What’s Up, with WhatsApp

I have been posting about WhatsApp recently so I thought I would make them all into a small blog.

I was surprised (Or maybe I wasn’t) that It was recently revealed that the Prime Minister was using WhatsApp to communicate with his cabinet. The Digital Exposure vulnerabilities to the PM, would immediately be apparent to a Hostile Threat.

The reason why a High Value Target such as the PM should consider moving to a more privacy focused alternative I would have thought would have been obvious.

Yes of course we know WhatsApp is encrypted, (they borrowed it from Signal) but it obtains a lot of metadata about the user, such as location information, contact information, user content, purchases, diagnostic information and more.

If you back your WhatsApp messages up to iCloud they are not encrypted, you may not even know you are backing your chats up to the iCloud if you haven’t taken the time to lock your mobile phone down.

Unless you know the work around you can only use WhatsApp by syncing your contacts. This is a massive OPSEC & Privacy vulnerability for a High Value Target. 89.6% of all phishing attacks carried on messenger apps are delivered using WhatsApp, the Israeli cyber intelligence company NSO use WhatsApp to deliver its spyware, Pegasus, which is aimed at people who would be considered High Value Targets and can infect both Android and iPhones.

Further reading: –

https://www.bbc.com/news/technology-57910355

https://www.techrepublic.com/article/the-most-dangerous-messaging-apps-on-android/#:~:text=New%20data%20from%20Kaspersky%20reveals,whopping%2089.6%25%20of%20detected%20attacks

https://www.theverge.com/2021/3/8/22319136/whatsapp-cloud-backups-icloud-google-drive-password-encryption-security

https://www.androidpolice.com/2020/04/08/3-ways-to-message-a-number-on-whatsapp-without-adding-them-as-a-contact-first/?amp

WhatsApp was founded in 2009 and bought by Facebook in 2014 for $19 billion, a figure that valued each of the app’s 450 million users at around $42 a head. Facebook’s biggest property is now WhatsApp. The price may seem astonishing but in reality $42 a head, is a small price to pay for all the metadata that they receive on a daily basis from users, data that could be monetised by Facebook itself or by selling the information to third parties.

The latest WhatsApp statistics show that two billion of its users access the messaging app every month (Statista, 2021). That’s 0.7 billion (or approximately 54 percent) more than its closest rival and parent company’s Facebook Messenger.

Don’t forget WhatsApp is rolling out a new Terms of Service globally which faced an initial backlash form users in relation to what information it would be sharing with its parent company.

Just think of how many people use WhatsApp to create groups, some will work in sensitive roles, so they can communicate when at work or outside of work with colleagues. WhatsApp won’t know what the text is in the message, but they could be able to work out who these people are, or buildings they work from etc, the metadata will not be anonymous.

For further reading on this subject https://www.wired.co.uk/article/whatsapp-instagram-facebook-data

I have also read articles that the PM’s mobile number was available online, it doesn’t appear he has been practicing good mobile hygiene or OPSEC.  If I was a, Hostile Threat, this would provide me with numerous opportunities and pivot points to exploit the number further.

If I was a, Hostile Threat, and I knew your mobile number, then I can gain a certain amount of access to your WhatsApp account. Better still if you leave your phone unattended I could either steal your account or duplicate it on my device, depending on what counter measures you have deployed.

I have recently read that WhatsApp is going to make syncing your WhatsApp account to other devices more seamless an experience. Maybe not the best option from a privacy and security perspective.

At least there is a certain amount of security currently, if someone does sync your account without your knowledge to the desktop app, it is reliant on your mobile phone having a stable internet connection, when you lose internet it breaks the connection to the desktop which means a Hostile Threat would need to re-sync your account. You should always check the, ‘Linked Devices’ in your settings.

I totally understand that WhatsApp is convenient and all your friends and family are probably using it. In reality it is a personal choice and what you consider your own personal Threat Model to be. There is always a balance to be struck between, Privacy, Security and Usability.

Check out my other blog at https://www.cqcore.uk/something-a-little-different/ if you are interested in having more private, secure communications.

