Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Jihobbyists’ Category

MuslimCrypt and Clickbait

leave a comment »

MEMRI talked up a report on a new “steg” program being offered and “used” by da’esh that was then picked up on by Wired (or more to the point someone called from MEMRI offering a story because slow news day at Wired) touting the new scareware booga booga booga that jihadi’s are using STEGO ERMEGERD! Of course this type of encryption has been around all along and in fact, as Wired alludes to, it has even been used by UBL back in the day as well. The fact that there is stego out there is nothing new but this alleged program is, maybe. You see, the problems I have with this assessment and the Wired story sold to them is that there is no real penetration of this software being used as far as can be seen and in fact nowhere on the net can the actual software be found to download.

So yeah, it is not in every da’esh cyber toolbox kids and if anything, it may be an OP trying to pop some of them on Telegram.

Telegram Accounts:

The Telegram accounts involved in this drop also seem to lack some history as well. I looked them up on Telegram and there isn’t much to see at all. Of course it could be that one needs to engage with them to see more but I am not going to do that for this so suffice to say that Google searches of these accounts, the names in them, and iterations thereof come up with nothing useful. In essence what I am saying here is they have “no history” and thus to me should be looked at as cutout accounts to drop this software from and nothing more. This is an important piece of the puzzle too but it seems MEMRI is more interested in selling subscriptions and getting on Wired than they are at being thorough in investigating things like this.

MuslimCrypt.zip and .exe:

Meanwhile one cannot find the software at all nor the zip file anywhere on the net. Not one download link anywhere. No uploads to MEGA, nor any of the other places that you would think that these guys would want to put it so that the jihadi masses can securely talk right?

Nopesauce.

The staggering lack of the file only leads me to believe that it was a drop to entice people to download in-line on Telegram in hopes that the account (MuslimTec) would be a form of watering hole attack. We see this kind of thing all the time in the hacking world and many of those kinds of attacks are carried out by more sophisticated actors. In this case the only place that the file can be seen is on Hybrid Analysis and on VirusTotal and even there there are only one to two drops of the file for testing. In all of these cases the files are not available for download so only one source has uploaded them.

Interesting huh?

So what do we have here so far… One source (MEMRI) sharing a story with Wired about a software package no one really has except MEMRI? How odd is this? Well, kinda odd and to me smacks of two things;

  1. MEMRI got played
  2. This was an OP by a nation state actor looking to own some jihadi’s

I will go into these ideas in some more detail below. Just remember that it is odd that these files are not out there in the forums nor being saved and uploaded for more penetration of use.

Reversal of the binary:

I found that the zip file had been uploaded to Hybrid in January as well as March 4th 2018. The VT upload happened in February 2018 so this has been around and about a bit. Remember though, these are the only instances of the files that I could find, and I REALLY wanted to find a copy. So whoever had the files to upload (assuming it was MEMRI) are the only ones to do so. I looked at the whole sandbox report of the zip and the executable and came up with some interesting factoids for you all.

  1. The language set is German
  2. The language of some of the re-used code snippets are in German, so, I could go either way on this one. Could be a German who did the coding or just someone who knows some and worked on re-used code to make this program
  3. This was cobbled together by someone with some skills
  4. The software does have what seems to be a keystroke recorder built in but it has nothing really to do in sandbox because it is a sandbox and no actual keystrokes are made
  5. Whoever compiled this has a pc name or a folder name on their system of “SultanEasy” with “SultanEasy-2” which, ya know, kinda sounds all code wordy to me

I scoured the internet for “SultanEasy” and “SultanEasy-2” to no avail. Now with that in mind consider that this was a slip up on the part of the coder and that this folder in projects is a code name.

Ponder ponder ponder… A piece of software magically dropped on Telegram by accounts with no history and a binary that has a keystroke logger embedded in it?

Hmmmmmmmmm…..

Oh, by the way MEMRI, your reversal skills suck.

An Op?

Overall, this smells bad and MEMRI seems to have fallen for it or is unable to read a reversal report and strings well enough to see things in perspective.

Could this be an operation by a nation state? Sure.

Could it be another group like Anonymous or some other vigilante group? Sure.

Could it be a serious attempt at making steagnography the go to encryption for jihadi’s today? Yeah no.

Nice clickbait though.

Derp.

K.

 

UPDATE: I was sent this by <REDACTED> this is from a paste of conversation screenshots from the MuslimTec Telegram channel…

Screenshot from 2018-04-02 14-45-24

So yeah, there are many comments in there about spies and even at one point claims of being hacked by dissension…

Just sayin.

Written by Krypt3ia

2018/04/02 at 18:06

Posted in Da'esh, jihad, Jihobbyists

Ahmad Rahami’s Journal: The Sycophantic Nature of Failed Seekers

leave a comment »

page-1

Ahmad Rahami, the new jihadi wannabe lone wolf du jour made a splash with his bombings of a dumpster and a trash bin on CNN and the other media outlets but let’s really take a closer look at Ahmed and his mindset with the release of his ersatz “journal of jihad” shall we? First off, I am tired of the media coverage and while this was serious, it just show’s you the level of recruit and planning that AQAP/AQ/da’esh have in the US presently and to wit, not very high. Frankly, looking at his journal pieces here I can only surmise that if Ahmad doesn’t have some sort of personality disorder it would greatly surprise me. On the other end of that spectrum, Ahmad clearly is a failed seeker acting out within the confines of his chicken shop malcontent diaspora in search of importance.

