Firefox Send was a fantastic tool that allowed anyone on the internet to send large files for free using encryption. Unfortunately, the bad guys started using it, and Firefox pulled the plug.

The concept is simple, by visiting the service page, you upload your files, and the service provides a link that allows anyone to download the content. The challenge with most free services is that they are insecure, and most are slow (encouraging you to buy their faster service).

Wormhole one such service that leverages WebTorrent for fast transfers, promises end-to-end encryption and is free (with no upsell). Wormhole doesn't even require registration. Transfers of 5GB or less are handled by their servers, which means your browser doesn't even have to remain open. 

Traditional torrents require special clients, but WebTorrent is a gateway that allows any torrent files to be shared through a web browser (no special client or unique configuration).

When you create a new transfer, your device generates a unique encryption key used to encrypt the content before it is sent to the Wormhole servers. 

The unique twist

Remember that Wormhole is built with a combination of traditional web technologies married to torrenting. This unique combination makes their service faster than most competitors. But the magic is that the recipient can start downloading the content before you have completed the upload. This streaming functionality is something no other competitors (that I am aware of) offer. This means you can share the link with the recipient while you are uploading the content (and not have to wait until everything is uploaded). 

It's good but not perfect

Perfection is the enemy of good and there are some limitations you should be aware of:

• If you upload content larger than 5GB (up to the 10GB limit), you have to keep your browser page open because Wormhole won't store the files on their servers (they do up to 5GB)

• Uploaded content is only available for 24 hours

• A file can be downloaded up to 100 times

If you are curious, they share their roadmap here.

Conclusion

This is a new service, but it has already found a place in my online toolkit. Obviously, the long-term viability will depend on some time of premium service, but there aren't any details yet. I guess that the premium service will allow larger transfers, longer storage and more download slots. 

The security write-up (here) seems interesting, and the product looks to be designed securely. Still, because it is not open-source, there is no way to be sure they have implemented the security controls they say they have. If something is very sensitive, encrypt it using 7-zip before uploading (using a unique password shared with the recipient out of band). 

I have written about general user security several times over the last years, and the recipe is always the same: 

• Install a good anti-malware product

• Make sure your applications and operating systems are patched

• Don't click or open unexpected or unknown links/attachments.

Even with the best practices, there is malware that is stealthy enough to avoid detection.

Recently security researchers from Nerdlocker followed a trail left by sloppy hackers. To everyone's surprise, they found 1.2TB of files, cookies, 900K images, 600K word files and credentials stolen from over 3M computers. The data was obtained through malware that stole data from user desktops and downloads folders.

• The data is relatively fresh, and ~30% of the cookies were still valid.

• 1M website logins (including the 4 horsemen of the internet) Amazon, Facebook, Twitter and Gmail. 

So what next

The malware is stealthy and cannot be easily detected by antivirus products. 

However, the information has been added to the HaveIBeenPwnd service. 

As previously described, you visit the site, enter your email address, and it will tell you if you are part of this breach (or any other).

How do you protect yourself in the future?

• Use long unique passwords for each site with the credentials stored in a good password manager (like 1Password and BitWarden)

• Use a good reputable antivirus, update your software and operating system.

• Make sure you regularly delete your cookies. I have written about extensions that automate this in the past.

• Install a good anti-malware product

• Make sure your applications and operating systems are patched

• Don't click or open unexpected or unknown links/attachments.

  
  Links: 

• Nerdlocker blog post

• Ed's favourite things - Best Password Manager

• Downloaded over a billion email addresses and passwords this weekend

Other related articles

• Popular Ransomware Darknet showcase websites

• How to access tor sites without the tor browser

• More Ransomware gang tor darknet sites

Today I bring you a link to the Arvin Club darknet (Tor) ransomeware showcase site

• Onion Link

• Tor2Web gateway link

Arvin Club offers ransomware leaks and leaks from breached sites.

As an example, they even offer the Clubhouse scrape data leak

Extensions are interesting little technical widgets. Most assume they are simply tools but some see it as art. I can learn a lot about a computer user by the browser extensions they have installed and use. As a security professional, I have a handful of security oriented extensions (in addition to the ones that make the web more usable or that save me money).

I regularly receive requests from readers to list my extensions and to be honest, they often change. I remove extensions I don’t use, deactivate extensions I sometimes use and add new ones that I learn about. So right now, here are the extensions I think you will find the most useful .They are Google Chrome extensions but they work in any Chromium browser (like MS Edge).

builtwith technology profiler

It shows the tech stack a website is built on

chaff

Generate random web browsing traffic to obfuscate actual browsing behavior to avoid profiling through 3rd party observation. Think of this as data poisoning for the companies that track you.

ClearURLs

This extension will automatically remove tracking elements from URLs to help protect your privacy when browsing the Internet.

Click&Clean

A tool that lets you clean browser tracking tools.

Disconnect

Let’s use block invisible web trackers

Distill

A tool that allows you to monitor a webpage and alert you when it changes.

DuckDuckGo Privacy Essentials

This is a swiss army knife of internet privacy. Here are the feature this extension offers

Escape Advertising Tracker Networks — Our Privacy Protection will block all the hidden third-party trackers we can find, exposing the major advertising networks tracking you over time, so that you can track who's trying to track you.

