07/30/14

Tor Traffic Confirmation Attack

Tor Traffic Confirmation Attack -Roger Dingledine Report
SUMMARY:
  On July 4 2014 we found a group of relays that we assume were trying
  to deanonymize users. They appear to have been targeting people who
  operate or access Tor hidden services. The attack involved modifying
  Tor protocol headers to do traffic confirmation attacks.gato_signal_02

  The attacking relays joined the network on January 30 2014, and we
  removed them from the network on July 4. While we don't know when they
  started doing the attack, users who operated or accessed hidden services
  from early February through July 4 should assume they were affected.

  Unfortunately, it's still unclear what "affected" includes. We know
  the attack looked for users who fetched hidden service descriptors,
  but the attackers likely were not able to see any application-level
  traffic (e.g. what pages were loaded or even whether users visited
  the hidden service they looked up). The attack probably also tried to
  learn who published hidden service descriptors, which would allow the
  attackers to learn the location of that hidden service. In theory the
  attack could also be used to link users to their destinations on normal
  Tor circuits too, but we found no evidence that the attackers operated
  any exit relays, making this attack less likely. And finally, we don't
  know how much data the attackers kept, and due to the way the attack
  was deployed (more details below), their protocol header modifications
  might have aided other attackers in deanonymizing users too.

  Relays should upgrade to a recent Tor release (0.2.4.23 or
  0.2.5.6-alpha), to close the particular protocol vulnerability the
  attackers used -- but remember that preventing traffic confirmation in
  general remains an open research problem. Clients that upgrade (once
  new Tor Browser releases are ready) will take another step towards
  limiting the number of entry guards that are in a position to see
  their traffic, thus reducing the damage from future attacks like this
  one. Hidden service operators should consider changing the location of
  their hidden service.

THE TECHNICAL DETAILS:
  We believe they used a combination of two classes of attacks: a traffic
  confirmation attack and a Sybil attack.

  A traffic confirmation attack is possible when the attacker controls
  or observes the relays on both ends of a Tor circuit and then compares
  traffic timing, volume, or other characteristics to conclude that the
  two relays are indeed on the same circuit. If the first relay in the
  circuit (called the "entry guard") knows the IP address of the user,
  and the last relay in the circuit knows the resource or destination
  she is accessing, then together they can deanonymize her. You can read
  more about traffic confirmation attacks, including pointers to many
  research papers, at this blog post from 2009:
  https://blog.torproject.org/blog/one-cell-enough

  The particular confirmation attack they used was an active attack where
  the relay on one end injects a signal into the Tor protocol headers,
  and then the relay on the other end reads the signal. These attacking
  relays were stable enough to get the HSDir ("suitable for hidden
  service directory") and Guard ("suitable for being an entry guard")
  consensus flags:
  https://gitweb.torproject.org/torspec.git/blob/HEAD:/dir-spec.txt#l1775
  Then they injected the signal whenever they were used as a hidden
  service directory, and looked for an injected signal whenever they
  were used as an entry guard.

  The way they injected the signal was by sending sequences of "relay"
  vs "relay early" commands down the circuit, to encode the message they
  want to send. For background, Tor has two types of cells: link cells,
  which are intended for the adjacent relay in the circuit, and relay
  cells, which are passed to the other end of the circuit.
  https://gitweb.torproject.org/torspec.git/blob/HEAD:/tor-spec.txt#l364
  In 2008 we added a new kind of relay cell, called a "relay early"
  cell, which is used to prevent people from building very long paths
  in the Tor network (very long paths can be used to induce congestion
  and aid in breaking anonymity):
  http://freehaven.net/anonbib/#congestion-longpaths
  https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/110-avoid-infinite-circuits.txt
  But the fix for infinite-length paths introduced a problem with
  accessing hidden services:
  https://trac.torproject.org/projects/tor/ticket/1038
  and one of the side effects of our fix for bug 1038 was that while
  we limit the number of outbound (away from the client) "relay early"
  cells on a circuit, we don't limit the number of inbound (towards the
  client) relay early cells:
  https://lists.torproject.org/pipermail/tor-commits/2009-July/014679.html

  So in summary, when Tor clients contacted an attacking
  relay in its role as a Hidden Service Directory to publish
  or retrieve a hidden service descriptor (steps 2 and 3 on
  https://www.torproject.org/docs/hidden-services), that relay would
  send the hidden service name (encoded as a pattern of relay and
  relay-early cells) back down the circuit. Other attacking relays,
  when they get chosen for the first hop of a circuit, would look for
  inbound relay-early cells (since nobody else sends them) and would
  thus learn which clients requested information about a hidden service.

