Insights For Success

Strategy, Innovation, Leadership and Security

General

Popular TOR site list

GeneralEdward KiledjianComment
TOR-Links1.png
TOR-Links2.png

Candle is a basic search engine. It contains a small but interesting subset of TOR sites.

TOR-Links3.png

Grams is a dark market search engine for labour, digital & physical goods that can be purchased with various currencies including Bitcoin. It searches the most popular darknet markets including Hansa, AlphaBay, Agora, Nucleus Market, Majestic Garden, Oxygen, Outlaw Market, Oasis, Tochka and Arsenal.

TOR-Links4.png

Haystack is another TOR (darknet) search engine and claims to have indexed 1.5 billion pages (which makes it one of the most comprehensive TOR search engines). In my experience, this site is a hit type of thing. Every couple of searches fail for me.

Security sites

TOR-Links5.png

GnuPG (open source version of PGP) allows users to cryptographically sign and encrypt email communications.

TOR-Links6.png


OnionShare is a free and opensource tool that allows users to securely and anonymous share large files over the TOR network.

Anonymous Pasting sites

There may be times when you want to post (public or private) a snippet of text with the world. The common feature shared by most of these TOR based services is that pastes delete automatically after a certain amount of time. These are TOR alternatives to pastebin.com

TOR-Links7.png

DeepPaste is a very simple and basic pasting service.

TOR-Links8.png

RiseUp pasted are automatically deleted within a week. Additionally you can share files up to 50MB.

TOR-Links9.png

Pasta is an open source paste service that supports standard pastes, editable pastes, self-burning pastes and URL shortener.

Email

TOR-Links10.png

Confidant Mail is a free and open srouce non-SMTP encrypted email system that leverages GNU Privacy Guard (PGP).

TOR-Links11.png

Daniel email service is a free anonymous email and XMPP service (limit of 25MB storage space). Encryption is not built into the service.

TOR-Links12.png

Elude is an email service with encrypted storage with a TOR only web client. Their accounts are completely anonymous, they allow you to purge your data completely if required and provide encryption.

TOR-Links13.png

I wrote a review about ProtonMail here and their well designed email service is also accessible via the TOR network. This is a very good option because unlike the other email services here, ProtonMail is a real company offering a professional service.

Social sites

TOR-Links14.png

Cyph Messenger is an open source video chat and file transfer app that uses a modified Signal messenger protocol enhanced with Quantum Resistant encryption (their claim).

TOR-Links15.png

Dread is a TOR Reddit clone that is used primarily as a drug market discussion and reviews forum.

TOR-Links16.png

Here is the Facebook TOR site.

Common hotel safety and security questions

GeneralEdward KiledjianComment

When an operational security expert thinks about hotel risks, we typically group them in these buckets:

  1. physical security
  2. safety
  3. technological risk

Travel security means you need to think about potential risks you may be exposed to and how you could mitigate them.

What about room security?

First, think you should do when you walk into any hotel room is walk around and identify all potential ingress points. Make sure that they are locked (windows, sliding doors, doors to adjoining rooms, etc).

The front door is your primary risk and anytime you are in the room, you should always use all of the protection mechanisms made available to you (lock, hasp and deadbolt).

Capture.PNG

When travelling, I always carry a light and cheap Addalock to provide an additional level of safety.

If I'm going to sleep and believe that the risk level may be higher than normal, I will stack the glass cups (water and coffee) in front of the door so any attempted opening will cause them to fall and wake me up.

Are peepholes in hotel rooms really an issue?

The short answer is yes. There are inexpensive adapters that reverse the magnification of a peephole and allow a threat actor to watch you inside your room. I have even seen some with smartphone adapters so you can even record video.

Tip: If the peephole doesn't have a cover built-in, roll up some toilet paper and shove it in the peephole.

Is a hotel safer than an AirBNB?

This is a question I receive regularly and the answer isn't simple.

Most AirBNBs are located in non-descript residential buildings and therefore could allow you to blend in with the locals. Remember that you have to trust the Airbnb host. 

A hotel, on the other hand, is flashy and everyone knows where it is (forget about blending in) but these establishments typically have stronger better-designed security,

Hotels typically set up shop in safer neighbourhoods whereas an Airbnb can be anywhere.

You need to do some research and determine what your risk profile is and then determine which solution best meets your requirements. 

What should I look for before booking a hotel room?

In an emergency situation, you are ultimately responsible for your own safety. An ounce of prevention is worth a pound of cure. Do your research before booking a hotel and the room. I generally want a non-biased third party to provide the below answers. If that is not possible then I try to stick to major Western chains that usually will be fairly honest with their answers.

