Jan 2
Becoming Virtually Untraceable (Eps8.0_St0p_Tr4ck!ng.me)
*Note: This article was originally published by the author on January 13, 2019. This article is also available in Spanish here.
“Everything can collapse. Houses, bodies, and enemies collapse when their rhythm becomes deranged. In large-scale strategy, when the enemy starts to collapse you must pursue him without letting the chance go. If you fail to take advantage of your enemies’ collapse, they may recover.” ~Miyamoto Musashi
It is beneficial to begin reading this series from the beginning to understand everything that has been previously covered up to this point. I highly recommend doing so before reading this installment, but it’s your call. I’ve covered an immense amount of material in previous installments, so much so in fact that I am really considering turning this series into a book at some point in the not-to-distant future. In this 8th Digital Invisibility newsletter, I will continue my metaphoric smackdown of social media, talk some more about some popular alternative Web browsers, and give you some more tips on staying as anonymous as possible online.
Maintaining Privacy in the Age of the Data Breach
How do we protect our personally identifiable information (PII) in the Age of the Data Breach? To maintain a low profile in these times when it seems there is a new data breach like every week, one must be mindful and hesitant to put any personal information online at all. The way to do this is to USE FAKE INFORMATION about yourself online AS MUCH AS POSSIBLE. Why do you need to use your real name, home address, and telephone number? Do you know how much damage someone can do with that information? A lot.
Even though it’s 2019, there are still plenty of people that are surprised to learn just how much information about them is freely available online and wide open for the entire world to see, or at least, for anyone that cares to look. The world is a huge stage with little digital bread crumbs of evidence left here and there for those who are perceptive enough to pick up on them. Subtle clues here and there, digital trails to follow. Many different types of people use OSINT tools, methods, and techniques for many different purposes. Some are cyber threat hunters, some are cybercriminals, some use it for digital forensics purposes, others may just want to track down someone from their past or determine how much personal information about themselves is online.
The OSINT aperture can be widened or narrowed depending on what we’re looking for. Sometimes the search is wide and deep, other times the search might be narrow and shallow. OSINT is about knowing which tools to use for a particular task that will yield the best results or which combination of tools to use. You probably wouldn’t use a sledgehammer to hang a picture, after all, it’s the same for OSINT. Some tools will work better than others depending on what information you’re targeting.
The wave of popularity that Open-Source Intelligence (OSINT) has experienced has resulted in a boom of new software tools and techniques that virtually anyone can use to gather “intelligence” about another person or organization. There are a plethora of software tools and resources available for this type of activity, so many in fact that it would be impossible to list them all here. Some of the best OSINT tools, however, weren’t designed to be tools at all. Social media can be one of the greatest OSINT tools. Let’s drill down on this a bit further.
If digital privacy is something that you value and you use social media sites like Linkedin to connect with work colleagues, you’re more vulnerable to privacy violations than you may realize. On Linkedin, unless you’re actively posting disinformation about yourself to throw others off your trail, anyone can look up who you work for and potentially retaliate against you by forwarding photos, posts, or Tweets to your employer in an attempt to get you fired or at least reprimanded. Why would you ever want to give someone you don’t even know that opportunity?
Depending on your personality, it is probably only a matter of time before you get into a flame war with someone on social media. You could be the nicest, sweetest person, but if someone doesn’t like something you wrote or posted, it’s game on for them. They will stop at nothing to wreck your entire existence. Just look at how recent the ‘Swatting’ attacks have resulted in the deaths of innocent victims. When things escalate as they tend to do all the time on social media with these short-fuzed troglodytes, what do you think they are going to turn to? Honestly, it doesn’t take much experience on the Web to become fairly knowledgeable about OSINT tools and techniques for collecting information. In other words, you needn’t be an OSINT master to do damage to someone’s reputation in short order.
Are you removing geotagging metadata from photos before you upload them to any website? If not, you could be tracked down this way. Photo metadata is known as EXIF data and there are several tools that anyone knowledgeable can use to extract EXIF data from photos you post online. So, think twice about snapping that selfie and uploading it to Twitter, Facebook, or Instagram. You have no idea who is lurking in the shadows… The same holds true for other people or places you want to protect.
