(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Digital Forensics’ Category

Malware Wars!… Cyber-Wars!.. Cyber-Espionage-Wars! OH MY

with 2 comments


Flame, DuQU, STUXNET, and now GAUSS:

Well, it was bound to happen and it finally did, a third variant of malware that is ostensibly connected to the story that Mikko Hypponen posted about after an email he got from a nuclear scientist in Iran has come to pass as true. The email claimed that a new piece of malware was playing AC/DC “Thunderstruck” at late hours on systems it had infected within the labs in Iran. I took this with a grain of salt and had some discussions with Mikko about it offline, he confirmed that the email came ostensibly from a known quantity in the AEOI and we left it at that, its unsubstantiated. Low and behold a week or two later and here we are with Eugene tweeting to the world that “GAUSS” is out there and has been since about 2011.

Gauss it seems had many functions and some of them are still unknown because there is an encryption around the payload that has yet to be cracked by anyone. Eugene has asked for a crowd sourced solution to that and I am sure that eventually someone will come out with the key and we will once again peer into the mind of these coders with a penchant for science and celestial mechanics. It seems from the data provided thus far from the reverse R&D that it is indeed the same folks doing the work with the same framework and foibles, and thus, it is again easily tied back to the US and Israel (allegedly per the mouthiness of Joe F-Bomb Veep) and that it is once again a weapon against the whole of the middle east with a decided targeting of Lebanon this time around. Which is an interesting target all the more since there has been some interesting financial news of late concerning banks and terror funding, but I digress…

I am sure many of you out there are already familiar with the technology of the malware so I am leaving all of that out here for perhaps another day. No, what I want to talk about is the larger paradigm here concerning the sandbox, espionage, warfare, and the infamous if not poorly named “CyberWar” going on as it becomes more and more apparent in scope. All of which seems to be centered on using massive malware schemes to hoover data as well as pull the trigger when necessary on periodic digital attacks on infrastructure. Something that truly has not been seen before Stuxnet and seems to only have geometrically progressed since Langer et al let the cat out of the bag on it.

Malware Wars:

Generally, in the information security sector, when I explain the prevalence of malware today I often go back to the beginning of the Morris worm. I explain the nature of early virus’ and how they were rather playful. I also explain that once the digital crime area became profitable and firewalls became a standard appliance in the network environment, the bad actors had to pivot to generally tunnel their data from the inside out home through such things as a firewall. This always seems to make sense to those I explain it to and today it is the norm. Malware, and the use of zero day as well as SE exploits to get the user to install software is the the way to go. It’s a form of digital judo really, using the opponents strength against them by finding their fulcrum weakness.

And so, it was only natural that the espionage groups of the world would turn to malware as the main means of gaining access to information that usually would take a human asset and a lot of time. By leveraging human nature and software flaws it has been a big win for some time now. I was actually amused that Henry Crumpton in the “Art of Intelligence” talks about how the CIA became a very early adopter of the network centric style of warfare. I imagine that some of the early malware out there used by spooks to steal from unprotected networks was CIA in origin and in fact that today’s Gauss probably has some relatives out there we have yet to see by people who have been doing this for some time now and we, the general public had no idea.

Times change though, and it seems that Eugene’s infrastructure for collecting data is creating a very wide dragnet for his people to find these infections and then reverse them. As we move forward expect to see more of these pop up, and surely soon, these will not just be US/UK/IL based attempts. Soon I think we will see the outsourced and insourced products of the likes of Iran and other nation states.. Perhaps we already have seen them, well, people like Mikko and Eugene may have at least. Who knows, maybe someday I will find something rooting about my network huh? Suffice to say, that this is just the beginning folks so get used to it.. And get used to seeing Eugene’s face and name popping up all over the place as well.. Superior showman that he is.

An Interesting Week of News About Lebanon and Bankers:

Meanwhile, I think it very telling and interesting as we see the scope of these malware attacks opening up, that not only one or two countries were targeted, but pretty much the whole of the Middle East as well. Seems its an equal opportunity thing, of course the malware never can quite be trusted to stay within the network or systems that it was meant for can we? There will always be spillage and potential for leaks that might tip off the opposition that its there. In the case of Gauss, it seems to have been targeted more at Lebanon, but, it may have been just one state out of a few it was really meant for. In the case of Lebanon though, and the fact that this piece of malware was also set to steal banking data from that area, one has to look on in wonder about the recent events surrounding HSBC.

Obviously this module was meant to be used either to just collect intelligence on banking going on as well as possibly a means to leverage those accounts in ways as yet undetermined by the rest of us. Only the makers and operators really know what the intent was there, but, one can extrapolate a bit. As terror finances go, the Middle East is the hotbed, so any intelligence on movement of money could be used in that light just as well as other ways to track the finances of criminal, geopolitical, and economic decisions being made there. Whether it be corporations or governmental bodies, this kind of intelligence would be highly prized and I can see why they would install that feature on Gauss.

All of this though, so close to the revelations of HSBC has me thinking about what else we might see coming down the pike soon on this front as well. Cur off the funding activities, and you make it much harder to conduct terrorism huh? Keep your eyes open.. You may see some interesting things happening soon, especially given that the Gauss is out of the bag now too. Operations will likely have to roll up a bit quicker.

Espionage vs. Sabotage vs. Overt Warfare of Cyber-Warfare:

Recently I have been working on some presentation stuff with someone on the whole cyberwar paradigm and this week just blew the lid off the whole debate again for me. The question as well as the rancor I have over the term “Cyberwar” has been going on some time now and in this instance as well as Stuxnet and Flame and DuQu, can we term it as cyberwar? Is this instead solely espionage? What about the elements of sabotage we saw in Stuxnet that caused actual kinetic reactions? Is that cyberwar? If there is no real war declared what do you term it other than sabotage within the confines of espionage and statecraft?

Then there is the whole issue of the use of “Cold War” to describe the whole effect of these operations. Now we have a possible cold war between those states like Iran who are now coding their own malware to attack our systems and to sabotage things to make our lives harder. Is that a war? A type of war? All of these questions are being bandied about all the while we are obviously prosecuting said war in theater as I write this. I personally am at a loss to say exactly what it is or what to term it really. Neither does the DoD at this point as they are still working on doctrine to put out there for the warriors to follow. Is there a need for prosecuting this war? It would seem that the US and others working with them seem to think so. I for one can understand the desire to and the hubris to actually do it.

