Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Author Archive

So Why Doesn’t Tor Blog Really Show You How To Set Up A Hidden Site?

leave a comment »

cp94jku

I was recently fiddle farting around on the TOR blog and looking at the setup tutorials for a ‘Hidden Site’ on TOR. When I really dug down into the alleged tutorial though, there wasn’t a whole lot of help there for someone isn’t let’s say, a “Dark Cyber Wizard”, to set up a site inside the onion. Sure they tell you to download the TOR and then to do ‘things’ and magically you have a tor site!

*blank stare*

No TOR blog not really. Since the disappearance of Vidalia and your pimping of the TOR Browser only really, you seem to be neglecting adding to the complexity of the onion with, ya know, actual sites to look at in there. So to that end I thought I would just write up this quick and dirty for Ubuntu (I hear the hisses out there already from some) and give you some guidance on what to do after you get it running. I am using Ubuntu because FUCK YOU is why! So just deal with it.

Anyway…

Phase one: Install your web server

Step one: Install lighttpd

sudo apt-get install lighttpd (or NGINX or whatever you like really but lighttpd is what is recommended by TOR)

Step Two: Start the server

sudo /etc/init.d/lighttpd start

Step Three: Check it is up

Open browser and go to 127.0.0.1 and see if you see the default page. If that isn’t working I suggest you google some things about how lighttpd works

Phase Two: Install TOR and configure Hidden Site

Step One: Install TOR

sudo apt-get install tor

Step Two: Edit TORRC

sudo nano /etc/tor/torrc

UN-comment these two lines (in red) and of course change the port from 80 to something else if you want to.

screenshot-from-2016-11-29-14-40-56

 

Step Three: Start TOR

sudo /etc/init.d/tor start

Step Four: Get the onion address

sudo nano /var/lib/tor/hidden_service/hostname

Step Five: Copy the address in the file and close out.

If you have followed these steps then you “should” have a working TOR hidden site and that default page in lighttpd will be showing up in the onions. Now this mind you is just to get the shit installed and working right? I mean, there is much more to this hosting an onion site that concerns security. For that I suggest you all learn how to secure your Linux install, your lighttpd version and install, and of course the TOR itself. You are gonna have to keep up on the vulns for TOR and everything else to insure you aren’t just hanging your dick out there on the internet for everyone to slap right?

But this all leads me back to the question of why TOR blog does not simply just give you the means to install and use this product? Are you guys afraid of being liable for a naughty site to be out there? Are you guys instead all trying to be dark cyber wizards keeping secrets like some cyber dragon in their cyber cave?

Hmmmm????

It’s not that fucking hard but man you guys really make all kinds of stupid about it.

Ok kids! Go install and play!

K.

PS.. if all of this Linux stuff is too arcane for you… well..

GO FUCKING LEARN.

 

UPDATE!

Oh yeah, by the way, you should really run an OnionScan against your new site to see what may be leaking or insecure. Go do that now… If you have issues please get in touch with @OnionScan

Written by Krypt3ia

2016/11/29 at 19:53

Posted in RTFM

Re-Counts and Forensics in 2016

leave a comment »

screenshot-from-2016-11-28-08-06-06

Since the election I have taken a break from the insanity as much as I could. I blocked off Trump on Twitter but he keeps leaking through the blocks anyway. I have been reading though on the usual source sites like the New York Times and other news sites and with each day I am seeing the utter unravelling of America. Thinking about it though I have to wonder if the unravelling happened long ago and this is all just an echo of the failure finally reaching us all like a radio wave from a distant dying pulsar…

Anyway, I wanted to write today about the current debacle concerning the vote and the calls for an audit of that vote. Since the Green’s have gotten the ball rolling and the Clinton camp finally agreed to look at the vote it seems to be happening and that is a good thing. In an election where blatant tampering through hacking and information operations (DISINFO and IFO-OPS) by the Russian state one can have some sense that perhaps the same adversaries ‘might’ have tampered with the actual votes as well. Now, had it been just troll propaganda wars I might say; “Ok we have been played, they did it, we lost because we as a people are unable to comprehend real news from fake news” but that is not all that happened here. We saw actual hacking campaigns carried out on our voting infrastructure and one of the parties outright and still no one is clamouring for a re-count AND an audit of the systems that are already known to be security challenged?

