Saturday, November 14, 2015

How Tor Users Got Caught by Government Agencies

4 examples of people who have used Tor for illegal activities and how they were caught. Multiple de-anonymization attacks are shown at the end of the video.

Case 0: Harvard guy Eldo Kim getting busted by being one of the only users at Harvard on the tor network, and admitting he emailed the bomb threat
Case 1: Sabu getting caught for logging on to IRC one time without tor and FBI using correlation
Case 2: Freedom Hosting admin under attack from Anonymous group previously fighting CP might have helped the FBI, later they skip to when a box was compromised and made it host a javascript exploit (nothing mentioned what happened between the Anonymous attacks and when the FBI smashed in his door)
Case 3: Silk Road admin making too many mistakes including using his own real name then changing it later to a username

Eldo Kim [harvard bomb threat]:

Eldo makes a bomb threat to Harvard's student newspaper and some other Harvard officials. Of all the reasons under the sun to do something like this his was that he wanted to get out of a final exam!? Maybe if we put our heads together we could come up with a less incriminating way to get out of a final exam. Less incriminating, meaning no prison time if caught, though he uses tor to send the threat via email, all tor exit nodes are publicly listed. Unless you use a tor bridge, bridges are not publicly listed as tor nodes, you will give the authorities an obvious starting point from which to launch their investigation.

But that's not the worst mistake, it gets better. He connects to tor through his student account.
Because of this fact and the fact that he was the only one connected to tor at the time the email was sent it was easy for them to correlate that he may have sent the threat. As if that wasn't enough, Eldo puts the final nail in his own coffin by actually admitting that he was the one who made the bomb threat.

Lessons Learned from Eldo:
1) Don't be the only person using Tor on a monitored network at a given time
2) Use a bridge
4) Correlation attacks are a bitch

Hector Xavier Monsegur (Sabu) and Jeremy Hammond (sup_g) [LulzSec]:

Hector was already being watched by the FBI. However, his mistake was that he became lackadaisical. Slipping up, he connected to IRC without tor, when he normally would. This allowed the FBI to get his home IP address. He sang like a caged canary after being caught, and then proceeded to set up his cohort Jeremy Hammond.
Jeremy, otherwise known as sup_g, when speaking with Hector on IRC spoke carelessly of places he had previously been arrested and other groups that he was involved with. The FBI used this information to narrow their suspect pool and allowed them to obtain a court order to monitor his internet traffic.

Once again correlation proves to be a bitch [​IMG] I say this because although the FBI did not
exploit tor to bust Jeremy they were, however, able to correlate the times 'sup_g' spoke with 'Sabu' on IRC with when Jeremy was at home using his computer.

Lessons Learned from LulzSec:
1) Use Tor consistently
2) Don't give personal information
3) Correlation attacks are still a bitch!

Eric Eoin Marques [Freedom Hosting]:

Freedom Hosting was known for hosting child pornography. This is enough to make you a mark for all sorts. In fact, Freedom had already been under attack from Anonymous during Op Darknet because of the child porn. The FBI was able to compromise Freedom because they were using an outdated version, 17 ESR, of tor browser. This allowed the FBI to exploit bug CVE-2013-1690. Mind you, tor had already came out with a patch, but for some reason Eric did not think it important to update.

The FBI used a payload called Magneto that gave them Freedom's IP address, MAC address, and Windows host name with the unique serial number that ties a user to a site visit. One of, if not the, biggest mistake(s) he made was leaving a trail of payment records that linked him directly to the Freedom Hosting servers. The important thing to generalize in this case is that he probably wouldn't have got busted if he didn't host child porn in any form, or fashion. Oh yeah, I almost forgot, when the cops busted him he "dived" for his laptop to shut it down.

Lessons Learned from Eric:
1) Don't host Captain Picard [Child Porn] or Julian Bashir [Jail Bait]
2) Patch, patch, patch
3) Follow the money
4) Leave encrypted laptops in a powered down state when not in use!

Ross Ulbricht (Dread Pirate Roberts) [The Silk Road]:

I think, and I hope I'm not making an ass out of myself ;| most of you anons should have at least heard of the infamous Silk Road. Apparently, Mr. Ulbricht had linked himself to this onion on more than one occasion. In an effort, I believe, to market his site [The Silk Road] he would post around in clear net forums. The earliest references to "Silk Road" that the FBI could find over the clear net was a post made in a shroomery forum by a user going under the name of altoid. In fact, Ulbricht's habits almost made correlating a non-essential.

The FBI claims the former physics and engineering student even publicly alluded to his alleged criminal enterprise on his LinkedIn profile, with a statement describing how his goals had "shifted" in accordance with his libertarian economic views since leaving grad school at Pennsylvania State University.

