Conocimientos Libres of CiberGuerra Colombia Releases Leaks & Vulnerabilities of 11 Websites Across Colombia

Earlier this evening I came across a massive round of leaks dumped online by a South American hacker known as “Conocimientos Libres” on April 3rd 2019. What’s particularly interesting about the leak is that the hackers behind them claim to have carried out their operation in retaliation for what they call “false independence” offered to them by their Government.  While the hacker could not be reached for comment, I assume their operation steamed as the result of two recent political developments inside the country.

The first would be the fact that Ivan Duque recently attempted, but ultimately failed to assassinate the President of Venezuela – Nicolas Maduro. If not this, then surely they are referring to President Ivan Duques’s recent decision to overturn/veto portions of peace treaties signed with para-military groups, agreements which have brought the country increased levels of prosperity, growth and stability over the last several years.

Full Leak In Its Entirety:

1 > Sitio Web Bogota Hacked:

[+] https://ghostbin.com/paste/ygtqo
[+] https://ghostbin.com/paste/d48az

2 > Sitio Web Eseisabu Hacked:

[+] https://ghostbin.com/paste/yg3p7

3 > Sitio Web Sedtolima Hacked:

[+] https://ghostbin.com/paste/orx7r

4 > Sitio Web Dane Hacked:

[+] https://ghostbin.com/paste/tef6n

5 > Sitio Web amvcolombia Hacked:

[+] https://ghostbin.com/paste/or8qb

6 > Sitio Web esemorenoyclavijo Hacked:

[+] https://ghostbin.com/paste/mkgxj

7 > Sitio web minagricultura Hacked:

[+] https://ghostbin.com/paste/nzc2x

8 > Sitio Web mineducacion Hacked:

[+] https://ghostbin.com/paste/ed6rd
[+] https://ghostbin.com/paste/ed6rd/raw
[+] https://ghostbin.com/paste/kasje
[+] https://ghostbin.com/paste/kasje/raw

9 > Sitio Web educacioninicialtolima Hacked:

[+] https://ghostbin.com/paste/nxz5z
[+] https://ghostbin.com/paste/nxz5z/raw

10 > Sitio Web hsrespinal Hacked:

[+] https://ghostbin.com/paste/amz8r
[+] https://ghostbin.com/paste/amz8r/raw

11 > Sitio Web cavasa Hacked:

[+] https://ghostbin.com/paste/a8wgg
[+] https://ghostbin.com/paste/a8wgg/raw

8 Government Agencies Across Colombia Hacked, Thousands of Contractors, Users, Administrators, Employees & Personnel Exposed in Data Breaches

I’ve told different hackers and hacking groups in the past that I want to see them leave their hands off Colombia, but I cant control them anymore than I can control the news now can I? To this effect, throughout the course of the day Tuesday, March 19th 2019, “Al1ne3737” of “Pryzraky” announced a new round of hacks and leaks – this time effecting the six Government agencies across Colombia. More specifically implicated in today’s release were Colombia’s Secretary of Education, Observatory of Interinstitutional Environmental Agendas, Municipal Council of San Jose de Cúcuta, the Developmental Department of Planning of Tolima, Hospital of San Rafael de Tunja and ESE Moreno y Clavijo.

The most significant of the data breaches implicated the first round of leaks was the Secretary of Education, exposing the names, login and passwords of 313 global users, along with access to the emails of 517 users. The website was also defaced with Alne3737‘s cover photo and a repeating sentence reading “Hacked by @Al1ne3737.” Meanwhile, the logins of the primary administrator of the Observatory of Interinstitutional Environmental Agendas was also exposed in the data breach, as was the logins of 46 other users and access to the personal emails of 48 more – including government employees. Lastly, the hack of the Municipal Council of San Jose de Cúcutam revealed the logins of 2 site administrators, granting full access to the pages back-end.

Targets Round 1:

SedTolima: hxxps://sedtolima.gov.co/
Observatorio de Agendas Interinstitucionales Ambientales – CAR: hxxp://oaica.car.gov.co/
Corporación Concejo Municipal De San Jose de Cúcucta: hxxp://concejocucuta.gov.co/

Deface Location: https://www.sedtolima.gov.co/administrador/modulos/instituciones/noticias/vista_previa_noticia.php?cod=682
Deface Mirror: http://www.zone-h.org/mirror/id/32278133?hz=1
Original Leak: https://www.hastebin.com/aguqamuwav.nginx
Leak Backup: https://pastebin.com/3d9GxdFS

The most significant data breach of the evening hours effected the Developmental Department of Planning of Tolima, exposing the login username and passwords of 171 politicians. As of the early morning hours of March 20th 2019, the website belonging to the Department of Tolima has been shut down and remains offline, presumably “for repairs” – lol. Additionally, the login user names and joint passwords of 256 contractors of the Hospital San Rafael de Tunja were also exposed by the data breach, trimmed from a larger table of 758 contractors. Lastly, the hack/leak of ESE Moreno y Clavijo exposed the login usernames and passwords of 9 site administrators.

Serving as proof of how she gained access to each of the websites, Alne3737 also released the SQL Injection (SQLi) points of vulnerability attached to each website – as well as the SQLi point of vulnerability of two additional website not named in the leaks. As for why the hacks were pulled off or why she decided to hack Colombia here today, Al1ne3737 said she did it as a favor for a friend – lol. In a message accompanying each leak, Al1n3737 also left behind a message translated from Indonesian reading “A child will be born today and grow old with no conception of privacy. They will never know what it means to have a private moment to themselves, or thoughts which aren’t registered and analyzed. And this is a problem because privacy is important; privacy and peace of mind is what we all need to determine who we are and who we want to be.

