07/12/12

OSx -Tor Web Crawler Project

OSx Curl .onion sites -how 2 guide- Tor Web Crawler Project

gATO hAs - been looking into mapping the Tor -.onion network crawling it from aA to zZ , from 1-7 all 16 digits. I use OSx for most of my work and I wanted to curl an .onion site and check it out. As I dug around I found that if I just check my Vidalia.app it will show me were everything is located. Then the fun begins

find your /TorBrowser_en-US-6.app then click and look at the file Info  then go to: TorBrowser_en-US-6.app/Contents/MacOS/

cd - TorBrowser_en-US-6.app/Contents/MacOS/

once here :

- this will show you the files

ls -fGo 

total 5976

drwxr-xr-x  7 richardamores      238 Jun  8 07:11 .

drwxr-xr-x  7 richardamores      238 Feb 19 06:54 ..

drwxr-xr-x  3 richardamores      102 Feb 19 06:54 Firefox.app

-rwxr-xr-x  1 richardamores  3045488 Feb 19 06:54 tor

-rwxr-xr-x  1 richardamores     1362 Feb 19 06:54 TorBrowserBundle

drwxr-xr-x  4 richardamores      136 Feb 19 06:54 Vidalia.app

-rw-r–r–  1 richardamores     6435 Jun  8 07:11 VidaliaLog-06.08.2012.txt

Now I fire up the tor application ./tor

Next open up another Terminal box and check to see if Tor port is open and LISTENing on port 9050

netstat -ant | grep 9050 # verify Tor is running

Once you can see port 9050 LISTEN then your ready to use curl—

curl -ivr –socks4a 127.0.0.1:9050 http://utup22qsb6ebeejs.onion/

curl -ivr –socks4a 127.0.0.1:9050 http://nwycvryrozllb42g.onion  

curl -ivr –socks4a 127.0.0.1:9050  http://2qd7fja6e772o7yc.onion/

curl -ivr –socks4a 127.0.0.1:9050 http://5onwnspjvuk7cwvk.onion/

curl -ivr –socks4a 127.0.0.1:9050 http://6sgjmi53igmg7fm7.onion/

curl -ivr –socks4a 127.0.0.1:9050 http://6vmgggba6rksjyim.onion/

Here are a few site that you can check out:../ curl is just one of those tools that keeps on giving and of course if I can get one APP to work thru Tor on OSx, then I can get other apps to use Tor as a proxy for all my line command –time to have some fun- gATO oUt

Lab -Notes

  1. sudo apt-get install tor
  2. sudo /etc/init.d/tor start
  3. netstat -ant | grep 9050 # verify Tor is running

here is a good crawler  to play with

<?php

$ch = curl_init(‘http://google.com’);

curl_setopt($ch, CURLOPT_HEADER, 1);

curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);

curl_setopt($ch, CURLOPT_PROXY, ‘https://127.0.01:9050/’);

curl_exec($ch);

curl_close($ch);

<?php

$ch = curl_init(‘http://google.com’);

curl_setopt($ch, CURLOPT_HEADER, 1);

curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);

// Socks5

curl_setopt($ch, CURLOPT_PROXY, “localhost:9050″);

curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);

curl_exec($ch);

curl_close($ch);

Tor Web Crawler

http://stackoverflow.com/questions/9237477/tor-web-crawler

did not work – netstat shows it on socks4 not socks5

curl -s –socks5-local 127.0.0.1:9050 –user-agent “Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US;rv:1.9.2.3) \ Gecko/20100401 Firefox/3.6.3″ -I http://utup22qsb6ebeejs.onion/

turn on ToR

Run  /Users/gatomalo/Downloads/TorBrowser_en-US-6.app/Contents/MacOS/tor

cd /Users/gatomalo/Downloads/TorBrowser_en-US-6.app/Contents/MacOS

./tor

now check for 9050 running proxy

netstat -ant | grep 9050

Now run your network commands thru socks port 9050

./Users/gatomalo/Downloads/TorBrowser_en-US-6.app/Contents/MacOS/tor

ls -fGo

total 5976

drwxr-xr-x  7 richardamores      238 Jun  8 07:11 .

drwxr-xr-x  7 richardamores      238 Feb 19 06:54 ..

drwxr-xr-x  3 richardamores      102 Feb 19 06:54 Firefox.app

-rwxr-xr-x  1 richardamores  3045488 Feb 19 06:54 tor

-rwxr-xr-x  1 richardamores     1362 Feb 19 06:54 TorBrowserBundle

drwxr-xr-x  4 richardamores      136 Feb 19 06:54 Vidalia.app

-rw-r–r–  1 richardamores     6435 Jun  8 07:11 VidaliaLog-06.08.2012.txt

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

curl -S –socks5-hostname 127.0.0.1:9050 -I http://utup22qsb6ebeejs.onion/

HTTP/1.1 200 OK

Date: Thu, 12 Jul 2012 17:49:49 GMT

Server: Apache/2.2.22 (Ubuntu)

X-Powered-By: PHP/5.3.10-1ubuntu3.2

Set-Cookie: fpsess_fp-a350e65d=8hg0upuuhcpuf4pgvg45l9c2b2; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Vary: Accept-Encoding

Transfer-Encoding: chunked

Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd”>

<html xmlns=”http://www.w3.org/1999/xhtml”>

<head>

<title>My Hidden Blog</title>

<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″ />

<!– start of jsUtils –>

<script type=”text/javascript” src=”http://utup22qsb6ebeejs.onion/fp-plugins/jquery/res/jquery-1.4.2.min.js”></script>

<script type=”text/javascript” src=”http://utup22qsb6ebeejs.onion/fp-plugins/jquery/res/jquery-ui-1.8.2.custom.min.js”></script>

<!– end of jsUtils –>

<!– FP STD HEADER –>

<meta name=”generator” content=”FlatPress fp-0.1010.1″ />

<link rel=”alternate” type=”application/rss+xml” title=”Get RSS 2.0 Feed” href=”http://utup22qsb6ebeejs.onion/?x=feed:rss2″ />

<link rel=”alternate” type=”application/atom+xml” title=”Get Atom 1.0 Feed” href=”http://utup22qsb6ebeejs.onion/?x=feed:atom” />

<!– EOF FP STD HEADER –>

<!– FP STD STYLESHEET –>

<link media=”screen,projection,handheld” href=”http://utup22qsb6ebeejs.onion/fp-interface/themes/leggero/leggero/res/style.css” type=”text/css” rel=”stylesheet” /><link media=”print” href=”http://utup22qsb6ebeejs.onion/fp-interface/themes/leggero/leggero/res/print.css” type=”text/css” rel=”stylesheet” />

<!– FP STD STYLESHEET –>

Some other curl switches =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

–connect-timeout <seconds>

Maximum time in seconds that you allow the connection to the server to take.  This only limits the con-

nection  phase,  once  curl  has  connected  this  option is of no more use. See also the -m/–max-time

option.

 

If this option is used several times, the last one will be used.

 

-D/–dump-header <file>

Write the protocol headers to the specified file.

 

This  option  is handy to use when you want to store the headers that a HTTP site sends to you. Cookies

from the headers could then be read in a second curl invocation by using the  -b/–cookie  option!  The

-c/–cookie-jar option is however a better way to store cookies.

 

When  used  in  FTP,  the  FTP  server response lines are considered being “headers” and thus are saved

there.

 

If this option is used several times, the last one will be used.

 

 

-f/–fail

(HTTP)  Fail silently (no output at all) on server errors. This is mostly done to better enable scripts

etc to better deal with failed attempts. In normal cases when a HTTP server fails to  deliver  a  docu-

ment,  it returns an HTML document stating so (which often also describes why and more). This flag will

prevent curl from outputting that and return error 22.

 

This method is not fail-safe and there are occasions where  non-successful  response  codes  will  slip

through, especially when authentication is involved (response codes 401 and 407).

 

 

 

–ssl

(FTP,  POP3,  IMAP, SMTP) Try to use SSL/TLS for the connection.  Reverts to a non-secure connection if

the server doesn’t support SSL/TLS.  See also –ftp-ssl-control and –ssl-reqd for different levels  of

encryption required. (Added in 7.20.0)

 

This  option  was  formerly known as –ftp-ssl (Added in 7.11.0) and that can still be used but will be

removed in a future version.

 

-H/–header <header>

(HTTP)  Extra  header to use when getting a web page. You may specify any number of extra headers. Note

that if you should add a custom header that has the same name as one of the internal  ones  curl  would

use,  your externally set header will be used instead of the internal one. This allows you to make even

trickier stuff than curl would normally do. You should not replace internally set headers without know-

ing perfectly well what you’re doing. Remove an internal header by giving a replacement without content

on the right side of the colon, as in: -H “Host:”.

 

curl will make sure that each header you add/replace is sent with the proper  end-of-line  marker,  you

should thus not add that as a part of the header content: do not add newlines or carriage returns, they

will only mess things up for you.

 

See also the -A/–user-agent and -e/–referer options.

 

This option can be used multiple times to add/replace/remove multiple headers.

 

-o/–output <file>

Write output to <file> instead of stdout. If you are using {} or [] to fetch  multiple  documents,  you

can  use ‘#’ followed by a number in the <file> specifier. That variable will be replaced with the cur-

rent string for the URL being fetched. Like in:

 

curl http://{one,two}.site.com -o “file_#1.txt”

 

or use several variables like:

 

curl http://{site,host}.host[1-5].com -o “#1_#2″

 

You may use this option as many times as the number of URLs you have.

 

See also the –create-dirs option to create the local directories dynamically. Specifying the output as

‘-‘ (a single dash) will force the output to be done to stdout.

 

-r/–range <range>

(HTTP/FTP/SFTP/FILE) Retrieve a byte range (i.e a partial document) from a HTTP/1.1, FTP or SFTP server

or a local FILE. Ranges can be specified in a number of ways.

 

0-499     specifies the first 500 bytes

 

500-999   specifies the second 500 bytes

 

-500      specifies the last 500 bytes

9500-     specifies the bytes from offset 9500 and forward

 

0-0,-1    specifies the first and last byte only(*)(H)

 

500-700,600-799

specifies 300 bytes from offset 500(H)

 

100-199,500-599

specifies two separate 100-byte ranges(*)(H)

 

 

 -v/–verbose

Makes  the fetching more verbose/talkative. Mostly useful for debugging. A line starting with ‘>’ means

“header data” sent by curl, ‘<‘ means “header data” received by curl that is hidden  in  normal  cases,

and a line starting with ‘*’ means additional info provided by curl.

 

Note  that if you only want HTTP headers in the output, -i/–include might be the option you’re looking

for.

 

If you think this option still doesn’t give you enough details, consider using –trace or –trace-ascii

instead.

 

This option overrides previous uses of –trace-ascii or –trace.

 

Use -s/–silent to make curl quiet.

07/6/12

Online Security Basic -should I use encryption

gAto fOuNd - this -/ Basic Security Guide /- a while ago in the .onion and while I don’t agree with everything in this write-up I learned some new things. At the end of the day –/ they can’t take away what’s in your head -always be a critical thinker - gAtO oUt

Online Security Basic - link are .onionLand

Transcribed from http://g7pz322wcy6jnn4r.onion/opensource/generalguide.html on 2011-04-16.

Contents[hide]

Basic F.A.Q.

What is encryption?

Encryption is a method of encoding information in such a way that it is computationally difficult for eavesdroppers to decode, but computationally easy for the intended recipient to decode. In practical terms, encryption makes it almost impossible for you to be successfully wiretapped. Encryption can also make it essentially impossible for computer forensic teams to gather any data from your hard disk drive. Encryption is the process of making information difficult or impossible to recover with out a key. The key is either a passphrase or a huge random number protected by a passphrase. Encryption algorithms fall into two primary categories: communications and storage. If you use a program such as GPG to encrypt your E-mail messages, you are using encryption for communications. If you use a program such as Truecrypt to encrypt your hard disk drive, you are using encryption for storage.

Is there a big difference between storage and communication encryption?

Yes. Data storage encryption often uses only symmetric algorithms. Communication encryption typically uses a combination of asymmetric and symmetric algorithms. Asymmetric algorithms are generally far easier to break than symmetric algorithms. In practice this is not significant as the computing power required to break either strong asymmetric or strong symmetric algorithms is not likely in the grasp of any agency.

Should I use encryption?

Yes! If you participate in the Internet underground it is essential for your continued freedom that you learn how to use encryption programs. All communications should be encrypted as well as all stored data. For real time communication encryption we suggest either Pidgin or Adium instant messages with the OTR plug-in. For non-real time communication encryption we suggest GPG. Truecrypt does a great job of encrypting stored data and can also encrypt the OS partition if you use Windows. Various flavors of Linux and Unix also allow for the OS partition to be encrypted although the particular program used will vary. If an alternative installation CD is used Ubuntu allows for OS partition encryption during the installation process.

What is plausible deniability?

When discussing stored data encryption plausible deniability means that an encrypted container can decrypt into two different sets of data depending on the key used. Plausible deniability allows for you to pretend to cooperate with authorities with out them being able to tell you are not cooperating. For example, perhaps they demand you give up your password so they can decrypt some of your communications or stored data. If you used a system with plausible deniability you would be able to give them a password that would indeed decrypt the encrypted data. However, the decrypted data they can now see will be non-sensitive data you intentionally allowed for them to decrypt. They can not see your sensitive information and they can not prove that you didn’t cooperate.

Do I need plausible deniability?

Possibly. It really depends on where you live. In the U.K. it is a crime to refuse to give law enforcement your encryption keys on demand. Refusal to reveal encryption keys is punishable by several years in prison, but this is quite possibly a lot less time than you would get if you did reveal your encryption keys. In the U.S.A. the issue has not yet gone to the supreme court and lower judges have ruled in both directions. In general it is a good idea to use plausible deniable encryption when possible. Truecrypt supports plausible deniability for all functions under Windows. For Linux there is no current software supporting out-of-the-box plausible deniability of the OS partition. With Linux you may be able to achieve a type of plausible deniability by encrypting your entire drive and putting the bootloader on another device. Then you can argue the drive was freshly wiped with a PRNG and there is no key to decrypt.

Of course the police can break encryption, right?!

