Active Defense Intelligence for the dark web

bitcoin-gollum

good guys and bad guys use Bitcoins too

gAtO – reading about  tools to enable business to have a proactive intelligence of the dark web for an “ Active Defense”. This new model includes not only traditional but unconventional methods using OSINT to gather the intelligence needed.

Companies are getting sick and tired after years of focusing mainly on the defensive postures like malware used in data breaches and financially motivated hacks, some security experts have begun to turn the spotlight on the attacker himself, attempting to profile the bad actors stealing your blueprints or customer credit card numbers, or leaking your usernames and passwords on Pastebin.

The facts are that corporations are spending millions of dollars in defense and defense-in-depth and best practices, and it’s still not helping. With the new active defense we’re making the adversary earn their medals, but they are still getting in. It may take two days now instead of one but we have a fighting chance.

The corporate world have defense and now adding this new model Active Defense (means = offensive) now you need a little dark web intelligence to bind the two together – gAtO OuT

Advertisements

TTP – cyber -tactics- techniques- and procedures

TTP – cyber –tactics, techniques, and procedures

HUMINT in cyberspace- finding adversary activities in cyberspace with subject matter expertise in intrusion set tactics, techniques, and procedures (TTP)

gAtO tHiNk- we should all learn form the state actors and adapt – China – they profile a company- then the c-suite their likes, dislikes, social media, family – then build a profile and launch the phishing email to specific tageted c-suite that loves that new golf clubs, or watch they been looking for. Wham – PoW – were in..// we all know this.

Crawling Tor Hidden Service - websites

Crawling Tor Hidden Service – websites

Example in Tor there are a few under-web hacking sites were they trade small basic hacks and share information about weakness and exploits most of it is silly n00bs stuff, but once in a while you will see the real thing and you have to know better if it’s LE or a real gamer, faker or joker or a thief. You need a personas and make it trusted for a while – so it’s legit in that world-// then you just have to sit and look here and there, and find new places to search. From these sites you can gauge whats hot and whats new and real, but it’s all a game that you have to play. HUMINT in cyberspace that’s the way you see the real things come and go. Cyber fame is on some way a weakness in the geek squad that hack the codes that makes this all happen. So you have to sit and wait.

HUMINT in cyberspace can get insider intelligence if you do it right, the Tor-network is perfect for OPSEC countermeasures tool in anything in cyberspace. With a few proxies and/or VPN – it Boot’s up from a thumb drive and 100% secure in your possession and encrypted. Surf Tor or the real Internet secure and private- untraceable— add your own Tor-hidden service-website that you control without any DNS or domain registration -(with a laptop) your website can move from anyplace never the same spot twice with open WiFi-hotspots- for OPSEC websites that’s untraceable a thing like the Tor network is a great tool that a pro-adversary would use for secure communication (C2)c&c and distribution tool.

Source of new URL’s and websites: can be gathered with a simple crawler and search engine to store everything.- this will enable you to find new places to go in and check out – there is so much information on Tor, so many places to hide secrets – so it’s the most interesting place in cyberspace for a puzzle freak.

Tor comes in any flavor and rides on any Internet connection -KISS- With the information from the Search Engine —Now HUMINT in cyberspace has places to go and things to verify but it’s time spent in learning everything you think is crazy, just to see of it’s real. for example:Who may uses it?

TTP- We reverse-engineered a lot of Anonymous operations and saw a real interesting thing, in a loose based organized operations with many strangers never working together, they learned from all the OP’s and adapted every time, and I don’t mean simple attack methods or crap like that, it’s organized and well planned. Some were “placed” operations with state actors to see what can be done.—-tactics, techniques, and procedures

Some operations were too well organized. In some cases Anonymous was used as a ruse while the real threat hacked the side doors as they were kept busy with youngsters play toys. The real attackers hacked away and placed their logic bombs for later after things calm down…

It’s outside the box and thinking vulnerabilities not defense – every defense has a countermeasure. Once again HUMINT in cyberspace payed off to learn how the kiddies play, but learning most how the leaders think and plan and communicate and manage the people get’s the most miles.

As Anonymous’ cyber “activism” only increases in prevalence, many organizations—both government and corporate—have moved to protect vital, sensitive information, including NATO. By issuing this press release explaining their updated security procedures, NATO was acknowledging the rapid evolution in prevalence and sophistication of cyber terrorism since, well, not that long ago.

