How the U.S. Hacked ISIS
npr.org
I wish articles like this would divulge some details of the technical side of hacking, rather than keep it a mystical field of study.
What did they hack and how did they “get in”?
Contrary to the title, there is little “how” and mostly “what”.
Funny, I had the exact opposite reaction. Part of me wishes we divulged less about our tactics.
Assuming you're an American, you eventually have a civic duty to find out what they did so you can evaluate them. You can't wait forever, because once everyone involved has moved on far enough with their careers (or retired) it won't be possible for your evaluation to have any impact. Declassification has to happen at a reasonable speed in order for our system to work.
Although I don't know, I think this story was released for exactly that purpose, to improve public support for the NSA and Cyber Command. With Snowden being in the news lately I'm sure they're looking for opportunities to run cool war stories to balance out their image.
At the same time, if you're smart you'll notice the propaganda pieces circulated by AP on behalf of the USA.
One of them is Twitter. "identified accounts" but they aren't shut down or shunted. Why's that?
Simple - once you identify a target and they're vocalizing their thoughts, why would you want to limit and censor them? Allow them to post, collect metadata and help it tie together other pieces of the puzzle: browser ident, time, date, time of access, IP address, etc.
Meanwhile you'll see in the article a different reason as to inaction.
Our? Were you involved in the operation?
"Our", as in, "our government" or "our military". Is that not obvious?
They basically summed it up "Hack the human first".
Though the article does not outright say it, read between the lines when you see this:
> They even had file sharing through them. "If we could take those over," Neal said, grinning, "we were going to win everything."
Then see some public CVE's around that time, such as:
> CVE-2015-5474: BitTorrent and uTorrent allow remote attackers to inject command line parameters and execute arbitrary commands via a crafted URL using the (1) bittorrent or (2) magnet protocol.
> Project Zero 2018: Simply put, those JSON-RPC issues create a vulnerability in the desktop and web-based uTorrent clients, which both use a web interface to display website content. An attacker behind a rogue website, Ormandy said, can exploit this client-side flaw by hiding commands inside web pages that interact with uTorrent’s RPC servers. Those commands range from downloading malware into the targeted PC’s startup folder or gaining access to user’s download activity information.
And the remote code execution via media files / video virus (Hollywood movies, porn) https://www.cvedetails.com/vulnerability-list/vendor_id-5842... .
So you have file sharing going on, and can remote code execute, if: you get the target to visit a website you (partly) control, you get the target to click a (.torrent) link you crafted, you get the target to download a manipulated video file, compromised (Adobe) software, or cracked game with the payload. These if's are for a military that can easily DNS hijack, spoof (update) certs, ask help from allies who control 25% of all internet advertisements, set up convincing websites targeted to the region, or reroute internet traffic.
While I share your same streak of curiosity, unfortunately this is an area of life in which opening up details of your own operations is most likely always a net negative.
Get a TS/SCI and go work for CyberCommand if you want to be in the know.
That is a valid argument, but can be applied to any hush hush effort. But such "limited visibility" organizations often push to limit public control, after which their mission or methods may morph to support internal goals that may not be shared by the general public they were created to serve.
It would be naive to require that all government information be shared with the public, but we should maintain robust oversight of all clandestine activities and give that oversight teeth to correct problems when such activities go too far. My 2c.
US citizens would be better served by having more oversight and transparency into the lobbying efforts of the NRA and health insurance companies, among others. The civil servants at the NSA have far more in common with 'the public' than any executive at a company that can afford to lobby Congress.
Totally agree. Follow the money will never be un-true.
That information will probably not be revealed. What would be the incentive for the US to do so? Zero. But the incentive of spinning the narrative and keeping the details murky provides a much higher payoff.
> I wish articles like this would divulge some details of the technical side of hacking, rather than keep it a mystical field of study.
Why would you publicly inform your enemy of a vulnerability?
I listened to the report on this article on my way to work. I had the exact same thought as you. I was annoyed that they kept it so general, but it makes sense from the perspective of keeping the target in the dark on the methods used.
I will add, I've undergone various security-focused corporate trainings over the years, once our trainer was a retired Airman, formerly attached to the NSA.
He had one and exactly one story he was allowed to share with us, and it was incredibly vague, like the article. "We infected the target's mother's PC; when the target was fixing the machine we had an asset fake a crisis prompting the target to (stupidly) access a target machine from the mother's infected PC." As he explained, this was all he was authorized to share. The reality is there is very little they can share without prior clearance from the agency, and this is a non-trivial process.
Is that not a double edged sword though? When you reveal sources and methods, you tell ISIS what to do differently. These sorts of things tend to be some of the most closely guarded secrets in the US.
Disclaimer: I had a security clearance when I was in the Army.
I was under the impression that a large portion of it was just google mobilizing their mass manipulation machine for what they decided was the greater good.
It’s not a “mystical field of study”, it’s called cybersecurity and you learn it the way you learn anything else, take books or take a course. Learn about networking, learn about malware, learn about social engineering, do you even know what a reverse shell is? Just learn.
Interesting, but reads a bit like a bad Tom Clancy novel that I read when I was around 12.
I think that "hacking a human" as they described it was the most likely vulnerability. Interesting to see that ISIS actually seem to have a decent infrastructure. From media reports you would believe that they are mainly some barbarians that may have or may have not access to electricity, never mind net access.
