Tor Traffic Confirmation Attack -Roger Dingledine Report SUMMARY: On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks. The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4. While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected. Unfortunately, it's still unclear what "affected" includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don't know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too. Relays should upgrade to a recent Tor release (0.2.4.23 or 0.2.5.6-alpha), to close the particular protocol vulnerability the attackers used -- but remember that preventing traffic confirmation in general remains an open research problem. Clients that upgrade (once new Tor Browser releases are ready) will take another step towards limiting the number of entry guards that are in a position to see their traffic, thus reducing the damage from future attacks like this one. Hidden service operators should consider changing the location of their hidden service. THE TECHNICAL DETAILS: We believe they used a combination of two classes of attacks: a traffic confirmation attack and a Sybil attack. A traffic confirmation attack is possible when the attacker controls or observes the relays on both ends of a Tor circuit and then compares traffic timing, volume, or other characteristics to conclude that the two relays are indeed on the same circuit. If the first relay in the circuit (called the "entry guard") knows the IP address of the user, and the last relay in the circuit knows the resource or destination she is accessing, then together they can deanonymize her. You can read more about traffic confirmation attacks, including pointers to many research papers, at this blog post from 2009: https://blog.torproject.org/blog/one-cell-enough The particular confirmation attack they used was an active attack where the relay on one end injects a signal into the Tor protocol headers, and then the relay on the other end reads the signal. These attacking relays were stable enough to get the HSDir ("suitable for hidden service directory") and Guard ("suitable for being an entry guard") consensus flags: https://gitweb.torproject.org/torspec.git/blob/HEAD:/dir-spec.txt#l1775 Then they injected the signal whenever they were used as a hidden service directory, and looked for an injected signal whenever they were used as an entry guard. The way they injected the signal was by sending sequences of "relay" vs "relay early" commands down the circuit, to encode the message they want to send. For background, Tor has two types of cells: link cells, which are intended for the adjacent relay in the circuit, and relay cells, which are passed to the other end of the circuit. https://gitweb.torproject.org/torspec.git/blob/HEAD:/tor-spec.txt#l364 In 2008 we added a new kind of relay cell, called a "relay early" cell, which is used to prevent people from building very long paths in the Tor network (very long paths can be used to induce congestion and aid in breaking anonymity): http://freehaven.net/anonbib/#congestion-longpaths https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/110-avoid-infinite-circuits.txt But the fix for infinite-length paths introduced a problem with accessing hidden services: https://trac.torproject.org/projects/tor/ticket/1038 and one of the side effects of our fix for bug 1038 was that while we limit the number of outbound (away from the client) "relay early" cells on a circuit, we don't limit the number of inbound (towards the client) relay early cells: https://lists.torproject.org/pipermail/tor-commits/2009-July/014679.html So in summary, when Tor clients contacted an attacking relay in its role as a Hidden Service Directory to publish or retrieve a hidden service descriptor (steps 2 and 3 on https://www.torproject.org/docs/hidden-services), that relay would send the hidden service name (encoded as a pattern of relay and relay-early cells) back down the circuit. Other attacking relays, when they get chosen for the first hop of a circuit, would look for inbound relay-early cells (since nobody else sends them) and would thus learn which clients requested information about a hidden service. There are three important points about this attack: A) The attacker encoded the name of the hidden service in the injected signal (as opposed to, say, sending a random number and keeping a local list mapping random number to hidden service name). The encoded signal is encrypted as it is sent over the TLS channel between relays. However, this signal would be easy to read and interpret by anybody who runs a relay and receives the encoded traffic. And we might also worry about a global adversary (e.g. a large intelligence agency) that records Internet traffic at the entry guards and then tries to break Tor's link encryption. The way this attack was performed weakens Tor's anonymity against these other potential attackers too -- either while it was happening or after the fact if they have traffic logs. So if the attack was a research project (i.e. not intentionally malicious), it was deployed in an irresponsible way because it puts users at risk indefinitely into the future. (This concern is in addition to the general issue that it's probably unwise from a legal perspective for researchers to attack real users by modifying their traffic