Hubris though, has a funny way of coming back on you in spectacular blowback. This is my greatest fear and seemingly others, however, we still have a country and a government that is flailing about *cough the Senate cough* unable to do anything constructive to protect our own infrastructure even at a low level. So, i would think twice about the scenarios of actually leaking statements of “we did it” so quickly even if you perceive that the opposition has no current ability to strike back.. Cuz soon enough they will. It certainly won’t be a grand scale attack on our grid or telco when it does happen, but, we will likely see pockets of trouble and Iran or others will pop up with a smile, waving, and saying “HA HA!” when it does occur.

The Sandbox and The Wars We Are Prosecuting There by Malware Proxy:

Back to the Middle East though… We have been entrenched in there for so so long. Growing up I regularly watched the news reports about Lebanon and Israel, Iran and the hostages, Iraq, Saddam, Russian Proxy wars via terrorism, Ghadaffi and his ambitions as well as terror plots (which also hit close to home with the Lockerbee bombing) You kids today might think this is all new, but let me tell you, this has been going on for a long long time. One might even say thousands of years (Mecca anyone? Crusades?) So, it’s little wonder then that this would all be focused on the Med.

We are conducting proxy wars not only because of 9/11 but also economic and energy reasons as well. You want a good taste of that? Take a look at “Three Days of the Condor” a movie about a fictional “reader” for the CIA who stumbles on to a plan to disrupt governments in the Middle East to affect oil prices and access. For every person that said the Iraq war and Afghanistan wasn’t about oil, I say to them look at the bigger picture. There are echoes there of control and access that you cannot ignore. Frankly, if there wasn’t oil and money in the region, I think we would have quite a different story to look on as regards our implementing our forces there.

So, with that in mind, and with terrorism and nuclear ambitions (Iran) look at the malware targeting going on. Look at all of the nascent “Arab Springs” going on (albeit really, these are not springs, these are uprisings) we have peoples who want not to live under oppressive regimes not just because they aren’t free to buy an iPhone or surf porn, but they are also oppressed tribes or sects that no longer wish to be abused. All of this though, all of the fighting and insurgency upsets the very delicate balance that is the Middle East. Something that we in the US for our part, have been trying to cultivate (stability) even if that stability came from another strongman that we really don’t care for, but, who will work with us in trade and positional relevance to other states.

In goes the malware.. Not only to see what’s going on, but also to stop things from happening. These areas can be notoriously hard to have HUMINT in and its just easier to send in malware and rely on human nature to have a larger boon in intelligence than to try and recruit people to spy. It’s as simple as that. Hear that sucking sound? That’s all their data going to a server in Virginia. In the eyes of the services and the government, this is clearly the rights means to the ends they desire.

We Have Many Tigers by The Tail and I Expect Blowback:

Like I said before though, blowback has a nasty habit of boomeranging and here we have multiple states to deal with. Sure, not all of them has the ability to strike back at us in kind, but, as you have seen in Bulgaria, the Iranians just decided to go with their usual Hezbollah proxy war of terrorism. Others may do the same, or, they may bide their time and start hiring coders on the internet. Maybe they will hire out of Russia, or China perhaps. Hell, it’s all for sale now in the net right? The problem overall is that since we claimed the Iran attack at Natanz, we now are not only the big boy on the block, we are now the go to to be blamed for anything. Even if we say we didn’t do it, who’s gonna really believe us?

The cyber-genie is out of the cyber-bottle.

Then, this week we saw something new occur. A PSYOP, albeit a bad one, was perpetrated by the Assad regime it seems. Reuters was hacked and stories tweeted/placed on the net about how the rebel forces in Aleppo had cut and run. It was an interesting idea, but, it was ineffective for a number of reasons. The crux though is that Reuters saw it and immediately said it was false. So, no one really believed the stories. However, a more subtle approach at PSYOPS or DISINFO campaigns is likely in the offing for the near future I’d think. Surely we have been doing this for a while against them, whether it be in the news cycles or more subtle sock puppets online in social media sites like Twitter or Facebook. The US has been doing this for a long time and is well practiced. Syria though, not so much.

I have mentioned the other events above, but here are some links to stories for you to read up on it…

  • PSYOPS Operations by the nascent Syrian cyber warfare units on Reuters
  • Hezbollah’s attack in Bulgaria (bus bombing) in response to STUXNET and other machinations
  • Ostensible output of INTEL from Gauss that may have gotten HSBC in trouble and others to come (Terrorism funding and money laundering)

All in all though, I’d have to say that once the players become more sophisticated, we may in fact see some attacks against us that might work. Albeit those attacks will not be the “Cyber Pearl Harbor” that Dr. Cyberlove would like you to be afraid of. Politically too, there will be blowback from the Middle East now. I am sure that even after Wikileaks cables dump, the governments of the Med thought at least they could foresee what the US was up to and have a modicum of statecraft occur. Now though, I think we have pissed in the pool a bit too much and only have ourselves to blame with the shit hits the fan and we don’t have that many friends any more to rely on.

It’s a delicate balance.. #shutupeugene

Pandora’s Box Has Been Opened:

In the end, we have opened Pandora’s box and there is no way to get that which has escaped back into it. We have given the weapon framework away due to the nature of the carrier. Even if Gauss is encrypted, it will be broken and then what? Unlike traditional weapons that destroy themselves, the malware we have sent can be easily reverse engineered. It will give ideas to those wishing to create better versions and they will be turned on us in targeted and wide fashions to wreak as much digital havoc as possible. Unfortunately, you and I my friends are the collateral damage here, as we all depend on the systems that these types of malware insert themselves into and manipulate.

It is certainly evident as I stated above, our government here in the US is unable to come up with reasonable means to protect our systems. Systems that they do not own, Hell, the internet itself is not a government run or owned entity either, and yet they want to have an executive ability to shut it down? This alone shows you the problem of their thinking processes. They then decide to open the box and release the malware genie anyway… It’s all kind of scary when you think about it. If this is hard to concieve, lets put it in terms of biological weapons.. Weapons systems that have been banned since Nixon was in office.

The allusion should be quite easy to understand. Especially since malware was originally termed “Virus” There is a direct analogy there. Anyway, here’s the crux of it all. Just like bioweapons, digital “bioware” for lack of a better term, also cannot be controlled once let into the environment. Things mutate, whether at the hand of people or systems, things will not be contained within the intended victims. They will escape (as did all the malware we have seen) and will tend to have unforeseen consequences. God forbid we start really working on polymorphics again huh? If the circumstances are right, then, we could have a problem.

