
The Darknet’s Strangest Easter Egg Hunt


Loved the runes!
Also, when you run Snagit, it disables the screenshot. I laughed myself silly.
To disable Snagit… is a touch of genius – I salute you!

Originally posted on XeroCrypt Blog:


I’ve finally got round to finishing the post some of my readers have been waiting for. This is essentially just a rewriting of some notes I made the other weekend, so there’s very little here that’s not already known. Hopefully I’m presenting it in a new way.
Other than that, I’ve found sporadic bits of evidence after playing with the Internet routing system, and I received a very cryptic email from someone claiming to be 3301 – I was hoping to post about these, but it’s too patchy to definitively comment on how they fit the wider picture. Solving the mystery involves finding scraps of information that often lead to dead ends.

The Background
Each year, since January 2012, there’s a challenge that becomes an elaborate Easter egg hunt. The trail starts on 4Chan, one puzzle leads to another, and things get weird (even creepy) along the way. Cicada 3301 is…


Brilliant New Device Lets Protesters Jam Surveillance, Block Stingrays

Earlier this week, an anonymously leaked recording exposed the agents monitoring the protesters’ movements by tracking their phones.

And that’s where a new product called Tunnel enters the scene.

To protect its own privacy, the NSA pays big bucks to install copper – yes, you read that correctly: copper – around the equipment in its buildings.

It turns out that copper has a unique conductive property that allows it to block surveillance, letting those who use it hide their activities from would-be spies.

The main NSA headquarters is described as ”a building covered with one-way dark glass, which is lined with copper shielding in order to prevent espionage by trapping in signals and sounds.”

The question becomes: if they can protect their own privacy with copper, why can’t we use this same technique to protect our privacy from them?

Well now we finally can.

Tunnel is a portable Faraday enclosure that uses a 100% authentic copper shielding system to surround your phone. When your phone is inside, it forms a topologically near-complete surface to prevent non-ionizing radiation from penetrating its boundaries, letting you avoid surveillance.

Thankfully, it’s not going to cost thousands of dollars, which has come as great news for protesters and other privacy advocates.


The leak reportedly contained a raw audio recording of a federal agent assuring a police officer that he was “keeping an eye on it,” referring to a girl who was on her phone during the protests.

The audio was leaked just days after multiple protesters independently confirmed that a state vehicle equipped with a Stingray was following them and gathering information from their smartphones.



“Law enforcement is using this information to investigate and prosecute people without warrants – that is unconstitutional. At the national level, the same thing is happening,” said Kirk Weibe, a former NSA employee, speaking out against the use of Stingrays.

Citizens can start to protect themselves from this by Tunneling their phones.

It can work with all the popular smartphones and blocks the entire range of MHz needed for surveillance.

Disclaimer: we do not condone the use of Tunnel for illegal activities, of course, but it’s perfect for jamming up systems of surveillance that attempt to peer into your smartphone and track your location unlawfully.

You’ve gotta love it. The same kind of metal used by a government to protect their own data, now installed in a flexible phone case and able to be used by citizens.

EFF – SecUpwN/Android-IMSI-Catcher-Detector


Both law enforcement agencies and criminals use IMSI-Catchers, which are false mobile towers acting between the target mobile phone(s) and the service provider’s real towers. As such, it is considered a Man In the Middle (MITM) attack. It was patented and first commercialized by Rohde & Schwarz in 2003, although it would be hard to maintain such a patent, since in reality it is just a modified cell tower with a malicious operator.


On 24 January 2012, the Court of Appeal of England and Wales held that the patent is invalid for obviousness. But ever since it was first invented, the technology has been used and “improved” by many different companies around the world. Other manufacturers (like Anite) prefer to refer to this spying and tracking equipment in cozy marketing words as “Subscriber Trackers”. In the USA this technology is known under the name “StingRay”, which is even capable of tracking the people who are traveling together with the owner of a targeted phone across the country. Here you can see alleged StingRay tracking devices mounted to the roof of three SUVs. The FBI or local police might deploy the device at a protest to obtain a record of everyone who attended with a cell phone. IMSI-Catchers also allow adversaries to intercept your conversations, text messages, and data. Police can use them to determine your location, or to find out who is in a given geographic area at what time. Identity thieves might operate an IMSI-Catcher in a parked car in a residential neighborhood, stealing passwords or credit card information from people nearby who make purchases on their phones.


There is more: Powerful, expensive IMSI-Catchers are in use at federal agencies and some police departments. And if you think that IMSI-Catchers are not used in your own town, think twice! If you ever happen to be near a riot or demonstration (hint: leave your phone at home if participating), pay close attention to cars standing along the path of the demonstration – those might be IMSI-Catchers. It is common practice for police to position IMSI-Catchers at the beginning as well as the end of roads where the demonstrating crowd moves, to capture and compare data in order to find out who participated. But most of the time IMSI-Catchers are well hidden and can even be body-worn – therefore you won’t even discover these creepy devices. Current technology shrinks them to be as tiny as your phone! So again, if you really have to participate in a riot or demonstration, leave your phone at home or build yourself a signal blocking phone pouch!


In addition, all IMSI-Catchers can crack A5/1 encryption, which is most commonly used for GSM traffic, on the fly (passively)! A5/3 encryption, which is used for securing 3G and is offered as the new security standard for GSM encryption, remains secure in practice while susceptible to theoretical attacks. Although 3G and 4G offer sufficient protection from eavesdropping, the security measures can be bypassed by IMSI-Catchers forcing a mobile device into 2G mode and downgrading encryption to A5/1 or disabling it. For further reading on the algorithms, check out the Cryptome GSM Files.

There are almost no phones on the market which offer an option to check what kind of encryption is used to secure GSM traffic. And although the Issue of not having a convenient display of the Ciphering Indicator has been assigned to Google since 2009, it seems they’re getting paid (or are forced) to blatantly ignore it. Just recently, a new open source project called the “Android-CipheringIndicator-API” opened its doors to finally craft an API which fixes this Issue and merge the resulting API into the Android AOSP branch. But currently, the only way to protect a mobile device from downgrade attacks is to disable 2G if this option is available. In this case, the phone will not be able to receive or make calls in areas without 3G coverage. This is why the original author named “E:V:A” started this project. Let’s detect and protect against these threats! Never think you’ve got “nothing to hide”.
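The downgrade pattern described above (3G/4G session forced onto 2G with A5/1 or no cipher) is what a detector on the handset would watch for. The following is an added example in the spirit of that idea, not code from the Android-IMSI-Catcher-Detector project; the event format, cell numbers and cipher names in the sample log are constructed, and it assumes the phone can expose its current radio technology and ciphering indicator.

```python
"""Flag radio-state transitions that look like an IMSI-catcher downgrade."""
# Added example, not the project's code. The RadioEvent shape is invented: it assumes
# the handset reports radio access technology and the ciphering indicator per event.
from dataclasses import dataclass

# Strength ordering as the text describes it: A5/3 is sound in practice,
# A5/1 is breakable passively, and no ciphering at all is the worst case.
CIPHER_RANK = {"A5/3": 2, "A5/1": 1, "NONE": 0}
RAT_RANK = {"LTE": 3, "UMTS": 2, "GSM": 1}   # radio access technology, best to worst


@dataclass
class RadioEvent:
    t: int          # seconds since the log started
    rat: str        # "GSM" (2G), "UMTS" (3G) or "LTE" (4G)
    cipher: str     # "A5/3", "A5/1" or "NONE", as a ciphering indicator would show
    cell_id: int
    lac: int        # location area code


def find_downgrades(events: list[RadioEvent]) -> list[str]:
    """Return one alert string per suspicious transition between consecutive events.

    Heuristics, all defensive:
      1. the radio drops to 2G and the cipher is A5/1 or off;
      2. the cipher weakens while the phone stays on the same cell;
      3. the phone lands on a new cell that has ciphering disabled.
    A drop to 2G that keeps A5/3 is not flagged, matching the text's assessment of A5/3.
    """
    alerts = []
    for prev, cur in zip(events, events[1:]):
        rat_dropped = RAT_RANK[cur.rat] < RAT_RANK[prev.rat]
        weak_cipher = CIPHER_RANK[cur.cipher] <= CIPHER_RANK["A5/1"]
        cipher_weakened = CIPHER_RANK[cur.cipher] < CIPHER_RANK[prev.cipher]
        same_cell = (cur.cell_id, cur.lac) == (prev.cell_id, prev.lac)
        if rat_dropped and cur.rat == "GSM" and weak_cipher:
            alerts.append(f"t={cur.t}: forced to 2G with {cur.cipher} "
                          f"(was {prev.rat}/{prev.cipher})")
        elif cipher_weakened and same_cell:
            alerts.append(f"t={cur.t}: cipher downgraded {prev.cipher}->{cur.cipher} "
                          f"on same cell {cur.cell_id}")
        elif cur.cipher == "NONE" and not same_cell:
            alerts.append(f"t={cur.t}: new cell {cur.cell_id} (LAC {cur.lac}) "
                          f"with ciphering disabled")
    return alerts


# Constructed sample log: a normal 3G session, a push to 2G on an unfamiliar cell,
# ciphering switched off on that cell, then a return to the original 3G cell.
SAMPLE_LOG = [
    RadioEvent(0, "UMTS", "A5/3", 4101, 12),
    RadioEvent(30, "UMTS", "A5/3", 4101, 12),
    RadioEvent(60, "GSM", "A5/1", 9001, 77),
    RadioEvent(90, "GSM", "NONE", 9001, 77),
    RadioEvent(120, "UMTS", "A5/3", 4101, 12),
]

if __name__ == "__main__":
    for alert in find_downgrades(SAMPLE_LOG):
        print(alert)
```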

Server 2012 – How to pass Exam 410 – Windows Server 2012 r2

The trio of Windows 2012 r2 exams are certification exams 410, 411 and 412.

Basically pass these, and an employer will feel comfortable with your base knowledge of Server 2012.  So what’s the step by step procedure to passing exam 410?

Step 1 – Best book

The best book that I’ve found so far, is the Microsoft Academic Press book by Craig Zacker.  There’s a 2012 and a 2012 r2 version.  They’re expensive, so buy them second hand or from a discount seller.  It’s almost 600 pages, so you’ll need to set aside an hour a day, to read it.  However there’s lots of screenshots, which are great for visual learners and memory retention.


Step 2 – CBT Nuggets for Exam 410

These keep being recommended.. yet I’ve never used them – so this time, I’m going to.  The site states that exam 410 comprises 31 videos, and 19 hours of training.  IMHO, these are probably best to view at a time when you’re too tired to read, or just need something to unwind to.  It’s either this or Lady Gaga on Youtube.  So no contest there then…

Step 3 – Transcenders – ACTIVE LEARNING

The “Mandatory” step.  Transcenders are a test engine… which offer “ACTIVE LEARNING”, through a question and answer format, similar to the real certification exam.  They cost approximately £90 – but are cheaper than failing an exam.

So why am I a die hard fan of the Transcenders test engine?  It’s because their format provides ACTIVE LEARNING, in a format identical to the real exam.  You’ll learn to “read” the question, understand the question and learn to time yourself.

Most importantly Transcenders will identify your weak areas.  Previously I’ve put back a certification exam by a month, if I’ve got a weak spot.. to allow extra time to revise that topic.

In certifications such as Linux, Transcenders are mandatory.  I’ve had a Transcender question that didn’t appear in 6 separate Linux Certification books.  So you can have EVERY book on a certification topic, and Transcenders will still catch you out.  It’s better to be caught out in a test engine than during the real certification.

A lot of Certifications are not complex, but require you to remember a lot of information.  Give yourself time to read, understand, memorise and apply this information.

Step 4 – 3 months later

University courses run induction from the end of September and lectures start the first week of October.

So you decided to buy the certification book… buy it September/October and by the end of 3 months you should have read all 600 pages and started to cram and prepare a lab to test your skills.

Around mid December get your Transcenders ready and start to answer questions… what scores are you getting?  Where are your skills and knowledge weak?

Step 5 – Christmas Holidays

The Christmas holidays are no excuse to stop revision.  Just like in University, the Christmas holidays are a time to double your workload.  You must start revising between 2-3 hours a day at a minimum during the Christmas break.

If you wake up at 6.00 am, you can revise for 1-2 hours before anyone will realise –  Stay in bed with your books…

A key question is what time of day is your best time to revise?

Some people memorise best, first thing in the morning (myself included), some find it best to revise at night (which is a waste of time for some of us).

Do you need to be warm or cold? (I have to be very warm for some reason.)

Do you need total silence or music on? (I need total silence.)

Get to know the “conditions” that you need to revise well.  Adapt your routines to suit your body clock.  There is no single answer to this – *YOU* must find what works for you…  If you find that your memory retention is “useless” regarding what you read at night… then stop revising at night.

On to the Timetable…

You should begin testing using the Transcenders over Christmas.  When you find yourself failing a topic – get out the books and start studying everything you can about that topic.  Understand why this topic is so important.

Step 6 – Sit your exam mid to end of January

The University timetable will schedule exams for mid to end January.

Keep this timetable in your real work certification.  During January you will sit exam 410 Windows Server 2012.  This focus on a deadline will keep you motivated.

If you aren’t getting a 100% pass rate in Transcenders, then put back your exam to February.  This will give you some extra revision time if you think you’re going to fail.

Final thoughts.

During the long cold winter, revising a certification in bed in the mornings means that you:

1. Get to stay in bed longer

2. Get to drink your morning coffee in bed – every day!!

3. Get to read the book – when your mind is empty, and able to take in new information.

4. Get to study your Certification, rather than wishing you could find the time to do them.

5. Even passing a single Certification is better than having none at all.  So chip away at them.  Just like learning a musical instrument, prepare yourself with an hours practice a day.

Study from 6 am to 7 am every morning, if that’s the only time of the day that you can. All those “an hour a day” mount up – VERY quickly.  Within 2 months you’ll become “addicted” to the revision and passing. It’ll become a routine – that will make you more effective at work, and more qualified – it’s a win win.  But you need that “hour a day” to turn it around.

So what’s your New Years Resolution?

To drink coffee in bed every day and pass those certifications?

InSSIDER – How to monitor WIFI for higher speeds and clearer signals – Windows 7 and MAC

There is only one free WIFI scanner that I rate highly, namely InSSIDer Home, which works on Windows and Mac.

You can download the free home version here:

Version 4 is the paid for version – the Home version is free from copyright restrictions, so don’t worry about downloading this from torrents.

Step 1 – Install InSSIDer

The main menu screen appears – click on Networks.


Step 2 – Find the SSID of your home Wifi


1. Find the signal strength of your home wifi – the closer the reading is to zero, the better (a reading around -30 dBm means you’re sitting on top of the WIFI).  Metageek have provided a signal strength guide, which I’ve copied for you – at the end of this article.

2. Look at the Link Score – the higher the better!  This shot is messy, as for privacy reasons I’ve had to remove the SSIDs and MAC addresses of the routers detected.


Often your neighbours’ WIFI will interfere with your signal.

The best channels are 1, 6 and 11 – and now you’re going to want to know why these channels are the best.  The 2.4 GHz band has 11 channels – which are crowded and overlapping.

Metageek explain this well: “The 2.4 GHz Wi-Fi (802.11 b/g/n) spectrum is 100 MHz wide and made up of 11 channels centered 5 MHz apart. Each 2.4GHz channel is 20 – 22 MHz wide.”

If each channel is 20 MHz wide, this means there will be a minimum of 10 MHz of overlap with neighboring channels (overlapping channel interference). For example, if your network is on channel 9, it will overlap with channels 7, 8, 10, 11.


However, Channels 1, 6 and 11 don’t overlap each other.

Your neighbours’ WIFI will transmit and interfere with your signals… here’s the kind of odd interference that I suffer from… caused by a WIFI across the street from me (it’s the red dotted line… it spikes constantly).


InSSIDer will also split the channels by frequency, e.g. the 2.4 GHz or 5 GHz bands, and show any overlapping channels.


Cool tool, right?

What signal strength do you need?

Wi-Fi signal strength is generally measured in dBm, which is not an absolute value but a logarithmic one.

A 3 dB gain means *TWICE* the signal strength, while a 3 dB loss *HALVES* the signal strength.  Remember these rules when designing your WIFI.

Metageek have provided a signal strength guide, which basically means that if you can get -50 to -60 dBm, then that’s fine for most applications.
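The two rules above (channels 1, 6 and 11 don’t overlap because centres are 5 MHz apart with ~22 MHz wide channels, and dBm is logarithmic so +3 dB doubles the power) can be turned into a small channel-picker. This is an added example, not code from the article or from Metageek; the scan list is constructed in the shape inSSIDer shows, and the 22 MHz channel width is an assumption taken from the upper end of the quoted 20–22 MHz.

```python
"""Pick the least-congested 2.4 GHz Wi-Fi channel from a scan listing."""
# Added example; not part of the original article or of inSSIDer.

CHANNEL_WIDTH_MHZ = 22  # assumption: 802.11b/g channel width (article quotes 20-22 MHz)


def center_frequency_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel: 5 MHz spacing, channel 14 is the odd one out."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a: int, b: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels share spectrum when their centres are closer than one channel width."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < width_mhz


def overlapping_channels(channel: int) -> list[int]:
    """All channels (including itself) that overlap `channel`."""
    return [c for c in range(1, 15) if channels_overlap(channel, c)]


def dbm_to_milliwatts(dbm: float) -> float:
    """dBm is logarithmic: +3 dB roughly doubles the power, -3 dB halves it."""
    return 10 ** (dbm / 10)


def congestion_mw(channel: int, neighbours: list[tuple[str, int, float]]) -> float:
    """Total received power (mW) from every neighbour whose channel overlaps `channel`.

    Powers add linearly, so each dBm reading is converted to milliwatts before summing.
    """
    return sum(dbm_to_milliwatts(rssi)
               for _ssid, ch, rssi in neighbours if channels_overlap(channel, ch))


def best_channel(neighbours, candidates=(1, 6, 11)) -> int:
    """The candidate channel with the least overlapping neighbour power."""
    return min(candidates, key=lambda ch: congestion_mw(ch, neighbours))


# Constructed scan results: (SSID, channel, signal in dBm), as inSSIDer would list them.
SAMPLE_SCAN = [
    ("NeighbourA", 1, -60.0),
    ("NeighbourB", 3, -55.0),          # sits between 1 and 6, overlapping both
    ("NeighbourC", 9, -45.0),          # strong, overlaps both 6 and 11
    ("AcrossTheStreet", 11, -70.0),
]

if __name__ == "__main__":
    for ch in (1, 6, 11):
        print(ch, overlapping_channels(ch), f"{congestion_mw(ch, SAMPLE_SCAN):.3e} mW")
    print("best:", best_channel(SAMPLE_SCAN))
```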




GCHQ/NSA Data-Grabbing Malware Disguised Itself As Microsoft Drivers, Was Served Via Fake LinkedIn Pages

Some nasty malware with a decade of history behind it has been uncovered and it has the fingerprints of two governments all over it.

Complex malware known as Regin is the suspected technology behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to security industry sources and technical analysis conducted by The Intercept.

Behind the malware — which disguised itself as Microsoft drivers and was served via malicious, fake LinkedIn pages — lies a cooperative effort between the NSA and GCHQ. Belgacom has long since ousted the intruding software and is now working with a federal prosecutor to pursue a criminal investigation. Belgacom’s subversion by this malware — comparable in sophistication to the infamous Stuxnet, according to Symantec (which published its findings last Sunday) — led to the breach of EU offices.

Spying on foreign governments is what intelligence agencies are expected to do. But dumping malware into the operating systems of a communications provider generally isn’t. Belgacom’s infection is the only verified incident so far, but there are likely many, many more considering the Regin malware traces back nearly ten years.

Based on an analysis of the malware samples, Regin appears to have been developed over the course of more than a decade; The Intercept has identified traces of its components dating back as far as 2003. Regin was mentioned at a recent conference in Luxembourg, and Symantec’s report on Sunday said the firm had identified Regin on infected systems operated by private companies, government entities, and research institutes in countries such as Russia, Saudi Arabia, Mexico, Ireland, Belgium, and Iran.

What’s currently out there in the wild may not be as effective anymore. Belgacom discovered its infection around June 21, 2013, about a week before Der Spiegel published Snowden documents pointing to the digital infiltration of EU offices. The Intercept has made the malware available for download and states the following in its article.

Given that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has replaced their toolkit and no current operations will be affected by the publication of these samples.

Snoopers Charter part 2 – IP Matching

The blessed government is attempting to bring us the “Snoopers Charter” part 2, in the guise of “IP Matching” laws.  Here we go again.

In November 2014 it was announced that the Government would bring forward proposals to enable IP address matching. The measures would require internet firms to keep records of customer information to enable law enforcement bodies to decipher who was using a device such as a smart phone or computer at a given time.
What is it with this government and the Snoopers Charter… have they never heard of virtualised network adapters, VMWare, Server 2012 (uses virtualised switches), proxies, VPNs, OpenVPN – all of which dislocate the IP from the device?

What next…  I know – let’s ban Server 2012?   And heaven help VMWare… they’re definitely on the extremists watch list.

DHCP is clear evidence of extremism.. anyone that doesn’t have a static IP definitely has something to hide.

Is it the 1st of April today, and I’ve missed it?

GOTCHA: Google caught STRIPPING SSL from BT Wi-Fi users’ searches

Google’s “encryption everywhere” claim has been undermined by Mountain View stripping secure search functions for BT WiFi subscribers piggy-backing off wireless connections, sysadmin Alex Forbes has found.

The move described as ‘privacy seppuku’ by Forbes (@al4) meant that BT customer searches were broadcast in clear text and possibly open to interception.

 Customers were told that the network, rather than the Chocolate Factory, “has turned off SSL search”, a statement Forbes proved to be false.

Google engineer and security bod Adam Langley in a forum comment confirmed the SSL strip and said it would be removed ‘soon’.

“At the moment, yes, no nosslsearch VIP will do this. However we’re getting rid of it soon and replacing it with one that enables SafeSearch, but still over HTTPS,” Langley said.

“However, if you want an encrypted search option, ‘’ is always encrypted and isn’t affected by these methods.”

Google and BT have been contacted for comment.

Forbes speculated in a blog detailing the SSL strip that BT may have removed the security measure to facilitate content filtering for kids or ‘more likely’ for data mining.

“It’s reasonable to expect that BT knows the location of every BT WiFi router within 10 to 15 metres, because it has a home address for every one of them,” Forbes said.

“… knowing what is searched by location is a marketing gold mine.”

A curl request examining whether public DNS could get around the security gap demonstrated Google was redirecting users to unsecured http through a 302 Found header.

“What we’re witnessing therefore, is almost certainly the result of a commercial agreement between BT and Google UK — one that exchanges the privacy of my searches for BT and Google’s commercial gain,” Forbes said.

Duckduckgo it is then.
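The check Forbes ran with curl, looking for a 302 that sends an https:// request to an http:// URL, is easy to script so it can be repeated on any network you connect from. This is an added example, not the article’s or Forbes’s actual curl output: the two responses and the `.test` hostname below are constructed to match the shape of the redirect the article describes.

```python
"""Detect an HTTPS -> HTTP redirect (the 302 'SSL strip' described above) in a raw response."""
# Added example; constructed responses, not the article's or Forbes's curl output.
from urllib.parse import urljoin, urlsplit


def parse_response_head(raw: str) -> tuple[int, dict[str, str]]:
    """Split an HTTP response head into (status code, lowercase-keyed headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    headers: dict[str, str] = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def redirect_downgrades_tls(request_url: str, raw_response: str) -> bool:
    """True when a 3xx response to an https:// request points at an http:// URL.

    Location may be relative, so it is resolved against the request URL first;
    a relative Location keeps the original scheme and is therefore not a downgrade.
    """
    status, headers = parse_response_head(raw_response)
    if not (300 <= status < 400) or "location" not in headers:
        return False
    target = urljoin(request_url, headers["location"])
    return urlsplit(request_url).scheme == "https" and urlsplit(target).scheme == "http"


# Constructed request and responses (placeholder host, not a real search engine).
REQUEST = "https://search.example.test/search?q=test"

STRIPPED = (          # the pattern the article describes: 302 from https to plain http
    "HTTP/1.1 302 Found\r\n"
    "Location: http://search.example.test/search?q=test\r\n"
    "Content-Length: 0\r\n\r\n"
)
KEPT = (              # a benign redirect that stays on https
    "HTTP/1.1 302 Found\r\n"
    "Location: https://search.example.test/search?q=test&safe=active\r\n\r\n"
)
RELATIVE = (          # relative Location: resolves to https, so not a downgrade
    "HTTP/1.1 302 Found\r\n"
    "Location: /search?q=test&safe=active\r\n\r\n"
)

if __name__ == "__main__":
    for name, resp in (("stripped", STRIPPED), ("kept", KEPT), ("relative", RELATIVE)):
        print(f"{name}: downgrade={redirect_downgrades_tls(REQUEST, resp)}")
```

To use it against a live response, feed it the output of `curl -si` (headers included) for the URL you requested.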

Note: Use or as your search engine, as neither will track your IP. 


Take Home Message

1. Use a VPN – with OpenVPN.

2. Always consider BT or any ISP as the “enemy”. 
Historically OpenVPN was designed to combat Russian & Chinese ISPs.

3. Use strong encryption – AES 256 for your symmetric cipher, along with at least 4096-bit public keys.

4. Select your VPN provider from neutral third party information.
Use the or EFF membership (as in IVPN).

The use of a VPN is basically mandatory. If Google has the data – so does your government, council, benefits agency and divorce lawyer.
Get real – get a VPN.


Which is the safest VPN on the market? Who do I use for a VPN?

Alternatives to Getting Busted


I agree that a degree in INFOSEC alongside CCNA or MSA, is the only way to get a job. Employers LOVE INFOSEC qualifications, but won’t hire you unless you have the old tried and trusted CCNA or MCSE, MCSD. Certifications are the key ingredient. I’ve seen PhDs in INFOSEC who are unemployable… give those same PhDs a CCNA and they’ve got 10 jobs. The combination is unstoppable. All Universities should make year 1 and year 2 students sit their CCNA exams as part of the course.

Originally posted on XeroCrypt Blog:

The KPMG’s survey and the Wall Street Journal’s coverage of it needed a response, beyond my slightly facetious reply to the latter’s Twitter operative.
Now, I’ve done quite a lot to distinguish myself over the past several years, worked on a few things here and there, been in some interesting places, and I’m still (roughly) in the same position as most computer/INFOSEC security graduates. I’ve also done a bit to mentor (God knows how many) people attempting to learn every tool and technique under the sun, in their attempts to tick all the right boxes, without much success, for some entry-level position. When it comes to the ‘skills shortage’, the media’s evidently reporting things wrong, and I think most of us (myself included) have completely misunderstood the way things work.

So the idea being promoted that firms are more likely to hire people convicted of hacking-related crimes in order to…


Windows 7 – How to find out which websites are listening in

Applications often dial home to their mothership – but how do we detect this?  It’s quite easy, but often we need to know the application that’s dialing home, so that we can prevent the data leak.

Step 1 – Admin CMD

Start > Accessories > Command prompt > right click > run as Administrator

Step 2 – Netstat to find connections

This netstat command will save the connections into a notepad file called “activity.txt”.

netstat -abf 5 > activity.txt


Leave this for 2-3 minutes, then press Ctrl+C – to cancel the logging.


Step 3 – Open activity.txt

Here we can see Firefox and IVPN connections.

It’s that easy!
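Reading activity.txt by eye works for a few connections, but after 2-3 minutes of 5-second snapshots the file repeats itself many times over. The following is an added example, not part of the original post, that collapses a `netstat -abf` capture into “which executable talked to which remote hosts” and flags anything outside an expected list; the capture below is constructed to match netstat’s layout (connection lines first, then the owning `[name.exe]` line).

```python
"""Summarise a `netstat -abf` capture (activity.txt) as remote hosts per process."""
# Added example; the sample capture is constructed to mirror netstat -abf's layout.
import re
from collections import defaultdict

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+\.exe)\]\s*$", re.IGNORECASE)


def split_host_port(endpoint: str) -> tuple[str, str]:
    """'host:port' -> (host, port); IPv6 endpoints are written as [addr]:port."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str) -> dict[str, set[str]]:
    """Map each owning executable to the set of remote hosts it was talking to.

    netstat -b prints the connection lines first and the owner '[name.exe]' after them,
    so connections are held as pending until the owner line arrives. Listening sockets
    and wildcard peers are skipped, and repeated 5-second snapshots collapse into the set.
    """
    owners: dict[str, set[str]] = defaultdict(set)
    pending: list[str] = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            _proto, _local, foreign, state = m.groups()
            host, _port = split_host_port(foreign)
            if state == "LISTENING" or host in ("*", "0.0.0.0", "::"):
                continue
            pending.append(host)
            continue
        m = OWNER_RE.match(line)
        if m:
            owners[m.group(1).lower()].update(pending)
            pending.clear()
    return {proc: hosts for proc, hosts in owners.items() if hosts}


def dialing_home(text: str, allowlist: set[str]) -> dict[str, set[str]]:
    """Only the (process -> hosts) pairs with hosts that are not on the expected list."""
    return {proc: hosts - allowlist
            for proc, hosts in parse_netstat(text).items() if hosts - allowlist}


# Constructed capture: two 5-second snapshots, hostnames are placeholders.
SAMPLE_CAPTURE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:49700     telemetry.example.test:https  ESTABLISHED
 [updater.exe]
  TCP    192.168.1.20:49701     cdn.example.test:https  ESTABLISHED
  TCP    192.168.1.20:49702     cdn.example.test:http  TIME_WAIT
 [firefox.exe]
  TCP    0.0.0.0:135            DESKTOP-1:0            LISTENING
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*
 [svchost.exe]
  TCP    192.168.1.20:49710     vpn.example.test:https  ESTABLISHED
 [openvpn.exe]

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:49700     telemetry.example.test:https  ESTABLISHED
 [updater.exe]
"""

if __name__ == "__main__":
    for proc, hosts in dialing_home(SAMPLE_CAPTURE, {"vpn.example.test"}).items():
        print(proc, "->", ", ".join(sorted(hosts)))
```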
