Search
Items tagged with: opsec
Update (2021-01-09): There’s a newer blog post that covers different CloudFlare deanonymization techniques (with a real world case study).
Furry Twitter is currently abuzz about a new site selling knock-off fursuits and illegally using photos from the owners of the actual fursuits without permission.
Understandably, the photographers and fursuiters whose work was ripped off by this website are upset and would like to exercise their legal recourse (i.e. DMCA takedown emails) of the scam site, but there’s a wrinkle:
Their contact info isn’t in DNS and their website is hosted behind CloudFlare.
CloudFlare.
Private DNS registration.
You might think this is a show-stopper, but I’m going to show you how to get their server’s real IP address in one easy step.
Ordering the Server’s IP Address by Mail
Most knock-off site operators will choose open source eCommerce platforms like Magento, WooCommerce, and OpenCart, which usually have a mechanism for customers to register for an account and login.
Usually this mechanism sends you an email when you authenticate.
(If it doesn’t, logout and use the “reset password” feature, which will almost certainly send you an email.)
Once you have an email from the scam site, you’re going to need to view the email headers.
With Gmail, can click the three dots on the right of an email then click “Show original”.
Account registration email.
Full email headers after clicking “Show original”.
And there you have it. The IP address of the server behind CloudFlare delivered piping hot to your inbox in 30 minutes or less, or your money back.
That’s a fairer deal than any of these knock-off fursuit sites will give you.
Black magic and piss-poor opsec.
What Can We Do With The Server IP?
You can identify who hosts their website. (In this case, it’s a company called Net Minders.)
With this knowledge in mind, you can send an email to their web hosting provider, citing the Digital Millennium Copyright Act.
One or two emails might get ignored, but discarding hundreds of distinct complaint emails from different people is bad for business. This (along with similar abuse complaints to the domain registrar, which isn’t obscured by DNS Privacy) should be enough to shut down these illicit websites.
The more you know!
Epilogue
https://twitter.com/Mochiroo/status/1259289385876373504
The technique is simple, effective, and portable. Use it whenever someone tries to prop up another website to peddle knock-off goods and tries to hide behind CloudFlare.
https://soatok.blog/2020/05/09/how-to-de-anonymize-scam-knock-off-sites-hiding-behind-cloudflare/
#cloudflare #deanonymize #DNS #fursuitScamSites #informationSecurity #OnlinePrivacy #opsec
In 2015, a subreddit called /r/The_Donald was created. This has made a lot of people very angry and widely been regarded as a bad move.Roughly 5 years after its inception, the Reddit staff banned /r/The_Donald because it was a cesspool of hateful content and harmful conspiracy theories. You can learn more about it here.
Why are we talking about this in 2021?
Well, a lot has happened in the first week of the new year. A lot of words have been written about the fascist insurrection that attempted a coup on the U.S. legislature, so I won’t belabor the point more than I have to.But as it turns out: The shitty people who ran /r/The_Donald didn’t leave well enough alone when they got shit-canned.
Remember: You can’t recycle fash.
(Art by Khia.)Instead, they spun up a Reddit clone under the domain
thedonald.win
and hid it behind CloudFlare.Even worse: Without Reddit rules to keep them in check, they’ve gone all in on political violence and terrorism.
(Content Warning: Fascism, political violence, and a myriad of other nastiness in the Twitter thread below.)
https://twitter.com/Viking_Sec/status/1347758893976457217
If you remember last year, I published a blog post about identifying the real server IP address from email headers. This is far from a sophisticated technique, but if simple solutions work, why not use them?
(Related, I wrote a post in 2020 about more effectively deplatforming hate and harassment. This knowledge will come in handy if you find yourself needing to stop the spread of political violence, but is strictly speaking not relevant to the techniques discussed on this page.)
Unmasking TheDonald.win
The technique I outlined in my previous post doesn’t work on their Reddit clone software: Although it asks you for an (optional) email address at the time of account registration, it never actually emails you, and there is no account recovery feature (a.k.a. “I forgot my password”).Foiled immediately! What’s a furry to do?
(Art by Khia.)However, their software is still a Reddit clone!
Reddit has this feature where you can submit links and it will helpfully fetch the page title for you. It looks like this:
When I paste a URL into this form, it automatically fetches the title.
How this feature works is simple: They initiate an HTTP request server-side to fetch the web page, parse out the title tag, and return it.
So what happens if you control the server that their request is being routed to, and provide a unique URL?