Targets Round 2:

Ejecutor Tolima: hxxp://www.ejecutortolima.gov.co/
Hospital San Rafael de Tunja: hxxp://www.hospitalsanrafaeltunja.gov.co/
ESE Moreno y Clavijo: hxxp://www.esemorenoyclavijo.gov.co/

Additional SQLi Target 1: hxxps://www.idrd.gov.co/SIM/CS_RendimientoDeportivo/Presentacion/MedalleroDeportista.php?id=1016084157
Additional SQLi Target 2: hxxps://www.emserpa.gov.co/modulos/contrato.php?id=38

Leak: https://www.hastebin.com/yomipemozi.nginx
Leak Backup: https://pastebin.com/ubjnir0y

Screen Shot of Defaces:

Image may contain: 1 person

Image may contain: text

https://twitter.com/al1ne3737/status/1108046306847744001

https://twitter.com/al1ne3737/status/1107845965522845696

Colombian President Duque Promotes 9 Officials Guilty of War Crimes To Lead National Military Efforts

(HRW) – The Colombian government has appointed at least nine officers credibly implicated in extrajudicial executions and other abuses to key positions of the army, Human Rights Watch said today. At least three of the officers are under investigation, and prosecutors are investigating killings by forces under the command of the other six.

On December 10, 2018, the government of President Iván Duque appointed General Nicacio de Jesús Martínez Espinel as the new head of the country’s army. On December 21, Gen. Martínez Espinel and Defense Minister Guillermo Botero appointed other new commanders to key army positions. Human Rights Watch has identified evidence linking eight of these officers, as well as General Martínez Espinel, to “false positive” killings and other abuses. From 2002 through 2008, in the cases that have come to be known as false positives, army personnel carried out systematic killings of innocent civilians to boost body counts in the country’s long-running armed conflict.

The Colombian government should be investigating officers credibly linked to extrajudicial executions, not appointing them to the army’s top command positions,” said José Miguel Vivanco, Americas director at Human Rights Watch. “By appointing these officers, the government conveys the troubling message to the troops that engaging in abuses may not be an obstacle for career success.

Human Rights Watch reasearch has shown that patterns in false positive cases – including their systematic nature and the implausible circumstances of many of the reported combat killings – strongly suggest that commanders of units responsible for a significant number of killings knew or had reason to know about them. Under international law, commanders are not only responsible for war crimes or crimes against humanity that they directly order and carry out. They must also be held criminally responsible if they knew or had reason to know that subordinates under their effective control were committing such crimes and failed to take all necessary and reasonable steps in their power to prevent or punish the act.

Summary – Evidence of Senior Army Officers’ Responsibility for False Positive Killings in Colombia: https://www.hrw.org/report/2015/06/24/their-watch/evidence-senior-army-officers-responsibility-false-positive-killings#
Download Full 111 Page Report: https://www.hrw.org/sites/default/files/report_pdf/colombia0615_4up.pdf

The newly appointed officers credibly linked to abuses are Martínez Espinel, head of the army; Jorge Enrique Navarrete Jadeth, Head of General Staff for Human Resources and Logistics; Raúl Antonio Rodríguez Arévalo, Head of General Staff for Planning and Policies; Adolfo León Hernández Martínez, head of the Army Transformation Command; Diego Luis Villegas Muñoz, head of the Vulcano Task Force; Edgar Alberto Rodríguez Sánchez, commander of the Aquiles Task Force; Raúl Hernando Flórez Cuervo, commander of the National Training Center; Miguel Eduardo David Bastidas, commander of the 10th brigade; and Marcos Evangelista Pinto Lizarazo, commander of the 13th brigade. All of them are army generals.

Gen. Martínez Espinel was second-in-command of the 10th brigade from October 2004 to January 2006. Prosecutors have opened investigations into 23 killings by 10th brigade troops in 2005.

Human Rights Watch had access to a access to a document signed by then-colonel Martínez Espinel certifying a payment of COP 1,000,000 (US$400) to an informant who provided information leading to “excellent results” in two military operations. In one of them, troops reported the “kill of a female ‘no name’ subject and a male ‘no name’ subject, apparently belonging to the Front 59 of the FARC.” Yet courts have concluded that the people killed were Hermes Enrique Carrillo Arias, an indigenous civilian, and 13-year-old Nohemí Esther Pacheco Zabata.

Official Court Docs:

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2019/02/combinepdf.pdf”%5D

In 2011, a court convicted two soldiers and a former paramilitary member for murdering the pair. It found that troops abducted the victims from their home at dawn, murdered them, placed weapons on their bodies, and reported them as FARC guerrillas killed in combat. In 2013, an appeals court asked the Attorney General’s Office to investigate “possible [criminal] conduct due to [possible] lack of control by the superiors.”

Gen. Navarrete Jadeth, the new General Staff for Human Resources and Logistics, was the second-in-command of the 8th brigade between July 2007 and August 2008. The Attorney General’s Office has opened investigations into at least 19 killings by the 8th brigade in 2008.

Human Rights Watch reviewed a document signed by Gen. Navarrete Jadeth in March 2008, certifying a 2,000,000 Colombian pesos (US$1,000) payment to an informant for information that led to the “death in combat of two terrorists.” In April 2012, a court concluded that the “terrorists” were unarmed civilians who had been recruited from a nearby city and extrajudicially executed.

