Archive for the ‘Hacktivism’ Category

Anonymous Cambodia: The OPSEC disaster

Tuesday, June 17th, 2014


On the 30th August, 2012, a group of police officers met outside a local minimart near Riverside in Phnom Penh, Cambodia. Their mission was to raid and arrest anakata in his apartment located nearby as requested by Swedish authorities.

A group of hacktivists that calls itself NullCrew was quick to revenge carrying out attacks under the suitably chosen name: “Operation TPB”. On the 2nd September, 2012, they began leaking documents, usernames and passwords from Cambodian computer systems. They attacked the Cambodian Ministry of Public Works, the Institute of Standards, the general taxation department and the military. NullCrew’s attacks hit the local media and this is where the story about Anonymous Cambodia begins.

Most likely inspired by the press coverage of NullCrew’s attacks the Cambodian branch of Anonymous was formed. They adopted NullCrew’s OpTPB and on 12th September, 2012, the day after anakata landed in Sweden, it was reported that Anonymous Cambodia had broken into and leaked sensitive data extracted from the Cambodian Ministry of Foreign Affairs and defaced its website calling for anakata’s release.

The Cambodian branch went silent for a while only to wake up ready for the national elections held in July, 2013. They began defacing sites to spread their political message and DDoSing those that they could not deface accusing the ruling party of electoral fraud. Their mission was to topple the government lead by the Cambodian People’s Party which has ruled the country with an iron fist since the fall of Pol Pot and the Khmer Rouge regime.

“Because he has no formal training and uses programming scripts created by others, he said that he is a ‘script kiddie’ and not a true hacker.”

Less than two weeks before the election Anonymous Cambodia made their grand mistake. They participated in an interview with The Phnom Penh Post in which one of their members, “Black Cyber”, revealed personal information about himself and his agenda. In an interview with The Cambodia Daily he relied on “blacked-out webcam and computer software to distort his voice for fear that the call would be intercepted by U.S. intelligence agencies”.

Black Cyber was portrayed as a twenty-something IT security consultant who had become involved in Anonymous by participating in Operation Payback targeting pro-copyright, anti-piracy organizations and payment processors which had withdrawn banking facilities from WikiLeaks, similar to the attacks which would later be carried out as revenge for the arrest of The Pirate Bay founder anakata. Black Cyber denied involvement in OpTPB.

The interview given by Black Cyber provided excellent profiling data for law enforcement agencies. He revealed the size of Anonymous Cambodia and claimed that three people had participated in attacks against the National Election Committee. Jao Kamsot, another individual who was interviewed for the article, said that he is a script kiddie and not a true hacker.

“I don’t think their group has many people, and we will wipe it out.”

Immediately after the interview given by Black Cyber the Cambodian Ministry of Interior Department of Security began collaborating with the United States’ FBI in an investigation against Anonymous Cambodia. On 7th April, 2014, 21 year old Bun Khing Mongkul Panha, known online as Black Cyber, was arrested together with 21 year old Chou Songheng, alias Zoro.

The pair was charged with cyber crimes conducted against 30 government websites including the National Election Committee, Ministry of Foreign Affairs, Ministry of Defense, Anti-Corruption Unit and Phnom Penh Municipality. They were charged with unauthorized access to an automated data processing system, obstructing the functioning of an automated data processing system and fraudulent introduction, deletion or modification of data. Black Cyber confessed immediately.

On 22nd April, 2014, an individual calling itself “Attacker Fiber” created a Facebook page named after the group vowing revenge and posting YouTube videos showing how to conduct DDoS attacks. He used the page to market his own page (Attacker-Fiber) on which he advertised “Website Security Learning to be Anonymous” [sic] including SQL injection, defacement and backdoor techniques for $100 per course. He also set up a site titled “Cambodia Security” advertising the same services and posting guides for trivial things such as XAMPP installation.

On 29th April 2014 Anonymous Cambodia claimed on its Facebook page that they had breached the site belonging to the Anti-Corruption Unit promising further attacks. Dim Chaoseng, the lawyer defending the members of Anonymous Cambodia arrested earlier, expressed his concerns saying: “All the activity that Anonymous is doing at the moment is not going to help my clients. It is going to get more difficult to release my clients on bail.”

“…he said using a blacked-out webcam and computer software to distort his voice for fear that the call would be intercepted by U.S. intelligence agencies.”

Only days after the claimed attacks against the Anti-Corruption Unit, on 1st May 2014, two additional (unnamed) members of Anonymous Cambodia were arrested and charged with disrupting the ACU using the moniker Game-Over-xX23xX.

