Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for June 2018

2018 Krypt3ia Kryptos Crypto Challenge!


Ok kids, here it is. You may start now.

Why now?

Well, because it’s hard and no one has time during DEFCON.

Solve the puzzle and you’ll know what to do.

Good luck.

K.

Written by Krypt3ia

2018/06/27 at 13:24

Dear Paul! : The Curious Case of A Letter In A Cache of Files from Andrea Manafort’s Phone Dumped In The Darknet


The letter you see above was posted in a cache of pictures ostensibly from Andrea Manafort’s cell phone which was hacked back in 2016. The pictures, which were checked for metadata to be sure, are in fact hers and contain quite a bit of visual information that I will not release here including medical data and taxes etc. The interesting bits though were alleged pictures/images of documents in Cyrillic and in English that concern a media company that was set up by Dmitry Firtash and others during Paul’s time working in Ukraine for Viktor Yanukovych. It was during this time that many assume Paul made connections like his second in command Kilimnik (GRU) that are all becoming very important to the obstruction case of Donald J Trump, the 2016 election tampering by Russia, and Manafort’s centrality to it all.

The documents above purport to be either a letter or an email, but it is impossible to tell because there are no headers, and no way to determine which it is. In fact, this could be an outright fake. This is the caution I am making up front here concerning this document in the dump with the rest. Not only is there no data in the page to tell what the source is, there is also no metadata at all to prove out where it came from so it could be a fabrication, but to what end and by whom I wonder? As for the other documents in Cyrillic, they are checking out to be real but they are also elsewhere on the net from other sources in Ukraine and can also be verified by the companies involved.

A map of companies comprising the flow of ownership and money concerning a media company set up in Ukraine

So some of this tracks as real, but the document at the top of the page is not found anywhere else that I could tell. So, is this disinfo? Was Andrea actually the one who had these files sent to her by someone? I suspect that “could” be the case but once again, it is impossible to know completely without metadata that is forensically viable to prove it. So, I would have to ask Andrea, or maybe someone in the media can, if indeed she has seen these documents before and whether she was party to looking into what her father was up to at some point?
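The provenance question above comes down to what a file carries with it. As an added example (not the author’s tooling, and not the files from the dump), here is a dependency-free Python check that walks a JPEG’s segments, reads the Exif IFD0 and reports the tags that bear on origin. The two sample files are constructed inline by the `build_sample_jpeg` helper and their tag values are made up. The caveat the post makes applies: no Exif, as with the letter, leaves nothing to test, and present Exif only supports a claim, since those bytes are trivially rewritten.

```python
import struct

# IFD0 tags that bear on where a photo came from (standard TIFF/Exif tag ids).
PROVENANCE_TAGS = {
    0x010F: "Make",
    0x0110: "Model",
    0x0131: "Software",
    0x0132: "DateTime",
    0x8825: "GPSInfo",  # pointer to the GPS IFD; its presence alone is informative
}


def _jpeg_segments(data):
    """Yield (marker, payload) for each JPEG segment before the image data starts."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded data follows, no more metadata segments
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def _parse_ifd0(tiff):
    """Walk IFD0 of a TIFF blob and return the provenance tags it contains."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header inside Exif segment")
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    found = {}
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        tag, typ, n = struct.unpack(endian + "HHI", entry[:8])
        if tag not in PROVENANCE_TAGS:
            continue
        if typ == 2:  # ASCII: stored inline when it fits in 4 bytes, else at an offset
            if n <= 4:
                raw = entry[8:8 + n]
            else:
                off = struct.unpack(endian + "I", entry[8:12])[0]
                raw = tiff[off:off + n]
            found[PROVENANCE_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 4:  # LONG, e.g. the GPS IFD offset
            found[PROVENANCE_TAGS[tag]] = struct.unpack(endian + "I", entry[8:12])[0]
    return found


def parse_exif(data):
    """Return the provenance tags from the first APP1/Exif segment, or {} if there is none."""
    for marker, payload in _jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(payload[6:])
    return {}


def provenance_report(data):
    """Summarise what the file offers toward (not proof of) provenance."""
    tags = parse_exif(data)
    missing = [name for name in ("Make", "Model", "DateTime") if name not in tags]
    if not tags:
        verdict = "no Exif: nothing to test, origin cannot be supported from the file itself"
    elif missing:
        verdict = "partial Exif: %s absent, consistent with editing or re-saving" % ", ".join(missing)
    else:
        verdict = "camera-style Exif present: supports, but does not prove, a phone/camera origin"
    return {"tags": tags, "has_gps": "GPSInfo" in tags, "verdict": verdict}


def build_sample_jpeg(ascii_tags=None):
    """Constructed fixture: a minimal JPEG with an optional big-endian Exif IFD0 of ASCII tags."""
    if ascii_tags is None:  # JFIF-only file, as a photo stripped by a messaging app might be
        app = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    else:
        entries, blob, n = b"", b"", len(ascii_tags)
        data_start = 8 + 2 + 12 * n + 4  # header + count + entries + next-IFD pointer
        for tag, text in sorted(ascii_tags.items()):
            raw = text.encode("ascii") + b"\x00"
            if len(raw) <= 4:
                entries += struct.pack(">HHI", tag, 2, len(raw)) + raw.ljust(4, b"\x00")
            else:
                entries += struct.pack(">HHII", tag, 2, len(raw), data_start + len(blob))
                blob += raw
        tiff = b"MM\x00\x2a" + struct.pack(">IH", 8, n) + entries + b"\x00" * 4 + blob
        app1 = b"Exif\x00\x00" + tiff
        app = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    return b"\xff\xd8" + app + b"\xff\xda\x00\x02\xff\xd9"


# Made-up tag values; nothing here comes from the dumped files.
SAMPLE_PHONE_PHOTO = build_sample_jpeg({0x010F: "Apple", 0x0110: "iPhone 6", 0x0132: "2016:03:14 09:26:53"})
SAMPLE_STRIPPED = build_sample_jpeg()

if __name__ == "__main__":
    for name, blob in (("phone photo", SAMPLE_PHONE_PHOTO), ("stripped", SAMPLE_STRIPPED)):
        print(name, "->", provenance_report(blob)["verdict"])
```

Run it on a real file with `provenance_report(open(path, "rb").read())`; only IFD0 is read, which is enough to see whether the camera, timestamp and GPS pointer survived, and it stays well clear of the compressed image data.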

But wait… It gets more interesting…

Did you really read the document at the top of the post?

Lemme draw out some things…

Paying attention here? It’s subtle but there seems to be some planning here and intonation of criminal conduct with regard to the Ukrtelekom deal there don’t it? My only question now is who is JN? Anyone? Hmmm JN? Oh well, the fact of the matter is that if this is real, well, there may be some ammunition that Mueller may have or want along with those documents in Cyrillic. On the other side, this could be some Ukrainian hackers’ attempt to drive the narrative. Perhaps Andrea can enlighten us all on the provenance of those documents in the dump…

While she is at it, maybe someone should tell her also not to take pics of her insurance card and other very personal things… Ya know, cuz they may end up in the darknet…

The other documents are being translated so I will have more on them later.

Enjoy,

K.

Written by Krypt3ia

2018/06/19 at 15:42

Posted in Manafort

Who’s Ian Smirlis or Giannhs Smyrlhs and Why Were They Hosting and Domain Owner of cicada3301.org in 2015?


From Reddit /r/cicada3301:

  • On April 19, 2015, cicada3301.org went live, displaying the ASCII Cicada emblem seen in some of 3301’s tor sites and a countdown clock heading to August 17 2015, 10:33 AM, calibrated to the user’s clock. The metaheader of the countdown page reads “Willkommen” – ‘Welcome’ in German.
  • Upon reaching 0, most people report that the clock begins counting back up from 10:33 on August 17. (This is the case for this author.) It is unclear if this is intended or a default function of the basic countdown script used.
  • The index loads only for certain users – for those unable to view the index, see these screenshots. (imgur link)
  • Besides the index, there are four pages in the site’s navigation: an overview of the Gematria Primus, a description of the “technomystical” Cicadian order who hold 3301 sacred, the entire translated portion of the Liber Primus, and a description of Cicadian “broods” (which seem akin to congregations.)
  • No part of the site’s HTML or Javascript seems unusual in any significant way, though further investigation may yield some break on this front.
  • No PGP has been found anywhere on the site.

Lately I have been in a mood to look into the darker and deeper corners of the darknet and one of the more interesting groups/puzzles/mysteries is the Cicada3301 group. While I was messing about with the Liber Primus and such, I decided to poke around cicada3301.org, which was a domain and site that popped up in 2015 and purported to be a part of the whole thing. It has been determined by Redditors that this is a fake site not part of the official 3301 and later on in fact 3301 said that all messages will be signed with a PGP key, and this site did not have it as far as I know. So this site is ostensibly just someone who is enamored with the whole thing or, maybe, someone affiliated. If you look at the site you can see some content that makes me wonder if they aren’t somehow a part of it. One of the things that I kinda key on is the whole “brood” discussion, but I could just be a bit crazy and not know when the term first came out in the public eye after one of the solvers talked about how cicada3301 is alleged to work as a group with “broods” of intelligent individuals working for the higher ups doing… “things”…

Wayback cicada3301.org_1

Wayback Cicada3301.org_2

Anyway, having stumbled on the site because I have not been paying close attention all these years, I decided to take a look at this site in Domain Tools because the Redditors seem to lack an account on this service. What I was able to determine was that the site was originally started/owned by a guy named Ian Smirlis, or Giannhs Smyrlhs, out of Athens, Greece. Now, this is interesting because once I started digging in on the names and the email address I started to find some odd things about our pal Ian.

Screenshot from 2018-06-15 16-21-13

Ian Smirlis is a kind of enigma on his own. Looking online for traces of the name you only come up with a few and what you get are, well, odd. For starters, one of the first hits you get is for a YouTube channel that he has out there. When you look at that channel you see five uploads and not much else. In fact, when you look closely, there is no bio page at all. Nothing else about this channel leads you to any further information about Ian at all. No favorites, no comments, no email address, nada. Now, if you look at the videos he has uploaded the first one in the group turns out to be the most interesting of the lot, save for a weird interest in “The Elephant Man” that he has. The first video is called “SCIgen talk

The SCIgen talk is the story about three MIT students who “fooled the world of scientific journals” using a program called SCIgen which is a paper generator intended to fool CFP judges and audiences. The video is really funny and the article linked here is a good read. Clearly these MIT kids are tricksters and it turns out that all three of them are now working in the tech area with jobs that concern information security and encryption technologies. It certainly is funny to me that this Smirlis character, also in the software and engineering field has their video as a direct upload to his pretty information free YouTube channel.

Watch the video and see just how amused these guys were with pulling off the talks they did with at least one audience member in attendance. However, ok, you might say, what do these guys have to do with Cicada3301 and this Smirlis guy’s alleged fake Cicada site? Well, if you look deeper at the article linked above about how these MIT guys fooled the establishment, there is mention at the bottom of the second gen of the SCIgen program called SCIpher that will steganographically hide messages in “innocuous scientific conference advertisements

ORLY?

Gee, aren’t there a lot of hidden messages in the whole Cicada3301 thing? Oh yeah, there are. In fact, to me this all seems to click a bit. I mean, these guys took on the scientific establishment and, well, they all have the chops to pull off a lot of what we have seen in the Cicada3301 arc right? Also, what if a group of MIT students, not content to fool with the scientific community decided to move on to bigger and better things by fucking with the “internet” with hidden messages and a story line to get some giggles? It does kinda sound like an MIT prank in a way to my mind.

…But back to Ian Smirlis…

The thing that keyed for me is that maybe this guy isn’t real or that the name was an anagram. I spent some time on that idea and so far he seems real enough but still kinda sketch. The other name on the domain registry definitely turns up even less on the net. Giannhs Smyrlhs has a Google+ page and not much else on the Goog. He has some followers and I went down that rabbit hole a while and decided it was chaff.

Alrighty then Giannhs…

So, what am I left with here? Well, I find it interesting that these characters are so sketch and that but for a fuck up on the domain reg, the site would have remained anonymous unless you pay Domain Tools a chunk of dough for the service to look at historical WHOIS.

TAKE THAT GDPR!

The connections with the MIT guys and the whole SCIpher and SCIgen thing also kinda makes me wonder. Also, the fact that there is so much mythos around the Cicada in Greek history as well kinda makes me wonder. See for yourselves if you feel like reading up:

Cicadas in Ancient Greece: Orkin

Cicada Mythology: Wikipedia

All of it is interesting to say the least. Whoever Smirlis is, whatever he is up to, he is pretty serious about Cicada3301 at the very least. Now with these other clues, I just wonder if he is somehow involved or has some knowledge and is tipping the hat ever so subtly to the MIT guys on this one…

Just something to make you go HMMMMMMMMMM….

K.

UPDATE: I got an email from Ian and well, he says he has nothing to do with Cicada3301, he was only interested in it and wanted his information taken down. I have smudged out his personal info from the WHOIS image but the post stands.

K.

UPDATE 2: So I was in the darknet looking at Hunchly’s scrape of URLs and came across the following address: http://honmnaapxzpk2rg7.onion/blogs/3301.html, and there at the bottom of the page I see something interesting…

Screenshot from 2018-06-26 09-40-00

Whaaaaat? Some rando guy in the darknet is saying that 3301 is really a group of MIT students who wanted to play with people and ciphers…

NO. WAY.

UPDATE 3: Sooooo it turns out the snippet I found in the darknet is paralleling a post on Reddit two years ago by someone named “Dave”. The post was made on Reddit 1/7/17 and was deleted soon after (comments are here).

Screenshot from 2018-06-26 10-15-59

So what Dave is saying here in 2017 is that Cicada was 4 guys from MIT who decided to troll the internet and it got outta hand. Gee, why does that sound familiar? Oh yeah, I said as much by looking into this fake Cicada site and the links to the three MIT guys’ video that Smirlis made.

Please note I came to this independently and am now finding out more by looking at links sent to me by Switch’d on Twitter. It also is interesting that Smirlis posted the link to the video of the MIT students’ troll in 2014.

Screenshot from 2018-06-26 10-26-13

Does this mean Smirlis knows something or that he was making a guess? Does it mean that he is “Dave”? It is amusing to see all the comments where people are like “NO WAY MAN, THIS IS ILLUMINATI LEVEL SHIT!”

But wait, now can anyone confirm the vulnerabilities that Dave speaks of in the pages that they put up? Also, it makes TOTES sense they would use a VM for all this and that it all gets out of hand so they back off.

All I have to say is that this is all rather interesting. Especially since we have not seen the Cicada for a while. Oh, and yeah, in my traversing the players here I also did come across a connection’s DeviantArt page and her drawings look kinda like the same hand as that which made the grand grimoire “Liber Primus” so there is that too.

What do you guys think? I already know the Redditors thought rather little of my last post…

Evidence kinda mounts.

HEY DAVE! SPEAK TO ME!

K.

Written by Krypt3ia

2018/06/16 at 12:38

Posted in Uncategorized

Supernotes and Poorly Cloned Darknet Sites

I was on safari in the darknet this morning and I came across the site above. The address is druglixdfcb3gda3.onion and as you can see it proclaims it is selling supernotes of American currency. Of course this is always of interest to me and they are making claims about printing specs and things that sound right. However, when you look closer at the site you see that it is not quite finished. It has some lorem ipsum text in there and it also has a lot of broken image links so you get no sample images at all even though they are linking to them.

They even have testimonials! Yet they don’t work either. Now, what got my interest was the bottom of the page, where the site claims you can contact them at the information below. Which, well, is all clearnet addressing and contains a physical address in Italy as well as a domain and email address in the UK! I had to look twice there to make sure I wasn’t seeing things. So I began looking more closely at the code and pulled up the information on the domain that they listed with a contact email of contact@andia.co.uk.

Once I pulled up Domain Tools, I saw that the domain has been around since 2014 and has not changed hands. I did some looking on the Wayback Machine and saw that there really never has been a site and that the names attached to the firm were a couple guys in London, which matched the address in the domain data. I then looked up these guys and found some interesting congruences. Andia LTD has been dissolved as of 2016 and dig this, one of these guys is a specialist in “bank fraud”.

*blink blink*

So, um, how coincidental is it that this domain of a dissolved company of a couple thirty somethings in the UK has one that is a specialist in banking and fraud? Hmmmmm… Well, it goes down the rabbit hole pretty quickly and I was thinking OK! I am on to something here but then I started to look at the code some more… It turns out that if you start to Google the code and key words on the page you get a LOT of hits elsewhere. It turns out that this site in the darknet was using code from a free template created by this guy Anli Zaimi, who has a bunch of these templates. So, was this all just for naught? I mean, there are a lot of sites that seem really really sketch using his template and many do not bother to redact the contact details that he put in there.

Also, since this domain is real (andia.co.uk) how does that fit in? Then there is the whole thing with the banking connection and failed businesses. I am left scratching my head a little here. I mean, who puts up a forger’s site so poorly in the darknet? OK ok ok, the darknet really is the Geoshitties of the 2000’s right? So yeah some nitwit just flung this hapless piece of shit up there…

But…

This site has been around a while. Why? No changes? Static and just bad.

Oh well… I even did the due diligence and emailed the contact address and it bounced, so, it ain’t there. I guess in the end it just shows you that the darknet is a garbage heap full of the strangest detritus. I did learn one thing though, this guy’s template is the go-to for scammers it seems.

It’s just that most of them are so code illiterate that they don’t take out the dummy data and leave a long trail on Google.

K.

Written by Krypt3ia

2018/06/15 at 17:28

Posted in DARKNET, Forgery

USA Really: New IRA Troll Farm Site and Twitter Account


So this morning I saw a tweet come across the feed by RVAWonk that was proclaiming that the IRA was back with a new site and the fuckery was pretty much just naked on their part. In the article she goes over the salient technical details of the site and the accounts. It also has another nice linked post that does a bit more in that area as well and I recommend you all read that too. However, I took a bit of a deeper dive looking at the site itself and its coding and did some Maltego mapping of it and the Twitter account. My overall take on all of that is pretty much “meh” … What really intrigues me and has been bothering me for some time now is that everyone is busy mapping all this shit but the fact of the matter is that mapping does not stop the cognitive dissonance that the Russians are playing on to win this game.

The Russians here are basically at a point where they aren’t even trying to hide the fact that the site is a Russian propaganda/disinformation effort and this is the important fact we all seem to be missing in this community. This shit works and even though most people do not have the technical abilities to look deeper into the code and the domains, it is pretty plain when you look at the site itself where they use Cyrillic and Russian in their image names and such that it is in fact a Russian operation.
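Two of the tells used in these posts can be checked mechanically over a mirrored copy of a site: the Cyrillic in image names mentioned above, and, from the Supernotes post, the lorem ipsum and unredacted template contact details, plus clearnet links and email addresses sitting on a .onion page. As an added example (not the author’s tooling, and not code from any of the sites discussed), here is a Python scanner built on the standard library’s `html.parser` that pulls those indicators out of one HTML page. The sample page and the `template-author.example` domain in it are constructed for the example.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Strings a template author leaves in and a careless operator forgets to remove.
TEMPLATE_LEFTOVERS = ("lorem ipsum", "your company", "your address", "example.com", "powered by")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class _PageCollector(HTMLParser):
    """Collect asset references, links, visible text and HTML comments from one page."""

    def __init__(self):
        super().__init__()
        self.assets, self.links, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script", "source") and a.get("src"):
            self.assets.append(a["src"])
        if tag in ("a", "link") and a.get("href"):
            self.links.append(a["href"])

    def handle_data(self, data):
        self.text.append(data)

    def handle_comment(self, data):  # template credits often live in comments
        self.text.append(data)


def _scripts_in(s):
    """Unicode script names (first word of the character name) for the letters in s."""
    return {unicodedata.name(c, "").split(" ")[0] for c in s if c.isalpha()}


def cyrillic_asset_names(urls):
    """Asset URLs whose percent-decoded path contains Cyrillic letters."""
    return [u for u in urls if "CYRILLIC" in _scripts_in(unquote(urlparse(u).path))]


def clearnet_links(urls):
    """Absolute links that leave .onion space; on a hidden service these are a pivot."""
    out = []
    for u in urls:
        host = urlparse(u).netloc.lower()
        if host and not host.endswith(".onion"):
            out.append(u)
    return out


def scan_page(html):
    """Return the template-leftover, language and clearnet indicators found in one page."""
    p = _PageCollector()
    p.feed(html)
    text = " ".join(p.text).lower()
    return {
        "cyrillic_assets": cyrillic_asset_names(p.assets),
        "template_leftovers": [m for m in TEMPLATE_LEFTOVERS if m in text],
        "emails": sorted(set(EMAIL_RE.findall(html))),
        "clearnet_links": clearnet_links(p.links),
    }


# Constructed sample page; the image path decodes to a Cyrillic word.
SAMPLE_HTML = """<!-- Template by template-author.example, free for personal use -->
<html><head><title>Bank notes</title>
<link rel="stylesheet" href="css/style.css"></head>
<body>
<img src="/images/%D0%B1%D0%B0%D0%BD%D0%BA%D0%BD%D0%BE%D1%82%D0%B0.jpg" alt="">
<img src="/images/logo.png" alt="">
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</p>
<p>Contact: contact@template-author.example, 12 Placeholder Street, Your City</p>
<a href="http://template-author.example/">Our company</a>
<a href="http://exampleonionxyz.onion/order">Order</a>
<a href="mailto:contact@template-author.example">Mail</a>
</body></html>"""

if __name__ == "__main__":
    for key, value in scan_page(SAMPLE_HTML).items():
        print(key, value)
```

Pointed at a mirror, `scan_page(open(path, encoding="utf-8", errors="replace").read())` per file gives the strings worth searching on the clearnet, which is exactly how the template reuse in the Supernotes post surfaced.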

We will all likely go down the rabbit hole on the how many followers they have on Twitter and who they follow. We will collate all the data and sift it and parse it all to put out reports on how they did this. My problem though is that we can investigate the shit out of this all we want but unless we come up with strategies to deny, degrade, or destroy the content, it will reach those tribalists out there who want it and the damage of 2016 will continue on unabated. What’s even more galling here is that the Russians have basically pulled a Babe Ruth by announcing this site and putting it out there so flagrantly with Cyrillic in it and on domains owned by a Russian domain hosting service. In reality they just gave us the bird and we are now going to just have to sit by and watch as they inflame the Trumpists to hopefully affect the midterms with this crap.

Of course maybe Twitter will catch on here and swat this account offline? You hear me Jack? … *tap tap* this thing on?

Oh well, so there’s a new site and it seems they have also employed an SEO in there as well. The site has a lot of means to track posts, likes, geolocations etc as well. I have mirrored the whole site and am still poking through the code. The SEO is a new old site too with an anonymous domain registration back in April of this year that likely is also the Russians’ doing. I am sure many of the community will keep an eye on it as we go along so someone will eventually write about this as well with rapt verbiage not really doing anything about the problem.

So here’s my thing, we are all spending all this time nattering on about it but what can we do to stop such propaganda sites and Twitter accounts from spreading the mind virus? If we cannot stop them, how can we inoculate the general public from the effects of such mental plagues? These are the questions we should be asking and I just don’t hear it happening. I know that it is a rich and difficult problem dealing with the psyche and cognitive dissonance but we really need to lay off all the techno babble and focus on real solutions. Solutions that concern the human animal, not the technology, kids. The Russians already know this and they are leveraging it. I mean, how much more blatant do they have to be? How about they just post billboards now in Cyrillic for Trump in all those Trump states?

Focus people.

K.

Written by Krypt3ia

2018/06/06 at 13:38

Espionage In The Age of Modern Information Warfare

Slide deck and link to the video from Circle City Con 2018

Written by Krypt3ia

2018/06/02 at 11:06

Posted in Keynote