© cqcore 2021

Understanding The Links

I suppose there is a certain paradox in relation to having content about OSINT, OPSEC & Privacy on the same website. Why would someone who is involved in OSINT care about a person’s Privacy or why would someone who is keen on their Privacy care about OSINT or OPSEC.

I hope from the explanation below you will see how OSINT, OPSEC and Privacy are so closely linked and if we practice one discipline we should have a good working knowledge of the others.

An OSINT practitioner needs to understand the limitations of their work if they do not know how Privacy or OPSEC practices deployed by a subject may affect their ability to capture information or intelligence. Can they see this, understand it and can they circumnavigate it? They also need to understand the risk of being compromised by their own OPSEC practices. Do they understand that if they deploy tight Privacy practices on their accounts that this may effect what they can see of their subject.

A person who cherishes their Privacy needs to understand how it can be exploited by OSINT practitioners. What are the risks to people who do not practice Privacy or OPSEC.

OSINT

OSINT, stands for Open-Source Intelligence, which is a methodical driven approach to collecting, analysing and making decisions about data accessible in publicly available sources which is to form an intelligence picture of a subject, group, company, organisation or country.

It is probably true to say that OSINT has been around as long as it has been necessary to obtain information or intelligence. Certainly after both World Wars and the onset of the Cold War there was an uplift in the necessity to collect Open-Source Intelligence. As we have moved into the digital age, more information is publicly accessible and as our digital footprint expands so do the opportunities to obtain Open-Source Intelligence.

OPSEC

Operational security looks at what digital footprint risks we leave and how we can mitigate those risks. It encourages us to view our habits from the perspective of an adversary in order to protect sensitive information about ourselves or the fact that we are looking at them. What are our vulnerabilities and can they be discovered or exploited. It is not that we are trying to hide it is that we are trying not to be discovered.

Some measures we can take are free, some we will have to pay for, some measures are simple to implement some require more knowledge and application. The important point however is that we can increase our OPSEC and still enjoy our smart phones.

PRIVACY

The above two have their history firmly planted in the military and intelligence worlds, however with the advance of the digital age Privacy is also an important factor now.

I am not sure that while we use and carry around a smart phone, or other device that transmits and receives data that we can ever be 100% private. Can we really be expected to know what our smart phones and the apps on them are really doing. What we can do however is take steps either reasonable or extreme to reduce our digital footprint and increase our privacy.

What information we openly share or have to provide to be able to use a service can be potentially important personal identifiable information. We need to have some control over how our personal information is collected and used. The next data breach could expose you.

HOSTILE THREAT PROFILING

Putting all the above together, we can begin to see how individuals may be susceptible to hostile threat profiling. For people in positions of authority or influence this could be a vulnerability.

“Once effectively gathered, this intelligence can be used to locate an individual, identify patterns of life and target them accordingly. Many people are unaware of how they are sharing their personal details and what types of data may appear online. This is a particular risk for law enforcement, military, security services, diplomats and high profile people.”

David Benford, OSINT Trainer.

“A high-valued target can be anyone with privileged access and organizational influence, with access to sensitive information, or anyone with high levels of exposure and influence”

“Social exposure will inevitably lead to security & personal information leaks, especially when the high-valued target is not aware of essential security guidelines”

Christina Lekati, Social Engineer

Ideally in the below image we would want the circles not to interlink however this is not realistic given the digital age we live in. We need to make the area where they do interlink as small as possible. We also need to understand that the circles may not interlink evenly and as a result we can assess where our vulnerabilities lie more accurately.

In the below image we can look at what we want from our digital devices in terms of Usability, Security & Privacy. I have chosen a more Secure and Private approach by placing a dot in the lower left corner, I have scarifised Usability. This may not be suitable for all, by moving the dot around the triangle you can see what is important to you and then you can be to work out how reasonable or extreme you strategy needs to be to achieve better Security and Privacy.

How you want to position the above circles or dot will depend on your own Threat Model which should be distinct to you.

© 2021 cqcore

Deep Dive into Operational Security

(First Published on Medium March 2020)

In my previous posts you may have gathered I have an interest in leveraging mobile phones for the purpose of OSINT however OPSEC is never far from my thoughts and I have @dutch_osintguy to thank for that, as he is passionate about the subject and gave me a few pointers for this blog too. Check out his blogs and webinars.

Now some of what I am going to write about you may think that the risks to your investigation are minimal however depending on the person or entity’s capability and position it could well be an issue. This is a dip in the ocean and It is all about assessing where the risks lie.

My preferred method of using a mobile is to use brand new smart devices although I have reused devices too. I understand that there is always cost elements at play here. We are fortunate in the UK that we can purchase a new smartphone for cash without the need to provide any identification. The same is true of a SIM and access to mobile data.

Reusing old devices however can create potential OPSEC risks.

I am going to talk generally here about Google & Apple devices. They use unique identifiers sometimes referred to as universally unique ID or UUID to track a device and link them to accounts. Don’t forget if you are using an Android device from any other manufacturer they will also be collecting information in a similar fashion and I would say you should read up on their privacy polices too.

This is from Google’s privacy policy on the information they collect,

“A unique identifier is a string of characters that can be used to uniquely identify a browser, app, or device. Different identifiers vary in how permanent they are, whether they can be reset by users, and how they can be accessed.- Unique identifiers may also be incorporated into a device by its manufacturer (sometimes called a universally unique ID or UUID), such as the IMEI-number of a mobile phone.”

In essence what they can do is link an IMEI across their database. So what @dutch_osintguy preaches is never mix your OSINT persona with your personal social media is very relevant here. So if you decide to reuse one of your old smart devices to setup a new sock puppet and you insert a new SIM to provide yourself with a new number for anonymity, that may not be enough to protect your OPSEC.

If you are in any doubt about what information they gather read their privacy polices, maybe a riveting night time read, or maybe not, in any case you will fall asleep.

So the phone is factory reset however when you set the new phone up with a new sock puppet account Google and Apple has a record of the ID of the device so can link it back to the original account or accounts that have previously been on the device. Now this may or may not be an issue as your subject or entity may not have the ability to access that information however at the very least you are leaving a footprint for Google & Apple.

Now I cannot say how Google or Apple’s algorithms work because I am just not bright enough or informed enough but we do know that they use a devices, probe requests, Wi-Fi, Bluetooth, cellular connection and location data to improve there geo-location of you coupled with other factors such as time correlation and behaviour. Now with this in mind you may wish to consider not even having your own personal devices switched on or even in the same place so that there is no possibility of a connection between your personal devices and your sock puppet device. You may even want to consider the purchase of a Faraday bag.

Wi-Fi is another potential issue too. If as part of setting up your new sock puppet account on your device you decide that Wi-Fi at the local McDonald’s is a good idea, herein lies another potential risk. I know this has been a popular choice for creating Facebook accounts so as to protect your OPSEC when not using a VPN and an attempt to fool Facebook. You should however consider using a more privacy focused no logs DNS provider as opposed to the Wi-Fi providers DNS.

Even though the device has been factory reset as soon as you join the Wi-Fi at McDonald’s (which is supplied by 02 in the UK), if that device has been seen previously on the O2 Wi-Fi network it will automatically recognise the device by it’s MAC address and will display the previous persons details as a welcome message. At this point you have two choices continue as you are using the old PII supplied or start again with your new sock puppet’s PII and risk linking the two together as O2 will use the MAC address to do this. What I have seen in the UK, is free Wi-Fi is not necessarily free as you are sometimes having to provide, mobile number, email address, name, date of birth and home address. So careful consideration needs to be given as to what free Wi-Fi you use. Asda does not require any information at all to use their Wi-Fi but in my tests you couldn’t use a VPN either, so there is a trade off.

Another consideration If you are using Facebook on your device is not only their privacy policy as they also capture device identifiers, you may also want to see what information other apps are sharing with Facebook. Navigate to Off-Facebook Activity in your settings and there you will find this information. I have been doing some research recently on how to potentially leverage dating apps and would you believe it, they had all shared information with Facebook. You are able to disable this, so this maybe one of the first things you do when setting up a new account. Again, without meaning to labour the point don’t mix your personal social media with your OSINT.

It really is a game of cat and mouse as to what you lock down from a privacy perspective as this can affect what information you are able to obtain yourself but it is so important to know what the apps and devices you are using are leaking about you so you are able to rationalise that against your threat model.

Useful links

Dutch Osint Guy https://dutchosintguy.com/

Privacy Policies

https://policies.google.com/privacy?hl=en-US

https://www.apple.com/legal/privacy/en-ww/

https://www.facebook.com/about/privacy

DNS Articles

https://www.lifewire.com/free-and-public-dns-servers-262606

2https://www.techradar.com/news/best-dns-server

https://www.howtogeek.com/261701/how-to-change-the-dns-server-on-your-ios-device/

https://www.androidpolice.com/2019/12/14/make-android-use-dns-server-choice/

Off-Facebook Activity

https://www.washingtonpost.com/technology/2020/01/28/off-facebook-activity-page/

Facebook Lockdown

(First Published January 2020)

Now, I am not a fan of Facebook purely from a privacy perspective. I can see the appeal of social networking platforms like Facebook.

I have an acquaintance who recently decided to set up a Facebook account as a friend he knows was moving to country where Facebook was the only means of messaging people. I did ask him why he had not simply downloaded the Facebook messenger app instead of creating a Facebook account.

Anyway he assured me that it was completely locked down and private. Needless to say when I checked it wasn’t. So I thought a short blog on taking control of your Facebook’s privacy settings maybe necessary.

Now basic privacy principals is about looking at the platforms and apps you use and adjusting the privacy settings accordingly. Moving forward there maybe be a necessity to invest in your privacy some of which I will explore in future blogs.Now Facebook has been involved in some nightmare privacy scandals and to give them their due they have made life difficult for people to leverage the site for information. A couple of years ago you could place a mobile number in the search bar and it would find you the account it was linked to. That no longer exists but you could still use the messenger feature within Facebook to add a number to find the account, that too has recently disappeared. Facebook have also announced that they will no longer link a mobile number used for 2FA (Two Factor Authentication) to an account.

In June 2019 Facebook also discontinued the Graph Search feature. Now all this may potentially thwart the casual researcher however a dedicated and methodical OSINT (Open Source Intelligence) practitioner is still able to leverage the site. Does Facebook monitor the OSINT community? I do not know however if I was Facebook I would be.

Moving forward however Facebook looks like it is rolling out a new preventive health tool and is asking user to participate in their facial recognition tech. There has been some discussion for a while that Facebook intends to bring all their messenger apps, Facebook messenger, WhatsApp & Instagram under one platform. What this would mean for privacy awaits to be seen.

I completely understand why people use Facebook. If you have ever been stuck on the M25 commuting to and from work, there are plenty of groups that provide live updates. If you have a favourite sports team or personality what better way to follow them. Lets not forget staying update to date with what friends are doing whether that is a genuine reason of just because we are nosy by default. In a later blog I will write about how you can setup an Alias account to protect your privacy. Something that journalists or people working in sensitive positions may find useful too.

So firstly to lock down your privacy you need to go to the settings

Then the Privacy tab. This is where you can then lock your account down.

Once you are happy with your privacy settings you can then preview how it looks to the outside world. Go to your timeline and click on the three dots next to the Activity Log an select, View as.

One new area of privacy that has hit the headlines of late is the how other apps share your data with Facebook. Thankfully you can view this and also turn it off.

To do this you need to navigate to you information settings where you will find the Off-Facebook Activity. You can download your activity and also see who has been sharing your activity with Facebook. You maybe surprised by what other apps are sharing with Facebook.In here you can then turn off this feature by going to;- Manage Future Activity – Future off-Facebook Activity and toggle the off switch. You will get the usual warnings about how this affects how Facebook can serve you however this should not stop you from confirming you wish to turn it off.

Hopefully you have found this introduction to Facebook privacy helpful so go and have a look for yourself.

A New Year, New Privacy

(First Published January 2020)

For my first blog of the New Year. I wanted to do a small introduction as to why I felt the need to write blogs relating to privacy in the modern world and how it relates so closely to OSINT (Open Source Intelligence), Social Engineering & inadequate security measures.

In the last few years I have seen how others have used the aforementioned to commit crimes against non-suspecting innocent people often with tragic consequences. Then there are the unscrupulous companies who harvest our information so that they can make money. So I will look to pass on my knowledge and experiences to anyone who wants to protect their privacy. I am not a tech wizard and have learnt from reading articles, exploring different practices and experimenting.

The reasons for a person to protect their privacy will differ from person to person. Someone who is high profile may need to take measure far and beyond what most of us may deem necessary but you can guarantee that some of the techniques are also suitable for the vast majority of people too.

There is a lot of material available both online and offline that will help you however I have always found these to be in the whole orientated towards the US and finding similar solutions in the UK is a little bit more challenging. On the whole it doesn’t need to cost a penny but there may be occasions where you have to invest some money to regain the privacy you desire. I will explore this in future blogs. My intention is not to single out or berate companies whose products do not serve our privacy but is more to help people navigate this world.

As it is the New Year I have decided that this would be a good time to have a clean out of all those Apps that you no longer use. We do not seem to want to delete anything, in the same vain as we do like to throw our old clothes away.

There are over five billion mobile users in the world, with global internet penetration standing at 57%.

As of the first quarter of 2019, these app users could choose to download between 2.6 million Android, and 2.2 million iOS apps. And they certainly are choosing: App Annie sets the total number of app downloads in 2018 at 194 billion; up from 178 billion in 2017.

Apps come and go just like the seasons. What is a popular one year may not be so the next. We download apps on the recommendation of others and never truly buy into its use but it stays there on our phone. I have friend with nearly four screens of Apps most that he freely admits that he does not use and has no idea what the log on details are.

One thing I will say is please unless you know what you are doing only download Apps from reputable sources such as Apples App Store or Googles Play Store.

An App when it is downloaded will ask for certain permissions giving it access to parts of your phone such as, microphone, camera, location data and so on. Most of the Apps do not even need to have those permissions to work. So why is it they ask during the setup and why do we agree? I have denied Apps permission requests that I thought that it did not require and they have worked fine.

Easy one, why does your calculator need access to your location? Some Apps will need access to your location, such as a weather app but then you need to consider do you need to have your location switched on all the time or can you use it when you need to. You can set your permissions so that apps only have them when the App is in use instead of carte blanche.

Ask yourself the question, “Have I ever looked at what data the Apps on my mobile are harvesting?”

It’s beyond the scope of this blog to detail specific cases but there are many great articles detailing how Apps capture your data and how that data is abused or monetised. if you prefer watch the Netflix documentary ‘The Great Hack.’

So this new year when your on the train or bus home do some App house keeping and delete the Apps you do not need or no longer use. I bet you won’t find it as easy as you first thing and you may have to be brutal in your decision making. If you delete an App you no longer use ensure you also delete the account on it too.

Now that was part one completed.

Once you have purged your phone the next step is to then check what permissions the remaining Apps have. You will generally find these permissions in the privacy section of your settings. If you are unable to find it you can type, “Permissions” in the search bar at the top of the settings page, this will generally provide you the options available. Now clearly how these are displayed will differ from device to device.

Once you have located the permission you will then be able to see which Apps have been granted which permissions. From there you need to work your way through them. It will be a case of determining what the Apps is for and what permissions it has been granted.

Taking the weather App, location permission seems appropriate, microphone and contacts maybe not so. The calculator does it need to know my location, I think not. You will find that in the majority of cases a common sense approach will serve you well.

Now you will find some apps especially those that are important to how the device works a little bit more problematic. I have found that I was presented with a warning that the App may malfunction if I altered the permission settings. I would say in my experience it has been a 50 / 50 split whether the App malfunctions or not but if you it does you can reinstate the permission. It’s not for the faint hearted and if in doubt leave it as it is.

Last but not least keep a check on those pesky permissions because sometimes when an App is updated they have been known to reinstate the previous permissions.

One last quick snippet consider buying a privacy screen for your device, whether it is a mobile, tablet or laptop. Have you ever been sat next to someone or behind someone on the bus or train and seen their screen clear as day whether intentionally or not. Most people I know do buy screen protectors and the extra cost of a privacy screen protector is negligible.