page-9

Ahmad opines the usual catch phrase diatribes seen in Inspire or Dabiq and on the web in general on the boards but seems to not really have a greater grasp of his own religion than most of the daeshbag recruits these days. Clearly he has been suckling at the tit of the jihadi propaganda machine and in fact had close contact with recruiters in Afghanistan and Pakistan where he spent a good deal of time in recent years on and off. These guys look for recruits who have weak wills and minds that can be easily swayed. Minds and hearts, ego’s in search of self importance that they lack presently but are told that they will be martyrs for the greater cause if they blow themselves or the far enemy up and it is bullshit.

page-4

page-3

 

page-5

page-6

page-8

All of the propaganda placed by these Khawarij are just a mental virus, neuro-linguistic programming, used to prey on the weak minded souls out there, those failed seekers in order to bring them in and turn them to the Khawarij will. For some time now the security services and governments of the world have been trying to see how they can combat these memetic viruses online and so far no one has been able to come up with a solid solution. Those wh0 are seeking will latch onto anything that they feel an attraction to and it has been since time immemorial. Cults, and religions both rely on this to build their base, belief is key and the means to that end is dogma.

In Ahmad’s diary we see this in action and we see the brain washing and self delusion that goes on here with the repetitive statements in this journal that he used to egg himself on to action. No doubt he wrote this out and continued to do so as he built the bombs. All of this, all the language is a means to an end to justify to himself his actions. Actions fed to him by the propaganda online, in person, and programmed into him and all the others who are willing to listen, to believe, and to act.

Weak minds.

Weak souls.

Pawns of the Khawarij.

I truly hope we can come up with a means to combat such memetic viruses but so far I see no hope of it. Prepare yourselves for the other weak minded jihobbyists out there to try and catch their own brass ring of importance. Just don’t let them enable fear to win and change the course of our governance to a fear based one… Well… One that is more so than it already is.

Dr. K.

Written by Krypt3ia

2016/09/23 at 14:25

Leaderless Jihad and Open Source Jihad: A Marriage Made In Hell.

leave a comment »

7631834-3x2-700x467

In 2013 I wrote about leaderless jihad and the “Stand Alone Complex” Now we are seeing this type of leaderless, “inspired by” thought virus playing itself out on the national stage. Last nights attack using a lorrie was something that was presaged by two issues of Inspire Magazine back in 2010 and 2014. There isn’t much to it really to gather some weapons, steal a truck, and then plow it into a crowd but it has taken this long for the insidious idea to take root in the collective unconscious of the would be jihadi’s. The days of a more rigid and trained “jihad” are being eclipsed by would be unbalanced individuals seeking attention and reinforcement of their sick ideas through the media, the internet, and our collective inability to look away from a tragic scene on a glowing screen.

Screenshot from 2016-07-15 07:00:082014 Inspire

 

Screenshot from 2016-07-15 07:04:082010 Inspire 2 “Ultimate Mowing Machine”

 

Soft targets were always the preferred avenue of attack but now they are becoming seen as a top priority for security forces since the attacks in France and other places like Bangladesh. While Dahka on the face of it had a contingent of more trained individuals the attack last night is as simplistic as they come. This is what is really scaring the populace and the security services because now it seems that the authors and actors of these acts are in fact just one guy and not a cabal that they could perhaps track using pervasive surveillance. A cell of one is hard to track and certainly if they self radicalize by just downloading Inspire magazine and watching YouTube, well, what can one do? There are no easy answers here in the world of detection and prevention.

Screenshot from 2016-07-15 09:26:04

So here we have it, I have been pointing this out for a while and at first it was AQAP trying to inspire “OSJ” or Open Source Jihad. Now Dabiq and Da’esh are carrying it on and furthering it with the media zeitgeist that ensues with each attack. The net effect here is that these people are selfradicalizing with the help of the media’s obsession on covering ad nauseum these acts. The pervasive hand wringing and talking heads only serve to whet the appetite of the would be jihobbyist into action. Forget the Inspire magazines and the videos, just watch CNN and that is enough it seems. This all is very much like the plot line to “The Laughing Man” arc of Ghost In The Shell. An act carried out on the media instilled others to carry out like acts to be on the media and further the idea(l) as well as serve as a means to self fulfil the actors need for attention and satisfaction.

laughing-man

This is pure psychology at work and there are a host of reasons and syndromes that could likely be pointed at to rationalize it’s happening. The fact of the matter is that now we are seeing it play out rather bloodily on the streets of the world in furtherance of an idea and ideal set that lends itself to the like minded.. Or should I say mentally ill? Yes, I would say mentally ill. These actors are acting out and likely have some borderline tendencies to start with. These people feel outcast in their societies or out of place within the societies they are living in as a second generation citizen. It is a complex thing to nail down and I suggest that anyone who might want to delve into it further read “Leaderless Jihad” by Marc Sageman.

We need a more nuanced approach to the GWOT and I am afraid we won’t get that…

K.

