The Complete Privacy & Security Podcast – Episode 090
Posted on September 14th, 2018
EPISODE 090: Privacy vs. Online Dating
This week we talk with a group of singles about being private while dating online.
Listen to all episodes at https://inteltechniques.com/podcast.html
or Subscribe at:
RSS / iTunes / Google / Stitcher
INTRO:
Credit Freeze Updates:
https://inteltechniques.com/blog/2018/09/11/free-credit-freezes-for-adults-minors/
Telecom attempts to takeover online identity:
https://krebsonsecurity.com/2018/09/u-s-mobile-giants-want-to-be-your-online-identity/
SHOW NOTES:
Online Dating Discussion
OFFENSE & DEFENSE:
Skipped this week
LISTENER QUESTIONS:
When I make an online reservation for a car rental, they request what airline and flight number I’ll be arriving on. The government knows what airline I’m on and I haven’t figured out a way to rent a car in an alias name, yet. So, both the airline reservation and the automobile rental reservation are in my real name. However, is there any reason for Hertz (or Avis or whomever) to know my airline and flight number?
How did you start, in terms of it being your line of work? Would you have any advice for me, in terms of spreading privacy to the public? I hope to make a living related to Privacy Education/Promotion.
Please submit your listener questions at https://inteltechniques.com/podcast.html
Filed under Podcast, Privacy, Security | Comments Off on The Complete Privacy & Security Podcast – Episode 090
Another Breach Data Search Engine
Posted on September 11th, 2018
Websites that allow you to search your email address to discover any presence within public data breaches are nothing new. Have I Been Pwned (haveibeenpwned.com) has been a staple in this community for several years. However, there are many limitations. First, you can only search an entire email address in Have I Been Pwned. It will disclose any known breaches that contain the address, informing you to change your passwords immediately. That is the limit of the possibilities. With a newer option, Dehashed (dehashed.com), you can perform practically any wild card search. Here are some examples.
Domain: Search your domain, such as inteltechniques.com, and discover that at least one email from my domain is present within three data breaches.
Username: Maybe you only know the user name of your target, such as mbazzell. This identifies several breaches that possess that exact string.
Password: Search your own password to see if it is present within a breach. If you have a very unique password, this can identify vulnerabilities before there is an actual compromise. Below we see that 203 people that use thisisnotmypassword have been compromised in public breaches.
Name: If you have a very unique name, you may identify breaches that include this detail. These could be voter database leaks, marketing data, or other general breaches. I highly recommend using quotation marks. Searching Michael Bazzell identified 42,000 results, searching “Michael Bazzell” identified 8. In the example below, I now know that my exact name appears in the ModBSolutions breach.
Address: Insert any physical address to identify breaches that could compromise your home location. This can identify potential addresses of a target that are not present within people search engines. Note that the wording must be exactly the same as present in the breach, so you may need to play with this option a bit. As an example, the following yielded no results.
“101 e. 3rd st, Alton”
“101 e. 3rd st., Alton”
“101 e. 3rd street,Alton”
“101 east 3rd street, Alton”
However, “101 e. 3rd street, Alton” identified one breach containing this address.
How does this help investigations? For me, it is a great indicator of a valid email address. If I receive any hit, I know the address is likely good. I also know at least one service where the address was used to create an account. This can lead to more discovery.
How does this help my privacy? This can identify weak areas where you have a public presence. Change any passwords associated with an exposed account. It also reminds us to never use valuable personal or business email addresses for online accounts.
You may have noticed the pricing feature. For a few bucks, you can see ALL of the data associated with a target, often including passwords. I don’t encourage this behavior, and I feel it exceeds the scope of Open Source Intelligence (OSINT).
Filed under OSINT, Privacy, Security | Comments Off on Another Breach Data Search Engine
Free Credit Freezes for Adults & Minors
Posted on September 11th, 2018
I have always encouraged readers and attendees of my live events to obtain a credit freeze. It is one of the most vital steps you can take toward protecting yourself from identity theft. Previously, the cost was $10 per credit bureau for every freeze/unfreeze, but there were ways around that. I am thrilled to report that beginning September 21, Equifax, Experian and TransUnion must each set up a webpage for requesting fraud alerts and credit freezes at no cost. Further, the law also provides additional ID theft protections to minors. Currently, some state laws allow you to freeze a child’s credit file, while others do not. Starting September 21, no matter where you live you’ll be able to get a free credit freeze for kids under 16 years old.
