Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Counter-Insurgency’ Category

BlackkatSec: The New Kids on the Block Who Allege They Took Down Al-Qaeda

leave a comment »

From GamerCrypt

Last week, the AQ site shamikh1.net was taken down by unknown persons and their domain suspended by Godaddy for abuse. Evan Kohlmann of Flashpoint Global was making the rounds on the media circuit pimping that it was in fact MI6 or the like that took the site down. However, Evan had little to no evidence to back this claim, and frankly, the media just ate it up evidence be damned. I came to the party after hearing online the previous weekend that the site was under attack and going down from an unknown type of attack. However, I knew from past experience that the site was likely being attacked through some SQLi or a DD0S of some kind. The reasoning I have had is that the site was vulnerable to attack in the past and as far as I knew, the admin’s at Shamikh1 had not fixed the problems.. Not that anyone was goint to tell them that their site was vulnerable.

As time passed and more stories circulated, Evan’s tale changed slightly to include the fact that he thought there was a domain hijack that had happened. There is once again no evidence of a domain hijack at all, but, there still lingers the idea that the site was taken down by someone other than skiddies out for a good time. Once again, there was no evidence to back up any claims, but the media is.. well the media.. They will buy anything if it gets them attention. So on it went, and on Saturday the back up site that AQ had registered in May (as I surmised that it was the backup in my earlier post) was back up serving the main page. To date the page is not fully functional and once again Evan has made a claim on the news that they are back up for registration, another false claim as they are not taking submissions.

Either way, the site is online (mostly) and seems to be getting back into the swing while a new dark horse has entered the race as to who did it and perhaps why. @blackkatsec or BlackKatSec, is a new splinter group of LulzSec/AntiSec/Anonymous that has turned up quietly making claim to the hack on shamikh1. They so far, have not said much on why never mind how, but, it would be interesting to hear from them on the pastebin site as to what data they may want to release on their hack. If indeed they used SQLi attacks and in the end rm –rf * ‘d the site, then I would LOVE to see what they got out of it before they did so. If on the other hand, they just attacked the site and the admins as well as Godaddy took it down, then I would like to know.

Speculation is.. Well it’s mental masturbation really. Good for the media, bad for those who really want to know something.

So, dear BlackKatSec, if you feel so moved, please do drop me some data.. I will make sure its used to cause the boys from Shamikh1 more heartburn. Otherwise, please do keep us up on your attacks as I do not look forward to hearing all the damned speculation that comes out of the spinning media heads like a certain someone who I mentioned above. Of course you could just be trying to claim the hack for whatever reasons and not done it… But, the lack of trumpeting it to the world says to me that maybe you were involved…

Say.. You guy’s aren’t MI6 are ya?

HA!

More when I have it.

K.

Shamikh1.info: The New Den of Scum and Villainy

leave a comment »

Well, that didn’t take long did it. At least Evan got one thing right, they’d be back up soon. So, here is the skinny on the new site and the core server that they have stood up. The site is still not fully back online, but this stage of things allows one to get a lot of intel on the server makeup and who is operating/hosting it because they had a direct link back to the sql instance. The site is not fully operational yet, but they are setting it up rapidly as I surmised they would on the domain of shamikh1.info which was registered in May as the backup domain.

I have begun the work of getting all of the pertinent details on the address owners/ops in Indonesia so soon all of their details will be available to those who want them. However, just with the short bit of work I have done here, I pretty much think you can all get a grasp of who’s where and what’s up huh? Sure, the server is in Indonesia, and, well, they are rather tepid on the whole GWOT thing so nothing much may happen…

But..

You intelligence agencies out there looking for a leg up.. Well here it is… Enjoy.

Now, back to the events that brought us to today. The take down of the original site may have been only because someone got into the server and wiped it out as Evan suggests (without any proof as yet mind you) or, it may in fact be because the site was blocked at the domain level as I pointed out in my last post on this matter. Godaddy had suspended the domain and I am not sure if the mirrors on piradius were working before the alleged attack happened or not. At this point, it is anyone’s guess as to the attacks perpatraitors, methods, and final outcome until someone from the AQ camp speaks up on exactly what happened.

