Sunday, January 15, 2017

Anonymous Written January 2008


Written January 2008

When YouTube pulled down a leaked Tom Cruise video hyping the Church of Scientology, it unleashed the wrath of the hacker collective Anonymous. The group attacked Scientology websites and rallied protests of the church via social media. Over the next several years, Anonymous became a potent political force. During 2011's Arab Spring, the group launched Operation Tunisia to fight against government surveillance. The next year, Anons claimed to have attacked 650 websites in Israel after the country’s latest actions in the Gaza Strip.

Power Grids and Fighter Jets are where we are now. 

Fast forward to April 2009.  

Current and former U.S. officials revealed to The Wall Street Journal that Chinese and Russian spies hacked our critical infrastructure, including power  grids. One official said that the intruders had not yet sought to destroy these systems, but had left behind software programs that would enable them to do so at the flick of a switch. “If we go to war with them,” he warned, “they will try to turn them on." Department of Homeland Security head Janet Napolitano said that “the vulnerability is something [we] have known about for years.” Reports also implicated China for hacking into the plans for the Pentagon's $300 billion Joint Strike Fighter project. The Chinese Embassy responded in a statement that China "opposes and forbids all forms of cybercrimes” and called the reports “a product of the Cold War mentality…fabricated to fan up China threat sensations."

North Korea

July 2009

After sanctions were imposed on North Korea following nuclear tests in late May, the U.S. and South Korea faced days of sustained cyberattacks. In the U.S., computers at agencies including the Defense Department, the Treasury Department, the Secret Service, the State Department, the Federal Trade Commission and the Federal Aviation Administration were subjected to denial-of-service attacks, along with tens of thousands of computers in South Korea, according to that country’s National Intelligence Service. Though North Korea was suspected of having orchestrated the attacks, the source remains unknown.

Operation Aurora

January 2010

Google was attacked by hackers in China. Dubbed Operation Aurora, after the type of application the hackers used, the massive case of cyberespionage was later attributed to the Chinese government, with U.S. companies including Adobe, Symantec, Northrop Grumman, Morgan Stanley and Yahoo falling victim. U.S. government officials later said that the hackers breached a secret database with what the Washington Post called “years’ worth of information about U.S. surveillance targets,” specifically Chinese spies being monitored in the United States.


Summer 2010

Cyberwar entered a dangerous new era with Stuxnet, a computer worm said to have been created by the U.S. and Israel that attacked a uranium-enrichment plant in Iran. By compromising the industrial systems-operation software, Stuxnet was capable of spying on and controlling the computers, as well as destroying centrifuges. Stuxnet, which could be installed on infected thumb drives, spread out of control to at least five other countries, including the U.S. Defense Secretary Leon Panetta warned of a possible “cyber Pearl Harbor.”

Operation Shady RAT

August 2011

McAfee, the security-research firm, uncovered a massive five-year wave of hacker attacks against governments, nonprofits and corporations around the world. Called Shady RAT, for the remote-access tool used by the infiltrators, the breaches hit over 70 organizations including government agencies in the U.S., Taiwan, Canada, and India, as well as the International Olympic Committee and several defense contractors. McAfee attributed the attacks to a single state actor, though didn’t name the country, which some sources believe to be China. "This is the biggest transfer of wealth in terms of intellectual property in history,” a McAfee exec said at the time. “The scale at which this is occurring is really, really frightening.”

U.S. Weapons Plans Hacked

May 2013

In a report prepared for the Pentagon, the Defense Science Board found that hackers from China had accessed plans for more than two dozen of the U.S.’s most advance weapons systems. The targets included the Patriot missile system, Aegis ballistic-missile-defense system, Black Hawk choppers and the $1.4 trillion F-35 Joint Strike Fighter, the costliest fighter jet ever made. “When I look at the theft of intellectual property to the tune of $1 trillion,” said Texas Rep. Michael McCaul, “that’s a serious economic issue for the United States.” A Chinese Foreign Ministry spokesman responded by saying that “China pays high attention to the cybersecurity issue and is firmly opposed to all forms of hacker attacks.”

Iran Hacks U.S. Energy Companies

May 2013

Hackers, with the support of the Iranian government, were exposed for targeting oil and gas companies in the U.S. "This is representative of stepped-up cyberactivity by the Iranian regime. The more they do this, the more our concerns grow," one U.S. official said. "What they have done so far has certainly been noticed, and they should be cautious."

U.S. Goes on the Cyberoffensive

June 2013

An unpublished presidential directive from Obama leaked, showing that the U.S. is going on the cyber offense. “Offensive Cyber Effects Operations,” the report stated, “can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.” Among other things, the report authorized cyberwar attacks when “U.S. national interests and equities” were at stake, but also left room for “anticipatory action” just in case. Adding fuel to the fire, National Security Agency leaker Edward Snowden claimed that the U.S. has already hacked thousands of targets, including computers in China.

