Big Brother and the Men in Black

Published by Pedro C. on 11-02-2013

Taking advantage of the start of "Gran Hermano 14" (Big Brother 14) in Spain, and of the fact that I do not like "trash" TV, this article raises several questions. Does "Big Brother", "Echelon" or anything like them really exist? That is the question... True or false?

Last year, people were detained on arrival in the United States for "joking" on their Twitter accounts about "destroying America". This really happened because "there is something" that can become the subject of a counter-terrorism investigation, with a "hacker" (a.k.a. researcher != criminal) counted as one of them.

Every day we type search terms into search engines and use Facebook, Twitter and so on, and we may trigger the alerts of the United States Department of Homeland Security. But... is that really so, and is it confirmed?

The Electronic Privacy Information Center (EPIC), in its continuous watch over privacy and freedom on the net, filed a successful lawsuit and obtained a document that proves it, called the Analyst Desktop Binder, which details at least 400 monitored terms. Later, members of the Department of Homeland Security said the manual was outdated and, facing EPIC's lawsuit over the overreach of their investigations, stated literally that it "was only done to discover possible threats and not to look for people who criticised the government and label them ideological enemies".

Whether we believe it or not, those terms exist (see them from page 20 of the document onwards), along with many more current ones, and we can become the target of an investigation by the United States Department of Homeland Security.

Triggering the alarms

We are developing a Python tool to process this kind of information automatically. We will publish it as a plugin for various tools, such as the upcoming Golismero v2.0. It performs a syntactic and grammatical analysis to "recognise" logically meaningful patterns in real time, searches for keywords and finally produces a "score" that can trigger an alert when it exceeds a preset cut-off. The plugin will be usable to scan texts on web pages, forums, social networks, the Deep Web, etc. Because of its complexity, the plugin will not be published yet, as it is still in its "learning phase" and under testing. You can get a rough idea of NLP from the freely available book Natural Language Processing with Python (O'Reilly), which will serve as a foundation for studying the plugin in depth later on.

For now, suppose we have the text of an e-mail. We analyse it with the plugin and, if it passes the cut (it makes sense and is grammatically correct), we weight each word in the context of the whole, discarding articles, prepositions, etc., and assign a value to each one. Next, we choose a group from the blacklist and give each of its terms a specific value (in our case we distributed that value equally, although we could use larger or smaller values for certain terms). We count the frequency and occurrences of those words and compute a final score for the text. We set the alert "trigger" value for the group at 50% and check whether the alert would fire.
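As an added illustration of the scoring procedure just described (not the plugin's own code, which the authors have not published), the following Python sketch tokenises a text, drops stop words, gives every term of a blacklist group an equal weight, counts occurrences and compares a final score against the 50% cut-off. The stop-word list, the group terms and both sample texts are constructed here; the two formulas (keyword score as weighted share of the group's terms seen, final score as the fraction of content tokens that are group terms) are assumptions and do not reproduce the percentages reported later in the article.

```python
import re
from collections import Counter

# Constructed stop-word list (articles, prepositions, pronouns) dropped before scoring.
STOPWORDS = {"the", "a", "an", "of", "and", "to", "in", "is", "was", "by", "on",
             "with", "for", "that", "he", "she", "it", "they", "his", "her", "at"}

# Constructed stand-in for one blacklist group: the terms the article says the
# plugin flagged in the film synopsis, not the official Analyst Desktop Binder list.
HEALTH_CONCERN = ["outbreak", "virus", "mutation", "ebola", "resistant",
                  "infection", "pandemic", "plague", "cdc"]

def tokenize(text):
    """Lower-case the text and keep only alphabetic word tokens."""
    return re.findall(r"[a-z]+", text.lower())

def score_text(text, group, weights=None, cutoff=0.5):
    """Score a text against one blacklist group (assumed formulas).

    keyword_score: weighted share of the group's terms that occur at least once.
    final_score:   share of content tokens (stop words removed) that are group terms.
    alert:         True when final_score reaches the preset cut-off (50% by default).
    """
    tokens = [t for t in tokenize(text) if t not in STOPWORDS]
    # Equal split across the group unless the caller tunes individual weights.
    weights = weights or {term: 1.0 / len(group) for term in group}
    counts = Counter(tokens)
    hits = {term: counts[term] for term in group if counts[term]}
    keyword_score = sum(weights[t] for t in hits) / sum(weights.values())
    final_score = sum(hits.values()) / len(tokens) if tokens else 0.0
    return {"hits": hits, "keyword_score": keyword_score,
            "final_score": final_score, "alert": final_score >= cutoff}

# Constructed inputs: one dense in group terms, one containing none.
SAMPLE_ALERT = ("The outbreak of the virus in Cambridge was a mutation of Ebola. "
                "The CDC warned the virus infection was resistant.")
SAMPLE_BENIGN = "Danny Boyle directed the film and Cillian Murphy starred."

if __name__ == "__main__":
    for sample in (SAMPLE_ALERT, SAMPLE_BENIGN):
        result = score_text(sample, HEALTH_CONCERN)
        print(f"keywords={result['keyword_score']:.2%} "
              f"final={result['final_score']:.2%} alert={result['alert']}")
```

Multi-word terms such as "Center for Disease Control" would need phrase matching before tokenisation; this sketch only matches single tokens.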

We will let one of the many automatic article generators available on the Internet do the "dirty work". While we are at it, note that there are even generators for "scientific papers", such as scigen, whose output has even been accepted by the community and credited to its "authors". You can see a direct example in the "Sokal" affair.

We can also try selecting words from the "Cyber Security" group and feeding them into essaygenerator to produce our "article". If we read the result carefully and tweak it a little, it can even pass as credible for all practical purposes. Social engineering techniques would be enough to try to "slip it" into a trusted source and set off all the alerts of our beloved "Big Brother".

For the first example, we take as reference a text that Angelete (@angeletter) provided us, already duly modified, completely harmless and containing words from the Health Concern group, based on the Wikipedia article on the film 28 Days Later. Let us look at the modified text:

28 Days Later

28 Days Later is a 2002 British horror film directed by Danny Boyle. The screenplay 
was written by Alex Garland, and the film stars Cillian Murphy, Naomie Harris, Brendan
Gleeson, Megan Burns, and Christopher Eccleston. The plot depicts the breakdown of 
society following the accidental release of a highly contagious virus and focuses upon
the struggle of four survivors to cope with the destruction of the life they once knew.

Successful both commercially and critically, the film is credited with reinvigorating
the zombie sub-genre.[1] The film spawned a 2007 sequel, 28 Weeks Later, a graphic novel
titled 28 Days Later: The Aftermath, which expands on the timeline of the outbreak, and 
a 2009 comic book series 28 Days Later.

Plot

British animal liberation activists break into a laboratory of the Center for Disease Control
(CDC) in Cambridge. While trying to free some chimpanzees being used for medical research,
they are interrupted by a scientist (David Schneider). Despite his desperate warnings that
the chimps are infected with a virus dubbed "Rage", a kind of mutation of Ebola, which he
claims is highly contagious and resistant and only takes one bite to spread, the activists
open the cages anyway and release the chimpanzees. A chimp attacks a female activist and 
immediately infects her, and she in turn infects the other members of the group, including
the chief scientist when he attempts to kill her.

28 days later, a bicycle courier named Jim (Cillian Murphy) awakens from a coma in 
St Thomas' Hospital in London. He finds the hospital deserted and seemingly empty. He finds
a medical suit and dresses. Outside, he discovers the city completely deserted with signs 
of catastrophe everywhere. Jim then wanders into a seemingly abandoned church, only to alert
a small group of Rage-infected people who were hiding there. As he tries to approach a 
priest who he then realises has also been infected, the 'Infected' spot him and try to 
attack him, giving chase. At the last minute, he is saved by Selena (Naomie Harris) and 
Mark (Noah Huntley), who throw Molotov cocktails at Jim's pursuers, resulting in the blowing
up of a petrol station.

Afterwards, they rush him to their hideout in the London Underground. There, they reveal 
that while Jim was comatose from his accident, an unknown virus spread uncontrollably among
the populace, turning most people into rabid, psychotic "infected," overwhelming the 
government and security services, resulting in societal collapse. It is a virulent, blood 
and water borne virus that sends its hosts into a state of extreme rage. They also explain 
that infection has been reported in Paris and New York. The next morning, Selena and Mark 
accompany Jim to his parents' house where he discovers that they have committed suicide. 
That night, two of the infected see a candle Jim lights in the kitchen and attack. Mark is
badly cut and covered in infected blood; Selena quickly kills him, later explaining to Jim 
that the Rage virus overwhelms its victims in no more than 20 seconds. This necessitates the
immediate killing of people who may have been infected. She also assures him that, should he
get infected, she would kill him "in a heartbeat." After leaving, they discover two more 
survivors, Frank (Brendan Gleeson) a cab driver, and his teenage daughter, Hannah (Megan 
Burns), holed up in a block of flats, and are invited to spend the rest of the night with 
them.

Frank informs them the next day that supplies, particularly water, are dwindling, and plays
them a pre-recorded radio broadcast apparently transmitted by a military blockade near
Manchester. The broadcast claims the soldiers have "the answer to infection" and invite any
survivor to try to reach their safe haven. The survivors board Frank's cab in search of the
signal source and during the trip bond with one another in various situations. When the four
reach the deserted blockade, Frank is infected when a drop of blood from a dead body falls
into his eye. As he succumbs, he is killed by the arriving soldiers, who then take the
remaining group to a fortified mansion under the command of Major Henry West (Christopher
Eccleston).

After settling in the mansion, West promises the three protection from the infected. 
However, Jim eventually discovers that West's "answer to infection" involves waiting for 
the infected to starve to death, and his broadcast of the radio message was launched to 
attract female survivors into sexual slavery to rebuild the population with his platoon's 
members. Jim attempts to escape with Selena and Hannah, but is captured by the soldiers, 
along with a Sergeant Farrell (Stuart McQuarrie), who disagrees with the major's plan and 
tried to stop the other soldiers from imprisoning the group. During their imprisonment, 
Farrell theorizes that there is no worldwide pandemic, and that only Great Britain has 
been quarantined for controlling the plague, which is proved when a NATO plane scouts 
the land.

The next day, Selena and Hannah are made to dress in evening wear and prepare for rape, as 
two soldiers lead Jim and Farrell to be executed. After his escorts quarrel after killing 
Farrell, Jim manages to escape. After luring West and one of his men to the blockade and 
ambushing them, Jim runs back to the soldiers' headquarters where he unleashes Mailer, an 
infected soldier whom West kept chained outside for observation. Mailer attacks the soldiers
in the mansion, while Jim sets out to rescue the girls, who had been split up in the chaos.
Selena, held hostage by Corporal Mitchell (Ricci Harnett), is then rescued by Jim, who 
arrives and savagely kills Mitchell with his bare hands. Selena mistakes Jim for an 
infected and raises her machete to kill him, but when she hesitates, Jim remarks, "That was
longer than a heartbeat." The two kiss, reunite with Hannah, and run to Frank's cab, only
to encounter a vengeful West, who shoots Jim in the stomach. Hannah commandeers the cab 
and backs it up to the front door, where Mailer drags West out through the smashed rear 
window and kills him. She then drives away with Jim and Selena.

Selena and Hannah rush Jim to a deserted hospital, where Selena performs life-saving 
emergency procedures, but to no avail, as he falls into the coma again. They take his 
body to the cab and leave Manchester.

28 days later, Jim is shown waking up in recovery again, this time at a remote cottage. 
Downstairs, he finds Selena sewing large swaths of fabric when Hannah appears. The three 
rush outside and unfurl a huge cloth banner, adding the final letter to the word "HELLO"
laid out on the meadow. A lone Folland Gnat fighter jet with Finnish markings flies over
the landscape. The jet flies over the three waving survivors and their distress sign while
the pilot, speaking in Finnish, calls in an evacuation helicopter. As it flies away Selena
says with a smile, "Do you think they saw us this time?"

A human reading it would see nothing odd, unless they know the film and notice some differences in the plot. However, when we run it through the plugin, we detect words such as outbreak, Center for Disease Control (CDC), virus, mutation, ebola, resistant, infection, pandemic, plague, etc., which require it to be analysed in depth. In our Big Brother's analysis the keywords get a 0.94% probability of being a threat; contrasted with the full set of words used, they amount to a final score of only 0.17%, so clearly NO ALARM WOULD BE TRIGGERED and the text would be considered "non-malicious" even if published in a "trusted" source. We leave you a chart with the statistical distribution of the "key" words used and their trend, to analyse the content in more detail:

Next, let us look at a text that Dani a.k.a. Cr0hn (@ggdaniel) provided for analysis under the Southwest Border Violence group, and which he could post on his Facebook wall in a totally "innocent" way:

Yesterday I was watching at the TV a great documentary about the drug cartel violence, 
near of frontier, at border Mexico, in Ciudad Juarez Nogales.

At this city, the narcos have the power. They has bribed the policy and politics. The 
situation is horrible. 

For this reason, so common things as turn on light maybe very difficult because electric 
centrals are normally broken for gunfights.

Many people wear gun and belong to gangs. Narcos are often perpetrators of gunfights on 
the street. 

Many scared persons (from El Paso, Mexico or Nuevo Leon) try to run away of country 
crossing the frontier, looking for a bridge to USA. Green card is not granted to them, 
so they comming into the country by Ports.

The plugin detects a keyword-contrast final score of 62.47%, but across the analysed set as a whole this is reduced to a total score of 45.16% in the context used, so it clearly would not trigger "Big Brother's" alarms either, given the trigger cut-off set at 50%.

Even browsing the net, we can find "texts" that put these systems to the test, some of which have even been withdrawn "for security reasons". We found one that combines our goals. We add a greeting and signature and send it by e-mail to see what happens under the Cyber Security group.

Dear Mr. Obama,

As concerned as I am about cyber security, I naturally find botnets threatening. 

A Denial of Service, or DDOS, attack could lead to a Tsunami of Malware.

It could lead to a virus of trojans wielding keyloggers.

Cyber command might be able to respond, but 2600 phreaking spammers might use cyber 
terror to "Cain and Abel" any rootkit discovered by some phishing spammer.

Hopefully any social media would be aware of any social terror, like a MySQL injection, 
and car bomb those scammers by brute forcing their China worm.

No Hacker should even consider that Conficker.

Yours faithfully,

madesyp@phreaking.net

We observe that there are 24 keywords in the text, rated by the plugin at a keyword score of 96.0%, giving a final set with an overall score of 51.06%, so the preset alert would clearly fire even though the text has no "malice" in it at all.

Perhaps here in Spain we have someone in charge of "monitoring the activity" of forums and the like, as could be done with the list of swear words we leave in our maligno repository.

Freedom? Privacy? Have we managed to trigger the alerts? When we travel to the United States for Black Hat or Defcon, will they let us in? Are the "men in black" knocking at the door?

Remember that in the specialised Computer Security and Systems Administration courses we offer at Academia MADESYP we work through and put in place countermeasures for all this and much more...

Be good and don't do anything wicked!