The Privacy, Security, & OSINT Show – Episode 112

Posted on February 22nd, 2019

EPISODE 112: Privacy Lessons from the Road

This week I discuss some lessons learned when attempting anonymous travel, the most recent privacy related news, Facebook’s search changes, and a site that generates photos of people who do not exist.

Listen to all episodes at https://inteltechniques.com/podcast.html

or Subscribe at:

RSS / iTunes / Google / Stitcher  / Spotify


SHOW NOTES:

PRIVACY LESSONS FROM THE ROAD:


PRIVACY NEWS:

https://arstechnica.com/information-technology/2019/02/catastrophic-hack-on-email-provider-destroys-almost-two-decades-of-data/

https://www.businessinsider.com/nest-microphone-was-never-supposed-to-be-a-secret-2019-2?utm_source=reddit.com

https://www.techradar.com/news/major-security-issues-found-in-popular-password-managers

OSINT:

https://inteltechniques.com/menu.html
https://thispersondoesnotexist.com/


Data Removal Workbook:
https://inteltechniques.com/data/workbook.pdf


Filed under OSINT, Podcast, Privacy, Security | Comments Off on The Privacy, Security, & OSINT Show – Episode 112

The Privacy, Security, & OSINT Show – Episode 111

Posted on February 8th, 2019

EPISODE 111: Back to Basics: Phones & MySudo

This week I revisit the need for an anonymous telephone and explain my latest use cases for MySudo. Later in the show, Paul Ashley, CTO at Anonyome Labs, joins me to give us the latest MySudo updates.

Listen to all episodes at https://inteltechniques.com/podcast.html

or Subscribe at:

RSS / iTunes / Google / Stitcher  / Spotify


SHOW NOTES:

BACK TO BASICS: PHONES & MYSUDO:

Mint Mobile Starter Kit:
https://amzn.to/2MRbGTI

MySudo
https://mysudo.com/

Paul Ashley, CTO Anonymome Labs
https://twitter.com/Sudo_Dr


Data Removal Workbook:
https://inteltechniques.com/data/workbook.pdf

Please submit your listener questions at https://inteltechniques.com/podcast.html


Filed under Podcast, Privacy, Security | Comments Off on The Privacy, Security, & OSINT Show – Episode 111

The Privacy, Security, & OSINT Show – Episode 110

Posted on February 1st, 2019

EPISODE 110: Testing Your Online Security

This week I discuss easy ways to test your VPN, DNS, Browsers, extensions, and custom settings. I also revisit canary tokens as a test of your potential exposure.

Listen to all episodes at https://inteltechniques.com/podcast.html

or Subscribe at:

RSS / iTunes / Google / Stitcher  / Spotify


SHOW NOTES:

SPONSORS:

Privacy.com: https://privacy.com/inteltechniques

PRIVACY: TESTING YOUR ONLINE SECURITY:

https://panopticlick.eff.org/
https://www.deviceinfo.me/
https://browseraudit.com
https://browserleaks.com/
https://detectmybrowser.com/
https://ipleak.net
https://www.dnsleaktest.com/
https://www.emailprivacytester.com

OSINT:  TESTING DEFENSE TO CANARY TOKENS:

http://canarytokens.org/generate


Data Removal Workbook:
https://inteltechniques.com/data/workbook.pdf

Please submit your listener questions at https://inteltechniques.com/podcast.html


Filed under OSINT, Podcast, Privacy, Security | Comments Off on The Privacy, Security, & OSINT Show – Episode 110

The Privacy, Security, & OSINT Show – Episode 109

Posted on January 25th, 2019

EPISODE 109: Privacy News & Buscador 2.0 Release

This week I talk about the latest privacy news and David Westcott joins me to announce the official release of the free Buscador OSINT Virtual Machine.

Listen to all episodes at https://inteltechniques.com/podcast.html

or Subscribe at:

RSS / iTunes / Google / Stitcher  / Spotify


SHOW NOTES:

SPONSORS:

Silent Pocket: https://silent-pocket.com/discount/totalprivacy
Authentic8: https://info.authentic8.com/

PRIVACY/SECURITY:

Latest Breach Discussion:
https://krebsonsecurity.com/2019/01/773m-password-megabreach-is-years-old/

Chrome Proposes to Eliminate Script Blockers:
https://www.theregister.co.uk/2019/01/22/google_chrome_browser_ad_content_block_change/

Archive.org Ignoring Robots.txt:

User-agent:ia_archiver
Disallow: /
User-agent: archive.org_bot
Disallow: /

MyLife Removal Update:
https://www.bbb.org/consumer-complaints/file-a-complaint/get-started

“Dumb” Blu Ray Players:
Magnavox 4K blu day player

A.I. is Now Watching Us:
https://www.cbsnews.com/news/60-minutes-ai-facial-and-emotional-recognition-how-one-man-is-advancing-artificial-intelligence/

China Crowdsourcing Debt Shaming:
https://www.dailymail.co.uk/news/article-6620879/China-launches-app-tells-500-yards-debt.html?ito=social-facebook

OSINT:  Buscador 2.0 Release:

David Westcott:
https://twitter.com/ninjininji

Buscador 2.0:
https://inteltechniques.com/buscador/index.html

LISTENER QUESTIONS:

Q: When I was in grade school, my parents signed a release allowing the school to publish my full name, school assignments/awards, and picture on their website. Since then, the websites been archived and cannot be removed. Besides that, the school says they wouldn’t remove it anyway since they have a valid release signed. Now, when I search my true name, pictures of me and the school I went to and my hometown and old friends and such are all readily available. Is this something I should be concerned about? Is there anything that can be done to remove it or bury it under disinformation or something?

Q: I’ve been using Lastpass for a few years and have recently started looking into non-cloud options like KeePassXC. I just came across a few services, like LessPass, MasterPassword, and getVau.lt, which take contextual data like the site and your login ID along with a master password to calculate passwords for services. Because of this there is no need to store passwords and you can even generate a password directly from the websites by entering the site, login, and your master password. What are your thoughts on something like this?


Data Removal Workbook:
https://inteltechniques.com/data/workbook.pdf

Please submit your listener questions at https://inteltechniques.com/podcast.html


Filed under OSINT, Podcast, Privacy, Security | Comments Off on The Privacy, Security, & OSINT Show – Episode 109

The Privacy, Security, & OSINT Show – Episode 108

Posted on January 18th, 2019

EPISODE 108: Our TV’s, Doorbells, & Private Messengers Are Spying On Us

This week I discuss the latest smart-home threats and Justin Seitz joins me to talk about how you may be exposing your IP address on instant messengers.

Listen to all episodes at https://inteltechniques.com/podcast.html

or Subscribe at:

RSS / iTunes / Google / Stitcher  / Spotify


SHOW NOTES:

SPONSORS:

Privacy.com: https://privacy.com/inteltechniques
Authentic8: https://info.authentic8.com/

INTRO:

Smart TV Woes:
https://www.businessinsider.com/smart-tv-data-collection-advertising-2019-1?utm_source=reddit.com
https://www.techdirt.com/articles/20190114/08084341384/vizio-admits-modern-tv-sets-are-cheaper-because-theyre-spying-you.shtml

Ring Doorbell Issues:
https://boingboing.net/2019/01/10/surveillance-a-go-go.html

Home Assistance Devices Privacy:
https://www.theverge.com/circuitbreaker/2019/1/15/18182214/amazon-echo-google-home-privacy-protection-project-white-noise

GoDaddy Injecting Data Into Websites:
https://www.igorkromin.net/index.php/2019/01/13/godaddy-is-sneakily-injecting-javascript-into-your-website-and-how-to-stop-it/

OSINT:  How To Blow Your Online Cover With URL Previews:

Justin Seitz:
https://twitter.com/jms_dot_py

How To Blow Your Online Cover With URL Previews:
https://hunch.ly/osint-articles/osint-article-how-to-blow-your-online-cover<

LISTENER QUESTIONS:

Q: What are the risks of using a dedicated Sudo number for 2FA?
Q: I have a security clearance, and I’m about to have my 10 year re-investigation and am wondering how not having had a physical address other then a Texas PMB service the last 5 years might give me trouble.


Data Removal Workbook:
https://inteltechniques.com/data/workbook.pdf

Please submit your listener questions at https://inteltechniques.com/podcast.html


Filed under OSINT, Podcast, Privacy, Security | Comments Off on The Privacy, Security, & OSINT Show – Episode 108

The Privacy, Security, & OSINT Show – Episode 107

Posted on January 11th, 2019

EPISODE 107: Listener Questions

This week I attempt to answer the most common questions sent from listeners over the past month.

