Featured post

Quick Reference Resource Introduction: WikiLeaks CIA Vault 7 Leaks

This series covers links to and analysis of each of the WikiLeaks CIA Vault 7 leaks including:

  1. The WikiLeaks pages;
  2. The associated CIA documents – Specification Documents, Systems Requirements, Installation Guides, User Guides, User Manuals, Test Plans, Tactics Documents, Slides and so on;
  3. Links to a “splash” analysis of each leak on The Hacker News;
  4. Analysis by other third party publications of each leak;
  5. General comments, notes, and links added by AirGap Anonymity Collective as each leak and its previous deployment is more clearly understood;
  6. Analysis and examples of the subsequent use and deployment of theses hacking tools by cyber criminals, cyber terrorists, state actors, hackers, and others;

These documents are marked with various security classifications. To understand what these classifications mean see Understanding NSA / INR Security Classifications on Intelligence Assessments;

Posts in this series to date:

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #14 – OutlawCountry;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #16 – HighRise;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #15 – BothanSpy & Gyrfalcon;

All third party content is explicitly acknowledged and content or imagery that has been altered or amended for ease of use is clearly marked.  


Quick Reference Resource: WikiLeaks CIA Vault7 Leak #14 – OutlawCountry

The OutlawCountry Linux hacking tool consists of a kernel module, which the CIA hackers load via shell access to the targeted system and create a hidden Netfilter table with an obscure name on a target Linux user. The OutlawCountry project allows the CIA hackers to redirect all outbound network traffic on the targeted computer to CIA controlled computer systems for exfiltrate and infiltrate data. *

Although the installation and persistence method of the OutlawCountry tool is not described in detail in the document, it seems like the CIA hackers rely on the available CIA exploits and backdoors to inject the kernel module into a targeted Linux operating system. However, there are some limitations to using the tool, such as the kernel modules only work with compatible Linux kernels. **

The 30th June 2017 WikiLeaks release overview:

“Today, June 30th 2017, WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from an user or even system administrator. The installation and persistence method of the malware is not described in detail in the document; an operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system. OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.

Two documents were also published alongside this release:

OutlawCountry v1.0 User Manual

OutlawCountry v1.0 Test Plan

Previous and subsequent Vault 7 WikiLeaks dumps #1 – #13 and #15 – #17 synopses are available on WikiLeaks and analysis of OutlawCountry at The Hacker News.


Edited Image courtesy of The Hacker News – Twitter @TheHackersNews

* Content courtesy of The Hacker News – Twitter @TheHackersNews

** Content courtesy of The Hacker News – Twitter @TheHackersNews

“Where’s the Money?” as Orphaned AlphaBay Users Have Hansa Identity Crisis

There are many things that confuse me about this story despite spending days trying to unravel it. There are many unanswered questions that I have and there are many elements of the “story” that do not make sense to me. I have decided to write them down and see if someone more astute than I am can help me out.

Petra Haandrikman 

On the 17th July 2017, Brian Krebs published Exclusive: Dutch Cops on AlphaBay ‘Refugees’ on the Krebs On Security blog. Mr. Krebs had interviewed Petra Haandrikman, team leader of the Dutch police unit that “infiltrated” HANSA. 

Ms. Haandrikman’s LinkedIn bio reads as follows:

“Experienced Chief Inspector with a demonstrated history of working in the law enforcement industry. Skilled in Crisis Management, Coaching, Public Safety, Government, and Law Enforcement. Strong quality assurance professional graduated from OvD-P (engeland).” [sic]

Ms. Haandrikman does not appear to hold any specific IT or Computer related qualifications but that does not matter to me. You can read her interview with Mr. Krebs for yourself.

What does Ms. Haandrikman call what she did, for between 50 and 100 days, with HANSA?

Is it called surveillance, is it undercover work, is it entrapment, a combination, or is it criminal enterprise, or is it something else?

The official line is that it was the final part of an undercover operation in which the Dutch authorities seized control of the illegal market place in mid to late June following the arrest of two HANSA site admins from Siegen, NorthRhine-Westphalia in Germany.

Did they fulfil or allow the fulfilment of “orders”?

I cannot really find a definitive statement on what they actually did do? Wilbert Paulissen, Head of National Investigation of the Dutch National Police said “these servers and their corresponding infrastructure were seized and an exact copy of the market place was transferred to Dutch servers. Buyers and sellers could still access the darknet site, but without realizing the police and the public prosecution service in the Netherlands had seized control of Hansa.”

Do Ms. Haandrikman and her colleagues, in an effort to “erode confidence” in the criminal community with respect to dark markets, accept that they were active facilitators / actors in the community for between 50 and 100 days? 

