03/10/13

Finding the Bad Guys in Tor - triangulated irregular network

gAtO ThInKiNg - a car GPS works very simply. It takes the delay time from one geo-positioned satellite, compares it to another geo-positioned satellite and estimates the position of the GPS in my car. I think they call it satellite triangulation or something cool; it's been done with radios to help pilots navigate ever since radios were developed. We do it with satellites, and we can use networks too.

triangulated irregular network - So now apply this to the Tor bad guys' websites: a hidden service!

With a simple command you can get the time it takes to crawl a website. So you have one server in the U.S., one in South America, one in Europe and one in Asia, and we run the same command, getting the delays from each location. I bet with a little math and some basic network tools we could figure out the geo-location of any given website in Tor. One of my good mentors pointed out that in my crawls I was already capturing timing information. We all see timing information with a simple ping command on the clear web, but in Tor UDP is unsupported so that does not work. We must also take into account the Tor network's throughput and utilization, but that's easy to get from a number of Tor tools.

Reverse triangulation of a network server should be easy with a little math: just take a good sample, and the longer you wait the more data you collect and the better the chance you can find the geo-location of a website. We do this on the clear web all the time; we can see areas of the world that are bad for spammers and the like, such as mail from African prince scams offering you millions if you send them some money to cover the transfer, or Russian and Chinese phishing attacks. So we know some geo-locations and some IPs are more prone to bad actors, and we can draw a profile: a geo-location of a place and/or country or an ISP. So not having the IP of a Tor server may not matter; we could use network triangulation, a "triangulated irregular network". The same thing can be done with networks and the timing delays of data back and forth between client <-> Tor OR <-> server.

I got a crazy idea that may or may not work, but it sounds good. So, now if I can only find a government grant and a good math major to help out, we have a big business model to find the bad guy's geo-location even in Tor - gAtO oUt…

03/1/13

Currency of the Cyber Economy

gAtO tHiNk- the bad evil hackers are the least of your worries; the real bad guys are the corporate geeks that want every click, every nuance of your digital life, and they tell you it's to give you a better web experience. WoW, I didn't know that selling all my information as I go from site to site is a good thing for me. How about if I'm sick and search for my medical problems: will my insurance company want that information to raise my payments? You betcha they do!!!

I'm doing some Tor work now so I'm away from the hump and grind, but I have been changing my search engines because, like Google, they know what I look for and they give me the same crap; then I switch to Yahoo and soon they have me profiled, then Bing, whoa!!! What a mistake, but I expected very little from them anyway. They were robbing us blind back before Netscape days.

Think about those high-tech security geeks: they get paid big bucks to guard the hen house and you hear about a new hack every other day. Why? Because if you understand the "book", the same one every security geek gets all those certifications from, they all teach the same old done thing, and that's their job: to take the masses and control them. But the ones that think for themselves are the true pioneers, the ones that dance to a different drum. Look, I don't have any certifications anymore and I know more today about the Tor network than most people around. That's what interests me and that's what I like.

The currency of the information economy is going swell and the big corporate boys are all for selling everything you do, so use Tor, be safe and have a little privacy. Be different and use the tools that work for you and keep your digital breadcrumbs to yourself. I know you're not doing anything wrong and you don't have to prove it to anybody. People say if I use Tor then people will think that I'm a bad guy. Oh me, oh my, do you really care about others' control of you? It's a propaganda war just to keep you afraid of Tor, because with it they cannot sell your data. Don't sell your clicks for free; make them earn them - gATO OuT

01/17/13

PEDOs, gAtO is Hunting YOU!

gAtO hAs - been meeting some very good people that have the ugly, dirty job of going after pedophiles, and gATO is sickened that this problem is becoming so big. I, like most people, hear of these sick wackos and my skin crawls, but I am guilty of not doing anything to stop this. In my research into Tor's Dark Web I found so much ugly pedo stuff, but I always said to myself this is someone else's job. It's not.

All cyber security professionals should work together to find and go after these sick bastards that haunt our children's nightmares. When I first saw the "Pedo Bear Wiki" in Tor I was in shock at how they do business in plain sight, thinking that they are safe. This is also a big black eye for everyone, because this does not just happen in Tor's Dark Web but on the clear web where we all do work and talk to friends. Facebook and Twitter are full of them; you may have added them as friends. On the normal Internet these people thrive, and then they go into Tor and people start saying, oh well, in Tor it's all about these perverts. They give Tor a bad name because it works so well to mask you.

Be on notice, pedos, that gATO has found ways to find you in the Tor onion network. I can find the IP of your hidden-service website; I can also find your clients if you're not careful. I am launching some Tor tools that I am developing that may allow me to find your IP and then your geo-location. I am working on some other offensive cyber tools to go after these pedo sites on the clear web and especially in Tor. So the hunt begins, pedophiles; you have been warned: this coming year we will find you and destroy you, then give the police a chance to lock you up for life. Yeah, you're safe in Tor, keep thinking that - gATO hunts for RaTz like yOu.

01/12/13

MtGox scam attempt

gAtO FoUnD a - Cyber Crook - a user with the nick 'torstatusnet' dropped by today posting false claims that MtGox is now on the .onion network:

Finally MtGox on the Tor network! Dear friends, the MtGox site finally has an anonymous site on the Tor network. Now it is possible to make anonymous transactions in the world's largest portfolio of bitcoins. I thought they would never join the Tor network, but they announced on their website that the new site is at http://6xjgdqlmvesefnkp.onion/. It seems that MtGox guarantees confidentiality, and I think that it will become the major tool for exchanging bitcoins … Pass by there and check …

So here's the thing (it's clearly a scam); it took 2 minutes to figure out.
First of all, there's NO official info from MtGox that they have an onion URL.
Second is the error message that shows when you enter any random data into the login.
It routes you to this error:

http://6xjgdqlmvesefnkp.onion.bd.to/login.php

The system has an error. Sorry for the inconvenience, we will try to fix it as soon as possible. Thank you.
If you look closely at the onion URL, it routes to a clearnet domain. The page source at that address shows the same message plus a hosting provider's analytics script:

The system has an error. Sorry for the inconvenience, we will try to fix it as soon as possible. Thank you.

<!-- Hosting24 Analytics Code -->
<script type="text/javascript" src="http://stats.hosting24.com/count.php"></script>
<!-- End Of Analytics Code -->

Also the clearnet domain contains the following:

http://6xjgdqlmvesefnkp.onion.bd.to/

Your website is up and running!
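As an added example (not code from the original post), here is a small Python check for the two tells used above: whether a URL's host is really a .onion address rather than a clearnet name with "onion" buried inside it (like the .onion.bd.to host here), and whether a page served under that name pulls in third-party clearnet resources such as the hosting analytics script. The sample HTML is constructed to mirror the snippet quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hidden-service labels are base32: 16 chars for the v2 addresses in use in
# 2013, 56 chars for the later v3 format.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def classify_host(url):
    """Return 'onion', 'malformed-onion', 'onion-lookalike' or 'clearnet'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if labels[-1] == "onion":
        # A real hidden service only if the label before .onion is a valid key hash.
        if len(labels) >= 2 and ONION_LABEL.match(labels[-2]):
            return "onion"
        return "malformed-onion"
    if "onion" in labels[:-1]:
        # '.onion' inside a clearnet name (e.g. xxxx.onion.bd.to): a Tor2web-style
        # gateway or a plain clearnet site dressed up as a hidden service.
        return "onion-lookalike"
    return "clearnet"


class _LoadedResources(HTMLParser):
    """Collect URLs a browser would fetch from, or submit to, while rendering the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("src", "action") and value:
                self.urls.append(value)


def clearnet_resources(html, page_host):
    """URLs in the page that load from (or post to) a host other than the page's own."""
    parser = _LoadedResources()
    parser.feed(html)
    page_host = page_host.lower()
    found = []
    for url in parser.urls:
        host = (urlparse(url).hostname or "").lower()
        # Relative URLs have no host and stay on the page's own server.
        if host and host != page_host and classify_host(url) != "onion":
            found.append(url)
    return found


def scam_indicators(url, html):
    """Human-readable reasons to distrust a page claiming to be a hidden service."""
    reasons = []
    kind = classify_host(url)
    if kind != "onion":
        reasons.append("host is %s, not a hidden service" % kind)
    for res in clearnet_resources(html, urlparse(url).hostname or ""):
        reasons.append("page loads clearnet resource %s" % res)
    return reasons


# Constructed sample modelled on the error page quoted in the post.
SAMPLE_HTML = """<html><body>
<p>The system has an error. Sorry for the inconvenience.</p>
<form action="/login.php"><input name="user"><input name="pass"></form>
<!-- Hosting24 Analytics Code -->
<script type="text/javascript" src="http://stats.hosting24.com/count.php"></script>
</body></html>"""

if __name__ == "__main__":
    for reason in scam_indicators("http://6xjgdqlmvesefnkp.onion.bd.to/login.php", SAMPLE_HTML):
        print("-", reason)
```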

01/2/13

Bitcoins are Under Attack

gAtO tHiNk - the monetary system is f%^ked and so are we. My good friend Pierluigi and I have been busy putting together a new book, Digital Virtual Currency and Bitcoins, coming out in a week or so, and the picture of the state of all currency is really in bad shape. Virtual currency is not new; it is more a transactional system than a currency, but unlike PayPal, Visa or Mastercard, with Bitcoins you can become a miner and create your own coins. Check it out: https://blockchain.info/nodes-globe

I have included the table of contents so you can see our approach to understanding what is happening and the war that global bankers are waging on this new system of currency. Why are they fighting it so hard? Because more people are beginning to see that a currency that is not controlled by global bankers, and is by the people and for the people, is a better solution. Of course they are vilifying Bitcoins, but as other systems have tried to get their teeth into this new worldwide currency, Bitcoin comes out on top.

We hope that you will gain some knowledge from our newest venture into this mad, mad world of money. As they say, "follow the money", and we did, but I can tell you the more I learned the madder I got that we have been tricked into thinking that the global bankers are the good guys. Fact is, the world is in debt over 10 times over just on interest alone. The world owes more than we create, THE WORLD, not a nation, and if you look real hard, 1% of the people control 40% of the wealth in this world. It is not a national issue, it's a world issue.

We are just cyber security professionals, but this has been an eye opener as we see the monetary market system as a sham to keep the people of the world in never-ending debt - gAtO OuT

You can pre-order; just send us a message.

Table of Contents

Foreword 

Digital Virtual Currency and Bitcoins

   Digital virtual Currency Steps In: 

1. What is Digital currency: 

Digital Currency:

Shadow Economy

   System D and technology 

   The Cyber Underground 

   Black market payment 

   Perfect Money 

   Liberty Reserve 

   Webmoney 

   Pecunix 

   Voucher-Safe 

Digital Currency -Trust Thru A Consensus 35

Where does Digital Currency get its value? 35

   Trust Thru A Consensus 37

Cyber-War Digital -Vs- Global Currency 39

Cyber Death Of The Banking Industry 42

   Those that control the quantity of currency have all the power. 42

   Cyber Fixed Rate Exchange 2012 43

System D- Bitcoin’s Underground Economy 47

Digital Currency and Policy Makers 50

   American Express Gamer Digital Virtual Currency 50

   Facebook Credits 50

   Google Bucks 51

   Moba-coin 51

   Mastercard 51

How a Bitcoin Transaction Works: 53

   Iran and Bitcoins: 53

2. Who uses Digital Currency 55

Bitcoin -Vs- Evil Global Bankers 55

   Credit Cards 2 BTC-Bitcoin – BTC-Bitcoin 2 Credit Cards 55

Case Study Black Market Silk Road 57

Money Laundering in -The Digital Virtual World- 63

   Games: 63

DC -Digital Currency – Launder CASH to Bitcoins 64

USD (Major banks, 7-11, Walmart, CVS) 64

Bitcoins cannot be traced back to the Owner 65

Happy Satoshi Nakamoto -Bitcoin- Day Nov 1 67

   money $$ with – NO GOVERNMENT  – NO BANKS 67

Underground Financial Networks 69

   Reloadable Debit Cards - Basics 69

Western Union /MoneyGrams Basics 71

   E-currency Basics 73

   Trust Networks Basic 76

   Borrowed Bank Accounts / Underground ATM cards 77

   Mule Networks 78

Global Bankers Fear Bitcoins 79

   European Central Bank report October 2012 report: 81

Secure Bitcoin Trading Online 84

   Introduction: 84

   Credit Cards 2 BTC-Bitcoin – BTC-Bitcoin 2 Credit Cards 84

   Creating a secure identity: 85

   Setting up OpenPGP email 86

   Use Bitcoin-OTC 87

   Using the Web-Of-Trust 87

   Use an escrow 88

3. Digital Currency Financial Stuff 89

Bitcoin and Forex Trading 89

   But really let’s take a look at FNIB – and Bit4X – 90

Bit4X – the  new kid on the block – 90

Digital Currency 92

Top Ten Bitcoin Financial Charts 92

Virtual Currency Schemas 

Virtual Currencies and banking, disaster or opportunity? 98

   Price stability 99

   Risks to financial stability 99

   Risks to payment system stability 100

Bitcoin Still Up 137% YTD 2012 102

   Geek Stuff – API to Bitcoin Block 103

Buying bitcoins 104

   Major Exchanges 104

   Exchanges are listed in alphabetical order. 104

   Fixed Rate Exchanges & Others 118

   Direct / Bulk Buying 123

   Other Financial Services 123

   Physical Bitcoins 124

4. Legality of Digital Currency 125

Bitcoins entities and possible legal responsibilities 125

Law enforcement and financial institutions against bitcoins 127

Legality of Bitcoins-Digital Currency? 130

   Virtual Currency Real or Not 130

2012 timeline of the legality of Bitcoins around the world: 133

5. Governments and Digital Currency 142

Government -Vs- Bitcoin Anonymity 142

Canadian Mintchip And Bitcoins -Whats Up 147

   The MintChip System 148

   Hosted MintChip (Cloud Account) 148

   Transactions-Sender and Receiver 149

   MintChip Value 149

   Sustainability 150

   Architecture 150

   The MintChip – Value Creation 150

   The MintChip – Security Overview 151

6. Business and  Digital Currency 152

Merchant Tools for Digital Virtual Currency 152

   A basic overview of the Payment Gateway follows 153

   List of Features and Advantages 153

   Mt.Gox “Pay Now” Button 154

   Now supporting Magento! 154

Mt.Gox instant Merchant API 155

7. Cyber Crime Digital Currency 156

Cyber Crime Digital Currency 156

Cybercrime and Anonymous Cyber Economy 158

   Impact of digital currency schema on financial ecosystem 158

Digital currency schemas 160

Money laundering 165

Theft of digital currency 170

   Malware, the new generation of digital robbers 174

   Bitcoin Botnet Mining 176

   Deep Web, Botnet and Bitcoin mining … a dangerous mix 183

Counterfeit digital currency and double spending attacks 190

   A race attack 192

   The Finney attack 192

Bitcoin and money laundering 194

   Simple scenarios for money laundering 196

How To- Digital Money Laundering 199

   Digital Currency Exchangers 2010 202

8. Bitcoin and Digital Virtual Currency 204

Get a Bitcoin Wallet and Make FREE-BitCoins Yourself 204

   My Mining Machine 205

Bitcoin Miners Pools and how it works – 206

Bitcoin Wallet 210

   Who, What and Where is a Bitcoin Wallet? 210

Bitcoin Qt 211

The beginning of the Bitcoin question 214

   What is the Bitcoin Distribution Network? 214

   Analysis of the model 216

   The model 216

   How does Bitcoin work? 218

Bitcoin  exchange operates as a bank 222

Welcome to the Dot-BIT project 226

Miner: 226

   Current Miners 228

   OZCoin – http://ozco.in 228

   P2Pool 229

How Anonymous is Bitcoin? 231

   What Users Can Do To Increase Anonymity 231

Bitcoin Mining Scam 233

   The Bitcoin Miner Scam 234

   Bitcoin Scam -How does it work? 235

Satoshi Nakamoto, the manhunt 238

   Who developed Bitcoin Virtual Currency Schema? 240

9. Future of Digital Currency 246

Bitcoin and Digital Currency in the New World 246

Dominate The Future With Bitcoin 248

10. Geek Stuff Digital Currency tools and tricks 256

Address Tags 256

   What Are Address Tags? 256

gATO Mining Rig – Information 258

   ATI Radeon HD 4670: 259

Bitcoin Miner for Websites 260

   Quick Start Guide to add the Miner to your website 260

   Explaining the Miner to your visitors 261

   Fees 261

   Requirements 262

   Advanced Usage 263


11/6/12

Dutch government to give law enforcement authorities the power to hack into computers. This also means hidden servers on Tor

gAtO ThInK - It's time to fight back and tighten the security!

The Dutch government wants to give law enforcement authorities the power to hack into computers, including those located in other countries, for the purpose of discovering and gathering evidence during cybercrime investigations.


In a letter that was sent to the lower house of the Dutch parliament on Monday, the Dutch Minister of Security and Justice Ivo Opstelten outlined the government’s plan to draft a bill in upcoming months that would provide law enforcement authorities with new investigative powers on the Internet.

According to the letter, the new legislation would allow cybercrime investigators to remotely infiltrate computers in order to install monitoring software or to search them for evidence. Investigators would also be allowed to destroy illegal content, like child pornography, found during such searches.

These investigative powers would not only cover computers located in the Netherlands, but also computers located in other countries, if the location of those computers cannot be determined.

However, if the investigators can establish that a computer of interest is located in a foreign country, they will have to ask for assistance from the authorities in that country.

In his proposal, Opstelten used a case in which investigators from the Dutch National Police infiltrated “hidden” Tor websites that hosted child pornography, as an example of a situation in which the geographical location of the computers couldn’t be determined.

The Tor network allows its users to set up so-called “hidden services” that are only accessible from within the network using special addresses. When accessing such a service, a user’s connection is routed through several random Tor nodes, which prevents him from determining the real Internet Protocol (IP) address of the server hosting the service.

The Dutch police investigation referenced by Opstelten in his letter took place in August 2011 and two of the infiltrated Tor websites were hosted on servers located in the U.S.

The new legislation will provide strict safeguards for the proposed investigative powers, Opstelten said. Law enforcement authorities will only be able to exercise such powers when investigating offenses that carry a maximum prison sentence of four years or more and only after obtaining authorization from a judge, he said. Furthermore, all such actions will be automatically logged and the logs will be accessible for later review.

Cybercrime is a serious problem that needs to be tackled, but the proposed measures are not the right ones and they pose a serious risk to cybersecurity, Ot van Daalen, the director of Dutch digital rights organization Bits of Freedom, said Friday.

First of all, allowing police investigators to hack computers in other countries might encourage other governments to introduce similar legislation, but not necessarily with the same limitations, van Daalen said. “This could escalate into a digital arms race.”

The proposed legislation would create an incentive for governments to keep software vulnerabilities secret because they would need to exploit those vulnerabilities to attack systems used by cybercriminals, van Daalen said.

There are already security companies and independent researchers that sell zero-day exploits — exploits for unpatched vulnerabilities — to governments instead of reporting the vulnerabilities to vendors. In addition, some governments have openly admitted to developing military cyberoffensive capabilities.

Van Daalen believes that expanding the potential use of such exploits by law enforcement agencies will help the zero-day exploit market grow, which in turn will result in fewer vulnerabilities being reported and patched.

Governments could also pressure vendors to delay fixing vulnerabilities, van Daalen said. An example of this was when the Dutch government convinced Microsoft to delay the blacklisting of the DigiNotar digital certificates on Windows computers in the Netherlands for a few days in order to allow the government to take measures, despite the fact that the issue represented a security risk for all Windows users in the country, he said.

“There’s no doubt that there’s already a growing (and disquieting) market in the for-fee disclosure and exploitation of vulnerabilities, and this proposal could certainly further legitimize it: the possible advantages in terms of action against criminals (leaving aside ethical objections) have to be balanced against the likely, deleterious effects on the community of Internet users as a whole,” said David Harley, a senior research fellow at antivirus vendor ESET, via email on Friday.

Harley agrees with van Daalen that the proposed legislation could have a global impact. “It’s not possible to guarantee that the effects of these measures will be restricted to criminal elements: if the proposal succeeds in its present form, collateral damage in terms of the application of monitoring and attack technologies could be worldwide,” he said.

"Is it really feasible to take this approach effectively without breaching the sovereignty of other states? Even if agreement could be reached with other states on international legislation, does this proposal take into account the quid pro quo of giving foreign agencies such sweeping rights of access to the systems of its own citizens?" Harley asked. "It seems to me that there's a parallel here with the fact that many in the U.S. seem quite happy with alleged cyberespionage and sabotage against Iran yet show surprise and discontent that those claims have been used as justification for similar action by other nations." - gATO OuT


09/24/12

Dark Heart botnet: Tor C2 and bulletproof server collector

gAtO fOuNd - this. It's a crook selling to crooks, so take it at face value, but it does have some interesting ideas on what is out there in criminals' hands and what is going on in the dark web. Now, these are 10,000, yes 10k, bots that can work on the clearWeb as well as on the Tor and i2p anonymized networks; that should cause some concern, because normally we don't monitor them. Tor domain-flux for both clearWeb and Tor (Tor domain-flux is so easy to do, but it's a big feature), then VPN and then Tor, which will make it harder to find the botmaster. But the coolest feature is the i2p connection. Sorry boys and ladies, but Tor is getting old; i2p is beginning to glow, and it's a little different but very safe. It goes after (scanning) WiFi and GPS tracking, so people, sync your phone data to your computer's data, please…

It's not very hard to do this, but "C&C and // one- BULLET proof server collector" is the sales pitch anyway. I have obfuscated some links and names; find it yourself. I know gAtO can build this, so anyone can with some light reading. That comes out to 80 cents per bot for 10,000 bots, one C&C panel for $8,000 bucks, pretty cheap. Oh yeah, the readme comes in English too.

This is modified Dark Heart bots and C&C in Tor? i2p? 256-bit AES encryption. We already have reports of it by different names, but this was posted around Aug 7, 2012. Here is the poor man's Tor domain-flux, which is so easy: when you generate a hidden service it produces a key for your address in Tor onion land; just move the key to another directory and generate your new key, and so on and so on… Some of this is really well thought out, but I don't trust anyone and it's so easy to build from scratch - gAtO oUt

—— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ———

Dark Heart botnet— NOT – for sale $8000

Run on windows clients – I need 3 C&C server IP addresses to hardcode and obfuscate

bot coded in assembly no dependencies

Each build has a maximum of 10k bots to avoid widespread av detection.

Basic bot uses socks5.

built in ssh client

(fast-flux)

Bot is built with 30k pre generated 256 bit AES keys.

1 256 bit AES key for logs

1 256 bit AES key ssh

1 256 bit AES key socks 5

hwid it selects a pre-generated key 256 bit AES key.

Bot writes encrypted data into common file using steganography process injection

Download/Upload Socks5

Bot sends data to a collector bot via socks5 through ipv6 which makes NAT traversal a trivial matter.

Using ipv6 in ipv4 tunnel.

Collector bot assembly /tor and i2p Plug-ins C++ /Assuming 10k bots

Bots will be assigned into small groups of 25. And are assigned 400 collectors bots which is evenly 200 tor and 200 i2p.

Collector packages the encrypted logs and imports them into a .zip or rar archive and uses sftp to upload through tor to a bullet proof server. Note the Ukraine is best known.

(Domain-flux .onion panel can be easily moved)

Using a Ubuntu Server on bullet proof server.  / Using tor and Privoxy. Panel can be routed through multiple cracked computers using proxychains and ssh.  / Server uses a simple .onion panel with php5 and apache2 and mysql. You might ask what happens if bullet proof server is down. The collector bots can be loaded with 5 .onion panels. If panel fails for 24 hours it's removed from all Collectors and bot will go to the next one and so forth. A python Daemon runs and unzips the data and imports it into a mysql database where it remains encrypted.

The bot master uses my Dark Umbrella.net panel to connect to the remote Bullet Proof server through a vpn and then through tor using ssh to run remote commands on server and sftp to upload and download. Running tor through a logless vpn with a trusted exit node on the tor network. .net panel connects to mysql database; database is decrypted on .NET panel (Note most real Bullet Proof hosting is not trustworthy; this solves that issue) and imported into a local .mdb database. Then later the bot Master should encrypt database folder on true crypt. Commands are sent to bots individually rather than corporately like most bot nets. This allows for greater anonymity. It will be possible to send commands corporately but strongly discouraged. Collector bots download and upload large files through i2p.

1.Connects remotely to rpc daemon through backconect and simplifying metasploit (Working)

2.Social network cracker. (Beta)

3.Statics. (Working)

4.Anonymity status. (Working)

5.Decrypt-er. Decryption codes in highly obfuscated.net limiting each build to 10k bots. (Working)

6.Daemon status (Working)

7.logs (Working)

8.Metasploit connects via rpc. (working)

9. GPS tracked Assets by Google maps and using net-book with a high powered external usb wifi antennas.

Starts an automatic attack if wep; if wpa2 grabs handshake. If open starts basic arp spoofing attack. Common browser exploits. (alpha)

10.Teensy spread. (in development)

11.vnc back connect. (working)

12. Advanced Persistent threat. Fake Firefox, Fake Internet Explorer, Fake Chrome. Fake Windows Security Essentials. (in development; allows for excellent custom Bot-master defined keylogging)

13. Dark search bot index file is downloaded allowing easy searching of hard drives. (Working)

14. voip logic bomb. bot computer is sent via a voip call file once played through voip the microphone hears mp3 file and the dormant payload is activated in bot that is the logic bomb. (Extra- Alpha)

Each Panel is hwid

1 unique build per Copy embedded into panel.

Everything is provided in English only manuals for setup: you need 3 servers for C&C and // one- BULLET proof server collector for -/ everything is working and can be setup within hours: Only serious players -  for sale $8000 -bitcoin – (obfuscated )1A9nBLgdhf4NJadXiBppqqU96AhbMBQrgV -

—— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ———


08/6/12

Anti Forensic Tales from the gAtO

gAtO iS - a gRaY hAt thinker, so the forensic investigation world looks different to me than to normal people; let me explain. On LinkedIn I am having a great discussion about offensive security, going after the people that hacked you, and it's overwhelming how the white hats play by the rules. gAtO is happy with that for 2 reasons: one, I am glad that people in this profession have honor and integrity and do the right thing; that speaks volumes for our field. The flip side is that out-of-the-box thinking is not included in the security mindset, so bad guys can get around things better because they don't follow the rules. The rules are our guide for civilized interaction in cyberspace, but we need to look at the gray area where most bad guys operate.

“power is not only what you have but what your enemy thinks you have”

First off, in any forensic investigation the first thing that you go for is the firewall logs and/or every log that you can get your hands on to find the attackers on your network. The bad news is that with new encrypted network protocols such as the Tor .onion network, my entry point is useless to an investigator: unless you have access to my exit node, you really cannot find my IP, let alone through a VPN or, as the saying goes, behind 7 proxies.

Hackers sometimes leave digital breadcrumbs for the forensic investigator to extract all kinds of information about the attacker, so overwriting the metadata on everything I leave behind is a simple deterrent to you finding my whereabouts, what version of Word I used, or a user name and a few more details. Metadata leaks so much information about users, unknown to the average Jane/Joe. When we turn this around and apply metadata scraping to my target's corporate website, I can get all sorts of information: user names, directory structure, email; all sorts of information can be gathered by attackers doing reverse forensics on the target. This is why anti-forensics is such an interesting subject, and we are only scratching the surface.
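As an added example (not the post's own code), here is a small Python audit of what a Word .docx carries in its docProps parts: the author and last-modified-by names, timestamps and the exact Word build, plus a scrub routine that empties those fields before a file is published. The sample document is constructed in memory with assumed placeholder values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two metadata parts of an Office Open XML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when re-serialising

CORE, APP = "docProps/core.xml", "docProps/app.xml"
# Fields that identify a person, a machine or a software build rather than the content.
CORE_FIELDS = ["dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"]
APP_FIELDS = ["ep:Application", "ep:AppVersion", "ep:Company", "ep:Template"]


def build_sample_docx():
    """Constructed stand-in for a Word file: only the parts this audit looks at."""
    core = (
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" '
        'xmlns:dcterms="%(dcterms)s" xmlns:xsi="%(xsi)s">'
        "<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>jdoe-laptop</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2012-08-01T09:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2012-08-02T17:30:00Z</dcterms:modified>'
        "</cp:coreProperties>" % NS
    )
    app = (
        '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
        "<AppVersion>14.0000</AppVersion><Company>Example Corp</Company>"
        "<Template>Normal.dotm</Template></Properties>" % NS["ep"]
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(CORE, core)
        z.writestr(APP, app)
        z.writestr("word/document.xml", "<document/>")  # body is irrelevant here
    return buf.getvalue()


def _fields_in(xml_bytes, paths):
    """Map each namespaced path to its text, for the fields that are present and non-empty."""
    root = ET.fromstring(xml_bytes)
    found = {}
    for path in paths:
        el = root.find(path, NS)
        if el is not None and el.text:
            found[path] = el.text
    return found


def extract_metadata(docx_bytes):
    """Return the identifying fields present in core.xml and app.xml."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if CORE in names:
            found.update(_fields_in(z.read(CORE), CORE_FIELDS))
        if APP in names:
            found.update(_fields_in(z.read(APP), APP_FIELDS))
    return found


def scrub_metadata(docx_bytes):
    """Copy the package with identifying fields emptied and zip entry timestamps reset."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in (CORE, APP):
                root = ET.fromstring(data)
                for path in CORE_FIELDS if info.filename == CORE else APP_FIELDS:
                    el = root.find(path, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="utf-8")
            # Each zip entry carries its own modification time, which also dates
            # the work; write every entry with a fixed, meaningless timestamp.
            dst.writestr(zipfile.ZipInfo(info.filename, (1980, 1, 1, 0, 0, 0)), data,
                         zipfile.ZIP_DEFLATED)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", extract_metadata(sample))
    print("after: ", extract_metadata(scrub_metadata(sample)))
```

The same two docProps parts exist in .xlsx and .pptx packages, so the audit applies to those as well.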

If we get into your system we can make sure that we do secure data deletion on any device that stores information that I play with, including the logs if I can. I just make sure that I follow a protocol like the DoD 5220.22-M data deletion standard, and you will be hard pressed to find anything I left behind. One thing I may point out: today's hackers use misdirection, and anything left behind could be something to throw your investigation off. I may misdirect and leave digital breadcrumb tracks back to where I want you to go, to blame my enemies or a friend - mEoW. This is a newer pattern that has surfaced among hacktivists today.

One of the new defensive postures is to let cyber-criminals steal decoy files.

Of course, if we do write something onto your devices I will make sure it's encrypted (e.g. AES-256); today there are so many ways to encrypt data or obfuscate my code to make life really hard for investigators. Add steganography to the mix and it's a whole new game; it may make it more challenging for you, but it will hide my actions very well. The advantage of steganography over cryptography alone is that messages do not attract attention to themselves. Plainly visible encrypted messages, no matter how unbreakable, will arouse suspicion.

Another aspect of hackers today is knowing cyber law. In the forensic market we are sometimes limited in our scope of work due to the legalities of discovery and/or due diligence; the lawyers set the parameters on what can be seen and what cannot be touched. It's lawyer stuff, I don't understand it, but it restricts proper cyber forensic reporting when they tie the cyber forensic investigator's hands. One of the new tools for the judicial sector in crime fighting that is scary is the "forensic cyber psychologist": these guys can detect criminal actions and understand criminal minds (wOw, where can I get my PhD?). So what you're trying to say is "you gotta think like a crook to catch a crook"; we all know that. But these forensic cyber-psychologists can predict criminal thought?? Remember the movie "Minority Report", where they would arrest you for what you were thinking; that's scary stuff for the judicial department to bring out. Lots of power in one person; I just don't feel comfortable with that one.

Power is not only what you have but what your enemy thinks you have, and today hacktivists are a new breed of hackers: they make it personal, make it big, and make it loud. Misdirection by planting data that the forensic investigator will find can often be a ruse to mis-direct and control your offensive movements in the investigation. Activist groups: it should come as no surprise that hacktivist motives differ sharply from the mainly money-driven masses of active cyber-criminals. Also unlike other types of threat agents, hacktivists do not typically hail from Eastern Europe and Asia. Those behind most of the breaches are from Western Europe and North America.

Hacktivists targeted data-dense assets like databases and web applications and often stole much more at one time than other types of threat agents. Also fitting with that goal was their interest in personal information and authentication credentials, which they stole far more often than anything else. This is a new, more intelligent hacker: credentials can give the trust-to-trust relationship that companies need to do business, so stealing this object is a new level of sophistication for attackers in the hacktivist world.

From the Verizon 2012 DBIR report: in terms of the vectors through which hacktivist attacks took place, web applications win hands down (65%), while remote admin services like SSH were a distant second (18%). Hacktivists stole more certificates, which points to a slightly more sophisticated attacker. Take your local Linux administrator at work, guess what he knows??? She/he knows how to protect your system and they know the basic flaws // we deal with the patches and fixes and work-arounds every day in the life of an administrator – working late into the weekend with no credit… – basic security 101: be nice to admin people, they know too much shit…. // Add a social / cyber-fame element to this administrator’s life // and these are the real (insider threat) cyber leaders of the hacktivist movements. They are smart, and they have a social heart in the new cyber generation. It is interesting to note that two of the four incidents in the (Verizon only) dataset that met the report’s “High” difficulty criteria were attributed to activist groups. All of these attacks were, unsurprisingly, considered to be targeted rather than opportunistic.

sudo mEoW- mEoW >>| gAtO will now get off the hacktivist hacker soapbox —

Further obfuscation – old-fashioned data padding

Want to make things more interesting? If you want to keep your data from being discovered, or at least make it more difficult to detect, you could add padding to your hidden secret. In this technique, detection is thwarted by the addition of bogus data, basically muddying the waters and making the detective determine what is real data and what is not. Of course, it should be noted that padding additional data increases the likelihood that someone will look for hidden information in the first place. Access timestamps and other details are worth watching too. One major reason last-access times are unreliable is that anti-malware and anti-virus software updates the last access time on files as it examines them.
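Both points above (encrypted blobs draw attention, and random padding makes that worse rather than better) come down to byte statistics: encrypted, compressed or random data is close to 8 bits of entropy per byte, while text and most file formats sit far lower. The scanner below is an added example from the editor, not code from the original post; it walks a buffer in fixed-size chunks, scores each with Shannon entropy, and merges the chunks above a threshold into byte ranges an examiner would want to look at. The sample buffer, the 1024-byte chunk size and the 7.5-bit threshold are constructed assumptions for the demonstration.

```python
"""Flag high-entropy regions in a byte buffer (an image, a file, a carved slice).

Encrypted payloads and random padding both score near 8 bits/byte, which is
exactly why "plainly visible encrypted messages" stand out to an investigator.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 maximum."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def scan_chunks(data: bytes, chunk_size: int = 1024, threshold: float = 7.5):
    """Return (offset, entropy, flagged) for each fixed-size chunk.

    Chunks at or above `threshold` bits/byte are flagged as likely
    encrypted, compressed or random (the three look the same here).
    """
    results = []
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        h = shannon_entropy(chunk)
        results.append((off, round(h, 2), h >= threshold))
    return results


def flagged_ranges(results, chunk_size: int = 1024):
    """Merge consecutive flagged chunks into [start, end) byte ranges."""
    ranges = []
    for off, _h, flagged in results:
        if not flagged:
            continue
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], off + chunk_size)  # extend the last range
        else:
            ranges.append((off, off + chunk_size))
    return ranges


def build_sample(seed: int = 1) -> bytes:
    """Constructed sample (assumption, not a real capture): 4 KiB of text,
    then 2 KiB of seeded pseudo-random bytes standing in for an encrypted
    payload or random padding, then 2 KiB of text again."""
    rng = random.Random(seed)  # seeded so the demo is reproducible
    text = (b"The quick brown fox jumps over the lazy dog. " * 200)[:4096]
    blob = bytes(rng.getrandbits(8) for _ in range(2048))
    return text + blob + text[:2048]


if __name__ == "__main__":
    results = scan_chunks(build_sample())
    for off, h, flagged in results:
        print(f"offset {off:6d}  entropy {h:4.2f}  {'<-- suspicious' if flagged else ''}")
    print("suspicious ranges:", flagged_ranges(results))
```

Padding a secret with random bytes does not lower the score; it widens the flagged range, which is the caveat the paragraph makes. Padding with low-entropy filler (repeated text, zeros) avoids the entropy flag but leaves size and timestamp anomalies, so this is one check among several, not a verdict.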

Let’s not forget generic data hiding that is invisible, like Host Protected Areas (HPA) and the Device Configuration Overlay (DCO). Yes, I do know that this data can be extracted, but if we apply some of the anti-forensic policies above, this data may become useless.
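The practical counter to HPA hiding is to compare the sector count the drive currently reports with its native maximum before imaging; on Linux `hdparm -N` prints both. The checker below is an added example from the editor, not code from the original post: it parses that line and trusts the arithmetic rather than the status word. The two sample outputs are constructed to match the shape of `hdparm -N` output as the editor knows it, and 512-byte logical sectors are an assumption.

```python
"""Detect a Host Protected Area from `hdparm -N /dev/sdX` output before imaging.

A drive with an HPA reports fewer addressable sectors than its native maximum;
imaging only the visible range silently misses whatever sits past that limit.
"""
import re

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

# Constructed samples shaped like `hdparm -N` output (not captured from a real drive).
SAMPLE_HPA = """\
/dev/sdb:
 max sectors   = 488281250/976773168, HPA is enabled
"""

SAMPLE_CLEAN = """\
/dev/sda:
 max sectors   = 976773168/976773168, HPA is disabled
"""

# "max sectors = <visible>/<native>, HPA is <status>"; the status part is optional
_MAX_SECTORS = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)(?:,\s*HPA is (\w+))?")


def parse_hpa(output: str) -> dict:
    """Return visible/native sector counts and the hidden span in sectors and MiB.

    `hpa_present` is derived from native - visible, not from the status word,
    so an inconsistent or missing status string cannot mask a hidden area.
    Raises ValueError when the expected line is absent.
    """
    m = _MAX_SECTORS.search(output)
    if not m:
        raise ValueError("no 'max sectors' line found in hdparm output")
    visible, native = int(m.group(1)), int(m.group(2))
    hidden = native - visible
    return {
        "visible_sectors": visible,
        "native_sectors": native,
        "hidden_sectors": hidden,
        "hidden_mib": round(hidden * SECTOR_BYTES / (1024 * 1024), 1),
        "hpa_present": hidden > 0,
        "status_word": m.group(3),  # informational only
    }


def report(output: str) -> str:
    """One-line human summary suitable for an acquisition log."""
    r = parse_hpa(output)
    if r["hpa_present"]:
        return (f"HPA present: {r['hidden_sectors']} sectors "
                f"(~{r['hidden_mib']} MiB) beyond the visible range; "
                f"image the native size, not the current max")
    return "no HPA: visible size equals native size"


if __name__ == "__main__":
    print(report(SAMPLE_HPA))
    print(report(SAMPLE_CLEAN))
```

A DCO can lower the native maximum itself, so a clean `hdparm -N` result does not rule out a DCO; that needs the separate DCO identify query, and write-blocked hardware imagers handle both cases when configured to do so.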

Disk imaging, data recovery, disk analysis, metadata extraction and network forensics: these are the basic global forensic tools we use to look at attacks, and in most cases they work and will help you find the information you need to find out what the cyber criminal did and where they came from. But beware, one method does not apply to all – black hats, elite hackers, script kiddies, noobs, blue hats, hacktivists, state actors and commercial criminals – “one size does not fit all”, think critically:

-gAtO oUt

References:

http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Steganography image – it has a secret message – I used the iSteg program and the password is “password”, what else from a security gAtO.

FireWire reads Windows 7 memory, leave it to Microsoft.

One thing I found out while doing research for this post was reading the memory of a device to get passwords and such information – FireWire has access to physical memory – so I can write a little code (too late, found one written already – open source) on a Linux box and plug into any Windows machine through the FireWire port with a cable and —>>> read all memory, so there are ways to get around and grab the admin password too. Plug and play, they say. Bypass Windows 7 memory user access / FireWire memory access.


Today, with a simple TorProject.org Tails, a USB-bootable Tor program, I can do my work and never leave a trail to follow, and that can make life hard for any forensic investigator.