If you are using a strong encryption program (such as GPG, OTR, Truecrypt, etc) and a long and random password (or automatically generated session key, such as OTR) the police are not going to be able to directly break the encryption. This is not to say they can not get your key in other ways! For example they could install a keylogger onto your keyboard or use various transient signal attacks to capture your key while you type it. An emerging method of encryption key compromise uses application layer exploits to remotely grab keys from RAM. These ‘side channel’ attacks need to have active measures taken against them (the best of which are using a strong anonymity solution and hardened OS).

What about the NSA?

The NSA is not going to be able to break strong data storage encryption algorithms (symmetric). They are also probably not able to break strong communication encryption algorithms (asymmetric). Very powerful quantum computers can be used to greatly reduce the bit strength of an encryption algorithm. Symmetric algorithms have their bit strength cut in half. Asymmetric algorithms are easily broken by such powerful computers. If you are using AES-256 a powerful quantum computer will reduce its bit strength to the still unbreakable 128. If you are using even a 4,096 bit RSA key with GPG, a powerful quantum computer can break the encryption. However, keep two things in mind; It is not likely that the NSA or anyone else has such a computer, and anyone sane will assure you that unless you are a foreign military or major terrorist the NSA will not act on any intelligence they gather by by breaking your communication encryption.

But anything can be hacked, right? Why not encryption?

Encryption algorithms are not hacked, they are cryptanalyzed. Not every single thing done with a computer can really be considered hacking. Hackers may be able to exploit the implemented code of a program using an encryption algorithm, but even the best hackers tend to know little about encryption. Hacking and cryptography are not the same field and most hackers who think they know a lot about encryption actually know very little about it. Encryption is a field of pure mathematics and good encryption algorithms are based firmly on the laws of mathematics as they are currently understood. Unless there is some very unlikely discovery in the field of mathematics the security claims made about most encryption algorithms will stand firm even if the best hackers (or even more impressively cryptographers) in the world try and attack them.

Note: Some hackers are skilled enough to side channel your encryption with application layer exploits unless you take hardening counter measures. This is not hacking the encryption algorithm although it is using hacking to counter encryption. Following our general security guide (later on this page!) will make it much harder for hackers to do this. To hack you through Open Source the attacker will first have to compromise Open Source, we have taken many security measures to make this very difficult to do.

Using encryption programs myself is difficult, but Hushmail, Safe-Mail or (Insert name here) will manage it for me!

Fully web based services can not really offer you strong encryption. They manage your keys for you and for this reason they have access to your keys. It does not matter what the company is named or what they promise, all of them are liars and some are probably honeypots. These services will not offer you strong encryption and law enforcement will be able to gain access to your communications. If you play with fire you need to learn how to protect yourself or you will be burned. It is not overly difficult to manage your own encryption and it is the only possible way for you to maintain your security.

What exactly is anonymity?

Anonymity is the property of being indistinguishable from a given set size (number of others). In the way the term is commonly used anonymity is the inability to be traced. A trace could mean that an attacker follows your communication stream from you to the end destination you are communicating with. A trace could also mean that an attacker follows a trail of logs from the end destination you communicate with back to your location. Anonymity solutions make it difficult to trace your communications and by doing so also make it harder to map out the networks you participate in. Anonymity can also be used to prevent censorship. If a server is hosted as part of an anonymity network and its location can not be determined then an attacker is incapable of demanding the censorship of the services hosted by the server.

Why do I need anonymity?

If you are not using an anonymity solution your presence on the Internet can be trivially traced back to your presence in real life. If you are participating in activities on the Internet which you would not want to be traced to your real life identity, you need anonymity. If you are participating in a network you need anonymity to protect yourself from network analysis. If no one on your network is using anonymity solutions and the police bust one of them, they will be able to see who all they communicated with as well as who all those people communicated with etc. Very quickly and with high precision the police will be able to map out the entire network, going ‘outward’ to many degrees. This may be useful for evidence (for use in court) and it is certainly useful for intelligence (so they know where to look next).

I already use encryption so there is no need for me to be anonymous!

Although encryption and anonymity highly compliment each other they serve two different goals. Encryption is used to protect your privacy, anonymity is used to hide your location and protect you from network analysis. Strong anonymity requires encryption, and encryption is greatly benefited when combined with anonymity (after all, it is hard to install a keylogger if you don’t know where the target is located!). If you use strong encryption but no anonymity solution the feds may not be able to see what you say but they will know who you are and who you are talking with. Depending on the structure and purpose of your network, a single compromised node may very well remove all benefits of using encrypted communications. Many of the most realistic and devastating attacks on encryption systems require the attacker to gain a physical presence; if you are not using an anonymity solution this is trivial for them to do. If the feds do not know where you are, they can’t bug your keyboard with a keylogger. Anyone who says you do not need anonymity if you use encryption should be looked at with great suspicion.

Tor exit nodes can spy on my communication streams so I should not use it!

If you use Tor to connect to the open Internet (.com instead of .onion) it is true that the exit node can spy on your communications. You can reduce the risk of this by making sure you only connect to SSL websites (https:// instead of http://). You can further reduce the risk of this by always checking the fingerprint of the SSL certificate and making sure it does not change with out an adequate reason being presented by the site administrator. You can eliminate the risk of a spying exit node in some contexts. For example if you encrypt a message yourself with GPG before you send it, the exit node will not be able to break the encryption even if they are spying.

Tor is not meant for privacy (unless you only access .onions) it is meant for anonymity! If you want privacy while using Tor you will need to either only access .onions or you will need to layer it on yourself by using GPG, SSL, OTR or other encryption on top of it. Using Tor to connect to the open Internet with out using any privacy tools yourself can actually reduce your privacy from some attackers. Remember, Tor to the open Internet is for anonymity it is not for privacy. Anonymity is just as important as privacy. Also, networking tools with a larger focus on privacy than anonymity (such as VPNs), will not offer you privacy from law enforcement anymore than Tor will and they also tend to offer substantially worse anonymity!

If I use Tor can I be traced by the feds?

So far, probably not unless you get very unlucky or misconfigure something. The feds are getting better at tracing people faster than Tor is getting better at avoiding a trace. Tor is for low latency (fast) anonymity, and low latency solutions will never have the ability to be as anonymous as high latency (very slow) solutions. As recently as 2008 we have documented proof that FBI working with various other international federal agencies via Interpol could not trace high priority targets using the Tor network. There is a large amount of information indicating that this is still the case. This will not be the case forever and better solutions than Tor are going to be required at some point in the future. This does not mean you should stop using Tor! It is quite possible that no VPN solution offers better anonymity than Tor, and the only low latency network which can be compared to Tor in terms of anonymity is I2P. Freenet is an anonymous datastore which possibly offers better anonymity than Tor or I2P. In the end it is very difficult to say what the best solution is or who it will hold up to, but most people from the academic anonymity circles say Tor, I2P or Freenet are the best three options. JAP is considered worse than the three previously suggested solutions, but better than most VPN services. You should at the very least use an encrypted two hop solution if you want a chance at remaining anonymous from the feds.

Traced is a very particular term. It means that the attacker either can observe your exit traffic and follow it back to your entry point or that the attacker can see your traffic enter a network and follow it to its exit point. Tor does a good job of protecting from this sort of attack, especially if you have not pissed off any signals intelligence agencies. Tor does not protect from membership revealment attacks! It is vital that you understand this attack and take measures to counter it if you are a vendor. To learn more about how to counter this attack keep reading this document, we discuss more in the applied security advice section on this page.

If I use Tor can I be traced by the NSA?

Probably. If you want a chance of being anonymous from the NSA you should research the Mixmaster and Mixminion remailer networks. NSA usually traces people by hacking them and doing a side channel attack. They have dozens of zero day exploits for every major application. This is also how they compromise GPG and FDE. Your best bet to remain anonymous/secure from the NSA is to use ASLR with a 64 bit processor to protect from hacking + Tor + Random WiFi location.Using airgaps can protect from them stealing encryption keys. This would involve using one machine with access to the internet to receive data, transfer the encrypted data to another machine with a CD which you then destroy, and decrypt on a machine with no access to the internet. Don’t reuse transfer devices or else they can act as compromise vectors to communicate between the machine with no internet connection and the machine with internet connection. Mixminion is better than mixmaster.

If I use hacked cable modems am I untraceable?

No, the cable company can trace you and so can the police and feds. However, it will make it more difficult for them to do so. People have been busted using this technique by itself!

If I use hacked or open WiFi am I untraceable?

The degree of untraceability you get by using WiFi access points depends largely on how you are using them. If you always use your neighbors connection, the trace will go to your neighbor before it goes to you. However, if law enforcement make it to your neighbors house before you stop the pattern of behavior, they can use WiFi analysis equipment to trace the wireless signal from your neighbors router and back to you. Many people have been busted this way. Also, if you use many different WiFi access points but they fit into a modus operandi (such as always from a particular type of location, maybe coffee shop) , you can eventually be identified if law enforcement put enough effort into doing so. Some people have been busted using this technique. If you use a brand new random location (harder than it sounds) every time you make a connection your identity can still be compromised, but the amount of effort required increases tremendously (assuming you are protected from side channel attacks anyway, be they CCTV cameras or remote WPS infections). We have not heard of anyone being busted if they used a brand new randomly selected WiFi access point for every connection.

If I send a package domestic to the USA with USPS do they need a warrant to open the package?

Yes, if it is sent in such a way that it could contain communications. For example, a letter will require a warrant but perhaps a very large and heavy box will not. For the most part, they need a warrant. No other mailing company requires a warrant to open any sort of packages. International packages can be inspected by customs with no need for a warrant.

Should I use masking scents, such as perfumes etc?

No, masking scents will not prevent a dog from hitting on the package. Masking scents will however make the package seem more suspicious to humans. Vacuum seal the product and be very careful to not leave any residues.

Applied Security Guide

Step Zero: Encrypt your hosts HDD

If you use Windows this can be done with Truecrypt

If you use Linux there are various ways you can accomplish this, usually an install time option

Step One: Configure the base system, harden OS

Application layer attacks exploit programming or design flaws of the programs you use, in general the goal of such attacks is to take over your system. For a deeper look at application layer exploits please check out the this page. These attacks are very dangerous because they can circumvent a lot of the other security you use, like encryption and anonymity solutions. The good news is that Open Source acts as an application layer firewall between you and everyone you communicate with through Open Source. We have taken great care to harden our server from attack and even if you take no precautions yourself it should not be trivial for you to be hacked through our server. However it is still a good idea for you to harden your own system. You don’t know for sure if you can trust us and there is no reason to be a sitting duck if our server is indeed compromised.

The first step you should take is running the operating system you use to connect to Open Source in a Virtual Machine. We suggest that you use Virtualbox. Virtual machines like Virtualbox create virtual hardware and allow you to run an operating system on this virtual hardware. It sounds complex but you really don’t need to know a lot about the theory, Virtualbox does all the work for you. There are a few reasons why you should use a virtual machine. The primary reason is that if the browser in your virtual machine is hacked the attacker is stuck inside of the virtual machine. The only way they can get to your normal OS is if they find a vulnerability in the virtual machines hypervisor, this adds complexity to their attack. The second reason you should use a virtual machine is because it makes it easier to use Linux if you are used to Windows or Mac OSX. Linux is a lot easier to secure than those operating systems but it is also harder to use. By using a virtual machine you can use your normal OS and Linux at the same time, Linux runs as a guest OS in a window on your normal (host) OS.

It is very simple to set up a virtual machine. Download and install Virtualbox. After launching it you will need to create a new VM. It is pretty simple and the program will walk you through the steps. Make sure to create a large enough virtual drive to install an OS, I suggest around ten gigabytes. You will need an install image so you can put the OS of your choice on the VM. Download the most recent Ubuntu ISO and use this. Remember, it doesn’t really matter if you don’t know how to use Linux. All you are using this VM for is using Firefox to browse Open Source, security comes before ease of use! Now that your virtual machine has been created you need to point it to your Ubuntu install CD. You can do this by going to the machines storage tab in the Virtualbox manager and pointing the CD drive to your install ISO. You will possibly be required to configure your virtual machine to connect to the internet if the default settings do not work for you, but chances are high that they will. Now you need to boot the virtual machine and install Ubuntu. Installing Ubuntu takes a little over half an hour and is very easy, you can simply select to use the default options for almost all of the steps.

Now that Ubuntu has been installed in a virtual machine it is time to start hardening it. The first step is to make sure it is fully patched and up to date. You can do this by going to System -> Administration -> Update manager from the bar on the top of your screen. Make sure you install all new updates because the updates include important security patches. It will take a while to update your system.

Now it is time to do some more advanced hardening steps. These steps may seem to be difficult if you are not very advanced technically, but don’t worry it is all just following instructions and you only have to do it once. Go to Applications -> Accessories -> Terminal from the top bar on your screen. This will launch a command line interface. Now type in the following commands hitting enter after each:

sudo aa-enforce /etc/apparmor.d/*

 

This command enables every AppArmor profile that Ubuntu ships with, including one for Firefox. AppArmor is an application layer firewall and makes it a lot harder for a hacker to compromise an application configured with a profile.

sudo apt-get install bastille

This downloads a generic hardening script that will walk you through some automated steps to make your system more secure.

sudo bastille -c

This launches the bastille hardening script. It will walk you through every step, in general you should select the default option. Make sure you at least read every step, there might be some things you don’t want it to do but in general the default options are good.

Step Two: Configure Tor and GPG, harden Firefox

Follow these simply step by step guides in order

Install TorInstall GPGConfigure Firefox with Tor and Harden it

Although it is not required for customers to know how to use GPG they still should. Our system will protect your communications in some ways. Your messages are stored in encrypted containers set to dismount if an intrusion is detected. Our server is highly hardened and resistant to hackers infiltrating it and spying on your messages. We are also a Tor hidden service and therefor offer encryption from you to us and from us to the people you communicate with. Our server is still the weak point in this system, a particularly skilled hacker could compromise the server and manage to spy on your communications undetected. The server could be traced by an attacker who could then flash freeze the RAM and dump the encrypted container keys. As far as you know we could even be law enforcement, or law enforcement could compromise us at a later date (the first is not true and the second is not likely, but do you really know this?). Our system does not hide your communications from us if we are your adversary, the same is true for Hushmail and Safe-mail. You can protect your communications with high grade encryption algorithms simply by learning to use GPG and it isn’t hard so we highly suggest you do it. Vendors are required to accept GPG encrypted orders!