Official Docs:

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2019/02/3.pdf”%5D

Colombian courts have convicted hundreds of soldiers for their role in extrajudicial killings, the vast majority of them low-ranking. But the authorities have failed to prosecute senior army officers allegedly responsible for illegal killings. Instead, the authorities have promoted many of these officers through the ranks, allowing several to hold top positions in the armed forces.

The administration of former President Juan Manuel Santos also appointed officers linked by credible evidence to false positives to key army positions. Gen. Juan Pablo Rodríguez Barragán, under criminal investigation for such killings, headed the Colombian armed forces from 2014 through 2017.

A portion of United States military aid to Colombia is subject to human rights conditions. In 2018, the conditions included that “military personnel responsible for ordering, committing, or covering up cases of false positives are being prosecuted and appropriately punished, including removal from positions of command.”

For an analysis of the evidence against the nine military officers, please see below.

Evidence Against New Commanders

Human Rights Watch reviewed dozens of judicial rulings, testimonies, Attorney General’s Office reports, and other files relating to the army officers who were appointed in December. At least three of the nine are under investigation by the Attorney General’s Office. Prosecutors are investigating numerous killings by soldiers in units under the command of the others. The following is a summary of the evidence implicating the nine officers (the information is presented following the officers’ hierarchy in the army).

Nicacio de Jesús Martínez Espinel (Head of the Army)

Gen. Martínez Espinel was second-in-command of the 10th brigade, which operates in the northeastern provinces of La Guajira and Cesar, between October 2004 and January 2006. A 2016 report by the Attorney General’s Office indicates that prosecutors have opened investigations into 23 killings by 10th brigade troops in 2005.

For example, in a ruling in June 2011, a court found that in February 2005 soldiers from the Popa battalion of the 10th brigade abducted Carrillo Arias, an indigenous civilian, and 13-year-old Pacheco Zabata from their home at dawn, murdered them, placed weapons on their bodies, and reported them as FARC guerrillas killed in combat. The court that convicted the soldiers concluded that the victims were shot in the back and that their alleged weapons had never been fired. It also found that the battalion lacked the legally required documents on the operation, including those that should have recorded the amount of ammunition used in the alleged firefight.

Human Rights Watch reviewed a document signed by then-colonel Martínez Espinel certifying a payment of COP 1,000,000 (US$400) to an informant who provided information that led to the “excellent results” in this and another operation.

Download Document Here: https://www.hrw.org/sites/default/files/supporting_resources/doc_2_1.pdf

Human Rights Watch identified other serious inconsistencies in several documents signed by Martínez Espinel allegedly certifying payments to informants who supposedly led 10th brigade troops to engage and kill enemies. These include the following:

  • In four separate instances, based on documents in an Attorney General’s Office file, prosecutors found that the names and ID numbers of alleged informants did not match.
  • In two documents certifying payments to informants, the dates of the alleged operations do not make sense. In one case, on May 17, 2005, Martínez Espinel authorized payment of 1,000,000 Colombian pesos (US$400) as a reward for information that, according to the same document signed by Martínez Espinel, led to an operation conducted on May 20 – three days later. In this supposed operation, a “no name” person “apparently belonging to the FARC 41st front” was reported killed.

Past Human Rights Watch research had shown that between 2002 and 2008 military officers fabricated documents to obtain economic perks for reported kills on multiple occasions, including in false-positive cases. Human Rights Watch was not able to confirm whether any of the kills for which Gen. Martínez Espinel authorized payment, aside from the murder of Carrillo Arias and Pacheco Zabata, were false positives because, in the relevant military documents reviewed, the people killed were not named. Most of the dead were reported as “no name.”

Jorge Enrique Navarrete Jadeth (Head of General Staff for Human Resources and Logistics)

As the head of General Staff for Human Resources and Logistics, Gen. Navarrete Jadeth oversees several army commands, including those in charge of personnel, logistics, and recruitment. Gen. Navarrete Jadeth was the second-in-command of the 8th brigade from July 2007 through August 2008. The Attorney General’s Office has opened investigations into at least 19 killings by the 8th brigade in 2008, the Attorney General’s Office files show.

A document signed by Gen. Navarrete Jadeth in March 2008 certified a 2,000,000 Colombian pesos (US$1,000) payment to an informant for information that led to the “death in combat of two terrorists.” In April 2012, a court concluded that the “terrorists” were unarmed civilians who had been recruited from a nearby city and extrajudicially executed.

A 2015 file indicates that prosecutors were investigating Gen. Navarrate Jadeth’s role in alleged cooperation with paramilitary groups. The investigation was triggered, the file says, by the testimony of a former paramilitary fighter, Adolfo Enrique Guevara Cantillo, who said that Gen. Navarrete Jadeth cooperated with paramilitaries. The Attorney General’s Office has not publicly indicated whether it has closed the investigation or whether it intends to charge the general.

Raúl Antonio Rodríguez Arévalo (Head of General Staff for Planning and Policies)

As the new Head of General Staff for Planning and Policies, Gen. Rodríguez Arévalo oversees several army departments, including those in charge of intelligence, counterintelligence, and military education.

Gen. Rodríguez Arévalo was commander of the Popa battalion of the 10th brigade during parts of 2005 and 2006. The Attorney General’s Office has opened investigations into 21 killings in 2005 and 13 in 2006 by Popa soldiers, an Attorney General’s Office report shows. These include at least four cases in which Colombian courts have convicted a total of nine soldiers for their role in 10 killings.

