Becoming Virtually Untraceable- “eps9.0_syst3m_da3m0n5.dat”

*Note: This article was originally published by the author on February 3, 2019. This article is also available in Spanish here.

Rami Malek of the “Mr. Robot” TV series; credit: USA Network

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” ― Sun Tzu, The Art of War

If you’ve managed to stick with me this far into the series, then I must applaud you for it is evident that privacy and anonymity are very important to you. This is installment number nine of the series and while it is always beneficial to begin reading any series from the beginning to understand everything that has been previously covered up to this point, you can pick up wherever you’d like. Feel free to check out the entire series consisting of 15 unique articles: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.

In this installment of the series on Becoming Virtually Untraceable, I will demonstrate how adopting an adversarial mindset can help you avoid becoming a victim in real life and online. We’ll look at a few spotlight data privacy issues that have been front-page news recently involving Apple, Google, and Facebook. Lastly, I’ll finish up by providing you with some more tips on staying as anonymous as possible online.

Adopt an Adversarial Mindset to Avoid Victimization

Credit: Tale of Ronin

Too often in modern society, it seems as though it is the meek and righteous that continually fall victim to sneaky traps laid by cunning predators, scammers, and criminals. I challenge you to not be this way and instead metamorphose your spiritual mind and physical body into a hardened bastion of impenetrable strength. Make a personal conviction to make yourself a hard target. It is never too late to journey down this path, but it will test you mentally, spiritually, and physically. There are many parallels that can be drawn between real life and cyberspace, which is why I often dance between the two realms.

Why Adopting an Adversarial Mindset is Extremely Important

Predators are lying in wait to take advantage of you at every turn. Though it may seem as though there is a noticeable imbalance of evil versus good, looks can be deceiving. Every person alive on this planet struggles with their own inner demons (da3m0n5) whether they admit it or not. The only difference is that some have given into or have become overtaken by their inner demons whereas others choose to resist indefinitely. Predators come in all shapes and sizes, some hide behind keyboards thousands of miles away in foreign lands. Some are right next door, putting on that fake smile as you walk on by them.

With a military combat background coupled with ethical hacking and practicing martial arts, admittedly my view of the world is seriously warped and slanted towards looking for the flaws in people. Call it an overabundance of caution, but I’ve seen the evil that people are capable of and I refuse to fall victim to it. Flaws in people aren’t hard to find either, everyone has them. Your “flaw” or vice might be your penchant for alcohol, drugs, fast cars, money, or sex. Those are the usual themes. Just like a pickpocket thief, cyber predators read your online behaviors and observe every detail you make publicly available to determine if they can exploit any of your vulnerabilities. For that which you’ve kept hidden or private, they can infer the rest. This is why one must be cognizant of what information one is publishing to the world on the Internet.

Parents need to be aware of the suicide challenge #MomoChallenge

Children are the smallest, most innocent, and vulnerable group of people that cyber predators prey upon. Parents and parental guardians have a responsibility to protect their children from the dangers of society and to teach them about perils they may one day encounter on their own. Are you monitoring everything your child does online? There is an unending stream of news stories about sexual predators who use the Internet to prey upon the most vulnerable members of society — our children. As a father of 3 kids, knowing how to use technology to your advantage to be intrusive parents into your kids’ lives is more important than ever due to all the social pressures kids face online today. If you’re a parent of a pre-teen or teenager, then you might want to Google #BluewhaleChallenge or #MomoChallenge. Scary stuff, peer pressure for kids is already challenging enough for kids to go through, but the fact that there are adults who are encouraging youths to harm themselves while using social media and the Internet as instruments of their evil is flat-out disgusting.

Girls and women have to be hypervigilant at reading social cues and environmental circumstances wherever they go to avoid becoming victims of sexual predators of which statistically, death is a common result. This is why it’s always safer for females to travel in pairs or larger groups. Some women are completely capable of fending for themselves and will put some men to shame physically speaking. That’s awesome, but what happens when they are confronted by two or more men? In terms of physical security, I think whenever possible it is not a bad idea for men, fathers, sons, husbands/boyfriends to escort their wives/girlfriends, mothers, grandmothers, daughters if nothing else for the sake of protection.

This is such a basic and traditional concept that too often in today’s “civilized” 21st-century society doesn’t happen anymore because everyone is too busy to concern themselves with such trivial common-sense protections and feels as though the police should be able to protect them. Until they are victimized… Come now, don’t be foolish. You are always your first line of defense, the police can’t be expected to be everywhere at once and may take precious time to come to the aid when notified of an emergency. The real question is can you defend yourself enough to fend off an attacker long enough for help to arrive?

