Is Digital Privacy a Privilege Of The Wealthy?

It’s a chilly spring morning in 1987, and things aren’t going so well for you. The threats and stalking weren’t your fault, but you’re genuinely afraid for your safety and the police couldn’t help much. After thinking long and hard, you’ve decided your best option is to disappear and start over. You pack your family’s belongings into your Fiero, empty your bank accounts (a couple grand in cash), close out your accounts without forwarding, and hit the road. You’re sick to your stomach scared to leave, but you’re also relatively confident – you can find cash work and lodging pretty much anywhere, (under an assumed name with counterfeit papers, if necessary). Go far enough and keep your head down, and it’s not likely he’ll find you again without a good PI or a string of bad luck.

★ ★ ★

It’s 30 years later, and the business of fleeing an abuser has changed dramatically. Many elements of our world are still familiar, but the nature of personal privacy has changed dramatically. The internet, mobile phones, and social media brought the world closer, often in incredible and inspiring ways, but also in ways that fundamentally harm our ability to keep any element of our daily activity private or secure. The field of network security has grown from an afterthought to a standard college degree program and a major element of global military forces. News coverage shows us terrifying ways our personal data and digital devices can be abused, constantly bombarding us with reminders to restrict access to our data and internet presence.

Yet, the “common sense” security and privacy advice we offer frequently carries costs. Security experts can tweet about an Android version being obsolete and horrifically vulnerable to snooping a thousand times, but billions of people in the world simply can’t go out and buy a good quality new phone. There are wonderful commercial identity monitoring and digital privacy services available, for a yearly fee that might cut into many people’s medication budget. Even finding quality security education has tangible and intangible costs.

Whenever I tackle an extremely complex and contentious security topic, I endeavor to offer a variety of differing expert views to readers. Through a series of eight scenarios, I’ve invited seven security and digital privacy professionals to join me weighing in on the fundamental question of how much of a privilege digital privacy, and the abilities to “restrict” or  “remove” our digital footprint, really are. The discussion is generally North America-centric  – international privacy laws vary greatly. However, many of our privacy and personal security solutions are not specific to any country. Our general conclusion is that while convenience and absolute anonymity can be a privilege that comes with resources, there are many effective low-cost ways to drastically improve personal digital privacy.

My colleagues, who generously contributed their time and knowledge to this article without compensation or sponsorship, are as follows:

  • Viss / Dan Tentler – Founder of Phobos Group. Dark Wizard. Breaker of things. Essentially a static analog for “targeted, skilled espionage for hire”.
  • Munin / Eric Rand – Blue team consultant; amateur blacksmith; consistently paranoid
  • Krypt3ia – Old Crow, DFIR, Threat Intel, Targeter: krypt3ia.com @krypt3ia
  • Lloyd Miller – Managing Director at Delve, a competitive intelligence, research, and policy consulting firm
  • plum / Chris Plummer – Former IBM, DoD, now staff at exeter.edu. Oxford commas at 603security.com, chasing120.com, and @chrisplummer.
  • CiPHPerCoder / Scott Arciszewski – CDO at Paragon Initiative Enterprises, writes and breaks cryptography code. https://paragonie.com/blog/author/scott-arciszewski – @CiPHPerCoder on Twitter
  • evacide / Eva Galperin – Director of Cybersecurity at the Electronic Frontier Foundation.

 


Question 1: Mobile Device Privacy

Smartphones are woefully vulnerable to compromise and surveillance by numerous sources, from advertisers, to criminals, to suspicious spouses, to nation state adversaries. As our “second brain”, they contain massive amounts of our sensitive information, such as where we’ve been, our contacts, and our account logins. The common security boffin recommendation is to always own an up to date phone (often specifically an iPhone), replacing it whenever it becomes obsolete. Good quality phones aren’t cheap, but smartphones are frequently a necessary part of modern life. What are your privacy and security suggestions to somebody who can’t afford a new iPhone every few years, but needs a smartphone for work or school?

Munin – Limit your threat surface. Only install those apps that are essential for what you need, and avoid random web browsing on it. Don’t open attachments on it – set your email client to text only. Apply updates if they’re available for your platform. Don’t root or jailbreak it – yes, it lets you do a bunch of cool things, but it also opens up significant maintenance problems.

Lesley – Even if you can’t afford a new phone, please routinely check the version of Android or iOS you’re using. Once the phone is out of date and no longer receiving updates, reset it to factory and treat it as cautiously as you would a public computer. No matter the age of your phone, avoid installing any apps with too many permissions, including access to your microphone, GPS, camera, contacts, or phone identification. Keep location services turned off.

On another note, while the ubiquitous iPhone has pretty good security “out of the box”, there are also very good arguments for using an up-to-date Android phone from which the battery can be physically removed, if privacy is a big concern. There are few things more reliable than physically breaking a circuit.

Viss – There are carrier free phones that you can buy that cost half of what carrier phones do. A OnePlus2 will cost you around $300, and they get software updates several times a year. You can also get a Google Nexus or Google Pixel. All of these non-carrier phones get software updates way way more often than any phone that a carrier will try to sell you. That alone is a pretty huge improvement, even before taking personal measures to secure a mobile device. Also, a OnePlus, Nexus or Pixel will likely last years, and remove the need to buy a new phone every 12 months.

Lloyd – I don’t think good security comes cheap with phones, but Munin gives the best advice – if nothing else, only do the bare minimum necessary to accomplish what you need to do, and cut out the rest.

plumIn theory, devices purely for work or school should not be all that demanding in terms of features, so they should be remotely affordable. The carrier market is white hot right now.  Chances are, there’s at least one in your region with a pretty compelling deal on a handset. This is difficult because for short money you’re into a new phone that you may not necessarily understand how to secure.  To that end, don’t go out on an island – buy something your friends and family are familiar with, so they can help you.  While many are averse to working with salespeople, you may find one that knows quite a bit about keeping your handset locked down. It’s worth the ask; there are really good people out there who know a lot more than simply how to sell you a phone.  You may not get it perfect, but it will be better than out-of-the-box.

Krypt3ia Phones, like much of the technology today we buy and use that could lead to compromise of significant amounts of our data are coming down in price in certain spaces while going up in others. So if you want to have a burn phone (and now you can get smart phones too cheaply) you can try to firewall yourself off by only doing certain things with a burner phone. I guess the thing is that generally here any phone at any time could be that device that leads to your data being open to attack.

It may also be of use to have a phone that has less functionality like a flip phone to carry out some tasks as the lesser the technology level the less the adversary has to work with as attack surfaces go. The reality however is no matter what you do you are subject to technologies that you do not have control over completely. As an example, I recently gave up a phone that I liked quite a bit because the provider did not update the operating system for security patches and had not done so in over a year. They just don’t really care, so I had to move on to a system that I could push the updates on. Still though, if you are relying on technology to protect you and YOU aren’t in control of every aspect of that, and are competent at it, it is a null sum game. Best I can advise you is to compartmentalize as much as you can. Use code words for things (i.e. appointments in calendars, names in phone books, etc) to obfuscate and make it that much harder for the adversary to get a toe hold.

CiPHPerCoderNon-carrier phones like One Plus are a good idea, as Viss said, but one important obstacle is how purchasing is structured. If you get a carrier phone, you probably aren’t dropping $800 right then and there; instead, they roll the cost of the device into your monthly payments. If you get a non-carrier phone, you have to purchase it yourself. I believe it’s worth it to find a way to overcome this obstacle (so that you won’t be left vulnerable when an Android vulnerability surfaces if your carrier is negligent) but this comes down to a cost-benefit decision.

