11/7/12

FEMA Cyber alert for Storm

gATO got- this email from FEMA after the election that’s pretty cool for government – gATO is the first to bItCh and mEoW about Governments – but Good Job Cyber FEMA….- gAtO OuT

Community Preparedness e-Brief

Follow us on Twitter for preparedness tips and announcements!

Nor’easter Impacting Areas Still Recovering from Hurricane Sandy – Ensure You Are Prepared

A Nor’easter is approaching the northeast today, including those areas still recovering from Hurricane Sandy. This Nor’easter is expected to bring strong winds, rain and even snow throughout today into Thursday. As the storm makes its way up the coast, we are asking you to do the following:

  1. Read and share this email;
  2. Visit http://www.ready.gov/winter-weather;
  3. Like and share FEMA’s Facebook page posts;
  4. Follow and retweet @ReadyDotGov tweets; and
  5. Download and share these useful apps: FEMA – Android, Apple, Blackberry

Given the power has not yet been fully restored in some areas, state and local governments are opening warming stations in anticipation of the Nor’easter. To find more about these warming stations and other open shelters, visit:

New York State

www.dhses.ny.gov/oem/

www.nyc.gov/html/misc/html/2012/warming_ctr.html

 

New Jersey

www.nj.gov/nj/home/features/spotlight/hurricane_sandy.shtml

www.nj211.org/hurricane.cfm

 

Connecticut

www.ct.gov/sandy

For those within an area expected to be impacted by this current storm, below are some simple steps one should take now to prepare:

  • Follow the direction of local officials – if told to evacuate, listen to the direction of your local officials and evacuate immediately.
  • Know the forecast for your area – listen to your NOAA weather radio and local news reports, or visit weather.gov for conditions in your area.
  • Check on your neighbor – make sure they are also prepared for the weather.
  • Have an adequate communication plan – be sure friends and family know how to contact you. Text messages can often get around network disruptions when a phone call might not get through.

FEMA continues to support both recovery operations as a result of Hurricane Sandy as well as preparedness efforts associated with the Nor’easter. Additional commodities including food, water, blankets, and generators are currently being delivered to distribution points across the region impacted by Sandy. FEMA is also pre-positioning even more resources and supplies for its state and local partners to respond, if necessary, to the Nor’easter.

Community Relations Teams are on the ground, going door-to-door, letting individuals know how to register with FEMA for financial assistance and how to prepare for the upcoming storm. More than 277,000 people have applied for financial assistance, and more than $250 million in assistance has been approved.

Prepare for hazards in YOUR area

Although you may not be in the path of this forecasted storm, now is a good time to review the potential hazards where you live. Knowing likely risks for your area, whether snow storms, earthquakes or tornadoes and knowing what to do when a disaster strikes is a critical part of being prepared and may make all the difference when seconds matter.

Local emergency management offices can help you identify hazards in your community and can outline the local plans and recommendations for each. Be sure to share this information with family, neighbors, colleagues and friends – talking about preparedness helps everyone be ready, “just in case.” Use the links below to make your family, business and community safer, more resilient and better prepared for any disaster event.

For further information regarding these safety tips or other post hurricane safety recommendations, visit www.fema.gov or www.ready.gov.

We want to hear your suggestions on how we can improve our communications to you, be sure to email us at citizencorps@dhs.gov.

 

11/4/12

FBI and Cyber-Security oxymoron

gAto rEaD -The FBI is planning to have a geek squad to look for the coders of Botnets -WRONG: they should go after the Bots and c&c already online—

Kevin Mitnick discounted the FBI’s plans to build a “cadre of specially trained computer scientists able to extract hackers’ digital signatures from mountains of malicious code.” – Kevin knows that hackers trade code and pick / slice and dice functions and code in hacker sites.

gAtOmAlO sAy’s

Some sites train n00bs – newbie bot-masters – and send them out; they get caught, and the commercial ones, the ones that learned and survived, share the knowledge.

“The signal goes everywhere and so do I” -gAtOmAlO -

We can’t stop the knowledge and we can’t stop the coders; new ones come and go every day – some quit and new ones start. Code is a function and the same function can be written in so many different ways.

Crunch away, FBI scientists, while new FUD masks the next wave of bot-nets: with a simple variant of Zeus or SpyEye you’ve got a new bank attempt. They are all free in the wild, so anyone that wants the code gets it free…. check YouTube, guys: “How 2 Zeus”

If you want to go after the bot-nets you work with the front lines: ISPs and system admins – if only the FBI would tap into the FREE information that is available from some of the best minds. Just ask us and we will help. I hear Panetta scream “Cyber 9/11” – come on – if we need cyber security people, just go on LinkedIn and pick, and ASK US; we will help in ways that you have no idea.

Crowd-source problems into the web and see who comes up with a solution to a problem – we have so many new ways to use the masses of people in cyberspace and social media to help and protect not just our country; we can help any other country as we learn more about cyber security. We are your biggest problem and your biggest solution to the cyber security problem…

Sorry, gATO’s dealings with the FBI and the lack of respect they give people that help them make me sick. But keep on keeping on, FBI – and the rest of the White Hats – don’t you see, open your eyes… we’re here to help -gATO OuT

FBI cybersecurity shift draws skepticism from experts

Kevin Mitnick, the former hacker turned security consultant, is one who doubts focusing on criminals rather than attacks would slow them

http://www.csoonline.com/article/720331/fbi-cybersecurity-shift-draws-skepticism-from-experts

10/31/12

Happy Satoshi Nakamoto -Bitcoin- Day Nov 1

gAtO wAs- thinking about one of my heroes, SATOSHI NAKAMOTO. Only 4 years ago, on November 1, 2008, he posted the research paper describing a new digital currency called BITCOIN. He cracked the problem that had stumped cryptographers for decades: a DIGITAL CURRENCY, convenient and untraceable, with no oversight from any government or bank.

STOP RIGHT HERE -money $$ with – NO GOVERNMENT  – NO BANKS

gAtO’s –> gAtOmAlO sAy – I am Satoshi Nakamoto

Ecash was the first, as early as the 1990’s, but they failed because they relied on governments, banks and credit card companies. Banks and governments own us: the bank owns the house that you’re paying off, and you pay taxes on your property while the bank owns it. We all pay interest and the bankers live only for interest.

As anyone can see it’s in the best interest of all banks and governments that all worldwide digital currencies fail, unless they control them. It’s NOT only numbers, math and cryptology that make these bankers shake in fear, but losing control of people’s money. Who wins? The people, immune to the printing-press-happy Federal Reserve bankers having all the control. The bankers cannot control this new digital currency, controlled by people that have nose rings -/ so they vilify these people -/ cyberpunks that spread the word of their guilt. They make Bitcoins evil – Wikileaks is evil – the scum in the black market like Silk Road and Black Market Reloaded use it, so it’s evil – with your logic all Bitcoin is evil.

So congressman, senator, when you paid that hooker on our tax dollar, when you paid the young man from Ohio – the swing state – to have sex with you, the US money you used is as EVIL as Bitcoin because it was used in an evil crime…. Evil is evil, money is money. Simple to gATO; sorry, I rage—-

Political pressure has been paid for by the bankers: people like Senator Schumer, whom I used to like, SCREAMED at the DEA to SHUT DOWN Silk Road, which he called “the most brazen attempt to peddle drugs online that we have ever seen” – yeah, Silk Road is still ONLINE last I checked. I guess the DEA can’t mess with cryptology and math. It’s science, guys; it’s basic and simple and elegant and it works. The Tor onion network uses math and cryptology and it works, so why can’t a digital currency like Bitcoin work?

BITCOIN CANNOT WORK – it’s beta software, boys and girls – SATOSHI told us before he disappeared (2010) as he appeared, “in mystery”. SATOSHI is a cult hero, “invisible and anonymous” – he warned us when he saw Wikileaks use Bitcoins as a donation tool (this was the introduction of BITCOINS to the whole wide world) that it was still too early (Bitcoin was only 2 years old at the time). SATOSHI’s final words were “Bitcoin is pocket change (21 million max Bitcoins); the heat you bring (from the exposure to the governments and banks and the world) would likely destroy us at this stage”.

SATOSHI was trying to warn us that the software Bitcoin is only the beginning of digital currency. As gAtO sees it in his loco-world mind view —/ if the people control their own money, next the people will want to govern themselves, and THEY have seen the effects of the Arab Spring and other cases where “the people” took their country back from corrupt politicians. Follow the DIGITAL currency – gAtO oUt

10/25/12

The deep Dark Web -Book Release

gATO hApPy

AVAILABLE @ AMAZON - http://www.amazon.com/dp/B009VN40DU

AVAILABLE @SmashWords website  @http://www.smashwords.com/books/view/247146

I learned that I hate WORD: – but it’s the general format for publishing - text boxes get embedded and you can’t format to EPUB or .mobi or anything - the solution, after going lOcO gAtO, was copy and paste into a txt editor – save as RTF, then copy and paste back into a new WORD document and then reformat everything from scratch – and copy over the pictures – as you can tell I had fun-..-ugh mEoW F-F-F-F, as much fun as a hairball, but if it gets the message out “FREEDOM OF SPEECH IN CYBERSPACE” then we’ve done our job. Anyway, I hope you read it - Thank you Pierluigi, the best friend a security gAtO ever had - gATO oUt

This book covers the main aspects of the fabulous and dangerous world of “The Deep Dark Web”. We are just two cyber specialists, Pierluigi Paganini & Richard -gAtO- Amores, with one passion and two souls; we wanted to explain the inner workings of the deep dark web. We have had a long collaboration in this effort to document our findings; we made infiltrations into the dark places inaccessible to many, to give you, the reader, a clear vision of the major mystery of the dark hidden web that exists today in the Tor Onion network.

The Web, the Internet, mobile cell devices and social networking have become commonly used words that identify technological components of the daily Internet user’s experience in cyberspace. But how much do we really know about cyberspace? Very, very little: Google / Yahoo / Bing only show us 20% of the Internet; the other 80% is hidden to the average user unless you know where to look.

The other 80% of the Internet is what this book is about: the “Deep Dark Web”, three words with millions of interpretations, a mysterious place on the web, the representation of hell in cyberspace but also the last opportunity to preserve freedom of expression from censorship. Authorities and corporations try to discourage the use of this untapped space because they don’t control it. We, the people of the free world, control this network of Tor Onion Routers run by volunteers around the world.

The Deep Dark Web seems to be full of crooks and cyber criminals; it is the hacker’s paradise, where there are no rules, no law, no identity, in what is considered the reign of anonymity, but this is also the reason why many persecuted find refuge there and have the opportunity to shout their inconvenient truths to the world.

The Deep Dark Web is a crowded space with no references, but in reality it is an unimaginable mine of information, a labyrinth of knowledge; in the book we will try to take you by the hand to avoid the traps and pitfalls, hopefully illuminating your path in the dark.

Cybercrime, hacktivism, intelligence and cyber warfare are all pieces of this complex puzzle in which we will try to make order. Don’t forget that the Deep Dark Web has unbelievable opportunities for business and governments; it represents the largest on-line market, where it is possible to sell and acquire everything, and, dear reader, where there is $money$ you will also find banking, financial speculators and many other sharks.

Do you believe that making money in the Deep Web is just a criminal prerogative? Wrong: the authors show you how things work in the hidden economy and what the future perspectives of its digital currency, the Bitcoin, are.

This manuscript presents both faces of the subject: it illustrates the risks but also the legitimate uses of anonymizing networks such as TOR, adopted by journalists to send their file reports before government agents can censor their work.

Here are some questions we may answer:

How many people know about the cyber criminals and their ecosystem in the deep web?

How many have provided information on the financial systems behind the “dirty affairs”?

How do law enforcement and governments use the Dark Web?

Hold your breath and start the trip into the abyss of knowledge to find answers to the above questions. We hope that with this book you can learn something new about The Deep Dark Web.

10/18/12

Tor hidden service secrets

gAtO fRiDaY 10-18-2012 update – hey, you want to see a secret hidden service?

Creative Hack – http://2kcreatydoneqybu.onion 

On top of this the name is custom – so that took extra time and effort – and the site is real when you have their secret token — https://ahmia.fi/pagescreenshots/2kcreatydoneqybu.png

Here you can take a look at this site anyway – try to extract any information from this secret Tor website – you can’t see any source code, so you can’t make it error to extract information. I asked a friend that’s a pen tester to check this out – if anyone can extract any information please let me know –gAtOoUt

gAtO fRiDaY - sound off! - As I play with my new Tor hidden service – “OK, just an Apache website running https: a static site, right now” – what we know is that a Tor hidden service stays hidden until you send someone your .onion URL (example: otwxbdvje5ttplpv.onion); now once you know the URL you have access to the site. You may have to log in like on most bb sites, but at least you reached the hidden service and now you can do stuff.

While looking at the torrc file settings I found a little secret: with the HiddenServiceAuthorizeClient tag on the (server) side and the HidServAuth tag on the (client) side -// your hidden service is now INVISIBLE to everyone except the people that have a secret key installed in their “torrc” client file. In plain talk -

1. I put a special key on my hidden server – torrc file – HiddenServiceAuthorizeClient
2. Generate a new key for the client side – “what_ever_bcuuw46b3heyy”
3. Send keys to the secret agents that can see or access the site – HidServAuth
4. Only the people with my KEY can get to the front door of my hidden service – torrc file HidServAuth

This makes it hard to find the hidden service even if you have the URL: it does nothing, no source code like a normal website. I ran into a few of these and had no clue why these sites behaved the way they did. I can pick apart most websites; at least from basics like html, asp, js, java directories you can glean all kinds of information. But if you hit one of these sites in Tor, well, it’s a big 0 -zero-.

With my TDS project (Tor Directory Scan) I am generating onion URLs from A-Za-z 2-7 and going out to scrape them and get some basic information about the site with a basic web crawler that grabs METADATA and not just links to other pages. If I hit these sites with my basic program I’ll get a dud -zero- but I will have a hit of sorts. I hope to catch some of these sites – we all know the rcp command works well in Tor sometimes, I found, and httrack is another tool for sucking up sites, be they hidden services or not – these secret hidden services will be very interesting in the scan -gATO oUt

— Tor Syntax

HiddenServiceAuthorizeClient auth-type client-name,client-name,…
If configured, the hidden service is accessible for authorized clients only. The auth-type can either be ‘basic’ for a general-purpose authorization protocol or ‘stealth’ for a less scalable protocol that also hides service activity from unauthorized clients. Only clients that are listed here are authorized to access the hidden service. Valid client names are 1 to 19 characters long and only use characters in A-Za-z0-9+-_ (no spaces). If this option is set, the hidden service is not accessible for clients without authorization any more. Generated authorization data can be found in the hostname file. Clients need to put this authorization data in their configuration file using HidServAuth.


HidServAuth onion-address auth-cookie [service-name]
Client authorization for a hidden service. Valid onion addresses contain 16 characters in a-z2-7 plus “.onion”, and valid auth cookies contain 22 characters in A-Za-z0-9+/. The service name is only used for internal purposes, e.g., for Tor controllers. This option may be used multiple times for different hidden services. If a hidden service uses authorization and this option is not set, the hidden service is not accessible. Hidden services can be configured to require authorization using the HiddenServiceAuthorizeClient option.

10/14/12

Pierluigi Paganini – Cyber Weapons – Cyber Threat Summit 2012

Excellent presentation from Pierluigi at the ICTTF Cyber Threat Summit 2012. Apologies for the microphone problems (some twat in the audience was using a frequency jammer). The rise of Cyber Weapons and the relative impact on cyber space. Well worth a watch.

Pierluigi can be found at http://securityaffairs.co/wordpress/. He is the co-author of the new book

The Deep Dark Web – coming soon

09/24/12

Dark Heart botnet ToR-C2 BULLET proof server collector

gAtO fOuNd - this –// it’s a crook selling to crooks; take it at face value -/ but it does have some interesting ideas on what is out there in criminals’ hands and what is going on in the dark web. Now these 10,000 – yes 10k – bots can work in the clearWeb as well as the Tor and i2p anonymized networks, which should cause some concern because normally we don’t monitor them. Tor Domain-flux for both clearWeb and Tor – (Tor Domain-flux – this is so easy to do but it’s a big feature) – VPN then Tor, which will make it harder to find the botMaster. But the coolest feature is the i2p connection. Sorry boys and ladies but Tor is getting old; i2p is beginning to glow and it’s a little different but very safe. It goes after (scanning) WiFi and GPS tracking – so people, sync your phone data to your computer’s data please… C&C and // one- BULLET proof server collector -

It’s not very hard to do this but – C&C and // one- BULLET proof server collector – is the sales pitch anyway. I have obfuscated some links and names – find it yourself – I know gAtO can build this, so anyone can with some light reading – that comes out to .80 cents per bot for 10,000 bots – one c&c panel for $8,000 bucks – pretty cheap – oh yeah, the readme comes in English too.

This modified Dark Heart bot and c&c in Tor? i2p? 256 AES encryption – we already have reports of it by different names, but this was posted around Aug 7 2012. Here is the –/ poor man’s Tor Domain-flux: it is so easy; when you generate a hidden service it produces a key for your address in Tor onion land / just move the key to another directory and generate your new key and so on and so on… Some of this is really well thought out —/ but I don’t trust anyone and it’s so easy to build from scratch - gAtO oUt

—— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ———

Dark Heart botnet— NOT – for sale $8000

Run on windows clients – I need 3 C&C server IP addresses to hardcode and obfuscate

bot coded in assembly no dependencies

Each build has a maximum of 10k bots to avoid widespread av detection.

Basic bot uses socks5.

built in ssh client

(fast-flux)

Bot is built with 30k pre generated 256 bit AES keys.

1 256 bit AES key for logs

1 256 bit AES key ssh

1 256 bit AES key socks 5

hwid it selects a pre-generated key 256 bit AES key.

Bot writes encrypted data into common file using steganography process injection

Download/Upload Socks5

Bot sends data to a collector bot via socks5 through ipv6 which makes NAT traversal a trivial matter.

Using ipv6 in ipv4 tunnel.

Collector bot assembly /tor and i2p Plug-ins C++ /Assuming 10k bots

Bots will be assigned into small groups of 25. And are assigned 400 collectors bots which is evenly 200 tor and 200 i2p.

Collector packages the encrypted logs and imports them into a .zip or rar archive and uses sftp to upload through tor to a bullet proof server. Note the Ukraine is best known.

(Domain-flux .onion panel can be easily moved)

Using a Ubuntu Server on bullet proof server. / Using tor and Privoxy. Panel can be routed through multiple cracked computers using proxychains and ssh. / Server uses a simple .onion panel with php5 and apache2 and mysql. You might ask what happens if bullet proof server is down. The collector bots can be loaded with 5 .onion panels. If panel fails for 24 hours its removed from all Collectors and bot will go to the next one and so forth. A python Daemon runs and unzips the data and imports it into a mysql database where it remains encrypted.

The bot master uses my Dark Umbrella.net panel to connect to the remote Bullet Proof server through a vpn and then through tor using ssh to run remote commands on server and sftp to upload and download. Running tor through a log less vpn through with a trusted exit node on the tor network. .net panel connects to mysql database; database is decrypted on .NET panel (Note most real Bullet Proof hosting is not trustworthy; this solves that issue) and imported into a local .mdb database. Then later the bot Master should encrypt database folder on true crypt. Commands are sent to bots individually rather than corporately like most bot nets. This allows for greater anonymity. It will be possible to send commands corporately but strongly discouraged. Collector bots download and upload large files through i2p.

1.Connects remotely to rpc daemon through backconect and simplifying metasploit (Working)

2.Social network cracker. (Beta)

3.Statics. (Working)

4.Anonymity status. (Working)

5.Decrypt-er. Decryption codes in highly obfuscated.net limiting each build to 10k bots. (Working)

6.Daemon status (Working)

7.logs (Working)

8.Metasploit connects via rpc. (working)

9. GPS tracked Assets by Google maps and using net-book with a high powered external usb wifi antennas.

Starts an automatic attack if wep; if wpa2 grabs handshake. If open starts basic arp spoofing attack. Common browser exploits. (alpha)

10.Teensy spread. (in development)

11.vnc back connect. (working)

12. Advanced Persistent threat. Fake Firefox, Fake Internet Explorer, Fake Chrome. Fake Windows Security Essentials. (in development allows for excellent custom Bot-master defined keyloging)

13. Dark search bot index file is downloaded allowing easy searching of hard drives. (Working)

14. voip logic bomb. bot computer is sent via a voip call file once played through voip the microphone hears mp3 file and the dormant payload is activated in bot that is the logic bomb. (Extra- Alpha)

Each Panel is hwid

1 unique build per Copy embedded into panel.

Everything is provided in English only manuals for setup: you need 3 servers for C&C and // one- BULLET proof server collector for -/ everything is working and can be setup within hours: Only serious players -  for sale $8000 -bitcoin – (obfuscated )1A9nBLgdhf4NJadXiBppqqU96AhbMBQrgV -

—— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ———

 

08/31/12

p2p Bot-net architecture in Tor -unstoppable

gAtO has been doing some research in botnets and found out some cool things. The basic IRC, http, p2p and twitter botnet architectures and bots are becoming easier to find and use; tutorials and videos are all over the place and in any language. So the task of becoming a bot-master is easy. Bots can be used for good also, but nobody wants to hear about that… Imagine bots being used with Amber alerts or other emergency tools where thousands of computers are needed; bots can be used for good things too.

Botnets are a big problem: they allow anyone to have thousands, millions of computers at their beck and call; a kid in a basement, or an enemy of the state, these bots are a real danger. These bots have 4 different attack vectors:

Kinetic – Distribution – Information – cyberTools

kinetic – zombie computers are used to DDoS a site or for click-fraud advertisement scams.

distributors – sending spam email (Adware/Spyware) – infecting other computers – co-workers, friends and families

information – keylogger, data exfiltration, key stealing from games – for sale $$ – email, social network — friends — banking – PayPal – work – corporate spying and IP (intellectual property) plus emails of co-workers, friends and family.

cyberTools – we see bots become DNS servers, c&c servers, infection distribution servers, proxies, Tor (exit/entry) nodes or just an ftp site for storage.

I have seen lots of different bots but only four (4) basic types of botnet Command and Control (C&C) architecture: IRC (Internet Relay Chat) based, HTTP (or Web) based and P2P (Peer-to-peer) based – and now Twitter-controlled botnets.

Today’s bots can be used in intelligence gathering, monitoring and surveillance, with the ability to turn on the webcam and microphone and record without the victim knowing, which makes them even more dangerous; and any digital cell device is hackable.

Here is a new one for me: a private Twitter account is being used as the (C&C) command and control for bots. Once the bots are installed in the machine they go out and friend their botMaster; the botMaster accepts the friend and now sends coded messages that are the commands for the bots. This is pretty cool, and since it’s Twitter it’s kind of a normal communication tool, even on business machines; groups use Twitter all the time to communicate.

In my research I found bots and videos, tutorials and everything I need. On top of that we have Tor and other anonymized networks (custom Tor networks) for these bots to communicate untraceably, so they cannot be found.

Here is where the metal hits the road, because in this environment the p2p botnet architecture used with Tor would be an unstoppable solution, and it’s becoming reality today: I included a thread from a hacker site in Tor discussing this very subject //.

These are some of the bots I found free source code for, to play with -

G-Bot 1.7 Ddos-Bot – Zeus 2.0.8.9 – ClientMesh 4.0 – DarkComet 5.3.1 – BlackShades 4.8 – SpyEye 1.3.45

Below are some of my notes on this I hope they may help - gAtO oUt 

botnet basics

There are basically 3 types of botnet technologies. The first botnets started back about a decade ago with IRC bots;

IRC is more of a continual connection at all times.

IRC – HTTP – P2P – note p2p is the best: meshed, no central C&C

With HTTP botnets you can communicate async – things can be scheduled, like a meeting: you log off and do the work, then at a pre-arranged time you call home (C&C) and check in with mamma.

Then you have p2p botnets; they have no central C&C, so it is much harder to find the source and kill it.

Here we see where some of the bots may become proxies or some units may be used to cascade out spam interactions; one may also become a download location, one a DNS server. The key thing to take away from peer-to-peer networks is that it’s very difficult to take them down because of their mesh network. There is no central point of failure; it’s a simple file sharing protocol.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  p2p Tor Bot -message hacking board in Tor-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

http://clsvtzwzdgzkjda7.onion/viewtopic.php?f=17&t=7657

Hey guys, just thought I would leave a thread here to announce a new bot that I am working on at the moment, Kronos.

Kronos is an http bot that runs through tor, each bot will launch its own tor process and then connect to your panel (which is a hidden service) using tor.

Current Features

  • The bot will act as a hidden service on the tor network
  • Socks5 proxy. Because of the above feature you are able to connect to the bot and use it as a proxy through tor, this removes the need for the bot to use upnp to open a port for you to connect through as tor handles NAT traversal by having the server connect out to the network itself, meaning there are no incoming connections. You can read here for more if you don’t already know how this works https://www.torproject.org/docs/hidden-services.html.en
  • Torrent seeder, not a shitty seeder that adds torrent files to the users torrent client, bots will work as real torrent clients.
  • Various flooding abilities (useless in my opinion)
  • Form grabber
  • Possibly mailing capabilities

I am also playing with some p2p code

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-hacking board in Tor=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

// So now that we know a bit about botnets, let’s look at how they can make a profit for the criminal; below I listed some of the stuff that you can harvest from your botnet empire.

Revenue Generated

Spam

Adware/ Spyware Scare-ware

Crimeware – Keylogger, data exfiltration, key stealing from games -for sale $$ – email, social network — friends — banking – payPal – Work -Corporate spying and IP plus emails of friends and work buddies..

Clickfraud

Phishing

Proxies

Ddos

http://www.youtube.com/watch?v=RsDtlqT4Zd4 Zeus BotNet Tutorial 2012

http://www.xylibox.com/2011/08/cracking-spyeye-13x.html SpyEye Tutorial 2011

 

08/6/12

Anti Forensic Tales from the gAtO

gAtO iS -a gRaY hAt thinker- so the forensic investigation world looks different to me than to normal people; let me explain. On LinkedIn I am having a great discussion about offensive security, going after the people that hacked you, and it’s overwhelming: the white hats play by the rules. gAtO is happy with that for 2 reasons: one, I am glad that people in this profession have honor, integrity and do the right thing; that speaks volumes for our field. The flip side is that out-of-the-box thinking is not included in the security mindset, so bad guys can get around things better because they don’t follow the rules. The rules are our guide for civilized interaction in cyberspace, but we need to look at the gray area where most bad guys operate.

“power is not only what you have but what your enemy thinks you have”

First off, in any forensic investigation the first thing that you go for is the firewall logs and/or every log that you can get your hands on to find the attackers on your network. The bad news with new encrypted network protocols such as the Tor .onion network: my entry point is useless to an investigator; unless you have access to my exit node you really cannot find my IP, let alone behind a VPN or, as the saying goes, behind 7 proxies.

Hackers sometimes leave digital breadcrumbs for the forensic investigator to extract all kinds of information about the attacker, so overwriting metadata on everything I leave behind is a simple deterrent to you finding my whereabouts, what version of Word I used, or my user name and a few more details – metadata leaks so much information about users, unknown to the average Jane/Joe. When we turn this around and apply metadata scraping to my target’s corporate website, I can get all sorts of information: user names, directory structure, email, and all sorts of information can be gathered by attackers doing reverse forensics on the target. This is why anti-forensics is such an interesting subject and we are only scratching the surface.

If we get into your system we can make sure that we do secure data deletion on any device that stores information that I play with, including the logs if I can. I just make sure that I follow a protocol like the DoD 5220.22-M data deletion standard, and you will be hard pressed to find anything I left behind. One thing I may point out: today's hackers use misdirection, and anything left behind could be something to throw your investigation off. I may misdirect and leave digital breadcrumb tracks back to where I want you to go, to blame my enemies or a friend -mEoW. This is a newer pattern that has surfaced among hacktivists today.

One of the new defensive postures is to let cyber-criminals steal decoy files.

Of course, if we do write something onto your devices I will make sure it's encrypted (e.g. AES-256); today there are so many ways to encrypt data or obfuscate my code to make life really hard for investigators. Add steganography to the mix and it's a whole new game: it may make it more challenging for you, but it will hide my actions very well. The advantage of steganography over cryptography alone is that messages do not attract attention to themselves. Plainly visible encrypted messages, no matter how unbreakable, will arouse suspicion.
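The catch for the hider is that an encrypted payload is indistinguishable from random bits, and a natural image's least-significant-bit plane is not random; that difference is what the classic pairs-of-values chi-square test keys on. The block below is an added example, not code from the original post: it embeds a payload in the LSBs of a constructed cover, recovers it, and then shows the examiner's check that tells a clean cover from a stego one. The cover is a synthetic 8-bit pixel array with a histogram skewed toward even values, and a SHA-256 counter stream stands in for AES ciphertext (assumption: any well-encrypted payload looks like uniform random bits).

```python
"""
Added example (not from the original post): LSB steganography on a
constructed cover, plus the pairs-of-values chi-square check an examiner
uses to notice that the LSB plane no longer looks like a natural image.
The cover is a synthetic 8-bit pixel list whose histogram favours even
values; the payload is a SHA-256 counter stream standing in for AES
ciphertext (assumption: encrypted data is indistinguishable from random
bits, which is exactly what the detector exploits).
"""
import hashlib
from typing import List


def make_cover(n: int = 8192) -> List[int]:
    """Synthetic cover: values 0..255 with ~80% even pixels (a skewed histogram)."""
    return [2 * (i % 128) + (1 if i % 5 == 0 else 0) for i in range(n)]


def pseudo_ciphertext(n: int, seed: bytes = b"demo-seed") -> bytes:
    """Random-looking bytes (SHA-256 counter stream) standing in for ciphertext."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def lsb_embed(cover: List[int], payload: bytes) -> List[int]:
    """Write each payload bit (MSB first) into the LSB of successive pixels."""
    bits = [(b >> (7 - k)) & 1 for b in payload for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for cover")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def lsb_extract(stego: List[int], nbytes: int) -> bytes:
    """Read nbytes back out of the LSB plane."""
    out = bytearray()
    for j in range(nbytes):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (stego[8 * j + k] & 1)
        out.append(byte)
    return bytes(out)


def pov_chi_square(pixels: List[int]) -> float:
    """Pairs-of-values statistic: large for a natural skew, small once
    the (2k, 2k+1) counts have been equalised by random LSB writes."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2 = 0.0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        expected = (a + b) / 2.0
        if expected > 0:
            chi2 += (a - expected) ** 2 / expected
    return chi2


def looks_embedded(pixels: List[int], threshold: float = 400.0) -> bool:
    """Demo rule: with 127 degrees of freedom a random LSB plane scores
    around 128, while this cover scores well over 1000."""
    return pov_chi_square(pixels) < threshold


if __name__ == "__main__":
    cover = make_cover()
    secret = pseudo_ciphertext(len(cover) // 8)
    stego = lsb_embed(cover, secret)
    print("roundtrip ok:", lsb_extract(stego, len(secret)) == secret)
    print("cover chi2 =", round(pov_chi_square(cover)), "stego chi2 =", round(pov_chi_square(stego)))
```

The threshold is tuned to this synthetic cover only; on real images the test is run over a sliding prefix of the pixel order so a partially filled LSB plane is still caught.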

Another aspect of hackers today is knowing cyber law. In the forensic market we are sometimes limited in our scope of work by the legalities of discovery and/or due diligence; the lawyers set the parameters on what can be seen and what cannot be touched. It's lawyer stuff, I don't understand it, but it restricts proper cyber forensic reporting when they tie the cyber forensic investigator's hands. One new tool for the judicial sector in crime fighting that is scary is the "forensic cyber psychologist": these guys can detect criminal actions and understand criminal minds (wOw, where can I get my PhD?). So what you're trying to say is "you gotta think like a crook to catch a crook"; we all know that. But these forensic cyber-psychologists can predict criminal thought?? Remember the movie "Minority Report", where they would arrest you for what you were thinking; that's scary stuff for the judicial department to bring out. Lots of power in one person, I just don't feel comfortable with that one.

Power is not only what you have but what your enemy thinks you have, and today hacktivists are a new breed of hackers: they make it personal, make it big, and make it loud. Misdirection by planting data that the forensic investigator will find can often be a ruse to misdirect and control your offensive movements in the investigation. Activist groups: it should come as no surprise that hacktivist motives differ sharply from the mainly money-driven masses of active cyber-criminals. Also unlike other types of threat agents, hacktivists do not typically hail from Eastern Europe and Asia. Those behind most of the breaches are from Western Europe and North America.

Hacktivists targeted data-dense assets like databases and web applications and often stole much more at one time than other types of threat agents. Also fitting with that goal was their interest in personal information and authentication credentials, which they stole far more often than anything else. This is a new, more intelligent hacker: credentials can give that trust-to-trust relationship that companies need to do business, so stealing this object is a new level of sophistication among attackers in the hacktivist world.

From the Verizon 2012 DBIR report: in terms of the vectors through which hacktivist attacks took place, web applications win hands down (65%), while remote admin services like SSH were a distant second (18%). Hacktivists stole more certificates, which marks a little more sophisticated attacker. Take your local Linux administrator at work, guess what he knows??? She/he knows how to protect your system and they know the basic flaws; we deal with the patches, fixes and work-arounds every day in the life of an administrator, working late into the weekend with no credit... Basic security 101: be nice to admin people, they know too much shit.... Add a social -cyber Fame- element to this administrator's life and these are the real (insider threat) cyber leaders of the hacktivist movements. They are smart, and they have a social heart in the new cyber generation. It is interesting to note that two of the four incidents in the (Verizon only) dataset that met our "High" difficulty criteria were attributed to activist groups. All of these attacks were, unsurprisingly, considered to be targeted rather than opportunistic.

sudo mEoW- mEoW >>| gAtO will now get off the hacktivist hackers' soapbox —

Further obfuscation - old-fashioned data padding

Want to make things more interesting? If you want to keep your data from being discovered, or at least make it more difficult to detect, you could add padding to your hidden secret. In this technique, detection is thwarted by the addition of bogus data, basically muddying the waters and making the detective determine what is the real data and what is not. Of course, it should be noted that padding additional data increases the likelihood that someone will look for hidden information in the first place. Access timestamps and other details are also something to watch: one major reason is that anti-malware and anti-virus software updates the last access time on files as it examines them.

Let's not forget generic data hiding that is invisible, like Host Protected Areas (HPA) and Device Configuration Overlays (DCO). Yes, I do know that this data can be extracted, but if we apply some of the anti-forensic policies above this data may become useless.
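The reason an examiner checks for these before imaging is that a disk can report three different capacities: what the OS sees, what the drive's native maximum is (HPA hides the gap), and what the drive can physically address (DCO hides the gap above that). The block below is an added example, not code from the original post: it parses text in the shape printed by `hdparm -N` and `hdparm --dco-identify` and reports how many sectors each mechanism hides. The output format is an assumption taken from typical hdparm output, and the sample outputs and sector counts are constructed.

```python
"""
Added example (not part of the original post): spot a Host Protected Area
or Device Configuration Overlay by comparing the three capacities a disk
can report.  The parser consumes text in the shape printed by
`hdparm -N` and `hdparm --dco-identify` (format is an assumption based on
typical hdparm output; the samples below are constructed).  An imaging
step that copies only the visible LBA range never sees what sits past the
first boundary, which is why this check comes before imaging.
"""
import re
from typing import Optional

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

# Constructed `hdparm -N` output for a disk with an HPA set (visible/native).
SAMPLE_HDPARM_N = """\
/dev/sdb:

 max sectors   = 234441648/976773168, HPA is enabled
"""

# Constructed `hdparm --dco-identify` output; the drive's real size is larger still.
SAMPLE_DCO_IDENTIFY = """\
/dev/sdb:
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
\tTransfer modes:
\t\t mdma0 mdma1 mdma2
\tReal max sectors: 1953525168
"""

_HPA_RE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)")
_DCO_RE = re.compile(r"Real max sectors:\s*(\d+)")


def parse_hdparm_n(text: str) -> Optional[dict]:
    """Extract visible and native sector counts and the HPA flag, or None if unparseable."""
    m = _HPA_RE.search(text)
    if not m:
        return None
    return {"visible": int(m.group(1)), "native": int(m.group(2)), "hpa": m.group(3) == "enabled"}


def parse_dco_identify(text: str) -> Optional[int]:
    """Extract the drive's real maximum sector count, or None if absent."""
    m = _DCO_RE.search(text)
    return int(m.group(1)) if m else None


def hidden_areas(hdparm_n: str, dco_identify: str = "") -> dict:
    """Return sector counts hidden by HPA and DCO, or an 'unknown' verdict."""
    hpa = parse_hdparm_n(hdparm_n)
    if hpa is None:
        return {"status": "unknown", "reason": "could not parse hdparm -N output"}
    dco_real = parse_dco_identify(dco_identify)
    hpa_hidden = hpa["native"] - hpa["visible"]
    dco_hidden = (dco_real - hpa["native"]) if dco_real is not None else None
    total = hpa_hidden + (dco_hidden or 0)
    return {
        "status": "hidden-areas-present" if total else "clean",
        "hpa_enabled": hpa["hpa"],
        "hpa_hidden_sectors": hpa_hidden,
        "dco_hidden_sectors": dco_hidden,  # None when no DCO output was supplied
        "hidden_mib": round(total * SECTOR_BYTES / 2**20, 1),
    }


if __name__ == "__main__":
    print(hidden_areas(SAMPLE_HDPARM_N, SAMPLE_DCO_IDENTIFY))
```

When the DCO output is missing the verdict is based on the HPA numbers alone and dco_hidden_sectors is reported as None rather than zero, so the gap in evidence stays visible in the report.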

Disk imaging, data recovery, disk analysis, metadata extraction and network forensics: these are the basic global forensic tools that we use to look at attacks, and in most cases they work and will help you find the information you need to find out what the cyber criminal did and where they came from. But beware, one method does not apply to all: black hats, elite hackers, script kiddies, noobs, blue hats, hacktivists, state actors and commercial criminals, "one size does not fit all". Think critically:

-gAtO oUt

References:

http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Steganography image – it has a secret message – I used the iSteg program and the password is -password-, what else from a security gAtO.

FireWire reads Windows 7 memory; leave it to Microsoft.

One thing I found out while doing research for this post was reading the memory of a device to get passwords and such information: FireWire has access to physical memory. So I can write a little code (too late, found one written already, open source) on a Linux box, plug into any Windows machine through the FireWire port with a cable and read all memory, so there are ways to get around and grab the admin password too. Plug and play, they say. Bypass Windows 7 user memory access / FireWire memory access.


Today, with TorProject.org's Tails, a USB-bootable Tor system, I can do my work and never leave a trail to follow, and that can make life hard for any forensic investigator.

07/11/12

CyberPeace -not- CyberWar

gAtO sEe - In the last couple of days Gen. Keith Alexander has been pushing the cyber war agenda. The issues around warfare are very different in cyberspace than in the physical world, and the United States is looking into "alternative strategies," said Alexander, while not offering further details. In another place he was telling us that the CIA will not use the new cyber laws to spy on our email. OK, so you gonna be a sheep and follow the word of the government? "We won't spy on you."

Alexander said "civil liberties and privacy can work harmoniously with cybersecurity". Come on General, you're a nice guy, gAtO met you, you have a passion, but every time you bring out... Oops, there went the power grid, oops, there went the financial sector, scare me, scare me. I know it's your job to secure our country and protect our nation's cyber infrastructure. Don't trample on our cyber rights any more, please.

Hey, here is a solution for you: use a Tor .onion network (any anonymized network) to tie together your power grid and/or your financial services. If you can't close down Silk Road in onion-land, your C&C for your power grid and financial services should be invisible to everyone except on a need-to-know basis. gAtO just saved you 14 trillion in R&D...//

gAtO has not heard one word about cyber peace from any responsible government in the world. Everyone is looking for their own cyber posture, their own cyber weapons/budget/programs/money, but not one has said let's work together to make it better for peace; guess there is no money in cyber peace. Espionage and spying are the job of governments; why would they destroy their own tools and weapons? They just tweak our cyber-rights a wee bit, for our cyber freedoms and safety, to protect our government and you -lol.

Here is a simple idea: crowd-source our problems. The one major resource in cyberspace is the number of people that can see the same message. In crowd-sourcing we can give the facts and ask anyone to help solve city budgets, or ways to harvest more vegetables per vertical sq. ft. Ask people how they would protect our electric grid; you'd be surprised by the creative answers you get. OK, some may be crazy, but... It may not be the right solution, but the power of the minds of people collaborating is what this new technology is built for. FaceBook is about ME, Twitter is about the rest of the world, but the new winner is the comments: they have become more important than the article-subject itself, because the conversation within the comments shows social communication and problem solving by the masses.

Let's change the message to CyberPeace; everyone has a solution, but remember that all your comments are the new gold, so watch what you say to that troll on HuffPost. gAtO oUt


Read more: Alexander: U.S. looking for offensive alternatives in cyberspace – FierceGovernmentIT http://www.fiercegovernmentit.com/story/alexander-us-looking-offensive-alternatives-cyberspace/2012-07-11#ixzz20KW1Lcf2