viernes, 7 de julio de 2017

LeakVM will be published this month !!!

Research & Pentesting for Android, Run security tests instantly


  • Ptrace/ASLR/Yama Bypass
  • Linux common features
  • Dynamic library loading
  • SmartLock extraction
  • Private file extractor
  • Privilege escalation
  • KeyStore extraction
  • Advanced reflection
  • Core Observers
  • Library injection
  • Extensible

  • Android 4.4 to 6.0
  • Architectures Arm(32/64 bits), x86(32/64 bits)

Social Sites:

miércoles, 22 de marzo de 2017

Xtreme Tech LLC: An Offensive Security Startup

Finally are finishing our first commercial product 'LeakVM', and be published under our company 'Xtreme Tech'.

LeakVM fast security test on Android, by skipping the time consuming build pentest laboratories, you test on real devices, do not need root your smartphone. LeakVM makes researchers and pentesters more productive since they can run test on real time and on real environments.

Our technology uses the same techniques used in criminal software, but in a controlled environment, you always have control over the SDK, our product, gives you a real approach against real malware and/or real attacks.

Current features:

  • Linux common features
  • Dynamic library loading
  • Native/VM library injection
  • Private file extractor
  • Privilege escalation
  • KeyStore extraction
  • Advanced reflection
  • Core Observers
  • Extensible

We are currently under development, in a short time LeakVM will be available to the public with 10 days Trial Free, you can test our Web Interface, and check our JavaDoc

Follow us on: TwitterLinkedIn, Facebook

jueves, 22 de diciembre de 2016

LeakVM: You team are ready for us ?

I be working hard for an long time on related projects: code transformation, reflexing, modify, remove, overwrite, hooking, injecting, bypass security, spy/crypt tech, oh well now i be very close to finish my first commercial version of LeakVM, on the next weeks i update info about, payment ways, documentation, code examples, SDK, etc.

Surely your team has a very important question, can everyone buy this? Yes absolutely everyone, we are not HackTeam, we sell our tools thinking on an good price, an price averyone can pay, there are no rules, it's the real world, The Free Market, no matter that they try to ban my accounts, I always will found how to trade this, we do not have stupid rules like in US or EU, simply our only rule is: you can pay it? 

LeakVM web interface

You team are ready for us ? LeakVM 

Insecure Cordova Banking App

This time i be exposes to: Davivienda Móvil, BANCO DAVIVIENDA S.A.

Which it has a number of serious security problems:

1-Insufficient Transport Layer Protection
2-Lack of Binary Protections
3-Insecure Local Storage
4-Broken Cryptography

This application allows cloning of credentials via VM Injection attacks, the company responsible for developing the app was "Todo1", too detect an insecure library developed by "Easy Solutions".


GitHub: ExposingIndustryMediocrity

miércoles, 12 de octubre de 2016

The Untold Truth about Zeus Case

So many publications on the case were made, this gave around the world, still does.

A judge sentenced two hackers involved in the creation, maintenance, and marketing of the SpyEye financial botnet to a combined sentence of 24 years in prison, the US Department of Justice has announced today

Aleksandr Andreevich Panin, 27, from Russia, known online as Gribodemon and Harderman, received nine and a half years in prison, while his accomplice, Hamza Bendelladj, 27, from Algeria, known online as Bx1, got 15 years in jail.

The official documents say that:

The lawsuit names "John Does 1-39" which are described by their online monickers or "handles", many of which will be well known to anyone who has been researching Zeus:

JOHN DOES 1-39 D/B/A Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits AND JabberZeus Crew CONTROLLING COMPUTER BOTNETS THEREBY INJURING PLAINTIFFS, AND THEIR CUSTOMERS AND MEMBERS.

All of the supporting legal documents can be found on the Microsoft-registered server: 

The Zeus malware also goes under the name Ice-IX and SpyEye. Microsoft said John Doe 1, who goes by the name Slavik, Monstr, IOO, and Nu11, is the creator. John Doe 2, aka zebra 7753, lexa_mef, gss, and iceIX, created a Zeus family member called Ice-IX, Microsoft said, and John Doe 3, aka Harderman and Gribodemon, created another family member called SpyEye, the complaint said.

John Doe 5, aka miami and miamibc, John Doe 9, aka Kusunagi, and John Doe 38, aka jheto2002, are other developers involved, writing "Web inject" code that gets the malware onto victims' computers, the complaint said. Some other defendants also were involved in developing the software.

John Doe 4, aka Aqua, aquaSecond, percent, cp01, and other aliases, recruits "money mules" whose job it is to travel to different countries to create bogus bank accounts into which victims' money is transferred. Several of the other John Does are these money mules. John Does 23 and 24, aka jtk and Veggi Roma, respectively, also recruited money mules, the lawsuit said.

My mistake was publish an link of my PoC without source code on Hackforums, now not remember the post, that is the Source Code

For years i searching info about that, why , why, why, Until both found on LinkedIn, "Jorge Mieres" an researcher, he knowns all about Zeus, the he told me that had spent much time researching and long after demand also, we talk more for months, he explained that, the research was done lightly, without a thorough analysis, without facts simply they wrote down on paper, any damn profile fit on that, the investigation was not serious, just fish in a jumbled barrel, he spoke with many people from Microsoft and thought the same, but everyone kept his mouth shut, criminals, protecting criminals i always say, you do wrong things, you not like be "catched", especially if your company is "Microsoft" trying to "catch" Banking Trojans criminals.