Leaking TheDonald.win’s true IP address from behind CloudFlare.
Well, that was easy! To eliminate false positives, I performed all of this sampling with Tor Browser and manually rebuilt the Tor Circuit multiple times, and always got the same IP address:
167.114.145.140
.An Even Lazier Technique
Just use Shodan, lolhttps://twitter.com/_rarecoil/status/1347768188017143808
Apparently chuds are really bad at OpSec, and their IP was exposed on Shodan this whole time.
You can’t help but laugh at their incompetence.
(Art by Khia.)The Road to Accountability
Okay, so we have their real IP address. What can we do with it?The easiest thing to do is find out who’s hosting their servers, with a simple WHOIS lookup on their IP address.
Hosted by OVH Canada, eh? After all, nothing screams “Proud American” like hosting your website with a French company in a Canadian datacenter.
Dunking on these fools for the inconsistencies in their worldview is self-care and I recommend it, even though I know they don’t care one iota about hypocrisy.
I immediately wondered if their ISP was aware they were hosting right-wing terrorists, so I filed an innocent abuse report with details about how I obtained their IP address and the kind of behavior they’re engaging in. Canada’s laws about hate speech and inciting violence are comparably strict, after all.
I’ll update this post later if OVH decides to take action.
Lessons to Learn
First, don’t tolerate violent political extremists, or you’ll end up with political violence on your hands. Deplatforming works.https://twitter.com/witchiebunny/status/1347624481318166528
Second, and most important: Online privacy is hard. Hard enough that bigots, terrorists, and seditious insurrectionists can’t do it right.
This bears emphasizing: None of the techniques I’ve shared on the history of my blog are particularly clever or novel. But they work extremely well, and they’re useful for exposing shitty people.
Remember: Sunlight is the best disinfectant.
Conversely: Basic OSINT isn’t hard; merely tedious.
Other Techniques (from Twitter)
Subdomain leaks (via @z3dster):https://twitter.com/z3dster/status/1347807318478639106
Exploiting CloudFlare workers (via @4dwins):
https://twitter.com/4dwins/status/1347809701291937792
DNS enumeration (via @JoshFarwell):
https://twitter.com/JoshFarwell/status/1347840751720304641
If the site in question is running WordPress, you can use Pingbacks to get WordPress to cough up the server IP address. If you aren’t sure if something runs WordPress, here’s the lazy way to detect that: view any page’s source code and see if the string
/wp-content
shows up in any URLs (especially for CSS). If it’s found, you’re probably dealing with WordPress.Gab’s (another platform favored by right-wing extremists) IP address discovered through their Image Proxy feature to be
216.66.0.222
(via @kubeworm):https://twitter.com/kubeworm/status/1348162193523675136
The Alt-Right Notices this Blog Post
Shortly after I posted this online, some users from thedonald.win noticed this blog post and hilarity ensued.https://twitter.com/SoatokDhole/status/1348204577154326528
I want to make something clear in case anyone (especially members of toxic Trump-supporting communities) is confused:
What’s published on this page isn’t doxing, nor do I have any interest in doxing people. That’s the job of law enforcement, not furry bloggers who sometimes write about computer topics. And law enforcement definitely doesn’t need my help: When you create an account, you must solve a ReCAPTCHA challenge, which sends an HTTP request directly to Google servers–which means law enforcement could just subpoena Google for the IP address of the server, even if the above leaks were all patched.
This also isn’t the sort of thing I’d ever brag about, since the entire point I’ve been making is what I’ve done here isn’t technically challenging. If I wanted to /flex, I’d just talk more about my work on constant-time algorithm implementations.
If, in response to my abuse report, OVH Canada determines that their website isn’t violating OVH’s terms of service, then y’all have nothing to worry about.
But given the amount of rampant hate speech being hosted in Canadian jurisdiction, I wouldn’t make that bet.
Addendum (2021-01-19)
Additionally, this wasn’t as simple as running a WHOIS search onthedonald.win
either, since that only coughs up the CloudFlare IP addresses. I went a step further and got the real IP address of the server behind CloudFlare, not just CloudFlare’s IP.This isn’t rocket science, folks.
According to CBC Canada, they moved off OVH Canada the same day this blog post went live. I’m willing to bet a simple WHOIS query won’t yield their current, non-CloudFlare IP address. (To wit: If you think the steps taken in this blog post are so unimpressive to warrant mockery, why not discover the non-CloudFlare IP for yourselves? I’ll bet you can’t.)