on one end and wiretapping it on the other. Tools like Shadow are great for testing Tor research ideas out in the lab: http://shadow.github.io/ ) B) This protocol header signal injection attack is actually pretty neat from a research perspective, in that it's a bit different from previous tagging attacks which targeted the application-level payload. Previous tagging attacks modified the payload at the entry guard, and then looked for a modified payload at the exit relay (which can see the decrypted payload). Those attacks don't work in the other direction (from the exit relay back towards the client), because the payload is still encrypted at the entry guard. But because this new approach modifies ("tags") the cell headers rather than the payload, every relay in the path can see the tag. C) We should remind readers that while this particular variant of the traffic confirmation attack allows high-confidence and efficient correlation, the general class of passive (statistical) traffic confirmation attacks remains unsolved and would likely have worked just fine here. So the good news is traffic confirmation attacks aren't new or surprising, but the bad news is that they still work. See https://blog.torproject.org/blog/one-cell-enough for more discussion. Then the second class of attack they used, in conjunction with their traffic confirmation attack, was a standard Sybil attack -- they signed up around 115 fast non-exit relays, all running on 188.8.131.52/16 or 184.108.40.206/16. Together these relays summed to about 6.4% of the Guard capacity in the network. Then, in part because of our current guard rotation parameters: https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters these relays became entry guards for a significant chunk of users over their five months of operation. We actually noticed these relays when they joined the network, since the DocTor scanner reported them: https://lists.torproject.org/pipermail/tor-consensus-health/2014-January/004134.html https://gitweb.torproject.org/doctor.git We considered the set of new relays at the time, and made a decision that it wasn't that large a fraction of the network. It's clear there's room for improvement in terms of how to let the Tor network grow while also ensuring we maintain social connections with the operators of all large groups of relays. (In general having a widely diverse set of relay locations and relay operators, yet not allowing any bad relays in, seems like a hard problem; on the other hand our detection scripts did notice them in this case, so there's hope for a better solution here.) In response, we've taken the following short-term steps: 1) Removed the attacking relays from the network. 2) Put out a software update for relays to prevent "relay early" cells from being used this way. 3) Put out a software update that will (once enough clients have upgraded) let us tell clients to move to using one entry guard rather than three, to reduce exposure to relays over time. 4) Clients can tell whether they've received a relay or relay-cell. For expert users, the new Tor version warns you in your logs if a relay on your path injects any relay-early cells: look for the phrase "Received an inbound RELAY_EARLY cell". The following longer-term research areas remain: 5) Further growing the Tor network and diversity of relay operators, which will reduce the impact from an adversary of a given size. 6) Exploring better mechanisms, e.g. social connections, to limit the impact from a malicious set of relays. We've also formed a group to pay more attention to suspicious relays in the network: https://blog.torproject.org/blog/how-report-bad-relays 7) Further reducing exposure to guards over time, perhaps by extending the guard rotation lifetime: https://blog.torproject.org/blog/lifecycle-of-a-new-relay https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters 8) Better understanding statistical traffic correlation attacks and whether padding or other approaches can mitigate them. 9) Improving the hidden service design, including making it harder for relays serving as hidden service directory points to learn what hidden service address they're handling: https://blog.torproject.org/blog/hidden-services-need-some-love OPEN QUESTIONS: Q1) Was this the Black Hat 2014 talk that got canceled recently? Q2) Did we find all the malicious relays? Q3) Did the malicious relays inject the signal at any points besides the HSDir position? Q4) What data did the attackers keep, and are they going to destroy it? How have they protected the data (if any) while storing it? Great questions. We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how "relay early" cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild. They haven't answered our emails lately, so we don't know for sure, but it seems likely that the answer to Q1 is "yes". In fact, we hope they *were* the ones doing the attacks, since otherwise it means somebody else was. We don't yet know the answers to Q2, Q3, or Q4.
gAtO rEaD- The government is buying hackers exploits – not to stop these sophisticated cyber exploits but to use these tools against it’s own people- they are using the tools to infiltrate computer networks worldwide, leaving behind spy programs and cyber-weapons that can disrupt data or damage systems.