But if NATO—with the combined resources of 28 member countries—is that concerned about the protection of its sensitive data from admittedly sophisticated criminal enterprises, shouldn’t its announcement last week serve as a harbinger for other organizations without intercontinental alliances?

From supply chain attacks going after the big players thru small contractors get’s some of the best access to Intellectual Capital and other goodies. In cyberspacewe have found that when you select the target and keywords – then the TTP–tactics, techniques, and procedures become clear and make the rules to provide a solid plan for the operations.

HUMINT in cyberspace is the new skill set that will help you understand the new cyber enemy in the new digital domain with web-apps flying everywhere – by the time NATO put’s it all on paper, everything changed so adaptability and changing on a dime has to be the new rule in NATO and other corporations but are they too big to change with the times – if you don’t change and adapt then you loose in cyber-world -gAtO ouT.

ref:IAM and Cyber Terrorism: NATO Reassess Their Cyber Security Policies

http://www.aveksa.com/blog/bid/300679/IAM-and-Cyber-Terrorism-NATO-Reassess-Their-Cyber-Security-Policies

 

CrowdStrike Launches Security Service That Tracks Cyber-Attacker Tactics

http://www.eweek.com/security/crowdstrike-launches-security-service-that-tracks-cyber-attacker-tactics/

 

Weaponize the Tor Network:

weaponizing-the-web1-720x2808

Weaponize the Web

prism-01

if you got nothing to hide – you got nothing to worry about

 gAtO wAs – asked the Tor-Network is slow as heck, does not support sending outgoing email and does not support UDP packets of the TCP/IP protocol, so can it be weaponized? Maybe monitoring the Tor-Network like Prism and Nucleon or the Japan based Daedalus Monitoring program at the very least?

Data collection in Tor:

I guess this all depends on your definition of what a weaponize cyber weapon is-///-IP theft- here we have a vast collection of both /IP-(intellectual Property) and /copyright – /hacking /sql-i in Tor// -.- /hacktivism -how about /personal privacy online-collection of all internet transaction and data sharing with Google, Facebook, Microsoft and others— /government censorship of it’s people /Worldwide Internet monitoring-///  Like a room 641a for Tor only traffic.

prism-03

Daedalus Monitoring program

Mix a little more counter-offensive cyber class weapons like Stuxnet, Flame and DuKu – add a bit of misinformation and propaganda to the mix and we have a better question.

Next we have a more military type cyber weaponized solution. Control Drones planes in Tor -another one is dDos, attacks on the electric grid or sabotage satellites. Cyber attacks like power outage, hacking attacks on cell phones and wall street computers and add traffic lights and traffic in the northeast going wacko. Like they say trains, planes and automobiles are all connected to cyberspace from China to Canada… prism-02

Tor can also be used in all the above scenario- Yes big brother/sister it can. So the answer is Yes, but Tor is not the pony network that can do this work. There are other kinds of anonymized networks that can be used, and with your own relays all over the world you can create your own Tor-private network that only you use so it will be faster and side nobody can see it – well Tor is not the only network one to watch for cyber weaponized products – gAtO oUt

 

 

 

Government use of Cyber Weaponized Exploits

gAtO rEaD- The government is buying hackers exploits – not to stop these sophisticated cyber exploits but to use these tools against it’s own people- they are using the tools to infiltrate computer networks worldwide, leaving behind spy programs and cyber-weapons that can disrupt data or damage systems.network

The core problem: Spy tools and cyber-weapons rely on vulnerabilities in existing software programs, and these hacks would be much less useful to the government if the flaws were exposed through public warnings. So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired. So your computer is vulnerable and the governments knows it and will not disclose this information, but use it against you to place cookies,RAT’s or other spyware into your computer -maybe- I trust our government don’t you?

If you got nothing to hide, you should not be worried… right????

So our Tax dollars are going to Hackers and cyber criminals that sell these exploits all over the world. As a tax payer I don’t like this part at all. But the worst part is by us taking the lead of cyber offensive cyber tools -example.. Stuxnet – it is a plan book for other countries to do the same. So what we do in cyberspace has become socially acceptable to do in cyberspace and then we bitch about China. I don’t get it – mEoW

Officials have never publicly acknowledged engaging in offensive cyber-warfare, though the one case that has beenmost widely reported – the use of a virus known as Stuxnet to disrupt Iran’s nuclear-research program – was lauded in Washington. Officials confirmed to Reuters previously that the U.S. government drove Stuxnet’s development, and the Pentagon is expanding its offensive capability through the nascent Cyber Command.