Listen to all episodes at https://inteltechniques.com/podcast.html

or Subscribe at:

RSS / iTunes / Google / Stitcher  / Spotify


SHOW NOTES:

SPONSORS:

Silent Pocket: https://silent-pocket.com/discount/totalprivacy
Authentic8: https://info.authentic8.com/

INTRO:

Cell Phone Data For Sale:
https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile

New Training Videos:
https://inteltechniques.com/25

Buscador 2.0 BETA:
https://inteltechniques.com/buscador/index.html

PRIVACY LISTENER QUESTIONS:

Trusts:
Should I use a land trust or living rust?
Do you have a template?
Should I buy the land trust training or the book?
How do I find an attorney for this?

NOLO Trust Book:

2017 version: https://amzn.to/2T4VJLV
2019 version: https://amzn.to/2ASCmPs

I am seeing more stores require a fingerprint in order to use a credit card. What do you do in these situations?

I bought my car in cash, Title is in my name. If I transfer title into a trust, as you mentioned on the show, the VIN historical record will still lead to me. Should I just wait until I get a different car?

What do you provide for your address on your credit report? Are you specially updating it to your alternate physical address?

I have found that all financial institutions require that you have a physical address and cannot use a PO Box for the address. I have a PO Box that I signed up for with USPS however as part of their requirements, I cannot use the physical street address for financial purposes. So my question is, how can I prevent my physical address from being used by these financial institutions.

I recently purchased a new car from a local dealer, financing it through the manufacturer. Using the car’s GPS technology, does either the dealer or the finance company or the corporate manufacturer have the ability to track the location of my vehicle?

I searched my name on various people search sites. Some had it, some didn’t. As these are the top 10, should we opt out of these with information we assume they have?
Should we opt-out with information we know they have? Can we assume the top 10 definitely have our information?

For those of us whose jobs require us to have a photo on a website, and where that photo has been used previously in press releases, etc, what are the best strategies for (a) choosing a new photo that has the least chance of being used in image recognition or for other unhelpful purposes; (b) asking news sites etc to remove your picture in prior stories, etc; and (c) getting the photos off Google Images?

What do you do with deleted/deactivated account information? Keep it in your password manager? Dump them onto some like an archive spreadsheet. I’ve got alot of accounts in my password manager and get overwhelmed trying to figure out what to clean out.

Airplane mode disables the cellular modem preventing cell tower triangulation. The GPS modem is still receiving location data. Do iPhones log GPS data and send it back when airplane mode is turned off?

OSINT LISTENER QUESTIONS:

What happened to the FB live map? Any alternative options?

I conduct a lot of online investigations and rely on Google, but I worry about how much privacy I lose. Any suggestions?

I use KeepasXC to store all of my covert account logins for my OSINT work. Having two databases is a pain when I need to access my own data. Any harm in combining all of this into one database as long as it never gets stored online?

I use several social network accounts as part of my covert online investigations. I use Google Voice numbers in order to receive 2FA sms messages to log into the accounts. Two questions: a) Is having the Google Voice app on an iPhone reckless? b) If so, what is the best option to get the messages?

How do I get started in a career in OSINT?


Data Removal Workbook:
https://inteltechniques.com/data/workbook.pdf

Please submit your listener questions at https://inteltechniques.com/podcast.html


Filed under OSINT, Podcast, Privacy, Security | Comments Off on The Privacy, Security, & OSINT Show – Episode 107

The Privacy, Security, & OSINT Show – Episode 106

Posted on January 3rd, 2019

EPISODE 106: Blur Breach, Fake Porn, & Domain Histories

This week I discuss the Abine/Blur breach, more fake porn issues for my clients, and revisit the power of domain registration archives for online investigations.

Listen to all episodes at https://inteltechniques.com/podcast.html

or Subscribe at:

RSS / iTunes / Google / Stitcher  / Spotify


SHOW NOTES:

SPONSORS:

Pay With Privacy: https://privacy.com/inteltechniques
Authentic8: https://info.authentic8.com/

INTRO:

Fake Porn Issues
New Data Removal Workbook:
https://inteltechniques.com/data/workbook.pdf

BLUR/ABINE BREACH:

Discussion
https://www.abine.com/blog/2018/blur-security-update/

OSINT: DOMAIN REGISTRATION ARCHIVES:

https://whoisology.com/

LISTENER QUESTIONS:

Q: Any thoughts on “click them all” options such as adnauseam.io?

Q: I see that there are open-source third party email clients for Protonmail and Tutanota. Do you think these are safe and what is the benefit?