 

Cyber Jihad Marketing: Yelling FIRE! In A Crowded Theater

leave a comment »

Screenshot from 2016-06-20 07:37:15

 

Recently, a reporter that I know came to me asking if I would look at this ICIT-Brief-The-Anatomy-of-Cyber-Jihad1 and give input on it. They wanted to have my opinion because the firm that wrote it was seeking a reporter to flog it on their news site. I told the reporter after looking at the “analysis” this exact quote; “This report is the marketing equivalent of yelling fire in a crowded theater” Well, it seems that CNBC bought it though and my hand has been forced to write about this travesty. ( CNBC Report that forced my hand ) I told the reporter to back away slowly and to their credit they did. CNBC not so much. So here I am going to outline how this report is full of marketing and cognitive bias and wild assumptions. Oh, and that is if you can get past the hyperbolic language in the first graph…

Screenshot from 2016-06-20 08:47:58

I shit you not..

Cyber Caliphate & Junaid Hussain:

The report goes on a long time talking about Da’esh and their origins. While much of that data is right on the report starts to go off the rails once they begin talking about the “cyber” part of the picture. They start off by talking about Juny and his cybering, the defacements out there, and the propaganda war that is still ongoing by the likes of Da’esh, AQAP, Boko Haram, etc. Which is all fine, mostly accurate, but then they start to talk about “possible capabilities” after they just pretty much said “They aren’t that capable” Cognitive dissonance much there guys? The truth of the matter is that to date, the propaganda war is the biggest and most dangerous war here, not the so called cyber war that this “analysis” is pimping. I have been following this stuff since 2001 and Juny is the new Younis Tsouli really, both were/are moderately skilled in hacking but not much more than that. Both were much more a propaganda figures, and more dangerous in that capacity than any of their hacking skills. In fact, in the case of Younis, he got the heat and popped for that very reason, he was making a splash and attracting followers. Juny had that very same skill set and became much bigger a deal because he caught the zeitgeist for the jihobbyists out there with his mouth on Twitter. This is why he was killed with a hellfire, not because he hacked any big databases or got the real dope from some hack. In short, both were a danger because they had followers, and those followers were radicalising off of their jihadi bluster online and caches of propaganda from the main marketing teams of their respective terrorism groups. (AQ for Younis and Da’esh for Juny)

Screenshot from 2016-06-20 07:45:48

Of course the report would not be scary enough without the “Cyber Caliphate” an operation that Juny lamented was just him, no one else, before he got whacked on Telegram. That’s right kids, Juny was pimping something and making shit up. Once Juny got whacked you know what happened? Groups of guys like Team Fallaga took up the mantle and went on to deface pages like the dickens! “OOH SCARY DEFACEMENT BRO” While the report states this, and some of the other information I just mentioned, they then go on to analyse and say that these guys aren’t capable now but someday… SOMEDAY they could be. Oh really? You don’t say! Sure it is possible but it is not likely. Given that most APT activity takes money, time, and cohesion, the jihadi’s are all over the place and usually small disparate groups of skiddies, not solid hackers. So, the scare tactic of analysis is way off the mark in this report and this is why I told the reporter to step back slowly from their pitch. If this group had left it at that, it could happen but it is not likely I would have had some respect for them. Instead they chose the other scare the client into buying shit route. As for Cyber Caliphate and all their other silly acronyms, none have shown that they are a credible threat to much else than an insecure web page. No real data has been hacked and their “data drops” of enemies to kill have all come from open sources on the internet. Sure, is it problematic that they are doing this? Sure. Is it a clear and present danger of cyber capabilities that they could strike the grid next?

No.

Just stop.

Jihadi Helpdesk

PSSSST hey morons.. There is no Helpdesk

Screenshot from 2016-06-20 07:46:05

I need not say more right?

… But I will.

DO YOUR GOD DAMNED HOMEWORK AND QUITE THE FEAR MONGERING FOR MONEY!

CYBER JIHADI DARKNETS

Of course these guys could not miss an opportunity to scare and of course they had to use the scary “Dark Net” or “Deep Web” I have been on the dark net for a long time and I will tell you I have found a few sites but nothing there is that scary. In fact, to date, the sites either have been hacked soon after and taken down, or just sit unused. So really, the dark net is no threat here. Sure, the jihadi’s are using technology to obfuscate their chats now and trying to hide in the “deep web” of un-spidered content but the reality is most of this stuff is non operational. What the jihad today (Da’esh) wants mostly is to radicalize and activate those in the US like Omar Mateen without even really having contact with them.

Screenshot from 2016-04-29 13:12:15

So, the darknet… Not so much a terrorist haven kids. Sorry

https://krypt3ia.wordpress.com/2015/11/15/the-first-official-daesh-darknet-bulletin-board-has-arrived/

https://krypt3ia.wordpress.com/2015/11/18/daesh-darknet-under-the-hood/

Overall Analysis of Scare Marketing and Cognitive Bias

This report is a travesty of a tissue of what if’s that really is just a pulp thriller wannabe disguised thinly as a marketing piece cum serious analysis of Jihad online.

Please believe none of it.

Dr. K.

Written by Krypt3ia

2016/06/20 at 12:50

The Nuclear Bomb of the Mujahideen

with one comment

Screenshot from 2015-06-24 08:13:59

Nuclear Bomb of the Mujahideen:

AS IF the jihadi’s were listening to some people in the media they responded to a dearth of their particular brand of crazy in the darknets by adding a new site Monday. The Nuclear Bomb of the Mujahideen is a single page on the onions with six download links for documents on how nuclear weapons work, how to make one, and how to calculate the effectiveness of materials and fallout. Yes indeed, the darknet is now indeed scary because the AQ centric author of this single page has uploaded old data from 2006 that was circulating the clearnet on the jihadi boards back then.

