This is a thread for @Matt_Gerlach on how one could better work with data collected from pihole. However, it could also be useful for anyone else who wants to better understand how pervasive the global tracking world is and to do something about it. #privacy #surveillance
First up, adblockers do not work anymore. The industry has moved on a lot (they use the same ones you do; don't kid yourself that this industry isn't blackhat af and doesn't do dodgy things).
It's better to cut the snake's head off rather than make it dance to your beat.
Once you've got that, I'd recommend using DB Browser for SQLite. It should look like this:
The key tables you want are:
- network_addresses (where all the queries come from if you have a wide network with numerous sources)
- queries (the most important table)
Now the latter will be large, and this could prove problematic, so you could prune it a little.
Now you can do all of this via the web UI, and it's very good, but you could also use the command line. Say I wanted to see all requests from one of my APs:
SELECT DISTINCT domain FROM queries WHERE client = '192.168.0.28'
(SQLite accepts double quotes around a string literal as a fallback, but double quotes are for identifiers; single quotes are the string syntax and won't surprise you if a column happens to share the name.)
Now this is where you'd work out what you want from visualisation. Say you want to show all blocked domains?
Or if you want to get fancy, take the blocked domains and then show the frequency for each domain. It all depends on what exactly you want to do.
For most, the pihole UI is very good, so I'd recommend using that at first and fine-tuning your block lists based off your own baseline.
Now, creating blocklists. There are many ways you can do this: you can use ones already made by people, or you can explore it yourself. The latter is the approach I prefer.
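Here is the "all requests from one AP" query and the "blocked domains by frequency" idea written out against the pihole database, as an added example (not code from the original thread). It assumes the column layout of the `queries` table in pihole-FTL.db (id, timestamp, type, status, domain, client, forward) and the documented FTL status codes where 1, 4, 5, 9, 10 and 11 mean the query was blocked; both should be checked against the Pi-hole version you run. The rows it loads are constructed sample data, not real traffic. The client IP is bound as a query parameter rather than pasted into the SQL string, which is the habit to keep when the IP comes from anywhere other than your own fingers.

```python
"""Pull per-client domains and blocked-domain frequency out of a Pi-hole
FTL-style `queries` table, and render a hosts-format blocklist.

Added example, not from the original thread. Schema and status codes are
assumptions about pihole-FTL.db; verify against your own Pi-hole version.
"""
import sqlite3

# Assumption: FTL status codes meaning "blocked" (gravity, regex, exact
# blacklist and their CNAME variants). Check these against your FTL version.
BLOCKED_STATUS = (1, 4, 5, 9, 10, 11)

# Constructed sample rows shaped like the `queries` table:
# (timestamp, type, status, domain, client, forward). Not real traffic.
SAMPLE_ROWS = [
    (1600000000, 1, 1, "ads.example.net", "192.168.0.28", None),
    (1600000001, 1, 2, "cdn.example.org", "192.168.0.28", "9.9.9.9"),
    (1600000002, 1, 1, "ads.example.net", "192.168.0.28", None),
    (1600000003, 1, 4, "tracker.example.com", "192.168.0.28", None),
    (1600000004, 1, 3, "news.example.com", "192.168.0.28", None),
    (1600000005, 1, 1, "ads.example.net", "192.168.0.28", None),
    (1600000006, 1, 1, "ads.example.net", "192.168.0.40", None),
    (1600000007, 1, 2, "api.example.org", "192.168.0.40", "9.9.9.9"),
    (1600000008, 1, 5, "tracker.example.com", "192.168.0.40", None),
]


def open_db(path=":memory:"):
    """Open the database. Against the live file use a read-only URI, e.g.
    sqlite3.connect("file:/etc/pihole/pihole-FTL.db?mode=ro", uri=True)."""
    return sqlite3.connect(path)


def load_sample(conn):
    """Create a minimal `queries` table and fill it with SAMPLE_ROWS."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS queries ("
        "id INTEGER PRIMARY KEY, timestamp INTEGER NOT NULL, type INTEGER NOT NULL, "
        "status INTEGER NOT NULL, domain TEXT NOT NULL, client TEXT NOT NULL, forward TEXT)"
    )
    conn.executemany(
        "INSERT INTO queries (timestamp, type, status, domain, client, forward) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()


def domains_for_client(conn, client):
    """The thread's 'all requests from one AP' query, with the client IP bound
    as a parameter instead of being concatenated into the SQL."""
    rows = conn.execute(
        "SELECT DISTINCT domain FROM queries WHERE client = ? ORDER BY domain", (client,)
    )
    return [row[0] for row in rows]


def blocked_domain_frequency(conn, limit=None):
    """Blocked domains ordered by how often they were requested (ties by name)."""
    placeholders = ",".join("?" * len(BLOCKED_STATUS))
    sql = (
        f"SELECT domain, COUNT(*) AS n FROM queries WHERE status IN ({placeholders}) "
        "GROUP BY domain ORDER BY n DESC, domain"
    )
    params = BLOCKED_STATUS
    if limit is not None:
        sql += " LIMIT ?"
        params = BLOCKED_STATUS + (limit,)
    return [(domain, n) for domain, n in conn.execute(sql, params)]


def blocked_per_client(conn):
    """Blocked lookups per client: which device on the network is noisiest."""
    placeholders = ",".join("?" * len(BLOCKED_STATUS))
    rows = conn.execute(
        f"SELECT client, COUNT(*) FROM queries WHERE status IN ({placeholders}) "
        "GROUP BY client",
        BLOCKED_STATUS,
    )
    return dict(rows)


def hosts_blocklist(domains, sink="0.0.0.0"):
    """Render domains as a hosts-format list (one '0.0.0.0 domain' per line),
    de-duplicated and sorted, which Pi-hole can import as an adlist."""
    return "".join(f"{sink} {d}\n" for d in sorted(set(domains)))


if __name__ == "__main__":
    db = open_db()
    load_sample(db)
    print(domains_for_client(db, "192.168.0.28"))
    for domain, n in blocked_domain_frequency(db):
        print(f"{n:5d}  {domain}")
    print(blocked_per_client(db))
    print(hosts_blocklist(d for d, _ in blocked_domain_frequency(db)), end="")
```

Point `open_db` at a copy of pihole-FTL.db (or open the live file with the read-only URI shown in the docstring so you don't fight FTL for the write lock), and the same four functions work on real data. The frequency list is the natural input to the visualisation step: the top few blocked domains per client tell you far more than the raw query table.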
Let's take a traditional web app, say a dirty ugly news website.
Developer tools are your friend here. What you want to do is inspect every single element: what is being loaded (JavaScript), which endpoints are being called, and so on.
Turn on developer tools (found in the menu of the browser).
Here's one for adverts, called by mol-adverts.js via XHR. We don't like this, so we add it to our own block list.
Basically, rinse and repeat is the name of the game here.
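The rinse-and-repeat step can be automated a little: the Network tab in both Chrome and Firefox can save everything it captured as a HAR file, and a HAR is just JSON with one entry per request. The script below, an added example rather than anything from the original thread, reads such an export and lists every host that isn't the site you loaded, most-requested first, so a script like mol-adverts.js and the XHR endpoints it talks to fall out as blocklist candidates. The HAR it parses is constructed and the hostnames in it are made up; the only other assumption is the toy "last two labels" rule for deciding what counts as the same site, which is wrong for suffixes like .co.uk (use the tldextract package if that matters to you).

```python
"""List third-party hosts from a browser HAR export and rank them as
blocklist candidates.

Added example, not from the original thread. Relies only on the HAR 1.2
layout (log.entries[].request.url); the sample document is constructed.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed HAR 1.2 document standing in for a "Save all as HAR" export.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://www.example-news.com/"}},
    {"request": {"method": "GET", "url": "https://www.example-news.com/js/app.js"}},
    {"request": {"method": "GET", "url": "https://static.example-news.com/img/logo.png"}},
    {"request": {"method": "GET", "url": "https://adserver.example-ads.net/mol-adverts.js"}},
    {"request": {"method": "POST", "url": "https://adserver.example-ads.net/xhr/bid?pub=1"}},
    {"request": {"method": "GET", "url": "https://t.example-tracker.com/pixel.gif?uid=abc"}},
    {"request": {"method": "GET", "url": "data:image/png;base64,iVBORw0KGgo="}},
]}})


def registrable_domain(host):
    """Toy eTLD+1: the last two labels. Assumption that breaks on .co.uk and
    friends; swap in tldextract for real suffix handling."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def request_hosts(har_text):
    """Yield the hostname of every entry's request URL. data: and blob: URLs
    carry no host and are skipped rather than crashing the run."""
    har = json.loads(har_text)
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if host:
            yield host


def third_party_hosts(har_text, first_party_host):
    """Count requests per host whose registrable domain differs from the
    page's own, i.e. everything that isn't the site you asked for."""
    site = registrable_domain(first_party_host)
    return Counter(h for h in request_hosts(har_text) if registrable_domain(h) != site)


def blocklist_candidates(har_text, first_party_host, min_hits=1):
    """Third-party hosts seen at least min_hits times, busiest first, ready to
    paste into a blocklist (one hostname per line)."""
    counts = third_party_hosts(har_text, first_party_host)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [host for host, n in ranked if n >= min_hits]


if __name__ == "__main__":
    import sys
    har_text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_HAR
    page_host = sys.argv[2] if len(sys.argv) > 2 else "www.example-news.com"
    for host, n in third_party_hosts(har_text, page_host).most_common():
        print(f"{n:4d}  {host}")
```

Run it as `python3 har_hosts.py page.har www.example-news.com` against a real export. One caveat: a tracker served from a first-party subdomain that is a CNAME to a third party will not show up here, because the HAR records the name the page used, not what it resolved to; Pi-hole's query log (the `forward` column, and CNAME-blocked statuses) is where you catch those.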
But what happens if you have a mobile app? How do you do the same?
With iOS you can attach a remote developer tool session via Safari, but it's a hassle. What I prefer doing is pulling down the mobile app and then running it through github.com/MobSF/Mobile-S…
Basically, MobSF is an all-in-one automated mobile application pen-testing framework. Yes, it's mostly for those looking for vulnerabilities or bugs, but it's also something you can use to find out what an app is doing.
You need a few things here:
1: docker (think of this as a platform for creating and running containerised applications)
Word of caution: this stage is a little bit advanced and can be very daunting to those who aren't familiar with it. But, ask questions and experiment, you can't cut yourself or blow stuff up.
The command you want to run is this
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf
Basically this tells Docker to run the image interactively (-it), publish port 8000 of the container on port 8000 of your machine (-p 8000:8000), and use the latest image you pulled above. Note that -p 8000:8000 publishes the port on every interface of the host, so anything else on your network can reach the MobSF UI; if you only want it on the box itself, use -p 127.0.0.1:8000:8000 instead.
If all went well, you should see this in the terminal, and when you visit http://localhost:8000 you should see
Ok, so what exactly are we looking for here? Am I hacking? Do I get to wear a hoody and have chains on my keyboard?
Not exactly, you are peeking behind the curtains to see what this application is doing. The bits we are interested in are endpoints (servers that the app chats to).
So we drag our .apk or .ipa onto the upload area and let MobSF do its magic.
Remember we are looking for trackers here. Trackers are basically services that monitor what you do.
Now this will take around 10 minutes to work. I do this for every single app my kids use. I don't want to stop them from using the apps but I do want to understand how that app was developed, who it speaks to, what it collects and so on.
Once it is done, you will be presented with a screen like so. This is a lot of information to handle, so ignore most of it, go to the left, look for Reconnaissance and click Trackers.
Here we have three that are of some concern:
braze
conviva
google firebase.
The top two are widely used and track a lot. For example:
Now the cool thing is that you can see the endpoints in use here:
Twitter isn't the best place for such information, so I've turned this into a markdown page and made it accessible over at github.com/danielcuthbert…
TODO: Play with datasette.io (thanks @snkhan for that) and look at how pihole might be extended to better extract info
I've since added more on visualising the data, basic SQLite queries, and better explanations of using developer tools to inspect web pages github.com/danielcuthbert…
If there's something missing, let me know via a GitHub issue or indeed here.
Based on a question from @hakluke on how the @OWASP_ASVS might be used with bug bounties, here's my approach
First up what is the ASVS?
It's a list of application security requirements, or tests, that can be used to test and verify that an application is secure.
There are 14 different categories which one can use to test, and indeed build, secure applications, ranging from architecture through to configuration management.
A huge thanks to @d_olex for making my day with a rather sexy Technics record player and an album that has been on my top 5 since I heard it in the 90s: Time Machines by Coil
This album is very special.
Basically they were off their faces and made music on modular synthesizers. To even think of making music whilst on DMT is madness, but actually what they produced is incredibly special.
@VICE did a great piece on them a while back, and it makes for interesting reading
So to recap, I've got a load of components and I want to put them into a weatherproof box outside our house so we can monitor the pollution.
London's pollution isn't bad but we also have a lot of ugly dirty diesels still driving around.
I need to take data recorded by my box and push it to a service. That service is io.adafruit.com.
Once I have my bill of materials (BOM), I can start to make my threat model.
What? Threat who?
Basically a threat model is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and mitigations can be prioritised.
What's the worst that could happen and what should you do?
So nerd hour over the next few days will be the creation of a multi-sensor temperature/pollution IoT device housed in a weatherproof case outside our front door.
It will use an MQTT client to push data to an MQTT server and display the data via a fancy schmancy UI.
What I wanted to do is perform the whole process like you would do most things. So first up, speccing the hardware/software, then performing a threat modelling exercise to understand threats/countermeasures, and then finally building/securing.
Now to some of you, this is bread and butter and you are probably tutting and saying it's lame. However, not everyone understands how one should incorporate a threat model into your design, and really why.
You've all heard IoT is INSEKURE, but actually how is it insecure?
All the cool kids are into Quantum and qubits, so why not have a cryptographically secure pseudorandom number generator (CSPRNG) that makes use of a quantum computer to generate its entropy pool for its randomness??
With the sheer number of Indians using my gmail and Indian websites not validating user-supplied email addresses, the last thing I'd be doing is any e-commerce in India.
hey @Snapdeal_Help have your developers ever heard of application security?
First up Deepak used an email address that didn't belong to him. I mean the things he's ordered are nice and all but I don't need to know about them, or where he lives, or his phone number or his order history or...
But then, you decide that there's no need for any authentication for orders, which allows anyone with the sequential order number to edit it.
@snapdeal this is pretty poor. Deepak does have a case here of you breaching the Information Technology Act (2000)