The core problem: Spy tools and cyber-weapons rely on vulnerabilities in existing software programs, and these hacks would be much less useful to the government if the flaws were exposed through public warnings. So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired. So your computer is vulnerable and the governments knows it and will not disclose this information, but use it against you to place cookies,RAT’s or other spyware into your computer -maybe- I trust our government don’t you?
If you got nothing to hide, you should not be worried… right????
So our Tax dollars are going to Hackers and cyber criminals that sell these exploits all over the world. As a tax payer I don’t like this part at all. But the worst part is by us taking the lead of cyber offensive cyber tools -example.. Stuxnet – it is a plan book for other countries to do the same. So what we do in cyberspace has become socially acceptable to do in cyberspace and then we bitch about China. I don’t get it – mEoW
Officials have never publicly acknowledged engaging in offensive cyber-warfare, though the one case that has beenmost widely reported – the use of a virus known as Stuxnet to disrupt Iran’s nuclear-research program – was lauded in Washington. Officials confirmed to Reuters previously that the U.S. government drove Stuxnet’s development, and the Pentagon is expanding its offensive capability through the nascent Cyber Command.
Then you have the Prism disclosure and PoW- US Cyber Agents Disrupt Publication of Popular Al Qaeda Magazine – This means that Obama’s cyber military is potentially capable of more targeted attacks, specified at damaging particular pieces of information or infrastructure. I wonder where they got those vulnerabilities? maybe some bad guys—/
What worries me is as the U.S engages in these attacks our enemies are learning what is acceptable in cyberwar. So we must be careful not to lose the fact that everyone is watching what we do and how we treat cyberspace and others governments will follow, defensive and offensive, they are learning from the best the U.S. Government -gAtO oUt
gAtO fOuNd – this very interesting and wanted to share –
Tor does some things good, but other anonymous networks do other things better. Only when used together do they work best. And of course you want to already know how to use them should something happen to Tor and you are forced to move to another network.
Try them! You may even find something interesting you cannot find on Tor!
These are well known and widely deployed anonymous networks that offer strong anonymity and high security. They are all open source, in active development, have been online for many years and resisted attack attempts. They run on multiple operating systems and are safe to use with default settings. All are well regarded.
- Tor – Fast anonymous internet access, hidden websites, most well known.
- I2P – Hidden websites, anonymous bittorrent, mail, out-proxy to internet, other services.
- Freenet – Static website hosting, distributed file storage for large files, decentralized forums.
Also anonymous networks, but less used and possibly more limited in functionality.
- GnuNet – Anonymous distributed file storage.
- OneSwarm – Bittorrent, has a non-anonymous mode, requires friends for anonymity.
- RetroShare – File-sharing, chat, forums, mail. Requires friends, and not anonymous to those friends, only the rest of the network.
- Omemo – Distributed social storage platform. Uncertain to what extent it is anonymous.
These are anonymous networks, but are not open source. Therefore their security and anonymity properties is hard to impossible to verify, and though the applications are legit, they may have serious weaknesses. Do not rely on them for strong anonymity.
- Osiris – Serverless portal system, does not claim to provide any real anonymity.
- Phantom – Hidden Services, native IPv6 transport.
- GlobaLeaks – Open Source Whistleblowing Framework.
- FreedomBox – Project to create personal servers for distributed social networking, email and audio/video communications.
- Telex – A new way to circumvent Internet censorship.
- Project Byzantium – Bootable live distribution of Linux to set up wireless mesh nodes with commonly available hardware.
- Hyperboria A distributed meshnet built on cjdns.
These are internets overlaid on the internet. They provide security via encryption, but only provides weak to none anonymity on their own. Only standard tools such as OpenVPN and Quagga are required to connect. Responsibility for a sufficiently anonymous setup is placed on the user and their advertised routes. More suited for private groups as things out in the open can be firewalled by other participants. Can be layered above or below other anonymity nets for more security and fun.
- Anonet – AnoNet2, a more open replacement for AnoNet1.
- dn42 – Another highly technical routing community.
