Recommendations for the Hackivist Community

  • 8/10/2019 Recommendations for the Hackivist Community

    1/19

RECOMMENDATIONS

FOR THE

HACKTIVIST COMMUNITY

- - -

Released on this day of November the 5th, 2014

Penned by The Humble Observer

Statement of Purpose

I have been observing the hacker and hacktivist communities, at times very closely, for many years. The exact definition of hacker and hacktivist varies from author to author, so I shall make my interpretation of these words very clear. Let us define a hacker as someone who utilizes their knowledge of computers and of computer networks to make money via illegitimate means. Let us define a hacktivist as someone who utilizes their knowledge of computers and of computer networks to do justice when justice is not done by the state. I have found that these two communities are inextricably linked, yet remain completely separate entities. Many hackers double as hacktivists in their spare time, although most hacktivists do not fancy themselves hackers.

Although hackers turned hacktivists have the very best of intentions, and their input and expertise are of great value to the hacktivist community, they have inadvertently suppressed the potential of the very community they are trying to aid. The get-in-get-the-goods-get-out methodology of the stolen credit card driven hacker community that has been transferred to the hacktivist community via ideological osmosis has tragically affixed blinders to it. It has caused the hacktivist community to think linearly and strive to do nothing more than to blindly infiltrate target organizations and immediately leak whatever data they happen to stumble across. This must change. Stealing and leaking data makes a point, but it is sometimes necessary to do more than just make a point, to inflict real, measurable damage. In certain, extreme cases an organization's disregard for human rights warrants its immediate and complete obliteration.

In this essay, I will discuss a multitude of ideological, operational, and technical changes that ought to be made to the hacktivist community. These proposed changes have been derived from my personal observations. Some will find the ideas contained within this document to be the product of common sense. I have found these people to be few in number. If the community accepts my suggestions it will not only become more effective, but the risks associated with participating in it will be drastically lowered. My intent in writing this is not to aid criminals, but rather to aid people who wish to do battle with governments and corporations that have become criminals. If freedom is to remain on this earth, its people must be willing and able to take arms to defend it, both physical and digital.

Personal Security

Sound operational security is the foundation from which all effective cyber-offensives are launched. You should, at all times, put your own, personal security above the success of your operations and interests. The security precautions taken by most hacktivists I have met are mediocre at best, and needlessly so. Maintaining sound personal security is by no means difficult. It requires much caution but very little skill. I have devised a series of security precautions that hacktivists should take and divided them up into six main categories: environmental, hardware, software, mental, pattern related, and archaeological. We shall examine each individually.

(1) Environmental:

There are but two places you can work: at home or in public. Some people insist that working at home is best and others insist that working in public is best. The proper working environment debate has been raging on in the hacker community for quite some time now, and has great relevance to the hacktivist community, as most governments view hackers and hacktivists as one and the same.

Proponents of the work in public argument claim that by always working at a different public location, you significantly lower your chances of being apprehended. They argue that even if the authorities are able to trace many of the cyber-attacks you took part in back to the public places where you took part in them from, that does not bring them any closer to finding you. Most retail stores and coffee shops do not keep surveillance footage for more than a year at the most, and even if the authorities are able to get a photo of you from some security camera, that does not necessarily lead them directly to your front door, especially if you wore a hoody the entire time you were working and the camera never got a clear shot of your face. On the other hand, proponents of the work at home argument argue that the risk of being seen and reported, or merely recorded while working in a public place far outweighs the benefits of the significantly large increase in anonymity that working in public provides. Both sides have legitimate points, and I urge you to consider both of them.

If you decide to work in public, the number one threat you face is other people. Numerous large criminal investigations have been solved using the observations of average everyday citizens who just happened to remember seeing something suspicious. If people sense that you are trying to hide something, they will watch you more closely than they would otherwise. It is important to always keep your cool, as the old saying goes. Always try to sit in such a way that your screen is facing away from the majority of the people in the room you are sitting in. Corners are your friend. Try to blend in with the crowd. Dress in plain clothes. Draw no attention. If you are in a coffee shop, sip some coffee while you work. If you are in a burger joint, buy a burger. If you are in a library or book store, set a few books beside your laptop. Also, be very aware of security cameras, both inside the establishment you are working in as well as on the street near it. Being captured on film is all right as long as the camera can not see what is on your screen. Some store cameras are watched by actual people who will undoubtedly report you if they find out what you are doing. More and more governments are starting to place very high quality CCTV cameras on their streets to monitor their citizens, and these devices can be a problem if they are peering over your shoulder through a window you are sitting beside. When working in public, it is possible that you may have to confront a law enforcement officer face to face. Law enforcement officers can smell uneasiness from a mile away, and if you look like you are up to no good it is possible that a cop will come and talk to you. Always have some sort of cover story made up before you leave home to explain why you are where you are. If you are forced to confront a law enforcement officer you should be able to talk your way out of the situation.

If you decide to work at home, the number one threat you face is your own ego. Just because you are at home does not mean that your working environment is secure. Be aware of windows in close proximity to your computer as well as your security-illiterate or gossipy family members. Security issues in relation to network configuration begin to come into play when you work at home. If your computer were to somehow get compromised while you are working at home, perhaps by your government, it would be nearly impossible for the person or group of people rummaging around inside of your system to get your actual IP address (provided that you adhere to the software security guidelines that we will discuss later). However, if your wi-fi password (or the name of your printer, or the name of another computer on the network) contains your actual last name and part of your address, tracking you down becomes very easy. A lot of people name their network devices and structure their network passwords in this way.

It is also possible that if an attacker that has infiltrated your computer notices other machines on your network they can pivot to them (infect them with malware using your computer as a spring board of sorts) and use them to get your IP address. A lot of Internet enabled household devices have cameras on them (your smart TV, your Xbox, and your high tech baby monitor to name a few) and said cameras can potentially be leveraged against you. It is in your best interest to not have any other machines running on your home network while you are working. Also, change your wi-fi password every once in a while and make sure that the password on the administrative interface of your router is something other than the out-of-the-box default. If your computer gets compromised, logging into your router using username admin and password admin is elementary for a moderately skilled attacker. Most modern routers list their WAN IP address on their control panels.

Regardless of where you decide to work, be aware of mirrors and glass picture frames near your workplace. In the right light, both of these items have the potential to reflect crystal clear images of your screen to onlookers across the room. In addition to this, understand that modern cell phones are your worst enemy. Not only are they always going to be the weakest link in your security setup, but if they are somehow compromised they are equipped with a camera and microphone. Recent studies suggest that it is possible for smart phones to listen to the high pitched noise your CPU makes and deduce your PGP private key. Furthermore, the metadata collected by your phone coupled with pattern analysis techniques could potentially allow your government to link your real life and online personas together after some time. We will discuss this in depth later. Leave your phones at home and if possible keep all phones, yours or otherwise, far away from your computer. Other portable devices such as iPods and tablets potentially pose the same risk that phones do and should be treated the same.

(2) Hardware:

Modern computers come equipped with microphones, speakers (which can be used as microphones under the right circumstances), and cameras. All of these features can potentially be leveraged to identify you if your computer is compromised. To mitigate these risks, these features should be physically removed. Your computer's microphone and speakers should be ripped out of it, but you should not rip out your web cam, as it will alter the outward appearance of your computer and potentially draw attention to you. Instead, open your computer's screen and snip the wires that connect to your web cam. Wrap the ends of the wires in electrical tape so sparks do not jump in between them. If you must listen to an audio file while working, use headphones. Only keep your headphones plugged into your computer when you are using them. The computer you use for your hacktivist activities also should not contain a hard drive, as they are unnecessary for our purposes.

(3) Software:

Always use a TOR enabled Linux live system when working. At the present moment, Tails (The Amnesic Incognito Live System) is by far the best live distribution for your purposes. You can read more about TOR at www.torproject.org and you can read more about acquiring, setting up, and using Tails at tails.boum.org. The Tails operating system lives on a USB flash drive. Every time you start up your computer, you must first insert your Tails flash drive into it. The Tails website will guide you through making said flash drive. Tails will automatically direct all of your outgoing traffic into the TOR network in an effort to hide your IP address. If you use Tails you will be completely anonymous and be able to work with impunity provided that:

* You keep your Tails USB up to date. New versions of the Tails operating system are released every few months.

* You do not log in to your real world accounts while using Tails. Do not check your Twitter feed while you are working.

* You do not use Tails to create an account with an alias that you have used before. If you have been 0pwn for the past seven years, now is a good time to stop being 0pwn.

* You do not alter Tails' default security settings. They are the way they are for a reason.

* You do not use Tails to create an online account with a password that you have used before. Doing this only makes deanonymizing you easier.

* You do not install and use random packages that look cool; they could be malicious. Only use packages and scripts that you trust. Tails is not bullet proof.

* If you decide to set a sudo password when starting up Tails, make sure that it is very strong.

* You stay conscious of metadata analysis techniques. We will discuss these later.

* You switch exit nodes every ten to fifteen minutes. This can be done by double clicking the little green onion in the upper right hand corner of your Tails desktop and hitting the Use a New Identity button.

* You follow the communication guidelines laid out later in this document.

More information can be found on the Tails warning page: https://tails.boum.org/doc/about/warning/index.en.html. Be aware that it is very easy for your ISP (which is probably working closely with your government) to tell that you are using both TOR and Tails. It is probably in your best interest to use something called TOR bridge mode. You can read more about how to configure Tails to use TOR bridges here: https://tails.boum.org/doc/first_steps/startup_options/bridge_mode/index.en.html.

Tails is unique in that it has a special feature that wipes your computer's memory before it shuts down. This is done in order to mitigate risks associated with the dreaded cold boot attack (a forensics method in which a suspect's RAM is ripped out of his or her computer and then thrown into a vat of liquid nitrogen to preserve its contents for later analysis). This feature is also triggered if you pull your Tails flash drive out of your computer while you are working. If while you are working you ever feel that the authorities are about to move in on you, even if you have a seemingly irrational gut feeling, yank your Tails flash drive out of your computer. Tails also has a feature that allows it to disguise itself as a Windows desktop. Using this feature in public will reduce your risk of capture significantly.

(4) Mental:

A skilled attacker is well disciplined and knows that he must keep his actions and skills a secret in order to remain safe from harm. Do not flaunt the fact that you are dissatisfied with your government, a foreign government, or a particular corporation. Do not attend protests. Do not publicly advertise the fact that you have an above average aptitude for computer security, offensive or otherwise. And whatever you do, do not tell anyone, even someone you think you can trust, that you are planning to launch an organized cyber-attack on any organization, big or small. If you draw attention to yourself no amount of security precautions will keep you safe. Keep your real life mentally isolated from your hacktivist life. One lapse in operational security could end you.

Be alert and focused. Remain mentally strong. Come to terms with the illegality of your actions and what will happen to you if you are apprehended. As a wise man once said, "A warrior considers himself already dead, so there is nothing to lose. The worst has already happened to him, therefore he's clear and calm; judging him by his acts or by his words, one would never suspect that he has witnessed everything." It is perfectly acceptable to be paranoid, but do not let that paranoia consume you and slow your work. Even if you are extremely cautious and follow this document's advice to the letter, you still may be hunted down and incarcerated, tortured, or killed. Some countries do not take kindly to hacktivists. It is best that you be honest with yourself from the beginning. In order to operate effectively you must be able to think clearly and see the world as it actually is.

(5) Pattern Related:

When your online persona is active your real life persona ceases to exist, and an observant adversary can use this to their advantage. If your ISP, bank, and mobile phone provider are cooperating with your government and allowing them to browse through all of their records (a fair assumption in this day and age) then, eventually, they will be able to deduce your real identity by comparing everyone's data to information about your online persona. If the government looks back on all of the records they have collected in the past year and notices that you never make a credit card purchase, watch Netflix, go on your Facebook, Google, or Twitter account, or change your physical location while 1337Hax0r64 is online on some anti-government forum on the deep web, they will assume that you are 1337Hax0r64. Even information about your home network's bandwidth usage can give away your real identity.

Luckily, performing the type of metadata analysis attack described above takes time, usually many months. It is very important that you change aliases often, preferably every three or four months. Shed your old names like a snake sheds its skin. When you do change your online name, make sure your new identity can not be tied back to your old one.


DO NOT launch cyber-attacks from your own computer. Launch attacks only from hacked servers, servers purchased with washed bitcoins, or free shell accounts. Certain types of cyber-attacks produce a large amount of traffic over a short amount of time. If the bandwidth usage of your home network spikes at the same instant that a government or corporate server is attacked, the time it takes to deanonymize you is reduced significantly. This is especially true if you launch multiple attacks on multiple occasions. Launching attacks in this way can be mentally exhausting. Configuring a new attack server with your tool set every time your old attack server is banned (an inevitable occurrence) can be a tedious task indeed. I personally recommend creating a bash script to automatically install your favorite tools to make this transition process easier. Most hackers and offensive security professionals use under thirty non-standard tools to do their job, so configuring a new server with everything you need should not take very long if you know what you are doing. Consider equipping your server with TOR and a VNC server (for tools that require GUIs such as most popular intercepting proxies) as well.

(6) Archaeological:

You must ensure that there is no forensic evidence of your actions, digital or otherwise. If the government breaks into your house and rummages through your things, they should find nothing interesting. Make sure that you never make any physical notes pertaining to your hacktivist activities. Never keep any computer files pertaining to your hacktivist activities in your home. Keep all of your compromising files, notes, scripts, unusual attack tools (the ones that can not be installed with apt-get or the like), and stolen information in the cloud. It is recommended that you keep all of your files backed up on multiple free cloud storage providers so that in the event that one of the providers bans your account you still have all of your data. Do not name your cloud accounts in such a way that they can be connected back to your online persona. Never, under any circumstances, mention the names or locations of your cloud accounts to the people you work with. Always hit the Use New Identity button on your TOR control panel after accessing your cloud storage solutions. Every time you shed your old alias, shed your old cloud accounts.

Security of Communications

The majority of hacktivists I have met communicate via public IRC. Using IRC is fine for meeting other hacktivists, but as soon as you muster a team of other hacktivists who wish to attack the same target as you, move to another more secure form of communication. Some means of communication are more secure than others, but completely secure communication does not exist. The following guidelines are meant to work in conjunction with the personal security guidelines that were discussed in the previous section. If proper personal security measures are implemented effectively, compromised communication will result in operational failure at worst and not complete deanonymization. Since operational failure may very well set you and your cause back several months, it is in your best interest to attempt to communicate securely:

* Remember that any of the people you meet on the clearnet, deep web, or public IRC channels who claim to be on your side could actually be government agents trying to sabotage your operations.

* If possible, communicate mainly via privacy friendly email accounts (not Gmail, Yahoo, AT&T, etc.) and encrypt all of your messages with PGP. When a cyber-attack is being carried out it is often necessary to be able to communicate with your accomplices instantaneously. Since encrypting, sending, receiving, and decrypting messages by hand takes time, using PGP in time sensitive situations like this is not feasible. If you have to confer in an IM environment, use a program like TorChat that uses its own form of asymmetric encryption to send and receive messages instantly.

* Use strong passwords for all of your online accounts. The best way to make a strong password is to pick eight or nine random words and string them together. Passwords like this are easy to remember but hard to guess.

* Never give away any personal information (such as country, interests, hobbies, health, etc.) or give insight into your feelings or emotions. Your fellow hacktivists are not your friends and should never be talked to as such. Giving away this sort of information will make tracking you easier.

* When you receive messages, do not retain them, even if they are encrypted. Read them, make note of any hard to remember details (like long server passwords for example), and then delete them. Having a mile long digital paper trail can not lead to anything good. In some cases deleted messages on email servers can be recovered via computer forensics, but deleting messages quickly may reduce the odds that they can be.

* When typing messages, do so in a word processor on your computer. Never write your message inside of a communication program (such as an online email client, forum PM box, etc.). People have been known to accidentally send unencrypted messages before. The effects of such an error can be devastating.

* If you find yourself writing large swaths of text intended for public release (like essays or manifestos) use a tool like Anonymouth to obscure your writing style. Your writing style is as unique as a fingerprint and can be used to identify you.

* Never, under any circumstances, execute a file on your computer or on your server that has been given to you by a fellow hacktivist. You should never run into a situation where doing this is necessary.

* Do not disclose information about your involvement in previous hacktivist operations to people who were not also part of the same operation.

* If one of the people that you are working with gets captured, assume that the people who have captured them know everything that they do.
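The strong password guideline above (eight or nine random words strung together) can be put in numbers. This is an added example, not code from the essay: it draws words with the operating system's cryptographic random source and reports the entropy of the result; the small word list, the 7776-entry list size and the guess rate are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed sample word list; it stands in for a large published list such
# as a diceware-style list. Entropy depends only on the list size and the
# number of words, so the entropy functions take the size as a parameter.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kelp", "lantern", "marble", "nettle", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umber", "velvet", "willow", "yarrow",
]
PUBLISHED_LIST_SIZE = 7776   # assumption: a 6^5-entry diceware-style list
ASCII_PRINTABLE = 95         # characters available to a random character password


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy (bits) of num_words words drawn uniformly, with replacement,
    from a list of wordlist_size words. Only holds for truly random picks;
    words a person chooses by hand carry far less."""
    if num_words < 1 or wordlist_size < 2:
        raise ValueError("need at least one word from a list of two or more")
    return num_words * math.log2(wordlist_size)


def char_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy (bits) of a random character password, for comparison."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need at least one character from an alphabet of two or more")
    return length * math.log2(alphabet_size)


def generate_passphrase(words, num_words: int = 8, separator: str = " ") -> str:
    """Pick num_words words with secrets.choice (CSPRNG); random.choice is
    seeded predictably and must not be used for secrets."""
    if num_words < 1:
        raise ValueError("num_words must be positive")
    if len(set(words)) < 2:
        raise ValueError("word list must contain at least two distinct words")
    return separator.join(secrets.choice(words) for _ in range(num_words))


def expected_years_to_guess(entropy_bits: float,
                            guesses_per_second: float = 1e12) -> float:
    """Expected time to hit the passphrase at the given guess rate: on
    average half the keyspace (2^(bits-1) guesses) must be tried."""
    expected_guesses = 2.0 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for n in (8, 9):
        bits = passphrase_entropy_bits(n, PUBLISHED_LIST_SIZE)
        print(f"{n} words from {PUBLISHED_LIST_SIZE}: {bits:.1f} bits, "
              f"~{expected_years_to_guess(bits):.2e} years at 1e12 guesses/s")
    bits = char_password_entropy_bits(8, ASCII_PRINTABLE)
    print(f"8 random printable characters: {bits:.1f} bits")
    # Drawn from the tiny constructed list, so this sample is weak; use a
    # published list of thousands of words for a real passphrase.
    print("sample:", generate_passphrase(SAMPLE_WORDS, 8))
```

With a 7776-word list, eight words give about 103 bits and nine about 116 bits, against roughly 53 bits for eight random printable characters.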

Philosophy of Attacking

The hacktivist community, like every community, has its own unique set of philosophical musings, taboos, and dogmas. While I do not advocate the severe alteration of the principles and philosophies on which the community was built, I do wish to point out a number of flaws in certain aspects of their composition. These flaws serve only to hold back the community and should be openly discussed.

(1) When hacktivists target an organization, their goal is more often than not to force said organization to stop functioning permanently, or at least for the longest time possible, in an effort to stall unjust actions from being carried out or to seek retribution for unjust actions done in the past. Leaking databases, DoXing influential individuals, defacing websites, and launching massive DDoS campaigns, four of the modern hacktivist community's favorite activities, accomplish this goal - to an extent. Infiltrating a target organization and sowing discord within its ranks is magnitudes more effective than leaking credit card numbers or putting a CEO's social security number on Pastebin, yet it is rarely, if ever, considered to be a viable course of action. Subtly and silently fostering suspicion and distrust inside of your target will have a longer lasting impact than simply pointing out that its security policy has some weak points.

(2) Hacktivists crave publicity, yet they are the most effective when they operate undetected. Stay hidden. Although it may seem tempting at times, do not destroy large amounts of information on your target's computers or servers. Doing so will announce your arrival inside of your target's network rather loudly. Flashy, public displays of power have no place in the hacktivist community. Just because you are hiding behind TOR does not mean that you should not make an effort to cover your tracks. Conceal your attack not to mask your identity, but to convince your target that no attack was carried out in the first place.

(3) Once your hacktivist collective has decided to attack an organization, strike fast and strike hard. Overwhelm your target. A well disciplined and well organized team of attackers can penetrate most networks within a few hours. Far too often I have seen hacktivist collectives declare all out war on someone and then attack them slowly and gain entry into their network days, sometimes even weeks later. By attacking slowly, you give your target time to react and strengthen their defenses. Detecting an attack from a large hacktivist collective is a trivial task, but as history has shown detecting the presence of one inside of a network, especially a large network, can be tricky.

(4) Cyber-attacks seldom go as planned. If you are attempting to do anything that involves the coordination of more than two people, keep this in mind. It is not uncommon for tools to stop working in the middle of an attack. It is not uncommon for reverse shells to die unexpectedly. It is not uncommon for seemingly simple actions to take hours to perform. You must be ready to think on your feet and quickly adjust your attack plan to accommodate the ever changing conditions within the network you are attacking. Predefined contingency plans are mostly useless.

(5) Remember that no system is impenetrable. On more than one occasion I have seen hacktivists give up on trying to infiltrate a target network because their Nessus scan did not yield any useful results. As a hacktivist, you are not bound by the typical constraints of a pentester. If you can not successfully attack a website, try attacking its hosting provider. Try attacking the administrator's email account. Try going after random social accounts belonging to the administrator's family. Try planting iframes in websites you suspect the administrator frequents in an effort to infect him. If you cause extensive collateral damage, who cares? It is not your problem. Sometimes the ends justify the means. Be creative.

(6) Many hacktivists possess unrealistic, self-constructed mental images of the ideal cyber-attack. In the majority of these movie-induced delusions, the ideal attack utilizes numerous 0 days, an arsenal of home made tools, and highly advanced, unimaginably complex network intrusion techniques. In reality, this type of thinking is incredibly dangerous and causes some hacktivists to attempt to perform convoluted, elaborate attacks to gain the respect of their peers. When breaking into highly secured networks, such attacks only draw unnecessary attention. The best attacks are the ones that work. They are usually simple and take little time to execute. Using sqlmap to spawn a shell on your target's server by exploiting a flaw in their website's search feature is a viable if not ideal attack. It allows you to access the inside of your target's network. Exploiting a vulnerable FTP daemon on one of your target's servers using public exploit code is a viable if not ideal attack. It allows you to access the inside of your target's network. Using Metasploit in conjunction with a fresh Gmail account to launch a phishing campaign against your target's employees is a viable if not ideal attack. It allows you to access the inside of your target's network. The media hates it when hacktivists use open source software to do their work. Whenever a hacker or hacktivist is arrested for doing something that involved using someone else's tools, they are publicly shamed. "Anyone could have done that," they say. "He's just an unskilled script kiddie," they say. Claiming that someone is less of a hacker solely because they partially depend on someone else's code borders on absurd. It amounts to claiming that Picasso is a bad artist because he did not carve his own brushes, synthesize his own paints, and weave his own canvas. Do not shy away from using open source tools and publicly available information to accomplish your goals. Hacking is an art, and nmap is your brush.


Organization and Formation

Most of the hacker and hacktivist groups I have observed are unorganized and undisciplined. They claim to perform actions as a collective, yet when it comes time to actually launch an attack they attempt to infiltrate their targets as individuals, each member launching attacks of their own without making the faintest attempt to coordinate their actions with others. Here I shall describe a schema that could be easily adopted by any hacktivist collective to allow it to facilitate highly coordinated attacks involving large numbers of attackers with great ease. It will be presented as a series of steps.

Step One: Organize yourselves into multiple small groups. These groups shall be referred to as strike teams. The ideal strike team is composed of three parts attack specialists, two parts social engineering specialists. Attack specialists should at least be able to identify and competently exploit potential vulnerabilities in websites and be able to exploit vulnerable or misconfigured services. Social engineering specialists should have at least some real world experience before participating in a strike team. Attack specialists should only concern themselves with launching attacks and social engineering specialists should only concern themselves with social engineering. Well-defined roles are the key to a strike team's success. This configuration will often create an abundance of social engineering specialists, and that is perfectly acceptable. Having the capability to immediately launch multiple well planned social engineering campaigns is crucial. The size of a strike team will be determined by the skill of its members. Highly skilled individuals should work in very small strike teams (five member teams are acceptable) whereas unskilled individuals should work in larger strike teams (up to a few dozen). The organization of strike teams should be coordinated as a collective. No one person should be given the authority to sort people themselves. Strike teams should function as sub collectives and be autonomous. Hacktivist collectives are composed of people around the world, most of whom can not be online all the time. This means that all strike teams should set themselves up knowing that their members will pop on and offline and that it is possible new members will have to be annexed at a later time.

    Step Two: Within each strike team, agree upon a stratagem; a broad, realistic, nonspecific plan of action that aims to accomplish one, very specific goal. Strike teams should only execute one stratagem at a time. Multiple strike teams within the same hacktivist collective can execute different stratagems at the same time in an effort to accomplish some sort of final goal (perhaps to destabilize an organization or to acquire trade secrets). The next section of this essay is devoted solely to exploring the concept of stratagems and how to best form and use them. Strike teams should be allowed to do what they want, but their initial stratagem should be approved by the collective so that no two strike teams attempt to do the same thing at the same time.

    Step Three: As a strike team, map your target's attack surface. If multiple strike teams are all attacking the same network, they should share information very closely in this step. It is very possible that multiple strike teams working together to accomplish the same goal could actually be attacking different networks, in which case mapping should be done within individual strike teams. Each member of a given strike team should attempt to map the target network themselves, and then members should compare information. It is very unlikely that anything will be overlooked by every single member of the team.

    Step Four: Divide your target network up into manageable chunks and assign certain individuals within your team to each one of those chunks. Efficient division of labor is key to launching speedy attacks. Here is an example involving a network composed of four servers (two SQL servers, a DNS server, and a web server hosting a feature rich corporate site) and a strike team composed of six attack specialists and four social engineering specialists:

    * Have one attack specialist attack the SQL and DNS servers.

    * Have one attack specialist attack the website's multistage user registration mechanism and login mechanism.

    * Have one attack specialist attack the contact and session management mechanism.

    * Have one attack specialist attack any forms not assigned to other attack specialists as well as any other potentially exploitable scripts, pages, or mechanisms.

    * Have one attack specialist and two social engineering specialists attempt to launch some sort of phishing campaign against the company's employees.

    * Have one attack specialist and two social engineering specialists attempt to convince the company's hosting provider that they are the rightful owners of the company's four servers and have been locked out of their email account.

    Step Five: Drill yourselves. This step is optional but highly recommended. Procure a server with a large amount of RAM and multiple processors. Have one member of your strike team set up a virtual network on it that, to the best of your knowledge, mimics the network you are planning to attack. This one team member should not participate in the drills themselves, and they should not give other team members details pertaining to the virtual network. If you are planning on attacking a large corporation, set up the virtual network like a large corporate network with a labyrinth of firewalls, routers, switches, and domain controllers. If you are planning on attacking a small corporation or home business, set up your network accordingly. You should never have to virtualize more than 12 workstations, even if your team is doing a complex pivoting exercise. As a group, attempt to break into your virtual network and execute your stratagem. The virtual network should be deliberately misconfigured so that there is a way for your team to infiltrate it and accomplish their simulated goal, but the misconfigurations should be extremely subtle. The team should have to work very hard to find them. Run multiple drills. After each drill, the misconfigurations in the network, and potentially the layout of the network itself, should be altered to force your team to attack it in a different way or to exercise a different skill. The purpose of these drills is twofold. Firstly, they allow your team members to get accustomed to working together. Secondly, they will prepare your team for the day when they actually go up against your real target network.

    Step Six: Execute your stratagem on your target network. Your strike team should attack methodically and silently. Every member should know what they need to do and how they need to do it. No mistakes should be made. Every tool you use should be well honed and function flawlessly. Not a second should be wasted. Use time to your advantage. Your target organization will be the most unprepared for an attack in the middle of the night when all of its IT staff are at home sound asleep. If your stratagem calls for being embedded in your target network for a long period of time, tread very lightly once you infiltrate it.

    Interlocking Stratagems in Theory

    In this section I will give multiple examples of stratagems that an actual strike team could make use of. You should combine multiple stratagems to accomplish your ultimate goal. Individual stratagems are like pieces of a jigsaw puzzle, and are intended to be pieced together. A strike team should execute multiple stratagems in succession, possibly in cooperation with other strike teams in an effort to accomplish a common goal. This section is not intended to be a playbook. I encourage you to build off of my stratagems or, better yet, devise your own. Some stratagems are:

    (1) Collect information on individuals within the target organization. Mount a phishing campaign against the organization and gain access to as many workstations as possible. Once you have breached its network, do not pivot. Attempt to locate any useful information on the workstations you have compromised, and then remain in the network for as long as possible doing nothing more than idly gathering intelligence.

    (2) Take complete or partial control over the target organization's main means of communication (usually email). Review a few of their messages and learn how they are structured and formatted. Then, send a number of blatantly false messages to one or more members of the organization using the credentials of another member of the organization. Multiple false messages should be sent over some period of time. When members of the organization begin to receive false messages from their colleagues, distrust will begin to take root.

    (3) Take complete or partial control over the target organization's main means of communication (usually email). Review a few of their messages and learn how they are structured and formatted. Then, devise some way to intercept and inspect or modify messages in transit within the target organization (essentially, perform a man in the middle attack). Every once in a while, alter a message in a subtle but disruptive way. Perhaps change a date or a time so certain individuals do not arrive at their meetings on time or do not arrive at all. Once you have reason to believe that your modifications have taken their toll (i.e. the person you targeted missed their meeting), undo the changes you made to the message you intercepted so upon audit it appears as though the message was never tampered with. Doing this is usually hard to detect and will slowly cause the target organization to destabilize itself as tensions between individuals within it begin to rise and their employees begin to question their own sanity.

    (4) Take complete or partial control over the target organization's main means of communication (usually email). Review a few of their messages and learn how they are structured and formatted. Use the credentials of a high ranking individual within the target organization to distribute a message that appears to be from them that claims a terrible tragedy has occurred that warrants an immediate, brash, resource intensive response from the rest of the organization. You will most likely not be able to pull this off more than once. This stratagem works especially well against militant groups with poorly defined command structures but has other applications as well.

    (5) Once inside of the target organization's network, acquire a small amount of classified data intended for the eyes of high ranking personnel only. Strategically plant the data on the computer of one or more lower ranking individuals. Make it look like an espionage attempt. If many key individuals within the target organization are accused of trying to siphon out its secrets, it will be forced to suspend a large portion of its operations while an investigation is done.

    (6) Use a DDoS attack to disrupt the target organization's communications for a short period of time when they are most in need of it. For a corporation, this could be during an important international Skype call. For a government, this could be immediately following a devastating attack from an insurgency group. Doing this will cause panic, which will make the target organization temporarily more susceptible to other kinds of attacks.

    (7) Pose as a legitimate company selling legitimate software and befriend the target organization. Create a piece of software with a very hard to detect security flaw in it and sell it to them. The flaw could be as simple as a poorly implemented encryption library or as complex as an insecure multistage parsing algorithm. It must be incredibly subtle. So subtle that if it is detected you will be able to write it off as unintentional. It should be plausibly deniable. Once the target organization installs the vulnerable software on their machines, leverage it to perform targeted attacks on key individuals within it. Do not use it to infect entire subnets, as that will draw too much attention.

    (8) Locate a small software provider your target organization already does business with and infiltrate their network by using other stratagems. Modify their source code slightly so that their software becomes vulnerable to remote attack. Do not modify just any code you come across; study the software provider's development process and target code that has already been checked for bugs and is days away from being released to customers. When the target organization installs the latest version of software from the company that you have infiltrated, they will become vulnerable. Leverage this vulnerability to perform targeted attacks on key individuals within the target organization. Do not use it to infect entire subnets, as that will draw too much attention.

    (9) Locate a small software provider your target organization already does business with and infiltrate their network by using other stratagems. Most software companies offer rewards to security researchers who find vulnerabilities in their products. Determine how reported vulnerabilities are managed by the company you have infiltrated and devise a way to monitor them in real time. As soon as a security researcher reports a major vulnerability in a product your target organization uses, use it to perform targeted attacks on key individuals within it. Do not use it to infect entire subnets, as that will draw too much attention.

    (10) Using other stratagems, infiltrate the computers of a number of influential individuals within the target organization. Monitor their activity constantly and closely. If possible, listen to them through their computer's microphone. When you believe that one of them has left their computer, undo things they have just done. Delete the last sentence they wrote. Hit the back button on their web browser. Close the program they just opened. Over time, this will lead them to question their sanity.

    (11) Using other stratagems, infiltrate the computers of a number of influential individuals within the target organization. Most modern governments and corporations are at least partially corrupt. Find evidence of this corruption and use it to compel one or more of these influential individuals to aid your cause. If you are unable to find any evidence of corruption, do not be afraid to bluff. If you make a mysterious window pop up on, say, a CFO's computer that alludes to some sort of dirty secret, it is very possible that the CFO will assume that the hacker who caused the window to appear knows something about them that they actually do not. A lot of powerful people have skeletons in the closet. The media has instilled a fear of hackers into the general populace, and this fear can be used to your advantage. Most normal people, upon being confronted by a hacker that has gained complete control of their computer, will be inclined to believe plausible sounding white lies. Having an inside man within your target organization can be extremely useful.
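    Stratagem (3) rests on the claim that a message altered in transit and later restored leaves nothing for an audit to find. That only holds when the audit compares a single final copy; it fails against an append-only record of the body digest taken each time the message is observed (at delivery, at each read, at audit). The tamper-evident ledger below is an added example written for this page, not code from the essay; the ledger host, the HMAC key and the message bodies are constructed assumptions.

```python
import hashlib
import hmac
import json
from collections import defaultdict

GENESIS = "0" * 64  # chain anchor for the first entry


def body_digest(body: str) -> str:
    """SHA-256 of a message body, line endings normalised to LF."""
    return hashlib.sha256(body.replace("\r\n", "\n").encode("utf-8")).hexdigest()


class MessageLedger:
    """Append-only, HMAC-chained record of every time a message body is observed.

    Assumption of this example: the ledger is kept on a host that the mail
    server and the mail clients can append to but cannot rewrite, and the key
    never reaches the mail path an intruder could sit on. Each entry commits
    to the MAC of the previous one, so editing or deleting an entry after the
    fact breaks the chain.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._prev = GENESIS
        self.entries = []

    def _mac(self, entry: dict) -> str:
        canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()

    def record(self, msg_id: str, event: str, body: str) -> dict:
        """Log one observation of msg_id: 'delivered', 'read' or 'audit'."""
        entry = {"msg_id": msg_id, "event": event,
                 "digest": body_digest(body), "prev": self._prev}
        entry["mac"] = self._mac(entry)
        self._prev = entry["mac"]
        self.entries.append(entry)
        return entry

    def chain_is_intact(self) -> bool:
        """True if no entry was altered, removed or reordered."""
        prev = GENESIS
        for entry in self.entries:
            unsigned = {k: v for k, v in entry.items() if k != "mac"}
            if entry["prev"] != prev or not hmac.compare_digest(
                    self._mac(unsigned), entry["mac"]):
                return False
            prev = entry["mac"]
        return True

    def inconsistent_messages(self) -> dict:
        """Messages observed with more than one distinct body digest.

        This catches the alter-then-restore pattern: the final copy matches
        the delivered copy, but the 'read' observation in between does not.
        """
        seen = defaultdict(list)
        for entry in self.entries:
            if entry["digest"] not in seen[entry["msg_id"]]:
                seen[entry["msg_id"]].append(entry["digest"])
        return {m: d for m, d in seen.items() if len(d) > 1}


def demo_ledger() -> "MessageLedger":
    """Constructed scenario: m1 is altered between delivery and reading, then restored."""
    ledger = MessageLedger(b"constructed-demo-key-not-for-production")
    original = "Board meeting Tuesday 09:00, room 4."
    altered = "Board meeting Tuesday 10:00, room 4."   # one digit changed
    other = "Vendor call moved to Thursday."
    ledger.record("m1", "delivered", original)
    ledger.record("m2", "delivered", other)
    ledger.record("m1", "read", altered)    # the recipient saw the altered copy
    ledger.record("m2", "read", other)
    ledger.record("m1", "audit", original)  # by audit time the change was undone
    return ledger
```

    A final-state comparison of demo_ledger() would pass; inconsistent_messages() flags m1 because its digest history has two values, and any attempt to rewrite or drop the 'read' entry is caught by chain_is_intact().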

    Interlocking Stratagems in Practice

    In this section I shall present an example of a plausible situation that could warrant the involvement of hacktivists and a corresponding attack loosely built upon the stratagems from the last section. I have tried to make the situation realistic, but it is very likely that if you use my writing to plan and execute your own attack it will play out nothing like the attack depicted below. Most actual attacks are far more complex than the one presented here. The purpose of this example is to demonstrate the way in which multiple strike teams should work together. Notice how at all times each team has one or more specific goals.

    Situation: A hacktivist collective has decided to attack the terrorist organization Bina Al-ar-mal after they captured and executed a tourist in Syria. Bina Al-ar-mal is believed to consist of over 40,000 people, has hundreds of public Twitter feeds and Facebook accounts, and runs a small terrorist news site hosted on a Russian server. It has three known leaders, who we shall refer to as Head Terrorist 1, Head Terrorist 2, and Head Terrorist 3. Twenty-seven hacktivists have joined the effort. They have been split into three teams: team 1 consists of five of the most highly skilled hacktivists, team 2 consists of seven moderately skilled hacktivists, and team 3 consists of fifteen amateur hacktivists.

    Time Line:

    (Day 1, Hour 1) Team 1 is initially tasked by the collective with infiltrating as many terrorist Twitter and Facebook accounts as possible. The team starts enumerating the accounts immediately. They decide that no drill will be executed, as breaking into Facebook and Twitter accounts is a trivial task.

    (Day 1, Hour 1) Team 2 is initially tasked by the collective with infiltrating the web hosting provider hosting the terrorist group's website. They begin reconnaissance.

    (Day 1, Hour 1) Team 3 is initially tasked by the collective with attacking Bina Al-ar-mal's website directly. They begin to map the website.

    (Day 1, Hour 2) Team 1 finishes enumerating the terrorist Facebook and Twitter accounts. They begin attempting to break into them.

    (Day 1, Hour 2) Team 3 finishes mapping Bina Al-ar-mal's website and begins to attack.

    (Day 1, Hour 3) Team 1 has breached a few terrorist Facebook and Twitter accounts. After examining their contents they determine that the terrorists are using the SpookyMail email service to communicate off of social media. A few terrorist email accounts are identified and the team begins to try to break into those as well.

    (Day 1, Hour 3) Team 3 gains read/write access to a limited portion of the server Bina Al-ar-mal's website is hosted on. The other teams are alerted. They set up a simple PHP based IP logger script to capture the IP addresses of Bina Al-ar-mal members attempting to check their organization's news feed.

    (Day 1, Hour 6) Team 2's reconnaissance ends. They have located the web hosting provider and gathered information on said provider's website and servers. They begin attacking them.


    (Day 1, Hour 7) Team 1 breaches their first few terrorist email accounts.

    (Day 1, Hour 9) Team 2 locates a vulnerability in the terrorist's web hosting provider's website. They are not able to fully compromise any of their servers, but they are able to get a list of customer names, domain names, and billing addresses by exploiting a flaw in the website's shopping cart feature. Upon inspecting the list, they discover that the person paying Bina Al-ar-mal's hosting bill has a British billing address. The other teams are alerted and Scotland Yard is notified of the terrorist threat immediately.

    (Day 1, Hour 23) Team 1 is able to get Head Terrorist 1's email address off of the contact pane of one of the hacked terrorist email accounts. They make ready for a spear phishing attack against him, but decide to wait some time to launch it, as it is currently the middle of the night where Head Terrorist 1 is believed to be.

    (Day 2, Hour 3) Team 3 has gathered over seven thousand IP addresses of people viewing Bina Al-ar-mal's news feed and tries to attack them all using known router vulnerabilities. When all is said and done they have infected thirty-seven routers and forty-six workstations. They determine that thirty-four of these workstations belong to active members of Bina Al-ar-mal. They observe these workstations passively, hoping to gather information. The other two teams are briefed on their success.

    (Day 2, Hour 8) Team 1 launches a spear phishing attack against Head Terrorist 1 using the hacked email account of another terrorist.

    (Day 2, Hour 9) Team 1's spear phishing attack against Head Terrorist 1 is a success. They now have full control over his Windows XP laptop and inform the other two teams of their success. After searching the laptop's hard drive and downloading a half gigabyte of confidential documents and IM logs, the team decides to plant a PDF of the Christian Bible on it along with some real looking fake papers from the CIA. After gleaning Head Terrorist 2's and Head Terrorist 3's email addresses from the stolen IM logs, the team sends them both emails from the hacked email account of a lower level terrorist claiming that Head Terrorist 1 is dirty.

    (Day 2, Hour 9) Team 3 decides to take the sensitive information stolen from Head Terrorist 1's computer by Team 1 along with other fake CIA documents and place it on all thirty-four of the terrorist workstations they control. They use a hacked email account belonging to an uninvolved terrorist to inform Head Terrorist 2 and Head Terrorist 3 that Head Terrorist 1 is a traitor and he has at least thirty-four moles inside of their organization, all of whom they mention by name.

    (Day 2, Hour 10) Head Terrorist 1's laptop is searched by security forces under the control of Head Terrorist 2. Head Terrorist 1 is determined to be part of the CIA and is placed into a cell to be used as leverage against the United States.

    (Day 2, Hour 17) Head Terrorist 2 and Head Terrorist 3 raid all thirty-four of the suspected moles and find the planted documents. They begin to interrogate all thirty-four of them in order to find out how deep the CIA has penetrated their organization. None of them know anything but most of them make up real sounding false information to make the interrogations end.

    (Day 3, Hour 3) Team 1 determines that most remaining Facebook and Twitter accounts cannot be breached. Several team members leave and a few stick around to try and finish off the remaining accounts.

    (Day 6, Hour 17) Scotland Yard arrests the person allegedly paying for Bina Al-ar-mal's web hosting. It is later determined that the person is actually part of a London-based Bina Al-ar-mal cell.

    (Day 6, Hour 20) Team 2 destroys Bina Al-ar-mal's web site after catching word of the Scotland Yard raid.

    End Result: One of three head terrorists is being held by their own organization as a traitor and thirty-four unrelated terrorists are being held by their own organization and brutally interrogated about actions they did not commit. One terrorist is in the custody of Scotland Yard, and a British terror cell has been exposed. Bina Al-ar-mal's entire communication network is compromised (but they do not know that yet), and their website has been taken offline permanently. All members of Bina Al-ar-mal are now becoming increasingly suspicious of their fellow members and the hacktivist collective is now in a position to launch further attacks on Bina Al-ar-mal (using the compromised email and social media accounts) at a later time. This has all been accomplished in under a week.

    My public key is available here:

    http://pastebin.com/VhW0bmAt https://paste.ee/p/C5M3U http://tny.cz/c9b82da0 http://hastebin.com/jikebijifu.hs http://chopapp.com/#w04dkx06

    SHA1: cb36db996bb684e569663ca7b0d93177ecc561be

    Grab it while you still can.

    Disclaimer: All information provided in this document is for educational purposes only. The ideas presented here are solely academic and should never be acted upon or put into practice. The author of this document will not be held responsible in the event any criminal or civil charges are brought against any individuals misusing the information in this document to break the law.