  • Choose a hotel where the room locks are electronics. This makes it harder for previous guests or “bad guys” to have access to your room. Ask for 2 copies of the room key and keep both on you. If you misplace or lose one, immediately notify the hotel and have replacements made.
  • Make sure the room is equipped with a deadbolt lock and a peephole
  • Most of us do not pay attention to the hotel’s fire suppression system but trust me this one is important. Make sure your room is equipped with a smoke detector and that each room (and the hallways) have visible sprinkler systems. In many countries, the fire response teams are not as fast, well equipped or trained as in North America.
  • Make sure that the hotel environment is secure with proper fencing and that the guest areas are well lit (parking, hallways, ice rooms, etc).
  • Generally, I prefer hotels where the elevator leaving the parking area only goes to the lobby (and not directly to the rooms).
  • I try to make sure that any hotel I choose has adequate security personnel. I like to see uniformed security personnel that seem to be well trained and adequately equipped (in this case adequate depends on the area.) They should be willing to escort you to your room or vehicle if requested.
  • I recommend you contact the foreign affairs ministry of your country (DFAIT in Canada, US Embassy for the USA, etc). Ask them about the area the hotel is located in and determine how safe it is.

How do I ensure my stuff hasn't been tampered with?

If you have read my other articles, I talk about hotels being a prime target for intelligence gathering. Where possible, take all of your "stuff" (passports, money, electronics, etc) with you. Sometimes that isn't possible or desirable, so what do you do.

Make sure everything is turned off (not in hibernation or sleep mode).

Use discreet alignment of your "stuff" to detect if anyone has tampered with it. Discreet alignment means that everything has been placed in specific ways so you will detect the slightest movement. As an example, maybe you place a water bottle 1 thumb away from the USB port of your laptop. When you come back, you will immediately know if someone tampered with that port (if the alignment is off).

You can also use cardinal bearings (alone or with discreet alignment). Cardinal bearings are basically compass headings. So you place the protective item (coffee cup in front of the sensitive USB port) and make sure the handle of the coffee cup has a perfect bearing of north. You can also use pens or anything else that is easy to move.

Once you have set up your environment, take pictures of it with your smartphone camera.

If you are being tracked, make sure everything looks natural. You do not want anyone to suspect that you are laying traps.

Using the do not disturb sign

In security, we want as much advanced notification as possible that something is wrong. The trick here is to place the do not disturb sign on your door but to do it in a way that is unique but natural. As an example, instead of letting the sign just hang freely from the handle, you place the edge into the door frame so it is on a slight angle. To most people, it will seem like you left in a hurry and the sign justs got stuck in the door. If you come back and the sign is no longer on an angle stuck in the door frame (aka it is hanging freely), that means someone was in your room and that you should approach with caution.

How to make yourself an easier target for hackers

GeneralEdward KiledjianComment
Your_data.jpg

I've talked about different technologies to provide additional protection when working online (Chromebooks1, Chromebooks2, VPN1, VPN2, VPN3, etc.) The truth is that anything that is posted, shared, stored or connected online risks being hacked and leaked. 

Instead of telling you how to protect yourself, I want to share tips on how to make yourself a flashier and easier target for hackers. After all, why make their lives more difficult than it needs to be? 

Reuse the same passwords everywhere

Reusing the same passwords everywhere is convenient for you and hackers. If they manage to crack or steal your password from one site, they can then reuse that same one on your other accounts. Don't make their lives difficult and reuse the same password for all your online accounts. While you're at it, use simple short passwords using only letters to make it easier to crack.

Don't use 2-factor authentication

2-factor authentication is usually a secret code generated on your phone using a free tool like the Google Authenticator or Authy. The purpose of 2-factor authentication is to provide additional account protect that would prevent someone from accessing your account if they somehow manage to get your password.

2-factor authentication goes against our goal of making you easier to hack. Doesn't 2-factor authentication sound like a lot of trouble for nothing? Why would you want to make it difficult for hackers to access your account if they have gone through all the effort of finding and cracking your password? 

Whatever you do, do not enable 2-factor authentication so your account can be stolen easier. 

Trust everyone and click on those links

Security advocates always caution users not to click on "strange" links from known or unknown sources. Sure often these types of links are used to install malware on your machine or to steal your login credentials (phishing), but you may miss that funny joke a friend sent. 

Hackers go to great lengths to make their emails look legitimate so why not reward all their hard work by clicking on them? If you don't click on those links, you will force the hackers to work harder to steal your information, and who wants to work harder? 

So I say click on those links quickly. If you see a link click on it regardless of any doubts you may have. 

Don't update your software and operating system

All software is written by humans and is therefore imperfect. Reputable software vendors (that hate hackers) release regular updates to their products to patch vulnerabilities that may be exploited. 

Our goal is to make you an easy target so why install updates? Updates take time. It is easy to forget checking for them (on smartphones, tablets and PCs). The easiest thing to do (the most hacker-friendly) is just to leave your machine as it is, and not install any updates. After all, what if the update changes a function? 

The moral of this story is to just leave well enough alone.  Don't make a hacker's life more difficult than it has to be, don't update your software or operating system.