WOOOO

Screenshot from 2015-06-24 08:24:57

So below I have some screen shots of the documents including the excel files that they left for calc’s to be made by some hapless jihobbyist who might try to make this happen. Frankly since there is nothing new here this is kind of a non story story BUT I wanted to get this on the blog before the MASS MEDIA SCARE engine sparked up and suddenly FOX is talking about the end of the world because DARKNET! This is not the end kids and in fact I think it much more likely that a dirty bomb would be used before some nuke was created by some group of jihadi’s or Da’eshbags.

Here are the details of the site:

  • Created Monday 6/22/15
  • Single page
  • 6 downloads
  • Email address of the creator is: sjpchm8723@mail2tor.com 
  • Old data
  • Excell and PDF’s uploaded are malware free (at this time)
  • Excel files do have macro’s though so there is that.. VT came up clean but MALWR.com failed me today (500 error)
  • Data is taken from government and science files on clearnet
  • Files created on system with Latin as base language not Arabi
  • Yes.. the feds now know about the site.

So take a gander at the images below then meet me at the metadata section!

Screenshot from 2015-06-24 09:21:522006 manual

Screenshot from 2015-06-24 09:22:25Put that DIY nuke on a truck!

Screenshot from 2015-06-24 09:23:41

 Implosion calculator for the package (Nuclear material fission)

Screenshot from 2015-06-24 09:24:00

 Fallout calculator

advanced_nuclear_weapon_design

OLD (FATMAN)

implosion_bomb_schematic

OLD IMPLOSION

METADATA:

What is more interesting from a DFIR kind of perspective is all the metadata that was left by the guy who put this site up and loaded those files. It could be all old data and I will have to go through my files to locate these pdf’s from 2006 to compare but let’s take a look shall we?

Screenshot from 2015-06-24 09:06:04

 Dude’s a Winderz user

Screenshot from 2015-06-24 09:06:16

 You can see where the 2006 files came from there…

Screenshot from 2015-06-24 09:06:31

 Using MS office and PDF machine!

Screenshot from 2015-06-24 09:07:20

Winderz 7!

Screenshot from 2015-06-24 09:10:11PDF details

Screenshot from 2015-06-24 09:10:37

MOAR PDF details

Screenshot from 2015-06-24 09:12:59

Excel

Screenshot from 2015-06-24 09:13:10

MOAR Excel

So what do we have here? Well, the creator not creating anything new. In fact the documents all come from the 2006 range (pdf’s) or 2014 in the case of the Excel files. So someone just downloaded these and then uploaded them to this site on Monday. Now, what I will say though is that they have enough comprehension of nuclear tech to include the excel files on the radiation fallout and calc’s for implosion but really, not much more than that. For all intents and purposes this could be a troll from someone who just Googled a bit and came up with a zip file to add to this site.

On the other hand, could this bee a phish of sorts? Why the email address? Feds? Or is this a real believer who wants to have the tech in the darknet and wants to have a discussion via mail2tor? I have to wonder about this and I may in fact email them to see what I get back. Since the files seem to be malware free (at this moment) I am going to say this is 50/50 a troll or a true believer. Though, the coincidence that a report on how there is a lack of terrorism (jihadi) in the darknet and suddenly this site appears, well, trollhard my friends.

Ok back to the media.. DON’T FREAK OUT!!! This is nothing. You have more to fear from your IP enabled toaster exploding like on CSI Cyber then you do of some numbnut finding fissile material on a darknet market and using these guides to make a bomb. Believe me.

K.

Written by Krypt3ia

2015/06/24 at 13:58

Posted in DARKNET, jihad, Jihobbyists

Darknet Jihad: These Aren’t The Sites You Are Looking For

with one comment

jihobbyism

 OMG DARKNETS!

I recently gave a presentation at Mass Hackers on “Online Jihad” which went very well. While I was covering the online jihad, the topic of Darknet Jihad came up as well, it usually does when anyone talks to me about the subject. Well, since giving that presentation I have seen various and sundry gubment types claiming that the “Jihadi’s are using the darknet! OMG! It’s why we need to have crypto front doors and de-anonymize the darknets!!!!”

*Baleful stare*

I am writing this post to set the record straight and to make a point… A cryptic point that someone reading this will get and you know who you are. The darknet is on the whole NOT being used by jihadi’s to hide their comm’s in the sense of going to darknet sites. Please for the love of everything sane, all you gubment types and wanna be spies get that the fuck into your heads right the fuck now.

Yes, the jihadi’s are using TOR and other VPN’s in attempts to hide their traffic on the “clearnet” but no, they are not gathering in large groups in hidden services sites on the actual “darknet” This is an important difference that many in the media and in the government either don’t get or don’t want to get in favor of having a scary scary thing to say to get the other ossified gubment workers (aka the Senate and House) to capitulate out of fear to their crypto breaking desires.

So lemme mansplain for you all about just what is going on in the darknet and what is not ok?

Darknet Jihad Funding

fundjihad1

FundJihad2Credit for screen shot Joe Cox and a hat tip for pointing out that it was there on the darknets.

What you see above this text are two sites that have appeared in the darknet and these have been the most tangible and visible of anything out there to date. The top picture is from a site that had a real bitcoin address and appeared in 2013 I believe. I wrote about it back then at least so maybe it was around in 2012. In the end though it amassed about 1200 bucks and then it was cashed out. Personally I think it was a scam site but who’s to know really.

