Minimizing macOS Telemetry

Both Apple and Microsoft collect hundreds of user metrics when we use macOS and Windows operating systems. They receive constant data about the apps we open, our location, any network configurations, connected devices, and our overall behaviors. This is why I never associate an AppleID with my Macbook Pro. I install software through Brew and have no need for the App Store. This prevents Apple from storing telemetry from my computer within an Apple account which eliminates much of the privacy invasion. However, this does not prevent Apple from collecting data from my machine during every minute of usage. For that we need a network firewall such as Little Snitch or Lulu.

I have explained Little Snitch in my books and on my show. It is a premium ($) product which I have used for many years. Lulu is a free option which may also suffice for most users. For this demonstration, I explain my actions through Little Snitch, but you could probably replicate with Lulu. Never install both Little Snitch and Lulu! Pick only one.

Little Snitch allows us to block network connection within specific applications. I have previously explained how I block Microsoft Office and Adobe products from sending out any data during usage. This prevent Microsoft and Adobe from knowing the names of files I am creating, my IP address, and other sensitive data. This is the traditional purpose for apps such as Little Snitch. However, we can use these apps to minimize much of Apple's invassive telemetry if we are willing to push the balance of privacy versus functionality.

First, I modified Little Snitch's default system setting within the "Rules" menu. You cannot delete the rules which allow basic macOS and iCloud functionality, but you can disable them by unchecking the options as seen below. This will immediately prevent iCloud and online Apple services from functioning properly, but I don't mind. Since I do not have an Apple ID associated with my machine, I am not using iCloud anyway.

You will likely now begin receiving popup messages from Little Snitch asking if you want to allow specific connections, such as "itunescloudd" attempting to connect to icloud.com. Even if you never use iTunes, iCloud, or Apple Music, your Mac computer is constantly sending data to Apple servers about your online activities. I believe this should be blocked. Below are the various Apple services which I blocked. While I could have blocked "All" outgoing connections for these apps, I usually choose to only block the domain which is trying to be accessed. This way, I can be alerted if a new domain is trying to be reached. In the following screen captures, you can see that I am blocking data from being transmitted from the App Store, Find My App, Music, News, Notes, Podcasts, and Stocks. Obviously, you would not want to do this if you use any of these apps. I do not. Furthermore, I am blocking data from being transmitted by underlying services such as calendar, commerce, cloud, games, and parsce-fbf (Siri).

There were a few settings which I did not disable, such as trustd (confirms security certificates for apps), timed (synchronizes time), softwareupdated (updates operating system), and a few others. I also had a lot of connection problems when I completely blocked mDNSResponder. Therefore, I allowed my DNS (1.1.1.1) but blocked everything else, as seen below. This prevents Apple servers from receiving data sent from software but allows those applications to connect to the internet.

This does not prevent 100% of Apple telemetry, but it eliminates much of it. I do not claim that these settings are optimal or appropriate for everyone. I only share the Apple telemetry which I blocked without limiting any daily functionality for my usage. Expect several annoyances as you find your perfect settings. I plan to continue further manual blocks until I begin breaking things again. More details on my show this Friday.

The Privacy, Security, & OSINT Show – Episode 227

EPISODE 227-Eleven Topics

This week I present Eleven assorted topics surrounding privacy, security, and OSINT including a Pegasus recap, ID.Me challenges, more Airtag concerns, the Protonmail audit, results from a ProtonMail search warrant, new uBlock Origin features, another email masking option, upcoming Google Voice changes, GrapheneOS updates, Librem 5 phone refunds, and a new NextDoor OSINT tip.

Direct support for this podcast comes from sales of my books, services, and online video training. More details can be found at IntelTechniques.com. Your support eliminates any ads, sponsors, endorsements, Patreon, donations, or commercial influence on this show.