- CJDNS, an IPV6 overlay network that provides end to end encryption. It is not anonymous by itself.
- Netsukuku – A project that aims to build a global P2P online network completely independent from the Internet by using Wi-Fi. The software is still in active development, although the site is no longer updated. A new site is in progress of being built.
- Many other wireless communities building mesh networks as an alternative to the Internet, e.g. Freifunk, http://guifi.net and many more around the globe. see also
- Namecoin – Cryptocurrency with the added ability to support a decentralised domain name system currently as a .bit.
- OpenNIC – A user controlled Network Information Center offering a democratic, non-national, alternative to the traditional Top-Level Domain registries.
- Dot-P2P – Another decentralized DNS service without centralized registry operators (at July 18, 2012 page is not accessible and has not known anything about the status of project from February 2011).
gAtO lEaRn – On 01-01-213 we hear that Microsoft buys Skype and makes changes to allow Police surveillance. Then on 01-07-2013 we hear that a professor at the Warsaw University of Technology, Wojciech Mazurczyk, found a way to insert secret 70 bits of data and add secret information similar to steganography.
Lawful Intercept is what it’s called and we just heard punch – counter-punch from the government. I just posted about corporations and governments using offensive cyber weapons to fight crime, but this looks like just plain old spying on citizens like China, Iraq and Syria does. Skype is owned by Microsoft and we know that Word and other products have back doors for them to snoop and governments to use in criminal cases. I guess they do it the proper way and get a real FISA document to monitor us it’s citizens.
mEoW 12-30-2012 our re-elected President Obama signs FISA Warrantless Wiretapping Program. STOP – SAY WHAT. mEoW – Forget about gun control how about the privacy of citizens, are we becoming like China, Iraq and Syria the more I find out about this the crazier it becomes. I hate Skypes but now finding this out NO WAY DUDE-
I did a little digging and I found a document from the Straford hack from the LutzBoat crew and this has been on the play board for a long time. More and more governments that play nice with the America and Microsoft will have to live with the fact that they are spying on us, the people. I voted for Obama but I’m pretty sure any president would want to be able to justify this abuse of power to monitor it’s citizens, what get’s me is we scream and yell when other countries do it but here we are doing to ourselves and nobody is talking about this- Hay press wake up. I have nothing to hide but if you do you have been warned – enjoy your government spying on you behind your back - gAtO oUt
IT security continues to be the greatest challenge facing government CIOs worldwide. Most experts agree that governments require stronger partnerships between the public and private sectors for both better protection of government IT systems from intruders and for greater visibility into operators’ network traffic to fight crime. However, government systems and intelligence activities constitute a very sensitive information environment. Governments must proceed with caution when forming technology partnerships for hardening their IT network security. Melissa E. Hathaway, who in February 2009 was named to be the Obama Administration’s top cyber security official, points out how
Criminals, predators and hackers now use chats, blogs, webmail and Internet applications such as online gaming and file-sharing sites to hide their communications.
Qosmos provides law enforcement agencies with a powerful solution to identify a target using multiple virtual IDs and intercept all related IP- based communications. Any trigger, such as a “user login = target” initiates intercept of all IP traffic related to the “target.”
Example of recognized applications and protocols
VoIP Email (POP, SMTP)
Webmail (Gmail, Hotmail, Live Mail, SquirrelMail, Yahoo mail, etc.)
Instant Messaging (Aim, SNM, Skype, Yahoo, Google Talk, QQ, Maktoob, Paltalk, etc.)
Online games (World of Warcraft)
Online classified ads
Audio/Video (H.323, SIP, MGCP, RTP, RTCP, MMSE, RTSP, SHOUTcast, Yahoo Video,
MSN Video, SCCP, etc.)
Web applications (Dailymotion, Google, eBay, Google Earth, HTTP, MySpace, Wikipedia,
Example of information extracted
Caller, phone number, called party, duration of call
Webmail login, email address, sender, receiver, subject matter, attached documents
Instant messaging sender, receiver, contact lists and status
Forum login, IP address, MAC address, mobile ID (IMSI, IMEI)
Protocols identified even for unidirectional traffic (e.g. email by satellite).
gAtO wAs - reading Bloomberg BusinessWeek “ The Hacker of Damascus” Karin a 31-year-old doctor had spent the previous months protesting against the government of Damascus, he refuse to give up his friends names.
