04/2/12

Cyber-Criminals - You got to change your evil ways

gAtO rEaD – Cyber-criminals are slowing their web app attacks and working their VoDoo on social networks and mobile devices. IBM’s semiannual report shows interesting trends. On the spam email front, attacks are on the decline compared to 2010, but APTs (Advanced Persistent Threats) were up. Commercial criminals are quickly adapting to lateral movement and supply chain intrusions.

This is now true for the financial sector. The traditional dump and run – grab as much financial data as you can and run – has given way to putting in the time to stay persistent in the shadows of the system, drawing out not just the CC (credit card $$) data but the PII (Personally Identifiable Information), and the company’s intellectual property is becoming more lucrative than hard-cash scams. IBM also found that 36% of previously identified vulnerabilities at the companies it compared were still unpatched by the end of the year, compared to 43 percent in 2010.

** — “If the patches were maintained then they wouldn’t have hacked the network.” Always test your patch first with everything on your network, or else you’re putting your company on the line. — **

Web applications are safer, with the number of applications vulnerable to cross-site scripting attacks down 50 percent compared with 2007. SQL injection attacks, in particular, continue to be a thorn in the side of Web applications due to the availability of automated tools. IBM also detected a 200 to 300 percent jump in so-called “shell injection” attacks from January to December. And toward the end of the year, IBM researchers noticed a spike in SSH password cracking attempts.

The decline in vulnerabilities belies the rise in security breaches, and raises the question: Are cyber-criminals getting smarter than the IT professionals charged with securing their company’s IT systems? Or maybe we’re just expecting too much from the security pros? It may be the latter. In February, security software firm LogRhythm declared that 75 percent of security professionals “lack confidence in their ability to address cyber threats.” The number is the result of an unscientific study of only 200 people who answered a questionnaire online. But it does hint at the existence of a skills gap when it comes to defending corporate IT systems.

Just as the tools and tactics are changing in the ongoing IT cyber war, so is the battleground. In the future, corporate security pros will need to focus a lot more on social media and mobile computing than they do now, especially as corporations continue to connect their core business systems to mobile devices and social networking tools. -gAtO oUt

For a copy of the X-Force 2011 Trend and Risk Report, see www.ibm.com/security/xforce

03/30/12

Hacking Cheat Sheet

gAtO fOuNd - this in a BadStore pen-testing training e-book. The fUnNy thing is, it is really a guide for a DIY hacking project written in 2005, but still true today – Oh well, here it is… “in the BoX”:

THIS IS A TEST BOX FOR PEN TESTERS – If you really want to know where the vulnerabilities exist in BadStore.net, read on:

  •  Robots.txt directory disclosure (http://www.badstore.net/robots.txt).
  •  Apache platform attacks (run Nessus and Nikto).
  •  SQL Injection in Search and Login functions – including DROP and UNION (try logging in as a normal user with joe' OR 1=1 OR 'mary as a simple example).
  •  Blind SQL Injection in Supplier Login (try single quote ('), OR 1=1, OR 1=1--, and other SQL commands and watch them fail, until you hit the "magic" combination).
  •  Cross-Site Scripting (XSS) in Guestbook, URLs, Search (try <script>alert('This is an XSS attack!!!')</script>).
  •  Credential Disclosure via proxy, XSS, and Brute Force (use proxy to decode the Base-64 encoded SSOID cookie, try <script>alert(document.cookie)</script>, and run Brutus to force a login).
  •  Command Injection via Parameter Tampering.
  •  Privilege Escalation via Cookie and Hidden Field Tampering (what's that Role parameter?)
  •  Ability to decode cookies and view sensitive information (use the proxy).
  •  "Secret" Admin access via URL parameter (try ?action=admin in the URL).
  •  Access to Supplier Portal through referer header manipulation, cookie, SQL Injection (use proxy to manipulate referer header and cookie, try logging in to the form using SQL Injection techniques).
  •  Denial of Service (DoS) to application and platform.
  •  Ability to obtain free or discounted merchandise (use the proxy to manipulate the CartID cookie).
  •  Site Defacement (you can upload files from the Supplier Portal – can you also traverse directories?)
  •  MD5-hashed passwords, many of which are easily crackable (try John the Ripper).
  •  PII - Personally Identifiable Information disclosure, including Credit Cards (in Previous Orders and Secret Admin Portal).
  •  Ability to login without a known password (try SQL Injection and Brute Force).
  •  Ability to view others' orders and information (use proxy to manipulate cookie).
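To show what the SQL Injection and MD5-password items in the list actually come down to, here is an added example (not from the BadStore guide and not BadStore's own code) that builds a tiny SQLite login table and feeds the guide's own `joe' OR 1=1 OR 'mary` input to two login routines: one that concatenates user input into the SQL string the way a vulnerable store does, and one that binds parameters and verifies a salted PBKDF2 hash instead of a crackable MD5. The table names, sample users, and PBKDF2 round count are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; not BadStore's real data or schema.
SAMPLE_USERS = [("joe", "joe-pass"), ("mary", "mary-pass")]
PBKDF2_ROUNDS = 100_000  # assumption: tune for your own hardware


def hash_password(passwd, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as hex(salt)$hex(digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passwd.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(passwd, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", passwd.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db():
    """In-memory DB with a legacy table (unsalted MD5, as the list describes)
    and a hardened table (salted PBKDF2 hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_legacy (username TEXT, passwd_md5 TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, passwd_hash TEXT)")
    for name, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users_legacy VALUES (?, ?)",
                     (name, hashlib.md5(pw.encode()).hexdigest()))
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, hash_password(pw)))
    return conn


def login_vulnerable(conn, username, passwd):
    """Login built by string concatenation: whatever the user types becomes SQL.
    Returns the matched username, or None."""
    pw_md5 = hashlib.md5(passwd.encode()).hexdigest()
    query = ("SELECT username FROM users_legacy WHERE username = '" + username
             + "' AND passwd_md5 = '" + pw_md5 + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, passwd):
    """Parameterised lookup, then hash verification in code: the username is
    bound as data, so quotes and OR clauses in it never reach the SQL parser."""
    row = conn.execute("SELECT username, passwd_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not verify_password(passwd, row[1]):
        return None
    return row[0]


if __name__ == "__main__":
    db = make_db()
    payload = "joe' OR 1=1 OR 'mary"  # the guide's own example input
    print("vulnerable login with payload:   ", login_vulnerable(db, payload, "wrong"))
    print("parameterised login with payload:", login_safe(db, payload, "wrong"))
    print("parameterised login, real creds: ", login_safe(db, "joe", "joe-pass"))
```

With the concatenated query the WHERE clause becomes `username = 'joe' OR 1=1 OR 'mary' AND passwd_md5 = '...'`, which is true for every row, so the first account logs in with any password. The bound version treats the same text as a username that does not exist. Splitting the password check out of the query also means the database never has to hold a fast, unsalted digest.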

This is a checklist that every admin should have in his back pocket – it’s all the “in the BoX” and outside. It’s a guide to what the bad guys are doing and thinking.
You add a little social engineering and a little spear phishing to this bag of tricks and you’ve got a good plan. This is from 2005, that’s 7 years ago – BEFORE Twitter and Facebook; they were babies when this Cheat Sheet was created. The things that you find on the internet are amazing. - gAtO oUt
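The cookie items in the cheat sheet (the Base-64 SSOID cookie, the Role field, the CartID cookie) all share one root cause: the server trusts a value that the client can decode and rewrite. Here is an added example (my own code, not from the BadStore guide or application) contrasting a store-style cookie that is merely Base64-encoded with one carrying an HMAC-SHA256 tag, and showing that the same field edit which escalates privilege on the first is rejected on the second. The field names, cookie layout, and secret are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Assumption for the demo: in a real deployment this comes from config or a
# secrets store, never from source code.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def make_unsigned_cookie(fields):
    """Store-style cookie: fields merely Base64-encoded, no integrity check."""
    return base64.b64encode(json.dumps(fields, sort_keys=True).encode()).decode()


def read_unsigned_cookie(cookie):
    """Server trusts whatever decodes: this is what makes a Role field in
    the cookie a privilege-escalation hole."""
    return json.loads(base64.b64decode(cookie))


def forge_unsigned(cookie, **changes):
    """What a proxy user does to this cookie: decode, edit a field, re-encode."""
    fields = read_unsigned_cookie(cookie)
    fields.update(changes)
    return make_unsigned_cookie(fields)


def make_signed_cookie(fields, secret=SERVER_SECRET):
    """Format payload.tag, where tag = HMAC-SHA256(secret, payload)."""
    payload = base64.urlsafe_b64encode(
        json.dumps(fields, sort_keys=True).encode()).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def read_signed_cookie(cookie, secret=SERVER_SECRET):
    """Return the fields only if the tag verifies; None for anything else."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def forge_signed(cookie, **changes):
    """The same field edit against the signed cookie, keeping the old tag."""
    payload, _, tag = cookie.rpartition(".")
    fields = json.loads(base64.urlsafe_b64decode(payload))
    fields.update(changes)
    new_payload = base64.urlsafe_b64encode(
        json.dumps(fields, sort_keys=True).encode()).decode()
    return new_payload + "." + tag


if __name__ == "__main__":
    plain = make_unsigned_cookie({"user": "joe", "role": "user"})
    print("unsigned, after editing role:",
          read_unsigned_cookie(forge_unsigned(plain, role="admin")))
    signed = make_signed_cookie({"user": "joe", "role": "user"})
    print("signed, after editing role:  ",
          read_signed_cookie(forge_signed(signed, role="admin")))
```

Signing gives integrity, not confidentiality: the payload is still readable through a proxy, so an SSOID or any PII in it is still disclosed. The stronger pattern is an opaque random session ID with role, cart contents, and prices kept server-side, which removes the CartID and Role tricks entirely rather than just detecting them.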

03/27/12

Huawei Spying on Customers

Huawei - Mitt Romney's Bain Capital sold out 3Com to the Chinese

gAtO wRoTe - about the Chinese company Huawei (a Shenzhen, China-based company) a long time ago, with its ties to Rick Perry, the governor of Texas and ex-Presidential candidate, and to Mitt Romney’s company Bain Capital, which sold out 3Com and sold our national secrets to them. Now it finally falls on Australia to take the first step. When electoral fortunes are fading, a good “reds under the beds” story can boost political stocks, but the row about Chinese telecommunications equipment supplier Huawei being barred from supplying equipment to the National Broadband Network puts a new twist on an old tactic. Generally it’s the Right that beats the red peril drum. Here in Australia it’s a Labor government claiming the NBN is too vital a piece of national infrastructure to be put at risk by buying equipment from China.

Huawei, which is second only to Sweden’s Ericsson in telecom equipment sales, was blocked on Monday from bidding on a $36 billion Australian national broadband contract. Security firm Symantec (SYMC, Fortune 500) ended in November because of Symantec’s concerns that its relationship with Huawei would prevent it from getting a sensitive U.S. government security contract.

Will this be the tipping point where America stands up, sees past the profits, and starts looking at our nation’s cyber security survival? We hear that DHS and NSA and everyone is pushing for dollars $$ to fix our infrastructure, but when will we start to stop the Chinese from stealing the intellectual capital that has made America great? Politicians need to take a look at what the real problem is, like Rick Perry allowing dozens of Chinese companies to set up shop in Texas and claiming that they have such a great employment record, at the cost of our national security.

gAtO is sad that we see the veterans of our great country without a job when we could be investing in cyber security, training our young veterans in this field. Veterans have vital experience, but as gAtO has found out personally, the VA has a problem with allowing our veterans to get an education in this vital field of Internet security. I like China, don’t get me wrong, and some of the accusations about China I suspect are nothing more than a scare tactic to get funding for political pet projects. But if we start training our veterans and anyone who wants this training, we will not lose the cyber war. - gAtO oUt

03/20/12

Keywords Searched for by DHS on social media

Long List of Keywords Searched for by DHS & Other Agencies on social media networking sites.

Department of Homeland Security (DHS)
Federal Emergency Management Agency (FEMA)
Coast Guard (USCG)
Customs and Border Protection (CBP)
Border Patrol
Secret Service (USSS)
National Operations Center (NOC)
Homeland Defense
Immigration Customs Enforcement (ICE)
Agent
Task Force
Central Intelligence Agency (CIA)
Fusion Center
Drug Enforcement Agency (DEA)
Secure Border Initiative (SBI)
Federal Bureau of Investigation (FBI)
Alcohol Tobacco and Firearms (ATF)
U.S. Citizenship and Immigration Services (CIS)
Federal Air Marshal Service (FAMS)
Transportation Security Administration (TSA)
Air Marshal
Federal Aviation Administration (FAA)
National Guard
Red Cross
United Nations (UN)

Domestic Security

Assassination
Attack
Domestic security
Drill
Exercise
Cops
Law enforcement
Authorities
Disaster assistance
Disaster management
DNDO (Domestic Nuclear Detection Office)
National preparedness
Mitigation
Prevention
Response
Recovery
Dirty Bomb
Domestic nuclear detection
Emergency management
Emergency response
First responder
Homeland security
Maritime domain awareness (MDA)
National preparedness initiative
Militia
Shooting
Shots fired
Evacuation
Deaths
Hostage
Explosion (explosive)
Police
Disaster medical assistance team (DMAT)
Organized crime
Gangs
National security
State of emergency
Security
Breach
Threat
Standoff
SWAT
Screening
Lockdown
Bomb (squad or threat)
Crash
Looting
Riot
Emergency Landing
Pipe bomb
Incident
Facility

HAZMAT & Nuclear

Hazmat
Nuclear
Chemical Spill
Suspicious package/device
Toxic
National laboratory
Nuclear facility
Nuclear threat
Cloud
Plume
Radiation
Radioactive
Leak
Biological infection (or event)
Chemical
Chemical burn
Biological
Epidemic
Hazardous
Hazardous material incident
Industrial spill
Infection
Powder (white)
Gas
Spillover
Anthrax
Blister agent
Exposure
Burn
Nerve agent
Ricin
Sarin
North Korea

Health Concern + H1N1

Outbreak
Contamination
Exposure
Virus
Evacuation
Bacteria
Recall
Ebola
Food Poisoning
Foot and Mouth (FMD)
H5N1
Avian
Flu
Salmonella
Small Pox
Plague
Human to human
Human to ANIMAL
Influenza
Center for Disease Control (CDC)
Drug Administration (FDA)
Public Health
Toxic
Agro Terror
Tuberculosis (TB)
Agriculture
Listeria
Symptoms
Mutation
Resistant
Antiviral
Wave
Pandemic
Infection
Water/air borne
Sick
Swine
Pork
Strain
Quarantine
H1N1
Vaccine
Tamiflu
Norvo Virus
Epidemic
World Health Organization (WHO and components)
Viral Hemorrhagic Fever
E. Coli

Infrastructure Security

Infrastructure security
Airport
CIKR (Critical Infrastructure & Key Resources)
AMTRAK
Collapse
Computer infrastructure
Communications infrastructure
Telecommunications
Critical infrastructure
National infrastructure
Metro
WMATA
Airplane (and derivatives)
Chemical fire
Subway
BART
MARTA
Port Authority
NBIC (National Biosurveillance Integration Center)
Transportation security
Grid
Power
Smart
Body scanner
Electric
Failure or outage
Black out
Brown out
Port
Dock
Bridge
Canceled
Delays
Service disruption
Power lines

Southwest Border Violence

Drug cartel
Violence
Gang
Drug
Narcotics
Cocaine
Marijuana
Heroin
Border
Mexico
Cartel
Southwest
Juarez
Sinaloa
Tijuana
Torreon
Yuma
Tucson
Decapitated
U.S. Consulate
Consular
El Paso
Fort Hancock
San Diego
Ciudad Juarez
Nogales
Sonora
Colombia
Mara salvatrucha
MS13 or MS-13
Drug war
Mexican army
Methamphetamine
Cartel de Golfo
Gulf Cartel
La Familia
Reynose
Nuevo Leon
Narcos
Narco banners (Spanish equivalents)
Los Zetas
Shootout
Execution
Gunfight
Trafficking
Kidnap
Calderon
Reyosa
Bust
Tamaulipas
Meth Lab
Drug trade
Illegal immigrants
Smuggling (smugglers)
Matamoros
Michoacana
Guzman
Arellano-Felix
Beltran-Leyva
Barrio Azteca
Artistics Assassins
Mexicles
New Federation

Terrorism

Terrorism
Al Queda (all spellings)
Terror
Attack
Iraq
Afghanistan
Iran
Pakistan
Agro
Environmental terrorist
Eco terrorism
Conventional weapon
Target
Weapons grade
Dirty bomb
Enriched
Nuclear
Chemical weapon
Biological weapon
Ammonium nitrate
Improvised explosive device
IED (Improvised Explosive Device)
Abu Sayyaf
Hamas
FARC (Armed Revolutionary Forces Colombia)
IRA (Irish Republican Army)
ETA (Euskadi ta Askatasuna)
Basque Separatists
Hezbollah
Tamil Tiger
PLF (Palestine Liberation Front)
PLO (Palestine Libration Organization)
Car bomb
Jihad
Taliban
Weapons cache
Suicide bomber
Suicide attack
Suspicious substance
AQAP (Al Qaeda Arabian Peninsula)
AQIM (Al Qaeda in the Islamic Maghreb)
TTP (Tehrik-i-Taliban Pakistan)
Yemen
Pirates
Extremism
Somalia
Nigeria
Radicals
Al-Shabaab
Home grown
Plot
Nationalist
Recruitment
Fundamentalism
Islamist

Weather/Disaster/Emergency

Emergency
Hurricane
Tornado
Twister
Tsunami
Earthquake
Tremor
Flood
Storm
Crest
Temblor
Extreme weather
Forest fire
Brush fire
Ice
Stranded/Stuck
Help
Hail
Wildfire
Tsunami Warning Center
Magnitude
Avalanche
Typhoon
Shelter-in-place
Disaster
Snow
Blizzard
Sleet
Mud slide or Mudslide
Erosion
Power outage
Brown out
Warning
Watch
Lightening
Aid
Relief
Closure
Interstate
Burst
Emergency Broadcast System

Cyber Security

Cyber security
Botnet
DDOS (dedicated denial of service)
Denial of service
Malware
Virus
Trojan
Keylogger
Cyber Command
2600
Spammer
Phishing
Rootkit
Phreaking
Cain and abel
Brute forcing
Mysql injection
Cyber attack
Cyber terror
Hacker
China
Conficker
Worm
Scammers
Social media

03/4/12

Cyber Militia part-2

As the world becomes increasingly interconnected and networked, the potential for cyber attacks against a nation’s critical infrastructure and key resources continues to increase. Countries fear that sustained cyber attacks will significantly incapacitate or damage critical infrastructure and key resources. How to properly guard against these attacks has become a topic of debate for nations all across the world. Many cyber experts feel that the traditional means of defense setup and administered by governments is not sufficient to defend against sustained cyber attacks during a time of war.

There are three types of cyber militia that exist today: the forum, the cell, and the hierarchy.

The forum cyber militia is an ad-hoc group that forms around an online meeting place or forum. The forum unites people that are “willing and able to use cyber attacks in order to achieve a political goal.”  It also serves as a command and control platform where members can post propaganda along with attack instructions and tools.

A cell cyber militia is a group of hackers who perform cyber attacks on their own. They commit cyber attacks on a regular basis over a period of time. Cell type militias are limited in size and consist of members who know and trust each other. Members coordinate their actions and do not give or receive orders.

Lastly, a hierarchical cyber militia is one that adopts a traditional hierarchical structure with a clear chain of command. (Ottis, 2011) It is similar to a military unit with a unit commander who exercises power over sub-units. Each sub-unit can have a specific task and its membership can be identified or anonymous.

The three types of cyber militias defined each have their own attributes with specific strengths and weaknesses. When deciding to establish a militia, they all need to be weighed accordingly. During the construction of a cyber militia, what will be required of the cyber militia must be considered.

This will most likely dictate the type of cyber militia that is assembled.

Each type has its own advantages and disadvantages that make it appropriate for specific circumstances. The need for strict command and control, mobilization, sustainment, size, and anonymity are all factors that should be contemplated as a part of this. For example, will the cyber militia need to take strict orders from command for coordination of operations? Or will a loose network of individuals be sufficient? The talent pool for potential members and the types of cyber missions they will carry out must also be considered. The cyber militia will have to be tailored to the skill level of its members. If highly skilled hackers are available, sophisticated attacks may be carried out. If not, a cyber militia that facilitates the use of relatively easy cyber attacks should be used. Each cyber militia relates to the aforementioned factors in different ways, making it more suitable for certain applications.

A forum type cyber militia will provide a force that can rapidly mobilize and expand in size.

New members can quickly take up the cause and join existing members in the attacks. It also lends itself to a relatively unskilled membership with more experienced members posting instructions and tools to perform cyber attacks. However, since a forum cyber militia is a loose network of individuals, it lacks command and control with members deciding on their own actions.

Once the flurry of activity by the militia has ceased, activity in the forum decreases so it will not serve as a sustained force. A cell cyber militia differs from the forum type in that it will consist of a relatively small group of highly skilled hackers that know and trust each other. As a result, gaining membership is a difficult and lengthy process. (Ottis, 2011) Similar to the forum type, a cell militia does not provide regimented command and control, but there is coordination. Due to their skill level and coordination, cell militias are able to quickly mobilize and carry out sophisticated cyber attacks.

A cell can also be a sustained force with periods of activity and dormancy. Since they are only a small group, cells are not able to carry out the volume of attacks that a forum militia could. In addition, the continued actions of a small group of individuals may also make them more susceptible to identification. Discovering the identity of even a few members of the group may disrupt its effectiveness.

The hierarchical cyber militia provides a third option for forces where a clear chain of command is required. Unlike the previous two types, it can provide strong and efficient command and control, making it suitable for government-sponsored groups. (Ottis, 2011) Tasks and responsibilities can be assigned as attacks are carried out. However, hierarchy militias require more time to assemble than the others because the command and assignments must be established. (Ottis, 2011) During periods of inactivity, a hierarchical militia can also be sustained and improved through recruitment and training. Although like the hacker cell, it is not easy to add new members because they must go through a vetting process before admission.

Much of the success of the hierarchy militia is also dependent on capable leaders being assigned to the few available command positions. (Ottis, 2011) The success of the other militias does not hinge on a few select individuals as it does here.

When assembling a cyber militia for the United States, the most practical option is a militia fashioned after Ottis’ hierarchy model. The hierarchy model provides for a clear chain of command and control that mimics a military organization, and the militia should be operated as such. The strict sense of command and control is required by the United States because, as a government-sponsored cyber militia, the U.S. would be responsible for its actions. Models such as the forum, where members can act unilaterally, should not be used. The militia should have a skilled, vetted, and identified membership that is ready to respond and take part in cyber missions when needed. Following Ottis’ model, the militia should be comprised of sub-units that fulfill specific roles and perform specialized tasks. Some of these sub-units could be modeled after highly skilled cell militias and could perform very sensitive cyber missions. However, these cells would take direct orders from superiors and not coordinate activities amongst themselves. With this type of militia, the U.S. would also have opportunities to develop its forces through training and recruiting. Being that it is state sponsored, there would be government resources that could be used to develop and grow the militia through training and recruiting. Furthermore, this would make the militia sustainable over time, especially during periods of peace.

The cyber militia model suggested for the United States would also be applicable to law enforcement as it combats cybercrime. Instead of using it militarily to protect our nation, it could be applied on a more local level to law enforcement departments to protect civilians and civilian assets. Since the model follows a hierarchy with command and control coming from points of leadership, it is similar to what currently exists for law enforcement. However, in this case, members would be enforcing cyber laws. The same reasoning that supports the use of this model for a U.S. cyber militia also applies to law enforcement. Members who are a part of the militia should be skilled, vetted, and identified. Strict orders from superiors are required to ensure members act within the bounds of the law and not unilaterally. Different roles and assignments can also be given to different members and units. Leveraging this hierarchical model for law enforcement would present an effective and efficient way to combat cybercrime with a militia.

The fundamental concern when it comes to constructing a cyber militia in the United States is the actions of its members. (Lango, 2011) There are fears that members of the militia may act on their own accord and not under the direction of the United States. This calls into question the effectiveness of the command and control of a cyber militia. Although there would be a vetting process, in the heat of battle members may unilaterally feel that their actions are in the best interest of the country. These unauthorized actions will ultimately be attributed to the U.S. Not only can this cause unpredictable and undesired consequences such as escalating the conflict, it may be politically and legally difficult to assign responsibility to those accountable. (Lango, 2011) Without a truly effective command and control structure, the viability of a cyber militia in the U.S. is called into question.

The use of a cyber militia by the United States is being suggested to augment existing national defenses and help with the growing problem of cyber defense. One country, Estonia, has already taken the step to bolster its defenses with a cyber militia. However, for a country like the United States, it is not an easy step to take. There are many issues to be considered, such as the shape of the militia itself. Rain Ottis has suggested three models for cyber militias: the forum, cell, and hierarchy models. Each one has its own advantages and disadvantages, but the hierarchy model would best fit a cyber militia instituted in the United States. It could also be adapted and used along with law enforcement to combat cybercrime. In spite of the additional defense a cyber militia would provide the United States, many are still skeptical about its use. There is fear that command and control would be ineffective and members of the militia would act without the approval of the U.S. Unsanctioned cyber strikes have the potential to escalate ongoing conflicts with other countries. Furthermore, there would be political and legal issues with assigning responsibility for these actions. Consequently, the U.S. is unlikely to assemble a cyber militia anytime soon. Nonetheless, the need to strengthen cyber defenses will continue to be a topic of debate. Therefore, the U.S. needs to continue to explore all possible means of reinforcing its cyber defenses, including the controversial use of cyber militias.

References

Gjelten, T. (2011, January 4). Volunteer Cyber Army Emerges In Estonia. Retrieved August 1, 2011 from NPR: http://www.npr.org/2011/01/04/132634099/in-estonia-volunteer-cyberarmy-defends-nation

Lango, H.-I. (2011, June 14). Should the United States Create a Cyber Militia? Retrieved August 1, 2011 from Hegemonic Obsessions: http://hegemonicobsessions.com/?p=516

Ottis, R. (2011). Theoretical Offensive Cyber Militia Models. Retrieved August 1, 2011 from Cooperative Cyber Defence Centre of Excellence: http://www.ccdcoe.org/articles/2011/Ottis_TheoreticalOffensiveCyberMilitiaModels.pdf

03/2/12

ABOUT Getting Busted ONLINE

gAtO hAs - compiled this information to help you understand what is what in Cyberspace. Of course there are exceptions to the rules but this is a general guide to what is done and what cannot be done.


power is not only what you have but what the enemy thinks you have

MYTH: It’s easy for law enforcement to trace people online.

FACT: This is not so unless you take zero precautions. Bouncing off any kind of proxy will significantly hinder law enforcement. Bouncing off anything that scrubs and then forgets your IP address makes tracing you via the network nearly impossible once you have ceased sending traffic. Everyone who gets caught is caught by traditional police-work or by following a trail of logged IP addresses. While it is possible to carry out timing correlation attacks against low-latency networks such as Tor, these are only within the capabilities of intelligence agencies. There is no credible evidence to suggest that these capabilities have been used to identify hackers, warez groups or virus authors, and they will certainly not be used against ordinary peer-to-peer users.

MYTH: Uploading files anonymously is safe as long as my IP address is safe.

FACT: Traditional police-work (which Law Enforcement is very good at) includes examining meta-data of documents. Uploading files that can be linked back to you is a good way to get busted. Most ‘computer forensics’ focuses on retrieving data from hard-disks and scouring files for meta-data.

MYTH: My group will never be infiltrated.

FACT: This kind of thinking is what gets people busted. They allow incriminating information (this includes IP addresses) to leak to associates within a group. The group is infiltrated, and soon everyone is fucked.

MYTH: It’s safer to be a “reverse engineer” and crack without releasing.

FACT: You are more likely to be busted by being narced out by someone peeping over your shoulder than by being traced through BNCs by supposed FBI magic, and cracking on your own machine is still illegal in the USA (with a few narrow exemptions), regardless of how innocent your intentions are.

MYTH: Most traffic on the Internet is logged.

FACT: This is not even remotely true. Most traffic is not logged, because there is simply too much of it to be stored. The establishment of a connection to a server is generally permanently logged at the server, but rarely at the point of origin. Firewalls and routers are not going to permanently log ordinary-looking forwarded connections because there are simply too many of them. Some data payloads may be logged during transit and at the receiving end. If you go through three hosts on the Tor network, your packets travel through many routers, and are encrypted at each point. Most of the time, these packets are not logged anywhere anyway. There is no way for someone to practically follow your trail through all of these routers, and nor can your connections be logged at all of these routers indefinitely. You are most likely to be identified by going through several rogue, cooperating Tor nodes simultaneously, which is unlikely unless Law Enforcement takes over the directory server.

 - gAtO oUt 
02/28/12

FORENSIC IP-TRACING TECHNIQUES

WHAT YOU SHOULD KNOW ABOUT FORENSIC IP-TRACING TECHNIQUES

IP SPOOFING

Various logging schemes have been proposed by computer forensic researchers to make tracing spoofed IP packets easy for investigators. None of these have become widespread, though it would be trivial for your ISP to detect IP spoofing using egress filtering. This is typically done at the border of the network, so in a large network it would be difficult to determine the precise origin of quiet/short transmissions, particularly after they have ended.
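The egress filtering mentioned above is the anti-spoofing check described in BCP 38 (RFC 2827): a network forwards an outbound packet only if its source address belongs to a prefix the network actually assigned. Here is an added example (my own code, not from the post or any ISP) of that check in Python, run over a constructed batch of outbound packet headers; the customer prefixes use the RFC 5737 and RFC 3849 documentation ranges and the packet list is made up for the demo.

```python
import ipaddress

# Constructed example: the prefixes this access network assigned to its own
# customers (documentation ranges, not a real ISP's allocation).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def egress_verdict(src_ip, prefixes=CUSTOMER_PREFIXES):
    """BCP 38 style source check for a packet leaving the network: forward only
    if the source address lies inside a prefix we handed out."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop"  # malformed source address, never forward
    # `addr in net` is False (not an error) when the IP versions differ.
    if any(addr in net for net in prefixes):
        return "forward"
    return "drop"


# Constructed sample of outbound packet headers as (src, dst).
SAMPLE_PACKETS = [
    ("203.0.113.7", "198.51.100.1"),     # real customer host
    ("198.51.100.9", "198.51.100.1"),    # source claims a prefix we do not own
    ("2001:db8:1::5", "2001:db8:9::1"),  # real IPv6 customer
    ("10.0.0.1", "198.51.100.1"),        # private source leaking out
    ("not-an-ip", "198.51.100.1"),       # garbage header
]


def filter_egress(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        if egress_verdict(src, prefixes) == "forward":
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drp = filter_egress(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped (spoofed or malformed source):", drp)
```

The post's caveat about placement is the important design point: applied only at the border, the filter knows the network's aggregate prefixes, so a spoofed source inside that aggregate passes and the precise origin is lost. Applying the same check on each customer-facing interface (or enabling unicast RPF on the access router) narrows the allowed prefix per port, which is where spoofing is both cheapest to stop and easiest to attribute.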

US Cyber Labs - quis custodiet ipsos custodes

Noisy activities such as DoS attacks can be traced without infrastructure or ISP support by flooding upstream routers and observing the effect on the attacker’s stream. However, transient spoofed communications will remain difficult to detect until IP logging is implemented at intermediate routers.

Some forensic “experts” appear to be lacking knowledge about network protocols, making ridiculous suggestions such as appending unique router IDs to packets. Of course, these can be spoofed by any compromised router, falsely implicating uninvolved parties.

ENCAPSULATED TRAFFIC

Encapsulated traffic, such as proxies and IP over IP tunnels do not spoof source addresses, but rather scrub the source from packets at each bounce point. Long-lived connections can be traced by physically visiting (or compromising) each upstream bounce point. Dead connections can be traced if the next upstream bounce point is logged at the current bounce point. If not, the trail is cold.

Transient streams where the IP address is changed at each bounce point are at the very least difficult enough to trace that law enforcement won’t bother. Search the news; you won’t find any incidences of law enforcement tracking people down through bounces using amazing technical wizardry. This is not observation bias; law enforcement loves to toot its own horn about its supposed feats in fighting “cybercrime”.

END-TO-END ATTACKS

There is some speculation that various intelligence agencies are monitoring Internet traffic at the major ISPs. This is more or less to be expected. What is disputed is how this affects Tor’s anonymity. Certainly, if TCP handshakes are recorded and retained, then they could be used to retroactively identify Tor users and users of other encapsulated proxies. This is the timing correlation attack most Tor users have heard about. While this is a very real hole in Tor’s security, the fact is that it is still an expensive attack to carry out, requiring a great deal of data retention or proactive action on the part of the attacker. It is highly unlikely that this will be used on pirates in the near future. More than likely, these capabilities are reserved for counter-terrorism and monitoring of identifiable domestic groups the government finds objectionable. There is no credible evidence of a timing attack successfully being carried out on Tor.

SUMMARY

There is no credible information to suggest that LE are able to trace transient network traffic that has been bounced and scrubbed without fairly complete cooperation from all involved hosts, or massive data retention at the major ISPs coupled with advanced traffic analysis. There is little evidence of law enforcement utilizing any kind of advanced traffic analysis or timing attacks, though the situation may change in the future.

02/23/12

Syrian Electronic Army is Open to Hacking

gAtO SeEn- the news about Syria and the Homs murder of protesters, and this is a bad thing for the people of Syria and the dissidents. While Russia and China think about this, more and more killings have happened. So gAtO thought: what is Syria doing in cyberspace? gAtO jumped in and started looking, first at the Syrian Cyber Army website www.syrian-es.com – this is their main site. Now, with Google Translate, I started to read the site:

http://translate.google.com/translate?hl=en&sl=&tl=en&u=http%3A%2F%2Fwww.syrian-es.com%2F

As I looked over the site I noticed that they use Joomla 1.5. This is an older version of Joomla, full of holes and an easy hack. There is so much open on this site where you can get any of the scripts and look at the code, all this from any browser[1]. This is not rocket science.

Well, if the Syrian Army uses this version of Joomla, maybe some other government offices in Syria do:

www.raqqa.gov.sy/ar/index.php/local-news.feed

www.industrialbank.gov.sy/index.php?…91

www.uok.edu.sy/…/index.php?

www.reefnet.gov.sy/reef/index.php?

http://parliament.sy/

http://www.rtv.gov.sy/

http://www.addounia.tv/web/main.php

http://www.sana.sy/

Here are a few more sites that, yes, you guessed it, have the same Joomla 1.5 app running their websites. Knowing that this version has security holes, why would a government use it? My only guess is they started in 2008 and if something works, well, keep it. If this department uses this application, well, others will use it. The Syrian government is built on threats and intimidation, so anything that is accepted no one will call attention to it, under fear of reprisal; this is how all dictatorships work.

Now it comes to us, the rest of the world, to do something. gAtO contacted USSTRATCOM and Ya’akov Yehudi (Israel Security) to report this and I got nothing back from them, so what do I do with information that can help people from getting murdered and killed by an oppressive state? Well, here it is: I am publishing this information and hope that someone will pick this up and do something with it. It’s a moral thing that gAtO must do; I have seen murder and killings like this in my former country and I could do nothing at that time, so here it is, let the chips fall where they fall -gAtO Out

[1] Here are some links from their site and their CODE:

<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />

http://www.facebook.com/pages/%D8%A7%D9%84%D8%AC%D9%8A%D8%B4-%D8%A7%D9%84%D8%B3%D9%88%D8%B1%D9%8A-%D8%A7%D9%84%D8%A5%D9%84%D9%83%D8%AA%D8%B1%D9%88%D9%86%D9%8A/340192589337632?sk=wall

http://twitter.com/syriansoldier1

http://www.youtube.com/user/syrianes1

www.syrian-es.com/templates/jv-framework/favicon.ico

www.syrian-es.com/templates/jv-framework/themes/jv-melody/css/horizontal.css

www.syrian-es.com/templates/jv-framework/themes/jv-melody/css/vertical.css

www.syrian-es.com/templates/jv-framework/themes/jv-melody/css/accordion.css

www.syrian-es.com/templates/jv-framework/basethemes/css/typo.css

www.syrian-es.com/templates/jv-framework/themes/jv-melody/css/layout.css

www.syrian-es.com/templates/jv-framework/themes/jv-melody/css/template.css

www.syrian-es.com/templates/jv-framework/themes/jv-melody/css/css3.css

www.syrian-es.com/templates/jv-framework/themes/jv-melody/css/template_rtl.css

www.syrian-es.com/modules/mod_nice_social_bookmark/css/nsb.css

www.syrian-es.com/modules/mod_yt_content_slideshowii/assets/style.css

http://www.syrian-es.com/modules/mod_jvhotnews/assets/css/jvhotnews.css
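The generator meta tag quoted above is the kind of version disclosure a site owner should be auditing their own pages for: it tells anyone who fetches the page exactly which CMS release is running. The following Python script is an added example, not code from this post or from the Joomla project. It parses HTML with the standard library, pulls out the generator tag, and flags both the disclosure itself and any Joomla release older than a configurable threshold; the threshold value (2.5) and the sample HTML are constructed for the example and are assumptions, not facts taken from the page.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: the generator tag quoted in this post, embedded in a
# minimal HTML document so the script can run offline.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
<title>sample</title></head><body></body></html>"""


class _GeneratorParser(HTMLParser):
    """Collects the content of the first <meta name="generator"> tag seen."""

    def __init__(self):
        super().__init__()
        self.generator = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta" or self.generator is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")


def extract_generator(html):
    """Return the generator meta content, or None when the page has no such tag."""
    p = _GeneratorParser()
    p.feed(html)
    p.close()
    return p.generator


def parse_joomla_version(generator):
    """Return (major, minor) parsed from a Joomla generator string, else None."""
    if not generator:
        return None
    m = re.search(r"Joomla!?\s*(\d+)(?:\.(\d+))?", generator)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def audit_version_disclosure(html, eol_before=(2, 5)):
    """Audit one page for CMS version disclosure.

    eol_before is an assumed threshold for this example: any Joomla release
    below it is reported as out of support and in need of an upgrade.
    """
    generator = extract_generator(html)
    version = parse_joomla_version(generator)
    findings = []
    if generator is not None:
        findings.append("generator meta tag discloses CMS: %r" % generator)
        if version is not None and version < eol_before:
            findings.append(
                "Joomla %d.%d is below the assumed supported floor %d.%d; upgrade"
                % (version + eol_before)
            )
    return {"generator": generator, "version": version, "findings": findings}


if __name__ == "__main__":
    for line in audit_version_disclosure(SAMPLE_HTML)["findings"]:
        print(line)
```

Run it against your own site's HTML (saved from a browser or fetched with your usual tooling) rather than someone else's; the point is to catch the disclosure before an outsider does, and then to remove the generator tag from the template and upgrade the CMS.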

02/16/12

PennTest Threat Intelligence

PennTest Threat Intelligence - part-1

gAtO bEen ThInKiNg - In the hyper-connected world we live in, pen-testers have a lot on their hands: hardware, firmware, OS, web apps. The fact is that a simple web-app upgrade may open new holes that offset the problem they had to begin with. A pen-test is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders. Who are the outsiders? How do the outsiders pen-test your system? Non-state actors have played an important part in many international cyber conflicts in the past two years: game changers. With the Anonymous crew(z), China, Russia, India, and Iran out in force in cyberspace, a company needs to know if they are a target from a political or competitive angle, or worse yet from a lone wolf or activist.

Many think that with BackTrack anyone can be a tester, but it’s different today. Companies need to understand the geopolitical aspect of their company, who their markets are, and how that plays out in the real world. Look at Sony and HBGary: these are two different companies, but their reputations have been tarnished by what, a bunch of kids? Naw, these boys and girls are the new breed: smart, educated and connected. These people are system admins in their day job and Anonymous during off-hours. They know how to work in the box and also see out-of-the-box tips and tricks, and have thousands who want to try their game and imitate them. Whatever you think, these new boys and girls will multiply. It’s a fad, a movement, but they all want to be cool hackers, and the next generation of hacktivists will make these people look like amateurs.

Who knew that a Low Orbit Ion Cannon (LOIC), used to test how many connections your server will handle, would be used by the attackers themselves? A long time ago in cyber years (2-3 years ago) only the geeks had the knowledge and skills to do some of the hacks that we see today. Today Anonymous is not only a social movement but a cause célèbre; people want to belong, and these social 4chan outcasts have started a revolution in cyberspace that governments and corporations now are worried about, and well they should be.

Break out BackTrack and do some pen-testing, and yes, you may find misconfigured servers like gAtO hAs (SCADA systems to boot) and such, but if you can see what your enemy is looking at and planning, nothing is better than threat intelligence to guide you in mitigating future attacks against your company.

Look at the RSA and DigiNotar APT attacks: the bad guys went after the certificate authority. How do typical pen-test tools know that? They don’t. If you don’t have your pulse on the game you’re in, you may be next.

Remember, the technical aspect is one thing, but if you have many, many hands trying new things on your site, guess what: they will hack you if you’re connected to the Internet. Your company cannot live in a bubble and so must expose itself to customers, vendors and business partners; your company cannot control all those aspects. A simple email attachment to the C-suite boys, just like with the Nortel hack, and they got you big time; in Nortel’s case they were inside the network for 10 years. The reputation, the technical, all this means nothing if you don’t have good solid threat intelligence to know what’s going on in the world.

If you don’t have a team to look at threat intelligence for your company, get some people fast. If you’re connected you can be hacked; learn and be silent – Can’t stop the signal. Everything goes somewhere, and I go everywhere…. -gAtO oUt

02/12/12

Cyber Iran

gAtO hEaR- In Iran the nation’s telecommunications ministry announced in early 2011 that it would disconnect Iran from the rest of the world and run a parallel internal service (an “Islamically permissible ‘halal’ network”) that would automatically censor material and block popular global sites. In Iran two-thirds of the country’s 78 million people are under the age of 35, and about 40 percent of the population have Internet in their homes, according to Internet World Stats, making Iran one of the highest per capita cyber-connected populations in the world. Iran has a population of about 77 million people, about 53% of the people are on the Internet, and not one of them is a Facebook user. In nearby Jordan they have 1.7 million users and 1.6 million of them are on Facebook.

Stuxnet was deployed and stopped their nuclear weapons program. Two leading scientists were killed; Iran blames Mossad and the CIA. Iran is spending billions on cyber hardware. Arab Spring. Iran took down U.S. drones. Iran threatens closing down the Straits of Hormuz. Iran claims a new Cyber Army is ready for war in cyberspace.

Now, with the March 2, 2012 parliamentary elections, officials of Iran’s Judiciary have announced “new limitations” on using cyberspace and publishing content on the Internet. A task force of 250,000 cyber police currently monitors the Internet, specific sites, blogs and individuals suspected of using circumvention tools. Israeli intelligence officials have revealed that they believe Iran has, in the last few years, spent over a billion dollars to upgrade its cyber war capabilities.

Iranians have friends like Venezuela and the China-based Huawei corporation, which is being investigated by senators like Rhode Island’s Sheldon Whitehouse (“gAtO knows Senator Sheldon Whitehouse; he is one of several leaders that understand the complex cyber security issues”) for supplying critical cyber infrastructure to Iran while it supplies equipment and supports Top Secret (TS) DOD projects. This is clearly a violation when a communist country is providing TS support to our government, and we hear that some of the equipment may have digital backdoors into the infrastructure, defeating all virus scanning software. On the other side of friendships, Univision uncovered Iranian and Venezuelan diplomats working on launching cyber-strikes against energy facilities and other U.S. assets (NYT 12-13-2011).

Iran’s leaders saw what the Arab Spring brought down last year, and they see the parliamentary elections in March as the most sensitive in the history of the Islamic republic, and they will do everything to control it. Because of the March 2 elections, Iran has ordered all Internet cafes to have cyber security monitoring software installed and functioning by Jan. 18. The monitoring includes requiring a user to provide full name, father’s name, Iranian identification number, zip code and telephone number, in addition to presenting photo identification. The laws require cafes to install closed-circuit surveillance cameras that must be checked at the end of every business day. Cafes also must keep records of all websites and browsing history, along with surveillance tapes, for six months.

The new restrictions forbid cafes to allow the use of any circumvention technology, such as Virtual Private Networks (VPNs) or proxy servers, the devices Iranians typically use to access blocked sites.

This latest attack on Internet users comes amid increasing tensions between Iran and the West and deteriorating economic conditions, as the Islamic Republic preemptively prepares for possible civilian unrest during its parliamentary elections. The Iranian people use tools like Tor to circumvent authorities and get their message through, even though these free Tor networks are getting hammered by the Iranians trying to take them down or get the information of the dissidents.

Let’s support these projects and keep Freedom of Speech open in cyberspace -gAtO oUt.

References:

Internet cafes to install surveillance cameras

U.S. Expels Venezuelan Diplomat Reportedly Involved in Cyber Attack Plot: http://www.nti.org/gsn/article/us-expels-venezuelan-diplomat-reportedly-involved-cyber-attack-plot/

Parliamentary elections in March seen as the most sensitive in the history of the Islamic republic: http://www.guardian.co.uk/world/2012/jan/08/iran-upcoming-parliamentary-elections-march

Huawei’s Work in Iran May Violate U.S. Sanctions, Lawmakers Say: http://www.businessweek.com/news/2012-01-10/huawei-s-work-in-iran-may-violate-u-s-sanctions-lawmakers-say.html

Iran blocks Tor; Tor releases same-day fix: https://blog.torproject.org/blog/iran-blocks-tor-tor-releases-same-day-fix

Iran’s strict cyber regulations lay groundwork for ‘halal’ network: http://www.foxnews.com/world/2012/01/11/irans-strict-cyber-regulations-lay-groundwork-for-halal-network/

Iran Sets Cyber Crime Policy ahead of New Elections: http://www.stopfundamentalism.com/index.php?option=com_content&view=article&id=1299:iran-sets-cyber-crime-policy-ahead-of-new-elections&catid=70:iran-uprising&Itemid=80