• Increase Encryption Protection — We force sites to use an encrypted connection where available, protecting your data from prying eyes, like Internet Service Providers.

• Search Privately — You share your most personal information with your search engine, like your financial, medical, and political questions. What you search for is your own business, which is why DuckDuckGo search doesn't track you. Ever.

• Decode Privacy Policies — We’ve partnered with Terms of Service Didn't Read to include their scores and labels of website terms of service and privacy policies, where available.

DuckDuckGo has said “DuckDuckGo has announced that its Chrome browser extension has been updated to block Google's new tracking technology.” You can test if your browser currently supports flock using this EFF AmIFloced website.

EFF Chrome extensions

• https everywhere Switches you to a secure https connection when available

• Privacy Badget Privacy Badger automatically learns to block invisible trackers.

Robots Exclusion Checker

Robots Exclusion Checker is designed to visually indicate whether any robots exclusions are preventing your page from being crawled or indexed by Search Engines. But a security person could then take those robot files, manually check those pages and find out why the organization doesn’t them indexed. Sometimes the exclusion is because they don’t want Google indexing active pages, other times it’s because those pages contain information the organization doesn’t want outsiders to easily find (pricing, org info, etc).

Social Disconnect Plus

Social Disconnect Plus is a browser extension that removes all sorts of Social Media content on webpages (i.e. the Facebook like button and other widgets).

uBlock Origin

uBlock Origin is the best ad blocker available but it does so much more. It is a powerful HTML firewall to protect you from several web attacks.

UA Spoofer for Chrome

With this extension, you can quickly and easily switch between user-agent strings. Also, you can set up specific URLs that you want to spoof every time.

Wayback machine

Easily determine if the Internet Archive has previous versions of the webpage you are on.

I wrote a blog post about popular ransomware group TOR (darknet) showcase sites (here).

The purpose of this entry is to add additional sites to the list (so you should check that one out first).

Astro Tream

anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32blhmql55tvgqad.onion

CUBA FREE

cuba4mp6ximo2zlo.onion

Babuk Ransomware

wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion

Ragnarok ransomware

wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion

Everest Ransomware

ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion

Ransomex ransomware

rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion

The free market determines pricing based on the intersection of supply and demand. For the longest time, an IOS Full Chain Compromise with Persistence (FCP) demanded a significantly higher payout from vulnerability vendors than Android ones. This was a simple question of economics: Android had more easily exploitable vulnerabilities thus each one was worth less. On the other hand IOS was built like Fort Knox. Vulnerabilities were few and far apart and dictatorial regimes and evil doers were willing to write much bigger checks to buy those rarer exploits.

The chart above shows the pricing as of April 2 2021 and clearly shows that an Android FCP demands a $500,000 bonus over an IOS one. We know demand for these has not dropped so the only possible explanation is that there are more IOS vulnerabilities in the market than Android ones.

Although Google doesn’t use security to market its smartphone OS, it has a best-in-class security team that is making Android more secure with every release. IOS is improving as well but not as fast as Android.

Before you start throwing things at me, remember that privacy and security are two very distinct qualities. There is no question that IOS offers a fairly secure computing environment and world class privacy.

Android on the other hand asks you to trade in some privacy in exchange for a super functional assistant but has done a fantastic job making it’s operating system more secure.

Speaking with a security consultant buddy that advises many large companies and special interest private organizations about operational security, he confirms that the “underground” demand for FCP android vulnerabilities is skyrocketing. He mentioned that patched Android vulnerabilities are becoming harder to find but that the demand is skyrocketing (because so many of his customer targets use the lower cost android platforms"). Zerodium isn’t the only vulnerability broker in the market but it is the only one that publicly publishes its payout tables.

My contact said Android’s open source nature is yielding many of these security benefits (e.g. Google regularly upstreams security improvements made by AOSP fork operators like the GrapheneOS).

The bottom line is that these operating systems are typically weakened by bad user decisions (configurations, app choices, etc), but out of the box, Android running on a Pixel device is probably more secure (but less private) than IOS.

The challenge on Android is the fact many phone vendors do not offer timely upgrades (if ever) which makes these phones super vulnerable. That is why if you use Android, stick with a Pixel device with guaranteed security upgrades for 3 years and OS upgrades for 2 years.

We know Apple invests heavily in security so we’ll have to see what security improvements, if anything, Apple implement in IOS 15.

Not a week goes by without some data breach, leak, hack, attack or other significant cybersecurity failures that spills all over blogs and even national media.

Five years ago, only avant-garde companies invested in cybersecurity; today, it has become a must. Companies realize the importance of a solid cybersecurity plan built on the People, Process and Technology pillars. One topic rarely discussed by corporate executives or security leaders is the incredible (and growing) stress the current environment inflicts on CISOs.

The stress is real

Stress is a normal way of life for most executives, but CISOs feel an acute level. Nominet's report, in collaboration with Vanson Bourne, The CISO Stress Report - Life Inside the Perimeter: One yes on", was the first quantification of this systemic issue.

In 2019, Nominet and Vanson Bourne conducted 800 online interviews in the USA and U.K (400 C-Suite and 400 CISOs). The included CISOs worked for both public and private corporates with at least 3,000 employees. They were quizzed about work-related stress and its effect on their professional & personal lives.