On this time i be really desperate, months without job, freelance, nothing, all people call me criminal, that was the shit, and continues today, on this times i "decide" be "an criminal", an write a lot of shit on Pastebin, saying good bye, Jasper Hamill , write an article on Forbes "A Hacker's Guide To Finding A Job"

On 2011 the Source Code of Zeus was published on Github that contains the Server Code

On this days i try to demand this guys for that, but all layers on my country only talk about of lot money to review my case, and more money to send that to the court, well i continue with my life, doing more "PoC's", doing more reversing, cheeking Apps, Libs, API, a lot of things, is a lot of bullshit on the head, on this time i meet security people on LinkedIn (Kandy, Bob, Jorge, Hernan, Mayur, Dave, Remo, Marnix, Dhamu, and more) and Twitter (Disassembler, Claus, Odisseus, maldevel, and more), they always try give me ideas to get job or make tools to sell, sharing post's, or this type of things, really good people, while everyone called me criminal they always try to help me.

But the top news never says they spoke lies about me, I was never part of a criminal network, Internet all the idiots believe that "you are a criminal".

Some days ago, again come back this mother fucker, and sent an inbox message:

8 Oct, 21:57 Request: Please tell me a little bit about yourself. I remember your name from the Zeus botnet matter that I was involved with. I would appreciate learning a bit more about you. Thanks, Gabe.

That explode on my mind, this guy not have shame, i'm not "involved with", you say more crap about me, but i remember the words of Kandy: You are gifted, not an criminal, be an legend; That is the reason of this post and all my PoC's and Tools.

All my Twitter, LinkedIn and Blogger followers knowns what i can do with the code, if i be criminal, i be fully of money, and would not be seeking employment and/or trying to create my own LLC Company.

For this reason i send an email to "Public Defender on California", telling him this story, oh well, if these guys do not get charges, the legal system in the US sucks and is criminal, plain and simple.

How i probe i not be an criminal simple, i found and report this vulnerabilities:

Android CitiBank Colombia
Android IPC Communication 

Android Third Party Validation
Android Amazon AWS SDK 

Android Parse SDK

Technicolor TC7300 Bad configuration
Windows Privilege Escalation

Too i develop this things to detect vulnerabilities and protect the data of the people.

VectorAttackScanner - VAS
E2EE (End To End Encryption, RSA2048 + AES256 + PBKDF2 + RSA Signature Verification)

Too the news say that:

Thanks to Alexander Knorr for the research, and Security Scorecard by publishing: The Calm Before the Mobile API Data Breach Storm
Thanks to Jeremy Wagstaff for the research, and Reuters by
publishing: 'Billions' of Records at Risk From Mobile App Data Flaw  

Too if you compare My code and Zeus code is another thing, You need to be a very big ignorant if try to compare my PoC with the code of Zeus.

Or well, if i be an criminal spreading "Zeus", where are my fucking thousands or millions dollars ?  The reality is if i not finish my new tool LeakVM on few months, literally "we be on the street". 

When you say on an legal case, "jheto2002 (Jheto Xekri - Me), are other developers involved, writing "Web inject" code that gets the malware onto victims'", you are affirming, you need
facts, you defame me, you do damage the my public image, you doing damages their mental health and tranquility, and utterly destroy job opportunities on software/security industry, and maybe more, this makes you a criminal by you acts and by you words, you are a liar.

miércoles, 28 de septiembre de 2016

Exposing the Colombian Industry Mediocrity

This time i be exposes to: CitiMobile CO, Citibank Colombia S.A

Which it has a number of serious security problems:

1-Insufficient Transport Layer Protection
2-Lack of Binary Protections
3-Insecure Local Storage
4-Broken Cryptography

This application allows cloning of credentials via MITM attacks, It is something really serious in a banking application.

Details: CityBank.CO

GitHub: ExposingIndustryMediocrity

miércoles, 3 de agosto de 2016

Transformation Oriented Programming (TOP)

For some time now I can not stop thinking about how this built our world (opcodes), developing Vector Attack Scanner and Dark Ether, I've seen this is as primordial matter, apparently are only actions for a processor, but this is like elementary particles , all together form our universe, meet each other to create more complex elements, if all the matter of our universe is created by frequency (M and String Theory), this is almost the same, I can not sleep of thinking in this, so I stopped a few things that was developing and testing it out in my free time, I think to finish this is more important, not how long it takes to write me, you maybe a few months or more, but it will be great fun to do, so it will not be more PoC's for a while, just the usual publications on Twitter and LinkedIn.

All this on the theory of Dark Ether has made me think about a paradigm: "Transformation Oriented Programming" when this is over is the'll show you, I know you will love it, this is no longer tries to find an 0day, or bypass something, is like not to see a world solid in three dimensions, it is like seeing formless, multidimensional to infinity, where all dimensions are one above the other, communicating among themselves, where everything can be what you want it to be, if know how to do it, it sounded crazy, but it's always the same, only the crazy people can create different things.

Thanks for reading me and send me emails.

sábado, 7 de mayo de 2016

Turning Android on an Cyber War Camp

Again we come back with the same problems of Android and Java; Serialization and methods unvalidated.