Will we eventually have to have another treaty ban on malware of this kind?

Time will tell.. Until then, we all will just be along for the cyberwar ride I guess. We seem to be steadily marching toward the “cyberwar” everyone is talking about… determined really to prosecute it… But will it get us anywhere?


Attribution: Fingerprints vs. Ballistics and Inductive vs. Deductive Reasoning

with 4 comments

The Problem

In the present day where the word “Cyberwar” is all the rage, and governments as well as private sector entities are seeking to cash in on the power grab that is mostly information warfare as the Chinese actually call it (信息战) too many are forgetting a core problem to the picture. This problem, is “attribution” as it has been termed in the community. To attribute an attack to an individual, government body, or group, is something that to date, has not been discussed as much as I would like to see with regards to all of the cyberwarfare talk as well as any other inferences with regard to forensics and geopolitical ascription to acts of “war” as this is has been labeled by this terrible terminology that we have latched onto.

Nomenclature aside, there are issues around trying to determine definitively where an attack has really come from because of the nature of computer systems, varying countries that they reside in, and the potential for the actor to be anyone from nation state to individuals of a collective privately, or a single determined individual. It is my contention that “attribution” can be very hard to prove in a court of law, never mind that a country may in fact be ready to wage war against another on the grounds of what is taken to be the truth of where an attack originated from and who the actors really were. There are too many variables that may never be one hundred percent certain to be basing any of these decisions on in my view, unless one has hacked back into the core final system that originated everything and that is rarely the case today.

So, where does this leave us? How do we even attempt to attribute an attack to any one person, government, or group? Can we ever be certain of any of this information? Can we base an aggressive action against a nation based on any of it?

Fingerprints and Ballistics

Some would approach the problem of attribution of digital attacks on the methodology that began the criminal forensics process we have today. Fingerprints were the first forensic model for determining who really may have created a crime if the evidence did not consist of an eye witness attesting to the fact that “they did it” Ballistics soon followed once guns began to have lans and grooves bored into the barrels to allow for more accuracy. Both of these examples leave telltale marks on the bullets or objects to determine which person or what gun were the arbiter of whatever crime was committed. Today though, we do not have the same narrow confines of data to examine as both of these examples allow for.

Code is the medium of today and while there are certain ways to tell if code was written in the style of a person or written on a particular computer, for the most part, these do not allow for absolute certitude as to who the actor was that created the code, nor for that matter, who used said code to effect an outcome (i.e. attacks on systems) conclusively. All one really has in most cases, are pieces of code, that, with the right coder, may in fact look like anothers, or, all attributions have been stripped from, or, lastly, copied directly from open sources and then tweaked. All of these scenarios allow for a great lassitude on determination conclusively on source or origin.

Digital Fingerprints 

With all that said, the digital fingerprints are there, and with luck someone can determine if the coder was sloppy and forgot something. Interestingly, much of this was out in the open and talked about with regard to the Stuxnet infections in Iran. Once the code was audited, there were many subtle clues as to who “may” have written, and in fact there were potential red herrings left in the code such as “mytrus” and other tidbits that may in fact just been placed there to mess with those seeking to perform forensics in hopes of finding out who did it. To date, many think that the US and the UK did the work, planned the operation, created the code, and implemented it, but, there is no conclusive proof of any of that is there?

Suffice to say, that everyone does make mistakes, but, with the right amount of diligence, it an adversary can make it incredibly hard code wise, to determine who did the writing. On the other side of the coin, the digital forensics arena also looks at the network and hardware side of the equation as well. Many attacks today are not directly coming from the home systems of the adversary, but instead they are coming from proxy machines that have either been rented or, more likely, hacked previously. This too can be heavily obfuscated and be something of a problem to gather information from if those systems reside in countries unfriendly to the attacked parties. One would likely have to hack into those already compromised systems and then attempt to gather intelligence as to where they were being controlled from and by. This is of course if the system wasn’t already burned or, as in many cases, the logging had all been removed and thus there were no logs to see.

From this perspective, yet again, there is a great amount of doubt that can be injected into the picture of just who attacked because of the nature of the technologies. Unless the systems are live, and in fact the adversary is either still using them or was exceedingly sloppy, it could be very hard to in fact prove conclusively any one actor or actors carried out and attack even from the digital forensics side of the house. This leaves us with a problem that we have to solve I think in order to truly be able to “attribute” an attack even tentatively to anyone. One cannot only rely on the technologies that are the medium of the attack, one must also use reasoning, psychology, and logic as well as whatever the forensics can allude to as to the attacker. This is very much akin to the process used by CIA analysts today and should be the SOP for anyone in this field, because the field is now truly global as well as has been brought into the nation state arena of espionage and terrorism, never mind actual warfare.

Inductive vs. Deductive Reasoning

First off, I would like to address Inductive and Deductive reasoning in this effort as one of the precepts core to these attribution attempts. By using both of these in a rigorous manner, we can attempt to shake out the truths to situations that may in fact seem clear on the face of them, but, once looked into further may be discounted, or at the very least questioned. Much of this lately has been the hue and cry that APT (Advanced Persistent Threat’s) are all pretty much originating from China. While many attacks have in fact been attributed to China, the evidence has not always been plainly clear nor, in many cases, has the evidence been anywhere in the open due to classification by the government and military.

There are many “secret squirrels” out there and they all pretty much squeek “CHINA” all the time. Unhappily, or perhaps unfortunately, these same squirrels end up being the ones talking to the news media, and thus a juggernaut is born in the news cycle. It just so happens that there are many other nation states as well as other actors (private/corporate/individual) that may well be the culprits in many of the attacks we have seen over the years as well. Unfortunately, all too many times though, a flawed inductive or deductive process of determination has been employed by those seeking to lay the blame for attacks like ghostnet or ghost rat etc. Such flawed thought processes can be shown by examples like the following;

All of the swans we have seen are white, thus, All swans are white.