Before the arrest-/ before the torture/- they found a simple vulnerability thru Skypes they also got into his hard drive and as Karin said they arrested his computers data first them him. So now we see the black hats, spammer, cyber criminal tricks against people from their own governments. Is this the way it’s going to happen, we see the news today about 2 ladies and their General boy toys and WOW -mEoW.
In Georgia detains ministry for using malware to access opposition leaders computers – This is just another example of governments using criminal cyber tactics to gain intelligence from it’s own people.
The other side of the cyber struggles in Syria is Anonymous and their role in all this: On the other side, the hacktivist group Anonymous has infiltrated at least 12 Syrian government websites, including that of the Ministry of Defense, and released millions of stolen e-mails.
Cyberspace and it’s tools (weapons) like Facebook, Twitter – can be used by both sides in this evolving landscape of digital warriors. That is why gATo is sadden by how basic normal Internet tools can become killers and liberators. I guess I see the fog of cyberwar thru gATO eYe’S we have only seen defensive cyber tools so far Suxnet and others are only the beginning and the new economies that had no choice but a digital path into their infrastructure need to look at their own security a wee bit more close. DId Huawei (China’s Telecom Giant accused of having backdoor ) sell you those Network infrastructure pieces at a very cheap price -(lowest bidder (or a no-bid)contract) -well guess who is watching you…
SCADA cyber controls security SUCKs = infrastructure things (energy/transportation/communication/water/air) = fix them NOW
Since no Cyber Bill has gone before congress -President Obama after a major election went and signed a-
US secret CYber Law singed by Pres. Obama -Nov 15, 2012
Rather, the directive establishes principles and processes for the use of cyber operations so that cyber tools are integrated with the fully array of national security tools we have at our disposal. It provides a whole-of-government approach consistent with the values that we promote domestically and internationally as we have previously articulated in the International Strategy for Cyberspace.
This directive will establish principles and processes that can enable more effective planning, development, and use of our capabilities. It enables us to be flexible, while also exercising restraint in dealing with the threats we face. It continues to be our policy that we shall undertake the least action necessary to mitigate threats and that we will prioritize network defense and law enforcement as the preferred courses of action. The procedures outlined in this directive are consistent with the U.S. Constitution, including the President’s role as commander in chief, and other applicable law and policies. http://killerapps.foreignpolicy.com/posts/2012/11/14/the_white_houses_secret_cyber_order
So now even 31-year-old doctors need to worry what they do and who they talk to and WHAT they talk about -/ also- in Facebook, Skype or any other web-App- By the way —>These basic vulnerabilities can be found and exploited in any web-app – So this person may of worked at the water plant – or the electric plant what could these White Hat Bots have obtained?? These little White Hat BotNets may go rouge or may be captured this is about virtual digital world with a click of a mouse I GOT YOU!!! -PWN
Will this become the standard? The good and bad guy’s do it NOW- plant a virus suck up your disk / then check it out – BUT “if you got nothing to hide” well it’s OK then — right - gAtO oUt
Iran Sites Open 2 Joomla -K-CMS Hacking
gAtO wAs – in the kitty box scratching and found some sites in Iran that have the same problem that Syria has. Outdated older Content Management systems like Joomla and KCMS_1.0 and many other sites have Microsoft Visual Studio.NET 7.0. These require more research as to vulnerabilities but we are working on that. But gAtO found you guessed it Joomla 1.5 CMS all over the place. The same vulnerabilities that Syria has they have
This is easy to do with any browser do a search on any search engine “site:.gov.ir” and you will get a list of all the .gov.ir sites everywhere. Now remember with a translate button(on your browser) you can read these site in any language you want. The other trick is once you get to any site on your browser just go to >>Edit>>Source Code. and lot’s of sites will tell you the content creation: All sites in any language the HTML is always in english.
