H.R. 113: To require the purchase of domestically made flags of the United States of America for use by the Federal Government.

Legislation Coming Up: This bill has been added to the House’s schedule for the coming week, according to the House Majority Leader. More information can be found at http://bit.ly/2g091ss.

Last Action: This bill is in the first stage of the legislative process. It was introduced into Congress on January 3, 2019. It will typically be considered by committee next before it is possibly sent on to the House or Senate as a whole.

How To Blow Your Online Cover With URL Previews

URL previews are a nice feature found in most messaging applications. They allow you to paste a URL to a friend or colleague, and have a handy miniature view of the website you are about to view.

The downside is that a lot of applications generate these previews without you knowing what is happening behind the scenes. In some cases this can equate to you disclosing your public IP address in a manner that you likely wouldn’t want.

Don’t forget: when you browse to a website your public IP address is exposed. This is just how the Internet works unless you’re using Tor or a VPN to hide it.

The difference with URL previews in messaging applications is that you are broadcasting to the website owner that you are discussing the website, as opposed to just browsing to it.

This small and subtle change in context is actually quite an important distinction. You’ll see why very shortly…

A Little History

A few years ago I was on a penetration test where I was attempting to spearphish executives at a well known corporation in Europe. They had one of the most brilliant CISOs I had ever met and an absolutely amazing incident response team on staff.

After I sent the initial round of phishing emails I was monitoring my command and control server to look for connections from users, anti-virus, or anything else that might indicate that I was either having some success or was about to be caught.

After a few hours there was not a lot of activity until my web server received a connection from an IP address that resolved back to Skype. This was a WTF moment for me since my phishing server was brand new and there didn’t seem to be a good reason why a Skype server would be touching it.

A few minutes later another hit from a different Skype server. Now I was really wondering what was going on.

Then it dawned on me. Someone was discussing my command and control system during a Skype chat, and Skype was generating previews of the phishing site I had set up.

I performed a couple of quick tests using my own Skype account, and sure enough, I could reproduce the issue easily. I now knew that the incident response team was on to me, and that it was time to switch tactics.

But this also raised a much larger issue in my mind when it came to online investigations, incident response and running covert online operations.

How Does This Apply to Online Investigations?

There are two viewpoints here: one is from an investigative standpoint and the second is from the standpoint of you running a covert operation through a website.

From the investigative standpoint, if you are passing URLs back and forth with a fellow investigator you may end up notifying your target that you are talking about them. This is exactly how I figured out that the incident response team was on to me during my penetration test. You likely don’t want this to happen.

The second standpoint is where you are running a website for a covert online operation. You can monitor for these URL previews and determine that someone is discussing your site, potentially letting you know that your ruse is working or that you might be caught out (again, context is important and mission-dependent here).

Either way, it is a unique set of behaviours that can be observed that is not general browsing activity.

Test Results from Various Platforms

I did some quick testing of various messaging clients and services. The test was to simply set up a Python web server on a Digital Ocean droplet ($5/month plan is sufficient). The Python web server just printed out the IP address and headers of the connecting client.

I also set up a DNS record specific for this testing so that I could try using IP addresses vs. domain names. WhatsApp was the only service tested that responded differently for IP addresses vs. domain names. Every other service was happy to generate previews for an IP address. There was also no difference between using an HTTP vs. HTTPS URL.

Here is a summary of findings:

Slack

We, like many other companies, live on Slack so this was the first test I performed. Slack was happy to generate URL previews and identified itself with the following User-Agent:

User-Agent: Slackbot-LinkExpanding 1.0 (+http://bit.ly/1CBvSwk)

The IP address of the request was from my publicly facing IP address through my office connection in both mobile and desktop versions of Slack.

Apple Messages

So Messages was an interesting test that had some pretty unique behaviours. If you post a link from Messages on your desktop/laptop it will generate the preview directly from your public IP address as can be expected.

The user agent shows:

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0

Pretty interesting that you see the Facebot and Twitterbot pieces in there! This was actually picked up by a Reddit user as well.

Here is where things can get more interesting: if you are sending an SMS phish to a target you can enhance the URL preview experience a little by ensuring you have a file named:

apple-touch-icon-precomposed.png

The Messages app will attempt to retrieve this file once it determines that it can successfully reach the target web page. This file will be used in the preview that is generated and could help to entice your target to click the link. It can also be a way of acknowledging the fact that Messages was the application doing the URL preview in the first place.

Wire

Wire is pretty interesting. When you post a URL from the app both on desktop and on your mobile phone your public IP address will show up in the logs. However, there are no User-Agent headers that show up. In fact the only header that Wire sends is:

Connection: close

So this in itself is interesting because many of your HTTP clients (browsers, crawlers, bots, etc.) will send additional headers. By Wire stomping out all information this does become a “tell” that perhaps someone is discussing a target site in the Wire application. Further tracking of how often you see this limited set of client headers would have to be done in order to come up with something more statistically relevant than my single observation.

Note that in Wire there is a setting in Preferences -> Options called “Create previews for links you send.” If you disable this it will prevent Wire from doing these URL previews. I recommend you do this. Thanks to Michael Bazzell for assistance with this one.

Facebook

Facebook also announces itself, but it uses Facebook-owned infrastructure to hit the site for a preview. You will see a User-Agent header of:

User-Agent: facebookexternalhit/1.1 (+http://bit.ly/QzhITw)

It doesn’t use your public IP address but does indicate that someone has posted a link to the target site on their Facebook profile or has sent it via Facebook Messenger. The IP address you see show up will be registered to Facebook so you can use a site like ipintel.io to look it up.

WhatsApp

WhatsApp behaves somewhat differently than the other services. It will not honor IP addresses directly, but if you type in a domain (and any port) it will attempt to do URL previews. Additionally, it makes continuous requests as you type the URI of the target page, which generates a lot of traffic.

The User-Agent looks like this:

User-Agent: WhatsApp/0.3.1649 N

The request comes from your public IP address.

Services That Didn’t Generate Previews

There were some services that didn’t generate any previews or traffic when pasting links, or typing URLs. Of course you should test this yourself to verify.

Signal (Desktop/Mobile)

Skype (Desktop/Mobile)

Sudo (Mobile)

Threema (Mobile)

Twitter DM (Mobile/Web)

Wickr (Desktop)

All of the mobile testing was done on an iPhone X so there may be differences with Android that aren’t covered here.

There are probably a ton of other messaging apps out there that you could test, and you absolutely should. Feel free to let me know and I can update this post with your results.
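To audit your own messaging clients the same way, here is a small test server in the spirit of the one described above. It is an added example, not the author's original script: it prints the connecting IP address and headers, and labels requests using only the header fingerprints reported in this post. The port, the function name classify_preview and the tolerance for a Host header in the Wire check are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Fingerprints as reported in this post. Order matters: the Apple Messages
# User-Agent also contains "facebookexternalhit", so it is checked first.
UA_FINGERPRINTS = [
    ("Slackbot-LinkExpanding", "Slack"),
    ("Facebot Twitterbot", "Apple Messages"),
    ("facebookexternalhit", "Facebook"),
    ("WhatsApp/", "WhatsApp"),
]

def classify_preview(headers):
    """Return the app a request's headers point to, or None for no match."""
    names = {k.lower(): v for k, v in headers.items()}
    ua = names.get("user-agent", "")
    for needle, app in UA_FINGERPRINTS:
        if needle in ua:
            return app
    # Wire was seen sending only "Connection: close" and no User-Agent.
    # Assumption: a Host header, if present, is ignored for this check.
    if set(names) - {"host"} == {"connection"} and names["connection"].lower() == "close":
        return "Wire (single observation)"
    return None

class PreviewLogger(BaseHTTPRequestHandler):
    def do_GET(self):
        headers = dict(self.headers.items())
        label = classify_preview(headers) or "no preview fingerprint"
        print(f"{self.client_address[0]} {self.path} -> {label}")
        for name, value in headers.items():
            print(f"    {name}: {value}")
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html><head><title>preview test</title></head></html>")

    def log_message(self, *args):
        pass  # replace the default access log with the output above

if __name__ == "__main__":
    # Run on a host you control, then paste its URL into each client under test.
    HTTPServer(("0.0.0.0", 8080), PreviewLogger).serve_forever()
```

If the logged IP address is your own public address rather than the service's infrastructure, that client fetches previews directly from your machine.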

How To Mitigate

There are a few things you can do to help mitigate the risk:

Defang your URLs — This is simply the method where you replace the dots and colons with other characters, or use brackets. An example could be:

Regular: https://www.hunch.ly

Defanged: hxxps://www[.]hunch[.]ly

Use a VPN — this is a secondary suggestion really, as it isn’t mitigating the original problem, but for the services that are spitting out your public IP address this will at least obscure it.
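The defanging mitigation can be applied to a whole message before it is pasted into a chat. The following is an added example, not part of the original post: it defangs every URL or bare host in a block of text, restores them again, and checks that nothing linkable is left. The function names and the matching rules are assumptions, and the pattern deliberately errs on the side of defanging too much.

```python
import re

# A link is an optional http/https scheme, a host (domain name or IPv4
# address), an optional port and an optional path. Bare hosts are included
# because some clients preview a domain typed without a scheme.
_HOST = r"(?:(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})"
_LINK = re.compile(r"(?:(?P<scheme>https?)://)?" + _HOST + r"(?::\d+)?(?:/\S*)?", re.I)

def defang(text):
    """Rewrite every link in text so a client will not auto-link or preview it."""
    def _one(match):
        link = match.group(0).replace(".", "[.]")  # dots in host and path
        if match.group("scheme"):
            link = "hxxp" + link[4:]               # http -> hxxp, https -> hxxps
        return link
    return _LINK.sub(_one, text)

def refang(text):
    """Restore defanged links, for use inside an isolated analysis environment."""
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.I)
    return text.replace("[.]", ".")

def still_previewable(text):
    """True if text still contains something a client could turn into a link."""
    return _LINK.search(text) is not None

if __name__ == "__main__":
    # Constructed sample message; 203.0.113.7 is a documentation address.
    message = "Look at https://www.hunch.ly and 203.0.113.7:8080/login.php today"
    safe = defang(message)
    print(safe)
    print("still previewable:", still_previewable(safe))
```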

Originally published on Hunchly.

The post How To Blow Your Online Cover With URL Previews appeared first on bellingcat.

Trump’s Calls for a Wall Falling on Deaf Ears

By Art Castañares / La Prensa San Diego Publisher and CEO

One of Donald Trump’s signature campaign promises was that he would build a wall along the U.S.-Mexico border and that he would force Mexico to pay for it.

At one campaign rally after another, Trump spooked his fan base with tall tales of people flooding across the border at alarming rates even though illegal crossing had fallen to historically low numbers.

“Build that wall!” his legions of fans would chant at the campaign rallies, enthusiastic that Mexico would bear the cost of building the wall to keep their own people out of the U.S., a theory that didn’t seem at all odd to them.

“Mexico will pay for it, believe me!” Trump promised as he revved up the already enthusiastic crowds.

But no sooner had Trump won the election than he started to recast his promise to build the wall and make Mexico “reimburse” the U.S. for it; then it turned into Mexico will eventually pay for the wall.

Of course, Mexico’s President and several other officials scoffed at the idea that they would pay for the wall as absurd and foolish, with Mexico’s former President Vicente Fox saying the idea was just part of Trump’s “stupidity”.

Never deterred, Trump then began demanding up to $30 billion in the U.S. budget to pay for the wall, completely abandoning the promise of Mexico paying for it.

Last year, Trump forced the Department of Homeland Security (DHS) to fund eight wall prototype models near the San Diego border. Trump even came to town to inspect the 30-foot tall monuments. Border experts, however, suggested that the money would be better spent on fencing, monitors, and staffing. Trump didn’t listen.

Over the past two years, as the Republican-controlled Congress failed to provide the billions of dollars Trump demanded for the wall, he has again shifted his stance to say that Mexico will pay for the wall indirectly through the newly negotiated amendments to NAFTA, now known as the USMCA, or the U.S., Mexico, Canada Agreement.

That argument would suggest that any improvements in trade relations will result in higher profits for American companies and theoretically higher tax revenues for the U.S. Treasury which would then compensate for the costs of the wall. Trickle down economics at its worst.

Two weeks ago, our government was again facing a funding deadline because (again) a federal budget hasn’t been approved and the short-term funding called Continuing Resolutions would finally run out on December 21st.

Although the Senate passed a budget bill that would have funded the government through Feb. 2, the House gave into Trump’s demands and included $5 billion for construction of the border wall. As expected, House Democrats refused to vote for it.

Then, the federal government shut down, at least partially. Over 400,000 federal employees and contractors have now been off work with no pay since before Christmas, and there’s no end in sight. The Smithsonian Museums, D.C.’s National Zoo, and Yosemite are now closed.

The problem isn’t border security, it’s pure politics.

Democrats have voted for including up to $1.6 billion for border security but not the wall. The funding is equal to the amount that was in last year’s budget, but that’s still not good enough for Trump.

With Democrats taking over leadership of the House this week with their new majority, Trump’s demands for billions to fund the wall surely will fall flat. Democrats know the wall is just a political game for Trump and they don’t seem likely to give in.

In the past two weeks, it seems even Trump may be unsure what he really wants.

His demands have always been for a “beautiful wall” across the entire length of the border, but recently he’s sprinkled in calls for a fence, barrier, and even barbed wire as the military recently deployed when the caravan of migrants was approaching Tijuana.

Last week, his outgoing Chief of Staff, John Kelly, said that the concept of a solid concrete wall was abandoned early in Trump’s administration after talking with Border Patrol leaders that actually know what’s really needed along the border.

Trump quickly tweeted that Kelly was wrong; the concrete wall was never abandoned, Trump said.

But then last week, Trump sent out messages saying he has already signed a contract to build 110 miles of the wall, and that construction had already begun on sections of it.

One problem. DHS says no contracts have been signed, and that only repairs of existing fencing have been completed or are ongoing. No wall.

So, which one is it?

Does Trump want a wall, a fence, or a barrier? Is Mexico going to pay for it, now or later or never? Does Trump want the money in the budget so badly that he’s willing to shut down the government, or does he already have the money and he’s signing contracts?

It doesn’t seem to matter much to his fan base anyways.

In two years in office, Trump has not accomplished as much as he claims he has, outside of cutting taxes for the rich and ballooning the national debt.

To be fair, he’s also abandoned environmental regulations and trade treaties. He’s made it harder to get health insurance. He’s rattled the stock market and caused the worst December for stocks since the Great Depression in 1931.

But, through it all, his fan base remains unfazed. They argue that Trump is fighting the system and draining the swamp. Strangely, they still dismiss the dozens of indictments and plea deals of Trump associates as a witch hunt. And they stick by their red hat wearing Commander in Chief no matter what.

In the end, Trump’s calls for a wall may be exactly what he imagined: an impregnable barrier to keep people apart in an irreparable way.

The problem is that the people he’s separating are Americans that agree with him from those that disagree. He’s not making the country safer; he’s only making it angrier, more divided, and less American.

Hopefully, this new year will bring about a renewed sense of cooperation in Washington, D.C. to get things done, with real solutions to the pressing problems that have gone unsolved for too long.

Immigration is chief among them. DACA. Amnesty. Unaccompanied minors living in detention centers. Real border security. Trade.

Trump has an opportunity to set a new tone going into his re-election, or to continue to pick fights and focus solely on pleasing his shrinking base.

When Trump met with congressional leaders on Wednesday this week, he said he couldn’t accept a compromise on funding for the wall because he “would look foolish” if he did.

Unfortunately, so far from the first few days of this year, it looks much the same as last year.

Brazil′s Bolsonaro begins firing ′left-wing′ public servants | News | DW | 03.01.2019

President Jair Bolsonaro has authorized the dismissal of civil servants who don’t share his government’s far-right ideology. The sweep will target officials deemed sympathetic to Brazil’s centrist and left-wing parties.