Although it is not yet time for the law to enforce these free credit freezes, it appears that all five credit bureaus are now offering free online credit freezes. Here are the links to get you started.
Equifax: https://www.freeze.equifax.com
Experian: https://www.experian.com/freeze/center.html
TransUnion: https://service.transunion.com/dss/orderStep1_form.page
Innovis: https://www.innovis.com/personal/securityFreeze
NCTUE: https://www.nctue.com/Consumers
I firmly believe that every citizen with a Social Security Number should have a credit freeze in place.
Filed under ID Theft, Privacy, Security | Comments Off on Free Credit Freezes for Adults & Minors
The Complete Privacy & Security Podcast – Episode 089
Posted on September 7th, 2018
EPISODE 089: More Privacy Problems
This week I discuss more privacy problems and solutions from my clients, a new OSINT Offense/Defense, and your listener questions.
Listen to all episodes at https://inteltechniques.com/podcast.html
or Subscribe at:
RSS / iTunes / Google / Stitcher
SHOW NOTES:
VPN Review Site Request
Contested Will vs. Privacy
Vehicle Registration
OFFENSE & DEFENSE:
Offense: carsowners.net
Defense: Discussion
LISTENER QUESTIONS:
Can you explain the latest T-Mobile breach and what it means for us on prepaid?
I have saved my cash for the past 20 years. I have enough to buy a small home anonymously. The title company wont take it and wants a wire! the bank wont take that amount of cash!
Please submit your listener questions at https://inteltechniques.com/podcast.html
Filed under Podcast, Privacy, Security | Comments Off on The Complete Privacy & Security Podcast – Episode 089
OSINT Search Resource: Cars Owners
Posted on September 3rd, 2018
Only a few years ago, paid access to a premium database was required in order to search vehicle information such as a VIN or owner details. We are slowly starting to see this type of data leak into free public resources. One such tool is Cars Owners (carsowners.net). This site does not have much search functionality. Instead, you must navigate through make, model, year, state, and finally personal details. Instead, consider a custom Google search. If I were looking for any vehicles owned by John Smith, I would type the following into Google.
site:carsowners.net “john smith”
This produces numerous results. I may want to filter by state and make, such as the following search on Google:
site:carsowners.net “john smith” “mazda” “tx”
This leads us to a direct URL of https://carsowners.net/mazda/mazda3/2007/tx/page8. On this page, the following is an example of the type of details one should expect:
We can also search personal details such as a telephone number, address, or VIN. The following search examples have been productive.
site:carsowners.net “(618) 463-4164”
site:carsowners.net “4900 Ridgewood Ln”
site:carsowners.net “1G4GE5GD0BF256768”
Filed under OSINT, Search | Comments Off on OSINT Search Resource: Cars Owners
The Complete Privacy & Security Podcast – Episode 088
Posted on August 31st, 2018
EPISODE 088: No, We did not quit the podcast…
This week Michael is driving solo and tackles the latest threats toward your privacy and security.
Listen to all episodes at https://inteltechniques.com/podcast.html
or Subscribe at:
RSS / iTunes / Google / Stitcher
SHOW NOTES:
Defcon hotel issues:
https://www.the-parallax.com/2018/08/12/vegas-hotel-room-security-privacy-defcon/
Latest successes and fails for invisible home purchase:
Discussion
New Wired disinformation link:
https://subscribe.wired.com/subscribe/wired/116304
More DNA issues:
https://www.nextgov.com/emerging-tech/2018/07/drug-company-gains-access-23andmes-massive-dna-library/150072/
OFFENSE & DEFENSE:
Offense: Peoplemaven.com
Defense: https://goo.gl/forms/d2gQFkNqXBoblYKP2
LISTENER QUESTIONS:
Does it make sense to create SN accounts in order to “reserve” them?
