viernes, 26 de abril de 2013

La dinámica de redes de los alias


LulzOpSec: The Network Dynamics of Aliases





Whoa! "Anonymous," a/k/a "the coolest distributed, decentralized, leaderless, amorphous transnational activist network since al Qaeda," recently suffered a major blow when its alleged leader, Hector Xavier Monsegur, sold out the group's elite talent to the FBI in order to save his own hide. This is pretty exciting news and will be a fun, recurring SNA case study.

The big question folks will be asking is "What does this mean for Anonymous?" We should already know the answer to this one, because we have gotten so good at answering the question "What does this mean for al Qaeda?" This is just another decapitation: a "hierarchy" strategy  in a "network" age. Illicit networks with tangible, hierarchical command and control infrastructures are capable of sophisticated, synchronized, and totally sweet attacks (or hacks), but are prone to detection and infiltration. Loosely organized, decentralized, leaderless illicit networks enjoy greater operational security and penetration, but their attacks (or hacks), in comparison, are pretty lame. "Decapitation" basically transforms the former into the latter.

Anonymous just lost its command and control infrastructure, as well as considerable expertise, as a result of the FBI's hard work. Anonymous is now a flatter organization; a decentralized and distributed network of mostly posers, wannabes, and copycats. This group of second stringers is probably nowhere near as skilled or sophisticated as the core group just arrested. But cybersecurity professionals must not get cocky. Months after 9/11, Afghanistan was invaded and al Qaeda was blasted back to the Stone Age. Instead of going extinct, al Qaeda evolved: it began as an organization and transformed into a movement. What will Anonymous look or sound like from this point forward? This post, in the comments section at Gizmodo, eloquently speaks to this network's next evolution:


************

Now that I got that out of the way, I am ready to do some serious SNA work. In this post, I hope to accomplish a few things:

1) Illustrate how aliases facilitate an illicit cell's operational security
2) Illustrate how network analytical techniques can be used to defeat this maneuver
3) Suggest  how an illicit cell might evolve to be resilient against these analytical techniques


1. Aliases facilitate operational security

The indictment of the LulzSec/Anonymous crew reads a little something like this [liberties taken]:

"RYAN ACKROYD, a/k/a “kayla,” a/k/a “lol,” a/k/a “lolspoon”; JAKE DAVIS, a/k/a “topiary,” a/k/a “atopiary”; DARREN MARTYN, a/k/a “pwnsauce,” a/k/a “raepsauce,” a/k/a “networkkitten”; and DONNCHA O’CEARRBHAIL, a/k/a “palladium," [were ratted out by] "HECTOR XAVIER MONSEGUR, a/k/a “Sabu,” a/k/a “Xavier DeLeon,” a/k/a “Leon[.]”

What's with all these aliases? Well, let's first take a look at this network without the benefit of aliases:


Not a whole lot to see here, is there? The sociogram and accompanying sociomatrix above indicate a pretty straightforward network. There is no security inherent in the network structure. Instead, Anonymous relied on operational security measures both high tech (e.g. proxy servers) and low tech (e.g. aliases) in order to assure its members' continued... ahem... anonymity.

Wait a minute: Aliases? Seriously? In a world of cryptography, plastic surgery, stealth drones, SIGINT, facial recognition software and Stuxnet, I can live off the grid if I just call myself Toby instead of Chad? Well, yeah, sorta'. If I say, "Hello, this is CHAD" when I am on the phone, and Twitter from @CHAD, and my email is CHAD@email, then virtually all of my communications, regardless of their medium, will be directed ties originating from a single network node called CHAD. I have made it really easy for the federali to creep on me. However, if my phone is registered to Toby, I Twitter from @Jimbo, and my email is Bertha@email, I have created the impression of 3 independent nodes, each with their own network dimensions. Let's take a look at what happens to the tiny LulzSec network when we insert these guys' aliases into the network:


Take a look at that! Insert a handful of aliases and this network has expanded considerably in both size and complexity. We have created a ton of network noise, masked the organization's true structure, and cast serious doubt as to who is who. In short, somebody's case has gone to shit.