Step Three: Conceal your membership (VERY IMPORTANT FOR VENDORS)

Using Tor by itself is not enough to protect you, particularly if you are a vendor. Membership revealment attacks combined with rough geolocation intelligence can lead to a compromise! The gist of a membership revealment attack is easy to understand. The attacker merely determines everyone who is connecting to a particular network, even if they are incapable of determining where the traffic being sent through the network is destined for. Tor does a good job of preventing an attacker who can see exit traffic from following the stream back to your location. Unfortunately, if you ship product the attacker can determine your rough geolocation merely by determining where you ship product from. If the attacker already knows your rough geolocation and they are capable of doing a membership revealment attack to determine who all in your area is connected to Tor, they can likely narrow down your possible identity to a very small set size, possibly even a set size of one.

This is not likely to be useful for evidence but it will provide strong intelligence. Intelligence is the first step to gathering evidence. The attacker may put everyone in your area who they detect are connecting to the Tor network under meatspace surveillance looking for evidence of drug trafficking activity. For this reason it is highly important that you protect yourself from membership revealment attacks!

Membership revealment attacks are less a worry for customers (provided financiall intelligence is properly countered to avoid an attacker finding rough customer geolocations!) than they are for vendors. There are a few reasons why this is true. First of all a customer is likely to reveal more about their identity when they place an order than the attacker will be able to determine with a geolocation + membership revealment attack. Secondly, the vendors allowed to operate on Open Source have been highly screened to significantly reduce the probability that any of them are federal agents, but the customers on Open Source are not only anonymous but they are also not screened at all. Third of all, the organizational structure reduces the risk for customers; a customer may work with a few vendors but each vendor is likely to be working with hundreds or thousands of customers. Customers sourcing from Open Source are at minimal risk even if they have products delivered directly to there own residence, vendors working on Open Source at particularly vulnerable to membership revealment attacks due to the open nature of the site.

The primary concern for customers is that they load finances anonymously and the vendor decentralizes their financial network. If a vendor is using a star network (centralized) financial topology there is a risk that an attacker could map out the geographic locations where customers loaded funds. After determining where funding was loaded the attackers could do anonymizer membership revealment attacks in an area around the load point and filter out everyone who is not using an anonymizer. This will likely leave the customer and few others. The attacker may even be able to compare CCTV footage of the load to the users of anonymizers in the area and look for a facial recognition match. To counter this it is important for customers to make use of good financial counter intelligence techniques (E-currency layering being one). Customers may also choose to utilize transients by paying them a fee to load currency, this way the customer avoids being on CCTV at any point. If vendors decentralize funding points (ditch the star network topology) customers will be strongly protected from such attacks, however it is impossible for a customer to ensure that a vendor is using a 1:1 customer to account/pseudonym identification ratio.

There are several ways you can protect yourself from a membership revealment attack, if you are a vendor it would be foolish to not take one of these countermeasures. The primary way to protect from a membership revealment attack is to make sure you do not enter traffic through the same network you exit traffic through. As all traffic to Open Source ‘exits’ through the Tor network, entering your traffic through a VPN first will reduce your vulnerability to membership revealment attacks. The attacker will have to determine who all in your area uses any anonymizing technology and put all of them under meatspace surveillance, there are likely to be far more people in your area using some sort of proxy system than there are people using Tor in particular. This will substantially increase the cost of putting all ‘potential targets’ under surveillance.

Using a VPN is helpful but it is not the most ideal solution. Your crowd space against a membership revealment attack will increase but perhaps not by much depending on the particular area you work out of. Also, a particularly skilled attacker may be able to determine you are using a VPN to connect to Tor by fingerprinting traffic streams. Tor traffic is padded to 512 byte size packets, normal VPN traffic is not. By filtering for 512 byte streams, an attacker can determine who all is using Tor in a given area. VPN’s protect from IP routing based membership revealment attacks but not from traffic fingerprinting membership revealment attacks. However, it is less likely that an attacker will be able to do a traffic fingerprinting membership revealment attack. The Chinese intelligence services apparently are still using IP address based attacks to block access to the Tor network. This is not nearly as effective as traffic fingerprinting based attacks. This could be an indication that traffic fingerprinting membership revealment attacks are more difficult to carry out (likely), however it could also be due to a lack of skill on the part of Chinas intelligence services. It could also be that China is not particularly interested in blocking/detecting all Tor traffic and IP address based attacks meet their requirements.

A better option than using a VPN would be to set up a private VPS and then enter all of your Tor traffic through this. Doing this will make you much more resistant to IP address based membership revealment attacks because now the attacker will not even be able to narrow you down to all people in your area using any anonymity technology. This is still weak to traffic fingerprinting membership revealment attacks!

Perhaps the best option to avoid membership revealment attacks is to use open or cracked WiFi from a different location + Tor every single time you connect. You could even use open Wifi + VPN/VPS + Tor for very high security from membership revealment attacks. Using random (not your neighbors) open/cracked WiFi greatly increaces your resistance to a wide variety of identity revealing attacks. An attacker can still do membership revealment attacks on users of open WiFi but they can no longer gain useful intelligence from the attack. If they detect that an open WiFi connection unrelated to you is using Tor it can not be used to put you under meatspace surveillance unless they manage to identify you (facial recognition from CCTV cameras, etc).

If you are operating as part of a group you can avoid membership revealment attacks via smart organizational policy. The person responsible for communicating with customers should be different from the person shipping orders. Now the customers are incapable of determining where your actual rough geolocation is because product is sent from a different geographic area than you communicate from. Your shipper should be aware that they will potentially come under scrutiny via a geolocation + membership revealment attack, especially if they use Tor to enter traffic.

nother option is to configure Tor to use a bridge. Tor bridges are designed to allow people in nations such as China the ability to connect to the Tor network. China uses IP address based blocking to prevent users from connecting to known Tor nodes. Bridges are Tor entry guards that are not publicly listed and have a limited distribution mechanism. You can get some Tor bridge IP addresses from the Tor website. We do not suggest you use Tor bridges because they replace your entry guard and they are under crowded. This will lead to a lot less multiplexing on your Tor circuit and can hurt your anonymity in other ways, although it will indeed offer some level of protection from membership revealment attacks. China has managed to detect about 80% of Tor bridges, it is likely that NSA knows all of them. Police agencies in the West are probably not yet particularly worried about locating bridge nodes but they can probably do so with near the same accuracy as China. In our opinion it is not smart to rely on a Tor bridge to protect you from membership revealment attacks in most cases.

Step Four: Know how to do safe product transfer, handle finances safe

Note: Although customers sourcing from Open Source are encouraged to take the best security measures they can, it is not likely required for them to utilize advanced operational security regarding mail (such as fake ID boxes, tactical pick utechniques, etc). Because the vendors allowed to be listed here have been highly screened it is likely safe for customers to have product delivered directly to their homes. If you only work with highly trusted and trusted vendors your biggest concern will be a package being intercepted!

 

07/5/12

The Deep Dark Web -Book

gAtO sAy -mEoW you all- we have a new book coming out soon “The Deep Dark Web” and just wanted to write this as the foreword for the book, I thought it was interesting …//looking for peer review of book…write us

This book is to inform you about “The Deep Dark Web”. We hear that it’s a bad place full of crooks and hackers, but it is more a place were you have total anonymity as an online-user and yes there are ugly places in the dark web but it’s a small part of it. What it really is all about it’s freedom of expression, freedom of speech worldwide, supported by “us/we” the users of the network. It’s not controlled by any government, but blocked by a few like Syria, Iran, Ethiopia, China to name a few governments that want to deny their own people free access to information, to speak freely about their grievances and unite to tear down there walls of oppression.

Pierluigi and I (gAtO) share a passion for cyber security we write different blogs Pierluigi has http://securityaffairs.co/wordpress/ and my site is uscyberlabs.com . We also write at other blogs and print media. We did’nt know it at the time but, we were writing cyber history as the 2011- 2012 cyber explosion took off we were at ground zero writing about Stuxnet, HBGrays, the LulzPirates, Anonymous but the Arab Spring was an awaking :

The recent revolution in Egypt that ended the autocratic presidency of Hosni Mubarak was a modern example of successful nonviolent resistance. Social Media technologies provided a useful tool for the young activist to orchestrate this revolution. However the repressive Mubarak regime prosecuted many activists and censored a number of websites. This made their activities precarious, making it necessary for activists to hide their identity on the Internet. The anonymity software Tor was a tool used by some bloggers, journalists and online activists to protect their identity and to practice free speech.

Today we have lot’s of anonymity communication tools I2P, Freenet, Gnunet and Tor to name a few. Why did the TorProject.org Tor-.onion network become the facto application to get free, private, anonymized Internet access. My conclusion is it’s humble beginnings with “Naval Research Project & DARPA (Defense Advanced Research Project Agency) ” sponsored, maybe you heard of DARPA they kinda created the Internet a long time ago. The government wanted to have a communication secure media that would piggy-bak on the establish Internet. From my point of view when they saw how good this worked the government used it to allow it’s agents to quietly use the network for CIA covert operations (just to name a few alphabet soup government agencies that use it). For example a branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

Journalist got a hold of this tool and they too were able to file reports before governments agents censored their interviews and film footage. The EFF (Electronic Frontier Foundation) got a hold of the Tor-networks and promoted it to maintaining civil liberties online. When the common business executive visited a foreign country (like China know to monitor foreigners Internet access) they now had a way to securely connect to their corporate HQ data-center without being monitored and giving away IP (Intellectual Properties). The Tor-Network became to good and the bad guy’s moved in to keep their illegal business safer from the law. The Internet Cyber-criminal has used the claer-web since the start so of course they went over to the Tor-.onion network because it works if you use it right and keeps you anonymous online.

With all this happening and the “Year of the Hack 2011” you can see why security geeks like Pierluigi and I became intrigued with this subject and we teamed up to write this manuscript hoping to answer some of the questions our friends, and peers were asking us about this mysterious hidden world call the deep dark web. We outlined a table of content and started to write about it in our blogs and the story unfolds from here to you. We hope to educate you on how this network works without too much geek talk (ok just a little). We cover the cyber criminals and their ecosystem we cover the financial currency (bitCoins) that is replacing fiat currencies all over the world during this unstable financial times. We tried to cover all the good , the bad and the ugly of the .onion network. We hope it will answer some of your questions but I am sure that more question will come up so feel free to come to our websites and give us a shout and ask your questions about the deep dark web…. - gAtO oUT 

06/27/12

E-Commerce in the Black Market

gAtO hAs - found that e-commerce in the Black Market in the Tor-onion network is a little different than e-commerce in the clear web. Places like the Silk Road that deal with illegal drugs and other black market marketplaces have a lot to think about when they do business and the customers of these services have similar problems that can open them up to being caught and prosecuted. There a few thing that we must examine to understand e-commerce in the deep dark web. Once again gAtO does not recommend doing business with the black market but from a technical and SE view of how these transactions happened we may learn something. I have learned that China,Iran and Syria look for Tor traffic because of the fingerprint of the traffic stream – Tor traffic is padded to 512 byte size packets, normal VPN is not. But we know that the Tor-Project team is working on new and better ways to hide Tor fingerprint so everything is evoling.

Here are a few notes I found that makes you think – mAyBe sI-nO:

Conceal your membership (VERY IMPORTANT FOR VENDORS)

Using Tor by itself is not enough to protect you, particularly if you are a vendor. Membership revealment attacks combined with rough geolocation intelligence can lead to a compromise! The gist of a membership revealment attack is easy to understand. The attacker merely determines everyone who is connecting to a particular network, even if they are incapable of determining where the traffic being sent through the network is destined for. Tor does a good job of preventing an attacker who can see exit traffic from following the stream back to your location. Unfortunately, if you ship product the attacker can determine your rough geolocation merely by determining where you ship product from. If the attacker already knows your rough geolocation and they are capable of doing a membership revealment attack to determine who all in your area is connected to Tor, they can likely narrow down your possible identity to a very small set size, possibly even a set size of one.

This is not likely to be useful for evidence but it will provide strong intelligence. Intelligence is the first step to gathering evidence. The attacker may put everyone in your area who they detect are connecting to the Tor network under meatspace surveillance looking for evidence of drug trafficking activity. For this reason it is highly important that you protect yourself from membership revealment attacks!

Membership revealment attacks are less a worry for customers (provided financiall intelligence is properly countered to avoid an attacker finding rough customer geolocations!) than they are for vendors. There are a few reasons why this is true. First of all a customer is likely to reveal more about their identity when they place an order than the attacker will be able to determine with a geolocation + membership revealment attack. Secondly, the vendors allowed to operate on Open Source have been highly screened to significantly reduce the probability that any of them are federal agents, but the customers on Open Source are not only anonymous but they are also not screened at all. Third of all, the organizational structure reduces the risk for customers; a customer may work with a few vendors but each vendor is likely to be working with hundreds or thousands of customers. Customers sourcing from Open Source are at minimal risk even if they have products delivered directly to there own residence, vendors working on Open Source at particularly vulnerable to membership revealment attacks due to the open nature of the site.

The primary concern for customers is that they load finances anonymously and the vendor decentralizes their financial network. If a vendor is using a star network (centralized) financial topology there is a risk that an attacker could map out the geographic locations where customers loaded funds. After determining where funding was loaded the attackers could do anonymizer membership revealment attacks in an area around the load point and filter out everyone who is not using an anonymizer. This will likely leave the customer and few others. The attacker may even be able to compare CCTV footage of the load to the users of anonymizers in the area and look for a facial recognition match. To counter this it is important for customers to make use of good financial counter intelligence techniques (E-currency layering being one). Customers may also choose to utilize transients by paying them a fee to load currency, this way the customer avoids being on CCTV at any point. If vendors decentralize funding points (ditch the star network topology) customers will be strongly protected from such attacks, however it is impossible for a customer to ensure that a vendor is using a 1:1 customer to account/pseudonym identification ratio.

There are several ways you can protect yourself from a membership revealment attack, if you are a vendor it would be foolish to not take one of these countermeasures. The primary way to protect from a membership revealment attack is to make sure you do not enter traffic through the same network you exit traffic through. As all traffic to Open Source ‘exits’ through the Tor network, entering your traffic through a VPN first will reduce your vulnerability to membership revealment attacks. The attacker will have to determine who all in your area uses any anonymizing technology and put all of them under meatspace surveillance, there are likely to be far more people in your area using some sort of proxy system than there are people using Tor in particular. This will substantially increase the cost of putting all ‘potential targets’ under surveillance.