Attorney General Report:

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2019/02/doc_1_1.pdf”%5D

In one case, on November 20, 2005, Popa soldiers murdered three civilians in San Diego, in Cesar province, reporting them as enemies killed in action. The night before, lured by bogus job offers from two men, the victims had traveled the more than 300 kilometers to San Diego from the Soledad municipality in Atlántico province. In 2014, a court convicted a lieutenant and a sergeant of the murders. A radiogram signed by then-lieutenant colonel Rodríguez Arévalo described the alleged operation, indicating that “four ‘no name’ male bandits” were killed in action as they tried to “extort a coffee producer of the region.

Copy of Radiogram:

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2019/02/doc_6_1.pdf”%5D

In February 2017, a soldier told prosecutors that Gen. Rodríguez Arévalo was directly involved in false positives. The following testimony regards one of many cases the soldier described (italics added):

[W]e took two people from their houses. The first one was a black man whom we took from a house that was like a store. The other house was at a diagonal to this one, to the left… then a guide took us to [another area], and there, [a] lieutenant ordered me to kill the man from the store. I executed him.

The lieutenant gave [another] soldier the order to kill the other man. We asked asked the lieutenant how we were going to [report these kills] since we didn’t have any weapons. He said,don’t worry, my uncle [will help], referring to Colonel Rodríguez Arévalo. “When we arrived at battalion headquarters, in Loma Seca, we waited [until] a helicopter arrived. Colonel Rodríguez Arévalo and [another officer] were there. They took down some black bags, I didn’t know what they contained. Then, they started organizing landmines with detonating cords, a rifle, a pistol and explosives. They put these by the [dead] people and took photos to say that there had been combat; but there was none… due to these kills, the colonel [Rodríguez Arévalo] sent his nephew to do a pilot course [apparently as a reward].

Adolfo León Hernández Martínez (Head of the Colombian Army Transformation Command)

Gen. Hernández Martínez was named head of the Colombian Army Transformation Command, a unit that advises the head of the army on policies to modernize the force. From December 2007 through June 2009, Gen. Hernández Martínez commanded the Popa battalion of the 10th brigade. Prosecutors have opened investigations into seven killings by the Popa battalion in 2008, an Attorney General’s Office report shows.

In one case, on January 23, 2008, Popa troops killed a 16-year-old civilian, Aldemar García Coronado, and reported him as an enemy killed in action. In 2013, a soldier and a sergeant were convicted of the crime. A radiogram signed by then-lieutenant colonel Hernández Martínez, indicates that soldiers involved in the operation “entered into combat” with “5 terrorists” of “criminal bands,” resulting in the killing of one enemy.

Diego Luis Villegas Muñoz (Head of the Vulcano Task Force)

Gen. Villegas Muñoz was appointed head of the Vulcano Task Force, a special unit that operates in the northeastern zone of Catatumbo, on the border with Venezuela. He is currently facing criminal prosecution for the killing of Omer Alcides Villada, a farmer with mental disabilities. Soldiers of the Pedro Nel Ospina battalion allegedly murdered the farmer in March 2008 and reported him as a FARC fighter killed in combat. Villegas Muñoz commanded the battalion at the time.

A document signed by Villegas Muñoz certified a payment of 1,500,000 Colombian pesos (US$800) to an informant who supposedly provided information that led to the operation in which Villada was killed. But in the alleged informant’s testimony to prosecutors, he said that he had never provided information to the army or received a payment.

Villegas Muñoz also signed two reports regarding the operation. The reports reveal several irregularities, a prosecutor said in a hearing on the case, including that the operation was in a different municipality than the military order specifies.

In December 2016, a judge issued an arrest warrant for Gen. Villegas Muñoz. But a 2017 decree linked to the justice component of the peace accord with the FARC prevented execution of the warrant, an Attorney General’s Office letter indicates. The decree allows authorities to suspend arrest warrants in cases linked to the armed conflict.

Presidential Decree:

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2019/02/DECRETO-706-DEL-03-DE-MAYO-DE-2017.pdf” title=”DECRETO 706 DEL 03 DE MAYO DE 2017″]

Edgar Alberto Rodríguez Sánchez (Commander of the Aquiles Task Force)

Gen. Rodríguez Sánchez was appointed commander of the Aquiles Task Force, a special unit that operates in the northern area of Bajo Cauca. From July 2006 through December 2007, he commanded the Magdalena battalion of the 9th brigade. Prosecutors have opened investigations into at least 22 alleged killings under his command, files from the Attorney General’s Office show.

Raúl Hernando Flórez Cuervo (Commander of the National Training Center)

Gen. Flórez Cuervo was named commander of the National Training Center in Bogotá, where soldiers take specialized courses. Flórez Cuervo commanded the Domingo Caicedo infantry battalion of the sixth brigade for at least part of 2008. The Attorney General’s Office has opened investigations into at least five killings by the battalion in 2008.

Investigation:

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2019/02/doc_9_0.pdf”%5D

In May 2014, a court in Bogotá convicted five soldiers from Flórez Cuervo’s battalion of the January 2008 killing of Israel González, a trade unionist whom battalion soldiers reported as a guerrilla fighter killed in combat. The court concluded that the combat never took place. Instead, soldiers murdered González and placed unused weapons and a broken radio containing Army batteries on his body. Gen. Flórez Cuervo signed the “operations order” authorizing the operation.