Angered by the four arrests, on the 4th May 2014, the group attacked the Royal Gendarmerie, Ministry of National Defense and CamCERT (Cambodia Computer Emergency Response Team) demanding the release of their “comrades”. Military Police spokesman Kheng Tito was quoted saying: “I don’t think their group has many people, and we will wipe it out.”

On 4th June Attacker Fiber, a 17 year old boy named Chin Neangleangmeng, became the 5th arrested member of Anonymous Cambodia. He confessed immediately.

Since the arrest of Attacker Fiber the small but very cocky group has been very quiet online. Anonymous Cambodia is now held in Prey Sar Prison in Phnom Penh, which was built for 500 inmates but was reportedly the home of 3,000 inmates in 2011, and they will most likely stay there until the authorities figure out how to punish them as Cambodia is currently lacking many internationally common cybercrime laws to regulate hacking and DDoS attacks.

Introducing panic_bcast

Thursday, December 13th, 2012

panic_bcast is a network protocol panic button operating decentralized through UDP broadcasts and HTTP. It’s intended to act a panic button in a sensitive network making it harder to perform cold boot attacks. A serious freedom fighter will run something like this on all nodes in the computerized network.

How it works

1. An activist has uninvited guests at the door
2. The activist sends the panic signal, a UDP broadcast, with panic_bcast
3. Other machines in the network pick up the panic signal
4. Once panic_bcast has picked up the panic signal it kills truecrypt and powers off the machine.

panic_bcast was written with the intention to support any form of UNIX that can run Python. It has been tested successfully on Linux and FreeBSD.

To trigger the panic signal over HTTP simply request http://…:8080/panic from a machine that is running panic_bcast. Whichever will do.

Please note that panic_bcast is a beta and more sophisticated ways to prevent cold boot attacks are planned. You can view these plans by searching for the word “TODO” in the source code.

The source code is available on Github.

Remember kids: there’s no home for swap in opsec.

FortiGate censorship analysis

Monday, September 12th, 2011

The S23K, also known as the Pirate Bay tour bus, had boarded a Scandlines ferry from Trelleborg. We were a group of pirates and hackers on our way to Chaos Communication Camp 2011 in Finowfurt, Germany. There was free satellite WiFi available on board, and after a while me and my friend jaywalk of Telecomix discovered that one of the project’s home domains,, had been blocked for being a “malicious website”. With approximately an hour left from reaching Germany we found this to be a perfect opportunity to warm up.

The blockade of, filtered as a “Malicious Website” most likely triggered by the occurance of the word “anarchy” in the domain, was quickly evaded by accessing the site using HTTPS. SNI (Server Name Indication) was ignored. We found that was blocked on IP level and so was

We found that blockades on the IP level were forwarded to port 8008 on the FortiGate gateway. Accessing the gateway directly gives a login prompt for disabling filters.

If you’re interested, their 756 page system manual is publicly available for download. If you read between the lines you’ll be able to extract information on how to work around their censorship or even disable it completely. :-)

FortiGate categories

  • Abortion
  • Abused Drugs
  • Adult Materials
  • Advertisements
  • Advocacy Groups
  • Alcohol and Tobacco
  • Arts and Entertainment
  • Brokerage and Trading
  • Business and Economy
  • Computer Security
  • Cult or Occult
  • Cultural Institutions
  • Dynamic Content
  • Education
  • File Sharing and Storage
  • Financial Data and Services
  • Freeware and Software
  • Download
  • Gambling
  • Games
  • Gay or Lesbian or Bisexual Interest
  • Government and Legal Organizations
  • Hacking
  • Health
  • Illegal or Questionable Information
  • Technology
  • Internet Communication
  • Job Search
  • Malicious Web Sites
  • Medicine
  • Militancy and Extremist
  • Military Organizations
  • Miscellaneous
  • News and Media
  • Nudity
  • Pay to Surf
  • Personals and Dating
  • Political Organizations
  • Pornography
  • Racism or Hate
  • Reference Materials
  • Religion
  • Search Engines and Portals
  • Shopping and Auction
  • Social Organizations
  • Society and Lifestyles
  • Special Events
  • Sports
  • Spyware
  • Streaming Media
  • Tasteless
  • Travel
  • Vehicles
  • Violence
  • Weapons
  • Web Hosting
  • Web-based Email

FortiGate classification levels

  • Unclassified
  • Cached Content
  • Multimedia
  • Search
  • Image Search
  • Audio Search
  • Video Search
  • Spam URL
  • Personal Privacy