Using a VPN is helpful but it is not the most ideal solution. Your crowd space against a membership revealment attack will increase but perhaps not by much depending on the particular area you work out of. Also, a particularly skilled attacker may be able to determine you are using a VPN to connect to Tor by fingerprinting traffic streams. Tor traffic is padded to 512 byte size packets, normal VPN traffic is not. By filtering for 512 byte streams, an attacker can determine who all is using Tor in a given area. VPN’s protect from IP routing based membership revealment attacks but not from traffic fingerprinting membership revealment attacks. However, it is less likely that an attacker will be able to do a traffic fingerprinting membership revealment attack. The Chinese intelligence services apparently are still using IP address based attacks to block access to the Tor network. This is not nearly as effective as traffic fingerprinting based attacks. This could be an indication that traffic fingerprinting membership revealment attacks are more difficult to carry out (likely), however it could also be due to a lack of skill on the part of Chinas intelligence services. It could also be that China is not particularly interested in blocking/detecting all Tor traffic and IP address based attacks meet their requirements.

A better option than using a VPN would be to set up a private VPS and then enter all of your Tor traffic through this. Doing this will make you much more resistant to IP address based membership revealment attacks because now the attacker will not even be able to narrow you down to all people in your area using any anonymity technology. This is still weak to traffic fingerprinting membership revealment attacks!

Perhaps the best option to avoid membership revealment attacks is to use open or cracked WiFi from a different location + Tor every single time you connect. You could even use open Wifi + VPN/VPS + Tor for very high security from membership revealment attacks. Using random (not your neighbors) open/cracked WiFi greatly increaces your resistance to a wide variety of identity revealing attacks. An attacker can still do membership revealment attacks on users of open WiFi but they can no longer gain useful intelligence from the attack. If they detect that an open WiFi connection unrelated to you is using Tor it can not be used to put you under meatspace surveillance unless they manage to identify you (facial recognition from CCTV cameras, etc).

If you are operating as part of a group you can avoid membership revealment attacks via smart organizational policy. The person responsible for communicating with customers should be different from the person shipping orders. Now the customers are incapable of determining where your actual rough geolocation is because product is sent from a different geographic area than you communicate from. Your shipper should be aware that they will potentially come under scrutiny via a geolocation + membership revealment attack, especially if they use Tor to enter traffic.

Another option is to configure Tor to use a bridge. Tor bridges are designed to allow people in nations such as China the ability to connect to the Tor network. China uses IP address based blocking to prevent users from connecting to known Tor nodes. Bridges are Tor entry guards that are not publicly listed and have a limited distribution mechanism. You can get some Tor bridge IP addresses from the Tor website. We do not suggest you use Tor bridges because they replace your entry guard and they are under crowded. This will lead to a lot less multiplexing on your Tor circuit and can hurt your anonymity in other ways, although it will indeed offer some level of protection from membership revealment attacks. China has managed to detect about 80% of Tor bridges, it is likely that NSA knows all of them. Police agencies in the West are probably not yet particularly worried about locating bridge nodes but they can probably do so with near the same accuracy as China. In our opinion it is not smart to rely on a Tor bridge to protect you from membership revealment attacks in most cases.

Step Four: Know how to do safe product transfer, handle finances safe

Note: Although customers sourcing from Open Source are encouraged to take the best security measures they can, it is not likely required for them to utilize advanced operational security regarding mail (such as fake ID boxes, tactical pick utechniques, etc). Because the vendors allowed to be listed here have been highly screened it is likely safe for customers to have product delivered directly to their homes. If you only work with highly trusted and trusted vendors your biggest concern will be a package being intercepted!

 

Online Verification Procedures
Over the years, I’ve come across dozens of procedure lists for top-tier merchants regarding online transations and fraud reduction. I’ll detail several companies verification procedures below.

While most virtual carders are aware of the various procedures in place to verify orders placed online, few actually understand the implementation of fraud scoring, and the order in which these verification methods are used.
The Risk Management Toolkit

  • AVS
  • CVV
  • IP/GEO/BIN
  • Cardholder Authentication (VbV/MSC)
  • Phone Verifications
  • Manual Order Reviews
  • Chargebacks & Representments
  • PCI Compliance & Data Security

 

AVS – Address Verification Service

How It Works

  • Provides a Match or Non-Match Result for only the Billing Street # and Billing Zip Code… not the actual address. (i.e. “1234 Test Street” is parsed into “1234” just the same as “1234 Wrong Way” would be).

Implementation

  • Available on any Internet merchant account and virtually any Payment Gateway.
  • Most gateways provide an AVS configuration area where you can specify whether you want to automatically“decline” (i.e. do not settle) an authorization that has an AVS mis-match or non-match.

Benefits

  • Easy to implement Limitations
  • Works only for U.S., CND, U.K. cardholders so this does not help you scrub most international transactions.
  • A growing % of compromised credit cards – especially those obtained through inside jobs or hacked databases– will also contain the necessary information to provide a valid AVS match result.

Recommendation

  • If you handle a mix of int’l and U.S. sales, you will want consider scrubbing with AVS on the U.S. transactions but do NOT scrub via AVS for any international transactions as they will always fail. AVS should not beconsidered a primary means of verifying the validity of a transaction. Nearly 20% of the fraud can potentially be eliminated by scrubbing “Non-Matched” AVS match results.

 

CVV – Card Verification Value

How It Works

  • A service with many names – CVV2, CVC2, CID – but the premise is the same for all.
  • Provides a Match or Non-Match Result for the 3-digit or 4-digit number embossed on the back of the cardholder’s card. The CVV is NOT generally encoded on the magnetic stripe and therefore is less likely to be captured as part of a card skimming tactic.

Implementation

  • Available on any Internet merchant account and virtually any Payment Gateway.
  • Most gateways provide an CVV configuration area where you can specify whether you want to automatically “decline” (i.e. do notsettle) an authorization that has an CVV non-match or non-entry.

Benefits

  • Works for virtually ALL cardholder accounts – both U.S. and international.
  • There is no valid reason why a legitimate cardholder, in possession of the card, would not be able to enter a 100% matching numberfor this.
  • Merchants are not allowed to store CVV and as such the CVV # is less vulnerable than the data used for AVS.

Limitations

  • CVV data can only be used for a real-time transaction. CVV data can not be stored and therefore can not be utilized for Recurring Transactions.

Recommendation

  • CVV is a recommended service to utilize for ALL initial transactions processed. Based on our internal charge-back analysis, merchants can reduce their fraud ratesby as much as 70% by simply requiring a matching CVV result.

 

IP/GEO/BIN Scrubbing

How It Works

  • Compares the IP address of the customer purchasing with their stated geographic location (i.e. why is the customer from California ordering from Europe?)
  • Compares the BIN # (first 6 digits) of the credit card with the IP or stated geographic location of the customer (i.e. the customer isusing an US-issued credit card but they are from Europe?)
  • Based on the IP and BIN # and other customer-inputted data, a vast amount of information can be returned on the transaction.

Implementation

  • Custom direct integration into a service such as MaxMind.com
  • Use an existing integration that is part of a Shopping Cart such as X-Cart, LiteCommerce, osCommerce, ZenCart,ASPDotNetStorefront.
  • Use an existing integration that is part of a Billing System such as WHMCompleteSolution, ClientExec or Ubersmith.

•Use an existing integration that is part of a Payment Gateway such as the Quantum Payment Gateway.

Benefits

  • Fast, Cost Effective and Non-Intrusive
  • Provides merchants with an excellent “do the pieces fit consistently?” analysis.
  • Can block up to 89% of all fraud if properly implemented

Limitations

  • Generally not reliable for AOL users due to the way that AOL routes its traffic (AOL users require a merchant-specific approach)
  • Proxy database is always in a real-time process of being updated as new proxies open up.

Recommendation

  • IP/GEO/BIN fraud scores should be used in the order evaluation process more as a means of flagging transactions as “high risk” formore intensive scrubbing vs. being an outright decline.

Examples of what IP Geo-Location can tell you:

YELLOW ALERTS

  • Free E-mail Address: is the user ordering from a free e-mail address?
  • Customer Phone #: does the customer phone # match the user’s billing location? (Only for U.S.)
  • BIN Country Match: does the BIN # from the card match the country the user states they are in?
  • BIN Issuing Bank Name: does the user’s inputted name for the bank match the database for that BIN?
  • BIN Phone Match: does the customer service phone # given by the user match the database for that BIN?

RED ALERTS

  • Country Match: does the country that the user is ordering from match where they state they are ordering from?
  • High Risk Country: is the user ordering from one of the designated high risk countries?
  • Anonymous Proxy & Proxy Score: what is the likelihood that the user is utilizing an anonymous proxy?
  • Carder E-mail: is the user ordering from an e-mail address that has been used for fraudulent orders?
  • High Risk Username/Passwords: is the user utilizing a username or password used previously for fraud?
  • Ship Forwarding Address: is the user specifying a known drop shipping address

IP/GEO/BIN Scrubbing (Continued)

Open/Anonymous Proxies: an open proxy is often a compromised “zombie” computer running a proxy service that was installed by a computer virus or hacker. The computer is then used to commit credit card fraud or other illegal activity. In some circumstances, an open proxy may be a legitimate anonymizing service that is simply recycling its IP addresses. Detecting anonymous proxies is always an on going battle as new ones pop up and may remain undetected for some time.

26% of orders placed with from open proxies on the MaxMind min Fraud service ended up being fraudulent. Extra verification steps are strongly recommended for any transaction originating from anopen/anonymous proxy.

High-Risk Countries: these are countries that have a disproportionate amount of fraudulent orders, specificallyEgypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco,Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine and Vietnam. 32% of orders placed through the MaxMind min Fraud service from high-risk countries were fraudulent. Extra verification steps should be required for any transaction originating from a high risk country.

Country Mismatch: this takes place when the IP geolocation country of the customer does not match their billing country. 21% of orders placed with a country mismatch on the MaxMind m******* service ended up being fraudulent. Extra verification steps are recommended for any transaction with a country mismatch.

Results that speak for themselves:

ChangeIP – is a DNS and domain name registration provider. The company provides free and custom Dynamic DNS services to more than 50,000 users. Before implementing MaxMind, ChangeIP was losing as much as $1,000 per month because it sold instantly delivered digital goods and could not recover the losses if the purchase turned out to be fraudulent. After implementing MaxMind, losses were reduced by 90%.

MeccaHosting – is a Web hosting company based in Colorado. Since integrating MaxMind, Mecca Hosting has not received a single chargeback. On average, 12-15 fraudulent orders pass through the in-house checks each month but are flagged by MaxMind. Over the last 5 months, this has saved MeccaHosting atleast 60 chargebacks and $6,000 in unnecessary costs.

Red Fox UK – is a Web hosting provider and software development company based in the UK which offers solutions for smalland medium sized businesses all over the world. By using MaxMind, Red Fox UK was able to increase its revenue by 4% while reducing its chargebacks by 90%.

365 Inc. – is a digital media and e-tailer specializing in soccer & rugby with a large international customer base that processes over 10,000 transactions per month. By integrating MaxMind, chargebacks were reduced byover 96% from more than $10,000 per month to less than $500 per month. At this point, most charge backs are general order disputes as opposed to fraud.

Whew. A lot of editing. I’ll post the remainder in a bit.

 

 

Online Verification Procedures
Over the years, I’ve come across dozens of procedure lists for top-tier merchants regarding online transactions and fraud reduction. I’ll detail several companies verification procedures below.

While most virtual carders are aware of the various procedures in place to verify orders placed online, few actually understand the implementation of fraud scoring, and the order in which these verification methods are used.
The Risk Management Toolkit

  • AVS
  • CVV
  • IP/GEO/BIN
  • Cardholder Authentication (VbV/MSC)
  • Phone Verifications
  • Manual Order Reviews
  • Chargebacks & Representments
  • PCI Compliance & Data Security

 

AVS – Address Verification Service

How It Works

  • Provides a Match or Non-Match Result for only the Billing Street # and Billing Zip Code… not the actual address. (i.e. “1234 Test Street” is parsed into “1234” just the same as “1234 Wrong Way” would be).

Implementation

  • Available on any Internet merchant account and virtually any Payment Gateway.
  • Most gateways provide an AVS configuration area where you can specify whether you want to automatically“decline” (i.e. do not settle) an authorization that has an AVS mis-match or non-match.

Benefits

  • Easy to implement Limitations
  • Works only for U.S., CND, U.K. cardholders so this does not help you scrub most international transactions.
  • A growing % of compromised credit cards – especially those obtained through inside jobs or hacked databases– will also contain the necessary information to provide a valid AVS match result.

Recommendation

  • If you handle a mix of int’l and U.S. sales, you will want consider scrubbing with AVS on the U.S. transactions but do NOT scrub via AVS for any international transactions as they will always fail. AVS should not beconsidered a primary means of verifying the validity of a transaction. Nearly 20% of the fraud can potentially be eliminated by scrubbing “Non-Matched” AVS match results.

 

CVV – Card Verification Value

How It Works

  • A service with many names – CVV2, CVC2, CID – but the premise is the same for all.
  • Provides a Match or Non-Match Result for the 3-digit or 4-digit number embossed on the back of the cardholder’s card. The CVV is NOT generally encoded on the magnetic stripe and therefore is less likely to be captured as part of a card skimming tactic.

Implementation

  • Available on any Internet merchant account and virtually any Payment Gateway.
  • Most gateways provide an CVV configuration area where you can specify whether you want to automatically “decline” (i.e. do notsettle) an authorization that has an CVV non-match or non-entry.

Benefits

  • Works for virtually ALL cardholder accounts – both U.S. and international.
  • There is no valid reason why a legitimate cardholder, in possession of the card, would not be able to enter a 100% matching numberfor this.
  • Merchants are not allowed to store CVV and as such the CVV # is less vulnerable than the data used for AVS.

Limitations

  • CVV data can only be used for a real-time transaction. CVV data can not be stored and therefore can not be utilized for Recurring Transactions.

Recommendation

  • CVV is a recommended service to utilize for ALL initial transactions processed. Based on our internal charge-back analysis, merchants can reduce their fraud ratesby as much as 70% by simply requiring a matching CVV result.

 

IP/GEO/BIN Scrubbing

How It Works

  • Compares the IP address of the customer purchasing with their stated geographic location (i.e. why is the customer from California ordering from Europe?)
  • Compares the BIN # (first 6 digits) of the credit card with the IP or stated geographic location of the customer (i.e. the customer isusing an US-issued credit card but they are from Europe?)
  • Based on the IP and BIN # and other customer-inputted data, a vast amount of information can be returned on the transaction.