As the US Drug Enforcement Agency was closing down AlphaBay, The Dutch National Police were operating HANSA. Mr. Paulissen explained : “The core is that we as the police and the justice department succeeded in taking over the complete website and have total control of Hansa.”. 

The joined up operation was structured so that orphaned AlphaBay users would find a new home at HANSA. The double-whammy of uncertainty that recently orphaned AlphaBay users would feel when they discovered that their new parent HANSA was an impostor would apparently cause large parts of the criminal underworld to have an existential crisis and would result in dark markets going quiet.

What are the actual figures we are talking about in terms of EUROs accounted for by transactions on HANSA from the date that it fell under the complete control of the Dutch authorities?

“Since the end of June, the High Tech Crime Team and the Darkweb Team of the police and the Public Prosecution Service have gained insight into large numbers of sellers and buyers, who traded chiefly in hard drugs. The usernames and passwords were intercepted. On average, 1,000 orders per day were placed in response to almost 40,000 advertisements. Last year, Hansa Market had 1,765 different sellers. Since the authorities seized control of Hansa Market there have been more than 50,000 transactions, mainly involving soft drugs and hard drugs.”

During the period that the Dutch authorities operated HANSA “Accounts with a total of more than 1,000 bitcoins, representing a value of some two million euros, were seized. The bitcoins were transferred to an account of the Public Prosecution Service.”

But an alternative analysis of the figures suggests that orders of potentially up to EUR€50 million could have been placed / fulfilled during the period that HANSA became fully compromised by the Dutch.


  1. How much money / assets were actually seized by the Dutch authorities and in what form – Bitcoins, contraband … – and where are they now?
  2. The exclusive operation by the Dutch authorities of HANSA after they seized the infrastructure following the arrests in Germany was the last part of the operation. But was it the last part of an undercover operation or was it the exclusive running of a criminal network, without the assistance of externals, by a law enforcement agency?
  3. During that period did a law enforcement agency in complete control of a criminal network explicitly allow and facilitate criminal activity?

Answers on a postcard.

References & Other Related Articles

Exclusive: Dutch Cops on AlphaBay ‘Refugees’

Feds Seize AlphaBay and Hansa Markets in Major Dark-Web Bust

Darknet Takedown Authorities Shutter Online Criminal Market AlphaBay


The Biggest Darknet Market on the Deep Web Has Been Shut Down By International Authorities

Alphabay shutdown: Bad boys, bad boys, what you gonna do? Not use your Hotmail… …or the Feds will get you ♪



Data Is The New Perimeter in Emerging Age of Corporate-Espionage-as-a-Service

Last Tuesday, July 11 2017 I was pleased to listen to Mike Desens, Vice President, IBM Z and LinuxONE Offering Management, IBM Systems as he took myself and some colleagues through a preview and introduction of the z14 prior to the July 17 announcements *.

The overriding theme of the briefing was that IBM view the z14 as “Designed for Trusted Digital Experiences”. The last twenty four months in particular have seen data breaches that have seriously eroded public confidence in erstwhile trusted institutions and organizations.

There have been hacks that have embarrassed nations, and led to real fears about the risk that insecure data poses to our energy and commercial infrastructures not to mention the veracity of election results but I am not going there.

Shadow Brokers dumps and WikiLeaks releases of alphabet agency backdoors and toolkits have given cyber criminals (even the opportunists), and terrorist outfits almost nuclear-grade hacking capability when compared to 2014.

IBM are hoping that these real fears, but more particularly their real solution, will be the key driver in convincing customers to adopt the new platform.

Been There, Done That

I have seen this before (IBM pinning their hopes of making the mainframe cool by leveraging an unexpected turn of events). I worked on the deep end of the ADSTAR Distributed Storage Manager (ADSM) ESP’s in the early 90’s (renamed Tivoli Storage Manager in 1999).

Back then entire banks ran on less DASD than your kid’s pot burner phone does right now (and that included all the IMS, CICS, and DB2 data). IBM pinned some of their hopes on maintaining their lucrative storage market share on ADSM in the face of EMC inroads. “Disk mirroring” however by EMC was the final blow when EMC turned an engineering weakness into a strength. It cost outsider Ed Zschau, ADSTAR Chairman and CEO, his job in 1995.

IBM had made a very valid argument for ADSM adoption. All that data on the newly acquired (mostly by accident and without permission by rogue business units – especially the capital markets mavericks), rapidly expanding, and poorly managed (in terms of Disaster Recover and Business Continuity at the very least) AS/400, Tandem, and NT infrastructure was best managed on the mainframe storage farm.

This also included using those new-fangled robotic tape libraries on Level 2 (which even appeared in a few movies with perspex exterior, the StorageTek one though, not the IBM Magstar 3494 Tape Library).