  There are three important points about this attack:

  A) The attacker encoded the name of the hidden service in the injected
  signal (as opposed to, say, sending a random number and keeping a local
  list mapping random number to hidden service name). The encoded signal
  is encrypted as it is sent over the TLS channel between relays. However,
  this signal would be easy to read and interpret by anybody who runs
  a relay and receives the encoded traffic. And we might also worry
  about a global adversary (e.g. a large intelligence agency) that
  records Internet traffic at the entry guards and then tries to break
  Tor's link encryption. The way this attack was performed weakens Tor's
  anonymity against these other potential attackers too -- either while
  it was happening or after the fact if they have traffic logs. So if
  the attack was a research project (i.e. not intentionally malicious),
  it was deployed in an irresponsible way because it puts users at risk
  indefinitely into the future.

  (This concern is in addition to the general issue that it's probably
  unwise from a legal perspective for researchers to attack real users
  by modifying their traffic on one end and wiretapping it on the
  other. Tools like Shadow are great for testing Tor research ideas out
  in the lab: http://shadow.github.io/ )

  B) This protocol header signal injection attack is actually pretty neat
  from a research perspective, in that it's a bit different from previous
  tagging attacks which targeted the application-level payload. Previous
  tagging attacks modified the payload at the entry guard, and then
  looked for a modified payload at the exit relay (which can see the
  decrypted payload). Those attacks don't work in the other direction
  (from the exit relay back towards the client), because the payload
  is still encrypted at the entry guard. But because this new approach
  modifies ("tags") the cell headers rather than the payload, every
  relay in the path can see the tag.

  C) We should remind readers that while this particular variant of
  the traffic confirmation attack allows high-confidence and efficient
  correlation, the general class of passive (statistical) traffic
  confirmation attacks remains unsolved and would likely have worked
  just fine here. So the good news is traffic confirmation attacks
  aren't new or surprising, but the bad news is that they still work. See
  https://blog.torproject.org/blog/one-cell-enough for more discussion.

  Then the second class of attack they used, in conjunction with their
  traffic confirmation attack, was a standard Sybil attack -- they
  signed up around 115 fast non-exit relays, all running on 50.7.0.0/16
  or 204.45.0.0/16. Together these relays summed to about 6.4% of the
  Guard capacity in the network. Then, in part because of our current
  guard rotation parameters:
  https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters
  these relays became entry guards for a significant chunk of users over
  their five months of operation.

  We actually noticed these relays when they joined the network, since
  the DocTor scanner reported them:
  https://lists.torproject.org/pipermail/tor-consensus-health/2014-January/004134.html
  https://gitweb.torproject.org/doctor.git
  We considered the set of new relays at the time, and made a decision
  that it wasn't that large a fraction of the network. It's clear there's
  room for improvement in terms of how to let the Tor network grow while
  also ensuring we maintain social connections with the operators of all
  large groups of relays. (In general having a widely diverse set of relay
  locations and relay operators, yet not allowing any bad relays in,
  seems like a hard problem; on the other hand our detection scripts did
  notice them in this case, so there's hope for a better solution here.)

  In response, we've taken the following short-term steps:

  1) Removed the attacking relays from the network.
  2) Put out a software update for relays to prevent "relay early" cells
     from being used this way.
  3) Put out a software update that will (once enough clients have
     upgraded) let us tell clients to move to using one entry guard
     rather than three, to reduce exposure to relays over time.
  4) Clients can tell whether they've received a relay or relay-cell.
     For expert users, the new Tor version warns you in your logs if
     a relay on your path injects any relay-early cells: look for the
     phrase "Received an inbound RELAY_EARLY cell".

  The following longer-term research areas remain:

  5) Further growing the Tor network and diversity of relay operators,
     which will reduce the impact from an adversary of a given size.
  6) Exploring better mechanisms, e.g. social connections, to limit the
     impact from a malicious set of relays. We've also formed a group to
     pay more attention to suspicious relays in the network:
     https://blog.torproject.org/blog/how-report-bad-relays
  7) Further reducing exposure to guards over time, perhaps by extending
     the guard rotation lifetime:
     https://blog.torproject.org/blog/lifecycle-of-a-new-relay
     https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters
  8) Better understanding statistical traffic correlation attacks and
     whether padding or other approaches can mitigate them.
  9) Improving the hidden service design, including making it harder
     for relays serving as hidden service directory points to learn what
     hidden service address they're handling:
     https://blog.torproject.org/blog/hidden-services-need-some-love

OPEN QUESTIONS:
  Q1) Was this the Black Hat 2014 talk that got canceled recently?
  Q2) Did we find all the malicious relays?
  Q3) Did the malicious relays inject the signal at any points besides
      the HSDir position?
  Q4) What data did the attackers keep, and are they going to destroy it?
      How have they protected the data (if any) while storing it?