  • I

Cyberwar, like any war, never rests. Neither does the simulated one taking place at HackMiami, where co-founder Rod Soto, a 38-year-old computer-security specialist from the area, is running a cyberwar game. Though the consequences of their hacking are fake, the technology they’re breaking is real. They actually are hacking Fedora, an operating system used by computers in China, infiltrating Zeus, a malicious “botnet” army of computers, and commandeering North Korean industrial controls for power-plant systems. It’s just that everything’s simulated and run on a closed network, so as not to inadvertently start World War III. The purpose of this event, besides the recruiting going on, is to teach the hackers how to find vulnerabilities in other nation’s machines. “It gives you the blueprint and the knowledge if you ever want to attack them,” Soto says.

So far, the truth about the extent of the U.S.’s offensive attacks against other countries has been shadowy at best. There’s Stuxnet, which has yet to be officially attributed to the U.S. (or Israel), and NSA leaker Edward Snowden’s recent claim the U.S. has launched widespread cyberattacks against China. Beyond that, the closest we’ve come was Hillary Clinton’s admission last year of a State Department attack on an Al Qaeda propaganda site in Yemen.

Related: Julian Assange Opens Up About Wikileaks Battle, House Arrest and the Future of Journalism

The tensions around this topic are partly because the laws governing cyberwar are still being determined. As Rear Adm. Margaret Klein, chief of staff of Cyber Command, the Ft. Meade-based defense center for U.S. military networks, put it last year, “Attorneys and scholars face a variety of complex legal issues arising around the use of this new technology.” But experts are pushing for more offensive measures regardless. The Commission on the Theft of American Intellectual Property concluded that “new options need to be considered.” It seems our government is already heeding the call.

A June leak of a presidential directive from Obama, which had been issued in October, reveals that the U.S. is, at the very least, getting its cyberwarriors in line. In addition to calling for a list of international targets, the directive argued that “Offensive Cyber Effects Operations... can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.”

But while the government remains quiet about the existence or extent of their offensive measures, hackers and contractors I spoke with are, albeit cautiously, more forthcoming. HackMiami organizers James Ball and Alex Heid, security specialists for a major financial company they prefer not to name so as not to anger their bosses, say they have based this weekend’s cyberwar simulation on real-life hacks they conducted on their own of terrorist networks and organized-crime groups. Ball infiltrated an Al Qaeda forum online and posted the archives on his site, Heid became notorious for hacking the stealthy Zeus botnet in Russia.

But the government hires private contractors to do such attacks on its behalf as well. The cyberwar underworld is rife with contractors who fashion themselves to be “the Blackwater of the Internet,” as Heid puts it, “information mercenaries…private sector guys who are going on the offensive, but you don’t hear about it.” At least not usually.

Companies like Accuvant are capable of creating custom software that can enter outside systems and gather intelligence or even shut down a server, for which they get can paid up to $1 million. For example, Humperdink says, they would be able to unleash an attack to take a country like China completely offline. “We could stop their cyberwarfare program,” he says. “Five years ago, I remember the North Koreans were doing missile testing, right? If [the U.S. government] came to a company like us and said, ‘Here’s $15 million,’ we could turn a North Korean missile into a brick. If you came to us with $20 million and said, ‘We wanna disable every computer there in Iran, and they’d have to replace them’ – not a problem.” For added flair, each program Accuvant sells gets its own cyberpunk handle – like Purple Mantis – and is delivered on a jet-black thumb drive inside a custom case with the name laser-etched on a plaque.

“So how many offensive plays are going on now?” I ask.

“A lot,” Bonvillain says.

“More than people would realize?”

“Yes,” he replies.

Then Bonvillain falls silent. He puffs his e-cigarette, considering a more diplomatic response. “The U.S. government,” he says, “is great at hiding everything they do.”

To see what the front line of cyberwar really looks like, I visit the National Cybersecurity and Communications Integration Center in Arlington, Virginia, the Department of Homeland Security’s mission control. It’s one of our most important hubs in digital warfare, alongside the FBI and NSA. A wall of video screens show online the attacks on the IRS and NASA – both agencies were compromised by a Distributed Denial of Service Attack, a technique that floods a site with access requests, slowing or downing it completely.

The four-year-old NCCIC – employees pronounce it “enkick” – is the country’s nerve center for online threats. Twenty-four hours a day, teams drawn from a pool of 500 DHS cyberpersonnel sit at the ready in this sprawling, windowless command cave. Flickering diagrams on the front wall track the dangers in real time: traffic anomalies at federal agencies, cyberalert levels for each state’s website, a map of our country’s telecommunications system (“There’s no cyber without fiber!” a steely engineer tells me).

