I don’t need to cover my traces, or do I?

6824175422_003a2ca642_bAnonymity on the net is a topic that is discussed more and more frequently. We all know that many services on the net can be used anonymously. Or can they? The Internet is a giant data processing machine, and data about us users is getting more and more important. Anonymity on the net is to an increasing degree becoming a hallucination. Your access is logged, your surfing is tracked by cookies and the big data companies are even gathering info about your non-digital life. People are to an increasing degree doing things online thinking they are anonymous, but in reality they leave traces behind. These traces can lead back to their real identities, and in worst case put them in serious trouble.

I’m not going into the big picture about anonymity and privacy here. I’m going to present a tool that can be used to obfuscate your true identity. The anonymity network TOR. This is a tool and network that provides fairly strong protection against anyone who try to find out where a connection over the Internet really came from.

Let’s first debunk two myths.

  • This kind of stuff is only needed by criminals. I’m a law-obeying citizen! Well, yes. It is in most cases OK to surf without this kind of protection. But it is also good to be aware of this possibility. There are situations where it can be smart to cover your traces even if you have perfectly honest intentions. And being anonymous is not wrong in any way, you have the right to use this kind of tool if you like.
  • I don’t know how to do this. I’m no hacker. Don’t worry. Using this tool is no harder than installing a program on your computer.

So what’s the problem we are trying to tackle here? Practically all services on the net log all access. This log contains the so called IP-address that you are using, no matter if you have entered your real name at the site or not. The IP-address is a numeric code that is unique for all devices that connect to the net. Your ISP assigns one to your computer (or router, or modem) automatically when you connect to the net and you don’t have to worry about that. When you surf “anonymously” on a site, the site owner will know this IP-address but not who it has been assigned to. That information remains in the ISP’s log and is typically revealed only to authorities when investigating crimes. (Depends on local laws.) So you can under normal circumstances be traced back to your ISP, but the trace stops there.

So you have a certain level of privacy when surfing from home. But what about your computer at work? Here the company is in the ISP’s position. All traffic you generate can easily be traced to the company, but not to your workstation. The company’s administrators may be able to trace further, but that depends on how the internal network is managed.

Here’s some examples of situations where the default protection may be insufficient:

  • Your ISP may protect your identity, but how reliable is that? Someone may present fraudulent accusations to get access to your true identity. People may misuse their access rights and leak data. The ISP’s employees are just humans after all. You don’t have to worry about that if you are using TOR.
  • What if you discuss something online from work, but the topic is totally unrelated to your employer? Or even in conflict with your employer’s interests. Then it’s best if no one afterwards can claim that someone from that company made a comment in the discussion.
  • If you consider becoming a whistle-blower, get TOR! Handle the case through TOR exclusively. This is a tricky situation where you may break contracts or even the law, and still do very much good for the society. You may have to pay a high price for being a hero unless you protect yourself.
  • TOR can circumvent some national censorship schemes. This benefit is obvious in totalitarian states, but might be more relevant to you than you think. Finland, for example, is considered to be a democratic country without severe human rights problems. But despite that we have an Internet censorship scheme that was developed to stop child pornography. Now it is misused to block on-line poker, criticism against the authorities and many other things. The list of censored sites is secret and site owners can’t challenge it in court. But TOR-users have free access. (Yes, seriously! Sounds like China or Iran but this is in EU.)
  • TOR is not only protecting your identity, it also encrypts traffic and prevents 3rd parties from finding out what you are doing and who you are communicating with. This may be beneficial if you don’t trust the network you are using. A good example is FRA in Sweden. They have legal rights to intercept all network traffic crossing Sweden’s borders, including traffic in transit to other countries. A bummer for us here in Finland as our cables to the world go west.

TOR is a privacy network that routes your traffic through a chain of several randomly picked servers before it goes to the site you are accessing. The traffic is encrypted all the way from your computer to the last relay machine. The protocol is also designed so that the relaying machines never know more than they need to know. The first server knows who you are but not what you are doing or what site you are accessing. The last server can see your traffic in plaintext and knows where it is going, but do not know who you are. None of this is however logged by the TOR relays as their purpose is to ensure your privacy. Even if someone with malicious intent would get hold of one of these servers, they would not be able to reveal your secret.

The simplest way to use TOR is to download and install the browser bundle. It consists of two parts that work together seamlessly. “Vidalia” is the control center that sets up the chain of secure servers and handles communication. “TorBrowser” is a Firefox-based web browser that is preconfigured to communicate through TOR. It makes it easy to start using TOR, no nerdy settings needed. A separate browser is also really necessary to guard your privacy as your normal browser is full of cookies that can identify you.

Installing TOR is easy, but that alone does not guard your identity. If you want to be truly anonymous at some certain site, you need to follow some additional guidelines.

  • Do not use a user name or account that you have used previously without TOR. That account can be connected to your real IP-address using old log entries. Start fresh and create a new account through TOR. Needless to say, your new alias shall not give any hint about your true identity.
  • Make sure that all your access to the site where you want to be anonymous is through TOR. Even a single login from a connection that can be traced may reveal you.
  • If you have to provide a mail address for your new account, use TOR to create a new mailbox in a webmail service of your choice and use that address exclusively. tormail.org is an alternative if you are paranoid.
  • Think about what info you submit when anonymous. Personal info is naturally no-no, but also other kind of knowledge may reveal you or limit the number of possible persons behind your alias.
  • Don’t use both your anonymous identity and your real identity from the TorBrowser at the same time. This makes it possible to tie them together as they both would use the same IP-address. You can use the Vidalia-console to refresh the IP-address that is shown outwards. Make sure you do this before logging in with another identity, or use your real-life identity from your normal browser instead.
  • Don’t break the law. That is of course good advice in generic as well. In this case a criminal investigation will pose a greater threat against your anonymity as the authorities have much more abilities to trace you.

Disclaimer. I hope you never truly need this kind of protection. But if you are in doubt, play safe and cover your tracks. Also keep in mind that it is tricky to be truly anonymous on the net. That is especially true if you are wanted by the authorities. Do not rely solely on this article if you are in a situation where your personal safety depends on anonymity, like for high-end whistle-blowers or opposition activists in non-democratic countries. What’s said above is a good start in these situations too, but you should get a more comprehensive understanding of on-line anonymity before putting yourself at risk.

Check what your surfing looks like from the site owners’ perspective. This site reveals the info. If using several connections, like home and work, check all of them. If you install TOR, visit the site from the TorBrowser to see how the address has changed.

Safe surfing,

PS. Another way to see the need for anonymity. The law protects our property against thieves, but still we use locks. The law protects our privacy on-line (to some extent), but most people do not enforce that in any way. TOR is for privacy what a lock is for theft. Why not play safe and lock it?

Photo by zigazou76 @ Flickr

More posts from this topic


Why are Android bugs so serious?

Yet another big vulnerability in the headlines. The Metaphor hack was discovered by Israel-based NorthBit and can be used to take control over almost any Android device. The vulnerability can be exploited from video files that people encounter when surfing the web. It affects all versions of Android except version 6, which is the latest major version also known as Marshmallow. But why is this such a big deal? Severe vulnerabilities are found all the time and we receive updates and patches to fix them. A fast update process is as a matter of fact a cyber security cornerstone. What makes this issue severe is that it affects Android, which to a large extent lack this cornerstone. Android devices are usually not upgraded to new major versions. Google is patching vulnerabilities, but these patches’ path to the devices is long and winding. Different vendors’ practices for patching varies a lot, and many devices will never receive any. This is really a big issue as Android’s smartphone market share is about 85% and growing! How is this possible? This underlines one of the fundamental differences between the Android and iOS ecosystems. Apple’s products are planned more like the computers we are used to. They are investments and will be maintained after purchase. iOS devices receive updates, and even major system upgrades, automatically and free of charge. And most users do install them. Great for the security. Android is a different cup of tea. These devices are mostly aimed at a cheaper market segment. They are built as consumables that will be replaced quite frequently. This is no doubt a reasonable and cost-saving strategy for the vendors. They can focus on making software work on the currently shipping devices and forget about legacy models. It helps keeping the price-point down. This leads to a situation where only 2,3% of the Android users are running Marshmallow, even half a year after release. The contrast against iOS is huge. iOS 9 has been on the market about the same time and already covers 79% of the user base. Apple reported a 50% coverage just five days after release! The Android strategy backfires when bugs like Metaphor are discovered. A swift and compete patch roll-out is the only viable response, but this is not available to all. This leaves many users with two bad options, to replace the phone or to take a risk and keep using the old one. Not good. One could think that this model is disappearing as we all grow more and more aware of the cyber threats. Nope, development actually goes in the opposite direction. Small connected devices, IoT-devices, are slowly creeping into our homes and lives. And the maintenance model for these is pretty much the same as for Android. They are cheap. They are not expected to last long, and the technology is developing so fast that you would be likely to replace them anyway even if they were built to last. And on top of that, their vendors are usually more experienced in developing hardware than software. All that together makes the IoT-revolution pretty scary. Even if IoT-hacking isn’t one of the ordinary citizen’s main concerns yet. So let’s once again repeat the tree fundamental commands for being secure on-line. Use common sense, keep your device patched and use a suitable security product. If you have a system that provides regular patches and updates, keep in mind that it is a valuable service that helps keeping you safe. But it is also worth pointing out that nothing as black and white. There are unfortunately also problematic update scenarios.   Safe surfing, Micke     Photo by etnyk under CC

March 18, 2016
Tracker Mapper

Want to Pwn Internet Trackers? Here’s How

A recent PEW report says that 86 percent of people have taken action to avoid online surveillance, including simple things like clearing their browser cache, as well as using more effective methods, such as using a VPN (virtual private network). The same report says that 61 percent of participants indicated that they’d like to do more. Many people understand their privacy is at risk when they do things online, and want to do something about it. But that’s easier said than done. Not only do you have to have the will to make it happen, but you have to know where to start. Who do you want to protect your privacy from anyway? Facebook? The NSA? Nosey neighbors? PEW’s report says that 91 percent of people agree or strongly agree that consumers have lost control over personal information that is collected and used by companies. So if you want to take this control back, the first thing you need to do is figure out who’s stalking you online. F-Secure’s Freedome VPN, which you can try for free, has baked-in tracking protection technologies to help people protect their privacy while they’re surfing online. It also has Tracker Mapper – a feature that people can use to control how they expose themselves to Internet trackers. Tracker Mapper has been available for Macs and Windows PCs for about half a year, and was just launched for Freedome’s Android and iOS apps. So how does using Tracker Mapper help you control your online privacy? Here’s our Chief Research Officer, Mikko Hyppönen, talking about how online tracking threatens people’s privacy, and how Freedome (and Tracker Mapper) can help people protect themselves. [youtube=https://www.youtube.com/watch?v=X1F8sHjCBx0&w=560&h=315] I ran a little experiment to help me learn how to limit my exposure to trackers while planning a vacation. I used Alexa to help me find some popular travel websites that I could use to shop for deals on hotels. After that, I turned on Tracker Mapper (which is turned off by default, because we respect the fact that people don’t want apps to create logs without permission) so I could find out which of these websites used the most tracking to study me as I used their site. I chose 5 of the more popular sites, and then I spent about 10 minutes on each, and left a bit of extra time so I could check out the results in between. The whole thing took me about an hour, giving me a one-hour log of the tracking attempts Freedome blocked while I browsed these sites. Tracker Mapper creates an interactive visualization of the blocked tracking attempts, and gives you information on what trackers attempted to monitor you on different websites. It also shows how these trackers link together to create a network capable of monitoring you as you navigate from website to website. These are screenshots showing how Tracker Mapper visualizes online tracking, as well some of the statistics it provides. The capture on the left shows the entire overview of the session (which lasted exactly one hour). The shot in the middle shows the sites I visited ordered by the most tracking attempts. The capture on the right shows the actual trackers that attempted to track me during my session, ordered by the number of blocked attempts. Based on this, Trip Advisor appears to have made the most tracking attempts. But you can learn even more about this by combining Tracker Mapper with a bit of online digging. You can tap on the different “bubbles” in Tracker Mapper to pull up statistics about different websites and tracking services. The first screen capture shows how many tracking attempts from different services were blocked when I visited Trip Advisor. The next two show the most prominent tracking services Freedome blocked – the tracker that TripAdvisor has integrated into its website (www.tripadvisor.com), and a tracking tag from Scorecard Research (b.scorecardresearch.com). As you might have guessed, TripAdvisor’s own tracking service is only used on their website (it’s what’s called “first-party tracking”). That’s why Tracker Mapper doesn’t show any connections between it and other websites. The second one, Scorecard Research, is used on both Trip Advisor and Lonely Planet. That’s why there are lines connecting it with both (it’s what’s called “third-party tracking”). Scorecard research is a marketing research firm that provides tracking and analytic services by having websites host their “tags”, which collect information about those website’s visitors. The Guardian has an excellent write-up about Scorecard Research, but what’s missing from the Guardian story is that you can opt-out of Scorecard Research’s tracking. Basically, they put a cookie on your browser, which isn’t an uncommon way for tracking companies to allow web surfers to protect their privacy (and oddly enough, a common way for them to track you). Stripping trackers out of websites lets people take control of who’s monitoring what they do online. PEW’s survey found that this idea of control is central to people’s concerns about online privacy - 74 percent of respondents said it’s important to control who can get information, and 65 percent said its important to control what information is collected. However, opting out of every tracking service (and for every browser you use) by installing opt-out cookies isn’t as convenient as using Freedome. And as F-Secure Security Advisor Sean Sullivan pointed out in this blog post, it actually works much better for your browsing (one experiment found that Freedome can reduce the time it takes to load web pages by about 30 percent, and decrease data consumption by about 13 percent). You can download Freedome for a free trial and find out for yourself if how it can help you control your online privacy. And right now, you can win free annual subscriptions, as well as cool swag (like stylish hoodies) by posting a screenshot showing your blocked tracking attempts to F-Secure’s Facebook wall, or on Instagram with F-Secure tagged. The contest is open till March 23rd, and 5 winners will be randomly drawn after it ends.

March 16, 2016
going back in time with macro malware

Hack to the Future: The Return of Macro Malware

We who write stuff in the security industry are used to dashing off sentences like, “Online attacks are becoming more and more advanced” or “Malware is continually evolving in sophistication.” But in the past year we experienced a surprising throwback to one type of malware from an earlier era. Malware that uses a rather old technique, but it’s causing plenty of trouble nonetheless. It kinda feels like we've gone back in time. I’m talking about macro malware. It’s something we hadn’t seen prominently since the early 2000’s. And now, as touched on in our just released Threat Report covering the 2015 threat landscape, it has reared its head again. What is macro malware? Macro malware takes advantage of the macro feature in Office documents to execute commands. And macros are simply shortcuts the user can create for repeated tasks. For example, let’s say you are creating a document in Word and you find yourself repeatedly editing text to be red with a yellow highlight, 16 point, italic and right aligned. To save time, you can create a macro of your commands and then whenever you need that kind of style, simply run the macro. A little history Macro malware was common back in the 1990’s and early 2000’s. The first macro malware, Concept, was discovered in 1995, although it was basically harmless, simply displaying a dialogue box. In 1999, one of the most notorious macro malware, Melissa, was discovered. Melissa emailed itself to 50 addresses in the user’s address book, spreading to 20% of the world’s computers. But macro malware wouldn’t last long. When Microsoft released Word 2003, the default security settings were changed to stop macros from automatically running when a document opened. This made it more difficult to infect a computer through macros and attackers mostly dropped them to focus on other methods. So what happened? Why is it back again? The re-emergence, according to Sean Sullivan, Security Advisor in F-Secure Labs, may be correlated with the decline of exploitable vulnerabilities due to security improvements in today’s common software applications like Microsoft Office. Exploits have been one of the most common ways to infect machines in recent years, but with fewer software holes to exploit, malware authors seem to be reverting to other tricks. How it’s successful Today’s macro malware attempts to get around Microsoft’s default settings with a simple trick. When a document is opened, the information inside doesn’t appear properly to the viewer – for example, sometimes the document looks like scrambled gobbledygook. Text in the document claims that macros, or content, must be enabled for proper viewing. Here’s one example: Curiosity? Just plain unaware? Whatever the reason, as Sean says, the malware’s reappearance has been successful because “People click.” Once macros have been enabled, the malicious macro code is executed – which then downloads the payload. Macro malware is used by crypto-ransomware families like Cryptowall and the newest threat Locky. These families encrypt the data on a computer and then demand payment to unencrypt it. Although we don’t know for sure, it’s possible it was macro malware that was used in the holding of a Hollywood hospital for ransom last month. The banking Trojan Dridex, which allows attackers to steal banking credentials and other personal info from infected machines, also uses the technique. How to avoid it Fortunately, if you use security from F-Secure, you’re protected from these threats. But aside from that, the old advice still holds: Be wary of email attachments from senders you don’t know. And take care not to enable macros on documents you’ve received from sources you’re not 100% sure of.   "Back to the Future" banner image courtesy of Garry Knight, flickr.com

March 15, 2016