Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

What’s eating you?: On-line Cannibalism in the darknet and clearnet

leave a comment »

 

There are so many mis-perceptions about the “Darknet” out there but when you really start to dig right down into the bone and sinew of it you start to see that it really isn’t so dark and certainly not as spooky as one might see on CSI Cyber. I for one have had a yen lately for a serving of cannibalism content on the darknet and boy I was kinda let down by the deep dark nopesauce that I found. See, when you look into the darknet and it blinks back you know you have come to the end of the line and it is time to go back to the clearnet for some real horror.

So yeah, I was messing about in the darknet with my spider looking for some marbled fleshy goodness that I had heard was available out there on the clearnet. You know how you Google something and the usual tinfoil alien type of search results come up? Well the same can be said for things like necrophilia and all the other paraphilias out there. The spiders turned up only one site that had cannibalism in there as a subject so I went there. The site is titled “Japanese Lady Extermination” and it is true to its name in content.There’s a lot of Japanese lady killin going on in there on film and yeah, no, I am gonna opt out of the bitcoin purchases there. No, what I wanted was full on cannibalism for realz and I was bound and determined to find it!

I finally found a link in the darknet to a clearnet Reddit site that had the url to an archived version of “The Cannibal Cafe Forum” a now defunct site that was archived by the nascent “Wayback Machine” at archive.org. Now this site was stood up in 2001 (May 2nd was the spider) and it served up a board feature for those who wanted to roll play cannibalism …Maybe? I am not quite sure on how many of these “Fine Young Cannibals” were serious about their desires and how many weren’t, well, except for the one case where the guy actually killed and ate the other guy!

…but now I am getting a head of myself….

*snicker*

OK! So this board on (necrobabes.org) was stood or was run by someone calling themselves “Perro Loco” or the “Mad Dog” and they ran the show using an email address for their own domain of perroloco.net (see whois data below *wink*) which still exists today and in fact has spawned another site in the aftermath of the flame out of necrobabes circa 2003. As you can see from the screen shots below this site was pretty active and they had a bunch of links for services, offerings, and an application to become …well …uh …meat?

Livestock available

Application to be …Livestock

Films and animations

“Stockman” Association I guess you could join the “club”

Loco’s actual daughter who wanted to get into porn….

Another one to be served up

I can’t even make this shit up!

Click me…

Right, well looking at all those images you get a sense of what the flip was going on in there back in the day. It was all good, if you can call it that, until it went bad for Perro and his merry gang of paraphiliacs. I mean, never mind that he is serving up his own daughter in this thing and all of the cray cray “eat me” discourse that is fairly graphic but man these people had no idea what they were doing OPSEC wise either. I understand it was 2001 and really the net was new but boy oh boy did they leave a trail to their real identities here. If you decide to take a look at the archive note that their IP’s were captured for each post as well as they were offering up their email addresses that they CONTINUE TO USE! I have looked up several and located their real names and locations today.

<BLINK>

OY VEY!

</BLINK>

Now I am going to pause here for a moment to take all this in and maybe say a couple things about pathology and psychological illness…

Eh fuck it.

On to the CRAZIER CRAZY!

So yeah everything was just super great in the Cannibal clearnet back in 2001 until a certain character showed up on the board. His name was “Franky” and he was a German dude who wanted to eat someone and this was the hot spot for this kind of thing right? Well, maybe it was and maybe it wasn’t. I mean all these folks may actually have been just living out their fantasies right? Well Franky would have none of that, he was gonna chow down and he was gonna have a nice time at it provided he could “meat” someone at necrobabes.

Oddly enough you all may know of Franky through the IT Crowd. Does everyone remember the IT Crowd episode titled “I want to cook with you” ? Well, this parody is based on Franky, the German IT guy who put an ad out for someone to eat.

Go on, click the video, I know you wanna… I will be waiting below.