That aside: NPR offering a plain text site is just awesome. Found that nearly by accident since I just wanted to accept that damn cookies.
> From media reports you would believe that they are mainly some barbarians that may have or may have not access to electricity, never mind net access.
Isn't that what all reports after 9/11 would have you believe of al-Qaeda and the Taliban? Complete with videos of masked men "training" in deserts by jumping over logs and climbing ropes? And reports that Bin Laden was hiding in mountains?
Meanwhile Bin Laden was living in a large compound in Pakistan all but protected by the Pakistani military and I believe 8 of the 9/11 hijackers had degrees in engineering and a couple PhDs among them.
Nobody who has read anything serious about ISIS would think that. They were a nascent nation state, installing their own civil servants to run schools, infrastructure, etc. Their propaganda videos were nearly Hollywood level in production quality. They were barbarians in values, not capabilities. They were a massively serious organization and we got Mattis just in time to exterminate them.
Since when are they exterminated?
I suppose that depends on if you're defining ISIS as a caliphate / nation-state, or as an organization / ideology.
I was under the impression that neither definition was exterminated.
ISIS lost virtually all of its territory as quickly as it took it.
Like others, I'm also left wondering what methods the US is really using. Obviously, it's too soon to disclose all the details. But compare this (where the few strategies disclosed involve methods like "guess the answer to a security question") to something where we do know the details.
For example, the Stuxnet worm used multiple OS zero days and involved hacking or otherwise exfiltrating signing keys from multiple other third parties (https://www.quora.com/What-is-the-most-sophisticated-piece-o...). I bet a lot of that sort of thing is going on these days too, and we just don't know about it.
Maybe this campaign was as primitive as they let on. It's likely that bringing down a terrorist group's marketing campaign didn't need or warrant a sophisticated attack, like sabotaging Iran's nuclear programme with Stuxnet did. A concerted attack effort using public knowledge techniques may have been enough.
It's in the interest of cyber-warfare actors to not expose their capabilities unnecessarily. Although efforts are taken to prevent malware from coming to the attention of enemies / rivals, or even being adopted by them or criminals, deployment always comes with that risk.
I'm pretty sure that's a given, and I think it's pretty expected that they're not going to put details in some news article.
I dunno about this article... in the minor hacking I've done, it is tedious and boring. More like a homework research project than a swat team raid. If someone said "Fire!" to me I'd laugh.
I would hope that a country with the largest military industrial complex in the world can hack a group of camel herders in a desert. Doesn't seem particularly impressive
It's not a group of camel herders in the desert in regards to their cybersec team. They managed to recruit TriCk/Junaid Hussein (associated with TeaMp0isoN) to be their team leader. TeaMp0isoN were fairly well-known (at the time at least) and actually quite talented hackers.
He was later killed in a drone strike.
Bit crudely put, but it hasn't been the case that the US military has easily trounced small guerrilla forces in ground combat (e.g. Vietnam, Afghanistan, Somalia, etc.), so I assume the idea was to suggest that cyberwarfare works better?
Basically shared my same sentiments. One group isn't even trying; the other is fully reactive and trying to uncover how much the other group knows.
USA always will win.
Is the racism critical to expressing your view? I understand those terrorists are horrible, evil people who inflicted pain and death on innocent people. Your comment is grounded in racism towards Arabs and Muslims. Most victims of ISIS are physically near them.
Also since they supplied equipment to them it would not have been as difficult to trojan it.
The US support of Syrian "moderate" rebels was stupid, shortsighted, and pretended that the world was a different place.
And I will infinitely fault the Obama administration for providing technology which immediately fell into jihadist hands, which any reasonable analyst would have told them would happen.
But it's not accurate to say the US 'supplied' equipment to ISIS. ISIS stole it.
If it was what "any reasonable analyst would have told them would happen," why isn't it reasonable to assume that was the intention? Governments aren't single level actors - they are occasionally capable of subtlety - saying one thing even when intending another.
Did they even get any significant amount of advanced gear that way?
Most heavy things they got from looting Iraqi military.
I am not going to debate why "Obama secretly supported ISIS" is stupid.
It's stupid, and if you think it's plausible, you need to honestly evaluate whether your news sources are informing you or peddling a narrative with an objective.
What if any of this never happened and this story was the real hack?
I tried reading an issue of Dabiq once because I was curious about how they interpreted the Hadith. It was really hard to get, which probably shows that the cyber attack worked. If their servers were still up it should have been easy.
edit: I don't recommend reading Dabiq because a decapitation is really difficult to unsee.
"Folder directory deleted"
Cringe.
I cringed a bit at that and the end of the next paragraph:
> Once he did that, he would see: 404 error: Destination unreadable.
Sounds like somebody got their ICMP types and HTTP response codes mixed up but, hey, they're journalists, not IT guys. We understood their point.
This article has no substance and is seriously completely stupid.
You may be right, but this isn't a helpful comment. Per the HN guidelines [0]:
> Be kind. Don't be snarky. Comments should get more thoughtful and substantive, not less, as a topic gets more divisive. When disagreeing, please reply to the argument instead of calling names. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3." Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.
[0] https://news.ycombinator.com/newsguidelines.html
The question should be how the US created ISIS.