If there’s a Facebook in heaven….. well, mom, I know that you’re following me. (Hello, I can see my followers). With that being said, I think it’s only right that I be the first one to tell you feliz cumpleaños, mamita. Happy Birthday! We love and miss you. I’m sure that you have a lot of partying ahead of ya when you guys get out of church this morning so I’ll let you get back to it. Tell everyone that I said, “what’s up?”. I’m heading out now. The granddaughters are waking up. Kisses…..
What started as an assignment for my Public Speaking course turned into an opportunity for me to quote what I feel is one of the most inspirational spoken word pieces of our generation. For short it’s called Exam Results by Suli Breaks. This is a message that speaks to and for an entire generation of students of all walks and ages who struggle with the stress of trying to make the grade, feeling that otherwise their future and place in society is useless. On the other hand, it also addresses the society and parents who hold these unrealistic standards over their children’s heads. Enjoy….
The pot, the soil, and the water.
These are the three components that are crucial to the overall growth and development of the plant. The pot is the plant’s underlying temporary environment, the place where it is to be molded and shaped into what it will become. The soil is important because it holds the roots that provide support and store nutrients. And just as water is the life-blood of all living things, it is equally important to the plant. Without the proper amount of water it is impossible for the plant to grow and develop successfully. Now, if I were to draw upon a synonym (hence, symbology) and liken my life to a plant that needs the pot, the soil, and the water, I can see clearly how these three components are crucial to my overall development and have been in the past.
The pot, the soil, and the water.
The pot is a container. This container for me is representative of the communities that I have been fortunate enough,
unfortunate enough to be molded by.
Unfortunately these containers were by far, NO PLACE IDEAL
to nurture and foster the growth and development of a healthy individual.
these pots have taught me some of the greatest lessons that I have sustained,
and helped me navigate through this minefield of a maze that I call a chapter in life…..
The lessons on what NOT to do.
The pot, the soil, and the water.
The soil represents my relationships. Relationships have been the soil in which I’ve grown intellectually and psychologically. I’ve had soil around me of poor quality which has only served to stunt my growth. But on the other hand….
I’ve been in the midst of a lot of good sand which has helped me grow stronger and more mature as a man.
Thus, I’m a firm believer that there can be NO REAL GROWTH,
intellectually, psychologically or otherwise without good relationships. Bad relationships are poisonous soil.
The pot, the soil, and the water.
The water represents my flexibility. Just as the plant cannot survive without water,
I know that it is impossible for me to grow and continue to strive without being flexible.
The water represents my persistence.
Just as the plant cannot grow without a persistent flow of water,
I know that it is my long term persistence to my goals that will play out and prevail in the end.
slow and steady always wins the race.
The pot, the soil, and the water.
My relationships and my persistence.
These are the three jewels which nurture my overall development. Peace….
- He who hacks for blood soon finds it dripping from his own terminal.
- He who hacks for fame and glory never stays free long enough to hear his songs of victory sung.
- He who hacks for gold is already blinded by the glitter and glare of his own greed, all too soon led astray by all things shiny.
- He who hacks for sport seldom finds the network administrators in a sporting mood.
- He who hacks for the love of it must leave what he loves the most behind so he can dance with the one he hates the most.— The Federal Correctional System
- But he who hacks for security cannot be led astray.
(The above is what I call “The Hackers Six Movers”.)
First of all, it must be borne in mind that training for Kung-Fu Hacking is very demanding, calling for great discipline; and discipline in this field is defined more by what you do not do than by what you do. This art calls for great endurance, perseverance, determination, as well as time and effort. Patience must be your greatest effort. Master Kung-Fu Hackers are not born overnight. As a matter of fact, some of the greatest hackers to date have been quoted as saying that it takes at least 10 years before one becomes adept in the art. But the result is very rewarding, and the extent of your reward depends mainly on how much “purposeful practice and training” you have put in. Aimless training and practice, as was stated in part one of Kung-Fu Hacking, is a huge waste of time. It is therefore helpful to have some idea of your aims and objectives.
Aims are general in nature and long-term in perspective, whereas objectives are specific and immediate. How well we have achieved our aims calls for some subjective judgement, whereas the attainment of our objectives can be determined categorically.
A major aim of Kung-Fu Hacking training, for instance, is System Security, or more so being able to secure your own systems. This ability to defend ourselves is a general asset, and has long-term benefits as more and more vulnerabilities become exploitable to the general public. Generally we do not set a specific time frame for acquiring this aim; we adopt the attitude that as long as we keep on learning, practicing, and training, we will enhance our ability to defend ourselves. As the old adage goes: “before one can protect others he must first be able to protect himself”. We are clear that if we fail to defend ourselves effectively in cyber-warfare, it means that we failed in our aim. Sometimes we may set a time frame for our aim, but the period is usually reckoned in years rather than months…. all the while waiting for someone to try to successfully attack our systems. (Unless of course we hire a professional penetration team to exploit our systems in order to see where we really stand overall in the realm of security.) Otherwise it may not be easy for us to measure objectively how well we have achieved our aim. For example, we can say that we have achieved our aim of self-defense if we can effectively defend ourselves against a single attacker; but when we are faced with a group of attackers, let’s say, a Hacktivist Group that targets our organization for “whatever reason”, we may falter.
On the other hand, we may set an objective to acquire the knowledge and skills to defend ourselves against web application attacks within six months. Or from an offensive security point of view we set the objective to acquire the skills to launch successful attacks against web applications in a six month time frame. Hence, our objective is specific: for the time being we limit ourselves to defending against these types of attacks or learning how to carry out these types of attacks…leaving other types of attacks to be covered by later objectives. We can go a step further and be more specific by deciding on the types of web application attacks we want to defend against or learn to carry out. As we have set a time frame of six months, our objective is also immediate: we are not pursuing this objective indefinitely. We can easily decide whether we have achieved our objective within our set time. For example, after six months of training we can ask a few fellow hacking buddies to try to exploit our web applications using the types of attacks we have defined; or we can conversely set up a vulnerable system of our own in a virtual lab and try out these attacks ourselves.
Above all, even though aims and objectives are closely related, an appreciation of the distinction contributes to our monitoring of our Kung-Fu Hacking practice and training. Aims and objectives provide us with direction and purpose in our Kung-Fu Hacking training, thus enabling us to achieve better results more quickly.
“ Test your systems with fire and ice, sand and sea, bile and blood….before your attackers do! ”
Conquest is easy. Control is not. —Khan Noonien Singh
Stay on the lookout for the terrorist Mr. L-O-C, all I need is some dip, and a couple o’ sticks of T.N.T. To bring this mutha fucker down like four flat tires, 86ing is my mission….dismissing tricks for hire. No mercy on the lives that got took off in that quake, diesel fuel and fertilizer, will make ah’ nigga block shake. Starting playing with nines, them moved to something bigger, now I’m working through the miz-ail…bombing on deliver.
Slightly seal the package, then I set the timer…I’m the SA-Town Assassin, worldwide Unabomber. Just a little off my rocker, conceived as a menace, I’m a loc until I die, til’ that day I’m never finished. Take my work to College Hills, perform it on your daughter..when I fall up out ya hood it’s gon’ look like Pearl Harbor. Bentwood and Pinehurst…you ho’s better run; C & C Estates, Southwest here I come!
Niggaz struggle in my hood, but y’all don’t give a fuck, so the whole Concho Valley…Tom Green better duck. Everybody with authority, get out my way- City Hall’s coming down when I have a bad day. The county jail and the courthouse is getting is done, when I get the extra time, I’m gon’ turn that bitch to crumbs.
I hooked up with this nigga straight out of the military, who gave me what I needed, to start me an obituary. Killer, killer, killer- killing on the cool…Westside lunatic, with the mind of a Damn Fool! I’m the one that told Koresh ( David Koresh ) to go out like a scout, had em’ all in that fort yelling, “ We Ain’t Coming Out ” ! [Waco.]
F.B.I. tried to fade us, we put em’ on a freeze…left you pigs full of holes like a block of cottage cheese. You tried to burn us up, and thought you killed Koresh, but you didn’t cause he’s living deeply planted in my flesh. Schizophrenically insane, a
Charles Manson figure, the only difference is he’s a whacker…and I’m a real nigga! Daily chances for survival, is getting kinda slim, I’m the nation’s most wanted; BKA- double M. That lic that happened in that Luby’s in Killeen wasn’t it, but that Oklahoma bombing was the mutha fucking SHIT! When it comes to pulling murders, I’ll always hold the title, Jeffrey Dahmer
is my nigga,
Jim Jones is my idol. In the body form I’m one, personality I’m two, they tried to lock me up in Rush, they tried to lock me up in Skyview. But they couldn’t hold me, cause I was bringing noise…let my conscience get me crunk like the
John Gotti Boys.
I’m hungry for destruction, that’s the reason why I’m agg, every prison in this country’s getting dropped to the slab. Hold a grudge against society, that’s how I am….a Young Nigga with a complex that doesn’t give a damn. Schizophrenically insane. Stay out of my path…I reach a natural high when I hear the devils laugh. If you living then you dying, there ain’t no pity…and don’t let it slip your mind what I done in New York City to the World Trade Center! I’m the SA-Town Assassin….bitch.
Reward all those wise enough to join you, utterly crush all who oppose you and do so in so savage a manner as to completely cower any others who might dream of resisting your will.
“ With the right information, you can attain in six months what uninformed students would not attain in many years ”
In this post the term “ Hacking-Kung Fu ” is being used to point out the similarities between Hacking and Kung Fu. Thus, one should read the term Hacking-Kung Fu with the understanding that the two words, Hacking and Kung Fu are being used interchangeably across the two respective disciplines.
Getting Better Results in a Shorter Time
Kung Fu, like Hacking, ( or any other art for that matter ), is a practical affair, not just a question of gathering knowledge. In other words, one becomes proficient in both disciplines through hard, regular practice, not by reading about it. Nevertheless, some background information is not only useful but necessary; otherwise the student may waste a lot of time groping about in the dark.
While many people spend years practicing Kung Fu and achieve little, some spend only a third of the time and achieve a great deal. The main reason is that while the first group learn aimlessly, usually by acquiring more and more sets or exploits without improving their force or practical Hacking-Kung Fu skills, the second group know exactly what they want to get from Hacking-Kung Fu and pursue their objectives accordingly.
To be able to set the appropriate objectives for getting the most from your training, it is necessary to have a clear understanding of the scope and depth of Hacking-Kung Fu, including its history, philosophy and various styles. See here for a historical perspective of hacking and its philosophy: http://www.catb.org/~esr/faqs/hacker-howto.html. For example, if you are unaware of the four dimensions of Kung Fu – form, force, application and philosophy – you may carry on learning sets for many years, and perhaps also teach them, but your training will be incomplete. Likewise, if you are unaware of the phases of ethical hacking – Reconnaissance, Scanning and Enumeration, Gaining access, Maintaining access (escalation of privileges), and Covering your tracks – you may also carry on learning exploits for many years with the end result being an incomplete training. And since form is in many ways the least important aspect of Hacking or Kung Fu, you will at best achieve less than 28 per cent of what you could have done had you been more informed.
Worse still, people with this superficial knowledge may be mistaken for Kung Fu Hacking masters, especially if they are elderly, simply on the basis that they have taught the art for many years and now hold various certifications on the subject. Even if they hide nothing from their students, there is not much the students can learn apart from ‘ flowery fists and embroidery kicks ’. Translated-> Script-Kiddies! Such masters may, wittingly or unwittingly, give the impression that they know more than what they are teaching. If they are asked questions touching on the deeper aspects of Hacking-Kung Fu ( i.e., underground BlackHat tactics ), they would often give excuses to cover their lack of knowledge, such as that the answers are too profound or complex for “ beginning students ” to understand. If the students suggest sparring practice or actual demonstrations of exploiting a real system, the ‘ masters ’ may become angry and reprimand them, warning them that Hacking-Kung Fu is too dangerous for them to fool around with, or that they should practise it for their own intellectual health. Students who are uninformed will continue learning from these teachers, and they in turn will succeed them and teach only ‘ flowery fists and embroidered kicks ’. This is in fact what has been happening for at least a decade in the cyber-securities field, with the result that much of Kung Fu-Hacking today has been degraded into a merely demonstrative form.
Having a theoretical understanding of Kung Fu-Hacking enables you to realize that there is much more to it than merely learning form or exploits. Such an understanding will lead you, if you are still not able to confidently defend yourself in real world situations or compromise systems outside of lab environments, to ask why. The reasons can be traced to three factors, called the Three Requirements for Attainment, which will be explained in the next section.
The Three Requirements for Attainment
There are countless reasons why students fail to achieve their objectives in their Kung Fu-Hacking training, but to help us understand the factors that contribute to success, great masters have, from their long years of study and experience, summarized them into what are called the Three Requirements for Attainment. If you have these three requirements, you will succeed in whatever you set out to do, in Kung Fu, Hacking, or any other field. These three requirements are the method, the teacher, and the student.
Obviously if you do not have the method you cannot even start training towards your objective. For example, you may like to acquire the art of Iron Palm or attacking Web Applications, but without the method you cannot practice. If you ever acquire Iron Palm or the art of attacking Web Applications on your own, it will be by sheer luck and will take a very long time. Moreover, the result is unlikely to be as good as that developed from the proper method, and you may have harmful side effects.
But more important than the method is the teacher. Nowadays one can read up on many Kung Fu-Hacking training methods from books, web sites, and blogs, but without the instruction of a competent teacher it is difficult – though not impossible – to get good results, especially in the more advanced inner arts. There are at least two reasons why a teacher is necessary. First, the teacher can explain the finer points and overcome individual problems, both of which cannot be done adequately in books or blogs. The second reason is more important, although it is less obvious. The teacher provides the confidence students need, so that they are assured that whatever happens the teacher is around to help, sometimes even save, them.
Taking time choosing a good teacher is highly recommended. Even if you have to pay a higher training fee, learning from a good teacher is always more cost- and time-effective. But what are the qualities we should look for in good teachers? Here are five guidelines.
- They must have achieved a reasonably high standard in the art they are teaching.
- They must be knowledgeable. If you ask how you can achieve your objectives or any other relevant questions, they should provide satisfactory answers.
- They should preferably be systematic and methodical, and have the means to help you accomplish your objectives.
- Even if they have all the other qualities, they must also be generous and willing to teach you, otherwise you must seek another teacher or try to overcome the obstacles that prevent them from teaching you.
- The most important quality, however, the quality that distinguishes true Kung Fu-Hacking masters, is that they teach and practice high moral values. http://www.hackerhighschool.org/ Also see: http://hackingdojo.com/ And especially see: http://www.elearnsecurity.com/
The most important requirement for attainment in any art, however, is not the teacher but the student. You may have the best method and the best teacher, but if you are unwilling or not ready, you will not achieve the objectives of your training. When you have the right method and a competent teacher, what you need to do is in theory very simple: you merely have to practise regularly and persistently according to the method and teaching. But in reality, regular and persistent practice can be very difficult. Lack of practice, probably more than anything else, is the reason why many students fail in their objectives.
Stay tuned for Part 2….
My so humble bows go out to Master Wong Kiew Kit. I’m honored and grateful for the wisdom that you bestow upon the Sangha.
It is a doctrine of war that we must not rely on the likelihood of the enemy not coming, but on our own readiness to meet him: not on the chance of his not attacking, but on the fact that we have made our position invincible- Sun Tzu
Part 1: Targeting Artists & Fans using social-engineering tactics
Sample site: Gazzmic.com
When it comes to the vulnerabilities presented by the online aspects of the music industry, the opportunities for penetration testers to employ their skills are far and wide. However, as numerous as these opportunities may be, they are still for the most part overlooked, and at great peril.
Think about something for a moment. When’s the last time that you or anyone that you know have gone into a brick and mortar record store and purchased the music that you felt like listening to? Why would you when you can just as well go online and obtain whatever type of music that suits your taste for free or at a far lesser price than what you’d pay at the record store? Sometimes what you pay for that music may be as simple as registering to a site and creating an account. Ta’Dah! Unlimited music. It cost you nothing. Or did it?
We’re all aware that there are computer systems floating around in cyber-space minding their own business without any human interaction. However, I personally stand on the belief that behind every active operating system online there is a human being at the other end of it. And humans my friend, are vulnerable. Human beings can be hacked. And so the story begins…If I were an attacker.
If I were an attacker and I decided to go phishing into this gigantic ocean called the music industry, here’s an example of how I could very easily put together a social-engineering scheme. We’ll take this website as our target, mainly because I am personally okay with one of the writers over there. I am a die-hard fan of the Gazzmic Revolution. But more so, the entire theme of this site to me was a perfect model to use for showing how easily an attacker could take just the content of the site alone and use it against itself to craft a social-engineering scheme. (Note: Notice how in this example the actual web site was never even tampered with by the attacker. All gathered information was passive in nature.)
The attacker would be making use of only two tabs within the entire site to construct his scheme around. Namely, The Gazzmic Manifesto Tab and The Invite Code tab.
Now. Whoever wrote The Gazzmic Manifesto did one hell of a good job. That Manifesto reads brilliant. However, to an imaginative social-engineer, the attacker could very easily fire up SET in conjunction with The Harvester and have a mighty fun field day with the content and theme of this site by making use of the mass mailer attack. Here’s how the original Manifesto reads:
Now imagine an astronomical number of artists and fans being targeted with an email containing the original manifesto with the last line reconstructed to read: “Join The Gazzmic Revolution! Gazzmic is your revolution. We believe that we are on the cusp of a new Renaissance in music, made possible by web technology. Fear not the future! Join the grass-roots movement that will take on the corporate giants head-on. With your help, we can take back music for the artists and fans. That’s why we’ve exclusively chosen you as one of our artist/fans to be featured in our upcoming SKYPE interviews where you’ll have the opportunity to introduce the world to the new revolution. Remember, this is your revolution! To assist our artists/fans with claiming their exclusive spot in the revolution, we’ve created a members only access page on [NAME OF SOCIAL MEDIA SITE]. This link will direct you to a custom page that we’ve created for security purposes to protect the privacy and integrity of our members. By signing into this page you will be directed to the official public page. At this point there’s nothing more to do. You’re account will be automatically created. You will receive a follow-up email asking you to confirm your account. Click here [link with attackers ip address] to begin the revolution.”
(Of course, given that the victim fell for the attack, if you were an attacker the results are apparent right there inside your command terminal. If on the other hand, you were a penetration tester, depending on the scope of the penetration test, you could send follow-up emails to all of the victims containing their usernames and passwords, revealing to them that their accounts have been compromised. You could even outline the details of the attack and offer tips and recommendations on how they could defend themselves from future attacks. Imagine how valuable these types of findings would be to a music industry executive.)
Now the other part of the site that we’ll make use of is the Index Tab. I thought this was ideal because it hints at exclusivity. It plays on the psychology of the victim in such a way that it makes them feel “chosen”.
Here’s the original invite code presented along with the same message reconstructed by the attacker. Look here to see how the page looks on the actual site.
Now here’s the attacker’s message, mind you, presented to the victims in the form of an email: “Invitation codes were provided in the past to select bands for testing purposes. We are no longer accepting nor using invitation codes. Instead, we have set up an exclusive screening process of all artist/bands. We will now send you an email containing the link to an exclusive page that we have created for all artist and bands located here on this [NAME OF SOCIAL MEDIA SITE]. Follow the link inside of the email and sign into the site using your current credentials. (Note: we’ve created an exclusive page to ensure the privacy and integrity of our members accounts. Once you log in you’ll be directed to the official public page of this social media site. At this point, there’s nothing more that you need to do. You’re account will have been automatically created for you.) You will receive an email asking you to confirm your account. Music Will Never Be The Same! Click on this link [the attackers ip address] to be invited into the revolution.”
Now this is just a very basic case study. It is in no way intended to point out a vulnerability in the Gazzmic Movement and what they have going over there. Nor was it meant to instruct one in the use of tools like The Social-Engineering Tool Kit. If you wish to learn more about the tool and its usage you can either visit the link provided at the top of this post or just Google it on your own. There’s tons of information covering it. This was just an example pointing out one of the ways an attacker could carry out a social-engineering attack in the arena of the online music industry. People love music. People love having the shot at being the star. But people are vulnerable, my friend. Humans…can be hacked!
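From the receiving side, the two lure emails above share a handful of checkable traits: a link whose host is a bare IP address, a request to sign in with existing credentials, an exclusivity pretext, and a "custom page for security" excuse. The following triage sketch is an added example, not part of the original post; the rule names, weights, verdict thresholds and both sample messages are constructed assumptions, and the addresses use reserved documentation ranges.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"'\])]+", re.I)

# Pretext phrases modelled on the lure text quoted in the post (assumed rules).
PRETEXT_RULES = {
    "exclusivity": re.compile(r"\bexclusive(ly)?\b|members[- ]only", re.I),
    "credential_request": re.compile(
        r"sign(ing)? in(to)?\b|log in\b|current credentials", re.I),
    "security_excuse": re.compile(
        r"for security purposes|privacy and integrity", re.I),
    "auto_account": re.compile(
        r"account will (be|have been) automatically created", re.I),
}
# Assumed weights: a bare-IP link is the strongest single indicator.
WEIGHTS = {"raw_ip_link": 3, "credential_request": 2}


def body_text(msg):
    """Concatenate every text/* part of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def link_findings(url, sender_domain):
    """Classify one URL relative to the domain in the From header."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return {"malformed_link"}
    if not host:
        return set()
    try:
        ipaddress.ip_address(host)
        return {"raw_ip_link"}
    except ValueError:
        pass  # host is a name, not an IP literal
    if sender_domain and host != sender_domain \
            and not host.endswith("." + sender_domain):
        return {"off_domain_link"}
    return set()


def triage(raw_message):
    """Return findings, score and verdict for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    text = body_text(msg)
    findings = {name for name, rx in PRETEXT_RULES.items() if rx.search(text)}
    for url in URL_RE.findall(text):
        findings |= link_findings(url, sender_domain)
    score = sum(WEIGHTS.get(f, 1) for f in findings)
    if {"raw_ip_link", "credential_request"} <= findings:
        verdict = "quarantine"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"findings": sorted(findings), "score": score, "verdict": verdict}


# Constructed sample: a shortened paraphrase of the lure described above.
LURE = """\
From: "Music Team" <team@music-site.example>
To: artist@example.org
Subject: Join the revolution

We have exclusively chosen you for our upcoming interviews. We created a
members only access page for security purposes to protect the privacy and
integrity of our members. By signing into this page you will be directed to
the official public page. Your account will be automatically created.
Click here http://203.0.113.7/login to begin.
"""

# Constructed sample: an ordinary notice linking back to the sender's domain.
BENIGN = """\
From: news@music-site.example
To: artist@example.org
Subject: New releases

New releases this week. Sign in to your account at
https://www.music-site.example/account to see them.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(raw))
```

A phrase list like this only catches lures that reuse the wording; the bare-IP link check is the part that carries over to other pretexts.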
Find more interesting topics like this one covered at The Hacker High School.
Generally, in battle, use the normal force to engage and use the extraordinary to win. Now, to a commander adept at the use of extraordinary forces, his resources are as infinite as the heaven and earth, as inexhaustible as the flow of the running rivers. They end and begin again like the motions of the sun and moon. They die away and then are reborn like the changing of the four seasons. -Sun Tzu
In the world of cyber-security things transform at the speed of light, from exploits to methods. What worked yesterday is not promised to be the solution tomorrow. Given that a vast majority of everyone’s lives are being conducted online, ethical problem solving students would do themselves as well as their dependents a huge favor and study the ways of the infamous idea known to us as Anonymous. And before you make the claim that you do not shine the ethical light upon the activities of “the idea”, I’d propose that you examine the definition of ethical hacking through the context of intention to weigh whether or not an attack/hack is ethical. Now….
I have not searched the actual statistics on missing children, teens, and adults who’ve vanished in recent times vs. a few years prior, give or take, so I don’t have actual numbers to go by. However, just going by the news and the increase of missing people posters around…it’s safe to say that either those numbers have increased or the notification system(s) that we have in place these days have evolved to the point of more people having access to these numbers. Or a combination of both. What can’t be denied is that communication devices of some sort, being a must-have for everyone, have played a major role in society having access to real time information. And social media is by far the most successful and reliable means of getting information delivered to a massive number of people in a very short amount of time if the channel is correctly exploited. Which brings me to this….
Kids come up missing every day that society doesn’t even know about or hasn’t been made aware of until it becomes too late. Sure, we have the Amber Alert (and have had the Amber Alert for quite some time now), but if we were to compare the results of the Amber Alert with Twitter or everyone’s favorite, Facebook, when it comes to getting important information noticed, the Amber Alert pales in comparison. Take the example of the cool kid who makes a video with a smartphone, uploads it to YouTube, then shares it on Facebook = Viral. Some entertainer or athlete does something out of the ordinary and Tweets about it = Trending Topic. On the other hand, baby Kyron comes up missing and we’re still waiting to hear back from him. http://www.aolnews.com/2010/06/08/no-sign-yet-of-missing-7-year-old-oregon-boy/ An unfortunate dilemma indeed. When I look at these situations through the eyes of an ethical problem solver I think to myself: what if there was an application that worked across platforms and blogs in such a way that anytime someone’s child came up missing, the use of this application would ping everyone’s account on all social media channels, updating their status to display the news of the missing person? Although we do have applications capable of delivering such a result (in theory it would be relatively simple to pull off), we also have tons of policies and security mechanisms in place to prevent those applications from performing as such. Not that the service wouldn’t be noble and ethical. Far from that. It’s just that within such an application lies the potential for abuse by not so ethical individuals who harbor a habit to tinker. So on a grand scale, ideas like these, if implemented then abused, produce their own devastation, which actually hinders the situation as opposed to helping it.
So the idea is fine. But such an idea is still just…“ an idea ”. The idea alone doesn’t do justice should the situation arise where it could be of immediate benefit to one of your missing family members and you need this message spread far and wide….while in the meantime…. Tom, Dick, and Harry are Trending on Twitter. What do you as a parent do in such a situation? How about trying a variation on something that I did when I was faced with such dilemma?
The scenario: Your teenager gets into a verbal disagreement with the grandparents ( whom she’s living with at the time ) and it spirals out of control to the point of the kid leaving the house. Cool. It happens. (We’re teens, they’re old and not hip to our lives so we’re leaving. ) No big deal. It’s called growing up…it happens. But it’s happened and your teen does not come back to the house! Not only has your teen not returned to the house, but your teen has not even made a phone call back to the house. Enough time has passed to where your family now has a situation on their hands. Your teen is officially M.I.A. She hasn’t called and now you have family members spread across the entire United States starving themselves and not sleeping.
The solution: Approach the situation as if it were a penetration test. Define your immediate objectives. And proceed with the Information Gathering phase. We are all aware of the massive and reliable amount of tools at our disposal to perform this phase of the test. With the overall objective being to initiate contact with the missing person if for no other primary reason than just to know that person is alive and safe= everyone in the family can now eat and go to sleep. :) Here’s what you do:
- Footprint the missing person’s social network ( for best known working results- Facebook ).
- Identify all potential targets associated with your victim = missing person. Initially you want to look at those closely associated and involved with the person’s life on a day-to-day basis, but in the end you want the exploit executed in such a way that everyone’s account will either directly or indirectly be pinged by your delivered payload = message to get the teen to contact someone and let them know that they are still alive. (In order to up the possibility of your exploit being a success, the content of your message is important here. The more graphic and emotional the better. Get creative, i.e. make a home video expressing your concerns etc.)
- Ping the social network for all alive targets on the network. Remember…timing is everything.
- Flood the wall and the message box of your victim and all alive targets that you discovered in your foot-printing phase with your payload. (Flooding in most social networks is considered an act of spamming. However, at this point I doubt that you as the parent or the recipients of the payload who claim to love this person would be too upset given the circumstances. Regardless…you have an objective. By design, the flood will get some reaction triggered, and no matter what the reaction of the recipient of the payload is, that reaction will accomplish that objective = the contact with the missing person. Quick note to the parents here: be prepared for another argument with your teen over how their friends think that they’re a loser because of what you did to their accounts. This is the time that you can kindly remind them to blame no one but themselves and that it’s all a result of their initial actions in the first place. Hence…the other argument.)
The result: Not even ten minutes after delivering the payload = contact was initiated. :)
With that being said, this is just one of the reasons why I love the “idea” that we’ve come to know and love as Anonymous. At a time when everyone around me has exhausted all other options (oh…did I forget to mention that those who protect and serve us were notified = nothing that we can do…she’s 17.) and I’m faced with being a parent asking myself what is it that I can do? It’s one of those times when you draw upon all of your knowledge of hacking and ask yourself… “Hmm, I wonder what Anonymous would do?”
Although the aim of this post was not to arm one with the skills to protect themselves and their loved ones, tactics like the one used above plus a multitude of others can be acquired and further explained at The Hackers High School. http://www.hackerhighschool.org
Now, the reason that the enlightened sovereign and the wise general conquer the enemy whenever they move and their achievements surpass those of ordinary men is that they have foreknowledge. This “foreknowledge” cannot be elicited from spirits, nor from gods, nor by analogy with the past events, nor by any deductive calculations. It must be obtained from the men who know the enemy situation. -Sun Tzu
If you’ve ever experienced this then you’ll know exactly where I’m coming from. If not, let me be the first to wish it upon the entire human population. It’s called: One Of Those Moments!
So I’m at the local bowling alley and this guy we’ll call – Diablo, to protect the innocent. Remember: We never snitch.
Out of nowhere, the guy starts rattling off pieces of my blog. VERBATIM. Telling me how much he reads and looks forward to my post.
So like I said…if you’ve experienced that..then you know where I’m coming from. However….
This is…Not A Game; This is…Not why we Came!
On behalf of all ethical hacking students; here’s a lesson that hasn’t been stressed enough in our training, guys:
- What they are not teaching you. “The enemy is not homogenous. Just like there is not just one foreign language, there is not one type of enemy. And among those enemy attackers, not all think alike. Even those joined together under a common mission or goal, there is often division in how to accomplish that goal. http://arstechnica.com/tech-policy/news/2012/03/inside-the-hacking-of-stratfor-the-fbis-case-against-antisec-member-anarchaos.ars
So which type of enemy are you learning to think like? The fanatic? The prankster? The desperate? The lonely? The zealous? The frustrated? The crazy? The poor? And even then, can you really think like them when they embody a mindset built from years of thinking and living a certain way? Can you really understand the motives of an attacker when your large take-out coffee might equal a day of their wages? We like to think we can because movies tell us it’s possible. But it’s not. For a little perspective, consider how many times have you heard from a friend/neighbor that they don’t worry about intruders because they have a dog? And criminals don’t have dogs? Some types of criminals have dog rings where the meanest dogs fight each other and these criminals have no problem handling those dogs. Just because you or your neighbors find a big, barking dog alarming or intimidating doesn’t mean the attacker will. To not understand that is to already admit you might not be in their mindset. But if you can, let’s try something harder: now try to think in the mindset that it’s a morally correct and civilized thing to blow up a crowded market or a federal building. I can get even harsher, but it’ll likely get censored here… so catch me at a seminar to discuss this further.” http://www.infosecisland.com/blogview/20607-What-They-Dont-Teach-You-in-Thinking-Like-the-Enemy-Classes.html
So what’s the code and how do we crack it? The code is The Omertà. The code of silence.
Omertà is a code of silence, according to one of the first Mafia researchers Antonio Cutrera, a former officer of public security, that seals lips of men even in their own defense and even when the accused is innocent of charged crimes. Cutrera quoted a native saying first uttered (so goes the legend) by a wounded man to his assailant: “If I live, I’ll kill you. If I die, I forgive you.” http://en.wikipedia.org/wiki/Omert%C3%A0
So..being an ethical problem solving student myself, I see the Omertà code from a scientific point of view. Why not, as programmers, creators, problem solvers, protectors, write an Omertà code for security? Don’t know how to program? How could you even dream of being a security professional? http://www.udacity.com/ Here’s one place to start. Hmm’…let’s see- http://www.hackerhighschool.org/ There’s another. But the list goes on. And so do security breaches!
“It’s very likely you trust way too much for far too little reason. And you likely trust in the wrong way. People generally don’t discriminate what they trust where so that they will take financial advice from their dentist and dental advice from a close friend. Just because they trust them. Some people will trust corporations with their private lives and private info. Others even trust their politicians to actually represent them and have their best interests at heart. But in reality we need to have reasons to trust someone or something and having these reasons makes it very hard to be duped. In an ISECOM research project, 10 criteria were classified for trusting someone or something. And we find in practice most people are satisfied with just one of those criteria being met. Usually it’s consistency, the trust criteria that shows this has happened to us before. Even the truly cynical however are still often satisfied with just 3 of the 10. We can blame society!”
Generally, whether it be armies that you wish to strike, cities that you wish to attack, or individuals whom you wish to assassinate, it is necessary to find out the names of the garrison commander, the aides-de-camp, the ushers, the gatekeepers, and the bodyguards. You must instruct your spies to ascertain these matters in minute detail. – Sun Tzu