7 April 2019

Is Flawless Digital Anonymity Possible?


That’s the question David Balban explores in his April 2, 2019 online article on the cyber security and technology website, HackRead.com. He begins, “Let’s suppose you want to post the most anonymous comment on a social network imaginable. What kind of tools do you need for that? VPN? ToR? SSH Tunnel? In fact, none of the above,” he writes. “It suffices to purchase a burner SIM card and a used smartphone on a flea market nearby. Then, drive as far from your place of residence as you can, insert the card into the phone, and drown the device in the river. That’s it,” he wrote.

“But, what if you need to do more than just write a comment once, while concealing your IP address from some website?,” he asks. “Imagine,” he notes, “you want to reach a degree of anonymity that’s extremely hard, or impossible to compromise [breach], at any level; and, even conceals the fact of your using anonymization tools to a certain extent.” Mr. Balban then goes on to explain or advise what to do — to become digitally anonymous.

“Just like any perfect thing, flawless anonymity is rather a theoretic concept; but, within realms of possibility to approach it closely via multiple different layers of protection,” he wrote. “You cannot be uniquely identified,” he claims, “as long as you leverage a combo of technologies complementing each other, even if fingerprintable system values are used to distinguish you from the others.”

Entry-Level Security

“This degree of [digital] security and anonymity can be roughly achieved by means of following the scheme: Client > VPN/Tor/SSH tunnel > Target,” Mr. Balban wrote. “Essentially,” he notes, “this is a fine-tuned alternative to using a proxy, that simply allows you to obfuscate your IP address. It doesn’t provide any genuine anonymity that you can rely on. This scenario is susceptible to node compromise, browser fingerprinting, and commonplace log analysis at the ISP, or data center level.”

“Incidentally,” Mr. Balban notes, “some people consider private VPN to be more effective than public VPN services, because in the former case, they are certain that their system is configured in the right way. Let’s imagine,” he says, “somebody knows your external IP, hence they know the data center, that, in its turn, knows which server this IP refers to. Do you really think that it’s difficult to figure out the actual IP address that was used to connect to this particular server?,” he asks. “Not to mention that few people will ever bother to encrypt their drive, and adopt protection against hardware seizure.”

“No one is likely to notice their server being rebooted at init level 1; and the VPN logs being switched on under the guise of fixing ‘minor technical issues at the data center,’” Mr. Balban wrote. “As a matter of fact,” he adds, “this might not even be necessary, given all of the server’s inbound and outbound addresses are known.”

With respect to Tor, “using it may appear suspicious in itself,” Mr. Balban observes. “Furthermore, all the outbound nodes are known; and, many of them are simply banned, is a major red flag for many sites. For instance,” he adds, “CloudFlare allows customers to define whether their firewall should accept Tor connections.”

“In summary,” he writes, “if you need to hide your most important personal data from the rest of the world, and get around the basic website access restrictions, while keeping your connection speed high enough, and being able to funnel all the traffic through a different node, then you should opt for VPN,” Mr. Balban recommends. “The best pick is a paid service. It costs just about as much as a VPS service (virtual private server), that works within your own country, and needs to be configured and maintained. As opposed to that, a commercial VPN supports dozens of countries, and hundreds, or even thousands of outbound IPs.”

Medium Level Of Security

“This level of online security is an enhanced variant of the basic one covered above,” Mr. Balban wrote. “It can be implemented as follows: Client > VPN > Tor > Target. In this case, combining different technologies increases the efficiency of each one. Don’t expect too much from this setup though,” he warns. “It does prevent remote observers from determining your IP address; but, it still keeps you exposed to the attack vectors described above. It’s your physical work-space, your machine, that’s the weak link in the protection chain.”

High Level Of Security

“Here’s what it looks like,” Mr. Balban wrote: “Client > VPN > Remote workspace (over RDP, or VNC) > VPN. The work computer should be a remote one, rather than your own. Ideally, it’s a Windows 10 machine with Firefox, a few plugins and codecs installed, and no offbeat fonts and suchlike plugins on board. It should be typical and hardly different from millions of others on the Internet. Also, even if you experience a data leak, or fall victim to some other compromise, you will stay hidden behind another VPN.”

Flawless Security

“The scheme is as follows,” Mr. Balban writes: “Client > Double VPN (hosted in different data centers that are close to one another) > Remote workspace with a virtual machine > VPN.”

“The technique involves a primary, and secondary VPN connection, the latter covering your back in case the former gets compromised,” Mr. Balban explains. “This way, you conceal your traffic from the ISP, and, don’t reveal your real ISP address to the data center hosting the remote workspace. There is additionally a virtual machine on the same server.”

Mr. Balban writes that “I have put this scheme through quite a bit of testing. The slowdowns are tangible, even if the set-up is properly implemented geographically; and yet, the performance is tolerable for the most part. It’s important to refrain from dispersing the servers across different continents,” he notes. “Here’s another element of the logic: make sure your servers aren’t all located within, for example, the European Union, because different law enforcement entities collaborate closely in that region. Meanwhile,” he warns, “don’t disseminate them too broadly either. Neighboring states that don’t get along well with each other, are the perfect spot for your servers.”

“One more thing,” Mr. Balban wrote, “you might want to add to the mix, is automatic hits to websites taking place in the background from your real computer, to emulate garden-variety surfing. This will keep you off the suspicion radar, by making it look like you aren’t using anonymization tools. Also consider using Whonix, or Tails and go online via public Wi-Fi every now and then, having modified the network adapter’s details that might entail de-anonymization.”

“The ordinary VPN is a dependable instrument to circumvent the commonplace Internet restrictions, while keeping your connection speed at a decent level,” Mr. Balban noted. “If you want more anonymity, add Tor to the chain; but, be advised you will have to sacrifice some speed in this case. If you want even more, follow the recommendations above,” he wrote.

“It’s not that easy to get around browser fingerprinting, and attempts to de-anonymize VPN usage, based on the time it takes a packet to go from a user to a website, and then the website to a user’s IP address,” Mr. Balban wrote. “You may be able to successfully foul the trail a couple of times; but, you never know what new de-anonymizers will splash onto the screen tomorrow. That’s exactly why you need a remote workspace and virtual machine to stay on the safe side. Such a solution can cost as little as $50 per month. Keep in mind,” he notes, “that you must pay in Bitcoin only.”

“Last, but not least,” he concludes, “the most important prerequisite for safeguarding anonymity, is to separate your work with regular personal data, and with sensitive information that has significant value. All of those encrypted tunnels and complex schemes become worthless, once you sign into your personal Google account – while using one of them.”

The only surefire way of staying digitally anonymous is to never go online; but of course, that is not practical for the overwhelming majority of us. Below is an article I posted to this blog in 2017. It has a lot more advice and steps one can take — if you really do want to stay anonymous online.

Famed Hacker Kevin Mitnick On How You Can Go ‘Invisible’ Online And Hide Your Digital Tracks

Kevin Mitnick, for those of you who do not recognize the name, is, according to his Wikipedia bio, “an American computer [cyber] consultant, author, and hacker — best known for his high-profile 1995 arrest; and, his subsequent incarceration for five years in prison — for various computer, and computer-related crimes. He now runs a computer-security firm, Mitnick Security Consulting LLC., which helps companies test their network enterprise/firewalls for vulnerabilities, weaknesses, strengths, and potential loopholes. He is also Chief Hacking Officer of the [computer] security awareness training company — KnowBe4, as well as an active advisory board member at Zimperium, a firm that develops a mobile intrusion prevention system.” Mr. Mitnick’s “The Art Of Invisibility: The World’s Most Famous Hacker Teaches You How To Be Safe In The Age Of Big Brother, And Big Data,” on which this article is based, was published Feb. 2017 by Hachette Book Group. He has written three other books, including his 2011 page-turner, “Ghost In The Wires: My Adventures As The World’s Most Wanted Hacker.”

Mr. Mitnick had a February 24, 2017 online article on WIRED.com’s site on his, then, new book: “The Art Of Invisibility,” discussing how to ‘go invisible online.’ First, Mr. Mitnick reminds us of the unpleasant reality that the Internet and the Worldwide Web aren’t safe; and, we are under constant assault by cyber thieves and others who are attempting to steal our personal information, and/or, infect our networks and devices with the gift that keeps on giving. “Even if you delete an email the moment you read it on your computer, or mobile phone, that doesn’t necessarily erase the content. There’s still a copy of it somewhere. Web mail is cloud-based,” Mr. Mitnick reminds us, “so in order to be able to access it from anywhere, at any time, there have to be redundant copies. If you use Gmail for example,” he writes, “a copy of every email sent and received through your Gmail account is retained on various servers worldwide at Google. This is also true if you use email systems provided by Yahoo, Apple, AT&T, Comcast, Microsoft, or even your workplace. Any emails you send, can also be inspected, at any time, by the hosting company. Allegedly this is to filter out malware; but the reality is that third parties can, and do access our emails for other, sinister, more self-serving reasons,” Mr. Mitnick wrote. “While most of us may tolerate having our emails scanned for malware, and perhaps some of us tolerate scanning for advertising purposes, the idea of third parties reading our correspondence, and acting on specific contents found within specific emails is downright disturbing,” Mr. Mitnick wrote. “The least we can do,” he urges, “is make it harder for them to do so.”

Start With Encryption

“Most web-based email services use encryption when the email is in transit,” Mr. Mitnick wrote. “However,” he warns, “when some services transmit mail between Mail Transfer Agents (MTAs), they may not be using encryption, thus, your message is in the open. To become [digitally] invisible, you will need to use encryption,” Mr. Mitnick writes. “Most email encryption uses what’s called asymmetrical encryption,” Mr. Mitnick notes. Using this tool/technique allows you to “generate two keys: a private key that stays on my [your] device, which I never share,” Mr. Mitnick wrote, “and a public key that I post freely on the Internet. The two keys are different, yet mathematically related,” he wrote. For more detail on this section of Mr. Mitnick’s article, please go to WIRED.com to read his entire article.

Picking An Encryption Service

“Both the strength of the mathematical operation, and the length of the encryption key — determine how easy it is for someone without a key to crack your code,” Mr. Mitnick wrote. “Encryption algorithms in use today are public”; and, that’s a good thing, he adds. “You want that. Public algorithms have been vetted for weakness — meaning people have been purposely trying to break them. Whenever one of the public algorithms becomes weak, or is cracked, it is retired, and newer, stronger algorithms are used instead.” “The keys are (more, or less) under your control; and so, as you might guess, their management is very important. If you generate an encryption key, you — and no one else — will have the key stored on your device,” Mr. Mitnick wrote. “If you let a company perform the encryption, say in the cloud, then that company might also keep the key after he, or she shares it with you; and, may also be compelled by court order to share the key with law enforcement, or a government agency, with or without a warrant.”

“When you encrypt a message — an email, text, or phone call — use end-to-end encryption,” Mr. Mitnick recommends. “That means your message stays unreadable until it reaches its intended recipient. With end-to-end encryption, only you and your recipient have the keys to decode the message. Do a Google search for “end-to-end encryption voice call.” If the app, or service does not use end-to-end encryption, then choose another [vendor],” Mr. Mitnick urges. There are also “PGP (Pretty Good Privacy) plug-ins for the Chrome and Firefox Internet browsers that make encryption easier,” less cumbersome, and hopefully not frustratingly slow. One such service provider/vendor is “Mailvelope, which (Mr. Mitnick writes) neatly handles the public and private keys. Then, whenever you write a web-based email, select a recipient, and if the recipient has a public key available, you will then have the option to send that person an encrypted message.”

Beyond Encryption: Meta Data

“Even if you encrypt your email messages with PGP, a small — but information-rich part of your message is still readable by just about anyone,” Mr. Mitnick warns. “In defending itself from the [some of] Snowden revelations, the U.S. Government (USG) stated repeatedly that it doesn’t capture the actual contents of our emails, which in this case would be unreadable with PGP encryption. Instead, the USG said it collects only the email’s metadata.” “What is email metadata?,” Mr. Mitnick asks. “It is the information in the To and From fields, as well as the IP addresses of the various servers that handle the email from origin to recipient. It also includes the Subject Line, which sometimes can be very revealing, as to the encrypted contents of the message.” Though, a clever adversary will almost certainly use deception techniques that make it much more difficult to pinpoint, or find in the first place. “Metadata, a legacy from the early days of the Internet, is still included on every email that is sent and received; but, modern email readers hide this information from display,” he noted.

“That might sound okay,” Mr. Mitnick warns, “since the third parties are not actually reading the content; and, you probably don’t care about the mechanics of how those emails traveled — the various server addresses and time stamps — but, you’d be surprised by how much can be learned from the email path, and the frequency of the emails alone.” Especially when you use this information in a holistic, ‘patterns-of-life’ kind of link analysis. The bottom line: Mr. Mitnick warns, “to become truly invisible in the digital world, you will need to do more than just encrypt your messages.”
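What an observer can still read from a PGP-encrypted email, as an added example that is not from Mr. Mitnick's article or this post: the Python code below parses a constructed message, pulls out the sender, recipient, subject, relay IPs and transit time from the headers, and tallies who mails whom. Every address, hostname and IP in it is a made-up documentation value, and the function names are this example's own.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample (not real traffic): the body is PGP ciphertext, the headers are not.
RAW = """\
Received: from relay.provider.example (relay.provider.example [198.51.100.7])
 by mx.recipient.example with ESMTPS id c3;
 Tue, 07 Mar 2017 14:02:11 +0000
Received: from smtp.provider.example (smtp.provider.example [198.51.100.2])
 by relay.provider.example with ESMTPS id b2;
 Tue, 07 Mar 2017 14:02:09 +0000
Received: from [192.0.2.44] (client.isp.example [192.0.2.44])
 by smtp.provider.example with ESMTPSA id a1;
 Tue, 07 Mar 2017 14:02:05 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: Re: draft of the merger announcement
Date: Tue, 07 Mar 2017 14:02:04 +0000
Message-ID: <1@sender.example>
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(received):
    """Split one Received: header into sender IP, receiving host and timestamp."""
    route, _, stamp = received.rpartition(";")
    ip = BRACKETED_IP.search(route)
    by = re.search(r"\bby\s+(\S+)", route)
    return {
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "time": parsedate_to_datetime(stamp.strip()),
    }


def exposed_metadata(raw):
    """Return everything an observer can read without the PGP private key."""
    msg = message_from_string(raw)
    # Each server prepends its own Received: header, so reverse to get origin first.
    hops = [parse_hop(h) for h in reversed(msg.get_all("Received", []))]
    return {
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(msg.get_all("To", []))],
        "subject": msg.get("Subject"),
        "origin_ip": hops[0]["ip"] if hops else None,
        "path": [h["ip"] for h in hops],
        "transit_seconds": (hops[-1]["time"] - hops[0]["time"]).total_seconds()
        if hops else None,
        "body_encrypted": "-----BEGIN PGP MESSAGE-----" in msg.get_payload(),
    }


def contact_frequency(raw_messages):
    """Count sender -> recipient pairs across a mailbox, using headers only."""
    pairs = Counter()
    for raw in raw_messages:
        meta = exposed_metadata(raw)
        for sender in meta["from"]:
            for rcpt in meta["to"]:
                pairs[(sender, rcpt)] += 1
    return pairs


if __name__ == "__main__":
    for key, value in exposed_metadata(RAW).items():
        print(f"{key}: {value}")
    print(contact_frequency([RAW, RAW, RAW]).most_common(1))
```

The body never needs to be decrypted for any of these fields, which is why the subject line and the first `Received:` hop are the ones to watch when reviewing what a mail client or provider leaks.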

To Stay Truly Hidden Online, You Will Need To (according to Mr. Mitnick):

(1) Remove Your True IP address. This is the point of connection to the Internet, your [digital] fingerprint. It can show where you are (down to your physical address); and, what provider you use. That is one reason that cyber thieves, off-the-griders, and others use Internet cafes, or other means to disguise the origin of their email;

(2) Obscure Your Hardware & Software. When you connect to a website online a snapshot of that hardware and software you’re using — may be collected by the site;

(3) Defend Your Anonymity. “Attribution online is hard. Proving that you were at the keyboard when an event occurred is difficult. However, if you walk in front of a camera before going online at Starbucks, or if you just bought a latte at Starbucks with your credit card, these actions can be linked to your online presence a few moments later,” again, part of a pattern-of-life, link analysis. “To start,” Mr. Mitnick writes, “your IP address reveals where you are in the world, what provider you use; and the identity of the person paying for the Internet service (which may, or may not be you),” and certainly won’t be you or someone you can be easily connected with if you or they are trying to hide. “All of these pieces of information are included within the email metadata, and can be used later to uniquely identify….you.” “IP addresses can of course [and are] forged,” Mr. Mitnick writes. “Someone might [and a clever adversary will] use a proxy address — not his or her real IP address, but someone else’s — that an email appears to originate from another location. A proxy, like a foreign-language translator — you speak to the translator, and the translator speaks to the foreign language speaker — only the message stays the same. The point here,” Mr. Mitnick writes, “is that someone might use a proxy from China, or even Germany to evade detection on an email that really came from North Korea.” “Instead of hosting your own proxy, you can use a service known as, Anonymous Remailer, which will mask your email’s address for you,” Mr. Mitnick writes. “Anonymous Remailer simply changes the email address of the sender — before sending the message on its way to the intended recipient. The recipient can respond by the same method, which is the simplest version,” he added.

“One way to mask your IP address is to use the onion router — Tor,” [or what is also known as the Dark Web] Mr. Mitnick wrote, which is what Edward Snowden used when he was emailing the British tabloid, The Guardian, in the days and time before he became a U.S. fugitive from justice and ultimately fleeing/finding sanctuary in Vladimir Putin’s Russia. “Tor is [was] designed to be used by people living in harsh regimes — as a way to avoid censorship of popular media and services; and, to prevent anyone from tracking what search terms they use. Tor remains free, and can be used by anyone, anywhere, even by you,” Mr. Mitnick wrote. I do not believe that is entirely correct; or, maybe I am reading that claim incorrectly. Perhaps if he had written “can be used by anyone, anywhere, where TOR isn’t blocked by the host nation.” Granted, there may be ways, even under repressive regimes like North Korea, where a clever cyber savvy individual might be able to circumvent this kind of censorship; but, my guess is — that is a very risky proposition that could cost them their life, if they were to be caught using Tor.

“To use Tor, you will need the modified Firefox browser from the Tor site (Torproject.org),” Mr. Mitnick wrote. “Always look for legitimate Tor browsers for your operating system from the Tor project website. Do not use a third-party site,” Mr. Mitnick warns. “For Android operating systems, Orbot is a legitimate, free Tor app from Google Play that both encrypts your traffic, and obscures your IP address. On iOS systems (iPad, iPhone), install the Onion Browser, a legitimate app from the iTunes app store.” Mr. Mitnick warns that Tor isn’t a panacea; and, writes “there are several weaknesses with Tor: You have no control over the exit nodes, which may be under the control of government and/or, law enforcement; you can still be profiled and possibly identified; and, Tor is very slow. That being said,” Mr. Mitnick writes, “if you still decide to use Tor, you should not run it in the same physical device that you use for browsing the web. In other words, have a laptop for browsing the web, and a separate device for Tor. The idea here,” Mr. Mitnick explains, “is that if somebody is able to compromise your laptop — they still won’t be able to peel off your Tor transport layer — as it is running on a separate physical box.” Just FYI, I have utilized the above technique and I know that it works.

(4) Create A New (Invisible) Account. “Legacy email accounts might be connected in various ways to other parts of your life — friends, hobbies, work,” Mr. Mitnick warns. “To communicate in secrecy, you will need to create new email accounts using Tor so that the IP address setting up the account is not associated with your real identity in any way.”

“Creating an anonymous email address is challenging — but possible,” he wrote. “Since you will leave a trail if you pay for private email services, you’re actually better off using a free web service,” Mr. Mitnick recommends. “A minor hassle: Gmail, Microsoft, Yahoo, and other services require you to supply a phone number to verify your identity. Obviously, you can’t use your real cellphone number — since it may be [likely is] connected to your real name, and real address. You might be able to set up a Skype phone number, if it supports voice authentication; however, you will still need an existing email account and a prepaid gift card to set it up,” he wrote.

But, “purchasing a burner phone anonymously will be tricky,” and will require some thought and a plan to ensure you are not leaving behind ‘bread-crumbs,’ that can later be used to connect-the-dots as they say, and positively identify you as the buyer/purchaser of the prepaid gift card. Use cash, and try and buy it where there are no cameras on the street, nor in the store where the purchase is made. But, the chances of there being no cameras either out on the street, or inside the vendor are slim and none. And, there is also the method of travel you use to get to the vendor in the first place.

As Mr. Mitnick points out, “Uber and Taxi records can be subpoenaed;” and, using your own personal vehicle obviously places you at/near the scene, and at the time the prepaid card was purchased. Most law enforcement agencies, especially in major metropolitan cities, “use automatic license plate recognition technology (ALPR) — in large public parking lots to look for missing and stolen vehicles, as well as people on whom there are outstanding warrants. The ALPR records can be subpoenaed,” Mr. Mitnick warns, use — ingress and egress route — and/or wear some kind of disguise that hides your face, ear lobes, iris/facial recognition, or any identifying features that could be used to connect you to the purchase. Using a third-party is an option, but that method is also not foolproof. Assuming you have devised a plan to get you to/from the location where the pre-paid burner phone can be purchased, and do so anonymously/clandestinely, there is still the issue of the purchase itself. Using someone else that is a complete stranger to you, would obviously be ideal; but, there is always the risk that the individual takes your money and buys something else, and/or, finds another exit from the store that simply allows him/her to abscond with your money. Mr. Mitnick suggests using a homeless person to make the purchase is a good option — if you can pull it off — and, ideally agree to meet a few blocks away to actually make the transfer — thus putting you outside the immediate vicinity of the vendor. Agreeing to pay an additional amount of money to complete the transfer, can act as an incentive for the homeless person or purchaser to follow through with these requirements.

If you are able to pull off the above successfully, the next issue is how to get the burner phone activated — again, without leaving a trail or ‘bread crumbs’ that could be used to eventually place you at, or near the scene of the actual purchase. “Activation of the prepaid phone, requires either calling the mobile operator’s customer service department, or activating it on the provider’s website,” Mr. Mitnick wrote. “To avoid being recorded for “quality assurance,” it’s safer to activate the phone over the web. Using Tor over an open, wireless network after you’ve changed your MAC address should be the minimum safeguards,” he added. “You should make up (fabricate) all the subscriber information you enter on the website. For your address, just Google the address of the major hotel, and use that. Make up (fabricate) a birth date and PIN that you’ll [be able to] remember — in case you need to re-contact the service provider’s customer service department.”

“After using Tor to randomize your IP address and, after creating a Gmail account that has nothing to do with your real phone number, Google sends your burner phone a verification code, or a voice call,” Mr. Mitnick wrote. “Now, you have a Gmail account that is virtually untraceable. We can produce reasonably secure emails whose IP address — thanks to Tor — is anonymous (although you don’t have control over the exit nodes) and whose contents, thanks to PGP, can’t be read, except by the intended recipient.” “To keep this account anonymous,” Mr. Mitnick warns, “you can only access it from within Tor — so that your IP address will never be associated with it. Further, you should never perform any Internet searches while logged into that anonymous Gmail account; [because] you might inadvertently search for something that is related to your true identity. Even searching for weather information could reveal your location,” he added. Then again, perhaps you should search for weather in an area that you aren’t; and, do not intend to go to.

In conclusion, Mr. Mitnick writes, “becoming invisible [online], and keeping yourself invisible, require tremendous discipline, and perpetual diligence. BUT, IT IS WORTH IT,” he contends. “The most important takeaways are: First, be aware of all the ways that someone can identify you — even if you undertake some, but not all of the precautions I’ve [Mr. Mitnick] described. And, if you do undertake all of these precautions, know that you need to perform due diligence — every time you use your anonymous [online] account. NO EXCEPTIONS!”

Mr. Mitnick’s last recommendation, that to stay anonymous online requires “perpetual diligence,” should be ingrained into your consciousness — if you want to be invisible online. It is human nature, that we can and do often get complacent — especially if we have been succeeding at something for a prolonged period of time. We tend to let our guard down. You can successfully hide your digital presence for a long time — only to have your identity and location discovered, or vulnerable to discovery, based on one, seemingly innocuous mistake/oversight. Years of effort can be ‘washed’ away with the click of a mouse. And, even if you successfully implement, and adhere to all of these precautions/steps, that still doesn’t mean that you could never be identified via the Internet — though it will make it much tougher, take longer, require money, and access to sophisticated algorithms and link analysis to track you down digitally.

Thus, if you adhere to Mr. Mitnick’s techniques/tools, it puts you in an entirely different category as far as unmasking your IP address and location. New software and algorithms, big-data mining, link analysis, and patterns-of-life information will in all probability lead an investigator or determined adversary to you; but, that could take years, cost them a lot of time, resources, and money; and, perhaps some blind luck — such as making one, seemingly innocuous mistake. Digital breadcrumbs are the researcher and investigator’s precious assets. And, in time, one would expect the ability of service providers, law enforcement and intelligence agencies, repressive regimes, and others to digitally tag you — anytime you go onto the Worldwide Web. But, we aren’t there yet.

And, as with mouse traps — cyber thieves, malcontents, and off-the-griders, the digital spies will no doubt figure out a way to overcome even these kinds of cyber precautions. A determined adversary, with the time, talent, patience, and resources — more than likely — will eventually find you…short of being off-the-grid. Unfortunately, all these steps outlined by Mr. Mitnick can, and are no doubt being employed by the darker angels of our nature, which is one of the reasons why — in the aftermath of the Edward Snowden leaks — that many of our most lucrative means of surveilling these militant Islamic terrorist groups are no longer useful. Digital false flags, and denial and deception abound — as the Internet/Worldwide Web remains very much… a digital wilderness of mirrors.