Franky

Young Boys

MOAR FRANKY

Frankalicious

Armin Meiwes

Franky, aka Armin Meiwes literally wanted to eat someone and had wanted to do so since he was eight years old. He met a poor sod on the cannibal site who agreed (Bernd Brandes) of whom he ate about 20kg of his flesh. You can read the grizzly bit below on how that happened and the whole article right here. It seems that Bernd was rather tasty and Miewes took his time with the rest saving it in the freezer for later. I am guessing that after Miewes was caught and the searches were begun it quickly became apparent that he had been on the necrobabes site. I kinda have to wonder at how they all took it on that site. I mean, they were all into the cannibal thing, they talked a good game but just how many of them were all McConaughey about it…

So the site pulls the cannibal board and sometime later the site kinda dies itself. Meanwhile your friendly neighborhood “loco” is like “I am gonna start my own site now man, I need me some cannibalism!” and get’s a new domain started. This site is supposed to be private and you have to email to get an invite. So, me being me, I decided to use a cutout and send an email in to get that freaky e-vite! I got turned down though, so I was disappoint! That is until I decided to use my super Google Fu and shit, he really hasn’t secured the site. You can see all the shit in there with a good Goog session and in the end there isn’t much traffic in there at all. I guess you can’t keep a good cannibal down but you can not sign up for his whacky site and just move on to other places right?

His site is still up and MAN is it GEOSHITTIES

DUDE DUDE DUDE NO MENTION OF DOLCETTEGIRLS?

Who is this Poizner cat?

The perro himself…

dolcettegirls.com

Inside dolcette

More boards and it’s all quiet

For more just use the Google Fu: site:dolcettgirls.com
Now you can just say well that guy is a bit whack and move on but once you start going down the rabbit hole on him you kinda just get sucked into the Nick Cage level shit in Eight Millimeter. Ancillary searches on this guy turned up some real crazy shit. I mean just look at that photo of him above here!

Holy Church of Dolcette?

WHAT THE?

I CAN’T!

It seems like ol’ Perro wanted to have himself a cannibalistic religious org that could maybe be tax exempt? I can imagine that might be hard to get past the IRS, I mean, how are you gonna make that a religio… Wait.. Wafer and wine…

SHIT!

Whoa!

Anyway, Perro is still kicking around on the tubes and seems to have slowed down but where have all those cannibals gone since the necrobabes site went bye bye? Well, it isn’t to the darknet as far as I can tell from all my searches. Nope, it is once again the clearnet that hosts this kind of crazy and I found the new mother load by accident.

It seems all the kids are now at ForumJar which is a low end board much like the original necrobabes but this one is much more sedate and hidden. These people are offering themselves and looking for others to consume just like the old days so I guess you really can’t keep a cannibal down eh? These guys though seems to be a little more savvy about their security but even so, one I looked at is looking for a “chunky” female and offers a kik address to chat them up. I read this and just had a flash of Hannibal Lecter asking Starling if Bill’s ladies were “roomy”

New board

Secondary board

Take me!

“Chunky female”

Well, I guess it’s time to put the lotion on the skin…

Remember, this is what happens when I have idle hands kids. All in all, this is pretty twisted and it all lives mostly in the clearnet so don’t believe all the BOOGA BOOGA DARKNET shit you hear. The clearnet is maybe even more scary and when you think about it, kids today can just google this up and get an eye full.

…. Even if you have those filters on your router.

Heh.

K.

Written by Krypt3ia

2017/09/25 at 21:08

Posted in DARKNET

Equifax and Musicians

leave a comment »

Screenshot from Zerohedge

 

So here’s my thing; It isn’t about the fact she was a music major and had two degrees in that. What it is really all about is the fact that she had no discernible security experience in the time she was working in the position or before to make her qualified to handle the job. THIS IS THE ISSUE PEOPLE! It is not about that she had a degree in nothing to do with security. So please stop all the 140 character bullshit and get it through your thick heads that even if you have a degree in IT this does not make you qualified necessarily to handle a job in information security ok?

Now that the CSO’s and CISO’s linkedin pages are redacted you can’t see much of anything but before they took them down I looked and neither had the requisite experience that would make me consider them for a position as an executive in charge of insuring that the security of the company and more importantly, the security of the clients data was in capable hands. Look. let’s face it you can say that the exec is just there as an advocate or to manage Trust me though, if they have no experience in the arena either they listen to their guys in the field and implicitly trust them and advocate or they just are compliance monkeys of the worst order.

I have lived it and I have seen it throughout my career in security. So please stop all the fuckery about “I have a degree in animal science and woe is me I am unfit for security!”

