Saturday, January 13, 2018

Introduction

The cyber_militia is a proposed association of like-minded patriots in the digital realm, loosely based on the ideals of Anonymous, with no leaders and no official membership.

We are a collection of ethical hackers, white hats, privateers, cryptocats, tor enthusiasts, and coders. The only requirement to be part of the cyber_militia is an oath to protect and defend the Constitution of the United States against all enemies, foreign and domestic, and a willingness to use your mad skills in the defense of our nation.

So what does all that mean?

First, and foremost, that you use your powers for good. Political affiliation is irrelevant, as is philosophical (conservative or liberal) leaning. We all aspire to be independent minded constitutional patriots. Race, class, gender, or creed is also irrelevant. We are Americans. We also don't judge legalities. It is up to you to decide if you are living ethically.

We are starting this blog for communication and encouragement. Networked blogs and websites are welcomed as long as they are not dogmatic or offensive. Drop us a message with a link and we will add your affiliated site. Comments and guest posts are welcomed. Again, keep it civil. If you have a good walk-through or tutorial for the community let us know.

Communication through the Twitter feed is encouraged. We are posting our feed in the sidebar.

There is nowhere to sign up or register – no leaders and no official members – but you can follow on Twitter and click the link to follow this blog if you want the awesome distinction of showing up as a follower in the sidebar. If not, that's cool. Anyone can comment without giving away their secret identity. We use TOR and burners, so this blog doesn't link to the authors.

We are not going to debate politics on these pages. We are all patriots. If you want to rage against government or burn flags go find a safe space. The powers that be are not always perfect, but We the People make it work when we keep our eyes open and our heads clear. Our Constitutional Republic is still the best show in town, even if it's a little tattered around the edges. Agreeing to disagree is the American way.

We will try to fill these pages with useful info on security and emerging trends. If you have a tip, share.

Thanks for visiting.



Tuesday, January 24, 2017

Routing Kali Linux Through Whonix Gateway

Adding Kali Linux to your Torified Whonix Gateway is a simple task. If you haven't read the walk-through on setting up your Whonix Gateway check it out HERE.

Once you have imported the .ova file into VirtualBox, click the settings gear and set the Network Adapter to the Internal Network named Whonix, with the Cable Connected box checked.

Next start up the Gateway, then Kali. Now you will need to edit some of Kali's configuration files so she can see the network. At the terminal:

gedit /etc/network/interfaces

Add the following to the interfaces file and save:

iface eth0 inet static
      address 10.152.152.11
      netmask 255.255.192.0
      gateway 10.152.152.10

Now it gets a little squirrely.

All of the online help we've seen says to edit /etc/resolv.conf by adding:

nameserver 10.152.152.10

But when we gedit the file in the newest version of the Kali .ova we find it is set to read-only. You can, of course, change the permissions of /etc/resolv.conf and edit it directly, but after some investigation we found that /etc/resolv.conf is auto-generated from /var/run/NetworkManager/resolv.conf, so editing that file changes /etc/resolv.conf without changing any permissions.

Unfortunately, in either case, we found that the edit does not persist after reboot.

This leaves us in the place of needing to gedit /var/run/NetworkManager/resolv.conf every time we start Kali. Cumbersome, but we have yet to find a way to make Kali remember the Whonix nameserver in /etc/resolv.conf.

We are sure there is a way to achieve this, but we simply haven't taken the time to explore.

Our workaround involves a few commands at the terminal when we want to connect Kali to Whonix. We settled on this approach after deciding we prefer that Kali not connect to the network automatically at boot. We can also bypass the need to gedit /etc/resolv.conf every time with the following command, which simplifies the process:

echo nameserver 10.152.152.10 >> /var/run/NetworkManager/resolv.conf

This command appends the edit we want to make to the resolv.conf file without bringing up the editor, editing, and saving the file.

Now we just need to reset the interface with:

ifdown eth0
ifup eth0

Note: the ifdown/ifup commands appear to throw an exception, but they nonetheless work as expected.

We are now connected to TOR through the Whonix Gateway!

To make the connection easier we can create a shell script with the following commands and name it something like TorConnect.

#!/bin/bash
# Add the Whonix gateway as nameserver, then bounce the interface
echo nameserver 10.152.152.10 >> /var/run/NetworkManager/resolv.conf
ifdown eth0
ifup eth0

Now when we run the script from the terminal prompt we connect to TOR through Whonix without all the typing. We have found this to be a good implementation as it allows us to connect to TOR when we need to, but Kali doesn't automatically connect to any network on boot.
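The TorConnect sequence above appends a new nameserver line on every run, so after a few boots resolv.conf fills up with duplicates, and any resolver left over from another network profile stays in front of the gateway. The script below is an added example, not the blog's own TorConnect: it performs the same three steps, but only appends the gateway line when it is missing, reports any other nameserver it finds, and only touches the interface when invoked with --connect. The address, file path and interface name are the ones from the post; the function names are my own.

```shell
#!/bin/sh
# Added example (not the blog's script): idempotent version of TorConnect.
# Values default to those in the post and can be overridden from the environment.
WHONIX_GW="${WHONIX_GW:-10.152.152.10}"
RESOLV="${RESOLV:-/var/run/NetworkManager/resolv.conf}"
IFACE="${IFACE:-eth0}"

# ensure_nameserver FILE ADDR
# Append "nameserver ADDR" unless that exact line is already present, so running
# this at every boot does not pile up duplicates. Prints "added" or "present".
ensure_nameserver() {
  if grep -qxF "nameserver $2" "$1" 2>/dev/null; then
    echo present
  else
    printf 'nameserver %s\n' "$2" >> "$1"
    echo added
  fi
}

# count_nameservers FILE: number of nameserver lines in FILE (0 if none or missing).
count_nameservers() {
  n=$(grep -c '^nameserver[[:space:]]' "$1" 2>/dev/null) || true
  echo "${n:-0}"
}

# foreign_nameservers FILE GW: every nameserver that is not the gateway, one per
# line. On the Whonix internal network such an address is unreachable, so
# lookups stall on it before falling through to the gateway.
foreign_nameservers() {
  awk -v gw="$2" '$1 == "nameserver" && $2 != gw { print $2 }' "$1" 2>/dev/null
}

# tor_connect: the TorConnect sequence from the post. Needs root.
tor_connect() {
  ensure_nameserver "$RESOLV" "$WHONIX_GW" >/dev/null
  stray=$(foreign_nameservers "$RESOLV" "$WHONIX_GW")
  [ -z "$stray" ] || printf 'warning: other nameserver(s) in %s: %s\n' "$RESOLV" "$stray" >&2
  # The post notes these may print an error and still bring the link up.
  ifdown "$IFACE"
  ifup "$IFACE"
}

# Only act when explicitly asked, so the file can be sourced for its functions.
case "${1:-}" in
  --connect) tor_connect ;;
esac
```

Save it as TorConnect, `chmod +x TorConnect`, and run `sudo ./TorConnect --connect` when you want Kali on the gateway; the warning on stderr is the cue to clean a stale resolver out of the file by hand.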

Friday, January 20, 2017

Citizen Soldiers - Security vs Liberty

Citizen soldiers have a long tradition in American history. The basic premise of self-government and liberty demands self-defense. Ben Franklin is credited with saying that if we trade liberty for security, we shall have neither. That is true today in a world of international terrorism and cyber attacks.

If we depend on our government to provide our security we trade away some of our liberty. If we desire freedom and liberty we must be responsible for our own security. We of course need a standing military for common defense. We need law enforcement, and some government involvement, but the more we delegate to government the more we restrict our own freedom.

One area which has long been in contention is gun rights, but an emerging battle is over our electronic freedom: rights of privacy, free association, free speech, and many others related to information and the internet. Much as patriots of old were armed and equipped for physical defense, today's patriots must be trained and equipped for information security.

Dependence on the government to regulate, control, and defend our information systems requires increasing restrictions to our freedoms - our liberty. If we wish to remain free we must step up and take responsibility for defending those freedoms and providing security.

Our infrastructure and information systems are under constant attack. Bad actors scan and search for weak links in our defenses. A network is only as secure as its weakest password. One of the simplest things we can do as free citizens is to secure our personal connections and our own personal information.

If we do not inform ourselves about security, arm ourselves with the knowledge and tools needed to secure ourselves, we abdicate our responsibilities and trade our liberty for government imposed security. There are instances where government intrusion is necessary, as in the context of common defense, but the better we defend our private information security the less government needs to intrude on our freedoms.

Big government is happy to take that responsibility and power. The more we empower government the more we abandon liberty.

Our rights and our ability to defend ourselves on the electronic frontier are under continual attack from our benevolent defenders in the government. But that is because we neglect or refuse to take responsibility as citizens. As we've said many times, the weakest link opens the network to attack.

One person with poor operational security practices can open their system to attack and then connect that system to a network and cause it to be compromised.

Imagine a worker taking their laptop to a coffee shop at lunch, having their system infiltrated by a bad actor, and then returning, reconnecting to the work network, and infecting it with malicious code. Said worker could be at a power facility, a nuclear reactor, or any critical infrastructure facility. Another worker might click on a malicious email or visit an infected site on the internet.

We are all responsible for information security and operational security.

We hope this blog will help you begin to learn and implement best practices, whether you are a white hat ethical hacker or a casual user of information technology. We are not all cyber warriors, but we are each responsible for basic security.

Sunday, January 15, 2017

Operational Security - Hiding in plain site


Anonymity on the net is tricky and hard to maintain. It seems every server you access wants to tag you, track you, and gather as much information on you as possible. The big networks like Google, Facebook, and Amazon are the worst, but virtually every website tries to grab some information. And if you refuse/block their attempts you may be denied service.

In a previous post we discussed setting up a secure anonymous system, but we also warned that the more secure you become the more restrictions you have. It is a balancing act. If you completely wall yourself in you cut yourself off from the rest of the world, but you still don't want to walk around naked. If you do, you don't want people to know where you live and work.

The best way to stay “anonymous” on the net is to be someone else. Misdirection and obfuscation are the key. In the previous post we showed you how to run multiple systems on one machine in order to compartmentalize your footprint on the net. Now we shall look at setting up some of those systems for various purposes.

Operational security is key. Strictly adhering to the assigned scope of each system's protocol is essential. We suggest at least three systems, each with its own protocol.

1) A clear system where you are who you are and allow servers to positively identify you – banks, credit card sites, etc., where you cannot be anonymous.
2) A secure system where you allow little or no information to leak and obfuscate what you cannot block.
3) A spoofed system that presents a false identity, allowing you to visit services that require you to allow tracking and/or positive identification.

In the system described in the previous post we set up a base Linux system with Whonix running in VirtualBox.

The base system is your clear system. Whenever you use that system you should assume your identity is open to scrutiny. You are walking about in the buff. But we don't want to be totally without protection, so this should only be used for visiting sites that are completely trusted and checking your real/personal email. You should be very careful while operating in the clear.

Whonix, through the gateway and the workstation, provides strong protection through the Tor Browser. Unfortunately a large number of websites are not compatible with the Tor Browser. Portions of websites will not load, services are not available, and some sites will deny the connection altogether.

Google often views your Tor connection as a bot and harasses you with endless CAPTCHAs to solve, but you shouldn't be connecting to Google with your secure system anyway.

Google is one of the worst offenders against anonymity. They make it their primary mission to gather as much information as they can on you and link your secure sessions, and your spoofed sessions, to your clear sessions. But they are not the only systems trying to tag and track you. They are just the best at it – probably better than the NSA. After all, that is Google's business. So stay off Google and beware of sites that use Google Analytics.

Your secure system should only be used for visiting .onion servers and on open servers that do not require authentication. If you ever log in anywhere with your secure system it is compromised and should be deleted. Clone a new secure virtual workstation and keep it secure. If you want to use a secure virtual machine for IRC or other purposes, dedicate a virtual machine for that task only and occasionally delete the machine and start fresh.

For good general browsing on the net we need to develop a VM that is spoofed.

To do this we will set up a Whonix Workstation in VirtualBox dedicated to that task. When using this spoofed system we will use Firefox in lieu of the Tor Browser. This will still send traffic through the Tor enabled Gateway, but with less security. We can configure our Firefox browser to offer false and misleading information to allow us access to sites which require that information.

To accomplish this we need a pseudonym and a completely spoofed profile.

We start with the absolute basics on the net – an email address. If we want a Twitter account or a Snapchat account, we need an email, and many other sites which require some type of authentication require an email or cell phone number. That brings us to our first, first step – setting up a burner phone. After all, if you use your cell phone you are tagged from the start.

A cheap prepaid phone can be purchased at Walmart or other outlets relatively inexpensively. You need to pay cash – your credit or debit card tags you. Order one online and you've automatically linked the phone to your clear ID and your home address. Not good. Use cash for the phone and the prepay plan. All you need is a plan with calls and text, you don't need to pay for data.

When you activate your phone they will want an email address. This is the tricky part. You need the phone number to verify the email and the email to verify the phone. Services are all about getting you to verify your identity in some way so they can track you and link your possibly numerous identities. If you use an email that is already verified as you, you just wasted your money on a burner phone.

Here is a little trick. Go on Google with your secure virtual workstation. You will need to use Firefox because Google doesn't like the Tor Browser. Sign up for a gmail account under your pseudonym. When you get to the page where you are asked to enter a phone number stop. At this point you know the email address is available so you can use it when you activate the phone. Activate the phone, then give Google the number.

Now you have an active cell number and an active email address. Google can send you a text to verify your email account and the phone service can send you an email to verify your service.

A few considerations for setting up both accounts. You will need a complete profile – name, date of birth, real-world address (in both cases you may be able to get by with just a city or zip code), the phone number for Google and the email address for the phone. Keep it all consistent. You are setting up a profile you will use with this virtual machine.

You are now, when using this VM profile, John Doe from Anytown, USA with a working phone number.

Make your new identity plausible. Don't be John Doe, and don't be some famous person or try to get cute and play off of your real identity. That is bad opsec. Pick a plausible name, date of birth, and use a town nearby where you bought the phone. You can even travel to a nearby town to buy the phone and use the wifi at the corner coffee shop to set things up.

When you connect with Firefox through Tor, Google may see you connecting from Moldavia, but that doesn't matter. They know you are using Tor. The phone will tag your general geographic location by the area code. If your connection is traced it will confirm that info, but it is unlikely anyone will break Tor and trace your location on one connection to Google. But don't use some location hundreds of miles from where you bought the phone – that isn't plausible.

Developing and maintaining a spoofed profile is all about plausibility. If you offer believable information there is no reason to dig deeper and it is accepted. If there is a red flag, that triggers elevated scrutiny. The more mundane and average the persona is, the less likely it is to be questioned. You are already waving a red flag by using Tor; you do not want to add to that suspicion by calling yourself Dick Jerkson from Hellsgate, Wyoming with an area code in Newark, NJ.

Your online persona should be seamless and credible without giving hints to your real identity, and it should be consistent with your planned activity. If you are developing this persona for a blog and Twitter account to write about hacking and security, people will assume your name and possibly your location are false anyway. But you need to use strict opsec to ensure you are not divulging info which links to your true information.

Stick to your part, but assume no one believes you and you are under scrutiny.

Using a spoofed persona is risky, but it's the best way to use services which require authentication without opening yourself to easy identification. You should use a dedicated VM workstation for limited activity and only the activity that requires the lowered security. If you can accomplish the task with the more secure workstation using the Tor Browser, do so.

Over time the new persona will gain a reality of its own in cyberspace, but over time the likelihood of your real persona bleeding into your spoofed persona also increases. The spoofed persona should only be used for a limited objective and then discarded. If it is going to be used for communication on a blog or social network it should be used for that exclusively. Even following links others post can add to the likelihood that the Googleplex will link your activity to your clear activity or to another spoofed persona.

At this point you should have a secure Linux machine running Whonix in VirtualBox with multiple workstations for different tasks – one secure for browsing/searching and at least one with a spoofed ID for sites requiring authentication. Now it is up to you to keep your operational security tight and guard against leaking your own information. Google and other information aggregators are constantly looking for links between seemingly diverse sets of data. Stay safe out there.

Friday, January 13, 2017

Securing Your System

No system is secure.

If you are connected to the internet you are vulnerable. Agents from innocuous cookies to malicious actors are tracking you, mining your identifying information, planting code on your system. But the more you secure yourself the less usable the net becomes. Many pages will stop loading if they can't identify you. If your browser refuses to supply information, websites refuse connections or refuse to reply.

In the information age being too secure becomes a red flag. If you are too dark servers see you as a threat. You are the guy in a black hoodie and mask walking in the liquor store. You are hiding your identity so you must be up to no good. That's how security sees it. So that's how you must see it.

Abstraction, subterfuge, and misdirection are all better than stealth and secrecy. Give them what they want, but not who you are.

The best way to protect your privacy, and your identity, online is to offer servers false or misleading information that is plausible and acceptable. Deflection is better than blocking. It is one of the oldest magician's tricks – give them something to look at and they will not notice what you don't want them to see. Hackers call it spoofing.

For the purpose of operational security we need to do a little work before we venture forth.

This post will help you set up a simple, secure, obfuscated system to obscure your activity online. This isn't 100% secure. Nothing is. Operational security, or lack thereof, is most likely to blow your cover even using a completely spoofed system. You can have the best security in the world, but if you make your password - p@ssword you are screwed. If you log into your ISP email or your online banking from your “secure” system, it is no longer anonymous.

You cannot take your mask off and put it back on with the security camera running.

Operational Security is the key. Secure your system. Set up a secure (spoofed) online identity and stick with it. Have another system for clear, unspoofed, browsing – checking your bank, your mail, and your facebook – and keep your secure system secure.

We're going to show you how to do that on one system, but it's tricky. Separate computers would be better. Logging in from a different location in a different state would be better. But we trade security for convenience in a constant tight-wire walk.

Keep in mind no system is secure. Nothing you do online is secure. Nothing you put on your system is ever really deleted. You leave a trail wherever you go, whatever you do. We can confuse the trail, but a persistent tracker can uncover the real trail which leads right back to you.

The first step is securing your system. We suggest a dedicated system that will only be used for secure work, but we also realize not everyone can afford multiple systems, so we will create virtual systems on one machine.

That starts with cleaning your system to give us a fresh starting point. As said earlier, nothing is ever completely deleted, so a fresh new system would be best, or at least a new hard drive. But we can work with a good refurbished or re-purposed machine. We will clean the drive as well as it can be cleaned.

First download a live copy of Debian Linux from the Debian website and burn it onto a stick. Even if you're already using Linux, start fresh. Follow the instructions on the Debian site. Once you have the stick you will use it to install Debian on your system. Choose the complete install using the whole drive and encryption.

This will reformat the drive, wiping it clean, overwrite the drive multiple times with random bits, then encrypt the drive. Create a really strong password/pass phrase for the encrypted drive. I suggest at least ten characters mixing upper case, lower case, numbers, and special characters.

Once Debian is installed and running you should update and upgrade. Then restart.

Now you have a fresh clean system. Next we want to install VirtualBox. Instructions are on their website. It's free. VirtualBox allows us to run virtual systems that are isolated from our main system. Once VirtualBox is installed you can install Whonix inside VirtualBox.

Whonix is an obfuscation platform based on the TOR network. You will need both the Whonix Gateway and the Whonix Workstation. Once you download the files you can import them into VirtualBox. Both the Gateway and the Workstation are Linux virtual machines and come with both user and root passwords set to “changeme” - Change them!

Start up the Gateway first. Change the passwords to something secure. Update and upgrade. Then start the Workstation and repeat. Once the two are up and running you can click the link on the Workstation's desktop to install the Tor Browser. With everything updated and working, we suggest shutting down – shut down the Workstation first, then the Gateway.

The Gateway should always be started first and closed last.

It's my suggestion that you now right-click on the Workstation and clone it. Click the box to generate a new MAC address and name the new system whatever you like. This will be the one you use as a workstation, keeping the other for future cloning. You can have several virtual systems for different tasks to add to your obfuscation. This allows you to dump an entire virtual system if you think it is compromised and clone a new one.

For better security you can also clone the Gateway, but using a single gateway for all your workstation clones is adequate security in most cases.
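The clone, start-order and shutdown-order steps above are all GUI clicks in VirtualBox. As an added example (not the blog's own script, and not part of Whonix) the wrapper below does the same with the VBoxManage command-line tool, which is handy once you keep several cloned workstations: clonevm generates fresh MAC addresses by default, which is what the "generate new MAC address" box does; modifyvm attaches a clone to the Whonix internal network exactly as the Kali post's Network Adapter setting does; and start_pair/stop_pair enforce "Gateway first, closed last". The VM names Whonix-Gateway and Whonix-Workstation are assumptions; use whatever names your imported .ova files received. Setting VBOX=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the blog's script): VirtualBox steps from the post via VBoxManage.
GATEWAY="${GATEWAY:-Whonix-Gateway}"        # assumed VM name of the imported gateway
TEMPLATE="${TEMPLATE:-Whonix-Workstation}"  # pristine workstation kept only for cloning
NET="${NET:-Whonix}"                        # the Internal Network name used in the Kali post

# All VirtualBox calls go through here; VBOX=echo turns the script into a dry run.
vbox() { "${VBOX:-VBoxManage}" "$@"; }

# clone_workstation NAME: full clone of the template, registered under NAME.
# clonevm assigns new MAC addresses unless --options keepallmacs is given,
# so a clone never shares a hardware address with the template.
clone_workstation() {
  vbox clonevm "$TEMPLATE" --mode machine --name "$1" --register
}

# attach_to_gateway VM: first NIC on the Whonix internal network, cable connected.
attach_to_gateway() {
  vbox modifyvm "$1" --nic1 intnet --intnet1 "$NET" --cableconnected1 on
}

# start_pair VM: the gateway always comes up first.
start_pair() {
  vbox startvm "$GATEWAY" --type headless
  vbox startvm "$1" --type gui
}

# stop_pair VM: workstation first, gateway last, via the ACPI power button.
stop_pair() {
  vbox controlvm "$1" acpipowerbutton
  vbox controlvm "$GATEWAY" acpipowerbutton
}

# burn_workstation VM: discard a workstation you believe is compromised, disks included.
burn_workstation() {
  vbox unregistervm "$1" --delete
}

case "${1:-}" in
  clone) clone_workstation "$2" && attach_to_gateway "$2" ;;
  start) start_pair "$2" ;;
  stop)  stop_pair "$2" ;;
  burn)  burn_workstation "$2" ;;
esac
```

Typical use on the host is `./whonixctl clone ws-social`, then `./whonixctl start ws-social`, and `./whonixctl burn ws-social` when that persona is finished; the template itself is never started, so every clone begins from the same clean, updated state.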

In a future post we will discuss spoofing an online persona for Google, Twitter, Facebook, or whatever social media site you prefer. The cloned-workstation configuration allows us to have one virtual machine for social networks and another for deeper stealth.

Once you use a workstation for connecting to social media it is tagged to the persona you will create, so we need to keep them separate.

Again, we trade security for convenience. But VirtualBox and cloned workstations allow you to have systems with different levels of security for different purposes, all nicely sectioned off in the sandbox. Multiple systems on a single piece of hardware – and you can burn the systems without the cost of burning the hardware.