  Great questions. We spent several months trying to extract information
  from the researchers who were going to give the Black Hat talk, and
  eventually we did get some hints from them about how "relay early"
  cells could be used for traffic confirmation attacks, which is how
  we started looking for the attacks in the wild. They haven't answered
  our emails lately, so we don't know for sure, but it seems likely that
  the answer to Q1 is "yes". In fact, we hope they *were* the ones doing
  the attacks, since otherwise it means somebody else was. We don't yet
  know the answers to Q2, Q3, or Q4.
06/12/13

Government use of Cyber Weaponized Exploits

gAtO rEaD- The government is buying hackers exploits – not to stop these sophisticated cyber exploits but to use these tools against it’s own people- they are using the tools to infiltrate computer networks worldwide, leaving behind spy programs and cyber-weapons that can disrupt data or damage systems.network

The core problem: Spy tools and cyber-weapons rely on vulnerabilities in existing software programs, and these hacks would be much less useful to the government if the flaws were exposed through public warnings. So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired. So your computer is vulnerable and the governments knows it and will not disclose this information, but use it against you to place cookies,RAT’s or other spyware into your computer -maybe- I trust our government don’t you?

If you got nothing to hide, you should not be worried… right????

So our Tax dollars are going to Hackers and cyber criminals that sell these exploits all over the world. As a tax payer I don’t like this part at all. But the worst part is by us taking the lead of cyber offensive cyber tools -example.. Stuxnet – it is a plan book for other countries to do the same. So what we do in cyberspace has become socially acceptable to do in cyberspace and then we bitch about China. I don’t get it – mEoW

Officials have never publicly acknowledged engaging in offensive cyber-warfare, though the one case that has beenmost widely reported – the use of a virus known as Stuxnet to disrupt Iran’s nuclear-research program – was lauded in Washington. Officials confirmed to Reuters previously that the U.S. government drove Stuxnet’s development, and the Pentagon is expanding its offensive capability through the nascent Cyber Command.

Then you have the Prism disclosure and PoW- US Cyber Agents Disrupt Publication of Popular Al Qaeda Magazine – This means that Obama’s cyber military is potentially capable of more targeted attacks, specified at damaging particular pieces of information or infrastructure. I wonder where they got those vulnerabilities? maybe some bad guys—/Nato_cyber_plat

What worries me is as the U.S engages in these attacks our enemies are learning what is acceptable in cyberwar. So we must be careful not to lose the fact that everyone is watching what we do and how we treat cyberspace and others governments will follow, defensive and offensive, they are learning from the best the U.S. Government -gAtO oUt

ref: http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510

 

http://www.businessinsider.com/us-cyber-agents-disrupt-inspire-magazine-2013-6

 

 

03/24/13

Tor is NOT the ONLY Anonymous Network

gAtO fOuNd – this very interesting and wanted to share –

Tor does some things good, but other anonymous networks do other things better. Only when used together do they work best. And of course you want to already know how to use them should something happen to Tor and you are forced to move to another network.fin_07

Try them! You may even find something interesting you cannot find on Tor!

Anonymous networks

These are well known and widely deployed anonymous networks that offer strong anonymity and high security. They are all open source, in active development, have been online for many years and resisted attack attempts. They run on multiple operating systems and are safe to use with default settings. All are well regarded.

  • Tor – Fast anonymous internet access, hidden websites, most well known.
  • I2P – Hidden websites, anonymous bittorrent, mail, out-proxy to internet, other services.
  • Freenet – Static website hosting, distributed file storage for large files, decentralized forums.

Less well known

Also anonymous networks, but less used and possibly more limited in functionality.

  • GnuNet – Anonymous distributed file storage.
  • OneSwarm – Bittorrent, has a non-anonymous mode, requires friends for anonymity.
  • RetroShare – File-sharing, chat, forums, mail. Requires friends, and not anonymous to those friends, only the rest of the network.
  • Omemo – Distributed social storage platform. Uncertain to what extent it is anonymous.

Non-free networks

These are anonymous networks, but are not open source. Therefore their security and anonymity properties is hard to impossible to verify, and though the applications are legit, they may have serious weaknesses. Do not rely on them for strong anonymity.

  • Osiris – Serverless portal system, does not claim to provide any real anonymity.

In development

  • Phantom – Hidden Services, native IPv6 transport.
  • GlobaLeaks – Open Source Whistleblowing Framework.
  • FreedomBox – Project to create personal servers for distributed social networking, email and audio/video communications.
  • Telex – A new way to circumvent Internet censorship.
  • Project Byzantium – Bootable live distribution of Linux to set up wireless mesh nodes with commonly available hardware.
  • Hyperboria A distributed meshnet built on cjdns.