BULLSHIT

If you have a degree or not, you have to have put in the hours of study and actually doing the things! If you haven’t then you are out of your depth and bad things will happen.

Just look at Equifax.

K.

Written by Krypt3ia

2017/09/20 at 15:14

Posted in FAIL, FUCKERY

The CYBER Wars

leave a comment »

We met in an old, drab, and odd Russian eatery cum bar this year. A matronly Russian woman made us order things from the menu as a young girl sang Russian kulturny songs on a cheap sound system in the back corner. I had come to talk to someone in the IC about “Cyber War” and hoped that our mutual experiences could give me an insight or direction for this post. After sitting with this person for about an hour I had to go but in that time I had several revelations from our discourse. This post is the culmination of that conversation and my further ruminations about the current state of “cyber warfare”

Firstly, the conversation that we had was very roundabout, going back to the dawn of the ARPANET and other systems but all the while with a bent on economics. This kind of threw me for a bit but I listened further and within that long and winding road two things became clear from this IC warriors career. All cyber war is really Information Warfare, and second that all information warfare has an economic component. These things had not really occurred to me in the past but the revelation made me think differently about all of it. Thinking about the economics certainly easily led to all the Chinese hacking and theft of IP surely, but on a macro scale all warfare has its economic drivers right? Someone wants the things you have or they want to stop you from getting those things to others. So the motivation is always there in some way on a nation state level and all of the techniques used in information war or hacking can be used to great effect on these problems.

Once I had some time to think about all that I had heard I started to contemplate everything that had taken place over the last election and what is still happening today. It became clear to me today that my convictions on “cyber” war were the same as they always had been but with some caveats. Primarily for me is the notion that “cyber” war is really just information warfare. It is even still information warfare when something physically is caused to blow up or eat itself like the centrifuges in Natanz back in 2011. Information warfare since then though has been escalated with the active measures by the GRU and SVR (KGB) that took place in our last election cycle. Clearly it was information being used to manipulate the populace and their opinions. The hacking or “cyber” as many like to call it was just a component, an element of this and it was the information that was a key to this. The net effect here is that once again I put it to you all, the “cyber” war doesn’t exist, it is all just information war using hacking and code as a force multiplier.

What you all need to worry about now is the use of technology to manipulate just like the active measures campaign did in 2016. The revelations on Facebook’s being used by Russia to manipulate public opinion is just one instance and a more nuanced approach needs to be applied to information warfare henceforth. I see articles every day now asking how do we fight this kind of warfare and honestly I see no easy way to do so. People are easily led and much more so now that the electronic media is so prevalent and easily manipulated by ad buy’s, hacks, and open source troll accounts. That people now have their digital bubbles cum echo chambers makes it even worse with their cognitive dissonance at eleven. Honestly, much of the time lately I feel like Joshua and have decided not to play the game at all and go dark.

Maybe you should too.

K.

Written by Krypt3ia

2017/09/14 at 13:02

Posted in CyberWar

EQUIHAX

with 3 comments

Trawling the darknet as one does, I came across this little simple page this morning. It claims to be the real EQUIFAX hackers, unlike the last darknet site that was soon taken down by morons. I have looked at all the data on the pages (see screen shots below) and have come to the conclusion that whoever this is they too had access to Equifax. As this is an evolving nightmare I thought it prudent to do a quick write up on this site and let you all know. These actors are offering a crowd source solution to the whole database for the same amount as the fake site the other day (600btc) but also are offering single records as well as 1,000,000 entries for 4 bitcoins or 56 ETC for the same amount of records.

This time the actors actually give you samples, a taste, as they say on the street as bona fides…

 

These samples are what makes me think that this actor had access. I know for a fact that as the ongoing arguments take place online over what the compromise consisted of (what attack worked) that I personally saw a tweet from an alleged Russian actor claiming to have shell access on one of their servers online. This later was proven out to have ADMIN/ADMIN as the log and pass which is just horrid security, or should I say lack thereof? Anyway, you can see above that those records seem legit as do the screen shots of the access to the systems using real internal server names etc.

An onion scan of the site turns up no real vulnerabilities…

The bitcoin wallet shows no activity as yet.

