> I want to dedicate this guide to the victims of the assault on the Armando Diaz school, and to all those whose blood has been spilled at the hands of Italian fascism.
For those who don't know, they are referring to the 2001 Armando Diaz school attack [1] (warning: graphic), where hundreds of G8 pacific protesters were brutalized and tortured by Italian police. Whilst the police has been found guilty of this, none of the policemen is serving any jail time.
That was the one sentence that stood out to me as well. I can imagine this was an incident that had a high impact on "Fisher". I remember watching a live-stream of the incident broadcast from the building on the other side of the road (which was thankfully the building where my friends stayed).
My friends went inside the school after the raid and took pictures that I can't get out of my head to this day. The whole building looked like a slaughterhouse with blood everywhere. Blood-stains on radiators indicating that people's heads were repeatedly smashed against them. I also remember the screams you could hear on the live-stream. First it was people yelling "pacifisti" and then just screams for 20 min until the screaming stopped and ambulances arrived.
That shit really paves the way for young activists' continuous fight against fascism of any kind.
>> "hundreds of G8 pacific protesters were brutalized and tortured by Italian police. Whilst the police has been found guilty of this, none of the policemen is serving any jail time."
If police commit crimes, they must be held accountable.
Thanks for the link. I'm shocked that I never saw this on US media. Idk if it was censored or I just missed it. This is so brutal it puts Abu Ghraib to shame, esp. given the targets. Makes me want to get a team together and take a plane to Italy to clean house.
Doubt it would help much at this point. Damage is done. Still pisses me off though.
For anyone who doesn't follow infosec: This guy is responsible for two of the most impressive hacks recently and still hasn't been doxed or arrested. And so the linked doc is awesome if only for the opsec tips it provides. And it provides much more than that. It really gives you some perspective on how much work an attacker will put into breaking into your network and the kind of structured approach they're taking. Plus it's very hands on and is educational and current whether you're black or white hat. If you read nothing else in infosec this month, read this.
He's likely to be identified as he gets more brazen. Even authoring this volume of text is risky, and there are other notes from the same author linked within. Spelling can be used to approximate region and phrases or errors such as "the hard of the business" ("heart of") and "passtime" ("pastime") are even stronger markers. Of course there's no way to tell if these are unintentional or planted errata.
I'm grateful for the information. It's incredibly interesting, but it might come at great expense to the author.
Wow, this is great. Feels like reading phrack in the 90s. Anyone know of similar, contemporary resources on hacking?
This stuff is gold:
> NoSQL, or rather NoAuthentication, has been a great gift to the hacker community [1]. Just when I was worrying that all MySQL's sins of omission had finally been patched [2][3][4][5], these new databases appear, lacking authentication by design. Nmap found a few in Hacking Team's internal network:
Not to mention:
> As fun as it was to listen to captures and watch webcam images of Hacking Team developing its malware, it wasn't very useful. Their insecure security backups were the vulnerability that threw the doors open. According to the documentation [1], their iSCSI systems should have been on a separate network, but nmap count a few of them in their 192.168.1.200/24 subnet:
I can just hear someone saying to themselves, four years ago, "This backup stuff should be on a separate subnet, but for now this appears to be working. Make a note-to-self to secure it later." ....
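A defender's-side check for exactly the segmentation failure e12e quotes above, added here as an example and not part of the thread or of the writeup: it parses host/port lines in the shape of nmap's grepable (-oG) output (the sample below is constructed, not from Hacking Team's network) and flags iSCSI and MongoDB listeners that answer from outside the subnet policy says they belong in. The policy subnets and the port-to-service map are assumptions for the example; whether the NoSQL service also demands authentication is a separate control this check does not test.

```python
import ipaddress
import re

# Constructed sample in the shape of nmap's grepable (-oG) output. Hosts and
# ports are made up for this example, not taken from the writeup.
SAMPLE_NMAP_GREPABLE = """\
Host: 192.168.1.201 ()\tPorts: 3260/open/tcp//iscsi///, 22/open/tcp//ssh///
Host: 192.168.1.203 ()\tPorts: 27017/open/tcp//mongodb///
Host: 10.10.50.12 ()\tPorts: 3260/open/tcp//iscsi///
Host: 192.168.1.15 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
"""

# Assumed policy: which subnets each sensitive service may live in. A listener
# anywhere else is a segmentation violation worth a ticket.
SERVICE_POLICY = {
    3260: ("iscsi", [ipaddress.ip_network("10.10.50.0/24")]),
    27017: ("mongodb", [ipaddress.ip_network("10.10.60.0/24")]),
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")


def parse_grepable(text):
    """Yield (ip, [open tcp/udp ports]) from nmap -oG style 'Host:' lines."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        ports = []
        for entry in m.group(2).split(","):
            # Field order: port/state/protocol/owner/service/rpc-info/version
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                ports.append(int(fields[0]))
        yield ip, ports


def find_violations(text, policy=SERVICE_POLICY):
    """Return (ip, port, service) for policed ports open outside their allowed subnets."""
    violations = []
    for ip, ports in parse_grepable(text):
        for port in ports:
            if port not in policy:
                continue
            name, allowed = policy[port]
            if not any(ip in net for net in allowed):
                violations.append((str(ip), port, name))
    return violations


if __name__ == "__main__":
    for ip, port, name in find_violations(SAMPLE_NMAP_GREPABLE):
        print(f"{name} listener on {ip}:{port} is outside its storage/database subnet")
```

Run against a real scan, the same idea catches the "works for now, secure it later" case in the comment: the storage array that is reachable from the user LAN is a finding regardless of whether anyone has exploited it yet.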
>Thanks to the hardworking Russians and their exploit kits... many businesses already have compromised machines in their network. Almost all of the Fortune 500, with their enormous networks, have a few bots on the inside
I could definitely believe that, having worked at a few, they have massive infrastructure and many users that are extremely relaxed about security in general.
What then struck me was the way he casually decided to hack a VPN (!). Is it really so straightforward? And the way he seemed confident about testing his exploit on other compromised machines without detection.
I'm always paranoid every time I type 'last' on my Linux box, wondering if the thing is really compromised and totally lying to me - now I'm even more so!
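Since the worry above is that `last` on a compromised host can simply lie, one thing a responder can do is parse the raw wtmp records on a separate analysis box (or a log-forwarded copy) and check them for internal consistency, such as a logout record with no matching login. The following is an added example, not code from the thread or from the writeup; it assumes the glibc x86_64 layout of `struct utmp` (384 bytes, 32-bit time fields) and builds its sample wtmp bytes inline rather than reading /var/log/wtmp.

```python
import struct
from datetime import datetime, timezone

# struct utmp as glibc lays it out on x86_64 Linux (assumed here): 384 bytes,
# two padding bytes after ut_type, 32-bit ut_session and ut_tv fields.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one raw utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Yield a dict per whole record; a trailing partial record is ignored."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}


def summarize(data):
    """Pair logins with logouts per tty; report logouts that have no matching login."""
    open_sessions, sessions, unmatched = {}, [], []
    for rec in parse_wtmp(data):
        if rec["type"] == USER_PROCESS:
            open_sessions[rec["line"]] = rec
        elif rec["type"] == DEAD_PROCESS:
            start = open_sessions.pop(rec["line"], None)
            if start is None:
                # A DEAD_PROCESS with no preceding USER_PROCESS on that tty:
                # truncated file, rotated log, or someone editing records.
                unmatched.append(rec["line"])
            else:
                sessions.append((start["user"], start["host"], start["time"], rec["time"]))
    for start in open_sessions.values():  # still logged in at end of file
        sessions.append((start["user"], start["host"], start["time"], None))
    return {"sessions": sessions, "unmatched_logouts": unmatched}


# Constructed sample wtmp: two logins, one clean logout, one orphan logout.
T0 = 1_700_000_000
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 4101, "pts/0", "alice", "10.0.0.5", T0),
    pack_record(USER_PROCESS, 4188, "pts/1", "svc", "203.0.113.9", T0 + 100),
    pack_record(DEAD_PROCESS, 4250, "pts/2", "", "", T0 + 200),
    pack_record(DEAD_PROCESS, 4101, "pts/0", "", "", T0 + 3600),
])


def _fmt(ts):
    return "still logged in" if ts is None else datetime.fromtimestamp(ts, timezone.utc).isoformat()


if __name__ == "__main__":
    result = summarize(SAMPLE_WTMP)
    for user, host, login, logout in result["sessions"]:
        print(f"{user:8} {host:16} {_fmt(login)} -> {_fmt(logout)}")
    for line in result["unmatched_logouts"]:
        print(f"WARNING: logout on {line} with no matching login record")
```

The parser does not make a tampered file trustworthy; its value is that it runs off-host against a copy you control and surfaces the gaps that editing tools leave behind, which `last` on the box itself quietly papers over.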
> What then struck me was the way he casually decided to hack a VPN
He's intentionally vague, but given he mentions two routers and two vpn systems, it's highly probable that he's referring to one of the two routers (which is embedded, and has firmware).
Furthermore, he refers to a website[1] which predominantly deals with routers.
HackingTeam's latest sample is a very fresh one compared with what we got in the past; it was created after the July 2015 hack, and it’s using the same code base as before. HackingTeam is still alive and kicking but they are still the same crap morons as the email leaks have shown us.
i'm really happy to see the translation getting around this far. it's an amazing text, & i'm glad my quick & dirty translation job got it out there mostly intact. i never really gave it a proper proofread, so thanks for catching those mistakes. more importantly, though, Phineas Fisher himself has just released his own translation. and, having just discovered that ghostbins are editable, i added a url to his version at the top of the text. here it is again: http://pastebin.com/raw/0SNSvyjJ
I was curious why he was using domain names instead of tor hidden service or other p2p networks. Turns out that using domain names provides a backup communications channel (DNS) that gets through pretty much any firewall.
The other thing to remember is that Tor traffic is generally rare and few places have a business case for it so it's more likely to be monitored, just as in the past many places used to watch for IRC connections since it was infinitely more likely to be a botnet control channel than Fred in accounting seeing whether #quickbooks existed.
DNS, HTTPS to some random AWS/Azure/etc. endpoint, etc. are common as dirt and enough harder to monitor that many places either don't try or struggle to do so effectively.
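Because DNS is "common as dirt", as acdha says, spotting it as a covert channel has to be statistical rather than a simple allow/deny rule. The block below is an added example, not from the thread or the writeup: it profiles constructed query-log lines per client and registered domain and flags the combination of many unique subdomains with long, high-entropy leftmost labels and TXT/NULL record types. The log format, the thresholds and the two-label approximation of "registered domain" are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample query log, "<epoch> <client> <qname> <qtype>" per line.
# Not real traffic; the long labels imitate what an encoded-data channel looks like.
SAMPLE_LOG = """\
1700000000 10.0.0.21 www.example.com A
1700000001 10.0.0.21 mail.example.com A
1700000002 10.0.0.21 cdn.example.com A
1700000003 10.0.0.44 a9f3k2q8z1m4c7v0b5n6x8l2p4r7t1y3.tunnel.example.net TXT
1700000004 10.0.0.44 b2k8m1z5q9f3c6v1n4x7l0p2r5t8y1a3.tunnel.example.net TXT
1700000005 10.0.0.44 c7v2b8n1m5x3z9q4k6f0l1p7r2t5y8a9.tunnel.example.net TXT
1700000006 10.0.0.44 d4f6k1q2z8m3c9v5b0n7x1l4p6r3t2y7.tunnel.example.net TXT
1700000007 10.0.0.44 e1z7q3k9m2f8c4v6b3n0x5l8p1r4t7y2.tunnel.example.net TXT
1700000008 10.0.0.21 www.example.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated symbol)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Crude approximation: the last two labels. A production version should
    # consult the public suffix list so that names under e.g. co.uk group correctly.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def profile_queries(log_text):
    """Aggregate per (client, registered domain): unique names, label stats, TXT share."""
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "len": 0.0, "ent": 0.0, "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client, qname, qtype = parts
        first_label = qname.rstrip(".").split(".")[0]
        s = acc[(client, registered_domain(qname))]
        s["queries"] += 1
        s["names"].add(qname)
        s["len"] += len(first_label)
        s["ent"] += shannon_entropy(first_label)
        if qtype.upper() in ("TXT", "NULL"):
            s["txt"] += 1
    profiles = {}
    for key, s in acc.items():
        n = s["queries"]
        profiles[key] = {"queries": n, "unique_names": len(s["names"]),
                         "mean_label_len": s["len"] / n, "mean_entropy": s["ent"] / n,
                         "txt_share": s["txt"] / n}
    return profiles


def flag_tunnel_candidates(profiles, min_unique=4, min_entropy=3.5, min_len=20):
    """Return (client, domain) pairs whose query pattern looks like data encoded in names."""
    flagged = []
    for key, p in profiles.items():
        many_names = p["unique_names"] >= min_unique
        odd_labels = p["mean_entropy"] >= min_entropy or p["mean_label_len"] >= min_len
        if many_names and odd_labels:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    profiles = profile_queries(SAMPLE_LOG)
    for client, domain in flag_tunnel_candidates(profiles):
        p = profiles[(client, domain)]
        print(f"{client} -> {domain}: {p['unique_names']} unique names, "
              f"mean label len {p['mean_label_len']:.1f}, entropy {p['mean_entropy']:.2f}, "
              f"TXT share {p['txt_share']:.0%}")
```

The thresholds are deliberately loose; in practice they get tuned per environment and the flagged pairs go into a triage queue, since CDNs and some security products legitimately produce long random-looking labels too.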
This is pretty normal for a paid penetration test - but it's got far more technical detail than you'd normally see. I don't think the person behind this has revealed anything particularly new, they just know their tools really well.
Wow this person is impressive, the details of the attack and the preparation almost make it read like a Hollywood hacker movie script (if they made good movies about hacking that is...).
sklivvz1971|10 years ago
[1]: https://en.wikipedia.org/wiki/2001_Raid_on_Armando_Diaz
rawfan|10 years ago
iaskwhy|10 years ago
carlom|10 years ago
nxzero|10 years ago
nickpsecurity|10 years ago
mmaunder|10 years ago
nerdy|10 years ago
richard_mcp|10 years ago
nickpsecurity|10 years ago
1. Great choice of targets where the leaks are less questionable in terms of ethics.
2. A great write-up with references that could benefit attackers, defenders, and students alike.
cypherg|10 years ago
e12e|10 years ago
celticninja|10 years ago
andretti1977|10 years ago
I think people should be grateful to the ones that, as he did, fight against what is legal but definitely wrong.
woodman|10 years ago
https://en.wikipedia.org/wiki/Alignment_%28Dungeons_%26_Drag...
wzy|10 years ago
Better yet, when was the last time you got to vote on a law that was passed in your country?
mintplant|10 years ago
Whoisology [1] is good for this, though they've been more aggressively pushing their paid options as of late. Also WhoisMind [2], to some extent.
[1] https://whoisology.com/
[2] http://www.whoismind.com/
nikcub|10 years ago
moyix|10 years ago
https://github.com/Neohapsis/creddump7
enjoy-your-stay|10 years ago
klapinat0r|10 years ago
> is it really so straightforward?
Routers, yes[2], VPN daemons, not as much.
[1]: http://www.devttys0.com/training/ - which can also contain a vpn daemon of course.
[2]: https://github.com/darkarnium/secpub/tree/master/Multivendor...
nexar|10 years ago
mercurial|10 years ago
AFAIK, they are still operating and still doing exactly the same thing.
Kristine1975|10 years ago
chinathrow|10 years ago
nicelynicely|10 years ago
This means they sell black market now to outside EU.
MatthiasP|10 years ago
0xdeba5e12|10 years ago
noobie|10 years ago
acdha|10 years ago
csmajorfive|10 years ago
voltagex_|10 years ago
kumarski|10 years ago
nxzero|10 years ago
Mendenhall|10 years ago
djvdorp|10 years ago
kombucha2|10 years ago
timothyschmidt|10 years ago
colejohnson66|10 years ago
[0]: http://securityweek.com/
bluesilver07|10 years ago
bluesilver07|10 years ago
SCHiM|10 years ago
DyslexicAtheist|10 years ago
millzlane|10 years ago