MATT ASHBURN
Yeah, we all want to be special here but not in this case. You don't want to be unique in this case because the more unique you are, the easier it is to identify you.
And it may be tempting to say that okay well, I need to modify my location and I need to prevent persistent tracking so I'll use the VPN to modify my location. I'll use incognito mode to perhaps remove the cookies or if I don't have a VPN, maybe I'll use free Wi-Fi. There are a lot of people out there that I know that actually do that and it's terrifying frankly. Because even if used in combination, these things combined do not equal security which can compromise investigation like we talked about before.
[MUSIC]
MATT ASHBURN
Welcome to Needle Stack the podcast for professional online research. My name is Matt Ashburn, former White House National Security CISO and now a purveyor of open source research.
JEFF PHILLIPS
And I'm Jeff Phillips, tech industry veteran and curious to a fault.
Today we're going to talk about some common techniques used by researchers to cloak their identity when they conduct research on the web.
We're also going to get into the pitfalls of each of those. So Matt when we talk about common techniques, I'm referring to VPNs, incognito mode or private browsing within your browser, free Wi-Fi. We know a lot of practitioners will look to get off of their corporate network go use free Wi-Fi. So we're going to talk more about those and what those solutions will miss or what they miss and what else you may need to add to the mix. And this really all relates back to our podcast last week, where we talked about the digital fingerprint and within that session, we ended it by talking about tools that online researchers can use and different categories of them.
Today we're going to talk about what not to use or where you should at least know there's some shortcomings and you may need to augment them.
MATT ASHBURN
That's right. And you mentioned last week's episode on the digital fingerprint. And for those that weren't with us shame on you. You should go back and read it or go back and watch it rather. We'll give you a quick summary. So the digital fingerprint is much like your actual fingerprint in that it's something that uniquely identifies you as a person. And this includes online when you're doing research. This includes things like your browser fingerprints, so your operating system, your date time, your time zone, language settings, the type of browser and the versions of things that you're using, as well as your behavior online, your pattern of life and how you operate online, the types of search terms you use, the order in which you do things, all of that matters as well as your location.
So your IP address online and where you appear to be in the world when conducting research. All these combined can be very, very unique and uniquely identify you as a person or perhaps associate the research you're doing with your organization and hopefully not but it can really pose a big risk and compromise your investigation. And that can result in things like disinformation, misinformation or perhaps the target of your investigation prematurely becoming aware that they're being investigated and any number of things can happen at that up to and including retaliation against you.
So it's very important that we're aware of this.
We can't completely get rid of a digital fingerprint but we can mitigate a lot of the risk by using good tools and knowing the risk associated with things like VPNs, incognito mode and free Wi-Fi.
Those are very tempting but please, please if you're using those today, you at least have to know the risk.
There may be a time and place for them but you really shouldn't be using them for truly professional online research.
JEFF PHILLIPS
I think about a lot of our practitioners that we talk with, they're not your typical user for the IT staff, right?
So on one hand, those that maybe have some understanding especially after listening to podcast one, that they have a digital fingerprint and that they need to manage it, that they turn to things like VPNs and incognito mode because they're common, they're readily available. VPNs gate those are now promoted to consumers where that was a business technology years, years and years ago. And these things in my view they feel or you think that they're working, protecting you in the ways that you want to be protected. But as you reference and as we'll go deeper into this that there's lots of elements to a digital fingerprint and other risks besides your anonymity that these things don't address, right.
Or that they're not the best from a tradecraft perspective. I think you started to hit on one of the first big red flags across any of these whether it's VPN incognito mode, et cetera which is that they don't do anything to protect you against malware while that's necessarily the IT teams concern, your machine is not protected when you're using any of these solutions.
MATT ASHBURN
Yeah, that's exactly right. And it's very important as researchers that we isolate the untrusted content that we're viewing, isolate all of that from the actual workstation that we're on right that's very, very critical. Of course, there's the obvious cyber security issue there right?
Of perhaps the workstation you're using being a part of your organization or being part of your DirtyNet let's say that can then become compromised and either destroy information, modify information and really modify the integrity of your investigation, destroy the integrity of your investigation. And as investigators, you may not care about cybersecurity, although you really should but most people frankly, they don't right.
That's IT teams' job, it's the cybersecurity folks, it's their job and I'm just here to do my research, right? That's the attitude of a lot of people that I encounter. And frankly, even if that's the case, it's wrong in my opinion. But even if that's the case, if that's how you feel, you should still care about the integrity of your investigation and the quality of your research as well as potential embarrassment. How embarrassing would it be if a malicious actor were to infect your workstation, uncover your identity, uncover all the other things that you're researching and then expose that somehow?
And we've seen cases over the years where adversaries have done that exact thing or perhaps something along the lines of your investigation, files being modified.