The second more recent site is directly supposed to be a Da’esh site and it appeared last month on the darknet. It’s bitcoin address is real as well but to date has had no money put on it. This site too smells more like a fake or a dangle by an agency than anything else. Why? Because the fact of the matter is that to date, I nor anyone I know in the know, have found ANY other sites out there on the darknet, in the hidden services, at all that is jihadi in origin or aegis. None. Niente. Nada.

Of course there may be super secret sites that only a select few know the address of or maybe they are just using other sites like market places as dead drops but even this sounds a little too esoteric for the nitwits we see today in jihad and jihobbyism online. There is just no there there man, nothing to hang your crypto is bad hat on Mr. gubment guy! Ok ok ok, there was one upload to a file server in the darknet for one manual but the link was given on the clearnet jihadi board so how the fuck super secret is that?

Meanwhile Back In The Clearnet….

Ok so now that I have made myself I think crystal clear, let’s talk about what the jihadi’s are doing that I and others like me have seen. For the most part they have taken to TOR and TAILS like a mother since the Snowman dumps. This is to be expected right? I mean, look at all of us in the security community talking about this shit too right? If we say that it is better to TOR up or use TAILS to protect our basic security and privacy it stands to reason that these jihadi mo mo’s will too huh?

This is not rocket science kids…

Oh and yeah, since TOR has become every so user friendly, it is a natch that these guys will install it and use it on anything and everything that can run it. If you look below here you can see how they are using various tools on various platforms like Android just to reach their Da’eshbag Twitter accounts so they can spew their derpy propaganda!

kasperskyTor

onionANDROID

OnionTweet

So yeah, they are using TOR, TAILS, and anything else they think will give them an extra layer of protection. I have seen tutorials in Arabi all over the place for them to use and the mandate from the Da’eshbag pooba’s on how to be secure online. This however does not stop them from getting a JDAM shoved up their asses though when they take selfies am I right?

Derp… KABOOM!

Right, anyway, the skinny is that until these guys are all digital natives they aren’t going to be living and lurking in the darknets. Sure, they will have TOR, and sure they will have encrypted chats but hey, WHEN THE FUCK DID WE NOT HAVE THOSE OPTIONS TO START HUH? Really, for fucks sake stop it with the scare tactics USGOV and every god damned three letter agency! How about this, you say fuck all to the tech fixation and the shortcuts and you all get your HUMINT game back on?

That is how you will win this war. Make friends, find out where they are, and then JDAM the fuckers.

K.

CORRECTION: According to a tip I got from @Apate1114 there was a site back in 2012/2013 that was alleged to be a standard jihadi type site. In looking for any kind of backstop on this all I could locate were links that described the onion site in question (http://p2uekn2yfvlvpzbu.onion) In February 2013 it is listed as “http://p2uekn2yfvlvpzbu.onion/ Armas entrenamiento militar etc” 

Another site lists a file on the site for that time showing a pdf for a .50 cal rifle: contru�ao rifle:p2uekn2yfvlvpzbu.onion/arm/50calRifleConstructionManual.pdf Neither of these says jihadi site etc and unfortunately I have not seen an archive of the site.

Correction II:

I had a chat with @Apate1114 and they gave me a correction to the above. They provided a bad link there. The link is in fact instead: aub35xzuj7wslusm.onion and is no longer up. The site that was linking it in 2013 is seen below:

Screenshot from 2015-06-16 10:34:15

Screenshot from 2015-06-16 10:34:34This site, aljyyosh, calls the onion site موقع عربي غريب  which is “weird website” Since then, nothing has been seen of this site in the onion but as you can see on aljyosh there are plenty of tutorials on how to Tor.

Screenshot from 2015-06-16 10:40:01

Written by Krypt3ia

2015/06/15 at 23:14

Much Ado About Nothing: Team System DZ and Defacements

with one comment

Screenshot from 2015-03-27 08:35:58

Recently there was a spate of defacements by Team System DZ that has been making the rounds in the mainstream media. These defacements by Poti-SaDZ or Poti Sad Darky and his derpy bandito boyz using daesh symbols and poorly written rhetoric are nothing to write home about yet the media spins their skiddie exploits into media gold. Well I am here to set the record straight with you all. Poti, or Ahmed Saoudi is just a derpy kid in Algeria with nothing better to do than deface sites with others tools. He, and they, are just looking for the lowest of low hanging fruit to garner some attention for themselves. In fact, Poti here has some poor OPSEC as do many of his derpy little pals as you can see below.

Screenshot from 2015-03-27 08:48:59

Screenshot from 2015-03-27 08:06:26

In the first picture there you see his folders as he is running a tutorial on uber lee7 h4x0ring in winderz. The second picture is one of more than a few where he fails to engage his proxy and the handy little task bar there on the browser gives his home IP address(s) 41.100.113.208 and 41.100.76.152 respectively over time. Poti in fact logs in to the Team System DZ Facebook account without proxy a couple times and is likely unable to easily get on there because of issues with proxies, since ya know Zucky don’t play privacy.