It is incomprehensible to me at times how our government works at all. The group think and the lackadaisical attitudes towards information security are staggering but this whole episode takes the cake. You mean to tell me that the DHS and the government, the ones who brought us the OPM hack and other massive data breaches are going to tell us that the vote could not have been hacked and it is silly to even consider a forensic audit? This is what I keep hearing in the media and out of the government as calls for the votes to be re-counted and audited. It is also what I am hearing post Halderman’s paper and blog post that says: “I’m not saying the vote was hacked but there is evidence enough to say maybe we should look into it”  What the fuck? We know things went down so why all the reticence to check?

Well let’s look at it another way shall we? let’s say the government, ya know the one who keeps claiming we have “cyber superiority” in fact is shown to have such a poor state of security (like OPM isn’t enough to cast doubt on that one) that the election systems, the ones that the security community has been warning about as insecure for years now, was in fact manipulated as part of a larger operation to fix the election for Putins puppet regime? What exactly would the outcomes be from that revelation?

  1. The system would not be trusted
  2. The country would be in chaos
  3. The government would be seen as incompetent
  4. Putin wins.

It seems to me that most of these things have already come to pass. Sure, we have not actually proven that the systems in key Electoral College states were tampered with by malware or added code yet. That code could have been put in the supply chain easily by infecting the key systems the polling places use (see Halderman’s paper *think USB and ballot templates*) but all it takes is a real forensic evaluation to determine if something was amiss right? Yet I still don’t hear a clamour to get this done. Why is that really? We have been sold the idea on many occasions that it is too hard to hack the election but really, with a limited target and a goal of manipulating it subtly one would not see it blatantly would they? I mean fuck, look, Clinton has what like 2 million more popular votes and this fuckwit wins the college? It is either fantastic strategy on the part of his campaign (I mean Putin’s campaign) or, given all of the other evidence of tampering and obfuscation that something could be amiss with the known insecure systems we vote with right?

Really what I am saying here is this; “We have been played. We have been played and now we have this kleptocrat in office who’s been placed there, whether or not you want to hear this, by the Russian governments intelligence apparatus. The least you can do now is do the due diligence to see if something more happened than the hacks and disinformation operations we already know about.” I suspect though that the government does not want to do this because it would call everything into question. It would openly call out the fact that a nation state fucked with us in such a fundamental way that the only real response would have to be, well, war? I mean what is the response to something of this scale anyway right?

Weigh the evidence.

Occams Razor this shit.

DO THE FUCKING FORENSICS.

K.

Written by Krypt3ia

2016/11/28 at 13:39

Posted in .gov, 2016

Dear Republicrats, You Are Now Comrade Putin’s Puppets.

with one comment

comradeputin

Well you did it GOP and America, you finally elected a person who seems to be on the face of it, aligned with Russia, is an asset of Russia, or in fact is just a “Useful Idiot” as Uncle Joe Stalin called it. Worse still, it seems that you also have given access to at least three people within the Trump campaign who have had ties, direct ones, to Russia, the Kremlin and Alfabank to the White House. These people too may in fact be outright assets of Putin and the KGB.

Congratulations America.

What’s worse is that the GOP has actively pursued this all in the guise of being alt-right or more American than most Americans all the while you have been Putin’s pawns as well.

Once again, congratulations America.

I fear for the country in more ways than one. I fear that our President elect can easily be led to foolish action. (just look at his Twitter)

I fear that his strong man sensibilities and his crazy ideas about NATO will make the world a more dangerous place.

I fear that he has no idea how to run the country and likely will not listen to those who do.

I fear that in an age of Cyber “Warfare” and espionage this man has no cogent ideas on how to protect the nation.

I fear that this man also has a hair trigger and will pursue actions both Cyber and otherwise in the warfare arena that will only end in escalation of tensions globally.

I fear that his minions, and by that I mean the neo nazi’s the white supremacists, and the general maladjusted nut cases like those Alex Jones has in his thrall will only be emboldened to take actions against anyone they don’t like.

In short people we are fucked.

See ya..

Or maybe more on point, “dasvidaniya

K.