Routing Platforms

These are internets overlaid on the internet. They provide security via encryption, but only provides weak to none anonymity on their own. Only standard tools such as OpenVPN and Quagga are required to connect. Responsibility for a sufficiently anonymous setup is placed on the user and their advertised routes. More suited for private groups as things out in the open can be firewalled by other participants. Can be layered above or below other anonymity nets for more security and fun.

  • Anonet – AnoNet2, a more open replacement for AnoNet1.
  • dn42 – Another highly technical routing community.
  • CJDNS, an IPV6 overlay network that provides end to end encryption. It is not anonymous by itself.

Alternative Internet

  • Netsukuku – A project that aims to build a global P2P online network completely independent from the Internet by using Wi-Fi. The software is still in active development, although the site is no longer updated. A new site is in progress of being built.
  • Many other wireless communities building mesh networks as an alternative to the Internet, e.g. Freifunk, http://guifi.net and many more around the globe. see also

Alternative domain name systems

  • Namecoin – Cryptocurrency with the added ability to support a decentralised domain name system currently as a .bit.
  • OpenNIC – A user controlled Network Information Center offering a democratic, non-national, alternative to the traditional Top-Level Domain registries.
  • Dot-P2P – Another decentralized DNS service without centralized registry operators (at July 18, 2012 page is not accessible and has not known anything about the status of project from February 2011).

See Also

01/19/13

Government Spying on everyone -Thanks Microsoft

gAtO lEaRnOn 01-01-213 we hear that Microsoft buys Skype and makes changes to allow Police surveillance. Then on 01-07-2013 we hear that a professor at the Warsaw University of Technology, Wojciech Mazurczyk, found a way to insert secret 70 bits of data and add secret information similar to steganography.spy-spy

Lawful Intercept is what it’s called and we just heard punch – counter-punch from the government. I just posted about corporations and governments using offensive cyber weapons to fight crime, but this looks like just plain old spying on citizens like China, Iraq and Syria does. Skype is owned by Microsoft and we know that Word and other products have back doors for them to snoop and governments to use in criminal cases. I guess they do it the proper way and get a real FISA document to monitor us it’s citizens.

mEoW 12-30-2012 our re-elected President Obama signs FISA Warrantless Wiretapping Program. STOP – SAY WHAT. mEoW – Forget about gun control how about the privacy of citizens, are we becoming like China, Iraq and Syria the more I find out about this the crazier it becomes. I hate Skypes but now finding this out NO WAY DUDE-

I did a little digging and I found a document from the Straford hack from the LutzBoat crew and this has been on the play board for a long time. More and more governments that play nice with the America and Microsoft will have to live with the fact that they are spying on us, the people. I voted for Obama but I’m pretty sure any president would want to be able to justify this abuse of power to monitor it’s citizens, what get’s me is we scream and yell when other countries do it but here we are doing to ourselves and nobody is talking about this- Hay press wake up. I have nothing to hide but if you do you have been warned – enjoy your government spying on you behind your back - gAtO oUt

Lab Notes:

IT security continues to be the greatest challenge facing government CIOs worldwide. Most experts agree that governments require stronger partnerships between the public and private sectors for both better protection of government IT systems from intruders and for greater visibility into operators’ network traffic to fight crime. However, government systems and intelligence activities constitute a very sensitive information environment. Governments must proceed with caution when forming technology partnerships for hardening their IT network security. Melissa E. Hathaway, who in February 2009 was named to be the Obama Administration’s top cyber security official, points out how

Lawful Intercept

Challenge

Criminals, predators and hackers now use chats, blogs, webmail and Internet applications such as online gaming and file-sharing sites to hide their communications.

Solution

Qosmos provides law enforcement agencies with a powerful solution to identify a target using multiple virtual IDs and intercept all related IP- based communications. Any trigger, such as a “user login = target” initiates intercept of all IP traffic related to the “target.”

Example of recognized applications and protocols

VoIP Email (POP, SMTP)

Webmail (Gmail, Hotmail, Live Mail, SquirrelMail, Yahoo mail, etc.)

Instant Messaging (Aim, SNM, Skype, Yahoo, Google Talk, QQ, Maktoob, Paltalk, etc.)

Online games (World of Warcraft)

Online classified ads

Audio/Video (H.323, SIP, MGCP, RTP, RTCP, MMSE, RTSP, SHOUTcast, Yahoo Video,

MSN Video, SCCP, etc.)

Web applications (Dailymotion, Google, eBay, Google Earth, HTTP, MySpace, Wikipedia,

YouTube, etc.)