Anyway, the IP space is for the following in Algeria:

IP address: 41.100.113.208
inetnum:        41.100.0.0 – 41.100.255.255
netname:        RegChlef
descr:          region chlef
country:        DZ
admin-c:        SD6-AFRINIC
tech-c:         SD6-AFRINIC
status:         ASSIGNED PA
mnt-by:         DJAWEB-MNT
source:         AFRINIC # Filtered
parent:         41.96.0.0 – 41.111.255.255

person:         Security Departement
address:        Alger
phone:          +21321911224
fax-no:         +21321911208
nic-hdl:        SD6-AFRINIC
source:         AFRINIC # Filtered

Other Data:

Poti-Sadz aka PoTi SaD DaRkY
https://www.youtube.com/channel/UCnHsj8Q7xOgTGSB9S-6mZdA
https://plus.google.com/116132926353763071423/posts/MsJWpbiRn8Q
youtube.com/user/ahmedsaoudik/playlists … ahmedsaoudik
http://video.exstrim-bog.ru/author/ahmedsaoudik

Skype: poti_sad-dz

There are a lot of Ahmed Saoudi’s in the skype phone book as well but only a couple list Algeria as his location and one of them has 1992 attached to the name. So, 2015 – 1992 = 23 which would be a prime age range for this kind of stupid kid activity no?

Skype: ahmed.saoudi1992

Give em a shout and see! Look, what I am saying here is that in looking at these guys I would have to say that the are not the daesh A-Team of hacking. I would also say that perhaps they could be behind the last derpy Googling of some military names and posting a hitlist online thing. That there was also something that the media went nova on and in reality “no va” is really more appropriate.

HOLY WTF PEOPLE! CUT THIS SHIT OUT!

Anywho, I just thought I would dump this little OSINT OPSEC FAILTACULAR on you all.

Enjoy the lulz…

K.

Written by Krypt3ia

2015/03/27 at 15:08

OpISIS and CharlieHebdo: Whack-A-Mole Without A Plan

with one comment

opisis

Cyber WAR indeed… <Shakes head>

Since the Charlie Hebdo attacks it seems that Anonymous has finally become self aware about the online jihad that has been going on for years now. While I can laud their determination and willingness to… Help… I cannot agree with what they are doing with their blunderbuss approach to the taking down of ISIS online. You see kids there is more to all of this than just knocking off some poorly secured sites that the jihobbyists run to end the threat of daesh. Oh, and yeah, by the way call them daesh at least huh? If you do a little reading about them you will learn that daesh loosely translated from their Arabic acronym means “to crush under a boot” they don’t like it.

Anyway, back to what I was saying here. Look, I know you want to help (some of you that is) Others are looking for a quick fix and media attention, which hey, if Mandiant and Crowdstrike can do it so can you right? The main thing though is that if you are going to prosecute a war on terror then you should at least try to be helpful to the IC while you are at it okay? The second thing is that you are all fighting a battle you cannot win here and no matter how you try you are only getting in the way of things in reality. What do I mean? Well, let’s look at it this way;

If you take all the sites down for however long you will only force them to make other sites that are more under the radar. You will be also teaching them about security and you don’t want to be doing that do you? Say, did you see the article from Glenn Greenwald about how Iran learned from our Stuxnet attacks on them and are now a real threat? Yeah, see, it’s a double edged sword kids.

AnonOPS TASKINGS:

http://pastebin.com/RniQXzqx

http://pastebin.ca/2903248

http://pastebin.com/6nPeHM77

I have looked at all your plans and really only one site in the lists there was important to the jihobbyists as a platform of getting the word out. On the other front though, your Twitter war has been interesting to watch as well. Take it from one guy who has been doing this a while *cough jihaditwits cough* it is not really all about taking down the accounts. It’s about learning who the talkers are, who they talk to, and what the pipeline is for propaganda to take down, not just scatter-shot take-downs of accounts. Moreover let’s talk about doxing these guys and providing that to LE huh? I know, I sound like a broken record right? Look, we could use all the help we can get out there.

irhabs

Back to the Twitter war though, let’s talk about this a bit. You see that graphic above? Yeah, those are just a small sample of accounts that I have collected recently. There are ZILLIONS of these guys out there on twitter re-tweeting links to content from Syria and other places. Have you stopped them? What? You haven’t gotten them yet? Let me tell you, you won’t either. The sad fact is this is the biggest game of whack-a-mole there ever was. I recently stopped altogether because I had to take stock of what I was doing. Was it having any effect at all? Even with my targeting of players who were really plugged in was I having a positive effect? Well, I guess I was from the point that I got the fatwa’s and the warnings about the account but in the end I was kind of meh about it so I took a break. I am back though and I wanted to share with you my thoughts on your “digilante” war.

So here are my parting thoughts…

  • MMD, you gotta stop bein so derpy.
  • Anonymous, work smart and not just carpet bomb here
  • Share your dox with LE
  • If you are going to go after Twitter accounts make them count. QUALITY OVER QUANTITY PLEASE
  • Do your research and understand the propaganda war going on here kids. You knock out one channel they will open another
  • Understand that you are teaching these idiots! You will eventually make them smarter
  • It may feel like you are doing something but you really aren’t from the perspective of the GWOT
  • While you may feel like the propaganda war is being won by you, the reality is that they love to be martyrs so you are only going to make them work harder and gather more followers

With all that said, I am sure you will continue doing what you are doing. Even more so once the news cycles start stroking the collective ego’s involved. Just know that you are not stopping them. Stopping them is up to the governments of the world and the military forces that will eventually have to kill or capture them all.

K.