This statement comes from a CNN web site under an article titled "How FBI caught Ross Ulbricht, alleged creator of criminal marketplace Silk Road." Of the other sites where the FBI found him marketing his site BitCoinTalk was one of them. With all of the effort he puts behind making sure that people knew how to get to The Silk Road, by explaining how to use tor and then by posting the link, as if the explanation wasn't enough, to his site. He makes it hard for me not to believe that he may be suspect. What makes it even worst is that Ulbricht's BitCoinTalk account handle was also altoid. He makes the very same mistake yet again by posting in the same forum [BitCoinTalk] a request for a "pro" IT guy, under an account also named altoid, and routing all replies to "rossulbritcht at" The request was titled "IT pro venture backed bitcoin startup."

The list goes on. He made little to no effort in shedding the connections between his true identity and the one with which he operated The Silk Road [Dread Pirate Roberts]. For instance, Dread Pirate Roberts had a link to the Mises Institute as part of his Silk Road forum signature and Ulbricht's Google+ profile show that he's also interested in the Mises Institute. He did stuff like this time and time again, like using tor to connect to StackOverflow and creating an account using his real name. Notice, he posted the operating system he uses, "ubuntu."

This is getting redundant so I think I'll stop here and just list what we can learn from Mr. Ulbricht. If you want to read in detail you can find slides and video here.  Basically, he made a plethora of connections to his real identity. He would go as far as the neighborhood Starbucks or library, which was just around the corner from his house, to logon to and administrate his Silk Road onion. The US Customs had intercepted all of his fake ID's, because although he changed his name on his id cards he never changed his face them. It was mistakes like these that lead to his arrest and the take down of The Silk Road.

Lessons Learned:
1) Keep online identities separate
2) Have a consistent story
3) Don't talk about personal interests
4) Don't volunteer information!

Thanks for reading, check out my YouTube videos, I have a lot of stuff on Tor and Kali. Follow me on Twitter, @gFogerlie, Google+ and Facebook and you can subscribe to me on Youtube if you want to keep up to date.

Wednesday, October 28, 2015

OS X VirtualBox No USB Devices Available

Visual Studio doesn't seem to run correctly in VirtualBox 5 and keep causing my Windows 8.1 guest OS to restart. I'm not certain this is because of VirtualBox 5, but the issue seems to have only happened after the update. I'm reverting back to VirtualBox 4.3.x by downloading it from here.

If you are running OS X El Capitan (10.11) and VirtualBox doesn't detect any USB devices, this is because Apple changed some security settings and VirtualBox 4 (even the current release,) hasn't caught up.

You can fix this easily by going to Oracle and downloading and installing the new VirtualBox 5. VirtualBox 4 won't detect the version 5 update, so you have to download it from Oracle. Some people recommend using the VirtualBox_Uninstall.tool to uninstall version 4.x, however I just installed VirtualBox 5 without uninstalling version 4.x and everything seems to be working fine.

Once you have installed VirtualBox and the extension pack, you will have full control of your USB devices again, including support for USB 3.0 devices.

In my case, I was running OS X 10.11.1 and VirtualBox 4.3.30 when I first noticed the No USB Devices Available so I checked for updates and updated to VirtualBox 4.3.32-103443 but the error remained, even when I rebooted. Installing VirtualBox 5.0.8-10 fixed the issue. Also, you should backup your virtual machines if you can just to be on the safe side.

Friday, October 16, 2015

Hacking the Vuse E-Cig to Fully Use Cartridges and Allow Refills

If you've ever used a Vuse e-cigarette, you may have noticed that eventually the unit will say the cartridge is empty and no longer allow you to use it. Unfortunately, the cartridge isn't actually empty but the cartridge keeps track of how much it was used and has a cut off when it reaches a certain value. In this article I'm going to show you three ways to prevent the cartridge from reaching this cut off point. One method is very simple and can be implemented by anyone. The second is more convenient but does require a bit of work initially, and the third I haven't tested. First though, let me give some background on how the unit works. From their website, 
VUSE is the only Digital Vapor Cigarette designed with a SmartLight™ Indicator to always keep consumers informed. The SmartLight Indicator informs on both the battery and Cartridge life. The SmartLight flashes white for two seconds when the Cartridge is getting low. When the SmartLight flashes white continuously, it is time to change the Cartridge.

VUSE is an electronic cigarette designed with "Smart Technology," according to their website. The VUSE Digital Vapor Cigarette contains a VaporDelivery Processor that uses algorithms in the same way a computer does, therefore it is "digital." The VaporDelivery Processor in the PowerUnit, working with the SmartMemory™ microchip in the Cartridge, monitors and adjusts the power and heat delivered to the Cartridge up to 2,000 times a second, ensuring consistently satisfying puffs.

