04/5/13

Tor Tells Its Secrets

gAtO pLaYiNg with words in Tor. We simply counted, for each word, the number of crawled pages it appears on. Every search engine does this, but it gave us a picture of what Tor really is. It's not all crime and ugliness: information is number one in Tor, which is exactly what it was built for. Tor was created to share information, and the table below shows a lot of what is inside it.

Tor word data points: we put this report together to see what our word-occurrence counts look like in the data crawled so far. The table below gives an interesting picture of the data points Tor generates.

We are finding that these are the best categories to sort our sites into. Word occurrence by site says a lot about trends in Tor. For example, I2P sits two rows above drugs in the table, because I2P is fast becoming intertwined with Tor to get better anonymity.

  • These are real data points from crawls between 3/27/2013 and 4/3/2013; this is a live report from our crawler.
  • As we crawl and add more data, our picture of the Tor landscape will change.
  • Bitcoin is the fourth most common word: currency in the Dark Web is number one.
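As an added illustration (not code from the original post), here is the kind of per-page count the report describes, in Python: document frequency (how many crawled pages mention a word) next to raw term frequency, which a single page repeating a word would inflate. The pages, onion names and keyword list are constructed for the example.

```python
import re
from collections import Counter

WORD_RE = re.compile(r"[a-z0-9]+")

# Constructed sample: three "crawled pages" keyed by made-up onion addresses.
PAGES = {
    "aaaaaaaaaaaaaaaa.onion": "Anonymous blog about bitcoin, bitcoin markets and the wiki",
    "bbbbbbbbbbbbbbbb.onion": "Hacking wiki: exploit writeups, software, I2P and Tor",
    "cccccccccccccccc.onion": "Market listing: bitcoin accepted, drugs, guns",
}
# Keywords to tally, in the singular; a trailing "s" on a token is folded into them.
KEYWORDS = ["blog", "wiki", "anonymous", "bitcoin", "market", "i2p",
            "software", "drugs", "hacking", "exploit"]


def normalize(token, keywords):
    """Map 'markets' -> 'market' when the singular is a keyword; otherwise unchanged."""
    kw = set(keywords)
    if token not in kw and token.endswith("s") and token[:-1] in kw:
        return token[:-1]
    return token


def page_counts(pages, keywords=KEYWORDS):
    """Document frequency: on how many pages each keyword occurs at least once.
    This is the 'by pages' count the post describes."""
    kw = set(keywords)
    df = Counter()
    for text in pages.values():
        seen = {normalize(t, keywords) for t in WORD_RE.findall(text.lower())}
        df.update(seen & kw)          # a set, so each page adds at most 1 per word
    return df


def term_counts(pages, keywords=KEYWORDS):
    """Raw term frequency: total occurrences over all pages. One page that repeats
    'bitcoin' a thousand times dominates this count but not the one above."""
    kw = set(keywords)
    tf = Counter()
    for text in pages.values():
        tokens = (normalize(t, keywords) for t in WORD_RE.findall(text.lower()))
        tf.update(t for t in tokens if t in kw)
    return tf


def ranked(counts):
    """Sort by count descending, then alphabetically, for a table like the one below."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for word, n in ranked(page_counts(PAGES)):
        print(f"{word:<12}{n}")
```

Ranking by page count rather than raw occurrences is what keeps a single spammy page (a market listing that repeats "bitcoin" on every line) from dominating the table.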

Word         Pages on which it occurs
blog         1014
wiki          985
anonymous     966
bitcoin       837
sex           530
gun           492
market        458
I2P           400
software      372
drugs         365
child         353
pedo          321
hacking       314
weapon        221
politic       209
books         157
exploit       118
anarchism     105
porno          88
baby           87
CP             83
fraud          76
piracy         69

 

  • Bitcoin ranking above sex says a lot: bitcoin is the normal exchange currency in Tor.
  • Fraud and piracy are the lowest, where we would have expected them to be much higher. People trust more in Tor.

This map does tell us that crime is everywhere in Tor, at a more alarming rate than we thought.

We are doing the same with the e-mail addresses we found in Tor. The email table gives a better picture of email in the Tor network: not all of it goes to tormail.org as we thought. As mentioned, more I2P and more connections to other anonymous networks seem to be the trend; as the Tor user base grows, so does its technical base, and more sophisticated users will come on board.

Hope this gives you a better picture of Tor. -gAtO oUt

03/10/13

Finding the Bad Guys in Tor - triangulated irregular network

gAtO ThInKiNg - a car GPS works very simply: it takes the signal delay from one geo-positioned satellite, compares it with the delays from others, and estimates the receiver's position from the differences. People call it satellite triangulation (strictly it is trilateration, a fix from distances), and it has been done with radio beacons to guide pilots ever since we had radios. We do it with satellites, and we can use networks too.

triangulated irregular network - so now apply this to the bad guys' websites in Tor: a hidden service!

With a simple command you can get the time it takes to fetch a page, so put one server in the U.S., one in South America, one in Europe and one in Asia, run the same command from each and record the delays from each location. I bet that with a little math and some basic network tools we could estimate the geo-location of a given Tor website. One of my mentors pointed out that my crawls were already capturing timing information. On the clear web we all see timing with a simple ping, but ping does not work through Tor, since Tor only relays TCP streams (no ICMP, no UDP), so the fetch time of a page has to stand in for it. We also have to account for Tor network throughput and utilization, which is easy to get from a number of Tor tools.

Reverse triangulation of a network server should be feasible with a little math: take a good sample, and the longer you wait the more data you collect and the better the chance of placing a website geographically. We do this on the clear web all the time: we know which parts of the world are bad for spam, like the Nigerian-prince mails offering you millions if you cover the transfer fee, or Russian and Chinese phishing attacks. Some geo-locations and IP ranges are more prone to bad actors, and we can draw a profile of a place, a country or an ISP, so not having the IP of a Tor server may not be needed to find it: we could use network triangulation, a "triangulated irregular network". The same thing can be done with networks and the timing delays of data back and forth between client <-> Tor OR <-> server. One caveat: a hidden service is reached over a rendezvous circuit whose relays are picked by both sides and change with every new circuit, so most of any single measurement is relay-dependent noise, which is why the sample has to be large.
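The measurement the post has in mind, written out as an added example that is not from the original post: a timed fetch of a hidden service through Tor's SOCKS port from one vantage point, plus a summary over the rows collected from several. It assumes a local Tor client listening on 127.0.0.1:9050; the vantage names and the sample timings at the bottom are constructed, and the .onion address in the usage comment is a placeholder.

```python
import socket
import statistics
import struct
import time


def _readn(sock, n):
    """Read exactly n bytes or raise; SOCKS replies are short but may arrive split."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed during SOCKS5 exchange")
        buf += chunk
    return buf


def tor_connect(host, port, socks=("127.0.0.1", 9050), timeout=60):
    """Open a TCP stream to host:port through Tor's SOCKS5 port and return
    (socket, seconds until the CONNECT reply). The target is sent as a hostname
    (ATYP 0x03) so Tor resolves it and the .onion name never touches local DNS."""
    t0 = time.monotonic()
    s = socket.create_connection(socks, timeout=timeout)
    s.sendall(b"\x05\x01\x00")                       # SOCKS v5, one method: no auth
    if _readn(s, 2) != b"\x05\x00":
        raise OSError("SOCKS5 method negotiation rejected")
    name = host.encode("ascii")
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port))
    _ver, rep, _rsv, atyp = _readn(s, 4)
    if rep != 0x00:
        s.close()
        raise OSError(f"SOCKS5 CONNECT failed, reply code {rep:#x}")
    # Drain the bound-address field; its length depends on ATYP.
    if atyp == 0x01:
        _readn(s, 4 + 2)
    elif atyp == 0x04:
        _readn(s, 16 + 2)
    elif atyp == 0x03:
        _readn(s, _readn(s, 1)[0] + 2)
    return s, time.monotonic() - t0


def sample(host, path="/", port=80, **kw):
    """One timing sample: (seconds to connect, seconds to first response byte)."""
    t0 = time.monotonic()
    s, t_conn = tor_connect(host, port, **kw)
    try:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        _readn(s, 1)             # first byte of the reply is enough for a timing sample
    finally:
        s.close()
    return t_conn, time.monotonic() - t0


def summarize(samples):
    """samples: iterable of (vantage, t_conn, t_total). Per vantage point, return
    the count, the minimum and the median of t_total; over a large sample the
    minimum is the figure least contaminated by slow circuits."""
    by_vantage = {}
    for vantage, _t_conn, t_total in samples:
        by_vantage.setdefault(vantage, []).append(t_total)
    return {
        v: {"count": len(ts), "min": min(ts), "median": statistics.median(ts)}
        for v, ts in by_vantage.items()
    }


# Constructed rows (not real measurements) in the shape sample() produces,
# tagged with the vantage point that collected them.
CONSTRUCTED_SAMPLES = [
    ("us", 0.9, 1.5), ("us", 0.8, 1.2), ("us", 0.7, 1.9),
    ("eu", 0.5, 2.2), ("eu", 0.6, 2.0),
]

if __name__ == "__main__":
    # Real use: run this on each vantage host and pool the rows, e.g.
    #   rows = [("us", *sample("xxxxxxxxxxxxxxxx.onion")) for _ in range(50)]
    for v, stats in sorted(summarize(CONSTRUCTED_SAMPLES).items()):
        print(v, stats)
```

Two things matter when collecting the rows: send the name to the proxy rather than resolving it locally (a plain SOCKS4 or a misconfigured client would try DNS on the .onion name and leak the target you are studying), and make each vantage use its own Tor client with fresh circuits between runs, otherwise you are timing one circuit fifty times instead of sampling the network.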

I have a crazy idea that may or may not work, but it sounds good. Now if I can only find a government grant and a good math major to help out, we have a big business model for finding the bad guys' geo-location even in Tor - gAtO oUt...

11/15/12

Iran Sites Open 2 Joomla -K-CMS Hacking

gAtO wAs in the kitty box scratching and found sites in Iran that have the same problem Syria has: outdated content management systems like Joomla 1.5 and KCMS 1.0 [2], and many other sites built with Microsoft Visual Studio .NET 7.0. These need more research on their specific vulnerabilities, and we are working on that, but gAtO found, you guessed it, Joomla 1.5 all over the place. The same vulnerabilities Syria has, they have.

This is easy to do with any browser: search any search engine for "site:.gov.ir" and you get a list of .gov.ir sites. Remember that with the translate button in your browser you can read these sites in any language you want. The other trick is, once you are on a site, view the page source (View > Page Source in most browsers); lots of sites announce what built them, because whatever language the page is in, the HTML markup is in English:

<meta name="generator" content="Joomla! 1.5 – Open Source Content Management" />

If you are smart and run a government site, remove this information. Besides Joomla 1.5, gAtO found lots of sites running KCMS 1.0 [2], and you guessed it again, they are older versions with known vulnerabilities. So gAtO will publish this list and update it as we find more and more. Why does gAtO do this? It is my way of showing the world that anyone can help; anyone with any talent can contribute to making this a better world. I hope this information helps someone to be free - gAtO oUt.
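An added example, not from the post, of doing the view-source trick at scale in Python: pull the generator meta tag out of saved pages, split it into product and version, and flag the version lines the post calls outdated. The sample pages reuse the tags quoted in the research notes below but with placeholder hostnames, and the flagging policy (Joomla below 2.5, any KCMS 1.x per the CVE note below) is this example's own assumption rather than something the post states.

```python
import re
from html.parser import HTMLParser


class _GeneratorMeta(HTMLParser):
    """Collect the content of every <meta name="generator"> tag, whatever the case."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"].strip())


def generator_of(html):
    """First generator string in the page, or None when the site hides it."""
    p = _GeneratorMeta()
    p.feed(html)
    return p.generators[0] if p.generators else None


# "Joomla! 1.5 - Open Source Content Management" -> ("Joomla!", "1.5")
_PRODUCT_VERSION = re.compile(r"^([A-Za-z][A-Za-z0-9!._ -]*?)\s*v?(\d+(?:\.\d+)*)")


def product_version(generator):
    m = _PRODUCT_VERSION.match(generator)
    if not m:
        return generator.strip(), None
    return m.group(1).strip(), m.group(2)


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


# Assumed policy for this example: which version lines to flag as end-of-life.
FLAG_POLICY = {
    "joomla!": lambda v: v < (2, 5),   # the 1.x line; 2.5 was the current security release
    "kcms": lambda v: v[0] == 1,       # K-CMS 1.x, the line named in CVE-2007-2106
}


def is_flagged(generator, policy=FLAG_POLICY):
    product, version = product_version(generator)
    rule = policy.get(product.lower())
    if rule is None or version is None:
        return False
    return rule(version_tuple(version))


def scan(pages, policy=FLAG_POLICY):
    """pages: {url: html}. Returns {url: (generator, flagged)} for pages exposing a tag."""
    findings = {}
    for url, html in pages.items():
        gen = generator_of(html)
        if gen is not None:
            findings[url] = (gen, is_flagged(gen, policy))
    return findings


# Constructed pages carrying the generator tags quoted in the research notes;
# the hostnames are placeholders, not the sites listed there.
SAMPLE_PAGES = {
    "http://site-a.example/": '<html><head><meta name="generator" content="Joomla! 1.5 - Open Source Content Management. Developed By MamboLearn.com" /></head><body/></html>',
    "http://site-b.example/": '<HTML><HEAD><META NAME="GENERATOR" CONTENT="ArianaPortal 7.1.2"></HEAD></HTML>',
    "http://site-c.example/": '<html><head><meta name="generator" content="KCMS 1.0" /></head></html>',
    "http://site-d.example/": '<html><head><title>generator tag removed</title></head></html>',
}

if __name__ == "__main__":
    for url, (gen, flagged) in scan(SAMPLE_PAGES).items():
        print(("FLAG  " if flagged else "      ") + url, "->", gen)
```

On the defending side, a Joomla template can call $this->setGenerator('') in its index.php before the head is emitted, which drops the tag. That only hides the version from a parser like this one; the file layout and default assets of an unpatched install still give it away, so removing the tag is hygiene, not a substitute for upgrading.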

Some sites carry the search-engine warning "This site may harm your computer"; be careful.

Research Notes:

IRAN site:.gov.ir

[1] Security tips for Joomla websites: http://www.itoctopus.com/10-security-tips-for-your-joomla-website

[2] KCMS generator tag, as seen on several sites:
<meta name="generator" content="KCMS 1.0" />

K-CMS (Kai Content Management System) index.php file include:
http://xforce.iss.net/xforce/xfdb/33437 Apr 4, 2007 – CVE-2007-2106: Directory traversal vulnerability in index.php in Kai Content Management System (K-CMS) 1.x allows remote attackers to ...
K-CMS could allow a remote attacker to include arbitrary files. A remote attacker could send a specially crafted URL request to the index.php script, using the current_theme parameter to specify a malicious file on a remote system, which could allow the attacker to execute arbitrary code on the vulnerable web server.

Many Iranian sites use ArianaPortal 7.1.2, while many others use Microsoft Visual Studio .NET 7.0:
<META NAME="GENERATOR" CONTENT="ArianaPortal 7.1.2">

Sites and the generator tags they expose:

http://www.sarvabad.gov.ir/
<meta name="generator" content="KCMS 1.0" />

http://www.abhar.gov.ir/ (also http://www.abhar.gov.ir/index.php?limitstart=63)
<meta name="generator" content="Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com" />

pishva.gov.ir
<meta name="generator" content="Expans! 1.5 – Open Source Content Management

http://www.zanjan.gov.ir/
<meta name="generator" content="Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com" />

http://chaloos.gov.ir/
<meta name="generator" content="Joomla! 1.5 – Open Source Content Management" />

http://mianeh.gov.ir/
<meta name="generator" content="Joomla! 1.5 – Open Source Content Management. Developed By Mambolearn.com" />

http://easabt.gov.ir/protocol/
<meta name="generator" content="Joomla! 1.5 – Open Source Content Management. Developed By Navid Iranian Co. Ltd" />
Saman Information Structure

http://ea.mim.gov.ir/

http://www.sadra-ntoir.gov.ir/
<meta name="generator" content="Joomla! 1.5 – Open Source Content Management" />

sabtyazd.gov.ir/index.php?option=com_newsfeeds…id…
Search result flagged "This site may harm your computer". Snippet: "Joomla 1.5.15 Released. The Joomla Project is pleased to announce the immediate availability of Joomla 2.5.0. This is a security release. ..."

www.sabtyazd.gov.ir/index.php?…
Same warning; the search snippet also leaks a server filesystem path: C:\Inetpub\vhosts\sabtyazd.gov.ir\httpdocs\libraries\joomla\session\session.php

www.khodabandeh.gov.ir/
Page footer: "Copyright © 2009 — Webdesign aus Tirol – All Rights Reserved. Template Demo Joomla 1.5 Template by pc-didi. Translate By : Meisam Heidarzadeh | hotfa.ir."

http://www.leader.ir/langs/en/
http://www.president.ir/en/
http://www.saamad.ir
iten.behdasht.gov.ir – Site News

10/14/12

Pierluigi Paganini – Cyber Weapons – Cyber Threat Summit 2012

Excellent presentation from Pierluigi at the ICTTF Cyber Threat Summit 2012. Apologies for the microphone problems (someone in the audience was using a frequency jammer). The rise of cyber weapons and their impact on cyberspace; well worth a watch.

Pierluigi can be found at http://securityaffairs.co/wordpress/. He is the co-author of the new book The Deep Dark Web, coming soon.

08/6/12

Anti Forensic Tales from the gAtO

gAtO iS a gRaY hAt thinker, so the forensic investigation world looks different to me than to most people. Let me explain. On LinkedIn I am having a great discussion about offensive security, going after the people who hacked you, and it is overwhelming how the white hats play by the rules. gAtO is happy with that for two reasons. One, I am glad that people in this profession have honor and integrity and do the right thing; that speaks volumes for our field. The flip side is that out-of-the-box thinking is not part of the security mindset, so the bad guys get around things more easily because they don't follow the rules. The rules are our guide for civilized interaction in cyberspace, but we need to look at the gray area where most bad guys operate.

"power is not only what you have but what your enemy thinks you have"

First off, in any forensic investigation the first thing you go for is the firewall logs and every other log you can get your hands on, to find who attacked your network. The bad news with encrypted anonymity networks such as Tor and its .onion services is that the entry point in your logs is useless to an investigator: what you see is the address of my exit relay, and without visibility into the whole circuit back to my entry guard you cannot find my IP, let alone through a VPN or, as the saying goes, behind 7 proxies.

Hackers sometimes leave digital breadcrumbs from which a forensic investigator can extract all kinds of information about the attacker, so overwriting the metadata on everything I leave behind is a simple deterrent to you finding out which version of Word I used, my user name and a few more details. Metadata leaks far more about users than the average Jane or Joe knows. Turn this around and apply metadata scraping to my target's corporate website and I get user names, directory structure, email addresses and all sorts of information; attackers gather it by doing reverse forensics on the target. This is why anti-forensics is such an interesting subject, and we are only scratching the surface.

If we get into your system we can make sure we do secure deletion on any device that stores information I touched, including the logs if I can; I just follow a protocol like the DoD 5220.22-M overwrite standard and you will be hard pressed to find anything I left behind. (Overwriting assumes a magnetic disk: on flash and SSDs the controller remaps writes, so an overwrite does not reliably hit the old blocks.) One thing I may point out: today's hackers use misdirection, and anything left behind could be something to throw your investigation off. I may leave digital breadcrumbs that lead back to where I want you to go, to blame my enemies or a friend -mEoW. This is a newer pattern that has surfaced among hacktivists.

One of the new defensive postures is to let cyber-criminals steal decoy files.

Of course, if we do write something onto your devices I will make sure it is encrypted (AES-256, for example); today there are so many ways to encrypt data or obfuscate code to make life really hard for investigators. Add steganography to the mix and it is a whole new game: it makes things more challenging for me, but it hides my actions very well. The advantage of steganography over cryptography alone is that the messages do not attract attention to themselves. Plainly visible encrypted messages, no matter how unbreakable, will arouse suspicion.

Another aspect of hackers today is knowing cyber law. In the forensic market we are sometimes limited in our scope of work by the legalities of discovery and due diligence; the lawyers set the parameters on what can be seen and what cannot be touched. It's lawyer stuff, I don't understand it, but it restricts proper cyber-forensic reporting when it ties the investigator's hands. One new tool for the judicial sector in crime fighting that is scary is the "forensic cyber psychologist": these people can detect criminal actions and understand criminal minds (wOw, where can I get my PhD?). So what you are saying is "you gotta think like a crook to catch a crook"; we all know that. But can these forensic cyber-psychologists predict criminal thought? Remember the movie "Minority Report", where they would arrest you for what you were thinking; that is scary stuff for the judicial department to bring out. Lots of power in one person; I just don't feel comfortable with that one.

Power is not only what you have but what your enemy thinks you have, and today's hacktivists are a new breed of hacker: they make it personal, make it big and make it loud. Misdirection by planting data the forensic investigator will find can be a ruse to mislead and control your moves in the investigation. Activist groups: it should come as no surprise that hacktivist motives differ sharply from the mainly money-driven masses of active cyber-criminals. Also unlike other types of threat agents, hacktivists do not typically hail from Eastern Europe and Asia; those behind most of the breaches are from Western Europe and North America.

Hacktivists targeted data-dense assets like databases and web applications and often stole much more at one time than other types of threat agents. Fitting that goal was their interest in personal information and authentication credentials, which they stole far more often than anything else. This is a more intelligent attacker: credentials carry the trust relationship companies need to do business, so stealing that object is a new level of sophistication in the hacktivist world.

In terms of the vectors through which hacktivist attacks took place (Verizon 2012 DBIR), web applications win hands down (65%), while remote admin services like SSH were a distant second (18%). Hacktivists also stole more credentials, which marks a slightly more sophisticated attacker. Take your local Linux administrator at work; guess what she or he knows? How to protect your system, and its basic flaws. We deal with patches, fixes and work-arounds every day in the life of an administrator, working late into the weekend with no credit. Basic security 101: be nice to admin people, they know too much. Add a social, cyber-fame element to that administrator's life and you have the real insider-threat cyber leaders of the hacktivist movements. They are smart, and they have a social heart in the new cyber generation. It is interesting to note that two of the four incidents in the Verizon-only dataset that met the report's "High" difficulty criteria were attributed to activist groups. All of these attacks were, unsurprisingly, considered targeted rather than opportunistic.

sudo mEoW- mEoW >>| gAtO will now get off the hacktivist soapbox.

Further obfuscation - old-fashioned data padding

Want to make things more interesting? If you want to keep your data from being discovered, or at least make it harder to detect, you can add padding to your hidden secret. In this technique, detection is thwarted by adding bogus data, muddying the waters and making the investigator determine which data is real and which is not. It should be noted, of course, that padding in extra data increases the likelihood that someone will look for hidden information in the first place. Access timestamps are another detail to watch, with a caveat: anti-malware and anti-virus software updates the last-access time on files as it examines them, so those timestamps are not reliable evidence of who touched a file.

Let's not forget generic data hiding that is invisible to the operating system, like the Host Protected Area (HPA) and Device Configuration Overlay (DCO) of a disk. Yes, I know this data can be extracted, but if we apply some of the anti-forensic policies above it may become useless.

Disk imaging, data recovery, disk analysis, metadata extraction and network forensics are the basic global forensic tools we use to look at attacks; in most cases they work and will help you find out what the cyber criminal did and where they came from. But beware, one method does not apply to all: black hats, elite hackers, script kiddies, noobs, blue hats, hacktivists, state actors and commercial criminals. "One size does not fit all"; think critically.

-gAtO oUt

References:

http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Steganography image: it has a secret message. I used the iSteg program and the password is "password", what else from a security gAtO.

FireWire reads Windows 7 memory; leave it to Microsoft.

One thing I found while researching this post was reading a device's memory to get passwords and similar information. FireWire has DMA access to physical memory, so I can write a little code (too late, I found one already written, open source) on a Linux box, plug into any Windows machine through the FireWire port and read all of its memory, so there are ways to get around and grab the admin password too. Plug and play, they say: it bypasses Windows 7 user access controls through FireWire memory access.

Today, with a simple TorProject.org Tails USB bootable system, I can do my work and never leave a trail to follow, and that can make life hard for any forensic investigator.

07/27/12

gAtO interview - Botnets in Tor -sI -Si

gAtO jUsT finished an interview with Bill Donato from BotRevolt.com. I wanted to post this because these were good questions. My answers were a little lOcO gAtO, but I tried anyway; here is the interview, and at the bottom I included a conversation about a Tor-controlled botnet that I found on HackBB in onion land. All I can tell you is the code and how-tos are out there -gAtO oUt

 

LinkedIn: Mr Bill Donato has sent you a message.
Date: 7/26/2012
Subject: RE: Bot Revolt Blog

Hi Richard,
Here are 5 general questions we think our readers would find interesting. We greatly appreciate your feedback!

First, thank you Bill for this opportunity. I have 35 years in IT, and a little security goes with the territory, but I'm no expert. I'm retired, so I have the freedom to say what I want, and I have chosen to support freedom of speech in cyberspace. You can find my rants and rages about security at http://uscyberlabs.com/blog. I go by @gAtOmAlO2 on Twitter, after my lionhearted cat named Gato. My 2 cents: "be a critical reader, thinker and cyber user". Trust but verify.

• We see a lot of cybercrime targeted at large companies, but how vulnerable is the average consumer in today’s cyber environment?

In today's economic climate cyber criminals see mass unemployment and use it to recruit shipping mules and money mules. Financial desperation and greed are a driving force in recruitment, and the FBI is well aware of this; a good money mule is hard to find and trust. Also, infection points for zombie computers to do the dirty work go up and up with every new exploit. Lastly, people don't know how much information they leak out. Just from the metadata in Facebook pictures a criminal can glean lots of information from the average Facebook update.

So to answer your question: yes, the average consumer needs to be very careful and have common sense. That lost uncle from Nigeria did not leave you a billion dollars, trust me on this one.

• At the current level of cybercrime's growth, if it is possible, how long before the internet crashes?

Cyber crime is growing, but CISPA is not the answer. PII (Personally Identifiable Information) the government says it will not gather, just your shopping and search habits, nothing identifiable until you type in the wrong keyword; then you're monitored, and your footsteps in cyberspace are watched a bit more closely. The judicial system has now added the cyber forensic psychologist who can produce "minority reports" (remember the movie, the thought police). That's scary.

Where were you last Tuesday at 9:37 PM? They know; we are being monitored by the good guys on today's Internet. It's normal to update my Facebook page or my LinkedIn profile, leaking data through the metadata in our pictures of the visit to the new office overseas. That can give criminals information for APT attacks.

As for the Internet crashing, I think it's just beginning. We have criminals after our data, government after our habits, and we ourselves leaking information for everyone to know about me, me, me... but it's not crashing; we have too many me, me, me.

• Cyber warfare is a hot topic; how will a cyber-war affect the country's average citizen?

Have you ever watched your daughter lose her cell phone 5 times in one year? 5 times, not one backup. The effects of a cyber-kinetic event in the US will happen. I see open SCADA systems in the wild with no protection. Try to report this information; that's a joke and impossible. So many mis-configured SCADA systems, all running Windows, with no patch updates or management, so they become more vulnerable every day they don't upgrade.

Oh, make that a tested update, because we (admin types) all stayed up late at night un-installing a Windows upgrade that made the Oracle payroll system not work, so no paychecks...

In other words it will happen because we have a pretty bad security system built into these devices, and they are too expensive to replace; it's worth the risk from the financial side, so companies do the ROI (return on investment) cost analysis of an attack. They know they will get hacked. Power grid? Yeah baby, and we have no backup, but we still come back. The average citizen has to ride it out; we have no choice in warfare.
• You talk on your website, uscyberlabs.com, about the rise of botnets running on the Tor .onion network. Is the Tor network a threat to people who do not access it? If so, how do users protect themselves?

Botnets in Tor? Oh yeah! I'm doing some research into botnets in the Tor black market and it's alive and kicking. The Tor hidden service and the C&C server go hand in hand: you can't find it, and it can't be found. We also have I2P as an up-and-coming secure anonymized network, so expect more and more from this area.

I included a post from the HackBB website in the onion network; the discussion is about "Tor-controlled botnets". I included the code, so in Tor there is talk from the hacker world with how-to guides to Tor and botnets, and it has a current timestamp.

It's not just the code, it's also the infrastructure design.

Go to Tor HackBB [1] - http://clsvtzwzdgzkjda7.onion/

• On your blog titled "Online Security Basic -should I use encryption" you give some great information. What encryption programs, methods or tips do you recommend for some of the less computer-savvy users?

Well, first of all, here [below] is my public key if you want to send me a message. I use FileVault and encrypt my hard drive, but I forgot my password; that's my story and I'm sticking to it ;) I use GnuPG. Since I'm not doing skunk work and I'm not a spy, I go for open-source programs; yes, they are a little harder to learn, but I feel safer with the open aspect of it. In security we have a motto, trust but verify, and I can verify these open source programs.

One thing the average user needs to do is make privacy a key part of their cyber life. When you start down the security rabbit hole it's an active step in your cyber lifestyle.

Privacy is a personal thing: when I'm looking for Preparation H I don't want Google, Yahoo or Amazon to know about this medical problem; it's kind of personal, private. But when I'm trolling on Huffington Post it's another world.

 

 

[1] Conversation online on the HackBB website about Tor botnets

Tor-controlled botnet

Re: Tor-controlled botnet
by BotCoder » Fri May 18, 2012 5:50 pm

Good news! I compiled TOR from source and there is no GUI or tray icon if you skip the installer step.

Here is the info to compile from source (you can skip the installer part and build a silent one yourself):

CODE

##
## Instructions for building Tor with MinGW (http://www.mingw.org/)
##

Stage One: Download and Install MinGW.
---------------------------------------
Download mingw:
http://prdownloads.sf.net/mingw/MinGW-5.1.6.exe?download
Download msys:
http://prdownloads.sf.net/ming/MSYS-1.0.11.exe?download
Download msysDTK:
http://sourceforge.net/projects/mingw/files/MSYS%20Supplementary%20Tools/msysDTK-1.0.1/msysDTK-1.0.1.exe/download

Install MinGW, msysDTK, and MSYS in that order.
Make sure your PATH includes C:\MinGW\bin. You can verify this by right
clicking on "My Computer", choose "Properties", choose "Advanced",
choose "Environment Variables", select PATH.
Start MSYS(rxvt).
Create a directory called "tor-mingw".

Stage Two: Download, extract, compile openssl
----------------------------------------------
Download openssl:
http://www.openssl.org/source/openssl-0.9.8l.tar.gz
Extract openssl:
Copy the openssl tarball into the "tor-mingw" directory.
Type "cd tor-mingw/"
Type "tar zxf openssl-0.9.8l.tar.gz"
(Note: There are many symlink errors because Windows doesn't support
symlinks. You can ignore these errors.)
Make openssl libraries:
Type "cd tor-mingw/openssl-0.9.8l/"
Type "./Configure -no-idea -no-rc5 -no-mdc2 mingw"
Edit Makefile and remove the "test:" and "tests:" sections.
Type "rm -rf ./test"
Type "cd crypto/"
Type "find ./ -name "*.h" -exec cp {} ../include/openssl/ \;"
Type "cd ../ssl/"
Type "find ./ -name "*.h" -exec cp {} ../include/openssl/ \;"
Type "cd .."
Type "cp *.h include/openssl/"
Type "find ./fips -type f -name "*.h" -exec cp {} include/openssl/ \;"
# The next steps can take up to 30 minutes to complete.
Type "make"
Type "make install"

Stage Three: Download, extract, compile zlib
---------------------------------------------
Download zlib source:
http://www.zlib.net/zlib-1.2.3.tar.gz
Extract zlib:
Copy the zlib tarball into the "tor-mingw" directory
Type "cd tor-mingw/"
Type "tar zxf zlib-1.2.3.tar.gz"
CHOICE:
Make zlib.a:
Type "cd tor-mingw/zlib-1.2.3/"
Type "./configure"
Type "make"
Type "make install"
Done.

Stage Four: Download, extract, and compile libevent
------------------------------------------------------
Download the latest libevent release:
http://www.monkey.org/~provos/libevent/
Copy the libevent tarball into the "tor-mingw" directory.
Type "cd tor-mingw"
Extract libevent.
Type "./configure --enable-static --disable-shared"
Type "make"
Type "make install"

Stage Five: Build Tor
----------------------
Download the current Tor alpha release source code from https://torproject.org/download.html.
Copy the Tor tarball into the "tor-mingw" directory.
Extract Tor:
Type "tar zxf latest-tor-alpha.tar.gz"
cd tor-<version>
Type "./configure"
Type "make"
You now have a tor.exe in src/or/. This is Tor.
You now have a tor-resolve.exe in src/tools/.

Stage Six: Build the installer
-------------------------------
Install the latest NSIS:
http://nsis.sourceforge.net/Download
Run the package script in contrib:
From the Tor build directory above, run:
"./contrib/package_nsis-mingw.sh"
The resulting Tor installer executable is in ./win_tmp/.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

gAtOmAlO Public Key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

mQENBFAGzo8BCAC7Sg4uz5lQVrAPVe+BlMMGKjnLJwQvBy6V29CfPlws3/7b0Ryd
Th9CerSYt49Pt98iPNNZm38rtiKgABXp2jzTrpZDJsnxN+XCg0sdr/NZb6esP7Ck
hE77VSvTr0khFM1w7ZS3tf/1q6e9iqUovzPS4kBwSL7TMJgoQY0EJ9WAvLDeNrpO
P/JEBsawMH2q4Xd/i4QzirQf3fxVofOcwicSks9HI7LnSkiZu+rZTHo0yzdk/Sc6
SJqrFVplsUsSvESRdVLOEU4WVb7YpWGk3wBXgSSOvD+f2LVAgT40T4rGE15ZX3ou
Z/GEXCAy3Z+uVPPdiOPJRF71qmkRe0Um6yiNABEBAAG0I2dhdG8tbGFiIDxnYXRv
bWFsb0B1c2N5YmVybGFicy5jb20+iQE+BBMBAgAoBQJQBs6PAhsvBQkHhh+ABgsJ
CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRA1tzvyZQcKfrmLB/96RHvWFhzsfHWc
5YmW12vZf6cEbR0qgp1Z4LeERpuv/K96NSrXM81CMmi5F0l/m6ui/cEh0nwVM+EA
RD8MhJwRIhz3QOi6I5DBwM5YkKQNPgSPJegu27+96WXS4eNalQGZizBnbNO4SkdI
W2sH5L85z+uveZkKsGix9B8vLP9wcKMRP+5QEMVqetJ9+8njgfS4cmDrAnQyEfbs
dX5/P110a1rlPVK4vxiBGkikW4K3gmwMgNlRvQcLjlGjGpzon5a/Y9ve9WySSa8v
AMBZS5y6k6dkXXrakpBESkwJrYJDU16vlafL4C3lEP+Ce3foTTIWuHRAnJZnza4R
D0xX4C/6uQENBFAGzo8BCAC4odhP/am4dRMfJzJRIaCEzP+hs6pNOAcrHdychB5M
9z3ym6ddI0EEsI63xbYNmv+RJRxO6ZMY7P0R4CgUFPdjzmTbnPZ01J99QiPXUfd4
8+n4sCUvbEFCPSORnAPiKmWJbNrGsG7vXVTHCRgLUFIV9GAhBdK8ajn+UCZRR7Gf
Zr4qQ68cO+zS3rE4DeYgMpq9c4BYIbaRyjTTj9bwAEjr7gb7pyYGinyXtgz07/cK
hBgXmJf7zJ1s9kYMpeFqXAtd51fPcqCt0liutzyW/+YAIqAXP2WBNgZvDbfhd/5U
Od3aP1DeqJJOec3XcuLvts6rodWMSrb7remJQkkv5dftABEBAAGJAkQEGAECAA8F
AlAGzo8CGy4FCQeGH4ABKQkQNbc78mUHCn7AXSAEGQECAAYFAlAGzo8ACgkQkjHj
5gQjJYAL/Af+J5ZeEUNpbV96CUTVeSrT6hDrdkvU5NnPFUZmlVfhh+xrtRsHTJ9K
Ujcd5yAlLI38tr4A3hhuX1OToroEVRFKhTq+XpaKSBtdOeauCJeDY0NiKMJCBDue
+2CiqwIWR4tOfIFHPE/+F1STPgCxCFNfMouHqe+tI9+rqkJ11nPrUGCAzwmPcfK4
oKGWg1sbFKjyTN1XnVuzT3X/13DcZxFA9eDD2VAqlujBtifJJdYRd+hoBdoAjfXZ
OJJaYhvhj0CWWAv69Xpj1DyDA84ZcX5aanVRIhTLHgPhdJQ+jnxXYjrzE1RS+F2C
waXI7skjL/WWhey2YCFTMsY285TQbfBPn4t3B/4k35sqsb7FEd3au97AbJ1s1BWK
ZTSn6cEY9ZjB3exDsG/XQY522bdq+PxbSt8WKPlaEhEP0kjNOfl2UsBzNISL0f6s
hvwDR0Pov07W8t0O4Nz1v07AXDDxKvcgjPGTwknmjg2ny/ToEAbiacP7cXHuCOnw
A2e3l9C8Loluhvt3zgQVsv4E19KUT3a9SIYzIazQ+qbYAbbZszvjWMbBHroVviLj
9ImVWPh6lFARRKvmDTYk6RxAEKLPiYtcgtCUU34vJu+XBJchn4ua+Soney7ZIeyU
9D0mW4dFCYrdyTpbnK9vlYnzwhmT5ggTNGZu5t8PJLMW/qgwiCroXG6i3x58
=lYdL
-----END PGP PUBLIC KEY BLOCK-----

 

07/25/12

Profiling a Corporation -metadata attack vector

gAtO sEe - that in today’s world building a corporate profile for an attack plan has become easy, and it is largely the corporation’s own fault. The road leads to a ruined reputation, stolen IP (intellectual property), lost competitive advantage and lost data. Social activists, criminals, competitors and national governments all use the technology against the company to open up access to its networks. How?

Metadata leaks by the corporation and its employees. According to a study that retrieved the metadata from published company documents, 71% of Forbes 2000 companies may be running vulnerable, out-of-date versions of Microsoft Office and Adobe software, and that same metadata lets an attacker identify —>

usernames, e-mail addresses, network details (internal paths, server and printer names) and vulnerable software versions, which is everything needed to plan an Advanced Persistent Threat (APT) campaign.

The metadata in every document your company distributes is an information leak, and it can hand all kinds of information to an attacker. The high-tech sector publishes more documents on its websites than any other industry. Your employees’ LinkedIn profiles also give away information about your company and its plans, and even job advertisements tell a potential attacker which technologies you run, so the APT can be tailored to exactly that.

Remember that today’s cyber attackers have many eyes and ears; hacktivist groups in particular have plenty of people who can scan your websites for information that helps the attack. You have three different attack vectors to worry about today:

  • IP based attacks
  • Web-Software attacks
  • Information Attacks
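Here is what the information-attack vector looks like in practice, as an added example that is not gAtO’s code or any tool the post mentions, only a minimal stand-in for what FOCA-style metadata harvesters do. It reads the two metadata parts every Office 2007+ document carries (docProps/core.xml and docProps/app.xml) and the Info dictionary of a PDF, then aggregates the results into the usernames, software versions and company names an attacker would collect. The sample .docx and PDF bytes are constructed inline and the names and versions in them are made up; the AppVersion-to-release mapping is the real major numbers Office writes (12 = Office 2007, 14 = Office 2010, 15 = Office 2013).

```python
"""Added example: harvest attacker-useful metadata from published documents.

Standard library only; the sample .docx and .pdf are constructed below so the
script runs offline. Not the page author's code, and not any vendor's tool.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML namespaces used by docProps/core.xml and docProps/app.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Major AppVersion numbers Office writes into app.xml, mapped to the release.
OFFICE_RELEASE = {"11": "Office 2003", "12": "Office 2007", "14": "Office 2010", "15": "Office 2013"}

# PDF Info entries stored as literal strings; see caveat in pdf_metadata().
PDF_INFO_RE = re.compile(rb"/(Author|Creator|Producer)\s*\(([^()]*)\)")


def ooxml_metadata(data: bytes) -> dict:
    """Return author, last editor, application, version and company from a .docx/.xlsx/.pptx."""
    wanted = {
        "docProps/core.xml": {"author": "dc:creator", "last_modified_by": "cp:lastModifiedBy"},
        "docProps/app.xml": {"application": "ep:Application", "app_version": "ep:AppVersion",
                             "company": "ep:Company"},
    }
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part, fields in wanted.items():
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for key, path in fields.items():
                el = root.find(path, NS)
                if el is not None and el.text:
                    found[key] = el.text.strip()
    return found


def pdf_metadata(data: bytes) -> dict:
    """Scrape the Info dictionary of an unencrypted PDF.

    Caveat: handles only literal strings without nested or escaped parentheses;
    hex strings and XMP metadata streams (which often repeat the same data) are ignored.
    """
    return {k.decode().lower(): v.decode("latin-1") for k, v in PDF_INFO_RE.findall(data)}


def profile(documents) -> dict:
    """Aggregate (kind, bytes) pairs into the attacker's view: people, software, org names."""
    prof = {"usernames": set(), "software": set(), "companies": set()}
    for kind, data in documents:
        meta = ooxml_metadata(data) if kind == "ooxml" else pdf_metadata(data)
        for k in ("author", "last_modified_by"):
            if k in meta:
                prof["usernames"].add(meta[k])          # often DOMAIN\user or a login name
        if "application" in meta:
            major = meta.get("app_version", "").split(".")[0]
            release = OFFICE_RELEASE.get(major, "unknown release")
            prof["software"].add(f"{meta['application']} ({release})")
        for k in ("creator", "producer"):
            if k in meta:
                prof["software"].add(meta[k])           # e.g. Acrobat/PDF library versions
        if "company" in meta:
            prof["companies"].add(meta["company"])
    return prof


def build_sample_docx(author, last_editor, app, version, company) -> bytes:
    """Constructed sample: a minimal OOXML package holding just the two metadata parts."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f"<dc:creator>{author}</dc:creator><cp:lastModifiedBy>{last_editor}</cp:lastModifiedBy>"
            "</cp:coreProperties>")
    app_xml = (f'<Properties xmlns="{NS["ep"]}"><Application>{app}</Application>'
               f"<AppVersion>{version}</AppVersion><Company>{company}</Company></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()


# Constructed inputs (made-up names and versions).
SAMPLE_DOCX = build_sample_docx("jsmith", "CORP\\mjones", "Microsoft Office Word", "12.0000", "Acme Corp")
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Author (jsmith) /Creator (Acrobat PDFMaker 9.1 for Word)"
              b" /Producer (Adobe PDF Library 9.0) >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for key, values in profile([("ooxml", SAMPLE_DOCX), ("pdf", SAMPLE_PDF)]).items():
        print(f"{key}: {sorted(values)}")
```

Run the same two functions over the documents on your own public web servers before an attacker does; anything they return is what Office’s Document Inspector and Acrobat’s “Remove Hidden Information” exist to strip before publication.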

Corporate America, take care of your metadata or it will bite you hard -gAtO oUt

07/21/12

Anon iWot Team (Internet War On Terror)

gAtO sEe – a new twist on Anonymous – they are going after the money trail of terrorists; Dahabshiil International Funds Transfer is their target. This team calls itself iWot - “Internet War On Terror”. Now, the reason gAtO looked carefully at this group is because #1 they are going after bankers –lulz– and #2 this is a well thought-out plan: first show they have the real information, then the big data dump. But there is more to this first announcement -

I kind of followed the data, and when I saw – BAYD0009016 MOHAMED MURSAL SHEIK A/RAHMAN – this is Omar Abdel-Rahman, also known as the Blind Sheikh, of 1993 World Trade Center bombing fame, and tied to — (Somali: Maxamed Mursal Sheikh Cabduraxman), a former deputy district commissioner and Minister of National Assets and Procurement of Somalia. Well, this posting has got my attention.

This list also has CHILDREN’S VILLAGES of SOMALIA and some other innocent-looking people. After looking at some of the names and e-mails and googling a few —> this one is real, there are some real terrorists on this list. These guys have a little class, and I like that in a hacktivist. I will have to keep an eye out for this group, they have interesting lulz -gAtO oUt

The new paste - http://pastebin.com/VqrSV5bG

Untitled paste, posted by a guest on Jul 19th, 2012:

After years of offensive hacking against many companies, governments, etc, we [Anonymous], decided to share data related to an internal confidential project from multiple l33t hackers worldwide. We called that “iWot“, meaning “Internet War On Terror“.

Though we will never forget what happened with Megaupload, Pirate Bay, Sopa, friends, etc, our sub-branch of the Anonymous was created with trusted hackers, to follow a specific goal. This email will be the first from us. Thanks to spread our words

We officially declare War on Terror. This is a call for actions of monitoring and/or destruction of companies and institutions that do work with terrorists, rogue countries, etc.

We already broke the security of multiple networks on earth. Each time we will be able to control them, and to steal data, we will then publish our documents on the net, or share them directly to people involved with Newspapers, Justice, etc, worldwide. Some documents, about some banks working with rogue countries, were already shared to some email addresses. And we are quite happy to see that the truth is on its way.. sometimes..

As some of us already explained, we are not a terrorist organization. It’s just that we are fed up with the fact that our society is losing time. So we just decided to speed-up actions against terrorists and their friends. We will first try to eradicate the sources of terrorist financing. It is not possible to know at this time the precise scope or the duration of our actions to counter terrorist threats linked to Internet.

Today, as a proof of concept, we will share information about a really evil bank, hiding ugly activities with terrorists. It’s called “Dahabshiil“, an international funds transfer company. Their networks have been broken by different hacker teams for many years. And it’s time for us to share information here in this mail.

Thanks to Wikileaks, secret documents related to Guantanamo detainees publicly explained part of the truth about Dahabshiil. A veteran extremist and a probable associate of Usama Bin Laden, provided direct financial support to Al-Qaeda, Al-Wafa and other terrorist and terrorist support entities through the Somalia-based company Dahabshiil. This bank is currently helping Al-Qaeda, including members of Al-Shabaab.

Despite the fact that the CEO of Dahabshiil tried to get rid of some people, and sometimes people from its own family, this will not be enough for us. We have stolen many many many documents from Dahabshiil. We have destroyed many workstations in Australia, Kenya, USA, UK, Sweden, Somalia, Dubai, Djibouti, etc. We can transfer money from accounts to accounts, despite the stupid security with tokens, passwords, etc. We have modified Windows kernel on many servers and workstations. We have added different kind of cyber-bombs hidden on many workstations and servers. We have pwned switches, routers, firewalls, satellite stuff from Telco, etc.

As Dahabshiil members might think we are lying, we have to share data. Feel free to download and copy the data before everything get destroyed, as it’s totally illegal. And now, if Dahabshiil members were unable to understand why the network sometimes crashed, the computers sometimes died, data from internal servers sometimes died, etc, do not search. It was just our actions against you, with people from our team. As an example, we recently destroyed data on the internal LAN in Somaliland, from the Dahabshiil Headquarters (Hargeisa, etc). That’s why you guys, lost Gigs of internal sensitive data on main servers like \\Dahabshiil7, \\Dahabshiil6…

By the way, we also found out that many employees were looking at facebook stuff, personal email, and tons of incredible hardcore porn web sites especially in countries from the Arabian Peninsula, and from the bank (not at home). Also, the password of the account Administrator of the internal LAN in Somaliland, was mainly “Dahab1234”. Awesome. This is how they protect data of their customers. Quite a serious bank. As we have remote 0days against some of their tools, we easily took the control of any workstations there. Then we bounced and bounced, in order to explore this bank. Hopefully, we were a huge number of hackers at the same time, and during months, which helped at stealing sensitive data, spying on end-users and banking transactions, etc. After months and months of fun against these guys who support Terror on earth, we just decided that it was time to destroy them.

This was just the beginning… and just a proof. So from now, dear Dahabshiil members and customers, you can expect a global internal destruction in less than 2 months. You can keep on asking external consultants, even in Europe, about how to install Antivirus, Firewalls, NAC, IPS, Waf, etc. But we will still destroy your networks, steal your data, and sometimes share internal stuff to the public. This is called a sabotage… We had first to be sure that you could not get rid of our offensive tools. That’s why we used two layers of tools. Skilled stuff (with kernel 0dd modifications, etc), and easy tricks (to annoy and to play with your network/data). Now it’s ready. The bombs will kill your networks and your data in less than 2 months. You can also backup the poor data that you still have, but we also infected random Office/PDF documents left, so you’ll just backup some of our bombs, and your network will still die.

If you want us to immediately stop this cyber-sabotage, it’s quite easy. We just ask you to stop lying, to recognize your help with Somalia terror, and to officially change your behavior. We need a public message from you, as a proof. As you might have seen, public excuses of far bigger banks than Dahabshiil, were done recently, from people who worked with rogue countries, etc. So, we just ask you to do the same and to change. We will monitor you, as we already made these years. You have 2 months. Maximum. If we see that you are still asking for help against us, to your supposed-to-be IT Security consultants (UK, etc), or if we see that you are trying to clean our stuff in your kernels, etc, we will then launch the cyber-bombs before the 2 months. You don’t have the choice. You have to submit. You have to leave this world of hate, this world of slaughters, this world of killers, and to leave terrorists behind you.

Of course you needed money. Of course most of your employees/customers are not terrorists. Of course most of your employees/customers didn’t know your links with Terror. Of course someone else would have done this in your place. Of course our offensive actions are totally illegal (like yours when you support Terror). But according to us, these reasons are not good reasons. The countdown is already running. It’s too late. You have the choice between living, or dying with honors in the family of people who helped terrorists. You will be our first public example of cyber-destruction, as others already changed their minds. Be smart. Choose life.

And now a message to Dahabshiil customers: if you have money in this bank, if you are a customer of this bank, if you use this bank to transfer money from a country to another, and even if you are not a terrorist, we will give you less than 2 months before we either publish your personal information (passport, ID card, postal address, phone, email, etc), or we destroy your account by moving your money elsewhere, which will not be complex. As an example, we already shared this kind of information, as a proof of capability. Less than 2 months. After that, don’t cry if you lost your money at Dahabshiil, even if they told you that everything was under control (lulz), that they were able to clean their systems (lulz), etc. So, just take your money out of Dahabshiil now (!), and leave them behind you, before the destruction of this unofficial financial support for terrorists. First casualty of war is innocence. Be smart. Choose life.

And now a message to people in the same situation as Dahabshiil: If you are working with terrorists, if you are helping them, if you are linked to them, we will find you, and you will also be destroyed by our cyber-team, sooner or later. There is no place for you on earth. No place for you on Internet. No place for hate. Make love. Make kids. Be smart. Choose life.

We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us

Anon iWot Team (Internet War On Terror)

Bonus: This is really sad to see that some companies helped Dahabshiil after our intrusions (sometimes from Europe, etc). We won’t reveal the names of these IT Security workers, cause we understood that they just wanted to make money. But, as a last advice for them and their family, thanks to think twice the next time you will help Dahabshiil and terrorists. You are helping people who helped Al-Qaeda, like many other unscrupulous Islamic banks that helped at laundering kind of donations. We know you. You are not anon anymore. *We are Anonymous.*

Credits: though we will hide the identity of the people who helped us, we will at least share our thanks to their organizations, for those who accepted it. So, many many thanks to people from Iomart (!), from Vizada and from Somtel. Some of them accepted to share technical stuff (passwords, remote access, etc) as they do follow our spirit and our values against Terror. *We are legion.*

Contacts: no need to answer to this email address, as it’s not ours. If you want to meet us, as always we’ll be at Defcon soon, and we hope that there will be a special prize for Dahabshiil, though it’s a bit late to propose them to the Pwnie Awards. We do believe that being an international bank, with really lame security, fake official answers, and real links with terrorists to kill people in Africa, Europe or America (Al-Qaeda), should bring them to a special prize. They deserve it. *We do not forget.*

Future: if you want to participate, just share your thoughts or ideas of targets on Internet with the official related proofs showing links with terrorists. Like any skilled hackers, we can have remote access anywhere on earth (gov, telco, comp, etc) as the current IT Security community is just selling dreams and fake products. If you like our values, thanks to support Anonymous iWot (internet War on terror) and put tags like #anoniwot2012 so that we can find your list of targets, your messages, your help, your ideas, etc. You cannot contact us directly, so, please shout enough so that we can hear you. You can just share message to our teams on public spaces, and we’ll read them. Before that, if you enjoyed our specific actions against terrorists in Somalia, thanks to really show your support about this Somaleaks operation, with the tag #somaleaks and just wait, as many other places might burn sooner or later. *Expect us.* –DATA Dump  http://www.animegist.com/old//Somaleaks/

07/5/12

The Deep Dark Web -Book

gAtO sAy -mEoW you all- we have a new book coming out soon, “The Deep Dark Web”, and I wrote this as the foreword for the book; I thought it was interesting …//looking for peer review of the book…write us

This book is to inform you about “The Deep Dark Web”. We hear that it’s a bad place full of crooks and hackers, but it is more a place where you have total anonymity as an online user, and yes, there are ugly places in the dark web, but they are a small part of it. What it is really all about is freedom of expression, freedom of speech worldwide, supported by “us/we”, the users of the network. It’s not controlled by any government, but it is blocked by a few: Syria, Iran, Ethiopia and China, to name a few governments that want to deny their own people free access to information, the ability to speak freely about their grievances, and to unite to tear down the walls of oppression.

Pierluigi and I (gAtO) share a passion for cyber security and we write different blogs: Pierluigi has http://securityaffairs.co/wordpress/ and my site is uscyberlabs.com. We also write for other blogs and print media. We didn’t know it at the time, but we were writing cyber history as the 2011-2012 cyber explosion took off; we were at ground zero writing about Stuxnet, HBGary, the LulzPirates and Anonymous, but the Arab Spring was an awakening:

The recent revolution in Egypt that ended the autocratic presidency of Hosni Mubarak was a modern example of successful nonviolent resistance. Social media technologies provided a useful tool for the young activists to orchestrate this revolution. However, the repressive Mubarak regime prosecuted many activists and censored a number of websites. This made their activities precarious, making it necessary for activists to hide their identity on the Internet. The anonymity software Tor was a tool used by some bloggers, journalists and online activists to protect their identity and to practice free speech.

Today we have lots of anonymous communication tools: I2P, Freenet, GNUnet and Tor, to name a few. Why did the TorProject.org Tor .onion network become the de facto application for free, private, anonymized Internet access? My conclusion is its humble beginnings: it was sponsored by the U.S. Naval Research Laboratory and DARPA (Defense Advanced Research Projects Agency), and maybe you have heard of DARPA, they kinda created the Internet a long time ago. The government wanted a secure communication medium that would piggyback on the established Internet. From my point of view, when they saw how well this worked, the government let its agents quietly use the network for covert operations, the CIA just to name one of the alphabet soup agencies that use it. For example, a branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

Journalists got hold of this tool, and they too were able to file reports before government agents censored their interviews and film footage. The EFF (Electronic Frontier Foundation) got behind the Tor network and promoted it as a way of maintaining civil liberties online. When a business executive visited a foreign country (like China, known to monitor foreigners’ Internet access) they now had a way to connect to their corporate HQ data center without being monitored and giving away IP (intellectual property). The Tor network became too good, and the bad guys moved in to keep their illegal business safer from the law. Cyber criminals have used the clear web since the start, so of course they went over to the Tor .onion network, because it works if you use it right and keeps you anonymous online.

With all this happening, and the “Year of the Hack 2011”, you can see why security geeks like Pierluigi and I became intrigued with this subject, and we teamed up to write this manuscript hoping to answer some of the questions our friends and peers were asking us about this mysterious hidden world called the deep dark web. We outlined a table of contents, started to write about it in our blogs, and the story unfolds from there to you. We hope to educate you on how this network works without too much geek talk (ok, just a little). We cover the cyber criminals and their ecosystem, and we cover the financial currency (Bitcoin) that is replacing fiat currencies in these hidden markets during these unstable financial times. We tried to cover all the good, the bad and the ugly of the .onion network. We hope it will answer some of your questions, but I am sure more questions will come up, so feel free to come to our websites, give us a shout and ask your questions about the deep dark web…. - gAtO oUT

07/2/12

The future of the Deep Dark Web

gAtO tHiNk’S - In today’s world we want a little freedom, a little privacy online, and more people will use encrypted methods to browse the web. Julian Assange said it best (I paraphrase): in society we, as online persons, have an expectation of certain rights to privacy and just want 3 basic things:

1.) Freedom of Communication

2.) Freedom of Movement

3.) Freedom of Economics

In today’s world our technology culture encourages people to give away every detail of their lives. On Facebook, Twitter and LinkedIn we tell people all kinds of personal information. Everything you tell these websites now belongs to them legally, and they will do whatever they want with this data. They also want your shopping habits and your reading habits, and now they want to integrate with other sites to extract even more information. You don’t think so? How many cookies do you have on your computer??? (I bet you don’t have a clue.) What were you doing at 5:30pm last Tuesday??? Google knows, Facebook knows, Twitter knows —> they all know. They all know your friends and your enemies.

Today we are tied to cyberspace in almost every aspect of our lives – social – economy – culture – political – ethics – money – wants – desires – greed – so me, gAtO, I want secure freedom of communication, Tor-style anonymized networks, for some of my personal questions.

 As more people use encrypted methods to browse the Web, it will become trickier for law enforcement agencies to intercept private communications in real-time, causing them to focus instead on tapping data that is stored in the cloud, according to the draft of an academic paper by a former privacy advisor to the Clinton Administration.

So this means that the legal beagles want to scare you more and more. I was just reading a post where someone said “I don’t like to cruise the dark web because I’m afraid of identity theft”…// The Tor .onion network hides who and where you are from the sites you visit, but if you log in to Facebook and start giving away your information, well, you have just defeated what a Tor-style network does for you; your anonymity is now gone.

Some segment of the cyber world will never need secure communication, but we must ask what our human values online are. Are we ready to let everyone know the truth about ourselves? The technology for anonymized networks is here to stay, and it’s not good or bad, but it is powerful and a bit complicated. The watchers of the Watch need to keep our eyes open for this one - gAtO oUt