Written by Krypt3ia

2015/02/11 at 16:44

Posted in jihad, Jihobbyists

JIHADI’S HOLD LEGION OF DOOM CON CALL!! WOULD YOU LIKE TO KNOW MORE?

with one comment

fednet

AZIJ XXRZ HMCKIDACVA GZ UZZW!

The Legion of DOOM!

Yesterday the camel’s back finally snapped in my head after reading a post on Harper’s Magazine entitled “Anatomy of an Al Qaeda Conference Call”  which the author called into question the whole story that was put out by the Washington Times and their “anonymous sources”  The paper claimed that Ayman Zawahiri and all the heads of the various jihadi splinter groups got onto their polycom phones and their SIP connections to have a “concall” as we say in business today.

You all may remember the heady headlines in the last couple weeks where the mass media picked up on this story and began scribbling away on how the so called jihadi “Legion of Doom” dialed in for a sooper sekret meeting to plan the end of our Western Civilization. Now, I am sure some of you out there have seen my screeds (140 chars at a time more so recently) on just how we get played too often by the media and the government on some things but this, this is just epic stupid here. If you or anyone you know believed any of this claptrap coming from the media please seek psychiatric attention post haste.

Let me tell you here and now and agreeing with the article cited above, that the “LOD” did not have a skype or asterisk call to plan our downfall. At the most they likely had a meeting of the minds in a chat room somewhere within the jihadist boards out there or had a server set up somewhere for them all to log into an encrypted chat. I lean towards the former and not the latter as they usually lack subtlety online. Though, given the revelations from Mssr “Snowman” I can see how the prudent Ayman would want this to be on it’s own server somewhere and for people to authenticate locally and encrypted on a system that does not keep logs… But I digress…

Suffice to say that a group of leaders and minions thereof got together for a chat on <REDACTED> and that they talked about plans and ideas (from hereon I am going to coin the term ideating) for the destruction of the West and the raising of a new global caliphate. Does that sound familiar to you all? Gee, I can’t seem to put my finger on where I have heard that one before. … So yeah, there was a meeting, there were minions, and there were plans but here’s the catch; NOTHING WAS SAID THAT ALLUDED TO A REAL PLAN! No, really, there wasn’t any solid evidence that prompted the closing of the embassies all over. It was a smoke and mirrors game and YOU all were the captive audience!

As you can see from the article cited there seems to be a lot amiss with all of this now that some reality has been injected into the media stream of derp. Why was this all brought to you in the way it was put out there by the media? Was it only the demented scribblings of one reporter seeking to make copy for his dying paper? Or was there more to it? Was there a greater plan at play here that would have the media be the shill to the duping of the public in order to make them see say, the NSA in a different light in these times of trouble for them?

Makes you wonder huh?

DISINFORMATON & OPSEC

So yeah, a story comes out and there are “sources” sooper sekret sources that are telling the reporter (exclusively *shudder with excitement*) that the Great Oz of the NSA has intercepted a LIVE call with the LOD and that it had scary scary portents for us all!

WE. ARE. DOOMED!

That the NSA had help prevent a major catastrophe from happening because they had the technology and the will to listen in on a conversation between some very bad dudes like Ayman and the new AQAP leaders plotting and planning our cumulative demise.

*SHUDDER*

The truth of the matter though is a bit different from the media spin and disinformation passed on by the so called “sources” however. The truth is this;

  • The “con call” never happened. There was no set of polycoms and Ayman is not a CEO of AQ.
  • The fact is that Ayman and many of the other “heads” of the LOD were not actually there typing. It was a series of minions!
  • The contents of the “chat” were not captured live. There was a transcript captured on a courier that the Yemeni got their hands on and passed it on to the Western IC. (So I have heard, there may in fact be a chance they captured the stream using this guys acct) the Yemeni that is, not so sure it was us.
  • As I understand it, there was nothing direct in this series of conversations that gave any solid INTEL/SIGINT that there was a credible threat to ANY embassies.

There you have it. This has been WHOLLY mis-represented to the Amurican people. The question I have is whether not there was an agenda here on the part of one of the three parties or more.

  • Right wing nutbag Eli Lake
  • The “anonymous sources of intel”
  • The “anonymous sources handlers”

These are the key players here that I would really like to get into the box and sweat for a while. After the madness was over and sanity let it’s light creep into the dialog, we began to see that these so called sources were no more or less better than “CURVEBALL” was during the run up to the Iraq war. In fact, I guess you could say they were less effective than old curveball because we did not actually go into another half baked war on bad intelligence this time did we?

Another question that should be asked here is why was this information leaked in this way to the press on an ongoing operation that I would say might be pretty sensitive. I mean, you have a channel into a chat room (or *cough* con call as the case may be har har) that you could exploit further and yet you decide to close all the embassies and leak the fact that you have closed said embassies because you intercepted their sooper sekret lines of communication?

*blink blink*

Holy what the Hell? What are you thinking POTUS and IC community? Oh, wait … Let me ideate on this a bit….

  • The intel community is in the dog house right now because of the SNOWMAN FILES yup yup
  • So a WIN would be very very good for PR wouldn’t it? I mean you don’t have to hire a PR firm to figure this one out right?
  • HOLY WIN WIN BATMAN! We tell them we foiled their plans using sooper sekret means that the public hates for infringing on their “so called” rights and we can win hearts and minds!

Could it be that simple?

All joking aside though, think about it. Why blow an operational means of watching how the bad guys are talking UNLESS it was never something you really had access to in the first place right? You could win all around here (though that seems to be backfiring) IF the Yemeni passed this along and it was after the fact then how better to make the AQ set abandon the channel by saying you had access to it?