Implementation

  • Custom direct integration into a service such as MaxMind.com
  • Use an existing integration that is part of a Shopping Cart such as X-Cart, LiteCommerce, osCommerce, ZenCart,ASPDotNetStorefront.
  • Use an existing integration that is part of a Billing System such as WHMCompleteSolution, ClientExec or Ubersmith.

•Use an existing integration that is part of a Payment Gateway such as the Quantum Payment Gateway.

Benefits

  • Fast, Cost Effective and Non-Intrusive
  • Provides merchants with an excellent “do the pieces fit consistently?” analysis.
  • Can block up to 89% of all fraud if properly implemented

Limitations

  • Generally not reliable for AOL users due to the way that AOL routes its traffic (AOL users require a merchant-specific approach)
  • Proxy database is always in a real-time process of being updated as new proxies open up.

Recommendation

  • IP/GEO/BIN fraud scores should be used in the order evaluation process more as a means of flagging transactions as “high risk” formore intensive scrubbing vs. being an outright decline.

Examples of what IP Geo-Location can tell you:

YELLOW ALERTS

  • Free E-mail Address: is the user ordering from a free e-mail address?
  • Customer Phone #: does the customer phone # match the user’s billing location? (Only for U.S.)
  • BIN Country Match: does the BIN # from the card match the country the user states they are in?
  • BIN Issuing Bank Name: does the user’s inputted name for the bank match the database for that BIN?
  • BIN Phone Match: does the customer service phone # given by the user match the database for that BIN?

RED ALERTS

  • Country Match: does the country that the user is ordering from match where they state they are ordering from?
  • High Risk Country: is the user ordering from one of the designated high risk countries?
  • Anonymous Proxy & Proxy Score: what is the likelihood that the user is utilizing an anonymous proxy?
  • Carder E-mail: is the user ordering from an e-mail address that has been used for fraudulent orders?
  • High Risk Username/Passwords: is the user utilizing a username or password used previously for fraud?
  • Ship Forwarding Address: is the user specifying a known drop shipping address

IP/GEO/BIN Scrubbing (Continued)

Open/Anonymous Proxies: an open proxy is often a compromised “zombie” computer running a proxy service that was installed by a computer virus or hacker. The computer is then used to commit credit card fraud or other illegal activity. In some circumstances, an open proxy may be a legitimate anonymizing service that is simply recycling its IP addresses. Detecting anonymous proxies is always an on going battle as new ones pop up and may remain undetected for some time.

26% of orders placed with from open proxies on the MaxMind min Fraud service ended up being fraudulent. Extra verification steps are strongly recommended for any transaction originating from an open/anonymous proxy.

High-Risk Countries: these are countries that have a disproportionate amount of fraudulent orders, specificallyEgypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco,Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine and Vietnam. 32% of orders placed through the MaxMind min Fraud service from high-risk countries were fraudulent. Extra verification steps should be required for any transaction originating from a high risk country.

Country Mismatch: this takes place when the IP geolocation country of the customer does not match their billing country. 21% of orders placed with a country mismatch on the MaxMind m******* service ended up being fraudulent. Extra verification steps are recommended for any transaction with a country mismatch.

Results that speak for themselves:

ChangeIP – is a DNS and domain name registration provider. The company provides free and custom Dynamic DNS services to more than 50,000 users. Before implementing MaxMind, ChangeIP was losing as much as $1,000 per month because it sold instantly delivered digital goods and could not recover the losses if the purchase turned out to be fraudulent. After implementing MaxMind, losses were reduced by 90%.

MeccaHosting – is a Web hosting company based in Colorado. Since integrating MaxMind, Mecca Hosting has not received a single chargeback. On average, 12-15 fraudulent orders pass through the in-house checks each month but are flagged by MaxMind. Over the last 5 months, this has saved MeccaHosting atleast 60 chargebacks and $6,000 in unnecessary costs.

Red Fox UK – is a Web hosting provider and software development company based in the UK which offers solutions for smalland medium sized businesses all over the world. By using MaxMind, Red Fox UK was able to increase its revenue by 4% while reducing its chargebacks by 90%.

365 Inc. – is a digital media and e-tailer specializing in soccer & rugby with a large international customer base that processes over 10,000 transactions per month. By integrating MaxMind, chargebacks were reduced byover 96% from more than $10,000 per month to less than $500 per month. At this point, most charge backs are general order disputes as opposed to fraud.

This is only a small part of the e-commerce as you can see there are lot’s of opinions on how to do business in the Black market and understanding how it’s done can help us to figure out solution for legit business in the future. - gATO oUt

06/11/12

ToR Black Market CyberCrime EcoSystem

gAtO tHiNkS - the Black Market in cyber space exist in both the surfaceWeb and the darkWeb. For some reason the general internet user thinks of the ToR-.onion network is for bad guys only and only because of the Black Market in the onion network which is a small part of the network… The general concession is the black market rules in ToR onionLand is a joke let me tell you why.

What is the Cyber Black Market:

A black market or underground economy is a market in goods or services which operates outside the formal one(s) supported by established state power.

From DHS CyberCrimes is a bigger threat than terrorism – From Symantec/Norton Cyber Crime Statistics in the SurfaceWeb:

Here are some quotes from their report.

1.Cybercrime cost $388 billion across 24 countries.

2.  69% of adults have been a victim of cybercrime.

3.10% of mobile phone users have experienced cybercrime, up 42% from last year.

4.Cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288B).

White Collar -Cyber Crime

In the Surface Web -CyberSpace- crime is well and dandy but we have become accustom to it – If your a Windows user how many security updates do you get a week, a month. That alone tell you that in the surface Internet we have lot’s of cyber-crime going on — and so pharmacy spam email are normal, offers from Africa millionaire that left you money come every other day. In these hard economic times offers to make big bucks $$ working from home -becoming a re-shipping mules for commercial criminals are normal offers from people looking for jobs. These are all organize cyber criminals groups. dealing in the surface web.

Blue Collar -Cyber Crime

Now take ToR-.onion Black Market: It’s a little more in your face drugs, guns, stolen goods, sex, hacked data- in the darkWeb you know that these merchants are crooks and criminals. In Silk Road or BlackMarket Reload they now verified sellers and now even buyers. To make it look more legit. What does verified mean in these .onion market-places. It usually mean that the admin of the site has somehow check that this is a real person w/real whatever. Or he has done business with someone and they write a nice review. Never thinking that the review could be the crook with another login name just like they do in the surfaceWeb. 

gAtO would not do business with any black market in the surfaceWeb or the darkWeb -If my products are bad at least I can complain to Amazon, I can’t do anything but write a bad review in BlackMarket-Reload in the darkWeb.

  -honest crooks? In the Tor-.onion Black Market you can assume everyone is a thief a crook or a criminal.

CyberCrime EcoSystem. 

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Let’s look at the black market in the surface web.:

WHITE COLLAR CYBER CRIMES – cybercrime ecosystem

ATM skimming: – ATM skimming is proliferating, next to the overall availability of bank plastic cards, holograms and pretty much everything a carder needs to cash out the fraudulently obtained credit card data.

pharmaceutical e-mail spam problem: -The general public is addictive to drugs- legal – illegal – copy-drugs – fake claim drugs – and they e-mail you the consumer you seen them “Viagra” cheap -Canada – Europe – nah it from Asia or Russia.

Eastern Europe is the epicenter of the cybercrime epidemic-financially-motivated cybercrime – without question hackers in Russia and Eastern Europe are the most active, if not also the most profitable. sophisticated groups tend to be regional and stick to attacking their own (Brazil is a good example).

active malware/crimeware campaigns:

sophisticated cybercriminals:

Risk-forwarding cybercrime ecosystem

the rise of money mule recruitment

Are reshipping mules more popular than money mules 

advanced persistent threats (APT attacks)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Let’s look at the black market in the dark web.:

BLUE/BROWN/BLACK-(low end) COLLAR CYBER CRIMES

Selling Drugs

Selling Guns and explosives

Selling Stolen goods

Selling Hacked Data

Selling Sex

Buy an Assassin 

Rent a Hacker

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

So now we can see that in the Surface black market the legit merchants are watching everything you do and selling your information to the highest bidder. While the sophisticated crimes agains normal people backed by organized crimes is normal in the clearWeb. So in the Deep -Dark -Tor -.onion web the low end criminals haunt this area. The problem I have is that the same things that are in the deep dark web are the same things I can get at -EBAy- Guns – Stolen Goods, -CraigsList-  Assassin, legal/illegal Drugs, Sex, Stolen Damage Goods, Drugs, so in the surface web you can get the same as the dark web what’s the difference. Inside the matrix you have more anonymity –

No matter the anonymity gATO would not do business with the black market in the deep web or out. Use your own common sense my friends. We are judging that those people that use the ToR protocol to communicate with more privacy are all bad when only a few sites sell (bad) stuff there is some good in the network – and – bottom line –it’s all about freedom of choice  . The other thing is that the commercial cyber-criminals ecosystem in the clearWeb has not picked up on this newer technology (ToR-onion network) that is more secure and are harder to scam and gain your personal and their information while online.

The Black Market is the same or worse in the surface web than in the deep-dark web so- stay away from the black market period use the ToR network to be smarter, quiter without leaving digital bread-crums –

Below I have my notes and the ToR Cleaned Hidden Directory WiKi so you can see yourself some of the things that go into the black market Tor-.onion network- Remember that this is only a small part of the network their is millions of terabytes undiscovered in the ToR-.onion network it’s just hidden. They don’t want you too know.

Goerge Carlin said it best – Your not in the club- and they are not going to let you in – they are never going to let you in- 

They are going to scare you away from the ToR-.onion network because  “they” the powers that be –will hide their little business secrets in this network and they want to scare you away from it.  I found a great article from “Kerb on Security Interview” outlining the cyber criminal ecosystem where I drew a lot of the surface web black market anyway - gAtO oUt

lab Notes: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

lab Notes: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

lab Notes: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

ToR Cleaned Hidden Directory Wiki

http://3suaolltfj2xjksb.onion/hiddenwiki/index.php/Main_Page

Hidden services – HTTP/HTTPS

Volunteers last verified that all services in this section were up, or marked as DOWN, on: 2012-01-24

Introduction Points

OnionLand link indexes and search engines.

Hidden Wikis

Index pages in Wiki-based format.

Other indexes

Other places/directories you may be able to find links.

Search engines

Google for Tor. Search for links.

  • TORCH – Tor Search Engine. Claims to index around 1.1 Million pages.
  • Deepsearch – Another search engine.
  • Torgle – Torgle revived. Based on OnionWare’s server. Web crawler.
  • The Abyss – Administrator’s search engine. Supports submitted links.
  • Ahmia.fi – Clearnet search engine for Tor Hidden Services (allows you to add new sites to its database).
  • DuckDuckGo, clearnet – Clearnet metasearch engine with heavy filtering. Not like the aforementioned search engines to look up Hidden Services. Just searches the clearnet.

Other general stuff to see

Starting places.

Marketplace

See also: Marketplace Reviews – Reviews of the marketplace experience (ALL reviews go in this article, NOT in the listings below).
See also: The separate Drugs and Erotica sections for those specific services.
Remember that “feedback” can be faked in the Marketplace Reviews. Try to use escrow as much as possible to ensure you won’t be scammed.

Financial Services

Currencies, banks, money markets, clearing houses, exchangers.

  • Anonymous Internet Banking Anonymous Debit Cards with EU bank account and VCCs by A HackBB trusted vendor
  • The Bitcoin Laundry Service- Bitcoin Laundry service.
  • InstaCard – Sell your bitcoins for a virtual VISA credit card, in $25, $50, or $100 denominations. $5 fee.
  • Paypal4free – Hacked Paypal accounts for cheap, with balances
  • PayPal Store – Purchase clean, verified USA PayPal accounts with Bitcoin. (Host: FH)
  • Bitcoin Fog – Laundry service.
  • anonXchange – Ecurrency exchanger, exchange LR, Bitcoin, PSC, Ukash, Pecunix, Cash. Also doing Bitcoin washing.
  • Acrimonious – A bitcoin escrow checkout. Free if there are no disputes. Works with tor2web. (UNABLE TO REGISTER)
  • Bitcoin2CC, clearnet – Converts your Bitcoins into a virtual VISA credit card instantly.
  • The Bitcoin Washing Machine – Can launder large amounts of coins without same-coin contamination. (Host: FH)
  • Little BTC Ebook – The new way of selling and buying Bitcoin is through Second Life, more information here.

Commercial Services

Hosting / Web / File / Image

  • The Onion Cloud – Tor/ownCloud based cloud. Login/Pass: public/public. (Host: FH)
  • Megaupload.com Accounts for BTC – sells megaupload.com accounts in exchange for bitcoins
  • TOR host – Host your site anonymously in deep web for free. – DOWN 2011-12-24
  • bittit, clearnet – Host and sell your original pictures for Bitcoins.
  • Mystery File a Day – Want to see something cool?
  • Blolylo – Simple file uploads. Won’t accept plain text files. 2 MiB upload limit. (Host: FH) (Blank page) – Broken 2011-06-09
  • CircleServices – Mixie’s place. Provides: Circle-Talk, TorPM, ImgZapr, SnapBBS, qPasteBin, AnonyShares, Circle-IRC. (Provider: CS)
  • Anonyshares – File upload up to 10MB. (Provider: CS)
  • qPasteBin – A pastebin. (Provider: CS)
  • 5am – File dump and Image Board. 5MB Limit. DOWN 2012-01-05
  • Potaoto – Image hosting. Generates large thumbnails. DOWN 2012-01-05
  • Onion Fileshare – 2GB Upload file size limit. Upload any files you want.
  • ES Simple Uploader – Upload images, docs and other files. 2 MiB upload limit. (Host: FH)
  • IMGuru (More info) – Fast GIF/JPEG host. No images removed. If you get the error Invalid File, retry the upload. (Host: FH)
  • TorIB – Create and run your own imageboard. (Host: FH) (Neglected status note) – Broken 2010-06-16
  • SquareBoard – Upload and share high quality images. (Moderated)
  • sTORage – Upload files. Has WebDAV support.
  • Onion Image Uploader – Image Hosting. 2 MiB upload limit. Generates medium thumbnails. (Host: FH)
  • Freedom Hosting (More info) – Hosting Service with PHP/MySQL. As of 2011-06-04, it hosts about 50% of the live OnionWeb by onion. UPDATE 2011-06-05, probably owns a lot more than that now. Invite-only.
  • PasteOnion – Paste and share text, sources, whatever. You can make your paste public or set a password. (Host: FH)
  • QicPic – Upload any type of file. Caches and compresses uploaded files to decrease loading time. (Host: FH)

Blogs / Essays

Forums / Boards / Chans

SnapBBS

A relatively simplistic messaging board owned by Mixie. Various discussion boards. There’s lots of these, but here are a couple.