SHOW NOTES:

INTRO:

Mark Herring

UPDATES:

Online Video Training Price Increase
Ransomware Breach Update
"Watermarked" IDs

ELEVEN TOPICS:

Pegasus
https://inteltechniques.com/blog/2021/07/22/diy-pegasus-spyware-scan/

ID.me

AirTags: https://lukaszkrol.net/airtags_stationary/

Protonmail Audit: https://protonmail.com/blog/security-audit/

ProtonMail Search Warrant

uBlock Origin Updates

DDG Email Forwarding

Google Voice SMS Forwarding

GrapheneOS Sandboxed Google Play

Librem 5 Refunds

OSINT:

NextDoor
Settings > Neighborhoods > Explore Neighborhoods


Free Workbooks: https://inteltechniques.com/links.html

Affiliate Links:
ProtonVPN: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=282
ProtonMail: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=267
SimpleLogin Masked Email: https://simplelogin.io?slref=osint
Silent Pocket: https://silent-pocket.com/discount/IntelTechniques
Amazon: https://amzn.to/3eCjp7J


Personal Ransomware Exposure

Note: This post is a supplement to the podcast episode with the same title located at https://soundcloud.com/user-98066669/226-personal-ransomware-exposure.

When we think about ransomware victims, I suspect most of us think about companies having their data encrypted and being extorted for Bitcoin payments in order to obtain the decryption tool which will unlock their documents. With more companies possessing proper backups due to the awareness of this criminal activity, we are now seeing ransomware groups focus more on exposure of data instead of decryption. This presents a new problem for all of us. It is now OUR data which is often exposed to the world when companies refuse to pay the ransom.

To be clear, I never support or encourage ransomware payments. However, I do support resistance when companies and government institutions demand our information and then store it insecurely. On my show, I talk a lot about my methods to sanitize my personal information when requested because I know it is likely to appear online due to poor privacy policies or accidental exposure. Let's take a look at some recent ransomware data dumps which are now publicly available and may be leaking YOUR personal details.

Accountants often demand to store copies of IDs and tax forms on your behalf. My account/attorney rolls his eyes when I insist on storage within encrypted containers and transmission only via encrypted email. I believe this is all justified. Clients of a California law firm now have all of their data exposed within a ransomware dump made public last week by a group called "Clop".

This includes tax forms displaying names, DOBs, and SSN, as seen below.

This is the main reason I insist that my attorney either store data within a secure encrypted container or allow me to be responsible for storage of my own docs.

Employers demand tax forms from us to legally pay us, but then store them with the same security as the rest of their daily documents. The following is one of many employee tax forms collected by a nutritional foods company which was hit with ransomware this year by a group called "Clop" which is now publicly available.

This is one of the many reasons I conduct all business in the name of an LLC and only provide EINs issued by the IRS for all transactions.

Universities and colleges demand our personal details and then include them within documents stored insecurely. The following Miami university breached document publicly discloses full name, address, DOB, ethnicity, phone, cell, email, and relatives. I suspect people search websites will soon start including ransomware dumps within their infrastructure.

A Colorado school went further by releasing class schedules and grades after they were hit with ransomware.

Digging into the files further identifies every student's overall GPA which allows the public to now monitor his progress as a student.

I have no secure options for this problem. We have no control over school storage of our data.

All of the forms your doctor or dentist makes you sign are rarely securely stored. The following redacted partial form was released after a dentist office refused to pay a ransom to a group called "Conti" and terabytes of data were exposed online.

This is the reason I always resist signing unnecessary paperwork and scrutinize HIPAA release forms. We cannot refuse everything, but we can minimize our exposure.

The apartment or home you have leased includes numerous contracts. When the property management company, in this case a business in Canada, gets hit with ransomware and ignores the extortion demands, all documents get released publicly.

This is one of many reasons I title any home ownership or lease within the name of a trust or LLC.

Physicians, surgeons, and dentists often capture digital photographs of various conditions. A hospital suffered a ransomware breach by a group called "Vice Society" and did not pay the criminals. As a result, all of their stolen data was published to the internet, including images of their patients' illnesses, including the following redacted image.

This is one reason I SOMETIMES ask doctors to either avoid unnecessary images or delete them after any procedure is complete.

If the images present within the data dump were not enough, a Word file titled "Login and Passwords" is included for access to third party services. I may or may not have confirmed that all of the passwords still work. This is why I never recommend storing passwords locally in an unprotected document, and only recommend locally-stored secure password managers with encrypted data.

Since my company often assists clients with ransomware attacks, I find the chat logs between businesses and the criminals especially valuable. Many of these logs are stored within the victim computers and become part of the data dump through the offender's website. The following is a partial display of a chat between a dermatologist office and the criminals who attacked their network. These can be a great source of education before engaging with ransomware criminals.

