Tor Wacky Times and the NSA

gAtO rEaD – that Tor (the Deep Dark Web) is now all messed up by the NSA, FBI and LEO, so all you bad guys using the Tor network better watch out – or should they???

Aug 5 – the FBI snakes into Freedom Hosting and puts a number of websites out of business in the Dark Web. They let the flames go out that they caught a bunch of pedophile sites with that bust, but it does not seem so.

The Attack on the Dark Net Took Down a Lot More Than Child Porn – http://gawker.com/the-attack-on-the-dark-net-took-down-a-lot-more-than-ch-1081274609 – gAtO contributed to this article.

Aug 19 – millions of Tor clients start to show up. What’s this all about? We get a bunch of Tor clients just hanging around doing nothing in Tor. Some say it’s a botnet or something like that. Then it grows to 4, 5 million Tor users, and in the last week or so it starts to go down again. So what is all this about, all these Tor clients and the Tor botnet?

Oct 3 – Silk Road gets taken down. Oh, the FBI had a copy of the Silk Road servers back in June, just before the Aug 5 takedown of FH by the FBI. So the Feds had Silk Road all this time and this is all they can do, can’t even get a few Bitcoin wallets – what a cluster fˆ%k

Now you got the NSA saying that Tor is cracked and the bad guys cannot use it. They claim that they can hack Tor anytime and anywhere with documents that a summer student left on how to hack the Tor network back in 2006. By the way – most of these hacks do not work in Tor; maybe on a regular network, but not on the Tor network.

So now gAtO goes in search of Tor sites, and a lot of sites went down by hook or crook – BUT someone has started to replace these Tor hidden websites in the Tor network – but something is FuNnY – all these sites use the same web templates –

So now you can take a walk down memory lane and see that all the older Tor websites have gone away and new ones have magically re-appeared.

Now, if this was the only place where this has happened, OK sure, but at other Tor wiki / Tor link sites you will see the same thing – commercial sites are all FuNnY and all the non-commercial Tor websites are Tango Down.

So now Tor goes round and round but nobody knows what the heck is going on in the Tor network – the Deep Dark Web run by criminals or the FBI – you can answer these questions yourself by visiting the sites – trust but verify – ((not me)) – gAtO oUt


Anti Forensic Tales from the gAtO

gAtO iSa gRaY hAt thinker, so the forensic investigation world looks different to me than to normal people; let me explain. On LinkedIn I am having a great discussion about offensive security, going after the people that hacked you, and it’s overwhelming: the white hats play by the rules. gAtO is happy with that for 2 reasons. One, I am glad that people in this profession have honor, integrity and do the right thing; that speaks volumes for our field. The flip side is that out-of-the-box thinking is not included in the security mindset, so bad guys can get around things better because they don’t follow the rules. The rules are our guide for civilized interaction in cyberspace, but we need to look at the gray area where most bad guys operate.

“power is not only what you have but what your enemy thinks you have”

First off, in any forensic investigation the first thing you go for is the firewall logs and/or every log you can get your hands on, to find the attackers to your network. The bad news: with new encrypted network protocols such as the Tor .onion network, my entry point is useless to an investigator unless you have access to my exit node; you really cannot find my IP, let alone through a VPN or, as the saying goes, behind 7 proxies.

Hackers sometimes leave digital breadcrumbs for the forensic investigator to extract all kinds of information about the attacker, so overwriting metadata on everything I leave behind is a simple deterrent to your finding my whereabouts, what version of Word I used, or a user name and a few more details. Metadata leaks so much information about users, unknown to the average Jane/Joe. When we turn this around and apply metadata scraping to my target’s corporate website, I can get all sorts of information: user names, directory structure, email, and all sorts of information can be gathered by attackers doing reverse forensics on the target. This is why anti-forensics is such an interesting subject, and we are only scratching the surface.

If we get into your system, we can make sure that we do secure data deletion on any device that stores information that I play with, including the logs if I can; I just make sure that I follow a protocol like the DoD 5220.22-M data deletion standard, and you will be hard pressed to find anything I left behind. One thing I may point out: today’s hackers use misdirection, and anything left behind could be something to throw your investigation off. I may misdirect and leave digital breadcrumb tracks back to where I want you to go, to blame my enemies or a friend – mEoW. This is a newer pattern that has surfaced among hacktivists today.

One of the new defensive postures is to let cyber-criminals steal decoy files.

Of course, if we do write something onto your devices I will make sure it’s encrypted (e.g. AES-256); today there are so many ways to encrypt data or obfuscate my code to make life really hard for investigators. Of course, add steganography to the mix and it’s a whole new game; it may make it more challenging for you, but it will hide my actions very well. The advantage of steganography over cryptography alone is that messages do not attract attention to themselves. Plainly visible encrypted messages, no matter how unbreakable, will arouse suspicion.

Another aspect of hackers today is knowing cyber law. In the forensic market we are sometimes limited in our scope of work due to the legalities of discovery and/or due diligence; the lawyers set the parameters on what can be seen and what cannot be touched. It’s lawyer stuff, I don’t understand it, but it restricts proper cyber forensic reporting when they tie the cyber forensic investigator’s hands. One of the new tools for the judicial sector in crime fighting that is scary is the “forensic cyber psychologist”: these guys can detect criminal actions and understand criminal minds (wOw, where can I get my PhD). So what you’re trying to say is “you gotta think like a crook to catch a crook” – we all know that. But these forensic cyber-psychologists can predict criminal thought?? Remember the movie “Minority Report”, where they would arrest you for what you were thinking; that’s scary stuff for the judicial department to bring out. Lots of power in one person, I just don’t feel comfortable with that one.

Power is not only what you have but what your enemy thinks you have, and today hacktivists are a new breed of hackers: they make it personal, make it big, and make it loud. Misdirection by planting data that the forensic investigator will find can often be a ruse to misdirect and control your offensive movements in the investigation. Activist groups: it should come as no surprise that hacktivist motives differ sharply from the mainly money-driven masses of active cyber-criminals. Also unlike other types of threat agents, hacktivists do not typically hail from Eastern Europe and Asia. Those behind most of the breaches are from Western Europe and North America.

Hacktivists targeted data-dense assets like databases and web applications and often stole much more at one time than other types of threat agents. Also fitting with that goal was their interest in personal information and authentication credentials, which they stole far more often than anything else. This is a new, more intelligent hacker: credentials can give that trust-to-trust relation that companies need to do business, so stealing this object is a new level of sophistication of attackers in the hacktivist world.

From the Verizon 2012 DBIR report: in terms of the vectors through which hacktivist attacks took place, web applications win hands down (65%), while remote admin services like SSH were a distant second (18%). Hacktivists stole more certificates, which points to a slightly more sophisticated attacker. Take your local Linux administrator at work; guess what he knows??? She/he knows how to protect your system, and they know the basic flaws. We deal with the patches and fixes and work-arounds every day in the life of an administrator, working late into the weekend with no credit… Basic security 101: be nice to admin people, they know too much shit…. Add a social, cyber-fame element to this administrator’s life, and these are the real (insider threat) cyber leaders of the hacktivist movements. They are smart, and they have a social heart in the new cyber generation. It is interesting to note that two of the four incidents in the (Verizon only) dataset that met our “High” difficulty criteria were attributed to activist groups. All of these attacks were, unsurprisingly, considered to be targeted rather than opportunistic.

sudo mEoW- mEoW >>| gAtO will now get off the hacktivist hackers’ soapbox –

Further obfuscation – old-fashioned data padding

Want to make things more interesting? If you want to keep your data from being discovered, or at least make it more difficult to detect, you could add padding to your hidden secret. In this technique, detection is thwarted by the addition of bogus data, basically muddying the waters and making the detective determine what is the real data and what is not. Of course, it should be noted that padding additional data increases the likelihood that someone will look for hidden information in the first place. Access timestamps and other details are also something to watch: one major reason is that anti-malware and anti-virus software updates the last access time on files as it examines them.

Let’s not forget generic data hiding that is invisible, like Host Protected Areas (HPA) and DCO (Device Configuration Overlay). Yes, I do know that this data can be extracted, but if we apply some of the anti-forensic policies above, this data may become useless.

Disk imaging, data recovery, disk analysis, metadata extraction and network forensics: these are the basic global forensic tools that we use to look at attacks, and in most cases they work and will help you find the information you need to find out what the cyber criminal did and where they came from. But beware, one method does not apply to all – black hats, elite hackers, script kiddies, noobs, blue hats, hacktivists, state actors and commercial criminals; “one size does not fit all”, think critically:

-gAtO oUt

References:

http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

steganography image – it has a secret message – I used the iSteg program and the password is -password- what else from a security gAtO

FireWire reads Windows 7 memory, leave it to Microsoft.

One thing I found out while doing research for this post was reading the memory of a device to get passwords and such information – FireWire has access to physical memory – so I can write a little code (too late, found one written already, open source) on a Linux box and plug into any Windows machine through the FireWire port with a cable and –>>> read all memory, so there are ways to get around and grab the admin password too. Plug and play, they say. Bypass Windows 7 memory user access / FireWire memory access..

 

Today with a simple TorProject.org Tails, a USB-bootable Tor program, I can do my work and never leave a trail to follow, and that can make life hard for any forensic investigator.

Profiling a Corporation – metadata attack vector

gAtO sEe – that in today’s world getting a corporate profile for an attack plan has become easy, thanks to their own fault. This leads down the road to ruined corporate reputation, stolen IP (intellectual property), lost competitive advantage and loss of data. Of course, social activists, criminals, competitors and national governments use the technology against them to gain unhidden access to your networks. How?

Metadata information leaks by the corporation and their employees. According to retrieved information and the metadata in company documents, 71% of Forbes 2000 companies may be using vulnerable and out-of-date versions of Microsoft Office and Adobe software that allow hackers to identify –>

Usernames, email addresses, network details and vulnerable software versions to implement an Advanced Persistent Threat (APT).

Metadata in documents that your company distributes constitutes an information leak, and it can provide all kinds of information to any attacker. The high-tech sector publishes more documents across websites than any other industry. Something else: your employees on LinkedIn give all kinds of information about your company and your plans; even employment ads can help a potential hacker know what you are doing and maybe design the APT geared towards that subject.

Remember, today’s cyber attackers have support from lots of eyes and ears; like hacktivists, they have many people that can scan your website and look for information that can help the attack. You have 3 different attack vectors to worry about today:

  • IP based attacks
  • Web-Software attacks
  • Information Attacks

Corporate America, take care of your metadata or it will bite you hard -gAtO oUt

Cyber Jihad Intelligence last 6 months in 2012


gAtO found the International Institute for Counter-Terrorism (ICT), a pretty good site


 

Periodical Review: Summary of Information from Jihadi Forums

The Second Half of May 2012

This report summarizes notable events discussed on jihadist Web forums during the second half of May 2012. Following are the main points covered in the report:

  • Sheikh Ayman Al-Zawahiri calls on the residents of Saudi Arabia to organize mass protests to overthrow the Saudi regime.
  • The Pakistani Taliban publish a video of the storming of Bannu Prison, during which nearly 400 Muslim prisoners were freed, among them Taliban involved in an attempted assassination of the former president of Pakistan.
  • The Islamic State of Iraq exhorts Sunnis to realize that it is protecting their interests, while the Shiites are the real enemy, and must be fought.
  • Al-Qaeda in the Arabian Peninsula (AQAP) takes responsibility for an attack against Yemen’s minister of defense and US military officers at a military base near Sana’a.
  • Ansar Al-Din and the National Movement for the Liberation of Azawad jointly agree to establish an Islamic state in Azawad, northern Mali.
  • A new Libyan Salafi-jihadist group, “The Imprisoned Sheikh Omar Abd Al-Rahman Brigades”, publishes its first announcement.
  • The Islamic Emirate of Afghanistan publishes the second issue of the Urdu-language magazine Shariat.


Fatwas, March-April 2012

This review reports the main fatwas [religious-legal rulings] appearing in March and April 2012 on Minbar Al-Tawhid wal-Jihad, a Web site run by the Salafist ideologue Abu Muhammad Al-Maqdisi. The fatwas are issued by the prominent Salafists who comprise the site’s Sharia Committee, in response to Web surfers’ questions. Among those we have chosen to highlight in this review are fatwas covering the following: the religious-legal obligation of every Muslim to join jihad in Syria; affiliation with a Salafist political party; enlisting in an infidel army for the purpose of espionage; involvement in Libya’s National Transitional Council; and the status of the Free Syrian Army vis-à-vis the Salafist-jihadist Front for the Defense of the Syrian People.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



14/6/2012 Periodical Review: Summary from the Jihadi Forums – The First Half of May 2012

ICT’s Jihadi Websites Monitoring Group

This report summarizes the most prominent events brought up in the Jihadi online forums in the first half of May 2012. Following are the main issues raised in this report:
• Ayman Al-Zawahiri calls on the Muslims of Afghanistan, Somalia and Yemen to fight Western forces in the lands of Islam and revolt against “collaborator” regimes.
• Al-Qaeda again threatens to execute American-Jewish hostage Warren Weinstein.
• The Shura Council of the Islamic Emirate of Afghanistan declares “open season” against occupation forces in Afghanistan.
• Sheikh Fahd Al-Quso Al-Awlaki, a senior military leader of Ansar Al-Sharia, has been assassinated.
• The English-language jihadist magazine Inspire resumes publication after a hiatus with two issues on individual jihad.
• A new jihadist magazine about efforts to free Muslim women prisoners has hit the cyber newsstand: Majalat Al-Asirah [The Woman Prisoner].
• The second issue of the jihadist magazine Al-Qaeda Airlines appears.

ICT’s Jihadi Websites Monitoring Group

26/5/2012 Periodical Review: Summary from the Jihadi Forums – The Second Half of April 2012

ICT’s Jihadi Websites Monitoring Group

This report summarizes the most prominent events brought up in the Jihadi online forums in the second half of April 2012. Following are the main issues raised in this report:
• The leader of Al-Qaeda in the Islamic Maghreb (AQIM) calls on the Algerian people to boycott the coming elections in Algeria.
• AQIM threatens to attack Britain following its decision to extradite Abu Qatada Al-Filastini to Jordan.
• The Front for the Defense of the Syrian People steps up terrorist activity against Syrian government forces.
• Abd Al-Ghnai Jawhar, an explosives expert for Fath Al-Islam, is killed in Syria.
• Senior Salafi-jihadists in Egypt increase their propagandizing in Tahrir Square.
• A new series on preparing poisonous substances is published.
• Fursan Al-Balagh, a new jihadist media outlet, appears. 


10/5/2012 Periodical Review: Summary from the Jihadi Forums – The First Half of April 2012

ICT’s Jihadi Websites Monitoring Group

This report summarizes the most prominent events brought up in the Jihadi online forums in the first half of April 2012. Following are the main issues raised in this report:
• The leadership of Al-Qaeda and of its Somali affiliate Al-Shabab Al- Mujahideen threaten Britain with retribution for its intention to extradite al- Qaeda spiritual leader Abu Qatadah Al-Filastini to Jordan.
• Waliur Rehman, deputy commander of the Pakistani Taliban, threatens the UK with attack if it refuses to release Islamist prisoners – or at least improve their conditions.
• The Islamic Emirate of Afghanistan takes responsibility for a series of synchronized terrorist attacks against embassies and other targets throughout Afghanistan.
• Sheikh Abu Ubayda Yusuf Al-Annabi expresses solidarity with the Syrian people in their struggle against the regime of Bashar Al-Assad.
• A new jihadist series on military affairs, Al-Qaeda Airlines, is released.
• A new jihadist magazine is issued in Swahili.
• Evidence increases of the involvement of contributors to jihadist Web forums, such as Shumukh Al-Islam, in actual jihad and in terrorist activities.
• Leading jihadist Web forums Shumukh Al-Islam and Al-Fida resume operation after a temporary takedown last month.


21/4/2012 Periodical Review: Summary from the Jihadi Forums – The Second Half of March 2012

ICT’s Jihadi Websites Monitoring Group

This report summarizes the most prominent events brought up in the Jihadi online forums in the second half of March 2012. Following are the main issues raised in this report:
• In two separate audio files, Al-Qaeda leader Ayman Al-Zawahiri exhorts the Pakistani people to oppose their army and government, and the Afghani people to join jihad and beware of Muslims who collaborate with the US.
• Muhammad Al-Zawahiri, brother of Ayman Al-Zawahiri, is released from prison in Egypt.
• The Pakistani Taliban will wreak vengeance on the Pakistani regime and gain control of Pakistan’s nuclear weapons, according to top Taliban commander in Mohmand tribal region Sheikh Omar Khaled Al-Khurasani.
• Al-Qaeda in the Islamic Maghreb (AQIM) will strike at the heart of Germany, it says, unless the German government frees a Muslim woman prisoner in exchange for the release of a German hostage being held by AQIM.
• Contributors to jihadist Web forums praise Mohammed Merah, the terrorist from Toulouse, and urge Muslim youth in the West to emulate him.
• Leading jihadist Web forums Al-Fida, Shumukh Al-Islam, and Ansar Al- Mujahideen cease functioning during the latter half of March 2012. Ansar Al- Mujahideen and Shumukh Al-Islam resume activity in early April.


11/4/2012 Periodical Review: Summary from the Jihadi Forums – The First Half of March 2012

ICT’s Jihadi Websites Monitoring Group

This report summarizes the most prominent events brought up in the Jihadi online forums in the first half of March 2012. Following are the main issues raised in this report:
• Given what he calls the Iranian-Shiite conspiracy to attack and take over Saudi Arabia, Sheikh Abu Sufyan Al-Azdi Al-Shari, the deputy head of Al- Qaeda in the Arabian Peninsula (AQAP), urges Sunnis to wage jihad against the Shiite population of Saudi Arabia.
• Al-Qaeda in the Arabian Peninsula (AQAP) takes responsibility for assassinating an American military intelligence officer in Aden, Yemen.
• Ansar Al-Sharia declares Shabwa Province the Islamic Emirate of Yemen.
• Ahmad Faruq, Al-Qaeda’s head of the propaganda department of Al-Qaeda in Pakistan, calls for jihad against the Pakistani Army. He confirms the death of Ilyas Kashmiri, the operations officer of Al-Qaeda in Pakistan.
• Al-Balagh, a new jihadist magazine that focuses on events in Syria, is published.
• Majlat Al-Salafiyya, a new electronic Tunisian Salafi-jihadist weekly, is published.
• Leading jihadist forums embark on a massive campaign advocating Ansar Al- Sharia in Yemen.


30/3/2012 Periodical Review: Summary from the Jihadi Forums – The Second Half of February 2012

ICT’s Jihadi Websites Monitoring Group

This report summarizes the most prominent events brought up in the Jihadi online forums in the second half of February 2012. Following are the main issues raised in this report:
• A new video clip was issued, in which Ayman Al-Zawahiri calls for the revolution in Egypt to continue until the representatives of the previous regime have been eliminated, ties to the US have been severed, and the peace treaty with Israel has been nullified.
• The Islamic Emirate of Afghanistan encouraged Afghans serving proximate to Western security forces to attack them, and cited the Afghani chef who poisoned American soldiers as an example.
• Propaganda has increased against the Syrian regime, as have appeals to assist the Syrian people in their struggle against the regime.
• Al-Qaeda in the Arabian Peninsula (AQAP) took responsibility for an attack on the presidential palace in Yemen on the eve of the transfer of power from Yemen’s former president, Ali Abdullah Saleh, to its former vice president, Abd-Rabbu Mansour Hadi.
• Two new jihadist media institutions have been established: Al-Tahadi, and Inform Foundation for Media Production.
• A new jihadist Web forum called Al-Qital has been established.


19/3/2012 Periodical Review: Fatwas – January – February 2012

ICT’s Jihadi Websites Monitoring Group

The following report details the main fatwas published in January and February 2012 on Minbar Al-Tawhid wal-Jihad, a Web site run by the Salafi ideologue Abu Muhammad Al-Maqdisi. Web surfers’ questions are answered by the site’s Sharia Committee, which comprises a number of prominent Salafi sheikhs. This publication presents some of the religious-legal rulings [fatwas] handed down in January and February 2012. Among them, we highlight fatwas concerning the Islamic laws regulating participation in Libya’s National Transitional Council; the status of property looted from the estate of the deposed tyrant Muammar Qadhafi and, similarly, the status of property looted from members of the Syrian regime; the stance one should take toward Sunni soldiers fighting in the Syrian Army; and whether or not it is permissible under Islamic law for a Muslim to work for one of the security forces (police, military, FBI) in the West.


6/3/2012 Periodical Review: Summary from the Jihadi Forums – The First Half of February 2012

ICT’s Jihadi Websites Monitoring Group

This report summarizes the most prominent events brought up in the Jihadi online forums in the first half of February 2012. Following are the main issues raised in this report:
• Ayman Al-Zawahiri, the leader of Al-Qaeda, announced that the Somali movement Al-Shabab Al-Mujahideen had officially joined Al-Qaeda.
• Al-Shabab Al-Mujahideen organized a large celebration in honor of its having joined the ranks of Al-Qaeda.
• Ansar Al-Sharia in Yemen executed three Yemeni citizens suspected of collaborating with US forces.
• The Islamic State of Iraq took responsibility for assassinating Mullah Nadim Al-Juburi, a former leader who had left the organization.
• Abu Muhammad Al-Tahawi, an influential Salafi-jihadist in Jordan, called for jihad against the regime of Bashar Al-Assad.
• A new volume was published of Al-Shamikha, a jihadist magazine for women.
• New volumes appeared of three publications that cover the jihad in Afghanistan.
• The Salafi-jihadist media outlet Al-Faroq, which focuses on Egypt, launched a new Facebook page.


28/2/2012 Periodical Review: Summary from the Jihadi Forums – The Second Half of January 2012

ICT’s Jihadi Websites Monitoring Group

This report summarizes the most prominent events brought up in the Jihadi online forums in the second half of January 2012. Following are the main issues raised in this report:
• The Nigerian group Boku Haram has taken responsibility for a series of coordinated attacks perpetrated on January 20, 2012, against several police institutions in Kanu, the second-largest city in Nigeria.
• Using a car laden with explosives, the Somali group Al-Shabab Al-Mujahideen carried out a suicide terrorist attack against the regional headquarters of the Ethiopian Army in the city of Beledweyne.
• Ansar Al-Sharia has succeeded in taking over the city of Rada’a in Yemen.
• The Shari’a Council of Al-Qaeda in the Arabian Peninsula (AQAP) has ruled that the faithful may kill the Houthis in Yemen, and stating that, in fact, it is the duty of every Muslim to wage war against the Houthis.
• The spokesman for the Islamic State of Iraq has emphasized that the jihad in Iraq will continue even though the US has withdrawn its troops, and that now the majority of effort will be directed against Iran’s agents in Iraq and their Shi’ite allies.
• A new jihadist group called “The Aid Front for the Syrian People” has been established, with the central goal of overthrowing Bashar Al-Assad.
• A new Salafi group has been established in Egypt named “Followers of the Sunna for the Salvation of Egypt” and headed by Hani Al-Sibai and Tariq Abd Al-Halim.
• A new jihadist Turkish periodical, İslam Dünyası, has been published.


12/2/2012 Periodical Review: Summary from the Jihadi Forums – The First Half of January 2012

ICT’s Jihadi Websites Monitoring Group

This report summarizes the most prominent events brought up in the Jihadi online forums in the first half of January 2012. Following are the main issues raised in this report:
• The Chairman of Al-Qaeda in the Islamic Maghreb’s Political Committee addresses the Algerian people, telling them to bring down the Algerian regime.
• The Emir of the “Al-Tawhid wal-Jihad” Group in western Africa threatens France with war and claims responsibility for the abduction of three Europeans from south Algeria.
• The Emir of the Nigerian “Boko Haram” Group promises to continue with the operations against the Christians.
• The leader of the Kenya branch of the “Al-Shabab Al-Mujahideen” movement stresses that Kenya is a legitimate Jihad arena.
• The “Al-Qayrawan” Tunisian Salafi-Jihadi media institute expands its propaganda activity and is embraced by the “Shumukh Al-Islam” Jihadi forum.
• Three new issues of the Islamic Emirate of Afghanistan.
• A new newsletter called “Shahada”, focusing on the Somali jihadi arena.


22/1/2012 Periodical Review: Fatwas – November – December 2011

ICT’s Jihadi Websites Monitoring Group

The following report details the main fatwas published in November and December 2011 on Minbar Al-Tawhid wal-Jihad, a Web site run by the Salafi ideologue Abu Muhammad Al-Maqdisi. Web surfers’ questions are answered by the site’s Sharia Committee, which comprises a number of prominent Salafi sheikhs. This publication presents some of the religious-legal rulings [fatwas] handed down in November and December 2011. Among them, we highlight fatwas concerning joining the Free Syrian Army and the revolutionaries in Libya; participation in protests against the continued rule of the Supreme Council of the Armed Forces in Egypt; participation in demonstrations against the regime in Morocco, alongside elements whose principles contravene those of Islamic religious law [shari’a]; the appropriate response to a French newspaper’s having derided the prophet Muhammad; and the essence of the relationship with the Al-Nahdha Party in Tunisia.


16/1/2012 Periodical Review: Summary from the Jihadi Forums – The Second Half of December 2011

ICT’s Jihadi Websites Monitoring Group

This report summarizes the most prominent events brought up in the Jihadi online forums in the second half of December 2011. Following are the main issues raised in this report:
• Abu Yahya Al-Libi summarizes the key events of 2011.
• A new video clip in memory of Anwar Al-Awlaki is produced by Al-Qaeda in the Arabian Peninsula (AQAP), and a message is sent to Muslims living in the US to join the battlefields of jihad or to fight the US on its own soil.
• In an audio file, Ibrahim Al-Rubaysh discusses the achievements of the Arab revolutions, especially as reflected in the weakening of the US in the Middle East.
• A new jihadist organization, calling itself Ansar Al-Din, is established in northern Mali.
• Al-Tawhid wal-Jihad in West Africa takes responsibility for abducting three European citizens in Algeria.
• A new jihadist organization calling itself Ansar Al-Mujahideen is established in the Sinai Peninsula.
• Three new jihadist media outlets are established: Al-Ibda, Ibn Taymiyyah (identified with the Palestinian Salafi-jihadist Army of Islam), and Al-Faroq (based in Egypt).

 

References:

Read more: http://www.ict.org.il/

Information Leakage -Scrubbing Document Formats

gAtO tHiNk that our documents have too much information about us – it’s called metadata, and it’s embedded in the picture you just took with your iPhone/Android phone. It carries your geo-location and other details that you should clean up before you post it on Facebook or Pinterest, so here are a few tips to keep you paranoid.

Many document formats conveniently embed personally identifying attributes, and some even attempt to limit redistribution. This is a problem for whistleblowers who need to produce or deliver incriminating memos and photos to journalists, and for academic researchers who wish to publish their work electronically and anonymously.

Microsoft Office

Microsoft Office embeds your name, machine name, initials, company name, and revision history in the documents you create. Hidden text, comments and tracked changes are stored in the file as well, whether or not they are visible on screen.

According to Microsoft’s knowledge base article on metadata, the best way to remove all personal metadata from a document in Office 2003 and earlier is Tools | Options | Security tab | “Remove personal information from this file on save”. Be warned that this does NOT remove hidden text and comment text that may have been added, but those tasks are also covered in that article. In Office 2007 and later the equivalent is the built-in Document Inspector (Office button | Prepare | Inspect Document, or File | Info | Check for Issues | Inspect Document from Office 2010 on), which also finds comments, revisions and hidden text. Check the result by reopening the saved file and looking at its properties before you hand it to anyone.

Microsoft also provides the Remove Hidden Data Tool, an add-in for Office XP/2003 that accomplishes those same functions from outside of Microsoft Office.

This NSA guide to sanitizing documents might also be of some interest, but I think the Microsoft KB articles cover the info better and in more depth.

StarOffice/OpenOffice

By default, users of StarOffice/OpenOffice are not safe either. Both programs save personal information (author, initial creator, creation and modification dates, editing cycles, generator string) in the meta.xml entry of the document package, which is a zip archive. It can be removed by going to File | Properties and unchecking “Apply User Data”, and also clicking “Delete”. Unfortunately that does not remove the creation and modification times. To get rid of those, unpack the file, blank the date elements in meta.xml, and re-pack it (for ODF the mimetype entry must come first and be stored uncompressed); newer versions also offer Tools | Options | OpenOffice.org | Security | Options | “Remove personal information on saving”. Either way, reopen the scrubbed file and check File | Properties before passing it on.
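The “edit the package raw” route, as an added example written for this page (it is not OpenOffice’s or Microsoft’s code): a small Python scrubber that opens a zip-based document, blanks the identifying elements in the ODF meta.xml and the OOXML docProps/core.xml and docProps/app.xml members, and resets every zip entry’s own timestamp, which leaks editing times just as the XML does. The member names and element names are the ones those formats actually use; the sample .odt package at the bottom is constructed inline so the script runs offline.

```python
"""Report and scrub identifying metadata from zip-based office documents:
ODF packages (meta.xml at the package root, as written by OpenOffice/StarOffice
and LibreOffice) and OOXML packages (docProps/core.xml and docProps/app.xml,
as written by Office 2007+). Every other member is copied through untouched."""
import io
import xml.etree.ElementTree as ET
import zipfile

# Local element names whose text identifies a person, a machine or a time.
ODF_FIELDS = {'initial-creator', 'creator', 'creation-date', 'date', 'printed-by',
              'print-date', 'editing-cycles', 'editing-duration', 'generator'}
OOXML_FIELDS = {'creator', 'lastModifiedBy', 'created', 'modified', 'lastPrinted',
                'revision', 'Application', 'Company', 'Manager', 'TotalTime'}
TARGETS = {'meta.xml': ODF_FIELDS,
           'docProps/core.xml': OOXML_FIELDS,
           'docProps/app.xml': OOXML_FIELDS}
DOS_EPOCH = (1980, 1, 1, 0, 0, 0)   # earliest timestamp a zip entry can carry


def _local(tag):
    """'{uri}name' -> 'name', so prefixed and default-namespace forms both match."""
    return tag.rsplit('}', 1)[-1]


def _parse(xml_bytes):
    # Re-register the file's own prefixes so the re-serialised XML keeps dc:/meta:/cp:.
    for _, (prefix, uri) in ET.iterparse(io.BytesIO(xml_bytes), events=('start-ns',)):
        if prefix:
            ET.register_namespace(prefix, uri)
    return ET.fromstring(xml_bytes)


def metadata_fields(xml_bytes, names):
    """{local-name: text} for every matching element in one properties file."""
    return {_local(e.tag): (e.text or '')
            for e in _parse(xml_bytes).iter() if _local(e.tag) in names}


def blank_fields(xml_bytes, names):
    """Return the XML with the content of every matching element emptied."""
    root = _parse(xml_bytes)
    for elem in root.iter():
        if _local(elem.tag) in names:
            elem.text = None
            for child in list(elem):
                elem.remove(child)
    return ET.tostring(root, encoding='utf-8', xml_declaration=True)


def report(doc_bytes):
    """Metadata still present in the document, keyed by member name."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        return {name: metadata_fields(z.read(name), fields)
                for name, fields in TARGETS.items() if name in z.namelist()}


def member_timestamps(doc_bytes):
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        return [(i.filename, i.date_time) for i in z.infolist()]


def read_member(doc_bytes, name):
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        return z.read(name)


def scrub(doc_bytes):
    """Blank the property members and reset every zip entry's own timestamp."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as src, zipfile.ZipFile(out, 'w') as dst:
        for info in src.infolist():        # order kept: ODF wants 'mimetype' first
            data = src.read(info.filename)
            if info.filename in TARGETS:
                data = blank_fields(data, TARGETS[info.filename])
            info.date_time = DOS_EPOCH     # entry mtimes leak editing times as well
            info.extra = b''               # so do extended-timestamp extra fields
            dst.writestr(info, data)       # keeps each entry's compression method
    return out.getvalue()


def _make_zip(members):
    """Build a package from (name, bytes, compression) with a fixed realistic mtime."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        for name, data, method in members:
            info = zipfile.ZipInfo(name, date_time=(2012, 3, 14, 9, 26, 52))
            info.compress_type = method
            z.writestr(info, data)
    return buf.getvalue()


# Constructed sample ODF package (sample data for this example, not a real file).
SAMPLE_META_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-meta xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
 xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0"
 xmlns:dc="http://purl.org/dc/elements/1.1/" office:version="1.2"><office:meta>
<meta:generator>OpenOffice.org/3.3$Win32</meta:generator>
<meta:initial-creator>J. Doe</meta:initial-creator><dc:creator>J. Doe</dc:creator>
<meta:creation-date>2011-11-02T08:15:00</meta:creation-date>
<dc:date>2012-03-14T09:26:52</dc:date><meta:editing-cycles>17</meta:editing-cycles>
</office:meta></office:document-meta>"""
SAMPLE_CONTENT_XML = (b'<office:document-content '
                      b'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"/>')
SAMPLE_ODT = _make_zip([
    ('mimetype', b'application/vnd.oasis.opendocument.text', zipfile.ZIP_STORED),
    ('meta.xml', SAMPLE_META_XML, zipfile.ZIP_DEFLATED),
    ('content.xml', SAMPLE_CONTENT_XML, zipfile.ZIP_DEFLATED),
])

if __name__ == '__main__':
    print('before:', report(SAMPLE_ODT))
    print('after: ', report(scrub(SAMPLE_ODT)))
```

The elements are emptied rather than deleted so the package still validates; a consumer that insists on a well-formed date in dcterms:created can be given a fixed dummy value instead of an empty string. Run report() on the output, and open it in the suite, before you trust it: the document body (content.xml, word/document.xml) can still carry names in tracked changes and comments, which this script deliberately does not touch.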

Document DRM – Digital Rights Management

Document DRM comes in all shapes and sizes, mostly with the intent of restricting who can view a document and how many times they can view or print it (in some cases even keeping track of everyone who has handled it). For whistleblowers who need to circumvent DRM to distribute a document, the most universal approach is to use the “Print Screen” key to take a screenshot of the desktop with each page of the document showing, then paste each screenshot into Windows Paint and save it. Some DRM software will try to prevent this. That can be circumvented by installing the 30-day trial of VMware Workstation and installing a copy of Windows and the DRM reader inside it. You can then happily take screenshots using VMware’s “Capture Screen” or even “Capture Movie” feature, and the DRM software will be none the wiser. With a little image cropping, you can produce a series of images that can be distributed or printed freely. Bear in mind that a screenshot captures exactly what is rendered, so any per-recipient watermark the reader draws into the page (visible or not) survives the trip and can still tie the copy back to the account that opened it.

The VMware approach may be problematic for DRM that relies on a TPM chip. The versions of VMware current at the time of writing neither emulate nor provide pass-through access to the TPM. However, TPM-based DRM systems are still in the prototype stage, and since it is possible to emulate and virtualize a TPM, it should only be a matter of time before some form of support is available in VMware. (A virtual TPM does not necessarily help, either: a DRM scheme that attests the platform against a hardware vendor’s endorsement key will not trust an emulated one.)

Depending on the DRM software itself, cracks may also be available to make this process much quicker. Casual searching doesn’t turn up much, most likely due to the relative novelty (and public scarcity) of document-oriented DRM. Note that when doing your own Google searching for this type of material, be sure to check the bottom of the page for notices of DMCA 512 takedowns censoring search results. It is usually possible to recover the URLs from the cease-and-desist postings on Chilling Effects (now the Lumen database). That, or use a Google interface from another country such as Germany.

Image Metadata

Metadata automatically recorded by digital cameras and photo-editing utilities is also a problem for anonymity. There are three main formats for image metadata: EXIF, IPTC, and XMP. Each has several fields that should be removed from any image produced by a photographer, or depicting a subject, who requires anonymity. Camera model and serial numbers, owner names, locations, date, time and timezone information are all directly detrimental to anonymity. There is even a metadata spec for encoding GPS data in images (the EXIF GPS sub-IFD), and camera-equipped phones with GPS units installed for E911 purposes add those GPS tags automatically whenever the camera is allowed to use location services. Embedded thumbnails are another trap: some editors update the main image but leave the original thumbnail (and whatever was cropped out of it) sitting in the EXIF block.

Wikimedia Commons has a page listing programs capable of editing this data for each OS. My preferred method is the Perl program ExifTool, which can strip all metadata from an image with a single command: exiftool -all= image.jpg. MacOS and Linux users should be able to download and run exiftool without any fuss (on Ubuntu install the package libimage-exiftool-perl). Windows users can use the standalone exiftool.exe build, or install ActivePerl and run perl exiftool -all= image.jpg instead. Running exiftool on a file without the -all= switch displays the existing metadata; the -u switch (or -U, which also covers unknown binary tags) shows raw tags that the tool does not yet fully understand, and -all= does remove tags it does not understand. Two caveats: by default exiftool keeps a backup of the untouched file as image.jpg_original right next to the output, so delete it (or pass -overwrite_original) or the metadata is still sitting on disk; and -all= also drops the EXIF Orientation tag and the ICC colour profile, so a photo shot in portrait may display sideways afterwards (add --icc_profile:all to keep the profile). Always run exiftool image.jpg again on the result to confirm nothing is left.
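To show what a tool like that is actually doing to the file, here is an added example written for this page (not ExifTool’s code, and not from the original post): a Python walker over a JPEG’s marker segments that reports which metadata blocks the file carries (JFIF, Exif, XMP, IPTC/Photoshop, ICC, COM), checks the Exif IFD0 for the GPS sub-IFD pointer that geotagged phone photos carry, and writes a copy with every identifying APPn/COM segment dropped while the quantisation, Huffman, frame and scan segments pass through byte for byte. The marker values and segment signatures are the real ones from the JPEG, Exif, XMP and Photoshop specs; the 8×8 sample image at the bottom is constructed inline (not a real photo) so the script runs offline.

```python
"""Walk a JPEG's marker segments, report the metadata blocks it carries, check
Exif IFD0 for a GPS sub-IFD pointer, and emit a copy with APPn/COM segments
removed, keeping the JFIF/Adobe headers decoders rely on and every image segment."""
import struct

SOI, SOS, EOI, COM = 0xFFD8, 0xFFDA, 0xFFD9, 0xFFFE
GPS_IFD_TAG = 0x8825          # Exif tag whose value is the offset of the GPS IFD

# (marker, payload prefix, label): how each metadata format announces itself.
SIGNATURES = [
    (0xFFE0, b'JFIF\x00', 'JFIF'),
    (0xFFE1, b'Exif\x00\x00', 'Exif'),
    (0xFFE1, b'http://ns.adobe.com/xap/1.0/\x00', 'XMP'),
    (0xFFE2, b'ICC_PROFILE\x00', 'ICC'),
    (0xFFED, b'Photoshop 3.0\x00', 'IPTC/Photoshop'),
    (0xFFEE, b'Adobe', 'Adobe'),
    (COM, b'', 'COM'),
]
KEEP = {'JFIF', 'Adobe'}      # carry no personal data; decoders need them for colour


def iter_segments(data):
    """Yield (marker, start_offset, payload) for each segment up to and including SOS."""
    if data[:2] != b'\xff\xd8':
        raise ValueError('not a JPEG (missing SOI)')
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack('>HH', data[pos:pos + 4])
        if marker >> 8 != 0xFF or length < 2:
            raise ValueError('corrupt marker at offset %d' % pos)
        yield marker, pos, data[pos + 4:pos + 2 + length]
        if marker == SOS:         # entropy-coded scan data follows; stop parsing
            return
        pos += 2 + length


def label_of(marker, payload):
    """Name of a metadata segment, 'APPn' for an unrecognised one, None otherwise."""
    for m, prefix, label in SIGNATURES:
        if marker == m and payload.startswith(prefix):
            return label
    return 'APP%d' % (marker - 0xFFE0) if 0xFFE0 <= marker < 0xFFF0 else None


def list_metadata(data):
    """Labels of the metadata-bearing segments, in file order."""
    labels = []
    for marker, _, payload in iter_segments(data):
        label = label_of(marker, payload)
        if label:
            labels.append(label)
    return labels


def exif_ifd0_tags(data):
    """Tag IDs present in IFD0 of the Exif APP1 segment (empty set if none)."""
    for marker, _, payload in iter_segments(data):
        if marker == 0xFFE1 and payload.startswith(b'Exif\x00\x00'):
            tiff = payload[6:]                      # TIFF header starts after 'Exif\0\0'
            endian = '<' if tiff[:2] == b'II' else '>'
            ifd0 = struct.unpack(endian + 'I', tiff[4:8])[0]
            count = struct.unpack(endian + 'H', tiff[ifd0:ifd0 + 2])[0]
            entries = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]   # 12-byte directory entries
            return {struct.unpack(endian + 'H', entries[i:i + 2])[0]
                    for i in range(0, len(entries), 12)}
    return set()


def has_gps(data):
    return GPS_IFD_TAG in exif_ifd0_tags(data)


def strip_metadata(data):
    """Return a copy with every identifying APPn/COM segment removed."""
    out = bytearray(b'\xff\xd8')
    for marker, pos, payload in iter_segments(data):
        if marker == SOS:
            out += data[pos:]                       # SOS header + scan data + EOI, untouched
            break
        label = label_of(marker, payload)
        if label is None or label in KEEP:          # DQT/SOF/DHT/DRI etc., JFIF, Adobe
            out += data[pos:pos + 4 + len(payload)]
    return bytes(out)


def _seg(marker, payload):
    return struct.pack('>HH', marker, len(payload) + 2) + payload


def _tiff(tags):
    """Little-endian TIFF header plus one IFD0 listing the given tags (dummy values)."""
    ifd = struct.pack('<H', len(tags))
    for tag in tags:
        ifd += struct.pack('<HHII', tag, 4, 1, 0)   # type LONG, count 1, value 0
    return b'II*\x00' + struct.pack('<I', 8) + ifd + struct.pack('<I', 0)


# Constructed 8x8 greyscale JPEG carrying every metadata type (sample data, not a real photo).
SAMPLE_JPEG = (
    b'\xff\xd8'
    + _seg(0xFFE0, b'JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00')
    + _seg(0xFFE1, b'Exif\x00\x00' + _tiff([0x010F, 0x0132, GPS_IFD_TAG]))   # Make, DateTime, GPS
    + _seg(0xFFE1, b'http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta><dc:creator>me</dc:creator></x:xmpmeta>')
    + _seg(0xFFED, b'Photoshop 3.0\x008BIM\x04\x04\x00\x00\x00\x00\x00\x00')
    + _seg(COM, b'Acme Camera Studio 3.1')
    + _seg(0xFFDB, b'\x00' + b'\x01' * 64)                                   # DQT
    + _seg(0xFFC0, b'\x08\x00\x08\x00\x08\x01\x01\x11\x00')                 # SOF0
    + _seg(0xFFC4, b'\x00' + bytes([1] + [0] * 15) + b'\x00')               # DHT
    + _seg(SOS, b'\x01\x01\x00\x00\x3f\x00') + b'\x00\x00'                  # SOS + scan bits
    + b'\xff\xd9'
)

if __name__ == '__main__':
    print('before:', list_metadata(SAMPLE_JPEG), 'gps:', has_gps(SAMPLE_JPEG))
    clean = strip_metadata(SAMPLE_JPEG)
    print('after: ', list_metadata(clean), 'gps:', has_gps(clean))
```

This is the same trade-off exiftool -all= makes: the Exif Orientation tag and any ICC profile go out with everything else, so rotated or wide-gamut photos may look different afterwards. Run list_metadata() on the result, as you would run exiftool on it, before publishing it, and remember that the pixels themselves can still identify you (faces, screens, street signs, and the sensor noise pattern of the camera).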

Another easy way to remove all metadata from an image is to open it in MS Paint, select all, copy, and paste it into a second copy of Paint, then save from there. The Windows clipboard only carries the raw pixels and leaves the metadata behind. The trade-off is that Paint re-encodes the image on save, so a JPEG gets recompressed. -gAtO oUt

Russia’s Million Dollar Hackers

“Few nationalities are as good at making money from hacking as the Russians. Their share of the global cyber crime market, an estimated $12.5 billion black market, doubled last year to $4.5 billion, according to Moscow-based Group-IB, a cyber security services firm working mainly with the Russian government and banks to help reduce online fraud (See infographics here*). The Russians are hacking into your computer and your cell phone and they’re making millions as a result… Not all hacking is intolerable, or illegal. But a lot of it is, and the Russian computer geniuses walk the red carpet within the international hacker community. The A-list of Russia’s multi-million-dollar spammers and online fraudsters includes the talents of Koobface members Stanislav Avdeyko (aka leDed); Alexander Koltyshev (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc), Svyatoslav Polichuck (PsycoMan). That’s just the now defunct Koobface posse. There’s also Vladislav Khorokhorin (aka BadB), the 30 year old Russian who lived in Israel and ran the online stores Dumps.name and BadB.biz specializing in the sale of compromised data of bank card users. He’s been at it for more than 8 years on the front lines of credit card fraud… Traditional crime syndicates are beginning to organize the previously disorganized Russian cybercrime market. In addition, these crime syndicates are beginning to work more closely together, sharing compromised data, botnets, and cashing schemes… in 2011, the largest type of Russian cybercrime was online fraud valued at $942 million; followed by spam at $830 million; cybercrime to cybercrime, or C2C (including services for anonymization and sale of traffic, exploits, malware, and loaders) at $230 million; and Denial of Service attacks, or DDoS, valued at $130 million.”

– http://www.forbes.co…dollar-hackers/

Cyber threats the joker and the thief

gAtO FoUnD – a Cenzic report on the continued threat of vulnerabilities within Web applications and mobile applications, which also outlines specific vulnerabilities with cloud-based implications. It shows an alarming trend for security professionals: the continued prevalence of critical application-layer vulnerabilities such as Cross Site Scripting (XSS) and SQL Injection. Though there are well-known fixes for these vulnerabilities (context-aware output encoding for XSS, parameterized queries for SQL Injection), they continued to dominate, with XSS climbing to a staggering 38 percent of total Web vulnerabilities, up slightly from the second half of 2010. SQL Injection accounted for 15 percent of the total number of Web vulnerabilities.

Web vulnerabilities

• In the first two months of 2012, 59 percent of all reported security vulnerabilities were Web vulnerabilities.
• In 2011, Cross Site Scripting (XSS) accounted for 38 percent of total Web vulnerabilities.

“As businesses worry about the next big security threat, they fail to realize the threats that are right in front of them,” said John Weinschenk, CEO of Cenzic. “From an industry-wide perspective, the fact that the amount of well-known vulnerabilities continues to persist is a signal that education, diligence, and proper coding during the development phase are a necessity in today’s cyber world. Real change can only happen by adhering to these principles.”

Mobile vulnerabilities

• A total of 89 mobile vulnerabilities were made public in 2011, and so far in 2012 (Jan-Feb) 11 mobile vulnerabilities have been made public.
• Sensitive Information Disclosure (28 percent) and Session Authentication and Authorization (28 percent) make up the bulk of the vulnerabilities.

The report also details the vulnerabilities related to cloud and mobile device usage, noting that a total of 89 mobile vulnerabilities were made public in 2011, while out of a set of 1201 publicly reported vulnerabilities, 855 had cloud-based security implications. As mobile devices continue to be used to access online cloud computing platforms, emerging hybrid vulnerabilities have developed as well.

Cloud vulnerabilities

• In 2011, out of a set of 1201 publicly reported vulnerabilities, 855 had cloud-based security implications.
• Specific security vulnerabilities were found in cloud-based applications including EyeOS, OrangeHRM, the Parallels Plesk Panel, Oracle Fusion Middleware, Batavi E Commerce, deV!ls ClanPortal, and more.

The growing demand for cloud applications, and for the mobile devices that access them, is creating a unique problem. Each has its own set of security issues, but when used in tandem they can produce hybrid vulnerabilities that compound threats and increase the complexity of secure coding. By exploiting a vulnerability in a mobile application (a session token it leaks, say), an attacker can open up an attack vector to a pre-existing vulnerability on the cloud-based application behind it. -gAtO oUt