Other forums

Other forum types. Usually phpBB.

Imageboards

Non-CP or generally safe imageboards on Tor.

  • Torchan – /b/, /i/, programming, revolution, tons of other boards
  • Anonchan – Boards: /b/ – Random, /a/ – Anime/Manga/NSFW.
  • Hidden Image Site – HIS
  • TriChan – Revived, now only has /p/ Pokemon, /mlp/ My Little Pony, and /b/ Random
  • Lukochan – A Russian/English text discussion board in imageboard style.

Deaths (R.I.P):

  • RundaChan – Share ideas and ask or answer questions
  • Bobby’s board Channel with currently only 2 boards but growing – about 75% LOL 0% uptime

Forums Scripts Besides SnapBBS

  • PunBB 1.3.6 Forum script – During installation, you need not give your email address to create your forum! When registering you do not need feeding your e-mail! You can register without e-mail. The script does not register in the forum database your IP! nor the Administrator / Moderator cannot see your IP address gives you a much safer use of the forum because your IP is not logged anywhere in the database! Two mirrors download.

If anyone knows of anything else that provides this, send an e-mail.

Email / Messaging

See also: The compendium of clearnet Email providers.

Political Advocacy

Whistleblowing

WikiLeaks

See also: WikiLeaks Official Site and Official Submission Onion (temporarily closed).

Operation AntiSec

Other

H/P/A/W/V/C

Hack, Phreak, Anarchy (internet), Warez, Virus, Crack.

Audio – Music / Streams

Video – Movies / TV

Books

See also: Category:Novel – List of books on this wiki.

Drugs

Noncommercial (D)

These sites have only drug-related information/talk. No sales or venues.

  • Silk Road Forums – Silk Road Forums
  • Be Here Now – The North American Laughing Buddha (Folk medical advice from a pothead). (Host: FH)
  • TorDrugResource – Drug Chemistry and Pharmacology including limited Rhodium/Hive/Synthetikal mirrors. (Host: FH)
  • Serenity Files – Community-maintained library on growing illicit substances.

Commercial (D)

See also: Marketplace Reviews and Onion Reviews – Reviews of the marketplace experience (ALL reviews go in these articles, NOT in the listings below).

  • oxiD Shop – Marijuana, Cocaine (Bitcoin)
  • Silk Road – Marketplace with escrow (Bitcoin)
  • Pot2Peer – Marijuana and cannabis products delivered safely and discreetly to your door. Always anonymous. (Bitcoin)
  • Paradoxum – Cannabis, MDMA, LSD, Mushrooms, Coke, DMT (BTC, Dwolla, Pecunix, LR, Paxum)
  • DrugSpace – Dispensary Grade Sour Diesel Marijuana and Cambodian strain Psilocybin Mushrooms. Get the URL from the Onion Reviews, people keep changing it here
  • Trees by Mail Beta – Cannabis from Northern California (Bitcoin)
  • and – Yummy edibles and other cannabis related stuff. Nothing but the best. (Paypal and Bitcoin)

Erotica

Adult

Noncommercial (E)

Commercial (E)

See also: Marketplace Reviews – Reviews of the marketplace experience (ALL reviews go in this article, NOT in the listings below).

Paraphilias

Uncategorized

Services that defy categorization, or that have not yet been sorted.

  • Kenny – You killed Kenny! You’re a bastard! DOWN
  • Carson – Nature Boy poem. Previously The Ultimate Guide for Anonymous and Secure Internet Usage v1.0.1.
  • The LG enV2 – Very basic information and photo gallery about a wireless digital messaging phone. (Host: FH)
  • Questions and Answers – A little truth game. Ask questions and give answers anonymously. Answers also support image uploading.
  • noreason – Info and pdf files on weapons, locks, survival, poisons, protesters, how to kill. Hidden Wiki, TorDir, Steal this wiki, Telecomix Crypto Munitions Bureau mirrors. Guro, dofantasy / Fansadox Collection. DOWN D:
  • The Outlaw Project – “Free for all” – links to various files and known .onion sites. Onion address hosted an FTP service.
  • Fenergy file-server – File collection that includes books and other resources energy related.

Non-English

Czech / ?eština

Danish / Dansk

  • DanishChan – Scandinavian focused imageboard. Boards include drugs and IT security as well as a Random board. Fast and clean layout, little downtime.
  • drugs.dk – Danish Drug Trade. (Host: CS)

Dutch / Nederlands

Estonian / Eesti

  • Vileveeb – Anonüümsete raportite esitamine. DOWN 2012-01-24

Finnish / Suomi

French / Français

German / Deutsch

Hebrew / ?????

  • Samim.onion – Selling and shipping of drugs and medicine in Israel (Bitcoin). (Host: FH)

Italian / Italiano

Japanese / ???

Korean / ???

  • ?? – ??? ?? ??? (??????)

Polish / Polski

  • Torowisko – Forum Polskiej Spo?eczno?ci Tor. Nowe ogólnotematyczne forum bez rejestracji i cenzury. Godny Nast?pca Onionforum, ju? z ponad 8000 postami (codziennie przybywaj? nowe!). (Host: FH)
  • Fundacja Panoptykon, clearnet – Strona fundacji przeciwstawiaj?cej si? coraz powszechniejszej inwigilacji oraz tendencjom nasilania nadzoru i kontroli nad spo?ecze?stwem.
  • George Orwell “Rok 1984″ – polskie t?umaczenie znanej powie?ci
  • Polska Ukryta Wiki – PUW, wiki polskiej spo?eczno?ci Tor. (Host: FH)
  • FAQ – Freely Answered Questions – Portal typu Q&A, gdzie mo?esz zadawa? pytania zwi?zane z undergroundem (czyt. pytania niewygodne). (Host: FH)

Strony porzucone, nieaktywne lub ?mieciowe:

Portuguese / Portugues

Caravana Brasil

Russian / ???????

  • R2D2 – ????????? ?????, ??????? ????????????, ???????? ????????
  • Runion – ????????? ?????: Bitcoin, Tor, ????????? ?????
  • Runion Wiki – ??????? ?????? ? ????????? ? Runion ?? ???????
  • ??????? – ??????? ??????? ?????. (Host: FH)
  • ???? – ??????????? ???????? ???????? ?????????????. (Host: FH)
  • ??? – ????????? ????????????? ?????.
  • ????????, clearnet – ?????? ???????? ????????????? ????????? ????????.
  • ?????-?????? – ????? ??????? ?????? ? ???? ?? ??????? ?????. (Host: FH)
  • Russian Road – ??????? Silk Road(?????????, ??????, ?????????, ?????????)

Slovak / Slovenský

Spanish / Español

  • Abusos – Abusos judiciales en España.
  • Quema tu móvil!, clearnet – Interceptación de comunicaciones móviles. Cell phone eavesdropping techniques used by Intel agencies. DOWN 2012-01-24
  • HoneyNet, clearnet – Hacking ético, técnicas especiales de seguridad empleadas en los test de intrusión para evitar ser detectados. DOWN 2012-01-24
  • T0rtilla – Shoutox webchat. (Host: FH)
  • CebollaChan – CebollaChan, el tor-chan en Castellano.
  • T0rtilla – Shoutbox webchat. (Direct FH URL). (Host: FH)
  • Forocoches 2.0 – Torocoches – Forocoches 2.0 (Host: FH)

Swedish / Svenska

Hidden Services – Other Protocols

Volunteers last verified that all services in this section were up, or marked as DOWN, on: 2011-06-08
For configuration and service/uptime testing, all services in this section MUST list the active port in their address. Exception: HTTP on 80, HTTPS on 443.
For help with configuration, see the TorifyHOWTO and End-to-end connectivity issues.

P2P FileSharing

Running P2P protocols within Tor requires OnionCat. Therefore, see the OnionCat section for those P2P services.
IMPORTANT: It is possible to use Tor for P2P. However, if you do, the right thing must also be done by giving back the bandwidth used. Otherwise, if this is not done, Tor will be crushed taking everyone along with it.

  • The Pirate Bay – Download music, movies, games, software! The Pirate Bay – The galaxy’s most resilient BitTorrent site – Official(?)
  • GNUnet files sharing – GNUnet URI index site with forum. (Host: FH)
  • Sea Kitten Palace – Torrent site and tracker for extreme content (real gore, animal torture, shockumentaries/mondo cinema, and Disney movies)
  • AshANitY – Anonymous sharing of Humanity, torrents. (Host: FH)

Chat centric services

Some people and their usual server hangouts may be found in the Contact Directory.

IRC

See also: IRC Anonymity Guide

  • AnoNet – Each server is on its own network and connects to a chat cloud

running on: (various).oftc.net, ports:: plaintext: 6667 ssl: 6697

  • Federation: OnionNet – IRC network comprised of:

running on: unknown, ports:: plaintext: 6668, ssl: none

 

running on: (various).freenode.net, ports:: plaintext: 6667 ssl: 6697/7070

running on: kropotkin.computersforpeace.net, ports:: plaintext: none ssl: 6697

running on: unknown, ports:: plaintext: 6667 ssl: 9999

  • hackinthackint is a communication network for the hacker community.

running on: lechuck.darmstadt.ccc.de, ports:: plaintext: none ssl: 6697

running on: unknown, ports:: ssl: 6697

SILC

  • fxb4654tpptq255w.onion:706 – SILCroad, public server. [discuss/support]

XMPP (formerly Jabber)

  • xmpp:ch4an3siqc436soc.onion:5222 – public server. No SSL. Chatrooms. No S2S. – DOWN 2011-08-01
  • xmpp:okj7xc6j2szr2y75.onion:5222 – xmpp:jabber.ccc.de:5222 as a hidden service

TorChat Addresses

Humans are listed in the above contact directory. Bots are listed below.

  • 7oj5u53estwg2pvu.onion:11009 – TorChat InfoServ #2nd, by ACS.
  • gfxvz7ff3bzrtmu4.onion:11009 – TorChat InfoServ #1st, by ACS.

OnionCat Addresses

List of only the Tor-backed fd87:d87e:eb43::/48 address space, sorted by onion. There are instructions for using OnionCat, Gnutella, BitTorrent Client, and BitTorrent Tracker.

  • 62bwjldt7fq2zgqa.onion:8060
  • fd87:d87e:eb43:f683:64ac:73f9:61ac:9a00 – ICMPv6 Echo Reply
  • a5ccbdkubbr2jlcp.onion:8060 – mail.onion.aio
  • fd87:d87e:eb43:0744:208d:5408:63a4:ac4f – ICMPv6 Echo Reply
  • ce2irrcozpei33e6.onion:8060 – bank-killah
  • fd87:d87e:eb43:1134:88c4:4ecb:c88d:ec9e – ICMPv6 Echo Reply
  • [fd87:d87e:eb43:1134:88c4:4ecb:c88d:ec9e]:8333 – Bitcoin Seed Node
  • taswebqlseworuhc.onion:8060 – TasWeb – DOWN 2011-09-08
  • fd87:d87e:eb43:9825:6206:0b91:2ce8:d0e2 – ICMPv6 Echo Reply
  • http://[fd87:d87e:eb43:9825:6206:0b91:2ce8:d0e2]/
  • gopher://[fd87:d87e:eb43:9825:6206:0b91:2ce8:d0e2]:70/
  • vso3r6cmjoomhhgg.onion:8060 – echelon
  • fd87:d87e:eb43:ac9d:b8f8:4c4b:9cc3:9cc6 – ICMPv6 Echo Reply

Bitcoin Seeding

Instructions

  • bitcoinbudtoeks7.onion:8333 – DOWN 2011-08-20
  • nlnsivjku4x4lu5n.onion:8333 – DOWN 2011-08-20
  • xqzfakpeuvrobvpj.onion:8333
  • z6ouhybzcv4zg7q3.onion:8333

Dead Hidden Services

Main article: List of dead hidden services

Do not simply remove services that appear to be offline from the above list! Services can go down temporarily, so we keep track of when they do and maintain a list of dead hidden services.

  • In addition to an onion simply being gone (Tor cannot resolve the onion), sites that display 404 (and use a known onion/URL based hosting service) are the only other thing that is considered truly DOWN. Presumably the account is gone.
  1. If a service has been down for a while, tag it with ‘ – DOWN YYYY-MM-DD’ (your guess as to when it went down).
  2. If a tagged service on the above list of live hidden services has come back up, remove the DOWN tag.
  3. If a tagged service is still down after a month, please move it (along with the DOWN tag) to the list of dead hidden services.
  • The general idea of the remaining four service states below is that, if the Hidden Service Descriptor is available, and something is responding behind it… the service is considered up, and we track that fact on the Main Page. If any of these subsequently go offline, append the DOWN tag and handle as above.
  1. Hello world’s / statements, minimal sites, services with low user activity, etc (while boring)… are listed as usual.
  2. Broken services are those that display 404 (and do not use a known hosting service), PHP or other errors (or they fail silently)… any of which prevent the use of the service as intended. They also include blank pages, empty dirs and neglected status notes. Presumably the operator is in limbo. Broken services are tagged with ‘ (reason) – Broken YYYY-MM-DD’ (your guess as to when it went broken)
  3. Services that automatically redirect to another service (such as by HTTP protocol or script), have their redirection destinations noted in their descriptions. These are tagged with ‘ – Redir YYYY-MM-DD’ (your guess as to when it went redir)
  4. Sites that are formally closed via announcement are tagged with ‘ – Closed YYYY-MM-DD’ (your guess as to when it went closed)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Kerb on Security Interview:

Black Market : Tales from the underground

http://www.zdnet.com/blog/security/q-a-of-the-week-tales-from-the-underground-featuring-brian-krebs/12414

ATM skimming

ATM skimming is proliferating, next to the overall availability of bank plastic cards, holograms and pretty much everything a carder needs to cash out the fraudulently obtained credit card data. From ATM skimmers with bluetooth notification, to ATM skimmers with SMS notification, what are some of the latest innovations in this field that you’re observing?