Meanwhile, the media will continue to spin on about MI6 hacking them or perhaps it was those mysterious “Brit” hackers that so many articles mentioned.

“Bollocks” As they say in England.

DATA:

Domain ID:D38010794-LRMS
Domain Name:SHAMIKH1.INFO
Created On:14-May-2011 00:22:30 UTC
Last Updated On:27-Jun-2011 07:43:57 UTC
Expiration Date:14-May-2012 00:22:30 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:fce7ae13f22aa29d
Registrant Name:WhoisGuard  Protected
Registrant Organization:WhoisGuard
Registrant Street1:11400 W. Olympic Blvd. Suite 200
Registrant Street2:
Registrant Street3:
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90064
Registrant Country:US
Registrant Phone:+1.6613102107
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:06b6ac7646b147ccb6aed6d1f0248d70.protect@whoisguard.com
Admin ID:fce7ae13f22aa29d
Admin Name:WhoisGuard  Protected
Admin Organization:WhoisGuard
Admin Street1:11400 W. Olympic Blvd. Suite 200

Core Server:

Ip address: 180.235.150.135

Location: Indonesia


Persons Attached: Daru Kuncoro & Yogie Nareswara

Names of Admins: Yogie Nareswara & Daru Kuncoro

Email Contacts: ahmad@koneksikita.com yogie@arhdglobal.com

Nmap Scan Report:

Starting Nmap 5.21 ( http://nmap.org ) at 2011-07-02 07:39 EDT
Initiating Ping Scan at 07:39
Scanning 180.235.150.135 [2 ports]
Completed Ping Scan at 07:39, 0.32s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:39
Completed Parallel DNS resolution of 1 host. at 07:39, 0.53s elapsed
Initiating Connect Scan at 07:39
Scanning 180.235.150.135 [1000 ports]
Discovered open port 80/tcp on 180.235.150.135
Discovered open port 110/tcp on 180.235.150.135
Discovered open port 993/tcp on 180.235.150.135
Discovered open port 143/tcp on 180.235.150.135
Discovered open port 21/tcp on 180.235.150.135
Discovered open port 443/tcp on 180.235.150.135
Discovered open port 3306/tcp on 180.235.150.135
Discovered open port 995/tcp on 180.235.150.135
Completed Connect Scan at 07:39, 11.74s elapsed (1000 total ports)
Nmap scan report for 180.235.150.135
Host is up (0.30s latency).
Not shown: 958 filtered ports, 34 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql

Tasty, they have a few ports open. Hey antisec skiddies, wanna play with some SQLi ?

Meh.

Site Contact Data:

Daru Kuncoro:

Yogie Nareswara:

Current State:

Guess they are still working on the server connections… I am sure as well, that soon they will have more stealth servers out there in Malaysia as well. So the mirroring will begin for the sql instance to do the push from. Lets see how long it is before this one is taken down shall we? Oh, and next time an attack happens, lets all get a lock on how it is happening as well as exactly what it is. I have had enough of the media hype with talking heads who have no idea what they are talking about when it comes to information warfare or network security.

More later.

K.

The Eternal Game of Whack-A-Mole Goes On: Was Al-Shamukh Hacked?

with 2 comments

The Eternal Game of Whack-A-Mole Goes On:

Al-Shamikh1, the Shamukh Al-Islam AQ site is down, and has been allegedly under attack since this weekend. It’s mirrors are down as well and according to the news media Here and Here citing Evan Kohlmann of Flashpoint Global. The problem I have with the stories that the media is ravening over now is either that Evan is not painting the full picture or the media, as usually, is not understanding what he is saying. As for my take on it, it’s a little of both really. Evan has been around for a long time working as a consultant on terrorism, but as far as I know, he is not a network security specialist.