Now you have to go to your client or to your boss or to your agency that you work for, whoever it is and you now you have to explain that. Explain why the analysis may be incorrect or something that was done previously may have to now be modified or reconsidered or completely re-done because of this mistake that you've made because you didn't really care about cybersecurity.
JEFF PHILLIPS
This goes back where we talked about IT staffs on the other side, the adversaries these days are as technically astute, their own IT staffs knowing everything that's going on. That's super interesting about what might happen to my files and stuff on my own desktop even if I'm not worried so much about the cybersecurity part of it. Let's go specifically, how about we go deeper into VPNs and some of the pitfalls around using a VPN, right? Most know, first thing I get a VPN for is it can encrypt traffic in transit.
So I'm looking to be secure from that standpoint. From an online research perspective practitioners I talk with, it's the ability to spoof your IP address. So get a VPN, I get an IP address that's not associated with me or my company now that doesn't put me in geographies all over the world but at least it hides my existing IP address. But there's other pieces of your digital fingerprint that can give away where you're coming from, right?
MATT ASHBURN
Yeah that's exactly right. And there's the location narrative that we many times talk about. So things like the provider that they're using. So if it's coming out of some kind of sketchy looking provider that may raise some red flag and so you may have certain content that could be blocked. So you're trying to access social media let's say or something like that, many websites and services now block these IP addresses of a lower reputation.
If you're using a VPN, it's going to be of a lower reputation IP address pool typically, right?
Because many people are using them and many times abusing those connections and so they obtain a very low reputation many times. There's also the configurations right, that are in use. So things that are still exposed even if you're using a VPN, are things like your keyboard and language settings, the time zone that you're in, the hardware and software that's installed on the workstation and even specific versions of those things and also your behavior, right?
A VPN doesn't change your behavior so even then it's very difficult.
And as we just discussed also, it doesn't provide any cybersecurity benefits, no isolation certainly the tunnel is encrypted.
So anything that's in transit may be protected by encryption but the actual content is still resident on your local workstation and without that isolation, it's really not a good idea.
And so all these things right, the attributes that are presented in all these things, how you're presenting yourself is really the equivalents of a cheap disguise right?
You're trying to fool someone that you're in a different location but all these other attributes, your keyboard configuration, your hardware configuration, your operating system and all these things really are still betraying you and disclosing your true location or your true intent.
JEFF PHILLIPS
Let's talk a little bit then about out some people look to take a VPN, maybe add incognito mode.
Again most folks I think are starting to familiar with that. That's where you can turn on private browsing within your native browser, on your desktop. We think about it as well for one, if anyone looked at my history, my kids you won't be able to tell where they went on online. So we think of it in terms of anonymity, some of us.
Now it falls short in terms of being able to blend in as we talked about earlier right? So there's one thing about being totally anonymous and what that can do is terms of raising suspicion versus being able to manipulate things and actually blend in. So what do you think about incognito mode as a way to do your online research?
MATT ASHBURN
Right. So incognito mode, similar problems, right? You're still not getting that isolation, right? So you're still viewing untrusted content on the local workstation which is a huge problem if you're a professional researcher, not saying there's never a time for this, right. And this is true for all these tools. If you're trying to get the best price on an airline ticket for example, from your personal computer incognito mode is great for that, right?
There's no cookies left behind and all of those things so that be maybe nice.
You're starting with a relatively fresh session and you don't care if the airline eventually knows who you are because you have to put your name and address and all those things in there eventually anyway. But if you're conducting online research, it's important to know that even without those initial cookies, there are many ways to still identify you. Whether it's the websites that you visit, the patterns that you have, the platform that you use, the canvas fingerprint and there's all sorts of other fingerprinting techniques by the way, the list of fonts and extensions and all these things are very, very easy ways to uniquely identify a particular workstation.
So still are ways that down to a relatively small pool and with relatively decent certainty, they can identify you as a unique individual or a unique device. And again, there's a great website out there amiunique.org, go check that out if you don't believe me, check that out and see, you can actually run a quick test. And it's nothing to do with me, nothing to do with our podcast here, completely separate group of academics and researchers that are interested in ways to fingerprint browsers and devices without things like cookies right? So it'll be surprising I guarantee you and I almost guarantee you that your configuration will be very, very unique and can be identified, right?
JEFF PHILLIPS
And so, unique is a bad thing. We all like to be unique and why not but that is a bad thing here.
MATT ASHBURN
Yeah. We all want to be special here but not in this case. You don't want to be unique in this case because the more unique you are, the easier it's to identify you. And it may be tempting to say that okay well, I need to modify my location and I need to prevent persistent tracking. So I'll use the VPN to modify my location, I'll use incognito mode to perhaps remove the cookies or if I don't have a VPN, maybe I'll use free Wi-Fi. There are a lot of people out there that I know that actually do that and it's terrifying frankly, because even if used in combination, these things combined do not equal security which can compromise your investigation like we talked about before.