The court asked the Attorney General’s Office to “carry out investigations regarding other people possibly responsible for these crimes who could have been involved in signing orders for the operation in which Israel González was killed.Human Rights Watch was not able to confirm whether any investigations were pursued due to this request. An official within the Attorney General’s Office told Human Rights Watch, in July 2017, that no record existed of investigations into Flórez Cuervo’s possible role in killings by the Domingo Caicedo battalion.

Conviction of Soldiers:

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2019/02/Sentencia-Rad.-2008-80027.pdf”%5D

Miguel Eduardo David Bastidas (Commander of the 10th brigade)

General David Bastidas was named commander of the 10th brigade.

David Bastidas is currently facing prosecution for his role in abuses during parts of 2004 and 2005, when he was second-in-command of the Jorge Eduardo Sánchez artillery battalion of the fourth brigade. In a November 2017 indictment, a prosecutor charged him in connection with his alleged role in 32 cases of murder, 14 enforced disappearances, and 10 cases of torture. The prosecutor contended that Gen. David Bastidas failed to act on these crimes despite the implausible circumstances of the reported kills.

Copy of Indictment:

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2019/02/doc_10_0.pdf”%5D

Marcos Evangelista Pinto Lizarazo (Commander of the 13th brigade)

Gen. Pinto Lizarazo was appointed commander of the 13th brigade, which operates in Bogotá. From October 2006 through April 2007, Gen. Pinto Lizarazo commanded the Anastasio Girardot battalion of the 4th brigade. Prosecutors have opened investigations into 23 alleged killings by the battalion’s troops in 2006 and 22 in 2007, files from the Attorney General’s Office show. For example, in 2011, a court convicted four Anastasio Girardot soldiers for the murder, in December 2006, of two civilians who were falsely reported as being FARC militiamen.

Gen. Pinto Lizarazo also commanded the Magdalena battalion of the 9th brigade between December 2007 and September 2009. Prosecutors have opened investigations into 18 killings allegedly committed by the battalion’s troops in 2008, the Attorney General’s Office files show.

On January 18, 2008, Magdalena troops killed Ever Urquina Rojas, a peasant, in the San Agustin municipality and reported him as a “no name” enemy killed in action. Sargent William Andrés Vargas Capera confessed and pleaded guilty. In his plea bargain, he said he intentionally hid the victim’s ID and clothes. A document signed by Pinto Lizarazo certified a payment of 1,500,000 Colombian pesos (US$770) to an informant who supposedly provided information that led to the operation in which Urquina Rojas was killed. But prosecutors concluded that the alleged informant “did not provide any information related to Ever Urquina Rojas,” an Attorney General’s Office document shows.

Copy of Docs:

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2019/02/combinepdf-1.pdf” title=”combinepdf (1)”]

In a December 11, 2015, hearing, procescutors questioned Gen. Pinto Lizarazo on his role in false positives when he was commander of the Magdalena battalion. Under Colombian criminal procedure, such hearings are one of the first steps in forming a case. The case against Gen. Pinto Lizarazo is still open, but no progress has been made since December 2015, a lawyer representing victims in the case told Human Rights Watch.

Question from Prosecutors:

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2019/02/doc_13_1_0.pdf”%5D


This article was originally published by Human Rights Watch on February 27th 2019. It was republished, with permission, using a Creative Commons BY-NC-ND 3.0 US License, in accordance with the Terms & Conditions of Human Rights Watch | Formatting edits & PDF Files added/embedded by Rogue Media Labs

Op-Ed: Understanding How The Future of Cyber & Data Security Is Directly Tied To History’s Strongest Banking Sectors

I haven’t really spoken much publicly about it yet, but outside of building my websites and publishing new material online, over the course of the last several weeks and months I’ve also begun the process of putting together different proposals in an attempt to launch my own cyber security business. More specifically, I’m interested in starting a data hosting/data security service with the possibility of launching a world class VPN service along side of it.

Knowing full well that this is a venture I can not successfully achieve here in the United States, I’ve begun approaching various international banking institutions and Government agencies worldwide to get a feel for how likely they’d be to stake and/or sponsor me with a business loan, as well as to gauge how different countries or Government agencies would react to my proposed businesses plan – which would essentially lock out all Government requests for data/information on all of my customers, something I’d also be unwilling to compromise on. This is also why I say that I could never operate my business in an ideal way inside the United States, because given this countries laws and current administration, it’s literally impossible to block to the US Government from seizing any/all corporate data hosted inside US borders or out if they really want it – just ask Microsoft or LavaBit about that.

To date, I have either sat down with or submitted proposals to representatives at Toronto-Dominion Bank here in New York City, the Bank of The Bahamas in Nassau, CBH Bahamas and Ministry of Foreign Affairs in Colombia. During my presentations I have essentially explained to each of them the same concept, which is the fact that one of the newest trends inside the cyber/data security industry is a switch over to countries with historically strong banking industries, because these countries actively host the most stringent business confidentiality and data privacy laws – something growing ever more precious for international cyber security companies, especially headed into the future.