A related concern for most people is data privacy. For example, using a secure, private messaging app like Signal or WhatsApp instead of an insecure choice (Telegram, unencrypted SMS) to communicate with your friends is a great move. Encrypting your phone with a passphrase (to be clear: not a PIN code, swipe pattern, or fingerprint; you want a passphrase) prevents anyone (for example, at the airport) from accessing your private data while it’s powered off. I recommend a longer passphrase (e.g. 20 lowercase letters, generated randomly) instead of mixing different character classes, to minimize frustration and typos.

evacide – (most of the useful technical advice has already been given, so I am going on a bit on a tangent here) Phones are one of the most clear-cut examples of money buying security, but when you’re making digital security/privacy decisions, always keep in mind the attacker in mind. Your most up-to-date iPhone will not help you if you’ve been coerced into giving your password to your abusive partner or that partner has installed an app (covertly or otherwise)  on your phone that allows them to spy on you. For these cases, it may be appropriate to covertly purchase a cheap second burner phone, which may not be as secure against hackers, but which may allow you to covertly communicate without alerting your abuser.

Question 2: You, on the Internet

Companies like FamilyTreeNow and Intelius collect data about every US citizen they can; even ones who don’t regularly use a computer. This data often includes addresses, phone numbers, social media profiles, criminal history, as well as family member names and birthdates. Obviously, this data can be very damaging when used inappropriately, and generates global privacy and security concerns far beyond simply being in a local phone book. Removing this data from hundreds of these companies is a huge undertaking, but commercial subscription services that do it reliably aren’t cheap. What’s the best option on a tight budget?

Viss https://www.abine.com/deleteme/landing.php – spend $129.

Munin – Do what you can to minimize the harm – that’s the name of the game here. If you can’t afford a good service, do what you can by yourself. It won’t be perfect, but reducing the threat surface to a minimum will help. Remember, you don’t always have to outrun the bear – you can last a lot longer if you can outrun the other campers.

Lloyd – I don’t believe takedown notices are an effective strategy in the whack-a-mole world of personal data aggregation. You can send them, but the sites can ignore them. Additionally, a lot of that information including birth, property, voter registration, and criminal/legal records are government-generated and legally protected public records. There are several very reputable services, including Intelius (get it?), you can pay to do help remove some of this information, but I would ensure they offer guarantees and other identity/credit protection services.

Lesley – Third party privacy services are out of many people’s’ price range, but certainly the most effective solution for everyday privacy concerns short of a new identity. Privacy is also a constant battle – you need to look at a subscription service more than a one-time removal. If you absolutely can’t afford one, you can opt-out of many services for free, but it’s a time consuming and convoluted process. As a last resort, at least remove your data from the top 20-25 services to try to delay and frustrate people trying to research you. Don’t make a harasser’s life easy.

plumTwo years ago I discovered a downloadable database of voter registration data that included DOB from eight US states, and it had already been online for several years and mirrored in Europe. For the individuals in these states, through no fault of their own, their identities are permanently at risk.  In truth we’re talking about mitigation, not prevention. Anyone’s best hope is an annual ID theft monitoring service. Some employers actually offer these free of charge.  Tight budget? You’re left to pull a free credit report once a year and hope you catch something. The system is pretty broken here.

Krypt3ia The ONLY way to avoid this is to not be you any more. So, you fake your own death after getting decent documentation with another name. Get credit set up for that person, a whole “new suit” as they say and then live that life and never talk to anyone from your past.

But oh wait… Now you have a new name and series of datapoints to worry about!

Best bet, go live off the grid in the woods or become homeless.

Another null sum game.

CiPHPerCoderI’ve got personal experience with the downside of these services. When I was a teenager, my mother’s hobby (which consumed most of her waking hours when not working) was genealogy research through websites like Ancestry.com. It’s kind of funny in that, as I taught myself more about computer security and online privacy, she was unwittingly working hard to ensure that I would never have privacy online. Many years ago (either 2009 or 2010), an Internet troll had used this publicly available data to send me harassing emails, demanding that I take my blog offline forever.

Despite that experience, I don’t have a solution here.

It’s obviously an extortion racket; using the threat of public exposure to get people to pay up. The alternative to reaching into your wallet is playing whack-a-mole with third parties that mirror your personal information. The first option provides this industry with the incentive and resources to continue harming people’s’ lives. The other maximizes the harm they cause your own life (by wasting time trying to achieve a modicum of the privacy you should, rightfully, already have).

However, like many other areas of security, layered defenses work wonders to fend off attackers. Making a new pseudonym and linking it to a false persona is challenging and requires a ton of discipline to be successful. Even if you can’t protect your personal information, you can prevent malicious parties from connecting your screen name to your real name without drowning in a moral quandary.

Question 3: Traveling Abroad with Digital Devices

Travel is often considered a privilege, but people from all backgrounds do travel internationally. There are firm warnings from security professionals about bringing mobile devices and computers into less friendly countries (especially ones that conduct extensive monitoring and seizure) as they may conduct forensics on them or insert surveillance hardware or software. This adds a layer of risk to somebody who is trying to remain unseen. The blanket advice is usually to bring a separate, disposable computer and phone if they’re required. Computers and phones aren’t cheap. What would you recommend to somebody who needs to travel overseas to a dubious location but doesn’t have a big budget?

Munin – If you’re travelling for business, see about having your company handle the purchase of separate, designated equipment. If you’re there for a conference or just visiting, see if any of your friends in that country [social media’s great for making friends in foreign parts] will be willing to let you borrow equipment while you’re there. Remember that any kind of electronics you bring across a border – especially these days – is probably going to get searched, so avoid the problem if possible. Also, take some time ahead of time to set up a benign social media profile – put some noncontroversial or patriotic looking activity on it, and lock down or suspend your real accounts before you travel. If you end up being forced, coerced, or pressured into giving up online activity, refer to that account as your only account. Part of being safe is looking like you’re not worth harassing – so keep the lowest profile possible.

Viss – Do you HAVE to travel with your phone? Or your laptop? Can you use a chromebook, and just buy a burner phone while you’re in another country? Do you feel that you’re in a position where customs here or there will try to get into your phone? Here’s a fun trick: Select a cloud backup provider (Spideroak, Box, Dropbox, ec2, whoever, doesn’t matter). Make a titanium backup or nandroid backup of your phone. Make sure to use the encryption option. Put your encrypted phone backup into cloud storage before you leave. Format your phone in the air on the plane. If anybody wants to look at your phone, they can see it – there’s nothing on it. Have fun. When you get to your destination, pull down your phone backup and restore it. You may want to remove all your downloads and stored media beforehand. If you take the time to either A) have a dedicated travel phone that you do this to, or B) just occasionally trim your phone storage down you can get this to under a gig.

Lesley Echoing Viss, consider very carefully if you really need the phone, or you just feel irrationally naked without it. Payphones may be rare, but they still exist in most transportation hubs, as do calling cards that work internationally (they are often sold in airports), and paper maps. If there is no way you can function without a phone, there are relatively cheap (<$40) options for unlocked disposable phones such as BLU’s, and SIM cards can usually be purchased a convenience stores when you arrive at your destination. Leave your sensitive personal data, including your fingerprints, off of any burner phone. Use it for travel essentials only. Stick to a “dumb phone” if you can.

Lloyd – For short term use, you can get used smartphones off Craigslist, get a prepaid SIM card, install just the contacts and apps you need for the trip, and then toss it on your way home. And, as everyone else has said, if you don’t need it, don’t bring it.

plum – I would never travel internationally with personal devices. Everyone has done well to discuss the risks, and from a practical perspective the logistics alone of getting a lost device returned to you from across a border – presuming a scenario that involves total honesty and goodwill – we’re talking long odds.