Even if a website advertises that they automatically remove EXIF data, do you really trust what any social media tech company tells you about your privacy after Facebook’s many proven instances of deceitful scandals? To me, it is just incomprehensible to trust FB or any tech company with my personal information. How did former President George W. Bush put it?
“There’s an old saying in Tennessee — I know it’s in Texas, probably in Tennessee — that says, fool me once, shame on — shame on you. Fool me — you can’t get fooled again.” ~Former President George W. Bush
You can use free tools like ImageOptim for Macs or via Web services to strip photo metadata before posting any images online. ImageOptim also has alternative versions of its tool available for use on other operating systems (OS) platforms such as FileOptimizer for Windows and Trimage for Linux. I highly recommend stripping EXIF data from photos before posting them online, but hey, it’s your call.
Think about the root cause of why you want to share your personal information online in the first place. Does this urge to share really stem from a deeper desire or void within you that wants to be accepted, to be popular or liked? Let me assure you, social media is not your friend. Neither is the Internet either for that matter. There are no such things as “safe” places online. Every website around every “corner” is collecting information about you in the form of cookies. They want to track your browsing habits, monetize your mouse clicks, and sell you crap you never asked them to from advertisers you may have never heard of. If you’re cool with that, then stop reading and move on elsewhere.
However, if you’re somewhat bothered by the fact that your private browsing data and personal information are being collected without your consent and sold to third-party data aggregators for profit, then perhaps it is time you began to scale back on the amount of content you post online in the first place. Just know, however, that you probably did consent to the collection and selling of your browsing data, at least. Even if unknowingly as it was probably buried within the pages and pages of the website’s Terms of Use and/or Privacy Policy.
Maybe now is a good time to go back through your FB timeline, your old Tweets, your Instagram and Snapchat photos, and start removing anything that can possibly be used against you in any whatsoever. How about deleting that old MySpace account too while you’re at it? What were you waiting for it to become popular again? Here’s why, because if you don’t do this now, you’re only making someone else’s job that much easier. Someone you don’t even know could be pouring over your Linkedin profile, your Facebook timeline, and whatever else that they can find out about you using online search engines like Spokeo. It could be an enemy, a frenemy, a friend, a former lover, a current employer, a potential employer of a job you’ve applied to, a police detective, or a government agency building a dossier on you because of that old Tweet you wrote about how you wish a Mack truck ran over your least favorite politician. The fact is, you don’t know who is collecting information on you, so you have to take preventive measures. While it’s true that what’s put on the Internet is there to stay, these are the steps you can take to make it a lot more difficult for anyone to successfully cyberstalk you.
If you think that employers in the 21st century are not profiling potential job candidates by searching the Internet and most assuredly searching for your name on social media to determine whether or not they even want to invite you to interview, then you are sadly mistaken. Less is more online. Remember, what is posted online, stays online forever. Meaning, it NEVER disappears, ever! Somewhere, it is archived or someone saved a copy to their hard drive, took a screenshot, whatever. If you were able to delete your information, trust me when I tell you that it’s not gone forever. You just can’t see it for the time being because you deleted it or asked to have it removed. That doesn’t mean it won’t necessarily resurface though. Seriously, STOP PUTTING PERSONAL INFO ONLINE! You can thank me later.
Do yourself a favor and shut up online!
I know that sounds rude and I fully intended it to be so, but it doesn’t lessen the importance of the statement one bit. You will not regret deleting your FB profile or your Google account. You will not regret creating a fake email account that you only use to sign up for website accounts with a fake name of course.
For Christ’s sake, stop posting all of those photos of little Johnny and Suzie all over the damn Internet. As the Cambridge Analytica Facebook scandal and many other data breaches or betrayal of user trust have shown. Children nowadays are more likely to have their identities stolen and their credit ruined before they reach the age of eighteen than any other generation preceding it.