Learn More – Country of Origin & How It Relates To Data Security Choices or Decisions: https://roguesecuritylabs.ltd/misconceptions-nationalism-and-security/

In my presentations, I’ve explained to them how it’s my intention to start a new business model capitalizing on data confidentiality laws in countries such as the Bahamas, by hosting data servers outside the reach or jurisdiction of invasive Government agencies – which are perhaps THE single largest threat to data security in the world today, right Russia? Think of the conception of my business in the same context as starting a new bank, only instead of securely holding money for customers I would be locking up and securing/guaranteeing data files. This is also a unique business model or selling point that no one on Earth is currently offering, which is why I believe I can be successful at it. For the purposes of this article, I will keep the methodology through which I intend to secure my customers data confidential.

As an example, here is a sample of an exchange between me and a representative of Toronto-Dominion Bank in New York City dated December 10th 2018:

Image may contain: text

And here is another sample of an exchange between me and representatives at the Bank of the Bahamas earlier that same day on December 10th 2018:

No photo description available.

And lastly, here is a sample of an inquire filed with Colombia’s Ministry of Foreign Affairs on January 26th 2019:

No photo description available.

Needless to say however, despite however interested and/or fascinated they were by my proposals, no one has ever actually offered me a loan – and presumably never will. What’s interesting though is that I distinctly remember telling TD Bank in a sit down interview that I was afraid to put together a full research report for them, fearing that someone would think my business was a great idea, but would just reject my loan and use the information for themselves to advance their own agendas. As fate would have it, this also appears to be exactly what has happened – welcome to America.

Imagine my surprise this morning when I wake up and read a ‘new report‘ originally published by an Israeli based security firm known as Radware on February 7th 2019, entitled “What Do Banks and Cybersecurity Have In Common? Everything.” In it, researchers loosely explain how cyber security companies of the future need to begin thinking of their their brands, business and product much in the same way as banks do, employing the same safe guards to protect data as banks do to protect money. Essentially, their report is just a “bastardized” version of everything I had been presenting/proposing to international banks for month/weeks beforehand.

In other news, sure would like to see #OpIcarus keep rolling along……….. 😉

Corporación Universitaria Minuto de Dios In Bogotá Hacked, Student Database Contents Leaked Online

In news first brought to my attention via DefconLab earlier today, January 12th 2019, a hacking group by the name of “KelvinSecurity” (KelvinSecTeam) has announced a hack and data leak effecting the Corporación Universitaria Minuto de Dios (UniMinuto) in Bogotá, Colombia. In a leak posted to Pastebin, hackers released the school ID numbers, names and email addresses of hundreds of students, along with the name and email addresses of a little more than half a dozen school administrators. Investigating the leak further, the hackers also list the file folder names of 16 other data tables, including login information/credentials, school documents, department IDs and much more – indicating that hackers were able to gain administrator level access over the entire website.

While the group has traditionally been associated with Venezuela, today’s leak featured a message written in Belarusian, reading “KelvinSecurity is a person looking to gather information for talented people all around the work, connecting to networks exploiting their systems.” Historically, the group has been known to announce hacks in hopes of selling any data obtained from it online, though there is no indication the hackers are attempting to sell any data uncovered from Colombia today.

Website: hxxp://uniminuto.edu/

No photo description available.

Wikileaks Releases “US Embassy Shopping List,” +16,000 Procurement Requests/Documents Released from US Embassies Worldwide

Less than 24 hours after Twitter locked Julian Assange and Wikileaks staff members out of their online accounts, perhaps in anticipation of this very event, Wikileaks announced the release their latest leak. Officially entitled “US Embassy Shopping List,” the leak contains access to a searchable database of over 16,000 procurement requests posted/received by United States embassies around the world. While the majority of documents are rather mundane in nature, some of them shed light on some very interesting material/topics, including the US’s sponsorship of mass surveillance programs and operations – documenting the distribution of spy equipment to various countries around the world.

Not only do the documents shed light into what the US Government does with at least some of its seemingly endless foreign aid, it also shows the true extent to which so many countries and Governments around the world are utterly dependent on US assistance – having to suckle at the US Government’s tit for even the most basic of jobs/tasks. About the leak, as was explained by Wikileaks in a press release dated December 21st 2018:

All US embassies post requests for quotations and job listings on their websites when they need to purchase goods or services. In some cases, these requests may hint at covert activities performed by US agencies in the country. For example, in an August 2018 procurement request forTactical Spy Equipment,the US embassy in El Salvador asked vendors to provide 94 spy cameras, most disguised as everyday objects such as ties, caps, shirt buttons, watches, USB drives, lighters, and pens. Similar spy cameras were also requested by the US embassy in Colombia.

The majority of the procurement requests focus on mundane activities required for the day-to-day operation of embassies and consulates, such as construction projectslaundry service, and gutter cleaning. In one case, the US consulate in Guayaquil, Ecuador lost track of the number of fish in its fishpond and needed someone to count the fish and clean the pond. Interspersed among these banal requests are documents that provide insight into the priorities and agenda of the US Government abroad. For example, to promote trade interests in China, the US consulate in Shanghai requested the production of “three marketing and promotional videos that highlight U.S. beef quality”.

Even the banal requests may be worth scrutiny because numerous secret programmes are operated out of US embassies. WikiLeaks’ Vault 7 publications showed that the CIA’s Center for Cyber Intelligence runs a covert hacking base out of the US consulate in Frankfurt and the documents disclosed by Edward Snowden revealed that the NSA and CIA jointly operate a covert signals intelligence programme called the Special Collection Service, which uses US embassies around the world as bases for interception of communications and clandestine operations. These procurement documents do not appear to include details related directly to these programmes, but they do include information about the actual activities of the divisions used as cover for CIA programmes, note which jobs require security clearance, and provide clues about the existence of infrastructure that may be potentially useful to US intelligence services operating abroad, such as the data center at the Frankfurt consulate.