Krypt3ia – A USB stick with TAILS and an internet cafe or other access to a PC. Light footprint or you are in trouble. At this point you are dealing with nation states, and you will not win. INFIL and EXFIL into and out of countries is best done with very little on you. A mini USB (32 gig) can easily be tossed or eaten or destroyed. Not so much any other more expensive and luggable assets. For that matter you can cache them and in some cases secret them in your luggage where the color X-Ray and other schemes of detection can be obfuscated.

CiPHPerCoder – These are all good answers, so the only thing I can really offer is my setup. For domestic travel, I just have an encrypted laptop and encrypted mobile phone. If I’m traveling internationally, however, I’ll do the following:

  1. Rent a throwaway Virtual Private Server (VPS) from one of the providers on LowEndBox.
  2. Configure the VPS so that I can only SSH in via a Tor Hidden Service, using public key authentication (no passwords) with a SSH keypair unique to that server. (Ed25519.)
  3. Encrypt anything I need and store it on the server. (Veracrypt.)
  4. Purchase or repurpose a new laptop with a fresh Windows install for traveling purposes.
  5. Carry a USB or SD card with a Veracrypt-encrypted file containing the SSH private key.

TAILS can be procured on-site, and verified through other channels. I’d leave the phone at home.

Total cost: less than $10 if you already have the hardware on hand.

evacide – If you’re traveling for business, your business should have a policy in place your digital devices and travel. If they don’t already have one, this is the time to encourage them to do so. If you are crossing the US border, I recommend reading the advice EFF has written up as part of Surveillance Self Defense on this subject: https://ssd.eff.org/en/module/things-consider-when-crossing-us-border.  In general, I would make sure my devices are password-protected, encrypted, and turned off when crossing the border. Particularly sensitive information should be removed from the device in advance, encrypted, and stored on a server for (secure! encrypted!) download if you need it when you arrive at your destination.

Question 4: Credit and Identity Theft Monitoring

Identity goes hand in hand with privacy. More Americans have had a credit or debit card stolen in the past couple years than those who have not, and data breaches and identity theft are huge problems. Services that proactively monitor and protect against this come with a monthly or yearly fee. What’s an affordable and effective solution for responsibly keeping an eye on your identity and credit? Are there solutions for people who can’t get a credit card?

Viss – Most credit cards these days come with alerting capabilities that will tell you if a charge comes through past a certain amount. Turn that on and set it to like $50. Anything over $50 and you get a text or an email. INSTANT notification if something sneaky is going on. You can’t do much about it not getting stolen in the first place, for example in the case of Target, the malware was in the cash registers and nobody knew. But you can know immediately if an attacker tries to use your card for evil, and you can call it in right away. Simply do this with every card.

Munin – If at all possible, do -not- use a debit card for anything. Every transaction is a gamble – so gamble with the bank’s money, not your own, and use a credit card if at all possible. An affordable alternative to paid services is to be ‘lucky’ enough to be in a breach – haven’t we all, at this point, received several years’ worth of “credit monitoring” to compensate us for the time and stress of having our identities compromised? More seriously, though, follow Krebs’ advice – lock down your account with the major credit bureaus, and unlock it if you have a specific need for a credit check. It’s not perfect, but it’s affordable and will reduce harm.

Lloyd – Using anonymizing services like Sudo, Blur (Abine), or Privacy.com allow you to make purchases with credit cards you have 100% control over. Therefore, if an online store’s is comprised, you can just delete the card and move on. Lock down your credit reports and do that for any of your children as well – people don’t monitor their children’s credit, making them vulnerable to identity theft as well. You can also get prepaid credit cards using very little information. You should research which features you prefer like ease of reloading, low or no monthly fee versus per-purchase fees, or usability. Generally, Chase and Amex are great introductory options. For international travel, Kaiku offers a prepaid card with no foreign transaction fees, great for short trips abroad. Keep in mind Know Your Customer laws make it very difficult to access to U.S. banking system and stay anonymous from the U.S. government for very long or while handling large transactions.

plumThe OPM breach, the Target breach, the Home Depot breach have really paid off for me; the past few years of free monitoring have been nice.  LastPass actually bundles free credit monitoring, so that is worth exploring when this is done.

And as Munin mentioned, debit cards are cast from pure evil in a mold of good intentions. Never gamble on a retailer’s security posture with real money. Charge everything.  If you don’t have access to credit, use as much cash as possible and be very judicious in your check writing.  Every check you write says “hi, here’s my full name, here’s where I live, and here’s where I keep all of my money; in fact here’s my account number”.  That’s a lot to hand over to a complete stranger.

Krypt3iaMost banks do this now for you at no charge. I would not trust these companies to protect my data anyway. It is just adding to the complex web of your data being out there for others to abuse. Keep an eye on your accounts regularly and make sure your credit card/bank has your current number to call. Don’t waste money.

Lesley – Cash is your friend. Otherwise, a few people have already correctly noted how very risky bank debit cards are for your privacy and money. Unfortunately, many people are financially unable to get credit (or credit that promotes responsible use). There are a few options out there. Prepaid debit cards are one – although they may not have fraud protection, the amount of money which can be stolen from them is limited by the amount of money the purchaser loads them with. They can also lend some anonymity. Another option is a reputable credit card designed for people with low or no credit, designed to theoretically build credit over time. Legitimate options tend to be low limit, from a reputable creditor, with some security deposit required, and should always be designed to be paid off every month in full. Unfortunately this is a security blog, so I recommend you seek some free financial advice.

CiPHPerCoderThe credit bureaus are not your friend. Do not count on them correcting any mistakes on your credit history. Do as Munin and Viss suggested. Normally, the saying goes, “An ounce of prevention is worth a pound of cure,” but in this case prevention is your only recourse: There is no effective cure.

evacide – When you make online purchases, consider not storing your credit card number as part of your account. The same goes for storing your credit card number in your browser. Use 2FA whenever possible to protect your accounts and a password manager to create strong, unique passwords, so that if one account is compromised, the rest of them are still safe.

Question 5: On the People Still Using Windows XP

Tons of people have computers. Some of those computers are so old they are no longer patched or remotely secure.  While operating system vendors have gotten better at forcing security updates in recent versions, security (especially in the era of the cloud) doesn’t necessarily indicate personal privacy. In terms of fundamentals from operating system, to browser, to antivirus, what are your suggestions to somebody who wants to upgrade their computer in a privacy-friendly way, but can’t afford more than a couple hundred dollars?

Viss – Microsoft gives updates to small businesses and students. Linux is free. Running linux is generally fine for people who simply need “a browser so they can Facebook and Gmail”, and that will keep them from the vast majority of exploits, drive by downloads and other attacks that by and large only target Windows. From the perspective of the operating systems, it tends to get a little hairy because they are designed to spy on people at this point. Github has several examples of an “unfuck script” that one can run on a Windows 10 installation to turn off all that telemetry. Once that’s done, I wager a combination of Windows Defender, EMET, and Malwarebytes for ransomware run all together and cranked all the way up should be a pretty good start. It’s surely more than most consumers would do on their own reconnaissance.

Munin – Most folks will be fine with a Chromebook. They’re kind of stuck in the Google ecosystem, which I don’t like, but they get continual patching and have a vastly lowered threat surface. If you’re OK with the whole “webapps for everything” thing – and let’s get real; that’s 90% of everyone’s usage these days anyway – then a Chromebook will likely meet your needs.