<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />
If your smart and are doing this in a government site I would remove this information. Now besides Joomla 1.5 gAtO found lots of sites with KCMS_1.0 and you guessed it again they are older versions and have vulnerabilities. So now gAtO will publish this list and update it as we find more and more vulnerabilities. Why doe gATo do this. It my way of showing the world that anyone can help, anyone with any talent can contribute to making this world a better world. I hope this informtion helps someone to be free- gAtO oUt.
Some site have this warning be careful :This site may harm your computer.
http://xforce.iss.net/xforce/xfdb/33437 Apr 4, 2007 – CVE-2007-2106: Directory traversal vulnerability in index.php in Kai Content Management System (K-CMS) 1.x allows remote attackers to ..
K-CMS (Kai Content Management System) could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request to the index.php script using the current_theme parameter to specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable Web server.
Many of Irans site use ArPortal 7.1.2 while many others us Microsoft Visual Studio.NET 7.0
<meta name=”generator” content=”Expans! 1.5 – Open Source Content Management
 security tips for Joomla Websites http://www.itoctopus.com/10-security-tips-for-your-joomla-website
<META NAME=”GENERATOR” CONTENT=”ArianaPortal 7.1.2″>
 <meta name=”generator” content=”KCMS 1.0″ />
<meta name=”generator” content=”KCMS 1.0” />
<meta name=”generator” content=“Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com” />
<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com” />
<meta name=”generator” content=”Expans! 1.5 – Open Source Content Management
<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com” />
<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />
<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By Mambolearn.com” />
<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By Navid Iranian Co. Ltd” />
Saman Information Structure
<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />
Joomla 1.5.15 Released. The Joomla Project is pleased to announce the immediate availability of Joomla 2.5.0. This is a security release. Version 2.5.0 is is the …
www.khodabandeh.gov.ir/ – Translate this page
Copyright © 2009 — Webdesign aus Tirol – All Rights Reserved. Template Demo Joomla 1.5 Template by pc-didi.. Translate By : Meisam Heidarzadeh | hotfa.ir.
www.sabtyazd.gov.ir/index.php?… – Translate this page
… C:\Inetpub\vhosts\sabtyazd.gov.ir\httpdocs\libraries\joomla\session\session. php … %PDF-1.5 3 0 obj < > endobj 4 0 obj < > stream x?U?k A ?? ? ?Zz s …
CYber Investigation over General Patraeus
gAtO rEaD – NO CRIME committed- that the investigation for the top CIA general was because someone sent an eMail that said” I saw you touching the Generals leg at Dinner -Stop It” Yeah so one lady said to another lady – STOP MESSING WITH MY MAN – Pow – ZAP they get a court order to go thru someones eMail.
So if we take this premise that Judges will sign -COURT ORDERS to search your emails and any other emails that link it because of a jealous lover. It looks to gAtO that they have to much POWER – or the FBI is gonna search everyones emails now – legally. Court Ordered
This should send shock waves thru our industry – everyone is now warned that anyone’s email can be open to LE anytime and just about for any reason. I trusted the system, I trusted the Judges but lack of a crime should of not happened. There was NO CRIME committed the investigation turned out. But it has now taken down the reputation of 2 generals. NO CRIME
Now these are 2 famous generals what chance do mere mortals have that our eMails are going to be court order to investigate why simply because they can now. This shows to me the lack of justice or the erosion of justice that is coming down the cyber pipelines. If this is now a wake up call for security professionals to wake up and smell the coffee. Your email will be next unless we support less government control of our digital rights.