Then you have the Prism disclosure and PoW- US Cyber Agents Disrupt Publication of Popular Al Qaeda Magazine – This means that Obama’s cyber military is potentially capable of more targeted attacks, specified at damaging particular pieces of information or infrastructure. I wonder where they got those vulnerabilities? maybe some bad guys—/Nato_cyber_plat

What worries me is as the U.S engages in these attacks our enemies are learning what is acceptable in cyberwar. So we must be careful not to lose the fact that everyone is watching what we do and how we treat cyberspace and others governments will follow, defensive and offensive, they are learning from the best the U.S. Government -gAtO oUt

ref: http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510

 

http://www.businessinsider.com/us-cyber-agents-disrupt-inspire-magazine-2013-6

 

 

Tor Websites over 1/3 TANGO DOWN

gAtO bEeN- doing some work on his Tor- search engine and finding Tor-websites IP but other are doing the same thing and publishes the news-

I guess the news is getting out and people are bringing their Tor-hidden service-websites are going DOWN. Not by my work – I wish – but by a simple little report -:tor-revealing_guard_nodes

IEEE 2013 just put out a report: Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization

http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf

yes kiddies wee can find your Tor-Website and find the IP and get the geo-location and track you down. The worst part now others know and Tor-websites are being taken down by their own administrators  so they can do countermeasures and not be caught.

2013-05-29 we had 16,000 Tor websites

2013-06-04 we have 3,517 Tor Websites

Application Server Details
Cache Last Updated (Local Server Time): 2013-05-29 23:19:07 MET
Last Update Cycle Processing Time (Seconds): 645
Current Cache Expire Time (Seconds): 300
Number of Routers In Cache: 3582
Number of Descriptors In Cache: 16099
Approximate Page Generation Time (Seconds): 0.1987
Application Server Details
Cache Last Updated (Local Server Time): 2013-06-04 02:11:43 MET
Last Update Cycle Processing Time (Seconds): 553
Current Cache Expire Time (Seconds): 300
Number of Routers In Cache: 3599
Number of Descriptors In Cache: 5817
Approximate Page Generation Time (Seconds): 0.01

So what happened to all the Tor-hidden serve-websites? All I care about is that my work now backed up by this reports shows we are on the right track and we can do what we say we can do and that is to bring down pedophiles websites down in the Tor-network.

The Tor-network is great but these monsters are making Tor a bad place to work and do legit business. Let’s hope other get the message that we are hunting you down even in Tor cowards- gAtO oUt

Tor is NOT the ONLY Anonymous Network

gAtO fOuNd – this very interesting and wanted to share –

Tor does some things good, but other anonymous networks do other things better. Only when used together do they work best. And of course you want to already know how to use them should something happen to Tor and you are forced to move to another network.fin_07

Try them! You may even find something interesting you cannot find on Tor!

Anonymous networks

These are well known and widely deployed anonymous networks that offer strong anonymity and high security. They are all open source, in active development, have been online for many years and resisted attack attempts. They run on multiple operating systems and are safe to use with default settings. All are well regarded.

  • Tor – Fast anonymous internet access, hidden websites, most well known.
  • I2P – Hidden websites, anonymous bittorrent, mail, out-proxy to internet, other services.
  • Freenet – Static website hosting, distributed file storage for large files, decentralized forums.

Less well known

Also anonymous networks, but less used and possibly more limited in functionality.

  • GnuNet – Anonymous distributed file storage.
  • OneSwarm – Bittorrent, has a non-anonymous mode, requires friends for anonymity.
  • RetroShare – File-sharing, chat, forums, mail. Requires friends, and not anonymous to those friends, only the rest of the network.
  • Omemo – Distributed social storage platform. Uncertain to what extent it is anonymous.

Non-free networks

These are anonymous networks, but are not open source. Therefore their security and anonymity properties is hard to impossible to verify, and though the applications are legit, they may have serious weaknesses. Do not rely on them for strong anonymity.

  • Osiris – Serverless portal system, does not claim to provide any real anonymity.