While these procurement requests are public information, they are only temporarily linked to from US embassy websites while the request is open. But even after the links to the requests are removed, the files remain online. This is because all US embassies use WordPress and the procurement documents are stored in their WordPress uploads folder. So although older procurement documents may not be obviously available, the WordPress uploads can be searched via both the search function on the embassy’s website and third-party search engines. The US Embassy Shopping List preserves these requests and makes them more accessible by collecting the documents uploaded to US embassy websites, filtering for the procurement-related files, and presenting them in a searchable database.

Browse Entire Procurement Database Here: https://shoppinglist.wikileaks.org/

New Report Highlights Global Failure of “The War On Drugs”

A new study has been released highlighting the combined/collective global failure of “the War on Drugs.” Not only does the data/information outline how an authoritarian approach to anti-drug policies has failed over the years, but it also goes on to explain why these same policies have actually had tremendous negative impacts on organized societies around the world at the same time – including global health, human rights, public safety and economic progress.

As a result, the International Drug Policy Consortium (IDPC), the international group behind the report featured blow, is calling for major political reforms to international policy when it comes to drug abuse and drug enforcement, going just short of calling for an outright end to the War on Drugs itself.  “This report is another nail in the coffin for the war on drugs,” said Ann Fordham, IDPC’s executive director of IDPC, in a statement. “The fact that governments and the UN do not see fit to properly evaluate the disastrous impact of the last ten years of drug policy is depressingly unsurprising.

The report, entitled “Taking stock: A decade of drug policy,“ evaluates the impacts of drug policies worldwide over the course of the last decade, using data from the United Nations, peer-reviewed academic research, as well as a collection of grey literature from civil society.

What Did It Find?

The study concluded that drug enforcement policy has failed to decrease both drug consumption and production. Not only this, but these same failed polices have only made many countries, cities and communities less safe. At the same time, many countries, such as Afghanistan, have only seen opium production/distribution increase. In other countries such as the United States for example, the failed War on Drugs has only led to a self proclaimed Opioid epidemic/National emergency. Meanwhile, as a result of these same drug policies, the United States literally arrests more citizens per capita than any country on Earth.

Instead of reducing the overall scale of the illegal drug market,” notes the executive summary (pdf), “overly punitive drug policies have often exacerbated violence, instability and corruption.

Moreover, while global drug policies were specifically designed to reduce the spread/production of 3 major crops, opium poppy, coca, and cannabis, the study found that all 3 crops have only increased in production over the course of the last ten years. For example, the report estimates that opium yields are up 130% from this time in 2008, while coca production has also increased another 34%. While Cannabis figures were a little harder to calculate, given marijuana’s growing legal status all around the world over the last several years, it is safe to assume that Cannibus production has also increased.

What we learn from the IDPC shadow report is compelling. Since governments started collecting data on drugs in the 1990s, the cultivation, consumption and illegal trafficking of drugs have reached record levels,” wrote Helen Clark, former Prime Minister of New Zealand and a member of the Global Commission on Drug Policy, in the report’s foreword. “Moreover,” she added, “current drug policies are a serious obstacle to other social and economic objectives and the ‘war on drugs’ has resulted in millions of people murdered, disappeared, or internally displaced.

View Report In Its Entirety:

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2018/10/Shadow_Report_FINAL_ENGLISH.pdf”%5D

Data Servers, Country of Origin & Sound Cyber Security

The other day I sent out a “Tweet” and proceeded to lose 30% of my combined followers, literally overnight. The Tweet explained how the 53rd Street Library in New York City had expressed weariness over allowing me to instruct or teach lessons at their facility after coming to the realization I work with and source a great deal of my content through international partners. I had cracked the joke; “Rogue Security is getting the Kaspersky treatment? Must be moving up in the world?…

For those of you who might not be familiar with the backdrop or sarcasm expressed here, Kaspersky Lab has recently become one of the most polarizing names in cyber security dating back to the 2016 US Presidential election. This is because many people have come to believe that the Kremlin deliberately altered Russian Law in order to corrupt/compromise Russian based businesses, which Kaspersky is, into handing over confidential information relating to customer databases. Moreover, considering that Kaspersky Lab was one of the most widely utilized software developers purchased by US Government employees and contractors over the years, it is now believed that Kaspersky Lab itself was one of the key players behind the whole Russian hacking election fiasco – whether they voluntarily intended to be or not. For this very reason, dating back to December 2017, all Kaspersky products have since been banned on the Federal level and their software has been pulled off the shelves of stores including Staples and Best Buy – though their products still remain legal on the civilian level.

However, it must be noted that what the Kremlin did is nothing new. In fact, this practice has been employed by the United States Government for far longer. You might be surprised to know that it is 100% illegal for any computer, privacy or cyber security company based out of the US to refuse to hand over their data, servers or customer records to the US Government, provided those servers and data are stored within United States borders. Believe it or not, it is even illegal for US based businesses operating servers/companies overseas to refuse to hand over their data if requested by US authorities. While Microsoft is currently taking this obligation to the Supreme Court, throughout the course of 2016 and 2017 multiple lower courts have upheld the US Governments right to demand this information. Not only this, but the acting attorney General, Jeff Sessions, has also vowed to make unfettered end-to-end encryption illegal as long as he is in office.

