Sunday, January 3, 2016

First Drafts in Money Laundering



In this post I would like to step away from all things computer. Here are a couple of what I think were excerpts from the first draft of a story about a wayward money-laundering task force brought to you by the great state of Florida, aka the land of 911 calls over chicken McNuggets. To summarize, the Bal Harbour PD and Glades County Sheriff's Office were involved in a task force to cut off funding lines to various cartels, complete with cover bank accounts and loads of untraceable cash. This all went very predictably wrong when the police realized they had badges and started to spend money like Saudi sheikhs, becoming ACTUAL money launderers in the process. Don't worry, once the Department of Justice realized they were getting screwed on their cut, the whole operation was shut down.






Above, we have poor Pat Franklin's original wording just before lawyers from the Department of Justice lodged a complaint that the comparison to the Mafia was inappropriate since caporegime refers to an underboss when clearly they are the Capo di tutti i capi (boss of all bosses).

This is from the next installment where the cops were trying to decide on how they could use the potential drug money to finance their own departments. Surprise, surprise, the Feds had a program designed JUST for the occasion.

My thoughts on the preceding blurb are that the two LEOs didn't know what the program was originally called, so they were a bit more descriptive in what they wanted until they found the actual name.
Of course, the above is all satire, but I would like everyone to take a second and ponder how the hell a program like "Equitable Sharing" exists or that ANY organization is allowed to feed a budget off the proceeds of a crime.





Thank you to the Miami Herald for posting this series of stories; if you would like to read more go to: http://pubsys.miamiherald.com/static/media/projects/2015/license-to-launder/index.html

Tuesday, December 22, 2015

Scrubbing your Creds

Here is my presentation about keeping your identity close on the web if you want to purchase particular items and services. Enjoy.



Transcript of Cleaning your Creds

Cleaning your Creds: scrub them idents

What are we doing? We want to be able to purchase services using an entirely unattributable network, from the comfort of our couch.

What's your digits? Get a number from pinger (need an existing mobile, or DO you?). Click here and use a disposable email for verification.

Hop on TOR: Using your favorite livecd, hop on TOR and start using the tubes.

The Russian Connection: Grab an Email address from mail.ru: https://e.mail.ru/signup?from=main_noc

Facebook fail to the rescue: Use your mail.ru account to create a FB page, then allow pinger to use that for verification.

Security in Layers: Use your new phone number, FB profile, and email to start stacking layers (hushmail would be good cuz privacy).

How to get moniez: Really the only part requiring a physical presence somewhere. MoneyPak from WallyWorld or Walgreens (pay cash, dumbass). Find a MoneyPak to BTC service (they exist).

Things to buy: Private VPN using BTC (ipvanish). Maybe a nice VPS (bithost.io).

Anonymize Further: Use a mixer/tumbler to make your BTC more anonymous. You can use this multiple times once you establish the unattrib chain.

Saturday, October 10, 2015

Net Neutrality and the FCC

Here is a post I did at March's SAHA! event. Note the March 4th date, and then check this link out: http://www.techpolicydaily.com/communications/title-ii-law-enforcement-and-surveillance/. The whole thing was a Prezi, but it was pointed out that may not be the best way to show it. It's all about CALEA, Net Neutrality, and the cozy relationships between various government orgs and politically-connected corporations.

Transcript of Net Neutrality

What were they before?
Title I provider

Legal Differences
FCC - Administrative Body
By virtue of your existence, and their regulatory purview, they don't need a warrant/reasonable suspicion/probable cause when operating in their domain (think TSA pat downs; even a Terry stop needs reasonable suspicion, an administrative search does not)

Cozy Relationships
FCC+CIA+DHS+FBI
FCC, as any gov't org is wont to do, has relationships with all of the other agencies and several well-heeled corporate types.
Can you see where this is going?
FCC Rules
DHS issues take-down notices
FBI administers DCS (a system to support CALEA)
CIA had FBIS (which worked in conjunction with FCC to tap domestic broadcasts)

CIA Relationship
https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/foreign-broadcast-information-service/3-FBIS-New-Service-in-FCC.pdf
“Because of its position as a working branch of FCC, FBIS was for nearly a year engaged in work other than monitoring of foreign broadcasts. It was made responsible for policing domestic foreign language broadcasts. This work was started by FCC in September 1940, a year and a half before FBMS was launched. At the time there were more than 200 U.S. broadcasting stations with programs in foreign languages, and with the war in Europe these programs continually came under suspicion. Following a growing flood of complaints, FCC decided to monitor all foreign-language broadcasts. Under the direction of Dawson, a Foreign Language Broadcast and Translation Section was set up. At one time it employed 24 translators and a sizeable staff of typists to process the recordings delivered by FCC engineers. FCC announced on 29 July 1942 that their entire section had been transferred to FBIS.”

What Happened
3-2 vote along party lines
317 Pages
Unreleased (for at most 60 days)
ISPs are now a Title II Common Carrier
About 10 subchapters to include LE requirements (although the CALEA stuff applied to fixed location broadband providers even though they are Title I)

What is the difference
Old Provisions for ISPs (very short)
https://www.law.cornell.edu/uscode/text/47/chapter-5/subchapter-II/part-I

New Provisions (very long)
https://www.law.cornell.edu/uscode/text/47/chapter-5/subchapter-II/part-I

Net Neutrality
Agency operating in their domain sees/hears an item of interest to LE orgs. LE orgs use parallel construction to obscure the initial tipper. What better than the content police for this task?

FCC hearts Connected Companies
http://en.wikipedia.org/wiki/LightSquared#FCC_authorization
LightSquared was granted a special pass to operate in bands others were not permitted to due to interference concerns

but wait...there's more!
Who is LightSquared, and y r they speshul?
On September 15, 2011, Representative Michael Turner (R-Ohio) asked the United States House Committee on Oversight and Government Reform to investigate LightSquared under the premise that the Federal Communications Commission waived a rule for LightSquared because Harbinger Capital's Philip Falcone had made sizable campaign contributions to President Barack Obama.

IE 10+ History Format

In keeping with my constant discovery of lost accounts and prior presentations, I just checked my Prezi and found a couple of jewels. This one is on the switch between Internet Explorer History formats. Binary to ESE database (Jet API). Enjoy

Transcript of IE 10 History (old format, new system)

IE 10 History (old format, new system)
What is ESE?
Extensible Storage Engine (ESE), also known as JET Blue, is an ISAM (Indexed Sequential Access Method) data storage technology from Microsoft. - blatant wiki ripoff definition
Why should I care?
According to GetClicky and other site stat counters IE makes up about 30% of all browser use and holding. The steady drop off in 9 and below versus the rise in 10+ is why we are interested. This is where IE 10 takes off.
Problem
All IE versions from 4.0 - 9.0 used the index.dat binary format for internet history

IE10 changed that and now uses the Jet API on top of the ESE database format

Few tools parse this new format, opensource or otherwise, last I checked
Where is the history file?
C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Dirty Shutdowns
If the database is not shut down cleanly, which it rarely is due to being locked ALL THE TIME by taskhostex.exe, the header stays flagged as a dirty shutdown and whatever was still only in the V01*.log transaction logs beside it is missing from the .dat file
What to do?
Microsoft's JetApi to the rescue - sort of...
Now what?
Enumerate Process handles to find who has the db opened, then kill it:


Process Inject to Force Handle Closing:


all result in a dirty db
Options with the new file
Esentutl - Microsoft exe to restore/manage ESE dbs
usage: esentutl /p WebCacheV01.dat
(/p is the hard repair and throws away whatever it cannot reconcile; esentutl /r replays the transaction logs first if you still have them, and esentutl /mh WebCacheV01.dat only dumps the header so you can read the shutdown state without modifying anything)

OR!!

libesedb - brought to you by some kind folks here:
https://code.google.com/p/libesedb/
(the project has since moved to https://github.com/libyal/libesedb)


Since esentutl's restore/recovery feature has popups and warnings about data loss, I think the forensics professional in me would rather use a parsing lib than use the M$ binary
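As an added example (not code from the original presentation), here is a small Python check that does offline what esentutl /mh does on the box: it reads the first 240 bytes of an ESE file, verifies the signature, and reports the shutdown state and page size, so you know whether the copy you pulled is clean before choosing between a parser lib and a lossy repair. The field offsets and state values follow the libesedb format documentation; the sample header is constructed inside the script and is not bytes from a real WebCacheV01.dat.

```python
import struct

# Field offsets in the ESE (JET Blue) database file header, taken from the
# libesedb format documentation. Only the fields this checker needs are here.
OFF_SIGNATURE = 4        # 4 bytes: the 0x89ABCDEF magic, little-endian on disk
OFF_FORMAT_VERSION = 8   # 4 bytes
OFF_STATE = 52           # 4 bytes: database state (see DB_STATES)
OFF_PAGE_SIZE = 236      # 4 bytes
HEADER_MIN_LEN = 240     # enough bytes to reach every field above
ESE_SIGNATURE = b"\xef\xcd\xab\x89"

DB_STATES = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}
CLEAN_SHUTDOWN = 3


def is_ese_file(data: bytes) -> bool:
    """True if the buffer starts with a header carrying the ESE signature."""
    return len(data) >= HEADER_MIN_LEN and data[OFF_SIGNATURE:OFF_SIGNATURE + 4] == ESE_SIGNATURE


def parse_ese_header(data: bytes) -> dict:
    """Decode signature, state and page size from the first bytes of an ESE file."""
    if not is_ese_file(data):
        raise ValueError("not an ESE database header (short buffer or bad signature)")
    version, = struct.unpack_from("<I", data, OFF_FORMAT_VERSION)
    state, = struct.unpack_from("<I", data, OFF_STATE)
    page_size, = struct.unpack_from("<I", data, OFF_PAGE_SIZE)
    return {
        "format_version": version,
        "state": state,
        "state_name": DB_STATES.get(state, "unknown (%d)" % state),
        "page_size": page_size,
        # Anything but a clean shutdown means the .dat is behind its logs:
        # expect libesedb to warn, and expect esentutl /p to lose data.
        "dirty": state != CLEAN_SHUTDOWN,
    }


def check_file(path: str) -> dict:
    """Run the check against a file on disk (e.g. a copy pulled from a VSS snapshot)."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(HEADER_MIN_LEN))


def make_sample_header(state: int, page_size: int = 32768) -> bytes:
    """Constructed header for offline testing; not bytes from a real WebCacheV01.dat."""
    buf = bytearray(page_size)
    buf[OFF_SIGNATURE:OFF_SIGNATURE + 4] = ESE_SIGNATURE
    struct.pack_into("<I", buf, OFF_FORMAT_VERSION, 0x620)  # classic ESE format version
    struct.pack_into("<I", buf, OFF_STATE, state)
    struct.pack_into("<I", buf, OFF_PAGE_SIZE, page_size)
    return bytes(buf)


if __name__ == "__main__":
    for st in (2, 3):
        info = parse_ese_header(make_sample_header(st))
        print("%-15s dirty=%s page_size=%d" % (info["state_name"], info["dirty"], info["page_size"]))
```

Point check_file at the copy you pulled out of a shadow copy (or the live file opened read-only). A header that says dirty shutdown is the cue to replay logs with esentutl /r, or to accept libesedb's warnings on the inconsistent file, rather than reach for /p.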

VSS API
Volume Shadow (copy) Service lets you snapshot the volume holding the file in question and then copy the file out of the snapshot to a location of your choosing (including straight into memory), without fighting the process that holds the live file open



Still results in a dirty db, but using a parser lib, I'm largely fine with this
How do I use this thing?
Compile it as a static lib, and include it in your C/C++ IR tool - traditional dev way

Add as resource and roll your own PE loader - the more awesomer way (x64 still needs some work)

Thursday, October 1, 2015

Getting Over the Jitters

Every now and then I am asked to give back to the community for all that I have taken away. It happens to us all. There's something that some of us forget in these "all eyes on me" times. Each one of us started somewhere. With me, it was a series of lies, damned lies, and mild obfuscation. I had a help desk gig I managed to parlay into a security career. Now, the Ferraris and Lambos promised to me by Scorpion and every other CBS crapfest haven't exactly manifested yet, but I have some hope for the future.
I was asked to do a small pep talk for a group of students going through a coding bootcamp. I'm leaving their name out since I haven't asked for permission to single them out as a beacon in a vast sea of talent-pool regenerative darkness. Plus, I curse a lot and have a generally shitty attitude on several aspects of our field; mostly things I have to put up with regarding outreach and spreading the love.

In performing this public speaking task I noticed I was much more on-point than in the past, without really prepared notes. I had a general idea of what I wanted to touch upon, but nothing incredibly detailed. People want to hear what is going to help them regarding their careers versus some nuanced view on security. I can speak to both, however I like to give the folks what they want. The way I got over my typical jitters, though, was by doing a few open mics at a local comedy club.

Nothing gets you more nervous than trying to make it through a hack bit, in front of the surliest and most critical individuals on Earth; stand-up comics. Bombing is one of the worst feelings on the planet; especially when no one knows who you are with NO respect for your previous accomplishments. You are just a face, on a stage, with a mic, talking to the masses. For extra points, try telling a racial joke in these PC times. The amount of sweat pouring out of you due to stress, and some serious stage lights, is incomparable.

Slowly, I started to notice a small part of my nerves lifting. I was quicker on my responses to an audience. My flow was better. The points I made were more cohesive. I even managed to moderate myself for a more cultured audience. Everything simply worked better.

Long story cut extremely short, find your local Giggles/LOL/Chuckle-hut and crank out some jokes. Make them as un-PC as possible. Get out of that comfort zone. After all, most of them prohibit cameras so there's no Youtube to worry about.

xoxo,
vesh

Monday, September 7, 2015

A Welcome Suicide in the Uncanny Valley

I love the world of computer graphics and gaming. I recently started fooling around with drawing sprites and backgrounds for creating my own games. Then, I saw this tweet https://goo.gl/6Vux1Z. Basically, computer vision was being used to gauge fashion trends. They were taking the human out of the equation. At this point, my wheels started cranking. I wondered how easy it would be to take George Clooney, I mean, an anonymous actor, and replace them with a 3D model. How long would it take me to understand the modelling process?




Here is another attempt after having some creases I couldn't understand how to get rid of.




I think this is pretty damn fine progress for a grand total of eight hours. Someone with some skill or significantly more experience probably could have done an almost perfect CG render of the actor above. By the way, this is Blender. It is FREE. With absolutely no training aside from a tutorial - http://goo.gl/OPpmgn - I was able to outline both George Clooney's, I mean, anonymous actor's face and some stupid drawing from The-Blueprints.com (not really stupid; I mean, I couldn't have drawn that). 

The brilliance of this program and field begs the question; what happens when the CG world overtakes the movie world? I don't mean Lord of the Rings style. I mean FULL replacement. Take Archer for example. Several of the fans know the titular character is voiced by H. Jon Benjamin. Who knows the model for Archer though? Some may, but do you give a shit about his political opinions? Do you care who he marries, and the shitastic name some rag has given them? No, you don't. The dude is just a symmetrical face that looks good to a computer animation system. What happens when all of these actors and actresses are no longer necessary to the process? What happens when we get over that Uncanny Valley (Google it, I'm not your search engine)? Let's do a quick exercise!

Name some of the top voice actors
1. Frank Welker
2. Bob Bergen
3. Billy West
4. Tara Strong
5. Johnny Yong Bosch

Now some of the top actors
1. George Clooney
2. Matt Damon
3. Susan Sarandon
4. Ben Affleck
5. Tim Robbins

And then name the top CGI models
1. ?????
2. Ummmm
3. What's-his-name?
4. That model who played Angelina Jolie's tits in Beowulf, god who was she?
5. Failed actor #5

Cross the top two lists with the number of asinine appearances before Congress or attendance at political fundraisers. Do you see the difference? One is a group of talented people who voice some of your favorite characters. No one cares how they vote or who they bang. The other is a group of similarly talented individuals who you have to see every other week going in front of some congressional beg-a-thon with an inflated sense of self-worth and recommendations that are taken seriously for Christ's sake. Large swaths of citizens and political heavies actually formulate opinions around what the second group thinks. Take them out of the equation with rendering software. Now, you tell me if we aren't solving some problems with tech. These voice actors may have an opinion or two that has made its way to the halls of our nation's Capitol, but I can't find any instances.

Walk through a world with me. A world where actual writing talent rules the day. No more US Weekly. Goodbye the last thralls of Scientology. Goodbye to an entire segment of Americana that is best sent to the farthest dustbin history can provide. So long having to listen to some vapid, empty actress begging for our tax dollars to entertain her cause du jour. 

I can't wait - CAN'T WAIT - for the day when no one gives a shit about what a celebrity has to say. Get ready for your opinions to matter about as much as any other waiter in LA hoping to break into the acting scene. Get ready for no one to care what you think about whales or the environment, or tax policy as if you are some authority on the subjects simply because you pretended to be a marine biologist one time. Not a soul is going to care. What do you do then? Are you ready to pick up a pen and create some art of your own instead of leeching off the truly talented?

Everybody who even has a remote interest, go learn this 3D animation skill. Help push the lemmings over the cliff. Make them as obsolete as an Apple Pippin, a NeoGeo, or George Lopez's act. It took me ONE day to get this far. For anyone that ever worked with 3D Studio Max in the late 90's, this is an impressive turnaround. Imagine what a year with Blender and some grid paper will yield? We could eliminate the need for Ben Affleck in a heartbeat. Don't we all want Batman from the Arkham Games to be the next Batman anyways? Why wait, let's get this shit done now.

-vesh

Monday, August 17, 2015

You down with OTP? You know me (how to fail at encryption by M$)

In their relentless pursuit of the Holy Fail, Microsoft has managed to screw up the one idea that makes a one-time anything work. The way a real One-Time Pad (OTP) works is that the key is random, at least as long as the message, used exactly once, and handed to the recipient separately from the ciphertext. What Microsoft calls an OTP in the docs below is a one-time passcode rather than a pad, but the rule that matters is the same one: the thing that unlocks the message must not travel with the message. Your implementation may vary, but that's a very ground-level explanation.

This all works very well together because the recipient gets an encrypted message in his inbox, and the key to unlock it via some other channel. VIA SOME OTHER CHANNEL!!! Those are the key words in this whole scheme. Microsoft has forgotten this seemingly important part of the idea. You be the judge. I will give you the link. You read around the marketing and cyber-dust to get to the meat of the concept they outline here: https://technet.microsoft.com/en-us/library/Dn569285.aspx and their OTP idea here: https://technet.microsoft.com/en-us/library/use-a-one-time-passcode-to-view-an-encrypted-message.aspx

Did you spot the problem? Good, I knew you could do it. In case it is not obvious, Microsoft is sending the message AND the key through the same channel with a few layers of indirection. Admittedly it took a trip to Scriptjunkie town (@scriptjunkie1) for me to really dig into what they were actually trying to do. At first, it sounded pretty good. Then Scriptjunkie asked "So, what attack vector is taken out of the picture by using this?" The answer was, of course, none.

If the message with the super-special-encrypted link goes across the non-enciphered transom, an attacker only needs to grab the link to get the passcode and finally the message. I'm sure there are some fancy client-side tricks they employ to try to make sure you are who you say you are, but how well has that ever worked? If the connection the email passed over was encrypted all the way (meaning in transit, and at rest at every hop), you wouldn't need the OTP in the first place.
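To make the channel argument concrete, here is an added example in Python (not Microsoft's code or anything from their docs) that implements a textbook one-time pad and then models two deliveries: ciphertext and key both over "email", versus the key over a second channel. An eavesdropper who only reads the email channel is handed the plaintext in the first case and gets nothing in the second; a last helper shows why the pad is strictly one-time. The channel names, labels and message are made up for the demo.

```python
import secrets


def new_pad(length: int) -> bytes:
    """A proper pad: cryptographically random and exactly as long as the message."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with the pad; the same call encrypts and decrypts."""
    if len(pad) != len(data):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(a ^ b for a, b in zip(data, pad))


class OneTimePad:
    """Wraps a pad and burns it after one use, enforcing the 'one-time' part."""

    def __init__(self, pad: bytes):
        self._pad = pad

    @property
    def used(self) -> bool:
        return self._pad is None

    def encrypt(self, msg: bytes) -> bytes:
        if self.used:
            raise RuntimeError("pad already used; a second use is a two-time pad")
        ct = otp_xor(msg, self._pad)
        self._pad = None
        return ct


# Transit model (constructed for the demo): a delivery is a list of
# (channel, label, payload). The label stands in for the "here is your
# passcode" wording that tells any reader which blob is which.
def deliver_same_channel(msg: bytes):
    """Microsoft-style: the unlock material rides the same channel as the message."""
    pad = new_pad(len(msg))
    ct = OneTimePad(pad).encrypt(msg)
    return [("email", "ciphertext", ct), ("email", "key", pad)]


def deliver_out_of_band(msg: bytes):
    """Textbook: ciphertext on one channel, key on another."""
    pad = new_pad(len(msg))
    ct = OneTimePad(pad).encrypt(msg)
    return [("email", "ciphertext", ct), ("sms", "key", pad)]


def eavesdrop(transit, watched: str = "email"):
    """Attacker who can read exactly one channel: returns the plaintext or None."""
    seen = {label: payload for chan, label, payload in transit if chan == watched}
    if "ciphertext" in seen and "key" in seen:
        return otp_xor(seen["ciphertext"], seen["key"])
    return None  # a ciphertext (or a key) alone reveals nothing about the message


def two_time_pad_leak(m1: bytes, m2: bytes, pad: bytes) -> bytes:
    """Reusing a pad leaks m1 XOR m2 to anyone holding both ciphertexts."""
    c1 = otp_xor(m1, pad)
    c2 = otp_xor(m2, pad)
    return otp_xor(c1, c2)  # equals otp_xor(m1, m2): the pad cancels out


if __name__ == "__main__":
    msg = b"meet at the usual place at 0900"  # constructed sample message
    print("same channel ->", eavesdrop(deliver_same_channel(msg)))
    print("out of band  ->", eavesdrop(deliver_out_of_band(msg)))
```

The whole argument is the two lines in eavesdrop: once both blobs sit on the watched channel, the attacker's work is a single XOR, and no amount of indirection between the link and the passcode changes that. The labels are generous to the attacker, but a real passcode email is labelled just as helpfully.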

With just a touch of the Kafkaesque, the offering is Office 365 Message Encryption, built on the Azure Rights Management service. The literature is not very forthcoming with how they do key management; they just say they do the key management FOR you. Considering the cozy relationship between US companies, the cloud, and certain three-letter agencies, I don't know how much I would put stock in something that is not end-to-end. I'm sure this pricey add-on will check a few boxes on the CISO checklist, though...maybe that's all anyone really wants. Sigh.

TLDR;
Azure Rights Management IRL: I walk up to you and give you a bag containing a lockbox, then tell you the key is taped to the bottom.

Thanks to Scriptjunkie for the sanity check at the beginning.