
+++++ Investigators briefing - Operation CHASTISE +++++

Operation NEPTUNE, whilst yielding significant intelligence product, also represented a gross failing of Yellow Sun's personnel security procedures. An agent of the Adversary (now known to be the Sinister Icy Black Hand Of Death, aka SIBHOD) was unwittingly employed as part of NEPTUNE's plan to conduct offensive operations. Once the agent (known as Keith Starr, real name now known to be Kerry Nitpick) discovered the nature of his target he swiftly left Yellow Sun's HQ, either fearing exposing SIBHOD, or fearing SIBHOD's harsh HR stance on errant staff.

Pursuit of Nitpick
From the commencement of his employment at Yellow Sun, Nitpick was kept under close surveillance. This surveillance was maintained during Nitpick's flight from Yellow Sun's HQ, when he was observed to behave as an "Aware" target, exhibiting anti-surveillance techniques. Nitpick's anti-surveillance training seemed tailored to defeating a three-man team and was partially successful in this respect; however, Yellow Sun routinely employ multiple three-man teams with vehicle backup, and other teams were able to keep eyes on their target as he attempted to escape to a safe house.

Arrest and Interview


Yellow Sun's Special Intervention Team was dispatched to the safe house, where Nitpick was apprehended. At interview, it was put to him that SIBHOD may not look favourably on his recent actions against them, and that the Police also have warrants out for his arrest (the photograph from the SHOPPINGLIST database showing Nitpick on a Police "Wanted" poster proved genuine). It was suggested to Nitpick that both of these parties may be interested in knowing his whereabouts, and that Yellow Sun's silence could be purchased in exchange for his cooperation. This cooperation was swiftly given.

Nitpick on SIBHOD
Nitpick was unable to supply much useful intelligence on SIBHOD. As seems to be their practice, SIBHOD told Nitpick very little outside of what he needed to know; the CANDYSTORE operation was his first on SIBHOD's behalf. Nitpick has never visited SIBHOD's HQ, the so-called BATCAVE, although he does know that it is an ex-Cold War site on the East coast of England. He also notes that the logo on SIBHOD's headed notepaper (right) somehow represents some physical aspect of the BATCAVE.

Nitpick on NybbleComms
Nitpick's mission objective at NybbleComms was to embed backdoors into the guidance software of tactical cruise missiles. He felt that this could not be achieved, due to NybbleComms' strict source code review and binary code signing processes which would prevent such a significant alteration being made either before or after compilation. However, Nitpick observed that NybbleComms staff had many misunderstandings of common security issues, instead trusting their security to their air-gapped internal networks. As a way of achieving his objective for SIBHOD, Nitpick was formulating a plan to subvert the process by which targeting packages are uploaded to the missiles: if the missile can't be controlled in flight by a backdoor, perhaps its target could be overridden whilst it was still on the launcher? Nitpick explained that Missile Targeting Packages (MTPs) are X.509 certificates, signed by a private Certificate Authority, the GMTA-CA, operated by NybbleComms (the specific format of the MTPs is given at the end of this document). Once a properly formatted MTP has been signed, it is uploaded to the NybbleComms Guided Missile Targeting Authority (GMTA) where it is validated and queued for upload to a missile. Nitpick has no authorised access to the private CA, so he is currently unable to sign his own MTPs. He was, however, able to obtain a traffic capture from one of NybbleComms' air-gapped internal development networks.


Operation CHASTISE Strategic Aims


Subvert NybbleComms' next missile test, replacing the inert test warhead with a live one and targeting the BATCAVE. The net effect will be the physical destruction of SIBHOD, and the discrediting of arch-rival NybbleComms as a business competitor for allowing a test firing to go so badly wrong.

Tactical Aims
- Study the MTP documentation and packet capture provided by Nitpick:
  - Discover how to access the GMTA website
  - Discover the date and time of NybbleComms' next test missile firing
  - Recover enough cryptographic material to allow the signing of a fake, but valid, MTP
- Discover the location of the BATCAVE. It is suggested that re-examining the social media profiles of SIBHOD operatives obtained as part of Operation FOOT may bear fruit.
- Discover the location of NybbleComms' launch facility
- Nitpick says that to keep costs down, tests of their guidance software are carried onboard retasked Cold War era surface to air missiles rather than contemporary surface to surface airframes. Based upon aerial surveillance of the launch facility, determine the likely missile type employed for testing
- Create an MTP targeting the BATCAVE, carrying a live warhead
- Upload it to the GMTA

Operation deliverables
- The MTP itself
- A description of how the information to populate the MTP was obtained, and a description of how it was signed by the private certificate authority.
- A screenshot of the GMTA showing the successful upload of the MTP.


Appendix
MTP field format
According to Nitpick, an MTP is a signed X.509 certificate that has the following properties:
- The MTP must be in DER format before upload
- The MTP must be signed by the GMTA-CA, using the GMTA-CA's certificate and private key
- The GMTA-CA's Authority Key Identifier must be present in an X509v3 extension
- The OU field of the MTP's Subject contains the warhead type, one of:
  - WARHEAD-FAE: High-blast thermobaric fuel-air explosive
  - WARHEAD-CONVENTIONAL: Standard 500Kg high explosive
  - WARHEAD-NUCLEAR: W54 warhead, 1KT low-yield tactical
  - WARHEAD-INERT: Inert training round, mass-equivalent to WARHEAD-CONVENTIONAL
- The CN field of the MTP's Subject contains the target coordinates, expressed in decimal latitude and longitude as LATITUDExLONGITUDE (the "x" character delimits the two). Northern latitudes and Eastern longitudes are positive; Southern latitudes and Western longitudes are negative.
- The NotBefore and NotAfter times must bear close association to the launch time. NotBefore must be less than five minutes before the launch time; NotAfter must be less than five minutes after launch. A missile cannot be launched with an MTP that is not yet valid, and cannot be retargeted or remotely destroyed with an MTP that has expired.
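
The field rules above, written as the kind of check a receiving service could run on the Subject and validity fields once an X.509 library has parsed the certificate. This is an added example, not part of the original briefing or of any NybbleComms code: the function names, the sample launch time and the sample coordinates are constructed, and the signature and Authority Key Identifier checks are left to the X.509 library.

```python
from datetime import datetime, timedelta, timezone

# Warhead types and the five-minute rule, taken from the MTP field format.
WARHEADS = {"WARHEAD-FAE", "WARHEAD-CONVENTIONAL",
            "WARHEAD-NUCLEAR", "WARHEAD-INERT"}
WINDOW = timedelta(minutes=5)
# Constructed sample launch time (not a value from the briefing).
SAMPLE_LAUNCH = datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc)


def parse_target(cn):
    """Split a CN of the form LATITUDExLONGITUDE into (lat, lon) floats."""
    lat_text, sep, lon_text = cn.strip().partition("x")
    if not sep:
        raise ValueError("no 'x' delimiter")
    lat, lon = float(lat_text), float(lon_text)  # ValueError on non-numbers
    # North/East positive, South/West negative; NaN fails both comparisons.
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinates out of range")
    return lat, lon


def check_mtp(ou, cn, not_before, not_after, launch):
    """Return a list of rule violations; an empty list means the fields pass."""
    problems = []
    if ou not in WARHEADS:
        problems.append("OU is not a known warhead type")
    try:
        parse_target(cn)
    except ValueError as exc:
        problems.append(f"CN: {exc}")
    # Valid at launch, and starting less than five minutes before it.
    if not (launch - WINDOW < not_before <= launch):
        problems.append("NotBefore is not within five minutes before launch")
    # Still valid at launch, and expiring less than five minutes after it.
    if not (launch <= not_after < launch + WINDOW):
        problems.append("NotAfter is not within five minutes after launch")
    return problems


if __name__ == "__main__":
    two = timedelta(minutes=2)
    # Constructed field values for an inert round.
    print(check_mtp("WARHEAD-INERT", "10.5x-20.25",
                    SAMPLE_LAUNCH - two, SAMPLE_LAUNCH + two, SAMPLE_LAUNCH))
```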

Alec R Waters and wirewatcher, 2009-2012. Unauthorized use and/or duplication of this material without express and written permission from this blog's author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Alec R Waters and wirewatcher with appropriate and specific direction to the original content.