Tuesday, November 17, 2015

DVWA - Upload Backdoors into a Vulnerable Web Application

Hello Everybody.  On this topic I would like to discuss and show you a little bit about DVWA (Damn Vulnerable Web Application). This is an environment in which people can freely test flaws in web applications without getting into legal trouble.  It is really easy to set it up and test it. You only need to do one of the following:

1) Set it up on your machine (Apache or XAMPP + Java + Burp Suite)
2) Run it from a live CD without needing to set it up yourself.
3) Run it on a website. No need to install anything.


Below is a simple demo of how to bypass the upload form by changing the security level and the file type in order to upload a backdoor and remotely execute code on the server machine.  Enjoy




Tuesday, October 6, 2015

How to determine your HTTPS is really secure






At a time when not even HTTPS is considered 100% secure, how do we determine that we are going through a secure connection? How can we tell that our connection from point A to point B is not being eavesdropped on by a man in the middle? Nowadays, regular users and more IT-inclined users must be equally aware of the dangers and how to mitigate them. With recent vulnerabilities such as FREAK and Heartbleed, how can we know that TLS/SSL security is not being downgraded after we click a link? Well, read on.

Definitions

So, how do we determine if a connection is secure or insecure? First of all: what is considered insecure? Well, we know that a secure HTTPS connection includes the SSL/TLS data encryption and authentication protocols. We also know that the SSL (Secure Socket Layer) protocol is the predecessor of TLS (Transport Layer Security). We now know that SSL (even its last version, 3.0) is really insecure from what we've seen in old and recent bugs and vulnerabilities such as POODLE, BEAST, Heartbleed and FREAK. We also know that TLS 1.2 is the most secure protocol (so far) for HTTPS communications. But things are not as easy as they might seem: even TLS v1.2, if not properly configured, can be a target for BEAST attacks.



Determining Vulnerability Vectors

Depending on the attack, bug or vulnerability, there are many different ways to compromise a system, and the vectors associated with them have to be accounted for. For example, if you're susceptible to a MiTM (Man-in-the-middle) attack, the attacker can potentially downgrade your secure connection, leaving your system unprotected from the aforementioned attacks. This is called a "Downgrade Attack". Also, believe it or not

Plan of Action

In order to have a plan of action, it is very important to determine what products are installed on your computer(s).  Keeping the number of browsers to a minimum (is there a reason to have 3 different browsers on your computer?) will simply mitigate risks. This is because we do not always remember to update our browsers, or we simply assume that if our Operating System is patched, our browser(s) are too.

Check SSL/TLS in Chrome



Check SSL/TLS in Firefox

This is a common mistake for amateurs and rookies in the subject, but they must be aware of the risks and take action.  Also, by running the OpenSSL and TestSSL utilities, we can determine which SSL/TLS ciphers are at risk, for example RC4-MD5 or RC4-SHA.  Also, protocols such as TLS 1.0 are not secure anymore and you should rely on 1.2 at least. These utilities will help you know what should be changed in order to have a somewhat more secure web application.

You have to be careful because if your web application uses the RC4 Cipher Suite, the connection might not be as secure as you might think.  The output RC4 generates is not truly pseudo-random, and the first 65 bytes can be decrypted to obtain passwords or cookie information, allowing the session to be stolen.  This "Invariance Weakness" leads to an attack called Bar Mitzvah, which can be used to steal your session information.




In the Bar Mitzvah attack, it only takes 65 bytes of decrypted data (after the handshake) to steal cookies or passwords.


The plan of action for RC4 is to totally deactivate it in order to mitigate these risks.
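
The following Python is an added example, not code from the original post: it flags the findings named above (RC4 suites such as RC4-MD5 and RC4-SHA, and protocols older than TLS 1.2) in a scan listing, then builds a client-side TLS context with RC4 disabled and TLS 1.2 as the floor. The "protocol cipher" listing format, the sample lines and all function names are constructed for illustration, and the export-grade check is an assumption added because of the FREAK downgrade mentioned earlier.

```python
import ssl

# Protocol labels treated as too old: the post asks for TLS 1.2 at least.
WEAK_PROTOCOLS = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.0", "TLSV1.1"}

# Constructed sample input (not real scanner output): one "protocol cipher"
# pair per line, using OpenSSL-style cipher names.
SAMPLE_SCAN = """\
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
TLSv1.2 RC4-SHA
TLSv1.0 AES128-SHA
SSLv3   RC4-MD5
TLSv1.0 EXP-RC4-MD5
"""


def audit_suite(protocol, cipher):
    """Return the reasons a protocol/cipher pair should be disabled."""
    reasons = []
    if protocol.upper() in WEAK_PROTOCOLS:
        reasons.append("protocol older than TLS 1.2")
    # Split on '-' and '_' so both OpenSSL (RC4-SHA) and IANA
    # (TLS_RSA_WITH_RC4_128_SHA) spellings are recognised.
    tokens = cipher.upper().replace("_", "-").split("-")
    if "RC4" in tokens:
        reasons.append("RC4 stream cipher")
    if "EXP" in tokens or "EXPORT" in tokens:
        reasons.append("export-grade suite")
    return reasons


def audit_scan(text):
    """Parse 'protocol cipher' lines; return (protocol, cipher, reasons) for weak ones."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        reasons = audit_suite(parts[0], parts[1])
        if reasons:
            findings.append((parts[0], parts[1], reasons))
    return findings


def hardened_client_context():
    """Client context with certificate checks on, TLS 1.2 floor, RC4 excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4")
    return ctx


def context_findings(ctx):
    """Re-check a context: protocol floor plus every enabled cipher name."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol is below TLS 1.2")
    for suite in ctx.get_ciphers():
        # The floor is checked above, so only the cipher name is judged here.
        for reason in audit_suite("TLSv1.2", suite["name"]):
            findings.append(f"{suite['name']}: {reason}")
    return findings


if __name__ == "__main__":
    for proto, cipher, reasons in audit_scan(SAMPLE_SCAN):
        print(f"{proto:8} {cipher:16} -> {', '.join(reasons)}")
    leftover = context_findings(hardened_client_context())
    print("hardened context findings:", leftover or "none")
```
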


Sources


Definition of POODLE: https://isc.sans.edu/forums/diary/SSLv3+POODLE+Vulnerability+Official+Release/18827/

Definition of BEAST:  http://www.webopedia.com/TERM/S/ssl_beast.html

Definition of Heartbleed: http://heartbleed.com

Definition of FREAK: https://freakattack.com/

Downgrade Attack: https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack#MITM%20TLS%20Protocol%20Downgrade%20Attack 

OpenSSL: https://www.openssl.org

TestSSL: https://testssl.sh

RC4 Vulnerability: http://securityaffairs.co/wordpress/35352/hacking/bar-mitzvah-attack-on-rc4.html

Monday, July 6, 2015

BASH ShellShock Bug

By this time we all know that the BASH Shellshock Bug is now history, but think again. There are times when I have found servers with their BASH outdated. Since we know the versions affected are <=3.4, the good news is that it can be easily mitigated. By just updating BASH, you are already ahead of the game. The sad thing: not everybody updates their system accordingly. Believe it or not, lots of companies still don't have their systems patched and this has to change. They have to start being more conscious about their customers and clients and stop being lazy.
In this video, I will show you what the Shellshock Bug is, the risks of it, how to penetrate a vulnerable system as well as how to mitigate it. Enjoy

Friday, May 22, 2015

Hacking Conferences




Introduction

It is always fun, full of knowledge and at the same time a little controversial to attend Hacking conferences nowadays. They were also very controversial in past decades, and this has to change.  The whole "Hacker" culture atmosphere not only had big negative connotations in the past but still has them now, but a talk at B-Sides Chicago got me thinking, and maybe the speaker is right:  The Hacker's culture might be dead. Some people argue that it is not dead but instead more closed, because the gurus have their own groups while the "noobies" are just enjoying their technical and orgasmic talks.

However, that does not mean that Hacker conferences are dead. My first experience, going to two of them lasting 3 days (in total), got me thinking a lot.  A Hacker's conference is not only about talks and what you can get out of them; it is mostly about connecting with people so they can all collaborate with each other in the future. Most people would think a Hacker's conference is a place where a lot of "spoiled" and "rebellious" people go to hack and break rules while getting drunk, but that is only a Hollywood and mass media misrepresentation of it. I would suggest that not only technical and IT people but also regular people go to one of these events (some are free) and see it for themselves. Some of these talks are not really technical but conceptual, and show how secure our mindset should be regardless of how much you use computers. It is about learning what the reality is and how we can face it today. How we face it and what we do to protect ourselves will make us more aware and thus more secure; because after all, we cannot hide the sun with our hands, but we should act on it.

Conferences -- In depth 

Electronic Badges

It is a great idea to have the badges from the Hacker's conferences. For instance, for DefCon and Thotcon you are given your registration badge as a little Arduino circuit board which you can connect to your computer and program so that its lights go in sequence or change colors, and there are even enigmas hidden in the code which can be broken in order to win a lifetime pass for those events. Some Hackers spend the whole conference (2-5 days) trying to break the enigma.





My First Experience

This year was my first time going to these conferences and I had some fun. First of all, I went to an event in Chicago named THOTCON which was split into 2 days (not full days) and I only went for a bit. The talks were not as detailed and motivating as I expected but maybe I was expecting too much out of it. The people were really cool and I got to make some friends with the same ideas and passions as me.

B-Sides Chicago was good in the sense that it was fun to listen to up-to-date material as well as how to be more aware of it and how to protect yourself. I perhaps did not learn a lot from it but I made good connections with important people working on some projects I strongly support.  Something I have to disagree with was the heavy use of alcohol at these events, because it kills the chance of meeting a lot of people sober and interacting with them, in things such as showing your open-source project to someone else or offering yourself as a volunteer on their projects.  Chugging as much alcohol as possible can prevent you from interacting with people, not only in the sense of talking to them but also of sharing information or showing them your ideas. I believe control should be the mediator and too much alcohol is definitely not the way to contribute to the Hacker Community. I believe this, too, has to change. Every time we as individuals try to differentiate between gifted, creative and collaborative people but get drunk in the process, we fail to do so.


Defcon

I haven't gone to DefCon yet but I know some facts. First of all, Defcon has a lot more people (about 15,000-20,000 per year) and it has been growing steadily over the years. It is one of the most popular Hacker Conferences (along with BlackHat) in the world. Hacker and non-hacker attendees as well as speakers from all around the world attend this conference.  You can get an idea of what it is by watching some YouTube videos but there is nothing like going and seeing for yourself. That is why I cannot write enough about this event. What I can say, though, is that this event has always been hosted on the Strip in Las Vegas, NV, and this year will be the first time that they are going to have 2 venues because of the growth in interested people. One venue will be for the talks and the other for all the other activities such as Capture the Flag (CTF), labs, and other fun and collaborative projects. Being bigger than the other events, Defcon brings more innovation and ideas to the Hacker's community as well as opportunities for participants to work on and join open source projects.


Not only talks and networking take place at these events but also side activities: challenges such as CTF (Capture the Flag), gun shooting or beer brewing contests. Those haven't happened at Thotcon or BSides (or at least not this year) but they happen a lot at Defcon. There are also mazes and puzzles within the schedule of the event which, if you solve them, earn you awards, including a free lifetime pass for that event.  Be careful though: at DefCon, if you connect to their wireless Internet connection, you will be hacked and put on the "Wall of Shame" just because it is fun to do so.  Also, the atmosphere is great because of the great people, great music and positive learning vibe. Some of the music styles are brought back from the underground (or ex-underground) world, such as: Dubstep, Techno, Drum & Bass, House and Reggae. These music styles do not represent the use of drugs of any sort but a passion for "all things electronic", hence all of these styles fall under the category of Electronic Dance Music. Passion for all electronic things is the only antidote for attendees who want to share their experiences, projects, talks, opinions and even argue about today's hot subjects. It is the place where all the IT people (you don't have to be a "hacker" in order to attend) really understand each other when they talk because they all know what they are talking about. Unlike the past, when altruism was the priority to boost knowledge and curiosity, nowadays it is seen less that way and more as something organized, preplanned and structured. Even though back then the Hacker Conferences were more like a "technological rave" where there were a lot of DJs spinning their turntables and beers everywhere, now it is more like a sponsored, planned security event.


Hak4Kidz

Besides Hak4Kidz, there are also more special events for your kids. They do not teach them how to become a criminal or how to break into computers or locks but the whole Hacker's mentality.  The hacker's mentality is not about doing damage or crime, but how to "think outside of the box". Activities such as solving puzzles, programming for kids and building their own artifacts are only a few of the activities they get to do and learn to the best of their capacity. It is also meant to make them think creatively, plan their future and be more aware of the world they're exposed to.


Conclusion

We must understand that complaining about how the scene used to be and flashing back to the past to have those chills will not help the situation in the present day. We need to be ourselves, and if you liked what happened way back, why not do your own event? It does not matter if it is small, medium or huge or where it could be (at your house, a secret warehouse or on the rooftop of an old building). What really matters is the connection one gets and how rich the events are, not only in the talks but also in doing workshops, helping people learn new concepts and stuff, as well as participating in projects and supporting them with donations. For example, attending Thotcon opened a new opportunity not only to know my coworkers a little more but also to meet new people with the same ideas as me. Attending BSides was a great experience because not only did I get a contact from someone to hook up with in the future but I also met really important people, including someone closely involved in a project which I strongly support.

Overall, going to Hacker Community events is about what you can bring to the table rather than what to expect. Yes, they must accept feedback (maybe putting out a feedback box for next year's improvements?). But complaining about how it used to be will not change a thing, especially if you don't give your feedback or host your own side activity. Get known, contact the right people for the event, get to work, get ideas, implement them and try them at your next year's HackerCon. After all, it is about sharing, learning and making contacts. Let's all make this possible. Hack on!!

Friday, April 10, 2015

Getting Closer to a New Machine Era



"Also it causes all, both small and great, both rich and poor, both free and slave, to be marked on the right hand or the forehead, so that no one can buy or sell unless he has the mark, that is, the name of the beast or the number of its name. This calls for wisdom: let the one who has understanding calculate the number of the beast, for it is the number of a man, and his number is 666."   -Revelations 13:16-18

A Word from the Blogger

We are entering a new phase.  As passwords are slowly becoming obsolete because they are by nature insecure and hard to remember, a new era is emerging which will bring a lot of controversy.  Since biometric methods of authentication haven't delivered what they promised, have been proven to fail many times in the last few years, and have been shown in the last few months to be easily bypassed, we are now left to wonder:  how are we supposed to store our information and do our "private" actions through the Internet without having our account (which, by the way, now contains everything we do) compromised?

www.slate.com


Even though I really love technology and I enjoy experimenting with it, I am completely against the ideology of merging humans with robots.  I am completely against the ideology of having robotic parts embedded into our body to surpass our average capabilities and the nature of being what we are... humans.  Merging embedded robotic parts with our body to make ourselves "more efficient" is a mockery of God because of the arrogance and pride of wishing to be not only like God but better than God.  If God wanted us to be robots, he would have created robotic parts in ourselves.  Also, it goes against the laws of nature, which are also enforced, controlled and mediated by God. If the laws of nature are altered, an endless domino reaction of cataclysms would occur.

The Article

I have read some news which I could not let slip.  In fact, I had other Blog entries in production and ready to push into live publishing, but I believe this is more important, so I started on this topic right away.  This event will be the start of a huge dystopian life change which the human race will long regret.

On Friday April 17, 2015, the Wall Street Journal published an article, one of the most life-changing in history.  A PayPal executive who works with PayPal's engineers and developers said that "to find and test new technologies, embeddable, injectable, and ingestible devices are the next wave in identification for mobile payments and other sensitive on-line interactions." Also, the head of PayPal's and Braintree's Global Development Advocacy, Jonathan LeBlanc, said that "The future of identification would not rely on passwords." As we know, PayPal has not only proven in the past to be more secure than traditional forms of on-line payment, but has also proven to have certain vulnerabilities which exposed its users' usernames and encrypted passwords, and its two-factor authentication techniques were previously hacked.


The Problem - Fear to the Public

For these reasons, as well as the fact that passwords (no matter how much encryption they have) are always eventually breakable, PayPal is turning its odds to a more "reliable", secure and easier to use:

http://www.makeuseof.com






http://www.slideshare.net/jcleblanc/kill-all-passwords

As any seasoned salesman and social engineer already knows, in order to sell a product or convince someone to do a certain thing (a thing he wants you to do), he first has to create the need for it. One of the techniques used to accomplish this is to create fear. Once the fear and need are established, the solution comes next.  LeBlanc states his solution to authentication by using:

  -Fingerprint Scanning
  -Vein Recognition
  -Heart rate monitoring

 By the following methods:

  -Ingestible Technology: Ingestible capsules will be used and powered by stomach acids to detect glucose, blood pressure, digestive health and patterns.

  -Brain-Chip Implants will be used (through
 
http://www.slideshare.net/jcleblanc/kill-all-passwords

LeBlanc states these methods will be "natural body identification", which we already know will not be true, because the machine (bits and bytes) will be required to analyze body patterns, which does not make it 100% natural.  Think about false positives from our body's reactions due to the use of drugs, anomalies, sickness, and unexplained pattern behaviors.

FIDO Alliance

PayPal has partnered with the FIDO Alliance to incorporate better authentication systems for their users.  One of their projects is Universal 2nd Factor (U2F) authentication. As the FIDO Alliance states in one of its videos, U2F offers a more "open, secure and easy to use standard by using a public and private key pair." The Bluetooth USB-like adapter device will not require drivers and will be used as a second method of authentication (after inputting the password) and will be the intermediary between the browser and the user to prevent keylogging, phishing (the weakest link) and MitM (man-in-the-middle) attacks.  It will also be used with mobile devices, where, with Duo Push as an integral part, it will be used as a phone App.

https://fidoalliance.org/about/overview

In my opinion, this will be the bridge and the temporary solution for PayPal before they go full speed with the new and so radical change which will change our lives forever.


Final Thoughts

We are now living in a very crucial time when the fight for privacy,  human rights, wars, terrorist attacks made through false flag operations and our form of communication as well as authentication will be playing a huge new role and change to a more dystopian reality which will be combined with our "own form of control" by using our own medical record, health situation and body parts to keep our private data, the data that never had to be released to the public domain, secure.  It is now the time to change our dormant state and fight for our human rights, which is the last thing we have left.  If we don't do anything, one day our future grandchildren will look at the past (if not altered) and ask: what has happened with our humanity?
 
 Sources

WallStreet Journal Article:  http://blogs.wsj.com/digits/2015/04/17/paypal-wants-you-to-inject-your-username-and-eat-your-password

LeBlanc Presentation:  http://www.slideshare.net/jcleblanc/kill-all-passwords


FIDO Alliance: https://fidoalliance.org/news-more/videos/

PayPal FIDO:  https://www.paypal-pages.com/samsunggalaxys5/us/index-faq.html

Friday, April 3, 2015

The Evolution of Hacking: Advanced Persistent Threats (APT)

www.itbusinessedge.com

 Introduction

In the last couple of decades we have observed some of the most brilliant hacking techniques ever known. We have also delved into a lot of sophisticated Malware which redefined the whole concept of security. As the tools are made simpler and simpler and more people adapt to the whole security world, we have seen a substantial growth not only in sophistication but also in security persistence.  Here is what comes of it: APTs.

Nowadays, we are not only fighting against malicious and curious hungry people who want our data, identity and financial information but also against governments, mafias, and "terrorist" nations seeking to gain trade and national secrets.  As this world might be coming to an imminent end (the end of humanity), it is logical to think that more and more havoc will be caused in our lives and in order to survive, we will have to accept a New World government, where everything will be monitored, judged, moderated and executed within one World Organization in justification for total security and safety for all humanity.

As more havoc is being done in this society, so it happens in our digital world. Better autonomic, resilient and cognitive systems are also put into the market (and our society) and into the hands of the gifted ones (and malicious users), providing this society with more advanced, smart ways to silently break into the most sophisticated and secure systems. An Advanced Persistent Threat is defined as "a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity." By breaking down each word, we get a better idea of what an APT really is:

Advanced - Multi-vector 0 day attacks.

Persistent - Undetectable attacks over a long period of time.

Threat - Menace to the sensitive information of critical infrastructure and assets.

Past Examples

Below there are only a handful of APT examples:

PoisonIvy
Stuxnet
NightDragon
GhostNet
Lurid

Past Targets

Moonlight Maze (1998)
Titan Rain (2003)
US Congressmen (2006)
Oak Ridge National Laboratory (2007)
Los Alamos National Laboratory (2007)
US Department of Defense (2008)
Office of His Holiness the Dalai Lama (2008)
Operation Aurora (2009)
Australian Resource Sector (2010)
French Government (2010)
Canadian Government (2011)
Australian Government (2011)
Comodo Affiliated Root Authority (2011)
RSA (2011)
Oak Ridge National Laboratory (2011)
L-3 Communications (2011)
Lockheed Martin (2011)
Northrop Grumman (2011)
International Monetary Fund (2011)


How APT Works


First, it is important to identify the phases of a successful APT.  In order to successfully attack a system without being detected, a series of sophisticated under-the-radar techniques must be used.

First Step - Advanced (Infection)

The attack is conducted by sending the RAT's Trojan (server file) and tricking the user into running it.


Delivery methods include attachments, or a visit to a website where the malicious user has taken advantage of a vulnerability so that the RAT's Trojan is downloaded.  An indirect and less suspicious method is simply to throw a USB drive with the RAT's Trojan software into the target's backyard, car, or a personal item such as his coat or pants pocket.  If he plugs it in thinking he luckily found a USB drive he can use, the malicious user can craft an auto-executable which executes the RAT's Trojan software in the background.  He can put random school documents or home-made pictures (not his own) on it to make it less suspicious.  A more advanced alternative is for the malicious user to craft malicious software which downloads the server file (RAT's Trojan) when inactivity is detected on the target's machine, so the target doesn't notice the system's performance or other hints while the connection, download and auto-execution are taking place.

Once the victim is infected, the attacker can manage the victim's PC through the Remote Administration Tool (the RAT).
 
When the victim is infected, it simply notifies the malicious user who is running the RAT on his end.  Then, the malicious user can conduct a series of activities:

  -Keylogging (logs every single keystroke)
  -Uploads and downloads system's files
  -Unrestricted remote shell login
  -Uses proxy services to hide attacker's identity (through HTTP/SOCKS)
  -Kills, lists and starts system processes
  -Spies on victim's webcam
  -Screen Captures
  -Full administrative access to files and system's registry
  -Used to send SPAM from the victim's machine
  -Logs-off, restarts and shutdowns the victim's computer
  -Update the RAT's server (trojan) on the victim's machine
  -Uninstallation of RAT itself

Second Step - Persistent (Methods)

The persistent phase comes when the attacker conducts such stealthy activities, such as:

  -Updating the server file on the victim's machine so it doesn't get detected by anti-malware
  -Inject the server file to a specific system process. i.e: winlogon.exe, iexplorer.exe or rundll32.exe.
  -The server file's shortcut image can be changed as well as the name of the file to avoid detection.
  -Auto-runs and connects to attacker if the server's injected service is killed

Third Step - (Exfiltration) Threats

This serious threat can be used to make nefarious exfiltration of mass data such as:

  -Network footprinting
  -Assets enumeration
  -Usernames and Passwords
  -Administrative domain account creation for further access
  -Plant backdoors for evasion
  -Secret data and company secrets' leak
  -Data and infrastructure corruption
  -Compromise other hosts
  -Privilege Escalation
  -Encrypt critical files and demand ransom to decrypt them
  -Etc.

Final Thoughts

As we are going through a war phase, a lot of attacks are being made with digital weapons.  More intrusive controls such as better digital IDS/IPS signatures, more skilled people, Firewall rules and Anti-virus behavioral scans as well as signatures (come on, they do help a little) are falling behind exponentially with the emergence of more sophisticated APT malware.  With the evolution of cognitive systems, soon we won't have to enlist to fight wars because machines will be able to fight them for us.  The hacking techniques now being used are almost automatic and will soon be cognitive and conducted with the help of a more accurate AI (artificial intelligence).  In this information age, not only critical infrastructure but also the whole society's information is the target and at risk minute by minute.  That is why we need to be our own Firewall and be diligent not only about our activities and actions (they do cause an effect), but also about how we determine our future.

Friday, March 27, 2015

The Bill of Rights


 Privacy is affected in many ways.  The Bill of Rights covers the privacy not only of practicing your own religion and assembling at your own place without being detained but also of not being detained to testify about a crime that you haven't seen or have no more details to add to.  It also covers the freedom of having your own thoughts or ideas as long as they do not affect a third party (freedom of speech), the right to bear arms (as long as you have a valid gun license) and the freedom of deciding whether a militia, navy or army man should stay at your house while the nation is “under peace.”  Certain rights establish the fact that we are still free, but some of them, such as the freedom of speech, are a double-edged sword.  If one speaks badly about certain things just because it is his thought, and someone sensitive just feels annoyed or hurt, you could be in trouble.


The same goes for the government.  If the government thinks you have hurt them, your freedom of speech is no longer free, and you will be punished for it.  It depends a lot on how people, entities, and governments take your argument.  Of course, this is more prevalent when there is an abusive system.  People then would rather not even express their opinions, and that is where freedom of speech is lacking.
 


Since 9/11, we can see a proliferation of abuses not only of the Bill of Rights but also in top-secret papers exposed by whistle-blowers such as Chelsea (formerly Bradley) Manning and Edward Snowden as well as by journalists such as Glenn Greenwald and Julian Assange, dismantling horrific projects and operations from the NSA as well as from the Five Eyes (intelligence alliance comprising Australia, Canada, New Zealand, United Kingdom and the United States).  Little by little our freedoms are diminishing in the name of “National Security” with freedom-interfering Acts such as the Patriot Act (especially Section 215), Net Neutrality, Trans-Pacific Partnership (TPP) and other mass-surveillance programs.  People need to wake up before it is too late, because we are now facing the end of “our own control” times.
 
 
We are rapidly and nefariously losing our freedoms in the name of “security”, being sold a plethora of dystopian realities fabricated by false-flag operations such as the endless wars we are facing now, as well as horror propaganda orchestrated by a shadow unified government with terrorist groups using their best weapon:  media disinformation.  We need to act and we need to act now because as Benjamin Franklin once said:  “Those who give up their liberty for more security deserve neither.”

Friday, March 20, 2015

Meet The Hidden Web

Terminology

Also known as the Dark Web, Deep Web, Darknet or darkweb, whatever is left out of search engine indexes is located in these darknets. Despite the name used, according to NPR.org, the deepweb is made up of 96% of all content, far more webpages than the World Wide Web. What we cannot see with our "naked" eye (or in this case with traditional methods) is known to be unknown, but thanks to services such as Tor or I2P, we can actually experience the full potential of information flow.


Now, how can we know what is indexed and what is not? Well, for the most part it is very hard to know without delving yourself into the darknet itself, but some of it can be found in the "robots.txt" file of some websites. As previously stated in one of my Blogs, the robots.txt file can be easily accessed, for example, on this website.

When connecting to the deep web, you can determine it is non-indexed because the websites are randomly assigned and have a .onion extension after their domain name; for example, DuckDuckGo's search engine website is http://3g2upl4pq6kufc4m.onion.


How to Access It

As with everything in my Blog entries, I do not condone anything illegal or foolish. Use the darknet at your own discretion. You can find horrific, ugly things as you can also find beautiful lost pieces of information.


 The way to access the .onion sites is through Tor. As previously stated in my numerous Blogs, Tor was invented by the U.S. Navy in the mid-90's and it provides pretty anonymous access to the Internet as well as to I2P and .onion sites (darknets). Tor can be used not only by people who want to hide their "activities" but also by people in countries like Egypt, Libya, Afghanistan, etc. who don't have complete access to the Internet and information.  Also, a lot of criminals such as paedophiles, hitmen, cyber-criminals, cyber-bullies, drug and gun dealers access the darknets as well as black markets to sell their goods in an anonymous way.  These last uses are the reasons why darknets are considered dangerous.

There are easy and fast alternatives such as the Tor Browser which takes care of the tedious install and proxy configurations but it is not guaranteed that Tor will be 100% anonymous "out of the box". Further configuration is always required.


Even though Tor had some issues with bugs, security flaws and potentially NSA surveillance and spoofed relays used to spy on people, it is not wise to judge the whole Tor project because of some rotten potatoes in the past. A lot of flaws were and are being fixed every day, as with other software on the market. After all, Tor is also based on software and protocols which are being fixed and improved all the time. Also, it is not safe to consider Tor bullet-proof for all your "hidden" activities, but it is a good choice as an extra security layer to have in your security arsenal.

Where to Look


Once you connect to the Tor Network, you can see who in the network is acting as a relay. The relays are run by people helping to make your connection more secure. The entry and exit nodes (you and the server) are the only ones that know about the site you are trying to visit (not the relays), and they also think your connection comes from another country. Also, it is important to note that the only unencrypted part is from the exit relay to the destination.



All of this is only to understand a little how Tor works, but let's get to how to surf the deep web.

For starters, let's first find a starting point. To find a starting point, we need either 1) an .onion site with a list of other sites or 2) a search engine for deep web sites. The first one is not very reliable because the list is always out of date and the links might not work. The original one is called CoreOnion.

1) There are sites that list, or at least try to list, the most up to date links. Some of them are: The Hidden Wiki, Tordir, and the Onion URL Repository (You will need to be running Tor to enter these sites).


2) You can also look at deep web search engines for .onion sites. Some of them are: DuckDuckGo, DeepSearch, and Abyss. (You will need to be running Tor to enter these sites).

Once you have a starting point, you can surf at your own discretion. You will find a lot of information about just about anything, and I mean ANYTHING.

Deepweb and Censorship


One of the reasons governments cannot shut down the deepweb entirely is that governments also use it to hide their activities and make them more anonymous in order to avoid infiltration, eavesdropping and data leaks. As with anything in this world: a tool which is used for the good of humanity can and always will be used for all things evil. Even though there are tons and tons of criminal activities in the deepweb and lots of them are being shut down, such as "The Silk Road v1 and v2", it is impossible to shut them all down at once without bringing down the Tor network.

The Repercussion: In Numbers

Since the military, governments, navy, airforce and secret societies also use the I2P and Tor networks to hide their daily "secret" activities, it would be a total loss for all of them if they shut it down. Governments always try to keep control of the darknet by shutting down the most popular sites with criminal content, but they re-open soon after with a new random .onion address, or better yet, a mirror somewhere else. The repercussion, however, was not much compared with the profit. For example, The Silk Road v2 had approximately 1 million members and was making 1.2 billion in yearly profit. When the Silk Road was shut down by the F.B.I. on November 5, 2014, they seized about 26,000 bitcoins (equivalent to 4 million U.S. dollars at that time). Bitcoin is the anonymous form of purchasing services and goods in black markets through the darknet. It trades as BTC on the stock exchange and now (as of April 6, 2015) it is worth 258.19 U.S. Dollars. Surprisingly, Silk Road's operator made $80 million in commissions from its members. When the Silk Road re-opened, its value went to 3 times what it was worth, both in members and financially.

Net neutrality and Last Thoughts

After the EFF's win on net neutrality on March 12, 2015, ISPs and Cable companies don't have much control over their clients, but since they lost the battle (but not the war) they are finding new ways to suppress their clients' browsing actions that are not covered by the Net Neutrality rules. For example, Comcast is currently performing DPI (deep packet inspection) techniques to ensure they can alert governments (if asked) if a customer is using Tor. Since they deeply analyze their customers' packets, they can determine who is using Tor and who isn't. One easy (but not bulletproof) way to avoid this is to use Tor Bridges. Since Tor relays are indexed by the Tor network, if Comcast (or another ISP) has access to this list, they can easily determine who is using Tor and block access to it so the customer cannot access any site through it. By using bridges, they cannot determine if their customer is using Tor because the bridge address is not listed as "public" in the Tor network, thus they cannot discern between a Tor and a non-Tor connection. They just don't know what it is. Bridges are being used in highly oppressive countries such as China, Hong Kong, Libya, Egypt, Lebanon, Syria, etc. to bypass their government Firewall. People there also use Proxy Chains, which interlink their connections and bounce them through a series of proxies to anonymize traffic even further.
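The relay-list matching described above, as an added example that is not part of the original post: it parses constructed relay entries laid out like the "r" lines of a Tor consensus document and flags flows whose destination matches a listed relay. All addresses, nicknames and flow records are constructed, and the function names are hypothetical.

```python
"""Flag flows to publicly listed Tor relays (constructed data throughout)."""
import ipaddress

# Constructed relay entries in the consensus "r" line layout:
# r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
# Addresses come from documentation ranges (RFC 5737), not real relays.
SAMPLE_CONSENSUS = """\
r relayAlpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2015-04-06 10:00:00 192.0.2.10 9001 9030
r relayBeta CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2015-04-06 10:05:00 198.51.100.7 443 0
s Fast Running Valid
r broken line
"""

# Constructed flow records: (client, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 9001),    # listed relay
    ("10.0.0.6", "198.51.100.7", 443),   # listed relay on port 443
    ("10.0.0.7", "198.51.100.7", 80),    # same host, different port
    ("10.0.0.8", "203.0.113.50", 443),   # unlisted address (e.g. a bridge)
]


def parse_relays(consensus_text):
    """Return a set of (ip, or_port) pairs from 'r' lines; skip bad lines."""
    relays = set()
    for line in consensus_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] != "r":
            continue
        try:
            # IP, ORPort and DirPort are the last three fields of an "r" line.
            ip = ipaddress.ip_address(fields[-3])
            port = int(fields[-2])
        except ValueError:
            continue
        relays.add((str(ip), port))
    return relays


def flag_tor_clients(flows, relays):
    """Return the sorted clients whose destination is a listed relay."""
    return sorted({c for c, dst, port in flows if (dst, port) in relays})


if __name__ == "__main__":
    print(flag_tor_clients(SAMPLE_FLOWS, parse_relays(SAMPLE_CONSENSUS)))
```

The last flow goes to an address that is not on the list, so it is not flagged; that is the gap bridges rely on, and why list matching alone undercounts Tor use.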

Additionally, you can use a VPN with Tor and Bridges to ensure more layers of anonymity, since solely using Tor does NOT guarantee 100% anonymity.


With the emergence of a new, faster (even more controlled) Internet and free Internet such as Kim Dot Com's MegaNet, it is hard to conclude that Tor will be around long enough to see our end of times. Perhaps a less centralized, non-IP address based network will be used by Freedom Fighters while the rest of civilization uses a faster but more controlled (and censored) Internet like the emerging Internet v2, which is already in progress and perhaps will be using HTTPS/2 (founded by Google). It will soon be a matter of speed and reliability vs privacy. The decision, hopefully, will be ours to make.


Sources:

Exploring Onionland: The tor .onion Darknet
DarKnet or DeepNet: What is it and how to access it?
Going Dark: The Internet Behind The Internet
Deep Web Links
How FBI brought down cyber-underworld site Silk Road
BTC in Dollars - Current Stock Price
EFF wins over Net Neutrality

Friday, March 13, 2015

Keeping yourself off of the Radar of the NSA. Only fiction? Part 2

Our privacy diminishes day by day, and the facts stated in part 1 of "Keeping Yourself Off the Radar of the NSA" are only the tip of this huge iceberg. The recommendation I gave in part 1 was to use Tails, even though it is not bullet-proof and the person who has the most knowledge wins in this cat and mouse game. In part 2, we will go through more risks, which increase every day while getting more complex as well.


This week, we found out not only about software surveillance but also about hardware and network-based data mining by big and wealthy corporations, as well as the net neutrality law which, by the way, temporarily won the battle but certainly not the war.

Last week, we found out about a vulnerability on Linux systems which takes advantage of physical DRAM memory chips to gain kernel access to the system. We also found out how Apple is sending the voice recordings consumers send to "Siri", the iPhone Intelligent Personal Assistant, to third party companies for advertisement and other undocumented purposes.

Also last week, we found out that certain phone brands, such as the Xiaomi Mi 4, are preloaded with malware by the manufacturer's custom ROM, which the manufacturer then denied, stating that those phones were fake replicas. But don't worry, not all news is bad news in regard to surveillance. Earlier this year, we also found out about new ways to make it harder for governments and corporations to track our digital fingerprints. The British multi-millionaire Kim dot Com not only invented a secured end-to-end encrypted way to chat with your friends, but he is also now reinventing a new non-IP based "Internet" called "MegaNet" which, he states, will defy the whole surveillance essence.




But this is not the only attempt to defy tyrannical global spies. There are also other systems right now in Beta testing that will be used to form their own Internet and share information as freely as people want, because, after all, information should be free for the world to use, manipulate and see however they would like, as long as there is no harm to others.



If you watched documentaries such as "Track me if you can" and "Terms of Conditions May Apply" (2003), you will realize that we have little or no control over our privacy. There are even secret programs out there that can track our identity just by finding our walking pattern. How, then, are we safe from the prying eyes?

From hardware, to software to global surveillance to secret programs to track people and break our privacy, we are in a dystopian world where our only weapon is knowledge.

Friday, March 6, 2015

Keeping yourself off of the Radar of the NSA. Only fiction? Part 1


What if I told you that it is almost (if not) impossible to keep yourself out of Big Brother's radar? What if I told you that even though you take the most paranoid precautions, you are still caught in the net along with the other fish? What if I told you that everything you have found out, everything you know about keeping yourself more secure is totally useless and you are hopeless when it comes to keeping your data and digital prints safe? Well, let's dive into some facts....

Last year I published a Blog on how to keep yourself more secure on the net and in physical ("real") life. You should know that by the time I published that Blog with solutions on how to better your privacy, more than a few of Snowden's revelations had surfaced, even to the eyes of the most naive people. The first thing you should know is that this is a mouse and cat game. This means that while the cat (the NSA for example) is trying to find new ways to push surveillance and autonomous systems to keep track of every single move we make, the mouse (freedom fighters and originalists) is sneakily moving forward, finding new ways to keep their privacy a little more... private.

Edward Snowden, who is now a refugee, along with the American journalist Glenn Greenwald, revealed some (no longer) confidential U.S. Government files which pointed out the fact that we, as living beings in this world, are not free anymore. The U.S. has a huge radar and an unstoppable ferocity, but we have found out from the Citizenfour movie that it is not the only "evil" in this game. Other countries, such as the U.K., Russia, China, Germany, France, Sweden and Brazil (to name a few) are also joining this human surveillance dystopia.


How everything got changed

In the last couple of years we have not only found out about the "secret" surveillance programs and secret projects the NSA and its partners were (and still are) using, such as Carnivore, XKeyscore, PRISM, Muscular, Tempora and Project 6 (to name only a few). We have also now found out what I believe is the worst of the worst.



For now, the before-mentioned projects and programs work on an infrastructure level of networks (through spying on big chunks of data from big pipes) helped by Google, Facebook, Youtube, America Online, etc. We all know how BIG Google is and how they also have access to most of the residential wireless passwords of the whole world via Android phones. Also, through the Muscular program, we found out how the NSA is able to launch an exploit to any computer they want (regardless of the Operating System) in a matter of seconds. So, they have control over everyone's email, potential visited sites, potential personal information, habits (good and bad ones), data, metadata and every single piece of your life via Internet infrastructure and software. But this is enough for the NSA and its partners to have a total and perfectly shaped profile of their citizens, right? .. WRONG!!


Early last month, we found out that China was putting Adware (Superfish) on Lenovo laptops by breaking and impersonating HTTPS certificates, and China was also blamed for placing backdoors and surveillance software on routers in the past. Whereas Superfish was software, now we are facing a new model. Not only the NSA but also other governments are using hardware to spy on users without their knowledge. Earlier this month another Snowden revelation made a lot of people's jaws drop. This time, it was hiding "special, deletion-proof" spying software on the most common hard-drive brands, such as Hitachi, Western Digital, Seagate and Toshiba, among others. This poses a huge risk because now we do not and cannot trust even our own brand new laptops.

Now that we know where we stand it is fair to ask ourselves: how can I protect myself? Is having a VPN, sitting behind 7 proxies or using TOR with a vast number of proxy-chains as well as using a live (read-only) USB drive running a live distro of Tails secure enough?

The Solution?


One thing we know. We know that this is a cat-mouse game and whoever knows more wins. But this is not quite enough. Whoever is faster at staying up to date, develops the most (cryptographically) secure software and has a paranoid (security conscious) attitude might be ahead of the game.


What about phones? As we know from the recent news, Gemalto encryption keys were stolen by the NSA and British Intelligence Communities, and as we know, cloning SIM cards in order to evade some tracking is illegal in most countries such as the U.S. and the U.K. How can we protect ourselves, and not only against the big monsters of digital information such as Google, Yahoo, Facebook, etc.? What about the exploits blindly launched by the NSA at our devices? We could have the best Firewalls and IDS/IPS, but are they really enough against any Government which has the top cryptographic and evasion software in the world? What about defending against the spying hardware chipsets and hidden backdoors in our communication media such as routers and perhaps also Firewalls? How can we also be safe against phone surveillance now that we know our SIM card data (or metadata) is being watched, analyzed and profiled?


The only thing I can think of is to be abstinent, and run a live copy of Tails. Remove your hard-drive, disable services (hardware and software) you don't need,  use and maintain your Firewalls, IDS and IPS, use TOR with Proxychains and of course, avoid doing anything stupid online.




Sources:

https://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29

www.huffingtonpost.com/2015/02/16/nsa-computer-spying_n_6694736.html

http://www.zdnet.com/article/nsa-gemalto-sim-card-encryption-hack-key-questions/