Fortunately, at the moment, the threat against the IRS and NASA proves to be relatively harmless. However, the number of cyberincidents is on the rise. Fiscal year 2012 saw 190,000; this year’s number is already over 214,000.

Overhauling the feds’ image to lure young tech talent has become a major priority. In a way, it’s akin to the shift in Silicon Valley – away from the business suits of IBM to the Adidas sandals of today. The National Science Foundation now offers a CyberCorps Scholarship for Service program that places winning students in government agencies. The DHS is among the sponsors of the invite-only “Cyber Camps,” which hold hacking contests for prospective employees. Aside from the “sense of duty” and high-level security clearance that NCCIC director Larry Zelvin tells me lures his team away from fat paydays elsewhere, the power of being inside the government system is the greatest perk. “You just don’t get that in a corporation,” he says.

Last year, the DHS assembled a cyberskills task force, which drew from hacker hubs including Facebook and DefCon, to recommend changes in their recruiting. To get the estimated 600 more hackers the DHS needs, the report concluded, the agency should “focus more attention and resources on…‘branding’ of cybersecurity positions,” including “cool jobs.”

Napolitano says that “the money and the culture” are the chief obstacles the Department of Homeland Security runs into when recruiting hackers to join. “We don’t require our folks to wear a coat and tie,” she says, “and I’m not interested in the precise hours they work as much as I’m interested in getting the work done” – but she stops short of saying hackers can work from home in Teenage Mutant Ninja Turtle pajamas.

But maybe if you’re young and brilliant and looking for online action, there’s something undeniable about working for the biggest, baddest government on the planet. Sitting here under the dormant red warning lights, there’s a sense of being at the center of the matrix – and this is plenty tantalizing for some, including th3_e5c@p15t, winner of the cyberwar contest back at HackMiami. With his skills, he can write his own ticket, which he hopes to cash in with the feds. He says he wants to be as close to the front line as he can get: “I see it as a righteous cause.”

Wednesday, January 4, 2017

The Gab Security Chronicles

Cross posted via: 

The Gab Fail Chronicles: LOL DDOS, EULA, and NAZIS

Club Pepe

The dishonesty of Andrew Torba knows no bounds in the latest postings. The reality of the mater, as I understand it, is most of the down time was related to fixing the major security issues I’ve raised over the past few days. I do not know how much of it was fixed, but I’m sure there still is major problems to be found. Mr. Torba was well schooled the past few days, the usage of CloudFlare isn’t a magical shield of protection against everything.


It is common knowledge trying to do any kind of DDoS attack on a ClouldFlare IP will be futile with little to no needed intervention to block such an attack. His screams of DDoS is fairly laughable as the vast majority know, I do not engage in such ineffective behaviors, and I have always been against it. He will continue to tell lies to rile his angry Neo Nazi Muppets for exposing how bad Gab really is as an alternative to Twitter. It would be really ironic, if he rallied them for the real reason, exposing Gab as a massive fraudulent security black hole. I’m just not intimidated by his Neo Nazi Muppets and there isn’t anything anyone can do to stop me from publishing write ups about Gab. My words, on a computer screen, are far more deadly to Gab’s platform than any silly illegal attack nonsense.


The greatest issue I see here is why was any of this never fixed to begin with, or even considered to be an issue? If it took me 10 minutes to see major issues all over the place, does Gab really take the security of it’s users seriously? It’s just no, they don’t take security seriously, if the most basic skiddiot Hack Forums (There has been some claims Torba is regular of Hack Forums for irony) style methods work unchecked. This further solidifies Gab as being another pump and dump scam by Torba when a lot of the basics are not covered at all. Gab doesn’t even have a logout button, but they have an account delete link, that’s curious indeed!



I don’t wish to keep this post longer than it has to be but it’s worth mentioning parts of the updated EULA were a result of us. It’s humbling that Torba spent the day at his lawyers thinking of us, as he pushed out a new EULA from his nether regions, that still didn’t impress Apple enough. Even the greatest eJournalist to ever live, Ron Brynaert, noticed this updated EULA with the “snitch” clause. I’m not going to spoil the rest of it but any users of Gab really do need to read the updated EULA as well as the Privacy Policy.


Tuesday, January 3, 2017

Exposing Gab Vulnerabilities

Destroying Gab, with words, on a screen, but at least it’s not LiveJournal!

