Full Disclosure mailing list archives

High Value Target Selection
From: gmaggro <gmaggro () rogers com>
Date: Fri, 30 Nov 2007 14:02:26 -0500

I think it'd be interesting if we started a discussion on the selection
of high value targets to be used in the staging of attacks that damage
significant infrastructure. The end goals, ranked equal in importance,
would be as follows:

1. To bring like minded people together while operating under the
strategy of 'leaderless resistance'

2. To be the 'aboveground' partner to the 'underground' scene, or at
least serve to distract authorities from the activities of underground

3. To see exactly what can be accomplished, and accomplish it

4. To capture the imagination of the public

The 'leaderless resistance' aspect of organization is going to be key.
Plenty of technology exists for encryption and anonymity but that
doesn't apply to people. We have to be like the Internet itself here, as
originally intended: able to take the largest of blows and route around
the damage automatically. We also have to be like good encryption: able
to expose everything about our mechanism without leading to compromise.

Capturing the imagination of the public sounds like bizspeak bullshit,
but it's a very powerful tool - it only takes one cow to start a
stampede. Furthermore it serves as a useful discriminator in selecting
targets. Bringing down Facebook or Amazon might annoy people... but it
really gets driven home when they can't pay their bills, buy food from
supermarkets, or take the train to work.

So, types of infrastructure to attack:

1. Transportation
2. Financial
3. Telecommunications
4. Petrochemical
5. Manufacturing
6. Health care
7. Education
8. Civilian Law Enforcement
9. Government (Judicial, Executive, Legislative)
10. Military

This is just what I've thought of to date. One thing we'll need to do is
prioritize that list and flesh it out. For instance, for 'Financial' I'd
be inclined to break up something like this: banks, credit card
companies, credit processing companies, ATM companies, credit bureaus,
collection agencies, investment firms, etc.

I guess we should pick some kind of a nation-state to narrow the scope.
I'm going to propose the USA for several reasons:

1. A lot of folks got it in for them. This makes it easier to blend into
the background. There's also the potential for assistance via
enemy-of-my-enemy-is-my-friend co-operation among like minded
individuals and groups. Also, in security, the advantage always goes to
the attacker; he only needs to be successful once but the defender has
to succeed every time. And since they're no doubt getting assaulted left
right and centre they've probably been tenderized pretty good. These
factors, I believe, combine to nullify any advantage they might have
from being well practiced at having to withstand assaults.

2. They're weak right now. In many ways. Given the issues in the
sub-prime market and its cascade effects, profits are down everywhere.
When businesses lose money, what's the first thing that suffers?
Customer service. What's the second thing? Security. Not trying to slant
politically one way or the other here, but the American implementation
of capitalism is not renowned for having led to people making quality
goods or loving their jobs. Sloppiness abounds whether it's ACLs on the
router or easy-to-social-engineer employees. The effects of more people
losing their jobs and increased sociocultural turmoil will only
exacerbate this. A lot of talented people will be out a job for reason of
economics or colour, and if engaged properly, can add to the ranks.

3. They're easy to penetrate. If you can't walk right into the states
over the Mexican or Canadian border, then there's a million lines of
fibre and copper running straight in. It is an incredibly well connected
place with a widely geographically dispersed populace. And a lot of
coffee shops near open wifi. Entire cities blanketed in connectivity
accessible from back alleys, washrooms in malls, or remote corners of
public parks with a 12 dB Yagi. Miles upon miles of SCADA wiring.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/