Lloyd – Chromebooks sacrifice some measure of privacy to Google in exchange for affordable computing experience. If you are not concerned what Google knows about you, this is a fine option. It is very difficult to keep operating systems up to date long term without regularly upgrading your computer.

plumBasic, cheap ($200-ish), new systems seem easy enough to find. Certainly my best advice here concerns the disposal of old systems, as the general public is almost entirely in the dark when it comes to sanitizing equipment they don’t want anymore.  I say this a lot – the lifecycle of personal computing is so incomplete.  It’s so easy to get a new system, but we never really talk about how to get rid of the old one.  Getting familiar with a utility like DBAN, which for $0 will wipe any trace of your existence from a hard drive, is a great first step.

Krypt3ia Become more savvy about how  your systems work. Keep them patched and try to keep up with the attacks out there. However, for the average normal person out there these things I just said sound like the teacher on Peanuts. Once again, do not trust any operating system unless you have complete control over it and frankly no one out there can do this. It is thus important that you learn some OPSEC lessons. But again, try getting this through to Gramma, it is not that easy. It takes education and not the once a year kind.

CiPHPerCoderIf you’re still on Windows XP, this probably means one of the following:

  1. You lack the capital to purchase a newer computer.
    • In this case, make the switch to Ubuntu or Linux Mint, which are great and user-friendly GNU/Linux operating systems.
    • If you’d like to get familiar before you commit to a new OS, get Virtualbox (it’s free).
  2. You’re a company that needs to use software that doesn’t work on newer versions of Windows.
    • Consider switching to something like Qubes and running your Windows XP-dependent software inside of an isolated virtual machine to minimize the risk of a full system compromise.

Otherwise, you should just upgrade to a newer version of Windows. Laziness is incompatible with security.

Lesley – Part of this comes down to a distinction between privacy from companies, privacy from governments, or privacy from traditional criminals and the average nosy Joe or Jane.

An updated version of Chrome OS or Windows has a professional security team behind it releasing patches and responding to reports of vulnerabilities. This is really important. Of course, those companies rely heavily on cloud computing and telemetry – that’s how they provide the user experience which their customers expect. We’ve been focusing heavily on solutions for people facing criminal / stalker-type privacy concerns. In those situations, Chrome OS is an affordable option (assuming associated Google accounts are well-secured). Up-to-date Windows (while pricier) can be a good choice, too.

If you’re worried about privacy from companies, commercial options probably aren’t a great choice. This is where more user friendly versions of Linux like Mint or Ubuntu may be feasible. Of course, these distributions of Linux are ostensibly free, but that’s somewhat offset by the amount of time required to learn to configure and secure them.

If you’re worried about sophisticated actors, not only should you keep sensitive data off the internet, but you should restrict sensitive work to full disk encrypted systems without any speakers or network, Bluetooth, or wireless adapters physically installed.

Question 6: Private Digital Communications

There are numerous reasons to use encryption, and communicate and browse the internet privately. Abuse and harassment victims, whistleblowers, celebrities, journalists, and even government and military personnel may have to contend with being targets of surveillance, physical threats, or blackmail. Beyond overt risk, we have a fundamental right to privacy from the massive networks of data collection of advertisers and marketing firms that buy and sell our intimate details. While some services like Signal, Tor, and Protonmail are free, trustworthy VPN often isn’t. What are your suggestions for somebody non-technical who wants to communicate and browse with minimal potential for interception, without paying a lot?

Viss – Wire is free. Signal is free. Tor is free. VPNs are not. I run a small VPN service for exactly this reason. It’s IPSEC not SSL. That’s an important distinction, as well as it’s not “an app”. My VPN service uses Cisco hardware, not just “some cloud instances”. Do some homework on any VPN provider you elect to choose and try to steer clear of SSL based VPNs. They usually collect data about you and where you go, so while it may protect you from the skiddies in the coffee shop, it’s not protecting you from the vendor collecting your data for your $5 VPN account. If you’re a bit more technically inclined you could simply use an SSH tunnel. For that same $5 you could spin up a Digital Ocean host and use that as an SSH tunnel endpoint. Or you could stand up your own VPN. If you’re concerned about a private messenger on your phone being an indicator of you doing something shady, then install a bunch of them and use them for silly things. I have a wire room setup for “only gifs, no talking allowed”. There are nearly 40 people in there and nobody says a word, we just post silly gifs. So while it looks like there may be discussions happening to any outside viewers who can’t see the messages, it’s just noise. If you make lots of noise, it’s super easy to get signal through it. You just have to make sure the patterns of signal to noise aren’t super obvious.

Munin – “Use Tor, Use Signal” is the cliche in our world now, but it’s really going to depend on your specific needs. Harassment victims have different threats than whistleblowers, than celebrities, than journalists – there’s no one-size-fits-all solution. Perhaps talk to one of us, or some other trusted source, to figure out what your threat surface is, and work out what tools you have available that can best be used to manage it?

Lloyd – Depending on who you’re concerned about watching you, Signal, Wickr, and WhatsApp are fine for communication. I’m also a big fan of a pen and a piece of paper, and old fashioned face-to-face meetings. And never use a free VPN.

Krypt3ia Use Signal, Use TOR Browser, and understand that everything you do on the net, everything you put out there is a threat to that privacy. For that matter, every device is giving up your private data and giving the companies and governments a portrait of “you” that can be used against you. How would I obfuscate this data? There are some means such as add-ons to FireFox (TrackMeNot and uBlock) You may also want to read Obfuscation: A User’s Guide for Privacy and Protest (MIT Press), which had some good ideas on how to use digital chaff to try and limit the real data these corporations have on us. If you have an adversary though that is directly in opposition, then use encryption (GPG, Protonmail, etc) but always know that the endpoints are always suspect (those you email with and the company serving you the service) so really, own the end point, forget the secrecy.

plumGreat points have already been made.  I’ll add that it is critically important to remember to assess all of your online activity and electronic communication through the lens of litigation. If it exist(s)(ed), it can be subpoenaed.  If this presents an unacceptable operational risk for you, hash things out face-to-face.  If the logistics are not practical, follow Lloyd’s golden rule above: never use a free VPN.  Tor is a go-to. While a little different, I would also keep an eye on Brave.

CiPHPerCoder – The only VPN you can trust is the one you’ve setup and administer. Most users aren’t technical enough to do this, and therefore shouldn’t use VPNs.

That said, there isn’t a winning concoction here that doesn’t require some user education to provide robust security against sophisticated threats.

Tor is great, but only if you understand its limitations. Tor + unencrypted HTTP means the exit node can sniff or alter your traffic.

Signal is great, but only if the person you’re talking with also uses it; otherwise, you’re communicating over unencrypted SMS. (You can turn the SMS fallback off.)

Whatever technology you choose, take 5 minutes to read through the documentation. The better you know your tools, the less likely you’ll make a fatal mistake when using them.

evacide – Before you choose a secure or private communications tool, think about your threat model: are you trying to protect your communications from criminals? From the government or law enforcement? From your parents or your spouse? These are all very different models. How important is it to you that the message should be secure? How important is it that the message actually gets to you in a timely fashion? (I’ve lost track of the number of arguments I’ve gotten into with my friends and family because a Signal message didn’t go through).  Are you OK with giving out your phone number for this communication?  Seriously, and I cannot emphasize this enough, Signal is not always the answer.

Lesley – A lot of differing opinions and options have been provided with regards to this problem – hopefully providing a starting point for consideration and discussion about private communications. I want to stress again that no matter what options you choose, noise is critical. Most of the private communications methods listed above hide the message, not the fact that you’re hiding a message. If you use VPN or encrypted messaging only for sensitive conversations or browsing you’re trying to hide, anybody watching will immediately start to look at that specific communication in more detail. For this reason, one of the first things I check in a computer under forensic investigation is the private / incognito browsing history. It usually contains only activity the user wanted to hide.

Whether want to prevent an angry ex or a multinational criminal organization from intercepting your sensitive communications, make sure they are lost in a sea of everyday benign private traffic. That’s why Tor usage is so highly encouraged by privacy advocates for everyday communication – if only foreign journalists under death threat by rogue dictators used it, their traffic would be easy to spot and target.

Question 7: Authentication

Online accounts are always a target, and passwords are generally easy to guess by casual criminals and advanced actors alike. So, we frequently advise people to enable two-factor authentication on their accounts through an app or (less desirably) SMS. The problem is, not everybody has a smartphone of their own – particularly one that works everywhere reliably. What are your suggestions to somebody who uses online accounts, but doesn’t own their own phone?

Viss get a Google voice number, and set up hangouts to accept SMS messages. DO NOT SHARE THIS NUMBER WITH ANYBODY. You can set up 2FA SMS for everything that uses it, and those texts will hit Google hangouts. You can get them on a desktop/laptop, or through hangouts on your phone. The connection between your phone and Google is cert-pinned SSL, and the ‘secure texts’ will come through over data not SMS. It’s not a silver bullet, but it defeats Stingray attacks and mobile phone “man in the middle” attacks. You can also configure Google voice to either forward those SMS messages to another number, or email them to you, or another email account. There are many options.

Lesley – An alternative option is a physical two-factor security key, a tiny object which is inserted into the USB port of the computer you are using while you log into a wide range of web services. U2F keys are well under 20 dollars, easily purchased from many online retailers, and should theoretically last far longer than many electronic devices. The downsides are that if you lose the key you may be in trouble, it won’t be usable in places which block the use of USB ports, and it could potentially be seized.

Lloyd – U2F keys aren’t a cheaper option than what Viss recommends. I like physical keys but they have weaknesses: your key can be stolen, there is still limited support for physical keys, and they cost money. If you’re someone who forgets things, leaving your key at home or in the wrong bag can cost you a day of work if you aren’t careful.

plumWithout a true “something you have”, 2FA starts down a road of compromise.  Like Viss, I have not completely criminalized the use of SMS, and he presents a creative solution.  Burner phones can serve this purpose well.  For five bucks, a refill card for a thousand text messages could last a while.

CiPHPerCoderThis came up a lot in the discussion of the Guardian’s terribly misleading WhatsApp article. In the real world, a lot of users share phones and swap out SIM cards rapidly. In the WhatsApp case, this makes public keys change rapidly, which could create a UX nightmare for people who have used WhatsApp for years and never even heard of encryption. Many of the 2FA assumptions break down in a shared-device scenario.

If you’re in dire straits here, Viss’ Google Voice number suggestion is probably your best bet. I’ve not heard any other realistic solutions for folks who share phones and don’t own security keys. If 2FA isn’t available, outright, consider making it more of a point to use a password manager (KeePassX, LastPass, 1Password, etc.) than if you had 2FA.

Munin – This particular question’s been giving me problems for a few days now. The long and short of it is that, as far as 2FA is concerned, the users are entirely at the mercy of the vendors as to what nature of 2FA solutions the vendors support – for instance, though I really, -really- want to use a yubikey with twitter, twitter declines to support this option and only allows SMS based second-factor auth.

Unlike the other questions here, this is one in which the user has very little control over whether or not they can effectively follow the advice given.

The ‘correct’ solution would be to only use services from vendors that support proper 2FA – but when those services won’t “do the job” – e.g. all your contacts are on a service that doesn’t do this correctly – you’re inherently limited in what you can do.

So my ultimate advice here would be – if you -can- follow the solutions given above, do so; if you’re not able to, then do the absolute best you can with what you have available. If you don’t have a unique device available for a second factor, it’s best not to push for a compromised second factor over a non-compromised single factor. Control what you can, and look for opportunities to make it better; and pay special attention to those things you cannot control – monitoring is a kind of mitigation.

Question 8: You, in the Real World

We’ve discussed our online lives in detail, but what we do every day in the physical world leaves a huge digital footprint as well. This includes all kinds of activities, like shopping, banking, and our hobbies and work. Let’s think in terms of our introductory example of a victim of stalking and abuse (this time, in 2017). What are feasible actions he or she can take in day-to-day life, with a small budget, to reduce the digital footprint left by his or her activities (while still remaining a part of modern society)?

Viss – Use a combination of personal travel and ridesharing applications or public transit to mask surface travel. Combine using different credit cards with paying in cash. Change travel routes to not consistently use the same path to get to destination. Make random stops (at shops, for coffee, etc, whatever) to make it harder to determine where you are going. Turn off your phone from time to time (yank the battery if you can). Don’t spend a lot of time walking on the street in the open. Travel in a vehicle or on public transit as often as you can. Do not dress to impress. Do not stand out. Plain shoes, jeans, t-shirt. If you want to blend in, then blend in. You can look spectacular later. Pay attention to your surroundings. See if people are pointing cameras at you. Take detours and see if you see the same people over and over again. If you think you are being followed, validate that feeling by taking more detours and seeing if the same people are there. If you are confident you are being followed, let the people following you see you taking their photo or recording them. It helps if you have more than a phone – like a GoPro or a camera of some kind. Usually in that scenario they’ll have no idea WTF to do. The easiest way to not be a victim is to not simply lie down and take it. If you feel you’re being victimized, complaining about it on Facebook or writing a longwinded gif-riddled post on imgur will solve nothing. Get evidence of stalking or abuse. As much as you can. Confront the problem head on. If your abuser is physically abusing you get a restraining order and back that up with video evidence. http://www.wikihow.com/Be-More-Perceptive This is a good start.

TL;DR: everything on the internet leaves some kind of log. Don’t post stuff online then try to remove it. Just don’t post it in the first place. Don’t openly volunteer information for the sake of small talk. If someone asks how your day was, tell them – but don’t feel obligated to explain that it’s going poorly because your car insurance carrier dropped you because you were unable to make your last payment, and that was because trouble at work led to you being fired. That’s a lot to unpack and gives random people WAY WAY MORE INFORMATION than they need to just chat you up. It takes a bit of practice, but you can usually turn those kinds of conversations around onto them, and have them tell you a life story while not saying a word.

Krypt3ia

Physical:

  1. Enhance your situational awareness
  2. Understand where the cameras are and seek places with less of them to do business
  3. Understand where the cameras are and seek to obfuscate their seeing you (hat, glasses, scarf etc and look down, not into them.
  4. Randomize your routine, in fact do not have a routine
  5. Read up and practice counter-surveillance techniques (I can recommend books) but really having real practical experience and mentorship is key

Digital:

  1. Take all of the advice above in this document and use it.
  2. Leave your digital equipment behind or put them in Faraday bags
  3. Understand the precepts of OPSEC with regard to the internet
  4. Be vigilant

plumEndeavor to use more cash.  Every time you use a credit card, you’re generating data about where you are and what you’re doing.

Don’t allow mobile apps to use your location automatically, or at all.  Don’t check in.  The world doesn’t need to know you’re going for a run on your lunch break *right now*.  Tell them later about how you had a great run today, without mentioning where and when.  Small things like this. You’re not hiding your habits, you’re just removing the unnecessary precision in describing them.

Augment your digital protection strategy with self-defense skills.  You may never need to use them, but you’ll feel a hell of a lot more confident.  And when you’re confident, you carry yourself better, you’re more aware of your surroundings, and you turn the tables on being vulnerable.

Lloyd – Privacy and security are practice, and can’t be done alone. Your information, even your home address, is known and stored in devices and on paper by your friends, family, and coworkers. Most “hacks” occur via social engineering, where unsophisticated people are exploited for the information they keep. Educating the people around you should always be a part of any physical security practice.

