Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for July 2011

Faux Security: @JosephKBlack, @ElyssaD, BlackBerg Security, and Shades of Project Viglio


Blackberg & ElyssaD:

A while back, I ran across ElyssaD and her whack ass site, which was scraping my content from Infosecisland. I later read Jaded Security’s post filling in the gaps that I had given up on in my searches on her digital rats’ warren of sites and chalked it up to fucktards at play. However, since then, she has failed to remove my content from her sites, her ersatz ‘employer’ Joe Black has called me out as a supporter of Anonymous and LulzSec, and still my content is on her frantically moronic sites.

So, the gloves come off.

I began to look around at her sites again to see what was being taken and scraped, when I began to see not only more of her erratic behaviour, but a pattern of baiting for attention, not only on her part but on that of Joe Black. So much so, in fact, that I have to really wonder if Elyssa is not just an identity scrape of a real person as opposed to actually being online herself and posting all this claptrap. After all, what were Ligatt and Aaron Barr trying to do but create many sock puppet identities to control and use to sway opinion in PSYOPS fashion? So the questions for me now are these:

  • Is Joe Black just an insanely inept buffoon with some alleged connections to the defence base?
  • Is ElyssaD just a cutout for Joe to weave his insane batshit online for.. Well whatever purposes he has in mind?
  • Is all of this just the personal lulz machine for whoever Joe may really be and is having a laugh?
  • Are they both just batshit insane and useless wankers?

After picking through their digital trails, I still cannot say for sure what their goal is or just how real they both are. I am told that Joe is a real person and that some in my circles know of him. Personally, I had never heard of him until he started tweeting craziness on Twitter and came up with his craptastic site. Over time though, he just progressively got crazier and crazier with comments and challenges to the likes of LulzSec, who then allegedly hacked him and showed just how poor his site security was.

Of course, now there are allegations that Lulz did nothing and that he (Joe) had hacked/defaced his page himself to garner attention (as seen below).

After his site went down this last weekend, we all thought perhaps he had been hit by another Anon attack of some sort, but then he popped up again yesterday, claiming, fantastically, that he is the new Nietzsche of information security! Which is ironic, because Nietzsche went insane at the end of his life due to tertiary syphilis, which I think Joe has a head start on now. Then again, if you really know who Nietzsche was, and what he did, perhaps this is another nod to irony and a play on the idea of putting crazy out to the world to see what happens.

Frankly though, from his tweets and writings, I think it is the former and not the latter. Joe is just an attention seeking whore and Elyssa, well, if Elyssa is truly the one posting on the Internet, hon, you need some mental health dollars spent on you STAT!

So, on to the Ligatt-worthy asshattery, shall we? I will present it in short montages, somewhat like the montage scene in Team America. Mostly because I am listening to the soundtrack now and YOU are, well, you are a farce just like the film.

Joe.. Joe Black… CIA…:

Seriously Joe.. If YOU are a NOC, then I am the king of Prussia. What the Hell are you saying? I mean, this right here just screams that you are either out of your head or just a clown. If you are at all serious about this alleged business of yours and its ties to the military and government, then they, if they are indeed connected with you at all, should quickly pull out.

Then there’s this little ditty:

Holy WTF? Really? C’mon man! Who is going to buy this shit other than Elyssa? (to the tune of Freedom Ain’t Free.. It costs a BUCK OH FIVE!)

And then there is this other missive:

Huh? Wha? Elyssa, take your God DAMNED MEDS! With employees like this, Joe is gonna have to have one HELL of an insurance plan! Elyssa, I am sure the Feds took you up on your offer and will give you FULL immunity *snort* (to the tune of North Korean Melody.. So Ronery)

AND then there is my favorite!

SO! That’s how it works within the intelligence and hacking communities! I had NO IDEA! Really, Elyssa, if indeed you are real and this tweet wasn’t just some elaborate insane joke: YOU are not a hacker, and it does not happen by “association”, you morons. No more so than any of your degrees (if real) make you an INTEL analyst or a Black OP specialist. (to the tune of Team America March.. just because it came on.. Can you smell the gravitas?)

Speaking of gravitas, if indeed Joe and Co. are real, that is what they are trying, and failing to convey to the would be clients that the site alleges to want. Therein, you have Ligatt-ed quite well Joey.

Board of Advisors:

Now, in another, more interesting vein, Joe has added a board of advisors to his site. Of course I had to look once Praetorian had pointed it out, asking “Who the hell are these people?” So, I put on the waders and got the gloves on to go looking. What I found kinda makes me wonder what the hell is going on yet again. So, let’s have a look at these people, shall we?

Fernando Patzan:

Alright, so Fernando was pretty easy to find. I mean, how many Fernandos are there in infosec who have government ties? Yeah, so Fernando, my first question is this: “Do you really represent in any way Joe Black and his particular brand of crazy?” Because if you don’t, then this guy is dragging your reputation down with his easy use of your name as an advisor. Honestly, if half the shit that Joe has done and said was on your advice, well, I should think that your current employers might want to re-think your job status.

Of course I have yet to speak with anyone who really knows you.. So you too could be another cutout. However, I have found ancillary data through Google that you do really exist and you did work at GD. So, tell me my man, are you huffing the same glue from the same paper bag under that local underpass with Joe?

Oh, and if you don’t know him.. Well dude, you better get on the horn with your lawyer…

Patricia Ellington:

Oh Patty, Patty, Patty, your creds are kinda.. Well ‘meh’, aren’t they? You also have connections to me, like Fernando, now that LinkedIn is working right. So, why have I never heard of you? Well, I suppose that is a bad question. So I will go back to the credibility issue and your connection to Joey here. Do you know Joe? Is Joe taking YOUR advice too in posting his whack ass diatribes about being in the CIA and allegedly outing Team Poison?

You too might want to call your lawyer…

John Berry:

John… Well.. John is a blank slate to me. Of course his name is pretty common and bland, but I could locate no one with that name within the infosec community nor by using the sooper special word “CYBER” that all of the morons are using as a catch phrase today.

So he is a ghost.. OOOOH maybe he is a super spy like Jason Bourne! I bet Joe knows you through his adventures in Thailand chasing heroin smugglers!

Not.

Justin Johnson:

Justin.. Well Justin was a bit of a puzzle. The only one who came up with network cred was this one. Are you an advisor to Joey? Once again, I say you should get a lawyer if you don’t already have one because this guy may be trading on your good name and credibility (VERY Ligattworthy!) Justin, if you do in fact know Joey and you are working with him let me know.. I have more questions like; HUH? Why?

Kevin G. Coleman:

Lastly, and most interestingly, we have Kevin. Oh Kevin, I liminally have heard of you before and I cannot believe that you would have anything to do with Joey, but, then again, maybe you like the glue huff now and again? Do you really advise Joe to do the crazy shit he has been up to? Do you really approve of, or even know about this Elyssa character?

Dude, you are the most credible of the group and now you have this stink upon you!

If you know him and are working with him, best sever those ties now sir… EVEN if you are SEMI retired! This Joey character is only going to lead you down the path to smelling like a dog after a skunk attack while standing in the poop factory while it exploded due to a SCADA hack.

Please.. Someone tell these people their names are on this fool’s site!

Ugh…

Ok, so in the end, as “I’m So Ronery” plays on the headphones I end this psychic barf of a post. Joe, Elyssa, …. Time for your meds! And as always “Remember to fade away in a montage”

K.

Written by Krypt3ia

2011/07/13 at 16:12

Following CJR’s Cue on Plagiarists


Following Chris John Riley’s lead, I thought I would also make a comment or two.. Or.. Oh Hell, how about a whole rant on the subject?

So, here I go.

Lately, my blog has become more popular with folks through my affiliation with Infosecisland. Since all of this new found interest in my lunatic ravings, I have noticed that some sites, ahem, whose owners have certain histories with the issue of content theft, have been scraping MY content as well, either from the aforementioned Infosecisland site or even my own dingy little spot on the internets.

Now, as of today, after filing 6 DMCA violation letters with someone’s Internet provider, I have seen ‘some’ of my content come down. Of course I believe that it was really the efforts of Infosecisland and their legal team that made things happen. That said, the last couple of days have shown true and epic irony on the part of said plagiarist, copying content that was clearly negative towards him… Wait, what am I saying.. The Rothke article was all ABOUT him! Yet he still just scraped the content and put it happily on his own page.

Duh.

It just goes to show you that someone is not paying attention to what, and from whom, they are thieving.

Meanwhile, there are others who I only recently have found doing the same thing… And now, I turn my attentions to you Elyssa.

DMCA’s coming your way via blogspot soon!

K.

Oh, and I truly would love to see this post scraped and on those sites! The LULZ will be epic.

Written by Krypt3ia

2011/07/12 at 15:58

Posted in Plagiarism

Team Inject0r: The Multinational Connection


The recent compromise of a NATO server by “Team Inj3ct0r” has made the news, but, as the media usually do, they did not look any deeper than the website for Inj3ct0r and perhaps a little data as to what the team said in a text doc on the compromised server. A further examination of the group shows that Inj3ct0r has been around since 2008 and has ties to Chinese hackers as well as to Russia, Turkey and other countries.

This could change the paradigm on the “hacktivism” moniker that Team Inj3ct0r has branded themselves with recently (post the goings-on with Anonymous and the LulzSec/AntiSec movements). Before these movements, this site and the teams were all loosely linked purveyors of 0day, and not so much in it for any political ends. What has changed? Who might benefit here from using the hacktivism movement as a cover for hacking activities that could cause a stir?

… Maybe the PLA? Maybe the FSB?…Some other political orgs from Gaza? or Turkey?

Or, perhaps they are just a bunch of hackers who like the cause celebre of hacktivism? It’s hard to say really, but, when you get China into the mix, the lines blur very very fast.

Below I am outlining the data I collected on the main inj3ct0r site, its owner, and two of the players who are on both teams of hackers, teams that span Chinese and Russian hacking. This makes for a new wrinkle in the Anonymous/Lulz movement, in that the NATO hack was claimed by someone using the name “Team Inj3ct0r”, and this site seems to fit the bill as the source of the attack, since the hackers have been quoted as saying that they used 0day on the NATO server to crack it and keep access. If indeed there are connections to state sponsored hacking (as the China connection really does lead me to believe), then we have a new problem; or perhaps this has been the case all along, that state sponsored hackers have been within Anonymous, using them as cover.

Another interesting fact is the decision to attack NATO. Was it a hack of opportunity? Or was there a political motive here? As I have seen that these groups are multinational, perhaps this attack had an overall political agenda, in that NATO is supposed to be the world’s policeman. I am still unsure.

Teams and Members:

In looking at the sites and the members, it came to light that two members belong to each of the teams (inj3ct0r and DIS9). The two are “KnocKout” and “Kalashinkov3”. The teams are tied together in the way they present their pages and the data they mirror, so it is assumed that they have a greater connection underneath. In fact, more of them may be working together without being named in the teams listed below. Each of these people has particular skills in finding 0day and posting it to this site and others for others to use.

Team Inj3ct0r: http://77.120.120.218/team

Team Inj3ct0r’s site is located in Ukraine and is registered to a Matt Farrell (mr.r0073r@gmail.com). My assumption is that the name given, as well as the address and phone numbers, are just bogus, as you can see they like to use the netspeak word “1337” quite a bit. A secondary tip on this is that the name “Matt Farrell” is the character name for the hacker in “Live Free or Die Hard”. Someone’s a fan…

Team Inj3ct0r

r0073r – r0073r is the founder of inj3ct0r and I believe is Russian. The site r0073r.com is owned by a Mr. Czeslaw Borski according to whois. However, a whois of inj3ct0r.com comes up with an Anatoly Burdenko of 43 Moskow, Moskovskaya Oblast, RU. Email: e-c-h-0@mail.ru

  • The domain r0073r.com is owned by a Mr. Czeslaw Borski out of Gdansk, Poland (another red herring name); the domain is hosted in Germany with a .ru name server
  • The domain inj3ct0r.com, created in 2008, is registered to “Anatoly Burdenko” and has been suspended (note, though, that in the whois record below the registrant name field reads “r0073r” and “Burdenko, 43” sits on the street-address line, so it may be an address rather than a person’s name)
  • The domain inject0r.com was hosted in China, 61.191.0.0 – 61.191.255.255, on ChinaNet
  • Another site confirms that r0073r is the founder of team inj3ct0r aka l33tday
  • Another alias seems to be the screen name str0ke
  • Also owned www.0xr00t.com

http://www.inj3ct0r.com domain details:

Registrant:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151
Creation Date: 13-Dec-2008
Expiration Date: 13-Dec-2013
Domain servers in listed order:
ns1.suspended-domain.com
ns2.suspended-domain.com
Administrative Contact:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151

Sid3^effectsr
4dc0reSeeMe
XroGuE
gunslinger_

indoushka
KnocKout

  • knockout@e-mail.com.tr
  • knockoutr@msn.com
  • Alleged to be Turkish and located in Istanbul
  • Member of the Turkish cyber warrior site cyber-warrior.org, last access July 4th 2011

ZoRLu
anT!-Tr0J4n
eXeSoul
KedAns-Dz
^Xecuti0n3r
Kalashinkov3


DIS9.com:

DIS9.com is a hacker group that is linked to and shares two members with Team Inj3ct0r (Kalashinkov3 and KnocKout). Both sites are very similar in design and content. DIS9.com resolves to an address in China and is registered to a YeAilin, ostensibly out of Hunan Province in China. The owner/registrant of the site has a familiar email address, yeailin225@126.com, at a mail provider whose own domain is registered in and physically hosted in China.

A Maltego of this data presents the following interesting bits: a connection to the site http://www.vi-xi.com, a now defunct BBS which lists the yeailin225 account and other data like his QQ account. This site also lists another name attached to him: Daobanan ( 版主, Chinese for “board moderator” ). vi-xi.com had hacking discussions that involved 0day as well. The domain of vi-xi.com was registered to jiang wen shuai with an email address of jwlslm@126.com and was listed out of Hunan Province.

The connections from DIS9 to other known hackers who are state actors were found within the Maltego maps and analogous Google searches. As yet, I am still collecting the data out there because there is so much of it. I have been inundated with links and user names, so once I have more detailed findings I will post them. Suffice to say, though, that there is enough data here to infer that, at the very least, hackers who work for the state in China are working with others on these two sites, sharing 0day and perhaps hacking together as newly branded “hacktivists”.

DIS9 Team:
Rizky Ariestiyansyah
Blackrootkit – 
Kedans-Dz

: Team Exploit :

Nick
Kalashinkov3
KnocKout
K4pt3N
Liquid
Backdoor Draft

h4x0er.org aka DIS9 Team

Another interesting fact is that a link to the site h4x0er.org itself shows that the DIS9 team is the umbrella org for Inj3ct0r and other teams. This is a common practice I have found with the Chinese hacking groups to have interconnected sites and teams working together. This looks to be the case here too, and I say this because of the Chinese connections that keep turning up in the domains, sites, and team members.

Other Teams within the DIS9 umbrella:

In the end, it seems that there is more to the inj3ct0r team than just some random hackers and all of this data bears this out. I guess we will just have to wait and see what else they hit and determine what their agenda is.

More when I have it…

K.

BlackkatSec: The New Kids on the Block Who Allege They Took Down Al-Qaeda


From GamerCrypt

Last week, the AQ site shamikh1.net was taken down by unknown persons and its domain suspended by GoDaddy for abuse. Evan Kohlmann of Flashpoint Global was making the rounds on the media circuit pimping that it was in fact MI6 or the like that took the site down. However, Evan had little to no evidence to back this claim, and frankly, the media just ate it up, evidence be damned. I came to the party after hearing online the previous weekend that the site was under attack and going down from an unknown type of attack. However, I knew from past experience that the site was likely being attacked through some SQLi or a DDoS of some kind. The reasoning I have had is that the site was vulnerable to attack in the past and, as far as I knew, the admins at Shamikh1 had not fixed the problems.. Not that anyone was going to tell them that their site was vulnerable.

As time passed and more stories circulated, Evan’s tale changed slightly to include the fact that he thought there was a domain hijack that had happened. There is once again no evidence of a domain hijack at all, but there still lingers the idea that the site was taken down by someone other than skiddies out for a good time. Once again, there was no evidence to back up any claims, but the media is.. well, the media.. They will buy anything if it gets them attention. So on it went, and on Saturday the backup site that AQ had registered in May (as I surmised in my earlier post that it was the backup) was back up serving the main page. To date the page is not fully functional, and once again Evan has made a claim on the news that they are back up for registration, another false claim, as they are not taking submissions.

Either way, the site is online (mostly) and seems to be getting back into the swing, while a new dark horse has entered the race as to who did it and perhaps why. @blackkatsec, or BlackKatSec, is a new splinter group of LulzSec/AntiSec/Anonymous that has turned up quietly making claim to the hack on shamikh1. They, so far, have not said much on why, never mind how, but it would be interesting to hear from them on the pastebin site as to what data they may want to release on their hack. If indeed they used SQLi attacks and in the end rm -rf *’d the site, then I would LOVE to see what they got out of it before they did so. If, on the other hand, they just attacked the site and the admins as well as GoDaddy took it down, then I would like to know.

Speculation is.. Well it’s mental masturbation really. Good for the media, bad for those who really want to know something.

So, dear BlackKatSec, if you feel so moved, please do drop me some data.. I will make sure it’s used to cause the boys from Shamikh1 more heartburn. Otherwise, please do keep us up on your attacks, as I do not look forward to hearing all the damned speculation that comes out of the spinning media heads like a certain someone whom I mentioned above. Of course you could just be trying to claim the hack for whatever reasons and not have done it… But the lack of trumpeting it to the world says to me that maybe you were involved…

Say.. You guys aren’t MI6, are ya?

HA!

More when I have it.

K.

Shamikh1.info: The New Den of Scum and Villainy


Well, that didn’t take long, did it? At least Evan got one thing right: they’d be back up soon. So, here is the skinny on the new site and the core server that they have stood up. The site is still not fully back online, but this stage of things allows one to get a lot of intel on the server makeup and who is operating/hosting it, because they had a direct link back to the SQL instance. They are setting it up rapidly, as I surmised they would, on the domain shamikh1.info, which was registered in May as the backup domain.

I have begun the work of getting all of the pertinent details on the address owners/ops in Indonesia so soon all of their details will be available to those who want them. However, just with the short bit of work I have done here, I pretty much think you can all get a grasp of who’s where and what’s up huh? Sure, the server is in Indonesia, and, well, they are rather tepid on the whole GWOT thing so nothing much may happen…

But..

You intelligence agencies out there looking for a leg up.. Well here it is… Enjoy.

Now, back to the events that brought us to today. The take down of the original site may have been only because someone got into the server and wiped it out, as Evan suggests (without any proof as yet, mind you), or it may in fact be because the site was blocked at the domain level, as I pointed out in my last post on this matter. GoDaddy had suspended the domain, and I am not sure if the mirrors on piradius were working before the alleged attack happened or not. At this point, it is anyone’s guess as to the attack’s perpetrators, methods, and final outcome until someone from the AQ camp speaks up on exactly what happened.

Meanwhile, the media will continue to spin on about MI6 hacking them or perhaps it was those mysterious “Brit” hackers that so many articles mentioned.

“Bollocks” As they say in England.

DATA:

Domain ID:D38010794-LRMS
Domain Name:SHAMIKH1.INFO
Created On:14-May-2011 00:22:30 UTC
Last Updated On:27-Jun-2011 07:43:57 UTC
Expiration Date:14-May-2012 00:22:30 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:fce7ae13f22aa29d
Registrant Name:WhoisGuard  Protected
Registrant Organization:WhoisGuard
Registrant Street1:11400 W. Olympic Blvd. Suite 200
Registrant Street2:
Registrant Street3:
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90064
Registrant Country:US
Registrant Phone:+1.6613102107
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:06b6ac7646b147ccb6aed6d1f0248d70.protect@whoisguard.com
Admin ID:fce7ae13f22aa29d
Admin Name:WhoisGuard  Protected
Admin Organization:WhoisGuard
Admin Street1:11400 W. Olympic Blvd. Suite 200
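The two whois records on this page, the inj3ct0r.com record in the Team Inj3ct0r post and the shamikh1.info record just above, are the raw text that the pivoting in both posts starts from: a registrant e-mail to search across other registrations and forums, a creation date to line up against a site's history, and name servers that tell you whether the domain is live or parked. The following is an added example, not code from the original posts. It parses both layouts (the older free-form registrar layout and the Key:Value layout of the .info registry), extracts those fields, and says which records give you a pivot and which are dead ends. The webmail-provider list and the privacy-service markers are this example's own assumptions; the two embedded records are trimmed copies of the ones printed on this page.

```python
"""Pull pivot points out of raw whois text.

Added example for this page, not code from the original posts. Handles the two
record shapes printed here: the free-form registrar layout (inj3ct0r.com) and
the Key:Value layout of the .info registry (shamikh1.info).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DOMAIN_RE = re.compile(r"^Domain Name\s*:\s*(\S+)", re.M | re.I)
CREATED_RE = re.compile(r"^(?:Creation Date|Created On)\s*:\s*(\S+)", re.M | re.I)
NS_FIELD_RE = re.compile(r"^Name Server\s*:\s*(\S+)", re.M | re.I)

# Assumptions of this example: webmail providers whose addresses belong to a
# person rather than a registrar (worth pivoting on), and strings that mark a
# privacy/proxy registration (a dead end for pivoting).
FREE_WEBMAIL = {"mail.ru", "126.com", "gmail.com", "msn.com", "yandex.ru"}
PRIVACY_MARKERS = ("whoisguard", "domains by proxy", "privacyprotect", "privacy protected")

# Trimmed from the inj3ct0r.com record printed on this page.
INJ3CT0R_WHOIS = """\
Registrant:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151
Creation Date: 13-Dec-2008
Domain servers in listed order:
ns1.suspended-domain.com
ns2.suspended-domain.com
Administrative Contact:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
"""

# Trimmed from the shamikh1.info record printed on this page.
SHAMIKH1_WHOIS = """\
Domain ID:D38010794-LRMS
Domain Name:SHAMIKH1.INFO
Created On:14-May-2011 00:22:30 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Registrant Name:WhoisGuard  Protected
Registrant Organization:WhoisGuard
Registrant Email:06b6ac7646b147ccb6aed6d1f0248d70.protect@whoisguard.com
"""


@dataclass
class WhoisRecord:
    domain: Optional[str]
    created: Optional[str]
    emails: List[str]  # in order of appearance, deduplicated
    nameservers: List[str]
    privacy_protected: bool


def parse_whois(text: str) -> WhoisRecord:
    """Extract the fields an analyst pivots on, tolerating both layouts."""
    lines = [ln.strip() for ln in text.splitlines()]
    emails = list(dict.fromkeys(EMAIL_RE.findall(text)))
    nameservers = [ns.lower() for ns in NS_FIELD_RE.findall(text)]
    # Free-form layout: a header line followed by bare hostnames, one per
    # line, up to a blank line or the next "Something:" header.
    for i, ln in enumerate(lines):
        if ln.lower().startswith("domain servers in listed order"):
            for ns in lines[i + 1:]:
                if not ns or ":" in ns:
                    break
                nameservers.append(ns.lower())
    dom = DOMAIN_RE.search(text)
    created = CREATED_RE.search(text)
    lowered = text.lower()
    return WhoisRecord(
        domain=dom.group(1) if dom else None,
        created=created.group(1) if created else None,
        emails=emails,
        nameservers=nameservers,
        privacy_protected=any(m in lowered for m in PRIVACY_MARKERS),
    )


def pivot_indicators(rec: WhoisRecord) -> List[str]:
    """Reduce a parsed record to the things worth acting on."""
    out = []
    if rec.privacy_protected:
        out.append("registrant hidden behind a privacy service; whois gives no pivot")
    for e in rec.emails:
        if e.rsplit("@", 1)[1].lower() in FREE_WEBMAIL:
            out.append(f"free-webmail registrant {e}; pivot on this address")
    if any("suspended" in ns for ns in rec.nameservers):
        out.append("name servers point at a suspension holder; domain is parked or suspended")
    return out


if __name__ == "__main__":
    for raw in (INJ3CT0R_WHOIS, SHAMIKH1_WHOIS):
        rec = parse_whois(raw)
        print(rec.domain or "(domain not in record)", rec.created, rec.emails, rec.nameservers)
        for line in pivot_indicators(rec):
            print("  -", line)
```

Run it and the two records come out as different kinds of lead: e-c-h-0@mail.ru is a personal webmail address that can be searched across other registrations and forums, while the WhoisGuard address is a per-domain forwarding alias that leads nowhere. That is why the shamikh1.info investigation below has to fall back on the hosting IP and the contacts attached to it rather than on the registrant.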

Core Server:

IP address: 180.235.150.135

Location: Indonesia


Persons Attached: Daru Kuncoro & Yogie Nareswara

Names of Admins: Yogie Nareswara & Daru Kuncoro

Email Contacts: ahmad@koneksikita.com yogie@arhdglobal.com

Nmap Scan Report:

Starting Nmap 5.21 ( http://nmap.org ) at 2011-07-02 07:39 EDT
Initiating Ping Scan at 07:39
Scanning 180.235.150.135 [2 ports]
Completed Ping Scan at 07:39, 0.32s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:39
Completed Parallel DNS resolution of 1 host. at 07:39, 0.53s elapsed
Initiating Connect Scan at 07:39
Scanning 180.235.150.135 [1000 ports]
Discovered open port 80/tcp on 180.235.150.135
Discovered open port 110/tcp on 180.235.150.135
Discovered open port 993/tcp on 180.235.150.135
Discovered open port 143/tcp on 180.235.150.135
Discovered open port 21/tcp on 180.235.150.135
Discovered open port 443/tcp on 180.235.150.135
Discovered open port 3306/tcp on 180.235.150.135
Discovered open port 995/tcp on 180.235.150.135
Completed Connect Scan at 07:39, 11.74s elapsed (1000 total ports)
Nmap scan report for 180.235.150.135
Host is up (0.30s latency).
Not shown: 958 filtered ports, 34 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql

Tasty, they have a few ports open. Hey antisec skiddies, wanna play with some SQLi ?
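The scan above is nmap 5.21 "normal" output, and the eight open ports are what the rest of the post hangs on. The following is an added example, not code from the original post: it parses that output format, checks that the listed rows plus nmap's "Not shown" counts add up to the number of ports scanned (a cheap sanity check that a pasted report was not truncated or edited), and flags the services that have no business facing the internet. SAMPLE_REPORT is a trimmed copy of the report printed above; RISKY_SERVICES is this example's own judgement, not anything nmap emits.

```python
"""Parse nmap "normal" output and flag services that should not face the internet.

Added example for this page, not code from the original post. SAMPLE_REPORT is a
trimmed copy of the scan printed above; RISKY_SERVICES is this example's own
judgement, not anything nmap emits.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

PORT_LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN_RE = re.compile(r"(\d+) (open\|filtered|filtered|closed) ports")
SCANNED_RE = re.compile(r"\[(\d+) ports\]")

RISKY_SERVICES = {
    "mysql": "database listener reachable from the internet; bind to localhost or firewall it",
    "ms-sql-s": "database listener reachable from the internet; bind to localhost or firewall it",
    "postgresql": "database listener reachable from the internet; bind to localhost or firewall it",
    "ftp": "credentials cross the wire in cleartext",
    "pop3": "credentials cross the wire in cleartext",
    "imap": "credentials cross the wire in cleartext",
    "telnet": "whole session in cleartext",
}

SAMPLE_REPORT = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2011-07-02 07:39 EDT
Scanning 180.235.150.135 [2 ports]
Scanning 180.235.150.135 [1000 ports]
Discovered open port 80/tcp on 180.235.150.135
Nmap scan report for 180.235.150.135
Host is up (0.30s latency).
Not shown: 958 filtered ports, 34 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
"""


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


def parse_nmap_report(text: str) -> List[PortEntry]:
    """Return the per-port table rows ("21/tcp   open  ftp") in report order."""
    entries = []
    for raw in text.splitlines():
        m = PORT_LINE_RE.match(raw.strip())
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def not_shown_counts(text: str) -> Dict[str, int]:
    """Parse the 'Not shown: N filtered ports, M closed ports' summary line."""
    return {state: int(n) for n, state in NOT_SHOWN_RE.findall(text)}


def counts_consistent(text: str) -> bool:
    """Listed rows plus not-shown counts must equal the ports nmap said it scanned.

    A mismatch usually means the pasted report was truncated or hand-edited.
    """
    scanned = max((int(n) for n in SCANNED_RE.findall(text)), default=0)
    return scanned == len(parse_nmap_report(text)) + sum(not_shown_counts(text).values())


def exposure_findings(entries: List[PortEntry]) -> List[str]:
    """Open ports whose service is in RISKY_SERVICES, with the reason."""
    return [f"{e.port}/{e.proto} {e.service}: {RISKY_SERVICES[e.service]}"
            for e in entries if e.state == "open" and e.service in RISKY_SERVICES]


if __name__ == "__main__":
    rows = parse_nmap_report(SAMPLE_REPORT)
    print("report internally consistent:", counts_consistent(SAMPLE_REPORT))
    for finding in exposure_findings(rows):
        print(" -", finding)
```

One caveat the post glosses over: an exposed 3306/tcp is a direct credential-guessing target for the MySQL listener itself, which is a separate exposure from SQL injection through the web application on 80/443. The scan alone shows the former and says nothing about the latter.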

Meh.

Site Contact Data:

Daru Kuncoro:

Yogie Nareswara:

Current State:

Guess they are still working on the server connections… I am sure as well that soon they will have more stealth servers out there in Malaysia. So the mirroring will begin, for the SQL instance to do the push from. Let’s see how long it is before this one is taken down, shall we? Oh, and next time an attack happens, let’s all get a lock on how it is happening as well as exactly what it is. I have had enough of the media hype with talking heads who have no idea what they are talking about when it comes to information warfare or network security.

More later.

K.