I don’t need to cover my traces, or do I?

6824175422_003a2ca642_bAnonymity on the net is a topic that is discussed more and more frequently. We all know that many services on the net can be used anonymously. Or can they? The Internet is a giant data processing machine, and data about us users is getting more and more important. Anonymity on the net is to an increasing degree becoming a hallucination. Your access is logged, your surfing is tracked by cookies and the big data companies are even gathering info about your non-digital life. People are to an increasing degree doing things online thinking they are anonymous, but in reality they leave traces behind. These traces can lead back to their real identities, and in worst case put them in serious trouble.

I’m not going into the big picture about anonymity and privacy here. I’m going to present a tool that can be used to obfuscate your true identity. The anonymity network TOR. This is a tool and network that provides fairly strong protection against anyone who try to find out where a connection over the Internet really came from.

Let’s first debunk two myths.

  • This kind of stuff is only needed by criminals. I’m a law-obeying citizen! Well, yes. It is in most cases OK to surf without this kind of protection. But it is also good to be aware of this possibility. There are situations where it can be smart to cover your traces even if you have perfectly honest intentions. And being anonymous is not wrong in any way, you have the right to use this kind of tool if you like.
  • I don’t know how to do this. I’m no hacker. Don’t worry. Using this tool is no harder than installing a program on your computer.

So what’s the problem we are trying to tackle here? Practically all services on the net log all access. This log contains the so called IP-address that you are using, no matter if you have entered your real name at the site or not. The IP-address is a numeric code that is unique for all devices that connect to the net. Your ISP assigns one to your computer (or router, or modem) automatically when you connect to the net and you don’t have to worry about that. When you surf “anonymously” on a site, the site owner will know this IP-address but not who it has been assigned to. That information remains in the ISP’s log and is typically revealed only to authorities when investigating crimes. (Depends on local laws.) So you can under normal circumstances be traced back to your ISP, but the trace stops there.

So you have a certain level of privacy when surfing from home. But what about your computer at work? Here the company is in the ISP’s position. All traffic you generate can easily be traced to the company, but not to your workstation. The company’s administrators may be able to trace further, but that depends on how the internal network is managed.

Here’s some examples of situations where the default protection may be insufficient:

  • Your ISP may protect your identity, but how reliable is that? Someone may present fraudulent accusations to get access to your true identity. People may misuse their access rights and leak data. The ISP’s employees are just humans after all. You don’t have to worry about that if you are using TOR.
  • What if you discuss something online from work, but the topic is totally unrelated to your employer? Or even in conflict with your employer’s interests. Then it’s best if no one afterwards can claim that someone from that company made a comment in the discussion.
  • If you consider becoming a whistle-blower, get TOR! Handle the case through TOR exclusively. This is a tricky situation where you may break contracts or even the law, and still do very much good for the society. You may have to pay a high price for being a hero unless you protect yourself.
  • TOR can circumvent some national censorship schemes. This benefit is obvious in totalitarian states, but might be more relevant to you than you think. Finland, for example, is considered to be a democratic country without severe human rights problems. But despite that we have an Internet censorship scheme that was developed to stop child pornography. Now it is misused to block on-line poker, criticism against the authorities and many other things. The list of censored sites is secret and site owners can’t challenge it in court. But TOR-users have free access. (Yes, seriously! Sounds like China or Iran but this is in EU.)
  • TOR is not only protecting your identity, it also encrypts traffic and prevents 3rd parties from finding out what you are doing and who you are communicating with. This may be beneficial if you don’t trust the network you are using. A good example is FRA in Sweden. They have legal rights to intercept all network traffic crossing Sweden’s borders, including traffic in transit to other countries. A bummer for us here in Finland as our cables to the world go west.

TOR is a privacy network that routes your traffic through a chain of several randomly picked servers before it goes to the site you are accessing. The traffic is encrypted all the way from your computer to the last relay machine. The protocol is also designed so that the relaying machines never know more than they need to know. The first server knows who you are but not what you are doing or what site you are accessing. The last server can see your traffic in plaintext and knows where it is going, but do not know who you are. None of this is however logged by the TOR relays as their purpose is to ensure your privacy. Even if someone with malicious intent would get hold of one of these servers, they would not be able to reveal your secret.

The simplest way to use TOR is to download and install the browser bundle. It consists of two parts that work together seamlessly. “Vidalia” is the control center that sets up the chain of secure servers and handles communication. “TorBrowser” is a Firefox-based web browser that is preconfigured to communicate through TOR. It makes it easy to start using TOR, no nerdy settings needed. A separate browser is also really necessary to guard your privacy as your normal browser is full of cookies that can identify you.