This has pretty much been the mindset in the public and other areas where attacks in the recent past have been concerned. The attacks on Google for instance were alleged to have come from China, no proof was ever really given publicly to back this up, but, since the media and Google said so, well, they came from China then.. Right? While the attack may have in fact come from China, there has been no solid evidence provided, but people are willing to make inductive leaps that this is indeed the truth of it and are willing to do so on other occasions where China may have had something to gain but proof is still lacking. The same can be said with the use of deductive reasoning as well. We can deduce from circumstances that something has happened and where it may have originated (re: hacking) but, without using both the inductive method as well as the deductive with evidence to back this up, you end up just putting yourselves in the cave with the elephant trunk.

Psychology and Victimology

Another part of the picture that I believe should be added to the investigative process on attacks such as these, is the use of psychology. By using the precepts of psychological profiling as well as victimology, one can take a peek into the motivations of the attacker as well as the stance of the victim that they attacked into account on the overall picture. It is important to know the victim, their habits, their nature, and background. These factors can often lead to insights into who the adversary may in fact be. While the victimology paints the picture of the victim, it also helps flesh out the motives and possible psychology of the aggressor as well.

Of course one need not be a board certified psychiatrist or psychologist to perform a vicimtology in the way that we need to within the confines of determining who may have hacked a client. Many pentester’s do this very thing (though perhaps not enough today it seems) by profiling their targets when they are preparing for a test scenario. The good ones also not only look at what the target does, but also how they do it. They also look at how things work logically, as well as every other aspect of the business to determine how best to attack and what would have the most effect to replicate what an attacker “could” do to them. This is a key also to determining who may have actually attacked as well as why they did and this leads to another part of the puzzle, that of motives.

In trying to determine who attacked one must look at the motives for the attack. These motives can also show you the lengths that the attacker was willing to take (i.e. creating custom code and other APT style attack vectors/methods) to effect their end state goal. If there seems to be no real reason for their attack, and they have not stated it in other ways (like Anonymous and their declarations of attacks) then we are left to come to grips with seeking the reasons as well as what they took/destroyed/manipulated in the end. It is important to look at the whole picture instead of focusing on the minutiae that we in the INFOSEC field often find ourselves looking at daily in these IR events.

Hannibal Lecter: First principles, Clarice. Simplicity. Read Marcus Aurelius. Of each particular thing ask: what is it in itself? What is its nature? What does he do, this man you seek?

The Pitfalls of Attribution Theory

Another part of the picture that must also be assessed is that of the mindset of the assessor themselves. Today we seem to have quite the echo chamber going on with the likes of Beitlich and others concerning China and APT activities as I alluded to earlier. The media of course has amplified this problem threefold, but, the core problem is that we as investigators are sometimes easily tainted by the echo chamber. Thus I put it to you that the precept of “Attribution Theory” also play a key role in your assessments and that it can be a pitfall for you. In Attribution theory, one must also take into account such things as the motivations of the person doing the attributing. This means that even if you are a consultant in an IR, you too can allow your own leanings to sway your findings in such an endeavor as trying to determine who hacked whom with leading evidence but no definitive proof thereof.

Motives are key, motives of the assessor, motives of the victim, and motives of the adversary. One must take these all into account and be as impartial as possible and mindful of these things. It is my contention today, that all too often people are all too available to the idea that “China did it” is the go to assessment of a so called “APT” attack, especially so when APT is one of the most misused acronyms today in the information security field. It is just behind the term “Cyberwar” in my opinion in fact as one of the most misused and poorly constructed acronyms or terms for what is happening today.

In the end, one must take a step back and see the bigger picture as well as the minutiae that comprises its total while not being too easily swayed by our own bias or conditioning. I suggest you acquaint yourselves with these ideas and use them when involved in such cases where APT and Cyberwar are concerned.

There will Always Be “Reasonable Doubt”

In conclusion, I would like to assert that there will always be reasonable doubt in these cases. Given now that we are considering actions of war and legislation over attacks and counter attacks within the digital sphere, I would hope that those in government be made aware of the issues around attribution. I cannot conceive of going to war or launching missiles over a digital attack on some system somewhere. The only way I can see this actually becoming kinetic is if the attack is in tandem with boots on the ground or missiles fired from a distinct area of a foreign power. Unfortunately though, it seems of late, that governments are considering such actions as hacking the grid, as an acceptable trigger to kinetic response by the military. This for me is all the more scary given what I know about attribution and how hard it is in the digital world to determine who did what and when, never mind from where.

Presently I am working on a framework of this whole process model and will in the near future be presenting it as well as other aspects of determining the attribution of attacks on companies and systems at a conference in Ireland. It is my belief, with my partners in this presentation, that given more subtle cues of psychology, as well as sociological and historical inference, one can get a greater picture of the attacker as well as the motives for an attack if they are not openly stated by the aggressor. Of course none of this will eliminate “reasonable doubt” but, as CIA and other intelligence analysts have proven with such methodologies, one can make a more solid case by looking at all aspects surrounding a person, case, or incident to determine the truth.


Written by Krypt3ia

2012/05/18 at 19:15

Handwringing, Moralizing, Anonymous, Paedophilia, and Digital Vigilantism

with 2 comments


I recently posted about the Hidden Wiki and its prevalence in hosting paedophilia content. This post may or may not have left an impression on some of the  anonymous collective to take action and perhaps sow good will for their group by hacking into the “Lolita City” site within the DarkNet and releasing thousands of users email addresses and personal data (such as it is on such a site) for the Internet to feast upon. The Anon’s are doing this for their own reasons, but the upshot of it all is that they are causing the paedophiles pain in making it hard for them to get their content as well as potentially outing them online as purveyors and consumers of this wretched content.

Since my post applauding them and giving them some direction as to how to become more of an intelligence gathering apparatus for the LEO community, some in the infosec world have come forward and voiced concerns about this line of thought. All of the talk about the morals, legalities, and philosophical aspects of Anonymous undertaking such actions has gotten me thinking quite a bit.It all raises some interesting questions and philosophical challenges.

Anonymous and Digital Vigilantism:

What I think that most people with reservations about Anonymous taking up such operations as the DarkNet op have are that these people are for the most part kids without training and without any kind of oversight. Oversight in that they could get too big for their britches (one could say that many already have) and think that they are invulnerable to attack never mind the respective laws of our society. That said, it would seem that Anonymous, Antisec, and LulzSec have already decided to take up the mantle of vigilante’s already. However, the targets have been, for the most part, varied parties that could be seen as hapless victims or as malefactors, it all depends on the point of view really.

