Spacerogue.net: L0pht, @spacerog, Hacker News Network, @Stake, Tenable
THIS IS AN EXERCISE
IN THINKING - AND - REALITY
Security can be defined as
the science of things that shouldn't happen.
"There's always a way in"
THIS IS REAL
You're only as secure as your least encrypted hop.
via Goldman "the #1 threat to the US electrical grid is squirrels." - John Inglis, Former Deputy Director, NSA 7/9/15
Squirrel Steals GoPro, Shoots Video Game Worthy POV Run Through a Tree
"L0pht also spread the word about security discoveries through the Hacker News Network, run by Space Rogue" and they told the useless bastards in Congress all about it back in 1998. BUT NO ONE LISTENED and the American Government is unprepared in 2015!!!
Mudge has a long history in the hacker and security communities. While a member of L0pht, he and his L0pht colleagues testified to federal lawmakers in 1998 that the group could bring down the internet in 30 minutes using a serious flaw that still exists.
SO MEET THE REAL PEOPLE
OUR REAL HEROES
CHANGE THE WORLD
Those who've worked in the federal IT sector have always suspected it, but now it's official with an academic study of federal government IT systems. The reason why federal IT is so bad and outdated is ...wait for it, wait for it... P O L I T I C S !!!
Study documents why Federal IT is so outdated :
A ComputerWorld article reviews a recent study, and the study itself (by Min-Seok Pang, assistant professor at the Fox School of Business at Temple University) can be downloaded from the Social Science Research Network. A related GAO report was released in May 2016. Many former federal programmers, now 70+ years old and retired, have been called back in to keep antiquated mainframes running the old COBOL programs.
Hackers Testifying at the United States Senate, May 19, 1998 (L0pht Heavy Industries)
Your computers, they told the panel of senators in May 1998, are not safe — not the software, not the hardware, not the networks that link them together.
The companies that build these things don’t care, the hackers continued, and they have no reason to care because failure costs them nothing. And the federal government has neither the skill nor the will to do anything about it.
@dotMudge "Make a dent in the universe. Find something that needs improvement: go there, and fix things. If not you, then who? :)" known for L0pht, L0phtcrack, DARPA Cyber Fast Track, Testimony to the Senate VIDEO, CULT OF THE DEAD COW
MUDGE receives ORDER OF THOR thank you for your service to the nation.
2015 Peiter Zatko [ Mudge ] left his job at Google to explore ways to help U.S. government make software more secure.
2016 Peiter Zatko and his wife Sarah Zatko deliver the Cyber Independent Testing Lab grading tool they were asked to develop to push software makers to improve their code. Now you know what you are buying and can avoid buying crap!!!
"Goodbye Google ATAP, it was a blast. The White House asked if I would kindly create a #CyberUL, so here goes! — .mudge (@dotMudge) June 29, 2015"
"The new gig is not in the Whitehouse. Thanks for the encouragement. It's all very exciting! I'll be out of pocket as I move back east. — .mudge (@dotMudge) June 29, 2015"
The CyberUL Zatko referred to is a body that many security pros have wished existed for nearly two decades, one inspired by Underwriters Laboratories, the 111-year-old company that tests products of all kinds for safety, but dedicated to cyber security. The idea for a CyberUL was first proposed in 1999 by L0pht Heavy Industries, a hacker think tank based in Cambridge, Mass., of which Zatko was a member.
Mudge says he’s not upset about the prospect of lawyers finding joy in their scores. “We’ve been begging people to give a shit about security for a decade. …
2016 Mudge's interest in doing software security assessments dates back to a paper one of his L0pht colleagues wrote in 1998 about such evaluations. The idea moved from theory to practice when L0pht merged with a security startup called @Stake and began developing an automated way to do static analysis of code. That method became the basis for what a company called VeraCode does today: assess software for government and corporate clients before they buy it. When Mudge announced on Twitter last year that the White House had asked him to create a cyber version of Underwriters Laboratories, praise poured in from around the security community. He says the method their lab uses to evaluate software is based on one he taught NSA hackers in the 1990s about how to find the softest targets on an adversary’s network. (During his run back then with the famed hacker think tank L0pht Heavy Industries, Mudge and his L0pht colleagues regularly provided advice to various parts of the government.)
Mudge and his wife, Sarah, a former NSA mathematician, have developed a first-of-its-kind method for testing and scoring the security of software — a method inspired partly by Underwriters Laboratories, that century-old entity responsible for the familiar circled UL seal that tells you your toaster and hair dryer have been tested for safety and won’t burst into flames. Called the Cyber Independent Testing Lab, the Zatkos’ operation won’t tell you if your software is literally incendiary, but it will give you a way to comparison-shop browsers, applications, and antivirus products according to how hardened they are against attack. It may also push software makers to improve their code to avoid a low score and remain competitive. The technique involves, in part, analyzing binary software files using algorithms created by Sarah to measure the security hygiene of code. During this sort of examination, known as “static analysis” because it involves looking at code without executing it, the lab is not looking for specific vulnerabilities, but rather for signs that developers employed defensive coding methods to build armor into their code. “There are applications out there that really do demonstrate good [security] hygiene … and the vast majority are somewhere else on the continuum from moderate to atrocious,” Peiter Zatko says. “But the nice thing is that now you can actually see where the software package lives on that continuum.”
Chris Wysopal, CTO of VeraCode and a former L0pht colleague of Mudge’s, says clients generally won’t purchase software his company finds problematic until the software maker fixes the problems, which he says is great for other buyers. “To me that’s like actually finishing the job; we’re not just pointing out the problems but helping make better software,” he says. They’re working with Consumer Reports, another inspiration for the lab, to develop a way to use their data to evaluate products the magazine tests. They’ve also had interest from AIG and other insurers who want to use the data to do risk-assessments of companies seeking cyber insurance.
In 2015 A disaster foretold — and ignored
L0pht’s warnings about the Internet drew notice but little action
The L0pht in Boston, where they hack. Standing, from left, are Brian Oblivion, Kingpin, Space Rogue, their associate Meg A. Haquer and Weld Pond. Seated, from left, are Stefan Von Neumann, Mudge and Tan.
Chris Wysopal @WeldPond Co-founder, CTO of Veracode. Former L0pht researcher, developer, and de-obfuscator. Passionate about application security & security transparency. Boston, MA · veracode.com/blog/
No Patch For Incompetence: Our Cybersecurity Problem Has Nothing to Do With Cybersecurity. There is no patch or security update for systematic, glaring incompetence. Put bluntly, the problem lies not in some esoteric computer science problem. Rather, it is a matter of continuously selecting for and rewarding incompetence. Heads have rolled in government for far lesser setbacks than the OPM hack, yet the administration evinces “confidence” in the woman that presided over the wholesale theft of millions of government workers’ sensitive information.
2015 "We have the same security problems," said Space Rogue, whose real name is Cris Thomas. “There’s a lot more money involved. There’s a lot more awareness. But the same problems are still there.”
2015 THIS IS REAL!
CIA, FBI And Much Of US Military Aren't Doing The Most Basic Things To Encrypt Email from the are-they-that-clueless? dept
DISA’s explanation is “an unacceptable and technically inept answer,” and criticized the Pentagon for not taking security seriously and implementing STARTTLS. “I can’t think of a single technical reason why they wouldn’t use it,” he told Motherboard in a phone interview. “It’s absurd.”
The US government has no idea what it’s doing when it comes to cybersecurity. Government ranks last in fixing software security holes!
2015 You're a 60 year old judge w/ no tech background. Read this paragraph. Do you know the gov is talking about hacking?
ALL Officials in Washington and throughout the world failed to forcefully address these problems as trouble spread across cyberspace, a vast new frontier of opportunity and lawlessness. Even today, many serious online intrusions exploit flaws in software first built in that era, such as Adobe Flash, Oracle’s Java and Microsoft’s Internet Explorer. Hacking Team Flash Zero Day Weaponized in Exploit Kits.
Hi, I'd like to buy data breach insurance. Yes? I store unencrypted, sensitive data on tens of millions of federal employees.. *click*
OPM hack may have affected 32 million government employees
REAL-TIME VISIBILITY INTO GLOBAL CYBER ATTACKS from the world's largest dedicated threat intelligence network
Obama's Cyber Meltdown TOTAL FAIL
June 23, 2015 7:14 p.m. ET
If you thought Edward Snowden damaged U.S. security, evidence is building that the hack of federal Office of Personnel Management (OPM) files may be even worse.
When the Administration disclosed the OPM hack in early June, they said Chinese hackers had stolen the personal information of up to four million current and former federal employees. The suspicion was that this was another case of hackers (presumably sanctioned by China's government) stealing data to use in identity theft and financial fraud. Which is bad enough.
Yet in recent days Obama officials have quietly acknowledged to Congress that the hack was far bigger, and far more devastating. It appears OPM was subject to two breaches of its system in mid-to-late 2014, and the hackers appear to have made off with millions of security-clearance background check files.
These include reports on Americans who work for, did work for, or attempted to work for the Administration, the military and intelligence agencies. They even include Congressional staffers who left government---since their files are also sent to OPM.
This means the Chinese now possess sensitive information on everyone from current cabinet officials to U.S. spies. Background checks are specifically done to report personal histories that might put federal employees at risk for blackmail. The Chinese now hold a blackmail instruction manual for millions of targets.
These background checks are also a treasure trove of names, containing sensitive information on an applicant's spouse, children, extended family, friends, neighbors, employers, landlords. Each of those people is also now a target, and in ways they may not contemplate. In many instances the files contain reports on applicants compiled by federal investigators, and thus may contain information that the applicant isn't aware of.
Of particular concern are federal contractors and subcontractors, who rarely get the same security training as federal employees, and in some scenarios don't even know for what agency they are working. These employees are particularly ripe targets for highly sophisticated phishing emails that attempt to elicit sensitive corporate or government information.
The volume of data also allows the Chinese to do what the intell pros call "exclusionary analysis." We're told, for instance, that some highly sensitive agencies don't send their background checks to OPM. So imagine a scenario in which the Chinese look through the names of 30 State Department employees in a U.S. embassy. Thanks to their hack, they've got information on 27 of them. The other three they can now assume are working, undercover, for a sensitive agency. Say, the CIA.
Or imagine a scenario in which the Chinese cross-match databases, running the names of hacked U.S. officials against, say, hotel logs. They discover that four Americans on whom they have background data all met at a hotel on a certain day in Cairo, along with a fifth American for whom they don't have data. The point here is that China now has more than enough information to harass U.S. agents around the world.
And not only Americans. Background checks require Americans to list their contacts with foreign nationals. So the Chinese may now have the names of thousands of dissidents and foreigners who have interacted with the U.S. government. China's rogue allies would no doubt also like this list.
This is a failure of extraordinary proportions, yet even Congress doesn't know its extent. The Administration is still refusing to say, even in classified briefings, which systems were compromised, which files were taken, or how much data was at risk.
Way back in March 2014, OPM knew that Chinese hackers had accessed its system without having downloaded files. So the agency was on notice as a target. It nonetheless failed to stop the two subsequent successful breaches. If this were a private federal contractor that had lost sensitive data, the Justice Department might be contemplating indictments.
Yet OPM director Katherine Archuleta (who finally resigned about a week later without ever acknowledging accountability) and chief information officer Donna Seymour. Mr. Obama has defended Ms. Archuleta, and the Administration is trying to change the subject by faulting Congress for not passing a cybersecurity bill. But that legislation concerns information sharing between business and government. It has nothing to do with OPM and the Administration's failure to protect itself from cyber attack.
The amount of the costs is still unknown
OPM passing hack response costs to agencies
OPM to federal agencies: We got hacked, but you have to help pay for the response.
One of the article commenters said, "they take their cues from Congress: We Fucked up, you're going to pay."
After it failed to safeguard millions of files filled with sensitive personal information, the government’s personnel office is now telling other federal agencies they will be expected to cover the costs of responding to the massive computer breach. The cost of addressing the breach – which compromised security clearance files affecting 21.5 million federal workers, military personnel and contractor employees – represents an unanticipated expense hitting late in the government’s fiscal year, when agency budgets are especially tight. And agencies whose employees have been put at risk should expect to absorb even more costs in the future, according to a previously undisclosed memo from the Office of Personnel Management, whose systems were breached. In addition, agencies will have to help fund costs in 2016 and 2017.
OPM to agencies: Sorry we lost your employees' private data. Here's a bill for your share of the credit monitoring. Reading between the lines, OPM didn't have data breach insurance. Do all fed agencies self-insure for cyber?
Rick Farina talks about why the government sucks at cyber security.
6/22/15 The US Navy's warfare systems command just paid millions to stay on Windows XP
The U.S. Navy is paying Microsoft millions of dollars to keep up to 100,000 computers afloat because it has yet to transition away from Windows XP. The Space and Naval Warfare Systems Command, which runs the Navy’s communications and information networks, signed a US$9.1 million contract earlier this month for continued access to security patches for Windows XP, Office 2003, Exchange 2003 and Windows Server 2003. The entire contract could be worth up to $30.8 million and extend into 2017. The first three of those products have been deemed obsolete by Microsoft, and Windows Server 2003 will reach its end of life on July 14. As a result, Microsoft has stopped issuing free security updates but will continue to do so on a paid basis for customers like the Navy that are still using those products. The Navy began a transition away from XP in 2013, but as of May this year it still had approximately 100,000 workstations running XP or the other software. Approximately 10 percent of desktop PCs accessing websites using the StatCounter traffic reporting service during the current month were running Windows XP, giving it a market share just above that of Apple’s OS X. Data from Net Applications puts XP’s current share at just over 14 percent.
Maybe OPM should tell us what China did NOT get!!
Hackers got FBI files as part of OPM breach
Suspected Chinese hackers breached FBI agents’ personnel files as part of the broader attack on the federal government that has laid bare millions of people’s data, Newsweek reported. Putting FBI agents' data at risk could have national security implications; many investigate domestic terrorist plots and foreign spies. It’s still unclear exactly whose information has been pilfered following a massive digital siege on the Office of Personnel Management. Initially, the OPM said a hack had exposed 4.2 million current and former executive branch employees. A week later, the personnel agency revealed a second breach of a security clearance database that contained the background check files of millions of military and intelligence community. The FBI is part of the intelligence community. A widely reported estimate that 18 million people were affected by the second intrusion was disputed by OPM Director Katherine Archuleta on Thursday, who said that number could rise even higher. It’s not clear whether the reported FBI infiltration was part of the first or second breach. As an intelligence community agency, it would make sense it was part of the larger hack. But an unnamed FBI source told Newsweek the OPM notified him in May that his personnel file had been compromised, which was before the agency had started sending notices about the second breach. The FBI has more than 35,000 employees. The ramifications of those employees’ info getting out could be “mind boggling,” the source told Newsweek, “because there are counterintelligence implications, national security implications.”
Possible outcomes, from blackmail, to the unmasking of clandestine operatives, to a wholesale degradation of national security. The CIA "refused to have anything to do with the OPM and thus kept its own employees' information safe."
And if that doesn’t scare you enough, this will:
"At the Nuclear Regulatory Commission, which regulates nuclear facilities, information about crucial components was left on unsecured network drives, and the agency lost track of laptops with critical data."
Hard to Sprint When You Have Two Broken Legs
You want to know why Hillary Clinton, former Secretaries of Defense, and numerous other government staff run their own private mail servers? Most likely it's because their work-provided email DOESN'T work. Slow systems, tiny inbox quotas, inability to handle attachments, downtime, no crypto or crypto incompatible with anyone else, these are just a few of the issues out there. And it's not just email. I have personally seen a government conference room system take 15-20 minutes to log in at the Windows login prompt, due to poor IT practices. I was told that most of the time people resorted to paper handouts or overhead projectors. Yeah, like the ones you had in high school in the 90s with the light bulbs and transparencies.
TECH COMPANY FINDS STOLEN GOVERNMENT LOG-INS ALL OVER WEB Company backed by #CIA's venture capital arm found logins and passwords for 47 govt agencies across internet. Recorded Future, a social media data mining firm backed by the CIA's venture capital arm, says in a report that login credentials for nearly every federal agency have been posted on open Internet sites for those who know where to look. At least 12 federal agencies reportedly don't require two-factor authentication to access their networks. Crazy.
IRS employees can use 'password' as a password? No wonder we get hacked. should use L0phtcrack
THE HACKING TEAM Italian surveillance tech company who is a Threat to the net
Organizations such as Hacking Team or Gamma International have developed the tools and tactics needed to help oppressive governments, enabling them with the ability to track people no matter their location or how they connected to the Web. [see ProxyHam]
Read this: The Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team's "crisis procedure," it could have killed their operations remotely. The company, in fact, has "a backdoor" into every customer's software, giving it ability to suspend it or shut it down -- something that even customers aren't told about. To make matters worse, every copy of Hacking Team's Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they're targeting with it. It's one thing to have dissatisfied customers. It's another to have dissatisfied customers with death squads. I don't think the company is going to survive this. Over 1 million emails from spyware vendor Hacking Team published: WikiLeaks is now hosting, in searchable format, the entire email dump! Happy hunting!
105k$ for Flash Vuln + PrivEsc.
Finally some real prices available ;) and from
Giancarlo Russo COO Hacking Team
Hacking Team orchestrated brazen BGP hack to hijack IPs it didn’t own Hijacking was initiated after Italian Police lost control of infected machines.
Google sold #HackingTeam access to its mapping system
- AECOM, a Los Angeles-based multinational with $19 billion in revenue that has built surveillance systems for the Super Bowl
- Cyberpoint International, another American firm headquartered in Baltimore, also became a Hacking Team “partner,” selling its software to the United Arab Emirates. The company was granted a special export license by the US State Department to develop defensive cybersecurity. Its chief strategy officer, Paul Kurtz, is also the chairman of a cybersecurity center at New York University's campus in Abu Dhabi.
- NICE Systems, an Israeli surveillance company run by a former Israeli intelligence officer.
- Robotec Corporation, handles much of Hacking Team's sales in Latin America.
- Hacking Team's Capabilities
The Federal Government Hypocrisy
Our government demands accountability from others but offers little itself.
The Office of Personnel Management (OPM) has exposed tens of millions of people’s most sensitive information. The Government Accountability Office has never fired anyone ever over security breaches.
The US NSA, UK GCHQ, Chinese govt, Russian govt, etc., are totally thrilled by this OPM hack, because incidents like these provide the political fuel for far greater govt control over the Internet. Intelligence agencies all over the world, from any and all sides, gain power when govts move in to better "protect" their citizens from spies very like themselves. The fact that the U.S. govt is criminally negligent w.r.t. not protecting its employees' own private data will be completely lost in all of the hand-wringing. The press has not been holding politicians' feet to the fire on this issue, either.
Hackers Stole Secrets of U.S. Government Workers' Sex Lives. 24 Jun 2015 Infidelity. Sexual fetishes. Drug abuse. Crushing debt. They're the most intimate secrets of U.S. government workers. And now they're in the hands of foreign hackers. It was already being described as the worst hack of the U.S. government in history. And it just got much worse. A senior U.S. official has confirmed that foreign hackers compromised the intimate personal details of an untold number of government workers. Likely included in the hackers' haul: information about workers' sexual partners, drug and alcohol abuse, debts, gambling compulsions, marital troubles, and any criminal activity.
HOW MUCH MONEY DO THE BAD GUYS MAKE? Some hackers [wrong language should actually say crackers] make more than $80,000 a month — here's how.
ETHICS Public Institutions, Agencies Weakening the trust of the public.
Do you know a Ham Radio Operator? Cause when the net goes down - we all go down and the only thing left will be the ham radio which will continue to work.
All K12 Schools should have a ham radio in the office and someone who knows how to use it.
- Become a Lifeguard
- Guard our Airwaves
- YOU can save lives
- Emergency Communication http://www.arrl.org
This is real ...
Enron: The Smartest Guys in the Room Full Movie (Documentary) AKA Evil Corp.
Enron dives from the seventh largest US company to bankruptcy in less than a year in this tale told chronologically. The emphasis is on human drama, from suicide to 20,000 people sacked: the personalities of Ken Lay (with Falwellesque rectitude), Jeff Skilling (he of big ideas), Lou Pai (gone with $250 M), and Andy Fastow (the dark prince) dominate. Along the way, we watch Enron game California's deregulated electricity market, get a free pass from Arthur Andersen (which okays the dubious mark-to-market accounting), use greed to manipulate banks and brokerages (Merrill Lynch fires the analyst who questions Enron's rise), and hear from both Presidents Bush what great guys these are.
The New Enron: CEO William Reed - Castleton is the new model of commodity trading
Reed, 49, who started in the business as a junior trader of natural gas and electricity for Enron Corp. in the 1990s, put Castleton’s money to work buying power plants in Texas, coal terminals in Kentucky, oil storage tanks in Shanghai and natural-gas wells in Colorado. He capped off the dealmaking with Project Horizon: the codename for the acquisition of Morgan Stanley’s oil-trading business.
Tapes reveal Enron's secret role in California's power blackouts Enron shut down at least one power plant on false pretences, deliberately aggravating California's crippling 2001 blackouts with the aim of raising prices. The tapes also show that Enron, whose bankruptcy three years ago was the biggest corporate scandal of recent times, manipulated energy markets in Canada and was planning to rig the Californian market even before deregulation in 1998, for which the Texan corporation actively campaigned. The most damning revelations concern Enron's secret role in creating artificial power shortages in California, helping to trigger an energy crisis in 2000 and 2001 which cost residents billions of dollars in surcharges.
Movies and TV shows do a bad job of showing anything that "crackers or hackers" really do.
Enter the TV world of hackers.
"USA's Mr. Robot" is just a Hollywood TV show, where there is a long tradition of portraying hacking horribly, horribly wrong SO THEY ARE SHOWING YOU THE REAL THING NOW!
DOES SUFFERING FROM LONELINESS HAVE ANYTHING TO DO WITH THIS?
Loneliness sets off a warning system that alerts us of damage to our 'social bodies', lead researcher Dr Abraham Palmer explained in the study published on September 15 by Neuropsychopharmacology. 'And that's what we mean by "genetic predisposition to loneliness" - we want to know why, genetically speaking, one person is more likely than another to feel lonely, even in the same situation.' The study is not the first to try to find a biological link to loneliness.
The researchers also determined that loneliness tends to be co-inherited with neuroticism - a long-term negative emotional state - and depression. Weaker evidence suggested links between heritable loneliness and schizophrenia, bipolar disorder and major depressive disorder.
Dr Palmer and team are now working to find a genetic predictor - a specific genetic variation that would allow researchers to gain additional insights into the molecular mechanisms that influence loneliness.
- How the Real Hackers Behind Mr. Robot Get It So Right
- The Unusually Accurate Portrait of Hacking on USA’s Mr. Robot
- 'Mr. Robot' may be fiction, but its hacking plots are all too real
#Fsociety - The Ethics of Hactivism: a Political agenda that distrusts corporate structure.
see SOVEREIGN immunity in the United States
Sometimes you have to "Out Monster the Monster"
Motivation can be money, ideology, ego, revenge, or coercion.
Example: 2016 Ghost Squad Hackers Just Leaked Personal Data of US Military Officials and it’s Legit
The final release for #OpSilence Army database leaked, your empire ran by banks will fall US GOV. You must view these leaks in Tor Browser we are not jeopardizing our freedom. https://archive.is/s6dlh
Example: Notice Of Proposed Rulemaking. SUMMARY
The Secretary proposes to amend the regulations governing the William D. Ford Federal Direct Loan (Direct Loan) Program to establish a new Federal standard and a process for determining whether a borrower has a defense to repayment on a loan based on an act or omission of a school. We propose to also amend the Direct Loan Program regulations by prohibiting participating schools from using certain contractual provisions regarding dispute resolution processes, such as mandatory pre-dispute arbitration agreements or class action waivers, and to require certain notifications and disclosures by schools regarding their use of arbitration. We propose to also amend the Direct Loan Program regulations to codify our current policy regarding the impact that discharges have on the 150 percent Direct Subsidized Loan Limit. We also propose to amend the Student Assistance General Provisions regulations to revise the financial responsibility standards and add disclosure requirements for schools. Finally, we propose to amend the discharge provisions in the Federal Perkins Loan (Perkins Loan), Direct Loan, Federal Family Education Loan (FFEL), and Teacher Education Assistance for College and Higher Education (TEACH) Grant programs.
Are you a 1 or a 0
Follow @marcwrogers @ @ryankaz42 @wearefsociety @dotMudge @thedarktangent @fmkaplan @lancejssc @russellbrandom JΞSTΞR ✪ ΔCTUAL @th3j35t3r
Chris Wysopal @WeldPond Oct 8
Understanding the hacker culture that inspired Mr. Robot
YOU ARE EITHER A 1 or a 0
DA3M0NS.MP4 is the theme of reality, the daemons are running underneath the surface and drive our actions.
| grep root
connect to freenode IRC
YOU ARE NOT ALONE
where you will find a base64 encoded string.
I sincerely believe that banking establishments are more dangerous than standing armies, and that the principle of spending money to be paid by posterity, under the name of funding, is but swindling futurity on a large scale. – Thomas Jefferson
t.startCursor("MzkzMzUzNTM5NTMzMzk1Mzc5OTUzNzMzMzM1MzUzOTM1Mw==") is what controls the speed of the cursor clicking. Base64-decoded, the string is the ASCII digits 3933535395333953799537333353539353, where 3 is a dot ".", 5 separates letters " ", 7 represents the Morse word space "/", and 9 is a dash "-".
.-.. . .- ...- ./-- ./.... . .-. . == LEAVE ME HERE
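The decoding described above, as an added example that is not code from the show's website or from this page's author. The function names are hypothetical, and the inverse encoder goes one step beyond the text to show the scheme is a plain reversible encoding with no key involved.

```python
import base64

# Digit alphabet exactly as described in the text above.
DIGIT_TO_MORSE = {"3": ".", "9": "-", "5": " ", "7": "/"}
MORSE_TO_DIGIT = {v: k for k, v in DIGIT_TO_MORSE.items()}

# International Morse code, letters and digits.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E",
    "..-.": "F", "--.": "G", "....": "H", "..": "I", ".---": "J",
    "-.-": "K", ".-..": "L", "--": "M", "-.": "N", "---": "O",
    ".--.": "P", "--.-": "Q", ".-.": "R", "...": "S", "-": "T",
    "..-": "U", "...-": "V", ".--": "W", "-..-": "X", "-.--": "Y",
    "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6",
    "--...": "7", "---..": "8", "----.": "9",
}
TEXT_TO_MORSE = {v: k for k, v in MORSE.items()}

# The argument passed to t.startCursor(...) on the page.
SAMPLE = "MzkzMzUzNTM5NTMzMzk1Mzc5OTUzNzMzMzM1MzUzOTM1Mw=="


def digits_to_morse(digits: str) -> str:
    """Map the 3/9/5/7 digit stream onto dots, dashes and separators."""
    unknown = sorted(set(digits) - set(DIGIT_TO_MORSE))
    if unknown:
        raise ValueError(f"digits outside the 3/5/7/9 alphabet: {unknown}")
    return "".join(DIGIT_TO_MORSE[d] for d in digits)


def morse_to_text(morse: str) -> str:
    """Decode Morse with ' ' between letters and '/' between words."""
    words = []
    for word in morse.split("/"):
        # Unknown symbols become '?' so one bad symbol does not hide the rest.
        words.append("".join(MORSE.get(sym, "?") for sym in word.split()))
    return " ".join(words)


def decode_cursor_string(b64: str) -> str:
    """base64 -> ASCII digits -> Morse -> plain text."""
    digits = base64.b64decode(b64, validate=True).decode("ascii")
    return morse_to_text(digits_to_morse(digits))


def encode_cursor_string(text: str) -> str:
    """Inverse of decode_cursor_string, for round-trip checking."""
    morse_words = []
    for word in text.upper().split():
        morse_words.append(" ".join(TEXT_TO_MORSE[ch] for ch in word))
    morse = "/".join(morse_words)
    digits = "".join(MORSE_TO_DIGIT[sym] for sym in morse)
    return base64.b64encode(digits.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    print(decode_cursor_string(SAMPLE))
```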
Marc Rogers Ramblings of a Mad English Hacker: Hacker behind BBC's The Real Hustle & USA's Mr Robot. Head of SecOps for DEF CON. Head of Infosec for CloudFlare.
Andre McGregor, a consultant who formerly worked in the FBI's cyber division said his advice extended beyond helping the show's writers understand how the FBI and law enforcement agencies investigate cyber intrusions and conduct interviews.
How do you Backdoor a Repository? Backdooring GIT
What Is the Surprisingly Commercial Android “Backdoor” Depicted In Mr. Robot?
FlexiSPY (this is real)
In the “Debug” (“eps1.2_d3bug.mkv”) episode of the awesome Mr. Robot TV series, Tyrell Wellick, the show’s antagonist so far, is shown installing a backdoor on a lover’s phone in order to steal corporate secrets. The target is in the shower and his phone is unattended — Tyrell only has a few minutes to install his spyware. The installation sequence shows granting root privileges to the backdoor app named “System Update” — apparently, Flexispy’s “safe name”, on the Android phone. The root privilege is granted by an access management tool called SuperSU. Then, SuperSU’s icon is hidden by the spyware so that the unsuspecting target wouldn’t realize that his phone had been tampered with. After the process is done, the phone looks absolutely clean and untampered. This kind of attention to details is what makes an awesome show!
The Social-Engineer Toolkit (SET) v6.5 “Mr Robot” released! (this is real) The codename is in celebration of the TV show Mr Robot featuring SET last night! eps1.4_3xpl0its.wmv - Fsociety attempts to penetrate Steel Mountain the most secure data ...
This version incorporates a new HTA web attack vector (thanks to Justin Elze aka ginger for sharing the attack vector with me). This attack allows you to clone a website and inject an HTA file which compromises the system.
"Social Engineer" This is Real
TEEN WHO HACKED CIA DIRECTOR’S EMAIL TELLS HOW HE DID IT
“[W]e told them we work for Verizon and we have a customer on scheduled callback,” he told WIRED. The caller told Verizon that he was unable to access Verizon’s customer database on his own because “our tools were down.” After providing the Verizon employee with a fabricated employee Vcode—a unique code that he says Verizon assigns employees—they got the information they were seeking. This included Brennan’s account number, his four-digit PIN, the backup mobile number on the account, Brennan’s AOL email address and the last four digits on his bank card. “[A]fter getting that info, we called AOL and said we were locked out of our AOL account,” he said. “They asked security questions like the last 4 on [the bank] card and we got that from Verizon so we told them that and they reset the password.” AOL also asked for the name and phone number associated with the account, all of which the hackers had obtained from Verizon. On October 12, they gained access to Brennan’s email account, where they read several dozen emails, some of them that Brennan had forwarded from his government work address and that contained attachments. The hacker provided WIRED with both Brennan’s AOL address and the White House work address used to forward email to that account.
HERE ARE THE REAL TOOLS OF MR. ROBOT
(THIS IS REAL)
Threatbutt Internet Hacking Attack Attribution Map
We can empathize with a guy or a gal like Elliot, the lonely, socially awkward person in Mr. Robot. They’re just trying to be normal but they aren’t. It’s an ancient character archetype that’s been around for a long time, and applies to the nerdy hacker mold.
This is Real - Nmap, IRC, Linux boxes, Kali Linux, Wget, Shellshock, John the Ripper, Canbus, AVAST anti-virus, btscanner, Bluesniff, Meterpreter, Metasploit Framework, Social Engineer Toolkit (SET), researching LinkedIn for social engineering attacks. The great thing about all these open source tools is there are lots of tutorials and documentation available.
'Mr. Robot' creator on the evils of Facebook and hackers in Hollywood
HAX YOUR FAX: This is all cell site data, which triangulates the phone’s location based on the strength of the signal from nearby cell towers. The data isn’t accurate enough to place someone at the scene of the crime. It’s completely useless on the vertical axis, so even if you’ve found the building, it’s anyone’s guess what floor it’s coming from.
City police are pretty good at finding phones. If they get a call that presents an immediate danger of death or bodily injury, they can get fast-track help from the phone company by claiming "exigent circumstances." Generally a fax, a phone call and some verifiable personal details are enough to get you all the information the phone company has. The whole "exigent circumstances" system runs on faxes.
All Elliot has to do is fake a fax. He reinstalls the firmware on a printer / scanner, which lets him edit the fax’s metadata to make it seem like it’s coming from the police station. Then he calls in and does a little light social engineering to close the deal.
Calls with blocked Caller ID data can still be found because it’s the phone company that’s stripping that data out in the first place, so they still have a record of where each call came from. It’s different if you actively spoof the Caller ID, as in swatting attacks.
"Swatting," or making false emergency calls to get law enforcement dispatched to a location, has entered the popular lexicon. Swatting usually describes someone targeting an individual's home, not a public institution. Swatting is not a schoolboy prank; it’s a federal crime.