EDIT/UPDATE:

In the process of watching this a change has been made to a small point of data that leads me to believe that this is a fake. Someone pointed out that the data for Bill Gates address was incorrect. Since then it has changed…

Oopsies… State : WA

BEFORE

Screenshot from 2017-09-14 14-16-55

AFTER

Screenshot from 2017-09-14 14-07-43

UPDATE TWO:

A new story has surfaced online that makes the claim that the site creators have access to Equifax and there are other screen shots. I am still concerned with the changes to the data seen here but for what it’s worth here’s the link to the story.

https://t.co/IGoKPCXcDD

Written by Krypt3ia

2017/09/14 at 11:38

Posted in Uncategorized

Extortion Phishing: So, closer to the point. You surfed the internet with роrn, which I’ve placed with the virus…

leave a comment »

A series of extortion emails have gone out this last month that caught my eye. The phish are simple straight forward attempts at extorting users by claiming they had been hacked and watched surfing porn. The phishers then demand that the user pay a certain amount of bitcoins to them and all their trouble will go away. Basically it is the equivalent of the old “Say, that’s a nice family you have there, it’d be a shame if something happened to it” routine familiar to anyone who has seen a mafia movie. I had a user get one and so I began the usual looking around to see if more came in and what the deal was with it. Once I began Googling key words and phrases I saw that this had been making the rounds since at least August 14th and that this last round had actually made some money for the extortionists.

I then began the usual OSINT on the domain that the emails came from after collecting as much info as I could from Reddit and other places where people had mentioned the extortion attempts. What I came up with is an arcology of malware and phishing that seem to tie back to one individual in Ukraine who may be the nexus of it all. Before I go down the OSINT rabbit hole though, I just want to take a moment to consider this threat and the psychology of it. One might think that if you got this email you would just laugh it off and then trash it. Some people though had guilty minds or had in fact been surfing “the porn”, as we all do mind you, (come on you all do and you know it!) so they got worried and they actually paid this guy off to make it all go away and this is interesting to me. Do those who paid really think that an extortionist, once successful at getting them to pay them will just walk away after such an easy exploit?

*shakes head*

You fools…

Anywho, it seems that even a non exploit exploit of just threatening a user’s browsing habits with “I am gonna email all your contacts with your pron habits” is can work and potentially give the attacker some pin money at least. So I tracked the emails and the IP’s that these came from to Ukraine. Specifically to a subnet of systems owned by one guy: Roman Shurbarev.

From: return@aukcion.org

Received: from nat5.aukcion.org (nat5.aukcion.org [188.225.27.25])

As you can see there are porn like sites in there…

The domain owner of not only the domain in question that was set up as a mailer for these phish but also a string of other domains that he owns connected to other malware and phish sites and activities that include, wait for it… Wait… Ransomware! Yup, this guy has it all goin on! Now, when I started poking at the system that this all came from I ran an Nmap and the shit is tight, there were no open ports and the firewall as filtering everything so I kinda doubt that this guy has been popped and being used as a relay for these. So I went on to profile all his domains and got the following malware connections:

 

PICK A MALWARE! ANY MALWARE!

So yeah, this guy has many bad connections but not anything directly connected to his domains themselves that I could see, at least in the sense that they were hosting the malware or being used as a C2. Now though I would like to talk about the money. These poor fools who actually paid this scammer have netted him about .28794615 Bitcoins which is about 80516.75 Rubles or $1,375.29 dollars as of yesterday when I looked. The money has been moved around a lot from the series of wallets used in this extortion scheme:

156eSKJU22jHHUEr6zznqMiDyR1L7DFFPY
1FJND3abrT4TjwijUbfYPD8jogCFeSbL
1Pku8VSnjgZePRt8yLF3QWfUYMTAjhA3io
1DGgLh6xeDmasCBHaLEQXwJ7C9gEvpYvWr
12pRJwZfZKi3RZa2eFijVCjmjCbB1YcXXXrA
15YhkTnuTprtPDRsdxiE2y8sMqiSmLPx2g
17qDi9fFG8C7a4mmTBBjsV7QmUN9QUBScZ
1H6DRf3XvHYudc7g6RvCiMbunHHKpbjhD2
1Nu2hju7Bs4vkUw2xyqi4E3ktSgx2VJEJq
13HSMufjTvzGJKoHdSQsLiJbsPcQcVMf4K <— 7 transactions