88 percent of CISOs consider themselves under moderate or high levels of stress

Some Interesting conclusions

• 7 out of 10 CISOs agree their work-life balance is too heavily weighted towards work (71%)

• Almost all CISOs are working beyond their contracted hours, on average by 10 hours per week (95%)

• This equates to extra time worth $30,319 per annum

• 87% of CISOs say that working additional hours was expected by their organization, while 78% of board members admitted this to be the case

• 83% of CISOs spend at least half of their evenings and weekends thinking about work

• Only 2% say they are able to switch off once they’ve left the office

• Over a third have failed to take all entitled annual leave

• 45% have missed family milestones or activities

More about the stress

The average tenure of a CISO is 26 months, and many believe stress is the primary motivator of change.

CISOs reported missing important family events such as birthdays, vacations, weddings and even funerals. Even with all the stress and extra working hours, most CISOs aren't taking their full annual leave (or sick days, time off for medical & dental appointments, etc.)

Stuart Reed, vice president at Nominet, suggested that the stress and wear & team on CISOs result from a combination of internal and external factors. The external factors are the headlines your read about, while the internal stresses are the pressure from executives expecting CISOs to "properly" handle these incidents and to provide updates & answers continually.

What are the most stress inducing elements?

• 44% being responsible for securing the organization and preventing breaches

• 40% the need to stay ahead of threat intelligence

• 39% the long hours worked

• 65% of those surveyed had suffered a breach in the past 12 months

• 37% of CISOs consider themselves ultimately % responsible for a breach while 31% of board members agree

• A fifth of CISOs believe they would be fired as a result, regardless of whether or not they themselves were responsible

What are the effects of the stress?

• Nearly half of CISOs said the levels of stress they are under has impacted their mental health (48%)

• 35% also reported that their stress had impacted their physical health

• 4 out of 10 CISOs said that their stress levels had affected relationships with their partners or children

• 31% said the stress affected their ability to fully perform at their job

How are CISOs coping with the stress?

• A quarter of CISOs are turning to medication or alcohol to manage their stress - an increase from 17% a year ago

• A fifth have taken a leave of absence due to stress (21%)

• 21% believed there to be no support structures in place within their organization to help deal with stress, while 94% of board members suggest there are

• 9 out of 10 CISOs would take a pay cut to improve their work-life balance; on average 7.76%, equating to $9,642

The silver lining

The report suggests that boards of directors are aware of the stress affecting their CISOs (74% of respondents believe that moderate or severe stress impacts their CISO).

As the board of directors and CIOs acknowledge this significant issue, they show more willingness to hire support staff to alleviate some of the stress elements. Ensuring the CISO is surrounded by skilled senior professionals can help alleviate many of the most aggravating elements. These supporting professionals must be experienced security technicians and have strong business acumen, strong interpersonal skills and the ability to work in teams or alone.

Another important stress reliever is ensuring the CISO can honestly share the state of their cyber universe with the executive leadership team to ensure decision-makers universally understand risks and provide executive support to the CISO (guidance and funding). The CISO must know he/she is not alone.

Cybersecurity is growing in importance and, for many organizations, has become the price of entry. Executives have started to understand this important fundamental truth and are now more willing to share the cybersecurity burden.

Conclusion

I built my first security business (a Canada wide security practice) that was later sold to Bell Canada in the early 2000’s and have been actively involved in cybersecurity since. Over the last 20+ years, I have seen the importance of security grow and this has required the creation of the CISO role.

Unfortunately I see too many CISOs that have been promoted to their level of incompetence (read about Peter’s principle here). The job is difficult enough for the professional with the right skills but is deadly for the wrong professional promoted as a reward (not because of merit).

Companies should perform an honest review of their CISOs competence and abilities. Thrusting the wrong person into this role is a disservice to the candidate.

Additionally it is important to realize that most security certifications tackle the technical skills. These are important but form less than 40% of the CISO’s true day to day responsibilities. The key skills (negotiation, strategic vision, budgeting, people management, etc) are completely ignored in most of the certifications companies deem “required” when posting a CISO job. HR leaders must quickly understand the new realities of the CISO role and craft job descriptions akin to that of a business executive leader than a manager for firewalls. This realization is important because a properly skilled CISO will handle the stress much better and therefore will deliver a much higher return on investment for the company.

HR leaders must learn to hire the right candidate for the CISO position

The last couple of articles I wrote referred readers to TOR (darknet/darkweb) sites. These sites are easy to identify because the terminating marker is .onion (instead of .com/.net/org).

The right way of accessing TOR sites is with the secure TOR browser designed and distributed by the TOR project. This purpose-built browser uses a hardened firefox to deliver maximum anonymity while browsing the "normal" web or tor sites.

There may be times when you are on a device that doesn't have the TOR browser and when speed is more important than privacy or security. In these situations, web-based services allow you to browse these tor (.onion) sites from a standard browser. That is the purpose of this blog article.

The following sites are web services that will allow you to access tor sites without using the tor browser (using a normal browser like Chrome, Firefox or Safari).

These services are called TOR gateways or TOR proxies. the TOR2WEB project was designed to allow users to access all onion services without using the TOR browser. The project site is here.

Remember that using these gateways means the gateway operator can see where you are going, and you lose all privacy and anonymity features of TOR.