It didn’t work though. Mainly because the network couldn’t handle the volumes, and record level backup was never going to work to help reduce the bandwidth requirements to fit the overnight backup windows what with the quagmire of proprietary databases that had sprung up.

GDPR Unwittingly Making the Market for “Corporate-Espionage-As-A-Service”

But I digress so I will briefly digress again to another but equally valid potential driver for z adoption. And that is GDPR. Soon GDPR regulators will be gleefully fining corporates who fail to adequately protect their data the higher of EUR€20M or 4% of annual turnover, for each breach. That’s an instant laxative right there for the entire C-Suite.

But what the proposed GDPR penalty system also makes me wonder is how much of a market maker it is (unwittingly) for Corporate-Espionage-As-A-Service (CEAAS) and Industrial-Espionage-As-A-Service (IEAAS).

Back On Message – Pervasive Encryption

Consequently, IBM have put security at the core of the new platform with “Pervasive Encryption as the new standardAnalytics & Machine Learning for Continuous Intelligence Across the Enterprise, and Open Enterprise Cloud to Extend, Connect and Innovate”.

Here are some stats to keep your CISO awake:

  1. Nearly 5.5 million records are stolen per day, 230,367 per hour and 3,839 per minute (Source:http://breachlevelindex.com/);
  2. Of the 9 Billion records breached since 2013 only 4% were encrypted (Source: http://breachlevelindex.com/);
  3. 26% is the likelihood of an organization having a data breach in the next 24 months(Source: https://www.ibm.com/security/infographics/data-breach/) ;
  4. The greatest security mistake organizations make is failing to protect their networks and data from internal threats. (Source: https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data)

The Z is arguably more powerful, more open and more secure than any commercial system on the planet and the box makes serious moves in the rapidly evolving domains of Machine Learning, Cloud and Blockchain. But again and again the focus comes back to Pervasive Encryption and that is the potential seismic shift that just might make the Z the go-to platform for organisations who can afford their own and the Cloud platform of choice for those who cannot.

Pervasive Encryption Is The New Standard

Back in the day as an MVS370 systems programmer I stressed about downtimes, availability stats, and the SLAs with business units. If I am being honest though I mostly stressed about the long holiday weekends spent in subterranean data centers upgrading ESP code or patching or migrating new releases from TEST to PROD LPARS or doing S390 disk mirrors.

Therefore when I first heard of the this bold new “encrypt it all” call to arms I wondered what the price for this would be in terms of the social lives and general marital stability of SPs globally.

However I am assured that the encryption “migration” involves no application changes, no impact to SLA’s, and that all of this application and database data can be encrypted without interrupting business applications and operations.

What’s Under the Hood

This section of the briefing was prefaced with the statement that the Z will deliver “unrivalled performance for secure workloads.” I have another post in the works with the tech spec dets on the encryption under the hood but for now here’s the 60k foot view:

“Industry exclusive protected key encryption, enabled through integration with a tamper- responding cryptographic HSM. All in-flight network data and API’s, true end-to-end data protection. 4x increase in silicon area allocated to cryptographic operations. 4 – 7x faster encryption of data with enhanced cryptographic performance. 18x fasterencryption than competition at 1/20th the cost to implement. 2x performance boost on Crypto Express6S. Securing the cloud by encrypting APIs 2-3x faster than x86 systems. Linux exploits Protected Key encryption for data at-rest.”

More later.

* From an article originally published on July 18 2017 on my Peerlyst blog


IBM Mainframe Ushers in New Era of Data Protection with Pervasive Encryption

Main take-outs in IBM Z Systems announcement:

  1. Pervasively encrypts data, all the time at any scale;
  2. Addresses global data breach epidemic;
  3. Helps automate compliance for EU General Data Protection Regulation, Federal Reserve and other emerging regulations;
  4. Encrypts data 18x faster than compared x86 platforms, at 5 percent of the cost (Source: “Pervasive Encryption: A New Paradigm for Protection,” K. R. E. Lind, Chief Systems Engineer, Solitaire Interglobal Ltd., June 30, 2017);
  5. Announces six IBM Cloud Blockchain data centers with IBM Z as encryption engine;
  6. Delivers groundbreaking Container Pricing for new solutions, such as instant payments.

The new data encryption capabilities are designed to address the global epidemic of data breaches, a major factor in the $8 trillion cybercrime impact on the global economy by 2022. Of the more than nine billion data records lost or stolen since 2013, only four percent were encrypted, making the vast majority of such data vulnerable to organized cybercrime rings, state actors and employees misusing access to sensitive information.

In the most significant re-positioning of mainframe technology in more than a decade, when the platform embraced Linux and open source software, IBM Z now dramatically expands the protective cryptographic umbrella of the world’s most advanced encryption technology and key protection. The system’s advanced cryptographic capability now extends across any data, networks, external devices or entire applications – such as the IBM Cloud Blockchain service – with no application changes and no impact on business service level agreements.