Over the weekend I had heard and re-tweeted reports that Shamikh was under an attack of some kind and the site was intermittently unavailable. as I had a whiskey in hand and no motivation, I let it be and figured it was maybe Jester doing his usual thing. Then today I see the barrage of bad media accounts with headlines like;

British Hackers Take Down Al-Qaeda Websites

and

NBC News: Hacker attack cripples al-Qaida Web communications

*Facepalm*

None of the articles cites any clear evidence of who did what never mind what actually happened to the site! Upon investigation this morning after being contacted by someone in the UK press, I found the following salient point:

From: robtex.com The domain and NS pointers have been suspended by GoDaddy

The domain and the name servers have been suspended by Godaddy. This is why it is offline now. Perhaps it was DD0S’d for a while and the traffic was the final straw for Godaddy on this site. You see, this site has been on the Godaddy for some time and many have pointed this fact out before, to no avail.. Well, actually one might assume that the feds just wanted to know where it was and leave it be to monitor.. But, that’s a bit too subtle for the media.

Whois data for shamikh1.net

Either way, the site is down now because they cannot route to it via the domain. Backups of the site hosted on non domain named boxes are down and the core server may have been compromised. It’s all up in the air at the moment but the media is just trucking along with the story. It may in fact be that the server was core was pulled by the jihadi’s themselves because they have been real twitchy since the 2010 roll up of al-faloja.

In the case of Shamikh, I had seen in the past that this site had some security issues to begin with. The implementation of the phpbb was weak and there were ways to get into the board and collect data. In one case, they had even re-set passwords and one could get them from the site itself for those users as they had passed them in the clear in what they thought was a secure space. Others have been using these vulns for some time to audit what is going on in the boards and have in the past run operations that have kept the admin’s and the jihadi’s on edge. This is why today you see so many more discussion groups on computer security, but more so how to configure and secure phpbb today on sites like As-Ansar.

Distributed Sites:

“Al-Qaida’s online communications have been temporarily crippled, and it does not have a single trusted distribution channel available on the Internet,” said Evan Kohlmann, of Flashpoint Global Partners, which monitors the group’s communications.

This one line really just grinds my gears here. I am sorry Evan, but this site is not the only one out there that has this type of content and even though the core is down, the content lives on in other sites. The Jihadi’s have created redundancy in the number of sites, not just put all their terrorist eggs in one digital basket. All of the sites link to one another as fraternal organisations do (i.e. As-Ansar has much the same content as Shamikh1). Remember, this is an group performing insurgency who know the power of cells and this is no different online. An example of this is the site in question of Shamikh, which has had many sites online at different times. Some get pulled down as they have issues with the hosts removing them. Others still have stealth sites on compromised systems, or in cases like the boxes in Malaysia, hosted secretly with complicity on the part of someone in the network (see paradius net)

In the case of Shamikh1 the following sites are known to have hosted or, as in the case of shamikh1.info, was scheduled to be soon.

http://shamikh1.net

http://shamikh1.info

http://202.149.72.130/~shamikh/vb/

http://202.149.72.131/~shamikh/vb/

http://202.75.56.237/~shamikh/vb/

All of these systems are down at least content wise for Shamikh, the .info though is online and untouched but hosts no content as yet. It seems to me that it was still being staged to host the content or maybe was set to be a backup.

shamikh1.info whois data

This has been the SOP for the jihadi sites for some time. In case one site is hit, the rest are online to keep the content online. In this case though, it seems that the “sophisticated and coordinated attack” really just means that they hit the core server for Shamikh so the content is not getting to the satellite sites. Of course once again, there is no data to say how this attack was carried out and how massive it may have been. Like I said, lately the e-jihadi’s have been twitchy about security for a while now because they have been compromised in the past.

So, all of this reporting that it was a huge state run hack and was massive takedown is mostly media hype and, I am afraid, as you can see from the reporting, it all seems to be coming from Mr. Kohlmann. Who’s privately run consultancy is getting quite a bit of attention now.. Isn’t it?

Cupcake Recipies Instead of IED’s Do Not A Hack Make:

Another thing that is sticking in my craw is this whole linking this outage/hack to the “cupcake” incident with Inspire Magazine. These two things are NOT alike and the media needs to pay attention to the facts. Nor is there any evidence cited or even hinted at in the real world that MI6 or Five for that matter had anything to do with this. For all they know, it could have been Jester or someone with like technology that dos’d them and got them yanked offline by their host.

