Archive for March, 2012

th3j35t3r and QR exploits exposed

Posted in Uncategorized on March 13, 2012 by sanguinariousrose

Greetings my children, I have been watching this but it appears no one has commented on the grand th3j35t3r’s epic fails and mistakes in his blog post “claiming” he pwned terrorists. Now, I would like you to refer to this image while we embark on a magickal train ride of fail.

So, you start out with this “highly targeted and precise attack, against known bad guys, randoms were left totally unscathed,” which is rather laughable at best. It appears only terrorists use QR codes and no innocents at all would ever scan it out of curiosity and look? You go on to claim to be using the “CVE-2010-1807” exploit, and this is where the epic fail really starts. CVE advisories are numbered first by the obvious CVE prefix, then the year, then the exploit number for that given year. So without even checking the advisory, you are telling me you are using a two-year-old, by now well-known, and patched exploit? Do you have such a low opinion and underestimation of “terrorists” that they are using such outdated software and/or firmware on their “devices”? Should I mention that Android devices have the ability to do updates the same as iPhones (newer versions of both can do auto updates)?

Now you claim “iPhone or Android devices” as your “known and narrow vector to exploit”. You do realize that shellcode is OS dependent AND device specific? Right…? This is like trying to force the execution of a Windows program on a Tandy TRS-80; it just isn’t going to work. From your post you mention no such device detection is in place, there is nothing in the POC for this, and it frankly seems to be a made-up combination of technical terms with a minimalistic grasp.

“Now for the really clever bit…” I almost peed myself at what was next. This is just pure fail on levels I am personally unable to express in words, but we shall try, oh we shall try. Netcat is unable to handle multiple simultaneous connections and it is not in any way an automated tool. Honestly, it would be more believable if you coded your own automated tool to download the phone’s data than this story. Netcat is far from an optimal tool to pull off this rather outlandish story that smells rather bad. So this is the magic command the shellcode runs: “nc -v -l -p 37337 -e "/bin/cat /etc/motd"”. He implies he has a super secret script running in place of printing the motd. This is what he gives as an example, but he obviously did not read his manual. This would require a “-L” for a persistent connection, assuming he didn’t do “while [1] do jester_elite_netcat_command done”, which he does seem to imply he used. This also assumes that he will not take too long downloading his data from the devices, possibly missing some other, probably innocent, person’s cell phone data. I am not knowledgeable as to how such data is stored on such devices, but I have doubts over coding such a script to do the performed functions. This would require extensive research into all the major Twitter clients and associated software, not to mention the email clients, etc.

There is also the issue of the information possibly being stored as binary data and the availability of text processing commands on an embedded device. Then there is the question of how you extract data from binary data on a restricted/embedded system… The only optimal solution is a native executable installed on the device to do the dirty work, and multiple versions for compatibility/architecture. Either way you look at it, this is a very non-optimized method, and is prone to intelligence being lost.
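As an added, defender-side illustration (not from the original post and not from th3j35t3r's write-up): the listener shape quoted above, netcat bound to a port with an exec flag, is exactly what a host-side check can look for. The Python below scans a ps-style process listing for that shape, reports the port and the program handed to each connection, and notes whether the listener is one-shot (it exits after the first client, which is the single-connection limitation the post complains about) or re-armed by a shell loop, `-L`, or ncat's `--keep-open`. The netcat/ncat flag names are real; the listing lines, the PIDs and the `mobile` user are constructed for the example.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Added example (not part of the original post): flag netcat-style "listen and
# hand the connection to a program" processes in a process listing. The
# blog's quoted command, nc -v -l -p 37337 -e "/bin/cat /etc/motd", is the
# canonical shape; all the other sample lines below are constructed.

NC_RE = re.compile(
    r"(?:^|[\s;|&(])(?:\S*/)?(nc|netcat|ncat|nc\.traditional|nc\.openbsd)\s+([^;|&)]*)"
)
LISTEN_FLAGS = {"-l", "-L", "--listen"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}
VALUE_FLAGS = {"-w", "-s", "-i", "-o", "-m", "--source-port"}  # take a value we ignore
LOOP_RE = re.compile(r"\b(while|until|for)\b")


@dataclass
class Finding:
    pid: int
    port: Optional[int]
    exec_target: Optional[str]
    persistent: bool  # survives the first client disconnecting?


def _expand_short_flags(tokens: List[str]) -> List[str]:
    """Turn clustered short flags such as -lvp into -l -v -p."""
    out: List[str] = []
    for tok in tokens:
        if tok.startswith("-") and not tok.startswith("--") and len(tok) > 2 and tok[1:].isalpha():
            out.extend("-" + ch for ch in tok[1:])
        else:
            out.append(tok)
    return out


def analyze_command(cmdline: str, pid: int = 0) -> Optional[Finding]:
    """Return a Finding if cmdline runs netcat as a listener that executes a program."""
    m = NC_RE.search(cmdline)
    if not m:
        return None
    try:
        tokens = shlex.split(m.group(2))
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = m.group(2).split()
    tokens = _expand_short_flags(tokens)

    listen = False
    port: Optional[int] = None
    exec_target: Optional[str] = None
    # A shell loop around nc (the "while ... do nc ...; done" pattern) re-arms
    # the listener after every disconnect, much like -L or --keep-open.
    persistent = bool(LOOP_RE.search(cmdline[: m.start()]))
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in LISTEN_FLAGS:
            listen = True
            if tok == "-L":  # Windows nc.exe: re-listen after the peer closes
                persistent = True
        elif tok in ("-k", "--keep-open"):  # ncat equivalent
            persistent = True
        elif tok in EXEC_FLAGS and nxt is not None:
            exec_target = nxt
            i += 1
        elif tok == "-p" and nxt is not None:
            port = int(nxt) if nxt.isdigit() else None
            i += 1
        elif tok in VALUE_FLAGS and nxt is not None:
            i += 1
        elif port is None and tok.isdigit():  # ncat style: bare port after -l
            port = int(tok)
        i += 1

    if listen and exec_target is not None:
        return Finding(pid, port, exec_target, persistent)
    return None


def scan_process_listing(ps_output: str) -> List[Finding]:
    """Apply analyze_command to each 'PID USER COMMAND' row of a ps-style listing."""
    findings: List[Finding] = []
    for line in ps_output.splitlines():
        row = re.match(r"^\s*(\d+)\s+(\S+)\s+(.*)$", line)
        if not row:
            continue  # header or malformed line
        f = analyze_command(row.group(3), pid=int(row.group(1)))
        if f:
            findings.append(f)
    return findings


# Constructed sample listing; only the 37337 lines echo the blog's command.
PS_SAMPLE = """\
  PID USER     COMMAND
  211 root     /usr/bin/sshd -D
  845 mobile   nc -v -l -p 37337 -e "/bin/cat /etc/motd"
  902 mobile   /bin/sh -c while [ 1 ]; do nc -l -p 37337 -e "/bin/cat /etc/motd"; done
  933 mobile   nc -zv 10.0.0.5 443
 1004 root     ncat -l 8080 --sh-exec "/bin/sh -i"
 1100 mobile   /usr/bin/python3 app.py
"""

if __name__ == "__main__":
    for f in scan_process_listing(PS_SAMPLE):
        mode = "re-arming" if f.persistent else "one-shot (exits after first client)"
        print(f"pid {f.pid}: netcat exec-listener on port {f.port}, runs {f.exec_target!r}, {mode}")
```

The port-scan style invocation (`-zv`, no `-l`) is deliberately not flagged: the signal is the combination of a listen flag and an exec flag, not netcat itself. In production this would read `ps -eo pid,user,args` output or a process-creation event stream rather than a string literal.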

“EVERYONE else without exception was left totally ‘untouched’ so to speak. This was a Proof of Concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world.”

I don’t really see the proof of concept in taking a two-year-old CVE advisory and exploiting people en masse with it. This rather reminds me of doing the same things the guys you claim to fight would do; hypocritical much? How do you define the “bad guys”? How do you know they are “bad”? You seem to imply, by listing “Anonymous Members” in the bunch, that all Anonymous people are related to those who “leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world”. Are you that bigoted and single-minded to classify all anons as credit card stealing terrorists? Granted, I am not a fan or supporter of Anonymous, but I am not that full of blind bigoted hate.

The End of Lulz and Lies

Posted in Uncategorized on March 7, 2012 by xryujin

March 6, 2012 will be a day that will live in infosec history for quite some time. This is the day that it was made known to the world that the LulzSec/AntiSec/Anonymous hacker known as “Sabu” was indeed Hector Xavier Monsegur, something that many had believed for close to a year. This revelation came through a news story that was originally posted on FoxNews, and Sabu’s identity was just the tip of the iceberg. Not only had he been outed by a mainstream news medium, the article also stated that he rolled on key players in the LulzSec group. A three part series with part one here, part two here, and part three here explained more about Sabu and his affiliation with Anonymous/LulzSec and his reasoning behind rolling on his friends online. (Not to mention you get to see the face of Sabu giving out the most loved face of all internet glory, the duckface, as if to tell his friends to “kiss their asses goodbye.”)

One of the first mentions of Sabu being Hector was found in @backtracesec’s file named namshub. This was posted in March of 2011. This was compliments of Hubris and Asherah, aka @fakegregghoush. This was broken FIRST by those in Backtrace Security, not by others, as many would have you believe.

This brings us to another point that we would like to make. Those who would have their garnered masses believe that they are something that they are really not. Today, which should have been a day of rejoicing for many, was tarnished a bit by one very egotistical hacktivist that we all know of by now named th3j35t3r.

th3j35t3r would tweet most of the morning, giving little snippets about how he “told everyone Sabu was the rotten apple” and that “he knew from the beginning that it was Hector,” etc. But that’s not the case. As seen in this blog post, th3j35t3r at one point thought that Sabu was a man by the name of Hugo. He stated that if he was wrong, he would apologize, which he did in this blog post. But oh wait. Something is wrong about this post. It’s not the original.

You see, th3j35t3r asked if he could use portions of a blog posted by x_ryujin_x for a post he was working on. It was agreed upon that he could use what he wished as long as he credited ReaperSec with the assist in information. But if you look at the above link as it is now, there is only one minor mention of don’t fear the Reaper(Sec). The original can be found right here. Notice there was more of a mention than what is currently up there. Pieces of his particular blog were taken from x_ryujin_x’s post written on November 17, 2011. th3j35t3r wrote his article on November 19, 2011. But th3j35t3r’s masses won’t know all of this, because it’s been long enough that things can get “fuzzy” in someone’s memory.

This isn’t the only thing that th3j35t3r has slipped upon. Stealing credit is minor compared to the all-out lies that were written about LulzSec’s CloudFlare account. How would we know, you might be asking. Well, when it comes from the CEO of CloudFlare at a talk he gave at DefCon 19 stating that th3j35t3r was wrong, it’s kind of difficult to dodge the bullet on that one. Here’s the talk from Matthew Prince, part of Sam Bowne’s presentation at DefCon 19.

Our advice to those following or keeping tabs on th3j35t3r: please take everything with a grain of salt and ask the anti-jihadist activist to show you undeniable proof of the things that he alleges.

Credit for calling it out first goes to Asherah and Hubris and Zud of BacktraceSec. They had the information before everyone else and gifted it to the world before everyone was ready to comprehend what was going on. Whether you agree with them, their methods, or their beliefs, it is without a shadow of a doubt that they said Sabu was Hector first.

For everyone else not trying to ride piggyback style on one of the biggest arrests in Anonymous’ history, remember that on June 7, 2011, Hector Xavier Monsegur was arrested and decided to begin cooperating with Federal Law Enforcement. At the peak of LulzSec’s hacks, understand that Sabu was already arrested quietly. Everything after that date was done as a lie. All the trash talking, all the hacks, all the direction given to Anonymous/AntiSec was seen by an FBI agent monitoring a government issued PC that was viewed remotely. Everything that Sabu did from that point forward was seen by an agent. Every PM. Every DM. Every question, statement, or plan made was seen by an agent.

Sabu wasn’t the first to roll, and he won’t be the last. Get off of the boat, Anons, because it’s sinking fast and the good guys are winning. Are you wearing your floaties?

port SSL 6697 #graveyard

Posted in Uncategorized on March 2, 2012 by CryptKper