Installing TOR is easy, but that alone does not guard your identity. If you want to be truly anonymous at some certain site, you need to follow some additional guidelines.

  • Do not use a user name or account that you have used previously without TOR. That account can be connected to your real IP-address using old log entries. Start fresh and create a new account through TOR. Needless to say, your new alias shall not give any hint about your true identity.
  • Make sure that all your access to the site where you want to be anonymous is through TOR. Even a single login from a connection that can be traced may reveal you.
  • If you have to provide a mail address for your new account, use TOR to create a new mailbox in a webmail service of your choice and use that address exclusively. tormail.org is an alternative if you are paranoid.
  • Think about what info you submit when anonymous. Personal info is naturally no-no, but also other kind of knowledge may reveal you or limit the number of possible persons behind your alias.
  • Don’t use both your anonymous identity and your real identity from the TorBrowser at the same time. This makes it possible to tie them together as they both would use the same IP-address. You can use the Vidalia-console to refresh the IP-address that is shown outwards. Make sure you do this before logging in with another identity, or use your real-life identity from your normal browser instead.
  • Don’t break the law. That is of course good advice in generic as well. In this case a criminal investigation will pose a greater threat against your anonymity as the authorities have much more abilities to trace you.

Disclaimer. I hope you never truly need this kind of protection. But if you are in doubt, play safe and cover your tracks. Also keep in mind that it is tricky to be truly anonymous on the net. That is especially true if you are wanted by the authorities. Do not rely solely on this article if you are in a situation where your personal safety depends on anonymity, like for high-end whistle-blowers or opposition activists in non-democratic countries. What’s said above is a good start in these situations too, but you should get a more comprehensive understanding of on-line anonymity before putting yourself at risk.

Check what your surfing looks like from the site owners’ perspective. This site reveals the info. If using several connections, like home and work, check all of them. If you install TOR, visit the site from the TorBrowser to see how the address has changed.

Safe surfing,
Micke

PS. Another way to see the need for anonymity. The law protects our property against thieves, but still we use locks. The law protects our privacy on-line (to some extent), but most people do not enforce that in any way. TOR is for privacy what a lock is for theft. Why not play safe and lock it?

Photo by zigazou76 @ Flickr

More posts from this topic

graveyard, RIP Flash, Is Flash dead

RIP Flash? Has Chrome signed Flash’s death warrant?

The first day of September may go down in internet security history -- and not just because it's the day when F-Secure Labs announced that its blog, which was the first antivirus industry blog ever, has moved to a new home. It's also the day that Google's Chrome began blocking flash ads from immediately loading, with the goal of moving advertisers to develop their creative in HTML5. Google is joining Amazon, whose complete rejection of Flash ads also begins on September 1. "This is a very good move on Amazon’s part and hopefully other companies will follow suit sooner than later," F-Secure Security Advisor Sean Sullivan wrote in August when Amazon made its announcement. "Flash-based ads are now an all-too-common security risk. Everybody will be better off without them." Last month, Adobe issued its 12th update in 2015 for the software addressing security and stability concerns. An estimated 90 percent of rich media ads are delivered through Flash. Having the world's largest online retailer reject your ad format is a significant nudge away from the plugin. But it would be difficult to overstate the impact of Chrome actively encouraging developers to drop Flash. About 1 out of every 2 people, 51.74 percent, who access the internet through a desktop browser do it via Chrome, according to StatCounter. This makes it the world's most popular web interface by far.   Facebook's Chief Security Officer has also recently called for the end of Flash and YouTube moved away from the format by default in January. “Newer technologies are available and becoming more popular anyway, so it would really be worth the effort to just speed up the adoption of newer, more secure technologies, and stop using Flash completely," F-Secure Senior Researcher Timo Hirvonen told our Business Insider blog. So what's keeping Flash alive? Massive adoption and advertisers. “Everyone in every agency’s creative department grew up using Adobe’s creative suite, so agencies still have deep benches of people who specialize in this,”Media Kitchen managing partner Josh Engroff told Digiday. “Moving away from it means new training and calibration.” And Flash does have some advantages over the format that seems fated to replace it. "HTML5 ads may be more beautiful, and are perceived to be more secure, but the files can be a lot larger than Flash," Business Insider's Laura O'Reilly wrote. In markets, stability can breed instability and it seems that our familiarity and reliance on Flash has resulted in unnecessary insecurity for our data. Has Flash hit its moment when its dominance rapidly evaporates? We can have hope. "I sincerely hope this is the end of Flash," Timo told us. Cheers, Sandra [Image by Sean MacEntee | Flickr]    