Let me set the record straight here. The MI6 operation on Inspire was a PSYOP. They poisoned the well (i.e. Al-Malahem’s media apparatus) by intercepting the AQ file and replacing it with their own. Just where this happened no one is sure. Was it on some desktop somewhere before being put out? Or, was it replaced with the edited file on the megashare?

No one has said.

This operation though served two purposes. First off, it managed to stop AQ from getting the IED manual out to everyone, but secondly, and more importantly, it make AQ question its communications security. This was even more important and we can see the effects of that today in posts on the boards about security.

They are worried.

Oh dear media, pay attention and get the story straight. While the Cupcake operation had style and was claimed by MI6, this current claimed attack on Shamikh has no attribution by anyone and there is no proof that I have seen to say that anyone did anything… Save that their site is down.

Whodunnit:

This all leaves me wondering just who may have attacked Shamikh and why. Given that the sites are often taken down only to show up elsewhere makes me question why it was done at all. It would be simpler to monitor the site and capture data than to send them all scurrying into the woods would it not? This was my primary issue with the Jester’s campaign, it did no good. Even if you are driving them off the sites, they will only move toward less visible ones and use more covert means of communication. Why not let them feel fat, dumb, and happy while we watch their every move?

All I can think of, if this was state sanctioned, was that the Shamikh site was about to drop some content that someone did not want out there so they took the network down. If it wasn’t state sanctioned and some hacker or hackers decided to mess with them they did it for their own reasons. Either way, the sites got taken down..

But, they will be back again… Let the great game of whack a mole begin!

K.

IMPORTANT SECURITY TIPS: Security Tips for Jihobbyists At Majahden

with 5 comments

Security Tips for Majahden2 Users and Jihobbyists

Important Security Tips from Majahden:

The boys at Majahden have been learning lately about how psyops, hacking, disinformation, and being pwn3d works. I suppose since Osama went to live in a pineapple under the sea, they have been taking stock of just how much information they are leaking on the boards out there on the internets. There have been a spate of timely deaths in the AQ camp of late as well as a few arrests, but really, the intelligence coup of finding OBL and whacking him has all the jihobbyists worried that they will be next.

Of course they should be worried, but not only because OBL was popped. You see, we have been inside their shit for some time now and they just did not know it I guess. I have written in the past about sites that I have been poking at and digging through and I know in the case of Al-faloja (may it rest un-peacefully) I was able to get quite a bit of data from them. Since Al-Faloja fell down and went boom, there have been many site re-vamps by many a phpBB admin but they still seem to be on the whole, lacking the skills to really secure their shit.

Oopsies!

So, from their sooper sekret squirrel lair we have the following text from the above screen shot on majahden entitled “Important Security Tips” From this post I can say that they have been learning though. The tips are good and if followed it will make it just a teensy bit harder to track them and eventually have them picked up. Here are some good ones:

  • Trust no one: See a new member asking all kinds of questions about going to jihad? Be wary of them they may be spies
  • Use internet cafe’s to log in and post to the boards because they can track your IP address
  • DO NOT use just one internet cafe! Move around and make sure that you go outside your usual area (where you live)
  • Use a PROXY at the cafe!
  • Be careful though at the cafe because they are on the lookout for swarthy types like us!
  • NEVER give out your real information to ANY forum! (i.e. Bday, phone, etc)
  • Beware of files published to the forums! They could be malware!
  • Beware of popup installs like Java on the boards, they are not proper and likely a means to compromise you!
  • Beware people asking you to email them from the forum (use the message program on the board)
  • DO NOT RE-USE PASSWORDS!
  • Be careful what information (personal) you put on the site
  • Be careful about posting anecdotes about seeing this or that imam speak (places you in a place and a time)

AND Finally, in the FUNNIEST note of the list;

  • This is not a dating site! You want to make friends do that separately from the jihadi forums.

*snort*

In all, these warnings are good solid rules of the road for anyone going anywhere on the internet never mind on a jihadi board being audited by the likes of moi. Just from a privacy standpoint these types of suggestions are valid as well and should be the standard for anyone not wanting their identity stolen or their stuff hacked easily. This however, is pretty new to all of these guys and are the rudiments of SECOPS for them. Up til now, they have been not following any of these precepts, and to have to say this is not a dating site? Well, that kinda says it all to me hehe.

