Thursday, 30 August 2012

My Role in Information Warfare during the Yugoslav Wars

This morning I read a Tweet from @AirForceAssoc reminding me that:

Today in Airpower History, August 30, 1995: NATO and U.S. aircraft began airstrikes on Serbian ground positions in Bosnia-Herzegovina to support the U.N. Operation Deliberate Force. The airstrikes, with a Bosnian-Croatian ground attack, convinced the Serbs to accept peace terms in late 1995.

I'm not particularly fond of commemorating airpower campaigns, but the Tweet did remind me of the small part I played in the Yugoslav Wars of the 1990s. Many Americans remember the 1990s, and especially the Clinton presidency, as a "quiet decade" between the first Gulf War led by President GHW Bush and the so-called "Global War on Terror" led by President GW Bush. Instead of a quiet decade, I remember an exceptionally busy time for the Air Force, including some of the first "information operations" that combined digital and physical effects.

In fact, fifteen years ago, almost to the week I believe, I volunteered to deploy from San Antonio to Joint Analysis Center (JAC) Molesworth in the UK. They needed intelligence support in the targeting shop, so as an Air Force intel officer I fit the bill. I decided to volunteer to go to the UK over the holidays (through early January) at a time of my "choice," rather than wait for the inevitable call to deploy to the desert, where US forces were still conducting counter-Iraqi operations.

Besides other targeting duties, the most interesting aspect of the shop was a requirement we received concerning a counter-propaganda campaign. Serbian Radio Television (SRT) was broadcasting fairly vile and false information to undermine the peace process. The Stabilization Force (SFOR) commander asked the JAC for options to shut down SRT transmissions, i.e., how to conduct "offensive counterinformation" operations against the Serbs.

We did some technical analysis of the SRT communication infrastructure and determined that if a certain set of transmission towers were "out of commission," that would end the broadcast problem. Part of the shop thought 500 lb bombs would be the best answer. Others thought we should apply a nondestructive approach and simply seize the towers by surrounding them with troops and tanks.

The photo in this post, attributed to the 55th Combat Camera Company, tells you what happened the morning of 1 October, 1997. SFOR seized four towers (Hill 619 in Duga Njiva is depicted), effectively terminating the SRT propaganda campaign. SFOR didn't destroy anything, but it conducted an information warfare operation to achieve the desired objective -- control of adversary mass communication.

If you'd like to read more about the history and theory of this operation, please see Physical Attack Information Operations in Bosnia: Counterinformation in a Peace Enforcement Environment by Major Arthur N. Tulak. I haven't yet read Memory, the media and NATO: information intervention in Bosnia-Hercegovina by Monroe Price, but it also discusses the same operation.

Saturday, 25 August 2012

Less Thrashing; More Queries (Part II)

These are more advanced event queries than those in my last post. Creating the queries as PSObject properties improves query speed. More intra-message searches, written as calculated properties, are included below.

# Each log query becomes a NoteProperty on a single PSObject, so each log is read once
$Elements=New-Object PSObject -Property @{
Security_515X=get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}
System=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}
Application=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}
}

# Clear any result set left over from a previous run
if ($All_Events) {rv -ea 0 All_Events}

$global:Events= foreach ($element in $Elements) {$element}
[array]$HAElements="Security_515X","System","Application"
# Concatenate the three arrays into one collection (70,000 events here), then sort newest first
foreach ($element in $HAElements){$All_Events+=$Events.$element}
$a=$All_Events | Sort -desc -property TimeCreated


PS C:\> measure-command -expression {
>>
>> $Elements=New-Object PSObject -Property @{
>> Security_515X=get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}
>> System=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}
>> Application=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}
>> }
>>
>> if ($All_Events) {rv -ea 0 All_Events}
>> $global:Events= foreach ($element in $Elements) {$element}
>> [array]$HAElements="Security_515X","System","Application"
>> foreach ($element in $HAElements){$All_Events+=$Events.$element}
>> $a=$All_Events | Sort -desc -property TimeCreated
>> }
>>


Days              : 0
Hours             : 0
Minutes           : 5
Seconds           : 10
Milliseconds      : 163
Ticks             : 3101636859
TotalDays         : 0.00358985747569444
TotalHours        : 0.0861565794166667
TotalMinutes      : 5.169394765
TotalSeconds      : 310.1636859
TotalMilliseconds : 310163.6859


PS C:\> $All_Events.count

70000
PS C:\> $Elements | gm


   TypeName: System.Management.Automation.PSCustomObject


Name          MemberType   Definition

----          ----------   ----------
Equals        Method       bool Equals(System.Object obj)
GetHashCode   Method       int GetHashCode()
GetType       Method       type GetType()
ToString      Method       string ToString()
Application   NoteProperty System.Object[] Application=System.Object[]
Security_515X NoteProperty System.Object[] Security_515X=System.Object[]
System        NoteProperty System.Object[] System=System.Object[]


PS C:\> $Elements.Application.count

10000
PS C:\> $Elements.Security_515X.count
50000
PS C:\> $Elements.System.count
10000

Parsing ports and addresses from the message field of security events 5156, 5157 and 5158

(e.g.:
C:\Windows\system32>auditpol /get /subcategory:"Filtering Platform Policy Change"
System audit policy
Category/Subcategory                      Setting
Policy Change
  Filtering Platform Policy Change        Success and Failure
)

is still a little kludgey here:


$a[0..100] | Select  TimeCreated,ID,ProviderName, `
@{Name='Ext_Message';Expression={($_.Message | findstr "Address Source Port")}} `
| ft -auto -wrap


TimeCreated            Id ProviderName                        Ext_Message
-----------            -- ------------                        -----------
8/25/2012 9:48:33 AM 7036 Service Control Manager
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing {    Source Address:        192.168.0.11,     Source Port:        2672,     Destination Address:    199.47.217.146,     Destination
                                                              Port:        80}
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing {    Source Address:        192.168.0.11,     Source Port:        2672,     Destination Address:    199.47.217.146,     Destination
                                                              Port:        80}
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing {    Source Address:        192.168.0.11,     Source Port:        2672,     Destination Address:    199.47.217.146,     Destination
                                                              Port:        80}

This is more concise:  

     
$a[0..100] | Select  TimeCreated,ID,ProviderName, `
@{Name='Ext_Message';Expression={($_.Message | findstr "Address Source Port") `
-replace("Source Address:","") -replace("Destination Address:","") `
-replace("Source Port:","") -replace("Destination Port:","") }} `
| ft -auto -wrap  

TimeCreated            Id ProviderName                        Ext_Message
-----------            -- ------------                        -----------
8/25/2012 9:48:33 AM 7036 Service Control Manager
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing {            192.168.0.11,             2672,         199.47.217.146,             80}
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing {            192.168.0.11,             2672,         199.47.217.146,             80}
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing {            192.168.0.11,             2672,         199.47.217.146,             80}
8/25/2012 9:47:24 AM 5156 Microsoft-Windows-Security-Auditing {            192.168.0.11,             17500,         255.255.255.255,             17500}
8/25/2012 9:47:12 AM 5156 Microsoft-Windows-Security-Auditing {            192.168.0.11,             137,         192.168.0.255,             137}
8/25/2012 9:47:00 AM 7036 Service Control Manager
8/25/2012 9:47:00 AM 7036 Service Control Manager
8/25/2012 9:46:58 AM 5158 Microsoft-Windows-Security-Auditing {            ::,             2680}
8/25/2012 9:46:58 AM 5156 Microsoft-Windows-Security-Auditing {            ::1,             445,         ::1,             2680}
8/25/2012 9:46:58 AM 5156 Microsoft-Windows-Security-Auditing {            ::1,             2680,         ::1,             445}
8/25/2012 9:46:54 AM 5156 Microsoft-Windows-Security-Auditing {            192.168.0.11,             17500,         255.255.255.255,             17500}
8/25/2012 9:46:42 AM 5156 Microsoft-Windows-Security-Auditing {            192.168.0.11,             2672,         199.47.217.146,             80}
8/25/2012 9:46:42 AM 5156 Microsoft-Windows-Security-Auditing {            192.168.0.11,             2672,         199.47.217.146,             80}
8/25/2012 9:46:42 AM 5156 Microsoft-Windows-Security-Auditing {            192.168.0.11,             2672,         199.47.217.146,             80}
8/25/2012 9:46:24 AM 5156 Microsoft-Windows-Security-Auditing {            192.168.0.11,             17500,         255.255.255.255,             17500}                                                    
...

08/26/2012: I've updated this post with the use of 'normalize()' to remove brackets.


Here are some methods to parse through the 70K log entries looking for connections:


$a[0..100] | Select ID,ProviderName,TimeCreated, `
@{Name="Message[10]"; Expression={($_.Message)[0,1]}}, `
@{Name="SourceAddress"; Expression={(($_.Message | findstr /C:"Source Address:").replace("Source Address:","")).Normalize()}}, `
@{Name="DestinationAddress"; Expression={(($_.Message | findstr /C:"Destination Address:").replace("Destination Address:","")).Normalize()}} `
| ft  -auto -wrap


This use of the for command lets the user page through the log fifty events at a time (the loop has no exit condition; break out of it with Ctrl+C):

for ($i = 0;; $i += 50) {$a[$i..($i+49)] | ft -auto ID,ProviderName,TimeCreated,Message;pause}


for ($i = 0;; $i += 50) {$a[$i..($i+49)]| `
ft -auto -wrap ID,TimeCreated,@{Name="Ext_Message"; Expression={(($_.Message | findstr "Address Source Port")).Normalize()}};
pause;
}

This last one cleans it up and separates Source and Destination into different fields:


for ($i = 0;; $i += 50) {$a[$i..($i + 49)] | `
ft -auto -wrap TimeCreated,ID,ProviderName, `
@{Name="SourceAddress";Expression={(($_.Message | findstr /C:'Source Address:').replace("Source Address:","")).Normalize()}}, `
@{Name="DestinationAddress";Expression={(($_.Message | findstr /C:'Destination Address:').replace("Destination Address:","")).Normalize()}};
pause;
}

  Id ProviderName                        TimeCreated          SourceAddress            DestinationAddress
  -- ------------                        -----------          -------------            ------------------
7036 Service Control Manager             8/25/2012 9:48:33 AM
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:37 AM             192.168.0.11         199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:37 AM             192.168.0.11         199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:37 AM             192.168.0.11         199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:24 AM             192.168.0.11         255.255.255.255
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:12 AM             192.168.0.11         192.168.0.255
7036 Service Control Manager             8/25/2012 9:47:00 AM
7036 Service Control Manager             8/25/2012 9:47:00 AM
5158 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:58 AM             ::
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:58 AM             ::1                  ::1
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:58 AM             ::1                  ::1
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:54 AM             192.168.0.11         255.255.255.255
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:42 AM             192.168.0.11         199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:42 AM             192.168.0.11         199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:42 AM             192.168.0.11         199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:24 AM             192.168.0.11         255.255.255.255

...


Now we will do some quick analysis courtesy of the 'group-object' command:


$SearchResult= $a | Select ID,RecordID,TimeCreated, `
@{Name='SourceAddress';Expression={(($_.Message | findstr /C:'Source Address:').replace("Source Address:","")).Normalize()}}, `
@{Name='DestinationAddress';Expression={(($_.Message | findstr /C:'Destination Address:').replace("Destination Address:","")).Normalize()}}

$SearchResult | group -property ID -noelement | Sort -desc -property Count


Count Name
----- ----
 2565 5158
 2369 5156
  898 1035
  751 7036
   66 5157
   56 1
   33 7042
   32 7040
   29 257
   27 42
   27 0
...

$SearchResult | Select SourceAddress,DestinationAddress | Sort -unique -desc -property SourceAddress,DestinationAddress


SourceAddress                                                                                       DestinationAddress
-------------                                                                                       ------------------
            fe80::ffff:ffff:fffe                                                                            ff02::2
            fe80::ffff:ffff:fffe                                                                            ff02::16
            fe80::cddc:ceef:b717:a5ac                                                                       ff02::1:3
            fe80::46:eb0:3f57:fff4                                                                          ff02::2
            fe80::3069:3e11:3f57:fff4                                                                       ff02::2
            fe80::3069:3e11:3f57:fff4                                                                       ff02::16
            fe80::1468:390c:3f57:fff4                                                                       ff02::2
            fe80::1468:390c:3f57:fff4                                                                       ff02::16
            255.255.255.255                                                                                 0.0.0.0
            239.255.255.250                                                                                 127.0.0.1
            224.0.0.252                                                                                     192.168.0.11
            224.0.0.22                                                                                      192.168.0.11
            199.47.216.177                                                                                  192.168.0.11
            192.168.0.11                                                                                    98.138.49.43
            192.168.0.11                                                                                    98.137.49.1
            192.168.0.11                                                                                    98.124.156.54
            192.168.0.11                                                                                    96.17.239.144
            192.168.0.11                                                                                    96.17.237.177


$SearchResult | group -property SourceAddress,DestinationAddress -noelement | Sort -desc -property Count | ft -auto


Count Name
----- ----
 2170             0.0.0.0
 2000
  617             192.168.0.11,         192.168.0.1
  113             192.168.0.11
  110             192.168.0.11,         199.47.217.146
  109             ::
   99             127.0.0.1
   89             192.168.0.11,         255.255.255.255
   81             192.168.0.11,         192.168.0.255
   74             ::1
   50             239.255.255.250,         127.0.0.1
   48             192.168.0.11,         12.129.210.71
   48             192.168.0.11,         184.73.175.201
   44             192.168.0.11,         224.0.0.252
   33             192.168.0.11,         224.0.0.22
   28             192.168.0.11,         173.192.226.196
   27             192.168.0.11,         96.17.237.177
   26             255.255.255.255,         0.0.0.0
   23             192.168.0.11,         64.94.107.64
....
#Note: Using Normalize() doesn't help me here...
[array[]]$Tuple=($SearchResult | group -property SourceAddress,DestinationAddress -noelement | Sort -desc -property Count | Select Name) -replace(",","") -replace("  ","")
[array[]]$Tuple=$Tuple.replace("@{Name=","") -replace("}","")

$Tuple[0..100]

                        0.0.0.0
                        192.168.0.11            192.168.0.1

                        192.168.0.11
                        192.168.0.11            199.47.217.146
                        ::
                        127.0.0.1
                        192.168.0.11            255.255.255.255
                        192.168.0.11            192.168.0.255
                        ::1
                        239.255.255.250                 127.0.0.1
                        192.168.0.11            12.129.210.71
                        192.168.0.11            184.73.175.201
                        192.168.0.11            224.0.0.252
                        192.168.0.11            224.0.0.22
                        192.168.0.11            173.192.226.196
                        192.168.0.11            96.17.237.177
                        255.255.255.255                 0.0.0.0
                        192.168.0.11            64.94.107.64
                        224.0.0.252             192.168.0.11
                        192.168.0.11            174.137.34.100
                        192.168.0.11            239.255.255.250
                        192.168.0.11            23.3.68.139
                        127.0.0.1               127.0.0.1
                        192.168.0.11            173.192.226.197
                        192.168.0.11            184.73.247.29
                        192.168.0.11            199.47.216.177
                        0.0.0.0                 255.255.255.255

...


Wednesday, 22 August 2012

Thrashing memory with queries...(Part I)


These are some event log search queries. They all thrash memory in any PowerShell session.
I have written them down for some reason. Probably so I can evolve more elegant solutions to such queries in the future.

foreach ($i in @("a","b","c","d","e")) {if ($i) {rv -ea 0 $i}}
$start=(get-winevent  -log security -max 1).TimeCreated
$a=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)})
$c=(get-winevent -ea 0 -log System -max 10000) | Select TimeCreated,ProcessID,ThreadID,Message
$d=(get-winevent -ea 0 -log Application -max 10000) | Select TimeCreated,ProviderName,Message
# Note: the backtick must be the last character on a continued line; a trailing space breaks the continuation
$b=$a |  Select TimeCreated,ProcessID,ThreadID, `
@{Name="Port";Expression={($_.Message | findstr /C:"Source Port:").replace("Source Port:"," ")}}, `
@{Name="Application";Expression={($_.Message | findstr /C:"Application Name:").replace("Application Name:"," ")}}
$e=@()
$e=($b + $c + $d) | sort -desc -property TimeCreated
$a.count;$b.count;$c.count;$d.count;$e.count
$e | ft -auto -wrap TimeCreated,Application,ProcessID,ThreadID,Port,Message


# $start=(get-winevent  -log security -max 1).RecordID
# $a=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)})
# $b | where Application -match 'dropbox.exe' | ft -auto
# ($a | ? {$_.RecordID -gt $Start} | % {$_.Message | findstr /C:"Source Port"} ).count
# $b=$a |  % {write "$($_.TimeCreated) : PID=$($_.ProcessID) : $($_.Message | findstr /C:"Source Port") : $($_.Message | findstr /C:"Application Name:")"}
# $b=$a |  Select TimeCreated,ProcessID, @{Name="Port";Expression={($_.Message | findstr /C:"Source Port")}}, @{Name="Application";Expression={$_.Message | findstr /C:"Application Name:"}}


$s = New-PSWorkflowSession
Invoke-Command $s {
 workflow Invoke-ParallelForEach
 {
     foreach -parallel ($i in 0)
     {
         InlineScript
         {
             "foo: $using:i"
         }
         $var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var | export-csv -path C:\ps1\security.csv
         $var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
         $var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var  | export-csv -path C:\ps1\application.csv
     }
 }
}
Invoke-Command $s { Invoke-ParallelForEach -PSComputerName localhost }


 workflow getwinevent
 {
$var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var | export-csv -path C:\ps1\security.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var  | export-csv -path C:\ps1\application.csv
 }
getwinevent

[gc]::gettotalmemory(0)/1MB
[gc]::collect(2)
$var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var |  export-csv -path C:\ps1\security.csv
[gc]::gettotalmemory(0)/1MB
[gc]::collect(2)
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
[gc]::gettotalmemory(0)/1MB
[gc]::collect(2)
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var  | export-csv -path C:\ps1\application.csv
[gc]::gettotalmemory(0)/1MB
[gc]::collect(2)


$var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var | export-csv -path C:\ps1\security.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var  | export-csv -path C:\ps1\application.csv
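The two posts above hold 70,000 event objects in memory and then pick addresses out of the message text with findstr, replace() and Normalize(). The following is an added example, not code from the original posts: it streams Get-WinEvent output through the pipeline so only per-tuple counts stay resident, and parses the 5156/5157/5158 message fields with a regex that copes with 5158 bind events, which carry no destination. Function names, the sample message and the "Source -> Destination:Port" key format are assumptions of this example.

```powershell
function ConvertFrom-WfpMessage {
    # Parse one Windows Filtering Platform event message into a flat object.
    # 5158 (bind) messages have no Destination lines, so those fields stay $null
    # instead of breaking the calculated property.
    param([Parameter(Mandatory)][string]$Message)

    $out = [ordered]@{
        Application        = $null
        Direction          = $null
        SourceAddress      = $null
        SourcePort         = $null
        DestinationAddress = $null
        DestinationPort    = $null
        Protocol           = $null
    }
    $labels = @{
        'Application Name'    = 'Application'
        'Direction'           = 'Direction'
        'Source Address'      = 'SourceAddress'
        'Source Port'         = 'SourcePort'
        'Destination Address' = 'DestinationAddress'
        'Destination Port'    = 'DestinationPort'
        'Protocol'            = 'Protocol'
    }
    foreach ($label in $labels.Keys) {
        # (?m) makes ^ and $ match at line boundaries inside the multi-line message;
        # the lazy capture plus \s*$ strips the tabs and CR that findstr leaves behind.
        if ($Message -match ('(?m)^\s*' + [regex]::Escape($label) + ':\s*(\S.*?)\s*$')) {
            $out[$labels[$label]] = $Matches[1]
        }
    }
    [pscustomobject]$out
}

function Get-WfpConnectionSummary {
    # Count (source -> destination:port) tuples while streaming the Security log.
    # Only the hashtable of counts is kept; the EventLogRecord objects are released
    # as each one leaves the pipeline, which is what the -max 50000 array never allows.
    param([int]$MaxEvents = 50000, [int[]]$Id = (5156..5158))

    $counts = @{}
    Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents $MaxEvents `
        -FilterHashtable @{LogName = 'Security'; Id = $Id} |
        ForEach-Object {
            $p = ConvertFrom-WfpMessage -Message $_.Message
            $key = '{0} -> {1}:{2}' -f $p.SourceAddress, $p.DestinationAddress, $p.DestinationPort
            $counts[$key] = 1 + [int]$counts[$key]
        }
    $counts.GetEnumerator() | Sort-Object -Property Value -Descending |
        Select-Object @{Name = 'Count'; Expression = { $_.Value }},
                      @{Name = 'Tuple'; Expression = { $_.Key }}
}

# Constructed sample 5156 message (not captured from a host) to exercise the parser offline.
$sample = @"
The Windows Filtering Platform has permitted a connection.

Application Information:
    Process ID:        1234
    Application Name:  \device\harddiskvolume2\program files\example\example.exe

Network Information:
    Direction:            Outbound
    Source Address:       192.168.0.11
    Source Port:          2672
    Destination Address:  199.47.217.146
    Destination Port:     80
    Protocol:             6
"@
ConvertFrom-WfpMessage -Message $sample | Format-List

# Live run against the local Security log (requires an elevated session on Windows).
Get-WfpConnectionSummary -MaxEvents 50000 | Select-Object -First 20 | Format-Table -AutoSize
```

The sample parse should show SourceAddress 192.168.0.11, DestinationAddress 199.47.217.146 and DestinationPort 80 with no surrounding whitespace, which is the cleanup the Normalize() and -replace chains above were working towards.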

Saturday, 18 August 2012

The Best Way to Bypass the Great Firewall of China (Windows and Linux)

FreeGate is the way to go to freely use the Internet in China
Update: Click here for my review of other VPNs and Proxies

If you have plans to go to China on vacation, or to live there for any length of time, you will need to prepare to visit the Great Firewall of China. Visiting this tourist attraction is mandatory! As most people know, many websites are blocked in China, mostly websites related to social interaction such as Facebook, Twitter and Google+, and most of the popular blogging platforms such as Wordpress and Blogger (which means that if you are reading this, you are either not in China, or you have already figured out a way to bypass the Great Firewall of China).

I have lived in China now for a year and have tried many different tools to try to use the internet freely. I have tried various VPNs, Hotspot Shield and Freegate. The best (and freest) is Freegate.


Thursday, 09 August 2012

DOJ National Security Division Pursuing Cyber Espionage

I just read Justice Department trains prosecutors to combat cyber espionage by Sari Horwitz, writing for the Washington Post. The article makes several interesting points:

Confronting a growing threat to national security, the Justice Department has begun training hundreds of prosecutors to combat and prosecute cyber espionage and related crimes, according to senior department officials.

The new training is part of a major overhaul following an internal review that pinpointed gaps in the department’s ability to identify and respond to potential terrorist attacks over the Internet and to the rapidly growing crime of cyber espionage, the officials said, describing it for the first time.

In recent weeks, Justice has begun training more than 300 lawyers in Washington and nearly 100 more across the country in the legal and technical skills needed to confront the increase in cyber threats to national security...

Under the reorganization, teams of specialized lawyers within NSD in Washington will work with other agencies, the military and companies facing cyber intrusions. They will develop protocols for the intelligence community and federal agents in how to deal with private companies that are victims of cyber attacks. The issues revolve around how to build possible prosecutions within guidelines covering information sharing, privacy and civil liberties.

At least one prosecutor in each of the 94 U.S. attorney’s offices around the country has been designated and will be trained to gather evidence and prosecute cyber espionage and similar Internet-related cases.

This is very interesting if the focus is truly on cyber espionage cases. DOJ prosecutes physical espionage cases routinely (albeit with difficulty due to the nature of the laws). Cyber espionage cases are almost never pursued. Working with private companies will be key to this problem, and that aspect is mentioned specifically in the article.

Let's see what happens!