Posted on December 31st, 2018
Two weeks ago, I was made aware of a data breach that hit close to home for me. Abine, the company that makes the email/cell/credit card masking product Blur, is the latest organization to announce that it has been breached. I have recommended Blur on my show and in my books, and I use it every day myself. I have been in communication with Abine since December 17th, 2018, and agreed to delay any reporting until they knew their systems were patched and had a chance to publicly announce the issue, which they did today in a blog post at https://www.abine.com/blog/2018/blur-security-update/.
Before we all panic, let’s take a look at the exposure.
Access was gained to their systems around January 2018.
Data was stolen in reference to members registered prior to January 2018.
This data included the user’s:
First and last names
Password hints from the MaskMe product
IP addresses used to login to Blur
Encrypted Blur password (encrypted using bcrypt with a unique salt for every user)
There is currently no evidence that external usernames and passwords stored by the password manager feature, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed in this breach. There is also currently no evidence that user payment information was exposed in this breach.
I have accessed my personal details released in the breach. In it, I could see the email address I used during signup (unique junk account), my IP address used during signup (VPN), my name used (alias), and my password (encrypted and unique). I plan to release a special episode of my podcast today in order to tackle some of the issues learned during this breach.
If you used a strong and unique password for Blur, you have little to worry about.
If you used an alias and a VPN, no big concern there.
If you used your real information, you can be searched by those that have access to the data.
Everyone with a Blur account should change their password immediately.
I did not use their password manager, but if I did, I would change every password stored in it out of precaution. We never truly know the extent of the data accessed.
Posted on July 12th, 2018
I woke up today to find five emails from concerned clients. They all referenced the exact same phishing email that is making the rounds heavily today. First, here is the verbatim message to all five recipients that contacted me:
I do know, REDACTED (a real, accurate password), is your pass word. You do not know me and you’re most likely thinking why you are getting this e-mail, correct?
In fact, I actually setup a malware on the adult vids (porno) web site and you know what, you visited this site to experience fun (you know what I mean). While you were watching video clips, your web browser initiated functioning as a RDP (Remote Desktop) with a keylogger which gave me access to your display screen and cam. Just after that, my software gathered all of your contacts from your Messenger, FB, as well as email.
What did I do?
I made a double-screen video. 1st part shows the video you were watching (you have a nice taste rofl), and 2nd part shows the recording of your web cam.
exactly what should you do?
Well, in my opinion, $2900 is a reasonable price for our little secret. You will make the payment through Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).
BTC Address: 1PLrSKJmzww51A178UgGukF8bXood9ivaQ
(It is cAsE sensitive, so copy and paste it)
You now have one day to make the payment. (I’ve a special pixel in this message, and right now I know that you have read this message). If I do not get the BitCoins, I will definately send out your video recording to all of your contacts including relatives, colleagues, and many others. However, if I do get paid, I’ll destroy the video immidiately. If you really want proof, reply with “Yes!” and I will send out your video to your 8 friends. It’s a non-negotiable offer, therefore please do not waste my personal time and yours by responding to this email.
First, the emails did include accurate passwords for the recipients, but the passwords were old and no longer used by the majority. I assume that a leaked combo list was used to generate these messages. That is the last accurate piece of information in this entire message. The rest is a scare tactic; none of it happened. The sender(s) likely hope for 1% of the recipients to pay the ransom, worried that their porn habits could be shared with their contact list.
A search of that Bitcoin address revealed no transactions and no history. A second address of 1BKo4NWp2a96QLZ7wCzdwbTaoofi2e4a94 also revealed nothing. Numerous addresses will likely be used, and I will keep watching for any payments.
Searching the wording within this message also revealed no results. This is a new variant of a worn-out phishing email. If you receive one of these, the only move is to delete it, and change any passwords similar to the cited example.
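Added example (not from the original post): a small triage script for messages of this kind. It scores the claims the quoted email makes, pulls out any legacy Bitcoin address so it can be looked up on a block explorer, and verifies the address's Base58Check checksum (a mistyped address cannot receive funds). The sample body is constructed here from the message quoted above; the indicator patterns and the threshold of four are my own choices.

```python
import hashlib
import re

# Constructed sample body, abridged from the message quoted above (the address is
# the one shown in the post; nothing here is pulled from a live feed).
SAMPLE_EMAIL = """I do know, REDACTED, is your pass word. You do not know me ...
While you were watching video clips, your web browser initiated functioning as a RDP
(Remote Desktop) with a keylogger which gave me access to your display screen and cam.
Just after that, my software gathered all of your contacts from your Messenger, FB, as well as email.
Well, in my opinion, $2900 is a reasonable price for our little secret. You will make the
payment through Bitcoin.
BTC Address: 1PLrSKJmzww51A178UgGukF8bXood9ivaQ
You now have one day to make the payment. (I've a special pixel in this message ...)
"""

# Each indicator is one claim the quoted message makes; scoring counts how many appear.
INDICATORS = {
    "claims_to_know_password": r"\bis your pass\s?word\b",
    "webcam_recording": r"\b(web\s?cam|cam)\b",
    "contact_list_threat": r"\bcontacts\b",
    "bitcoin_demand": r"\b(bitcoin|btc)\b",
    "short_deadline": r"\b(one|two|\d+)\s+(day|days|hours?)\b",
    "tracking_pixel_claim": r"\bpixel\b",
}
# Legacy P2PKH/P2SH addresses start with 1 or 3 and use the Base58 alphabet (no 0, O, I, l).
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def matched_indicators(text):
    """Names of the sextortion indicators present in the message body."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, text, re.IGNORECASE)]


def extract_btc_addresses(text):
    """Address candidates in order of appearance, without duplicates."""
    seen, out = set(), []
    for m in BTC_ADDRESS_RE.finditer(text):
        if m.group(0) not in seen:
            seen.add(m.group(0))
            out.append(m.group(0))
    return out


def is_valid_btc_address(addr):
    """Base58Check: last 4 bytes must equal the first 4 bytes of SHA-256(SHA-256(rest))."""
    try:
        n = 0
        for ch in addr:
            n = n * 58 + B58_ALPHABET.index(ch)
    except ValueError:          # character outside the Base58 alphabet
        return False
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Every leading '1' encodes one leading zero byte (the version byte of a '1...' address).
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:          # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return checksum == raw[-4:]


def triage(text, threshold=4):
    """Summarise one message: indicators hit, addresses found, and whether it looks like this scam."""
    hits = matched_indicators(text)
    addrs = extract_btc_addresses(text)
    return {
        "indicators": hits,
        "btc_addresses": addrs,
        "checksum_ok": [a for a in addrs if is_valid_btc_address(a)],
        "likely_sextortion": len(hits) >= threshold and bool(addrs),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Addresses that pass the checksum are the ones worth watching on a block explorer for incoming payments; the score alone is enough to route the message to the delete pile.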
Posted on April 26th, 2018
During my live Cyber Keynotes, I discuss the ways that I would steal your online accounts, identify your recycled passwords, and craft and spoof unique phishing emails to infect your company’s network. Many of my audiences assume that all “hacking” occurs through large servers and hidden firewalls. In reality, I would prefer to attack you the easiest way possible. One abundant option is to use the public information you share on social networks against you. Consider the following selection of “security questions” required in order to create an Apple account.
The idea is that you choose a question, provide the answer to Apple, and then confirm the answer to them if you ever get locked out of your account. The reality is that anyone who can identify these answers online is one step closer to accessing your account. If you chose one of these options and provided a correct answer, and also happen to be one of 4 million people that take online quizzes at the Good Old Days Facebook page, I might be able to identify your answers quickly. Below are a handful of recent quizzes where people can share some fairly personal details.
If those did not help me, I would look on other Facebook pages to find the following posts where people respond with their personal answers.
The lesson here, which will be obvious to many, is to never provide real information within online security question challenges. When a service forces you to provide your first car, give them an answer completely unrelated to vehicles. Be sure to document this within your password manager.
On the OSINT side, we can get a bit creepy with the following searches on Facebook. The first identifies every user that has “liked” the Good Old Days Facebook page:
Next, we can isolate our query to display comments where a person replied “German shepherd” on a post from this same Facebook page:
The results include the following redacted post in response to “What was your first pet’s name?”
On the defense side, please revisit your security questions within your important online accounts. If the answers match the questions, and the details could be found online, change them immediately. On the offense side of the house, these online posts can provide valuable data for your investigations.
Posted on September 18th, 2017
I woke up to an inbox full of email this morning about the computer cleaning application CCleaner. I have used it for many years, and recommend it often. It was announced that they were hacked, and the emails ranged in emotion from “Help!” to “Is this a big deal?” There are numerous online articles discussing the attack, but I found that almost all of them offer nothing of value. They generate panic, sell a few clicks on ads, and we all carry on. I hope for this post to provide some actual details and actions to be taken.
WHAT HAPPENED? Criminal hackers infiltrated CCleaner’s systems to introduce a modified version of the software. This new rogue version contained malware. When a user installed this version, available from August 15, 2017 through September 12, 2017, the user’s system was compromised and infected. The infected systems then continuously sent data to the attackers including the name of the computer, installed software and running processes. It does not appear (at this time) to have sent personal data or files. 2.27 million people were using the compromised software.
WHY? This attack was likely part of a larger potential attack. The type of data stolen indicates that the plan may have been to create a large network of compromised computers (a botnet) which could then conduct DDoS attacks or other large-scale actions.
WAS I INFECTED? This is the part that no one is clearly explaining. You must meet ALL of the following criteria to have been impacted:
Windows Computers Only – The Mac version does not appear to have been compromised.
32-Bit Versions Only – If you have a 64-bit processor and use the default 64-bit version of CCleaner, you were not compromised. You can identify your version of Windows easily with THIS GUIDE.
CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191: You are much more likely to have the standard version, but some users may be using the premium cloud version. Opening CCleaner will identify the version at the top of the application.
WHAT DO I DO NOW? This is the most vital piece that I have found to be missing from every online article. Avast (who owns CCleaner) says no need to worry, as they have disabled the rogue server and removed all of the malware with the latest release. That is fine for them, but does not mean that your computer is clean. I recommend that EVERY CCleaner user, regardless of whether you were actually infected, take the following actions today:
1) Update your version of CCleaner: Open the application and check for updates, installing any updates. This is actually a better action than deleting CCleaner, because their update removes the malware that was installed. Direct Download link: http://download.piriform.com/ccsetup534.exe
2) Install, update, and run Malwarebytes: This will look for any other malware on your system, including any triggered by the CCleaner attack.
3) Run a complete virus scan: For Windows 10 users, I still recommend simply using the default Windows Defender option. Windows 7 users should use Microsoft Security Essentials. No AntiVirus is perfect, and finding any reputable third-party options gets more difficult every day.
This attack could have been much worse. I am very disappointed in Avast and CCleaner for allowing this to happen. Fortunately, the damage appears to be minimal and eliminating the threat trivial.
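Added example (not from the original post): a script that applies the "WAS I INFECTED?" criteria above on a Windows host. It reads CCleaner's uninstall entry from the registry, then checks whether the installed image is a 32-bit build by reading the Machine field of its PE header, since only the 32-bit binary was trojaned. It assumes the uninstall entry's DisplayVersion carries the build number and that the 32-bit and 64-bit images are CCleaner.exe and CCleaner64.exe in the install directory; the registry read only runs on Windows, while the parsing and assessment functions run anywhere.

```python
import re
import struct
from pathlib import Path

# The two compromised builds named in the post: CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191
AFFECTED_BUILDS = {"5.33.6162", "1.07.3191"}
IMAGE_FILE_MACHINE_I386 = 0x014C    # 32-bit x86 image
IMAGE_FILE_MACHINE_AMD64 = 0x8664   # 64-bit x64 image


def pe_machine(data):
    """Machine field of a PE image's COFF header, or None if the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the "PE\0\0" signature
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def normalize_version(raw):
    """Reduce '5.33.0.6162', '5, 33, 0, 6162' or '5.33.6162' to 'major.minor.build'."""
    parts = re.findall(r"\d+", raw)
    if len(parts) < 3:
        return ".".join(parts)          # no build number present; cannot match an affected build
    return f"{int(parts[0])}.{parts[1]}.{int(parts[-1])}"


def assess(version, machine):
    """Apply the post's criteria: an affected build number AND a 32-bit image."""
    build = normalize_version(version)
    is_32bit = machine == IMAGE_FILE_MACHINE_I386
    return {
        "build": build,
        "affected_build": build in AFFECTED_BUILDS,
        "is_32bit": is_32bit,
        "impacted": build in AFFECTED_BUILDS and is_32bit,
    }


def installed_ccleaner():
    """Windows only: (display name, version, install dir) for uninstall entries named CCleaner*."""
    import winreg  # not available off Windows, hence the local import
    roots = [r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
             r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"]
    found = []
    for root in roots:
        try:
            hive = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root)
        except OSError:
            continue
        for i in range(winreg.QueryInfoKey(hive)[0]):
            sub = winreg.OpenKey(hive, winreg.EnumKey(hive, i))
            try:
                name = winreg.QueryValueEx(sub, "DisplayName")[0]
                if not name.startswith("CCleaner"):
                    continue
                ver = winreg.QueryValueEx(sub, "DisplayVersion")[0]
                loc = winreg.QueryValueEx(sub, "InstallLocation")[0]
                found.append((name, ver, loc))
            except OSError:
                continue
    return found


if __name__ == "__main__":
    for name, ver, loc in installed_ccleaner():
        # Assumed file names: CCleaner.exe is the 32-bit image, CCleaner64.exe the 64-bit one.
        for exe in (Path(loc) / "CCleaner.exe", Path(loc) / "CCleaner64.exe"):
            if exe.is_file():
                print(name, exe.name, assess(ver, pe_machine(exe.read_bytes())))
```

A result with "impacted": True means that file is one of the compromised 32-bit builds; it does not tell you whether that file, rather than the 64-bit one, was the copy you launched, so follow the three steps above either way.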
Posted on June 5th, 2017
I have always encouraged people to check their email addresses on sites such as HaveIBeenPwned. If present, your account is included in a known breach, and you should change your passwords immediately. This site has been the standard as far as reported breaches, and the owner stays on top of the latest threats. I recently found Hacked Emails, which offers a very similar service. However, there are two key advantages with this newer service.
First, Hacked Emails constantly scans paste sites and other release resources, and immediately updates its database. This may be redundant information, but the constant update could reveal a compromised account that may not be present on other similar sites. Overall, I now check both of these services monthly for any of my email addresses that may have been compromised.
Second, Hacked Emails offers an API service, with a call from a URL. This means that unlike HaveIBeenPwned, you could submit a search request directly through the address bar of your browser. If your email address is email@example.com, the following address would retrieve your results:
The results may appear like awkward text, but the JSONViewer plugin to your browser would fix that. The main benefit of this type of search versus a standard search through their home page is that you could bookmark this page and always be a click away from the results. I have a handful of these bookmarked, one for each important email account, that I can quickly check for any new compromises. This is great for “Defense” when watching out for your personal accounts, but I also use this as “Offense”.
I often need to verify if an email address is real or fake. The various email verification services no longer work well on most domains, and are extremely unreliable under perfect conditions. Therefore, I use these services to check a target email address. If it appears in a breach, I feel confident it is a real address. If the breach was from 2015 or earlier, I know the account was not a “burner” created last week. Overall, I find these types of checks much more reliable than a traditional email validator. Below is an example of an actual email address search. It identifies the services used, which tells me more about the email address owner. Further, clicking on these links tells me the date of the breach and the types of information stolen and released publicly.
Posted on February 28th, 2017
This week, we discuss how we use YubiKeys as part of our daily digital security routine. We also welcome Yubico as our first sponsor.
Listen now at https://inteltechniques.com/podcast.html
TOPG Email Comparison
YubiKey White Papers:
YubiKey Personalization Tool:
YubiKey Static Password Guide:
The Complete Privacy and Security Desk Reference
Please submit your listener questions to us at https://inteltechniques.com/podcast.html
Posted on November 19th, 2016
In 2011, I first posted about the importance of a credit freeze. I believe that there is an even greater need today to protect your credit report. The following update includes a fourth service that should be contacted as well as mailing and website address updates. This information should replace the details in the books. A complete PDF guide to a credit freeze is absolutely free after signing up for my newsletter HERE.
People often ask me about paid services such as Lifelock and Identity Guard, and how effective they are at protecting your identity. These services can be very effective, but you pay quite a premium for that protection. Personally, I simply freeze my credit. It’s easy, usually free, and reversible. What is all this frozen credit nonsense? Wikipedia says it best:
“A credit freeze, also known as a credit report freeze, a credit report lock down, a credit lock down, a credit lock or a security freeze, allows an individual to control how a U.S. consumer reporting agency (also known as credit bureau: Equifax, Experian, TransUnion) is able to sell his or her data. The credit freeze locks the data at the consumer reporting agency until an individual gives permission for the release of the data.”
Basically, if your information stored by the four credit reporting bureaus is not available, no institution will allow the creation of a new account under your identity. No credit cards, bank accounts, etc. If someone decides to use your identity, but cannot open any new services, they will find someone else to exploit. I can think of no better motivation to freeze your credit than knowing that no one, not even you, can open new lines of credit in your name. This does NOT affect your current accounts or credit score, and the freeze is simple to suspend when needed.
Credit freezes are extremely easy today thanks to State laws that mandate the credit bureaus’ cooperation. I will walk you through the process.
The first step will determine whether your credit freeze will cost you any money. The fee for the freeze is $10 for each of the four bureaus ($40). While this is well worth the protection, most states have a law that entitles identity theft victims to a waiver of this fee. There is a great comparison of state laws on this at THIS LINK, and an interactive tutorial at THIS LINK. Currently, each of the four credit bureaus voluntarily waives this fee for victims of identity theft. A large portion of my readers have had some type of fraudulent financial activity. This may be an unlawful charge to a debit or credit card, or something more serious such as someone opening an account in your name. If you have had any fraudulent charges or activity, contact your local police to obtain a police report. Many departments, such as mine, have a form that the victim completes which becomes the report. Request a copy when complete, including a case number.
Complete four packets that will be mailed certified mail. One will go to each of the four credit bureaus. Each packet will include the following.
A letter requesting the credit freeze. This letter should include the following information.
Social Security Number
Date of Birth
The following is an example:
Fraud Victim Assistance Department
P.O. Box 2000
Chester, PA 19022-2000
January 1, 2016
To whom it may concern,
Please accept this letter as an official request for a Security Freeze on my TransUnion credit file. Per your instructions, I have included a photocopy of my driver’s license and recent pay documentation. Below are my details.
John Patrick Doe
1234 Main Street
Chicago, IL 61234
December 1, 1980
I further request waiver of any fees due to my recent status as an identity theft victim in the State of Illinois. I have attached a photocopy of my police report.
Include a copy of your police report if you have one. If you do not have a police report, and do not need the $40 fee waived, you can complete the entire process online at each of the following three sites.
Enclose a copy of your valid driver’s license or State ID, and a copy of pay stub, utility bill, insurance statement, or another official document that proves your identity. I made a copy of my license and a pay stub, and included this copy to each of the four requests.
These four packets will be addressed to:
Equifax Security Freeze
PO Box 105788
Atlanta, GA 30348
Experian Security Freeze
PO Box 9554
Allen, TX 75013
TransUnion
P.O. Box 2000
Chester, PA 19022-2000
Innovis Consumer Assistance
PO Box 26
Pittsburgh, PA 15230-0026
Next, I recommend obtaining a copy of your current credit report, before it is frozen, at http://annualcreditreport.com. Look over this closely, and make sure everything is accurate.
Within a few weeks, sometimes sooner, you will receive a package from each of these bureaus confirming your credit freeze. They will also include a PIN number that you need to keep. This number will be required if you ever want to temporarily or permanently reverse the credit freeze.
If you want to reverse the credit freeze, you can do this online at the above websites. There will be a $10 fee per agency to do this. If you want this fee waived, you need to submit the request via mail again and include another copy of the police report. A temporary un-freeze would be done in the case that you want to establish new credit such as a credit card or loan. Be sure to generate this temporary reversal prior to the loan request, otherwise your loan may be denied. A permanent reversal will completely stop the freeze, and your account will be back to normal. Again, there is that $10 fee each time, which can be waived with a police report.
Unless you are constantly opening new lines of credit or use your credit to purchase real estate often, I highly recommend a credit freeze. It is simply the most effective way of stopping people from using your identity for financial gain. Lately, people are reporting that their under-age children are becoming ID theft victims. This freeze could apply to them as well. This will NOT stop someone from stealing your current credit card numbers. I have tips for that coming soon.
Posted on July 23rd, 2016
We all possess multiple passwords that we use every day. Some people keep them in their head, but most need a secure method of storing all of them. As I provide keynotes on digital security, the most common question lately is “How should I store my passwords?” or “What do you think about the ______ password app?”
My answer is “It depends…”
There is no perfect solution for everyone’s password storage needs, but I believe that I can offer two options that will suit practically anyone. Personally, I use a combination of BOTH of these options, but more on that at the end. Before proceeding, you should choose your path. Do you want to create a database of all of your passwords that will sync to all of your devices as you make changes and automatically enter these credentials on websites? If so, the first option is best for you. Do you only use one computer to log into your sensitive accounts, and are you not completely comfortable with your encrypted passwords floating around the internet? Then you should check out the second option.
LastPass: LastPass is my preferred web-based password manager. LastPass has a strong, well-deserved reputation for being very secure. Passwords stored in LastPass are encrypted locally on your machine, and then uploaded to the LastPass cloud servers. From there they can be accessed from any Windows, Mac, or Linux system with a simple browser add-on for the Chrome, Firefox, Opera, Safari, and Internet Explorer browsers, or from an Android, BlackBerry, iOS, or Windows mobile device via the LastPass app. LastPass is also very user friendly. LastPass has auto-fill and auto-login functions that will automatically fill the login fields and log the user in as soon as you browse to a site requiring a login. In addition to storing all usernames and passwords, LastPass has a secure notes function that allows you to record small bits of information securely. If you choose to use LastPass, I believe that the following configurations will create an account that is extremely secure and would be very difficult to compromise. If you are looking for a cloud-based solution that will sync all of your passwords, LastPass is the way to go.
Do not use the “remember master password” feature. This will eliminate the possibility of a digital attacker exploiting a stored password on your computer.
Set up two-factor authentication through either SMS recovery or YubiKey (preferred). This adds an additional layer of protection by requiring another verification step before the master password can be reset on your LastPass account.
Restrict access to trusted countries. In your Account Settings, ensure you restrict access to only the location(s) where you regularly access LastPass.
Disable TOR access. TOR is used to communicate anonymously on the internet, so it is often used by hackers. Disable access from TOR in your LastPass Account Settings.
Remove any “Trusted Devices” in the account settings. This will force you to enter your credentials upon each use of your browser. It prevents others from accessing your password while on your computer.
Use a unique, strong master password and never reuse your master password.
Overall, I have two main opinions about password management solutions that sync with the cloud. The first is that these accounts should be overly inconvenient. Password reminders, stored devices, and “remember me” type options should all be disabled. This is the most vital account to protect. Do not create unnecessary attack surfaces. The second opinion is that we must all remember that our information is stored somewhere out of our control. No one knows the exact server, or even the state, where their data is located. We also do not know exactly how our information is handled during transit to their servers. While services such as LastPass are the best option for online storage, they still possess security concerns. LastPass is a freemium service. LastPass on any single device is totally free. LastPass Premium costs $12.00/year and allows you to access LastPass from unlimited devices, share a folder with up to five other people, and use a YubiKey for two factor authentication. LastPass is available HERE.
KeePass: KeePass and its variants are completely open source solutions for password management. One advantage is the availability for all platforms. While Windows is the only official port of the software, options for OS X, Linux, iOS, Android, and Windows Phone exist. KeePass stores all data within any entry, including notes, within an encrypted database. By default the database is stored only locally on your computer, and not on the internet. Additionally, KeePass can import from over 30 common password management programs. The following represents my recommendations by platform if you are looking for a single password solution on all of your devices. A single KeePass database can be read and modified by all of these options.
Windows – KeePass 2.x Professional Edition: This is the standard version. In the downloads area, you have a secondary option of a portable version. I like this because installation is not required, removal if desired is complete, and transport to another device is easy.
OS X – KeePass X: The same encryption standards are in place and the databases can be utilized by other variants of KeePass.
Linux – KeePassX: This version of KeePass is the only option for Linux users and is available at keepassx.org. It is stable and functions identically to the official Windows port.
iOS – Keepass Touch: This iOS version works with the same KeePass databases but has a look and feel similar to other iOS apps. It can be found by searching KeePass Touch in iTunes.
Android – KeePass Droid: This staple for Android can be found at the Google Play store. Again, it will read and write to the most recent database versions created in any KeePass version.
Summary: When I hear people say that they have found a new free app that stores passwords, I cringe a bit. Trusting your most sensitive data to any questionable source could present a catastrophe. LastPass and KeePass are two of the most trusted options available today. I use both. KeePass resides on my encrypted computer and contains all of my passwords for everything. I have a very strong password to open KeePass. I use LastPass as a convenience for the daily logins in my life that are not that important. The various websites that require me to log in to see content and all of my alias social network profiles that I use to search are all stored in LastPass. I use a YubiKey, which is required at every login.
There are only two things I do NOT store in LastPass. My personal email password, and my primary financial account password. THOSE stay in my head…
Posted on April 29th, 2016
IntelTechniques Search Tool: Several updates to the various automated searches
Google Newspaper Archives: Google’s growing collection of scanned newspapers
Google Index Search: Add keywords to receive public folders containing interesting data
YouTube Geo Search: Displays YouTube videos by location
Custom YouTube Tools: Large map version of the previous option
Nuwber: Impressive database of residential addresses and phone numbers
FreeCarrierLookup: Identifies most telephone number carriers
LeakedSource: Displays leaked account details from user names
Apigee: API console to test various social network APIs
Facebook Group Members: Replace group number for full list of members
Posted on January 31st, 2016
IntelTechniques Email Search Tool: This new page allows you to enter an email address, populate it into every search field, and execute individual or automated searches across numerous websites.
IntelTechniques Person Search Tool: This updated page allows you to enter a person’s name, populate it into every search field, and execute individual or automated searches across numerous websites.
IntelTechniques Domain Search Tool: This new page allows you to enter a domain name, populate it into every search field, and execute individual or automated searches across numerous websites.
IntelTechniques IP Address Search Tool: This updated page allows you to enter an IP Address, populate it into every search field, and execute individual or automated searches across numerous websites.
IntelTechniques Social Network Image Search Tool: This new page allows you to enter any keywords and execute a search through Google, with filtering options for the major social networks.
Prompt Translator: An alternative to Google and Bing Translator.
Mamont: Another FTP search engine with impressive results.
Classic Maps: Google Maps with some of the classic features enabled.
Twitter Archiver: Google Docs sheet that fetches Tweets hourly.
The Phone Archive: A telephone search engine. Occasional results, but worth adding.
PhoneSearch.us: One free search per day with good results.
YouTube Country Restriction: Display country restrictions of a video.
DownSub: Download subtitles of YouTube videos.
Whatcha: Analytics for WhatsApp user numbers.
I will be offering an advanced OSINT course at this year’s Blackhat USA conference in Las Vegas. Details can be found HERE.