Meanwhile another tasty tidbit came up from the same site and this one is a little more interesting. The above screen cap is for a posting called “Deceptive methods to extract information” and it covers primarily the idea of snitches being placed in cells at camps to elicit information from jihadi’s. Now, this is nothing new to anyone who has had a diet of movies or TV here in the US, but perhaps it is a new one for these guys. Informants in the form of turncoat prisoners or actual agents from the likes of the CIA etc, have been standard operations to get information without the enemy knowing it.

This post is written by someone though who has had first hand experience with being detained. They go on to describe very specific scenarios and methods to evade giving up information to the “birds” as they are calling them.  (I think they mean stool pigeons) The writer gives suggestions on how to detect the turncoats and or to deal with the interrogators methods in trying to cajole information from them. All in all, this is an interesting read that comes across as someone who has had direct experience and understands PSYOPS.

The Take Away:

These posts and others within the site have me thinking that they are starting to become a bit more sophisticated in their efforts online. There are numerous tutorials now on chaining Tor and proxy-ing as well as the use of crypto and other security oriented programs. TNT_ON has been busy posting more tutorials as well as lauding Younis Tsouli (aka irhabi007, now in jail) as the progenitor of the jihadi hacking scene. All I can really say is that it is maturing and we need to step up our efforts with regard to them.

With the new invigoration within the cyber-jihadi community since OBL’s great pineapple adventure, they have taken up the gauntlet not only to hack but to wage a cyber-propaganda campaign like never before. Presently, the jihadi’s on Majahden and other sites have been spinning up and creating numerous Facebook sites that conform to standards that will fly under the FB radar (FB has been pulling sites down just about as fast as they could put them up) this has become the new “stealth jihad” They are making the effort now to have innocent front pages that lead to many other more hidden pages containing hardcore jihadi content. This is something that was being espoused last year on the boards and is now coming into acceptance as the main modus operandi. This way they can have their content and not get it 0wned or taken down by the likes of Facebook or Blogspot.

Since the advent of the LulzSec crew, it just seems that we all have been focused elsewhere.. Time to wake up and go back to working these fools. I say it is time to start a program of 0day infected dox that will be downloaded from all those sharing sites that these guys love. Remember the whole cupcake thing with Inspire? I say we do it en masse for as many sites as we can. Added to this, we should also be using many more approaches such as PSYOPS, Disinformation, and all out penetration of their servers… No matter where they sit.

But that’s just me… I also think that perhaps the NSA might have that already covered… One wonders…

At the very least, we should keep an eye on these sites.. If not for the lulz, then for taking them down once and for all.

K.

LulzSec: How NOT To Run An Insurgency

with 8 comments

Oh how the Lulz turn…

Lulzsec seems to be imploding a bit with the pressure put on them by their own interpersonal issues as well as the likes of Th3j35t3r and the Web Ninja’s on their backs as well. I however, would like to point out the Lulz tactical failures that are directly leading to their ultimate party van special that seems to be coming soon. I say ‘seems’ to be coming because who really knows what will happen. Perhaps some of these guys will actually skate because they were smart enough to keep some of their personal details.. well.. personal.. Maybe not though as is evidenced by the ‘doxing pastebin-palooza’ of late.

Secrecy is important:

LulzSec seems to have misunderstood that secrecy is really really important when you are doing something like a digital insurgency. Sure, you can try to rely on all the technologies like proxies to hide your IP, but, you also have the human element to contend with. It is here where the Lulz have not thought things out too clearly. They attempted to use the Anonymous model, but, unlike Anonymous, they, had a smaller crew and a central core that, well, has been rather chatty. Chatty mind you, on IRC channels that have been compromised and monitored.

Loose lips sink ships.. Yeah, I went there…

Nope, while Lulzsec has been attempting to be secret, they failed to follow through and actually carry out their insurgency behind a wall of utter secrecy or even a cell based infrastructure it seems. Of course most of these efforts have been planed out and talked about on said IRC channels (even the sooper sekret ones) and advertised so others could revel in the lulz.