As you can see from the picture above, the main processor (Atmel ATtiny84A) is in the battery pack, but the cartridge also contains an 8 pin eeprom or microcontroller where, among other things, it keeps track of how much it was used. While I don't know for sure how it works since I don't know the technical specifications of the chip used, I do have a pretty good idea what it is doing.

This is a picture of the main processor on the battery pack, this is located at the tip of the unit under the LED's that light up.
And this is the circuit board from the cartridge.

There are three main operations that happen when you take a puff.

  1. The Vuse battery will only work with Vuse cartridges, so the cartridge authenticates itself with the battery's processor and this communication (and possibly all communication between the processors) is encrypted. This makes it much harder to eavesdrop on this communication. 
  2. Power the heating element, as mentioned above, the battery's processor monitors and adjusts the power delivered to the cartridge using data it receives from the cartridge unit. I won't go too into how this works, but from the numerous patents (excerpts quoted at the end of this article,) of theirs that I've read, it likely monitors the airflow through the battery pack, and the resistance of a fusible link and the heating element located in the container. Keep in mind that the unit is calculating and adjusting the power up to 2,000 times a second.
  3. Having calculated how long or intense the puff was, a value is incremented (or possibly decremented) in the cartridge's microcontroller's eeprom. Note that some people think this is a simple puff counter, but I think it is more advanced than that. If you don't know what an eeprom is, it is just memory that can be read and written like a hard drive. An eeprom doesn't need power to retain its contents, unlike other types of memory. 

Step number 3 is the one that we care about. Because the puff value is written to the eeprom at the completion of a puff, the easiest way to keep a cartridge from expiring is to disconnect it quickly as you take your puff. Unfortunately the connector that connects the battery and the cartridge isn't very dependable and will probably end up breaking at some point. So another option is to carefully take the battery compartment apart and rig a tiny push button switch to the tip of the unit that disconnects the negative terminal of the battery. You can see this connection in the image below, the black wire is the negative terminal and it connects just below the LEDs and main processor.

One way for Vuse (R.J. Reynolds Vapor Company) to prevent this would be to increment the counter to the maximum value a puff can be before the puff starts and then once the puff is done, subtract a value if the puff didn't reach the maximum. Eeprom writes take a few processor cycles to initiate and around 5 to 10 milliseconds to complete. This along with the fact that eeproms can only be written to a limited number of time before they fail (usually 100,000+ but could be less on cheaper components,) is why you wouldn't want to constantly save the value during the puff.
There is a third method that others have reported that will allow you to reuse a cartridge and this method is easier than adding a switch and far more convenient than removing the cartridge every time. This is to sever the connection of the LED on the end of the battery pack. I believe it is this LED

I haven't verified that this will work, and you need to be careful not to damage other components, especially since the main processor is on the other side. If it does work though, it is fairly simple and the only downside is that you no longer have the white LED to indicate that the device is in use.

Thanks for reading, if you like it please share. Leave a comment and let me know if this worked for you or if you have another idea. Before I end this with some more pictures (my own and some from anticommander,) check out my YouTube videos. Follow me on Twitter, @gFogerlie, Google+ and Facebook and you can subscribe to me on Youtube if you want to keep up to date.

Here is a link to the photos I took during the teardown.

The big pads on the image above are likely ISP pinouts for programming the ATtiny microcontroller. 

Here is the pinout of the main processor. Pin 14 connects to the white LED, and pin 15 to the red.

So here are some extra images. This is the inside of a cartridge.

This is the battery charging circuit located in the battery pack where the cartridge would connect.

 Here are some excerpts from some of R.J. Reynolds Vapor Company's patents.

The present disclosure relates to an aerosol delivery device including a variable output flow sensor. The variable output flow sensor particularly can be a flex/bend sensor wherein output from the sensor varies based upon changes in electrical current flow (e.g., resistance) along an extension of the sensor relative to flexing or bending of the extension resulting from airflow across the extension. The disclosure further provides methods for controlling operation of an aerosol delivery device through utilization of a variable output flow sensor. In particular, control of functional elements (e.g., a heating member, a fluid delivery member, and a sensory feedback member) can allow for real-time changes in the operation of the aerosol delivery device relative to airflow through the device.
Read more:

In various embodiments of the smoking article, the heating connection comprising a fusible link and a heating element is in electrical connection with the power source and the control component when the control body and the cartridge body are engaged with one another. The control component can comprise a microcontroller. Furthermore, the control component can be configured to selectively actuate a first electrical current flow of a first set of conditions from the power source to the heating connection when the control body and the cartridge body are engaged, wherein the conditions of the first electrical current flow are insufficient to initiate heating by the heating element. The first set of conditions can comprise a voltage that is substantially the same as a voltage that defines a working voltage for the heating element and a current flow duration of about 45 milliseconds or less (e.g., about 5 milliseconds to about 25 milliseconds). The working voltage can be about 2 volts to about 6 volts.
Read more:

Various embodiments of the smoking article further comprise a current sense resistor, wherein the current sense resistor is adapted to establish an indication of the fusible link status. The control component can be further configured to initiate a command function based upon a cartridge status interpreted from the fusible link status indicated by the current sense resistor. Specifically, the current sense resistor can be adapted to sense a first resistance across the fusible link and a second resistance across the heating element. Sensing of the first resistance can be indicative of an unused cartridge. Sensing of the second resistance in the absence of the first resistance can be indicative of a used cartridge.
Read more:

The control body 80 includes a control component 20, a flow sensor 30, and a battery 40. Although these components are illustrated in a specific alignment, it is understood that various alignments of the components are encompassed by the present disclosure. The control body 80 further includes a plurality of indicators 19 at a distal end 12 of the control body shell 81. Such indicators 19 can show the number of puffs taken or remaining from the smoking article can be indicative of an active or inactive status, can light up in response to a puff, or the like. The indicators can be provided in varying numbers and can take on different shapes and can even be simply an opening in the body (such as for release of sound when such indicators are present).
Read more:

Generally, in use, when a consumer draws on the mouthend 11 of the cartridge, the flow sensor 30 detects the change in flow and activates the control component 20 to facilitate current flow through the resistive heating element 50. Thus, it is useful for air flow to travel through the control body 80 in a manner that flow sensor 30 detects air flow almost instantaneously.
Read more:

The control algorithm may call for power to the resistive heating element 50 to cycle and thus maintain a defined temperature. The control algorithm therefore can be programmed to automatically deactivate the smoking article 10 and discontinue power flow through the smoking article after a defined time lapse without a puff by a consumer. Moreover, the smoking article can include a temperature sensor to provide feedback to the control component. Such sensor can be, for example, in direct contact with the resistive heating element 50. Alternative temperature sensing means likewise may be used, such as relying upon logic control components to evaluate resistance through the resistive heating element and correlate such resistance to the temperature of the element. In other embodiments, the flow sensor 30 may be replaced by appropriate components to provide alternative sensing means, such as capacitive sensing. Still further, one or more control buttons can be included to allow for manual actuation by a consumer to elicit a variety of functions, such as powering the article 10 on and off, turning on the heating element 50 to generate a vapor or aerosol for inhalation, or the like.
Read more:

In particular embodiments, the smoking article can include components that define an electrical circuit whereby a control component is configured to controllably deliver a low power pulse from the power source to the heating connection according to one or more defined algorithms. As a non-limiting example, the control algorithm can include pulse width modulation, which can be based on comparison of a battery voltage with a lookup table. As a further non-limiting example, the control algorithm can include a constant voltage feedback loop, such as through utilization of heater voltage measurements. Specifically, in various embodiments of the smoking article, appropriate wiring can be included such that a cartridge engaging a control body defines a closed electrical circuit through which the control component can controllably deliver a low power pulse (as well as a higher power pulse). The low power pulse can be defined as an electrical current that does not exceed the limits of a fusible link as described herein. By contrast, the higher power electrical current that defines a working status of the heating element (i.e., wherein the heating element heats to a temperature sufficient to vaporize the aerosol precursor material) can exceed the limits of the fusible link.
In some embodiments, a low power pulse can have a voltage, a current, or both that is substantially similar to the same property of the higher power pulse, and pulse power can be defined by current flow duration. In particular, time can be adjusted such that the average power delivered to the circuit is constrained appropriately. In certain embodiments, the fusible link can exhibit a resistance that is lower than the resistance of the heating element. In some embodiments, the fusible link and the heating element are provided in parallel, a majority of the current entering the closed circuit can preferentially flow through the fusible link. When the duration of the electrical current flow is sufficiently long, the lower resistance fusible link will fail and thus allow all of the delivered current to pass through the heating element. Depending upon the type of material from which the fusible link is formed, a sufficiently long current flow time can be about 50 milliseconds or greater or about 100 milliseconds or greater, particularly about 50 to about 500 milliseconds. In various embodiments, the heating element can require that the current be applied for a time of about 0.5 seconds or greater or about 1 second or greater, particularly about 1 second to about 4 seconds for sufficient heating to occur. Therefore, in some embodiments, conditions defining a low power pulse can comprise a voltage, a current, or both a voltage and a current that is substantially the same as the same corresponding voltage, current, or both that is utilized for normal functioning of the heating element, and can also comprise an active flow unit time of about 45 milliseconds or less or about 25 milliseconds or less, particularly about 5 milliseconds to about 25 milliseconds.
In other embodiments, the low power pulse can be defined by a current and/or voltage that can be less than the current and/or voltage that define the working status of the heating element. For example, the electrical current that defines a working status of the heating element can exceed the current delivered by the low power pulse by a factor of 2 or more, 5 or more, or 10 or more. A voltage that defines a working voltage for the heating element can be about 2 volts to about 6 volts, about 2.5 volts to about 5.5 volts, or about 3 volts to about 5 volts. The working voltage is the voltage at which the heating element sufficiently heats to form the desired amount of aerosol during a current flow time as described above.
Read more:

