizing our skill sets. We genuinely sympathize with your inability to see the bigger picture and also your deep seeding insecurities. Nonetheless, we will fight on the behalf of your freedom.

The media has also misled our intentions by stating that we had plans to attack the infrastructure of Singapore on the 5th of November. That is ONLY our intention if the internet framework gets implemented. Not otherwise.

Instead on the 5th of November, we shall paint the streets red and black with our attires and when you see your fellow comrades in black and red, smile and shake their hand. Let us use that day to demonstrate our new undivided unity even in the amidst of all our differences. This is a very important stage in regaining your freedom.

Join us!" 

Encrypted Message : 22 66 5e 7b a8 68 c9 0d f3 f0 47 c9 d2 e5 4a 33 02 be 20 f4 15 29 5e 7b 76 12 8d 5f 1f dd 59 44


source: http://therealsingapore.com/content/straits-times-hacked-messiah-misleading-people

From this message we can tell that the Messiah is not an actual crew member of the hacking group Anonymous but declares himself part of an 'Anonymous Collective'. Also, if we follow the trail of Anonymous, they have never removed or disabled any of their communication channels or mediums such as YouTube or Twitter. So the question is: who is this Messiah, and who else is behind the Messiah? And who or what will the Messiah attack next?

While I don't think that he is an actual Anon hacker, he has definitely shown the skills to perform it. A rebel with a cause and a believer in freedom of speech and expression on the internet. What is scary is if true Anon hackers support The Messiah on this cause; then it will be something for the SG Govt to be really worried about.

Can The Messiah be caught? Probably, but remember, how many web defacers out there actually got caught? Remember the Brazilian hacking team that defaced a couple of SG Govt websites, where no one got caught? So if The Messiah is doing this from overseas, then it is going to be really, really tough to nab this person. What the govt can do is quickly ensure that the security of their systems is in proper order. Hire white-hat hackers and perform black-box pentests on their internet-facing servers. Always remember that prevention is, most of the time, better than cure...

News and links about the situation:

1) http://www.techinasia.com/singapore-newspaper-straits-times-hacked-messiah-anonymous-collective/
2) http://sg.news.yahoo.com/anonymous-threatens-singapore-government-in-youtube-video-091443515.html
3) http://www.straitstimes.com/breaking-news/singapore/story/government-agencies-alert-after-hackers-threaten-attacks-20131101
4) http://nakedsecurity.sophos.com/2013/10/31/anonymous-threatens-singapore-with-hacking-attacks-calls-for-november-5-protest-perhaps/