Example of information extracted

Caller, phone number, called party, duration of call

Webmail login, email address, sender, receiver, subject matter, attached documents

Instant messaging sender, receiver, contact lists and status

Forum login, IP address, MAC address, mobile ID (IMSI, IMEI)

Protocols identified even for unidirectional traffic (e.g. email by satellite).

http://www.huffingtonpost.com/2012/12/30/obama-fisa-warrantless-wiretapping_n_2385690.html

http://enterprise-call-recording.tmcnet.com/topics/enterprise-call-recording/articles/321789-sounds-silence-skype-hold-more-than-expected-thanks.htm

http://www.ronpaulforums.com/showthread.php?399961-Microsoft-Buys-Skype-Makes-Changes-to-Allow-Police-Surveillance

11/16/12

White Hat Bot-Nets

gAtO wAs - reading Bloomberg BusinessWeek “ The Hacker of Damascus” Karin a 31-year-old doctor had spent the previous months protesting against the government of Damascus, he refuse to give up his friends names.

Before the arrest-/ before the torture/- they found a simple vulnerability thru Skypes they also got into his hard drive and as Karin said they arrested his computers data first them him. So now we see the black hats, spammer, cyber criminal tricks against people from their own governments. Is this the way it’s going to happen, we see the news today about 2 ladies and their General boy toys and WOW -mEoW.

In Georgia detains ministry for using malware to access opposition leaders computers – This is just another example of governments using criminal cyber tactics to gain intelligence from it’s own people.

 

 

The other side of the cyber struggles in Syria is Anonymous and their role in all this: On the other side, the hacktivist group Anonymous has infiltrated at least 12 Syrian government websites, including that of the Ministry of Defense, and released millions of stolen e-mails.  

Cyberspace and it’s tools (weapons) like Facebook, Twitter – can be used by both sides  in this evolving landscape of digital warriors. That is why gATo is sadden by how basic normal Internet tools can become killers and liberators. I guess I see the fog of cyberwar thru gATO eYe’S we have only seen defensive cyber tools so far Suxnet and others are only the beginning and the new economies that had no choice but a digital path into their infrastructure need to look at their own security a wee bit more close. DId Huawei (China’s Telecom Giant accused of having backdoor ) sell you those Network infrastructure pieces at a very cheap price -(lowest bidder (or a no-bid)contract) -well guess who is watching you…

SCADA cyber controls security SUCKs = infrastructure things (energy/transportation/communication/water/air) = fix them NOW

Since no Cyber Bill has gone before congress -President Obama after a major election went and signed  a-

US secret CYber Law singed by Pres. Obama -Nov 15, 2012

Rather, the directive establishes principles and processes for the use of cyber operations so that cyber tools are integrated with the fully array of national security tools we have at our disposal. It provides a whole-of-government approach consistent with the values that we promote domestically and internationally as we have previously articulated in the International Strategy for Cyberspace.

This directive will establish principles and processes that can enable more effective planning, development, and use of our capabilities. It enables us to be flexible, while also exercising restraint in dealing with the threats we face. It continues to be our policy that we shall undertake the least action necessary to mitigate threats and that we will prioritize network defense and law enforcement as the preferred courses of action. The procedures outlined in this directive are consistent with the U.S. Constitution, including the President’s role as commander in chief, and other applicable law and policies. http://killerapps.foreignpolicy.com/posts/2012/11/14/the_white_houses_secret_cyber_order

So now even 31-year-old doctors need to worry what they do and who they talk to and WHAT they talk about -/ also- in Facebook, Skype or any other web-App-  By the way —>These basic vulnerabilities can be found and exploited in any web-app – So this person may of worked at the water plant – or the electric plant what could these White Hat Bots have obtained?? These little White Hat BotNets may go rouge or may be captured this is about virtual digital world with a click of a mouse I GOT YOU!!! -PWN

Will this become the standard? The good and bad guy’s do it NOW- plant a virus suck up your disk / then check it out – BUT “if you got nothing to hide” well it’s OK then — right - gAtO oUt

11/15/12

Iran Sites Open 2 Joomla -K-CMS Hacking

Iran Sites Open 2 Joomla -K-CMS Hacking

gAtO wAs – in the kitty box scratching and found some sites in Iran that have the same problem that Syria has. Outdated older Content Management systems like Joomla and KCMS_1.0[2] and many other sites have Microsoft Visual Studio.NET 7.0. These require more research as to vulnerabilities but we are working on that. But gAtO found you guessed it Joomla 1.5 CMS all over the place. The same vulnerabilities that Syria has they have

This is easy to do with any browser do a search on any search engine “site:.gov.ir” and you will get a list of all the .gov.ir sites everywhere. Now remember with a translate button(on your browser) you can read these site in any language you want. The other trick is once you get to any site on your browser just go to >>Edit>>Source Code. and lot’s of sites will tell you the content creation: All sites in any language the HTML is always in english.