Therefore, at least when it comes to your data privacy, claiming that “those Russians” are any better or any worse than “those Americans” is nothing more than farcical, and your information is no more protected in the hands of The White House than it is the Kremlin. So, no matter how strong your sense of Patriotism or Nationalistic pride may be, the fact of the matter remains that your computer isn’t more secure just because you buy from an American company. In fact, you might be surprised to know that multiple independent tests and studies have confirmed Kaspersky Lab is the most secure software platform for Windows based devices, and other studies list Microsoft’s own platforms as the worst. Moreover, there is a very real reason none of the world’s top privacy/security companies host their services inside US territories.

With that established, let’s take a closer look at some of the other most notable countries in the field of cyber security these days.

Dont Necessarily Buy Into The Swiss Hype

Over the course of the last 3-4 years one of the biggest trends I’ve noticed is all of the “hype” surrounding Switzerland and their world renown reputation for protecting business privacy and confidentially. Traditionally, Switzerland has acquired this reputation for protecting foreign investors within their banking systems. However, it must be noted that the same protections afforded/granted to the multi-billion dollar banking system are not necessarily extend to the cyber security industry, and you can bet your ass that you are never going to get the same level of privacy or protection from the Swiss Government for your $50 a year VPN connection or email account that an investor is going to get for their multi-million dollar bank account – get it? Any thought to the contrary is just, well, dumb – really.

For lack of a better term, in 2018 it is a generally known fact that many companies are simply trying “bank” on Switzerland’s historic reputation and turn it into a few extra dollars for their cyber security companies. This is not to say however that there are not some top notch countries currently operating out of Switzerland.

In fact, for the very laws as they now exist inside Russia, Eugene Kaspersky has vowed to move all of his companies servers out of Russia and into Switzerland to provide his customers with a greater level transparency in hopes of regaining their trust. Other companies such as ProtonMail and Tutanota also operate out of Switzerland and are two of cyber securities most trusted vendors. Many of the industry’s top VPN service providers also operate their servers out of Switzerland. As always though, do your research and just be weary/cautious of all new tech startups in the country.

Don’t Trust The Netherlands

The Netherlands really started to lose the trust of the cyber security community dating back to 2016, following the closing of GhostMail email servers and a series of raids on VPN service providers around the country. Dutch authorities have remained quite about their recent change of policy, but prior to 2016 the Netherlands was considered by many to be one of the worlds fastest growing and most trusted names in cyber security/digital privacy. Because of this, the underground hacking community has long since speculated that the Dutch Government was ultimately pressured to crack down on digital privacy providers following a joint effort undertaken by the US Federal Bureau of Investigation and European Police (EUROPOL), whom had essentially had enough of criminals and/or terrorists taking advantage of security platforms operated out of the country. Fast forward into 2018, while there are still a few legacy companies operating out of the country, almost all new startups know not to do business there.

In March of 2018 I personally reached out to GhostCom Ltd, the original founders of Ghostmail, for comment on their closing and the true extend of the operation undertaken by Dutch/International police, but their legal team has declined any comments to this day.

Belgium & Ecuador Offer The Strongest Privacy Protections In The World

Ecuador is world renown for protecting digital privacy, internet rights and international freedom fighters. This is not only evidenced by Julian Assanges continued political asylum, Ecuador has also granted asylum to some of the worlds most elite and dangerous hackers over the course of the last several decades. By now, it is a well known fact that the Government of Ecuador is willing to do more than almost anyone else to shelter/protect political activists and members of the digital underground, helping them to continue doing what they are do safely and securely. For example, despite all of the “hoopla” surrounding Wikileaks, the Ecuadorian Government actually controls 100% of Julian Assanges internet connectivity. Yet, have you ever heard of any one of Assanges sources being compromised over the years? That is also exactly my point. For all these reasons, Ecuador is considered one of, if not the most trustworthy country in the world when it relates to data privacy and cyber security related practices.

Belgium on the other hand has a legal system in place which ensures Government accountability and restricts potential abuses of privacy/authority. This is because every request, subpoena or warrant for information, data, servers and digital accounts made in Belgium must first be brought in front of a judge, officially in court, and proven to be valid or legitimate before any Belgium authorities can have access to it. In other countries such as the United States for example, Federal employees can simple print out a file document, sign your name onto it and automatically have the right to search your accounts – it’s literally that easy for them. For this very reason, Belgium is considered to be one the most trustworthy and accountable countries in the world to do cyber security business with, leading the way in terms of informational security. On a side note, if I was a betting man, I would expect to see many more privacy/cyber security companies start popping up all over Belgium throughout the course of the next 5-10 years, especially given all of the recent changes/overhauls to internet/data laws now being enforced by the European Union.

Colombia On The Up & Up?

This really has nothing to do with computer security, it’s just a growing trend you might have started to pick up on recently. Starting around 2015, first led by small time internet activists and Anonymous, more and more website owners across the world began shifting or creating new domains with .co – this was done for a multitude of reasons. First off, .co is often times much cheaper than .com domains. Second, it is becoming harder and harder to find an original, unique or appropriate .com domain for your business, third because more people associate the word “company” with .co instead of .com, and lastly, .co helps make your website that much more unique and stand out from the crowd – which can be an asset in today’s overcrowded online marketplace.

As for Colombia itself, I think the rise of the .co domain only helps the country look that much more innovative comparatively to the rest of the world, which is why the Colombian Government has never really pushed back on all the international vendors registering new domains through their country, including myself.