Saturday, September 5, 2015

How to Install Firefox in Kali 2.0

Iceweasel is often out of date, and this is true with Kali 2.0. So if you want a current version of FireFox then I will show you the easiest way I have found to install it. Unlike some other methods, this one shouldn't cause problems with other programs, and I've heard, but cannot confirm, you may not need to uninstall Iceweasel. I'll explain why I cannot confirm this after I show you how to install it.

So open terminal and enter the following to uninstall Iceweasel:
apt-get remove iceweasel
Now we need to tell Kali how to get a project that will get the latest version of FireFox for Kali (or other Debian systems.) To do this enter the following in terminal, it is all one line:
echo -e "\ndeb all main" | tee -a /etc/apt/sources.list > /dev/null
Next we need to add a key via apt-key in terminal:
apt-key adv --recv-keys --keyserver C1289A29
All that's left is to update and install firefox:
apt-get update
apt-get install firefox-mozilla-build
 That's it! Now you can find FireFox in the Application menu or run it from terminal by typing `firefox`. Don't worry if you see a GLib error when running it from terminal.

I said you may not need to uninstall Iceweasel but I cannot verify this because I uninstalled it while attempting a previous FireFox install. Now that I have installed FireFox via the method I showed, I tried to reinstall Iceweasel but I get the following error that is caused by having FireFox:
diversion of /usr/bin/firefox to /usr/bin/firefox.real by iceweasel' clashes with `diversion of /usr/bin/firefox to /usr/bin/firefox.ubuntu by firefox-mozilla-build

Thanks for reading, check out my YouTube videos, I have a lot of stuff on Tor and Kali. Follow me on Twitter, @gFogerlie, Google+ and Facebook and you can subscribe to me on Youtube if you want to keep up to date.

Install the Newest Version of Tor in Kali 2.0

You can install the Tor service (not the browser bundle,) from the repository by using `apt-get install tor` however since Kali doesn't keep its repositories up to date, you will get an older version of Tor. This post will show you how to install the most current version of Tor. Due to Kali 2.0 not having some libraries installed that older versions of Kali had, and some other issues, this process is harder than it should be and used to be.

To start, visit and expand the Source Code section. Then click the Download Source Code button and save the download.

Next open the file you downloaded and extract it to wherever you want, I chose my Desktop. If you try to build Tor at this point, you will run into some errors. To fix these errors, we need to install the missing dependencies. To do this, enter the following in terminal:
apt-get install libevent-dev libssl-dev 
Now that we have all the dependencies installed, go ahead and in terminal change to the extracted tor folder, in my case this is `cd ~/Desktop/tor-`. Now enter the following:
make install 
If you encountered any errors, please leave a comment below and I will try to help you promptly. If everything went well, typing `tor` in terminal should launch it, however I received the following error, "bash: /usr/sbin/tor: No such file or directory," but running `man tor` opened the manual. I don't know why it was trying to run tor from that directory, perhaps it was because I had installed and then removed Tor using apt-get. Restarting Kali seemed to fix the issue.

If you have previously installed Tor via apt-get, then run `tor --version` to make sure it is the version we just built. If it isn't, run 'apt-get remove tor' to uninstall the old version.

Another helpful tool to use with Tor is TorSocks. Torsocks allows you to use most applications in a safe way with Tor. It ensures that DNS requests are handled safely and explicitly rejects any traffic other than TCP from the application you're using. Type `torsocks` in terminal to see if it is installed. If it doesn't run, then you need to use `apt-get install torsocks` to install it. To use TorSocks, you simply enter torsocks appname to proxy most applications through Tor. You can test this by running, `torsocks curl` this should return the IP address of the tor exit node, to verify that it isn't your own IP address, just run `curl` to display your actual IP address.

Thanks for reading, check out my YouTube videos, I have a lot of stuff on Tor and Kali. Follow me on Twitter, @gFogerlie, Google+ and Facebook and you can subscribe to me on Youtube if you want to keep up to date.