This time, our new security flaw, It allows us crashing applications, creating a permanent denial of service (DoS), if runs that, can crashing repeatedly, and stop application completely and indefinitely, too, this security issue affects all applications Android from version SDK 2.0 to 6+.

Well, the reason this happens is very simple: Each application has a different ClassLoader, which has classes of the core android and the current compiled APK, referenced by a DexClassLoader, and only that, not the other clasess compiled in other APK's.

It is really simple to send a Parcelable or Serializable to an application, service, methods, etc, if the application does not contain these classes simply crash (explodes), Well with this simple theory, just enough to find entry points to send these Parcelable and / or Serializable.

PoC preview

Github: MissileGuidedForAndroid

martes, 5 de abril de 2016

The truth behind "How to Hack an Election" CTR+C/CTR+V

The truths behind a strategy of black political campaign conducted by the white strategy, and the truth about the news behind bloomberg about how to hack an election this post I not taken 9 months of research just taken first hand experience before I begin denote that I am not a journalist I have no economic or political motivation in the following points, good taking into account that in the structure of the political campaign there are the following steps:
  • Know the context (social, socio-political, national ideological and cultural, socio-historical references knowledge of your opposition and factors against you, media factors)
  • inventory of resources (not only financial resources but moral support, social, community, etc ..)
  • Investigate (approach of social reality and country)
  • Define the objectives (Objectives image positioning, campaign structure, adequacy, work, segmentation of votes, acquisition targets votes. Etc ..)
  • Estimate the associated costs
  • Develop strategies field
  • Budget
  • To develop the message or campaign messages
  • constantly readjusting the strategy, message and plan (as in a business a campaign should not and should never have a work plan but rather a map which can lead to constant changes meet the requirements of objectives and others)
For within these structured steps of the political strategy (not only each campaign structure according to their vision and experience and advisors) for a campaign at any level, must take into account the trunk channel of technology.
The technology is where we communicate, where we create and store information to be processed, where information is transmitted and where the information is analyzed, are just some vertebral points using technology focused from a definition "facilitate" for an observer political. 

Well before resuming the structure and techniques that can be taken technological equipment experts black campaigns I want to make an Inca-foot in the post of Bloomberg [1] on the statements and clarify the following: 

1. Andres sepulveda never had $ 600,000 to hack anyone, how much the contract of social networking campaign to the Democratic Center works both Colombia and the 2 brothers was valued at approximately 713 million Colombian pesos by then in 2014 some 300,000 usd to run all (not just black campaign and share profits with his wife)
2. Andres never had direct relationship with candidates Enrique Peña Nieto in Mexico, Honduras Porfirio Lobo Sosa and Daniel Ortega Nicaragua or Venezuela carpiles enrique hugo chavez or opposition (please check the dates and times of travel passports, in any election works from home in Bogota while your customers are more than 3,000 kilometers nobody hires you today and all require physical interaction and counseling) else is to come by personal motivation.
2.1 The only possible serious relationship and rapprochement with the Democratic center - Alvaro Uribe and Oscar Ivan Zuluaga thanks to his wife who helped them with the contract and his friend Carlos escobar that if you had a closer contact with Alvaro Uribe.
2.2.- With this I want to make clear the misunderstanding and the granting of rights, experience and echos that is Andres in the news Bloomberg taken, that counted by the same Andres before being imprisoned and nothing to lose, he never he was in charge of anything related to direct interaction with political campaigns outside of Colombia and the democratic center.
2.3.- Andres Sepulveda and his brother (luis S.) They worked for small JJ Rendón in Bogota in office has about the T-zone as web designers which Andres was responsible for the programming part and his brother part design and promotion twitter and facebook, which corroborates the same JJRendon in the interview findings on CNN
2.4 Another point I never said publicly is that mind Previous statements and motivations sustained by a person as a drug addict and inebriated at the time andres that was free in 2014 during the campaign and first weeks of his capture as an organ General Prosecutor's Office [FGN] Colombian taken as true multiple statements and changes of stories knowing that their problems with drugs and during the initial process of jailing their withdrawal problems that remained secret several trips llevaro by the CTI the FGN to hospital for treatment, that should itself be enough to knock down any iota of truth to be taken as the basis of tests for other cases currently being carried against members of buggly cases of the operation of the army of Colombia and as current motif 2016 please press media do not take a person who wants to become a kind "Kevin Mitnick" no evidence livelihood and only for pure media story, not become famous for the simple fact of making a sporadic readers, is already quite unfortunate that google appear several searches.
2.5.- also part of the article there are contradictions such as a journalist bloomberg I was delayed 9 months to find evidence to support the story if Andres Sepulveda himself in the story says that he participated but erased all at the end and destroy all evidence in the purest style series of hacking MR Robot (with microwave and other techniques) and as such an article of this type of "claim" to believe in just one word of a prisoner who still has 8 years jail.
2.6.- Especially you can see that nothing more motivation to start the news is attack against Enrique Peña Nieto of Mexico osea the interview is hacking the elections and tear of mexico should not attempt to that of Colombia ?, ami that causes me some media populism want to focus on emphasizing the damage to the current presidency of Mexico.
I want to emphasize and make it clear here and now and avoid false comments, I personally never and had direct connection with any Mexican politician, I have had no direct relationship with anyone from the presidency current mexico or past and that my views are totally impartial and unmotivated economic or any policies on Mexican appreciation and cash from the experience of having been in the campaign with Andres Sepulveda.
Also said by the editors themselves of the news leave a reply to my email I try to tell them they are misrepresenting the news (which incidentally are not the only means they have tried to get some information from the case with this and will be more than 20 media that try to contact with me to get the story told from another point of view since starting this, but in the end after all end up diverting to their own interests the news and misrepresenting the echos with professional manipulations) who tried to get in contact with other sources of history and I think it not become clear is that Andres never did anything real hacking (otherwise are illegal with the purchase and handling of classified information, use of tools interception or other actions if they are punishable by the law)
(Which is e-mail from one of the editors and researchers of the famous news Confessions of a political hacker)