“The vast majority of stolen or leaked data today is in the open and easy to use because encryption has been very difficult and expensive to do at scale,” said Ross Mauri, General Manager, IBM Z. “We created a data protection engine for the cloud era to have a significant and immediate impact on global data security.”


* From an article originally published on July 17 2017 on my Peerlyst blog

Building A Global Nation State SMB Exploit Honeypot Infrastructure With A £50 Budget #EternalPot

Note to post: All words, IP ownership, analysis, opinions, data, graphs et al are the property of Kevin Beaumont and where altered and extracted are done so remaining true to the original meaning / assertions. From and article by “Kevin Beaumont InfoSec, from the trenches of reality. Email kevin.beaumont@gmail.com | Twitter: @gossithedog on Twitter” titled “EternalPot — Lessons from building a global Nation State SMB exploit honeypot infrastructure” athttps://doublepulsar.com/eternalpot-lessons-from-building-a-global-nation-state-smb-exploit-honeypot-infrastructure-3f2a0b064ffe

Worthy of note before beginning to read this beauty – Mr. Beaumont predicted that this would happen back in April 2017:

Now over to the expert ….

Extracts BEGIN (again full original article here

A week ago I started building #EternalPot, a honeypot for the Equation Group SMB exploits leaked by the Shadow Brokers last month.” (May 2017) – “My entire budget for one of this is £50, as I self fund all my InfoSec research — I work for a company that makes crab paste, so everything is done outside of work, on my own time. I highly recommend working InfoSec for a company where the CapEx tap is turned off temporarily, by the way, as you’ll find out how skilled your workforce are and you’ll get back to the most important part of InfoSec: the basics. Build simple solutions, always…..



There has been a lot of vendor and press coverage of WannaCry which has been inaccurate. Despite what has been said, WannaCry was not spread via phishing or email — in fact, it was an SMB worm. Seeing a constant stream of misinformation from InfoSec vendors still around this has been depressing — it still continues to this day, long since the major players and initial victims walked back the email line…..



The EternalPot data has shown advanced attacks, multiple coin miners, remote access trojans and lateral movement attempts into corporate networks — all via the Windows SMBv1 service. One of the exploits — EternalBlue — was used by the WannaCry ransomware spreader…..



As you can see pre-WannaCry (refer to diagram in article and below), these SMB attacks were almost non-existent. It’s an SMB worm like the ones from the prior decade. Another angle to the press coverage was Windows XP being impacted — in fact, an entire weekend of UK mainstream media and political commentary ran about this. While SMBv1 has serious issues on Windows XP and 2003 (and on later OSes!) and should be patched and firewalled (aka disabled), the reality was the WannaCry spreader didn’t work on Windows XP SP3…..




All the WannaCry samples seen so far — thousands delivered in real world honeypots — have two factors:

  1. They are one of two corrupt versions, where they spread but fail to execute ransomware as the PE headers are corrupt.
  2. They contain working killswitches.

If you’re pondering why WannaCry seemed to disappear almost completely, here we are. The authors simply disappeared. The Tor payment pages don’t even exist now. We owe MalwareTech more than pizza…..



Another angle to the press coverage was Windows XP being impacted — in fact, an entire weekend of UK mainstream media and political commentary ran about this. While SMBv1 has serious issues on Windows XP and 2003 (and on later OSes!) and should be patched and firewalled (aka disabled), the reality was the WannaCry spreader didn’t work on Windows XP SP3. Here’s Kaspersky’s graph of infected operating systems…..




One thing I will say — I don’t want to name the vendors, but some of the biggest next-generation security productssimply aren’t detecting SMB attacks nearly well enough. Malware regularly infects these systems, and they have to be reimaged as a result. It is amazing seeing next gen, premium tools with machine learning etc running Coin Miners andremote access trojans delivered via old exploits, with the tools not even noticing. It has been very eye opening for me. The marketing to reality Venn diagram here isn’t so Venn. At times it is so bad it is actually jaw dropping seeing certain attacks not being detected…..

Extracts END (again full original article here


#UK Government #Data leak in 2015, users warned today.

A recent routine security review discovered a file containing some users’ names, emails and hashed passwords was publicly accessible on a third-party system.

The names, emails and hashed passwords in the file belong to users who registered on data.gov.uk on or before 20 June 2015.

Network Programming in .NET

unnamed (1)

A recent routine security review discovered a file containing some users’ names, emails and hashed passwords was publicly accessible on a third-party system.

The names, emails and hashed passwords in the file belong to users who registered on data.gov.uk on or before 20 June 2015.

This effectively means that the security breach probably happened on the the 20th of June 2015, and the UK government only discovered it now, 2 years later!

View original post