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />

If your smart and are doing this in a government site I would remove this information. Now besides Joomla 1.5 gAtO found lots of sites with KCMS_1.0[2] and you guessed it again they are older versions and have vulnerabilities.  So now gAtO will publish this list and update it as we find more and more vulnerabilities. Why doe gATo do this. It my way of showing the world that anyone can help, anyone with any talent can contribute to making this world a better world. I hope this informtion helps someone to be free- gAtO oUt.

Some site have this warning be careful :This site may harm your computer.

Research Notes:

IRAN site:.gov.ir

http://xforce.iss.net/xforce/xfdb/33437 Apr 4, 2007 – CVE-2007-2106: Directory traversal vulnerability in index.php in Kai Content Management System (K-CMS) 1.x allows remote attackers to ..

K-CMS (Kai Content Management System) could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request to the index.php script using the current_theme parameter to specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable Web server.

Many of Irans site use ArPortal 7.1.2 while many others us Microsoft Visual Studio.NET 7.0

<meta name=”generator” content=”Expans! 1.5 – Open Source Content Management

[1] security tips for Joomla Websites http://www.itoctopus.com/10-security-tips-for-your-joomla-website

<META NAME=”GENERATOR” CONTENT=”ArianaPortal 7.1.2″>

[2] <meta name=”generator” content=”KCMS 1.0″ />

K-CMS (Kai Content Management System) index.php file include

http://www.sarvabad.gov.ir/

<meta name=”generator” content=”KCMS 1.0” />

http://www.abhar.gov.ir/index.php?limitstart=63

<meta name=”generator” content=“Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com” />

http://www.abhar.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com” />

pishva.gov.ir

<meta name=”generator” content=”Expans! 1.5 – Open Source Content Management

http://www.zanjan.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com” />

http://chaloos.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />

http://mianeh.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By Mambolearn.com” />

http://easabt.gov.ir/protocol/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By Navid Iranian Co. Ltd” />

Saman Information Structure

http://ea.mim.gov.ir/

http://www.sadra-ntoir.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />

http://www.sarvabad.gov.ir

News – ????? ??? ????? ? ????? ???

sabtyazd.gov.ir/index.php?option=com_newsfeeds…id…

This site may harm your computer.

Joomla 1.5.15 Released. The Joomla Project is pleased to announce the immediate availability of Joomla 2.5.0. This is a security release. Version 2.5.0 is is the

www.khodabandeh.gov.ir/ – Translate this page

Copyright © 2009 — Webdesign aus Tirol – All Rights Reserved. Template Demo Joomla 1.5 Template by pc-didi.. Translate By : Meisam Heidarzadeh | hotfa.ir.

www.sabtyazd.gov.ir/index.php?… – Translate this page

This site may harm your computer.

C:\Inetpub\vhosts\sabtyazd.gov.ir\httpdocs\libraries\joomla\session\session. php %PDF-1.5 3 0 obj < > endobj 4 0 obj < > stream x?U?k A ?? ? :? ?Zz s

http://www.leader.ir/langs/en/

http://www.president.ir/en/

http://www.saamad.ir

iten.behdasht.gov.ir – Site News

11/13/12

CYber Investigation over General Patraeus

CYber Investigation over General Patraeus

gAtO rEaD – NO CRIME committed- that the investigation for the top CIA general was because someone sent an eMail that said” I saw you touching the Generals leg at Dinner -Stop It” Yeah so one lady said to another lady – STOP MESSING WITH MY MAN – Pow – ZAP they get a court order to go thru someones eMail.

So if we take this premise that Judges will sign -COURT ORDERS to search your emails and any other emails that link it because of a jealous lover. It looks to gAtO that they have to much POWER – or the FBI is gonna search everyones emails now – legally. Court Ordered

This should send shock waves thru our industry – everyone is now warned that anyone’s email can be open to LE anytime and just about for any reason. I trusted the system, I trusted the Judges but lack of a crime should of not happened. There was NO CRIME committed the investigation turned out. But it has now taken down the reputation of 2 generals. NO CRIME

Now these are 2 famous generals what chance do mere mortals have that our eMails are going to be court order to investigate why simply because they can now. This shows to me the lack of justice or the erosion of justice that is coming down the cyber pipelines. If this is now a wake up call for security professionals to wake up and smell the coffee. Your email will be next unless we support less government control of our digital rights.