"Which must be taken into account is that producing or designing a weapon is not illegal but kill someone with that weapon if it is illegal," that in any law contemplated fine, and the simple fact of designing and building fire tools or of electronic warfare is not a crime, in some jurisdictions prolonged possession whether it may constitute a crime only as explanatory note, retaking Andres has no experience and design knowledge or advanced techniques of political intelligence which is why we hired people who alleged mind in article collaborated with a group of hackers, i want to clarify that too:
1. No one paid them worked with for making a timely work results. (Hacker groups and individual computer security experts)
2. In many cases or payment! stealing time and work to real experts in computer security.
3. In this case both work smear campaigns Mexico, Venezuela allegedly participated and run as a graphic web designer, Andres S. leave without paying the work of others (not of the eye) as well as part of I work in Colombia leaving debts more than 13,000,000 pesos that never pay several members of different groups and individuals. (The names of other individuals and groups are not publicly be equipped with confidentiality and have no relation with me us.)
3.1 I do not understand is how dare you use the name of those people if not even I pay them for services, I am evil person including our team work itself in Colombia for the campaign of the democratic center and uses its experiences to earn a name in the interview bloomberg, that's a clear lack of moral.
4. Another issue is that social networking accounts and accounts and software development, to make clear in that office in Excel files where information from all accounts was there were never more than 3,000 twitter accounts impossible to manage and refine many accounts to look real with so few people, in both cases the software that advertises in the interview bloomberg here are the links, software twitter that certainly for updates api does not work and the hunter an iPhone application connected to a server to classify pictures and warn of potential criminals so they are not top secret applications were published in 2014 and now in 2016 come to be like super tools come Take "a beer and keep calm."
Current motivations of Andres S. apart from a possible financial contribution which I doubt, is the motivation for fame and possible false image at the end of eight years more in prison missing.
Do not fall into that readers deception, people who are really expert in these issues of security at its 99% prefer anonymity and has much more experience than only develop in PHP (programming language) or some websites, also generally for perform tasks of political intelligence it is a team of people can not do everything with just one person.

Returning to the subject of the truths behind hacking a choice, want to say that we do not live in Wonderland (which plenty of comment but for people to read it you remember) this is the real world, where economic powers financed certain people who believe they can build or enhance their positions or their business by acquiring a published in the government position, no one today gives nothing less thousands or millions of dollars and in countries where candidates must not only be played with those requirements of economic forces but of social problems such as crime, illegal drug trade, armed groups, lack of legislative and even countries with large natural resources, huge international doubts and outside interests, is why we must take intelligence techniques to that such persons are visible from the political pyramid are well prepared and trained against any issue that may pose a public doubt. (Knowledge is power potential)
Well some of the works that are made during political campaigns that help make key decisions:
From the point of view of social media campaigns or social Manager's their work lies in promoting news and make as much as possible between supporters and followers not see, but from the point of view of black campaign for social networks:
1. Classification of profiles opposition.

2. Monitoring profiles opposition.

3. By utilization multiple social networking profiles ask to block certain topics or accounts

4. Design news coming from confidential or sensitive information that harms the image of the opposition candidate recalling certain previous positions of the past.

5. Identify the "key-connectors" on social networks by RT or the like or share the news on their profiles can reach more people without the need for greater economic investment.

6. Generate studies social networks to shape hot topics (many of these tools are publicly accessible at low cost)

7. In 2014 certain app like whatsapp allowed the mass of messages sent without bans spam today is more complicated by the restrictions but also WhatsApp and Telegram used for the distribution of news is more expensive simply mind-operational use software to pass those controls spam using python

8. Verification news against opposition political meetings, internal use of photos of those attending closed Meetings are public meetings or open space use of satellite pictures for measuring gauging (which incidentally are a complication point a camera to more than 10,000 meters on demand)
But not only it will end there other techniques to other offensive stages are:
1. For stage during the previous campaign using DDoS attacks to websites (news minimize other opponents and maximize your own visualizations using anti-DDoS services)

