Archive | June, 2013

PRISM, Edward Snowden, Big Brother & More Stuff We Already Knew


So there’s been 100s of articles posted about PRISM, which also now has a lengthy Wikipedia article – PRISM (surveillance program). Apparently PRISM (2007-present) is the program that replaces the previous (2001-2007) NSA warrantless surveillance program.

So the US government has been watching everyone, no shit (Nineteen Eighty-Four?).

PRISM is a clandestine national security electronic surveillance program operated by the United States National Security Agency (NSA) since 2007. PRISM is a government codename for a data collection effort known officially as US-984XN. It is operated under the supervision of the United States Foreign Intelligence Surveillance Court pursuant to the Foreign Intelligence Surveillance Act (FISA).

The existence of the program was leaked by NSA contractor Edward Snowden and published by The Guardian and The Washington Post on June 6, 2013. A document included in the leak indicated that the PRISM SIGAD was “the number one source of raw intelligence used for NSA analytic reports.”The President’s Daily Brief, an all-source intelligence product, cited PRISM data as a source in 1,477 items in 2012. The leaked information came to light one day after the revelation that the United States Foreign Intelligence Surveillance Court had been requiring the telecommunications company Verizon to turn over to the NSA logs tracking all of its customers’ telephone calls on an ongoing daily basis.

It’s a revelation for a lot of people however, who are unaware of how easy it is to capture data online (that isn’t encrypted) – like e-mail for example. I’ve always told people don’t write anything in an e-mail that you wouldn’t write on a post-card – because reading them both is at about the same difficulty level.

Most people think because they are logged onto Gmail/Hotmail etc using https, that their transmissions are secure. But unfortunately the majority of the e-mail infrastructure is using zero encryption – so all your messages are floating around in plain text, unless of course you are using PGP/GPG – they you are pretty safe. But how many people do that, and it requires both sender and receiver to using the same system.


There are of course specialist e-mail services for the paranoid like Hushmail Tormail.

It’s a big kick in the face for the US Government though with their hyperbole about freedom, now it turns out they are invading the whole World’s privacy and ignoring human rights.

There have been statements from Microsoft, Yahoo!, Google, Facebook, Apple & Dropbox stating they do not take part in PRISM and that they do not give any direct server access to any agencies.

The guy that kicked this whole thing off was Edward Snowden, who intentionally revealed his identity and is ready to deal with the consequences. More here – Edward Snowden: the whistleblower behind the NSA surveillance revelations.

He was basically a sys admin for a government contractor called Booz Allen Hamilton, parked under the NSA in Hawaii. As we all known, sys admins typically have full access to EVERYTHING, ever server, every system – as they need it to do their job.

Very few companies implement silos, or transparent encyrption to protect themselves from sys admins. More on that discussion here – Prism doesn’t have CIOs in a panic — yet .

Either way, it’s a pretty interesting story and it’s getting spectacular global press coverage – there’s plenty more to read if you’re interested.

Posted in: Legal Issues, Privacy

Topic: Legal Issues, Privacy


Latest Posts:


HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.
trident - Automated Password Spraying Tool trident – Automated Password Spraying Tool
The Trident project is an automated password spraying tool developed to be deployed on multiple cloud providers and provides advanced options around scheduling
tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.


OWASP Bricks – Modular Deliberately Vulnerable Web Application


Bricks, a deliberately vulnerable web application built on PHP & MySQL focuses on variations of commonly seen application security vulnerabilities & exploits, which can be exploited using tools (Mantra & ZAP). The mission is to ‘break the bricks’.

Road Map

  1. Demonstrate maximum variations of most common vulnerabilities
  2. Help people to learn the need of secure codding practices and SSDLC
  3. Attract people to design more bricks
  4. Become a test bed for analyzing the performance of web application security scanners.
  5. Help people learn the manual method of testing the applications
  6. Demonstrate the possibilities of various security tools and techniques
  7. Become a platform to teach web application security in a class room/lab environment.

It’s a great way to learn the basics of web security, both from a developers perspective and from someone interesting in learning pen testing for web apps, if you want to check out more projects similar to Bricks, there a whole bunch here:

Vulnerable Web Application

You can download Bricks here:

OWASP Bricks – Torsa.zip

Or read more here.

Posted in: Exploits/Vulnerabilities, Web Hacking

Topic: Exploits/Vulnerabilities, Web Hacking


Latest Posts:


HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.
trident - Automated Password Spraying Tool trident – Automated Password Spraying Tool
The Trident project is an automated password spraying tool developed to be deployed on multiple cloud providers and provides advanced options around scheduling
tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.