Serious iOS 11 Privacy Issues

Posted on September 20th, 2017

I usually fully support software updates. This ensures that we run the latest versions of applications possible, which have the most bugs, exploits, and issues patched. When I saw the latest iOS update (11), it seemed inevitable that I would need to upgrade at some point, so I did. While I expected to see some minor tweaks of features I really do not care much about, I was immediately bothered by two very concerning issues.

iCloud

I do not use iCloud on my iPhone, I never have. I have my own internal systems for storing and synching my photos, contacts, notes, calendar, etc. I was shocked to see that immediately after installing iOS 11, all of the iCloud settings were enabled. I immediately switched them all off, but it was too late. From my laptop, I logged into the alias iCloud account associated with the iPhone, and immediately saw all of my (previously) locally stored photos in the cloud. My contacts and calendar were present as well. I was able to easily remove the calendar entries and contacts, but the photos would not budge. I was told they would be deleted in 30 days, as I had disabled iCloud from my mobile device. I had to re-enable iCloud Photos on the device, and manually delete them from within iCloud on my laptop. I only could then permanently remove the photos from the deleted items. It took about 20 minutes to properly remove all of my personal data from Apple’s servers. I was frustrated to say the least. Therefore, I encourage you to check your devices and see if you are sharing all of your data with Apple. Further, log into your iCloud account from your computer and see how bad the damage is.

Wi-Fi / Bluetooth

If the iCloud issue was not bad enough, I quickly learned that Wi-Fi and Bluetooth are NOT disabled from the Control Center as you would believe. The following is an actual test with my own device. On the lower left screen capture of my Control Center, I have the default setting upon initial boot, which is to have my cellular, Wi-Fi, and Bluetooth networks enabled. On the lower right, you can see that I disabled the Wi-Fi and Bluetooth.

Theoretically, those radio signals should be completely off. However, navigating to my Settings menu displays the actual status which is “Not Connected”. Disabling these networks from your Control Center does nothing more than disconnect you from any networks. Your radios are still on, and still “sniffable” to an outside intruder. The lower left image displays the “Not Connected” status. Clicking on these options and disabling the network connections completely is the only way to properly disable the radios, as seen in the lower right image.

I have usually been a big fan of Apple’s security and privacy. This makes me question their motives a bit.

Filed under Privacy, Security

OFFENSE/DEFENSE: Gift Registries

Posted on September 19th, 2017

“OFFENSE/DEFENSE” is a recurring series of posts about online investigative techniques (Offense) and ways that we can protect ourselves from these invasions (Defense).

OFFENSE: Gift Registries

Decades ago, people were surprised at the gifts presented to them after a wedding or birth. Today, we create online registries identifying the exact products desired, and within moments someone can purchase and ship the “thoughtful” gift with very little effort. As an investigator, I have always enjoyed the plethora of personal details within these registries, which tend to stay online for long after the related event. Before identifying the best resources, let’s take a look at the types of details we can acquire from some random targets.

Partner Name:

When I am investigating someone, that person usually knows that they are under a microscope. He or she tends to stop posting to social media and start scrubbing any online details. However, their partner tends to ignore the threat of investigation and continues to upload sensitive information applicable to the target. Therefore, online wedding and baby registries help me identify the most lucrative target aside from the original suspect. In the example below from the wedding registry website theknot.com, I receive over 200 results for Michael Wilson, which includes the name of the future spouse.

Maiden Name:

In the example above, the results only identified future weddings. However, modifying the year in the search menu allows us to view past weddings. This will divulge a woman’s maiden name. This can be beneficial in order to better locate a Facebook page or other family members that may be off my radar. I can also use this to search old yearbooks, criminal details, and previous addresses. The example below displays previous events not seen within a standard search.

Date / State:

Many counties will only share marriage certificates if the requestor knows the exact names of each party and the exact date of the event. We have everything we need in order to file a request. Marriage certificates often include full details of all parents, witnesses, and the officiant. Further, I now have their anniversary date which can be helpful during a phishing attack or social engineering attempt. You might be surprised at the number of people that use their anniversary as a security question to an online account.

Ceremony Details:

The Knot and other wedding registry sites offer the couple a free website to announce details about the upcoming (or past) event. This usually includes an embellished story about how they met, fell in love, and he proposed. While this could be good knowledge for social engineering, I am usually more interested in the wedding party. This will usually include the closest friends of my target, which will be next on my investigation list. The following example is from a public profile on The Knot.

Items:

While it may be fun to look at the items desired by a couple, there is much we can learn about their lives based on these details. In the example below, we now know that a random Michael Wilson, who is getting married in San Antonio in November, will be going on his honeymoon in Maui (#2), snorkeling (#3), at the airport carrying a Lowepro backpack (#4), checking red/black suitcases (#5), capturing everything on a Canon HD camcorder (#6), dining at the Lahaina Grill (#7), and staying at a fancy nearby hotel (#8).

Other recent examples associated with actual targets identify the types of phones used, vehicles driven, and subjects of interest. While The Knot requires both a first name and last name to conduct a search, providing two asterisks (**) as the first name will present every entry online including the provided last name.

Children

The items within a baby registry will usually provide little to no value. Knowing the brand of diapers preferred or favorite crib style has never helped me in the past. However, knowing a due date and location of the target can be beneficial. In the example below, we see that our targets are expecting on September 22 in Lee’s Summit, MO. This would be the opportune date to call Michael’s assistant and claim “I don’t want to bother Mike while he and Lesley are having a baby, but I really need a document he promised me, do you have access to his email or network drive?”

Unfortunately, The Bump only allows searching of upcoming births, and not any past profiles. Fortunately, Google has our backs. The following Google search revealed multiple baby registries from the past few years associated with Michael Wilson:

site:registry.thebump.com “michael wilson”

The example below displays details from 2015 still available online.

Gifts

The most fruitful registries in regards to identifying personal preferences of a target are the various gift registries. Of all these, Amazon is the most popular. In the example below, I now know that my target likely has a Jeep, a 1911 firearm, a large dog, and a body to hide.

Resources

Below are the most common wedding, baby, and gift registries, with direct links to the most appropriate search pages. I highly encourage you to conduct a detailed Google “Site” search after attempting the proper method.

The Knot: https://www.theknot.com/registry/couplesearch
The Bump: https://registry.thebump.com/babyregistrysearch
Amazon Gifts: https://www.amazon.com/gp/registry/search
Amazon Baby: https://www.amazon.com/baby-reg/homepage/
Amazon Wedding: https://www.amazon.com/wedding/
Target Wedding: https://www.target.com/gift-registry/
Target Baby: https://www.target.com/gift-registry/baby-registry
Kohl’s Wedding: https://www.kohls.com/gift-registry/wedding-registry.jsp
Registry Finder: https://www.registryfinder.com
My Registry: https://www.myregistry.com

DEFENSE: Gift Registries

The most obvious defense to this type of intrusion is simply not to participate. Consider whether you want these details available online forever before posting. However, we cannot change the past. If you have an online registry that you would like removed, the following email addresses and websites can be used to demand deletion.

The Knot: help@theknot.com
The Bump: support@thebump.com
Amazon: https://www.amazon.com/gp/help/customer/display.html?nodeId=501090
Target: http://help.target.com/help/TargetGuestHelpArticleDetail?articleId=ka4i0000000EFYLAA4
Kohls: https://cs.kohls.com/app/ask/noIntercept/1
Registry Finder: info@registryfinder.com
MyRegistry: customercare@myregistry.com

Filed under OSINT, Privacy

The CCleaner Hack: What You Should Do Now

Posted on September 18th, 2017

I woke up to an inbox full of email this morning about the computer cleaning application CCleaner. I have used it for many years, and recommend it often. It was announced that they were hacked, and the emails ranged in emotion from “Help!” to “Is this a big deal?” There are numerous online articles discussing the attack, but I found that almost all of them offer nothing of value. They generate panic, sell a few clicks on ads, and we all carry on. I hope for this post to provide some actual details and actions to be taken.

WHAT HAPPENED? Criminal hackers infiltrated CCleaner’s systems to introduce a modified version of the software. This new rogue version contained malware. When a user installed this version, available from August 15, 2017 through September 12, 2017, the user’s system was compromised and infected. The infected systems then continuously sent data to the attackers including the name of the computer, installed software and running processes. It does not appear (at this time) to have sent personal data or files. 2.27 million people were using the compromised software.

WHY? This attack was likely part of a larger potential attack. The type of data stolen indicates that the plan may have been to create a large network of compromised computers (Bot-Net) which could then conduct DDOS attacks or other large-scale actions.

WAS I INFECTED? This is the part that no one is clearly explaining. You must meet ALL of the following criteria to have been impacted:

Windows Computers Only – The Mac version does not appear to have been compromised.

32-Bit Versions Only – If you have a 64-bit processor and use the default 64-bit version of CCleaner, you were not compromised. You can identify your version of Windows easily with THIS GUIDE.

CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191: You are much more likely to have the standard version, but some users may be using the premium cloud version. Opening CCleaner will identify the version in the top of the application.

WHAT DO I DO NOW? This is the most vital piece that I have found to be missing from every online article. Avast (who owns CCleaner) says no need to worry, as they have disabled the rogue server and removed all of the malware with the latest release. That is fine for them, but does not mean that your computer is clean. I recommend that EVERY CCleaner user, regardless of whether you were actually infected, take the following actions today:

1) Update your version of CCleaner: Open the application and check for updates, installing any updates. This is actually a better action than deleting CCleaner, because their update removes the malware that was installed. Direct Download link: http://download.piriform.com/ccsetup534.exe

2) Install, update, and run Malwarebytes: This will look for any other malware on your system, including any triggered by the CCleaner attack.

3) Run a complete virus scan: For Windows 10 users, I still recommend simply using the default Windows Defender option. Windows 7 users should use Microsoft Essentials. No AntiVirus is perfect, and finding any reputable third-party options gets more difficult every day.
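If you look after more than one machine, the criteria and actions above can be applied to a software inventory in one pass. The following is an added example, not code from Avast, Piriform, or this site; the CSV column names, host names, and sample rows are constructed for illustration, and only the two affected build numbers come from the post.

```python
import csv
import io

# Affected builds exactly as listed in the post above.
AFFECTED_BUILDS = {"ccleaner": "5.33.6162", "ccleaner cloud": "1.07.3191"}

# Constructed sample inventory. Hosts, column names, and every version
# other than the two affected builds are made up for this example.
# app_arch is the bitness of the installed CCleaner binary, not the CPU.
SAMPLE_INVENTORY = """host,os,app_arch,product,version
ws-01,Windows 7,32-bit,CCleaner,5.33.6162
ws-02,Windows 10,64-bit,CCleaner,5.33.6162
mac-01,macOS,64-bit,CCleaner,1.00.000
ws-03,Windows 10,x86,CCleaner Cloud,v1.07.3191
ws-04,Windows 10,32-bit,ccleaner,5.30.0000
ws-05,Windows 10,64-bit,Example Archiver,1.0
"""


def _norm(value):
    """Lower-case and trim a field; missing fields become an empty string."""
    return (value or "").strip().lower()


def classify(row):
    """Return 'affected', 'update-and-scan', or 'not-ccleaner' for one row.

    'affected' requires ALL three criteria from the post: Windows,
    32-bit build, and one of the two listed versions. Every other
    CCleaner install still gets 'update-and-scan', matching the advice
    that every user should update and scan regardless.
    """
    product = _norm(row.get("product"))
    if product not in AFFECTED_BUILDS:
        return "not-ccleaner"
    on_windows = _norm(row.get("os")).startswith("windows")
    is_32bit = _norm(row.get("app_arch")) in {"32-bit", "32bit", "x86"}
    version = _norm(row.get("version")).lstrip("v")  # tolerate "v1.07.3191"
    if on_windows and is_32bit and version == AFFECTED_BUILDS[product]:
        return "affected"
    return "update-and-scan"


def triage(inventory_csv):
    """Map each host in the CSV text to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row) for row in reader}


def affected_hosts(inventory_csv):
    """Hosts that meet every criterion and should be handled first."""
    return sorted(h for h, s in triage(inventory_csv).items() if s == "affected")


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```
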

This attack could have been much worse. I am very disappointed in Avast and CCleaner for allowing this to happen. Fortunately, the damage appears to be minimal and eliminating the threat trivial.

Filed under General, Hacking, Security

The Complete Privacy & Security Podcast-Episode 045

Posted on September 16th, 2017

EPISODE 045: Windows: Part II

This week we continue our discussion about privacy and security considerations for Windows users.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

INTRO:

EU Funded Privacy “Tool”:
https://thenextweb.com/security/2017/08/17/eu-funded-online-privacy-tool-will-protect-your-data-and-help-you-sell-it/

Android Apps with Spyware:
https://www.pcauthority.com.au/News/470893,spyware-found-in-more-than-1000-apps-in-google-play-store.aspx

Reddit Combo link:
https://www.reddit.com/r/AskNetsec+Intelligence+SocialEngineering+blackhat+computerforensics+hackers+hacking+netsec+netsecstudents+physec+privacy+privacytoolsIO+pwned+socialmedia+technology/

SHOW:

Virtual Machines
Linux flavors
VirtualBox vs VMWare
Backups: Windows-integrated backup vs Cryptsync
Password mgr (keepassxc)
VPN (PIA/Proton)
Browser selection and settings
VeraCrypt for docs/photos/etc

LISTENER QUESTIONS:

Do you ever use a Blur or Privacy.com card with your real name and either a PO Box that actually belongs to you or only with fake name and your address or real name and fake address?

I want to start using local NAS devices and get away from Dropbox. Any specific brand you recommend?

OSINT SEGMENT:

Usernames on Leaked Databases:
https://inteltechniques.com/osint/username.html


The Complete Privacy and Security Desk Reference
https://inteltechniques.com/book4.html

Michael’s Website
https://privacy-training.com/

Justin’s Website
https://www.yourultimatesecurity.guide/

Please submit your listener questions to us at https://privacy-training.com/podcast.html


Filed under OSINT, Podcast, Privacy, Security

The Complete Privacy & Security Podcast-Episode 044

Posted on September 9th, 2017

EPISODE 044: The Equifax Debacle

This week we interrupt our scheduled release to talk about the Equifax breach and our recommended actions.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

Equifax Leak:
https://www.equifaxsecurity2017.com/

Equifax Victim Check:
https://www.equifaxsecurity2017.com/potential-impact/

Credit Freeze Guide:
https://privacy-training.com/CreditFreeze.pdf


The Complete Privacy and Security Desk Reference
https://inteltechniques.com/book4.html

Michael’s Website
https://privacy-training.com/

Justin’s Website
https://www.yourultimatesecurity.guide/

Please submit your listener questions to us at https://privacy-training.com/podcast.html


Filed under ID Theft, Privacy

The Complete Privacy & Security Podcast-Episode 043

Posted on September 1st, 2017

EPISODE 043: Windows: Part I

This week, we offer our privacy & security considerations when setting up a Windows computer, tackle listener questions, and provide a new OSINT resource.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

INTRO:

ProtonMail now accepts Bitcoin:
https://protonmail.com/support/knowledge-base/paying-with-bitcoin/

Students Fingerprinting:
http://fox4kc.com/2017/08/16/excelsior-springs-high-starts-scanning-students-fingers/

SHOW:

Basic Operating System Hardening
Update, update, update
Standard User Account – Local Accounts vs. Connected Accounts
Full system clones & restoration
Privacy & Security Settings
O&O ShutUp 10
Spybot Anti-Beacon, etc.
Uninstall undesired programs
Disable default MS sync services
Anti-Virus, Anti-Malware (Win 7 vs Win10)
Avast, BitDefender
Malwarebytes, Spybot S&D
CCleaner CCEnhancer
Full Disk Encryption Options – BitLocker limitations
VeraCrypt

LISTENER QUESTIONS:

I was recently browsing mobile apps and noticed a browser called ALOHA, it’s a browser and has a “Free” VPN service. It’s rated really high. 5 stars- out of 542 reviews. It seems too good to be true. Is it?

On one of your recent podcasts you mentioned that a site you went to could show you your yubikey serial number…. And you said that was kind of creepy. Could that ability be used to track someone on the web if a person leaves their yubikey plugged in? Does this change your opinion on yubikey?

OSINT SEGMENT:

BitcoinWhosWho:
http://bitcoinwhoswho.com


The Complete Privacy and Security Desk Reference
https://inteltechniques.com/book4.html

Michael’s Website
https://privacy-training.com/

Justin’s Website
https://www.yourultimatesecurity.guide/

Please submit your listener questions to us at https://privacy-training.com/podcast.html


Filed under OSINT, Podcast, Privacy, Security

Who is Listening to You Through Your Devices?

Posted on August 31st, 2017

You have likely seen someone that had a piece of black tape or a sticker covering the internal webcam on their laptop. This was once believed to be paranoid behavior, but it has become much more common today. The vast presence of malicious software which can enable and access a webcam remotely has created panic in regards to privacy. Many people have been extorted after a webcam unknowingly captured them nude or in an embarrassing situation. This is nothing new, but it raises a more concerning question to me. While I also block my webcam with an EFF sticker, could someone still enable and access my microphone?

I have been using faraday bags for my cell phone when I am in sensitive meetings in order to prevent any transmission of audio from my device, just in case it had been compromised. However, my laptop has a built-in microphone, and it would be much more likely to have malware than my mobile device. Plugging in a set of headphones with a microphone disables the internal microphone in my laptop (software level, not hardware), but then the headset could still monitor the audio in the room. I could cut the earbud directly before the in-line microphone, but that would destroy the headset. Cutting a junk set directly at the plug will not confuse the laptop into thinking that a non-existent microphone is plugged into the device. The solution to all of this is the product Nope by the company Bungajungle.

Nope is a webcam and microphone privacy solution which makes it much more difficult for you to be remotely monitored. The webcam blocker allows the ability to quickly uncover the camera when you want to participate in a video call. This idea has been around quite some time, but this aluminum device is more elegantly executed than the plastic versions given out at conferences. Personally, I only need the audio blocker that they have created. This small plug, which fits flush into your device, informs your laptop or mobile that you have inserted a microphone headset, which causes your device to disable the internal microphone and switch to the non-existent headset mic. Since this plug does not possess a microphone, your audio in the room cannot be captured, transmitted, or recorded through malicious means. Could this be defeated with software or hardware interception? Of course. However, that would be a highly targeted attack, and is simply not likely for the average user.

These devices are on pre-order through a Kickstarter campaign. After testing a prototype sent directly from Bungajungle, I purchased the Essential Pack for $25, which includes two webcam covers and two audio blockers. The audio blockers will be inserted into my laptop and phone at all times when audio is not in use.

Filed under Privacy, Security

Internet Search (OSINT) Resource: Username Leaks

Posted on August 30th, 2017

I have been using sites such as HaveIBeenPwned and Hacked-Emails for a long time in order to search a target email address. The results identify any public data breaches that possess the address. This is beneficial in order to establish whether an address is real, but also to learn on which services the address was used. Those details can also tell us how long the email address has been in use. This is all fairly common knowledge, but we should also consider applying this technique to usernames. Hacked-Emails does not offer a username search, and the option at HaveIBeenPwned is extremely limited. I began tackling this issue, and I have an awkward partial solution.

Consider an example where https://twitter.com/lorangb is the target. A search of this username on HaveIBeenPwned reveals no leaks:

If I make an assumption that this username is associated with a Gmail account, I get a positive hit for the Dropbox, LinkedIn, MySpace, and other breaches:

While we could keep making assumptions across the other more popular email providers, this can be time consuming. Therefore, I decided to take advantage of the API offered by each provider and allow a PHP script to do the heavy lifting. I reached out to Justin Seitz over at AutomatingOSINT, since my PHP skills are far inferior to his (I am still learning from his teachings). I first created an option to take a username and populate it to create assumed email addresses for Gmail, Yahoo, Hotmail, ProtonMail, Live, Outlook, iCloud, Yandex, GMX, Mail, Mac, and Me accounts. This takes each email address, and opens it within a new tab in your browser, searching the API of both breach notification services. I find this a bit ugly, but it is very stable. Justin and I then created the PHP script that will fetch these same responses, and populate them back into the Username Search Tools page. On this page, I now have four additional options with the following uses:

Leaks-HIBP (Web): Creates new tabs for HaveIBeenPwned Searches
Leaks-H-E (Web): Creates new tabs for Hacked-Emails Searches
Leaks-HIBP (API):  Conducts API request within the page from HaveIBeenPwned
Leaks-H-E (API): Conducts API request within the page from Hacked-Emails

We can now apply the API searches based on the previous username. The response below identifies lorangb@gmail.com and lorangb@yahoo.com as valid email addresses that appear in various database leaks, as reported by HaveIBeenPwned:

If we repeat this search for the Hacked-Emails API, we get even more results:

Within seconds, we now know that there are two email addresses associated with that username which appear on data breaches. It does not prove that those email accounts are connected with the target, but it quickly creates a new lead that should be investigated. This simply takes the process of making email address assumptions from a username, then searching those within breach sites, and automates it all. This has allowed me to conduct this type of search on every target username without much effort. Huge thanks to Justin Seitz for helping make it all work.

Filed under OSINT, Search

Internet Search (OSINT) Resource: Telephone Update

Posted on August 30th, 2017

Telephone Search Tool: I noticed during a live event that the options on my Telephone Search Tool were not optimal. A few of the resources were no longer active, and others now demand payment. I re-visited all of the resources, and added several new options. The automated submission now includes the following services:

Facebook
USPhonebook
WhitePagesPlus
ThatsThem
TrueCaller
TruePeopleSearch
ReverseGenie
Sync.me
411
Pipl
WhoCallsMe
Spokeo
ZabaSearch
DexKnows
Burner

 

Filed under OSINT, Search

The Complete Privacy & Security Podcast-Episode 042

Posted on August 25th, 2017

EPISODE 042: A Conversation with KeepassXC

This week we talk with Jonathan White about the KeepassXC Password Manager, tackle listener questions, and provide a new OSINT resource.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

INTRO:

Firefox Send: https://send.firefox.com/
OnionShare: https://onionshare.org/

SHOW:

Jonathan White:
https://github.com/droidmonkey

KeepassXC:
https://keepassxc.org/


LISTENER QUESTIONS:

When getting married is it best to get a new PO Box for OUR stuff, while maintaining my own private box, or should we EACH get our own private boxes, or just combine our lives into one?

In reference to the iPod touch strategy, does the device receive updates over WiFi or do you have to plug it into a computer with iTunes? If I have an iPhone that I do not want to associate with Wi-Fi, then how do I get updates (Apple has a 100mb file download limit on cell data)?


OSINT SEGMENT:

Slack OSINT Channel:
https://openosint.signup.team


The Complete Privacy and Security Desk Reference
https://inteltechniques.com/book4.html

Michael’s Website
https://privacy-training.com/

Justin’s Website
https://www.yourultimatesecurity.guide/

Please submit your listener questions to us at https://privacy-training.com/podcast.html


Filed under OSINT, Podcast, Privacy, Security

The Complete Privacy & Security Podcast-Episode 041

Posted on August 19th, 2017

EPISODE 041: Just 30 More Things…

This week we clear out our inbox yet again and tackle your questions.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

INTRO:

Disney Fingerprint Scanning:
http://www.huffingtonpost.com/entry/disney-world-fingerprint-scanning_us_57d062cbe4b0a48094a7329a

HotSpotShield Issues:
https://www.bleepingcomputer.com/news/technology/vpn-provider-accused-of-sharing-customer-traffic-with-online-advertisers/

SHOW:

What do you guys do when you come across a website requesting personal information but they do not have SSL enabled?  Do you email them?  Boycott the site?  If you do contact, what do you ask of them?

Michael said that he was done with Uber, but has he found anything else?

If one were to have a mac as the primary OS, for the second…..do you recommend windows 7 or windows 10 or neither?

I noticed both you and Michael use GoDaddy for domain registration. Using them with the privacy option is that my best option to remain private? I know they have good pricing and coupons so I was wondering if that is the recommendation before purchasing some new domains.

NameCheap

Once in a while when I start my vehicle I get an audio message “this vehicle is connected to OnStar limited services”. I phoned OnStar to make sure I wasn’t being billed for the service and found out the limited services are offered ongoing at no cost and provide the ability to remotely unlock the vehicle and for roadside assistance. The “free” limited OnStar service does not provide car accident detection assistance. a) What are the privacy threats for having a service like OnStar in the vehicle having GPS, microphone and cell data? b) Can the microphone in the vehicle be activated without the owner’s knowledge by government/state actors or even (unlikely) the car manufacturer for unknown reasons?

I have recently renewed the insurance for my wife’s car. When searching for quotes, the option includes the use of telematics. Of course I chose not to use this as they collect all your driving data to provide you with a “more accurate risk profile” which will be reflected in renewal costs. What I wanted to know is whether Google maps scrapes data from users about their driving profile and sells this to the insurance companies without your knowledge? I.e. telematics through the back door?

So how exactly are my passwords more secure in a Lastpass vault than in a Google doc?

For anonymous purchases (Privacy.com or Sudopay), what happens if there is either a need to dispute a charge or if somebody boosts your generated card number and starts racking up charges?

If one were to purchase a used iPhone and secure pre-paid service through Verizon w/o ever revealing one’s actual name is it safe to use apps on the phone associated with your actual name or should one keep all personal references off the phone? I believe Verizon places a cookie on your phone for their use as soon as one opens a web browser for the first time. Although they offer an opt-out option this would require providing a name. Is it possible for Verizon to see what apps one might be using on your phone and pull info from those apps?

In your example of using Sudo phone number for travel, in what circumstances would you wipe it out and get a new one? If you start getting too many spam calls? If so, then will that mess up all the accounts you’ve given it to? Do either of you have experience with the consequences of wiping a number out after you’ve used it substantially?

I’ve installed PIA and Little Snitch and I have found Firefox calling home quite a bit to sites such as  mxr.mozilla.org,disconnect.me, eff.map.fastly.net, etc. Should I be concerned here, and how do I stop this?

Other than the T-Mobile plan, have you ever tried other prepaid options like Straight Talk, Cricket, MetroPCS, Boost or Walmart Mobile, etc…?  The reason I ask is in terms of being able to sign up without needing to give your real name and address. Not all of my students have good T-Mobile Reception and we’re curious about how they may be able to do the same with another provider.

Once I am secure enough with strong passwords, 2FA, encryption, backups, and multiple email accounts, how do I document all of this for my spouse or child should an accident happen and I (or we) are killed or incapacitated? I currently have a “living document” with listing our accounts, assets, and will and trust documents in both print and pdf form stored in our safe deposit box. These documents also include a living will and healthcare power of attorney for my spouse and I. ….

Although I use Threema and Wire, I often must refer to Whatsapp because most of my friends and acquaintances are using this tool. How dangerous is this and what’s your take on the newly introduced encryption in Whatsapp?

Speaking of Threema ….I never heard you talk about Threema, another highly secure Swiss product like Protonmail and Wire, why now?

Do you recommend using PIA’s client app on Mac or should we use some other alternative? Little Snitch shows way too many outbound connections and it blocks incoming connections for PIA pretty regularly.

I was checking my firewall app in my android device and I noticed that Wire keeps sending traffic to Amazon servers. I felt a little uncomfortable after seeing this. Does that mean all Wire’s metadata pass through Amazon servers?

How safe or private are tracfones?

When transitioning from a telephone number (your only telephone number) you have used for 10 years or more which is on a postpaid plan, do you suggest just getting rid of it since so many things are tied to it or is it better to port it to Google Voice in order to still get things from it as you transition away from it?

Michael mentioned having 3 networks at his home and described one of their uses. Would you mind explaining the other two networks and their uses?

Do you think it’s a futile or worthwhile effort to change passwords on various important accounts every 90 days or so? These accounts don’t allow 2fa, password is limited to 12-16 characters. Moving to another provider is not an option.

Is TSA precheck worth the information needed or is this all something the government probably has anyway?

In my job I was issued a company mobile phone. It is an iPhone 6s which for nearly a year is still sealed in the UPS box it arrived in. No one has asked me to use it ever but I wonder if this just me being paranoid or is there a good reason to shun employer issued equipment?

Are your Apple ID’s / Google Android accounts registered in your names or are they also anonymous?

Is there a reason to use a mail provider app instead of the native mail app on a mobile device (other than Protonmail since it is not possible without the mobile app)?

Also would you mind disclosing what gyms would be good to go to for IDs? I’ve tried a couple local ones to me, and none provide a photo ID.

Do you know any apps on Windows and iOS like snitch so you can know when your microphone and camera are being used?

Do you guys sometimes use Wireshark to see what program tries to go to which IP address?

Listener Suggestions:
-eBay is removing token second factor in favour of SMS second factor.
-Syncing KeePass between the two devices: AirDrop works without issue.
-Linux: there is a really simple “app” with a GUI, present in most Linux distros, that is called “DejaDup”. It does incremental backups, encrypts them, and uses rsync to sync the files to other media.
Program which removes any saved open wifi networks:
https://github.com/secopsconsult/powershell
https://github.com/mubix/osx-wificleaner

 


The Complete Privacy and Security Desk Reference
https://inteltechniques.com/book4.html

Michael’s Website
https://privacy-training.com/

Justin’s Website
https://www.yourultimatesecurity.guide/

Please submit your listener questions to us at https://privacy-training.com/podcast.html



The Complete Privacy & Security Podcast-Episode 040

Posted on August 12th, 2017

EPISODE 040: A Conversation with The Tor Project

This week, we talk with Colin Childs from the Tor Project, answer your questions from last week’s cell phone episode, and present a new OSINT technique for telephone number search.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

INTRO:

Firefox Send:
https://send.firefox.com/

SHOW:

Tor Project:
https://www.torproject.org/

EFF:
https://www.eff.org/

Tor Metrics:
https://metrics.torproject.org/

Ahmia:
https://ahmia.fi/

LISTENER QUESTIONS:

I’m interested in hearing your guys’ thoughts on Authentic8’s SILO browser (https://www.authentic8.com/overview/). Understanding that it leaves a completely different browser fingerprint which may be suspicious…how useful/secure/private will it be for quick and easy web searches or investigations?

With the iPod Touch phone from a year or so ago, is this something you use exclusively when traveling or possibly only at home instead of the device you carry around as a means of avoiding linkages between the two? If this is the case, to keep some consistency I assume you would use the same Sudo numbers?

OSINT SEGMENT:

OK Caller:
http://www.okcaller.com/



The Complete Privacy & Security Podcast-Episode 039

Posted on August 5th, 2017

EPISODE 039: What Cell Companies Know About Us

This week Mike Dowd stops in to tell us what cell phone companies know and store about us.

Listen now at https://privacy-training.com/podcast.html



SHOW NOTES:

INTRO:

https://arstechnica.com/tech-policy/2017/07/white-house-voter-commission-publishes-names-numbers-of-worried-citizens/

SHOW:

Mike Dowd https://twitter.com/intellectmusic1

Best Case/Worst Case

Jim Clemente & Francey Hakes
https://twitter.com/BCWC1
https://itunes.apple.com/us/podcast/best-case-worst-case/id1240002929?mt=2
http://www.stitcher.com/podcast/wondery/best-case-worst-case

LISTENER QUESTIONS:

I understand having a physical credit card to present at the front desk that matches the name(s) on your hotel accounts.  However, I find the hotels also often ask for ID such as a driver license.  Sometimes, one can avoid this by checking in online or with the hotel app on one’s telephone.  However, another app leads to a greater potential attack surface.  Which is worse?

Are there any resources for removing info regarding California LLC businesses or adding an extra layer of security or anonymity?

OSINT SEGMENT:

http://ohiovoters.info/
http://arkvoters.com/
http://coloradovoters.info/
http://connvoters.com/
http://delawarevoters.info/
http://flvoters.com/
http://michiganvoters.info/
http://oklavoters.com/
http://rivoters.com/



Internet Search (OSINT) Resources – August 2017

Posted on August 1st, 2017

Below are multiple new resources that have been added to my OSINT Links Page and my Online Video Training:

Sync.me: Very impressive caller ID database for cellular telephone number searching. Much of the data is crowd-sourced from apps, which often identifies owners of pre-paid phones. No login required, but captchas are present on most searches. The image below displays my name as appearing in a user’s contact list.

OK Caller: This people search site allows query by name, address, and phone number. It has a mix of official databases as well as crowd-sourced content. My own name revealed a previous address with cell number. Below is a reverse search of that cell number which revealed that someone had me listed as “M B” in their phone. This can be useful to convert pre-paid phone numbers into a real name and physical address.

IntelTechniques Voicemail Tool: I recently added audio files that can be used to identify a cellular carrier. After listening to a stock voicemail greeting, compare it to the audio files here to identify the carrier (Verizon, AT&T, etc.).

FindPeopleSearch: People search website with the usual entries. Strengths here include historical physical addresses, multiple email addresses, and associated names. Opt-out is best through an email HERE.

Who.com: Another people search website. Strengths include full physical addresses, email addresses, and relatives. Opt-out is best through email HERE.

 

IntelTechniques YouTube Tool: The YouTube tools have been updated to include a new option to bypass country blocking restrictions. When you encounter a video that will not play in your country, the tools should bypass and also identify all countries where the content is blocked.

BlockChain: This is a great resource for tracking Bitcoin payments. It does not include the identity of the owner of the Bitcoin, but displays the transactions from one account to another. All entries are hyperlinks to continue following the financial trail. This can be interesting when following transactions associated with ransomware attacks.

BitcoinWhosWho: If BlockChain does not satisfy your curiosity about Bitcoin payments, Bitcoin WhosWho offers much more detail. In the example below, we can see the bitcoin address, balance, transactions, and dates. Further, it identifies websites that contain the target Bitcoin address and confirms that it is associated with a ransomware attack.

OpenStreetCam: Similar to Mapillary, this is another crowd-sourced street view mapping system. This is extremely beneficial because these images often contain license plates that have not been redacted.

VisualSiteMapper: This tool can quickly display a graphical view of a website’s internal links. In the first image below, I highlighted my main landing page, which displays the internal pages linked from within. In the second image, I highlighted the Live Training page, which is connected to more pages. This can be useful to identify the most and least connected pages of a website. In the final image below, I can see an overall view of my site. The green dots in the upper left are my tools pages, the middle is my main website, and the lower right is my blog. Each page can be selected and all connections are displayed. This has helped me identify connections to “hidden” pages within a domain that were not easily visible on the main landing page.




The Complete Privacy & Security Podcast-Episode 038

Posted on July 28th, 2017

EPISODE 038: Balancing Privacy and Sanity

This week, “Jason” gives us tips for applying privacy strategies while maintaining a family and normal life.

Listen now at https://privacy-training.com/podcast.html



SHOW NOTES:

INTRO:

Privacy Forum: https://inteltechniques.com/forum.html

SHOW:

“Jason”

LISTENER QUESTIONS:

Overall, is it more secure to use a designated app versus a web browser on a mobile device? Do I lose enough privacy by installing the app to justify using a mobile browser for a specific service, such as Twitter?

Are there dangers of using Virtual Machines as a non-tech person? I hear about VM escapes?

OSINT SEGMENT:

http://www.cnn.com/2017/07/04/politics/kfile-reddit-user-trump-tweet/index.html
https://www.ceddit.com/
https://uneddit.com/



The Complete Privacy & Security Podcast-Episode 037

Posted on July 18th, 2017

EPISODE 037: The Forensic Evidence on Our Phones

This week, Josh Huff stops in to talk about the data left behind on our phones.

Listen now at https://privacy-training.com/podcast.html



SHOW NOTES:

INTRO:

KeePassXC 2.22 Released
https://keepassxc.org/

SHOW:

Josh Huff: https://twitter.com/baywolf88

LISTENER QUESTIONS:

Suppose you already own a phone which you bought on your own bank card and you have postpaid SIM service in your own name and have registered it to a Google Account or Apple ID in your own name already.  Is there any advantage to reformatting the phone, registering a new Google or Apple ID to it and switching to a cash prepaid plan with a new sim card?  Obviously a totally new phone and new accounts, etc… would be better but is there any benefit to parts of that until a new phone can be bought?

I recently bought a new burner Android phone through eBay, and the phone is supplied by a Chinese seller and paid via PayPal through my real CC.  The phone is brand-less and it’s one of those typical Chinese products that are manufactured by the millions in Chinese sweatshops. What’s your take on this?  Am I assuming that tracking to me is much more difficult than it really is?

OSINT SEGMENT:

Foxified
https://addons.mozilla.org/en-US/firefox/addon/chrome-store-foxified/



The Complete Privacy & Security Podcast-Episode 036

Posted on July 11th, 2017

EPISODE 036: Andy Yen is back to discuss ProtonVPN

This week Andy Yen stops by to talk about the new release of ProtonVPN.

Listen now at https://privacy-training.com/podcast.html



SHOW NOTES:

INTRO:

Issues with daily VPN usage.

SHOW:

Andy Yen: https://protonmail.com/blog/author/andy/
ProtonVPN: https://protonvpn.com/
ProtonMail: https://protonmail.com/

LISTENER QUESTIONS:

I’ve started to notice that Twitter always displays advertisements that relate to my real location, never to the VPN server location. Why?
Any opinions on https://www.sync.com/features/?

OSINT SEGMENT:

Web Recorder
https://webrecorder.io/



The Complete Privacy & Security Podcast-Episode 035

Posted on July 4th, 2017

EPISODE 035: WIRE CEO ALAN DURIC

This week we talk with Alan Duric, CEO of the encrypted communications app Wire.

Listen now at https://privacy-training.com/podcast.html



SHOW NOTES:

INTRO:

Encrypted Communications App Fatigue

SHOW:

Wire
https://wire.com/

LISTENER QUESTIONS:

I’m a bit confused about what the recommended method is for secondary level encryption – is it VeraCrypt or FileVault? And is it a secondary level whole disk encryption or just a container for all sensitive files?

In a prior episode, Michael says we should get rid of Mint. According to their TOS, they only provide anonymized data to third parties. Is that true, and should we really give up the benefits over data that cannot be tracked back to us?
Banktivity – https://www.iggsoftware.com/banktivity/

OSINT SEGMENT:

Signal App Emulator
GenyMotion – https://www.genymotion.com/



The Complete Privacy & Security Podcast-Episode 034

Posted on June 28th, 2017

EPISODE 034: OUR SUDO STRATEGIES

This week we explain in detail how we use Sudo as part of our daily privacy strategies.

Listen now at https://privacy-training.com/podcast.html



SHOW NOTES:

INTRO:

GMail Scanning:
https://www.theguardian.com/technology/2017/jun/26/google-will-stop-scanning-content-of-personal-emails

SUDO:

Sudo
https://sudoapp.com/

SudoPay
https://sudopay.com/


LISTENER QUESTIONS:

If I move from Gmail, Hotmail, Yahoo, etc… to another provider, set up forwarding to a new address and have it POPed over, would Google or Yahoo still have access to the content during the time it had the messages to forward?

What do you think about the risks associated with posting things on online forums?


OSINT SEGMENT:

TweetBeaver
https://tweetbeaver.com



Twitter Investigations with TweetBeaver

Posted on June 26th, 2017

I have incorporated the Twitter API into my Live and Online training classes for several years. This always required a collection of programming scripts or configured applications that must be present on your system in order to be used. Today, I find myself relying on the website TweetBeaver as a replacement. The home page of this site offers ten unique Twitter search options, which I outline below, including direct URLs for bookmarking.

Convert Name to ID: https://tweetbeaver.com/getid.php: This translates a username, such as IntelTechniques, to a user number, such as 257644794. This is useful for documenting the ID numbers assigned to Twitter handles.

Convert ID to Name: https://tweetbeaver.com/getscreenname.php: This does the opposite of the above. This is useful for identifying accounts after the Twitter handle has been changed.

Account Follows: https://tweetbeaver.com/mutualfollow.php: This identifies whether two accounts follow each other. This is useful when two targets have many followers.

Download Favorites: https://tweetbeaver.com/getfavorites.php: This saves a spreadsheet of all favorites by the target. The file includes the date of the post, the author of the post, the text of the Tweet, and the URL.

Search Within Favorites: https://tweetbeaver.com/index.php: This allows filtering by keyword, but the previous technique is a more complete option.

Download Timeline: https://tweetbeaver.com/gettweets.php: This will download the previous 3200 Tweets of a target to a spreadsheet. This includes URL, Date & Time, Content, and Activity. Below displays the Tweets with online activity.

Search Within Timeline: https://tweetbeaver.com/searchtweets.php: A filter for the previous utility.

Account Data: https://tweetbeaver.com/getdata.php: This provides a summary of account data from the Twitter API.

Download Friends: https://tweetbeaver.com/getfriends.php: This will download a spreadsheet that contains the people that your target is following on Twitter. Data includes Name, Screen Name, Twitter ID, Location, Bio, Account Creation Date, Followers, Following, Tweets, Favorites, Website, Time Zone, and Language.

Download Followers: https://tweetbeaver.com/getfollowers.php: Similar to above, but for the people following your target. These two options are the most thorough I have found online.

There are a ton of Twitter tools out there. This is one of the most impressive I have found, and is completely free.