1.1.- Possible brute force to access post on platforms like zimbra, cpanel etc ..
2. Using Client side exploits are the most economical to use to access the networks of headquarters of opposition parties with the help of social engineering and have back-channels to extract information about meetings, agendas and possible speeches.
3. Use especially human intelligence to acquire information that can assist in campaign issues.
4. Using TOR Networks to avoid trace-back of the IP in countries outside the USA.
5. To support real-time campaign strategies through rapid adaptation strategies and field layouts
6. Support and acquisition of information to provide information to fill in web pages on information candidates are publicized by the White campaign (this allows the voter information so profiled and publishing contacts / relationships with drug traffickers or scams or shady dealings that opposition candidate and all his assistants an opposition could have) for the undecided voter awareness makeup.
7. Development of software auto-filling online surveys that benefits your party (if 101% of the surveys are modified and arranged) also using point 4
8. Acquisition of information socio-political issues (eg in the case of Colombia to acquire information on the FARC that we only had intelligence organizations and publicly make available information to inform the voter).
9. Development and software implementation of psycho-demographic profiling based on records and online social metadata to outline socio-cultural, political people accessing facebook, news media and others as well as geo-positioning thereof all focused on the use of hot indecisive maps and oppositional people. (all this is done by using advanced artificial intelligence models), everything can be done with python, javascript, apache Thrift and social networking APIs.
The following graphic is an example for a single analysis of a single person from our previous experiences, to extract political orientations by api'sy profiled to cross the magic of artificial intelligence
This can be used without the need to ask the people who will vote because that usually lie to avoid are lists of population censuses.

10. Now in 2016 can be used easily dron's but previously had to use a little more rudimentary techniques for games that are not presently in the government and want to present to gain positions in government using software as Osmocombb or sniffers GSM for monitoring the transmission power of other bts in public places and avoid briefcases and interception of GSM communications on cellular candidates. (Currently you can do in android without using hardware and protect the mobile device)
11. Another thing if the candidate you support is already in the government and reelect be clear utilize intelligence if the intelligence service has a direct dependence of the executive body, will be used (tracking, purchasing information and other practices with use of reserved budgets)
12. Be prepared for possible leaks of information from within your campaign and how to react to that to identify who was then out (work as part of campaign management) and how to prepare a reaction to the exposed confidential information
13. It is likely that if the white campaign has no knowledge the black part have to use techniques of big data to process the material presented (which has nothing wrong with that) but always work computer experts they are taken as you can do anything, it is as if your campaign is your friend white and black campaign is the computer within the company whenever the computer is asked everything from clean usb antler access accounts facebook's of lovers and print documents (good because it is a real abstraction of what happens with steroids;))
referring to one of the most controversial political consultants and more experienced in latin america, cutting one of his presentations
The information at the right time is the key this does not happen to be in a chair waiting !!
Well this does not end here from the point of view of cyber defense campaign does not end here other mini-jobs that run for:
1. Teach people with technical knowledge 0 as political advisors and properly use data encryption technologies.

2. Provide training in the proper use of technologies to exchange information

2.1 Raising awareness in using apps like Wickr, secure phone, cell phone encrypt, Review HTTPS urls, good use practices iPhone and Android, training phishing techniques that can undergo to avoid them.

3. Implement firewalls, IDS, Active Directory correctly (if no one uses freebsd clear DA or Slackware for an office in a political campaign)

4. Monitoring network (usually through the logs or monitor perimeter devices

5. Train all the supporters directly working at the headquarters of the campaigns in the proper use of emails (although it is impossible but the dome advisers or candidates end up using technologies like PGP or e sure if an had business and technology consultants correct)
This not only end here plus everything you do you have to present periodically in the most readable way possible (if a 12 year old does not understand then for them is like you're not doing anything), and attend meetings emergency they call you.
Also it does not end and the completion of the voting concluded and the public results that come from the official body responsible count are known, not for nothing there you still have a bit more work identifying formats voting records public to download them all , store them in a NAS and develop software to identify potential fraud counts votes in minutes with the format chosen by the official organ of the elections.
  • Here at this point you encounter various difficulties
    1. There are hundreds of thousands of records per province or department and never ending climb all.
    2. Generally they are handwritten in countries that no electronic voting and electronic file (or in cases like Venezuela are disabled by unknown errors polling).
    3. Sometimes they choose people who can not add up! if it becomes the proceedings on March 1 in 8 and 1 in 7 things that certainly missed that class in school;) and the sums sometimes coincide it never is where the fraud lies, yes sir that day a person you may be entitled university forgets to add.
    4. The calligraphy of people who choose some sides are able to convert a 9 votes from the other party on a 0 to have as you explain that to your recognition algorithm clusters of pixels to get a number on Database for calculating fraud on mathematical errors in the minutes.
    5. Today is easier with the proliferation of artificial intelligence service trained as microsoft or google IA IA Tensorflow or amazon or others who have training algorithms that facilitate deepmind today adequacy image identification for electoral records and identification of fraud, but before the old software school was used as imagemagick with a good hand bash and python and connectors to NAS on NTFS systems (232-1 (4,294,967,295)) for you maximize the amount of clippings minutes in a single folder you can store for heavy-duty cutting images (threads) change of format and quality and then train brute force cases of minutes.
    6. Search for citizens' reports of fraud today is easier using cell high-resolution cameras on social networks.

    Well this is a summary of some of the most critical things that are done before, during and after from the computer technology of information operations, not counting techniques reaction to attacks by opponents and other areas of the political campaign as consultancies image, political marketing, political science, develop videos, meetings and other things that happen during the campaign and there comes the experience and making decisions that are added work.
"All you have to do for the information and protection of information in the political campaign in key moments where the future of a country and its history is decided next" ¨
Original article: La verdad detrás de "Cómo Hackear una Elección"

Article by: Rafael Revert

Translation: by Google, sorry guys is a long text, xD.

domingo, 3 de abril de 2016

How an community manager criminal believes is an "hacker"

Recently the news portal "Bloomberg" publish an article about: How to Hack an Election

This article talks about an "Great Colombian Hacker", he can manipulate any political campaign:

1- An man with an tattoo of a QR code that contains an encryption key at the back of the head.