To use use TOR2WEB gateways

Using most sites is very simple, you take your TOR address

Here is the secushare onion service at http://secushare.cheettyiapsyciew.onion/

you append the gateways domain name to the end of the onion address. As an example, if you want to use the gateway called onion.ws you simply add .ws at the end of the URL like this

http://secushare.cheettyiapsyciew.onion.ws

Some rare ones require you to remove the .onion at the end and replace it with their gateway url (e.g. like darkness.to) the above address would need to be

http://secushare.cheettyiapsyciew.darknet.to

List of TOR2Web gateways

Be aware as free services, many of these sites are flaky and will periodically be down. Try another one or try later.

If you visit the main domain with your browser, most will provide instructions (in case you forget how to use them)

• Onion.sh

• Onion.ws

• Onion.pet

• tor2web.to

• darknet.to

New sites pop up everyday so if these sites don’t work for you, just search for tor2web gateway in your favourite search engine (startpage.com, duck.com, etc)

Warning

I mention above to only use these services when security and privacy aren’t a concern. You may be wondering why. Here is a list

Session leakage

This is the same risk you experience when using any VPN service. Because the service is the one routing you to your final destination, they see everywhere you go and everything you see. A malicious operator can log and record your entire session with all traffic send back and form (between you and the TOR service). Never enter login credentials (or anything personal) when using these gateways.

Service enumeration

When using the TOR browser with long random TOR URLs, your browsing is relatively private. When using these gateways, you are on the “normal” web and any dns server used by your browser will see the URL you are visiting (e.g. http://secushare.cheettyiapsyciew.darknet.to)

Assume any DNS in your configured DNS chain or the providers chain will know what URL you are trying to resolve through your TOR gateway service.

User correlation

When using these gateways, the gateway operator can log all of your publicly available user identifiers (IP address, browser, OS, fingerprint, etc) and then log that you visited X tor site.

Conclusion

Although these gateways aren’t considered secure, there is a use case for them and it is another tool in your online tools arsenal. If you use them knowing their limitations, you will be fine and they could save you a lot of frustration.

The recent explosion of breaches by the CL0P Ransomware gang has renewed an interest in the darkweb showcase sites used by these threat actors to prove that they successfully broken into a company and to encourage victims to pay, Many have asked me to share some of these site and I was always hesitant. I recently learned that some “consultants” are charging customers to provide these publicly available links, which is wrong.

Most of these are on the TOR darkweb so you will have to use a TOR browser or VPN that bridges to TOR.

Mobikwik Indian data leak

mobikwikoonux37wauz6oqymshuvebj5u763rutlogc2fb2o3ugcazid.onion

Cl0p ransomware gang

http://ekbgzchl6x2ias37.onion/

DopplePaymer

http://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion/

AKO group

http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion/

Ragnar Locker

p6o7m73ujalhgkiv.onion

Nefilim Group

hxt254aygrsziejn.onion

Avaddon Ransomware

http://avaddongun7rngel.onion/

Darkside Group

darksidedxcftmqa.onion or darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion

Suncrypt

nbzzb6sa6xuura2z.onion

REvil Ransomware

http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/

Mount Locker

http://mountnewsokhwilx.onion/

Pay2Key Leaks

pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion

Lockbit Ransomware

http://lockbitkodidilol.onion/

Ragnarok Leaks

wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion

There are hundreds of write-ups about the CL0P Ransomware and the grand behind it. They came back into the spotlight recently claiming to have exploited the Accellion FTA (old file transfer service) and thus customers running unpatched version of the Accellion product.

Over the last couple of weeks, more “leaks” have come out claiming many more companies have been breached through this vulnerability and then infected with the Cl0p ransomware.

Many have asked if I knew where (on the Darknet, aka TOR network) the CL0P gang is publishing the list of infected companies. the answer is yes : http://ekbgzchl6x2ias37.onion/

Now a word of caution. We aren’t certain who created this site. We don’t know if data on the site is actual CL0P infected organizations or simply someone that found the leaks and is claiming they are infected.

My research leads me to believe that the CL0P group is behind this TOR site and that the data on it is indicative of infected organizations.

If you click on Canadian Bombardier, you get this page with some data provided as proof.

Here is a sample of the “proof” they provide for Bombardier

The moral of the story is that there are bad people our there that want to profit from the misery of others. These threat actors are getting more creative and have improved marketing skills trying to “encourage” victims to pay up.

Hire a good CISO and invest in your security program.

Security and usability are contradictory forces. Ultimate usability means less security and ultimate security mean less usability. It is a fine balancing act tat every user must perform themselves.

The iPhone is a well designed and fairly safe device out of the box but there are some settings you can change to reduce your odds of getting attacked. Each setting that you change will make your device a bit more secure but will limit a useful functionality.

This article will walk you through some of the settings that will reduce your susceptibility to software exploitation.

Install patches

Your iPhone should be configured (out of the box) to periodically download software and OS patches but you should check manually every day (to ensure you get the patches as quickly as possible)..

Don’t open that attachment or that link

Although the iPhone has a very mature and sophisticated security model (including sandboxing), we have seen advanced threat actors use zero-day attacks sold by vulnerability merchants to attack freedom fighters, journalists and other people of interest.