I want to move into a more directly OSINT-related field. I was hoping you could share some insight as to what kind of work is out there for someone like me and how I can find it?
The Complete Privacy and Security Desk Reference Volume I
https://inteltechniques.com/book4.html
The Complete Privacy and Security Desk Reference Volume II
https://inteltechniques.com/book7.html
Michael’s Website
https://inteltechniques.com/
Justin’s Website
https://operational-security.com/
Please submit your listener questions to us at https://inteltechniques.com/podcast.html
Filed under Podcast, Privacy, Security | Comments Off on The Complete Privacy & Security Podcast – Episode 088
Make Your Amazon Account More Secure & Private
Posted on July 29th, 2018
I am not sure how I would get by without Amazon today. I generally make a purchase at least once a week, and all of my shipments go to a secure Amazon Locker in whatever town I happen to be in. This convenience can quickly turn into a privacy nightmare if you allow specific information to remain public. I encourage all Amazon customers to make the following three changes to their account(s).
1) Remove your Amazon public profile
Your Amazon profile is created automatically, whether you want it or not, and it contains comments, ratings, public Wish Lists, biographical information, and other site interaction. This profile doesn’t include your purchases or your browsing history, but it’s very informative. If you want to control what activity is visible on your public profile, do the following:
Put your cursor on the “Account & Lists,” button and then click on “Your Account”
Scroll down to the “Ordering and shopping preferences” section. Click the “Profile” link above the social media preferences link
Click on the link in the orange box to the right that says, “Edit your profile”
Click the “Edit privacy settings” tab
Select “Hide all activity on your profile”
If your profile is showing your real name, or other biographical information you don’t want, go back to the profile settings page and click the Edit profile tab. You can edit or delete any information like your Bio, Occupation, Location, and more. You can even change the “public name” on your profile and post reviews anonymously.
2) Make your lists private
There are two main “lists” on Amazon; the Shopping List, and the Wish List. Many people use their Wish Lists for gift ideas, but we often use Wish Lists as a log of items we don’t want to forget. The trouble is, anyone in the world can find your Wish List by searching your name. To check the privacy settings of your Amazon Lists, do the following:
Click on the “Accounts & Lists” drop-down box then select “Shopping List” or “Wish List”
On this “Your Lists” page, click on three dots (next to “Share List”) then select “Manage List”
Change your list details like your list name, the name of the recipient, email, and birthday
Change the list’s privacy by clicking on it and selecting “Private” on the drop-down box
3) Stop Amazon from tracking your browsing
Amazon tracks all your browsing activity by default. The company saves your searches, including items you recently viewed and product categories you browsed. All of this information helps Amazon create targeted ads. Although your browsing history is hidden from the public, you may find this habit unsettling. To stop Amazon from tracking your browsing activity, do the following:
On the upper menu, click on “Your Browsing History”
On the next page, click on the “Manage history” drop-down arrow
Toggle “Turn Browsing History on/off” to Off
Clear your entire browsing history here by clicking the “Remove all items” button
Return to “Your Account” page
Under “Email alerts, messages, and ads,” click “Advertising preferences”
On this page, select “Do Not Personalize Ads from Amazon for this Internet Browser”
Hit “Submit”
Amazon is an amazingly convenient purchasing option. Like most merchants, they want your private data in order to sell you more product. These simple steps give you a bit more control of how they use your details. This list does not cover privacy considerations when using an Amazon Alexa, but my gut says that anyone concerned with privacy from Amazon would not possess a listening device such as the Alexa inside their home.
Filed under Privacy, Security | Comments Off on Make Your Amazon Account More Secure & Private
Enable Universal 2nd Factor (U2F) in Firefox
Posted on July 29th, 2018
During my Cyber Keynotes, I heavily preach the need for two-factor authentication (2FA), preferably with a Yubikey device. I have even been known to carry a few sealed units as giveaways when someone shows interest. This small USB device is required in order to access any of my accounts that support it. A username and password is not enough. This technology is the primary reason that Google has not had any of their employee’s accounts phished since 2017 (LINK). Until recently, the Chrome browser was required in order to use Yubikeys with some services, especially Google, Facebook, and Dropbox. While Firefox cannot log into a Yubikey protected Google account by default, we can make a small modification in order to allow it to function. The following steps will activate Universal 2nd Factor (U2F) within Firefox.
