06/22/13

China Hackers found in Tor

gAtO bEeN crawling Tor and found China: Fujian IPs in Tor. But is it really the Chinese, or someone else? As I work on the Tor-Directory-Project to map out every URL in Tor, I came to these sites:

http://yaiaqf3te6khr3nd.onion/ – this one has 3 different sites in one, 3 index front pages (doors). fUnNy nO?

http://lw7b7t7n7koyi6tb.onion

Now what’s so weird about these 2 sites: 4 IP addresses on the site for proxies and Tor in CHINA. This ain’t right. China does its best to block Tor and keep its citizens away from Tor, so why would a website in Tor post these explicit IP addresses and tell you to use them? In Tor you try to hide, not give out IPs that can be traced, so why is this different???

So I back-traced these 4 addresses: 3 are in China, 1 is in Seoul, Korea. Then you google “Fujian Province hacking”.

Yeah, there are a lot of things happening in that part of China, but is it really the Chinese or others? Russians maybe??

These 2 sites are linked to “Anonet”. The funny (ha ha) thing is that one person keeps popping up on both these sites (Anonymous Coward), and he/she leads back to China too, mAyBe, Si-nO. The Chinese use the Anonymous Coward name to mock Anonymous, which is very dangerous in China, but this does not look good, folks.

We talk about China hacking us, and when people like myself find these sites and try to report them: no way, I’m just a nobody that has one of the largest Tor search engines around. Just from these 2 sites I have 56 URLs. Maybe one of these cyber professionals should check these 2 sites out. I have a subscription service for the Tor search engine; any governments or law enforcement out there that need this, talk to gAtO.

They may find one source of China hacking the US and other places – gAtO oUt

The 4 addresses, back-traced:

IP address   Network / ISP                                Region
1.1.7.10     Chinanet Fujian Province Network             (CN)
1.1.7.7      Chinanet Fujian Province Network             (CN)
1.234.56.4   SK Broadband Co Ltd                          Seoul (KR)
1.56.75.16   China Unicom Heilongjiang Province Network   Harbin (CN)
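The back-trace step above (which network block an address falls in, and whose network that is) as an added example; this is not code from the original post. The CIDR blocks in the table are constructed for the example to mirror the results listed above and are not real registry data; a country/ISP IP block database would supply the real rows.

```python
"""Look up which network block an address belongs to (longest-prefix match).

Added example, not code from the original post. BLOCKS is a constructed table
that mirrors the results listed above; it is NOT real registry data. In practice
the rows would be loaded from a country/ISP IP block database.
"""
import ipaddress

# Constructed block table: (cidr, country code, owner). Blocks may overlap;
# the most specific (longest prefix) match is the one reported.
BLOCKS = [
    ("1.0.0.0/8",    "AP", "APNIC region catch-all (constructed)"),
    ("1.1.0.0/16",   "CN", "Chinanet Fujian Province Network"),
    ("1.56.0.0/14",  "CN", "China Unicom Heilongjiang Province Network"),
    ("1.234.0.0/16", "KR", "SK Broadband Co Ltd"),
]


def build_table(blocks):
    """Parse CIDR strings once and sort most-specific first, so the first
    block that contains an address is the longest-prefix match."""
    parsed = [(ipaddress.ip_network(c), cc, owner) for c, cc, owner in blocks]
    return sorted(parsed, key=lambda row: row[0].prefixlen, reverse=True)


def lookup(ip, table):
    """Return (cidr, country, owner) for the most specific block containing
    ip, or None when no block matches."""
    addr = ipaddress.ip_address(ip)
    for net, cc, owner in table:
        if addr.version == net.version and addr in net:
            return str(net), cc, owner
    return None


def count_by_country(ips, table):
    """Tally addresses per country code ('??' for unmatched addresses),
    the '3 in China, 1 in Korea' style summary."""
    counts = {}
    for ip in ips:
        hit = lookup(ip, table)
        cc = hit[1] if hit else "??"
        counts[cc] = counts.get(cc, 0) + 1
    return counts


if __name__ == "__main__":
    table = build_table(BLOCKS)
    # The four addresses from the post plus one that matches nothing.
    for ip in ["1.1.7.10", "1.1.7.7", "1.234.56.4", "1.56.75.16", "9.9.9.9"]:
        print(f"{ip:<12} {lookup(ip, table)}")
    print(count_by_country(["1.1.7.10", "1.1.7.7", "1.234.56.4", "1.56.75.16"], table))
```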

04/5/13

Tor Tells It’s Secrets

gAtO pLaYiNg with words in Tor. We simply counted the number of times a word appeared in our search engine, by pages. This is something every search engine does, but what it gave us was a picture of what Tor really is. It’s not all crime and ugly: information is number one in Tor, exactly what it’s supposed to be. Tor was created to share information, and from the table below we see lots of stuff inside Tor.

Tor word data points: We put this report together to see what our word-count occurrence was in our crawled data so far. The chart below gives an interesting picture of the Tor data points that it generates.

We are finding that these are the best categories to put our websites into. The words by site occurrence speak volumes in understanding trends in Tor. For example it shows the i2p network in Tor two places above drugs in Tor, because i2p is fast being intertwined with Tor to get better anonymity.

  • These are real data points based on 3/27/2013-4/3/2013 – this is a live report from our crawls.
  • As we crawl and add more data, our picture of the landscape of Tor will change.
  • Bitcoin is the fourth most popular word – currency in the Dark Web is number 1

Word Num. Occurrences
blog 1014
wiki 985
anonymous 966
bitcoin 837
sex 530
gun 492
market 458
I2P 400
software 372
drugs 365
child 353
pedo 321
hacking 314
weapon 221
politic 209
books 157
exploit 118
anarchism 105
porno 88
baby 87
CP 83
fraud 76
piracy 69

  • Bitcoin being above SEX tells us volumes: bitcoins are the normal exchange currency in Tor.
  • Fraud and piracy are the lowest, where we would expect them to be much higher. People trust more in Tor.

This map does tell us that crime is everywhere in Tor, at a more alarming rate than we thought.

We are doing the same with the e-mail addresses we found in Tor. The email table is a place where we can get a better picture of emails in the Tor network; not all of them go to tormail.org as we thought. As mentioned, more i2p and connections with other anonymous networks seem to be a trend: as the growth rate of Tor users increases, so does the technical base, and more sophisticated users will come on board.

Hope this gives you a better picture of Tor. -gAtO oUt

03/24/13

Tor is NOT the ONLY Anonymous Network

gAtO fOuNd this very interesting and wanted to share:

Tor does some things well, but other anonymous networks do other things better. Only when used together do they work best. And of course you want to already know how to use them should something happen to Tor and you are forced to move to another network.

Try them! You may even find something interesting you cannot find on Tor!

Anonymous networks

These are well known and widely deployed anonymous networks that offer strong anonymity and high security. They are all open source, in active development, have been online for many years and resisted attack attempts. They run on multiple operating systems and are safe to use with default settings. All are well regarded.

  • Tor – Fast anonymous internet access, hidden websites, most well known.
  • I2P – Hidden websites, anonymous bittorrent, mail, out-proxy to internet, other services.
  • Freenet – Static website hosting, distributed file storage for large files, decentralized forums.

Less well known

Also anonymous networks, but less used and possibly more limited in functionality.

  • GnuNet – Anonymous distributed file storage.
  • OneSwarm – Bittorrent, has a non-anonymous mode, requires friends for anonymity.
  • RetroShare – File-sharing, chat, forums, mail. Requires friends, and not anonymous to those friends, only the rest of the network.
  • Omemo – Distributed social storage platform. Uncertain to what extent it is anonymous.

Non-free networks

These are anonymous networks, but are not open source. Therefore their security and anonymity properties are hard to impossible to verify, and though the applications are legit, they may have serious weaknesses. Do not rely on them for strong anonymity.

  • Osiris – Serverless portal system, does not claim to provide any real anonymity.

In development

  • Phantom – Hidden Services, native IPv6 transport.
  • GlobaLeaks – Open Source Whistleblowing Framework.
  • FreedomBox – Project to create personal servers for distributed social networking, email and audio/video communications.
  • Telex – A new way to circumvent Internet censorship.
  • Project Byzantium – Bootable live distribution of Linux to set up wireless mesh nodes with commonly available hardware.
  • Hyperboria – A distributed meshnet built on cjdns.

Routing Platforms

These are internets overlaid on the internet. They provide security via encryption, but only weak to no anonymity on their own. Only standard tools such as OpenVPN and Quagga are required to connect. Responsibility for a sufficiently anonymous setup is placed on the user and their advertised routes. More suited for private groups, as things out in the open can be firewalled by other participants. Can be layered above or below other anonymity nets for more security and fun.

  • Anonet – AnoNet2, a more open replacement for AnoNet1.
  • dn42 – Another highly technical routing community.
  • CJDNS – An IPv6 overlay network that provides end-to-end encryption. It is not anonymous by itself.

Alternative Internet

  • Netsukuku – A project that aims to build a global P2P online network completely independent from the Internet by using Wi-Fi. The software is still in active development, although the site is no longer updated. A new site is being built.
  • Many other wireless communities are building mesh networks as an alternative to the Internet, e.g. Freifunk, http://guifi.net and many more around the globe.

Alternative domain name systems

  • Namecoin – Cryptocurrency with the added ability to support a decentralised domain name system currently as a .bit.
  • OpenNIC – A user controlled Network Information Center offering a democratic, non-national, alternative to the traditional Top-Level Domain registries.
  • Dot-P2P – Another decentralized DNS service without centralized registry operators (as of July 18, 2012 the page is not accessible, and nothing is known about the status of the project since February 2011).

03/10/13

Finding the Bad Guys in Tor – triangulated irregular network

gAtO ThInKiNg - a car GPS works very simply. It takes the delay time from one geo-positioned satellite and compares it to another geo-positioned satellite, and estimates the position of the GPS in my CAR. I think they call it satellite triangulation or something cool; it’s been done with radios to help pilots navigate ever since they developed radios. We do it with satellites, and we can use networks too.

triangulated irregular network - So now apply this to the Tor bad guys’ websites, a hidden service!

With a simple command you can get the time it takes to crawl a website. So you have one server in the U.S., one in South America, one in Europe and one in Asia, and we run the same command, getting the delays from each location. I bet with a little math and some basic network tools we could figure out the geo-location of any given website in Tor. One of my good mentors told me that in my crawls I was capturing timing information. We all see timing information with a simple ping command in the clear web, but in Tor UDP is unsupported so it does not work. We must take into account the Tor network throughput and utilization, but that’s easy to get from a number of Tor tools.

Reverse triangulation of a network server should be easy with a little math: just take a good sample, and the longer you wait the more data you collect and the better the chance you can find the geo-location of a website. We do this in the clear web all the time; we can see bad areas of the world that are bad spammers and the like: mail from African prince scams offering you millions if you send them some money to cover the transfer, or Russian and Chinese phishing attacks. So we know some geo-locations and some IPs are more prone to bad actors, and we can draw a profile, a geo-location of a place and/or country or an ISP. So having the IP of a Tor server may not be needed to find them; we could use network triangulation, “triangulated irregular network”. The same thing can be done with networks and the timing delays of data back and forth from a client <–> Tor OR <–> server.

I got a crazy idea that may or may not work, but it sounds good. So, now if I can only find a government grant and a good math major to help out, we have a big business model to find the bad guys’ geo-location even in Tor - gAtO oUt…

02/3/13

Offensive Cyber Capabilities

Companies Need Offensive Cyber Capabilities

gAtO hEaR - about banks seeking U.S. help on Iran cyberattacks. We hear about cyber attacks in the financial sector, the oil and energy sectors; then Leon Panetta warned perpetrators to cease hacking the US, while we have all kinds of sanctions against Iran. This is insanity. You’re telling unknown hackers (we suspect Iran) to just stop, or what? What can we do to prevent them from launching cyber attacks against America?

So Iran has only 3 NAT-access points and 1 submarine cable (Al-Faw, Iraq submarine cable).

Then you have all these security people putting up defenses without building a firewall so bad-ass that they cannot do business. If we keep building these defenses it will get to a point where it defeats the purpose of the Internet. So what is the logical next move? Offensive cyber weapons and capabilities. We can find these attacks and pinpoint the IP of where they are coming from; then all we need is offensive tools to find them and do a SEAL Team 6 extraction or something like that, and get the word out that we will find you and hunt you down.

One little hacker in the middle of the desert can keep a bank tied up for days. They could go after our traffic system, our rail system; we know that SCADA is so messed up and in some cases open with default passwords. So we beat our chest like some mad gorilla and hope to scare these hackers.

My friends, we must take the initiative and find ways to counter these attacks, no more just defense, and I don’t mean a DDoS attack that can be circumvented. We need to plant bot-nets on these people’s machines and monitor them, and if we have to, go physical and bring them to justice. Forget about Iran and let’s just talk about Chinese hacker attacks on our intellectual property. They just deny it and go about planning the next attack. We’ve seen Skynet, where thousands of computers were given a disk wipe and the blue screen of death. Why don’t we do the same to these hackers going after our infrastructure?

We must change our tactics and be a little more aggressive and become real cyber warriors: not just defenders, but attacking them and destroying their machines, their servers and routers. How about we just monitor the 1 submarine cable and 3 access points in Iran? That should lead us to some of these people. The US monitors our own people, then we stand by and allow other hostile countries to go and hack us. This is cyber insanity - gAtO OuT

01/21/11

Stuxnet – the wonder WoRm

Stuxnet or a similar worm will start the war at the industrial level. Industrial control systems are so weak as to security that they have no defense; the OS is never updated, so the holes are there waiting for any script kiddie to come and hack.. hack.. hack…

Stuxnet –

  • The worm reportedly knocked out one-fifth of Iran’s nuclear centrifuges.
  • its designers knew exactly how the centrifuges would react (including giving operators the false impression they functioned properly).

This is a weapon that the designers knew:

  • What equipment they had in the plant – Siemens
  • How to vary the speed of the centrifuges
  • How to give a false impression to operators
  • A flash RAM was used to introduce the worm
  • It knew the OS and network IP addresses

12/1/10

APT-Advanced Persistent Threats- the slow hack is the WORST

Advanced Persistent Threats (APT)

What’s an APT? A Brief Definition

Advanced Persistent Threats (APTs) are a cybercrime category directed at business and political targets. APTs require a high degree of stealthiness over a prolonged duration of operation in order to be successful. The attack objectives therefore typically extend beyond immediate financial gain, and compromised systems continue to be of service even after key systems have been breached and initial goals reached.

Definitions of precisely what an APT is can vary widely, but can best be summarized by their named requirements:

Advanced – Criminal operators behind the threat utilize the full spectrum of computer intrusion technologies and techniques. While individual components of the attack may not be classed as particularly “advanced” (e.g. malware components generated from commonly available DIY construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They combine multiple attack methodologies and tools in order to reach and compromise their target.

Persistent – Criminal operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. This distinction implies that the attackers are guided by external entities. The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful.

Threat – means that there is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The criminal operators have a specific objective and are skilled, motivated, organized and well funded.

How Advanced Persistent Threats Breach Enterprises:

APTs breach enterprises through a wide variety of vectors, even in the presence of properly designed and maintained defense-in-depth strategies:

  • Internet-based malware infection
  • Physical malware infection
  • External exploitation

Well-funded APT adversaries do not necessarily need to breach perimeter security controls from an external perspective. They can, and often do, leverage “insider threat” and “trusted connection” vectors to access and compromise targeted systems.

Abuse and compromise of “trusted connections” is a key ingredient for many APTs. While the targeted organization may employ sophisticated technologies in order to prevent infection and compromise of their digital systems, criminal operators often tunnel in to an organization using the hijacked credentials of employees or business partners, or via less-secured remote offices. As such, almost any organization or remote site may fall victim to an APT and be utilized as a soft entry or information harvesting point.

A key requirement for APTs (as opposed to an “every day” botnet) is to remain invisible for as long as possible. As such, the criminal operators of APT technologies tend to focus on “low and slow” attacks – stealthily moving from one compromised host to the next, without generating regular or predictable network traffic – to hunt for their specific data or system objectives. Tremendous effort is invested to ensure that malicious actions cannot be observed by legitimate operators of the systems.

Malware is a key ingredient in successful APT operations. Modern “off-the-shelf” and commercial malware includes all of the features and functionality necessary to infect digital systems, hide from host-based detection systems, navigate networks, capture and extricate key data, provide video surveillance, along with silent and covert channels for remote control. If needed, APT operators can and will use custom developed malware tools to achieve specific objectives and harvest information from non-standard systems.

At the very heart of every APT lies remote control functionality. Criminal operators rely upon this capability in order to navigate to specific hosts within target organizations, exploit and manipulate local systems, and gain continuous access to critical information.

If an APT cannot connect with its criminal operators, then it cannot transmit any intelligence it may have captured. In effect, it has been neutered. This characteristic makes APTs appear as a sub-category of botnets.

While APT malware can remain stealthy at the host level, the network activity associated with remote control is more easily identified. As such, APTs are most effectively identified, contained and disrupted at the network level.
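The network-level identification the last paragraph refers to, as an added example that is not from the original post: a periodicity check over constructed connection-log lines that flags a host whose outbound connections to one destination recur at a near-constant interval, the fingerprint of low-and-slow remote control. The log format, hosts and thresholds are assumptions made for the example.

```python
"""Flag low-and-slow beaconing in outbound connection logs.

Added example, not part of the original post. For each (src, dst) pair it
measures how regular the gaps between connections are; remote-control
check-ins tend to be far more regular than human browsing. The log lines,
hosts and thresholds below are constructed/assumed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line: "timestamp src dst:port bytes".
# 203.0.113.7:443 is contacted once an hour (beacon); 198.51.100.20:80 is
# ordinary, irregular web traffic.
SAMPLE_LOG = """\
2010-11-30T01:00:00 10.0.0.5 203.0.113.7:443 412
2010-11-30T01:00:03 10.0.0.5 198.51.100.20:80 15020
2010-11-30T01:07:30 10.0.0.5 198.51.100.20:80 98011
2010-11-30T02:00:02 10.0.0.5 203.0.113.7:443 409
2010-11-30T03:00:01 10.0.0.5 203.0.113.7:443 415
2010-11-30T03:41:19 10.0.0.5 198.51.100.20:80 2210
2010-11-30T04:00:04 10.0.0.5 203.0.113.7:443 411
2010-11-30T05:00:00 10.0.0.5 203.0.113.7:443 410
2010-11-30T05:05:12 10.0.0.5 198.51.100.20:80 7750
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from the constructed log format."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def beacon_score(timestamps):
    """Return (mean_gap_seconds, coefficient_of_variation) of the gaps between
    successive connections, or None with fewer than 3 connections.
    A coefficient of variation near 0 means the gaps are almost identical."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, max_cv=0.1, min_connections=4):
    """Return [(src, dst, mean_gap, cv)] for pairs whose connection timing is
    regular enough (cv <= max_cv) over at least min_connections connections.
    Thresholds are assumptions; tune them against real traffic."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score is not None and score[1] <= max_cv:
            hits.append((src, dst, score[0], score[1]))
    return hits


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every {gap:.0f}s (cv={cv:.3f})")
```

A real deployment would feed this from flow or proxy logs and add the usual exclusions (update servers, monitoring agents) that also check in on a schedule.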


11/23/10

CyberPatriot High School Cyber Defense

How it works (by the US Air Force):

The competition challenges students to find ways to ward off mock cyber attacks, what most people correlate to computer viruses and malware.

The team must correctly install antiviral and malware protection, check for vulnerable outside access points and perform other Internet security jobs within a certain timeframe.

Students are awarded points based on how well they defended the computer and established a secure network so that it couldn’t be attacked by an outsider.

11/22/10

Here are a few Security Links and Feeds

Exploits-Database GoogleHacking-DB
http://www.exploit-db.com/
DOD Sitemap
http://www.defense.gov/news/other.html

stuxnet
http://www.cnn.com/2010/TECH/web/11/17/stuxnet.virus/index.html?iref=allsearch

http://en.wikipedia.org/wiki/Stuxnet#cite_note-BBC-5

http://news.bbc.co.uk/2/hi/technology/7004750.stm

Siemens
http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo?=en&objid=43876783&caller=view

Rhode Island
http://isaca-ri.org/cms/

Internet Crime Complaint Center
http://www.ic3.gov/default.aspx

Anton Chuvakin Blog – “Security Warrior”

BankInfoSecurity.com RSS Syndication

Cyber Risk Reports

CNET News.com

CSOONLINE.com Feed – Articles

CyberCrime & Doing Time

Dancho Danchev’s Blog – Mind Streams of Information Security Knowledge

Secrecy News

FireEye Malware Intelligence Lab

F-Secure Antivirus Research Weblog

GovInfoSecurity.com Articles RSS Syndication

Naked Security – Sophos

Hack In The Box

Help Net Security – Vulnerabilities

honeyblog

Information Warfare Monitor

Security Central – Infoworld

Kaspersky.com / All News

HomeJARTRAN FEED

Krebs on Security

Malware Intelligence Blog

McAfee http://feeds.feedburner.com/McafeeAvertLabsBlog

Blog Central » George Kurtz

Metasploit

Microsoft Security Bulletins

Moreover Technologies – Computer security news

Network World on Security

NIST IT Security : News

PandaLabs Blog

PenTestIT

Russian Business Network (RBN)

Rootsecure.net – secnews

SANS Computer Forensic Investigations and Incident Response

SANS Information Security Reading Room

Schneier on Security

SearchSecurity: Network Security Tactics

SearchSecurity: Security Wire Daily News

SearchSecurity: Threat Monitor

Securelist / Blog

Security Database Tools Watch

SecurityTracker Vulnerability Headlines

Sophos latest virus and spyware detection

Sunbelt Blog
http://www.schneier.com/

DOD Media
http://www.dma.mil/dma_solicitations.shtml
2600: The Hacker Quarterly
rss feeds
feed://www.zone-h.org/rss/news
ZD-Net
http://feeds.feedburner.com/zdnetuk/news/security
US-Cert Technical Alert & Bulletins
feed://www.us-cert.gov/channels/techdocs.rdf
US-Cert National Cyber Alert System
feed://www.us-cert.gov/channels/cas.rdf
US-Cert Cyber Security Tips
feed://www.us-cert.gov/channels/tips.rdf
Trend Micro
http://feeds.trendmicro.com/Anti-MalwareBlog
The Dark Visitor -inside the World of Chinese Hackers
feed://www.thedarkvisitor.com/feed/

Security Global – http://global-security.blogspot.com/

Tenable Network Security
feed://blog.tenablesecurity.com/atom.xml

http://taosecurity.blogspot.com/
http://ha.ckers.org/blog
http://www.gnucitizen.org/

http://www.darknet.org.uk/
http://spylogic.net/

http://www.liquidmatrix.org/blog/

http://jeremiahgrossman.blogspot.com/ (a little light on good content lately imo)
http://www.theregister.co.uk/security/
http://www.planet-websecurity.org/
http://global-security.blogspot.com

11/20/10

Cyber Warfare – Country IP Block

Did a search on cyber China, India, Iran, North Korea, Pakistan, Russia and got some interesting things.

China has its nose in everything; “cyber samurai” are everywhere. Here is an article about “China’s Cyber Capability”. This is a real thing: we as Americans all have to do the right thing, just like using the new lightbulbs, and open our eyes about SECURITY at work and at home. Think about what you have on your computers that are connected to the internet.

rIcArDo OuT..

About 100 countries are assessed as presently having cyber warfare capabilities. The advanced developed countries, which are the most ‘wired’ and consequently the most vulnerable, have taken the lead in initiating research not only on defensive measures, but also on methods of tracking, neutralizing and deterring cyber ‘attacks’. Because of their high vulnerability to cyber attacks, the developed advanced countries have commenced seriously debating on the manner in which the victim of a cyber ‘attack’ could retaliate. The US favours military retaliation including by precision ballistic missile strikes, while Russia feels that the matter should be taken to the UN for decision.

Country IP Block
Security Solution with Searchable IP Block Database
http://www.countryipblocks.net/

http://www.ists.dartmouth.edu/docs/cyberwarfare.pdf
CYBER WARFARE AN ANALYSIS OF THE MEANS AND MOTIVATIONS OF SELECTED NATION STATES – Nov 2004
INSTITUTE FOR SECURITY TECHNOLOGY STUDIES AT DARTMOUTH COLLEGE

Relying exclusively on open source information, our task is to assess the relative capabilities of certain countries identified in the literature (China, India, Iran, North Korea, Pakistan, and Russia) to wage an effective cyber attack against an adversary.