“Parents/legal guardians should strongly consider freezing their children’s credit because it’s one of the best proactive measures they can take to protect them. It’s important that parents/legal guardians check and make sure there is no credit file already associated with their child’s information. Children shouldn’t have a credit report, and if one is discovered, parents/legal guardians should immediately contact the Identity Theft Resource Center’s toll free hotline for assistance in reclaiming their children’s identity: 888–400–5530.” ~Identity Theft Resource Center
Stop foretelling everyone on social media when and where you’re going somewhere. It’s just bad Operational Security (OpSec). The fewer people know about your travel plans, the less they can target you or your loved ones who may be waiting at home for you. Again, I have to question the sanity of people who post this type of information, to begin with? Who do you think you are really? Rihanna, Brad Pitt, JLo? Seriously, no one cares what you’re doing or where you going in advance. Get over your ego already. Post the details and sanitize (scrubbed of all EXIF metadata) photos after your trip’s return.
DNA Testing
There are a lot of different ways your DNA can be added to a national DNA database, don’t make voluntary DNA testing one of them. This is one of those data privacy fails if you’ve ever voluntarily paid to submit your DNA to be checked by companies like the Google-backed “23andMe” or “Ancestry[dot]com.” How can you be sure that the company you submitted your DNA test to won’t sell your genetic information to your health insurance provider? Uh oh? Now we have a potential catastrophe just waiting to happen should that occur. Don’t you think that health insurance providers are scrambling to figure ways that they can buy or gain access to this genetic information? We’d be foolish not to suspect that in my opinion.
Can you imagine being denied coverage for a procedure based on analysis by your health insurance provider who determined that genetically, you’ll only live to be approximately 56 years old? “Sorry, but we’re going to pass on your heart replacement surgery approval. It’s not worth the cost based on our calculations that you’re going to die at age 56 of congestive heart failure anyway. It’s cheaper to let you die of natural causes.”
How about life insurance providers? You know they want that genetic information more than anyone despite the fact that you’re paying for the insurance. How about police investigations, ever heard of cold cases? We’re starting to see more and more cases where police were able to solve cold case mysteries from decades ago with DNA voluntarily given to genetic ancestry companies. Remember that the police or government can subpoena that information. Now hopefully you were never involved in any serious crimes, but it’s still a major data privacy risk.
Featured Privacy Tactics, Techniques, & Procedures
Freenet
Whenever people think of anonymous browsing, especially for the Dark Web, they think of Tor. However, there are other alternatives such as I2P and the Freenet Project.
Freenet is free software which lets you anonymously share files, browse and publish “freesites” (web sites accessible only through Freenet) and chat on forums, without fear of censorship. Freenet is decentralised to make it less vulnerable to attack, and if used in “darknet” mode, where users only connect to their friends, is very difficult to detect.
Communications by Freenet nodes are encrypted and are routed through other nodes to make it extremely difficult to determine who is requesting the information and what its content is.
Users contribute to the network by giving bandwidth and a portion of their hard drive (called the “data store”) for storing files. Files are automatically kept or deleted depending on how popular they are, with the least popular being discarded to make way for newer or more popular content. Files are encrypted, so generally the user cannot easily discover what is in his datastore, and hopefully can’t be held accountable for it. Chat forums, websites, and search functionality, are all built on top of this distributed data store.
*Note: This is where I take issue with Freenet, however, “…hopefully can’t be held accountable for it [someone else’s data]” which is stored on your computer’s hard drive, even if encrypted and only temporarily stored, can still lead to serious consequences with life-altering impacts. How do you explain to the FBI that the illegal images and videos they busted in your front door with a search warrant for aren’t yours? Are you really that naive to think that a prosecutor or judge is going to care about the subtle intricacies of how Freenet’s decentralized and distributed data sharing function in which you are required to give up a portion of your computer’s hard drive to store other people’s data? Did you not agree to the terms of use for Freenet and download the software at your own risk? To me, the risk is not worth the reward. I can’t be responsible for what others download and store on their systems which then gets transferred to my computer’s hard drive. Encrypted or not, it’s still a risk.