Like on a traditional computer:

• never open an attachment from an unknown person

• never open an unexpected attachment from a known contact

• never click through on a link (SMS, Whatsapp, Telegram, Twitter, Facebook, Instagram, etc) from an unknown person

• never click through on a link from a known contact but an unexpected message

Reboot your device

We have seen many sophisticated and advanced attacks performed against iOS devices that leverage unknown (therefore unpatched) vulnerabilities but many of them are not persistent. This means that the attacker has to re-compromise your phone if they want control, after a reboot. Think of the reboot as a cleanse or detox.

This has become a standard ritual for me and I regularly restart my phone throughout the day.

Pay attention to the dots

Apple has implemented an ingenious feature to quickly show you if an app is using your camera or your microphone. When in use, an orange or green dot will appear on your top menu bar next to the battery indicator.

An orange indicator means the microphone is being used by an app on your iPhone. Remember that if you are legitimately using this for features like Siri, it is normal that this will show up but it should disappear when you are done or it means something is still listening in (legitimate or not).

A green indicator means either the camera or the camera and the microphone are being used

If you swipe Control Center open, on the top, it will show you the last app that triggered the microphone or the camera

Disable Airdrop

Airdrop is an Apple technology that allows you to quickly and easily share content (files, videos, music, links, etc) between IOS and macOS devices. AirDrop itself could have vulnerabilities that could allow an attacker to send a malicious attack file to your device without your knowledge or they can perform social engineering attack to trick you to click on a malicious file.

1. Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show the control center

2. 3d touch or long-press the network settings card (in the upper left-hand corner, then click on AirDrop)

3. Choose Receiving Off to disable AirDrop

Disable Bluetooth

Bluetooth has had many easily exploitable vulnerabilities in the past. Although Apple quickly patches vulnerabilities, there may be unknown vulnerabilities being sold by vulnerability merchants to threat actors or nation-state attackers. Additionally many organizations (from law enforcement to shopping mall managers) are known to track users with their Bluetooth ID.

If you are not actively using Bluetooth (aka connected to headphones for example) then you should consider disabling it. Disabling it will cut off the connection between your phone and Apple Watch (until you turn it on again).

1. Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show the control center

2. Click on the Bluetooth icon to turn it off

Disable JavaScript in Safari

JavaScript powers the modern web but has been used in a significant number of web attacks. Disabling JavaScript will significantly improve the security of your device but will likely break many modern websites (rendering them unusable).

If you are a higher-risk individual (politician, journalist, dissent, etc, then you may want to turn JavaScript off. Otherwise, you may want to ignore this change (aka leave it on). Changing this setting only applies to JavaScript inside of the Apple Safari web browser.

1. Open the Settings App

2. Find Safari

3. Scroll to the bottom until you see Advanced

4. Turn of JavaScript by tapping the toggle switch.

Disable WIFI Hotspot

The WIFI Hotspot is a setting that is normally set to off. I am specifying it here in case you turned it on.

WIFI hotspot allows other WIFI devices to connect to your smartphone and share its LTE connection (3G, 4G or 5G). Obviously, those devices need to have the WIFI Hotspot password that is configured on your smartphone, but it is possible iOS contains a vulnerability not yet known by Apple that could be exploited, this allowing a threat actor to connect to your device and push malware.

1. Open the Settings App

2. Open Personal Hotspot

3. Turn off Allow Others to Join

This is not a sponsored post and the links are not affiliate links. The links are provided to simplify your journey.

I wrote this post to help the average consumer user.

Many believe bad things only happen to other people, but the quantity and severity of breaches are growing quickly. Once you have accepted that you may be part of the unlucky, how do you know if your information was leaked in a breach?

Was my information leaked in a breach?

First check HaveIBeenPwnd

Security researcher Troy Hunt has created this free resource to check if your email address was part of any known breach.

You simply enter the email address you used to register for most sites and it will give you a green sign (you are not in any data breach) or a red sign (your email was found in a data breach):

HIBP does not store any emails you use to search for breaches, unless you sign up for their automatic notification service. By listing the sites that leaked your credentials, you can determine what other sites may now be at risk (because the majority of you reuse passwords).

Second, you may want to checkout another similar service operated by the non-profit Mozilla foundation called Firefox monitor.

this works the same way as HIBP. You enter your mail and press check. Similar to HIBP, if your email address was in a known leak, they will list the sites (or breaches):

The third source you can check is a site called cybernews

Like HIBP and Firefox Monitor, you enter your email address and the site returns a list of breaches your information was found in:

Unlike the others, this one does not provide a list of the breaches (or number) your information was found in. This could be a good third check.

I recommend checking these sites monthly or using their auto-alert feature, which will email you if your information is found in a future breach.

BIG IMPORTANT WARNING:

If these sites do not find your information in a known breach, it does not mean you are safe. There are probably hundreds or thousands of breaches that occur each year that go unannounced and therefore these sites cannot catalog that information. Always be careful and we will provide some extra insight later in this article.

Be aware of weird account activity

As mentioned above, not being included doesn’t mean you are safe. So always be vigilant with your online accounts. Sites or services with good security controls will detect anomalous activity related to your account and will email you. As an example, if you receive a password reset link, that you didn’t request,

Or if a site emails Askin if you have logged in from a location you didn’t log in from (you log in from the USA but the email says someone from Prague attempted to log into your account). Gmail does this (for unusual browsers, IP addresses or geographic locations).