JEFF PHILLIPS
All right. Most of the practitioners I engage with when they're getting started, if they've learned about their digital fingerprint and, if they're using VPN or this is where you're going to go step one or kind of when I first get going I'll get a VPN, I'll go incognito, go to the coffee shop and use their free Wi-Fi. What we're saying is that's an incomplete disguise, right? That's not going to cut it if you're doing sensitive research related to your organization.
What you do when you're buying plane tickets is a whole nother story. What should we look for? What should we tell our listeners to look for?
MATT ASHBURN
Yeah, that's exactly right. And you hit the nail on the head it's a cheap disguise, all these things even if you combine them are still cheap disguises. So if you were to take the image of me right now I'm sitting here or standing here at a desk, if you were to modify the backdrop, let's say just remove the backdrop and I put something else and maybe just a black screen or something like that and if I put a hard hat on, right. Some people may say okay well, you're completely different, right? You've put a hat on, you've changed your background so you're hidden, you're safe nobody can ever know it's you.
But I have certain facial expressions. I have certain methods of speaking. I may nod my head pretending like I'm interested in something, right if I'm talking to somebody that I don't really care about. All these things right that are combined, I might make terrible jokes, whatever the case is. And those things are still unique attributes about me as a person. And so I can still be identified. If you've already seen me and you already know generally what I look like or what I sound like or the topics that I like to discuss all those things are unique to me combined they're all unique to me.
So when you're looking for a solution, you really need those things, right? You need isolation number one, you don't want that untrusted content coming down to the local workstation because then that can be compromised and compromise the integrity of your investigation result in embarrassment and any number of other things right?
And also you'll keep the cybersecurity people upset with you if you don't have things isolated.
There's also manipulation, right? You can't prevent having a fingerprint. We've mentioned that a couple of times now.
You can't prevent a fingerprint but you need to be able to manage those elements of your digital fingerprint so that way you can manage the risk associated with it. That way you can accommodate different identities and different persona and different attributes, right?
So being able to modify how you appear online, whether that's the information sent by the browser, your canvas fingerprint, your screen size, again all of these attributes that are out there. Bonuses though that I would look for also are things like workflow enhancements, being able to easily capture information, take notes, do analysis and share information and save information in a safe way and then integrations as well. There's a lot of applications out there, not just the web browser, a lot of other applications out there. So you want to find a solution there that can ideally integrate with your existing applications as well.
JEFF PHILLIPS
When you start thinking about those purpose-built tools, I think people that are maybe not different if you're in the sock and you're a security expert, you're very much into your computer, but if you're a trust and safety analyst that's trying to protect the community or you're very good at investigating money laundering, right? You're not a computer expert or whatever so the availability and ease of use of VPN and incognito mode because in the back of your mind, you should probably do some protection here, but not maybe uncomfortable to go out and look for this purpose-built solution and to be able to describe to internally why you would need something that's purpose-built.
So you default it, so I'll use a VPN, I'll go to free Wi-Fi, I'll just turn on incognito mode.
MATT ASHBURN
It's noteworthy that there's a time and place for these things, right? I'm not saying you can never use a VPN or never use incognito mode or never use free Wi-Fi. Look, I use all three of those things for different gains, right? So I was recently on a family vacation and the free Wi-Fi that I was using, because it was the only Wi-Fi available, blocked almost every website that I wanted to go to. So okay that may be saying something about my browsing history perhaps but really it wouldn't allow me like work-related websites and things like that because there's a very, very limited in use.
So, okay, I fired up a VPN and tunneled over HTTP traffic or HTTPS traffic TLS and hid my online research and hid my online activity within that tunnel over the free Wi- Fi.
Okay. So that's a perfectly acceptable reason to do it but you should not use these things for professional online research at work. That is not the time to be using free Wi- Fi, VPNs or incognito mode. It can have a significant impact on your research if you're not using those right tools that you should be using and you need to be able to the cloud. If you can't do that, then your investigation's going to be off to a poor start.
And the worst thing is you won't know if your investigation's compromised for the most part. Many times you won't know if the adversary gets tipped off or you won't know if the target of the investigation prematurely recognizes that they're under scrutiny. Many times they'll just change their behavior and it will just impair your investigation. You don't want that. So you need to take this very seriously. Well, if you're out there and you liked what you heard today, you can always subscribe to our show wherever you get your podcasts. You can also watch episodes, catch them on our YouTube channel.
Transcripts and other episode info on our website authenticate. com/ needlestack. Next week we'll be back and we'll have stories from the field on how to conduct secure anonymous online research, looking forward to it. It's going to be a great show and hope to see you then.
[MUSIC]