I2P
I2P is a lot like Tor and is currently on version 0.9.37. Think of it as “an anonymous overlay network — a network within a network. It is intended to protect communication from dragnet surveillance and monitoring by third parties such as ISPs. I2P is used by many people who care about their privacy: activists, oppressed people, journalists, and whistleblowers, as well as the average person. No network can be “perfectly anonymous.” The continued goal of I2P is to make attacks more and more difficult to mount. Its anonymity will get stronger as the size of the network increases and with the ongoing academic review. I2P is available on desktops, embedded systems (like the Raspberry Pi), and Android phones.”
If you’re not a fan of Tor, you might consider trying I2P instead. Additionally, as I’ve said previously there is a great deal more information below the surface of the Web, much of which is not accessible from Google search engines or without some type of anonymous browser technology like Tor or I2P. The Deep Web is often access controlled through paid subscriptions to periodical repositories like those offered by colleges and universities (e.g., LexisNexis for legal journalistic research; or ProQuest which offers information technology content). Some of the Deep Web is tightly controlled by organizations or companies as in the case of medical records, legal documents, financial records, etc.
The Dark Web, however, is another story altogether. If you plan to surf around on the Dark Web, be very careful. This is where some of the worst of the worst cybercriminals call home. The Dark Web is the seedy underbelly of the Internet, access it at your own risk. This is where the illegal content and hidden services are which may be attractive to some. However, it is also where law enforcement and security researchers try to monitor what is going on.
Spotlight Data Privacy Issue
This installment’s spotlight on a hot data privacy issue goes out to the cell phone service provider companies (e.g., AT&T, Verizon, Sprint). Be aware that cell phone companies are selling your phone’s geolocational data to anyone who is willing to pay a few hundred dollars. While this may be alarming, it is not surprising in the least. Cell phone carriers have a long tradition of being some of the slimiest and shadiest companies ever.
Unfortunately, if you own a cell phone, and most of us do statistically, there is almost nothing that you can do to protect against this short of taking drastic measures on a continual daily basis. By drastic measures, I mean removing the SIM card and battery from a cell phone when you’re not using it. It’s either you do that or place the phone in a Faraday bag so that no RF signals can reach it or escape from the phone to nearby cell phone towers. These are the only methods you could potentially use to protect against being tracked in real-time via your phone signal.
Low-Tech Security: Evasion and Anonymity Tip
Instead of providing your real email address for services or people you never want to hear from again, use a fake email address from Maildrop. Whenever services like Netflix or Hulu offer free limited-time trial periods, you can just keep using fake email addresses after fake email addresses to keep things free for a while. That is a hacker tip for you to play with. Of course, the main reason to use a fake email address or at least a separate email address from your primary address is that nearly every single website now requires that you create an account to access their content. Of course, part of the website registration requires that you provide a name and email address. There is nothing that requires these be your actual name and email address. For both of these items, you should use a fake name or pseudonym EVERY F*CKING TIME unless you want your real name known and you are willing to receive ungodly amounts of spam from the site.
That is it for this edition of Becoming Virtually Untraceable folks. I sincerely hope that you enjoyed reading my content. If you did, please do me the courtesy of clapping, re-tweeting, or upvoting the article to let me know someone out there enjoyed it. Until next time, and remember this mantra to live by for those seeking to become virtually untraceable:
***Trust No One. Verify Everything. Leave No Trace.***
Additional Privacy Resources
z3r0trust Privacy Newsletters: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, #4–20, #5–20, #6–20, #32–20, #33–20, #8–20, #9–20, 16, 17, 45–20, 46–20, 47–20, 48–20, #1–21, #2–21, #3–21, #6–21
*Privacy-related articles also published by the author can be found here.
Other helpful privacy info: EFFector | Atlas of Surveillance | Privacy Tools | IAPP | ACLU | PogoWasRight.org | DataBreaches.net
