2.15.2018

Philosophy

"We need to have the power to involuntarily restrain until seen by mental illness professionals."
What a world we live in. This is a phrase straight out of Orwellian dystopia stories, justified by violent acts. I can't be the only one seeing this, but it seems this continues to happen.
For anyone who hasn't been in a psych ward against their will, please know:

- "you can leave any time"
-- you literally can't. If you try to demand the paperwork to leave, they do not under any means let you leave until they feel you've conformed to their desires. You don't suck his dick, you don't leave. Yes, it is that bad.
-- you are there until they say you are ready. There is no deviance.
- situational depression is considered incurable by confinement -> they will keep you for 4 weeks because they believed you wanted to die at some point in your life.

Been there, done that. My life is a dystopian world, a way of life I wish on no one, not even my most hated enemies. Praise the US for being so free, right? We are what we used to claim Russia was during its criminal-ruled years.

---------------

Assumptions:

I find myself reflecting on assumptions. People learn from experiences. They identify traits with people they know or have known and project them onto people they just met. It's not racist if every white person you've ever met is lying scum, nor is it if every black person has shown you this. However, as we associate traits with people, like race, eye color, personality traits, physical traits, any traits really, we develop predispositions toward these people the way we develop math and reading skills. We all note that people can't always be judged on traits alone, so let's look into some of the ones people don't usually look at.

When women act like stereotypical cheerleaders, speaking with nothing but snide comments to each other, dressing only in the current popular way, and treating unpopular people as less than dirt, that doesn't mean they're also liars, cheaters, and desensitized from reality. It just means there is a high probability of it.

You've known men who cheated because they were controlling a situation. That doesn't mean every man will be a cheater if he controls the situation; he might just be scared of losing control of it and/or abusive.

See, sometimes these assumptions build the wrong information trend; sometimes they're still likely correct but, without validation, can't be identified.

You've only known hateful people your entire life: that doesn't mean everyone is hateful, just that there are very few people who aren't hateful and even fewer who should be trusted not to be hateful.

Again, see what I mean? We build associations based on experience, we build understanding based on these associations. Racism isn't something terrible and evil, it's something sad. It's sad to see that people didn't have decent experiences.

Maybe instead of demonizing people and blackballing them, we can move forward as people.


---------------

Money.

You fight everyone for money. You fight to live on money and drink from the pool of money. You get money because you feel you have no choice. In a society where you will get shot for going onto someone's land to pick an apple, of course you're scared. Why wouldn't you be? But debts are another thing.

You should hold no debts over your family. This is asking for trouble. Give, help, cherish your family. They are family after all.

If you have friends, you can hold a friend to their word, but there is no reason to let that word be so focused on debts. You will only ruin your relationship.

Romantic relationships: debts are pointless here, so stop saying "this for that" or "I'll only do this if". Just get off your asses and help each other, or leave each other. It's that simple. Further, you have no obligation to help each other; you do it because you want their success. That also means doing things that don't immediately help them, as in the case of codependency. You want them to be better, not to give them reasons to depend on others to do things.

--------------

Espionage, spying, learning:

The learning cycle, despite being rewritten to include many steps by many people, is very simple in construction and is the way every person learns. You have sources you can learn from by reference, like books or man pages; you have your own history and the learned experiences you've developed; and you have ideological sources or hypotheses. These are sources of learning. You apply these sources to your day-to-day understanding and, over time, develop the most frequently reminded ones, and the actions associated with them, into personality traits. You could argue this only takes place at early ages and that sort of thing, but the idea here remains valid with or without age-based limitations. If someone finds themselves wanting to learn:

- they look at sources they have
- hypothesise an idea
- act on that idea until acceptably valid.

It's the people who have a harder time accepting things who find themselves looking further than one man's word, or one book's reference. These are the kids who take apart toys to learn what's inside them. These are also hackers, spies, and cryptanalysts.

As children develop, many see signs of being lied to and hunt to prove it. This trait helps them become skilled in espionage. I do not want my child to live like me, yet someone somewhere has been lying to him and I see it in his hunt for knowledge. He knows it. He senses it.

The way people are able to pick up on lies is actually very easy: determine common patterns, then identify deviance. When there is a pattern of deviance, you have something to question. Why is this pattern here? Why does my mom keep bringing us to her friend's house and leaving us outside for several hours? Why does my mom say she loves me only when in front of someone else? Why does my mom keep talking about magic and Santa and faeries when none of that makes sense to be real?
Most people think these thoughts. Proving it is the problem. People with a natural affiliation to espionage later in life grew up with habitual liars in their lives. These are the people who want to find the truth no matter the cost. Hacking into a Fortune 500? Who cares, we found that they lied to investors for years. Hacking personal emails? We found that they have access to things they shouldn't, commit adultery, and still have the gall to say we were bad for not doing our homework.

This is the way people live their lives because they need to learn. They have a personality trait that demands learning what others would rather keep hidden.

This is why we rat. This is why we hide trojans in legit programs. This is why we backdoor everything. This is why we gain network access and sniff traffic for months at a time. This is why we will learn the truth regardless of money, or fame, or jail time.

Espionage isn't a game, it's a way of life. A taught way of life. A way of life easily spread by the willingness of the masses to lie about silly and arbitrary things. Lying at all is worthless, but people will lie about little things, and that's what tips off young children to react by studying. To react by spying. Children used as spies: all the government has to do is pick up the ones they like. With current laws, they don't even have to hide it. There is no added conspiracy theory here; they can just walk up and take 'em "for security."

---------------

Remembering Security:

Layers
- are
-- the
--- key
---- to
----- obfuscation
----- but
---- causing
--- enemies
-- to
- spend
resources
- is
-- security.


-Ferasdour
https://keybase.io/ferasdour
https://www.facebook.com/help.ferasdour


2.09.2018

Sec ptsd?

When I saw this say "cyber security PTSD", I thought: wow, did someone just recognize that cyber security is a wartime activity? Or wow, did someone acknowledge that people are often damaged by previous battles, so they find it hard to overcome new battles?
Nope.
Instead this is a high level overview of how people become burnouts if overworked or underworked.
Let's play a game here. Let's pretend you and I are in a six-man criminal hacking group together. Neither of us is the leader, but we are both considered appropriate for our ideas. My idea is to make conversation in reference sets only and PGP (RSA 4096) encrypt files or data shared, to protect our operations. Your ideas relate to targets, objectives, etc.

We find someone poking around in one of our servers. Fuck, is there anything that can dox us? We don't want them knowing we're in and monitoring, so let's step back and find a backdoor. Shit. We had to break in almost the same way as him and escalate up. He's probably set up everything he could by now. "Find every inode change for the past 48 hours!" There it is, the orders given. We have to do analysis on a changing machine, while it's changing, because some fuck nut forgot to patch services with the latest updates. We quickly throw together two bots: one to observe and remotely report (stdout piping) inode changes, another to pull every file as it is with MD5s, SHA1s, and the full file contents. Hell, half the team is googling inodes. Fuck. Because this isn't just a bot server but an operational server, we are both getting yelled at and spammed by everyone about how the fuck we let it happen.

At the end of the day, 3 days later, our attacker was just some kid copy-pasting. He didn't even know what he was looking at. We destroyed the entire infrastructure and rebuilt, with our same roles. Operations became more about tunnels, allusion, encryption, and responsive attacks (socket binding abuse, socket service takeover). Our objectives became to always have reversion and attack-back structured plans. Our services became run through a VM, on a server, through Tor, through botnet proxies, then finally to a proxy host acting as an in-proxy into our network. We did this because some kid found a single hole and used it. We later had members go back and dox, swat, and destroy that person. He didn't even know why he was going to jail.

When people mention the idea of cyber security PTSD, let's take our little example there and apply it: 5 of the 6 members now work in security. 2 of the 6 still communicate, sometimes. Everyone wants to forget. Wartime tactics destroy innocent people and damage the people involved.

But I guess the purpose of the link is to shed light on SOC activities and how it can be bad if alert fatigue sets in. Instead of opting for a more active environment where people sitting on their ass become targets, let's say they need coffee and snacks. Let's say they're fine with YouTube on one screen and 30 ignored alerts on the other.
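The two bots in the story above, an inventory of every regular file whose inode changed in the last 48 hours together with its MD5 and SHA1, as an added Python example that is not the post's own code; it assumes a Linux-style filesystem, and the sample directory used to exercise it is constructed in the test:

```python
import hashlib
import os
import stat
import time
from dataclasses import dataclass
from typing import List, Optional

# Pseudo-filesystems that are pointless to hash on a live Linux host (assumption).
DEFAULT_EXCLUDES = ("/proc", "/sys", "/dev", "/run")


@dataclass
class ChangeRecord:
    path: str
    inode: int
    size: int
    mtime: float   # last content modification
    ctime: float   # last inode (metadata) change, what "inode change" refers to
    md5: str
    sha1: str


def hash_file(path: str, chunk_size: int = 1 << 16):
    """Return (md5, sha1) hex digests, streamed so large files never sit in RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def recent_changes(root: str, hours: float = 48, field: str = "st_ctime",
                   now: Optional[float] = None,
                   excludes=DEFAULT_EXCLUDES) -> List[ChangeRecord]:
    """Inventory regular files under root whose `field` timestamp falls in the last `hours`.

    field is "st_ctime" (inode change) or "st_mtime" (content change). Symlinks are not
    followed and unreadable files are skipped, so the sweep survives a host that is
    still being modified underneath it.
    """
    cutoff = (time.time() if now is None else now) - hours * 3600
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded trees in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in excludes]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or getattr(st, field) < cutoff:
                    continue
                md5, sha1 = hash_file(path)
            except OSError:
                continue
            found.append(ChangeRecord(path, st.st_ino, st.st_size,
                                      st.st_mtime, st.st_ctime, md5, sha1))
    # Newest change first, by whichever timestamp the caller selected.
    found.sort(key=lambda r: getattr(r, field[3:]), reverse=True)
    return found


def report_line(rec: ChangeRecord) -> str:
    """One tab-separated line per file, for piping stdout to a remote collector."""
    return "\t".join([time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(rec.ctime)),
                      str(rec.inode), str(rec.size), rec.md5, rec.sha1, rec.path])


if __name__ == "__main__":
    import sys
    for rec in recent_changes(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(report_line(rec))
```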
(Webpage in reference: https://www-csoonline-com.cdn.ampproject.org/c/s/www.csoonline.com/article/3253627/leadership-management/cybersecurity-ptsd-affects-many-security-professionals.amp.html)
-Ferasdour


Cryptomining with javascript: oh noes!

Most of anyone who may happen to find this page should know by now that many antivirus companies, ad/script blocking companies, and blacklist companies have been blocking cryptomining tools like Coinhive's JavaScript API. The reason for doing this is basically that, despite it being obvious in the code that site owners /did/ want users of their site to help them mine while on the site, it's also unknown to the user until their CPU usage goes waaay up. Like being on Facebook: people are complaining more and more that their CPU usage is running crazy after visiting sites (maybe if they got off Facebook they'd realize how much less of a waste it is than being on Facebook, but who knows).

So let's play some games here:
https://coinhive.com/

Gonna generate a username for a Gmail account, then use that Gmail account for this experiment. This also lets me provide y'all with a Gmail account, because you lazy security people won't do it yourselves. For this, I'll hit up randomuser.me's API page:

Welcome to Scapy (2.3.3)
>>> import requests 
>>> requests.get("https://randomuser.me/api", verify=False).json()['results'][0]['login']['username']
/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
u'crazyfish907'

 crazyfish907@gmail.com - SuperTux - (both gmail account and coinhive account)
site Key (public): VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNpl
 
Now that this junk is out of the way, let's go through this and see what we can do to get ourselves flagged or blacklisted or whatever else. https://coinhive.com/documentation/miner -> the synopsis section should be basic enough to get us running. But I'm going to load the JS miner from my own copy of it, because why not. ;)

<html>
<head>
<title> Experiment Miner Party </title>
</head>
<body>
<script src="coinhive.min.js"></script>
<script>
        var miner = new CoinHive.Anonymous('VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNpl', {throttle: 0.9});
        miner.start();
</script>
</body>
</html>
See, this should be easy enough. http://0daz.io/miner.html, of which, wow, Trustwave already has this set to malicious (https://www.virustotal.com/#/url/f3d7e1faefed7ee1d6e58450b645d26f131debfb85a50563d28cd24c3f8aa0da/detection).

So, I realized I don't have a Monero account; let's fix that. My private key from MyMonero (well, private enough for me to share publicly ;) ): gutter boss being budget army umbrella ethics eternal jittery offend afield stellar gutter -> address: 49pJYQxPDkE7fzM1rqeg6sUn5RizMuj1TULqpCPLwMmdTzxg3n3pLjEV95KfnMxSAKGDjRL9qBYsn6cFyxjBzw2XAgVV2v3


Now then, we're all set. Guess this makes me a criminal, right? Setting up mining software on a public website?

/sigh/



BUT WAIT! THERE'S MORE!

Let's also go ahead and see just what that JavaScript file I stole from them does. To start with, I'll run the entire script through the online JavaScript beautifier (http://jsbeautifier.org/) and hopefully we get a nicer output.

http://0daz.io/coinhive.min.js

It looks a little nicer, but still pretty much like shit. But anyway, let's see here.

- function for the window
-- variable miner which takes the associated parameters and the site key
--- site key is used for CoinHive.Auth
---- CoinHive auth seems to spawn from the asmjs worker function, so let's dig into that. (https://coinhive.com/lib/worker-asmjs.min.js)
----- Because I wanted my output beautified, I'm going to again clone the code for educational purposes and post a copy after being run through the jsbeautifier. http://0daz.io/worker-asmjs.min.js
------ In this code we can see the Auth_URL, miner_url, and captcha_url. I really only care at the moment about the miner and auth data. Really this is pretty much just the entire cryptonight worker blob part shown in the first page. Looks nicer now though. ;)
----- miner_url: view-source:https://coinhive.com/media/miner.html -- this pretty much shows us examples of how this could/should be made.
----- Auth_URL: view-source:https://authedmine.com/authenticate.html The following part is pretty much all I care about on this page:


if (queryParam('theme') === 'dark') {
    document.body.className = 'dark';
}
document.getElementById('content').style.display = 'block';

// Adjust IFrame height
var p = window.parent;
p.postMessage({type: 'coinhive-auth-height', params: {
    height: document.body.clientHeight + 32
}}, "*");

// Handle buttons
document.getElementById('cancel').addEventListener('click', function(){
    p.postMessage({type: 'coinhive-auth-canceled'}, "*");
});

document.getElementById('accept').addEventListener('click', function(){
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function() {
        if (xhr.readyState === xhr.DONE){
            p.postMessage({type: 'coinhive-auth-success', params: {
                token: JSON.parse(xhr.responseText).token
            }}, "*");
        }
    };
    xhr.open('POST', '/auth/');
    xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");
    xhr.send('auth&key='+encodeURIComponent(siteKey));
});

Which seems to be:
>>> requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNpl"}).text
u'{"token":"1518280609.777d618e78957ca66a55517f7bd0e3c0"}'
------ What do you suppose this token is?
------- Some little games to play, for study purposes:
>>> requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNpl"}).text
u'{"token":"1518280609.777d618e78957ca66a55517f7bd0e3c0"}'
>>> requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNp2"}).text
u'{"token":"1518280843.dd6de251c1edd0df3de9e445500c65b4"}'
>>> requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNp3"}).text
u'{"token":"1518280848.87d106d9b0ffb41887eaa4ff4b44e034"}'
>>> requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNp4"}).text
u'{"token":"1518280853.586ce5cb2a256fd3bb728d7053935f03"}'
>>> len(requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNp4"}).json()['token'])
43
>>> len(requests.post('https://authedmine.com/auth/', headers={"Content-type":"application/x-www-form-urlencoded"}, data={"auth":"","key":"VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNp4"}).json()['token'].split(".")[1])
32
Did you see it? Did ya? Predictability patterns, maybe? Generate whatever you want? Anyway, that's not my point here.

My point:
  • There isn't really anything malicious in the code, and just because something uses "CoinHive.CRYPTONIGHT_WORKER_BLOB" or anything related to cryptonight doesn't make it malicious.
  • Yes, you can make this entire chain run without needing a secondary validation; that's why people are weaponizing it.
    • To weaponize, which we didn't really discuss, simply set up the page as a single blob and run the blob with cscript (you know how to get there already if you are wanting to do this sort of thing; I shouldn't have to explain that one).
    • If you find other ways to escape, drop it in the registry and load your key from a dynamic page online; use a bitly link if you want statistics on your campaign's success once on the systems ;)
    • Pretty much weaponizing this into malware requires the already well-known JavaScript tools and IOCs leveraged with any drive-by download if they want it to escape being part of a single webpage.
      • If you want to weaponize it in the sense of cryptomining procedures leveraged for other purposes, like the entirely well-written chain of events to dump onto the runtime stack? Maybe leverage this to play some games with some people? Leverage this as a drive-by download technique involving escape patterns due to replacing stackalloc with something else? idk, that's up to you and your art to determine.
  • I was asked what the real risk is with this and it's largely this:
    • Enterprises should be using best practices, like script blocking, ad blocking, etc., beforehand. They should also be using exploit monitoring tools (Malwarebytes Anti-Exploit, anyone?) and antiviruses (some have exploit monitoring built in), which should be able to determine and block this type of activity.
    • Facebook games will be the biggest threat. People allow whatever the hell the page tells them in order to play Facebook games. You could drop a RAT, mine for days, really whatever you wanted, and no one would know the difference.
    • Let people get paid for their sites so we can once and for all STOP using ads.
    • If someone weaponizes it, you should be used to monitoring for signs of infection, not signs of day-to-day activity.
With all that said, have a good day. When you see the next news or blog article about how terrible the "problem" of "cryptojacking" or "unauthorized mining" is, remember: it's either this or we continue supporting ad networks. One of these two options is intrusive, aids in infecting computers, and wastes resources even when not on the page. The other is mining tools.
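For the "script blocking" side of the risk list above, an added Python example (not the post's code) that scans an HTML document for the indicators this post walks through: a loader served from coinhive.com or authedmine.com, a self-hosted copy named coinhive.min.js or worker-asmjs.min.js, the CoinHive.Anonymous(siteKey, {throttle}) construction, and the CRYPTONIGHT_WORKER_BLOB string, which is reported only as info because, as the post says, its presence alone is not malicious. The sample input is the post's own miner.html; the host and file name lists are assumptions built from this post, not a maintained blocklist.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Indicators taken from the post; constructed sample lists, not a maintained blocklist.
MINER_HOSTS = {"coinhive.com", "authedmine.com"}
MINER_FILES = {"coinhive.min.js", "worker-asmjs.min.js"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)
# new CoinHive.Anonymous('SITEKEY', {throttle: 0.9}) -> (constructor, site key, throttle or '')
MINER_INIT_RE = re.compile(
    r'new\s+CoinHive\.(Anonymous|User|Token)\s*\(\s*["\']([A-Za-z0-9_-]{16,64})["\']'
    r'(?:[^)]*?throttle\s*:\s*([0-9.]+))?', re.I | re.S)
WORKER_BLOB_RE = re.compile(r'CRYPTONIGHT_WORKER_BLOB')

# The post's own test page (miner.html), embedded here as sample input.
SAMPLE_HTML = """<html>
<title> Experiment Miner Party </title>
<body>
<script src="coinhive.min.js"></script>
<script>
        var miner = new CoinHive.Anonymous('VkhSGrRAeoIC2nuWiAnBFBQ3LWpyzNpl', {throttle: 0.9});
        miner.start();
</script>
</body>
</html>"""


@dataclass
class Finding:
    kind: str      # script_src | miner_init | worker_blob
    value: str
    severity: str  # high | suspicious | info


def scan_html(html: str) -> List[Finding]:
    """Collect miner indicators from one HTML document (inline content only; nothing is fetched)."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).netloc.lower()
        name = src.rsplit("/", 1)[-1].lower()
        if host in MINER_HOSTS:
            findings.append(Finding("script_src", src, "high"))
        elif name in MINER_FILES:
            # Self-hosted copy: a domain blocklist never sees coinhive.com here,
            # but the loader's file name still gives it away.
            findings.append(Finding("script_src", src, "suspicious"))
    for ctor, key, throttle in MINER_INIT_RE.findall(html):
        # A site key handed to the miner constructor is the decisive indicator. Coinhive's
        # throttle is the idle fraction, so 0.9 leaves roughly 10% CPU duty per thread.
        findings.append(Finding("miner_init",
                                f"CoinHive.{ctor} key={key} throttle={throttle or 'unset'}",
                                "high"))
    if WORKER_BLOB_RE.search(html):
        # Present in any copy of the worker source; on its own it proves nothing.
        findings.append(Finding("worker_blob", "CRYPTONIGHT_WORKER_BLOB", "info"))
    return findings


def verdict(findings: List[Finding]) -> str:
    """'miner' if a loader or miner construction was seen, 'review' for weaker hints, else 'clean'."""
    severities = {f.severity for f in findings}
    if "high" in severities:
        return "miner"
    return "review" if severities else "clean"


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"[{f.severity}] {f.kind}: {f.value}")
    print("verdict:", verdict(scan_html(SAMPLE_HTML)))
```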

K thnx. 

-Ferasdour





2.02.2018

hackers attack local restaurant, no wai!

Just wanted some satirical reference to people's surprise when hackers hit their services.
Now, let's pretend you own a local, family-owned burger stand. You pay for the internet like it's your home network; you use Square, or PayPal business, or whatever to take credit cards. Let's even go ahead and say you've been around a while and bought an actual network-connected, service-driven credit card machine. Let's say it's even through the town's primary bank, because: small town, small business, no one would hack them. There is nothing in it for them, right?
Bam, it happens.

You thought hackers would target bigger and bigger companies because of bigger payoffs. You were thinking this because people say hackers are mostly in it for the money, or revenge. So next you're thinking: who hates us enough to have done this? Well, that one guy who was disappointed with our food last week? Maybe? Let's tell the cops we know it was him, because he's the only person it could have been. Hackers always have a motive.

But wait, let's step back: how long did they actually stay in, from entry until someone noticed?

Well, we could look at statistics and all, or we can look at the evidence. In this case, the router password was changed at some point. No idea when. So you get some tech guy to come in and reset it. Well, there goes your evidence from that point. What about the systems themselves, maybe? We found a computer in the back that was connected for doing social media for the establishment. This computer was, as expected, infected with multiple viruses going to multiple domains. But they had antivirus, so it's the AV company's fault! That's it! No... no it's not. Let's look some more. As it turns out, with all that social media presence, all anyone has to do is be friends with them on socialmediasite1 and share an infected page.

But then, how did they get everyone's money? Why is the bank saying thousands went missing overnight to multiple accounts?

With the assistance of the police, a forensics firm comes into play because, well, money. They try to recover data from the router and image everything. They then dig through what they have and find a number of other issues.

- The register systems they use run a badly outdated Linux kernel, which has been exploited.
- Those registers also have outdated VPN software, known to be vulnerable to MITM of VPN traffic.
- The credit card machine itself has an outdated Linux kernel but otherwise a pretty solid service structure. But it also has a web interface for management from a computer. They found evidence the web service was exploited, er, well... abused, with default credentials no one told them to change. File upload via the update form, changed location, launched from web viewing.
- All communications appear to be coming from a well-known VPN service hosted in another country.

Well, shit, what now? If we don't pursue this, the bank won't let us keep the money they gave us under the business insurance agreement.

So, please take the time to consider your local businesses and the security they uphold. Telling them about security flaws ahead of time may actually prevent this from happening.

K thnx.
-Ferasdour