2. Aliases and their owners are structurally equivalent


We all know and love OrgCharts. They remind us of how inconsequential and utterly replaceable we all are. In SNA, we like to refer to that replaceability as structural equivalency. Look at the nuanced and sensitive orgchart above. Structurally, what does a Leader look like? Well, he is linked to Lieutenants, but not Losers. He cannot stand the smell of the proletariat. What does a Loser look like? Well, he is linked to Lieutenants and fellow Losers, but not Leaders. He's never met a leader he didn't want to stab with a pitchfork. What does a Lieutenant look like? Well, he is linked to Leaders, fellow Lieutenants, and Losers. He pretty much has the worst job in the world and everyone hates him. Anyways, this should all be pretty elementary.

Now let's say we insert a random person into this OrgChart. His name is Toby. We do not know if he is a Leader, Lieutenant, or Loser. So then we ask, "What do his links look like?" If the answer is "He is linked to Leaders, Lieutenants, and Losers," then we know he is a Lieutenant. If the answer is "He is only linked to Lieutenants," then we know he is a Leader. If the answer is "He is only linked to Lieutenants and Losers," then we know he is a Loser. And that is structural equivalency in its most basic form.

To spot an alias (that is, a fake actor), we have to take structural equivalency one step further.

Let's say we determine that "Toby" is a Lieutenant. We notice that "Toby," like his fellow Liutenant "Chad," is linked to Leader "Bertha" and Losers "Larry," "Curley," and "Moe." But then we notice something weird: "Chad" and "Toby" are all linked to the same exact people, but they are NOT LINKED TO EACH OTHER. This network reality could indicate that "Toby" is an alias for "Chad," or vice versa. Why? Because no one, unless mentally ill, has conversations with their alias. If you are using an alias for cover, you are doing everything in your power to separate your real identity from your fake one. That distinctive gap, or lack of a link, can be very telling.

Let's break this on down, SNA-style:


In the sociomatrix above, we are looking at the LulzSec network, including aliases. The "1.000" indicates a link between actors when the "          " indicates that there is no link between actors. Let's drill down on the actors "HECTOR_MONSEGUR," "leon," "xavier_deleon," and "sabu." They enjoy links with everyone in this network, but seem to want nothing to do with each other. Why? Because they are the same dude. The other actors and their aliases are spotted the same way.

The sociomatrix above presents a crystal clear picture: what began as 17 actors has been condensed down to 5. Actual actors have been grouped together with their structurally equivalent aliases. The jig is up. For this we can thank an SNA technique called "Block-modeling," an algorithm that rearranges network actors and groups them into structurally equivalent "blocks." I will explore block-modeling further another time, but for now, know this:



3. Towards an SNA-resistant alias

There have been security professionals and dedicated public servants who have talked candidly about terrorist capabilities and have spelled out, explicitly, the vulnerabilities said terrorists could exploit. These people are sometimes accused of "providing a blueprint for terrorism." The folks who make these accusations think that the bad guys are knuckle-dragging, cave-dwelling medievalists. They are dead wrong. The real bad guys, the real threats, are the engineers, scientists, chemists, and managers that empower and compel the knuckle-dragging, cave-dwelling medievalists. These bad guys are way smarter than we are. When we talk about specific tactics that bad guys can use, we are merely talking about tactics that they have already spent years using, perfecting, considering, or passing over for an even better tactic.

That's out of the way, so here it is: SNA-resilient alias will talk to one another. My aliases "Toby" and "Steve" will chat with each other in public online spaces (Toby uses my desktop while Steve uses a mobile device). Both Toby and Steve will attend the same security conference: Toby will write an online review of the event while Steve links to it on his Facebook account. In fact, I will meet them both there and get lunch with them. The gaps and the contours of the network expose its structure and its inner workings. The gap will not hide you, it will only make you more distinct, isolated, and conspicuous. But the link can hide you.  Each time aliases come together in manufactured ways, the link between them grows stronger. But enough appearances together, enough conversations amongst each other, enough co-appearances on the same roster... soon enough, they are mutually exclusive and distinct actors.... and somebody's case has gone to shit.


Third Degree Centrality

No hay comentarios:

Publicar un comentario