In the case of Scientology, well, aside from religious freedoms (trust me, they are not a religion) generally the Scientologists have been pretty much seen as getting what they deserved. Today though, years later, Anonymous has begun to take on the governments of the world as well as the likes of Paedophiles online. Once again, generally, people see what they want to concerning whether governments are good or bad. Paedophiles though, pretty much are outlawed universally. So, when Anonymous decided to attack, I could not fault them one bit. However, I could perhaps fault their methods.. Only in that they were bound to only let the paedo’s get away in the end.

I have said it before and I will say it again.. “One man’s freedom fighter is another man’s terrorist” It all depends upon your perspective really. While I do not think all of their targets have been chosen wisely, I cannot fault the true believers out th4ere that they are doing something out of conscience and good. This is not to say that a certain element of the movement is in fact just in it for the lulz (i.e. Antisec and LulzSec) There certainly are factions at play who just want to see the world burn as well as garner themselves digital street cred.

Overall though, the term Vigilante denotes a person or persons (committee’s) who dole out justice summarily when the law is seen as ineffective by them. In this case, the Anon’s have taken up the mantle of vigilante in order to rid the DarkNet of paedophile content because law enforcement seems unable to effectively. Now this is also the crux of the issue in another way, as the police generally are not allowed to hack into sites and dump the dirt so to speak.. The Anon’s are unhindered here. Just as they have felt the same way about other operations where they have denied service to corporations (likening it to a digital sit in) they have crossed the line of the law, but, their methods and motivations are free of it… Until they get caught that is.

The essence of the thing is this.. “Don’t do the crime unless you can do the time” If they believe in it strongly and act upon it, then they must accept the risks of being caught and incarcerated. So far, much of the motivation I have seen by a good deal of anon’s has been motivated by convictions and beliefs. All others have been for Lulz, which is what made LulzSec even more of a problem as they just did not care. The current Antisec movement that LulzSec begat also seems to lack the conviction of their beliefs and seems more driven by ego than anything else by their writings.

And this is the difference between the chaotic Joker like actors and the Batman types.

Anonymous vs. PLA, vs. Patriot Hackers:

Pulling back a bit now, I would like to look at the macroscopic view of Vigilante behaviour versus nation state sanctioned or perhaps, a better word for it would be “condoned” actions and groups. I have written in the past about groups like the Honker Union in China as well as the colourful character known as th3j35t3r. both of these entities have had an effect on the collective consciousness concerning digital vigilante justice and I think it important that they form the contextual base for Anonymous’ actions in Operation DarkNet.

First off, ALL of these entities have been doing what they do (Jester DDOS of Jihadi sites and Anonymous, Honker, hacking against the enemies of China, and Anonymous, attacking sceintology, the gov, and paedo’s) with a mind toward doing “good” In the case of Jester, he thinks DDoS-ing jihadi sites out of a patriotic bent that will stop them from communicating. In the case of the Honker Union, they are patriots to their homeland and attack others who would do their country slight or harm. Anonymous though, started out of /b/ … Which really is a band of miscreants for the most part. However, a core group decided to take on the mantle of doing right somewhere down the line and we find swaths of them today supporting Occupy Wall Street and other political agenda’s.

The basic idea here is that they are all motivated by a belief in some greater good.. Mostly. I am sure there are on individual levels, many more motives (ego, greed, ego… the list goes on) but I will just put it to a gross generality that these people want to effect some kind of change.

At least I hope that this is the case…

What is really different though is that in the case of Jester and the Honker Union, they both are condoned if not outright supported efforts by the countries they reside in. In the case of the PLA and the Honker, there is clear connection between the state and their actions. In the case of Jester, there are allegations (made by him) that his is state sponsored.. But, I think more to the point he is condoned. Either way, the Anon’s may indeed be getting some support (moral or other) from state sponsors and not even know it. In the case of Anon, they could just become the tool of another nation state and not know any better.

Which is pretty scary.

All of these entities though, have had a greater or less effect upon the internet these last few years through their online shenanigans via hacking. The secret is this, they are just the first. There will be others to be sure.. The genie is out of the bottle on this one.

Anonymous vs. LulzSec & Antisec:

Conversely, we have LulzSec and Antisec, who both wreaked havoc on the corporations and the police of the world lately. Their reasons for doing so pretty much have been stated as “because we are bored” At the core though, there seems to be a couple of motives here from postings online. One is the afore mentioned Lulz, the other, seems to be a kind of abject hatred of authority and police. In recent hacks on the police though, there seems to be a bent toward supporting the Occupy movement as the police have had some transgressions against them. So.. They hacked the police and dumped all their data to spite them. Frankly, I see no value to this and once again, even if motivated by supporting the movement, it has no real effect on the police other than to make them more angry and reactive against the protesters.

Basically, I still see Antisec as the Penguin & Joker while Lulz as The Riddler though while Anonymous has become more like The Batman in certain quarters

Anonymous on the other hand has had its lulz, but seems to be growing up a bit and maturing. The social conscience of anon has begun to take shape and within it (movement wise) may well be the lasting component that will be its Raison d’être in the end. Time will tell though, and I hope that this is the case more so than just a bunch of malcontent’s seeking attention and excitement.

The Hand Wringing by The Infosec Community At Large:

Alright, back to the hand wringing and the moralizing post the Op DarkNet…

Certain people in the community wrote that while the empathised with what Anon was trying to do with Op DarkNet, they felt that these people were not the folks they would have doing this to start. Most of this comes from the fact that many of the players are not trained investigators and not LEO’s. I can agree with this from the perspective of legal proceedings later on. If Anonymous hacks a server and then dumps data, it could have an effect on the court case from a few perspectives;

  1. Contamination: The defense could claim that the server was hacked and the data planted
  2. The data could have indeed been tampered with by anon’s
  3. The backend of the server/dbase could in fact be shared and all those who share could be swept up in the legalities/implications
  4. The hack is enough to raise reasonable doubt

So, yes, it could be counter productive to have a vigilante force actually hack a system and report it to law enforcement. However, I would advocate that in the case of Anonymous and the paedo’s at the least, they not just hack and dump data, but instead give that data to law enforcement to start an investigation. For that matter, if Anonymous just located the servers and authenticated (sans hacking) that the content was there, they could in fact just tip off the police.

And this is at least part of what they did with Lolita City in the DarkNet. They tried to locate the server location and this alone could be a great boon for the authorities.