Right…

How better also to try and get a PR win by alluding (ok lying lying lying with pantalones on fire!) that you had compromised (you being the NSA and IC here) said channel! I guess overall the government thinks that the old axiom of “A sucker born every minute” still applies to wide scale manipulations of stories in the media to sway thought huh? Oh and by the way, if any of you out there think this is just too Machiavellian I point you to all those cables dropped by Wikileaks. Take a look at the duplicity factor going on in international realpolitik ok?

Political Wag The Dog

It seems after all once all the dust has settled that either one of two things happened here;

  1. Eli Lake did this on his own and played the system for hits on his paper’s page
  2. Eli Lake was either a witting or un-witting dupe in this plan to put out some disinformation in a synergistic attempt to make the IC and the government look good on terrorism in a time where their overreach has been exposed.

It’s “Wag The Dog” to me. Well, less the war in Albania right? I suggest you all out there take a more jaundiced eye to the news and certainly question ANYTHING coming from “ANONYMOUS SOURCES” on NATSEC issues. It is likely either they are leakers and about to be prosecuted, or there is a cabal at work and DISINFORMATION is at play using the mass media as the megaphone.

Sorry to sound so Alex Jones here but hell, even a clock is right twice a day.

K.

 

Newest U.S. Counterterrorism Strategy: “Trolling”… Say, Doesn’t Someone Already Have The Corner On This Market?

leave a comment »

X

Trolling VS. Jihad

Well, once again I hear a story about CT efforts that I just have to facepalm and say WTF? The story was evidently posted while I was on vacation and not looking to enrage myself with the stupid (thus meaning I was reading Hunter and other classics whilst sitting on a beach) So, someone tipped me off the other day that this little gem was out there. The premise of the story/program is that the Dept. Of State has given the go ahead to this 20-something to put together a coalition of people across the globe to subtly (maybe) troll the jihobbyists and jihadi’s out there online to break them up as groups.

*blink blink*

Really? Sooo, you are going to go on to say Shamikh and start to troll the players there in hopes that you will shame them into dropping the notions of radical jihad? Why am I surprised that a hair brained scheme like this would come out of State? My initial reaction was tempered when I read the piece again and the tempering was that this was going to be aborted before it got anywhere in the first place as the article describes scope creep already and a certain sense of other agenda’s on the parts of the players. In the end, I suspect there will be a failure to launch, but, what if they were to pull their act together? Would this in fact have any net effect on the jihadi’s and the forums they frequent?

I certainly think so… But… Not in the way that the creator of the idea has in mind….

The Psychology of Jihad and Trolling Them:

In reading the article the use of the word “Trolling” is somewhat a misnomer really I think. I would use “cajole” more than troll because the goal here is to subtly shame them and make them not only uncomfortable with wit and sarcasm, but also to lead them to drop jihad. Now, will this actually work? I suppose a dialog with certain folks as peers might actually work if you don’t alienate them with your “wit and sarcasm” but really, take a look at the mind set and the social norms of the people being targeted here. You are going to troll people who, though maybe misguided by doctrine or imam, or their personal histories, are rather devout about their beliefs, to the point that some actually take on jihad literally and go fight.

… And you seriously think mocking them will make them say; “oh, wow, I was being silly”

Good luck with that. Its my feeling that given the nature of the people I have seen/dealt with on the boards, that this will just not work. In fact, in certain spaces (and those spaces are now consolidating rapidly online creating a clearer channel) you will get yourselves banned rather quickly from the board. This too will also cause them to close ranks further and to become very selective about who they let in and who gets to talk, not to mention maybe force their hand to go to other places like the darknet to host their content. So, overall, I just don’t think that this line of action will be productive in any way.

Now, if you are going to go after more “moderate” sources of dialog like muslim.net or some of the other sites out there, you may have more luck and might be the right territory to hunt in and dissuade people from acting on jihad. It’s all a matter of how hard core these people are and how new they are to the whole thing. Sure, AQ/AQAP/Global Jihad is seeking new recruits all the time online but, they are also not really gaining a huge amount of traction there either. I do appreciate the idea of trying to debate these nascent jihadi’s with smart dialog, but, in the end, “trolling” will likely only make them angry, ban you, and then make vague and useless threats. Remember, these are giant crazy echo chambers and it’s not that easy to default them to sanity just by saying they are being stupid.

I would also say that using the moniker of “Troll” for this article on Wired was disingenuous if not just wrong for the circumstances. In the article, further down in graph 2 or three, the creator of the program clarifies that it’s not really trolling per se by the netspeak definition of it. Usually today’s troll is someone who is just maladjusted and looking for an outlet for odious behavior while usually enabled by anonymity. If one were to go troll (trollhard… haha..just had an image of another Bruce Willis movie there) hard at the jihadi’s it would be quite counterproductive. Unfortunately, this kind of thing already has been happening a little bit. It seems that some people have been not only inserting themselves into boards, hacking them, ddos’ing them etc. This has served only to cause them to be much more suspicious and clamp down on security.

This is not what we need.

YOU TROLL ME! I KILL YOU!

In the end, I just see this program having the net effect of creating a bunch of Ahmed the Dead Terrorist skits online…

… And that may be hilarious to some… It just won’t help us in the GWOT.

Written by Krypt3ia

2012/08/08 at 15:21