In development

  • Phantom – Hidden Services, native IPv6 transport.
  • GlobaLeaks – Open Source Whistleblowing Framework.
  • FreedomBox – Project to create personal servers for distributed social networking, email and audio/video communications.
  • Telex – A new way to circumvent Internet censorship.
  • Project Byzantium – Bootable live distribution of Linux to set up wireless mesh nodes with commonly available hardware.
  • Hyperboria A distributed meshnet built on cjdns.

Routing Platforms

These are internets overlaid on the internet. They provide security via encryption, but only provides weak to none anonymity on their own. Only standard tools such as OpenVPN and Quagga are required to connect. Responsibility for a sufficiently anonymous setup is placed on the user and their advertised routes. More suited for private groups as things out in the open can be firewalled by other participants. Can be layered above or below other anonymity nets for more security and fun.

  • Anonet – AnoNet2, a more open replacement for AnoNet1.
  • dn42 – Another highly technical routing community.
  • CJDNS, an IPV6 overlay network that provides end to end encryption. It is not anonymous by itself.

Alternative Internet

  • Netsukuku – A project that aims to build a global P2P online network completely independent from the Internet by using Wi-Fi. The software is still in active development, although the site is no longer updated. A new site is in progress of being built.
  • Many other wireless communities building mesh networks as an alternative to the Internet, e.g. Freifunk, http://guifi.net and many more around the globe. see also

Alternative domain name systems

  • Namecoin – Cryptocurrency with the added ability to support a decentralised domain name system currently as a .bit.
  • OpenNIC – A user controlled Network Information Center offering a democratic, non-national, alternative to the traditional Top-Level Domain registries.
  • Dot-P2P – Another decentralized DNS service without centralized registry operators (at July 18, 2012 page is not accessible and has not known anything about the status of project from February 2011).

See Also

Tor Website 36% are Criminals Sites

gAtO iS CrAwLliNg websites-We just completed our new crawl of Tor URL that we found. We started with 2,000 URL’s and we got about 550 positives from this first run. This will change since some sites go up and down for no rhyme or reason. I went back to verify one site that my crawl picked up with all kinds of good information but later when I went back it would not come up. So this is an ongoing thing in order to map out all of Tor’s hidden service websites. From the preliminary data Pedo sites are about 18% of the sites we discovered another 4-6% guns and assassins and another 14-16% of different criminal type’s of sites or scams. So that is over 36% of the sites we found were criminal type, that is not good for anyone.

Crawling Tor Hidden Service - websites

Crawling Tor Hidden Service – websites

Tor is an excellent software for being private and having some level of safety but this new light is not good for the people that want to use Tor and the Dark Web to do good things and positive things. Now we see that the bad guys are all over Tor-Dark Web we hope this list will help it become better.

This list is only available to Law enforcement, governments and selected security companies, you must be verified first before you can get a hold of this list of Onion websites in Tor. This is not a free list (we have to recover our cost of r&d) and this is only the first steps we have gained over 12,000 new URL in Tor from this crawl and will be doing more crawls and adding more information to the list.

What really freaked us out was the undocumented website that are not in any hidden wiki in Tor and the number of them being put out by criminals. Now some of the other information that we collected see list below will give us a baseline like — Last-Modified: — will give us an indication of how active they are. The —Server: & Web Application:— will give us the web app they use and from the looks of things some are vulnerable to all kinds of hacking attacks. Tor websites are the same as any site and if you don’t update your website, well your vulnerable to hacking from anyone and in Tor you don’t have a clue because they are protected just like the site.

This will be an ongoing crawl for the next year or so, so expect the list to grow and as new data is collected more will be revealed about the how, and the use of Tor and who uses Tor will become not just theories but facts that we can verify – gAtO OuT 

Internal URL’s – 

 [url] 

    [content_type]

    [http_code]

    [header_size]

    [request_size]

    [filetime]

    [ssl_verify_result]

    [redirect_count]

    [total_time]

    [namelookup_time] 

    [connect_time]

    [pretransfer_time]

    [size_upload] => 0

    [size_download] => 124

    [speed_download] => 7

    [speed_upload]

    [download_content_length] 

    [upload_content_length]

    [starttransfer_time]

    [redirect_time]

    [certinfo] 

Cache-Control

Expires: 

Pragma: 

HTTP

Server:

Crawl Date:

Content-Type: 

Content-Length:

Last-Modified:

Connection:

Accept-Ranges:

Proxy-Connection: 

Set-Cookie:

Content-Length: 

Accept-Ranges:

Web Application: