What’s Up, with WhatsApp

I have been posting about WhatsApp recently so I thought I would make them all into a small blog.

I was surprised (or maybe I wasn’t) that it was recently revealed that the Prime Minister was using WhatsApp to communicate with his cabinet. The Digital Exposure vulnerabilities this creates for the PM would immediately be apparent to a Hostile Threat.

I would have thought the reason why a High Value Target such as the PM should consider moving to a more privacy-focused alternative would be obvious.

Yes, of course we know WhatsApp is encrypted (the encryption is borrowed from Signal), but it obtains a lot of metadata about the user, such as location information, contact information, user content, purchases, diagnostic information and more.

If you back your WhatsApp messages up to iCloud they are not encrypted, and you may not even know you are backing your chats up to iCloud if you haven’t taken the time to lock your mobile phone down.

Unless you know the workaround, you can only use WhatsApp by syncing your contacts. This is a massive OPSEC and privacy vulnerability for a High Value Target. 89.6% of all phishing attacks carried out on messenger apps are delivered using WhatsApp, and the Israeli cyber intelligence company NSO uses WhatsApp to deliver its spyware, Pegasus, which is aimed at people who would be considered High Value Targets and can infect both Android phones and iPhones.

Further reading: –

https://www.bbc.com/news/technology-57910355

https://www.techrepublic.com/article/the-most-dangerous-messaging-apps-on-android/#:~:text=New%20data%20from%20Kaspersky%20reveals,whopping%2089.6%25%20of%20detected%20attacks

https://www.theverge.com/2021/3/8/22319136/whatsapp-cloud-backups-icloud-google-drive-password-encryption-security

https://www.androidpolice.com/2020/04/08/3-ways-to-message-a-number-on-whatsapp-without-adding-them-as-a-contact-first/?amp

WhatsApp was founded in 2009 and bought by Facebook in 2014 for $19 billion, a figure that valued each of the app’s 450 million users at around $42 a head. WhatsApp is now Facebook’s biggest property. The price may seem astonishing, but in reality $42 a head is a small price to pay for all the metadata they receive on a daily basis from users, data that could be monetised by Facebook itself or by selling the information to third parties.

The latest WhatsApp statistics show that two billion of its users access the messaging app every month (Statista, 2021). That’s 0.7 billion (or approximately 54 percent) more than its closest rival, parent company Facebook’s own Messenger.

Don’t forget WhatsApp is rolling out new Terms of Service globally, which faced an initial backlash from users over what information it would be sharing with its parent company.

Just think how many people use WhatsApp to create groups so they can communicate with colleagues at work or outside of work; some will work in sensitive roles. WhatsApp won’t know what the text of the message is, but it could work out who these people are, the buildings they work from, and so on; the metadata will not be anonymous.

For further reading on this subject https://www.wired.co.uk/article/whatsapp-instagram-facebook-data

I have also read articles reporting that the PM’s mobile number was available online; it doesn’t appear he has been practising good mobile hygiene or OPSEC. If I were a Hostile Threat, this would provide me with numerous opportunities and pivot points to exploit the number further.

If I were a Hostile Threat and knew your mobile number, I could gain a certain amount of access to your WhatsApp account. Better still, if you leave your phone unattended I could either steal your account or duplicate it on my device, depending on what countermeasures you have deployed.

I have recently read that WhatsApp is going to make syncing your WhatsApp account to other devices a more seamless experience. Maybe not the best option from a privacy and security perspective.

At least there is a certain amount of security currently: if someone syncs your account to the desktop app without your knowledge, it relies on your mobile phone having a stable internet connection. When you lose internet it breaks the connection to the desktop, which means a Hostile Threat would need to re-sync your account. You should always check ‘Linked Devices’ in your settings.

I totally understand that WhatsApp is convenient and all your friends and family are probably using it. In reality it is a personal choice, and depends on what you consider your own personal Threat Model to be. There is always a balance to be struck between privacy, security and usability.

Check out my other blog at https://www.cqcore.uk/something-a-little-different/ if you are interested in having more private, secure communications.

© cqcore 2021

Effective Use of a VPN in OSINT

It has been established for some time now that to protect our privacy the use of a VPN is almost mandatory. For an OSINT practitioner their use is far more than that; yes, there certainly is the OPSEC perspective, but can we manipulate them for the benefit of our OSINT work?

VPNs come in many shapes and forms. Some are more reputable than others, and some more private, such as those who offer “No logging”, where they do not keep a record of your use of their service. Where you sit as an OSINT practitioner will probably dictate which VPN company you use and how you are able to use it as a tool to better undertake your OSINT tasks.

If you are a hobbyist who likes the idea of being able to find out information about others, or are just learning your tradecraft, you may not necessarily want the cost of purchasing a subscription. So you may choose a free VPN; this will inevitably come with restrictions and it will have its limitations, never mind the potential privacy risks.

For professional OSINT practitioners, such as those who work in private industry or Law Enforcement, the use of a free VPN service is simply not desirable or suitable. We also need to consider at all times what information we are leaking to other third parties about the OSINT we are doing. Hence a “No Logs” provider may be beneficial.

Another factor we need to concern ourselves with is the DNS that we use. Does your VPN provider have its own DNS server? If it doesn’t, we can still choose a DNS server in our browser settings or maybe in our firewall. We can choose a privacy-focused DNS provider to avoid what is called “DNS leakage”. DNS leakage is where our lookups still go to our internet provider’s DNS servers, so they can still see which sites we are looking up.
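
As an added example (not from the original post), a small Python check for the DNS leakage described above: it parses resolv.conf-style resolver settings and flags every resolver the VPN did not provide, saying who would see the lookup. The sample file and the VPN resolver address 10.8.0.1 are constructed assumptions; it covers Linux-style resolver configuration only, and a browser using its own DNS-over-HTTPS setting bypasses this file entirely.

```python
import ipaddress

# Constructed sample resolv.conf (not from the original post): the home
# router is still listed ahead of the resolver the VPN pushed to us.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 10.8.0.1
"""

# Hypothetical resolver address pushed by the VPN provider (an assumption).
VPN_DNS = ["10.8.0.1"]


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenise
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def describe_resolver(address):
    """Say who would see the query if it goes to this resolver."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "unparsable entry"
    if addr.is_loopback:
        return "local stub resolver (check where it forwards)"
    if addr.is_private:
        return "LAN/router address (forwards to the ISP by default)"
    return "public resolver (whoever runs it sees the lookup)"


def find_dns_leaks(nameservers, vpn_dns):
    """Return (address, description) for each resolver the VPN did not provide.

    Resolvers are tried in order, so a non-VPN entry listed first means
    most lookups bypass the tunnel even though the VPN is connected."""
    allowed = {ipaddress.ip_address(a) for a in vpn_dns}
    leaks = []
    for ns in nameservers:
        try:
            is_vpn = ipaddress.ip_address(ns) in allowed
        except ValueError:
            is_vpn = False
        if not is_vpn:
            leaks.append((ns, describe_resolver(ns)))
    return leaks
```

Running find_dns_leaks(parse_nameservers(SAMPLE_RESOLV_CONF), VPN_DNS) reports the router address 192.168.1.1 as a leak; an empty list means every configured resolver belongs to the VPN.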

Remember though a VPN is not bulletproof and is not a replacement for good OPSEC practices.

Check this link to compare VPN providers https://techlore.tech/vpnchart.html

We can use a VPN in the same vein as we would use a search engine to research subjects or entities that are not based in the country we are from. I am in the UK, but if the subject or entity is not UK based, is it realistic for me to just use the UK version of Google to research a subject or entity based, say, in the USA? No, it isn’t. I would look to use the US version of Google too, or we could even use a search engine native to the country we are interested in.

Check out Colossus https://www.searchenginecolossus.com/ to see a list of each country’s native search engine(s).

This link will show you the different Google Country domains http://www.genealogyintime.com/articles/country-guide-to-google-search-engines-page3.html

We can combine using a native search engine with a local IP to help us find more information and intelligence than by simply using google.co.uk and a UK IP address. Don’t forget to ask where the information we are looking for is stored: is it on a server in our country of origin, or on a server in the country where our subject or entity is based, or one close by? Will utilising an IP in that country help us retrieve better results from those servers?

What about when we are creating sock puppet accounts? Do we stop to think where our subject or entity of interest is based? Should we change our IP to that country and then create our accounts? This way we can potentially utilise the social media platforms’ own algorithms, which may assist us in finding our subject or information about them.

Remember social media platforms are in the main about networking, making it easy to find people we know or things of interest. One way they do this is by looking at our IP address when we create our account; some will even default our location upon creating the account based on our IP.

Spoiler alert: I do not know how the popular social media platforms’ algorithms work, and I know the use of a VPN to create accounts can be difficult if not impossible. But it is something to consider. Work smarter, not harder; let’s try and utilise the platforms’ own algorithms to do some work for us.

To demonstrate how we can make a VPN work for us, I did an initial search on the Google UK domain for Laura Steele who was involved in the storming of Capitol Hill on 6th January 2021.

The initial results I got on the first page were very generic, mainly relating to possible social media accounts. It wasn’t until the bottom of page 2 that I started to see results for the Laura Steele I was interested in. I will assume that Google’s algorithm doesn’t associate my IP in the UK with being particularly interested in events in the US; it wants to provide me with UK-relevant results.

I have redacted some specific social media accounts for the privacy of the account holder as they were not related to the subject of interest.

Now compare the first page of results, when I change my VPN to a US server. Straight away I see results more relevant to my subject of interest.

If you were to click on the News tab you would see the above repeated. Using the US IP there is, straight out of the box, news item after news item relating to the subject.

And let’s not forget that some VPN providers have multiple servers in a country, so in theory the closer we get to our subject, the more we can start to use server locations closer to them, combined with internet data centres, which may give us even more bespoke results. Don’t forget we can also combine our local VPN IP with a native search engine too.

Below is a map of Internet Data Centres

Another little OPSEC trick you may want to utilise is also based on the above. If you are investigating a website that is abroad and very localised in its appeal, why not hide yourself amongst the crowd? Use a VPN IP and/or a native Google domain to research the site. We just don’t know if the owner of the site sits and reviews the logs, which will show them which country your IP is from.

As I have said, a VPN is not bulletproof and we always have to think about how we deploy them in our OSINT.

My Journey Into The World of OSINT

(First Published on Medium February 2020)

My journey into the world of OSINT is now just over one year old. OSINT is not the main area of my work; I don’t get to learn or practise anywhere near as much as I would like, but it is certainly the work I enjoy the most.

Following on from my previous blogs on leveraging messaging apps for OSINT, I thought I would share how I conducted the research.

I’m still working on the project, which I hope will help me increase my research potential in relation to mobile (cell) phone numbers and email addresses. Most of what I will write about can be done using free resources. It isn’t overly technical and it’s something I thought I would share for those like me who are still learning. There are also many tutorials available on how to leverage the apps I am going to talk about.

The problem was: how can I research mobile numbers and email addresses without relying upon sites that require payment? Everything that happened in the summer of 2019 appears to have focused people’s attention on creating their own OSINT tools. So what could I do with the platforms that people use every day?

My first consideration as always is operational security. I won’t write about that as this would then become a lengthy article. Needless to say @dutch_osintguy has this covered for us with some great articles.

Next up is a sock puppet, @technisette and @jakecreps have some very good articles. My sock would only be used on this setup.

One part of my operational security was the use of a Virtual Machine to host what was going to be my OSINT set-up. There are free flavours from both VMware and VirtualBox. My VM was going to be completely separate from any other OSINT VMs I have created, and I was going to use a clean install of Windows 10. Next up was procuring myself an old Android phone. Family and friends are always upgrading phones, so it wasn’t too hard getting my hands on one for free.

The phone was then factory reset and would only be used alongside my new VM. Setting the Android up is solely for the purposes of leveraging social media apps and messenger apps. You can use Wi-Fi (with a VPN) to download the apps, but you will need a SIM for verification purposes. In the UK a SIM will set you back £1, but you can pick them up for as little as a penny.

Needless to say this is an ongoing project which can be expanded upon; the apps I started off with were the usual suspects, you may say, but I did expand it to include less well known apps.

Next up was replicating this on my VM, so downloading the desktop applications.

Desktop Clients

You will see on the left hand side the desktop applications available for the messenger apps from my previous blog. In the Bookmarks you will see which website applications are in use.

This way I can link these apps to my Android phone and enjoy the desktop experience, and then use the websites for the other social media sites. I also find that this is an easier setup for functionality, flexibility, recording and evidencing what I do.

You may have wondered why Android (people don’t seem to mind giving you old ones, which is a start). You can use an iPhone, which I have done too; however, the next part of the setup is not Apple friendly: the use of Vysor. Vysor is a clever little application that enables you to control your smartphone from your computer as if it were just another window, via a Chrome extension or desktop app. There is a free version of Vysor too, bonus! The paid version is better though, as you would expect. You could in fact not use Vysor at all and rely on the desktop environment you have created, or you could just use Vysor full stop.

If you don’t like the idea of Android then cool, go with an Apple iPhone without using Vysor. You can still mirror iPhones on to your desktop; you just can’t control them using your mouse and keyboard like you can with Vysor. The above setup takes a little longer to set up than an emulator, but I find it easier and more seamless to work with. The benefits are numerous, including the ability to seamlessly copy a profile picture and reverse image search it.

Now before I go any further I think it is important that we understand the risks of using any app to do our research. Truecaller, for example, will suck up your contacts, as that is what their business is. So you have to be very careful and decide on a case by case basis whether you want your subject’s mobile number or email being harvested by all these companies. Privacy policies are boring but an essential read.

Disclaimer: with everything we do, the results are dependent upon our subject’s own OPSEC and privacy settings.

On WhatsApp our luck is in and our subject has not bothered about their privacy. We have a nice profile picture that we can do a reverse image search on and see where else on the web they appear. The bonus of having the desktop application is that you can access the full profile picture and save it straight to your VM. Last Seen is another nice touch: if you are keeping tabs on them you can watch when they are using WhatsApp, and there are also apps that will monitor the account for you. Even if Last Seen is disabled you can still see when your subject is online. This could help you work out their patterns and determine where in the world they may be and the times they operate online. You may get really lucky if someone has updated their status and maybe provided an alternative means of contact because they are offline. Don’t forget to check their About Me either.

I have also used an Android emulator inspired by @aware-online and their excellent tutorial on how to geolocate groups on Telegram.

Needless to say this is not for nefarious purposes, and it should also be used to understand the information you are giving away from a privacy and OPSEC perspective.

OSINT & Messenger Apps

(First Published On Medium January 2020)

Throughout 2019 one thing that is obvious about the OSINT community is how much work people do in their own time and how willing they are to share their work.

So I decided that over the Christmas holidays I would look at the many messenger apps that are available and see what information could be leveraged using a subject’s mobile phone number. I wanted to see what information could be obtained from the app and the desktop versions. This is very much a whistle-stop tour, so please take what I have done and build on it.

Below is an illustration of which apps are popular across the Globe.