Lesley – Pseudonyms and fake backgrounds aren’t just for criminals, people on the run, or spies. Sometimes, a little white lie is legal and okay, and even recommended. There are lots of places in your daily life where you can operate outside your real identity without even violating terms of use agreements. Countless examples include the fact that you don’t have to ship or receive packages at your house, you don’t have to provide real answers to your security questions, and you rarely are required to register for incentive or loyalty programs under your real name or address. Consider what information you are providing third parties out of naive, good-hearted honesty, versus what information you are providing out of legally-obligated honesty. Data collection and marketing firms don’t have your interests in mind. Why are you treating them like you have an honest, confidential relationship?

CiPHPerCoderIf you can, turn your phone off and take the battery out when traveling or discussing anything sensitive with your friends or family. Try to practice common sense at all times. Don’t, for example, take needless selfies and then share them publicly on social media if you’re trying to attain better privacy. Simply put: They don’t need to know, so don’t tell them.

Paying with cash has two benefits: It’s not directly linked to your bank account, and it promotes better money management discipline than debit/credit cards (which in turn will allow you to save money toward some of the solutions discussed above that might be out of your budget).

evacideA lot of the advice above means making major changes to the way you live. Think about how much you’re willing to change in order to avoid your stalker/abuser. A lot of victims are trying to balance their desire for privacy and distance from their abuser with a desire to continue living their lives in a normal fashion. Some simple steps such a person can take include using a pseudonym on social media accounts, locking down one’s social media accounts so that content can only be viewed by trusted friends, and making one’s trusted friends aware of the situation so that they can alter you if they are contacted by your stalker/abuser trying to get information out of them.

Munin – The advice above is all good, but ultimately, the real problem is in balancing proper paranoia with the ability to function as a person. This is very difficult.

Balancing the need to stay hidden with the very real psychological dangers of isolation is difficult even for trained professionals – so maintaining such a cover will necessarily cause stress and strain. If you have anyone that you can trust, make sure you can stay in contact with them to keep an even keel. That will help with balance, and help you remember how to use the other advice appropriately.

★ ★ ★

(Additional credit on this article goes to Bill Sempf, who contributed extensive expertise on skiptrace investigative methodology.)

All opinions in this article are that of the individual contributors, and do not necessarily reflect the views of their employers, past, present, or future.

Thwart my OSINT Efforts while Binging TV!

There’s been a bit of a social media uproar recently about the data collection practices of people search service FamilyTreeNow. However, it’s certainly not the first, only, (or last) service to provide potentially uncomfortable private information about people on the internet without their knowledge or consent. Even the most technologically disconnected people are frequently searchable.

In conducting OSINT research on people, services like FamilyTreeNow are often a gold mine, and are one of my first stops when I’m searching out useful facts to pivot into more intimate details about a target. Do you really want any casual stranger to know your home address, phone numbers, email addresses, and the names and ages of your kids? While disappearing from the internet completely can be nigh impossible, spending a little time removing easily accessible data can cause frustration and extra work for a nefarious (or nosy) person investigating you. I speak from experience. So, it’s worth taking some time to do, as we always want to make bad guys and gals’ lives harder.

So, grab a snack and a beverage, queue up a TV show to binge watch, and let’s make some quick and easy wins in helping you disappear from the malfeasant public eye. I’ll only ask you do five quick tasks per episode. You can do them during the boring parts.

Before we start, I highly recommend setting up a new webmail account to perform these removals. Almost all of the services require an email to opt out, and many require account registration. Since we’re dealing with firms that collect information about people, it’s sensible to avoid using your day to day or work email.

One last thing! It’s important to remember these services are not always accurate. You may have more than one entry for yourself at any of these services. Make sure to check!

Let’s begin!

  • Let’s get the aforementioned FamilyTreeNow out of the way. Their opt-out form is here: https://www.familytreenow.com/optout. They’ll require you to search for yourself through the opt-out page then click a red “opt out this record” at the top of your entry. (You must repeat this process from the start for every profile you wish to remove.)
  • Next, let’s head over to Instant Checkmate. Their Opt Out form is here: https://www.instantcheckmate.com/optout/ and requires you enter a name, birth date, and a contact email address.
  • We’ll head over to PeekYou, next, which requires you search their database first and provide the numeric profile ID in your page(s) URL, as well as an email address. Their opt out page is: http://www.peekyou.com/about/contact/optout/
  • Next up is Spokeo. You’ll once again need to search for yourself, but this time all you need to do is copy the full URL of your page(s). Then, head here: http://www.spokeo.com/opt_out/new, paste that link and enter your email address.
  • Let’s head to BeenVerified’s opt out page at https://www.beenverified.com/f/optout/search. Simply enter your name and location, select your entry or entries, enter your email, and click the verification link that is immediately sent to you.

SNACK, BEVERAGE, NEXT EPISODE BREAK!

  • So, Whitepages has two different types of profiles – free and paid, and they seem to have little to do with one another in terms of removal. For the free side, you’ll have to sign up for their service to remove entries, (which includes email verification). Once logged in, you simply need to paste the link to your entry here: https://secure.whitepages.com/me/suppressions.
  • For Whitepages Premium, you must open a quick support ticket with their help desk. Full details and the Help interface are here: https://premium.whitepages.com/help#about. You will need to copy and paste the link to your premium profile in the ticket (not the free Whitepages entry).
  • Let’s head over to PeopleFinders, http://www.peoplefinders.com/manage/. This one’s super easy; just use the search box to find your profile, and then click the opt-out button.
  • PeopleSmart is also relatively simple. Search for yourself at https://www.peoplesmart.com/optout-go. You will need to enter an email address and click a verification link.
  • USA People Search’s opt out page is here: https://www.usa-people-search.com/manage/ and simply requires clicking your profile and entering a captcha.

 SNACK, BEVERAGE, NEXT EPISODE BREAK!

  • Let’s head to Radaris, at https://radaris.com/. Search for yourself. Click “full profile”, then click on the down arrow to see the full menu of options. There is one that states “Control Information”. This will prompt you to register for an account with their service and claim your profile as yourself. Once you have done so, you will have the option to “Remove Information” or take your aggregated profile private, at any time.
  • The last information service we’ll tackle today is Peoplelooker, at https://www.peoplelooker.com/f/optout/search. Once again, a relatively easy opt-out process using a verification email.
  • Finally, let’s do a little social media cleanup!
    • If you have a Facebook account, perform a Privacy Checkup. It won’t take too long. Ensure your posts and likes are as private as possible.
    • If you use Google or YouTube services, perform their Privacy Checkup. Once again, ensure nobody but the right friends and family can see your activity.
    • Head to LinkedIn. On the header menu, select Privacy & Settings, then select the “Privacy” tab. Consider how much sensitive detail you are providing about your workplace, their tools and processes, and yourself. Consider restricting certain data on your profile to only connections and members.

Good work! Enjoy the rest of your snack and your show! Be proud that you’ve done some good work cleaning up your public presence, today.

***

It’s important to note that I’ve left a couple services out of this guide that are referenced in other comprehensive lists, (like this one), due to the complexity and frustration of removing data from their services. Notable examples, Intelius (and their many subsidiaries) and US Search unfortunately require a form and photo ID for information removal – the latter by fax or snail mail(!) So, while we won’t tackle these removals while we watch TV and enjoy a nice cold beverage, they are something to consider addressing with a little time and during business hours.

If you are in a sensitive situation and need a clean slate as soon as possible, I do recommend considering a paid data removal service like Abine.