Thursday, July 16, 2015

DOJ Cyber Security Takes Down Darkode Hacker's Website

The Department of Justice's Cyber Security division launched a 20 country coordinated takedown of the hacking website/forum Darkode, codename Shrouded Horizon. About 70 of its members have been identified and many arrested across the world, including 12 from America. Darkode has been a marketplace to purchase and trade hacking tools since at least 2008. It's considered the largest, most sophisticated English-language criminal marketplace in the world, and hackers go there when they need the latest malware, spam programs, and access to botnets and 0-day vulnerabilities.

Want to steal information from hundreds of Android phones? A member of Darkode was selling a program that does that for $65,000. Looking for a virus that can lock a computer or a network until the victim pays you a ransom? Darkode has that too. Darkode was the cyber clubhouse where all of these sophisticated hackers and coders could come together in secrecy and trade their wares.
Investigators say that while the forum's existence was widely known, they hadn't been able to penetrate it until recently. Darkode operated under password protections and required referrals to join.

Now however, if you go on, you'll see a splash board that indicates that it has been taken down by the FBI here in Pittsburgh and the U.S. Attorney's office.

Here are the defendants who are facing charges in the U.S., from the Justice Department news release:

  • Johan Anders Gudmunds, aka Mafi aka Crim aka Synthet!c, 27, of Sollebrunn, Sweden, is charged by indictment with conspiracy to commit computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. He is accused of serving as the administrator of Darkode, and creating and selling malware that allowed hackers to create botnets. Gudmunds also allegedly operated his own botnet, which at times consisted of more than 50,000 computers, and used his botnet to steal data from the users of those computers on approximately 200,000,000 occasions.
  • Morgan C. Culbertson, aka Android, 20, of Pittsburgh, is charged by criminal information with conspiring to send malicious code. He is accused of designing Dendroid, a coded malware intended to remotely access, control, and steal data from Google Android cellphones. The malware was allegedly offered for sale on Darkode.
  • Eric L. Crocker, aka Phastman, 39, of Binghamton, N.Y., is charged by criminal information with sending spam. He is accused of being involved in a scheme involving the use of a Facebook Spreader that infected Facebook users' computers, turning them into bots that Crocker controlled through the use of command and control servers. Crocker sold the use of this botnet to others for the purpose of sending out massive amounts of spam.
  • Naveed Ahmed, aka Nav aka semaph0re, 27, of Tampa, Fla.; Phillip R. Fleitz, aka Strife, 31, of Indianapolis; and Dewayne Watts, aka m3t4lh34d aka metal, 28, of Hernando, Fla., are each charged by criminal information with conspiring to send spam. They are accused of participating in a sophisticated scheme to maintain a spam botnet that utilized bulletproof servers in China to exploit vulnerable routers in third world countries, and that sent millions of electronic mail messages designed to defeat the spam filters of cellular phone providers.
  • Murtaza Saifuddin, aka rzor, 29, of Karachi, Sindh, Pakistan, is charged in an indictment with identity theft. Saifuddin is accused of attempting to transfer credit card numbers to others on Darkode.
  • Daniel Placek, aka Nocen aka Loki aka Juggernaut aka M1rr0r, 27, of Glendale, Wis., is charged by criminal information with conspiracy to commit computer fraud. He is accused of creating the Darkode forum, and selling malware on Darkode designed to surreptitiously intercept and collect email addresses and passwords from network communications.
  • Matjaz Skorjanc, aka iserdo aka serdo, 28, of Maribor, Slovenia; Florencio Carro Ruiz, aka NeTK aka Netkairo, 36, of Vizcaya, Spain; and Mentor Leniqi, aka Iceman, 34, of Gurisnica, Slovenia, are each charged in a criminal complaint with racketeering conspiracy; conspiracy to commit wire fraud and bank fraud; conspiracy to commit computer fraud, access device fraud, and extortion; and substantive computer fraud. Skorjanc also is accused of conspiring to organize the Darkode forum and of selling malware known as the ButterFly bot.
  • Rory Stephen Guidry, aka, of Opelousas, La., is charged with computer fraud. He is accused of selling botnets on Darkode.
  • In a related case, Aleksandr Andreevich Panin, aka Gribodemon, 26, of Tver, Russia; and Hamza Bendelladj, aka Bx1, 27, of Tizi Ouzou, Algeria, pleaded guilty on Jan. 28, 2014, and June 26, 2015, respectively, in the Northern District of Georgia in connection with developing, distributing and controlling SpyEye, a malicious banking trojan designed to steal unsuspecting victims' financial and personally identifiable information. Bendelladj and Panin advertised SpyEye to other members on Darkode. One of the servers used by Bendelladj to control SpyEye contained evidence of malware that was designed to steal information from approximately 253 unique financial institutions around the world. Panin and Bendelladj will be sentenced at a later date.
Here are some screenshots of what Darkode used to look like before it was taken offline: Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot

Here are some screenshots of some of the files from the Hacking Team's data breach (the torrent is currently available at

Hacking Team Data Dump Files

Hacking Team Data Dump Files

Hacking Team Data Dump Files

Hacking Team Data Dump Files

Wednesday, July 8, 2015

Install Tor Browser Bundle in Kali Linux

This video covers installing the Tor Browser Bundle v3.6+ (older versions work too, there is just an extra step with the new version,) on Kali Linux. There are 2 errors you will run into when trying to install it, and I cover how to easily fix them.