This and the other things I am going to mention will be their undoing.

Communications Should be COVERT:

Ok, so,  how long did Osama have runners with USB keys on donkey’s going to Peshawar Internet cafe’s without being caught? Oh, yeah, 10 friggin years! It took the CIA a long time to catch on to the runners/couriers and even then they did so only from a VERY FEW pieces of hard SIGINT. The key here kids is that the AQ guys were practising ‘tradecraft’ unlike the Lulzsec kids. They took pains to insure that their communications were not easily picked up by the NSA or anyone else listening and watching.

You guys in Lulzsec? Not so much….

Instead, you have relied on technology to keep you safe while flagrantly whipping out your collective pee pee’s and waving them at forces who are much better equipped, trained, and funded to hunt you down and make you go bye bye. Some might see that as daring… Others see it as just plain stupid. Either way, since you have failed to use real covert channels that you do not advertise, you have highly increased the likelihood that you will soon see those party van’s you speak of so often (mockingly) in your yards as they start taking all your computers out the door, and you to the local orange jump suit palace.

Next time, just have your meetings in the parking lot of the local PD. It will cut out the middle man.

Ego is the mind killer:

I must not have too much Ego. Ego is the mind-killer. Ego is the little-death that brings total obliteration. I will face my Ego. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the Ego has gone there will be nothing. Only I will remain.

Ah yes, I have been ruminating on this one for some time and even adjusted this quote from Dune, which I think fits nicely. Your ego’s have been writing checks that you aren’t likely to want to have cashed kids. You have said that you do it for the lulz, you have also made intimations that its about how poor security is within the internet ecology, but, I think mainly your motivations have been ego driven. What this means is that you are getting quite the buzz off of being so darn smart and snarky. You have been having fun poking the badgers in the eyes and feeling invincible.

Well, you aren’t geniuses and you aren’t invincible. Eventually everyone gets caught, especially those who do not take care to cover their tracks and act smartly.

Simply, your ego’s have done you in… Be sure to check that ego at the door to the federal penitentiary that will be your new home, because there are bigger and nastier people in there who will be trading you for smokes soon. Oh, and remember to buy a lot of tucks pads.. You are going to need them.

Untrustworthy Assets Should NOT be Trusted With Operational Details:

This brings me to the bust of your minimally affiliated IRC op Ryan. It seems from all of the press and from the kids history, that he was unstable to start. This is the guy you want to trust with any data, no matter how small, on who Lulzsec is and how they operate?

Really?

Well then, who else do you have running your servers and running errands? Because I think they are likely to be just as whacked as Ryan and likely to be caught and roll within the first few minutes of interrogation!

Bravo, well done!

If you guys had any operational smarts, you would have to know that you cannot trust anyone with the whole picture. You pretty much are claiming that now after his arrest, but I think secretly you are all leaving fudge stains in your pants presently. According to the police Ryan had A LOT of data laying round and how are you to know who he talked to and how much he really knew about you all? Even IF you tried to be as careful as possible, you more than likely slipped up and gave him information that he will be giving.. Nope.. wait.. HAS GIVEN to the FBI and the Met.

Another failure on your part in the game of insurgency… I guess you will learn the hard way. Just as you will learn that outing your pals yourselves because they decided they wanted out, or did something to piss you off, will only lead back to you. Not the smartest of moves should any of these guys have data on you that they can use to turn against you.

“Never burn an asset unless you burn them and then shoot them between the eyes.. Or they will come back at you”

LulzSec Fall Down.. Go BOOM:

Finally, as if you could not tell from everything I said above, you are going to go down and likely go down hard. It will be a learning experience for you and for everyone else who wants to let their ego run free to gather 220K of followers on twitter by poking the badger. I am imagining that Ryan and his volumes of digital data, are being disseminated throughout the community of Feds and other agencies as I write…

Oh well, like I said, there’d daring and then there is stupid… Remember what John Keating said in “Dead Poets”

“Phone call from God. If it had been collect, that would have been daring!”

Be seeing you soon as your being put in the back of the party van kids…

K.