Many ransomware data leaks contain full Outlook PST files which include every incoming and outgoing email associated with a specific email address. The following is a partial list of these files, each several gigabytes in size, downloaded from a ransomware publication after a city refused to pay the extortion. The content of these files is incredibly sensitive.

This is why I consider every email I send to be public information. I never send anything I would worry about becoming publicly available. I reserve sensitive conversations for E2EE ephemeral messaging.

The next time a business demands your personal data or a copy of your ID, consider this post. When they ignore your resistance to provide personal details which are not required for the business being conducted, explain your concern through these examples. When your friends and family call you paranoid or difficult for wanting to keep your information private, know that you are not alone. If you would like much more information about the ways I protect the privacy and security of my clients, please check out my book Extreme Privacy.

The Privacy, Security, & OSINT Show – Episode 226

EPISODE 226-Personal Ransomware Exposure

This week I discuss the personal impact of published ransomware data and the OSINT potential for researchers. You might have more to lose than the companies being targeted by criminals, but there might be huge gains if your investigative target is within a leak.

Direct support for this podcast comes from sales of my books, services, and online video training. More details can be found at IntelTechniques.com. Your support eliminates any ads, sponsors, endorsements, Patreon, donations, or commercial influence on this show.


SHOW NOTES:

INTRO:

Ransomware Landscape

UPDATES:

None

PERSONAL RANSOMWARE EXPOSURE:

https://inteltechniques.com/blog/2021/07/23/personal-ransomware-exposure/

OSINT:

edteebo2w2bvwewbjb5wgwxksuwqutbg3lk34ln7jpf3obhy4cvkbuqd
site:https://app.hacknotice.com "onion"


Free Workbooks: https://inteltechniques.com/links.html

Affiliate Links:
ProtonVPN: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=282
ProtonMail: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=267
SimpleLogin Masked Email: https://simplelogin.io?slref=osint
Silent Pocket: https://silent-pocket.com/discount/IntelTechniques
Amazon: https://amzn.to/3eCjp7J


DIY Pegasus Spyware Scan

You have probably heard the news that Pegasus, the spyware created by NSO Group, is still potentially infecting targeted fully-patched Android and iOS phones. The new interest in this software comes after a list of over 50,000 phone numbers believed to have been identified as those of people of interest by clients of NSO since 2016 was leaked to several media outlets. The leak itself provides no evidence of any infection or compromise, but that shouldn't stop websites from panic-brokering in order to sell ad clicks. One of the main announcements came from The Guardian, which delivers 22 trackers to your browser if you want to read their version of the story.

I highly doubt you have Pegasus on your device, but countless people have been asking me about ways to scan for potential infection. The following could be executed on a Mac computer to check an iPhone.

Make sure you have Brew installed. If you do not, execute the following within Terminal:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

After you have Brew installed, execute the following commands within Terminal.

brew install python3
brew install python3 libusb
pip3 install mvt

You now have the MVT tool which can scan for CURRENT Pegasus infection.However, it cannot scan a mobile device directly. You must generate an iOS backup through the Finder app by connecting your device via USB, selecting the device within Finder, then choosing "Back Up Now".

Since I encrypt my device backups, I must first make a decrypted version. If you do not encrypt your backups. Skip this step. Enter the following within Terminal but do not execute.

mvt-ios decrypt-backup -p THE.PASSWORD.TO.YOUR.DEVICE.BACKUP -d ~/Desktop/decrypted/

Open Finder and navigate to your home directory, then locate Library/Application Support/MobileSync/Backup. Find the randomly generated folder in this directory and drag and drop it into Terminal at the end of your previous command. The entire command should now be similar to the following.

mvt-ios decrypt-backup -p PASSWORD -d ~/Desktop/decrypted/ /Users/YOURUSERNAME/Library/Application\ Support/MobileSync/Backup/5587346598736592834765928345932

This command will decrypt your backup and store it on your Desktop. The following command will scan this backup.

mvt-ios check-backup ~/Desktop/decrypted/ --output ~/Desktop/results/

You now have a folder on your Desktop with the results. Look through it for any files which end in "_detected.json". These COULD indicate infection, but the content would need to be scrutinized.

Android users have a bit more hassle. See the official MVT docs at https://mvt.readthedocs.io/en/latest/ios/records.html if you want to check your own system.

I highly suspect that you do not have any infection, but these steps could set your mind at ease if you believe you were targeted by this software between 2016 and today. All of my devices were clean.