Data Removal Workbook:
https://inteltechniques.com/data/workbook.pdf

Please submit your listener questions at https://inteltechniques.com/podcast.html


Filed under OSINT, Podcast, Privacy, Security | Comments Off on The Privacy, Security, & OSINT Show – Episode 106

How To Blow Your Online Cover With URL Previews

Posted on January 3rd, 2019

Originally posted by Justin Seitz on the Hunchly blog (https://hunch.ly//osint-articles), and used with permission.

URL previews are a nice feature found in most messaging applications. It allows you to paste a URL to a friend or colleague, and have a handy miniature view of the website you are about to view. The downside is that a lot of applications generate these previews without you knowing that it is happening behind the scenes. In some cases this can equate to you disclosing your public IP address in a manner that you likely wouldn’t want. Don’t forget: when you browse to a website your public IP address is exposed. This is just how the Internet works unless you’re using Tor or a VPN to hide it. The difference with URL previews in messaging applications is that you are broadcasting to the website owner that you are discussing the website, as opposed to just browsing to it. This small and subtle change in context is actually quite an important distinction. You’ll see why very shortly…

A Little History

A few years ago I was on a penetration test where I was attempting to spearphish executives at a well known corporation in Europe. They had one of the most brilliant CISOs I had ever met and an absolutely amazing incident response team on staff. After I sent the initial round of phishing emails I was monitoring my command and control server to look for connections from users, anti-virus, or anything else that might indicate that I was either having some success or was about to be caught. After a few hours there was not a lot of activity until my web server received a connection from an IP address that resolved back to Skype. This was a WTF moment for me since my phishing server was brand new and there didn’t seem to be a good reason why a Skype server would be touching it. A few minutes later another hit from a different Skype server. Now I was really pondering what was going on. Then it dawned on me: someone was discussing my command and control system during a Skype chat, and Skype was generating previews of the phishing site I had setup. I performed a couple of quick tests using my own Skype account, and sure enough, I could reproduce the issue easily. I now knew that the incident response team was on to me, and it was time to switch tactics. But this also raised a much larger issue in my mind when it came to online investigations, incident response and running covert online operations.

How Does This Apply to Online Investigations?

There are two viewpoints here: one is from an investigative standpoint and the second is from the standpoint of you running a covert operation through a website. From the investigative standpoint, if you are passing URLs back and forth with a fellow investigator you may end up notifying your target that you are talking about them. This is exactly how I figured out that the incident response team was on to me during my penetration test. You likely don’t want this to happen. The second standpoint is where you are running a website for a covert online operation. You can monitor for these URL previews and determine that someone is discussing your site, potentially letting you know that your ruse is working or that you might be caught out (again, context is important and mission-dependent here). Either way, it is a unique set of behaviours that can be observed that is not general browsing activity.

Test Results from Various Platforms

I did some quick testing of various messaging clients and services. The test was to simply setup a Python web server on a Digital Ocean droplet ($5/month plan is sufficient). The Python web server just printed out the IP address and headers of the connecting client. I also setup a DNS record specific for this testing so that I could try using IP addresses vs. domain names. WhatsApp was the only service tested that responded differently for IP addresses vs. domain names. Every other service was happy to generate previews for an IP address. There was also no difference between using an HTTP vs. HTTPS URL. Here is a summary of findings:

Slack

We, like many other companies, live on Slack so this was the first test I performed. Slack was happy to generate URL previews and identified itself with the following User-Agent:

User-Agent: Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)

The IP address of the request was from my publicly facing IP address through my office connection in both mobile and desktop versions of Slack.

Apple Messages

So Messages was an interesting test that had some pretty unique behaviours. If you post a link from Messages on your desktop/laptop it will generate the preview directly from your public IP address as can be expected. The user agent shows:

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0

Pretty interesting that you see the Facebot Twitterbot pieces in there but this was actually picked up by a Reddit user as well. Here is where things can be a bit more interesting: if you are sending an SMS phish to a target you can enhance the URL preview experience a little by ensuring you have a file named:

apple-touch-icon-precomposed.png

The Messages app will attempt to retrieve this file once it determines that it can successfully reach the target web page. This file will be used in the preview that is generated and could help to entice your target to click the link. It can also be a way of acknowledging the fact that Messages was the application doing the URL preview in the first place.

