Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘th3j35t3r’ Category

Shamikh1.info: The New Den of Scum and Villainy


Well, that didn’t take long, did it? At least Evan got one thing right: they’d be back up soon. So, here is the skinny on the new site and the core server that they have stood up. The site is still not fully back online, but this stage of things allows one to get a lot of intel on the server makeup and who is operating/hosting it, because they had a direct link back to the SQL instance. They are setting it up rapidly, as I surmised they would, on the domain shamikh1.info, which was registered in May as the backup domain.

I have begun the work of getting all of the pertinent details on the address owners/ops in Indonesia, so soon all of their details will be available to those who want them. However, just with the short bit of work I have done here, I think you can all get a grasp of who’s where and what’s up, huh? Sure, the server is in Indonesia, and, well, they are rather tepid on the whole GWOT thing, so nothing much may happen…

But..

You intelligence agencies out there looking for a leg up.. Well here it is… Enjoy.

Now, back to the events that brought us to today. The take down of the original site may have been only because someone got into the server and wiped it out, as Evan suggests (without any proof as yet, mind you), or it may in fact be because the site was blocked at the domain level, as I pointed out in my last post on this matter. GoDaddy had suspended the domain, and I am not sure if the mirrors on piradius were working before the alleged attack happened or not. At this point, it is anyone’s guess as to the attack’s perpetrators, methods, and final outcome until someone from the AQ camp speaks up on exactly what happened.

Meanwhile, the media will continue to spin on about MI6 hacking them or perhaps it was those mysterious “Brit” hackers that so many articles mentioned.

“Bollocks,” as they say in England.

DATA:

Domain ID:D38010794-LRMS
Domain Name:SHAMIKH1.INFO
Created On:14-May-2011 00:22:30 UTC
Last Updated On:27-Jun-2011 07:43:57 UTC
Expiration Date:14-May-2012 00:22:30 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:fce7ae13f22aa29d
Registrant Name:WhoisGuard  Protected
Registrant Organization:WhoisGuard
Registrant Street1:11400 W. Olympic Blvd. Suite 200
Registrant Street2:
Registrant Street3:
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90064
Registrant Country:US
Registrant Phone:+1.6613102107
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:06b6ac7646b147ccb6aed6d1f0248d70.protect@whoisguard.com
Admin ID:fce7ae13f22aa29d
Admin Name:WhoisGuard  Protected
Admin Organization:WhoisGuard
Admin Street1:11400 W. Olympic Blvd. Suite 200

Core Server:

IP address: 180.235.150.135

Location: Indonesia


Persons Attached: Daru Kuncoro & Yogie Nareswara

Names of Admins: Yogie Nareswara & Daru Kuncoro

Email Contacts: ahmad@koneksikita.com yogie@arhdglobal.com

Nmap Scan Report:

Starting Nmap 5.21 ( http://nmap.org ) at 2011-07-02 07:39 EDT
Initiating Ping Scan at 07:39
Scanning 180.235.150.135 [2 ports]
Completed Ping Scan at 07:39, 0.32s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:39
Completed Parallel DNS resolution of 1 host. at 07:39, 0.53s elapsed
Initiating Connect Scan at 07:39
Scanning 180.235.150.135 [1000 ports]
Discovered open port 80/tcp on 180.235.150.135
Discovered open port 110/tcp on 180.235.150.135
Discovered open port 993/tcp on 180.235.150.135
Discovered open port 143/tcp on 180.235.150.135
Discovered open port 21/tcp on 180.235.150.135
Discovered open port 443/tcp on 180.235.150.135
Discovered open port 3306/tcp on 180.235.150.135
Discovered open port 995/tcp on 180.235.150.135
Completed Connect Scan at 07:39, 11.74s elapsed (1000 total ports)
Nmap scan report for 180.235.150.135
Host is up (0.30s latency).
Not shown: 958 filtered ports, 34 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql

Tasty, they have a few ports open. Hey antisec skiddies, wanna play with some SQLi?

Meh.
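A quick way to turn the registration record and scan output above into a short list of findings, as an added example that is not part of the original post: it parses the Key:Value WHOIS lines and the nmap PORT/STATE/SERVICE table, then flags a privacy-proxied registrant, a domain created shortly before the observation, a recently changed record, and open services that either should not face the internet or carry credentials in cleartext. The WHOIS and nmap text are trimmed copies of what the post prints; the 90-day and 14-day thresholds, the privacy-marker list and the risky-service table are the editor's assumptions.

```python
"""Triage of the WHOIS record and nmap scan printed in the post.

Editor-added example, not code from the original post. The two text blobs
are trimmed copies of the post's output; the thresholds, PRIVACY_MARKERS
and RISKY_SERVICES are the editor's assumptions.
"""
import re
from datetime import date, datetime

WHOIS_TEXT = """\
Domain Name:SHAMIKH1.INFO
Created On:14-May-2011 00:22:30 UTC
Last Updated On:27-Jun-2011 07:43:57 UTC
Expiration Date:14-May-2012 00:22:30 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Registrant Name:WhoisGuard  Protected
Registrant Organization:WhoisGuard
Registrant Email:06b6ac7646b147ccb6aed6d1f0248d70.protect@whoisguard.com
"""

NMAP_TEXT = """\
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
"""

# Assumption: substrings that mark a privacy/proxy registration service.
PRIVACY_MARKERS = ("whoisguard", "privacy", "protect", "proxy")
# Assumption: services that should not face the internet or that carry
# credentials in cleartext, mapped to the reason to report.
RISKY_SERVICES = {
    "mysql": "database listener exposed to the internet",
    "ftp": "cleartext credentials",
    "pop3": "cleartext credentials",
    "imap": "cleartext credentials",
}


def parse_whois(text):
    """Turn 'Key:Value' lines into a dict; a repeated key keeps the last value."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record


def parse_whois_date(value):
    """Registrar timestamp format seen in the post: '14-May-2011 00:22:30 UTC'."""
    return datetime.strptime(value.replace(" UTC", ""), "%d-%b-%Y %H:%M:%S")


def triage_whois(record, as_of, new_days=90, changed_days=14):
    """Findings about the registration itself, relative to the observation date."""
    findings = []
    registrant = " ".join(
        record.get(k, "")
        for k in ("Registrant Name", "Registrant Organization", "Registrant Email")
    ).lower()
    if any(marker in registrant for marker in PRIVACY_MARKERS):
        findings.append("registrant hidden behind a privacy proxy")
    age = (as_of - parse_whois_date(record["Created On"]).date()).days
    if age < new_days:
        findings.append(f"domain registered {age} days before observation")
    changed = (as_of - parse_whois_date(record["Last Updated On"]).date()).days
    if changed < changed_days:
        findings.append(f"record updated {changed} days before observation")
    return findings


def parse_nmap_ports(text):
    """Rows of the PORT/STATE/SERVICE table as (port, proto, state, service)."""
    return [
        (int(m.group(1)), m.group(2), m.group(3), m.group(4))
        for m in re.finditer(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", text, re.MULTILINE)
    ]


def triage_ports(ports):
    """One line per open service that appears in RISKY_SERVICES."""
    return [
        f"{port}/{proto} {service}: {RISKY_SERVICES[service]}"
        for port, proto, state, service in ports
        if state == "open" and service in RISKY_SERVICES
    ]


def triage(whois_text=WHOIS_TEXT, nmap_text=NMAP_TEXT, as_of=date(2011, 7, 2)):
    """as_of defaults to the scan date shown in the post's nmap header."""
    return {
        "whois": triage_whois(parse_whois(whois_text), as_of),
        "ports": triage_ports(parse_nmap_ports(nmap_text)),
    }


if __name__ == "__main__":
    for section, items in triage().items():
        print(section)
        for item in items:
            print("  -", item)
```

Run as-is, the port side reports the MySQL listener on 3306 plus the three cleartext FTP/POP3/IMAP services, and the WHOIS side shows why the registrant had to be chased through the hosting contacts rather than the registration record.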

Site Contact Data:

Daru Kuncoro:

Yogie Nareswara:

Current State:

Guess they are still working on the server connections… I am sure as well that soon they will have more stealth servers out there in Malaysia. So the mirroring will begin for the SQL instance to do the push from. Let’s see how long it is before this one is taken down, shall we? Oh, and next time an attack happens, let’s all get a lock on how it is happening as well as exactly what it is. I have had enough of the media hype with talking heads who have no idea what they are talking about when it comes to information warfare or network security.

More later.

K.

The force with no name: By Antonia Zerbisias of The Star



OH NOES! THE MACIP’s WEREN’T PROTECTED! I Told You, Th3j35t3r Told You, But Did You Listen? Noooo.



The FBI has joined in the hunt for those who participated in the retaliation attacks against companies that cut off services to Wikileaks, executing more than 40 search warrants across the United States on Thursday, the bureau announced.

In what seem to be timed raids, British police arrested five men Thursday morning who allegedly participated in the Anonymous group’s denial of service attacks on Visa, Mastercard, Paypal and Amazon in mid-December. Anonymous was seeking to bring attention to — and punish — the financial-service companies’ decisions to prohibit donations to Wikileaks. Amazon was targeted after it kicked Wikileaks off its web-hosting service.

OH NOES! THE MACIP’s WEREN’T PROTECTED!

Right now, there are at least several thousand kids in Underoos frantically shredding documents and trying to wipe hard drives because the Feds have finally put the hammer down on Anonymous’ little DDoS attacks on anyone and everyone they feel needs the attention. They thought they were immune; they were naïve…

“With Great Hubris, comes great repercussions” one might say.. Well, hell I just did huh?

The LOIC, as I reported before (link to previous post), was and is a flawed tool. Its coding was such that it did nothing even to attempt to hide the IP addresses of the users who were connecting to IRC and performing the DDoS. Now, partially I think there was a good bit of ineptitude in the programming, but I would also say there was a greater bit of stupidity on the part of everyone involved in the blowback that they are seeing come to fruition with these search warrants being carried out.
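An illustration of the point above, added here and not from the original post or the LOIC project: because the tool connected straight from the participant's machine, the target's web server log holds the participant's own source address, and a count of requests per source over a short window separates the flood sources from ordinary visitors. The log lines are constructed inside the block (two flooding addresses and one normal visitor); the 10-second window and 20-request threshold are assumptions.

```python
"""Finding flood sources in a web server's access log.

Editor-added example, not from the original post or the LOIC project. The
log is constructed below: two addresses hammering one URL and one ordinary
visitor. Window and threshold values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def make_line(ip, ts, path="/", agent="Mozilla/4.0 (compatible; MSIE 6.0)"):
    """Constructed combined-format line (not real traffic)."""
    return (
        f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" '
        f'200 512 "-" "{agent}"'
    )


def build_sample_log():
    """Two flooders and one normal visitor within about a minute (constructed)."""
    base = datetime(2010, 12, 8, 16, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):  # flooder: 4 requests per second for 10 seconds
        lines.append(make_line("198.51.100.23", base + timedelta(seconds=i // 4)))
    for i in range(25):  # slower flooder: still far above a human click rate
        lines.append(make_line("203.0.113.7", base + timedelta(seconds=i * 10 // 25)))
    for sec, path in ((0, "/"), (30, "/about"), (60, "/contact")):
        lines.append(make_line("192.0.2.10", base + timedelta(seconds=sec), path, "Mozilla/5.0"))
    return "\n".join(lines)


def parse_line(line):
    """Return (ip, timestamp, request) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["request"]


def flood_sources(lines, window=10, threshold=20):
    """Map source IP -> peak requests seen in any window-second bucket,
    keeping only sources whose peak reaches the threshold."""
    per_bucket = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        per_bucket[(ip, int(ts.timestamp()) // window)] += 1
    peak = defaultdict(int)
    for (ip, _), count in per_bucket.items():
        peak[ip] = max(peak[ip], count)
    return {ip: count for ip, count in peak.items() if count >= threshold}


if __name__ == "__main__":
    hits = flood_sources(build_sample_log().splitlines())
    for ip, count in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: peak {count} requests in a 10-second window")
```

The source column is the whole story here: a tool that opens its own sockets to the target writes the participant's address into exactly this field, and the aggregation above is the first thing an investigator runs against the seized logs.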

The stupid, as I like to say as a noun, for it has its own power and life today, was immense and dense within the LOIC user base as well as the C&C of Anonymous for allowing it to be used by unsuspecting “skiddies.” The Anonymous leaders will not be fessing up so soon, I think, and making acts of contrition for those who are being popped for using LOIC and downing sites. For this, they are doubly damned in my book because they ostensibly know better and willfully let the kids out there take the fall for their desire of troops on the digital front line.

And… As tacticians, either you are geniuses or, you are just a bunch of #FAIL. I am not sure which it is really.

So, now the Feds have served 40 warrants. Do you think that your advice that I wrote about before of saying that the machines were infected with LOIC is going to play? Or do you maybe think that the gubment is just that dumb and will say “ok” and walk away? Or, do you see those skiddies all going to court, bankrupting their families, destroying their futures, and generally losing any hope of a normal life as just payment for playing the game?

I guess what I am getting at is this; Was this a calculated risk or were you all just dumbasses?

Now, let me posit another little tactical glitch in your plans.. What if, some of the 40 warrants were on people who actually know who you are? Or know someone who knows who you really are? I mean, you are all about being anonymous, but, you seem to have failed on that account lately a bit. So, do you think that these kids, parents sitting next to them in the “box” are not going to quickly roll on you or someone they know who knows you?

Let’s put it this way.. You are thinking “shit, they don’t know me, they only know my MACIP or my Hotmail address!” *blink* So you think that you have been so super slick that you haven’t screwed up somewhere and tied your real identity to such things? Yeah, trust me, you fucked up and the Feds are going to find that chink in the armor. It’s only a matter of time before I expect to see more headlines that read “Anonymous leaders arrested.”

… And when that day comes, I am gonna chuckle and cluck my tongue at you all….

“The FBI also is reminding the public that facilitating or conducting a DDoS attack is illegal, punishable by up to 10 years in prison, as well as exposing participants to significant civil liability,” the FBI said in a press release. The FBI did not announce any arrests in conjunction with the searches.

See that cutline above? Yeah, that one saying that the FBI reminds everyone that it’s a crime to DDoS? Yeah, they kinda mean it. So, just how long will it be ’til the 40 are arrested and arraigned? I dunno, but I can assure you, the PCs have all been red-flagged for the DOJ Cybercrimes lab and are likely already DD’d and being picked through as I write this. Oh yeah, you guys are fucked, fucked with a capital F. I also suspect that there will be more warrants being served on some more skiddies as February rolls by, so keep your eyes on the news kids. You may be seeing them knocking at your door on TV like a bad Geraldo Rivera show, LIVE!

Meh, it all matters not to you now. You all feel self delusionally empowered that you are making a difference with the LOIC…

Say, did you drop that whole other product that Jokey sabotaged your source on? I would if I were you, but wait, you aren’t that bright.. I mean, you couldn’t even protect your source from Jokey… Oh and BTW Jokey, WELL PLAYED! Props to you there even with our differences.

Where was I? … Oh yeah, the delusions of grandeur thing. You know that you are not solely the reason for the things happening in Egypt and Tunisia, right? Sure, there is an element I think on this idea that is true, but you are not the “reason” for the revolts going on. Nope, they have been a long time in coming and frankly, one begets another. Egyptians looked at Tunisia in the news cycle and thought “FUCK! I am tired of the shit here, let’s go protest!” and they have.

Let me tell you the secret, kiddies: it’s not Twitter here, it’s BBC, Al-Jazeera, and other news sources on the radio that have incited these revolutions. Not you… Sorry. You see, that has been the history of the whole thing all along. Why do you think that revolutionaries take over the radio and TV stations first, huh? They take command of the media to let the word out and stop the other guy’s propaganda to put their own out.

Wipe that spittle from the corner of your mouth and get your head off the school desk son! PAY ATTENTION!

I guess history escapes the new digital facey-space TMZ, Youtube generation… Anyway, back to the point. You are not playing the game well Anonymous. You are burning your troops and in the end, you will all get to see each other in court soon enough. You, like Assange, have become all too full of yourselves to realize that you are screwing the pooch and you are too blind to see it.

Next time you want a revolution.. Plan the security better.. AND for God’s sake read a little Sun Tzu!

EDIT: It seems that my alma mater is now involved with the LOIC MACIPs. One of the morons at UConn got popped in one of the 40 raids!

Derp Derp DURRR http://tinyurl.com/4p8bjkp

Krypt0s

Written by Krypt3ia

2011/01/29 at 11:24

Wikileaks to the Left of Me, Jokers to the Right, Here I Am Stuck in the Middle With You.

Well, it’s been an interesting week, hasn’t it folks? We have Wikileaks leaking interesting, if not earth-shattering, cables from US embassies around the globe. We have the US’ knee-jerk reactions that are akin to a young girl’s naked photos being leaked on her Facebook page, crying foul and shaking their impotent fist at the “internets”. And we have a court jester who, it seems, may have bitten off more than he could chew this time around and has gone into semi-hiding after claiming a DoS that many in the security field feel was “weak,” as one put it.

So, let’s cover my thoughts on the week’s events by the numbers…

1) Wikileaks and CableGate

Ahh, the infamous “CableGate,” as the Wikileakers have named it for maximum effect. Cables that give the inside skinny on what people see as ambassadors and analysts in the foreign service of this country. After the dumps, I am still nonplussed by the contents of the cables. Perhaps this is because I read quite a bit and know people who have been in the service. Maybe it’s because the reality of the documents’ data is already common knowledge to those who pay attention to world affairs and read the news. Some of them, though, really do hold a few interesting gems on actions that we have taken with other countries that may seem to the layman as being shifty or dirty.. But if you leave this country and actually work in others, you will see that sometimes you have to do things as it was once said before: “si fueris Rōmae, Rōmānō vīvitō mōre; si fueris alibī, vīvitō sicut ibi.”

Is it so hard to believe that bribery is rampant in other countries such as Pakistan? Do you really think that Russians don’t hit the bottle really hard and then have gunplay as they make deals at weddings for territory and power? If any of you reading this blog are shocked and amazed by all this and that we as the United States have to placate these people with backdoor deals, then, well I just don’t know my audience, while you, the reader are exceedingly naive and should wake up to the realities of how the world works.

I’ll give you a hint right here, right now. There are no white knights, and Superman is a comic. “Truth, Justice, and the American Way” is just a saying that placates us to believe that we do things above board all of the time, and as Dr. Gregory House says, “Everyone Lies.” It’s just the reality, kids. So, when the Wikileaks folks get their shorts in a bind over cables like these I tend to think that they are all Pollyannas that don’t know what real criminality is because, once again, these documents are not equivalent to the Pentagon Papers. Had Wikileaks dropped a bundle of docs that showed in clear and no uncertain terms that the WHIG, Cheney, and their ilk clearly fabricated every bit of data that they used to prod the US to invade Iraq, well, that would be another story.

But again.. We don’t have that, do we? What we do have is some dirty laundry, and that has tickled the fancies of us all because we abhor “secrets.” Not so much that we hate them for their sake, but that we want to know them! We are inquisitive and always love to be one up on the other guy. So after this big dump, where is the outrage? The protesting? The shoe banging by the UN and other nations that were promised?

*tumbleweeds*

Yep, no one really cares enough to say that these are all shocking and storm the government looking for redress. So, on that account I side with Jester and give it all a #FAIL. Which brings me to the organization itself and its newfound pariah status. I will also go one step further and give a #FAIL to the United States of America’s efforts regarding Julian Assange, INTERPOL’s new #1 bad guy.

2) Julian Assange:”No Glove, No Love Gate”

Julian Assange has issues, I think. His issues stem from a great heaping load of hubris as well as ego, but then there is the side of him that I think is just plain adolescent idealism. The idealism was what drove him to this model of Wikileaks, but soon enough it was the ego and hubris that took over the driver’s seat. What Wikileaks has become is more a terribly petulant child shrieking about not getting a lollipop than an organization attempting to change the world by “freeing the data.”

The troubles that Wikileaks has had with attrition of staff recently show that Assange has become drunk on the status of being able to poke at nations and get their ire. It’s somewhat akin to a little brother taunting a big brother just for the attention that he craves.. Which reminds me of another party in this little passion play that I will speak of below. For now though, my focus is Julian and the United States of America’s play to have him become the next Osama Bin Laden.

The reaction to these dumps on the part of the US Government has been poorly thought out, at least on the face of it recently. By leveraging (assumed) the Swedish and other governments to put Assange on the “RED” list for INTERPOL, for alleged consensual sex sans condom (or perhaps rape; it’s fuzzy with all the reports out there as to what really happened), the US has only shown its weakest face. The charges are weak, and the placement of someone being charged only with the crime cited shows just how much the US would like to get their hands on Assange, but they know they don’t really have a case.

What’s more, these senators out there now calling for Assange and Wikileaks to be deemed a “Terrorist Organization” are just out of their minds to even attempt to propose such a thing. THIS shows though, just what Assange and others are alluding to when they say this government is corrupt and or over-reaching in secrecy, surveillance, and general use of chicanery.

And on that account, I am agreeing with Assange and Wikileaks. The US has in fact reacted like that big brother being taunted by the little one and is attempting to haul off and slug him without mom or dad seeing it. What’s worse is that I am sure the US is working on a plan to have Assange kept somewhere if not able to find a legal leg to stand on to bring him here to the states and put him on trial.

Of course there is the off chance that any country now might just be afraid enough of Assange as the titular head of the organization to not only allow the US to take him, but also for some, to just do away with him by having a “convenient accident” occur.

Some secrets, as countries and people do the mental calculus for them, are worth the price of a life or lives. No matter the laws or executive orders…

Of course Wikileaks’ current data does not in the least constitute anything close to one of those secrets worth whacking him. So, the show will go on trying to get him into custody. He will be the martyr to his followers and I am sure that Wikileaks will become an even more powerful organization because of the poor handling of this case. In the end, the US will only ham-fistedly attempt to cover up the fact that the SIPRNET system was not being monitored as per policy and procedures mandated by the military and government. This allowed a low level PFC analyst to steal nearly half a million documents from an alleged “secure system.” This very same government created the likes of the DHS and TSA to keep us all “safe” from terrorists. I guess they just took a cue from the Bush administration and thought that a banner saying “mission accomplished” was just as effective at ending a war as a banner that says “This system is protected and may be monitored” was at protecting secrets.

Hubris and the emperor has yet again been shown to have no clothes.

So, my suggestion to the US government and the military would be to actually clean up their act and perform the due diligence that they need to carry out to protect their “secrets” from being stolen so easily, and forget about trying to “get” Mr. Assange for this. The damage has been done and unless you do a better job at protecting the assets you hold, then sure as shit, it’s going to happen again and the next time, it may be even worse.

3) The Wikileaks Zeitgeist and The Hacker Manifesto

Meanwhile, an interesting factional fracture has taken shape within the internet and specifically, the information security community. This has been something to watch on Twitter specifically as people on my #flist have been polarizing between saying much the same as me and others who are diametrically opposed to the government, secrecy, and the call for free access to information. Why this is so interesting to me is that many of these people who are on the feed are in fact workers within the information security industry. In short, those who are tasked with securing peoples information on a corporate and sometimes government scale.

“This is our world now. The world of the electron and the switch; the beauty of the baud. We exist without nationality, skin color, or religious bias. You wage wars, murder, cheat, lie to us and try to make us believe it’s for our own good, yet we’re the criminals. Yes, I am a criminal. My crime is that of curiosity. I am a hacker, and this is my manifesto.” Huh? Right? Manifesto? “You may stop me, but you can’t stop us all.”

The Hacker Manifesto by The Mentor

The above quote seems to be the zeitgeist for many of the Wikileaks proponents. The information must be free and flowing. I am afraid that the reality is much different from this credo. Even more astonishing is that anyone who does actually work in the security industry would not have some pause about what Wikileaks is doing and perhaps take time to ensure that it is indeed being taken to task for its aegis. It seems to me at this time, post the machinations on the part of the US to deny Wikileaks access to DNS and site hosting, that the screeds are somewhat warranted, but still, they seem naive to me.

Then there is the thought that anyone who is working to secure people’s data (which are secrets or confidential) might be more scrutinized by anyone employing them “if” they are overly vocal in support of Wikileaks, a smart person might take the middle road on these things. Instead I see more wailing and moaning out there than I do calls for re-organization and rigor in what Wikileaks is doing. After all, it is pretty much singularly run by Mr. Assange, and you know my pov on his psyche.

I think that the security community needs to take up this issue and really hash it out. There are some big issues that need working out.

4) Staying Frosty? Really? Doesn’t seem so…

Lastly, lets take a look at the events surrounding Jester. You all know that I had my run in with him back last January. He DoS’d me a few times (not hard to do on a single IP running a low rent file server really) and made calls out to everyone that I was a terrorist sympathizer. It became clear to him that he had screwed up on that account because he did not do his homework and find out who I was and what I do.

We had words.

In the end, I am still here and still doing what I do. I have my reasons for my posts and for the work I do here as does Jester for what he does. However, I still feel that his methods are trivial in the fight against terror and his psyche is more that of a person with poor impulse control than any ex special forces operator that he would like you to believe he is. I think his motivation is more driven by a need for attention than it is for actual disruption and dismantling of terrorist networks online. You see, were he a real operator, then I think it would be much easier to make your hits even more ominous (were they not only for 30 minutes at a time) by saying nothing. This would leave it open for much speculation that the governments of the world are indeed carrying out the cyberwar. Instead, we have the legend of a lone patriot hacker saving us all from internet terror… But his services are not that unlike Domino’s Pizza: you can get it for 30 minutes or less and only with a couple of toppings.

Now though, the stakes are higher as he has decided to up the ante and attack Wikileaks. Which, I think he has begun to now understand, may have been a tactical error in a number of ways. You see, at first he was just hitting undesirables, jihadist sites outside the country. Sure he was pissing off some in the intelligence community, but for the most part people ignored him because he was not performing any kind of substantive attacks that effected change. The jihadis kept on talking on the same sites that they mirrored. In fact, they moved on to other areas like YouTube and Facebook unabated and often completely in the open. The jihadists didn’t care, and thus his fame died down… Until he targeted Wikileaks.

Since his claimed attacks on WL, he has been in the news more and more. Of course the big question became was he the sole source of the attacks that ended up bringing a 10gig a second hose being aimed at the WL Cablegate site? Was there government involvement there? Was he actually capable without help in doing this kind of attack with his Xerxes product? Those were all the questions that were going through my mind and I am sure others within the security community. Well, here is one answer that I have dug up.

Jester and others had recently been talking about “server time” in the #jester IRC; it is possible that the server time could be a source of the 10 gig per second data flow. I can foresee the installation of Xerxes on more than one box and using the big pipe to do the hit. This is supposition on my part, but he did indeed talk to Mach and rjacksix about a request in a chat transcript.

As stated by the media and certain security analysts when asked about the Jester attacks, the consensus was that Jester had not done a stellar job at bringing down Wikileaks and in fact, as I said before here, that the attack was “weak.” So, was the 10 gig a combined effort on the part of the likes of “anonymous” or 4chan? We may never know.

Since the initial DDoS and claim by Jester, there have been some interesting if not really odd events in the last week. The biggest of these being the tweet ostensibly by Jester that his house had been raided by the local PD and his equipment confiscated. Yet, he was still able to re-access the internet and create a brand new domain name “th3j35t3r.net” and twitter account @th3j3st3r from whatever resources he could get to get online. The new site at the new domain was a clone of his WordPress site and both it and the new twitter account began to post data BAU. Shortly thereafter though, the site and the twitter account began to speak of a “legal fund” that Jester had begun and in fact, that if he reached 10K of funds, he would port and release Xerxes to the public.

After two donations though (see picture at the top of page), one of them being from Tom Brennan ($100.00) from OWASP? and another for $50.00, the site was pulled down. The donations site was run through PayPal and gofundme.com. Shortly after the take down, the domain began to forward to Jester’s original WordPress site. As this was happening, the original Jester twitter account made a statement that in fact the new site and twitter feed was an “imposter” and that he now had control of the situation. This begs some questions though, as the domain suddenly and swiftly began to forward its DNS to Jester’s site. Just how did he gain control so quickly?

Or, was it under his control the whole time?

It’s my belief that Jester was in control the whole time, but as to his motivations in doing this? I have no real clue other than perhaps this was a false flag to get people off of the trail. I think that perhaps at this time, he began to realize that when Wikileaks moved their domain to Amazon, he was crossing a line he hadn’t before and committing a potential crime that the US law enforcement community would follow up on. Maybe he just lost his nerve a bit..

Perhaps, as I said before, his habits were actually starting to become his undoing… You see, his acolytes now might be his Achilles heel.

Jester has for some time now, hosted IRC channels in various places, but he had been frequenting #2600 #jester. In this channel he had conversations with people who drifted in and out. However, often he had a few key people he talked with.

One of them is @rjacksix

http://twitter.com/rjacksix

http://www.internetevolution.com/profile.asp?piddl_userid=10389

http://wolfcreekbaptist.com/

http://www.dc406.com/

http://dc406.org

Robin Jackson  (406) 422-4685 or 406-465-0354 Helena Montana

blackcat[@]dc406[.]org

I know Robin from a rather bilious response on my blog as Jester was attacking me that said that I was a traitor blah blah blah. Rjacksix has been a chatty fellow and from his own accounts on the IRC and in other places, has claimed to know Jester well, has worked with him, and defends him when people dis his pal. The question I have is this.. Robin, are you in fact Jester? If not, then I am sure some people will be calling on you, if they haven’t already, asking just who he is. Several reporters and los federales have this data now too.. Perhaps you have gotten some calls recently? Like, say, Monday or Tuesday? Yeah…

Coincidentally, rjacksix and Jester have been missing from the IRC chat since Monday/Tuesday..

Why?

The attacks on Wikileaks were a critical mistake; the attention is going to be trouble for you both, and now doubly so that one thing has happened. Someone made the claim that they would port Xerxes and release it to the kiddies. You see guys, that right there is of MAJOR interest to the feds. They do not want this tool out in the open for anyone to use if they can avoid it… That is, until they can come up with a means to combat the attack, which is already being worked on in certain quarters I am sure (pcaps in hand). So, the jig may be up by your own hands, Jester/Robin, through this little stunt with the donation scheme. Even more so now that actual money was “donated” to the cause.

Oh well, Jester, you have the attention you have been seeking in spades. Your goal has been achieved for that. However, your techniques and your tool seem to have fizzled in really having great effect against either of your targets.

TANGOS NOT DOWN #FAIL

CoB

Written by Krypt3ia

2010/12/04 at 15:33

Al-Ansar Jihadist Site: Mapping Jihad


Seeing the traffic lately on Twitter between @allthingsct and Jokey, I thought it prudent to once again put some perspective on jokey’s little venture and how futile it really is. So, I bring to you this report I have generated on “Ansar-AlJihad”, a consortium of sites that are run by the same “persons” of interest and serve up jihadi content and links.

The picture above is a stealth mirror site of Ansar. The site is located in the US on a server that I assume the owners do not know has been compromised. This is just one of twelve sites that Ansar has stood up on varying servers and domains. Several of these sites reside on IP addresses based in the US, under registered domains whose owner claims to be in Brussels.

The stealth site is physically located in Provo UT:

While the other sites primarily reside in Washington State:

The last site is physically located in Malaysia, which interestingly enough is a very active area for jihadi activity these last few years. All of these sites though, mirror the data that is updated consistently over all sites. Thus, should any site be taken down or denied service, one can just go to the next in line located on the main page, and get your jihadi content.

The addition of the stealth site proves the point that even IF all of the sites were to be taken down, they would indeed fall back to the stealth-site strategy and just keep popping sites to upload to. So, jokey’s little idea that just annoying them offline forever will make them go away is a fallacy at best and half-baked logic at worst.

Meanwhile, let’s consider the other way to deal with these sites: tracking them, their users, and their data.

By looking at the domains, the home IP addresses, and the links as well as the data on these sites you can get a pretty good picture of who may be setting up these sites and who may be using them. In the case of Al Ansar, I was able to use Maltego to get a line on one site of interest that gave up a solid name and email address.

Maltego graphs here:

Maltego made the connection between the Ansar site and three Blogspot accounts. The one of most interest was pathtomartyrdom.blogspot.com:

The owner of this site actually used a hotmail address and a name to set up the blog.

hassankhalid025@hotmail.com

This address was used in a few posts on Yahoo and not much else. However, I am sure that the authorities would be able to talk to M$ about opening that one up and seeing who said what to whom. Of course, given the recent flap with Cryptome and the M$ guide for LEOs, I am quite sure they have all the logged traffic and can provide it when asked.

So, as you can see, with a little footprinting, a little digging, and some patience, you can do a lot more than just DDoS a site offline. You can in fact provide the authorities with the data needed to maybe catch these guys instead of driving them under the digital carpet.
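The footprinting described above boils down to link analysis: sites that share an IP, share a registrant, or link to each other get pulled into one cluster, which is what makes the mirror network visible as a single operation. The block below is an added example of that clustering (not the post's Maltego work and not the real sites): it uses union-find over constructed records with hypothetical example.* domains and documentation-range IPs, and reports which shared attribute joined each pair of sites.

```python
from collections import defaultdict

# Constructed infrastructure records for hypothetical sites; the names, IPs and
# registrant addresses are placeholders, not the sites or owner discussed in the post.
# Each record is (site, attribute type, attribute value); a "link" value is another site.
RECORDS = [
    ("mirror-a.example", "ip", "198.51.100.10"),
    ("mirror-a.example", "registrant", "registrant-one@example.net"),
    ("mirror-b.example", "ip", "198.51.100.11"),
    ("mirror-b.example", "registrant", "registrant-one@example.net"),
    ("mirror-c.example", "ip", "198.51.100.11"),
    ("mirror-c.example", "link", "blog-x.example"),
    ("blog-x.example", "registrant", "registrant-two@example.net"),
    ("lonely.example", "ip", "203.0.113.5"),
    ("lonely.example", "registrant", "registrant-three@example.net"),
]


class DisjointSet:
    """Union-find with path halving; one root per cluster of connected sites."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_sites(records):
    """Group sites that share an IP or registrant, or link to each other.

    Returns (clusters, pivots): clusters is a sorted list of sorted site lists;
    pivots maps each shared (type, value) to the sites it joins, so an analyst can
    see which attribute tied two sites together rather than just that they are tied.
    """
    ds = DisjointSet()
    by_attr = defaultdict(set)
    for site, kind, value in records:
        ds.find(site)                      # register the site even if it shares nothing
        if kind == "link":
            by_attr[("link", value)].update({site, value})   # a link is an edge to that site
        else:
            by_attr[(kind, value)].add(site)
    for sites in by_attr.values():
        first, *rest = sorted(sites)
        for other in rest:
            ds.union(first, other)
    groups = defaultdict(list)
    for site in list(ds.parent):
        groups[ds.find(site)].append(site)
    clusters = sorted(sorted(g) for g in groups.values())
    pivots = {key: sorted(sites) for key, sites in by_attr.items() if len(sites) > 1}
    return clusters, pivots


if __name__ == "__main__":
    clusters, pivots = cluster_sites(RECORDS)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for (kind, value), sites in sorted(pivots.items()):
        print(f"  shared {kind} {value}: {' <-> '.join(sites)}")
```

On the constructed records, mirror-a, mirror-b, mirror-c and blog-x collapse into one cluster (registrant joins a and b, IP joins b and c, the outbound link joins c and blog-x), while lonely.example stays on its own; a single shared attribute is enough to pull a "stealth" mirror into the group, which is the point of keeping the pivots alongside the clusters.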

My hope is that these sites are already in the hands of the authorities here in the states and that their traffic is being logged. It would be great to see the server set up to take full captures, so that even if the jihadists were using proxies those could at least be tracked too. It’s all links in a chain that can be followed to the source.

It may also be a key practice that these sites are not only watched, but also actively added to by the authorities here. One would hope that they are members on these sites as well, adding content to “disinform” the jihadis and catch them in the act.

Ahh well.. One can hope huh?

Needless to say, I have posted the findings report to the feds and will wait to see what they do…

CoB

Fair and UN-Balanced


Hacktivist Tactics Raise Ethical Questions

Wednesday, January 27, 2010

Contributed By:
Anthony Freed



By Anthony M. Freed, Director of Business Development at Infosec Island

Recently we have witnessed the emergence of international hacktivist and vigilante “the Jester” through his crusade against jihadi and militant Islamic networks, and some third party networks that contain evidence of having been infiltrated by rogue elements.

Jester’s activities raise an important question: Where do cyber vigilantes fall on the infosec ethics spectrum?

That is the issue my fellow editors and I have been wrestling with while considering our options for covering the Jester’s exploits – on the one hand, he is acting against some very unsympathetic targets, including the website of the Iranian president.

But on the other hand, he is employing what would be considered Black Hat tactics which violate multiple international and domestic laws, as well as possibly interfering with covert intelligence operations.

Full article Here:

So, this is the new story making the rounds on Twitter, LinkedIn and other places on the internet concerning jester. In reading this article, the writer says he “mostly” agrees that what jester has been doing is wrong; however, I do not think he really believes it completely. In fact, I think that Mr. Freed is just looking for a good byline that will be picked up by the mainstream media and thus give him more exposure.

Anyone who reads my blog here will already know the saga between the jester and me. Suffice to say jester is a pedant and I am tired of the whole affair. However, when I saw this article and how much this “reporter” seems to be soft-pedaling the story with a bent toward jester as a “patriot”, it made my blood boil. This is especially true considering the emails between him and me just after my first run-in with jester. I have made it quite clear that I have no affinity for his methods and feel that overall his methods are ineffective if not downright useless.

The legality of his methods also does not fall into a grey area of whether or not it is a moral issue. It’s simply illegal, by law, to carry out a DDoS attack. So, there you have it. Instead, Mr. Freed is making this more than it is, and with this article is drumming up more applause for an “alleged” former soldier who is impassioned to move against jihad online.


Emails from Anthony Freed:

LinkedIn
Anthony M. Freed has sent you a message.

Date: 1/28/2010

Subject: RE: Q about your crabbyolbastard site

I didn’t say he vets his targets – he did. I am not a blogger, so I don’t tend to write overly emotive or subjective pieces. My intention is to provoke some consideration of the larger issues at play.

I was clear that I do not support Black Hat tactics, or meddling in intel ops.

And I am in contact with the authorities – I am working with both the FBI and a fmr White House CIO on the issue.

Please reread the article, because I just don’t see your point with these criticisms – perhaps you are too emotionally involved with this story to be objective?

It seems you have pretty much ended what could have been a good relationship for you with Jester by being so combative.

I continue to have lengthy daily chats, and will continue to cover his exploits objectively.

Feel free to join the discussion.

Thanks!

On 01/28/10 5:09 AM, Scot A Terban wrote:
——————–
Anthony,
Kind of a one-dimensional piece there. He vets his targets? He certainly did not vet mine. Jester is more than one person, and the one who DoS’d me for spite 30 minutes at a time is no special operator. Other responses in my comments purporting to be jester belie another writer with more control.

His argument of coin is bogus too. As I pointed out before, these sites are mirrored and multiple as you can see from the maltegos I have been generating. He is only hitting the “popular” or well-known sites. There are many more out there he is not touching nor likely knows are there.

I suggest you talk to some JTTF types or other intel operators to get an opinion other than jester’s on mode of operation and effect.

Cheers,
S.

Mr. Freed, my problems with your story are clear here. You do not call jester into question or investigate him at all. You do nothing but become a mouthpiece for him, and that is not reporting; it is commentary or propaganda. Even more importantly, your lack of understanding of why I was unable to stomach your story is driven further home when you remark that I passed up a chance at being friends with jester because I was combative.

You miss the point sir and I do not know how I could have made it more clear.

I do not wish to be his friend and I do not approve of his methods. I never have.

Now, on to your comment on being objective. How can you be objective when you say you are working with the authorities? Are you just stringing jester along here? I mean, at least I have told him outright what I think of him. You sir, seem to be using jester as much if not more than he might be using you for attention.

Such Hubris.

You’ve been burned buddy.

Written by Krypt3ia

2010/01/29 at 02:09

DD0S

1.16.2010 DD0S


122.166.145.121:26201 ABTS (Karnataka),
122.166.145.121:26205 ABTS-KK-dynamic-121.145.166.122.airtelbroadband.in
122.177.210.215:62585 ABTS-North-Dynamic-215.210.177.122.airtelbroadband.in
153.91.127.62:49462 CMSU-NET
166.137.138.217:52732 mobile-166-137-138-217.mycingular.net
174.129.104.29:19365 AMAZON-EC2-5
195.148.124.67:44787 tor-exit.research.netlab.hut.fi
206.53.157.33:34759 Research in motion
207.46.199.180:34748 Microsoft
208.74.66.38:56268 Centauri Comms
212.42.236.140:34414 torproject.org.all.de
216.129.119.81:40460 Layer42.Net, Inc
216.24.142.46:36536 flx1-ppp46.lvdi.net
216.24.142.47:30721 ViaWest
216.24.142.47:30790 ViaWest
217.109.117.196:3039 FR-METALLERIE-VILLEMIN
38.105.83.12:1045 PSINet, Inc.
58.120.227.83:53110 skbroadband.com
62.141.58.13:33615 gpftor3.privacyfoundation.de
64.13.147.189:65129 Silicon Valley Colocation, Inc.
65.28.107.32:56901 Road Runner HoldCo LLC
66.249.65.154:56038 crawl-66-249-65-154.googlebot.com
66.65.83.160:1129 Road Runner HoldCo LLC
66.90.75.206:33389 tor-proxy.fejk.se
67.187.160.163:64024 COMCAST
67.218.99.195:36592 Layer42.Net, Inc.
68.171.233.136:36907 68-171-233-136.rdns.blackberry.net
69.171.160.51:2915 Cricket Communications Inc
71.163.48.147:52814 pool-71-163-48-147.washdc.fios.verizon.net
72.13.91.40:50761 Edgios Inc.
72.134.34.115:3023 Road Runner HoldCo LLC
72.24.119.58:64443 CABLE ONE Inc.
75.18.162.20:55596 adsl-75-18-162-20.dsl.pltn13.sbcglobal.net
76.14.6.39:65380 Wave Broadband
76.21.215.156:50094 c-76-21-215-156.hsd1.dc.comcast.net
76.64.53.68:60084 bas1-toronto48-1279276356.dsl.bell.ca
78.111.32.200:2998 TELINEA BOSNIA
78.142.140.194:49621 SIL-UBIT
83.149.199.54:29898 dvina.ispras.ru
85.114.136.243:36674 SK-Gaming via gamed.de Gameserver
89.151.116.54:41502 Asuk Creative Limited
91.121.85.14:52998 OVH SAS
92.228.132.21:62133 g228132021.adsl.alicedsl.de
93.182.186.79:56824 anon-79-186.ipredate.net
97.125.27.9:51773 97-125-27-9.eugn.qwest.net
98.90.16.193:61547 adsl-90-16-193.mob.bellsouth.net
1.17.2010 DD0S


109.196.50.26 ip-109196050026.syrion.pl
121.162.45.7 KORNET TOR node
123.243.14.14 123-243-14-14.static.tpgi.com.au
125.160.110.139 139.subnet125-160-110.speedy.telkom.net.id
137.99.167.41 d167h41.resnet.uconn.edu
166.90.142.9 nat.kosmix.com
166.90.142.9 nat.kosmix.com
174.6.186.66 SHAWCABLE.NETE.NET
192.251.226.206 BLUTMAGIE Olaf Selke
193.86.233.2 anonymizer2.blutmagie.de
201.13.162.63 201-13-162-63.dial-up.telesp.net.br
204.8.156.142 cs-tor.bu.edu
208.187.80.130 goliath.word-to-the-wise.com
209.44.114.178 pasquino.netelligent.ca
216.224.124.124 tor-exit.aof.su
217.114.215.227 hosted-by-vps-hosting.co.uk
38.103.37.243 Exploit Prevention Labs
58.65.72.42 SCSNET-CATV-SEOKYUNG
61.32.46.4 BORANET-1 Seoul
62.75.185.133 tor-readme.spamt.net
64.252.57.54 64-252-57-54.adsl.snet.net
66.230.230.230 Neucom Inc.
71.224.152.176 c-71-224-152-176.hsd1.pa.comcast.net
87.118.104.203 spftor1.privacyfoundation.de
89.77.30.227 chello089077030227.chello.pl
91.121.67.117 isp.futursite.net
96.225.135.36 pool-96-225-135-36.nrflva.fios.verizon.net


Pcaps have been parsed; there is much too much for a full disclosure, and besides, I don’t want to give out everything. The pcaps and forensics report have been passed to the authorities carrying out the investigation, to add to the other data that they have gotten elsewhere.

The basics of the attack as of his last hit on me are these:

  • Using TOR nodes, as well as perhaps a proxy, but most likely just Tor sessions. If he were being sneaky, though, he would be proxying to a box that then has poisoned Tor nodes at its disposal.
  • Other compromised or complicit machines are also being used (their admins will be contacted by the authorities). I am sure there are thousands of these botnet machines that the C&C can use. The irony is that trying to stamp out the compromised C&C boxes is kinda like trying to DoS all the jihadi websites out there: for every one you take down, there are five more mirrors out there for content to be broadcast from.
  • Much of the traffic was being sent from the EU, concentrated in Germany, but there was also some from Korea.
  • 30 minutes at a time. Either he is paying for increments of time from a botherder, or the Tor nodes throttle him out, as this is something they do to try to prevent this type of misuse.
  • He’s using a combination of SYN/FIN TCP segments to flood the system with junk and hose the webserver.
  • In the last attack he was using what looked like canned scan scripts to flood the server with junk requests for different protocols/ports, etc.
  • He seems to have been using a C&C system that would call up a JavaScript to check whether the DDoS was in fact working. Now, if the script was running from the home IP address of the box initiating the attack, then perhaps the GETs, like the one from the FiOS address, were actually his box looking for a file. Or maybe it was someone working with him… or them.
  • The FiOS address made a DIRECT request to my webserver for a WMV file. That file has only ever been linked from my WordPress blog, some time back. This access coincided with the timing of the attack and could serve as a way of seeing how the server was responding: by watching the download bar one could tell just how horked the system was. As well, initiating the download would consume much of the server’s bandwidth, making the attack work even faster. Would he be so foolish as to actually make this mistake? He is rather full of himself, so, yeah, he seemed to think that I was some IT auditor without skills, so maybe he just got lax. Maybe he is just a stupid kid with impulse issues…
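The source lists above and the attack summary describe the two things a defender pulls out of a capture like this: which sources are bare SYN/FIN flooders rather than clients that complete a handshake, and how many of them are Tor exits or anonymising proxies versus ordinary access networks. The block below is an added example of that triage, not the post's own pcap analysis. It works on a constructed, simplified flow log rather than a real pcap; the hostnames are borrowed from the lists above, but the timestamps, flags and counts are made up, and the classification scheme and the threshold are this example's assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Labels for a source from its reverse DNS or WHOIS owner string. The anonymiser tokens
# follow the naming in the lists above (tor-exit, blutmagie, privacyfoundation, ipredate);
# the bare "tor" token must have no letters on either side so "toronto" is not caught.
# The classification scheme itself is an assumption of this example.
ANON_RE = re.compile(r"(?<![a-z])tor(?![a-z])|tor\d|torproject|blutmagie|privacyfoundation"
                     r"|anonymizer|anon-|ipredate", re.I)
HOSTING_RE = re.compile(r"amazon|ec2|ovh|colocation|vps|layer42|viawest|hosted-by", re.I)
CRAWLER_RE = re.compile(r"googlebot|crawl", re.I)


@dataclass
class Conn:
    t: float      # seconds since the start of the capture
    flags: str    # TCP flags on the segment: S, F, A, SA, PA, FA ...
    ip: str
    port: int
    host: str     # reverse DNS or WHOIS owner, in the form the lists above use


def parse_log(text):
    """Parse constructed 'T FLAGS ip:port host' lines (a simplified flow log, not a pcap)."""
    conns = []
    for line in text.strip().splitlines():
        t, flags, addr, host = line.split(maxsplit=3)
        ip, port = addr.rsplit(":", 1)
        conns.append(Conn(float(t), flags, ip, int(port), host))
    return conns


def classify(host):
    if ANON_RE.search(host):
        return "tor/anon"
    if CRAWLER_RE.search(host):
        return "crawler"
    if HOSTING_RE.search(host):
        return "hosting"
    return "access-network"   # residential, mobile, campus and everything else


def per_source(conns):
    """Per source IP: bare SYNs, bare FINs, and segments that carried an ACK."""
    stats = defaultdict(lambda: {"syn": 0, "fin": 0, "ack": 0, "host": ""})
    for c in conns:
        s = stats[c.ip]
        s["host"] = c.host
        if c.flags == "S":
            s["syn"] += 1
        elif c.flags == "F":
            s["fin"] += 1
        elif "A" in c.flags:
            s["ack"] += 1
    return stats


def flood_sources(conns, threshold=20):
    """Sources that sent at least `threshold` bare SYN/FIN segments and never an ACK.
    A busy client that completes handshakes is not a flood source."""
    return {ip: {**s, "class": classify(s["host"])}
            for ip, s in per_source(conns).items()
            if s["syn"] + s["fin"] >= threshold and s["ack"] == 0}


def attack_window(conns, floods):
    """(start, end, duration in seconds) of segments from the flagged sources."""
    ts = [c.t for c in conns if c.ip in floods]
    if not ts:
        return None
    return min(ts), max(ts), max(ts) - min(ts)


def report(conns, threshold=20):
    floods = flood_sources(conns, threshold)
    win = attack_window(conns, floods)
    return {"flood_sources": len(floods),
            "by_class": Counter(v["class"] for v in floods.values()),
            "window_s": None if win is None else win[2]}


def build_sample_log():
    """Constructed traffic, not the post's capture: three anonymising exits send bare SYNs
    and one DSL host sends bare FINs every 30 s for about half an hour, while a crawler
    and a residential client complete ordinary handshakes."""
    attackers = [("195.148.124.67", "tor-exit.research.netlab.hut.fi", "S"),
                 ("62.141.58.13", "gpftor3.privacyfoundation.de", "S"),
                 ("193.86.233.2", "anonymizer2.blutmagie.de", "S"),
                 ("92.228.132.21", "g228132021.adsl.alicedsl.de", "F")]
    lines = []
    for i in range(60):
        for ip, host, fl in attackers:
            lines.append(f"{100.0 + 30.0 * i:.1f} {fl} {ip}:{40000 + i} {host}")
    benign = [("66.249.65.154", "crawl-66-249-65-154.googlebot.com"),
              ("71.163.48.147", "pool-71-163-48-147.washdc.fios.verizon.net")]
    for n, (ip, host) in enumerate(benign):
        for k, fl in enumerate(("S", "A", "PA", "FA")):
            lines.append(f"{50.0 + n + 0.1 * k:.1f} {fl} {ip}:{50000 + n} {host}")
    return "\n".join(lines)


if __name__ == "__main__":
    conns = parse_log(build_sample_log())
    for ip, s in flood_sources(conns).items():
        print(f"{ip:16} {s['class']:15} syn={s['syn']:3} fin={s['fin']:3} {s['host']}")
    print(report(conns))
```

The "never an ACK" condition is what separates a half-open flood from a legitimate but chatty client; the crawler and the FiOS client in the sample each send a SYN too, but they go on to complete the handshake and so are not flagged. The window figure is the span of the flagged traffic, which on the constructed data comes out at just under 30 minutes, the burst length the post describes. A real investigation would replace the constructed log with flows exported from the pcap and would check the owner strings against the lists the investigators hold rather than a handful of regexes.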

Once the investigators do their thing, the nodes they can reach will be closed. The Tor server admins will be told about the events, and if they keep any logging at all, they will likely help out. However, Tor is really designed not to keep logs, kinda like ANONINE, the proxy he has been using.

Also, while looking about I noticed that mypetjawa seems to have redacted their post about j35t3r taking down Ahmadinejad’s site. Maybe it’s just an internal server error (500), as I see when I search their site directly, but it’s in their archive if you Google it. I am sure that DDoS-ing that site pretty much makes j35t3r no friends on either side of the political situation there.

… And me? My site? Still up.

Well, it’s no biggie if it’s down here and there. But the opportunity to capture all the packet traffic, as well as get that .ru Hotmail account from his direct correspondence, is helping the boys do their thing. Of late, though, he has laid off, with only the occasional Twitter taunt to get me to respond.

Weak attempts at best… And such bravado, talking about how he has bested me. Well, it’s not really me he has to worry about. He will do himself and his pals in quite nicely on his own, I think.

It’s mostly out of my hands now… Oh, and deleting tweets won’t help either… Google cache is a wonderful thing.

Hope you look good in orange j35t3r, cuz I think that is the color that they will be giving you.

Cheers,

CoB

Written by Krypt3ia

2010/01/21 at 03:19