On the other hand, there are moral/ethical objections on the parts of some who think that perhaps letting Anonymous do this type of thing, or even encourage it is setting a bad precedent. To them, Vigilante’s are outside the scope of good behaviour and the law.. They cannot be tolerated. Personally, I think that that is a sanctimonious load of crap, but, that’s just me.

Sometimes when the system cannot function other means need to be taken to effect change. In this case, within a network that is anonymized and the authorities have had little success in catching anyone trading in paedophilia, I see no harm in Anonymous outing them.. Though, I would rather they just passed the intelligence to the LEO’s instead. It is my opinion, that if done correctly, intelligence gathering of this type with a tip off to the police has a better chance at actual arrests and convictions than to just let them go on about their peddling of child pornography.

Just one man’s opinion…

Philosophical and Ethical Stands On Being The Digital Batman:


This is the philosophical and ethical standpoint I take in being the digital Batman. Strict utilitarianism dictates that maximizing overall good is key. In this case and perhaps others, the taking down of the paedophile’s content and capturing their login credentials is enough “good” to allow for the action to be seen as acceptable. This is really the basis of The Batman’s ethics in the comics and ideally, for me on this particular incident with Anonymous.

Now, this does not mean I agree with all of their operations as well as certainly not agreeing with the bulk of the actions carried out by the Antisec movement. However, the perspective is the key I suppose. It’s a slippery slope I admit, but, in this case of OpDarkNet, I agree with the greater good being served in this case.


Here we have the Deontologists like Sam Bowne. Deontology is a nice thing to cling to the ethical rules of a governing system of laws. However, it seems to me, and others here, that this system of laws is not working against these offenders in the hidden wiki. Sure, you could say that the LEO’s have ongoing investigations, but, just how many busts have there been as opposed to the massive amount of content located on the hidden wiki and within i2p, Freenet, and TOR?

So far, I have not seen law enforcement really winning this battle.

Oh well, the Deontologists have their point of view and others have theirs. The key here is that Sammy and others like Packetknife are entitled to their point of view. They are right for themselves, and that is the issue with all philosophy and ethics arguments. Like I said, it’s all about your world view. However, I do not ascribe to a moral absolute unlike someone like Sammy.

There are no right answers. There is only what you are willing to accept for yourself.

Legal Aspects of Digital Vigilantism:

Now, on to the legal aspects here.

18 U.S.C. § 2252 : US Code – Section 2252: Certain activities relating to material involving the sexual exploitation of minors 

The US code on activities related to sexual exploitation of minors alludes to the fact that one has to “knowingly” access such content and to have more than 3 pieces of “content” to be considered guilty of child exploitation/pornography. This of course also alludes to the trafficking thereof etc etc in legalese. Where this is important for the digital Batman is where there are caveats.

(c) Affirmative Defense. - It shall be an affirmative defense to
a charge of violating paragraph (4) of subsection (a) that the
defendant -
(1) possessed less than three matters containing any visual
depiction proscribed by that paragraph; and
(2) promptly and in good faith, and without retaining or
allowing any person, other than a law enforcement agency, to
access any visual depiction or copy thereof -
(A) took reasonable steps to destroy each such visual
depiction; or
(B) reported the matter to a law enforcement agency and
afforded that agency access to each such visual depiction.

So, as I said before, if you are trying to take one of these sites down, then do turn off your browser’s images capabilities.. Hell, why not just use Lynx for that matter so as to negate the issue. However, there is a key point here that you all should take into account. It’s the bit about making the LEO’s aware of the content. This is what I was trying to get at before. If Anonymous or anyone is going to go after this content, then it would be best if you tipped off the LEO’s to the site and the content. Now, the above statement implies that if you make the tip, then you are going to let the police have your system to look at… And we all know Anonymous is not going to do that. So, just be judicious about your tip off’s to the authorities. Do your homework and dump the data to them directly, not on Pastebin.

Of course, then there are the issues of hacking a system in the first place… Well, in the DarkNet, the only thing as I see it that is key would be not leaving a trace that you were there. You know, kinda like the whole hiking ethos of only leaving footprints.. But in this case I would suggest not even a footprint should be left behind. It seems to me, that if you hack a paedo site, even with good intentions, you could get the double whammy from the authorities of hacking as well as accessing child porn…

And that could really be problematic.

So, in the end, I circle back to recommending that you become intelligence gatherers and locate the sources to report. If you locate them, and you get some good details for the authorities without having to SQLi them, all the better. You will be doing a good thing AND you will be satisfying the Deontologists in the room.

Keep your wits about you kids.


Anonymous #HQ: Inside The Anonymous Secret War Room

with 7 comments

John Cook and Adrian Chen — Dissident members of the internet hacktivist group Anonymous, tired of what they call the mob’s “unpatriotic” ways, have provided law enforcement with chat logs of the group’s leadership planning crimes, as well as what they say are key members’ identities. They also gave them to us.

The chat logs, which cover several days in February immediately after the group hacked into internet security firm HBGary’s e-mail accounts, offer a fascinating look inside the hivemind’s organization and culture.

  • Sabu
  • Kayla
  • Laurelai,
  • Avunit,
  • Entropy,
  • Topiary,
  • Tflow
  • Marduk
  • Metric
  • A5h3r4

So, Hubris/A5h3r4/Metric have broken into the inner circle of at least one cell of Anonymous. I say cell because I do not think that these users are the actual full scale leaders of Anonymous, instead, as I have said before, there are cell’s of Anon’s that perform operations sporadically. These folks, if the chat transcripts are true, are the ones just behind the HBGary hack and at least one of them, with the Gawker hack.

Once again, I will reiterate here that I think Anonymous is more like a splinter cell operation than anything else. There is an aegis from the whole as an idea, but, they break off into packs for their personal attacks, or whatever turns them on. They coalesce into a unit when they feel moved to, but, they do not overall, just get together and act without direction on the part or parts of leaders.

