Hackers are targeting your Kindle
Consumers can easily become complacent when they see so much media coverage of large enterprise hacks. After all, what could a hacker gain by compromising your PC? Well, it happens, and it's not just your PC you should be worried about.
Hackers are capable of compromising anything that is connected to a network (think cameras, baby monitors, printers, etc.). One thing you would think you need not worry about is your reliable Amazon Kindle. It's just an e-reader, after all.
Kindle devices had a flaw that allowed remote attackers to take control of them, according to Check Point Research. The attack used a specially crafted malicious e-book which, when opened, compromised the device.
An attacker could extract information from a compromised device, including your Amazon credentials, billing information and more. Check Point believes that the technique could be used to target specific groups (such as the population of a country or the speakers of a particular language).
Amazon promptly patched the Kindle after Check Point responsibly disclosed the vulnerability. It has been said before and I will say it again: update your devices regularly.
Ensure that your Kindle is up-to-date. Navigate to Menu > Settings > Menu > Device Info
Compare your version with the latest version of the firmware listed here.
You can force an update when your Kindle is connected to Wi-Fi by navigating to Menu > Settings > Menu > Update Your Kindle and tapping OK (the option is greyed out when there is no newer firmware to install).
What is Google SmartCompose and how to turn it off in Gmail
Artificial Intelligence (AI) is slowly making its way into all aspects of our lives, whether it is profiling us on social media or making us buy that product at the perfect time on Amazon.
Companies can use AI for good or evil.
Google is known for search, but you may not realize that they apply AI to almost all of their products in order to help their users. Sometimes this added convenience may be at the expense of privacy. An example of this is Gmail's Smart Compose feature.
SmartCompose can be thought of as a more powerful form of autocomplete. This is a feature most of you want to leave enabled, but it is essential to know what it is.
What is it?
Based on the previous words, SmartCompose predicts subsequent words. Additionally, SmartCompose tries to understand the email's context.
This was a complex AI model trained on billions of emails, so it can even match your "normal" writing style. The accuracy of this feature gradually improves as more users pick correct predictions, which trains the model.
Google's models must be as accurate as possible while maintaining a fast inference speed (100 milliseconds or less). So the programmers walk a very fine line between usability versus accuracy and I believe they found the correct balance.
Privacy
Google scans the content of your emails to power SmartCompose (and the other "smart" features). Personalized advertising profiles are no longer built by scanning your emails, but the content is still processed. If you want to turn this feature off, follow these steps:
Navigate to Gmail.com
Click on the gear icon on the upper right-hand side
Choose See All Settings
Choose the General tab
Scroll to SmartCompose and choose "Writing suggestions off"
Scroll to SmartCompose Personalization and choose "Personalization off"
Scroll to Smart features and Personalization and uncheck the box
Scroll to Smart features and personalization in other Google products and uncheck the box
Scroll to Smart Reply and choose "Smart Reply off"
You have now dumbed down the Google services; whether that is good or bad is up to you.
Many security experts say don't use Google products, but if you do, this will be more secure and private.
Tips to make your iPhone more secure
Our smartphones are so much more than just internet access devices. They have become extensions of our brains. They remember our friends' contact information; they help us shop; they know where we have been and where we are going.
But what happens when someone gains access to this treasure trove of ultra-private information? I have written about how you can make your iPhone more secure here. This article will provide a handful of easy-to-implement tips.
In dots we trust
You may have noticed tiny coloured dots (green and orange) showing up on the top of your screen (upper right-hand side).
A small orange dot means your microphone is active, while a small green dot indicates your camera is active. The purpose of these dots is to tell you that something may be listening to or watching you. If you are on a call, this is perfectly normal, but a little investigation is warranted if you aren't actively using any app that needs them.
<img src="https://ekiledjian2.micro.blog/uploads/2025/2ca7f70770.jpg" alt="">
Remember that you can change what apps have access to your camera and microphone by going to Settings > Privacy > Microphone or Camera. You can then turn off access on an app by app basis.
Peekaboo, I see you
There are situations where your iPhone application must have your precise location, like when navigating with your GPS app of choice.
There are other times when the application doesn't need a precise location, like looking for restaurants in a given area.
<img src="https://ekiledjian2.micro.blog/uploads/2025/bfe9ec84d5.jpg" alt="">
If you go to Settings > Privacy > Location Services and then tap on an app, at the bottom you will see a switch for Precise Location. Turning this off delivers only an approximate location (a coarse area rather than a precise point). This is useful for apps that you have to use but suspect are collecting your location and probably sharing it.
A weather app is a good example of something that doesn't need your street-level location and where an approximate location works just as well while improving your privacy a little.
Accessing your photos
There has been an incredible amount of discussion in online forums about Facebook using the metadata of your photos to build a more complete profile of you, and they probably aren't the only ones. Your photos show where you have been and who you have been with. So make sure only apps that truly require photo access are given it, and then only to selected photos.
To change which apps can access your photos, go to Settings > Privacy > Photos.
For apps you have granted photo access to, it is important to choose which photos the app can access:
None
All Photos
Selected Photos
<img src="https://ekiledjian2.micro.blog/uploads/2025/79e7c25f81.jpg" alt="">
To change this setting, go to Settings > Privacy > Photos, choose an app and then choose what level of photo access you want to grant. As an example Instagram for me has “selected photos” only and if I want to upload a photo, I change the settings to give it access only to that photo.
<img src="https://ekiledjian2.micro.blog/uploads/2025/e454283831.jpg" alt="">
Local network access
With iOS 14, you have probably seen a message pop up asking for permission to search your local network. If you are using an entertainment app that needs to cast content to a TV, or a smart-home control app, asking for this permission makes sense. You have likely also seen this request from apps that have no logical reason to ask for it, and hopefully you denied them. Inventorying the devices on your local network is one way apps try to fingerprint you.
You can find the configuration for this setting in Settings > Privacy > Local Network. Here you can see which apps you have granted this right, and you can change the setting at any time.
As an example, Uber Eats asks for this permission, yet there is no reason to let it inventory my local network. My Vizio TV app, on the other hand, needs this permission so it can find the TV.
Browsers and privacy
We are going through a browser renaissance. The once-stale segment has heated up with offerings from the most prominent players, like Google with Chrome and Microsoft with Edge, all the way to small niche players like Opera, Brave and the DuckDuckGo browser.
Browsers are typically chosen for their appearance and plug-in availability, but I believe privacy should be a more prevalent concern.
I am reminded of a 2004 BBC article that proclaimed, "More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found." Hopefully, we have evolved past this now.
1- Google Chrome
Google's Chrome browser is by far the most popular browser in the world. It has a robust ecosystem of extensions. It should come as no surprise to any Chrome user that Google tracks user behaviour such as location, web activity and other habits. These are then used to present you with relevant advertising across Google and non-Google properties (those Amazon boots that keep following you).
Incognito mode doesn't help with this: it only stops the browser from keeping history and cookies on your device between sessions; the sites you visit and Google's services still see you.
Recently Google announced, then pushed back, the death of the third-party cookie. This was not an altruistic move to benefit users, because they intend to replace it with an on-device cohort model called FLoC. If you use Chrome and are curious about FLoC, check out the well-written site by the EFF called Am I FLoCed?
You can opt out of third-party cookies right now by clicking on Settings, then Privacy and security, then Cookies and other site data. Finally, check the box that says Block third-party cookies.
Obviously anything set by a first party won't be blocked (Google setting it on a Google property, or Facebook setting it on Facebook, WhatsApp or Instagram, etc.). To block first-party trackers, you should be using tools like uBlock Origin, although Google has slightly defanged those tools in newer versions of its browser.
2- Microsoft Edge
Microsoft's newest version of Edge is powered by the free and open-source Chromium project. Microsoft then adds layers of proprietary tools on top of it, some of which enhance user privacy. It is safe to assume that the built-in Google services (think telemetry) have been removed. If you want a Chrome experience without the Google bits, Edge is a good alternative, though as noted below, Microsoft collects its own telemetry.
In Microsoft Edge, Tracking prevention is on by default.
Microsoft Edge has 3 pre-configured levels of privacy protection: basic, balanced and strict.
Go to Settings, then go to Privacy and services to choose your level of Privacy.
<img src="https://ekiledjian2.micro.blog/uploads/2025/cd767d0138.jpg" alt="">
I have to remind you that researchers discovered Edge was sending user IPs and location to Microsoft servers. "According to the analysis, from Douglas Leith with the School of Computer Science and Statistics at Trinity College in Ireland, Edge sends privacy-invasive telemetry to Microsoft’s back-end servers — including “persistent” device identifiers and URLs typed into browsing pages."
3 - Mozilla Firefox
Firefox is one of the few browsers that still use their own rendering engine. Mozilla, the not-for-profit organization behind it, has done a relatively good job keeping users safe on the internet.
By default, Firefox blocks trackers, cross-site tracking and social media trackers (you may not realize that any webpage that has a Facebook button allows Facebook to track you on that site).
Like Microsoft Edge, Firefox allows you to choose a basket of privacy settings labelled Strict or Standard.
You can check out the Firefox privacy settings by going to the menu, choosing Preferences, then Privacy & Security.
4 - Apple Safari
Apple has invested heavily in improving the privacy of its users, and the changes made to Safari over the last 3 years have markedly helped. By default, Safari blocks cross-site tracking. Apple uses Google as its default search engine in exchange for a significant rent cheque.
The DOJ cites "public estimates" saying that Google pays Apple between $8 billion and $12 billion per year to be the default search engine on Apple products. On one hand Google uses your searches to further build a digital profile about you; on the other hand, its search engine ensures you aren't taken to known bad sites and tries to protect you from phishing and other malicious websites.
<img src="https://ekiledjian2.micro.blog/uploads/2025/806b670096.jpg" alt="">
Unlike other browsers, Apple’s Safari provides minimal configurability of its browser. Out of the box the product does a decent job protecting users but there are still a handful of settings you may want to check out.
5 - DuckDuckGo browser
I am not writing about Brave because I still consider it a niche browser used by a small subset of my readers. The DuckDuckGo browser falls into the same category, but because of their privacy-first stance, I wanted to include it in this list. On mobile platforms they offer their own browser. On traditional desktop operating systems, they offer an extension that is worth a look.
<img src="https://ekiledjian2.micro.blog/uploads/2025/0cd1516117.jpg" alt="">
Wormhole could be the free file transfer app Firefox Send wanted to be
Firefox Send was a fantastic tool that allowed anyone on the internet to send large files for free, with encryption. Unfortunately, the bad guys started using it, and Mozilla pulled the plug.
The concept is simple, by visiting the service page, you upload your files, and the service provides a link that allows anyone to download the content. The challenge with most free services is that they are insecure, and most are slow (encouraging you to buy their faster service).
<a href="https://wormhole.app" target="_blank"><img src="https://ekiledjian2.micro.blog/uploads/2025/01f8c443ea.jpg" alt=""></a>
Wormhole is one such service. It leverages WebTorrent for fast transfers, promises end-to-end encryption and is free (with no upsell). Wormhole doesn't even require registration. Transfers of 5GB or less are handled by their servers, which means your browser doesn't even have to remain open.
Traditional torrents require a special client, but WebTorrent is a BitTorrent implementation that runs inside the web browser (over WebRTC), so files can be shared with no special client or configuration.
When you create a new transfer, your device generates a unique encryption key used to encrypt the content before it is sent to the Wormhole servers.
The unique twist
Remember that Wormhole is built with a combination of traditional web technologies married to torrenting. This unique combination makes their service faster than most competitors. But the magic is that the recipient can start downloading the content before you have completed the upload. This streaming functionality is something no other competitors (that I am aware of) offer. This means you can share the link with the recipient while you are uploading the content (and not have to wait until everything is uploaded).
It's good but not perfect
Perfection is the enemy of good and there are some limitations you should be aware of:
If you upload content larger than 5GB (up to the 10GB limit), you have to keep your browser page open because Wormhole won't store the files on their servers (they do up to 5GB)
Uploaded content is only available for 24 hours
A file can be downloaded up to 100 times
If you are curious, they share their roadmap here.
<img src="https://ekiledjian2.micro.blog/uploads/2025/03ebbfc9ff.jpg" alt="">
Conclusion
This is a new service, but it has already found a place in my online toolkit. Obviously, the long-term viability will depend on some type of premium service, but there aren't any details yet. My guess is that the premium service will allow larger transfers, longer storage and more download slots.
The security write-up (here) seems interesting, and the product looks to be designed securely. Still, because it is not open source, there is no way to be sure they have implemented the security controls they say they have. Remember too that a link which lets anyone download the content is only as secret as the channel you send it over. If something is very sensitive, encrypt it with 7-Zip before uploading, using a unique password shared with the recipient out of band.
Billions of passwords, files and cookies were leaked
I have written about general user security several times over the last years, and the recipe is always the same:
Install a good anti-malware product
Make sure your applications and operating systems are patched
Don't click or open unexpected or unknown links/attachments.
Even with the best practices, there is malware that is stealthy enough to avoid detection.
Recently, security researchers from NordLocker followed a trail left by sloppy hackers. To everyone's surprise, they found 1.2TB of files, cookies, 900K images, 600K Word files and credentials stolen from over 3M computers. The data was obtained through malware that lifted files from users' Desktop and Downloads folders.
The data is relatively fresh, and ~30% of the cookies were still valid.
It included 1M website logins, among them the four horsemen of the internet: Amazon, Facebook, Twitter and Gmail.
So what next
The malware is stealthy and cannot be easily detected by antivirus products.
However, the information has been added to the Have I Been Pwned service.
As previously described, you visit the site, enter your email address, and it will tell you if you are part of this breach (or any other). Note that it can only tell you that an address appeared in the dump, not which passwords or cookies were taken with it, so treat a hit as a prompt to rotate your passwords and sign out of your sessions everywhere (stolen cookies stay valid until you do).
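As an added example (not code from this post or from Have I Been Pwned), here is the same idea applied to passwords instead of email addresses: the site's Pwned Passwords range API lets you check a password against the breach corpus by sending only the first five hex characters of its SHA-1 hash, so neither the password nor its full hash leaves your machine. The endpoint and the `SUFFIX:COUNT` response format are HIBP's documented ones; the response body and the counts in it are constructed for the example.

```python
"""Pwned Passwords range check (k-anonymity), run offline against a constructed response.

Added example; not code from the post or from Have I Been Pwned. The endpoint
(https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>) and the
`SUFFIX:COUNT` line format are HIBP's documented public API; the response text
and the counts below are constructed for this example.
"""
import hashlib
from typing import Callable, Dict, Tuple

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix leaves the machine. The server answers with every
    suffix it knows for that prefix, so it cannot tell which one you wanted.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """The URL you would GET for this password; the full hash is never sent."""
    return RANGE_ENDPOINT + split_hash(password)[0]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse `SUFFIX:COUNT` lines into a dict, ignoring blank or malformed lines.

    Padded responses contain dummy suffixes with a count of 0; they parse fine and
    never match a real lookup as a breach.
    """
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            seen[suffix.upper()] = int(count)
    return seen


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen).

    `fetch_range(prefix)` returns the response body for that prefix; plug in
    http_fetch for the live service or offline_fetch for the constructed data.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def http_fetch(prefix: str) -> str:
    """Live fetch (needs network). Add-Padding hides the true range size on the wire."""
    import urllib.request
    req = urllib.request.Request(RANGE_ENDPOINT + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed response for prefix 5BAA6 (the SHA-1 of "password" starts with it).
# Real responses hold hundreds of suffixes; these three lines and counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E2A2D9C6C2E8F1E4E7D1D0A9B3C4D5E6F7:3\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "1E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1:12\n",
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for http_fetch that serves the constructed data above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    pw = "password"
    print(f"GET {range_url(pw)} -> seen {breach_count(pw, offline_fetch)} times")
```

Swap `offline_fetch` for `http_fetch` to query the real service; the important property is in `split_hash` and `breach_count`: the server only ever learns a 5-character prefix shared by hundreds of thousands of hashes.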
How do you protect yourself in the future?
Use long, unique passwords for each site, stored in a good password manager (such as 1Password or Bitwarden)
Use a good, reputable anti-malware product, and keep your applications and operating system patched
Regularly delete your cookies. I have written about extensions that automate this in the past.
Don't click or open unexpected or unknown links/attachments.
Links:
NordLocker blog post
Ed's favourite things - Best Password Manager
Downloaded over a billion email addresses and passwords this weekend
Arvin Club darknet showcase site
Today I bring you a link to the Arvin Club darknet (Tor) ransomware showcase site.
Arvin Club offers ransomware leaks and leaks from breached sites.
As an example, they even offer the Clubhouse scrape data leak
<img src="https://ekiledjian2.micro.blog/uploads/2025/769c152f85.jpg" alt="">
Chrome extensions for the security conscious
Extensions are interesting little technical widgets. Most assume they are simply tools, but some see them as art. I can learn a lot about a computer user from the browser extensions they have installed and use. As a security professional, I have a handful of security-oriented extensions (in addition to the ones that make the web more usable or that save me money).
I regularly receive requests from readers to list my extensions and, to be honest, they often change. I remove extensions I don't use, deactivate extensions I sometimes use and add new ones that I learn about. So right now, here are the extensions I think you will find the most useful. They are Google Chrome extensions, but they work in any Chromium browser (like Microsoft Edge).
BuiltWith Technology Profiler
Shows the technology stack a website is built on (web server, CMS, JavaScript frameworks, analytics), which is the first step of any reconnaissance against a site.
chaff
Generate random web browsing traffic to obfuscate actual browsing behavior to avoid profiling through 3rd party observation. Think of this as data poisoning for the companies that track you.
ClearURLs
This extension will automatically remove tracking elements from URLs to help protect your privacy when browsing the Internet.
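To make the tracking-element idea concrete, here is an added example (not ClearURLs' own code) of the same operation in Python: campaign tags and ad-network click identifiers are dropped from the query string while the path, the remaining parameters and the fragment are kept. The parameter lists are a small hand-picked subset, not ClearURLs' rule set.

```python
"""Strip tracking parameters from URLs, the way ClearURLs does in the browser.

Added example; not ClearURLs' code. The key lists are a small hand-picked subset
(campaign tags and ad-network click IDs), not ClearURLs' full rule set.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Exact-match keys: click identifiers that let ad networks tie a visit to a click.
TRACKING_KEYS = {
    "fbclid", "gclid", "dclid", "msclkid", "yclid", "igshid",
    "mc_eid", "_hsenc", "_hsmi", "vero_id", "oly_enc_id",
}
# Prefix-match keys: Google Analytics, Matomo and HubSpot campaign parameters.
TRACKING_PREFIXES = ("utm_", "pk_", "mtm_", "hsa_")


def is_tracking_param(key: str) -> bool:
    """Case-insensitive test against the exact and prefix lists above."""
    k = key.lower()
    return k in TRACKING_KEYS or k.startswith(TRACKING_PREFIXES)


def strip_tracking_params(url: str) -> str:
    """Return the URL without tracking parameters, keeping order and fragment.

    Parameters are decoded and re-encoded, so escaping may be normalised
    (e.g. "%20" becomes "+"); the path and fragment pass through untouched.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_tracking_param(k)]
    # urlunsplit drops the "?" entirely when the query string ends up empty.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


if __name__ == "__main__":
    sample = ("https://example.com/article?id=42&utm_source=newsletter"
              "&utm_medium=email&fbclid=IwAR0abc#comments")
    print(strip_tracking_params(sample))
```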
Click&Clean
A tool that clears your browsing history, cookies, cache and other local traces, on demand or when you close the browser.
Disconnect
Lets you block invisible web trackers.
Distill
A tool that allows you to monitor a webpage and alert you when it changes.
DuckDuckGo Privacy Essentials
This is a Swiss army knife of internet privacy. Here are the features this extension offers, in DuckDuckGo's own words:
Escape Advertising Tracker Networks — Our Privacy Protection will block all the hidden third-party trackers we can find, exposing the major advertising networks tracking you over time, so that you can track who's trying to track you.
Increase Encryption Protection — We force sites to use an encrypted connection where available, protecting your data from prying eyes, like Internet Service Providers.
Search Privately — You share your most personal information with your search engine, like your financial, medical, and political questions. What you search for is your own business, which is why DuckDuckGo search doesn't track you. Ever.
Decode Privacy Policies — We’ve partnered with Terms of Service Didn't Read to include their scores and labels of website terms of service and privacy policies, where available.
DuckDuckGo has also announced that its Chrome extension has been updated to block Google's new FLoC tracking technology. You can test whether your browser currently has FLoC enabled using the EFF's Am I FLoCed? website.
EFF Chrome extensions
HTTPS Everywhere: switches you to a secure HTTPS connection whenever one is available.
Privacy Badger: automatically learns to block invisible trackers.
Robots Exclusion Checker
Robots Exclusion Checker is designed to visually indicate whether any robots exclusions are preventing the page you are on from being crawled or indexed by search engines. But a security person can take those robots.txt files, manually visit the excluded paths and work out why the organization doesn't want them indexed. Sometimes the exclusion is because they don't want Google indexing dynamic pages; other times it's because those pages contain information the organization doesn't want outsiders to find easily (pricing, org charts, etc.). Keep in mind that robots.txt is advisory only: it hides nothing from anyone who reads the file, which is exactly why it is useful for reconnaissance.
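The reconnaissance use described above, as an added example (not the extension's code): parse a robots.txt into per-user-agent Disallow lists and flag the paths whose names suggest content the site would rather keep quiet. The sample robots.txt is constructed for the example, and the keyword list is my own crude heuristic rather than any standard.

```python
"""Pull Disallow entries from a robots.txt and flag the paths worth a manual look.

Added example; not the extension's code. SAMPLE_ROBOTS is constructed for the
example, and INTERESTING is my own crude keyword heuristic, not a standard list.
"""
from typing import Dict, List

INTERESTING = ("admin", "backup", "internal", "private", "pricing",
               "staging", "old", "beta", "config", "upload", "export")


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Map each User-agent to its Disallow paths (Allow lines are not collected).

    Follows the file's grouping rule: consecutive User-agent lines share the rule
    lines that follow them, and the next User-agent after a rule starts a new group.
    """
    rules: Dict[str, List[str]] = {}
    agents: List[str] = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        field, sep, value = line.partition(":")
        if not sep:
            continue
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:                               # previous group is complete
                agents, in_rules = [], False
            agents.append(value)
            rules.setdefault(value, [])
        elif field in ("disallow", "allow", "crawl-delay") and agents:
            in_rules = True
            if field == "disallow" and value:          # an empty "Disallow:" allows everything
                for agent in agents:
                    rules[agent].append(value)
    return rules


def interesting_paths(text: str) -> List[str]:
    """Disallowed paths whose name hints at content the site would rather hide."""
    found: List[str] = []
    for paths in parse_robots(text).values():
        for path in paths:
            if path not in found and any(word in path.lower() for word in INTERESTING):
                found.append(path)
    return found


def fetch_robots(base_url: str) -> str:
    """Live helper (needs network): robots.txt always lives at the site root."""
    import urllib.request
    with urllib.request.urlopen(base_url.rstrip("/") + "/robots.txt", timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed robots.txt for the example.
SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /cgi-bin/
Disallow: /internal/pricing/
Disallow: /old-site/      # legacy marketing site
Disallow:

User-agent: Googlebot
Disallow: /admin/
Allow: /admin/login
Sitemap: https://example.com/sitemap.xml
"""

if __name__ == "__main__":
    for agent, paths in parse_robots(SAMPLE_ROBOTS).items():
        print(agent, paths)
    print("worth a look:", interesting_paths(SAMPLE_ROBOTS))
```

Run it against `fetch_robots("https://target.example")` to see the same thing the extension shows, minus the browser.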
Social Disconnect Plus
Social Disconnect Plus is a browser extension that removes all sorts of Social Media content on webpages (i.e. the Facebook like button and other widgets).
uBlock Origin
uBlock Origin is the best ad blocker available, but it does much more. It is a wide-spectrum content blocker that can filter scripts, frames and third-party requests per site, which protects you from malvertising and several other web attacks.
UA Spoofer for Chrome
With this extension, you can quickly and easily switch between user-agent strings. Also, you can set up specific URLs that you want to spoof every time.
Wayback machine
Easily determine if the Internet Archive has previous versions of the webpage you are on.
More Ransomware gang tor darknet sites
I wrote a blog post about popular ransomware group TOR (darknet) showcase sites (here).
The purpose of this entry is to add additional sites to the list (so you should check that one out first).
Astro Team
anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32blhmql55tvgqad.onion
<img src="https://ekiledjian2.micro.blog/uploads/2025/ac10c9b408.jpg" alt="">
CUBA FREE
cuba4mp6ximo2zlo.onion
<img src="https://ekiledjian2.micro.blog/uploads/2025/9c43198764.jpg" alt="">
Babuk Ransomware
wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion
<img src="https://ekiledjian2.micro.blog/uploads/2025/9badfa5180.jpg" alt="">
Ragnarok ransomware
wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion
<img src="https://ekiledjian2.micro.blog/uploads/2025/640dda0a49.jpg" alt="">
Everest Ransomware
ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion
<img src="https://ekiledjian2.micro.blog/uploads/2025/ef273e9125.jpg" alt="">
Ransomex ransomware
rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion
<img src="https://ekiledjian2.micro.blog/uploads/2025/18fa94fdd2.jpg" alt="">
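Onion addresses are long and easy to mistype, and a single wrong character sends you somewhere else entirely. As an added example (not code from this post), the script below checks the addresses listed above before you use them: v3 addresses (56 characters) carry a checksum defined in the Tor rendezvous spec, so a typo is caught offline; the old 16-character v2 format has no checksum, so only its shape can be verified.

```python
"""Sanity-check .onion addresses before you paste them into anything.

Added example; not code from the post. It implements the v3 address layout from
the Tor rendezvous spec: base32(PUBKEY[32] | CHECKSUM[2] | VERSION[1]) with
CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2], so a typo in a
56-character address is caught without contacting the network. Old v2 addresses
(16 base32 characters) carry no checksum, so only their shape can be checked.
"""
import base64
import hashlib
from typing import Optional

V3_LEN, V2_LEN = 56, 16


def v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """Two-byte checksum over the key and version byte, as in the spec."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def onion_host(address: str) -> str:
    """Reduce a bare address or http(s) URL to the part before ".onion"."""
    host = address.strip().lower()
    if host.startswith(("http://", "https://")):
        host = host.split("/", 3)[2]
    return host[:-len(".onion")] if host.endswith(".onion") else host


def onion_version(address: str) -> Optional[int]:
    """3 for a v3 address with a valid checksum, 2 for a well-formed v2 address, else None."""
    host = onion_host(address)
    try:
        raw = base64.b32decode(host.upper())       # raises on non-base32 characters
    except ValueError:                             # binascii.Error is a ValueError
        return None
    if len(host) == V3_LEN and len(raw) == 35:
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
        return 3 if version == 3 and checksum == v3_checksum(pubkey, version) else None
    if len(host) == V2_LEN and len(raw) == 10:
        return 2                                   # shape only; v2 has no checksum
    return None


def build_v3_address(pubkey: bytes) -> str:
    """Inverse of the check: assemble an address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses are built from a 32-byte key")
    body = pubkey + v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(body).decode("ascii").lower() + ".onion"


# Addresses as listed in this post; the output reports what each one parses as.
LISTED = {
    "Astro Team": "anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32blhmql55tvgqad.onion",
    "Cuba": "cuba4mp6ximo2zlo.onion",
    "Babuk": "wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion",
    "Ragnarok": "wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion",
    "Everest": "ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion",
    "Ransomex": "rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion",
}

if __name__ == "__main__":
    labels = {3: "v3, checksum OK", 2: "v2 (shape only)"}
    for name, addr in LISTED.items():
        print(f"{name:10s} {addr}: {labels.get(onion_version(addr), 'not a valid onion address')}")
```

A checksum match only proves the address is well formed, not that it belongs to the group it claims to; it does rule out the copy-paste errors that are common with addresses this long.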
Android vulnerabilities are more valuable than iOS ones
The free market sets prices where supply meets demand. For the longest time, an iOS Full Chain Compromise with Persistence (FCP) commanded a significantly higher payout from exploit brokers than an Android one. This was a simple question of economics: Android had more easily exploitable vulnerabilities, so each one was worth less. iOS, on the other hand, was built like Fort Knox. Vulnerabilities were few and far between, and dictatorial regimes and other evildoers were willing to write much bigger cheques to buy those rarer exploits.
The chart above shows the pricing as of April 2, 2021 and clearly shows that an Android FCP now commands a $500,000 premium over an iOS one. Demand for these has not dropped, so the only plausible explanation is on the supply side: there are more iOS exploit chains on the market than Android ones.
Although Google doesn't use security to market its smartphone OS, it has a best-in-class security team that is making Android more secure with every release. iOS is improving as well, but not as fast as Android.
Before you start throwing things at me, remember that privacy and security are two very distinct qualities. There is no question that iOS offers a fairly secure computing environment and world-class privacy.
Android, on the other hand, asks you to trade some privacy for a super-functional assistant, but Google has done a fantastic job making the operating system more secure.
A security consultant buddy of mine who advises many large companies and special-interest private organizations on operational security confirms that the "underground" demand for Android FCP vulnerabilities is skyrocketing. He mentioned that patched Android vulnerabilities are becoming harder to find but that the demand is skyrocketing (because so many of his customers' targets use the lower-cost Android platforms). Zerodium isn't the only vulnerability broker in the market, but it is the only one that publicly publishes its payout tables.
My contact said Android's open-source nature is yielding many of these security benefits (e.g. Google regularly upstreams security improvements made by AOSP fork operators like GrapheneOS).
The bottom line is that these operating systems are typically weakened by bad user decisions (configurations, app choices, etc.), but out of the box, Android running on a Pixel device is probably more secure (but less private) than iOS.
The challenge on Android is that many phone vendors do not offer timely updates (if ever), which leaves those phones exposed to long-fixed bugs. That is why, if you use Android, you should stick with a Pixel device, which comes with guaranteed security updates for 3 years and OS upgrades for 2 years.
We know Apple invests heavily in security, so we'll have to see what security improvements, if any, Apple implements in iOS 15.
CISOs are stressed and I can prove it
Not a week goes by without some data breach, leak, hack, attack or other significant cybersecurity failures that spills all over blogs and even national media.
Five years ago, only avant-garde companies invested in cybersecurity; today, it has become a must. Companies realize the importance of a solid cybersecurity plan built on the People, Process and Technology pillars. One topic rarely discussed by corporate executives or security leaders is the incredible (and growing) stress the current environment inflicts on CISOs.
<img src="https://ekiledjian2.micro.blog/uploads/2025/e8527230c9.jpg" alt="">
The stress is real
Stress is a normal way of life for most executives, but CISOs feel it acutely. Nominet's report, produced with Vanson Bourne, "The CISO Stress Report - Life Inside the Perimeter: One Year On", was the first attempt to quantify this systemic issue.
In 2019, Nominet and Vanson Bourne conducted 800 online interviews in the USA and U.K. (400 C-suite executives and 400 CISOs). The CISOs included worked for both public and private companies with at least 3,000 employees. They were quizzed about work-related stress and its effect on their professional and personal lives.
88 percent of CISOs consider themselves under moderate or high levels of stress
<img src="https://ekiledjian2.micro.blog/uploads/2025/cbed52fdda.jpg" alt="">
Some interesting conclusions
7 out of 10 CISOs agree their work-life balance is too heavily weighted towards work (71%)
Almost all CISOs are working beyond their contracted hours, on average by 10 hours per week (95%)
This equates to extra time worth $30,319 per annum
87% of CISOs say that working additional hours was expected by their organization, while 78% of board members admitted this to be the case
83% of CISOs spend at least half of their evenings and weekends thinking about work
Only 2% say they are able to switch off once they’ve left the office
Over a third have failed to take all entitled annual leave
45% have missed family milestones or activities
More about the stress
The average tenure of a CISO is 26 months, and many believe stress is the primary motivator of change.
CISOs reported missing important family events such as birthdays, vacations, weddings and even funerals. Even with all the stress and extra working hours, most CISOs aren't taking their full annual leave (or sick days, time off for medical & dental appointments, etc.)
Stuart Reed, vice president at Nominet, suggested that the stress and wear and tear on CISOs result from a combination of internal and external factors. The external factors are the headlines you read about, while the internal stresses are the pressure from executives expecting CISOs to "properly" handle these incidents and to provide updates and answers continually.
<img src="https://ekiledjian2.micro.blog/uploads/2025/c7771ff946.jpg" alt="">
What are the most stress inducing elements?
44% being responsible for securing the organization and preventing breaches
40% the need to stay ahead of threat intelligence
39% the long hours worked
65% of those surveyed had suffered a breach in the past 12 months
37% of CISOs consider themselves ultimately responsible for a breach, while 31% of board members agree
A fifth of CISOs believe they would be fired as a result, regardless of whether or not they themselves were responsible
<img src="https://ekiledjian2.micro.blog/uploads/2025/950d0bfbf5.jpg" alt="">
What are the effects of the stress?
Nearly half of CISOs said the levels of stress they are under has impacted their mental health (48%)
35% also reported that their stress had impacted their physical health
4 out of 10 CISOs said that their stress levels had affected relationships with their partners or children
31% said the stress affected their ability to fully perform at their job
<img src="https://ekiledjian2.micro.blog/uploads/2025/5190355493.jpg" alt="">
How are CISOs coping with the stress?
A quarter of CISOs are turning to medication or alcohol to manage their stress - an increase from 17% a year ago
A fifth have taken a leave of absence due to stress (21%)
21% believed there to be no support structures in place within their organization to help deal with stress, while 94% of board members suggest there are
9 out of 10 CISOs would take a pay cut to improve their work-life balance; on average 7.76%, equating to $9,642
<img src="https://ekiledjian2.micro.blog/uploads/2025/7f11be529b.jpg" alt="">
The silver lining
The report suggests that boards of directors are aware of the stress affecting their CISOs (74% of respondents believe that moderate or severe stress impacts their CISO).
As the board of directors and CIOs acknowledge this significant issue, they show more willingness to hire support staff to alleviate some of the stress elements. Ensuring the CISO is surrounded by skilled senior professionals can help alleviate many of the most aggravating elements. These supporting professionals must be experienced security technicians and have strong business acumen, strong interpersonal skills and the ability to work in teams or alone.
Another important stress reliever is ensuring the CISO can honestly share the state of their cyber universe with the executive leadership team to ensure decision-makers universally understand risks and provide executive support to the CISO (guidance and funding). The CISO must know he/she is not alone.
Cybersecurity is growing in importance and, for many organizations, has become the price of entry. Executives have started to understand this important fundamental truth and are now more willing to share the cybersecurity burden.
Conclusion
I built my first security business (a Canada-wide security practice) that was later sold to Bell Canada in the early 2000s, and I have been actively involved in cybersecurity since. Over the last 20+ years, I have seen the importance of security grow, and this has required the creation of the CISO role.
Unfortunately, I see too many CISOs who have been promoted to their level of incompetence (read about the Peter Principle here). The job is difficult enough for a professional with the right skills but is deadly for the wrong professional promoted as a reward (not because of merit).
Companies should perform an honest review of their CISO's competence and abilities. Thrusting the wrong person into this role is a disservice to the candidate.
Additionally, it is important to realize that most security certifications test technical skills. These are important but cover less than 40% of a CISO's true day-to-day responsibilities. The key skills (negotiation, strategic vision, budgeting, people management, etc.) are completely ignored by most of the certifications companies deem "required" when posting a CISO job. HR leaders must quickly understand the new realities of the CISO role and craft job descriptions more akin to that of a business executive than of a firewall manager. This matters because a properly skilled CISO will handle the stress much better and therefore deliver a much higher return on investment for the company.
HR leaders must learn to hire the right candidate for the CISO position
How to access tor sites without the tor browser
The last couple of articles I wrote referred readers to TOR (darknet/darkweb) sites. These sites are easy to identify because the hostname ends in .onion (instead of .com/.net/.org).
The right way to access TOR sites is with the TOR Browser designed and distributed by the TOR Project. This purpose-built browser uses a hardened Firefox to deliver maximum anonymity while browsing the "normal" web or TOR sites.
There may be times when you are on a device that doesn't have the TOR Browser and when speed is more important than privacy or security. In these situations, web-based services allow you to browse TOR (.onion) sites from a standard browser. That is the purpose of this blog article.
The following sites are web services that allow you to access TOR sites without the TOR Browser (using a normal browser like Chrome, Firefox or Safari).
These services are called TOR gateways or TOR proxies. The Tor2web project was designed to allow users to access onion services without the TOR Browser. The project site is here.
Remember that using these gateways means the gateway operator can see where you are going, and you lose all privacy and anonymity features of TOR.
To use Tor2web gateways
Using most gateways is very simple: you take your onion address,
<img src="https://ekiledjian2.micro.blog/uploads/2025/47f0ea7558.jpg" alt="">
Here is the secushare onion service at http://secushare.cheettyiapsyciew.onion/
and append the gateway's domain name to the onion address. For example, to use the gateway called onion.ws, you add .ws after .onion, like this:
<img src="https://ekiledjian2.micro.blog/uploads/2025/9790585775.jpg" alt="">
http://secushare.cheettyiapsyciew.onion.ws
A few gateways instead require you to remove .onion and replace it with their own domain (e.g. darknet.to). The address above would then become:
<img src="https://ekiledjian2.micro.blog/uploads/2025/9c219eaa8c.jpg" alt="">
http://secushare.cheettyiapsyciew.darknet.to
List of TOR2Web gateways
Be aware that, as free services, many of these gateways are flaky and will periodically be down. Try another one or try again later.
If you visit a gateway's main domain in your browser, most provide usage instructions (in case you forget how to use them).
<img src="https://ekiledjian2.micro.blog/uploads/2025/f519ee924a.jpg" alt="">
New gateways pop up every day, so if these don't work for you, search for "tor2web gateway" in your favourite search engine (startpage.com, duck.com, etc.).
Warning
I mention above that you should only use these services when security and privacy aren't a concern. You may be wondering why. Here is the list of reasons.
Session leakage
This is similar to the risk of using any VPN or proxy service, but worse: the gateway fetches the onion site on your behalf, so it terminates your connection and sees everything in cleartext, not just where you went but everything you read and submit. A malicious operator can log and record your entire session, with all traffic sent back and forth between you and the TOR service. Never enter login credentials (or anything personal) when using these gateways.
Service enumeration
When using the TOR Browser, .onion addresses are never resolved through DNS, so your browsing is relatively private. When using these gateways, you are on the "normal" web, and every DNS resolver your browser uses will see the hostname you are resolving (e.g. secushare.cheettyiapsyciew.darknet.to), which contains the onion address itself.
Assume any resolver in your configured DNS chain, or in the provider's chain, will know which onion service you are trying to reach through your TOR gateway.
User correlation
When using these gateways, the gateway operator can log all of your publicly available identifiers (IP address, browser, OS, fingerprint, etc.) and record that this particular user visited a given onion site.
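To see what the service enumeration and user correlation above look like from the resolver's side, here is an added Python example (not from the original post) that scans a constructed resolver log for lookups of Tor2web gateway hostnames, recovers the onion service behind each one, and groups them by client. The log layout and the gateway suffix list are assumptions; onion.ws and darknet.to come from this post's examples.

```python
import re

# Tor2web gateway suffixes to watch for. onion.ws and darknet.to come from the post's
# examples; the other two are assumed for illustration. Extend with what you see in the wild.
GATEWAY_SUFFIXES = ("onion.ws", "darknet.to", "onion.ly", "tor2web.io")

# v2 onion names are 16 base32 characters, v3 names are 56. A gateway hostname is
# <service labels>.<name>[.onion].<gateway>, so the onion name survives in every lookup.
GATEWAY_HOST = re.compile(
    r"^(?:[a-z0-9-]+\.)*(?P<name>[a-z2-7]{16}|[a-z2-7]{56})(?:\.onion)?\.(?P<gateway>"
    + "|".join(re.escape(s) for s in GATEWAY_SUFFIXES) + r")\.?$"
)

# Constructed resolver log in a generic "timestamp client qtype qname" layout; no real traffic.
SAMPLE_LOG = "\n".join([
    "2021-03-01T10:00:01Z 10.0.0.5 A www.example.com",
    "2021-03-01T10:00:02Z 10.0.0.5 A secushare.cheettyiapsyciew.darknet.to",
    "2021-03-01T10:00:03Z 10.0.0.7 AAAA secushare.cheettyiapsyciew.onion.ws",
    "2021-03-01T10:00:04Z 10.0.0.9 A notanonion.onion.ws",
    "2021-03-01T10:00:05Z 10.0.0.7 A " + "b" * 56 + ".onion.ly",
])


def find_tor2web_lookups(log_text: str) -> list:
    """Pick out every query for a gateway hostname and recover the onion service behind it."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        timestamp, client, _qtype, qname = fields[:4]
        m = GATEWAY_HOST.match(qname.lower())
        if m:
            hits.append({"time": timestamp, "client": client,
                         "onion": m.group("name") + ".onion", "gateway": m.group("gateway")})
    return hits


def onion_services_by_client(hits: list) -> dict:
    """The correlation the post warns about: client address -> set of onion services."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], set()).add(h["onion"])
    return by_client


if __name__ == "__main__":
    hits = find_tor2web_lookups(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['client']} reached {h['onion']} via {h['gateway']}")
    print(onion_services_by_client(hits))
```

Anyone operating a resolver between you and the gateway (your ISP, a corporate DNS server, a public resolver) can run exactly this over their query logs, which is why the TOR Browser never puts onion names into DNS in the first place.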
Conclusion
Although these gateways aren't secure, they have a use case and are another tool in your online arsenal. If you use them knowing their limitations, you will be fine, and they can save you a lot of frustration.
Popular Ransomware Darknet showcase websites
The recent explosion of breaches by the CL0P ransomware gang has renewed interest in the darkweb showcase sites these threat actors use to prove that they successfully broke into a company and to pressure victims into paying. Many have asked me to share some of these sites, and I was always hesitant. I recently learned that some "consultants" are charging customers to provide these publicly available links, which is wrong.
Most of these are on the TOR darkweb, so you will have to use the TOR Browser or a VPN that bridges to TOR.
Mobikwik Indian data leak
mobikwikoonux37wauz6oqymshuvebj5u763rutlogc2fb2o3ugcazid.onion
<img src="https://ekiledjian2.micro.blog/uploads/2025/d1f8e57ed2.jpg" alt="">
Cl0p ransomware gang
http://ekbgzchl6x2ias37.onion/
<img src="https://ekiledjian2.micro.blog/uploads/2025/3c939c65f9.jpg" alt="">
DoppelPaymer
http://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion/
<img src="https://ekiledjian2.micro.blog/uploads/2025/2170295e3b.jpg" alt="">
AKO group
http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion/
<img src="https://ekiledjian2.micro.blog/uploads/2025/ccdb923ffa.jpg" alt="">
Ragnar Locker
p6o7m73ujalhgkiv.onion
<img src="https://ekiledjian2.micro.blog/uploads/2025/dd7e0f4952.jpg" alt="">
Nefilim Group
hxt254aygrsziejn.onion
<img src="https://ekiledjian2.micro.blog/uploads/2025/4bb6870ee2.jpg" alt="">
Avaddon Ransomware
http://avaddongun7rngel.onion/
<img src="https://ekiledjian2.micro.blog/uploads/2025/a847ee94d9.jpg" alt="">
Darkside Group
darksidedxcftmqa.onion or darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion
<img src="https://ekiledjian2.micro.blog/uploads/2025/b3ff341621.jpg" alt="">
Suncrypt
nbzzb6sa6xuura2z.onion
<img src="https://ekiledjian2.micro.blog/uploads/2025/862c9fbd39.jpg" alt="">
REvil Ransomware
http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/
<img src="https://ekiledjian2.micro.blog/uploads/2025/06b5bb1b82.jpg" alt="">
Mount Locker
http://mountnewsokhwilx.onion/
<img src="https://ekiledjian2.micro.blog/uploads/2025/1e9e5cf70b.jpg" alt="">
Pay2Key Leaks
pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion
<img src="https://ekiledjian2.micro.blog/uploads/2025/0df516f35e.jpg" alt="">
Lockbit Ransomware
http://lockbitkodidilol.onion/
<img src="https://ekiledjian2.micro.blog/uploads/2025/b319841bdb.jpg" alt="">
Ragnarok Leaks
wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion
<img src="https://ekiledjian2.micro.blog/uploads/2025/fc4c12080d.jpg" alt="">
The Cl0P Ransomware Darknet showcase
There are hundreds of write-ups about the CL0P ransomware and the gang behind it. They came back into the spotlight recently, claiming to have exploited the Accellion FTA (a legacy file transfer appliance) and thereby the customers running unpatched versions of the Accellion product.
Over the last couple of weeks, more "leaks" have come out claiming that many more companies were breached through this vulnerability and then infected with the Cl0p ransomware.
Many have asked if I knew where (on the Darknet, aka the TOR network) the CL0P gang is publishing the list of infected companies. The answer is yes: http://ekbgzchl6x2ias37.onion/
<img src="https://ekiledjian2.micro.blog/uploads/2025/9955c0bc0d.jpg" alt="">
Now a word of caution. We aren't certain who created this site. We don't know whether the data on it comes from organizations actually infected by CL0P, or whether someone simply found the leaks and is claiming the victims were infected.
My research leads me to believe that the CL0P group is behind this TOR site and that the data on it is indicative of infected organizations.
If you click on the Canadian company Bombardier, you get this page with some data provided as proof.
<img src="https://ekiledjian2.micro.blog/uploads/2025/9dc12a062c.jpg" alt="">
Here is a sample of the “proof” they provide for Bombardier
<img src="https://ekiledjian2.micro.blog/uploads/2025/09f6d0d193.jpg" alt="">
The moral of the story is that there are bad people out there who want to profit from the misery of others. These threat actors are getting more creative and have improved their marketing skills to "encourage" victims to pay up.
Hire a good CISO and invest in your security program.
How to limit software exploits on your iPhone
Security and usability are contradictory forces. Ultimate usability means less security, and ultimate security means less usability. It is a fine balancing act that every user must perform for themselves.
The iPhone is a well-designed and fairly safe device out of the box, but there are some settings you can change to reduce your odds of being attacked. Each setting you change will make your device a bit more secure but will limit a useful function.
This article walks you through some of the settings that reduce your susceptibility to software exploitation.
Install patches
Your iPhone should be configured (out of the box) to periodically download OS and app patches, but you should also check manually (Settings > General > Software Update) every day to ensure you get patches as quickly as possible, and confirm that Automatic Updates is switched on in that same screen.
Don’t open that attachment or that link
Although the iPhone has a very mature and sophisticated security model (including sandboxing), we have seen advanced threat actors use zero-day attacks sold by vulnerability merchants to attack freedom fighters, journalists and other people of interest.
Like on a traditional computer:
never open an attachment from an unknown person
never open an unexpected attachment from a known contact
never click through on a link (SMS, Whatsapp, Telegram, Twitter, Facebook, Instagram, etc) from an unknown person
never click through on a link in an unexpected message from a known contact
Reboot your device
We have seen many sophisticated and advanced attacks performed against iOS devices that leverage unknown (therefore unpatched) vulnerabilities but many of them are not persistent. This means that the attacker has to re-compromise your phone if they want control, after a reboot. Think of the reboot as a cleanse or detox.
This has become a standard ritual for me and I regularly restart my phone throughout the day.
Pay attention to the dots
Apple has implemented an ingenious feature to quickly show you if an app is using your camera or your microphone. When in use, an orange or green dot will appear on your top menu bar next to the battery indicator.
<img src="https://ekiledjian2.micro.blog/uploads/2025/c94322defc.jpg" alt="">
An orange indicator means an app on your iPhone is using the microphone. If you are legitimately using a feature like Siri, it is normal for the dot to appear, but it should disappear when you are done; if it doesn't, something is still listening (legitimate or not).
A green indicator means the camera, or the camera and the microphone, are being used.
If you open Control Center, the top of it shows the app that most recently used the microphone or the camera.
<img src="https://ekiledjian2.micro.blog/uploads/2025/aceab75340.jpg" alt="">
Disable Airdrop
<img src="https://ekiledjian2.micro.blog/uploads/2025/48126169d2.jpg" alt="">
AirDrop is an Apple technology that allows you to quickly and easily share content (files, videos, music, links, etc.) between iOS and macOS devices. AirDrop itself could have vulnerabilities that allow an attacker to push a malicious file to your device without your knowledge, or an attacker can use it in a social engineering attack to trick you into opening a malicious file.
Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show Control Center
3D Touch or long-press the network settings card (in the upper left-hand corner), then tap AirDrop
Choose Receiving Off to disable AirDrop
Disable Bluetooth
<img src="https://ekiledjian2.micro.blog/uploads/2025/b35f295fd6.jpg" alt="">
Bluetooth has had many easily exploitable vulnerabilities in the past. Although Apple quickly patches known vulnerabilities, there may be unknown ones being sold by vulnerability merchants to threat actors or nation-state attackers. Additionally, many organizations (from law enforcement to shopping mall managers) are known to track users by their Bluetooth address.
If you are not actively using Bluetooth (e.g. connected to headphones), you should consider disabling it. Disabling it will cut off the connection between your phone and your Apple Watch (until you turn it on again). Note that the Control Center toggle only disconnects accessories and re-enables Bluetooth on its own later (the next day); to switch the radio off fully, use Settings > Bluetooth.
Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show Control Center
Tap the Bluetooth icon to turn it off
Disable JavaScript in Safari
<img src="https://ekiledjian2.micro.blog/uploads/2025/79c1e184a4.jpg" alt="">
JavaScript powers the modern web but has been used in a significant number of web attacks. Disabling JavaScript will significantly improve the security of your device but will likely break many modern websites (rendering them unusable).
If you are a higher-risk individual (politician, journalist, dissident, etc.), you may want to turn JavaScript off. Otherwise, you may want to leave it on. This setting only applies to JavaScript inside the Apple Safari browser.
Open the Settings app
Find Safari
Scroll to the bottom until you see Advanced
Turn off JavaScript by tapping the toggle switch.
Disable WIFI Hotspot
<img src="https://ekiledjian2.micro.blog/uploads/2025/c5a6885135.jpg" alt="">
The Personal Hotspot is normally off by default. I mention it here in case you turned it on.
The hotspot allows other Wi-Fi devices to connect to your smartphone and share its cellular (3G, 4G or 5G) connection. Those devices need the hotspot password configured on your smartphone, but it is possible iOS contains a vulnerability not yet known to Apple that could be exploited, allowing a threat actor to connect to your device and push malware.
Open the Settings App
Open Personal Hotspot
Turn off Allow Others to Join
What do you do if your password was hacked?
This is not a sponsored post and the links are not affiliate links. The links are provided to simplify your journey.
I wrote this post to help the average consumer user.
Many believe bad things only happen to other people, but the quantity and severity of breaches are growing quickly. Once you have accepted that you may be part of the unlucky, how do you know if your information was leaked in a breach?
Was my information leaked in a breach?
First, check Have I Been Pwned (HIBP)
<a href="https://haveibeenpwned.com" target="_blank"><img src="https://ekiledjian2.micro.blog/uploads/2025/47f4d4d6ef.jpg" alt=""></a>
Security researcher Troy Hunt has created this free resource to check if your email address was part of any known breach.
You simply enter the email address you used to register for most sites, and it will show a green result (your email was not found in any known breach) or a red one (your email was found in a data breach):
<img src="https://ekiledjian2.micro.blog/uploads/2025/b832356d63.jpg" alt="">
HIBP does not store the emails you search for, unless you sign up for its automatic notification service. By listing the sites that leaked your credentials, you can determine what other sites may now be at risk (because most people reuse passwords).
Second, you may want to check out a similar service operated by the non-profit Mozilla Foundation called Firefox Monitor.
<img src="https://ekiledjian2.micro.blog/uploads/2025/fa3a1e9784.jpg" alt="">
This works the same way as HIBP. You enter your email and press check. As with HIBP, if your email address was in a known leak, it lists the sites (or breaches):
<img src="https://ekiledjian2.micro.blog/uploads/2025/e81a8b74a3.jpg" alt="">
The third source you can check is a site called Cybernews
<img src="https://ekiledjian2.micro.blog/uploads/2025/3a13fa7e6b.jpg" alt="">
Like HIBP and Firefox Monitor, you enter your email address and the site tells you whether your information was found in a breach:
<img src="https://ekiledjian2.micro.blog/uploads/2025/44ef849099.jpg" alt="">
Unlike the others, this one does not list which breaches (or how many) your information was found in, so treat it as a quick third check rather than a replacement for the first two.
I recommend checking these sites monthly or using their auto-alert feature, which will email you if your information is found in a future breach.
BIG IMPORTANT WARNING:
If these sites do not find your information in a known breach, it does not mean you are safe. There are probably hundreds or thousands of breaches that occur each year that go unannounced and therefore these sites cannot catalog that information. Always be careful and we will provide some extra insight later in this article.
Be aware of weird account activity
As mentioned above, not being listed doesn't mean you are safe, so always be vigilant with your online accounts. Sites or services with good security controls will detect anomalous activity on your account and email you. For example, you receive a password reset link that you didn't request, or a site emails asking whether you logged in from a location you didn't (you log in from the USA but the email says someone in Prague attempted to log into your account). Gmail does this (for unusual browsers, IP addresses or geographic locations).
Sometimes when accounts are taken over, the attacker will change the registered account email so if you try to log into a service you are registered for and it does not recognize your email address, that is an indication your account was taken over.
Another indicator is strange configuration in your email account. Attackers want into your email because that is how they reset passwords on your other services or delete the alerts that would tip you off. They either set up filters (to forward emails of interest to themselves, or to mark alert emails as read and immediately delete them) or they set up forwarding of all your mail to an address they control. In Gmail, check Settings > See all settings > Filters and Blocked Addresses, and the Forwarding and POP/IMAP tab, for anything you did not create.
The main issue is password reuse
The main issue is password reuse. Most users have a handful of passwords they reuse for all the sites they register on. Once an attacker finds one of those passwords, they will try it against other major services (Facebook, Twitter, Instagram, Gmail, Hotmail, etc.) and will have immediate access.
This is why I recommend using long unique passwords for each site and storing those passwords in a reputable password manager.
My favourite password managers (free and paid)
five sites to help you generate long, complicated and unique passwords
What do I do if my information was leaked in a breach?
With the quantity and size of breaches, it is likely that your information was leaked in a breach, what do you do now?
If you reuse passwords, then the first thing you should do is visit all the sites you use and immediately change the passwords.
If you are locked out of your account (it could mean the attackers have taken it over), use the reset password functionality to change your password.
If you are sure you had a registered account but the system cannot find your email address (when you use the reset feature above), it could mean the attackers changed the registered email address on your account. You will have to contact the site's support team and explain the situation.
Another interesting recommendation you don’t see often is to use multiple email addresses. If you are using a password manager (and you should be by now), then why not create a free email address for different groups of services. Maybe one for online shopping, one for social media, etc
Good internet password hygiene
Use long, complicated and random passwords for each site. Something like f%[_8s9f579o+*38zjURqjK}GQZ
You can also use a long passphrase (if you are stubborn and don't want to use a password manager), but make it unique for each service: 1l0v3*K1nG!*Appl3?P3acH%Umrellas-P1nk!
Most sites use a technique called hashing to store user passwords. This means they don't store your password but a mathematically derived value, and attackers have to "crack" the hashes by guessing candidate passwords, hashing each one and comparing. This guessing is fast against short or common passwords (and against unsalted hashes, one guess checks the whole leaked table at once) but impractical for long, random passwords. So even if your data is leaked in a breach, attackers may not be able to recover your password, and your account may end up "safe" if you use long and complex passwords. Well-run sites also salt their hashes and use deliberately slow hash functions, which raises the attacker's cost further, but you cannot verify that from the outside, so choose passwords as if they didn't.
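Here is an added Python example (not from the original post) showing what that cracking step looks like against a constructed leak: a short wordlist recovers the weak passwords from unsalted SHA-256 hashes in one pass, never recovers the random one, and has to be repeated per user once salts and a slow hash (PBKDF2) are in play. The usernames, passwords, salts and wordlist are all constructed for the demo.

```python
import hashlib
import math
import string


def sha256_hex(password: str) -> str:
    """The careless way: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


ITERATIONS = 50_000  # kept low so the demo runs in about a second


def pbkdf2_hex(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """The careful way: a per-user salt and a deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Constructed users and passwords (the third is this post's own random-password example).
USERS = [
    ("alice", "password", b"constructed-salt-1"),
    ("bob", "Summer2021", b"constructed-salt-2"),
    ("carol", "f%[_8s9f579o+*38zjURqjK}GQZ", b"constructed-salt-3"),
]
# Two constructed "leaks" of the same accounts: what a sloppy site and a careful site would spill.
LEAK_UNSALTED = {user: sha256_hex(pw) for user, pw, _ in USERS}
LEAK_SALTED = {user: (salt, pbkdf2_hex(pw, salt)) for user, pw, salt in USERS}

# Tiny constructed wordlist; real attacks use billions of candidates plus mangling rules.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2021", "Welcome1"]


def crack_unsalted(leak: dict, wordlist) -> dict:
    """Dictionary attack on unsalted hashes. Each candidate is hashed once and looked up
    against every user at the same time, so one guess covers the whole dump."""
    users_by_hash = {}
    for user, digest in leak.items():
        users_by_hash.setdefault(digest, []).append(user)
    recovered = {}
    for guess in wordlist:
        for user in users_by_hash.get(sha256_hex(guess), []):
            recovered[user] = guess
    return recovered


def crack_salted(leak: dict, wordlist, iterations: int = ITERATIONS) -> dict:
    """Same attack on salted, slow hashes: every guess must be recomputed per user, and
    each computation costs `iterations` HMAC rounds instead of one SHA-256."""
    recovered = {}
    for user, (salt, digest) in leak.items():
        for guess in wordlist:
            if pbkdf2_hex(guess, salt, iterations) == digest:
                recovered[user] = guess
                break
    return recovered


def keyspace_bits(password: str) -> float:
    """Work for an exhaustive search if the password were random over the character
    classes it actually uses: length times log2(alphabet size), in bits."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEAK_UNSALTED, WORDLIST))
    print("salted:  ", crack_salted(LEAK_SALTED, WORDLIST))
    for user, pw, _ in USERS:
        print(f"{user}: {keyspace_bits(pw):.0f} bits of keyspace")
```

Both attacks recover alice and bob because their passwords are in the wordlist, and neither touches carol: no wordlist contains a 27-character random string, and at roughly 177 bits of keyspace nothing brute-forces it either. The salted run is noticeably slower even for this toy, which is the whole point of slow hashing.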
Never reuse a password across multiple sites.
Whenever possible, use two-factor authentication to add additional security to your account.
There is a great free site called twofactorauth.org (now 2fa.directory) with an exhaustive list of sites that support two-factor authentication, and for many of them a link to the page explaining how to turn it on.
<img src="https://ekiledjian2.micro.blog/uploads/2025/8408a5ec6d.jpg" alt="">
The most secure option is a hardware token (my favourites are the YubiKey ones) and the least secure is SMS. If you are curious why SMS isn't secure, I wrote an old article about the SS7 attack.
If you choose to use a software token, the one I recommend is Authy by Twilio. Authy is free, cross-platform and incorporates good security protection features.
OSINT - Fake ID Generator (information and even pictures)
If you are performing Open Source Intelligence (OSINT) or Signals Intelligence (SIGINT), you may need to generate fake identification information.
The information in this article is being provided for educational purposes only. Don’t do anything illegal.
Fake Name Generator
This site generates believable fake identities with name, address, date of birth, telephone number and much more. If you need a "complete" fake identity, this free site may be useful.
<img src="https://ekiledjian2.micro.blog/uploads/2025/dd287684d6.jpg" alt="">
Data Fake Generator also performs the same function.
<img src="https://ekiledjian2.micro.blog/uploads/2025/273a9e5c85.jpg" alt="">
Fake IMEI
The International Mobile Equipment Identity (IMEI) is a unique 15-digit identifier that every mobile phone has; the last digit is a Luhn check digit, so a number typed at random will usually fail validation. If you need a fake one, this simple page may be useful: click Generate and it creates a new one for you.
<img src="https://ekiledjian2.micro.blog/uploads/2025/3021c6aa88.jpg" alt="">
Elf Wrin’s lair
This is a classic site that can generate a ton of useful fake information such as:
complete fake ID
credit card
Social Security Number
car license plate
Although the information is fake, all of it will pass the generic algorithmic checkers (such as the Luhn checksum on card numbers and IMEIs). Passing the checksum does not make a card number chargeable or an IMEI registered; it only gets past form validation.
<img src="https://ekiledjian2.micro.blog/uploads/2025/f7972c409b.jpg" alt="">
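To show what "passing the generic algorithmic checkers" means, here is an added Python example (not code from any of the sites above) implementing the Luhn checksum used by payment card numbers and IMEIs, both to validate a number and to generate one that validates. The TAC and issuer prefixes used in the demo are placeholders, and a number that passes Luhn is still not an issued card or a registered handset.

```python
import random


def luhn_sum(digits: str) -> int:
    """Luhn sum: walking from the right, double every second digit (subtract 9 when the
    result exceeds 9) and add everything up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the number, check digit included, has a Luhn sum divisible by 10.
    Spaces and dashes (as printed on cards) are ignored."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return len(digits) >= 2 and luhn_sum(digits) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit valid. Appending a '0' puts the payload in
    the parity it will have once the real check digit is attached."""
    return str((10 - luhn_sum(payload + "0")) % 10)


def generate_imei(tac: str, rng: random.Random) -> str:
    """IMEI = 8-digit Type Allocation Code + 6-digit serial + Luhn check digit."""
    if len(tac) != 8 or not tac.isdigit():
        raise ValueError("TAC must be 8 digits")
    serial = "".join(str(rng.randrange(10)) for _ in range(6))
    return tac + serial + luhn_check_digit(tac + serial)


def generate_card_number(iin: str, length: int, rng: random.Random) -> str:
    """Card number = issuer prefix (IIN) + random account digits + Luhn check digit."""
    if not iin.isdigit() or not 8 <= length <= 19 or len(iin) >= length:
        raise ValueError("bad IIN or length")
    body = "".join(str(rng.randrange(10)) for _ in range(length - len(iin) - 1))
    return iin + body + luhn_check_digit(iin + body)


def demo(seed: int = 2021) -> dict:
    """Reproducible sample: one IMEI and one card number, both Luhn-valid, from placeholder
    prefixes (the TAC here is not a real model; the leading 4 is Visa-style)."""
    rng = random.Random(seed)
    return {"imei": generate_imei("01234567", rng),
            "card": generate_card_number("4", 16, rng)}


if __name__ == "__main__":
    sample = demo()
    for kind, number in sample.items():
        print(kind, number, luhn_valid(number))
    print("textbook IMEI 490154203237518 valid:", luhn_valid("490154203237518"))
```

The same `luhn_valid` is what a registration form or a checkout page runs, which is why the generated numbers sail through; anything beyond that (issuer lookup, TAC database, authorization) is a different check that fake data does not pass.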
PIC/CIC Database
The site describes its usefulness as follows:
“Many PIC and CIC codes can be manually dialed before placing a long distance call by dialing 101 followed by the PIC/CIC code. This forces your call to be carried by that PIC/CIC code's carrier instead of your normal long distance carrier.”
This is a more niche service and will only be useful to a very small group of readers.
<img src="https://ekiledjian2.micro.blog/uploads/2025/9cbf64e64c.jpg" alt="">
Fake photo generator
There may be times when you need to create a fake profile (dating site, social media, etc.), and this site will generate a picture created by a GAN (Generative Adversarial Network) for you. Simply refresh the page to get a new image. If you like the image, save it, as it may never come back. Also double-check the entire image to make sure there aren't any weird artifacts (mismatched earrings, melted backgrounds or distorted edges are common giveaways).
<img src="https://ekiledjian2.micro.blog/uploads/2025/5931f9c6fe.jpg" alt="">
OSINT - Disposable contact sites
The purpose of this blog article is to share some useful sites that will allow you to create temporary contact mechanisms for OSINT, SIGINT or other cyber activities.
This is not an exhaustive list and I am simply listing these here to help you. This listing should not be considered a personal endorsement by me. Do your own research ;-)
Disposable email
10 minute email offers a quick way to receive email with an email address that disappears in 10 minutes. This free service can be useful if a site requires registration with email verification but you don’t want to give away your real email address and this is a one time use activity.
<img src="https://ekiledjian2.micro.blog/uploads/2025/9e8f44b613.jpg" alt="">
Email forwarding service
There may be times when you want to protect your email address but need to regularly receive emails from an untrusted source, or from a service you need to hide from. This is where AnonAddy comes in. They have a free plan for casual use and paid plans if you need a bit more functionality.
If you are technically inclined and require additional security or privacy, the service is based on an open source project, so you can host it yourself as well.
<img src="https://ekiledjian2.micro.blog/uploads/2025/bf0e8974ac.jpg" alt="">
Send faxes anonymously for free
FaxZero is a service that allows you to send faxes for free. They require that you click an email confirmation link before they process your fax, which is why I listed the email services above. FaxZero also offers a paid service if you need priority faxing or higher volumes. My best recommendation is to use the free service at times when you believe they are less busy, so your faxes go out sooner. In my testing (over 3 months), 95% of my faxes on the free service were sent within 20 minutes.
<img src="https://ekiledjian2.micro.blog/uploads/2025/17cd3a41b5.jpg" alt="">
Send a Free anonymous text message (SMS)
Globfone is a free web-based service that allows you to send SMS messages to almost any phone on any network anywhere in the world. It requires no registration and is anonymous toward the recipient (the operator still sees your IP address and the message content). It adds a small ad at the end of your SMS that reads "/try Globfone".
The other services listed on their site seem much less reliable, but the SMS one has worked every time.
<img src="https://ekiledjian2.micro.blog/uploads/2025/48e56480a6.jpg" alt="">
Receive SMS messages
There may be times when you need a temporary, disposable inbound SMS number. This is where SMStoMe shines. It is a free service and requires no registration. Remember that the inbound numbers are shared, so anyone can read what arrives; never use them for accounts you care about. Numbers are refreshed every 30 days and can receive SMS messages from any network in the world.
<img src="https://ekiledjian2.micro.blog/uploads/2025/8ae309570d.jpg" alt="">
Free WIFI cellphone number
There are many free Wi-Fi calling and SMS services out there, but the one I have found most reliable is TextNow. You can buy an ad-free service with number protection for about $40 a year, but the basic service (which should meet your OSINT needs) is free.
<img src="https://ekiledjian2.micro.blog/uploads/2025/fc0ee9ea7d.jpg" alt="">
Funny snow equipment names
You can track snow plows and salt trucks in real-time in Scotland. Check out their hilarious names like: “for your ice only”, “arctic angel”, “Tam O’Salter”, etc
https://scotgov.maps.arcgis.com/apps/webappviewer/index.html?id=2de764a9303848ffb9a4cac0bd0b1aab
<img src="https://ekiledjian2.micro.blog/uploads/2025/336206ec88.jpg" alt="">
CyberSecurity OSINT - Shodan searches for webcams
Everyone on the internet knows what a search engine is: it lets you find internet-connected resources (web pages) quickly without cataloguing the web yourself. Shodan.io is a search engine used by researchers and hackers to find devices connected to the internet (printers, webcams, industrial systems, Windows XP machines, etc.).
The purpose of this article is to provide some hyperlinked examples to help the Open Source Intelligence student play with Shodan and make it immediately useful.
This article will provide some examples of how to find webcams connected to the internet.
While you will find thousands that are unprotected (no username or password required), others will be protected but still use the default password. Where can you find webcam default passwords? Just search the net, but here is one list called iSpy to get you started. Trying those passwords against a device you do not own is unauthorized access, however weak the password is.
Many of these searches will require a free Shodan account so make sure you create one.
I am providing this information for educational purposes only. Don’t do anything illegal.
html:"DVR_H264 ActiveX" - Security Digital Video Recorders
<img src="https://ekiledjian2.micro.blog/uploads/2025/54e87fd3c5.jpg" alt="">
title:camera - This is a quick search that lists anything with the word camera in it
<img src="https://ekiledjian2.micro.blog/uploads/2025/6997b951c3.jpg" alt="">
webcam has_screenshot:true - This search lists any device that self identifies as a webcam and where Shodan has a screenshot.
<img src="https://ekiledjian2.micro.blog/uploads/2025/f86fe4e009.jpg" alt="">
Server: IP Webcam Server "200 OK" - android IP webcam server
<img src="https://ekiledjian2.micro.blog/uploads/2025/35ba3b69ad.jpg" alt="">
server: webcampxp - Looking for a very popular windows Webcam server software
<img src="https://ekiledjian2.micro.blog/uploads/2025/9156246b7d.jpg" alt="">
title:"blue iris remote view" - Webcams using the Blue Iris webcam management software
<img src="https://ekiledjian2.micro.blog/uploads/2025/b0ae939c5a.jpg" alt="">
product:"Yawcam webcam viewer httpd" - Yet Another Webcam is a free webcam publishing server software.
<img src="https://ekiledjian2.micro.blog/uploads/2025/c0bc99f410.jpg" alt="">
title:"IPCam Client" - Devices using the IPCam software
<img src="https://ekiledjian2.micro.blog/uploads/2025/760cc8e9ad.jpg" alt="">
title:"+tm01+" - loads of unsecured Linksys webcams
<img src="https://ekiledjian2.micro.blog/uploads/2025/b1f2d0afba.jpg" alt="">
Others
I will be posting more articles about other interesting Shodan searches, but here are a couple of extras to whet your appetite.
"230 login successful" port:"21" - Find FTP servers that accepted an anonymous login (230 is the FTP reply for a successful login)
<img src="https://ekiledjian2.micro.blog/uploads/2025/ab488c05eb.jpg" alt="">
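Shodan results are only useful once triaged, so here is an added Python example (not Shodan's code) that classifies search results from their banners alone: an HTTP 200 with no authentication challenge, a 401 with WWW-Authenticate, or an FTP banner containing the 230 login line. The records below are constructed in the shape of the Shodan API's `matches` entries, using documentation-range addresses; with the shodan package and an API key the real input would be `shodan.Shodan(key).search(query)["matches"]`.

```python
import re

# Constructed records in the shape of the Shodan API's `matches` entries (`ip_str`, `port`,
# the raw `data` banner and, for HTTP, `http.title`). Addresses are RFC 5737 documentation
# ranges, so nothing here points at a real device.
SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "port": 80, "http": {"title": "webcamXP 5"},
     "data": "HTTP/1.1 200 OK\r\nServer: webcamXP 5\r\nContent-Type: text/html\r\n\r\n"},
    {"ip_str": "192.0.2.11", "port": 8080, "http": {"title": "IPCam Client"},
     "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"IPCam\"\r\n\r\n"},
    {"ip_str": "198.51.100.5", "port": 21,
     "data": "220 (vsFTPd 3.0.3)\r\n230 Login successful.\r\n214-The following commands are recognized.\r\n"},
    {"ip_str": "198.51.100.6", "port": 21,
     "data": "220 ProFTPD Server ready.\r\n530 Login incorrect.\r\n"},
]


def classify(match: dict) -> dict:
    """Label one result from the banner Shodan already collected: no new connections,
    no credential guessing, just reading what the device volunteered."""
    data = match.get("data", "")
    finding = {"ip": match["ip_str"], "port": match["port"],
               "title": (match.get("http") or {}).get("title", ""), "exposure": "unknown"}
    status = re.match(r"HTTP/\d\.\d (\d{3})", data)
    if status:
        code = status.group(1)
        if code == "401" or re.search(r"^WWW-Authenticate:", data, re.M | re.I):
            finding["exposure"] = "auth-required"
        elif code == "200":
            # Served content without a challenge. Heuristic only: some cameras return a
            # login form with a 200, and some stream video before asking for anything.
            finding["exposure"] = "open"
        else:
            finding["exposure"] = f"http-{code}"
    elif match["port"] == 21:
        # "230" is the FTP reply for a successful login; in a Shodan banner it means the
        # server accepted Shodan's anonymous login attempt.
        anonymous = re.search(r"^230 ", data, re.M) is not None
        finding["exposure"] = "anonymous-ftp" if anonymous else "ftp-auth-required"
    return finding


def triage(matches) -> tuple:
    """Label every result, put the exposed ones first, and count by exposure class."""
    labelled = [classify(m) for m in matches]
    priority = {"open": 0, "anonymous-ftp": 1}
    labelled.sort(key=lambda f: (priority.get(f["exposure"], 9), f["ip"]))
    counts = {}
    for f in labelled:
        counts[f["exposure"]] = counts.get(f["exposure"], 0) + 1
    return labelled, counts


if __name__ == "__main__":
    rows, summary = triage(SAMPLE_MATCHES)
    for row in rows:
        print(f"{row['ip']}:{row['port']:<5} {row['exposure']:<18} {row['title']}")
    print(summary)
```

Everything here works on data Shodan already holds, which keeps the exercise on the OSINT side of the line; the moment a script starts connecting to the listed hosts, let alone trying passwords, it is no longer research on your own behalf.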