Brian: One innovation in skimming that I wrote about recently is that crooks are starting to turn to 3D Printers to make these devices. An investigator in California shared with me some photos of was was believed to be a 3D printed skimming device, which was the news hook for that story. But as I was researching the topic, I discovered that a skimmer gang had recently been convicted of creating skimming devices made with a 3D printer they had purchased with the proceeds of their previous skimming crimes.

pharmaceutical affiliate networks

Brian: I think there are a few trends emerging, and they all have to do with the fact that it’s getting harder for rogue pharmacies to make money. One is a shift toward more generic and herbal medications. The affiliate programs seem to be looking for drugs to sell that don’t incur intellectual property violation cases, which can get them shut down in a hurry. But I think it is becoming much harder for the larger volume spam and scareware affiliate programs out there to retain reliable processing, and that’s a long overdue but welcome development.

Eastern Europe is the epicenter of the cybercrime epidemic

Brian: If you mean financially-motivated cybercrime that affects the rest of the world, I would say without question hackers in Russia and Eastern Europe are the most active, if not also the most profitable. I think there are cases where (dis)organized crime groups have and are conducting a lot of cybercrimes, but many of these sophisticated groups tend to be regional and stick to attacking their own (Brazil is a good example).

But generally speaking I think it is a mistake to try to measure cybercrime by actual losses, which almost never comes close to the real losses and damage done by cybercrime, costs incurred by software and hardware and personnel defenses, etc. Don’t get me wrong: I strongly believe that all nations should be working harder to quantify and publish data about cybercrime losses, particularly in the financial sectors. But the reality is that even some of the most active criminal groups — such as the rogue pharmacy “partnerka” programs like SpamIt and GlavMed and Rx-Promotion — employed some of the biggest botmasters with the biggest botnets, and while some of them made a lot of money, most did not. And the spam partnerkas are excellent examples of cases where there are huge asymmetries between their earnings for these activities and the tens of billions of dollars companies and individuals need to spend each year to try to block all of its attendant ills.

active malware/crimeware campaigns:

I think we can continue to expect to see Microsoft doing whatever it can to disrupt cyber criminal activity, because 95 percent of it or more is aimed squarely at their customer base. Whether the gains from those take downs and targeted actions have long or short-term consequences may not be so important to Microsoft. From my lengthy interviews with Microsoft’s chief legal strategist on this subject, it was clear that their first order of business with these actions is raising the costs of doing business for the bad guys, and I think on that front they probably will succeed in the long run if they keep going after them as they are.

cybercrime ecosystem – sophisticated cybercriminals

I consider it a badge of honor that these guys bother to thumb their noses at me. The most recent one I’m aware of was whoever was in charge of coding the Citadel Trojan added some strings in the malware that said, “”Coded by BRIAN KREBS for personal use only. I love my job & wife”. Sort of a friendly jab and a vague, nonspecific threat rolled into one. Sometimes it is just kids looking for attention, but by and large I think most of these guys truly resent having any outside light — especially from “amers” or Americans — shed on their operations. They also don’t like it when you distill their operations, norms or processes into bite sized chunks that demystify their ecosystem or forums.

I can’t speak for law enforcement activity, but as a journalist and investigative reporter, I’m always sad to see these communities go away. I think it’s safe to say that most of them are already infiltrated by several national law enforcement organizations. I’d be very surprised if they were not. Some operating right now probably were even set up by law enforcement. We’ve seen them do that a few times before. I think most of the fraudsters who’ve been doing this long enough probably understand that and act accordingly. Others do not, and that is why you tend to see lots of people come and go, but the same core group of a few hundred guys are the top dogs on most important forums.

Communities and crime forums are great places to learn intelligence about upcoming and ongoing attacks, breaches, 0days, etc. Shutting them down seems to me to be counterproductive, since you almost always force the forums to go more underground and use more security features to keep untrusted people out, and known sources of intelligence go away, or worse yet change their nicks and contact info and all of a sudden a source you have developed you may never see or hear from again.

Risk-forwarding cybercrime ecosystem

the rise of money mule recruitment

Brian: I’ve identified quite a few distinct money mule recruitment networks. I don’t know about templates, but many of them tend to recycle the same HMTL content and change the names of the fake companies. That’s handy I guess for keeping track of which group recruited which mules, but beyond that I’m not sure it tells you much. What I have noticed is that money mules are the bottleneck for this type of fraud, and often
times the cyber crooks will leave money in the victim’s account because they simply didn’t have enough mules to help them haul all of the loot. So with any one victim, it’s typical to find mules recruited through 4-6 different mule recruitment gangs, because the fraudsters who outsource this recruitment will simply go from one to the other purchasing the services of these recruitment gangs until they’ve got enough to help them haul the loot, or they’ve exhausted the available mule supply. But usually, the mule gangs don’t have any problem finding new recruits.

Are reshipping mules more popular than money mules 

Brian: I think reshipping mules tend to be more useful. Most regular money mules are one-and-done. They’re used for a single task and then discarded (although one group I am following re-uses money mules as many times as they can before the mule starts to ask for their monthly salary). Typically, a reshipping gang will get 3-5 packages reshipped per weekday per mule, and the average reshipping mule works for 30 days before figuring out they’ve been working for free and great personal risk and they’re never going to get paid, or the check they got from their employer just bounced. But several mule gangs I’m aware of do both reshipping and money mules interchangeably.

Online gambling

advanced persistent threats (APT attacks)

Brian: I think if there has been a net positive about the shift in focus (at least from the mainstream security industry) away from traditional threats to APT attacks it is in the increased attention paid to social engineering attacks, which form the basis of most successful attacks today. 0day threats get a lot of press and are frequently associated with APT attacks, but it is far more common for these attacks to leverage known vulnerabilities for which there are patches, much like exploit packs that are used in many Zeus attacks and other more traditional cyber crimes. Unfortunately, educating users about what not to click on or trust or open is always an uphill battle. There are some things that companies could be doing more on this front, and I’d like to see more firms randomly test their employees to help speed the process of learning how not to fall for phishing and social engineering scams.

scareware industry, scareware remains one of the most profitable monetization strategies within the cybercrime ecosystem

Brian: I don’t think scareware is the same scourge it used to be, although it’s clearly still a problem. I would say this problem — like the pharma spam problem — must be attacked at the payment processing point; that is where it makes the most sense. There are some things afoot in the payment processing space that I think will probably start to show major results in the coming months on this front, but the proof will be when the scareware partnerka programs start dying off completely because the business model has dried up. I think we can expect to see the costs of acquiring banks taking on this business continue to rise, and that will help make the scareware industry less profitable and less attractive for scammers.

like the pharma spam problem

 

06/6/12

ToR 0.2.2.36 is released

Tor 0.2.2.36 updates the addresses for two of the eight directory
authorities, fixes some potential anonymity and security issues,
and fixes several crash bugs.

We're going to be following it soon with 0.2.2.37, which works around
a bug in OpenSSL's TLS renegotiation (currently being tested in the Tor
0.2.3.16-alpha release). Stay tuned.

Tor 0.2.1.x has reached its end-of-life. Those Tor versions have many
known flaws, and nobody should be using them. You should upgrade. If
you're using a Linux or BSD and its packages are obsolete, stop using
those packages and upgrade anyway.

https://www.torproject.org/download/download

Changes in version 0.2.2.36 - 2012-05-24
  o Directory authority changes:
    - Change IP address for maatuska (v3 directory authority).
    - Change IP address for ides (v3 directory authority), and rename
      it to turtles.

  o Security fixes:
    - When building or running with any version of OpenSSL earlier
      than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
      versions have a bug (CVE-2011-4576) in which their block cipher
      padding includes uninitialized data, potentially leaking sensitive
      information to any peer with whom they make a SSLv3 connection. Tor
      does not use SSL v3 by default, but a hostile client or server
      could force an SSLv3 connection in order to gain information that
      they shouldn't have been able to get. The best solution here is to
      upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
      or running with a non-upgraded OpenSSL, we disable SSLv3 entirely
      to make sure that the bug can't happen.
    - Never use a bridge or a controller-supplied node as an exit, even
      if its exit policy allows it. Found by wanoskarnet. Fixes bug
      5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
      and 0.2.0.3-alpha (for bridge-purpose descriptors).
    - Only build circuits if we have a sufficient threshold of the total
      descriptors that are marked in the consensus with the "Exit"
      flag. This mitigates an attack proposed by wanoskarnet, in which
      all of a client's bridges collude to restrict the exit nodes that
      the client knows about. Fixes bug 5343.
    - Provide controllers with a safer way to implement the cookie
      authentication mechanism. With the old method, if another locally
      running program could convince a controller that it was the Tor
      process, then that program could trick the controller into telling
      it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
      authentication method uses a challenge-response approach to prevent
      this attack. Fixes bug 5185; implements proposal 193.

  o Major bugfixes:
    - Avoid logging uninitialized data when unable to decode a hidden
      service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha.
    - Avoid a client-side assertion failure when receiving an INTRODUCE2
      cell on a general purpose circuit. Fixes bug 5644; bugfix on
      0.2.1.6-alpha.
    - Fix builds when the path to sed, openssl, or sha1sum contains
      spaces, which is pretty common on Windows. Fixes bug 5065; bugfix
      on 0.2.2.1-alpha.
    - Correct our replacements for the timeradd() and timersub() functions
      on platforms that lack them (for example, Windows). The timersub()
      function is used when expiring circuits, while timeradd() is
      currently unused. Bug report and patch by Vektor. Fixes bug 4778;
      bugfix on 0.2.2.24-alpha.
    - Fix the SOCKET_OK test that we use to tell when socket
      creation fails so that it works on Win64. Fixes part of bug 4533;
      bugfix on 0.2.2.29-beta. Bug found by wanoskarnet.

  o Minor bugfixes:
    - Reject out-of-range times like 23:59:61 in parse_rfc1123_time().
      Fixes bug 5346; bugfix on 0.0.8pre3.
    - Make our number-parsing functions always treat too-large values
      as an error, even when those values exceed the width of the
      underlying type. Previously, if the caller provided these
      functions with minima or maxima set to the extreme values of the
      underlying integer type, these functions would return those
      values on overflow rather than treating overflow as an error.
      Fixes part of bug 5786; bugfix on 0.0.9.
    - Older Linux kernels erroneously respond to strange nmap behavior
      by having accept() return successfully with a zero-length
      socket. When this happens, just close the connection. Previously,
      we would try harder to learn the remote address: but there was
      no such remote address to learn, and our method for trying to
      learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
      on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
    - Correct parsing of certain date types in parse_http_time().
      Without this patch, If-Modified-Since would behave
      incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from
      Esteban Manchado Velázques.
    - Change the BridgePassword feature (part of the "bridge community"
      design, which is not yet implemented) to use a time-independent
      comparison. The old behavior might have allowed an adversary
      to use timing to guess the BridgePassword value. Fixes bug 5543;
      bugfix on 0.2.0.14-alpha.
    - Detect and reject certain misformed escape sequences in
      configuration values. Previously, these values would cause us
      to crash if received in a torrc file or over an authenticated
      control port. Bug found by Esteban Manchado Velázquez, and
      independently by Robert Connolly from Matta Consulting who further
      noted that it allows a post-authentication heap overflow. Patch
      by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668);
      bugfix on 0.2.0.16-alpha.
    - Fix a compile warning when using the --enable-openbsd-malloc
      configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc.
    - During configure, detect when we're building with clang version
      3.0 or lower and disable the -Wnormalized=id and -Woverride-init
      CFLAGS. clang doesn't support them yet.
    - When sending an HTTP/1.1 proxy request, include a Host header.
      Fixes bug 5593; bugfix on 0.2.2.1-alpha.
    - Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE
      command. Found by mikeyc. Fixes bug 5796; bugfix on 0.2.2.9-alpha.
    - If we hit the error case where routerlist_insert() replaces an
      existing (old) server descriptor, make sure to remove that
      server descriptor from the old_routers list. Fix related to bug
      1776. Bugfix on 0.2.2.18-alpha.

  o Minor bugfixes (documentation and log messages):
    - Fix a typo in a log message in rend_service_rendezvous_has_opened().
      Fixes bug 4856; bugfix on Tor 0.0.6.
    - Update "ClientOnly" man page entry to explain that there isn't
      really any point to messing with it. Resolves ticket 5005.
    - Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
      directory authority option (introduced in Tor 0.2.2.34).
    - Downgrade the "We're missing a certificate" message from notice
      to info: people kept mistaking it for a real problem, whereas it
      is seldom the problem even when we are failing to bootstrap. Fixes
      bug 5067; bugfix on 0.2.0.10-alpha.
    - Correctly spell "connect" in a log message on failure to create a
      controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta.
    - Clarify the behavior of MaxCircuitDirtiness with hidden service
      circuits. Fixes issue 5259.

  o Minor features:
    - Directory authorities now reject versions of Tor older than
      0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
      inclusive. These versions accounted for only a small fraction of
      the Tor network, and have numerous known security issues. Resolves
      issue 4788.
    - Update to the May 1 2012 Maxmind GeoLite Country database.

  - Feature removal:
    - When sending or relaying a RELAY_EARLY cell, we used to convert
      it to a RELAY cell if the connection was using the v1 link
      protocol. This was a workaround for older versions of Tor, which
      didn't handle RELAY_EARLY cells properly. Now that all supported
      versions can handle RELAY_EARLY cells, and now that we're enforcing
      the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
      remove this workaround. Addresses bug 4786.
06/5/12

Iran Cyber Problems -bad antivirus software

Iran Cyber Problems

gAtO mOnItOrEd – Iran Tor-Relays last night they had blocked all public relays so nobody could use the ToR network. Of course as long as you have private unlisted ToR relay people from Iran could still use the ToR network on the Internet. On the other side of Iran’s Cyber Warfare the Flame cyber worm – is still kicking ass and taking names in Iran. U.S and Israel have accepted the role of chief cyber warrior of the Stuxnet, DuQu and Flame. Some of the first cyber weapons ever made and deployed on a covert mission’s. Do you think that this cyber weapons did not use ToR networks to hide their C&C server never to be found??? So here we have a country suppressing ToR communication  (and suppressing Flame, DuQu and StuxNet C&C ToR Communication) and being attacked by 2 of the largest countries in the world. gAtO would call this cyber warfare. 

cyber war profiteers –> Who stands to make the most business ($$$) in this cyber warfare. We in the west have Norton, McAfee and other’s to protect our computers and business and government computer enterprise systems – but they cannot do business with Iran- We just had Symantec pull out of a deal with China’s Huawei because of a U.S-DOD contracts-/ a friend pointed to eset.com as the number one anti-virus software distributor to Iran./ When the Iranian government want’s to protect their computers they turn to Eset corporation for their enterprise cyber security support and service. So who are they?

