> I want to dedicate this guide to the victims of the assault on the Armando Diaz school, and to all those whose blood has been spilled at the hands of Italian fascism.
For those who don't know, they are referring to the 2001 Armando Diaz school attack [1] (warning: graphic), where hundreds of G8 pacific protesters were brutalized and tortured by Italian police. Whilst the police have been found guilty of this, none of the policemen is serving any jail time.
That was the one sentence that stood out to me as well. I can imagine this was an incident that had a high impact on "Fisher". I remember watching a live-stream of the incident broadcast from the building on the other side of the road (which was thankfully the building where my friends stayed).
My friends went inside the school after the raid and took pictures that I can't get out of my head to this day. The whole building looked like a slaughterhouse with blood everywhere. Blood-stains on radiators indicating that people's heads were repeatedly smashed against them. I also remember the screams you could hear on the live-stream. First it was people yelling "pacifisti" and then just screams for 20 minutes until the screaming stopped and ambulances arrived.
That shit really paves the way for young activists' continuous fight against fascism of any kind.
Very possible that the reference is sunblock, that is a counter-measure to waste the time of anyone trying to track them down and burn them.
Fisher is experienced enough to know any information they leak will be used against them. My guess is that the event is either symbolic or meant to build on a persona used to find people like them; the post provides a means of contact.
Regardless of their intent, as made clear by my other comment, this was a tragic event, and the police should be held accountable.
>> "hundreds of G8 pacific protesters were brutalized and tortured by Italian police. Whilst the police has been found guilty of this, none of the policemen is serving any jail time."
If police commit crimes, they must be held accountable.
Plenty of police in jail in America. They're just harder to convict. Easier to get them fired. Italy is exponentially worse than America on this issue.
And I say that as an activist against police corruption here who also lives in a murder capital. Police pulling shit that bad here is rare outside the "hoods" where it's thugs and low income people nobody cares about. Still usually just a ticket, thrown on a car, or a brief taser. The worst plant shit on people but they're very rare.
Thanks for the link. I'm shocked that I never saw this on US media. Idk if it was censored or I just missed it. This is so brutal it puts Abu Ghraib to shame, especially given the targets. Makes me want to get a team together and take a plane to Italy to clean house.
Doubt it would help much at this point. Damage is done. Still pisses me off though.
So, it got some coverage but maybe not enough or not in what news I was reading. Still strange given the magnitude of the event and the anti-fascist demographic here. Figured they'd do it for ratings at the least.
For anyone who doesn't follow infosec: This guy is responsible for two of the most impressive hacks recently and still hasn't been doxed or arrested. And so the linked doc is awesome if only for the opsec tips it provides. And it provides much more than that. It really gives you some perspective on how much work an attacker will put into breaking into your network and the kind of structured approach they're taking. Plus it's very hands on and is educational and current whether you're black or white hat. If you read nothing else in infosec this month, read this.
He's likely to be identified as he gets more brazen. Even authoring this volume of text is risky, and there are other notes from the same author linked within. Spelling can be used to approximate region and phrases or errors such as "the hard of the business" ("heart of") and "passtime" ("pastime") are even stronger markers. Of course there's no way to tell if these are unintentional or planted errata.
I'm grateful for the information. It's incredibly interesting, but it might come at great expense to the author.
This text is a translation. The original is in Spanish. It might have its own mistakes and traces, although I am not knowledgeable enough to detect country-specific patterns. http://pastebin.com/raw/GPSHF04A
Presumably, given that they talk about EU culture^W^W^W^W (see comment below) have a https://securityinabox.org/es/… link, the author is from Spain, which would make it easier to pinpoint an origin, as Spain has a wider spectrum of language differences than in most other Spanish-speaking countries.
Since there is a link to http://madrid.cnt.es/, they maybe live in the capital, which weighs 3 million inhabitants.
That's an error in the translation: "EEUU" is the Spanish acronym for "Estados Unidos", referring to the United States of America, not the EU (in Spanish, "UE" for "Unión Europea").
Did you verify that the stuff you referred to as only being known if you follow Italian news is not on the net? Don't those Italian news outlets have websites?
This guy seems to be pretty good at googling around for stuff.
Your comment about spelling and phrases reminds me of the NYT's Dialect Quiz Map. I tried it and it was accurately able to guess where I was originally from. While not useful by itself, I could see it being handy as part of an overall investigation.
Hadn't seen it before and so looked it up -- pretty neat. Unfortunately the "results page" was broken, but the individual questions & associated heatmaps were still very interesting. Thanks!
That's the thing: HT or Gamma, without the co-operation of international law enforcement, presumably would have a very hard time finding these people in a legal manner. So what's going on up there?
Wow, this is great. Feels like reading phrack in the 90s. Anyone know of similar, contemporary resources on hacking?
This stuff is gold:
> NoSQL, or rather NoAuthentication, has been a great gift to the hacker community [1]. Just when I was worrying that all MySQL's sins of omission had finally been patched [2][3][4][5], these new databases appear, lacking authentication by design. Nmap found a few in Hacking Team's internal network:
Not to mention:
> As fun as it was to listen to captures and watch webcam images of Hacking Team developing its malware, it wasn't very useful. Their insecure security backups were the vulnerability that threw the doors open. According to the documentation [1], their iSCSI systems should have been on a separate network, but nmap count a few of them in their 192.168.1.200/24 subnet:
I can just hear someone saying to themselves, four years ago, "This backup stuff should be on a separate subnet, but for now this appears to be working. Make a note-to-self to secure it later." ....
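The two quoted findings (a database with no authentication and backup storage sitting on the same subnet as the workstations) are both things a defender can check mechanically before anyone else does. The following is an added example, not code from the original writeup or from Hacking Team: it audits a parsed mongod.conf-style dict for the "NoAuthentication" condition and checks whether an iSCSI portal address falls inside a user network instead of a dedicated storage network. The weak and hardened configurations, the 10.99.0.0/24 storage VLAN and the 192.168.1.0/24 user subnet are all constructed for the example; the MongoDB keys (`net.bindIp`, `security.authorization`) are the real option names.

```python
import ipaddress

# Constructed mongod.conf fragments, shown as parsed dicts; not taken from the leaked material.
WEAK_MONGOD = {
    "net": {"bindIp": "0.0.0.0", "port": 27017},
    # no "security" section: MongoDB then runs with authorization disabled
}

HARDENED_MONGOD = {
    "net": {"bindIp": "127.0.0.1,10.20.0.5", "port": 27017},
    "security": {"authorization": "enabled"},
}


def audit_mongod(config: dict) -> list:
    """Return findings for a parsed mongod.conf-style dict (an empty list means no issue)."""
    findings = []
    bind_ip = str(config.get("net", {}).get("bindIp", "127.0.0.1"))
    authz = config.get("security", {}).get("authorization", "disabled")
    # every listening address that is not loopback is reachable from the network
    exposed = [ip.strip() for ip in bind_ip.split(",") if not ip.strip().startswith("127.")]
    if authz != "enabled":
        findings.append("security.authorization is not enabled: any client that can connect has full access")
    if "0.0.0.0" in exposed or "::" in exposed:
        findings.append("net.bindIp listens on all interfaces")
    if exposed and authz != "enabled":
        findings.append("unauthenticated database is reachable from the network")
    return findings


def iscsi_portal_findings(portal_ip: str, storage_net: str, user_nets: list) -> list:
    """Flag an iSCSI portal that is not confined to the dedicated storage network."""
    ip = ipaddress.ip_address(portal_ip)
    findings = []
    if ip not in ipaddress.ip_network(storage_net):
        findings.append(f"iSCSI portal {portal_ip} is outside the storage network {storage_net}")
    for net in user_nets:
        if ip in ipaddress.ip_network(net, strict=False):
            findings.append(f"iSCSI portal {portal_ip} is reachable from user network {net}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MONGOD), ("hardened", HARDENED_MONGOD)):
        print(name, audit_mongod(cfg) or ["ok"])
    # constructed addresses: the storage VLAN is assumed to be 10.99.0.0/24
    print(iscsi_portal_findings("192.168.1.200", "10.99.0.0/24", ["192.168.1.0/24"]))
```

The point of the segmentation check is that "it works" is not evidence of isolation: a portal that answers on the user subnet is exactly the case the quoted passage describes, and it is cheap to test against an inventory of storage targets on a schedule.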
I can't understand what you really meant with your questions, but no, usually you don't get the chance to vote on laws. As a citizen (at least an Italian one) you are allowed to vote for parties which in the end vote for the laws. So I don't have the right to directly vote for a law. I can only delegate someone to decide laws for me, and this is a broken system, at least in 2016 when I think we have all the technology to allow individual votes or at least a better delegation mechanism.
>Thanks to the hardworking Russians and their exploit kits... many businesses already have compromised machines in their network. Almost all of the Fortune 500, with their enormous networks, have a few bots on the inside
I could definitely believe that, having worked at a few, they have massive infrastructure and many users that are extremely relaxed about security in general.
What then struck me was the way he casually decided to hack a VPN (!). Is it really so straightforward? And the way he seemed confident about testing his exploit on other compromised machines without detection.
I'm always paranoid every time I type 'last' on my Linux box, wondering if the thing is really compromised and totally lying to me - now I'm even more so!
> What then struck me was the way he casually decided to hack a VPN
He's intentionally vague, but given he mentions two routers and two vpn systems, it's highly probable that he's referring to one of the two routers (which is embedded, and has firmware).
Furthermore, he refers to a website[1] which predominantly deals with routers.
HackingTeam's latest sample is a very fresh sample compared with what we got in the past; it is a sample created after the July 2015 hack, and it's using the same code base as before. HackingTeam is still alive and kicking, but they are still the same crap morons as the email leaks have shown us.
My heart bleeds. The question is, how hard is it for a company like that to get an individual license if they have a cozy relationship with law enforcement, which wouldn't be very surprising in their case?
I'm really happy to see the translation getting around this far. It's an amazing text, & I'm glad my quick & dirty translation job got it out there mostly intact. I never really gave it a proper proofread, so thanks for catching those mistakes. More importantly, though, Phineas Fisher himself has just released his own translation. And, having just discovered that ghostbins are editable, I added a URL to his version at the top of the text. Here it is again: http://pastebin.com/raw/0SNSvyjJ
I was curious why he was using domain names instead of tor hidden service or other p2p networks. Turns out that using domain names provides a backup communications channel (DNS) that gets through pretty much any firewall.
The other thing to remember is that Tor traffic is generally rare and few places have a business case for it so it's more likely to be monitored, just as in the past many places used to watch for IRC connections since it was infinitely more likely to be a botnet control channel than Fred in accounting seeing whether #quickbooks existed.
DNS, HTTPS to some random AWS/Azure/etc. endpoint, etc. are common as dirt and enough harder to monitor that many places either don't try or struggle to do so effectively.
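The comments above make the defender's problem concrete: DNS is allowed everywhere, so a control channel that rides on it hides in the noise. It is still not invisible. The following is an added example, not code from the original writeup or from any tool it names: it runs a simple detection over constructed resolver log lines (format "client qtype qname", assumed for the example) and flags a client that queries many distinct, high-entropy subdomains under one registered domain, which is the shape DNS-based command-and-control or exfiltration tends to take. The "registered domain" is approximated as the last two labels; a real deployment would use a public suffix list instead (an assumption worth replacing).

```python
import math
from collections import defaultdict

# Constructed resolver log lines ("<client> <qtype> <qname>"); not real traffic.
# 10.0.0.12 browses normally; 10.0.0.31 sends four TXT queries whose first label
# is 32 hex characters, which is what encoded data in a query name looks like.
SAMPLE_LOG = """\
10.0.0.12 A www.example.com
10.0.0.12 A mail.example.com
10.0.0.12 A api.example.com
10.0.0.12 A docs.example.com
10.0.0.31 A www.example.com
10.0.0.31 TXT 3f0a9c1e7b2d5846d17e2a0c9f8b3546.cdn-updates.example.net
10.0.0.31 TXT 8b4d2f6a0e1c3957c5e9a3f7b1d80264.cdn-updates.example.net
10.0.0.31 TXT 6a2c8e0f4b1d39573f0a9c1e7b2d5846.cdn-updates.example.net
10.0.0.31 TXT d17e2a0c9f8b35468b4d2f6a0e1c3957.cdn-updates.example.net
""".splitlines()


def shannon_entropy(text: str) -> float:
    """Bits per character; hostnames like 'www' score near 0, encoded data near 4 or more."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # assumption: last two labels; use a public suffix list in production
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    client, qtype, qname = line.split()
    return client, qtype.upper(), qname.lower()


def find_suspicious(lines, min_unique=4, min_entropy=3.5):
    """Group queries by (client, registered domain) and flag tunnel-like clusters."""
    stats = defaultdict(lambda: {"subs": set(), "entropies": [], "txt": 0})
    for line in lines:
        if not line.strip():
            continue
        client, qtype, qname = parse_line(line)
        domain = registered_domain(qname)
        sub = qname[: -len(domain)].rstrip(".")
        entry = stats[(client, domain)]
        if sub:
            entry["subs"].add(sub)
            # entropy of the leftmost label only; that is where encoded payloads go
            entry["entropies"].append(shannon_entropy(sub.split(".")[0]))
        if qtype == "TXT":
            entry["txt"] += 1
    hits = []
    for (client, domain), entry in stats.items():
        if len(entry["subs"]) < min_unique:
            continue
        mean_entropy = sum(entry["entropies"]) / len(entry["entropies"])
        if mean_entropy >= min_entropy:
            hits.append({
                "client": client,
                "domain": domain,
                "unique_subdomains": len(entry["subs"]),
                "mean_entropy": round(mean_entropy, 2),
                "txt_queries": entry["txt"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Thresholds of four unique names and 3.5 bits are deliberately low so the constructed sample trips them; on real logs you would tune per domain and add an allowlist for CDNs and anti-virus vendors, which legitimately generate many random-looking subdomains.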
This is pretty normal for a paid penetration test - but it's got far more technical detail than you'd normally see. I don't think the person behind this has revealed anything particularly new, they just know their tools really well.
Agreed. However, in a formal penetration testing engagement, the tester will usually only record and document their exact steps because they have to provide a detailed report to their client. This hacker didn't have that same obligation. I'm speculating that he is probably a habitual note taker. In this way, if he ever comes across similar challenges when attacking a new target, he has his notes to refer to.
I was curious to read this piece to see how closely the approach, techniques and tools he uses compare to how penetration testers are formally trained in the info sec industry. For what it's worth, the methodology in terms of reconnaissance, privilege escalation and lateral movement within the network are typical. Also, most of the tool set he uses (e.g. mimikatz, responder, meterpreter, powersploit, psexec) are part of any good penetration tester's arsenal.
I'm not trying to down play the achievement though. He is clearly very skilled and knowledgeable. Of particular note, it seems that the initial intrusion was only possible because 'after about two weeks of reverse engineering, I discovered a remote root exploit' in an embedded system. He doesn't provide technical details of the exploit but finding a 0-day in an embedded system is usually far from child's play.
Well, the author's day job might be as a "whitehat" for a state sponsored entity -- it's even possible/plausible the author could be one of the HackingTeam -- perhaps motivated by company politics to expose them.
Wow this person is impressive, the details of the attack and the preparation almost make it read like a Hollywood hacker movie script (if they made good movies about hacking that is...).
I think they're saying that's how much time it took them from the position they started from. Obviously if you have to learn it all and study it's going to take an order of magnitude or two longer.
Could you expand on your comment? My understanding is that if a party can't tie a wallet to an identity then it is anonymous. So if you can acquire bitcoins (e.g. mining) and purchase something (e.g. VPS) without giving up your identity then you are solid.
I've heard conflicting information as far as this goes.
Thinking this through- an adversary who's watching the block chain probably knows some inputs and some outputs. As in, these addresses belong to an exchange, these addresses belong to a hosting company.
Okay, fine. Now remember that any user can literally create wallets out of thin air, and in fact doing so is considered basic security hygiene. Let's say Joe User transfers one coin from one wallet to another wallet under their control. Let's say they do this 20 times, sometimes with the full amount, sometimes less.
How does the adversary attach an identity to those transactions?
You have to use your bitcoins someday. Either to buy real currency or real goods. Then you know where the money went TO. Tracing the transactions back (where the money came FROM) is then not a big deal - full history is in the blockchain.
So as long as you don't do a transaction that connects your identity to any bitcoin address, you are fine. But to use bitcoins you are almost always required to do it (it's an electronic financial transaction; they are governed by law to have an identity, but of course you can find entities who do not follow these laws).
Only as you say if you convert them into a "real" currency. If they only used their Bitcoin to purchase goods (such as VPS) which was not tied to a physical address, then they could still remain anonymous.
As for where the Bitcoins came from, I'm sure the author of this document would have some digital assets they could sell on the darknet to acquire some Bitcoin. Where those Bitcoin originated then would not be their problem.
Nobody that I can remember has been able to identify the large bitcoin thefts over the years by tracking the coins, those people cashed out somehow. However the SEC filing on Pirateat40's ponzi scheme was remarkably detailed, they were able to track every single coin he received and prove he spent it on himself.
I would imagine others use JoinMarket to mix up the coins[1], use coin control[2] to exchange for other cryptocurrency p2p, or other obfuscation methods like buying up high demand items with bitcoin then selling them remotely for other bitcoins.
Just by following the flow of the money between wallets? Assuming that at least one of the wallets can be connected to an identity, guessing that the others belong to the same person shouldn't be too difficult, just by observing transaction patterns.
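The thread above argues both sides: shuffling coins between self-created wallets versus the fact that the full history is public. The following is an added example, not code from the original writeup, that shows what the second side is pointing at using a constructed toy ledger (address names like `w1` and `ex1` are labels, not real Bitcoin addresses). It implements the common-input-ownership heuristic (addresses spent together in one transaction are assumed to share an owner) and a backward walk from a known cash-out point to the known entity the coins came from. Both are standard analysis ideas; the ledger, the "known entities" table and the address names are assumptions for the example.

```python
from collections import defaultdict

# Constructed toy ledger: each transaction spends input addresses and pays output addresses.
TXS = [
    {"id": "t1", "inputs": ["ex1"], "outputs": ["w1"]},          # withdrawal from an exchange
    {"id": "t2", "inputs": ["w1"], "outputs": ["w2", "w3"]},     # user splits across own wallets
    {"id": "t3", "inputs": ["w2", "w3"], "outputs": ["w4"]},     # co-spend: w2 and w3 now look co-owned
    {"id": "t4", "inputs": ["w4"], "outputs": ["host1", "w5"]},  # pays a hosting company, w5 is change
    {"id": "t5", "inputs": ["other1"], "outputs": ["host1"]},    # an unrelated customer of the same host
]

# Constructed "attribution" table: addresses an analyst has already tied to an entity.
KNOWN = {"ex1": "exchange", "host1": "hosting-company"}


def cluster_common_input(txs):
    """Union-find over addresses that are spent together in a single transaction."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for tx in txs:
        for addr in tx["inputs"]:
            find(addr)                      # register every spending address
        for addr in tx["inputs"][1:]:
            union(tx["inputs"][0], addr)    # co-spent inputs are assumed co-owned
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]


def trace_back(txs, target):
    """Walk the graph upstream from `target` until a known entity is reached.

    Returns (every address visited, set of entity names found upstream).
    """
    producers = defaultdict(list)           # address -> transactions that paid it
    for tx in txs:
        for out in tx["outputs"]:
            producers[out].append(tx)
    seen, origins, stack = set(), set(), [target]
    while stack:
        addr = stack.pop()
        if addr in seen:
            continue
        seen.add(addr)
        if addr in KNOWN and addr != target:
            origins.add(KNOWN[addr])        # stop at an attributed address
            continue
        for tx in producers.get(addr, []):
            stack.extend(tx["inputs"])
    return seen, origins


if __name__ == "__main__":
    print([sorted(c) for c in cluster_common_input(TXS) if len(c) > 1])
    visited, origins = trace_back(TXS, "host1")
    print(sorted(visited), origins)
```

Two things the example makes visible: the twenty self-transfers discussed above do not break the chain, because every hop is a transaction that can be followed backwards, and one co-spend (t3) is enough to merge wallets the user thought were separate. The walk also picks up `other1`, an unrelated payer, which is the usual false-positive cost of this kind of tracing and why attribution needs more than the graph alone.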
[1]: https://en.wikipedia.org/wiki/2001_Raid_on_Armando_Diaz