Sometimes when accounts are taken over, the attacker will change the registered account email so if you try to log into a service you are registered for and it does not recognize your email address, that is an indication your account was taken over.

Another indicator is strange configurations in your email accounts. Attackers want to get into your email because that is how they can reset service account passwords or delete alerts so you are not tipped off they are trying to break into your account. They can either set up filters in your email (to forward emails of interest to them or mark alert warning emails as read and immediately delete them) or they can set up forwarding of your emails to another email address they control.

The main issue is password reuse

The main issue is password reuse. Most users have a handful of passwords they reuse for all the sites they register on. Once an attackers finds that password, they will try logging into other major services (Facebook, twitter, Instagram, Gmail, Hotmail, etc) and will have immediate access.

This is why I recommend using long unique passwords for each site and storing those passwords in a reputable password manager.

• My favourite password managers (free and paid)

• five sites to help you generate long, complicated and unique passwords

What do I do if my information was leaked in a breach?

With the quantity and size of breaches, it is likely that your information was leaked in a breach, what do you do now?

• If you reuse passwords, then the first thing you should do is visit all the sites you use and immediately change the passwords.

• If you are locked out of your account (if could mean the attackers have done an account takeover), use the reset password functionality to change your password.

• If you are sure you had a registered account but the system can not find your email address (when you use the above reset feature), it could mean the attackers have changed the registered email address for your account. You will have to contact the support team for the site in question and explain the situation.

• Another interesting recommendation you don’t see often is to use multiple email addresses. If you are using a password manager (and you should be by now), then why not create a free email address for different groups of services. Maybe one for online shopping, one for social media, etc

Good internet password hygiene

• Use long, complicated and random passwords for each site. Something like f%[_8s9f579o+*38zjURqjK}GQZ

• You can also use long passphrase (if you are stubborn and don’t want to use a password manager) but make it unique for each service: 1l0v3*K1nG!*Appl3?P3acH%Umrellas-P1nk!

Most sites use a technique called hashing to store user passwords. This means that they don’t store your password but a mathematically derived result and hackers have to “crack” the hashes to reverse them back to passwords. This cracking function is done with trial and error and is impractical for long and complex passwords. So even if your data is leaked in a breach, they may not be able to reverse the hash and your account may end up being “safe” if you use long and complex passwords.

• Never reused a password for multiple sites.

• whenever possible, use two factor authentication to add additional security to your account.

There is a great free site called twofactorauth that has an exhaustive list of sites that allow users to leverage 2 factor authentication and even provide a link to the info page on how to turn it on for many of those sites

The most secure is using a hardware token (my favourite token is the Yubikey ones) and the least secure is SMS. If you are curious why SMS isn’t secure, I wrote an old article about the SS7 attack.

If you choose to use a software token, the one I recommend is Authy by Twilio Authy is free, cross-platform and incorporates good security protection features.

If you. are performing Open Source Intelligence (OSINT) or Signals Intelligence (SigInt), you may need to generate fake identification information.

The information in this article is being provided for educational purposes only. Don’t do anything illegal.

Fake Name Generator

This site generates believable fake identities with name, address, Date of birth, telephone number and much more. If you need a “complete” fake identity then this free site may be useful.

Data Fake Generator also performs the same function.

Fake IMEI

The International Mobile Equipment Identity (IMEI) number is a unique identification number that all mobile phones and smartphones have. If you need a fake one, this simple page may be useful. You click on generate and it creates a new one for you.

Elf Wrin’s lair

This is a classic site that can generate a ton of useful fake information such as:

• complete fake ID

• credit card

• Social Security Number

• car license plate

Although the information is fake, all of the information will pass the generic algorithmic checkers.

PIC/CIC Database

The site describes its usefulness as follows:

“Many PIC and CIC codes can be manually dialed before placing a long distance call by dialing 101 followed by the PIC/CIC code. This forces your call to be carried by that PIC/CIC code's carrier instead of your normal long distance carrier.”

This is a more niche service and will only be useful to a very small group of readers.

Fake photo generator

There may be times when you need to create a fake profile (dating site, social media, etc) and this site will generate an AI (Generative Adversarial Network) created picture for you. Simply refresh the page to get a new image. If you like the image, save it as it may never come back. Also double check the entire image to make sure there aren’t any weird artifacts.

The purpose of this blog article is to share some useful sites that will allow you to create temporary contact mechanisms for OSINT, SIGINT or other cyber activities.

This is not an exhaustive list and I am simply listing these here to help you. This listing should not be considered a personal endorsement by me. Do your own research ;-)

Disposable email

10 minute email offers a quick way to receive email with an email address that disappears in 10 minutes. This free service can be useful if a site requires registration with email verification but you don’t want to give away your real email address and this is a one time use activity.

Email forwarding service

There may be times where you want to protect your email address but need to regularly receive emails from an untrusted source or from a service you need to hide from. This is here AnonAddy comes in. They have a free plan for casual use and paid plans if you need a bit more functionality,

If you are technically inclined an require additional security or privacy, the service is based on an open source project so you can host this solution yourself as well.

Send faxes anonymously for free

FaxZero is a fax service that allows you to send faxes for free. They do require that you click on an email confirmation link before they process your fax. Hence why I listed the other email services above. FaxZero does offer a paid service if you need priority faxing of higher volumes. The best recommendation is to use the free service during times when you believe they should be less busy therefore your faxes will go our sooner. In my testing (over 3 months), 95% of all my faxes (with the free fax service) were sent within 20 minutes.

