04/5/13

Tor Tells Its Secrets

gAtO pLaYiNg with words in Tor- We simply counted the number of times a word appeared in our search engine, by pages- this is something every search engine does, but what it gave us was a picture of what Tor really is. It’s not all crime and ugly; information is number one in Tor. Exactly what it’s supposed to be. Tor was created to share information, and from the table below we see lots of stuff inside Tor.

Tor word data points: We put this report together to see what our word count occurrence was, in our crawled data so far. The chart below gives an interesting picture of the Tor data points that it generates.

We are finding that these are the best categories to put our websites into. The words by site occurrence speak volumes for understanding trends in Tor. For example, it shows the i2p network 2 notches above drugs in Tor, because i2p is fast becoming intertwined with Tor to get better anonymity.

  • These are real data points based on 3/27/2013-4/3/2013 – this is a live report from our crawls.
  • As we crawl and add more data our picture will change as to the landscape of Tor. 
  • Bitcoins is the fourth most popular word – currency in the Dark Web is number 1  

Word Num. Occurrences
blog 1014
wiki 985
anonymous 966
bitcoin 837
sex 530
gun 492
market 458
I2P 400
software 372
drugs 365
child 353
pedo 321
hacking 314
weapon 221
politic 209
books 157
exploit 118
anarchism 105
porno 88
baby 87
CP 83
fraud 76
piracy 69

 

  • Bitcoins being above SEX tells us volumes: bitcoins are the normal exchange currency in Tor.
  • Fraud and piracy are the lowest, where we would expect them to be much higher. People trust more in Tor.

This map does tell us that crime is everywhere in Tor at a more alarming rate than we thought.

We are doing the same with the e-mail we found in Tor. The email table is a place where we can get a better picture of emails in the Tor network. Not all of them go to tormail.org as we thought. As mentioned, more i2p and connections with other anonymous networks seem to be a trend; as the growth rate of Tor users increases, so does the technical base, and more sophisticated users will come on board.

Hope this gives you a better picture of Tor. -gAtO oUt

03/24/13

Tor is NOT the ONLY Anonymous Network

gAtO fOuNd – this very interesting and wanted to share –

Tor does some things well, but other anonymous networks do other things better. Only when used together do they work best. And of course you want to already know how to use them should something happen to Tor and you are forced to move to another network.

Try them! You may even find something interesting you cannot find on Tor!

Anonymous networks

These are well known and widely deployed anonymous networks that offer strong anonymity and high security. They are all open source, in active development, have been online for many years and resisted attack attempts. They run on multiple operating systems and are safe to use with default settings. All are well regarded.

  • Tor – Fast anonymous internet access, hidden websites, most well known.
  • I2P – Hidden websites, anonymous bittorrent, mail, out-proxy to internet, other services.
  • Freenet – Static website hosting, distributed file storage for large files, decentralized forums.

Less well known

Also anonymous networks, but less used and possibly more limited in functionality.

  • GnuNet – Anonymous distributed file storage.
  • OneSwarm – Bittorrent, has a non-anonymous mode, requires friends for anonymity.
  • RetroShare – File-sharing, chat, forums, mail. Requires friends, and not anonymous to those friends, only the rest of the network.
  • Omemo – Distributed social storage platform. Uncertain to what extent it is anonymous.

Non-free networks

These are anonymous networks, but are not open source. Therefore their security and anonymity properties are hard to impossible to verify, and though the applications are legit, they may have serious weaknesses. Do not rely on them for strong anonymity.

  • Osiris – Serverless portal system, does not claim to provide any real anonymity.

In development

  • Phantom – Hidden Services, native IPv6 transport.
  • GlobaLeaks – Open Source Whistleblowing Framework.
  • FreedomBox – Project to create personal servers for distributed social networking, email and audio/video communications.
  • Telex – A new way to circumvent Internet censorship.
  • Project Byzantium – Bootable live distribution of Linux to set up wireless mesh nodes with commonly available hardware.
  • Hyperboria – A distributed meshnet built on cjdns.

Routing Platforms

These are internets overlaid on the internet. They provide security via encryption, but provide only weak to no anonymity on their own. Only standard tools such as OpenVPN and Quagga are required to connect. Responsibility for a sufficiently anonymous setup is placed on the user and their advertised routes. More suited for private groups, as things out in the open can be firewalled by other participants. Can be layered above or below other anonymity nets for more security and fun.

  • Anonet – AnoNet2, a more open replacement for AnoNet1.
  • dn42 – Another highly technical routing community.
  • CJDNS – An IPv6 overlay network that provides end-to-end encryption. It is not anonymous by itself.

Alternative Internet

  • Netsukuku – A project that aims to build a global P2P online network completely independent from the Internet by using Wi-Fi. The software is still in active development, although the site is no longer updated. A new site is in progress of being built.
  • Many other wireless communities building mesh networks as an alternative to the Internet, e.g. Freifunk, http://guifi.net and many more around the globe.

Alternative domain name systems

  • Namecoin – Cryptocurrency with the added ability to support a decentralised domain name system currently as a .bit.
  • OpenNIC – A user controlled Network Information Center offering a democratic, non-national, alternative to the traditional Top-Level Domain registries.
  • Dot-P2P – Another decentralized DNS service without centralized registry operators (as of July 18, 2012 the page is not accessible and nothing has been known about the status of the project since February 2011).


11/15/12

Iran Sites Open 2 Joomla -K-CMS Hacking

gAtO wAs – in the kitty box scratching and found some sites in Iran that have the same problem that Syria has: outdated, older Content Management Systems like Joomla and KCMS_1.0[2], and many other sites have Microsoft Visual Studio.NET 7.0. These require more research as to vulnerabilities, but we are working on that. But gAtO found, you guessed it, Joomla 1.5 CMS all over the place. The same vulnerabilities that Syria has, they have.

This is easy to do with any browser: do a search on any search engine for “site:.gov.ir” and you will get a list of all the .gov.ir sites everywhere. Now remember, with a translate button (on your browser) you can read these sites in any language you want. The other trick is, once you get to any site in your browser, just go to >>Edit>>Source Code, and lots of sites will tell you the content creation tool. On all sites, in any language, the HTML is always in English.

<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />

If you’re smart and are doing this on a government site I would remove this information. Now besides Joomla 1.5 gAtO found lots of sites with KCMS_1.0[2] and, you guessed it again, they are older versions and have vulnerabilities. So now gAtO will publish this list and update it as we find more and more vulnerabilities. Why does gAtO do this? It’s my way of showing the world that anyone can help, anyone with any talent can contribute to making this world a better world. I hope this information helps someone to be free- gAtO oUt.
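For a site owner who wants to act on that advice, the check below is an added example (not code from the original post): it parses a page's HTML, finds the generator meta tag and reports whether it discloses a version. The function names and the sample pages are constructed for illustration.

```python
# Added example: audit your own pages for a generator meta tag that
# discloses the CMS name and version. Sample pages are constructed.
import re
from html.parser import HTMLParser

# Blog editors and word processors turn straight quotes into typographic
# ones; normalise them so pasted markup still parses as attributes.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"'})
# A dotted version such as 1.5 or 7.1.2, or a bare major number.
_VERSION = re.compile(r"\d+(?:\.\d+)+|\b\d+\b")


class GeneratorFinder(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <META NAME=...>
        # is handled too; self-closing <meta ... /> also arrives here.
        if tag != "meta":
            return
        attributes = {name: (value or "") for name, value in attrs}
        if attributes.get("name", "").strip().lower() == "generator":
            self.generators.append(attributes.get("content", "").strip())


def audit_generator(html):
    """Return one finding per generator tag found in the HTML string."""
    finder = GeneratorFinder()
    finder.feed(html.translate(_QUOTES))
    finder.close()
    findings = []
    for content in finder.generators:
        match = _VERSION.search(content)
        findings.append({
            "generator": content,
            "version": match.group(0) if match else None,
            "discloses_version": match is not None,
        })
    return findings


def pages_disclosing(pages):
    """Names of the pages whose generator tag gives away a version."""
    return sorted(
        name for name, html in pages.items()
        if any(f["discloses_version"] for f in audit_generator(html))
    )


# Constructed sample pages: two disclose a version, two do not.
SAMPLE_PAGES = {
    "index.html": "<html><head><meta name=\u201dgenerator\u201d "
                  "content=\u201dJoomla! 1.5 \u2013 Open Source Content "
                  "Management\u201d /></head></html>",
    "portal.html": '<HTML><HEAD><META NAME="GENERATOR" '
                   'CONTENT="ArianaPortal 7.1.2"></HEAD></HTML>',
    "no-version.html": '<head><meta name="generator" '
                       'content="Joomla! - Open Source Content Management" />'
                       "</head>",
    "hardened.html": "<html><head><title>Home</title></head></html>",
}

if __name__ == "__main__":
    for name in pages_disclosing(SAMPLE_PAGES):
        for finding in audit_generator(SAMPLE_PAGES[name]):
            print(name, "->", finding["generator"], "| version", finding["version"])
```

Run it over the rendered HTML of your own site as part of a release check; a page that no longer appears in the output has stopped advertising its CMS version, which does not replace upgrading the CMS itself.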

Some sites have this warning, be careful: This site may harm your computer.

Research Notes:

IRAN site:.gov.ir

http://xforce.iss.net/xforce/xfdb/33437 Apr 4, 2007 – CVE-2007-2106: Directory traversal vulnerability in index.php in Kai Content Management System (K-CMS) 1.x allows remote attackers to ..

K-CMS (Kai Content Management System) could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request to the index.php script using the current_theme parameter to specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable Web server.

Many of Iran’s sites use ArPortal 7.1.2 while many others use Microsoft Visual Studio.NET 7.0

<meta name=”generator” content=”Expans! 1.5 – Open Source Content Management

[1] security tips for Joomla Websites http://www.itoctopus.com/10-security-tips-for-your-joomla-website

<META NAME=”GENERATOR” CONTENT=”ArianaPortal 7.1.2″>

[2] <meta name=”generator” content=”KCMS 1.0″ />

K-CMS (Kai Content Management System) index.php file include

http://www.sarvabad.gov.ir/

<meta name=”generator” content=”KCMS 1.0” />

http://www.abhar.gov.ir/index.php?limitstart=63

<meta name=”generator” content=“Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com” />

http://www.abhar.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com” />

pishva.gov.ir

<meta name=”generator” content=”Expans! 1.5 – Open Source Content Management

http://www.zanjan.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com” />

http://chaloos.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />

http://mianeh.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By Mambolearn.com” />

http://easabt.gov.ir/protocol/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management. Developed By Navid Iranian Co. Ltd” />

Saman Information Structure

http://ea.mim.gov.ir/

http://www.sadra-ntoir.gov.ir/

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />

http://www.sarvabad.gov.ir


sabtyazd.gov.ir/index.php?option=com_newsfeeds…id…

This site may harm your computer.

Joomla 1.5.15 Released. The Joomla Project is pleased to announce the immediate availability of Joomla 2.5.0. This is a security release. Version 2.5.0 is is the

www.khodabandeh.gov.ir/ – Translate this page

Copyright © 2009 — Webdesign aus Tirol – All Rights Reserved. Template Demo Joomla 1.5 Template by pc-didi.. Translate By : Meisam Heidarzadeh | hotfa.ir.

www.sabtyazd.gov.ir/index.php?… – Translate this page

This site may harm your computer.

C:\Inetpub\vhosts\sabtyazd.gov.ir\httpdocs\libraries\joomla\session\session. php

http://www.leader.ir/langs/en/

http://www.president.ir/en/

http://www.saamad.ir

iten.behdasht.gov.ir – Site News

10/25/12

The deep Dark Web -Book Release

gATO hApPy

AVAILABLE @ AMAZON - http://www.amazon.com/dp/B009VN40DU

AVAILABLE @SmashWords website  @http://www.smashwords.com/books/view/247146

I learned that I hate WORD: – but it’s the general format for publishing  – text boxes- get embedded and you can’t format to EPUB or .mobi or anything – solution after going lOcO gAtO - was copy and paste into txt editor – save as RTF then copy paste back into a new WORD document and then reformat everything from scratch – and copy over the pictures – as you can tell I had fun-..-ugh mEoW F-F-F-F as much fun as a hairball but if it gets the message out “FREEDOM OF SPEECH IN CYBERSPACE” then we’ve done our job, anyway I hope you read it - Thank you Pierluigi, the best friend a security gAtO ever had – gATO oUt

This Book covers the main aspects of the fabulous and dangerous world of “The Deep Dark Web”. We are just two cyber specialists, Pierluigi Paganini & Richard -gAtO- Amores; with one passion and two souls we wanted to explain the inner workings of the deep dark web. We have had a long collaboration in this effort to document our findings; we made infiltrations into the dark places inaccessible to many, to give you the reader a clear vision of the major mystery of the dark hidden web that exists today in the Tor Onion network.

The Web, the Internet, mobile cell devices and social networking have become commonly used words that identify technological components of the daily Internet user’s experience in cyberspace. But how much do we really know about cyberspace? Very, very little. Google / Yahoo / Bing only show us 20% of the Internet; the other 80% is hidden to the average user unless you know where to look.

The other 80% of the Internet is what this book is about: the “Deep Dark Web”, three words with millions of interpretations, a mysterious place on the web, the representation of hell in cyberspace but also the last opportunity to preserve freedom of expression from censorship. Authorities and corporations try to discourage the use of this untapped space because they don’t control it. We the people of the free world control this network of Tor -Onion Routers, run by volunteers around the world.

The Deep Dark Web seems to be full of crooks and cyber criminals; it is the hacker’s paradise, where there are no rules, no law, no identity in what is considered the reign of anonymity, but this is also the reason why many persecuted people find refuge and have the opportunity to shout to the world their inconvenient truths.

The Deep Dark Web is a crowded space with no references, but in reality it is an unimaginable mine of information, a labyrinth of knowledge. In the book we will try to take you by the hand to avoid the traps and pitfalls, hopefully illuminating your path in the dark.

Cybercrime, hacktivism, intelligence and cyber warfare are all pieces of this complex puzzle in which we will try to make order. Don’t forget that the Deep Dark Web has unbelievable opportunity for business and governments; it represents the largest on-line market where it is possible to sell and acquire everything, and dear reader, where there is $money$ you will also find banking, financial speculators and many other sharks.

Do you believe that making money in the Deep Web is just a criminal prerogative? Wrong, the authors show you how things work in the hidden economy and what the future perspectives are of its digital currency, the Bitcoin.

This manuscript presents both faces of the subject; it illustrates the risks but also the legitimate use of anonymizing networks such as TOR, adopted by journalists to file reports before government agents censor their work.

Here are some questions we may answer:

How many people know about the cyber criminals and their ecosystem in the deep web?

How many have provided information on the financial systems behind the “dirty affairs”?

How do law enforcement and governments use the Dark Web?

Let’s hold our breath and start the trip into the abyss of knowledge to find answers to the above questions. We hope that with this book you can learn something new about – The Deep Dark Web.

09/19/12

Tor Network Directory Project

Lately we have all heard of Silk Road, the underground cyber marketplace where you can buy illegal drugs and guns, and people say all the bad guys are using the dark web for crime stuff – yeah DuDe:—:. It is just the Tor onion network; if you want to visit the onion network just go to torproject.org, download their bundle software and go surfing in the onion network. Since there is no bing, google or yahoo in the onion network, if you want a directory of what’s out in onion land just go to the hidden wiki. “Cleaned Hidden Wiki”- http://3suaolltfj2xjksb.onion/hiddenwiki/index.php/Main_Page.

The wiki is built by one of the founders of the onion network, the administrator of MyHiddenBlog (“http://utup22qsb6ebeejs.onion/”), and volunteers built The “Cleaned Hidden Wiki”. It is one of the few places where you can find some of the hidden services (websites) in Tor, in other words the only websites in Tor that want to be found. You see, in the Tor onion network your site is your secret; your site is hidden because there is no google or yahoo to send web crawlers out into the onion network. The USCyberlabs Tor Network Directory Project will be the first time that we go out actively and collect all the websites (hidden services) that are hiding in the Tor onion network.

When I started to write about Tor and our new (“The Deep Dark Web”) -book, I was contacted by the FBI about what I was writing about Tor and the hidden services and attack vectors in Tor. They wanted to be gAtO’s bff. I must admit I was intimidated and walked a very careful line with my blog postings and my tweets. Why? Because the FBI wants to fuck with lawful security researchers that come too close to the truth about Tor.

They do not want this mapping of the Tor onion network. Why? The mapping of the Tor onion network will show all sites, even the ones that want to stay hidden. Like government sites? Like Spy sites? I mentioned Bots with Tor c&c, yeah, government stuff. You of course have your corporate presence in the hidden services of Tor; what will these Tor websites show? Maybe it’s not just the bad guys using Tor, maybe.

There are currently only 9 directory servers in the Tor infrastructure that know all the sites on Tor and getting this list is kind of hard. Tor is designed not to give out directory information to just anyone. We also want more than a URL of a live site; we will gather all meta-data so we can understand what these sites are all about. Google’s web crawlers do it every second of the day, so we will send out crawlers into the Tor onion network to generate our directory of Tor.

The ToR Directory Scan Project (TDS) 

The uscyberlabs TDS Project- is to scan every address possibility and to generate a directory of every single live hidden service in the ToR-.onion network.

Figuring out the rendezvous for a hidden service is complicated, so we attack the problem from the side —>> the onion URL is 16 characters from 2-7 and a-z, plus the .onion after the address. It’s easy to have a simple web crawler program count a, b, c and generate a sequential, alphabetized URL list. Now, due to the ToR network, things work slow – old style modem speed that you young kids are not used to. So we feed a URL, wait up to 25-35 seconds, then list a positive or a no-go. Once we have a hit list of possible live hidden services, we visit them manually and build a working verified w/login and password list of every hidden service on ToR.

With 100 VMs we can scan Tor in weeks; with 1000 machines we can scan the Tor network within days.

I tested the unix “curl command” in Tor with socks5 and it’s very good at extracting information from a website. So a simple script will feed all the machines and they will start the scan. Once finished, we take all the results and we will have a directory of every single hidden service in Tor land.
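A sizing check for the sequential scan described above, as an added example (not code from the TDS project). It takes the post's own figures, 16 characters drawn from a-z and 2-7 and a 30-second wait per address (the middle of the 25-35 seconds quoted); the function names and the concurrency parameter are assumptions of this example.

```python
# Added example: how large is the 16-character onion address space, and how
# much of it can a fleet of scanners cover? Figures come from the post;
# 30 s per probe and the concurrency knob are assumptions of this example.
from fractions import Fraction

ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"   # a-z and 2-7 (base32)
ADDRESS_LENGTH = 16
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def address_space(length=ADDRESS_LENGTH, alphabet=ALPHABET):
    """Number of distinct addresses of the given length."""
    return len(set(alphabet)) ** length


def probes_completed(machines, days, seconds_per_probe=30, concurrency=1):
    """Addresses a fleet can test in the given number of days.

    concurrency is the number of probes each machine runs in parallel.
    """
    machine_seconds = machines * concurrency * days * SECONDS_PER_DAY
    return machine_seconds // seconds_per_probe


def fraction_covered(machines, days, seconds_per_probe=30, concurrency=1):
    """Exact share of the address space tested after the given days."""
    done = probes_completed(machines, days, seconds_per_probe, concurrency)
    return Fraction(done, address_space())


def years_to_exhaust(machines, seconds_per_probe=30, concurrency=1):
    """Years needed to test every possible address once."""
    seconds = address_space() * seconds_per_probe / (machines * concurrency)
    return seconds / SECONDS_PER_YEAR


def scan_report(fleets=(100, 1000), days=7):
    """One row per fleet size: probes done, share covered, years to finish."""
    rows = []
    for machines in fleets:
        rows.append({
            "machines": machines,
            "probes": probes_completed(machines, days),
            "covered": float(fraction_covered(machines, days)),
            "years_to_exhaust": years_to_exhaust(machines),
        })
    return rows


if __name__ == "__main__":
    print("address space:", address_space())
    for row in scan_report():
        print(row)
```

Under these assumptions 1,000 machines complete 20,160,000 probes in a week, against an address space of 2^80 (about 1.2 x 10^24) addresses.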

gAtO needs your help!

08/12/12

Wikipedia Vector Attack

Wikipedia Vector Attack -Steve Colbert Cyber Hacker

gAtO lAuGh – when Steve Colbert showed us how to social hack -Wikipedia edits- and went after the VP pick for Romney. Anyone can edit Wikipedia, so Steve’s attack vector was to modify Tim, Paul and Christy, any VP contender for Mitt Romney. WikiPedia froze the edit feature of many political hopefuls to stop this, but this is a very good attack vector for hacktivists.

Jan 18 2012: We all freaked out when we protested SOPA with the blackout this year; we had no WikiPedia and people freaked. It’s one of those web applications that has become part of the fabric of cyberspace, just as Google has for search. This is a fine example of what web services do for a network: these two services (Google and Wikipedia) provide one service —INFORMATION— and today we cannot function without it. How many times have you had an argument with a friend and all of a sudden we go to Wikipedia or Google to settle the argument and the important part comes out – I am right!!! and you’re wrong —

Facebook is not one of these essential cyberspace services; it’s actually a vacuum cleaner of cyber data about everyone that uses the service. Twitter is another tool that is a little different: where Facebook is about ME, Twitter is about the rest of the world. This is what I mean: all these web services that really integrate into the fabric of the web can be used as an attack vector in the right social context.

Steve Colbert showed that he could spark an attack, a hack so —I gAtO name Steve Colbert a cyber-Ninja -gATO OuT


07/27/12

gAtO interview -Botnet’s in Tor -sI -Si

gAtO jUsT – finished an interview with Bill Donato from BotRevolt.com. I wanted to post this because these were good questions. My answers were a little lOcO gAtO but I tried anyway here is the Interview, at the bottom I included a conversation about Tor Controlled Botnet I found in HackBB in onion land, all I can tell you the code and how-to are out there -gAtO oUt

 

LinkedIn: Mr Bill Donato has sent you a message.

Date: 7/26/2012

Subject: RE: Bot Revolt Blog

Hi Richard,
Here are 5 general questions we think our readers would find interesting. We greatly appreciate your feedback!

First, thank you Bill for this opportunity. I have 35 years in IT-and a little security goes with the territory but I’m no expert. I’m retired so I have the freedom to say what I want and I have chosen to support Freedom of Speech in cyberspace. You can find my rants and rages about security at http://uscyberlabs.com/blog I go by twitter @gAtOmAlO2 after my lionhearted cat “named- gato”. my 2 cents “be a critical reader, thinker and cyber user”. trust but verify

• We see a lot of cybercrime targeted at large companies, but how vulnerable is the average consumer in today’s cyber environment?

In today’s economic climate cyber criminals see mass unemployment and use that to recruit shipping mules and money mules. Financial desperation and greed is a driving force in recruitment and the FBI is well aware of this; a good money mule is hard to find and trust. Also, infection points for zombie computers to do the dirty work go up and up with every new exploit. Last, people don’t know how much information they leak out. With metadata just from the pictures in Facebook a criminal can glean lots of information from the average Facebook update???.//

So to answer your question yes the average consumer needs to be very careful and have common sense. That lost Uncle from Nigeria did not leave you a billion dollars, trust me on this one.

• At the current level of cybercrime’s growth, if it is possible how long before the internet crashes?

Cyber crime is growing but CISPA is not the answer. PII (Personal Identifiable Information) that the government says it will not gather, just your shopping and search cyber habits, nothing identifiable until you type in the wrong keyword, then you’re monitored. Then your footsteps in cyberspace will be monitored a bit more closely. The Judicial system now added the cyber forensic psychologist that can produce “minority reports- remember the movie – the thought police…”. That’s scary..

Where were you last Tuesday @ 9:37 PM… they know, we are being monitored by the good guys in today’s Internet. It’s normal to update my Facebook page or my LinkedIn profile, leaking data with the metadata from our pictures of our visit to the new office overseas. This can give criminals information for APT attacks.

As to the Internet crashing, I think it’s just beginning. We have Criminals after our data, government after our habits and we have ourselves leaking information for everyone to know about me, me, me…. but it’s not crashing —> we have too many me..me..me..

• Cyber warfare is a hot topic, how will a cyber-war affect the countries average citizen?

Have you ever watched your daughter lose her cell phone 5 times in one year, 5 times, not one backup? The effects of a cyber kinetic event in the US will happen. I see open SCADA systems in the wild with no protection. Try and report this information, that’s a joke and impossible. So many misconfigured SCADA systems all running Windows OS, with no patch updates or management..// so they become more vulnerable every day that they don’t upgrade.

Oh make that a tested Update because we (admin type) all stayed up late at nights un-installing an upgrade for -Windows OS- that made the Payroll system -Oracle- not work so NO paychecks….

In other words it will happen because we have a pretty bad security system built into these devices and they are too expensive to replace; it’s worth the risk from a financial side, so companies’ ROI, return on investment… they did the cost analysis of an attack -they know they will get hacked…Power grid YeaH Baby and we have no backup — but we still come back… the average citizen has to ride it out, we have no choice in warfare.

• You talk on your website, uscyberlabs.com, about the rise of botnets running on the tor .onion network, is the tor network a threat to people who do not access it? If so how do users protect themselves?


Botnets in Tor, oh Yeah! I’m doing some research into botnets in the Tor Black Market and it’s alive and kicking. The Tor hidden service and C&C servers go hand in hand. You can’t find it, and it can’t be found. We also have i2p as an up and coming secure anonymized network so expect more and more from this area.

I included a post from the HackBB website in the onion network; this discussion is about “Tor-Controlled Botnets”. I included the code, so in Tor there is talk from the hacker world on how-to guides for Tor & botnets, and it has a current timestamp.

It’s not just the code, it’s also the infrastructure design.

Go to Tor HackBB [1]-  — http://clsvtzwzdgzkjda7.onion/

• On your blog titled “Online Security Basic -should I use encryption” you give some great information. What encryption programs, methods or tips do you recommend for some of the less computer savvy users?

Well first of all here [below] is my public key if you want to send me a message. I use FileVault and encrypt my hard drive, but I forgot my password – that’s my story and I’m sticking to it..;) I use GnuPG. Since I’m not doing skunk work, and I’m not a spy, I try to go with open-source type programs; yes they are a little harder to learn but I feel safer with the open aspect of it. In security we have a motto – trust but verify – I can verify these open source programs…./

One thing that the average user needs to do is to make their privacy a key part in their cyber life. When you start down the security rabbit hole it’s an active step in your cyber lifestyle.

Privacy is a personal thing, when I’m looking for Preparation H I don’t want Google, Yahoo or Amazon to know about this medical problem, it’s kinda personal, private. But when I’m trolling on Huffington Post it’s another world.

 

 

[1] Conversation online in HACKBB website.. about Tor Botnets

 

[1] Tor-controlled botnet

Re: Tor-controlled botnet

by BotCoder » Fri May 18, 2012 5:50 pm

Good news! I compiled TOR from source and there is no GUI or tray icon if you skip the installer step.

Here are the info to compile from source (you can skip the installer part and build a silent one yourself):

CODE

##

## Instructions for building Tor with MinGW (http://www.mingw.org/)

##

Stage One:  Download and Install MinGW.

—————————————

Download mingw:

http://prdownloads.sf.net/mingw/MinGW-5.1.6.exe?download

Download msys:

http://prdownloads.sf.net/ming/MSYS-1.0.11.exe?download

Download msysDTK:

http://sourceforge.net/projects/mingw/files/MSYS%20Supplementary%20Tools/msysDTK-1.0.1/msysDTK-1.0.1.exe/download

Install MinGW, msysDTK, and MSYS in that order.

Make sure your PATH includes C:\MinGW\bin.  You can verify this by right

clicking on “My Computer”, choose “Properties”, choose “Advanced”,

choose “Environment Variables”, select PATH.

Start MSYS(rxvt).

Create a directory called “tor-mingw”.

Stage Two:  Download, extract, compile openssl

———————————————-

Download openssl:

http://www.openssl.org/source/openssl-0.9.8l.tar.gz

Extract openssl:

Copy the openssl tarball into the “tor-mingw” directory.

Type “cd tor-mingw/”

Type “tar zxf openssl-0.9.8l.tar.gz”

(Note:  There are many symlink errors because Windows doesn’t support

symlinks.  You can ignore these errors.)

Make openssl libraries:

Type “cd tor-mingw/openssl-0.9.8l/”

Type “./Configure -no-idea -no-rc5 -no-mdc2 mingw”

Edit Makefile and remove the “test:” and “tests:” sections.

Type “rm -rf ./test”

Type “cd crypto/”

Type “find ./ -name “*.h” -exec cp {} ../include/openssl/ \;”

Type “cd ../ssl/”

Type “find ./ -name “*.h” -exec cp {} ../include/openssl/ \;”

Type “cd ..”

Type “cp *.h include/openssl/”

Type “find ./fips -type f -name “*.h” -exec cp {} include/openssl/ \;”

# The next steps can take up to 30 minutes to complete.

Type “make”

Type “make install”

 

Stage Three:  Download, extract, compile zlib

———————————————

Download zlib source:

http://www.zlib.net/zlib-1.2.3.tar.gz

Extract zlib:

Copy the zlib tarball into the “tor-mingw” directory

Type “cd tor-mingw/”

Type “tar zxf zlib-1.2.3.tar.gz”

CHOICE:

Make zlib.a:

Type “cd tor-mingw/zlib-1.2.3/”

Type “./configure”

Type “make”

Type “make install”

Done.

 

Stage Four: Download, extract, and compile libevent

——————————————————

Download the latest libevent release:

http://www.monkey.org/~provos/libevent/

Copy the libevent tarball into the “tor-mingw” directory.

Type “cd tor-mingw”

Extract libevent.

Type “./configure –enable-static –disable-shared”

Type “make”

Type “make install”

 

Stage Five:  Build Tor

———————-

Download the current Tor alpha release source code from https://torproject.org/download.html.

Copy the Tor tarball into the “tor-mingw” directory.

Extract Tor:

Type “tar zxf latest-tor-alpha.tar.gz”

cd tor-<version>

Type “./configure”

Type “make”

You now have a tor.exe in src/or/.  This is Tor.

You now have a tor-resolve.exe in src/tools/.

 

Stage Six:  Build the installer

——————————-

Install the latest NSIS:

http://nsis.sourceforge.net/Download

Run the package script in contrib:

From the Tor build directory above, run:

“./contrib/package_nsis-mingw.sh”

The resulting Tor installer executable is in ./win_tmp/.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

gAtOmAlO Public Key-


 

07/11/12

CyberPeace -not- CyberWar

gAtO sEe - In the last couple of days Gen. Keith Alexander has been pushing the Cyber War agenda. -The issues around warfare are very different in cyberspace than in the physical world, and the United States is looking into “alternative strategies,” said Alexander, while not offering further details. In another place he was telling us that the CIA will not use the new cyber laws to spy on our email. Ok so you gonna be a sheep and follow the word of the government. We won’t spy on you.

Alexander said “civil liberties and privacy can work harmoniously with cybersecurity”. Come on General, you’re a nice guy, gAtO met you —/ you have a passion but every time you bring out —/ Oops there went the Power Grid, Oops.. there went the financial sector, scare me, scare me. I know it’s your job to secure our country, to protect our nation’s cyber infrastructure. Don’t trample on our cyber rights any more please.

Hey, here is a solution for you: use a Tor-.onion network-(any anonymized network) to tie your power grid, and/or your financial services. If you can’t close down Silk Road in onion-land, your C&C for your power grid and financial services should be invisible to everyone except on a need to know. gAtO just saved you 14 trillion in R&D…//

gAtO has not heard one word about Cyber Peace from any responsible government in the world. Everyone is looking for their own cyber posture, their own cyber weapons/ budget/ programs/ money// , but not one has said let’s work together to make it better for peace, guess there is no money in Cyber Peace. Espionage, spying is the job of governments why would they destroy their own tools, weapons and just tweak our cyber-rights a wee bit, for our cyber freedoms and safety, to protect our government and you -lol.

Here is a simple idea: crowd-source our problems. The one major resource in cyber-space is the number of people that can see the same message. In crowd-source we can give the facts and ask anyone to help solve city budgets, ways to harvest more vegetable/per vertical/ sq.ft. Ask people how would you protect our electric grid // you’d be surprised by the creative answers you get, OK some may be crazy but…//. It may not be the right solution, but the power of the minds of people collaborating is what this new technology is built for. FaceBook is about ME- Twitter is about the rest of the world- but the new winner is —/ Comments /— have become more important than the article-subject itself because the conversation within the comments shows social communication and problem solving by the masses.

Let’s change the message to CyberPeace, everyone has a solution, but remember that all your comments are the new gold so watch what you say to that troll on huffpost— gAtO oUt

 

Read more: Alexander: U.S. looking for offensive alternatives in cyberspace – FierceGovernmentIT http://www.fiercegovernmentit.com/story/alexander-us-looking-offensive-alternatives-cyberspace/2012-07-11#ixzz20KW1Lcf2

07/6/12

Online Security Basic -should I use encryption

gAto fOuNd - this -/ Basic Security Guide /- a while ago in the .onion and while I don’t agree with everything in this write-up I learned some new things. At the end of the day –/ they can’t take away what’s in your head -always be a critical thinker - gAtO oUt

Online Security Basic - link are .onionLand

Transcribed from http://g7pz322wcy6jnn4r.onion/opensource/generalguide.html on 2011-04-16.


Basic F.A.Q.

What is encryption?

Encryption is a method of encoding information in such a way that it is computationally difficult for eavesdroppers to decode, but computationally easy for the intended recipient to decode. In practical terms, encryption makes it almost impossible for you to be successfully wiretapped. Encryption can also make it essentially impossible for computer forensic teams to gather any data from your hard disk drive. Encryption is the process of making information difficult or impossible to recover without a key. The key is either a passphrase or a huge random number protected by a passphrase. Encryption algorithms fall into two primary categories: communications and storage. If you use a program such as GPG to encrypt your E-mail messages, you are using encryption for communications. If you use a program such as Truecrypt to encrypt your hard disk drive, you are using encryption for storage.

Is there a big difference between storage and communication encryption?

Yes. Data storage encryption often uses only symmetric algorithms. Communication encryption typically uses a combination of asymmetric and symmetric algorithms. Asymmetric algorithms are generally far easier to break than symmetric algorithms. In practice this is not significant as the computing power required to break either strong asymmetric or strong symmetric algorithms is not likely in the grasp of any agency.

Should I use encryption?

Yes! If you participate in the Internet underground it is essential for your continued freedom that you learn how to use encryption programs. All communications should be encrypted as well as all stored data. For real time communication encryption we suggest either Pidgin or Adium instant messages with the OTR plug-in. For non-real time communication encryption we suggest GPG. Truecrypt does a great job of encrypting stored data and can also encrypt the OS partition if you use Windows. Various flavors of Linux and Unix also allow for the OS partition to be encrypted although the particular program used will vary. If an alternative installation CD is used Ubuntu allows for OS partition encryption during the installation process.

What is plausible deniability?

When discussing stored data encryption, plausible deniability means that an encrypted container can decrypt into two different sets of data depending on the key used. Plausible deniability allows for you to pretend to cooperate with authorities without them being able to tell you are not cooperating. For example, perhaps they demand you give up your password so they can decrypt some of your communications or stored data. If you used a system with plausible deniability you would be able to give them a password that would indeed decrypt the encrypted data. However, the decrypted data they can now see will be non-sensitive data you intentionally allowed for them to decrypt. They can not see your sensitive information and they can not prove that you didn’t cooperate.

Do I need plausible deniability?

Possibly. It really depends on where you live. In the U.K. it is a crime to refuse to give law enforcement your encryption keys on demand. Refusal to reveal encryption keys is punishable by several years in prison, but this is quite possibly a lot less time than you would get if you did reveal your encryption keys. In the U.S.A. the issue has not yet gone to the supreme court and lower judges have ruled in both directions. In general it is a good idea to use plausible deniable encryption when possible. Truecrypt supports plausible deniability for all functions under Windows. For Linux there is no current software supporting out-of-the-box plausible deniability of the OS partition. With Linux you may be able to achieve a type of plausible deniability by encrypting your entire drive and putting the bootloader on another device. Then you can argue the drive was freshly wiped with a PRNG and there is no key to decrypt.

Of course the police can break encryption, right?!

If you are using a strong encryption program (such as GPG, OTR, Truecrypt, etc) and a long and random password (or automatically generated session key, such as OTR) the police are not going to be able to directly break the encryption. This is not to say they can not get your key in other ways! For example they could install a keylogger onto your keyboard or use various transient signal attacks to capture your key while you type it. An emerging method of encryption key compromise uses application layer exploits to remotely grab keys from RAM. These ‘side channel’ attacks need to have active measures taken against them (the best of which are using a strong anonymity solution and hardened OS).

What about the NSA?

The NSA is not going to be able to break strong data storage encryption algorithms (symmetric). They are also probably not able to break strong communication encryption algorithms (asymmetric). Very powerful quantum computers can be used to greatly reduce the bit strength of an encryption algorithm. Symmetric algorithms have their bit strength cut in half. Asymmetric algorithms are easily broken by such powerful computers. If you are using AES-256 a powerful quantum computer will reduce its bit strength to the still unbreakable 128. If you are using even a 4,096 bit RSA key with GPG, a powerful quantum computer can break the encryption. However, keep two things in mind: it is not likely that the NSA or anyone else has such a computer, and anyone sane will assure you that unless you are a foreign military or major terrorist the NSA will not act on any intelligence they gather by breaking your communication encryption.

But anything can be hacked, right? Why not encryption?

Encryption algorithms are not hacked, they are cryptanalyzed. Not every single thing done with a computer can really be considered hacking. Hackers may be able to exploit the implemented code of a program using an encryption algorithm, but even the best hackers tend to know little about encryption. Hacking and cryptography are not the same field and most hackers who think they know a lot about encryption actually know very little about it. Encryption is a field of pure mathematics and good encryption algorithms are based firmly on the laws of mathematics as they are currently understood. Unless there is some very unlikely discovery in the field of mathematics the security claims made about most encryption algorithms will stand firm even if the best hackers (or even more impressively cryptographers) in the world try and attack them.

Note: Some hackers are skilled enough to side channel your encryption with application layer exploits unless you take hardening counter measures. This is not hacking the encryption algorithm although it is using hacking to counter encryption. Following our general security guide (later on this page!) will make it much harder for hackers to do this. To hack you through Open Source the attacker will first have to compromise Open Source, we have taken many security measures to make this very difficult to do.

Using encryption programs myself is difficult, but Hushmail, Safe-Mail or (Insert name here) will manage it for me!

Fully web based services can not really offer you strong encryption. They manage your keys for you and for this reason they have access to your keys. It does not matter what the company is named or what they promise, all of them are liars and some are probably honeypots. These services will not offer you strong encryption and law enforcement will be able to gain access to your communications. If you play with fire you need to learn how to protect yourself or you will be burned. It is not overly difficult to manage your own encryption and it is the only possible way for you to maintain your security.

What exactly is anonymity?

Anonymity is the property of being indistinguishable from a given set size (number of others). In the way the term is commonly used anonymity is the inability to be traced. A trace could mean that an attacker follows your communication stream from you to the end destination you are communicating with. A trace could also mean that an attacker follows a trail of logs from the end destination you communicate with back to your location. Anonymity solutions make it difficult to trace your communications and by doing so also make it harder to map out the networks you participate in. Anonymity can also be used to prevent censorship. If a server is hosted as part of an anonymity network and its location can not be determined then an attacker is incapable of demanding the censorship of the services hosted by the server.

Why do I need anonymity?

If you are not using an anonymity solution your presence on the Internet can be trivially traced back to your presence in real life. If you are participating in activities on the Internet which you would not want to be traced to your real life identity, you need anonymity. If you are participating in a network you need anonymity to protect yourself from network analysis. If no one on your network is using anonymity solutions and the police bust one of them, they will be able to see who all they communicated with as well as who all those people communicated with etc. Very quickly and with high precision the police will be able to map out the entire network, going ‘outward’ to many degrees. This may be useful for evidence (for use in court) and it is certainly useful for intelligence (so they know where to look next).

I already use encryption so there is no need for me to be anonymous!

Although encryption and anonymity highly complement each other they serve two different goals. Encryption is used to protect your privacy, anonymity is used to hide your location and protect you from network analysis. Strong anonymity requires encryption, and encryption is greatly benefited when combined with anonymity (after all, it is hard to install a keylogger if you don’t know where the target is located!). If you use strong encryption but no anonymity solution the feds may not be able to see what you say but they will know who you are and who you are talking with. Depending on the structure and purpose of your network, a single compromised node may very well remove all benefits of using encrypted communications. Many of the most realistic and devastating attacks on encryption systems require the attacker to gain a physical presence; if you are not using an anonymity solution this is trivial for them to do. If the feds do not know where you are, they can’t bug your keyboard with a keylogger. Anyone who says you do not need anonymity if you use encryption should be looked at with great suspicion.

Tor exit nodes can spy on my communication streams so I should not use it!

If you use Tor to connect to the open Internet (.com instead of .onion) it is true that the exit node can spy on your communications. You can reduce the risk of this by making sure you only connect to SSL websites (https:// instead of http://). You can further reduce the risk of this by always checking the fingerprint of the SSL certificate and making sure it does not change without an adequate reason being presented by the site administrator. You can eliminate the risk of a spying exit node in some contexts. For example if you encrypt a message yourself with GPG before you send it, the exit node will not be able to break the encryption even if they are spying.

Tor is not meant for privacy (unless you only access .onions); it is meant for anonymity! If you want privacy while using Tor you will need to either only access .onions or you will need to layer it on yourself by using GPG, SSL, OTR or other encryption on top of it. Using Tor to connect to the open Internet without using any privacy tools yourself can actually reduce your privacy from some attackers. Remember, Tor to the open Internet is for anonymity, it is not for privacy. Anonymity is just as important as privacy. Also, networking tools with a larger focus on privacy than anonymity (such as VPNs) will not offer you privacy from law enforcement any more than Tor will and they also tend to offer substantially worse anonymity!
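The fingerprint check described in the answer above, as an added example that is not part of the transcribed guide: a trust-on-first-use pin store in Python that records a site's certificate fingerprint on first contact and refuses to re-pin a changed certificate without a recorded reason. The PinStore class, its JSON file layout and the sample byte strings are assumptions made for illustration; feed it the certificate you actually received through the exit node, for instance one exported from the browser as PEM.

```python
import hashlib
import hmac
import json
import os
import ssl
import tempfile


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, as colon-separated hex like a browser shows."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem: str) -> str:
    """Fingerprint a certificate that was exported in PEM form."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem))


class PinStore:
    """Hypothetical on-disk store: {site: {"fingerprint": ..., "history": [...]}}."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, "r", encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def _save(self) -> None:
        # Write to a temp file and rename, so a crash cannot truncate the store.
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)

    def check(self, site: str, der: bytes):
        """Return (status, fingerprint); status is first-seen, match or changed."""
        seen = fingerprint(der)
        entry = self.pins.get(site)
        if entry is None:
            # First contact: nothing to compare against, so record it and say so.
            self.pins[site] = {"fingerprint": seen, "history": []}
            self._save()
            return "first-seen", seen
        if hmac.compare_digest(entry["fingerprint"], seen):
            return "match", seen
        # A different certificate never replaces the pin on its own.
        return "changed", seen

    def accept_change(self, site: str, der: bytes, reason: str) -> None:
        """Re-pin only with a recorded reason, e.g. the administrator's notice."""
        if not reason.strip():
            raise ValueError("a reason for the certificate change is required")
        entry = self.pins[site]
        entry["history"].append(
            {"fingerprint": entry["fingerprint"], "reason": reason})
        entry["fingerprint"] = fingerprint(der)
        self._save()


def demo():
    # Constructed stand-ins for DER certificates, not real ones: the fingerprint
    # is a hash over raw bytes, so any two distinct byte strings show the logic.
    cert_a = b"constructed certificate A"
    cert_b = b"constructed certificate B"
    site = "example.com:443"
    with tempfile.TemporaryDirectory() as tmp:
        store = PinStore(os.path.join(tmp, "pins.json"))
        statuses = [
            store.check(site, cert_a)[0],  # first visit
            store.check(site, cert_a)[0],  # same certificate again
            store.check(site, cert_b)[0],  # unexpected certificate
            store.check(site, cert_a)[0],  # pin was left untouched
        ]
        store.accept_change(site, cert_b,
                            "constructed: administrator announced a renewal")
        reloaded = PinStore(store.path)  # the new pin survives a restart
        statuses.append(reloaded.check(site, cert_b)[0])
        statuses.append(reloaded.check(site, cert_a)[0])
    return statuses


if __name__ == "__main__":
    print(demo())
```

A "changed" result is the case the guide warns about: treat the connection as untrusted until the site administrator has explained the new certificate through another channel.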

If I use Tor can I be traced by the feds?

So far, probably not unless you get very unlucky or misconfigure something. The feds are getting better at tracing people faster than Tor is getting better at avoiding a trace. Tor is for low latency (fast) anonymity, and low latency solutions will never have the ability to be as anonymous as high latency (very slow) solutions. As recently as 2008 we have documented proof that the FBI, working with various other international federal agencies via Interpol, could not trace high priority targets using the Tor network. There is a large amount of information indicating that this is still the case. This will not be the case forever and better solutions than Tor are going to be required at some point in the future. This does not mean you should stop using Tor! It is quite possible that no VPN solution offers better anonymity than Tor, and the only low latency network which can be compared to Tor in terms of anonymity is I2P. Freenet is an anonymous datastore which possibly offers better anonymity than Tor or I2P. In the end it is very difficult to say what the best solution is or who it will hold up to, but most people from the academic anonymity circles say Tor, I2P or Freenet are the best three options. JAP is considered worse than the three previously suggested solutions, but better than most VPN services. You should at the very least use an encrypted two hop solution if you want a chance at remaining anonymous from the feds.

Traced is a very particular term. It means that the attacker either can observe your exit traffic and follow it back to your entry point or that the attacker can see your traffic enter a network and follow it to its exit point. Tor does a good job of protecting from this sort of attack, especially if you have not pissed off any signals intelligence agencies. Tor does not protect from membership revealment attacks! It is vital that you understand this attack and take measures to counter it if you are a vendor. To learn more about how to counter this attack keep reading this document, we discuss more in the applied security advice section on this page.

If I use Tor can I be traced by the NSA?

Probably. If you want a chance of being anonymous from the NSA you should research the Mixmaster and Mixminion remailer networks. NSA usually traces people by hacking them and doing a side channel attack. They have dozens of zero day exploits for every major application. This is also how they compromise GPG and FDE. Your best bet to remain anonymous/secure from the NSA is to use ASLR with a 64 bit processor to protect from hacking + Tor + Random WiFi location. Using airgaps can protect from them stealing encryption keys. This would involve using one machine with access to the internet to receive data, transfer the encrypted data to another machine with a CD which you then destroy, and decrypt on a machine with no access to the internet. Don’t reuse transfer devices or else they can act as compromise vectors to communicate between the machine with no internet connection and the machine with internet connection. Mixminion is better than Mixmaster.

If I use hacked cable modems am I untraceable?

No, the cable company can trace you and so can the police and feds. However, it will make it more difficult for them to do so. People have been busted using this technique by itself!

If I use hacked or open WiFi am I untraceable?

The degree of untraceability you get by using WiFi access points depends largely on how you are using them. If you always use your neighbor’s connection, the trace will go to your neighbor before it goes to you. However, if law enforcement make it to your neighbor’s house before you stop the pattern of behavior, they can use WiFi analysis equipment to trace the wireless signal from your neighbor’s router and back to you. Many people have been busted this way. Also, if you use many different WiFi access points but they fit into a modus operandi (such as always from a particular type of location, maybe coffee shop), you can eventually be identified if law enforcement put enough effort into doing so. Some people have been busted using this technique. If you use a brand new random location (harder than it sounds) every time you make a connection your identity can still be compromised, but the amount of effort required increases tremendously (assuming you are protected from side channel attacks anyway, be they CCTV cameras or remote WPS infections). We have not heard of anyone being busted if they used a brand new randomly selected WiFi access point for every connection.

If I send a package domestic to the USA with USPS do they need a warrant to open the package?

Yes, if it is sent in such a way that it could contain communications. For example, a letter will require a warrant but perhaps a very large and heavy box will not. For the most part, they need a warrant. No other mailing company requires a warrant to open any sort of packages. International packages can be inspected by customs with no need for a warrant.

Should I use masking scents, such as perfumes etc?

No, masking scents will not prevent a dog from hitting on the package. Masking scents will however make the package seem more suspicious to humans. Vacuum seal the product and be very careful to not leave any residues.

Applied Security Guide

Step Zero: Encrypt your host’s HDD

If you use Windows this can be done with Truecrypt

If you use Linux there are various ways you can accomplish this, usually an install time option

Step One: Configure the base system, harden OS

Application layer attacks exploit programming or design flaws of the programs you use; in general the goal of such attacks is to take over your system. For a deeper look at application layer exploits please check out this page. These attacks are very dangerous because they can circumvent a lot of the other security you use, like encryption and anonymity solutions. The good news is that Open Source acts as an application layer firewall between you and everyone you communicate with through Open Source. We have taken great care to harden our server from attack and even if you take no precautions yourself it should not be trivial for you to be hacked through our server. However it is still a good idea for you to harden your own system. You don’t know for sure if you can trust us and there is no reason to be a sitting duck if our server is indeed compromised.

The first step you should take is running the operating system you use to connect to Open Source in a Virtual Machine. We suggest that you use Virtualbox. Virtual machines like Virtualbox create virtual hardware and allow you to run an operating system on this virtual hardware. It sounds complex but you really don’t need to know a lot about the theory, Virtualbox does all the work for you. There are a few reasons why you should use a virtual machine. The primary reason is that if the browser in your virtual machine is hacked the attacker is stuck inside of the virtual machine. The only way they can get to your normal OS is if they find a vulnerability in the virtual machine’s hypervisor; this adds complexity to their attack. The second reason you should use a virtual machine is because it makes it easier to use Linux if you are used to Windows or Mac OSX. Linux is a lot easier to secure than those operating systems but it is also harder to use. By using a virtual machine you can use your normal OS and Linux at the same time; Linux runs as a guest OS in a window on your normal (host) OS.

It is very simple to set up a virtual machine. Download and install Virtualbox. After launching it you will need to create a new VM. It is pretty simple and the program will walk you through the steps. Make sure to create a large enough virtual drive to install an OS, I suggest around ten gigabytes. You will need an install image so you can put the OS of your choice on the VM. Download the most recent Ubuntu ISO and use this. Remember, it doesn’t really matter if you don’t know how to use Linux. All you are using this VM for is using Firefox to browse Open Source, security comes before ease of use! Now that your virtual machine has been created you need to point it to your Ubuntu install CD. You can do this by going to the machine’s storage tab in the Virtualbox manager and pointing the CD drive to your install ISO. You will possibly be required to configure your virtual machine to connect to the internet if the default settings do not work for you, but chances are high that they will. Now you need to boot the virtual machine and install Ubuntu. Installing Ubuntu takes a little over half an hour and is very easy, you can simply select to use the default options for almost all of the steps.

Now that Ubuntu has been installed in a virtual machine it is time to start hardening it. The first step is to make sure it is fully patched and up to date. You can do this by going to System -> Administration -> Update manager from the bar on the top of your screen. Make sure you install all new updates because the updates include important security patches. It will take a while to update your system.

Now it is time to do some more advanced hardening steps. These steps may seem to be difficult if you are not very advanced technically, but don’t worry it is all just following instructions and you only have to do it once. Go to Applications -> Accessories -> Terminal from the top bar on your screen. This will launch a command line interface. Now type in the following commands hitting enter after each:

sudo aa-enforce /etc/apparmor.d/*

 

This command enables every AppArmor profile that Ubuntu ships with, including one for Firefox. AppArmor is an application layer firewall and makes it a lot harder for a hacker to compromise an application configured with a profile.

sudo apt-get install bastille

This downloads a generic hardening script that will walk you through some automated steps to make your system more secure.

sudo bastille -c

This launches the bastille hardening script. It will walk you through every step, in general you should select the default option. Make sure you at least read every step, there might be some things you don’t want it to do but in general the default options are good.

Step Two: Configure Tor and GPG, harden Firefox

Follow these simple step-by-step guides in order:

Install Tor

Install GPG

Configure Firefox with Tor and harden it

Although it is not required for customers to know how to use GPG they still should. Our system will protect your communications in some ways. Your messages are stored in encrypted containers set to dismount if an intrusion is detected. Our server is highly hardened and resistant to hackers infiltrating it and spying on your messages. We are also a Tor hidden service and therefore offer encryption from you to us and from us to the people you communicate with. Our server is still the weak point in this system; a particularly skilled hacker could compromise the server and manage to spy on your communications undetected. The server could be traced by an attacker who could then flash freeze the RAM and dump the encrypted container keys. As far as you know we could even be law enforcement, or law enforcement could compromise us at a later date (the first is not true and the second is not likely, but do you really know this?). Our system does not hide your communications from us if we are your adversary, the same is true for Hushmail and Safe-mail. You can protect your communications with high grade encryption algorithms simply by learning to use GPG and it isn’t hard so we highly suggest you do it. Vendors are required to accept GPG encrypted orders!

Step Three: Conceal your membership (VERY IMPORTANT FOR VENDORS)

Using Tor by itself is not enough to protect you, particularly if you are a vendor. Membership revealment attacks combined with rough geolocation intelligence can lead to a compromise! The gist of a membership revealment attack is easy to understand. The attacker merely determines everyone who is connecting to a particular network, even if they are incapable of determining where the traffic being sent through the network is destined for. Tor does a good job of preventing an attacker who can see exit traffic from following the stream back to your location. Unfortunately, if you ship product the attacker can determine your rough geolocation merely by determining where you ship product from. If the attacker already knows your rough geolocation and they are capable of doing a membership revealment attack to determine who all in your area is connected to Tor, they can likely narrow down your possible identity to a very small set size, possibly even a set size of one.

This is not likely to be useful for evidence but it will provide strong intelligence. Intelligence is the first step to gathering evidence. The attacker may put everyone in your area who they detect are connecting to the Tor network under meatspace surveillance looking for evidence of drug trafficking activity. For this reason it is highly important that you protect yourself from membership revealment attacks!

Membership revealment attacks are less a worry for customers (provided financial intelligence is properly countered to avoid an attacker finding rough customer geolocations!) than they are for vendors. There are a few reasons why this is true. First of all a customer is likely to reveal more about their identity when they place an order than the attacker will be able to determine with a geolocation + membership revealment attack. Secondly, the vendors allowed to operate on Open Source have been highly screened to significantly reduce the probability that any of them are federal agents, but the customers on Open Source are not only anonymous but they are also not screened at all. Third of all, the organizational structure reduces the risk for customers; a customer may work with a few vendors but each vendor is likely to be working with hundreds or thousands of customers. Customers sourcing from Open Source are at minimal risk even if they have products delivered directly to their own residence; vendors working on Open Source are particularly vulnerable to membership revealment attacks due to the open nature of the site.

The primary concern for customers is that they load finances anonymously and the vendor decentralizes their financial network. If a vendor is using a star network (centralized) financial topology there is a risk that an attacker could map out the geographic locations where customers loaded funds. After determining where funding was loaded the attackers could do anonymizer membership revealment attacks in an area around the load point and filter out everyone who is not using an anonymizer. This will likely leave the customer and few others. The attacker may even be able to compare CCTV footage of the load to the users of anonymizers in the area and look for a facial recognition match. To counter this it is important for customers to make use of good financial counter intelligence techniques (E-currency layering being one). Customers may also choose to utilize transients by paying them a fee to load currency, this way the customer avoids being on CCTV at any point. If vendors decentralize funding points (ditch the star network topology) customers will be strongly protected from such attacks, however it is impossible for a customer to ensure that a vendor is using a 1:1 customer to account/pseudonym identification ratio.

There are several ways you can protect yourself from a membership revealment attack; if you are a vendor it would be foolish not to take one of these countermeasures. The primary way to protect from a membership revealment attack is to make sure you do not enter traffic through the same network you exit traffic through. As all traffic to Open Source ‘exits’ through the Tor network, entering your traffic through a VPN first will reduce your vulnerability to membership revealment attacks. The attacker will have to determine everyone in your area who uses any anonymizing technology and put all of them under meatspace surveillance, and there are likely to be far more people in your area using some sort of proxy system than there are people using Tor in particular. This will substantially increase the cost of putting all ‘potential targets’ under surveillance.

Using a VPN is helpful but it is not the ideal solution. Your crowd space against a membership revealment attack will increase, but perhaps not by much depending on the particular area you work out of. Also, a particularly skilled attacker may be able to determine you are using a VPN to connect to Tor by fingerprinting traffic streams. Tor traffic is padded to 512-byte packets; normal VPN traffic is not. By filtering for 512-byte streams, an attacker can determine who is using Tor in a given area. VPNs protect from IP routing based membership revealment attacks but not from traffic fingerprinting membership revealment attacks. However, it is less likely that an attacker will be able to do a traffic fingerprinting membership revealment attack. The Chinese intelligence services apparently are still using IP address based attacks to block access to the Tor network. This is not nearly as effective as traffic fingerprinting based attacks. This could be an indication that traffic fingerprinting membership revealment attacks are more difficult to carry out (likely); however, it could also be due to a lack of skill on the part of China's intelligence services. It could also be that China is not particularly interested in blocking/detecting all Tor traffic and IP address based attacks meet their requirements.
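The difference between the IP-based check and the size-based check described above, as an added example that is not part of the original guide: a simplified monitor-side model in Python. The flows, the addresses (documentation ranges), the relay list and the 41-byte tunnel overhead are constructed assumptions, and the model ignores the TLS framing that real on-the-wire traffic carries.

```python
CELL = 512                      # fixed size stated in the text above
KNOWN_RELAYS = {"192.0.2.10"}   # assumed stand-in for a public relay list
VPN_OVERHEAD = 41               # assumed constant per-packet tunnel overhead

def tunnel(sizes):
    """Model a VPN as adding a constant number of bytes to every packet."""
    return [s + VPN_OVERHEAD for s in sizes]

# Constructed flows: label -> (destination IP, observed payload sizes in bytes)
FLOWS = {
    "direct_tor": ("192.0.2.10", [512, 512, 1024, 512, 512, 1024, 512, 512]),
    "tor_in_vpn": ("198.51.100.7", tunnel([512, 512, 1024, 512, 512, 1024, 512, 512])),
    "web_in_vpn": ("198.51.100.7", tunnel([83, 1400, 1400, 622, 1400, 211, 97, 1400])),
    "plain_web": ("203.0.113.5", [140, 1460, 1460, 873, 1460, 52, 311, 1460]),
}

def cell_score(sizes, overhead=0):
    """Fraction of packets that are a whole number of cells after removing overhead."""
    hits = sum(1 for s in sizes if s > overhead and (s - overhead) % CELL == 0)
    return hits / len(sizes)

def best_overhead(sizes, max_overhead=100):
    """Constant overhead (0..max_overhead) under which the flow looks most cell-like."""
    return max(range(max_overhead + 1), key=lambda o: cell_score(sizes, o))

def classify(flows, threshold=0.8):
    """Compare the IP-based check with the size-based check for every flow."""
    report = {}
    for label, (dst, sizes) in flows.items():
        overhead = best_overhead(sizes)
        score = cell_score(sizes, overhead)
        report[label] = {
            "ip_match": dst in KNOWN_RELAYS,   # what IP-based blocking sees
            "overhead": overhead,
            "score": score,
            "size_match": score >= threshold,  # what size fingerprinting sees
        }
    return report

if __name__ == "__main__":
    for label, row in classify(FLOWS).items():
        print(f"{label:11s} ip_match={row['ip_match']!s:5s} "
              f"overhead={row['overhead']:3d} size_match={row['size_match']}")
```

Only the flow sent straight to a listed relay trips the IP check, while both Tor flows trip the size check; the tunnelled web flow trips neither.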

A better option than using a VPN would be to set up a private VPS and then enter all of your Tor traffic through this. Doing this will make you much more resistant to IP address based membership revealment attacks because now the attacker will not even be able to narrow you down to all people in your area using any anonymity technology. This is still weak to traffic fingerprinting membership revealment attacks!

Perhaps the best option to avoid membership revealment attacks is to use open or cracked WiFi from a different location + Tor every single time you connect. You could even use open WiFi + VPN/VPS + Tor for very high security from membership revealment attacks. Using random (not your neighbor's) open/cracked WiFi greatly increases your resistance to a wide variety of identity revealing attacks. An attacker can still do membership revealment attacks on users of open WiFi but they can no longer gain useful intelligence from the attack. If they detect that an open WiFi connection unrelated to you is using Tor, it cannot be used to put you under meatspace surveillance unless they manage to identify you (facial recognition from CCTV cameras, etc).

If you are operating as part of a group you can avoid membership revealment attacks via smart organizational policy. The person responsible for communicating with customers should be different from the person shipping orders. Now the customers are incapable of determining where your actual rough geolocation is because product is sent from a different geographic area than you communicate from. Your shipper should be aware that they will potentially come under scrutiny via a geolocation + membership revealment attack, especially if they use Tor to enter traffic.

Another option is to configure Tor to use a bridge. Tor bridges are designed to allow people in nations such as China to connect to the Tor network. China uses IP address based blocking to prevent users from connecting to known Tor nodes. Bridges are Tor entry guards that are not publicly listed and have a limited distribution mechanism. You can get some Tor bridge IP addresses from the Tor website. We do not suggest you use Tor bridges because they replace your entry guard and they are undercrowded. This will lead to a lot less multiplexing on your Tor circuit and can hurt your anonymity in other ways, although it will indeed offer some level of protection from membership revealment attacks. China has managed to detect about 80% of Tor bridges; it is likely that NSA knows all of them. Police agencies in the West are probably not yet particularly worried about locating bridge nodes but they can probably do so with near the same accuracy as China. In our opinion it is not smart to rely on a Tor bridge to protect you from membership revealment attacks in most cases.

Step Four: Know how to do safe product transfer, handle finances safely

Note: Although customers sourcing from Open Source are encouraged to take the best security measures they can, it is not likely required for them to utilize advanced operational security regarding mail (such as fake ID boxes, tactical pick up techniques, etc). Because the vendors allowed to be listed here have been highly screened it is likely safe for customers to have product delivered directly to their homes. If you only work with highly trusted and trusted vendors your biggest concern will be a package being intercepted!

 

07/5/12

The Deep Dark Web -Book

gAtO sAy -mEoW you all- we have a new book coming out soon “The Deep Dark Web” and just wanted to write this as the foreword for the book, I thought it was interesting …//looking for peer review of book…write us

This book is to inform you about “The Deep Dark Web”. We hear that it’s a bad place full of crooks and hackers, but it is more a place where you have total anonymity as an online user, and yes, there are ugly places in the dark web, but it’s a small part of it. What it really is all about is freedom of expression, freedom of speech worldwide, supported by “us/we”, the users of the network. It’s not controlled by any government, but it is blocked by a few like Syria, Iran, Ethiopia and China, to name a few governments that want to deny their own people free access to information, to speak freely about their grievances and unite to tear down their walls of oppression.

Pierluigi and I (gAtO) share a passion for cyber security and we write different blogs: Pierluigi has http://securityaffairs.co/wordpress/ and my site is uscyberlabs.com . We also write at other blogs and print media. We didn’t know it at the time, but we were writing cyber history: as the 2011-2012 cyber explosion took off we were at ground zero writing about Stuxnet, HBGary, the LulzPirates, Anonymous, but the Arab Spring was an awakening:

The recent revolution in Egypt that ended the autocratic presidency of Hosni Mubarak was a modern example of successful nonviolent resistance. Social Media technologies provided a useful tool for the young activist to orchestrate this revolution. However the repressive Mubarak regime prosecuted many activists and censored a number of websites. This made their activities precarious, making it necessary for activists to hide their identity on the Internet. The anonymity software Tor was a tool used by some bloggers, journalists and online activists to protect their identity and to practice free speech.

Today we have lots of anonymity communication tools: I2P, Freenet, Gnunet and Tor, to name a few. Why did the TorProject.org Tor-.onion network become the de facto application to get free, private, anonymized Internet access? My conclusion is its humble beginnings, sponsored by the “Naval Research Project & DARPA (Defense Advanced Research Project Agency)”; maybe you heard of DARPA, they kinda created the Internet a long time ago. The government wanted to have a secure communication media that would piggy-back on the established Internet. From my point of view, when they saw how good this worked the government used it to allow its agents to quietly use the network for CIA covert operations (just to name a few alphabet soup government agencies that use it). For example a branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

Journalists got a hold of this tool and they too were able to file reports before government agents censored their interviews and film footage. The EFF (Electronic Frontier Foundation) got a hold of the Tor-network and promoted it for maintaining civil liberties online. When the common business executive visited a foreign country (like China, known to monitor foreigners’ Internet access) they now had a way to securely connect to their corporate HQ data-center without being monitored and giving away IP (Intellectual Properties). The Tor-Network became too good and the bad guys moved in to keep their illegal business safer from the law. The Internet cyber-criminal has used the clear-web since the start, so of course they went over to the Tor-.onion network because it works if you use it right and keeps you anonymous online.

With all this happening and the “Year of the Hack 2011” you can see why security geeks like Pierluigi and I became intrigued with this subject, and we teamed up to write this manuscript hoping to answer some of the questions our friends and peers were asking us about this mysterious hidden world called the deep dark web. We outlined a table of contents and started to write about it in our blogs, and the story unfolds from here to you. We hope to educate you on how this network works without too much geek talk (ok just a little). We cover the cyber criminals and their ecosystem, and we cover the financial currency (bitCoins) that is replacing fiat currencies all over the world during these unstable financial times. We tried to cover all the good, the bad and the ugly of the .onion network. We hope it will answer some of your questions, but I am sure that more questions will come up, so feel free to come to our websites and give us a shout and ask your questions about the deep dark web…. - gAtO oUT