Freedom of Speech in cyberspace is a right not a privilege -gAtO oUt

http://www.cbsnews.com/8301-18563_162-57548694/fbi-role-in-petraeus-investigation-questioned/

mEoW

10/25/12

The deep Dark Web -Book Release

gATO hApPy

AVAILABLE @ AMAZON - http://www.amazon.com/dp/B009VN40DU

AVAILABLE @SmashWords website  @http://www.smashwords.com/books/view/247146

I learned that I hate WORD: – but it’s the general format for publishing  – text boxes- get imbedded and you can’t format to EPUB or .mobi or anything – solution after going lOcO gAtO - was copy and paste into txt editor – save as RTF then copy paste back into a new WORD document and then reformat everything from scratch – and copy over the pictures – as you can tell I had fun-..-ugh mEoW F-F-F-F as much fun as a hairball but if it get’s the message out “FREEDOM OF SPEECH IN CYBERSPACE” then we done our job, anyway I hope you read it - Thank you Pierluigi a best friend a security gAtO ever had – gATO oUt

This Book covers the main aspects of the fabulous and dangerous world of -“The Deep Dark Web” . We are just two cyber specialists Pierluigi Paganini & Richard -gAtO- Amores, with one passion and two souls we wanted to explain the inner working of the deep dark web. We have had a long collaboration in this efforts to document our findings we made infiltrations into the dark places inaccessible to many to give a you the reader a clear vision on the major mystery of the dark hidden web that exist today in the Tor Onion network..

The Web, the Internet, mobile cell devices and social networking has become commonly used words that identify technological components of daily Internet user’s experience in the cyberspace. But how much do we really know about cyberspace? Very, very little, Google / Yahoo / Bing only show us 20% of the Internet the other 80% is hidden to the average user unless you know were to look.

The other 80% of the Internet is what this book is about the “Deep Dark Web”, three words with millions of interpretations, mysterious place on the web, the representation of the hell in the cyberspace but also the last opportunity to preserve freedom of expression from censorship. Authorities and corporation try to discourage the use of this untapped space because they don’t control it. We the people of the free world control this network of Tor -Onion Routers by volunteer around the world.

The Deep Dark Web seems to be full of crooks and cyber criminals, it is the hacker’s paradise, where there are no rule, no law, no identity in what is considered the reign of anonymity, but this is also the reason why many persecuted find refuge and have the opportunity to shout to the world their inconvenient truths.

The Deep Dark Web is a crowded space with no references but in reality it is a mine of information unimaginable, a labyrinth of knowledge in the book we will try to take you by the hand to avoid the traps and pitfalls hopefully illuminating your path in the dark.

Cybercrime, hacktivism, intelligence, cyber warfare are all pieces of this complex puzzle in which we will try to make order, don’t forget that the Deep Dark Web has unbelievable opportunity for business and governments, it represents the largest on-line market where it is possible to sell and acquire everything, and dear reader where there is $money$  you will find also banking, financial speculators and many other sharks.

Do you believe that making  money in Deep Web is just a criminal prerogative? Wrong, the authors show you how things works in the hidden economy and which are the future perspectives of is digital currency, the Bitcoin.

This manuscript proposes both faces of the subject, it illustrates the risks but also legitimate use of anonymizing networks such as TOR adopted by journalist to send file reports before governments agents censored his work .

Here are some question we may answers to:

How many person know about the cyber criminals and their ecosystem in the deep web? 

How many have provided information on the financial systems behind the “dirty affairs”? 

How the law enforcement and governments use Dark Web?

Let’s hold your breath and start the trip in the abyss of knowledge to find answers to the above questions. We hope that with this book you can learn something new about – The Deep Dark Web.

10/14/12

Pierluigi Paganini – Cyber Weapons – Cyber Threat Summit 2012

Excellent presentation from Pierluigi at the ICTTF Cyber Threat Summit 2012. Apologies for the microphone problems (some twat in the audience was using a frequency jammer).The rise of Cyber Weapons and relative impact on cyber space. Well worth a watch.

Pierluigi can be found at http://securityaffairs.co/wordpress/ He is the co-author of the new book

The Deep Dark Web – coming soon

08/31/12

p2p Bot-net architecture in Tor -unstoppable

gAtO been doing some research in botnets and found out some cool things. The basics IRC- http – p2p and twitter botnets architecture and bots are becoming easier to find and use, tutorials and videos are all over the place and in any language. So the task of becoming a bot-master is easy.  Bot’s can be used for good also but nobody want’s to hear about that…Imagine bot’s being used with Amber alerts to or other emergencies tools were thousands of computers are needed, bot’s can be used for good things too.