 

101 Ways I Screwed Up Making a Fake Identity

As most of you know, my professional area of expertise in security is incident response, with an emphasis on system / malware forensics and OSINT. I’m fortunate enough in my position in the security education and con community to sometimes get pulled into other directions of blue teaming and the occasional traditional penetration testing. However, the rarest of those little fun excursions are into the physical pen testing and social engineering realm. In the breaking into buildings and pretending to be a printer tech realm, I’m merely a hobbyist. 🙂

Therefore, it was a bit remarkable that in the course of developing some training, there was a request for me to create some fake online personas that would hold up against moderately security savvy users. I think most of us have created an online alter ego to some extent, but these needed to be pretty comprehensive to stand up to some scrutiny. Just making an email account wasn’t going to cut it.

So Pancakes went on an adventure into Backstop land. And made a lot of amusing mistakes and learned quite a few things on the way. I’ll share some of them here, so the social engineers can have a giggle and offer suggestions in the comments, and the other hobbyists can learn from my mistakes. Yes, there are automated tools that will help you do this if you have to do it in bulk for work, but many of the problems still exist. (Please keep in mind that misrepresenting yourself on these services can cause your account to be suspended or banned, so if you’re doing more than academic security  education or research, do cover your legal bases.)

What I messed up

I’m not going to waste everybody’s time talking about how to build a unremarkable and average character in a sea of people or use www.fakenamegenerator.com, nor how we always set up a VM to work in to avoid cookies and other identity leakage (including our own fat fingering). Those have been discussed ad infinitum. Let’s start with what happened after those essentials, because creating a good identity is apparently a lot more involved..

  • It pretty much required a phone number from the get go. I spun up my VMs and created the base sets of email and social media accounts that an average internet user might have, but Twitter was on to me from the start. I wasn’t planning on involving a phone for 2FA at all, but their black box security algorithm tripped in seconds and made me use a phone to enable the first account. So, I’m pretty much terrible. Granted, there are plenty of online services that will give you a phone number, and I could have burners if I felt the need, but it added a layer of complexity. In a good move, it looks like most of social media is now spamming new users to enable 2FA.
  • My super authorial D&D skills at creating dull people in big towns and reposting memes weren’t enough. I had to make friends and meet people to make the profiles pass as real. I knew that was going to be a challenge, but I didn’t expect it to become such a thought problem.
    • Twitter was the easiest once I fleshed out the characters and followed a bunch of accounts they would like, then people following those accounts. Some people just follow back folks who aren’t eggs (I do). I quickly had 40 or 50 followers on the dummy accounts. I’m apparently big in the vegan cooking scene now.
    • LinkedIn wasn’t too bad once somebody clued me into (LION) tags and good old 2000+ connection recruiter accounts. The people who participate in that essentially connect with anybody, regardless of the normal LinkedIn security and privacy rules about knowing people personally. So after making decent profiles, I just had to find a couple people with the tag, then fork out through 2nd degree connections in their vast networks to the correct industries and regions. Of course, I had to do a bit of strategic plagiarizing from other people in my characters’ professions’ skills sections to build believable people, first. (We have yet to see if they got any recruiter messages, but none of them had really lucrative careers.)
    • Facebook was actually the one I struggled with the most, because you really need a starting point in your network to even add other people. I talked to a lot of security folks about my woes there and they made some good suggestions. The first was to play some Facebook browser games for a few minutes (I feel like my time with Candy Crush was worse than the dark web), then go to their community pages and plead “add me”.  Again, people cheating the security / privacy system make it easy to gain a foothold. A couple popular games got me 50-100 friends, and from there by using Facebook’s lovely verbose search system, I could move my network into the regions that my personas “lived in”. For instance, if the character were from Chicago I would search for friends of friends of the connections I had made for people in Chicago, and those people were much more likely to add me because I was a “friend of so and so”. The other effective strategy people gave me was to present myself as an ardent fan of a sports team or political party in article comments. That worked pretty well, but not as fast as the games.
    • Once I had some “friends” on Facebook, moving into specific workplaces and schools wasn’t too hard. Public Facebook Events at those institutions and their associated venues provide lists of lots of people to add who were almost certainly physically present. Again, once I had a few connections in that circle, it became exponentially easier to add more.
    • Pinterest, YouTube, and Meetup were pretty easy – there’s really not a lot of verification of users there, by design. I liked them for this because they’re very public and tie the other social media profiles together nicely. I confess that I did lose my nerve when Meetup group sign up forms asked me detailed questions about my “kids” or my “spouse”, and stuck to ones that weren’t so intrusive, because that just felt creepy (says the woman who looked up a cached copy of your 2004 MySpace page).
  • I don’t normally feel guilty when I’m hacking somebody in a pen testing engagement (it’s for a good cause), but I did feel a little weird and guilty interacting with unwitting strangers on the internet as other people. It definitely took me out of my comfort zone – not only did I have to role play other personalities with wildly different views, but I had to shake my normal security paranoia to do stuff like click “add friend” a lot without hesitation and leak data through privacy settings, strategically.
  • I really had to commit to one character at a time to develop them into a person.
  • Even in a clean VM, there was still apparent tracking to my IP space on LinkedIn! I didn’t bother to use a proxy or a public connection for an educational endeavor, but if I had to flee the mafia or something I would certainly keep that in mind. Internet advertisement tracking is insidious and possibly scarier than any nation state actor.
  • Photos are everywhere yet were strangely really hard to come by. Fake identity creating sites like https://randomuser.me/ provide profile pictures, but anybody half decent at OSINT will immediately reverse image search a suspicious profile’s picture. Their stock art photos have been so abused that searching any one at random provides a trove of suspect business reviews and fake LinkedIn profiles (a blog of its own…). Again, since this was a legal and ethical endeavor, I just used a collection of donated (previously unposted) photos from friends, heavily visually filtered and transformed. Even that required a lot of careful checking for metadata and visual clues that tied them to a location. I’m sure there are more expensive stock art photo sources that are less abused, but I’m not sure how ultimately virginal even their photos are. Maybe I should invest in a good wig and glasses.
  • This was time consuming, and I can see it becoming incredibly time consuming, which is the reason you use tools to automate the wits out it if you do it regularly as a penetration tester. Facebook and Twitter timestamp content, and comprehensive ways around that are the kind of things social media companies give out hefty bug bounties for. On Twitter, you can retweet a years worth of old tweets in temporal sequence, but that will never change your publicly visible account creation date. Similarly on Facebook, you can manually change the date and location of posts, but your account creation date is still pretty easy to see based on other time data and your profile ID number. Ultimately, there seems to be no substitute for good old months and years of the account existing. If somebody has a work around they’d like to share, I’m all ears.

What we can learn about OSINT and defense from this exercise

  1. Not new, but always good to reiterate: people bypassing security and privacy controls for convenience is a really big security issue. People who blatantly bypassed the personal connection requirements on Facebook and LinkedIn made my job a lot easier. If nobody had accepted my fake characters’ invites on social media, I would have been pretty stymied and stuck buying followers or building my own network to be friends with myself.
  2. As an adjunct to #1, be mindful of connections via one of these “wide open” social media accounts (many hundreds of connections, or an indication they don’t screen requests in their profiles).
  3. Reverse image search the photo, all of the time. Maybe on two sites! This should be something you do before dating somebody or making a business deal, just like googling their name. No photos are, as always, a red flag.
  4. Check the age of social media profiles even if they look verbose and well defined. Stealing other peoples’ bios is easy.
  5. Never be connection #1, #2, or #3 to a profile you don’t recognize (you enabler).
  6. Don’t accept connection requests from Robin Sage, (or anybody else who presents themselves as a member of your community with no prior contact).
  7. In fact, don’t accept friend invites from people you don’t know even if they have 52 mutual friends and “go to your school”. I had 52 mutual friends and was bantering with the school mascot about a sportsball team I’ve never heard of, in a few minutes.
  8. Look for some stuff that’s deeper than social media and typical web 2.0 services when you’re investigating a person. My typical OSINTing delves into stuff like public records, phone and address history, and yes, family obituaries. Real people leave more artifacts online over the course of their lives than merely things that require a [Click Here to Sign in with Facebook], and the artifacts I listed are harder to fake quickly.
  9. Forget trust, verify everything.