Written by Krypt3ia

2016/11/09 at 20:28

Posted in 2016

Shits Gone Plaid: GDD53 and Slate

with one comment

screenshot-from-2016-11-01-08-12-48

 

Last night, Halloween Night, it turned out was the last of the last nights for October Surprises and this time I was dragged into the mire by piss poor reporting by Slate’s Franklin Foer. Evidently Franky has been talking to “Tea Leaves” the titular secret security squirrel who has been pimping this conspiracy theory about Trump email servers and Russian banks for a while now. I came across the story when someone I know got hold of me asking technical questions about the story. I then did the due diligence and began looking into it and wrote a blog post that in the end after a couple updates dismissed Tea as a fabricator and moved on with life. I then edited the post with an update that in fact, part of Tea’s story was right that the New York Times had looked into this. While this was true, it is also true they dropped it for lack of evidence that you could get past editorial, so my blog confirmed that much at least. Unfortunately Tea still  shopped this around until someone took the bait hook line and sinker (Foer) putting out speculation, anonymous testimony, and not much more as proof positive that Trump is in league with Russia’s Alfabank via secret emails and configured servers.

Evidence:

There was none. There was a lot of speculation and theory but what Tea had put on the darknet and had been shopping around was not forensically proven and in fact all of the metadata that may have existed had been stamped out of all documents or never existed in the first place as they were using text files. In looking at the so called evidence I called bullshit and began questioning Tea. Tea emailed me trying to pimp more of this story but I asked pointed forensic questions and about the provenance of their “data” after doing so, Tea claimed they “never got the email”. This was utter bullshit because I even created an account on the same encrypted email server as theirs to send it to them. Clearly they did not want to or could not answer my direct questions on authenticity.

Here were the questions:

screenshot-from-2016-11-01-08-39-45

I got nothing back so I walked away from this story updating the blog with the image you see at the top. This was a non story and this was someone’s troll or an IC operation of some kind. I left it at that… That is until last night when this fallacy laden report came out of Slate.

Anonymous Security Professionals

So here is what I believe happened with Slate and Foer. Tea, not happy with my ignoring their bullshit, went on to pimp at least five venues looking for a way to get this wide and Foer was the gullible one to do so. Now, with a live one on the line Tea spun their tale and added the new twist that they are in fact a group of “security professionals” with insider knowledge and that this story is really real. Of course once again they provided no real proof of Trumps servers being configured for this purpose, no evidence of actual emails, and no real forensically sound information that proves any of what they say can be proven in a court of law. This is a key thing and Slate may not care but others do. Even in the previous dumps on the i2p site that tea set up their diagram said “this is what it would look like” would is not proof, that there is speculation and not evidence.

screenshot-from-2016-10-05-14-38-53

So more fuckery and none of it can be proven out, in fact as many on Twitter last night including Rob Graham skewered the whole thing pretty well. In the end there is no proof here that these events happened as they are being stated and if there is evidence, solid evidence, then it is being hidden by those said same security researchers because… Because why? If you have evidence that Trump has been in league with Russia via email servers as a defacto hotline then give the evidence to the FBI! What the holy hell are you doing spinning tales to fuckwit reporters? Like I said on Twitter last night, you lack the courage of your convictions sir.

OPSEC

Meanwhile, the story spun by Tea and now Camp et al on Slate makes me wonder just who Tea is. Obviously Camp knows Tea and the others and this is a small world so let’s work out the connections shall we?

Camp –>Vixie –> ??? let’s just assume that Camp knows these persons well and if one starts to dig you could come up with a few names of people who “would” (there’s that would again) have the kind of access to DNS data that is needed. Let’s just start naming names like Dan Kaminsky for example as Tea just because fuck he has access to that kind of stuff! It’s fuckery sure, but it is just as valid as that fucking slate article am I right or am I right?

Just remember Tea and company, we all know each other in this biz and someday your anonymity will be blown because of your fucking bad OPSEC. When that day comes then you better produce some solid evidence.

Just sayin.

Reporter Fuckery

Lastly, let me just say that I never “softened” to Tea. I got some facts that NYT looked at this and I postulated that it is possible for this kind of stuff going on but in the end I said that there was no proof. So this line that I am sure Tea gave to Slate about my “incorrect assumptions” was outright fuckery.

Proof or get the fuck out.

K.