Send a Free anonymous text message (SMS)

Globfone is a free web based service that allows you to send SMS messages to almost any smartphone on any network anywhere in the world. it is anonymous and does not require a registration. It adds a small ad at the end of your SMS that reads “/try Globfone”.

The other services listed on their site seem much less reliable but the SMS one has worked every time.

Receive SMS messages

There may be times when you need a temporary disposable inbound SMS number. This is where SMStoMe shines. It is a free service and requires no registration to use. Remember that inbound numbers are shared. Numbers are refreshed every 30 days and are capable of receiving SMS messages from any network in the world.

Free WIFI cellphone number

There are many free WIFI calling and SMS services out there but the one I have found to be the most reliable is TextNow. You can buy an add free service with number protection for about $40 a year but the basic service (that should meet your OSINT needs) is free.

Everyone on the internet knows what a search engine is. It allows you to find internet connected resources (webpages) quickly and easily without having to catalog the web yourself. Well Shodan.io is a search engine used by researchers and hackers to find Internet of Things devices connected to the internet (printers, webcams, industrial systems, WindowsXP, etc).

The purpose of this article is to provide some hyperlinked examples to help the Open Source Intelligence student play with Shodan and make it immediately useful.

This article will provide some examples of how to find webcams connected to the internet.

While you will find thosands that are unprotected (no username or password required) others will be protected but have the default password enabled. Where can you find webcam default passwords? Just search the net but here is one called iSpy to get you started.

Many of these searches will require a free Shodan account so make sure you create one.

I am providing this information for educational purposes only. Don’t do anything illegal.

html:"DVR_H264 ActiveX" - Security Digital Video Recorders

title:camera - This is a quick search that lists anything with the word camera in it

webcam has_screenshot:true - This search lists any device that self identifies as a webcam and where Shodan has a screenshot.

Server: IP Webcam Server "200 OK" - android IP webcam server

server: webcampxp - Looking for a very popular windows Webcam server software

title:”blue iris remote view” - Webcams using the Blue Iris webcam management software

product:”Yawcam webcam viewer httpd - Yet Another Webcam is a free webcam publishing server software.

title:”IPCam Client” - Devices using the IPCam software

title:”+tm01+” - loads of unsecured Linksys webcams

Others

I will be posting more articles about other interesting Shodan searches but here are a couple extra to wet your appetite.

"230 login successful" port:"21" - Find FTP servers without logins

I am a Canadian and politically independent.

As a Canadian, I have been watching many on the left cheer as the top 5 biggest tech companies killed the right-wing social media app Paler. Apple and Google removed the app from the app store. Twitter and Facebook removed their social media accounts and Amazon turned off their cloud hosting.

The left touted this as a significant win “for the good guys”.

Let’s talk Alibaba

Alibaba is one of the biggest tech companies in China. The brainchild of Chinese billionaire Jack Ma, it operates 3 primary brands Taobao, Tmall and Alibaba.com. It’s online marketplaces generated about $280B of revenue.

Like Google and Amazon, Alibaba invests heavily in AI, ML and other bleeding-edge technologies. In fact, their AI is so sophisticated that they can predict customer purchases with incredible accuracy. Singles day is the biggest shopping day in China. Weeks before the 2018 singles day sale, Alibaba employees began boxing predicted future customer orders and employees claim the predictions were 80% correct. Alibaba also claimed to have facial recognition software that can distinguish minorities.

Similar to Amazon AWS, Alibaba operates a large global cloud platform called Alibaba Cloud.

Jack Ma is also the founder and owner of the Ant Group. The Ant Group is the world's largest mobile and online payments platform.

We are now hearing that China may nationalize both Alibaba and the ANT group. Regardless of nationalization, we know that all Chinese companies must help China if asked and if deemed beneficial by the CCP.

Back to Parler

If none of the American or European cloud service providers agree to host Parler, it may choose to move to the Chinese cloud. The Alibaba Cloud may host the site and Alipay can process payments. What would happen if the most popular US right-wing political website was hosted on a Chinese company platform that also owns incredibly advanced AI models? And what if that company were nicely asked by the CCP to help advance Chinese political aspirations?

What could China learn by analyzing all that right-wing political information? What would happen if they decided to secretly change how posts are shown? What if the CCP decided to weaponize the platform with the aim of further destabilizing the US political space?

As a security professional with a deep understanding of China, I just want to urge a little caution. This short term gain may have serious and long term repercussions if it pushes Parler towards the Chinese.

The most likely outcome is that they will try to build their own infrastructure but this is dependent on other American companies selling them products and services (e.g. switches, servers, connectivity, etc). If they are unable to acquire the needed gear, they will either have to choose Alibaba Cloud or agree to disappear.

I wrote an article on how to browse Twitter anonymously using Nitter. I talk about the issues and dangers of tracking by Twitter, the Facebook owned Instagram takes all those risks and pumps them up 10 times.

Nitter is a consumption service for Twitter posts, well bibliogram.art is a consumption service for public Instagram posts.

Bibliogram is a website that scrapes Instagram public profiles and then displays it in a cleaner, faster loading interface that stops trackers, removes ads, generates an RSS feed and doesn’t require an account.