 

 

 

It ain’t Wannacry money but it would buy some shit in Ukraine I guess. There has been some movement of money around so I am wondering if they are trying to mixmaster or what. I did not go down that rabbit hole so if you all want to go right ahead. As for me I thought that this post should be put out there for others to see the actor, the act, and maybe as a PSA to put a stop to it. So, here are the other variations on the theme. The emails all pretty much say the same thing with some variations on “I see you have been surfing porn because I infected your machine with porn!” and ask for the money;

So there you have it. You don’t have to be anyone special, you don’t have to be 1337 to scam people with an email…

Yay internet!

K.

Written by Krypt3ia

2017/09/01 at 11:51

Posted in Extortion, Phishing

Inspire 17 Train Derail Operations

leave a comment »

 

Inspire is back trying to “inspire” the jihadi’s after taking a forced hiatus after many of the AQAP magazine’s creators got whacked by some raptor hellfire missiles. The latest installment is a call for those would be “lone wolves” in the USA to take up arms against our trains it seems. As usual from Inspire we have the normal calls to jihad using their interpretations of the Koran to push the agenda of radical terrorism. The long winded screeds on the rationalization of killing civilians is just that, long winded, and overall does not conform to anything but their own desires to kill and maim anyone who does not believe as they do. Honestly, I think if Saladin came back from the dead and saw this shit he would be bitch slapping them all the way back to Medina but here we are today again dealing with AQAP and AQ as Da’esh’s alleged caliphate crumbles and the movement dies a slow death.

To be honest the actions of those who claimed to be with Da’esh here in the States were to me just mentally unstable persons who needed an outlet to feel important and not impotent, so they went on rampages. Da’esh has never had the reach in the states that they seem to have had for a brief time in Europe but now they are marginalized enough to say that they are not a serious mass casualty threat in the way that AQ and AQAP still is. As terrorist groups go AQ and it’s subs has a far better grasp of OPSEC and operations as well as money and capabilities that we should still be worrying about. With this issue of Inspire not only do we see that they have re-constituted their graphics department but also that they also see the power vacuum that is taking place as Da’esh declines and becomes more marginalized.

Not only are they seeing their opportunity, they are also kind of calling out Da’esh as well in this issue for stealing their ideas down to the fact that Da’esh whole cloth plagiarized their magazine format and ideas for their own with the Dabiq knockoff’s they pimped over the years. It is amusing to watch as AQAP calls out Da’esh with the graphic above and chides them over failed operations as well as calling into doubt the operators choices like that of Sideeq (Orlando) for going after only “one” group. Basically they spent some time on the graphic to slap Zarqawi’s monsters for their lack of righteousness and operational planning. All in all it is just a slap fight between the overly pedantic AQ org with Ayman as their leader and Da’esh, with their Schrodinger’s Imam Baghdadi. The problem is that the precepts of both of their movements are advocating this open source jihad that AQAP invented, something that is now even being used by the white supremacists in actions like those in Charlottesville VA this last weekend.

This the new old problem that we always have been facing but never seem to be able to grapple with on how to stop. These magazines are passed out online and end up in many places including archive.org for anyone to grab. I got this one from <REDACTED> when it came out over the weekend but seriously, the genie is out of the bottle with this stuff. With this latest iteration though, the AQAP has given a lot of thought to honing their exhortations to open source jihad with a simple yet effective attack and vector; trains. The choice of trains is kind of a change for the AQ set in that for the most part they have advocated going directly for people and places where they congregate in the past. Now, with train attacks they can maximize damage and buzz with events that could not only cause deaths but mass deaths as well as huge news coverage.

Train attacks to me always remind me of T.E. Lawrence and the attacks he and the Arabs carried out on Turkish trains in WWI. These actions really did help stop Turkey from retaining power in the region during the war using asymmetric destruction of trains and tracks to damage or halt the supply chain for the Turks. In this modern scheme put forth by AQAP, they have moved the bar lower in many ways by not calling on their lone wolves to create and use explosives as much as use a tool to derail the trains in hopes of a 1970’s car flip explosion kind of thing. I have to say though, were they able to carry off the attack that they direct their followers to perform it could be rather messy depending on the train and it’s load.