Why does the Tor Browser Bundle (TBB) give us this running as root error? In any operating system, you want as to have as few processes as possible running at root (or any privilege above their requirements,) especially user processes like TBB or a textpad, games etc. This greatly reduces the ability for a hacker to exploit a flaw in the service and gain root access to your machine. A web browser is more prone to attacks overall because it runs unknown code from anywhere (JavaScript, malicious HTML, ActiveX, Java, PDF exploits, favicon, and many MANY more,) so it is best to avoid running any browser as root if possible!

Despite the Firefox and TBB developers' best efforts, it is possible that there may be vulnerabilities in TBB, and since there is no actual need for it to be run as root and the good people at Tor are concerned for one's safety, they add the warning/error. It is simple to create a non-root account on Kali and install it fine from there, but most people don't need/want to. If you are concerned about the items I mentioned, I'd recommend doing that, and just remember to use `sudo` to run any apps in Kali as root from your non root account.

To extract Tor:
tar -xvf tor-browser-linux64-3.6.1_en-US.tar.xz

To fix the second problem, change to the directory where the Tor files are, then type:
chown -R root *

If you like my videos, please subscribe to me on YouTube:

Follow me on Twitter, @gFogerlie and Google+

If you have a video request you can let me know in the comments here or on my channel:

Kali Linux v2.0 - Kali Sana New Look and Lots of New Features

Kali Linux 2.0 pre-release video showcasing some of the new features and new user interface. New features include GNOME 3, built in screen capture, redesigned menus and tool categories, native Ruby 2.0, and updated wifi tools. Release date set to 11th of August, 2015.

Follow me on Twitter, @gFogerlie and Google+

If you like my videos, please subscribe to me on YouTube:

If you have a video request you can let me know in the comments here or on my channel:

Saturday, June 13, 2015

Google Blocks Hydra Attack and Sends the Victim the Hackers Information

So after helping someone get the correct syntax to use Hydra against an SMTP mail server, I decided to try it against my Google hosted email account and not only did Google block the attempt, alert me of the attempt via email to both my primary and secondary account, they also allowed me to see the IP address and the what the device was (presumably from the user agent, but since this was Hydra it was just unknown since there was no user agent sent.)

Great job Google, providing the victim with actual helpful information is what every company should do. I recently had my bank account locked down after a hacking attempt and after several phone calls, and going to the bank they still would not release the IP address or any other information like the password attempts. As you can see by the image below, Google even points out that they knew my correct password. If my bank would provide me with this information I could figure out if the hacking attempt was random or from someone who knows me. 

Special thanks to Joe Smith, for making me attempt this is the first place. Here is the (edited) Hydra syntax I used: 
hydra -l -P ~/Desktop/gmTest.txt -S -s 465 -v -V smtps://

If you like my videos, please subscribe to me on YouTube:

Follow me on Twitter, @gFogerlie and Google+

If you have a video request you can let me know in the comments here or on my channel:

Saturday, May 16, 2015

Record Snapchat Videos and Images without an Alert on your iPhone - 4k V...

This video shows you how to discreetly record one time viewable videos and images from apps like SnapChat using an iPhone and a computer running QuickTime. No one is notified that the video or picture has been recorded. It requires OS X Yosemite and iOS 8 running on your device.

Sunday, April 5, 2015

Setting Terminal Colors

Just a forewarning, this has been sitting in my drafts folder for a very long time, and I'm not sure if it is complete but figured I'd publish it now otherwise delete it.
  • On FreeBSD and Mac OS Xls shows colors if the CLICOLOR environment variable is set or if-G is passed on the command line. The actual colors are configured through the LSCOLORSenvironment variable (built-in defaults are used if this variable is not set). To show directories in light blue, use
    export LSCOLORS=Exfxcxdxbxegedabagacad


export CLICOLOR=1
export LSCOLORS=gxbxhxdxcxhxhxhxhxcxcx

. ~/.bash_profile

Colors for Dark Terminal Themes:
export CLICOLOR=1
export LSCOLORS=GxFxCxDxBxegedabagaced

Dark Terminal Colors

Colors for Light Terminal Themes:
export CLICOLOR=1
export LSCOLORS=ExFxBxDxCxegedabagacad

Light Terminal color theme

The color designators are as follows:

a black
b red
c green
d brown
e blue
f magenta
g cyan
h light grey
A bold black, usually shows up as dark grey
B bold red
C bold green
D bold brown, usually shows up as yellow
E bold blue
F bold magenta
G bold cyan
H bold light grey; looks like bright white
x default foreground or background

Note that the above are standard ANSI colors. The actual
display may differ depending on the color capabilities of
the terminal in use.