The example below of the transcripts for #HQ show that these characters though, are a little high on themselves after the hack on HBG… And you know what happens when you don’t pay attention to the hubris factor. You get cocky and you get burned. As you can see below, some of them are at least nervous about being popped or infiltrated.. Those would be the smart ones…

04:44 <&Sabu> who the fuck wrote that doc
04:45 <&Sabu> remove that shit from existence
04:45 <&Sabu> first off there is no hierachy or leadership, and thus an operations manual is not needed


04:46 <&Sabu> shit like this is where the feds will get american anons on rico act abuse and other organized crime laws
04:47 <@Laurelai> yeah well you could have done 100 times more effective shit with HBgary
04:47 <@Laurelai> gratted what we got was good
04:47 <&Sabu> if you’re so fucking talented why didn’t you root them yourselves?
04:47 <@Laurelai> but it could have been done alot better
04:47 <&Sabu> also we had a time restraint
04:48 <&Sabu> and as far as I know, considering I’m the one that did the op, I rooted their boxes, cracked their hashes, owned their emails and social engineered their admins in hours
04:48 <&Sabu> your manual is irrelevent.


04:51 <&Sabu> ok who authored this ridiculous “OPERATIONS” doc?
04:51 <@Laurelai> look the guideline isnt for you
04:51 <&Sabu> because I’m about to start owning nigg3rs
04:51 <&marduk> authorized???
04:52 <@Laurelai> its just an idea to kick around
04:52 <@Laurelai> start talking
04:52 <&Sabu> for who? the feds?
04:52 <&marduk> its not any official doc, it is something that Laurelai wrote up.. and it is for.. others
04:52 <&marduk> on anonops
04:52 <&Sabu> rofl
04:52 <@Laurelai> just idea
04:52 <@Laurelai> ideas
04:52 <&Sabu> man
04:52 <&marduk> at least that is how i understand it
04:52 <@Laurelai> to talk over
04:53 <&Sabu> le sigh
04:53 <&marduk> mmmm why are we so in a bad mood?
04:53 <&Sabu> my nigga look at that doc
04:53 <&Sabu> and how ridiculous it is


04:54 <&marduk> look, i think it was made with good intentions. and it is nothing you need to follow, if you dont like it, it is your good right
04:55 <&Sabu> no fuck that. its docs like this that WHEN LEAKED makes us look like an ORGANIZED CRIME ORGANIZATION

My observations though have always been that the groups would be infiltrated by someone and then outed. It seems that this may indeed be the case here if the data is indeed real. It seems to me that a certain j35t3r said much the same before, that he could and did indeed infiltrate the ranks, and had their data. Perhaps J has something to do with this? Perhaps not… Still, the principle is sound.

  1. Infiltrate
  2. Gather INTEL
  3. Create maps of connections
  4. Report

It would seem also that these guys are liminally aware of the fact that their actions can be seen as a conspiracy and that the government will not only get them on hacks potentially, but also use the conspiracy angle to effectively hogtie them in court. Let me tell you kids, there is no perfect hack… Well unless the target is so inept as to have absolutely no logging and does not even know for a very long time that they had been compromised.. Then the likelihood of being found out is slimmer, but, you guys popped and then outed HBG pretty darn quick.

I am willing to bet there are breadcrumbs.. And, those said breadcrumbs are being looked at by folks at some three letter agencies as I write this. You see kids, you pissed in the wrong pool when it comes to vindictiveness. I agree that HBG was up to bad shit and needed to be stopped, but, look at the types of things they were planning. Do you really think that they are above retaliation in other ways than just legal? After all, they were setting up their own digital plumbers division here huh?

Anyway… Just sayin…

Back on topic here with the Backtrace folks and the logs. I have looked at the screen names given and have come to the conclusion that they are all generic enough that I could not get a real lock on anything with Maltego. I had some interesting things pop up when you link them all together, but, overall not enough to do anything meaningful. The other issue is that Maltego, like any tool using search engines and data points, became clogged with new relational data from the articles going wide. I hate it when the data is muddied because of this.

So, yeah, these names are not unique enough to give solid hits. Others though who have been re-using nicks online as well as within the confines of Anonops, well that is another story. I just have this feeling that there are larger drift nets out there now hoovering all you say and do on those anon sites, even if they are in the .eu space. I still have to wonder if any of those IRC servers have been compromised yet by certain intelligence agencies.

One wonders too if China might also be playing in this area… How better to sow discontent and destabilize than to use a proxy like Anonymous for operations?

For that matter.. How about the CIA?


Think on it… Wouldn’t Anonymous make a perfect false flag cover operation?

For now, I am going to sit and watch. I would like to see the full chat transcripts though. Now that would be interesting.

“May you live in interesting times”



Digital Kinetic Attacks: South Korean DD0S Botnets Have “Self Destruct” Sequence

leave a comment »

From McAfee Blog

There has been quite a bit of news recently about distributed denial of services (DDoS) attacks against a number of South Korean websites. About 40 sites– including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and the National Assembly–were targeted over the weekend, beginning around March 4 at 10 a.m. Korean time. These assaults are similar to those launched in 2009 against sites in South Korea and the United States and although there is no direct evidence connecting them so far, they do bear some similarities.

DDoS attacks have occurred with more and more frequency, but one of the things that makes this attack stand out is its use of destructive payloads. Our analysis of the code used in the attack shows that when a specific timezone is noted by the malware it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it.

The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which will provide additional instructions. Looking at the disbursement of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Disbursement across this many countries increases resilience to takedowns.

The rest HERE

At first, the idea of a digital kinetic attack to me would be to somehow affect the end target in such a way as to destroy data or cause more down time. These current attacks on South Korea’s systems seems to be now, more of a kinetic attack than just a straight DD0S. Of course one then wonders why the bot-herders would choose to burn their own assets with this new type of C&C system and malware. That is unless the end target of the DD0S is just that, one of more than one target?

So the scenario goes like this in my head;

  • China/DPRK work together to launch the attacks and infect systems also in areas that they would like to do damage to.
  • They choose their initial malware/C&C targets for a secondary digital kinetic attack. These systems have the potential of not only being useless in trying to trace the bot-herders, but also may be key systems to allies or the end target themselves.
  • If the systems are determined to be a threat or just as a part of the standard operation, the attackers can trigger these systems to be rendered (possibly) inert with the wipe feature. This too also applies to just going after document files, this would cause damage to the collateral systems/users/groups

Sure, you burn assets, but at some point in every operation you will likely burn at least one. So doing the mental calculus, they see this as a win/win and I can see that too depending on the systems infected. It is not mentioned where these systems (C&C) were found to be, but, I am assuming that they were in fact in China as well as other places around the globe. This actually steps the DD0S up a level to a real threat for the collateral systems.