Obviously, because you are not logged in, you cannot post, comment, follow or perform other functions that require an account.

Here is the profile of vegan artisanal cheese maker Vegcheese on IG which consumes 1.81MB to load.

Here is the Vegcheese IG profile via bibliogram and it consumes 748KB to load (less than half the size of the original IG page.

You can browse bibliogram from any web browser. Here are some instances for you to try:

• bibliogram.art (AU)

• bibliogram.snopyta.org (FI)

• bibliogram.pussthecat.org/ (DE)

• bibliogram.nixnet.services/ (DE)

• bg.endl.site (US)

• bibliogram.hamster.dance/ (US)

There are many more instances around the world but I wanted to give you some examples. For me the fastest is the ENDL hosted site from Canada.

If you use Android, you can install the UnTrackMe app and force all Instagram links to open in bibliogram as well.

Twitter changed its privacy policy this year, preventing its user from opting out of profiling for advertising purposes and informed users that it would be sharing more data with said advertisers.

I know that most users couldn't care less about their privacy but for the small band of privacy crusaders wanting to use Twitter without giving up their privacy, keep reading.

This Twitter front end is called Nitter. It is an open-source front end that redirects Twitter links to its interface, stripping all tracking code from the page or links. You cannot log into your Twitter account or send messages through Nitter (since that would allow tracking), and Twitter doesn't officially allow third party web interfaces to its services.

Here is the “business case” from the Nitter dev team in their own words

It's basically impossible to use Twitter without JavaScript enabled. If you try, you're redirected to the legacy mobile version which is awful both functionally and aesthetically.

For privacy-minded folks, preventing JavaScript analytics and potential IP-based tracking is important, but apart from using the legacy mobile version and a VPN, it's impossible. Using an instance of Nitter (hosted on a VPS for example), you can essentially browse Twitter without JavaScript, while retaining your privacy.

In addition to respecting your privacy, Nitter is on average around 15 times lighter than Twitter, and in some cases serves pages faster. In the future a simple account system will be added that lets you follow Twitter users, allowing you to have a clean chronological timeline without needing a Twitter account.

There are countless ways to ensure Twitter links you click on open in Nitter (instead of Twitter).

• On Chrome, you can use the Nitter Redirect.

• On Firefox, you can use the Nitter Redirect.

• On Microsoft Edge, you can use Privacy Redirect.

• On Android, you can install UnTrackMe from the F-Droid store

Here is an example of my @ekiledjian Twitter page

Here is my Twitter stream on Nitter

Most Twitter clients (e.g. Tweetbot, Twiterific, etc) are designed to log you into your account and therefore require you to log into your Twitter account through them, so Twitter can grant them a unique authentication token. This means that Twitter can revoke the tokens assigned to a client, if the client falls out of favour.

Nitter on the other hand is only requesting the public profile page of the account and then re-skins it to remove all trackers and beacons. Nitter is much more difficult to block.

There are times when certain public profile Twitter users will block you. In my case, I tweeted an article about corruption (written by a major Canadian newspaper) about the mayor of Brampton and he decided to block me on Twitter. To be clear, I never harassed him or did anything un-gentlemanly. I simply retweeted an article from a major Canadian newspaper that they themselves had tweeted.

But through Nitter, I can access all of his public tweets

Hopefully you found this useful.

Most of us have multiple streaming service subscriptions (Netflix, Hulu, Disney+, etc). As money becomes tighter, some want to lighten their monthly subscription spend and here are some legal ways to stream.

Kanopy

Kanopy offers an interesting portfolio of artistic and classic films. Before you close this page thinking the content is low-grade, know that they even have some films from the Criterion collection.

Kanopy also supports AppleTV, Roku, Chromecast, AndroidTV, FireTV and SamsungTV.

The catch is that you have to be a member of an organization that is subscribed to their service (local library or University ) The one important note is that their film catalogue changes regularly so if you see a film you want to watch, stream it quickly.

Popcornflix

I know the name sounds like one of those Android side-loadable illegal BitTorrent streaming "services" but it isn't. Popcornflix offers comedies and mainstream movies (many recent releases) for free in exchange for inserting ads while you watch. You can watch Popcornflix through any modern web browser or via apps on Roku, AppleTV, Google Play, Amazon or Xbox.

Internet Archive

Many technical geeks know Internet Archive for their service that is trying to archive the web for posterity.

In addition to that noble cause, they also store and stream a considerable amount of classic black and white films (from days gone by). The Internet Archive waits until the copyright expires and then stores and streams it. Everything they stream is in the original unedited format.

Crackle

Crackle has been around for a while but never seems to have caught on. Owned by Sony, it offers relatively modern TV shows and movies for free. They monetize the service by inserting ads. Crackle offers some cult classic films that other platforms don't, so it is worth a look.

Hoopla

Similar to Kanopy, Hoopla requires you to be a member of a library that offers its services. Hoopla is owned by Midwest Tape, a company that supplies libraries with DVDs, CDs and audiobooks.

You sign up using your library card and you will instantly gain access to hundreds of movies and TV shows. Hoopla works via your web browser, on most tablets (Android, iPad), Smartphones (Android and iPhone) or on TV-connected devices like AppleTV, AndroidTV, Chromecasts, Roku and FireTV.