The order of the attributes are as follows:

1. directory
2. symbolic link
3. socket
4. pipe
5. executable
6. block special
7. character special
8. executable with setuid bit set
9. executable with setgid bit set
10. directory writable to others, with sticky bit
11. directory writable to others, without sticky bit

Complete Online Defensive Driving In Minutes Not Hours - 4k Video

Ever have to take online driving class? If so, this video will show you how to breeze through it in a matter of minutes instead of hours. Just a simple JavaScript command allows you to bypass the timer that forces you to wait 7-12 minutes per page. You don't need to know anything about JavaScript to use this cheat, and you can do it in most any modern browser. I used Google Chrome for this video, but it is a similar process in Firefox and Internet Explorer; all you have to do is get to the console (press F12 in Internet Explorer and Firefox is pretty much the same as Chrome.)

Here is an image of the script that got me started. After looking at this I thought I could just set minute to 0 and that would be it, but it turned out that this is not being used, still interesting to look at:

If you like my videos, please subscribe to me on YouTube:

Follow me on Twitter, @gFogerlie and Google+

If you have a video request you can let me know in the comments here or on my channel:

Tuesday, March 31, 2015

Google is Trying to End Add Injectors!

Add injectors are a major nuisance causing pop-ups and web page redirection against your will. More than 5% of people visiting Google sites have at least one ad injector installed, and they run on Windows and Mac!

Add injectors are malware programs that are deceptive, difficult to remove, secretly bundled with other downloads, and have other bad qualities. Google's made several recent announcements about their work to fight unwanted software via Safe Browsing, and now they're sharing some updates on their efforts to protect you from injectors as well. 

People don’t like ad injectors for several reasons: not only are they intrusive, but people are often tricked into installing ad injectors in the first place, via deceptive advertising, or software “bundles.” Ad injection can also be a security risk, as the recent “Superfish” incident showed. 

But, ad injectors are problematic for advertisers and publishers as well. Advertisers often don’t know their ads are being injected, which means they don’t have any idea where their ads are running. Publishers, meanwhile, aren’t being compensated for these ads, and more importantly, they unknowingly may be putting their visitors in harm’s way, via spam or malware in the injected ads. 

How Google fights unwanted ad injectors

We have a variety of policies that either limit, or entirely prohibit, ad injectors. 

In Chrome, any extension hosted in the Chrome Web Store must comply with the Developer Program Policies. These require that extensions have a narrow and easy-to-understand purpose. We don’t ban injectors altogether—if they want to, people can still choose to install injectors that clearly disclose what they do—but injectors that sneak ads into a user’s browser would certainly violate our policies. We show people familiar red warnings when they are about to download software that is deceptive, or doesn’t use the right APIs to interact with browsers.
red warning.png
On the ads side, AdWords advertisers with software downloads hosted on their site, or linked to from their site, must comply with our Unwanted Software Policy. Additionally, both Google Platforms program policies and theDoubleClick Ad Exchange (AdX) Seller Program Guidelines, don’t allow programs that overlay ad space on a given site without permission of the site owner.

To increase awareness about ad injectors and the scale of this issue, we’ll be releasing new research on May 1 that examines the ad injector ecosystem in depth. The study, conducted with researchers at University of California Berkeley, drew conclusions from more than 100 million page views of Google sites across Chrome, Firefox, and Internet Explorer on various operating systems, globally. It’s not a pretty picture. Here’s a sample of the findings:
  • Ad injectors were detected on all operating systems (Mac and Windows), and web browsers (Chrome, Firefox, IE) that were included in our test.
  • More than 5% of people visiting Google sites have at least one ad injector installed. Within that group, half have at least two injectors installed and nearly one-third have at least four installed.
  • Thirty-four percent of Chrome extensions injecting ads were classified as outright malware.
  • Researchers found 192 deceptive Chrome extensions that affected 14 million users; these have since been disabled. Google now incorporates the techniques researchers used to catch these extensions to scan all new and updated extensions.

We’re constantly working to improve our product policies to protect people online. We encourage others to do the same. We’re committed to continuing to improve this experience for Google and the web as a whole.