“build it yourself social media back end for blog comments”

Greetings Kids,

It’s been a while since I did a post exposing and pointing out major flaws while laughing hysterically. This might be the worse one yet, especially if the information about Gab’s founder, Andrew Torba, are correct. The reason he got kicked out of the big kid clubs was because he kept doing pump and dump schemes selling everyone’s data afterwards. I don’t know if his new social media platform will be the one project he isn’t going to abandon after raking in all his donations, we can hope this “Free Speech Warrior” will surprise everyone? 😉Tigers can change their stripes guys, you just gotta wish and believe really hard? Is Gab running off of a $49 build-it-yourself social media kit an indicator of possible doom? Did Gab stopped doing live notifications for some nefarious reason? Nah! Of course not!

Gimmie Info

A lot of people heard of this social media platform because of Twitter’s lack of sanity and political censorship, which gets worse every year as stock prices keeping going lower and lower. Gab’s marketing was literally just “Got banned on twitter? Come to Gab! We’re different!”. When I eventually got in, it was a pro-trump utopia, but I never saw anything I’d really say is that bad. It was the biggest self serving hugbox I’ve ever seen and puts any SJWs to shame. You’d get live notifications with a frog croak that sounds like a small animal dying, 300 char posts where you could write something meaningful, but it was lacking a lot of basic features. A major one was private messaging as well as a lack of an API, which becomes apparent why the further I dug into it.

Pusher Gab APIPusher Gab API

External Images Loading

When I first started looking into the back end with my favorite debugging proxy fiddler, I noticed literally everything is written in JavaScript (can I emphasize literally?), and all the interactions between between gab’s server and the browser was all JSON. The biggest issue I saw was the Cross Site Scripting potential of this setup, as gab was actually pinging every single website, then having a client’s browser do direct requests to the website in order to having a fancy display summary images and such. This effectively has the potential to harvest any user’s IP address, and since it’s all in JavaScript, high potential of Cross Site Scripting drive by deanonymizing. After announcing a bit of this in public, some people have in private confirmed this not just likely but they can do Cross Site Scripting attacks on Gab. Say what you want about Twitter, but at least they have CDN caching to prevent leaking their own user’s information. But Gab DOES have a CDN from Microsoft Azure for static assets, so why are they not protecting their user’s information? The conclusion I’ve come to is Gab is made to be as cheap as possible but still somehow work dangling off a cliff. The reason why they have no API is because the API is pusher.

No Infrastructure

This isn’t suspicious at all!

The next surprise was looking at the home page on Gab, and seeing there was some kind of stats collector. I initially overlooked it, but I didn’t realize the significance until I did a second glance. This was some kind of build it yourself social media rapid deployment kit for dummies that handled all the back end work done. I browsed over to the pricing plans they had, did some collection as to current Gab’s usage of approximately 30k posts per day they seem to just fall into the $49 Startup plan at present. I suspect live notifications stopped working for a bit sometimes, because it might be a way to save from having to upgrade to the next paid plan, or it could just be incompetence, it’s honestly hard to tell.

Pusher Pricing

I do know someone is going to say the what if they did the custom solution consultation but pusher is for stuff like live chats and blog comments, not a knock off improved twitter, which is really 300 char blog comments. The amount of money spent doing that kind of consultation is way above making a deal with a single developer (or many) to help build it at a fraction of the price, or in this case a single developer rigging pusher. I think they use pusher as a means to not spend money on proper hosting and a better solution, like GNU Social, which would require a back end with their own servers, or at least Amazon Cloud.

What can you do in minutes?

This is a very significant discovery, as it explains the lack of coming out with features that are trivial for even a single developer to do, because there just isn’t any support for their build it yourself social media back end for blog comments. Gab has been doing donation drives and giving people check marks to help support it but there really isn’t much cost to run it as biggest parts of it are cheaply outsourced like pusher. The “beta testing” of uploading images before it becomes available to everyone is likely related to Microsoft Azure’s CDN prices per GB.

I’m not going to claim this is some kind of scam like the rest of Andrew’s projects but if I was doing an exit scam, this is how I’d do it! Low overhead! He’ll get that sweet user data and PayPal logins via password reuse, that is in my opinion!

Disclaimer: !LOL! Hacking is illegal !LOL!

Last Minute Update:

The notorious hacker, known as 4chin, has contacted me to include a list of things you really shouldn’t do on Gab. There is no input validation and issues with authentication so don’t use wget or curl, passing the cookies + UA + appropriate POST data anywhere, that is just naughty. The Grand 4chin also informed me that their data was already being sold by Gab and they have no hashing on their passwords. LOL! This might be in relation to the current PayPal donations and those silly people who reuse their passwords donating (Just a theory). I’m not saying anything but I think those people are going to have a bad time. There goes the neighborhood, oh well, epic sad face emoji that😦can’t express

This Is Libel


I accept legal documents, requests, inquiries, and other related legal stuff I can post and publicly ridicule via email at LOLUMAD @ OCCULTUSTERRA DOT COM. You can optionally rage like a Muppet at 1-860-263-9252.