Elderly people are often targeted by financial scammers that prey upon their compassion and lack of technical prowess to steal money from them. We’ve probably all received spam/scam phone calls claiming to be IRS agents or someone claiming to be a failproof investment scheme. Elderly people, our grandparents or parents in some cases, are particularly vulnerable to any financial scam because they might not understand how someone could be so callous to try to take advantage of them. In other words, they don’t see the threat coming. It is up to you to educate them about the dangers of the Internet, of people showing up out the blue with irresistible offers, of anything involving money. Put some two-factor authentication on our beloved elderly folks for goodness sake, tell them to consult you before they do anything major financially or offer to help them with their tax return. Do something, too many elderly get scammed every year on once it happens it is almost impossible for them to recover financially as they have less lifespan left to recover from financial losses.

It’s disturbing that there are heartless people in this world who would prey upon children, the elderly, and women but it is not surprising. Predators in nature such as wolves, coyotes, lions, and cheetahs will go after the slowest or weakest animal in the herd. Often criminals and cybercriminals do the same. So, then it becomes about trying to bulletproof your life as much as is reasonably possible while still maintaining some semblance of normal life. The thin veil of digital anonymity allows evil to lurk on the Internet more so than in real life. There are methods that can be used to uncloak these bad actors, but like anonymous techniques and technologies, they aren’t perfect either.

Know Your Adversary

If you were a criminal hacker, how would you exploit yourself? It is valuable to ask yourself how a criminal might try to exploit you in every facet of your life. After all, you know yourself better than anyone else does so who better to ask? Consider what it is that you own that is perhaps most valuable. Sure, maybe you’ve got some valuables at home tucked away in a safe or some piles of cash lying around somewhere. But what could be more profitable for cybercriminals than even those things? Your personally identifiable information (PII). If a cybercriminal can discover your PII elements such as your full name, social security number, date of birth, and home address then they could try to steal your identity and open up credit lines in your name. Easier than that though is for cybercriminals to steal your credit card or banking information to make fraudulent purchases or wire transfers.

What are your daily routines? Are you super predictable? What websites do you commonly visit? Most people are creatures of habit. How do you remember your passwords? Are you one of those people who elect to have the Web browser save all of your passwords for convenience sake? Do you write your passwords down? Do you think you’re being slick by saving your passwords in a password-protected text file? I have news for you. You’re gambling on borrowed time. Those methods of protection will not stand up against current malware threats that scrape your computer for any financial data or an attacker is able to infect your computer with ransomware because you opened up a phishing email or visited a malicious URL. Security is often the victim of convenience. It’s like the organization that refuses to pay for IT security infrastructure upgrades or tools that would help the organization defend against cyber threats but fails to realize until it’s too late that it’s much cheaper to upgrade than suffer a massive data breach and end up facing legal fines and lawsuits.

Transform Yourself Into a Fortress by Applying the Adversarial Mindset to Everyday Life

A statue of Saint Michael, the Archangel

1. Look at your physical defenses: physical fitness; the 3G’s (gates, guns, guards) as in does your dwelling have security gates, bars on the windows? Does it have a home alarm system connected to a 24/7/365 home monitoring service that will notify the fire or police department should you suffer a disaster or home invasion? Do you have weapons? If so, do you know how to use them? When was the last time you practiced with these weapons? Do you understand the legal ramifications should you have to one day use these weapons in self-defense? When are you legally allowed to defend yourself, your property, your family/friends with respect to the local laws? Are you staying fit and strong, that is to say, are you capable of reasonably defending yourself from an assailant? Some people look at fitness as only being about physical and mental health, but it can always be a very critical factor in whether you will be able to defend yourself or your loved ones in a split second.
2. Look at your mental defenses: are you leaving yourself open to attack? Do you often overshare with others the intimate details of your life? Do you believe in something greater than yourself? There’s a wise saying that says, “If you don’t stand for something, you’ll fall for anything.” Very true indeed, we all need internal fortitude to remain who we are and stand up to adversity in life. Take a little time for self-reflection each day. You can couple this time with something else that you enjoy doing such as working out, practicing martial arts, meditation, walking or around the neighborhood, or running trails, whatever your thing is. Just be yourself in this life, but be careful both in your physical actions and online in the digital world because there are predators and dangers everywhere. Though it may seem impossible with everything you have going on presently in your life, sometimes it’s good to slow down and take inventory of where you are in life and what your goals and motivations are. This will help you keep important aspects of your life in focus. Keeping a written or digital journal can help with this. Of course, there are apps for that also if you want to go that route. But you’re often better off devising your own system. There will always be demands in your personal and professional life that will test your nerves, stress you out, and sometimes this can degrade you to the point of leaving you vulnerable to attack. It might be wise to slow things down a bit and reflect for a moment on what’s really important. All of those work projects will still be there tomorrow morning.
3. Look at your digital defenses: how much of an online presence do you have? Do you use social media and if so, do you use real names and post photos and videos of yourself and family/friends? Do you take the time to scrub your photos/videos of metadata before posting them online? If you’re a parent, do you consider the ramifications of posting pictures of your children on social networking sites considering mass surveillance, artificial intelligence, and facial recognition systems being employed? Does your email address contain your full or partial name? If so, why? Business or work emails often require the use of full or abbreviated employee name variations but your personal email address shouldn’t automatically identify you to others. Do you let smartphone apps access your geolocation, contacts, photos, and files? Have you not heard about the Facebook app sharing data with several other companies without your permission? Do you have a firewall turned on (e.g., Windows Defender or similar product) at home? Do you pay for a Virtual Private Network (VPN) service? Are you in the habit of throwing cyberstalkers off your trail by posting disinformation online? Do you use a different password for every site you have an account with? If not, you’re rolling the dice. This is one reason why password managers are great. You can have them generate incredibly long and complex passwords if you want, but remember that length is more important than complexity for password entropy. With password managers, you only need to remember really long passphrases (consider using a passphrase of 25+ characters) instead of a bazillion other short-length passwords. Don’t upload a picture of yourself and just have the generic silhouette for your photo.