2- On his nape are the words “</head>” and “<body>” stacked atop each other, dark riffs on coding.

3- For eight years, Sepúlveda, now 31, says he traveled the continent rigging major political campaigns. With a budget of $600,000, the Peña Nieto job was by far his most complex.

4- His services were extensive. For $12,000 a month, a customer hired a crew that could hack smartphones, spoof and clone Web pages, and send mass e-mails and texts. The premium package, at $20,000 a month, also included a full range of digital interception, attack, decryption, and defense.

5- As a child, he witnessed the violence of Colombia’s Marxist guerrillas. As an adult, he allied with a right wing emerging across Latin America.

6- He says he traveled for eight years across the continent manipulating the major political campaigns.

7- Manipulate social networks to create false feelings of enthusiasm.

8- Joined to "the right" starting in Latin America (on few words an "paramilitary")

Sepúlveda says the program has been able to identify recruiters ISIS minutes after creating Twitter accounts and start publishing and hopes to share information with the United States or other countries fighting the Islamist group.

10- he declares. "In any case I do illegal things", oh well, all this are not illegal (recording calls/sms, spam sms/email, phishing, defacement, ddos, spread spyware, etc ...)

Well all this points sounds an the new "Colombian Rambo", Hacker and Military guy, shit this guy is amazing, is my hero, oh await one sec WTF ???

It's funny how no one hacking group in the country/world, supports the knowledge of this guy, and people who have worked with he, always refer to him as one who is devoted to "talking".

Now let's put all this fancy on technical words and explain what it is and how it is done.

Social engineering: in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

Phishing: is the attempt to acquire sensitive information such as user names, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Defacement: is an attack on a website that changes the visual appearance of the site or a webpage. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own.

DDos: In computing, a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

Well the "Hacker Sepúlveda" has a full name "Andrés Fernando Sepúlveda Ardila" with ID "80.851.062" and the brother has a full name "Luis Carlos Sepúlveda Ardila" with ID "91.523.017", you can download personal info about this guys HERE, the documentation and info are in original language "Spanish".

Analyzing the QR code, which contains an encryption key, according to the news portal "Bloomberg", i see some lies, this tattoo not match with the QR format, and really does not represent any encryption key, you can download the files HERE, this fake QR code has been created to deceive ordinary people who know absolutely nothing about QR codes, i used ZXing Decoder Online to test that.

Analyzing the words “</head>” and “<body>”, tattooed on the neck of this guy, when the portal news say "dark riffs on coding", really is not true, this words ar part of an markup language HTML(HyperText Markup Language), really is a language that is useless in itself, only lets you draw tables (<table> or <div>), breal line(<br>), tittle(<tittle>), paragraph(<p>), etc, etc, you can see an tutorial about this language HERE, well, the HTML language, without CSS, Javascript, Java (Applets), ActionScript (Flash), C# (Silverlight) really can't do nothing, and much less if these additional lenaguejes are not aimed at a webserice on a server on the Internet, the WebService can be writed on PHP, C#(ASP), Java(J2EE), Javascript(Node.JS), really this words is only other part his false image of "Great Hacker", who manipulate any political campaign.

The news portal too say "he traveled the continent rigging major political campaigns. With a budget of $600,000","His services were extensive. For $12,000 a month", we have a big problem with this lie, let us sum 600k USD per campaign, does not know the sea, he has not had, nor has a car, he lives in house rent and is reported in the central bank risk, oh well now undertand, how an guy with access to this lot money can have this problems ??? his brother talk about it in this video on youtube, the video are in original language "Spanish" "ANDRÉS SEPÚLVEDA: ¿EL ARCHIENEMIGO DE LA PATRIA?" - HERE

Sepulveda reveal who tried to obtain information from the FARC creating false identities on Facebook and by mail masquerading as supporters of the guerrilla group and contacting them in their social networks and email: "" with this method were accepted got his friend requests by the Ecuadorian journalist "Dax Toscano" and the guerrilla "Hermes Aguilar".

Since the information that exposes Sepulveda in videos posted was not secret and he did not have the training to intercept the bodies of the government, aircraft tech US or FARC, prosecutors point out that actually Sepulveda would have bought a package of 20 emails with their keys to "people in Havana, which is on the negotiating table". Information which paid only three of the eight million to be asked. In turn he would have been given a "base of demobilized guerrillas data obtained by a contact known as Torres in the COA, under the Ministry of Defence unit". To confirm these arguments appear about three videos where agents of the Metropolitan Police of Bogotá showing and handing a gun to Sepulveda who gave money in return would be revealed.

Sepulveda has had a behavior on social networks like a "script kiddie", everyone knowns that, much has been published about it.

Sepulveda has no university education, nor any experience in security or pentest, nor empirical experience.

It's not a security expert much less an ethical hacker, Too it's not an expert programmer and need to resort to aid the tutorials on YouTube and call for help GitHub, to perform tasks that are basic to an expert.