Freedom of Speech in cyberspace is a right not a privilege -gAtO oUt
gATO hApPy -
AVAILABLE @ AMAZON - http://www.amazon.com/dp/B009VN40DU
AVAILABLE @SmashWords website @http://www.smashwords.com/books/view/247146
I learned that I hate WORD: – but it’s the general format for publishing – text boxes- get imbedded and you can’t format to EPUB or .mobi or anything – solution after going lOcO gAtO - was copy and paste into txt editor – save as RTF then copy paste back into a new WORD document and then reformat everything from scratch – and copy over the pictures – as you can tell I had fun-..-ugh mEoW F-F-F-F as much fun as a hairball but if it get’s the message out “FREEDOM OF SPEECH IN CYBERSPACE” then we done our job, anyway I hope you read it - Thank you Pierluigi a best friend a security gAtO ever had – gATO oUt
This Book covers the main aspects of the fabulous and dangerous world of -“The Deep Dark Web” . We are just two cyber specialists Pierluigi Paganini & Richard -gAtO- Amores, with one passion and two souls we wanted to explain the inner working of the deep dark web. We have had a long collaboration in this efforts to document our findings we made infiltrations into the dark places inaccessible to many to give a you the reader a clear vision on the major mystery of the dark hidden web that exist today in the Tor Onion network..
The Web, the Internet, mobile cell devices and social networking has become commonly used words that identify technological components of daily Internet user’s experience in the cyberspace. But how much do we really know about cyberspace? Very, very little, Google / Yahoo / Bing only show us 20% of the Internet the other 80% is hidden to the average user unless you know were to look.
The other 80% of the Internet is what this book is about the “Deep Dark Web”, three words with millions of interpretations, mysterious place on the web, the representation of the hell in the cyberspace but also the last opportunity to preserve freedom of expression from censorship. Authorities and corporation try to discourage the use of this untapped space because they don’t control it. We the people of the free world control this network of Tor -Onion Routers by volunteer around the world.
The Deep Dark Web seems to be full of crooks and cyber criminals, it is the hacker’s paradise, where there are no rule, no law, no identity in what is considered the reign of anonymity, but this is also the reason why many persecuted find refuge and have the opportunity to shout to the world their inconvenient truths.
The Deep Dark Web is a crowded space with no references but in reality it is a mine of information unimaginable, a labyrinth of knowledge in the book we will try to take you by the hand to avoid the traps and pitfalls hopefully illuminating your path in the dark.
Cybercrime, hacktivism, intelligence, cyber warfare are all pieces of this complex puzzle in which we will try to make order, don’t forget that the Deep Dark Web has unbelievable opportunity for business and governments, it represents the largest on-line market where it is possible to sell and acquire everything, and dear reader where there is $money$ you will find also banking, financial speculators and many other sharks.
Do you believe that making money in Deep Web is just a criminal prerogative? Wrong, the authors show you how things works in the hidden economy and which are the future perspectives of is digital currency, the Bitcoin.
This manuscript proposes both faces of the subject, it illustrates the risks but also legitimate use of anonymizing networks such as TOR adopted by journalist to send file reports before governments agents censored his work .
Here are some question we may answers to:
How many person know about the cyber criminals and their ecosystem in the deep web?
How many have provided information on the financial systems behind the “dirty affairs”?
How the law enforcement and governments use Dark Web?
Let’s hold your breath and start the trip in the abyss of knowledge to find answers to the above questions. We hope that with this book you can learn something new about – The Deep Dark Web.
Excellent presentation from Pierluigi at the ICTTF Cyber Threat Summit 2012. Apologies for the microphone problems (some twat in the audience was using a frequency jammer).The rise of Cyber Weapons and relative impact on cyber space. Well worth a watch.
Pierluigi can be found at http://securityaffairs.co/wordpress/ He is the co-author of the new book
The Deep Dark Web – coming soon
gAtO been doing some research in botnets and found out some cool things. The basics IRC- http – p2p and twitter botnets architecture and bots are becoming easier to find and use, tutorials and videos are all over the place and in any language. So the task of becoming a bot-master is easy. Bot’s can be used for good also but nobody want’s to hear about that…Imagine bot’s being used with Amber alerts to or other emergencies tools were thousands of computers are needed, bot’s can be used for good things too.
Botnets are a big problem they allow anyone to have thousand, millions of computers at their beck and call, a kid in a basement, or an enemy of the state these bot’s are a real danger. These bot’s have 4 different attack vector:
Kenetic – Distribution – Information – cyberTools
kinetic -zombie computer are used to Ddos attack a site or Click-fraud advertisement scams.
distributors – sending spam email- (Adware/ Spyware) – infecting other computers – co-workers, friends and families
information Keylogger, data exfiltration, key stealing from games -for sale $$ – email, social network — friends — banking – payPal – Work -Corporate spying and IP (intellectual property) plus emails of co-workers, friends and family.
cyberTools – we see bot’s become DNS servers, c&c servers, infection distribution servers, proxies, Tor (exit/entry) nodes or just a ftp site for storage.