What Does Adopting an Adversarial Mindset Have to do With Becoming Virtually Untraceable?

More than you think. When you begin to think as an adversary thinks, you can start to predict their actions and remain two steps ahead while taking precautions to protect yourself and your private information from unnecessary, unprotected exposure. To achieve virtually untraceability, you need to stop and observe your surrounding environment. How are you likely to be observed by adversaries or anyone? Who really are your adversaries?

Threat Modeling

Example of a Network Threat Model; credit: joetheitguy.com

Have you threat modeled yourself? This is important because we all face different types of threats. For women, their threat model will look different than most men’s threat models. Why? Simply for reasons that were already mentioned regarding the risk of sexual assault, but also for other potential factors such as a person’s amount of wealth, fame status, and appearance to name a few. There is a reason why Kim Kardashian has bodyguards with her any time she travels. Some men may also have similar threat model factors to consider, but it is less likely. Additionally, most people don’t have enough money to hire bodyguards and private jets, so the cost of security measures is almost always a limiting factor. If you own expensive things like cars or live in an expensive home with nice things, then your threat model might look different than someone who lives in a gated apartment complex but that doesn’t own many expensive possessions.

Traditionally, threat modeling is used to describe the process of conducting a risk assessment for a computer network to determine how vulnerable it is to certain known threats as well as the likelihood those threats will be faced from a hypothetical attacker’s view. Here are some factors to consider in your threat model:

1. What is it that requires protection?
2. Who is likely to try to attack it?
3. How might they try to attack it?
4. What’s in it for an attacker?
5. What security measures will you implement to prevent, detect, and respond to threats and vulnerabilities?

Featured Privacy Tactics, Techniques, & Procedures

Disabling unnecessary features on your computer is another aspect of hardening a system. For instance, at work, your employer may have all sorts of software on your computer. It’s possible that some of this software could be a keylogger application that is intended to track what employees are doing on their computers as well as online. This means that if you decide to log into your personal email, banking site, or another personal account, your employer could potentially have access to those login credentials. Chances are that this isn’t the case at your job, but it’s definitely possible. Employers have the right to monitor what employees do on employer-provided computers and phones. Employees do not have a reasonable expectation of privacy under the Fourth Amendment of the U.S. Constitution in the workplace.

“As a general rule, employees have little expectation of privacy while on company grounds or using company equipment, including company computers or vehicles,” said Matt C. Pinsker, adjunct professor of homeland security and criminal justice at Virginia Commonwealth University.

This privacy battle has played out in court more than once here in the U.S. and the court precedent is not on the employee’s side. Employers also commonly monitor employee Web browser activity and some will even block social media or video streaming services during working hours to increase productivity amongst employees.

According to a survey conducted by Dtex Systems, “77 percent of employed Americans would be less concerned with their employer monitoring their digital activity on personal or work-issued devices they use to conduct work, as long as they are transparent about it and let them know up front.” — Business News Daily

Spotlight Data Privacy Issues

This installment’s spotlight on data privacy is dedicated to those greedy, private user data-collecting tech giants Apple, Google, and Facebook who continue to sink to new levels of depravity month after month. A small chunk of the profits these tech giants are making is spent on lobbying on issues such as tax reform, immigration, copyright and patent reform, and privacy issues.