Wire

Wire is pretty interesting. When you post a URL from the app both on desktop and on your mobile phone your public IP address will show up in the logs. However, there are no User-Agent headers that show up. In fact the only header that Wire sends is:

Connection: close

So this in itself is interesting because many of your HTTP clients (browsers, crawlers, bots, etc.) will send additional headers. By Wire stomping out all information this does become a “tell” that perhaps someone is discussing a target site in the Wire application. Further tracking of how often you see this limited set of client headers would have to be done in order to come up with something more statistically relevant than my single observation. Note that in Wire there is a setting in Preferences -> Options called “Create previews for links you send.” If you disable this it will prevent Wire from doing these URL previews. I recommend you do this. Thanks to Michael Bazzell for assistance with this one.

Facebook

Facebook also announces itself, but it uses Facebook-owned infrastructure to hit the site for a preview. You will see a User-Agent header of:

User-Agent: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)

It doesn’t use your public IP address but does indicate that someone has posted a link to the target site on their Facebook profile or have sent it via Facebook Messenger. The IP address you see show up will be registered to Facebook so you can use a site like ipintel.io to look it up.

WhatsApp

WhatsApp behaves somewhat differently than the other services. It will not honor IP addresses directly but if you type in a domain (and any port) it will attempt to do URL previews. Additionally, it will do continuous requests as you type the URI of the target page as well which generates a lot of traffic. The User-Agent looks like this:

User-Agent: WhatsApp/0.3.1649 N

The request comes from your public IP address.

Services That Didn’t Generate Previews

There were some services that didn’t generate any previews or traffic when pasting links, or typing URLs. Of course you should test this yourself to verify.

Signal (Desktop/Mobile)
Skype (Desktop/Mobile)
Sudo (Mobile)
Threema (Mobile)
Twitter DM (Mobile/Web)
Wickr (Desktop)

All of the mobile testing was done on an iPhone X so there may be differences with Android that aren’t covered here. There are probably a ton of other messaging apps out there that you could test, and you absolutely should. Feel free to let me know and I can update this post with your results.

Mitigations

There are a few things you can do to help mitigate the risk:

Defang your URLs — This is simply the method where you replace the dots and colons with other characters, or use brackets. An example could be:

Regular: https://www.hunch.ly

Defanged: hxxps://www[.]hunch[.]ly

Use a VPN — this is a secondary suggestion really as it is isn’t mitigating the original problem but for the services that are spitting out your public IP address this will at least obscure it.

Filed under OSINT, Privacy, Security | Comments Off on How To Blow Your Online Cover With URL Previews

Data Removal & Credit Freeze Workbook Update

Posted on January 2nd, 2019

Happy new year everyone! What better way to start off than to remove your personal details from the internet and lock down your credit? The latest version of my free workbook is now available at the following link:

https://inteltechniques.com/data/workbook.pdf

Change log:

Several new sites added
Several dead sites removed
Three service links updated
Top 10 list added
Dates with every update. Search “January 2019”

 

Filed under ID Theft, Privacy, Security | Comments Off on Data Removal & Credit Freeze Workbook Update

Data Breach at Privacy Company Abine/Blur

Posted on December 31st, 2018

Two weeks ago, I was made aware of a data breach that hit close to home for me. Abine, the company that makes the email/cell/credit card masking product Blur is the latest organization to announce that it has been breached. I have recommended Blur on my show and in my books, and I use it every day myself. I have been in communication with Abine since December 17th, 2018, and agreed to delay any reporting until they knew their systems were patched and had a chance to publicly announce the issue, which they did today in a blog post at https://www.abine.com/blog/2018/blur-security-update/.

Before we all panic, let’s take a look at the exposure.

Access was gained to their systems near the month of January 2018.

Data was stolen in reference to members registered prior to January 2018.

This data included the user’s:
Email addresses
First and last names
Password hints from the MaskMe product
IP addresses used to login to Blur
Encrypted Blur password (encrypted using bcrypt with a unique salt for every user)

There is currently no evidence that external usernames and passwords stored by the password manager feature, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed in this breach. There is also currently no evidence that user payment information was exposed in this breach.

I have accessed my personal details released in the breach. In it, I could see the email address I used during signup (unique junk account), my IP address used during signup (VPN), my name used (alias), and my password (encrypted and unique). I plan to release a special episode of my podcast today in order to tackle some of the issues learned during this breach.

If you used a strong and unique password for Blur, you have little to worry about.
If you used an alias and a VPN, no big concern there.
If you used your real information, you can be searched by those that have access to the data.
Everyone with a Blur account should change their password immediately.

I did not use their password manager, but if I did, I would change every password stored in it out of precaution. We never truly know the extent of the data accessed.

Filed under Hacking, Privacy, Security | Comments Off on Data Breach at Privacy Company Abine/Blur

Search

Recent Posts