The device the OSJ is proposing is a tool that the railroads have themselves but may be harder to acquire so these guys have plans to make your own in your mom’s kitchen (old joke) Anyway, the device is called a derailer, a simple piece of metal that attaches to the tracks. It’s function is simple enough, it raises and diverts the wheels off the track and boom, derailment. This has been used as a stopgap for runaway trains I hear and other functions that I do not care to go Google up right now. In this case though the Inspire folks want their minions to use it to derail trains off of high cliffs or into buildings from what they allude to in the magazine. Of course their solution to making one seems a bit too low tek DIY and might just smash into bits as the train hits it from what I am looking at.

I will not go into detail on the fabrication of the device they present to the lone wolves but suffice to say that I believe the percentage of success from this thing are low in my opinion. Perhaps if they had access to a serious 3D printer and some strong plastic maybe but not what they have laid out in this issue. However, I could be wrong and others out there may do their own mods to the fabrication process to make something more sturdy. If the thing works then it could be problematic and we could see some derailments come to pass. So yeah, the tech may work and the magazine spends some more time after the fabrication phase into the planning and carrying out of the attack phase with targeting advice that includes quite a bit of open sourced information on the railroads in the USA.

Recently at BlackHat myself and Kodor talked about OSINT being used to attack infrastructure by targeting leaked documentation and information. Well, it seems that the Inspire folks have the same idea here. In laying out the attack scenarios they give up some key points on the railroads, their weak spots, and the collateral damage from various scenarios of attack using the derailer. They also allude (as you can see from the picture above) that the attack is easier to hide and harder to detect if done properly. Honestly I think that last bit will be easy to see, I mean are they expected to run into the derailment and grab their tool back? One would assume too that unless you do a real job of it, one would leave forensically viable evidence in the device too so it could be tracked back to the culprit(s).

Frankly I should think that the DHS and other groups have a copy of this open on their desktops too right about now and working up some TLP’s for the railroads and authorities. I hope that is the case because this one is easy enough for the usual lone wolf jihobbyist to try at home and not blow themselves up without much effort. The question for me now is where will these guys try this? The exhortations are to do so with the most flare to cause the most fear. Honestly if they wanted to just be a pain in the ass and mess with the supply chain they could go out anywhere in the wilds where tracks are and pull this off. I guess time will tell but a recent link sent to me at least has this idea in the forefront of the minds of the security wonks for railroads.

Let’s hope they take this Inspire’s scenarios as seriously.

K.

Written by Krypt3ia

2017/08/15 at 16:52

Posted in AQ, AQAP, Inspire

Flash Drives for Freedom

leave a comment »

At Defcon the one highlight of the con for me was seeing Flashdrives for Freedom having a booth in the vendor area. If you have not heard of them before, they are a group that is infiltrating news, movies, and messages into the hermit kingdom by passing USB’s from China over the river. The information reaching the general populace in DPRK is a fundamental means of attempting to bring some freedom, at least of information and thought, to the North Korean populace who only have the propaganda machine of Un constantly pressuring them into utter compliance.

Some of you may be asking yourselves; “Wait, they have computers that can use USB?” The answer to that is yes, some do, but many more have phones that can take USB (many asian phones have USB ports as well as micro USB) in addition to media players that can handle USB and play videos of varying types. So yes, if you send a drive these people can then turn that into a means of getting real news and information from the free world to North Korea. If we can get more USB’s to Flashdrives for Freedom, that means more data can be infiltrated which in turn means that more people in the North can get the truth.

In turn, if more people have a feed of information then perhaps more of them can in turn pass that along to others there …And if more people pass that on …Well, maybe some change can happen there right? At the very least given everything that is happening RIGHT NOW would it not make more sense to get as much information to the North Koreans as we can? So please, go through your junk drawers and pull out all those old USB sticks and micro drives and send them to Flashdrivesforfreedom.org by going to their page and following the instructions there.

I know you wanna.

If for no other reason than to poke ol’ Un in the eye right?

Go on… Empty that drawer of USB’s

Dr. K.

Written by Krypt3ia

2017/08/09 at 12:57

Posted in PSA