
The Privacy, Security, & OSINT Show – Episode 241

EPISODE 241-Listener Questions

This week Jason and I tackle your listener questions.

Direct support for this podcast comes from sales of my books, services, and online training. More details can be found at IntelTechniques.com. Your support eliminates any ads, sponsors, endorsements, Patreon, donations, or commercial influence on this show.


SHOW NOTES:

INTRO:

Mythic Quest

UPDATES:

OSINT 9

LISTENER QUESTIONS:

More and more places are requiring proof of vaccination to dine in, work out, etc. Assuming the person is already fully vaccinated, what do you recommend showing to the establishment without revealing true name, DOB, and other sensitive info?

How do I set a series of "traps" online so I can tell if anyone is trying to research me?

When using a normal (non-VPN) connection, and querying DuckDuckGo.com, my ISP obviously logs that I visited DuckDuckGo.com -- but do they have a log of what my query was?

Going through my online presence and trying to remove my stuff from Google. How can you get rid of a Facebook page from Google? I’ve delisted the page and can verify the link is no longer available. However, Google after months still has not delisted it. Tried Google's removal tool but it says the site page still exists which is true, and then rejects my request. What can I do?

For removing content from the list you provide should I ever create an account?

How can I remove myself from this site? www.selfie.systems (many questions like this with other services)

Is it possible to remove your information from FCC websites? I deal with radio. I have tried in the past and always get told that it is public data and that they will not remove the information.

Should I ever use the names of previous tenants of my home for package deliveries? It seems like that would work since the post office has a history of them there.

Are there any privacy concerns using my previous residential address that I no longer live at as the home address on file with a bank while using a PMB as the mailing address in order to comply with the bank's KYC restrictions on PMBs?

Do you know how people that have their PMB address on their driver's license handle the situation when inquired by the police where they live when they get pulled over for a traffic violation? Have you heard of situations when having a PMB address became complicated concerning law enforcement?

In an earlier episode, he stated that nomad residency (for example, obtaining residency in South Dakota using a PMB from America’s Mailbox) as a government employee won’t work. Can he clarify and explain some of the reasons why not?

You advise against buying second hand devices. What’s your advice on selling devices?

I have always had mixed results when trying to activate Mint Mobile 3-month pre-paid sim cards & successfully obtain a working number. Hours of attempts later, what worked several months ago doesn't work the next time. Can you please share specific steps that have proven to work reliably for you?

Is the Librem 5 telephone by Purism worth it? I have a choice of declining the telephone and receiving a refund, or getting the telephone.

I’m having issues getting the camera to trigger on Haven – what sensitivity setting do you use?

Is there a work around to getting privacy cards on graphene if the web link keeps taking you to the google play store?

You mentioned on the show that you see battery drain on the latest GrapheneOS. Mine is terrible. Did you figure anything out?

Recently I upgraded to Graphene OS 12 on a Pixel 4a, and in the app permission controls a new item appeared: Nearby devices. I can’t disable this for all of the apps. Is there any way to disable this feature? Is there a chance that the device is scanning for other devices beyond the user’s control?

If you don't use iOS any more, what device do you use in your home? -AND- To what extent would a GrapheneOS phone with anonymous service be compromised by connecting to home wifi (with pfsense firewall and VPN) AND using it outside the home? Also what is your opinion on preloaded GrapheneOS phones that try to appeal to privacy customers?

Google Voice is not available for me in the UK, could you suggest any alternatives?

I am using the VOIP Suite application which works fine. For some reason I cannot receive calls on my other VOIP apps any more. What can I do?

VoIP service JMP.chat looks pretty promising, but how does this service compare to the Twilio and Telnyx in terms of user privacy? -AND- Why did you decide to create your own open source SMS/calling solution instead of using the open source SMS/calling jmp.chat which has been under active development for 4 years?

You promote the use of VOIP numbers for privacy, but aren't you now just trusting them instead of your phone provider? I don't get the difference.

How do you talk your friends/family into using secure comms, especially when they are not tech savvy?

How does one safely date in today's world, while being privacy conscious and safe? How do you bring up your personal privacy and security to a potential partner?

When it comes to data surveillance, what are your thoughts on (a neighbors) security camera usage capturing & collecting data from private citizens without their permission? Is there anything that we can do to prevent this from happening on private property?

My underage child is on a soccer team and oftentimes parents film their child playing with their phones. I wasn't really that concerned as I assumed the footage probably didn't leave their phones until I found out one of the parents from our team was filming the entire games and uploading each game publicly on YouTube without speaking to the other parents. I'm going to speak to this parent but, before I do, I'm wondering how you would handle that conversation. What's the best way to handle this situation?

I am looking at getting a Protectli Vault and installing PfSense. I use ProtonVPN consistently but notice from time to time certain servers go down for maintenance. If this occurs when using a server that goes down it would seem to be a pain to make changes for the firewall. That said, I have two questions. Is it possible for you to make a change in the settings you've provided to allow for a second or third server option if the primary goes down? -AND- I’m running Pfsense on a Protectli vault with protonVPN and killswitch. How often you see your connection drop?

Should I connect IoT devices to the guest ISP network or guest network behind the firewall?

Whilst you recommend Proton VPN, is it possible to follow your Protectli / PF Sense approach using PIA or Mullvad? Can your scripts be tweaked or are we on our own?

Do manufacturers design backdoors into their products? For instance, should anyone purchasing a phone that is "made in China" be concerned about unknown eavesdropping methods through hardware exploits?

Does using Twilio Authy 2FA for multiple accounts allow Twilio to join up these accounts into one user?

My bank offers the below 2FA methods, and you can only choose one:
Which do you believe is more secure?

I've been using KeepassXC on windows and linux for quite a while now based on your recommendations. I've noticed that the update frequency has slowed quite a bit. The last version (2.6.6) was released Jun 12th, 2021. Should we be concerned? -AND- Is it safe enough to use KeePassXC to store 2FA backup codes? If so, why not use it for 2FA TOTP instead of Authy?

I use 100+ character passwords where I can. Will this future proof likely technology advances including quantum computing?

I have been trying to regain access to my Facebook and Twitter account which are linked to a Gmail account which I can no longer access. If I could regain access to the gmail account then I will be able to regain access to my Facebook and Twitter account. Any thoughts and or ideas on the steps I can take to regain access to these accounts?

I have multiple free protonmail email accounts. How could they detect this and are they likely to care?

If I use an email forwarding service, like Blur or SimpleLogin, can my true email address get exposed by clicking on "click tracking" links in these forwarded messages?

Is Fastmail masked email a good alternative for Simplelogin?

What's your finance/banking privacy strategy?

Do you still use a Chase credit card in an alias name for in-person purchases, or should I just withdraw majority of my money from the bank and only use cash? - AND - Hi, What personal details do retailers see at the back end when we buy something online or in a store with a standard credit card?

Any steps one should take with the new robinhood breach potentially exposing bank account information?

What are some dangers in using someone else as trustee for an interest generating savings account? Additionally, what happens to the savings account when the trustee dies?

Do iOS or Linux devices send home information about neighboring apartment wifi points that they can ‘see’ (even if they don’t connect) and therefore compromise the location?
-bigger concern is collecting data locally from beacons

What kind of information can iOS apps collect about you and your device even after you deny app permissions such as location access, contacts, microphone, camera, etc.?

I'm considering buying a new iPhone sometime in the future. It's not ideal and since Apple will eventually drop the TouchID button altogether, the only secure method to unlock my phone in public areas (ex. airport) is with FaceID. Do you trust that Apple is storing biometric faces locally on the iPhone and NOT uploading them to their database? Or should I avoid FaceID altogether?

How risky is running an older version of the mac operating system when checking email and doing online banking? I have an older Apple computer that I have not upgraded because I have legacy software.

Does synchronising a Signal account across my iphone and ipod allow Apple to join up the two Apple accounts?

What's your opinion about Signal not being 100% open source anymore?

Do you think TAILS is secure and anonymous?

How do you both feel about the EFF’s decision to deprecate HTTPS Everywhere? -AND-
Is there a reason you no longer mention/recommend the Firefox browser extension HTTPS everywhere in your latest book?

Earlier this year you said you wanted to push out Extreme Privacy V3 early because it was mostly ready and that you had a big project planned for this fall? Did that fall through or is that still in the works?

Do you think privacy for the individual will be better or worse in 10 years time? - AND - What are the emerging technological and social changes that you think will affect your privacy threat model (or that of your clients) over the next couple of years?

How do you personally store your personal pictures, music, movies, home videos and such?

What is your favorite podcast?

You follow only one account on Twitter. Anonymous Content. What is your relationship to them?

Is the 4TB stealer logs still online? AND What specific search terms and/or search locations would yield the best results for locating Stealer Logs to enrich our breach collections?

Would you share some best practices regarding the storage and access to post-filtered breach data? Do you export and convert the output to a different format for use with a database like MariaDB or MySQL? To keep from getting any viruses that may have been in the downloaded files, do you only access the post-filtered data via computers running virtual machines?

I have two questions for you, would you ever create a data breach search engine project, and would you ever show us your methodology for finding breached data, and open databases?

How many terabytes is your server in your office with all of these breach databases and your work files?

What does your 5-min OSINT workflow look like for quickly looking up someone you're about to meet or talking to? (Specific resources, etc.)

How should an OSINT researcher prepare to testify about their findings at trial?

Do you ever find osint tricks that you keep in house? Do you really show all your cards? Can you share one?

Be honest. Do you use your OSINT skills on people in your personal life?


Free Workbooks: https://inteltechniques.com/links.html

Affiliate Links:
ProtonVPN: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=282
ProtonMail: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=267
SimpleLogin Masked Email: https://simplelogin.io?slref=osint
Silent Pocket Bags & Wallets: https://slnt.com/discount/IntelTechniques


Privacy and OSINT lessons from the IronMarch Leak

Last week, an unknown "hacker" released a copy of a user database from the IronMarch forum, which was an online neo-nazi meeting place until it was shut down. An archive of the public site can be found at https://web.archive.org/web/20170509142136/http://ironmarch.org/. The dumped data includes a full copy of all content, including details such as emails, IP addresses, usernames, and private messages. I decided to dig into it a bit and see what could be gleaned. The original leak has been removed from Pastebin, but several clones appear daily. The following is a redacted version of a few entries.

Four Suited Jack:[email protected]:e0e501f3e4e49d6c67378d9d06763298:?ET\"e
Jamie M:[email protected]:8ecdc4d6401055df380ab007c0c31b5b:t32hj
Ritz:[email protected]:159e7b09066e91fcb15008943d114b6e:vy:I0

This represents the username:email:hashed password of each user on the forum; the trailing field appears to be the salt. My first task was to parse out all of the email addresses. I saved the original leak file as Ironmarch.full.txt and executed the following command in Linux.

grep -E -o "\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" < Ironmarch.full.txt > Ironmarch.emails.txt

This presented a clean file containing only the email addresses of every user. I then connected to a covert Gmail account, accessed the Contacts, and exported the only contact in this account to a CSV file. This provided the template desired by Google for import. I copied and pasted the entire list of email addresses within this template and gave each of them a unique last name of 1,2,3,etc. This presented a CSV file ready for import. The following is a partial view.

I imported this CSV into my Google Contacts, which now tells Google these are my "Friends". I then launched a new Android virtual machine through Genymotion and connected to the covert Google account. This virtual mobile device now associates all of these email addresses with my own address book. I connected to the Facebook app, asked it to "Find Friends", and was immediately presented with numerous Facebook accounts which were associated with the email addresses of the Ironmarch members. Below is an example.

I then repeated this process with Twitter:

and Instagram:

OSINT Lessons Learned:

Breaches and leaks of online forums are very common. Lists of email addresses may identify interesting information about the types of members. However, identifying social network accounts of members of hate groups can be much more revealing. I quickly located numerous personal accounts registered in real names, all from the connection to an email address.

PRIVACY Lessons Learned:

I also identified many accounts which were likely used during covert investigations. When I submitted the email addresses as contacts through a foreign dating network, I observed an account connected to a police cyber-crimes investigator. This is probably due to him using a real address when registering for an account on the forum. This is sloppy, but I have been guilty of this myself many years ago. If you are tasked with investigating online hate groups, or anything else really, be sure to always use a unique email address and password, which will never be used anywhere else. Social networks and other online communities make it very easy to connect accounts with real people.
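
The privacy lesson above can be turned into a routine self-check. The following is an added example, not the author's code: it extracts addresses from a dump in the layout shown earlier and flags any that appear on your own watchlist of agency domains or covert addresses. The function names, the watchlist format, and all sample data are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a leaked user list for addresses you control.
# All sample data is constructed; the example.* names are placeholders.

# Pull every email address out of a dump, lower-case it, and de-duplicate.
# A regex is used instead of splitting on ":" because usernames and salts
# in this layout can themselves contain ":".
extract_emails() {
    grep -E -o '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' "$1" \
        | tr '[:upper:]' '[:lower:]' | sort -u
}

# Print dump addresses that match a watchlist. Each watchlist line is either
# a full address (exact match) or "@domain" (any address at that domain).
find_exposed() {
    dump=$1; watch=$2
    extract_emails "$dump" | awk -v wl="$watch" '
        BEGIN {
            while ((getline line < wl) > 0) {
                line = tolower(line)
                if (line ~ /^@/) domains[substr(line, 2)] = 1
                else if (line != "") exact[line] = 1
            }
        }
        {
            at = index($0, "@")
            if (($0 in exact) || (substr($0, at + 1) in domains)) print
        }'
}

demo() {
    tmp=$(mktemp -d)
    # Constructed dump in the username:email:hash:salt layout shown above.
    cat > "$tmp/dump.txt" <<'EOF'
User One:Det.Smith@police.example.org:0123456789abcdef0123456789abcdef:a:b!c
user:two:covert_acct+im@mail.example.net:fedcba9876543210fedcba9876543210:xy:I0
Third:someone@unrelated.example.com:00112233445566778899aabbccddeeff:q1w2e
EOF
    # Constructed watchlist: one agency domain and one covert address.
    printf '%s\n' '@police.example.org' 'covert_acct+im@mail.example.net' \
        > "$tmp/watch.txt"
    find_exposed "$tmp/dump.txt" "$tmp/watch.txt"
    rm -rf "$tmp"
}

demo
```

Any address printed is one that was registered on the breached forum and should be treated as burned, along with any password it shared with other accounts.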


The Privacy, Security, & OSINT Show – Episode 109

EPISODE 109: Privacy News & Buscador 2.0 Release

This week I talk about the latest privacy news and David Westcott joins me to announce the official release of the free Buscador OSINT Virtual Machine.


SHOW NOTES:

SPONSORS:

Silent Pocket: https://silent-pocket.com/discount/totalprivacy
Authentic8: https://info.authentic8.com/

PRIVACY/SECURITY:

Latest Breach Discussion:
https://krebsonsecurity.com/2019/01/773m-password-megabreach-is-years-old/

Chrome Proposes to Eliminate Script Blockers:
https://www.theregister.co.uk/2019/01/22/google_chrome_browser_ad_content_block_change/

Archive.org Ignoring Robots.txt:

User-agent: ia_archiver
Disallow: /

User-agent: archive.org_bot
Disallow: /

MyLife Removal Update:
https://www.bbb.org/consumer-complaints/file-a-complaint/get-started

"Dumb" Blu Ray Players:
Magnavox 4K Blu-ray player

A.I. is Now Watching Us:
https://www.cbsnews.com/news/60-minutes-ai-facial-and-emotional-recognition-how-one-man-is-advancing-artificial-intelligence/

China Crowdsourcing Debt Shaming:
https://www.dailymail.co.uk/news/article-6620879/China-launches-app-tells-500-yards-debt.html?ito=social-facebook

OSINT:  Buscador 2.0 Release:

David Westcott:
https://twitter.com/ninjininji

Buscador 2.0:
https://inteltechniques.com/buscador/index.html

LISTENER QUESTIONS:

Q: When I was in grade school, my parents signed a release allowing the school to publish my full name, school assignments/awards, and picture on their website. Since then, the website's been archived and cannot be removed. Besides that, the school says they wouldn’t remove it anyway since they have a valid release signed. Now, when I search my true name, pictures of me and the school I went to and my hometown and old friends and such are all readily available. Is this something I should be concerned about? Is there anything that can be done to remove it or bury it under disinformation or something?

Q: I've been using LastPass for a few years and have recently started looking into non-cloud options like KeePassXC. I just came across a few services, like LessPass, MasterPassword, and getVau.lt, which take contextual data like the site and your login ID along with a master password to calculate passwords for services. Because of this there is no need to store passwords and you can even generate a password directly from the websites by entering the site, login, and your master password. What are your thoughts on something like this?


Data Removal Workbook:
https://inteltechniques.com/data/workbook.pdf

Please submit your listener questions at https://inteltechniques.com/podcast.html