@flanvel sent me a link to the darknets with what he said “may” be a numbers station. Of course I had to look at that right away and they were absolutely right! The question is: is this just a troll of some kind or is there something else at work? The site tutdwuh7mlji5we3.onion is a static page with four very large ogg files of what some claim is ten hours of numbers-station-like audio. I began the wget this morning and it is still going, so I have yet to hear the whole thing, but what I have heard so far sounds like it starts with a Mexican numbers station, judging by the diction/accent of the reader.
As the commenter on Reddit says, there is no real way to tell what the deal is with this site, because if it truly is a numbers station (one on the darknet at that) then the code will be random and from an OTP, so virtually uncrackable. However, it is an interesting notion to consider, as I have recently: putting a static transient page on the darknet to use for covert communication through such means as OTP or maybe book code. A simple site with a simple block of text would be all it would have to be and you are in bidniss, right? In this case, if this is a real numbers station at all, then perhaps they are trying a signal-to-noise thing with one of those messages being the real one and the rest just noisy red herrings. Interesting to ponder.
In any case this is worth a listen to those of you interested in spook world.
So I was looking at the bitcoin status of the #ShadowBrokers account and something interesting began to take shape. What I noticed, with the help of my trusty Maltego (@paterva), was that some transactions with “tainted” bitcoins were happening. Of course I am using the word taint in its original form here, in that there be some funky shit going on. It seems not only that ShadowBrokers are WAY short of the eleventy billion bitcoins they want (at about $990.00 last night) but that, if I am reading this right, some of the bitcoin payments are coming from the seized Silk Road bitcoins and account.
Well now isn’t that an interesting development, eh? So, is this to say that these coins are still in the coffers of the feds and they are being sent to ShadowBrokers to chum the water here? Maybe get a conversation going? Maybe to get the bitcoins flying so others can trace some taint? Of course once you start to look at that address and the coins in and out there you get some other interesting hits. Suddenly you are seeing the US Marshals Service as well being in that loop. Which makes sense after the whole thing went down with the theft of coins and such by rogue agents of the USSS and DEA.
THEN we get into stranger territory…
Once you start really looking at the transactions for ShadowBrokers you get this sense of the l337 -ness you are going up against…
It’s all amusing but one has to wonder just what is going on here. Now, if the Silk Road coins are still in the hands of the US GOV then who is sending ShadowBrokers fractions of them and why? Now, I began to ponder the imponderables last night. What if, and you can see this once you start to dig around with Maltego, the coins being paid to the account so far also come from other accounts that are, shall we call them cutout accounts for the government?
I know, you are probably saying to yourself right about now that Krypt3ia needs to drink some more and chill the fuck out but lemme splain…
If you were the gubment and you wanted to maybe trace these fuckers, would you maybe try to chum the bitcoin waters to see what wallets are used for any liquidation of the bitcoins later? I would.. Just a thought, and with the hits there to the Silk Road and the Marshals Service I kinda wonder. In any case this is interesting and I am LOVING the l337 status on those transactions hahaha. You guys take a look and see for yourselves. I just thought this was an interesting development.
Alright, continue your cybers people and PUT ON YOUR HELMETS!!!
We all knew that this shit was going on but now it’s reaching epic cyber douchery levels kids…
Hey someone posted some shit on the Github and the everywhere! LOOK!
Shiiiit this stuff looks kinda real!
FUCK THEY TOOK DOWN ALL THE LINKS!
…EXCEPT MEGA OF COURSE…
LOOK! RC5 and RC6 Implementations match EQUATION GROUP!
SNOWMAN SAYS LAY OFF RUSSIA BECAUSE YOU WAKE DA BEAR! (Uhh hey, can I have my dacha now? I have been a good comrade)
ASS-ANGE FROM HIS EVITA BALCONY: WE HAVE ALL THE SHIT AND WE WILL BE POSTING IT BECAUSE FUCK YOU ALL!
SECRET SQUIRRELS FORMERLY AT NSA SAY HOLY SHIT!
SECRET SQUIRRELS AT TAO SAY OOPS!
SECRET SQUIRRELS AT TAO SAY THIS IS RUSSIA BY GOD!
Fuckery. It’s all fuckery kids. The world is at war already and the populace never got a vote on this one. These scripts and exploits are just the tip of the 2013 iceberg and the reality is that knowing what the likes of J-39 and their ilk were hoping for back in the day we are well and truly fucked if they decide to go all out cyberdouche. Now we have this almost parity with this leak by who? The 2016 cyber equivalent of the Rosenbergs? I haven’t a fucking clue and no one else does as to who did this and why. No really, fuck you if you say you do. And if you attempt to “treat intelligence cyber attribute” this shit you are only trying to get clicks for ads.
But seriously, the biggest issue I have with all of this is that while we are all slobbering over the dump and the potential one to come no one seems to be talking about how fucked up this is. While these guys are making and buying 0days and pwning foreign nations our own infrastructure lays like a burned out whore in the missionary position. We are prosecuting the war but we are not securing the “homeland” for shit and we see it every day. See, the rub of it all is that corporations are the ones that hold the infrastructure and fuck all trying to make them become secure through legislation or any kinds of rules. So here we are with all our shit in the wind to start with, no mass movements to secure the nations everything, and now a dump of just some of our cyber weapons has been spilled online as a big fat fuck you.
Yeah, I feel good about where we are.
Still, the shit is three years old.. Who’s to say that those sploits still work on systems in China let’s say. Anyone checked by the way? Anyone?… Well in any case either someone fucked up and left this shit on a server in 2013 to now OR as some have intoned, this was an insider. Either case still leads to the inevitable fuckery the nations have all been up to and we are not alone, not by a long shot. Some have said that the NSA should be securing things and I just laugh and laugh at that. What the fuck do you think their operational aegis is anyway? It’s to break all the things and own them! So all you who look to Ft. Meade for any solutions are just deluded. Nope, the war is on, it is hot, and it is all under cover. When someone finally decides to go batshit they will unleash all the sploits in tandem with kinetic operations and that will be it. A real hot war will erupt.
It’s still true.. We are the reason we can’t have anything nice.
Oh well, at the end of the day there’s fuck all we can do. The shit is in the wind and now everyone has it. It will be used as a platform of attack until all the things are patched but in between they will be used for whatever ends lone actors or nation states feel like using them for.
It looks like I may have fucked up on the file I uploaded, so I re-uploaded it and let the people I knew were working this problem know. I will give this a couple of days. If no one messages me then this will be released….
So here’s the decrypt…
The Templar code was: “seek within” and the file was stegged…
THE FINAL PUZZLE…. “What is my least favorite word?”
I made a concerted attempt to go see this talk at DEFCON 24 especially since, like Danny Glover, “I am too old for this shit” and braved the masses to get a seat. I went into this talk prepared for fun and games but came out of the other end with some constructive criticism and ideas about other talks that could be made and subsequently never given for fear of arrest. Now Chris is an Aussie and those people are generally nuts, I mean come on, it was a penal colony after all right? But aside from being entertaining enough, this guy just incited, or wanted to incite, the hacker community to be higher on the threat list than da’esh and terrorism in general?
Perhaps it was tongue in cheek but upon talking to someone in the know, DEFCON had to talk him off the ledge on a few things and he had to redact the preso because he was actually going to give even more directed info on how to carry off a coup digitally. I mean he came pretty close with what he presented in the end (without real numbers and amounts of planning and time it would take) but suffice to say, someone with the effort could make a pretty good stab at this now. Hell, this was pretty much the playbook that the J39 and other groups used on places like Serbia in the 90’s right? So the data is out there for others to grab I suppose, but to get up on stage at a con like DEFCON and tell the audience, however impressionable they may be, to do more?
What was that line from Dead Poets about the phone call again?
John Keating: Phone call from God. If it had been collect, that would have been daring!
Anyway, I kind of have to wonder at the thought process behind this but meh, likely no one will take heed and try even more grandiose shit just because they can right?
Oh well time will tell I suppose. This preso got me thinking though of other presentations that could be made. I pondered on the plane ride home all the different scenarios that could be carried out by a small group of hackers and suddenly I was feeling like I was in an episode of Mr. Robot. *shudder* Yes, we could carry off these kinds of attacks with the right direction, planning, and OPSEC but really do we want to? Do we want to because this guy says we need to be scarier than terrorists? Is there some kind of psychopathy at play here?
I will leave it to the nation states to play these games. Instead, how about we all maybe concentrate on getting our own shit secured so no one can do the things Rock was showing us all is so easy to do..
Now there’s a novel idea.
Yep, yet another Da’esh darknet site popped up this morning. This one is a rather bare bones effort that relies on free DynDNS, Tor2web and links back to things like WordPress and imgur and Cloudflare. The site came up and then went down after the kids from OpISIS came and went. The cloudflare though seemed to help as well as the tor2web linkage. As of this writing Cloudflare started to act up and the site was losing bits of itself as I was interrogating it for information.
Anyway, this site is pretty sparse design wise but has a lot of content to click. As you can see below it is low tek but the content is brand new. No mention of official ties but it has the flag in the tab as you can see. All of the links go to external clearnet sites for content so much of the work is being placed on the clearnet sites that the daeshbags upload shit to like mega and the like.
Overall, not much to write home about. The site I assume will be down and up for a while but this just shows you that the daeshbags are trying to get content in the darknet but they seem to be unable to host it all themselves on a single server. Until they can do this, then technically they will continue to be taken offline pretty easily by the kids.
I will be pulling all the metadata since I have already archived the site in toto with wget… More when I have it.
I ran an onion scan on this site for all you kids.. Go.. play..
————— OnionScan Report —————
High Risk Issues: 0
Medium Risk Issues: 0
Low Risk Issues: 0
Informational Issues: 4
Info: Missing X-Frame-Options HTTP header discovered!
Why this is bad: Provides Clickjacking protection. Values: deny – no rendering within a frame, sameorigin – no rendering if origin mismatch, allow-from: DOMAIN – allow rendering if framed by frame loaded from DOMAIN
To fix, use X-Frame-Options: deny
Info: Missing X-XSS-Protection HTTP header discovered!
Why this is bad: This header enables the Cross-site scripting (XSS) filter built
into most recent web browsers. It’s usually enabled by default anyway,
so the role of this header is to re-enable the filter for this particular website if it was disabled by the user.
To fix, use X-XSS-Protection: 1; mode=block
Info: Missing X-Content-Type-Options HTTP header discovered!
Why this is bad: The only defined value, “nosniff”, prevents browsers
from MIME-sniffing a response away from the declared content-type.
This reduces exposure to drive-by download attacks and sites serving user
uploaded content that, by clever naming, could be treated as executable or dynamic HTML files.
To fix, use X-Content-Type-Options: nosniff
Info: Missing Content-Security-Policy HTTP header discovered!
Why this is bad: Content Security Policy requires careful tuning and precise definition of the policy.
If enabled, CSP has significant impact on the way browser renders pages (e.g., inline
CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.
To fix, use Content-Security-Policy: default-src 'self'
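For anyone who wants to reproduce the informational part of that report against their own site without running OnionScan, here is a small offline checker. It is an added example for this post, not OnionScan's own code: it parses a pasted response head (the kind you get from curl -I), looks for the same four headers the report lists, and flags each as missing or set to a value that does not actually protect anything. The parsing rules and the "weak value" judgements are this example's own assumptions, and the sample responses are constructed, not captured from the site above.

```python
"""Offline check for the four header findings in the OnionScan report above.
Added example, not OnionScan's own code; the rules below are this example's
own assumptions about what counts as an acceptable value."""
from typing import Callable, Dict, List, Tuple


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn a pasted HTTP response head (e.g. `curl -I` output) into a dict.
    The status line is skipped, names are lower-cased (header names are
    case-insensitive), and the first occurrence of a header wins."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key not in headers:
            headers[key] = value.strip()
    return headers


# Acceptable-value predicates: a header that is present but set to a value
# that disables or bypasses the protection is reported as "weak", not "ok".
def _xfo_ok(v: str) -> bool:
    v = v.strip().lower()
    return v in ("deny", "sameorigin") or v.startswith("allow-from ")


def _xss_ok(v: str) -> bool:
    # "0" switches the (legacy) browser XSS filter off; "1" / "1; mode=block" keep it on.
    return v.strip().startswith("1")


def _xcto_ok(v: str) -> bool:
    return v.strip().lower() == "nosniff"


def _csp_ok(v: str) -> bool:
    # A policy that never constrains script sources does nothing against XSS.
    v = v.lower()
    return "default-src" in v or "script-src" in v


# (header name, predicate, suggested fix exactly as the report words it)
CHECKS: List[Tuple[str, Callable[[str], bool], str]] = [
    ("X-Frame-Options", _xfo_ok, "X-Frame-Options: deny"),
    ("X-XSS-Protection", _xss_ok, "X-XSS-Protection: 1; mode=block"),
    ("X-Content-Type-Options", _xcto_ok, "X-Content-Type-Options: nosniff"),
    ("Content-Security-Policy", _csp_ok, "Content-Security-Policy: default-src 'self'"),
]


def audit_security_headers(headers: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per missing or weak header; empty list means all four are fine."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[Dict[str, str]] = []
    for name, ok, fix in CHECKS:
        value = lowered.get(name.lower())
        if value is None:
            findings.append({"header": name, "issue": "missing", "fix": fix})
        elif not ok(value):
            findings.append({"header": name, "issue": f"weak value {value!r}", "fix": fix})
    return findings


def onionscan_style_report(headers: Dict[str, str]) -> str:
    """Render findings in the same spirit as the report quoted above."""
    findings = audit_security_headers(headers)
    lines = [f"Informational Issues: {len(findings)}"]
    for f in findings:
        lines.append(f"Info: {f['issue']} {f['header']} HTTP header; to fix, use {f['fix']}")
    return "\n".join(lines)


# Constructed sample responses (not captured from any real site).
BARE_SITE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Date: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html; charset=utf-8
"""

WEAK_RESPONSE = BARE_SITE_RESPONSE + """X-Frame-Options: allowall
X-XSS-Protection: 0
X-Content-Type-Options: sniff
Content-Security-Policy: img-src *
"""

HARDENED_RESPONSE = BARE_SITE_RESPONSE + """X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
"""

if __name__ == "__main__":
    for label, raw in (("bare", BARE_SITE_RESPONSE), ("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"--- {label} ---")
        print(onionscan_style_report(parse_raw_headers(raw)))
```

Paste your own curl -I output in place of the constructed samples. Note that the X-XSS-Protection line is kept only because the report recommends it; current browsers have dropped the filter it controlled, so the nosniff and CSP findings are the ones that still matter.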
Alright, I am gonna say what others may not say for fear of reprisals or coming off as an asshole….
I FUCKING MISS DEFCON
Yes, I am at Defcon 24 and yes, it is the same con in theory, but in spirit it is not any more. Gone are the days when this felt more like a family affair (i.e. seeing folks you know and partying until stupid drunk with each other, pulling hacks and pranks) where you could see everyone around one pool. It used to be about hanging out and showing off your stuff as well as just blowing off steam. Now, it is a fubar festival of lines and fuckery that makes one just not want to go, because you know you won’t be able to see the talks you want and you will be cheek to jowl with people the whole time. Today’s attempt to just get to one talk felt like you were in a cattle chute waiting for the nail gun to put you out of your misery.
That is no longer DEFCON, that is now instead a marketing money machine grinding everyone into security sausage.
I know, some people are gonna take offense but fuck it. It’s how I feel and I think it is how some others have felt this go round. Maybe I am just the asshole…