Tigers of the Web

Posted by Wurfel-Waffles - June 5th, 2012


1) Introduction?

For educational purposes ONLY!

Waffles is my 'stage name'. I'm a senior security researcher who doesn't follow any rule made to limit my abilities and skills, in order to reach the unlimited of the cyber world. In other words, I'm a rogue employer. Greyhat by trade.

Off-note: :) if you find my music interesting, then thank you.

2) Purposes for our existence

Know your target and know yourself

Officially founded in 2008, Black Tiger Security is an international tiger team that joined forces from former hackers, software crackers, phishers and rogue goons of all types in computer security. We have foreseen the ongoing potential warnings and dangers of an all-out cyber war between nations and international attackers.

As one of the key members of our tiger group, I commanded and helped the members to carry out monthly massive and sophisticated blackbox attacks on several government, business and industrial infrastructures and databases of the US/CA/ME and DE/NL/UK/FR/IL sections. Started with well-planned phases and tactics, and ended with devastating strikes.

Our attack purposes are to carry out simulations of massive industrial espionage, possible cyber terrorist attacks and all-out cyber war. To be corrected by anyone who knows us, we are not a security think tank. We are just simply a bunch of computer experts who like to tweak and breach limited things. We rarely write whitepapers and reports. We only provide them if our clients need detailed information on what we do.

3) Example of our simple attack

We'd rather sink the Lulzboat and drown ourselves than be all pirates with the Lulzlosers.

http://www.2shared.com/document/nAIR4Y8T/Militar ySinglecom.html

Our dumps, bitches.

MilitarySingles.com REViSiTED aka RePwned!

A few weeks ago, the remains of the disbanded Lulzsec dumped data of over 100,000 accounts (mostly US military data) from MilitarySingles.com and let the web know 'they're still alive, duh!'

The admin of MilitarySingles.com denied the breach and called the hack 'bogus, never happen...'

Our group isn't ordinary script kiddies, but we were reluctant and had to jump on the same Lulzboat as those kids to prove the point that the MilitarySingles admin is a jerk.

Phase 1: Scan for footprints (1 hr)

NorskeDrittsekk, f0ny and I carried out the attacks.

We scan for the target's server, database type, security measures, administration's information...

f0ny masters this phase. He wrote a custom search engine just for finding footprints. With f0ny's tools, combined with his cleverly placed dorks, we were able to find out MilitarySingles.com data info such as MySQL version, SSL, Apache version, administration login site, open/closed ports, leaked sensitive info.

Phase 2: Blind Strikes (3 hrs)

NorskeDrittsekk carried out this phase. He is an excellent hacker in web-app security. ND and I sat back together and brought out our secret weapons, only used for APT attacks and simulations.

Simple code injections, SQLi, XSS, RFI, LFI up to Man-in-browser, IFi, path traversal attack, session hijack, XPath, CSRF.

After 3 hours we got over 10 results of possible vulnerabilities. One is a 0-day in MySQL. But we focused on basic SQL injection this time. We found a bug. Big one.

Phase 3: The Heist (30 min)

I planned this phase. ND provided massive proxies and bots harvested by ZionJD. This phase is quick, dirty and deadly. We were able to extract over 170,000 users' data out of MilitarySingles.com and send it to a semi-isolated server located somewhere in Eastern Europe.

Cleaned our path, all done.


Comments

First thing I saw when clicking on the post was "purposes for our existence" and I thought you'd written a deep-ass philosophical treatise on reality and existence

I wanted to, but I was just being a lazy ass and still being it.

That's some elucidation... and thanks for the previous one as well. I wasn't sure how you guys handled yourselves, but I know now you're just concerned (professional) citizens, working for free. I hope Black Tiger Security gets some nice, reputable work soon!
The movie "Sneakers" I recommended, fits your group well. So how's the new day job with IBM?

Seriously, this is supposed to be concealed. You actually dare to use our latest attack for your demonstrative post? Good god!