Botnets are a big problem they allow anyone to have thousand, millions  of computers at their beck and call, a kid in a basement, or an enemy of the state these bot’s are a real danger. These bot’s have 4 different attack vector: 

Kenetic – Distribution – Information – cyberTools 

kinetic -zombie computer are used to Ddos attack a site or Click-fraud advertisement scams.

distributors – sending spam email- (Adware/ Spyware) – infecting other computers – co-workers, friends and families

information Keylogger, data exfiltration, key stealing from games -for sale $$ – email, social network — friends — banking – payPal – Work -Corporate spying and IP (intellectual property) plus emails of co-workers, friends and family.

cyberTools – we see bot’s become DNS servers, c&c servers, infection distribution servers, proxies, Tor (exit/entry) nodes or just a ftp site for storage.

I have seen lot’s of different bot’s but only four (4) basic types of botnet Command and Control (C&C) architecture: IRC (Internet Relay Chat) based, HTTP (or Web) based and P2P (Peer-to-peer) based – and Now Twitter controlled botnet’s.

Todays bot’s can be used in Intelligence Gathering, Monitoring and surveillance with the ability to turn on WebCam and Microphone without the victim knowing and recording it makes them even more dangerous and any digital cell device is hackable.

Here is a new one for me a private Twitter account is being used as the (C&C) command and control for bots. Once the bots are installed in the machine they go out and friend their botMaster they accept the friend and now send coded messages that are the commands for the bot’s. This is pretty cool and since it’s Twitter is kinda normal communication tool even in business machines, groups use twitter all the time to communicate.

In my research I found bots and video, tutorials and everything I need. On top of that we have Tor and other anonymized (custom Tor network) for these bot’s to communicate untraceable and cannot be found.

Here is were the metal hit’s the road because in this environment the p2p Botnet Architecture used with Tor would be an unstoppable solution and it’s becoming reality today: I included a thread from a hacker site in Tor discussing this very subject //.

these are some of the bot’s I found free source code to play –

G-Bot 1.7 Ddos-Bot – Zues 2.0.8.9 – ClientMesh 4.0 – DarkComet 5.3.1 – BlackShades 4.8 – SpyEye 1.3.45

Below are some of my notes on this I hope they may help - gAtO oUt 

botnet basics

There are basically 3 types of Bot net technologies. The first botnets started back about a decade ago with IRC bots

it’s more a continual connection at all times

IRC – HTTP – P2P – note p2p is the best meshed no central C&C

With HTTP botnets you can communicate async – things can be schedule a meeting and then log of and do the work then at a pre arrange time you call home (C&C) and check in with mamma.

Then you have p2p botnet’s they have no central C&C so are much harder to find the source and kill it.

Here we see were some of the bot’s may become proxies or some units may be used to cascade out spam interactions, one may also become a download location, one a dns server. The key thing to take away from a Peer to Peer networks is it’s very difficult to take them down because of their mesh network. There is no central point of failure, it’’s a simple file sharing protocol

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  p2p Tor Bot -message hacking board in Tor-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

http://clsvtzwzdgzkjda7.onion/viewtopic.php?f=17&t=7657

Hey guys, just thought I would leave a thread here to announce a new bot that I am working on at the moment, Kronos.

Kronos is an http bot that runs through tor, each bot will launch its own tor process and then connect to your panel (which is a hidden service) using tor.

Current Features

  • The bot will act as a hidden service on the tor network
  • Socks5 proxy. Because of the above feature you are able to connect to the bot and use it as a proxy through tor, this removes the need for the bot to use upnp to open a port for you to connect through as tor handles NAT traversal by having the server connect out to the network itself, meaning there are no incoming connections. You can read here for more if you don’t already know how this works https://www.torproject.org/docs/hidden-services.html.en
  • Torrent seeder, not a shitty seeder that adds torrent files to the users torrent client, bots will work as real torrent clients.
  • Various flooding abilities (useless in my opinion)
  • Form grabber
  • Possibly mailing capabilities

I am also playing with some p2p code

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-hacking board in Tor=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

// So now that we know a bit about botnets let’s look at how they can make a profit for the criminal, below I listed of some of the stuff that you can harvest from your botnet empire.

Revenue Generated

Spam

Adware/ Spyware Scare-ware

Crimeware – Keylogger, data exfiltration, key stealing from games -for sale $$ – email, social network — friends — banking – payPal – Work -Corporate spying and IP plus emails of friends and work buddies..

Clickfraud

Phishing

Proxies

Ddos

http://www.youtube.com/watch?v=RsDtlqT4Zd4 Zeus BotNet Tutorial 2012

 http://www.xylibox.com/2011/08/cracking-spyeye-13x.html  SpyEye Tutorial 2011