Written by Krypt3ia

2016/11/01 at 12:59

Posted in 2016

LinkedIN: The APT Phisherman’s Friend

leave a comment »

screenshot-from-2016-10-28-14-36-24

I get some interesting requests for connection on LinkedIN. Some of these are just the rando security wonk or government type, others, well, they are much more targeted and potentially adversary activity looking for an opportunity to mine your connections or you for bits. In the case of the profile above, I believe this to be a fake account created by group looking to get into my links and perhaps someday send me some file that they hope I will click on. Now you all know me, I am an infamous bastard and I vet my connections most of the time so when this one came in all the bells started going off once I took a closer look at her bonafides.

The problem with her is that I cannot verify much of anything she claims in her bio. I looked her online and nothing. I looked up her company that she works for and all I got was a real estate company out of Florida not NYC as she claims to be located in. I then went on to inquire with the secret squirrels out there on the internets whether or not she had in fact worked for RAND. The responses I got back were that she had not worked for RAND, which sure, maybe she did and they could not locate an old email acct and just didn’t know her, but, there are no other remnants in the OSINT out there showing her to be an employee there at all.

screenshot-from-2016-10-28-14-38-05

screenshot-from-2016-10-28-14-38-22

Neither could I locate her current company solidly and the company that has the name is run by some guy alone so I am not thinking that that is a solid hit. I then cross referenced in searches on Google for “Harbor Capital LLC NYC” and all I get are names that are close to this but not the same. Once again nothing comes up here that validates this person, never mind the company itself. The alarm claxon is getting louder and louder here ain’t it? So I started the cross searches and yes there are “Elisabeth M Jones'” out there but no one specifically pops up as the definitive person I am looking for here.

screenshot-from-2016-10-28-14-57-20

screenshot-from-2016-10-28-15-00-46

Then I used the image search engines to see if I could catch the photo as being re-used. This woman looks kinda familiar, like I have seen her in something on TV but I cannot place it. Coincidentally neither can Tineye nor Google. Neither of these services gave me a solid hit on this image so either this is someone who is rarely photographed, or, this is someone who’s pic has never been hoovered and catalogued by the great Google machine.

screenshot-from-2016-10-28-14-39-01

screenshot-from-2016-10-28-15-12-27

Once again, here we are at a loss to show this person really exists. Nothing in these searches can lead me to believe this is anything but a cutout account looking to gain access to my connections and I on LinkedIN. Now some of you out there will likely say “Meh so what?” Well, this is what, this type of attack with social engineering is what I use against targets and many of you out there in the pen-testing arena do too. More so though, the APT types have been using LinkedIN for a long time to gain access to people and then send them malware or links to malware. China has been very good at this for a long time. Iran was doing this a few years ago post Stuxnet, and now the DPRK is gangbusters on LinkedIN phishing.

Put another way gentle reader.. If you work for anything and anyone the APT types want to get access to then YOU are a target as well. Pay heed to the awareness programs you are given on social engineering and phishing and KNOW that LinkedIN, Twitter, Facebook, ALL the social media platforms are used as well for this. I personally have created profiles on LinkedIN to target execs using pretty women to get them to give me access. In fact, ALL of this should sound familiar to you.

Does the name Robin Sage ring a bell?

Speaking of Robin….

Here are Elisabeth’s connections…

screenshot-from-2016-10-28-14-34-29

Do you see the irony there?…

I do…

*giggle*

Anyway, I have reached out to some and told them that I have some inside skinny that this may be APT but only one of them said they were removing her. C’est la vie I guess, but I never added her. You gentle reader need to understand once again that the Robin Sage effect is still possible. Some of these connections have inside connections that I for one would not want connecting to this rando account… Unless that is their plan, to lead them along..

Hmm….

Whatever.

Keep your eyes open kids and just don’t click accept on shit mmmkay?

K.

PS.. Elisabeth if you are in fact real lemme know… Maybe I will acc…. NAH just fuckin wit ya!

PPS!!

screenshot-from-2016-10-28-15-44-46

Jayson, you are a first connection… I know you like going to China but you may want to not be the way in for these guys.