I have seen lot’s of different bot’s but only four (4) basic types of botnet Command and Control (C&C) architecture: IRC (Internet Relay Chat) based, HTTP (or Web) based and P2P (Peer-to-peer) based – and Now Twitter controlled botnet’s.
Todays bot’s can be used in Intelligence Gathering, Monitoring and surveillance with the ability to turn on WebCam and Microphone without the victim knowing and recording it makes them even more dangerous and any digital cell device is hackable.
Here is a new one for me a private Twitter account is being used as the (C&C) command and control for bots. Once the bots are installed in the machine they go out and friend their botMaster they accept the friend and now send coded messages that are the commands for the bot’s. This is pretty cool and since it’s Twitter is kinda normal communication tool even in business machines, groups use twitter all the time to communicate.
In my research I found bots and video, tutorials and everything I need. On top of that we have Tor and other anonymized (custom Tor network) for these bot’s to communicate untraceable and cannot be found.
Here is were the metal hit’s the road because in this environment the p2p Botnet Architecture used with Tor would be an unstoppable solution and it’s becoming reality today: I included a thread from a hacker site in Tor discussing this very subject //.
these are some of the bot’s I found free source code to play –
G-Bot 1.7 Ddos-Bot – Zues 220.127.116.11 – ClientMesh 4.0 – DarkComet 5.3.1 – BlackShades 4.8 – SpyEye 1.3.45
Below are some of my notes on this I hope they may help - gAtO oUt
There are basically 3 types of Bot net technologies. The first botnets started back about a decade ago with IRC bots
it’s more a continual connection at all times
IRC – HTTP – P2P – note p2p is the best meshed no central C&C
With HTTP botnets you can communicate async – things can be schedule a meeting and then log of and do the work then at a pre arrange time you call home (C&C) and check in with mamma.
Then you have p2p botnet’s they have no central C&C so are much harder to find the source and kill it.
Here we see were some of the bot’s may become proxies or some units may be used to cascade out spam interactions, one may also become a download location, one a dns server. The key thing to take away from a Peer to Peer networks is it’s very difficult to take them down because of their mesh network. There is no central point of failure, it’’s a simple file sharing protocol
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= p2p Tor Bot -message hacking board in Tor-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Hey guys, just thought I would leave a thread here to announce a new bot that I am working on at the moment, Kronos.
Kronos is an http bot that runs through tor, each bot will launch its own tor process and then connect to your panel (which is a hidden service) using tor.
- The bot will act as a hidden service on the tor network
- Socks5 proxy. Because of the above feature you are able to connect to the bot and use it as a proxy through tor, this removes the need for the bot to use upnp to open a port for you to connect through as tor handles NAT traversal by having the server connect out to the network itself, meaning there are no incoming connections. You can read here for more if you don’t already know how this works https://www.torproject.org/docs/hidden-services.html.en
- Torrent seeder, not a shitty seeder that adds torrent files to the users torrent client, bots will work as real torrent clients.
- Various flooding abilities (useless in my opinion)
- Form grabber
- Possibly mailing capabilities
I am also playing with some p2p code
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-hacking board in Tor=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// So now that we know a bit about botnets let’s look at how they can make a profit for the criminal, below I listed of some of the stuff that you can harvest from your botnet empire.
Adware/ Spyware Scare-ware
Crimeware – Keylogger, data exfiltration, key stealing from games -for sale $$ – email, social network — friends — banking – payPal – Work -Corporate spying and IP plus emails of friends and work buddies..
http://www.youtube.com/watch?v=RsDtlqT4Zd4 Zeus BotNet Tutorial 2012
http://www.xylibox.com/2011/08/cracking-spyeye-13x.html SpyEye Tutorial 2011