In the address bar, enter about:config
Agree to any warnings
In the search field, type security.webauth.u2f
Double click the entry to change to “True”
You can now navigate to GMail and other U2F optional services and use your Yubikey as you would in Chrome.
Filed under Security | Comments Off on Enable Universal 2nd Factor (U2F) in Firefox
Firefox Tool: Download Star
Posted on July 29th, 2018
Prior to Firefox version 57, I relied heavily on the DownThemAll extension for bulk downloads of files, images, or embedded data. This extension is no longer supported, and will not work within fully updated versions of Firefox. While I could switch to Firefox ESR (Extended Support Release), that is only a temporary bandage to the problem. Instead, I now use Download Star for bulk downloads, which is available here:
https://addons.mozilla.org/en-US/firefox/addon/download-star/
This extension adds a small white icon in the upper right of Firefox. Clicking it executes a new window with numerous options. I will begin with a quick demo of my own home page. The following image displays my selection of “Images” and the default download folder on my Mac of ~/user/Downloads/images. This can be modified to any folder you desire. The “12” indicates that all twelve images on this page will be downloaded, and you can toggle off any images you want to skip. Once you see the desired files for download, click the small down arrow next to the “12” in the upper right. This will download all of these images.
In another scenario, I conducted a search of “OSINT” intitle:index.of in order to find an open directory containing files titled OSINT. This led me to https://cyberwar.nl/d/ which contains hundreds of PDF, PNG, and other file types. In the image below, you can see that I deselected the embedded images button (lower left), selected the links option (lower left), and selected the Document filter (upper middle). This immediately notified me that 559 documents are ready for download. In the image, you can see a “greyed” jpg that will not be downloaded, but green pdf files which will be retrieved. I could have selected all filters in order to download everything from this page.
You can also filter by terms. In my investigations, this tools allows immediate download of hundreds of files at once. I have used it for open directories of videos, documents, and audio files. It could also be used to download images from large social media profiles. Overall, this tool is a vital companion to the embedded Firefox Screen Capture Tool.
Filed under OSINT | Comments Off on Firefox Tool: Download Star
Firefox Tool: Screen Capture
Posted on July 29th, 2018
During my Live and Online OSINT Training Courses, I stress the importance of documentation during an online investigation. Over the years, I have demonstrated free screen capture tools such as Fireshot and Nimbus, and premium (much better) options such as Hunchly. While Hunchly is my preferred overall evidence capture tool, it currently only works in Chrome, which I try to avoid for privacy reasons. I prefer Firefox for all investigations and personal use due to the better privacy control and availability of their Containers Extension. Recent updates to Firefox introduced a native screen capture tool, which has been flawless for my investigations.
Directly to the right of the address bar in Firefox is three horizontal dots. Clicking this reveals a menu with an option to “Take a Screenshot”. Selecting this option activates the screen capture utility allowing you to select a single portion of the page, the entire page, or the visible portion of the page. In the image below, I have hovered over the title portion of this blog post with the full options visible to the right.
In almost every investigation, I simply choose the “Save Full Page” option and archive the result. The quality is good, but not superb. The result is a png graphic file, and I would prefer a pdf. However, the free tool gets the job done without installing additional extensions. Since I try to keep my Firefox add-ons to a minimum, I am using the feature much more heavily than Fireshot. However, I do not receive some of the Fireshot benefits such as custom file naming and archive type (pdf). Fireshot has had its own limitations, especially when capturing large Facebook and Twitter pages. The built-in Firefox screen capture has handled large social media pages with ease. I have yet to find a dynamic page that it could not capture.
The Firefox screen caprture tool is embedded into every updated Firefox install. I encourage readers to test and be antiquated with the options. My rule for online investigations is “If you do not document your findings, they never existed”.
Filed under OSINT | Comments Off on Firefox Tool: Screen Capture