Yes, you have probably learned to handle some tools or some commands for BSD Terminal Mac or Perl or Python. They may have gotten even infect used by government actors, members involved in political campaigns or negotiations Havana devices. Still, it does not take an expert to buy a kit virus, design and implement a campaign and shooting attacks: by a not very expensive you can get very easy to use kits that bring instructions, automatic updates and support technical, any moron can do it, if you have money to pay.

"I really do not think he has the ability to do everything he says the prosecution. When I met had economic problems, and experts in computer told me that this man was a con man, who was not able to develop all programs what did he say", say the engineer "Jhon Arias".

The alleged "Hacker Sepulveda" attempt to negotiate with the development of anti terrorist software, to reduce his sentence, but his little knowledge on this subject, did not give good fruit.

"Carlos S. Álvarez" he share and known more about cybersecurity and cyberthreats, he write an article about the totally discredited as "Dread Hacker" Twitter:isitreallysafe, but unfortunately people in my country is very ignorant and do not understand any of this.

"Fernando Álvarez" Kienke columnist says "During my campaign for the Senate I had the opportunity to approach what these supposed experts on social networks and am fortunate to be among the few who understand what these gentlemen who are experts in what is in getting unwary. First, not strictly manage social networks. Social networking alleged invent and create ghosts amounts of users to believe the gullible who have exponentially increased their number of followers. Deceive their customers hundreds of visits, they really are ghosts hits showing them that indeed they are nonexistent users, apocryphal Internet and parallel accounts, which sometimes will supplant some famous to believe their clients are followed by those personalities.", and it's true i see companies that do this work, they hire about 10 guys and start to write garbage on the internet, crating large list of fake profiles/accounts to do fake publications, this is really far from being able to manipulate political campaign.

All portal news shows this guy as "A Fearsome Hacker or Great Hacker", really is not true, in hacking forums as Хакер, HackForums, BlackHatWorld, Rohitab, ElHacker, You can see children of 14 years old with more knowledge than this guy, this guy not have the level to write an exploit or an shellcode, is simple, he can't have knowledge to do that.

None of this is located, nor about even, to the category of security expert.

And definitely not making it a hacker, this guy just tarnishes the image of the guys working around things IT and Security, who spend many months disassembling and analyzing code, to detect vulnerabilities, it is very hard work , and this type of idiots only destroy the name of the true hackers.

Why this alleged "Hacker Sepulveda" He claims to be what it claims to be, is really simple, is in jail for 10 years, is in bankrupt, he is a liar and compulsive swindler, does not have any solid on cyber security knowledge, only buys criminal waste (maleware / spyware) and awarded a title that does not have, being a "Great Hacker" to follow the same path from which started in this, he only like cover his and get a reduced sentence, speaking more crap.

Then we explain what it supposedly does this "Super Hacker" and as is done:

The list of his alleged services are:

- Make dirty war and psychological operations, black propaganda, rumors (Trolling/Defamation)
- Send emails and bulk text messages (SPAM)
- Falsify and clone websites (Phishing)
- Wiretap / Intercepting SMS messages
- Fake likes and followers
- Encrypted file handling
- Intercept emails
- Defacement
- DDoS

How doing this things:

Trolling/Defamation: is really simple, you create a fake social accounts and fake emails, with names that any idiot can believe, and publish fake rumors, black propaganda, this technique was created on 4chan ( they are the masters of trolling time, this "Super Hacker", call that "Dirty War/Psychological Operations", and allegedly charged thousands of dollars for doing this, i think only a moron would pay for that.

SPAM for email/sms: again is really simple, exist more ways to do that, by email accounts, Hosting for SPAM or API bulk system.

- By email accounts: the email accounts as gmail have an limit diary for send emails around 300 emails by day, you only need coding an SMTP/POP client to manage this accounts and you can send a lot of email diary, in the case of SMS some countries have an service as email to sms, you only need send an the phone number and the text message.

- Hosting for spam: you need buy an hosing with an send_mail enable and sockets enable, and use an lib for send a massive emails from this server to any email large list.

- API bulk system: you need create an client to connect WebService API and send a lot emails or SMS.

Phishing: is really simple, any idiot can do that, you only need create a fake copy of and loguin of any site and put that on an hosting server, the most hosting sites used for that is this: 110mb, Ripway, SuperFreeHost, Freehostia, Freeweb7, t35, Awardspace, PHPNet, Free Web Hosting Pro, ProHosts, FreeZoka, 000webhost, AtSpace and this and this is accompanied by SPAM, sending emails to unsuspecting users, saying things like, change the password, or any other stupid excuse (Social engineering), MITM attacks are also used for these purposes.

Wiretap / Intercepting SMS messages: well this can divide on this common methods

- Without Hacking: The Stingray/ GSM interceptor/IMSI catcher is equipment that can gather data from hundreds of phones over targeted areas and they can also perform denial-of-service attacks on phones and intercept conversations. Though these products are not available legally but they can be bought through black markets or through deep web.

Law enforcement and the military use these devices to track cellphones. A stingray system involves an antenna, maps, and a signal device. The device mimics as a cellphone tower BTS (Base Transmitting Stations) and gets the phones in the area to connect to it. Then it collects IMSI (International Mobile Subscriber Number) and the ESM (Electronic Serial Number) numbers associated with the phone and can connect any phone.

There are two ways to use the devices:

One way is to use antenna in a given area to collect International IMSI (Mobile Subscriber Number) and the ESN (Electronic Serial Number) numbers of mobile phones in that area and see who is in that given area.