Technology giants spent millions on lobbying in 2018

“Google led the pack, spending $21 million — up from $18 million in 2017… Amazon spent $14 million lobbying on many of the same issues, while Facebook spent almost $13 million. Microsoft spent $9.5 million, while Apple spent $6 million.” — Ars Technica

Apple’s FaceTime App Bug

Apple Takes Drastic Measures to Stop a Nasty FaceTime Bug

Next, we have a massive privacy vulnerability in Apple’s FaceTime app code that a 14-year-old discovered which allows a FaceTime caller to activate another iPhone user’s microphone and camera without the person knowing they were turned on. As if this weren’t bad enough, the boy’s mother attempted to report this flaw to Apple and was ignored for over a week. Once Apple did acknowledge the flaw and that they had developed a fix for it, Apple seems to be in no hurry to release the fix stating that it will be sent out next week. So much for iPhone privacy, apparently Apple has more important things to worry about…

Google Jumps Into Facebook’s Dumpster Fire & Apple Blocks Both

Credit: Adult Swim

Ever wonder when the Facebook dumpster fire is going to end? Yeah, same here. One thing that has become apparent to me is that as long as Mark Zuckerberg remains CEO, the company is going to be morally bankrupt. Remember this is the same kid who while at Harvard 2004, the then 19-year-old Zuckerberg told his college friend that people who willingly gave over their private data were “dumb fucks.”

As reported by Business Insider, the conversation according to SAI sources, went as follows.

Zuck: Yeah so if you ever need info about anyone at Harvard

Zuck: Just ask.

Zuck: I have over 4,000 emails, pictures, addresses, SNS

[Redacted Friend’s Name]: What? How’d you manage that one?

Zuck: People just submitted it.

Zuck: I don’t know why.

Zuck: They “trust me”

Zuck: Dumb fucks.

But I digress, back to this latest Facebook fiasco. According to a TechCrunch investigation, Facebook has been paying kids as young as 13 years old (the minimum age allowed under the Children’s Online Privacy Protection Act- COPPA, that companies collect data on children) to download an app which granted Facebook total access to their phones including browsing history, private messages (even if encrypted), and emails. Facebook’s response was that the app “was purely for market research.” Wow! How much more sinister can Facebook get? Seriously, they just don’t even care about ethics.

The crazy part of this story is that it gets even juicier because it turns out that, big surprise now, Google was doing the same thing. Google was using Apple’s Developer Enterprise Program to collect data on consumers against Apple’s strict App Store rules. Google allowed iPhone users to install an app called Screenwise Meter which monitored browser history and network traffic on the phone. Google rewarded users with gift cards if they installed and used the app on their phones. Once this came to light, Apple quickly blocked Facebook and Google from its App Store, but only for a few days, and has since re-allowed them. Apple gets some small props for looking out for its consumer data privacy in this one instance.

By Defying Apple’s Rules, Facebook Shows It Never Learns

Apple Blocked Google’s Internal Apps Too

Why Facebook’s Banned ‘Research’ App Was So Invasive

Low-Tech Security: Evasion and Anonymity Tip

Lock your computer screen every time you step away from your desk at work, even if it’s only to use the restroom or refill your water bottle. You never know who is snooping on what you’re doing on your computer or who wants to sabotage your work efforts to get ahead. In less than a minute someone could do serious damage to whatever you’re working on. They could also send a nasty email to your boss or a co-worker from your email account. They could quickly scan through your Internet browser history and export it to Human Resources. Get in the habit of locking your computer workstation screen whenever you step away. It’s a best practice for information security and simple, low-tech protection and privacy hack that you can begin using right now!

You’re most likely statistically using a version of Windows at work, or possibly Mac OS, Linux, or Unix. CTRL-ALT-DEL pressed simultaneously will give you the option of locking your computer workstation screen. Windows also allow users to quickly lock their screen by holding down both the Windows key + L.

It’s also a good idea not to access personal accounts such as email, banking, or social media accounts from your work computer. Doing so, as mentioned above, could lead to your employer also having access to your personal accounts. Chances are that no employer would ever risk accessing an employee’s personal accounts on websites, but employers have every right to monitor network activities on their network (Wi-Fi, Ethernet, FiOS, etc.) infrastructure. Do you really want to risk giving your employer unfettered access to your personal photos, emails, files stored in the Cloud, social networking accounts, or banking information? That’s it for this edition of Becoming Virtually Untraceable. Until next time and remember:

***Trust No One. Verify Everything. Leave No Trace.***

Additional Privacy Resources

z3r0trust Privacy Newsletters: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, #4–20, #5–20, #6–20, #32–20, #33–20, #8–20, #9–20, 16, 17, 45–20, 46–20, 47–20, 48–20, #1–21, #2–21, #3–21, #6–21

*Privacy-related articles also published by the author can be found here.

Other helpful privacy info: EFFector | Atlas of Surveillance | Privacy Tools | IAPP | ACLU | PogoWasRight.org | DataBreaches.net