 

Written by Krypt3ia

2016/10/28 at 19:27

Posted in APT, CUTOUTS, OPSEC, Phishing

Darknet Numbers Pages Proof of Concept

leave a comment »

screenshot-from-2016-10-25-15-57-20

 

Numbers Station:

So with all the kerfuffle over crypto I decided to give everyone a big fuck you and do something low-tek just to mess with the narrative. Right, so you all know what numbers stations are right? Well, I decided that it was time that the internet have one all it’s own but not on the clearnet no sir-ee! I wanted a darknet spooky spooky impenetrable super scary numbers station! So I began to hatch a dastardly nation state level of fuckery that surely will have the gubment all  up in arms over my crypto darknet wizardry! I set up a site and I communicated with some people secretly and securely and no one was the wiser. Not one federal agency that I know of saw the site, no scripted scouring of the darknet cached my page that I am aware of (and I asked) and generally, I just pulled off the new age of tradecraft that the KGB should be jealous of!

Here’s how I did it.

Proof of Concept

The Plan

As I was thinking about a means of communication using the darknet to avoid prying eyes and to do so securely I came to the conclusion that I sure could use PGP and some email service out there but gee, lately those have been pwn3d too so fuck that. Instead I wanted to be more old skewl and opted for two way comms through OTP and a static page that could live on the darknet at periods of the day and night of my choosing with those I want to communicate with in the know as to timetables with, well, a timetable. Commonly on the air Numbers stations beacon at specific times of the day and week so this is kind of the same thing. So I set to making a highly portable TOR capable platform that I could take with me and connect to WIFI at hotels, bars, cafe’s, rando people’s houses etc. I could effectively have a transient site that would be hard to track and harder to narrow down where it lives because it is not in some rack somewhere stationary and waiting to be deanonymized and pwn3d.

20161025_155936

I opted for a netbook that I had laying around after doing the math on a Raspberry Pi. It was far cheaper to use an old old netbook I had than go spend money on a pi and it was just as portable. Once I got the laptop up and running on backbox, I then installed the TOR system and configured it for having it’s own hidden site. I then installed lighthttpd and created a very small stripped down page of text and color which I then hid the encoded text in the black space. No need to be all fancy here and it was a flourish anyway. It doesn’t have to be pretty to work and yet this lightweight site and the server it was on allowed me to communicate well enough while the whole thing was secure from being hacked. I had testing run on it and the tester was unable to own the box nor the site.

Once the testing was over I let the site run. It was up and down per specific times and communication was made using a second site on the darknet where people could post to a pasteit where we could have coded signals (basically; understood and complying) so that the communications stream would be innocuous enough using code words. You could use images on chan’s or the old trope of putting up an ad for something and even having more code in the text of that if you wanna get fancy and all.

The Tools

  • Net top laptop
  • Backbox linux distro
  • TOR
  • Lighthttpd
  • One Time Pads (plenty of places on the net to create them)
  • Timetable for uptime and downtime for comms
  • Assets to communicate with

The Tradecraft

Using this method of secret communication one could plan out all kinds of badness if they wanted to. Having a stealth site that is transient too also allows for more security but as always the people are the weak point. If an asset is caught then the means of communication is blown. Just like the analog counterparts (AM/SW Numbers Stations) this type of communication could go on untouched and unbroken for a long time because of the frequency changes, the IP address changes, and mobility of the asset. Just imagine if the analog version of Numbers Stations were actually not just in some building but in a backpack eh?

The hardest part of all of this is that you have to train your assets to use OTP and to have proper OPSEC. It can be done though, so this is a viable means of secret communication that is low tek enough yet high tek enough for the average person to easily carry out if they are determined to. It would bypass all the email shenanigans as well as texts, calls, chats, that can be intercepted by warrants to companies like Apple and AT&T. After all, how hard is it today to get a distro of linux on a box, install TOR, set up a hidden site, and start using OTP?

Wait… Ok maybe it is a little hard.

Still doable though… I mean it worked for me and my “assets”

Enjoy kids!

K.

Written by Krypt3ia

2016/10/25 at 20:41

Posted in 1984, Crypto, DARKNET

Scenarios on Outcomes from Russian Information Operations on the US 2016 Election

with 2 comments

1016374513

Assessment Goals:

With all that has been happening with the disinformation and influence operations during this election cycle I thought it prudent to thought experiment out some scenarios if Russia or any other adversary with the means, decided to attack the election cycle in other ways. One might ask right now what benefit would other countries like Russia gain from such operations and you would be right to ask. That is a question for another post but suffice to say that if Russia is indeed tampering with our electoral process like they have in others, then the reasons are geopolitical and very much Putin’s aegis in ordering the SVR and KGB to carry them out.