There are a lot of ways to deflect criticism for your system administrators’ mistakes, but being overly reductionist and claiming I “just” ran a WHOIS query (which, as stated above, wouldn’t work because of CloudFlare) is only hurting your users by instilling in them a false sense of security.
Just admit it: You fucked up, and got outfoxed by a random furry blogger, and then moved hosting providers after patching the IP leak. How hard is that?
Also, if anyone from CloudFlare is reading this: You should really dump your violent extremist customers before they hurt more people. I’m a strong proponent of freedom of speech–especially for sex workers, the most censored group online–but they’re actively spreading hate and planning violent attacks like the Capitol Hill Riot of January 6, 2021. Pull the damn plug, man.
Finally, I highly recommend Innuendo Studios’ series, The Alt-Right Playbook, for anyone who’s trying to make sense of the surge in right-wing violence we’ve been seeing in America for the past few years.
How Do You Know This IP Wasn’t Bait?
After I published this article, the developers of their software hobbled the Get Suggested Title feature of their software, and the system administrators cancelled their OVH hosting account and moved to another ISP. (Source.)You can independently verify that their software is hobbled: Try to fetch the page title for a random news website, or Wikipedia article, with the developer console open. It will stall for a while then return an empty string instead of the page title.
They also changed their domain name to patriots.win.
If the IP address I’d found was bait, why would they break a core piece of their software’s functionality and then hurriedly migrate their server elsewhere?
The very notion doesn’t stand up to common sense, let alone greater scrutiny. The whole point of bait is to catch people making a mistake–presumably so you can mock them while remaining totally unaffected–not so you can do these things in a hurry.
A much more likely story: Anyone who makes this claim is trying to downplay a mistake and save face.
Header art by Kyume
https://soatok.blog/2021/01/09/masks-off-for-thedonald-win/
#cloudflare #deanonymize #hateSpeech #OnlinePrivacy #Technology
How do I know that a Meta engineer is working from home in my apartment building? Probably the unclaimed-for-days bubble mailer in the shared package room addressed to "[redacted] Meta Platforms, Inc" that has sticker labels on it saying it includes a Yubico pass key and an "Open Me First" document.
💙 Safety tip for fedi users 💙
Hi friends! Hazel here with an important tip for online safety. We have lots of fun here on fedi, but this is still the internet. It's absolutely critical to safeguard your privacy, so no matter how safe it may seem: never share your personal information online!
There are lots of friendly, close-knit communities here, but that doesn't make it safe to post personal details. Bad-faith actors sometimes sneak into communities like ours, looking for vulnerable people to stalk and harass. Fedi, in particular, has a problem of hateful people operating "scrapers" that use bots to scan the federated timeline and capture any information on marginalized people. This gets passed on to dangerous groups like KiwiFarms and used for harassment, doxxing, and other terrible things.
Fortunately, you can protect yourself by limiting what types of personal information you share online. In particular, here are some things that you should never ever reveal:
- Your legal name(s)
- Your birth date
- Your address (even city of residence)
- Photos of your house (especially the exterior)
- Your phone number
- Where you work
There's also some which are a bit less critical, but I still strongly recommend against sharing. If you want to publish one of these, then please consider your risk factors!
- Selfies / other photos showing your face
- Your exact age (and be careful with ranges)
- Where you went to school / college
- Details of businesses / organizations you visit
- Uncommon medical conditions (doctors are frequently hacked)
This may seem restrictive, but I promise you - it's a small price to pay for online safety! There are horrible people out there, and they'd like nothing more than to make us suffer. Let's make sure that doesn't happen!
--
With love from Hazel,
Admin of transfem.social
#OnlineSafety #PersonalSafety #DigitalSafety #Safety #Privacy #OpSec
On Firefox, I recommend you to disable the protocoll until we find a solution to either spoof it or break the fingerprinting method. It works even without #javascript.
The whitepaper 👉 https://www.blackhat.com/docs/eu-17/materials/eu-17-Shuster-Passive-Fingerprinting-Of-HTTP2-Clients-wp.pdf
#privacy #fingerprinting #infosec #opsec #cybersecurity #http #http2 #browserleaks
Test yourself at https://browserleaks.com/http2
HTTP/2 Fingerprinting
HTTP/2 Browser Fingerprinting identifies web clients by analyzing specific HTTP/2 attributes, such as SETTINGS frame values, WINDOW_UPDATE frames, stream prioritization, and the pseudo-header fields order.BrowserLeaks