Second way is to locate a mobile phone with IMEI (International Mobile Station Equipment Identity), IMSI (International Mobile Subscriber Number) and the ESM (Electronic Serial Number) number like apple Find my phone application but in this case the phone can be traced even if the phone is formatted, as IMEI remain associated with the hardware not the software. Based on the signal strength of the device you can find the exact location of the mobile phone.

Also in some cases a DOS attack can be done on mobile phone but in terms of GSM signal not in term so of Data packets. When under DOS attacks the phone cannot receive or make any calls.

These devices can be used with software to eavesdrop on mobile phone conversations and spoof calls and SMS. These softwares are known as Over-The-Air special signal software like FISHHAWK, PORPOISE.

These devices are also knows as GSM INTERCEPTOR OR IMSI CATCHER. There are various devices like these in the market easily available.

- Injecting Malware/Spyware: abusing of exploits and/or threats, the mobile devices installing a RATS (Remote Administration Tools), this tools normally are sold on the deep web, this tools contains a lot of features: record calls, record camera/mic, record screen, grab email/sms messages, execute code and other things, this tools be controlled by C&C (Command & Control) systems, is really easy uses that, all noobs uses that.

- Abuse of Global Telecom Network: The critical flaw lies in the global telecom network known as Signal System 7 that powers multiple phone carriers across the world, including AT&T and Verizon, to route calls, texts and other services to each other; SS7 (Signaling System Number 7) is a protocol suite used by most telecommunications operators throughout the world to communicate with one another when directing calls, texts and Internet data. It allows cell phone carriers to collect location information from cell phone towers and share it with each other. A United States carrier will find its customer, no matter if he or she travels to any other country.

Encrypted file handling: is really simple and exist 3 ways to do that.

- ZIP encrypted file: select and password and uses that, is simple for idiot noob's.

- Volume Encryption: After having appeared multiple vulnerabilities on TrueCrypt software, has practically been the replacement of the VeraCrypt, this software supports multiple platforms and works perfectly well so far.

- Secure USB: exist an brand of USB devices "Ironkey" this be created with an AES-256 encryption standard and is the best, is some expensive.

Fake likes and followers: as such idiots, are far from being able to create a stable and effective Botnet, the only thing they can do is pay for it, normally this idiots buy services as that Buycheapfollowersfast, Bestfollowers exist an large list to similar companies, only search on Google.

Intercept emails: exist some common methods for that:

- By Phishing: you create an Phishing site and store the data collected, only noob's uses that.

- By MiTM: The MiTM have a 5 normal methods, but the most common is a "Poison ARP Table", and i sure this guy can't dev that, need pay for an tool to do that, select you target IP, and redirects to the new Fake IP and store the data collected, is really simple, well for us.

- Inyecting spyware: when the spyware are installed on the system, you only use the C&C to extract data, is really simple.

Defacement: only need use tools and check if the site is vulnerable, if the site is vulnerable, you enter easily, the common tools for that are: NMAP, WPScan (For Wordpress Scanning), Joomscan (For Joomla Scanning), OpenVas (For Vuln Scan), all script kidies start to win money do defacement's.

DDoS: again he not have knowledge to create botnet's, would use jMeter, XOIC, HULK, GoldenEye, LOIC(Low Orbit Ion Canon), or similar tools, other guys can rent a Botnet services for that, here i not explain how to create Botnet's to do DDoS attacks.

Some of the methods described above are outside the scope of our "Super Hacker", already stated above that no has knowledge to software development oriented to security or hacking and the only way, he can do this is to pay for it, is more advanced for him.

Really install tools and see videos on Youtube not turn you on "Great Hacker", the old school is all, and well this is all the fantasy of our "Super Hacker", There is a lot of really tough people in the world, but this guy is not one of them.

Oh I almost forgot something, our "Super Hacker", according to him is part to "the right", in few words is an "paramilitary", It's funny, because I'm sure that if one day an "real paramilitary" sits with a 9mm at his side, he pee in his pants, the brother says in self twitter account "Now, from prison, helping in the technology fight against ISIS.", this is really super fun, as an fucking joke, I just hope this does not reach the ears of these terrorists, because they loved behead and record that and publish it on the Internet, Mom did not tell you not to play with fire ?

Conclusion, this guy sees much TV, he see some hacking videos on Youtube, he buy some malwre / spyware on the deep web and is a liar and deceiver compulsive.

My sincerest apologies for "Jordan Robertson", "Nick Casey", and "Thomas Fox-Brewster", should stop being so naive, and need contact with true security experts to validate the information, sorry.

I only like see this "Super Hacker" playing with "Real Hackers" on sites as: Defcon, BlackHat, MalCon, or other Security Conferences.

We are the Internet's immune system, and he is no part of us, a lot "Hackers and Security Guys" are agree with that.

Why i write this post, is very simple, I hate the liars and criminals, and the that people speak crap.

And a big lie have an part of true and more parts of false, remember that.

The New York Times - Nick Casey: Twitter:caseysjournal
Bloomberg - Jordan Robertson: Twitter:jordanr1000
Forbes - Thomas Fox-Brewster: Twitter:iblametom

"Hacker Sepúlveda" - Twitter:hackersepulveda
"Capitán Sepúlveda" - Twitter:zappsepulveda