Don't ever turn off Bluetooth

You work hard, and anything that makes your life easier should be encouraged and used. Bluetooth is a modern convenience for anyone that uses wireless headphones. You turn it on and pair it with your favourite headphones when you first set up your device and forget about it. 

Convenience is king. When you want to listen to a podcast or some music, you shouldn't be bothered to fiddle with small switches in some control menu to turn on Bluetooth. 

There are well-known attacks against Bluetooth that could allow a remote attacker to connect to your device and steal data stored on it. Who cares? Convenience is king and outranks security. We want to make your devices as vulnerable as possible, so whatever you do, leave Bluetooth on. While you are at it, leave other data transfer features on (like Airdrop on Apple and WIFI). 

Don't use a VPN

I have written about VPNs for years. How they can be used to protect your data when using unknown or untrusted WIFI networks. This article is about making your life and the hackers life easier, not making you more secure. 
VPNs are a hassled. You have to buy a subscription, install the app on your devices and remember to turn it on everytime you connect to an untrusted WIFI network. When using a VPN you are paying to make your WIFI experience more complicated. Does this seem logical to you?

Hackers love using unprotected or poorly protected WIFI networks to perform reconnaissance and even break into your devices. Hackers have a wide variety of easy to use tools that work on devices connected to these open WIFI networks where users aren't using a VPN. So the moral of the story is convenience. After all, if you can't trust your local coffee shop with your data security, who can you trust. 

Remeber that your goal is to make your and the hacker's life easier so trust easily and trust often. Don't use a VPN to encrypt your traffic and make it impossible for a local hacker to steal your data or compromise your device. 

Share a lot and often

The purpose of social media is to share information with friends and other strangers that are connected to you. So the hacker rule is to share as much data as possible and share it often.

Peacing data together is a fantastic way for a hacker to build a profile about you so they can reset passwords, use your credit or craft believable phishing emails. Make sure that all your social media profiles are public. Then once you your profile is visible to everyone on the internet, make sure you post a tone of "useful" information such as 

  • habits: (when you go to the gym, restaurant, stores, etc) so hackers can figure out where you live
  • vacations:  everyone wants to know that you have left the country for a week of sun and relaxation. Especially those hackers and thieves. It is so much easier when the target (oops... I mean friend) lets you know it is a good time to steal from them. 
  • Date of birth: MAke sure you use your real date of birth on social media sites so friends (that can't be bothered to remember your birthday) can wish you a happy birthday. Hackers can then use this information to apply for credit in your name. It's a win-win for everyone. 

The moral of the story is to post lots of personal data, regularly and as quickly as possible. 

Conclusion

I hope you have found these tips useful. I know many hackers will thank you for being such a friendly and trusting person. Remember that good security is inconvenient and convenience is the most important factor to a busy person like you. You are too busy to worry about securing each and every service you use, so don't. 

After all, people are generally nice and trustworthy. So open that attachment. Click on that link. Share that vacation departure notice. Life is short, live a little.

Google One finally available to all US customers

GeneralEdward KiledjianComment
Google_One.PNG

I first wrote about Google One in May 2018, when it was still shrouded in secrecy.  The new storage program with improved storage capacities was an invitation-only program until today (for US residents anyway).

Per the original (Google Drive) model, storage is shared across all of the Google properties you use (GMAIL, Photos stored in full resolution, Drive, etc.)

  • 100 GB for $1.99
  • 200 GB for $2.99 (New)
  • 2 TB for $9.99 (2TB for the price of 1TB on the old plan)
  • 10 TB for $99.99
  • 20 TB for $199.99
  • 30 TB for $299.99
Google_One_2.PNG

If you use the Google Family sharing program (not available to Google Apps accounts, unfortunately), you can share your Google One storage with up to 5 family members. In addition to storage, Google is offering Google Play credit to Google One subscribers and promises to add even more benefits (24x7 support is now also included).

Many still see the Google One page as invitation only but expect this to change shortly. Rolling this new program out to its millions of customers is likely being undertaken in stages.

As a Canadian, I anxiously await any indication about when it will open for us.

US bans use of Huawei technology through Defense Authorization Act

GeneralEdward KiledjianComment
Capture.PNG

US President Donald Trump has signed the Defense Authorization Act into law. Section 889 ( PROHIBITION ON CERTAIN TELECOMMUNICATIONS AND VIDEO SURVEILLANCE SERVICES OR EQUIPMENT) bans use by government agencies and contractors of Huawei or ZTE technologies. 

The language of the act is ambiguous and doesn't clearly list what technology is or isn't covered by the prohibition. 

procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system

ZTE and Huawei should not be used to access government systems that display personal data, therefore it is safe to assume that most agencies and contractors will purge their networks of systems designed or that use these technologies.

I have not yet seen an official response from either of the tech complanies.

Stay tuned.