Of course the malware here does not physically destroy a drive, it is in fact just rendering it useless (potentially, unless you can re-build the MBR AND you zero out the data on board) as you can see from this bit of data:

The malware in its current incarnation was deployed with two major payloads:

  • DDoS against chosen servers
  • Self-destruction of the infected computer

Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.

When being installed on a new computer, the malware records the current time stamp in the file noise03.dat, which contains the amount of days this computer is given to live. When this time is exceeded, the malware will:

  • Overwrite the first sectors of all physical drives with zeroes
  • Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes

The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data when the system time is set before the infection date.

The malware is aware enough to see if someone has tampered with the date and time. This sets off the destruct sequence as well, but, if you were able to stop the system and forensically evaluate the HD, I am sure you could make an end run and get the data. Truly, we are seeing the next generation of early digital warfare at this scale. I expect that in the near future we will see more nastiness surface, and I think it highly likely in the post stuxnet world, that all of the players are now thinking in much more complex terms on attacks and defences.

So, let me put one more scenario out there…

Say the malware infected key systems in, oh, how about NASDAQ. Those systems are then used to attack NYSE and suddenly given the order to zero out. How much kinetic warfare value would there be to that?

You hit the stock market and people freak

You hit the NASDAQ systems with the compromise and then burn their data


Interesting times….

The force with no name: By Antonia Zerbisias of The Star

leave a comment »



The force with no name

Abo Yahya and Metadata Cleaning

with one comment

I recently came across the site above through some searches and I have to say that it kind of surprised me as to the contents sophistication in the hacking/security area. This Abo Yahya is adept at understanding the security intricacies needed to prevent easy detection online (using TOR) and seems quite plugged into the hacker community with videos from a European hacker conference to boot. What really struck me though is the above picture where Abo talks about the metadata problem and how it was used to capture Dennis Raider.

Abo goes on to talk about a script to remove the data from word docs as well, which I guess has been on the minds of some and has been used in tracking the files that the jihadi’s are making. One wonders if the doc files are the only ones he (Abo) has worked out or have they done so with say PDF files? All I know is that there are many more files than just doc files out there that can be used to track you all. However, there is much more to learn isn’t there? Now it seems that Abo and Song of Terror have plans to teach the ways of hacking and information security.

The site goes on to show tutorials in linux command line as well as the flavors of Linux including video tutorials. It would seem that they have been paying attention quite well to the security communities posts and chatter about how to be secure online. Abo also brings out the old jihadi crypto program (mujahideen secrets 2.0) and does a little how to on encrypting all their transmissions. All of these files and programs including a tutorial sweet by GIMF are available for download in various places.. All of which I assume, will give us all the chance to check the metadata and see what they might offer in leads as to who made them.

Meanwhile, there was an interesting little passage below Song of Terror’s video on Linux basics…

Peace be upon you and God’s mercy and blessings be upon you

After reading the topic to Brother, “the grandson of bin Laden,” may God preserve him for a script Rapidleech
The fact was the subject of a great and a quantum leap in the world of Jihad in the era of fighting jihad
In squares, in particular the field of media jihad there is no secret to you delete thousands of links to movies jihadist pretext of combatting terrorism. Here, a modest contribution to me for how to publish links rapidly and participation comes after reading the topic to Brother, “the grandson of Bin Laden,” more than once since the beginning has not sunk in but please God I understand that after you apply some examples so I would recommend reading the first issue of the brother by watching this video

So, Bin Laden’s grandson called all of this a quantum leap in jihad huh? Well, in a sense it is really.. They are learning…. However, just how much can they learn and does anyone really think that they can be as “secure” as they need to be to not get popped? I mean, with all the warning and hand wringing that we in the security community do about the lack of security in the general populace, just how much actually works? All too often the security is lacking in all quarters and I am sure that these guys too will also fail when it comes right down to it.

… And in the case of Abo.. I already know who he is in real life I think… And where he lives… How you ask?


So, what I have learned from this site is that there are certain factions that are more learned about hacking and security. They are now making inroads into the jihadi forums and in fact, this site is directly linked to the alfaloja boys. The very same site that was hacked and brought down by CAUI efforts on the part of certain governments. I guess they took from the incident a certain fear of being popped and recruited more people with the help of Song Of Terror I assume. Of course though, just as the security community posts things or creates software/hacks and releases them, they only serve to allow for follow up and obfuscation due to it being in the open. In the case of this site and others that are showing how to hack, we too now know exactly what they are up to and how we can turn that around on them.

Additionally, one of the nice tasty bits that Abo left for me was a hash for mujahideen secrets:


Which I put into Maltego and began some searches…

I have to do some more tweaks to searches with Maltego here, but, you can see where this program is being mentioned, served out, and talked about. All of these sites make nice launch points with Maltego and some Googling to further explore who is using it… If I can’t read what you’re saying kids, I can at least know WHO YOU ARE. Funny how those little features that make something more secure can be used against you huh?

Anyway, for those interested.. Here is the data using Maltego on the site and its connections. Maktoobblog is a Yahoo site and this particular one is out of the UK. Perhaps soon Yahoo will get wise to the site…

I see you Abo…

inetnum: - org:            ORG-YE1-RIPE netname:        UK-YAHOO-20070216 descr:          Yahoo! Europe country:        GB admin-c:        KW3969-RIPE tech-c:         KW3969-RIPE status:         ALLOCATED PA mnt-by:         RIPE-NCC-HM-MNT mnt-lower:      YAHOO-MNT mnt-routes:     YAHOO-MNT mnt-domains:    YAHOO-MNT source:         RIPE # Filtered organisation:   ORG-YE1-RIPE org-name:       Yahoo! Europe org-type:       LIR address:        Yahoo! UK Ltd 125 Shaftesbury Avenue London WC2H 8AD London United Kingdom phone:          +44 207 131 1495 fax-no:         +44 207 131 1213 e-mail: admin-c:        DR2790-RIPE admin-c:        IG1154-RIPE admin-c:        NA1231-RIPE mnt-ref:        YAHOO-MNT mnt-ref:        RIPE-NCC-HM-MNT mnt-by:         RIPE-NCC-HM-MNT source:         RIPE # Filtered person:         Kerry Woods address:        125 Shaftesbury Avenue address:        London address:        WC2H 8AD phone:          +44 020 7131 1000 fax-no:         +44 020 7131 1213 e-mail: nic-hdl:        KW3969-RIPE mnt-by:         YAHOO-MNT source:         RIPE # Filtered