The goal here is to just lay out the attacks that could happen simply and then give you the likely outcomes. All of these are not as comprehensive as you might find in some think tanks like Wikistrat but you get the idea. All of these attacks are possible, and they do not have to all work completely to have secondary and tertiary effects on the US population and political system. Please read through them and ponder yourselves how would you react if these happened? How would the general populace? Would government be able to carry on? If the election cycle is broken and the systems not trusted, how would one re-set the vote and how long would it take?

Interesting times….

SCENARIO 1: VOTE TAMPERING

The voting machine have been tampered with electronically or code has been inserted. The potential for votes being tabulated incorrectly or data tampered with is possible but not probable in the grander scheme in the US according to sources. However, this does not preclude a way found to insert such code or physical devices in key states. It is also not impossible to have assets in play such as sympathizers or outright KGB assets on the ground helping to tamper with the results. I will not go into the details because this is a scenario to start but it is also not the point. Let’s just assume ways have been found to tamper enough to call the electoral data into question via tampering directly with the systems.

POTENTIAL OUTCOME:

  • Trust in the election system is diminished
  • Recalls are called for by both candidates and the public
  • The electronic systems will lose public trust and a re-assessment of the process will be mandated

SCENARIO 2: VOTER ROLLS TAMPERING

Scenario 2 is based on recent events. The hacking of the rolls databases in key states could be an attempt to manipulate the data and cause secondary issues with that data on the day of the election. The posit is that the adversary has tampered with people’s voting preferences data. If you are a republican they can change that roll to the opposite party and vice versa. Additionally what if a users region or address were changed surreptitiously? To date there are no systems that I am aware of that will email you when a change is made to your voting status and how many people check before they go to the polls? This is a common tactic that has been used in gerrymandering an election area by disallowing voters from voting on the day of the election. To date, the FBI has not been able to determine what the hacking on the voter databases was about and this could be one of the goals.

POTENTIAL OUTCOME:

  • Voters are unable to vote once they get to the polling place.
  • Voters are not allowed to correct these records and are thusly negated from the process
  • Attack key states once again, going for the electoral college and you can change the outcome of an election
  • All of the above once again have the amplification of causing distrust of the system and damage to the election
  • The candidates and the people are left with a recall and with the system being manipulated already how can they trust it?

SCENARIO 3: DISRUPTION OF THE PROCESS ELECTRONICALLY

Russia has attacked the Ukraine elections by inserting malware/code into the election machines in 2014 that effectively bricked them. If such an attack code were placed and propagated within the American voting systems the disruption would cause the election to be halted and emergency measures taken. Perhaps the election might try to carry on with paper ballots but I am unsure the process can be that effectively nimble. If the election systems are down, since they are of varying makes and models of machines, the time to return of service would be long, causing more FUD to the elections process itself.

POTENTIAL OUTCOME:

  • Voters are unable to vote or the process takes so long that they walk away with a more analog process
  • Trust in the electronic system would be degraded or destroyed
  • The election cycle would be likely broken and emergency measures would have to be employed (contingencies)
  • Continuity of government is challenged

CONCLUSIONS:

These three scenarios to date, have not been covered I believe. This post comes to you as the fruit of a discussion I had with @SteveD3 and I believe that in our current atmosphere of information warfare and influence operations carried out by Russia, one has to take these thought experiments out for a drive. All of these scenarios are possible and will have the effects of denial, disruption, and degradation to our election systems and the stability of the nation. It need not render the election completely in the favor of one or the other candidate conclusively to cause faith in the system and its outcome to be questioned. Imagine if you will, as Trump has already been saying repeatedly, that these tactics are used and the general populace believes that the election has been rigged? With or without the hand of the Russians, others could be easily blamed by a candidate like Trump and his followers. The outcomes from this could lead to civil unrest and other worse things if they came to pass with the help of information operations attacks by another nation state.

I suggest you red team these ideas yourselves and see what else you can come up with…

Written by Krypt3ia

2016/10/11 at 14:20