Alexa the number one SEO company – http://www.alexa.com/siteinfo/eset.com – shows Iran is their number one customer—. Why? Eset is based out of the Slovak Republic , Bratislava the capital of Slovakia. It’s not silicone valley – I never heard of a high tech center and educated cyber security experts from that side of the world—  We know this area more for cyber criminals but now this little company out in the middle of know-where has some interesting customer. Those countries that nobody wants are becoming their cyber customers, and it looks like Eset is a growing business.

Eset – Contact info: – http://www.eset.com/us/about/contact/ – They have offices in Czech Republic, Singapore, Argentina and the U.S.A – —/$#@! – So the company that is providing the anti-virus software for Iran has offices in America, with American business as customers- gAtO don’t like that much that is why I mentioned it.

Anti-virus software controls every aspect of the safety and security of your computer, your anti-virus software has deep ties to your computers. So this little anti-virus company is now a world player. It could also be our allied and work with us.

From a business point of view – First of all I would fire them. If I was the Iranian government, Stuxnet, DuQu and Flame the same MO and my anti-virus software does not catch it -new business but, oh well if Iran fires them who else would step into this position. This show to gAtO that the old weapon dealers have turn to legit, cyber counter weapons dealers/

customers metric’s: Imagine the statistics from Eset on Iranian government sites? 

As a security researcher I just don’t like that Eset is in the U.S.A if they get American customers they can maybe sell their stats to Iran. Security companies like anti-virus have a lot of power. Just a simple update and the new spy-ware can get in and turn on your camera or just record your speech in your house or office. I would stay away from Eset anti-virus software solution – just for me gAtO oUt…

Reference:

Iran Top Sites : http://www.alexa.com/topsites/countries;0/IR

Bratislava: http://en.wikipedia.org/wiki/Bratislava

Alexa-Eset – http://www.alexa.com/siteinfo/eset.com

Eset about page –  http://www.eset.com/us/about/contact/ .

WhoIs – http://whois.domaintools.com/eset.com

Registrant:

ESET, spol. s r.o.

Peter Pasko

Einsteinova 24 Aupark Tower, 16th Floor

Bratislava,   85101

SK

Phone: +421.232244111

Email: sysadmin@eset.com

 

Registrar Name….: Register.com

Registrar Whois…: whois.register.com

Registrar Homepage: www.register.com

 

Domain Name: eset.com

Created on…………..: 2001-04-18

Expires on…………..: 2013-04-18

 

Administrative Contact:

ESET, spol. s r.o.

Anton Zajac

610 W Ash St, Ste 1900 Suite 1900

San Diego, CA 92101

US

Phone: +1.6198765404

Email: sysadmin@eset.com

 

Technical  Contact:

ESET, spol. s r.o.

Anton Zajac

610 W Ash St Suite 1900

San Diego, CA 92101

US

Phone: +1.6198765404

Email: sysadmin@eset.com

 

DNS Servers:

e.ns.lanechange.info

ns4.lanechange.net

ns2.lanechange.net

ns3.lanechange.net

ns1.lanechange.net

06/3/12

Difference between Tor -network -.onion network -deepWeb -darkWeb -invisibleWeb

Difference between Tor -network -.onion network -deepWeb -darkWeb -invisibleWeb

gAtO wAs aSkeD – what is the difference between the /ToR network- /.onion network- /Deep Web /Dark Web /Invisible Web – simple question not so fast. First we have the surfaceWeb the Internet were Google, Yahoo, Facebook, Twitter take your information and sell it to the highest bidder to marketing people so they can sell you things you don’t want or need but they make you buy the junk anyway. Yes the surface web is were we live and do our banking – (that’s monitored too) research our medical problems well for gAtO it’s Twitter- as i tweet my dispatches from security crazy, twitter looks at my pattern and sells my information because when I go to Huffington Post to read stupid shit twitter follows me and monitors every article I read. /cRaZy -sI -nO/.

Difference between Tor -network -.onion network -deepWeb -darkWeb -invisibleWeb

The ToR network: It’s software that you get and install on your computer that allows freedom and privacy, confidential business activities and relationships without anyone knowing what your doing-

Install and you login too the .onion network but you can also use it to surf the surfaceWeb too. When your in the surfaceWeb you have -.com  -.edu -.org in the .onion network you have sites that end with .onion the site names are kind of hard to read: http://4eiruntyxxbgfv7o.onion/snapbbs/19cc6d6e this is the USCyberLabs web site in the Tor-.onion network it is part of the deepWeb and the darkWeb too.

How so — it’s on a need to know basis -and your not in the 1% club- you don’t need to know my friend -mEoW that hurts—

The Deep Web (also called the Deepnet, the Invisible Web, the Undernet or the hidden Web) refers to World Wide Web content that is not part of the Surface Web, which is indexable by standard search engines. The deepWeb is the part of the web that Google, Yahoo and other cannot index so nobody knows were they are – except a few people. NASA has over 200 teraBytes un-indexed databases and all kinds of reports that are part of the deep web. Any un-index websites or web-services are part of the deep web, not the dark web that is only accessible by using the ToR-software.

USCyberLabs is in the .onion now it is part of the deepWeb/ but also part of the un-index deepWeb/  because it is not indexed nobody knows about it – it is hidden- unless I tell you about it. The USCyberLabs in the .onion is also part of the darkWeb because part of the dark web has a .onion after the website name. But it’s not part of the blackMarket in the .onion network.

SO now we have a ToR-network that can access the darkWeb and be invisible, untraceable so this is why crooks, and criminals use this network. Don’t get me wrong the good guy’s use the ToR network too. Why do you think that the PhycOps is the deepWeb is for criminals the governments and business that want secure private communication are doing business on ToR while we stay away outside.

The fact of the matter is the more people use ToR-network to be safer the better it is for everyone, just go surf your normal sites, Facebook, Twitter it’s ok your just safer. When there is normal ToR-traffic it becomes harder to see the dissidents that need ToR- network to save lives. Look at who donates to the ToR- project come on the -National Christian Foundation (2010-2012) https://www.torproject.org/about/sponsors.html.en  this is not a criminal network - gAtO oUt

 

05/31/12

Monitoring Cyber Iran and Syria in the ToR network

gAtO wAs mOnItOrInG – bad ToR-Relays and found that during this unrest in Iran and Syria. We have 17 bad ToR-Relays 95% in Iran and Syria. This is how the shut down the network to suppress information communication securely to the outside world. Time stamp is 05-31-2012 00:52:05 MET.
Tor Network Status – http://torstatus.blutmagie.de/index.php you can find all kinds of information about the .onion relays that make up the networks.
While back in cyber world —:Stuxnet – Flame – I can tell you that lot’s of Iranian site use older web apps , cms, jommla and they have vulnerabilities.
http://uscyberlabs.com/blog/2012/02/10/1890/
But they are educated and everyone learns from being attacked. When you underestimate your enemy you are going to lose.
Example :-gAtO been working on a ToR project and last night I was monitoring the ToR-Relays for bad ones and 15 out of 17 -ToR-Relays all doing exit node were Iranian and Syrians all bad and compromised. With the unrest in the news with Iran and Syria these two countries were playing with Tor-Relay nodes to extract exit information on dissidents. If they catch some dissident posting anti-Iran, anti-syria online and they will find their IP and kill them. In the middle-east hacktivist may pay the ultimate price and the CIA and others are communicating with the rebels using the ToR-.onion network the invisible web takes on a new importance during crisis time.

All goes underground under the radar but it show’s that they have an active cyber policy, with countermeasure and surveillance. These guy are fighting back anyway they can.

Cyber and culture must be understood, the more you invest in your infrastructure the more vulnerable you will become and how a society integrates the technology into it’s culture will make changes, trust me business will love it but in the middle east religion is very important geo-political tool and propaganda is the number one thing I see while surfing the Iran. Syria websites.

Today I see “cyber ambiguity” from Israel –On Tuesday, a day after a Moscowbased security company revealed that a new cyber weapon called “Flame” had struck Iran, Vice Premier and Minister of Strategic Affairs Moshe Ya’alon fueled speculation of Israeli involvement by praising Israeli technological prowess in response to a radio interview on the issue.

Israel, he said, was blessed with superior technology. “These achievements of ours open all kinds of possibilities for us,” he said.

Prime Minister Binyamin Netanyahu said when he spoke that evening that when it comes to cyberspace, the size of a country is insignificant – but that there is great significance to a country’s “scientific strength, and with that Israel is blessed.”
http://www.jpost.com/Features/FrontLines/Article.aspx?id=272264
As all these state actor play cyber games with cyber war, gATo will keep monitoring the ToR network to look and see and learn about societies in cyberspace -gATO oUt

05/30/12

Hide SCADA in the ToR network – ..-hiding in plain site..

Hide SCADA in the ToR network – ..FREE-hiding in plain site..

any internet connection 2-ToR

gAtO cAn -now provide your company a FREE .onion network – reliable 24/7 secure / encrypted / untraceable communication between your SCADA systems talking to each other and the main office giving you real-time data from any remote SCADA  site. As an example from Scheider Electric white paper on – Video Surveillance Integrated with SCADA – White Paper  – we can now take that physical video security of all your remote video assets and transmit them securely, encrypted and untraceable to anyplace in the world to your datacenter. When going in and out of the invisible .onion network, you can control the entry and exit relays so picking safe verified relays to use is easy, or you can use your own relays, the more relays the better the system becomes at making you more invisible. The more people that use it the more untraceable and unmonitored it becomes. This kind of SCADA  communication in the ToR- onion network redefines geo-political digital boundaries. Since it rides on any Internet connection it can be used anywhere.

in the ToR-.onion network merchants can’t spy on you and they can’t steal your information

Not if but when —business take over the ToR- .onion network it will change the landscape and give it more order but it will still give the user anonymity thats the key to this network your signal, your voice cannot be found but you can still communicate. The ToR- .onion network rides not on top or the bottom of the digital super-highway but thru it.

Let’s keep in mind that access to the ToR-.onion network is FREE to anyone and your company’s use of the network makes it safer for everyone since the more people use it the more unreachable-undetectable you become. But in business you also have to deal with hostile governments and protecting your people and assets thru a ToR .onion network becomes even more critical. You can still operate but be safe and secure in your business communications.

The ToRProject.org is something that is making an impact on the very lives of people that want to have a free safe secure voice. Just look at Mr Chen a dissident from China he was jailed because he spoke up about the disable in China. The ToRProject.com helps people like Mr. Chen speak and to remain in anonymity. But by adding real business -reays into the ToR- .onion network we will give these people and the business more transparency, it makes you more invisible on the internet. You can donate to the ToR project and it’s a 501(c), so it’s deductible. Look at the donors list and see who support this invisible network. U.S Naval Research, National Science Foundation- DARPA – National Christian Foundation are some of the people supporting the ToR Project, it’s not so bad if they use it— see lab Notes below –

How you gonna hack what you can’t find, can’t see and can’t trace to you?

Just think mr. bankers a free secret untraceable encrypted-communication place were you can do your banking deals -in secret- and nobody but you and your closes friends know it even exist, not the government, not your spouse and harder for criminals to find your valuable data. It hides you in an Internet bubble of packets were nobody knows who you are or how to find you. Try can’t even tell it’s a ToR- .onion network it hides it’s signal to blend into the bit’s and bytes of the landscape in the digital noise.

Technically it pretty cheap get the free software as many copies as you need FREE!!! No volume pricing no updates FREE!!! Once your computer that talks to the internet hooks up to a ToR- Relays it’s in the matrix. If you add your own ToR-Relays you can use trusted Relays as entry and exit nodes into the ToR-.onion network so you can let the program use it randomness or choose a path into a FREE invisible communication media accessible from any Internet connection. –

The ToRProject.org is currently still fighting censorship and monitoring in China, Iran, Syria and others were people are being killed and sent home in small boxes to their relatives. Because that person could not use a ToR-network access to his gmail account that was monitored they showed him his emails and his guilt and killed him. That’s how brutal it can become if you cannot have a safe secure access to a basic email to communicate with the world. Government will kill you for what you say. Donate to the ToRProject.org

It’s easy -if all else fails call the gAtO I can help your business become invisible in/on the Internet- gATO oUt.

We use the ToR network for all communication in SCADA systems.  Here are a few SCADA White papers try them with ToR- .onion Networks.

 

lab Notes— gAtO 5/29/12

Tor: Sponsors

The Tor Project’s diversity of users means we have a diversity of funding sources too — and we’re eager to diversify even further! Our sponsorships are divided into levels based on total funding received:

Magnoliophyta (over $1 million)

Liliopsida (up to $750k)

Asparagales (up to $500k)

Alliaceae (up to $200k)

  • You or your organization?

Allium (up to $100k)

Allium cepa (up to $50k)

Past sponsors

We greatly appreciate the support provided by our past sponsors in keeping the pre-501(c)(3) Tor Project progressing through our ambitious goals:

WiKi-Pedia

http://en.wikipedia.org/wiki/SCADA

SCADA (supervisory control and data acquisition) generally refers to industrial control systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based processes, as described below:

  • Industrial processes include those of manufacturing, production, power generation, fabrication, and refining, and may run in continuous, batch, repetitive, or discrete modes.
  • Infrastructure processes may be public or private, and include water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense siren systems, and large communication systems.
  • Facility processes occur both in public facilities and private ones, including buildings, airports, ships, and space stations. They monitor and control HVAC, access, and energy consumption.

A SCADA system usually consists of the following subsystems:

  • A human–machine interface or HMI is the apparatus or device which presents process data to a human operator, and through this, the human operator monitors and controls the process.
  • A supervisory (computer) system, gathering (acquiring) data on the process and sending commands (control) to the process.
  • Remote terminal units (RTUs) connecting to sensors in the process, converting sensor signals to digital data and sending digital data to the supervisory system.
  • Programmable logic controller (PLCs) used as field devices because they are more economical, versatile, flexible, and configurable than special-purpose RTUs.
  • Communication infrastructure connecting the supervisory system to the remote terminal units.
  • Various process and analytical instrumentation