The Top 9 Ways I Found Your ‘Secret’ Dating Profile

  1. You reused a cute username (or email address).

Aliases and usernames have become a big part of our personal online presence, and we often feel tied to them when we register for new sites and services. This can be a great was to build an online identity, but it can also make it trivial to tie our activity on various services together.

Even if your registered username isn’t immediately visible in a dating profile, it’s often visible in the URL of your profile, your profile photo filenames, or during communication with other users.

There are plenty of free and paid services which search and monitor social media and email accounts by username. Pipl is a great example. It will rapidly scan popular sites and services for email addresses, usernames, names, and phone numbers to build a comprehensive profile of a person.image002

Namechk.com performs a broader sweep of services for usernames only, immediately flagging services where a particular username has been registered. This is an easy way for someone with malicious intent to draw connections between a dating site profile username and your ‘real’ life, even if your profiles are correctly private or hidden.

image004

The very simplest, a Google search will often turn up social media profiles, forum posts, and blog comments tied to a particular username. If you’re concerned about dating site matches finding your online presence, or people online finding your dating profile, just don’t reuse usernames or email addresses!


 

  1. You reused profile pictures.

A few years ago, image recognition on a large scale was restricted to law enforcement and corporate security. This isn’t true anymore. Free services like Tineye and Google Images will search billions of indexed images on the internet for identical or similar pictures. This isn’t necessarily traditional hash or metadata specific – cropping or resizing an image is not a foolproof way to defeat this (as I show in the screenshot below, where Tineye and Google correctly identified my profile selfie which is substantially cropped on social media). The photos are visually similar enough that the search engines’ algorithms can draw a connection.

image006image008

Ultimately, this means that if you are interested in privacy, you should never reuse a photo or set of photos that you’ve used elsewhere on the internet (at any time) on your dating profile. Choose where to use your glamour shots, wisely!


 

  1. You forgot to check and sanitize your pictures.

Reuse isn’t the only situation in which photos can compromise your privacy. There are two sets of clues that can give away important personal information in your photos. The first are old-fashioned visual clues. Consider: is there a window in your photos, and are there identifiable buildings or landmarks outside of it? Were your photos taken in an apartment building or dorm that can be easily identified in other people’s photos? I highly recommend reading this eye-opening blog on the subject by IOActive. Give some thought to what people can see in your photos’ backgrounds before posting them to your private dating profile.

The second way your photos can betray your privacy is a bit more technical, but still terribly important to recognize. It has to do with hidden information, or ‘metadata’, which is tacked onto most pictures by phones, photo editing software, and digital cameras. You can’t see EXIF metadata without using special tools, but it may contain startling amounts of information about where the photo was taken, by whom, and when. This exists primarily to help out professional photographers and photo storage tools.

image010

I took this pretty photo at Disney World. Let’s look at some of the data hidden inside of it:

Create Date                     : 2016:02:20 20:01:04
Make                              : Samsung
Orientation                     : Horizontal (normal)
Flash                               : No Flash
Focal Length                   : 4.3 mm
GPS Position                   : 28 deg 21′ 27.100″ N, 81 deg 33′ 29.71″ W

Even with location geotagging disabled in your camera settings, metadata still provides a tremendous amount of detail about you and your devices, and can even uniquely identify photos taken with your camera. (The use of photo editing tools also becomes blatantly obvious, which can be a cause for some embarrassment.) Ensure you remove identifying metadata from photos before posting them onto your dating profile.


 

  1. You forgot that the internet is forever.

If I were forced to pick only one error which causes dating site members the most personal embarrassment over the long term, it’s forgetting this. A single mistake made months earlier can haunt you. Let’s imagine that before reading this article you uploaded your professional headshot to your dating site profile. You realized a few days later that it was too much of a privacy give-away, and made the wise choice to switch to a new photo. You might not be out of the woods.

Search engines and archive sites are continually indexing as much content as they can from the internet. These sites retain cached copies of images and pages long after they are changed or erased at the original source.

Somebody with malicious intent may use this to their advantage when trying to correlate your dating profile to other web content. He or she will very likely check search engine caches for old pictures or bios that are easier to identify or contain embarrassing details. If that professional headshot is still in a cache associated with your dating profile, he or she can use Tineye to match it to your corporate bio that shares the same photograph. If you’ve changed your username, he or she may be able to find the previous version.

Unfortunately, this isn’t an easy thing to fix after the damage is done. The bottom line is: assume that anything posted to the internet is perpetual, and usually cannot be removed (even through legal action). If you post data which compromises your privacy or reputation to your profile, remove it immediately and consider starting fresh with an entirely new profile. If needed, pursue sites and search engines to remove what they can and will, and disassociate your online identity as much as possible from the content.


 

  1. Minor details tell a larger story about you.

This is open source intelligence 101. The individual facts and conversations you post on dating sites might not give away your identity, but as a collective whole, they may. Give some consideration to how much information you’re giving other users over time and as a whole. Did you post that you live in Milwaukee, tell a user that you live in an apartment with a pool, and tell another that you live next to an airport? These pieces of information put together say a lot more about your location than they do individually.

image012

Pay attention to details. How much information have you posted on your profile over time as you’ve updated it? How much information are you providing in private conversations with other users?


 

  1. Your social media profiles aren’t private enough.

The number one open source intelligence source that people with evil intent will try to use against you, or to identify you, is your social media profiles. You make a malicious person’s life significantly more difficult by simply locking down your social media profiles so that nobody except people you know personally can view them, or that the data that is publicly visible is not enough to provide the attacker an advantage.


 

  1. You joined your social media profile to your dating site account.

We’ve previously discussed the privacy risk posed by sharing photos, usernames, and email addresses between your private dating profile and the rest of your online presence. Linking your social media accounts may be a simple and timesaving way to create an account on many dating sites and apps, but these sites frequently import most of the data we’ve discussed above directly into your dating profile and account. Given all the points we’ve discussed previously, this is obviously not a wise choice.

I highly recommend using an entirely new and separate email account to sign up for a private dating profile. If the site in question absolutely requires linking a social media account, start a new one without unnecessary personal details.


 

  1. You forgot that social engineering (and catfishing) happen, and can happen to you.

No matter who you are, which gender you are, what you do for a living, or how much money you make, you can be a target for fraud or social engineering. Somebody who wants to manipulate or identify you on a dating site may attempt to gain your trust before drawing you into a trap. If something doesn’t feel right, it probably isn’t. If something seems too good to be true, it probably is. Be very cognizant of members leading you into revealing unusual personal details, compromising photos, or financial information. Dating sites are fair game to cyber-criminals.


 

  1. You weren’t aware that you were accepting risk.

Dating online, like the rest of our lives, carries some inherent risk. The level of risk associated with joining a dating site and interacting with others on that site varies by each individual’s situation. For example, this risk may be to your reputation if your profile (or behavior with other users) were publicized, or to your personal safety if your location or identity were compromised.

Online dating is a great option for many people and many healthy relationships exist today because of it. You must simply consider what level of risk you’re willing to accept before doing it. Even if you are meticulous in protecting your online presence, there will always be circumstances outside your control. What would the consequences be if the site were breached, and your identity and interactions were posted online or sent to your employer or family? If somebody successfully identified you, how easy would it be to find your street address or place of business? Like any other activity that carries some significant risk, you must consider these types of questions and make your own informed decision.