September 1, 2015
hacking team, hack like a champion, why hacking team matters

3 reasons the Hacking Team story matters from Mikko Hypponen

Hacking is in the news. The U.S. recently disclosed that it was the victim of what may the biggest, most consequential hack ever. We hacked some politicians. And a group called "Hacking Team" was hacked itself. Brian Krebs reports: Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. The disclosure of a zero-day vulnerability for the Adobe Flash Player the team has used has already led to a clear increase of Flash exploits. But this story has a larger significance, involving serious questions about who governs who can buy spyware surveillance software companies and more. Our Chief Research Office Mikko Hyppönen has been following this story and tweeting insights and context. Reporters from around the world have asked him to elaborate on his thoughts. Here's a look at what he's been telling them 1) What is your opinion about the Hacking Team story? This is a big story. Companies like Hacking Team have been coming to the market over the last 10 years as more and more governments wanted to gain offensive online attack capability but did not have the technical know-how to do it by themselves. There's lots of money in this business. Hacking Team customers included intelligence agencies, militaries and law enforcement. Was what Hacking Team was doing legal? Beats me. I'm not a lawyer. Was what Hacking Team was doing ethical? No, definitely not. For example, they were selling hacking tools to Sudan, whose president is wanted for war crimes and crimes against humanity by the International Criminal Court. Other questionable customers of Hacking Team include the governments of Ethiopia, Egypt, Morocco, Kazakhstan, Azerbaijan, Nigeria and Saudi Arabia. None of these countries are known for their great state of human rights. List of Hacking Team customers: Australia - Australian Federal Police Azerbaijan - Ministry of National Defence Bahrain - Bahrain Chile - Policia de Investigation Colombia - Policia Nacional Intelligencia Cyprus - Cyprus Intelligence Service Czech Republic - UZC Cezch Police Ecuador - Seg. National de intelligencia Egypt - Min. Of Defence Ethiopia - Information Network Security Agency Honduras - Hera Project - NICE Hungary - Special Service National Security Kazakstan - National Security Office Luxembourg - Luxembourg Tax Authority Malaysia - Malaysia Intelligene Mexico - Police Mongolia - Ind. Authoirty Anti Corruption Morocco - Intelligence Agency Nigeria - Bayelsa Government Oman - Excellence Tech group Oman Panama - President Security Office Poland - Central Anticorruption Bureau Russia - Intelligence Kvant Research Saudi Arabia - General Intelligence Presidency Singapore - Infocomm Development Agency South Korea - The Army South Korea Spain - Centro Nacional de Intelligencia Sudan - National Intelligence Security Service Thailand - Thai Police - Dep. Of Correction Tunisia - Tunisia Turkey - Turkish Police USA - FBI Uzbekistan - National Security Service 2) What happens when a company of this kind is a victim of an hacking attack and all of its technology assets are published online?  This was not the first time something like this happened. Last year, Gamma International was hacked. In fact, we believe they were hacked by the same party that hacked Hacking Team. When a company that provides offensive hacking services gets hacked themselves, they are going to have a hard time with their customers. In the case of Hacking Team, their customer list was published. That list included several secretive organizations who would rather not have the world know that they were customers of Hacking Team. For example, executives of Hacking Team probably had to call up the Russian secret intelligence and tell them that there's been a breach and that their customership was now public knowledge. The Hacking Team leak also made at least two zero-exploits public and forced Adobe to put out emergency patches out for Flash. This is not a bad thing by itself: it's good that unknown vulnerabilities that are being exploited become public knowledge. But Adobe probably wasn't happy. Neither was New York Times, as they learned that Hacking Team was using a trojanized iOS app that claimed to be from New York Times to hack iPhones. 3) Is it possible to be protected from malware provided by companies like Hacking Team? Yes. We've added detection for dozens of Hacking Team trojans over the years. Hacking Team had a service where they would update their product to try to avoid signature-based antivirus detections of their programs. However, they would have much harder time in avoiding generic exploit detections. This is demonstrated by their own internal Wiki (which is now public). Let me attach a screenshot from their Wiki showing how we were able to block their exploits with generic behavioural detection: Cheers, Sandra [Image by William Grootonk | Flickr]

July 13, 2015
adobe flash, uninstall, auto-update, click-to-play

3 ways to make Adobe Flash less annoying and/or risky

Time to update Adobe Flash if you use it. So if you do, do it now. Of course, it always feels like time to update Flash. As an internet user, it's become all of our collective part-time job. It's a reminded that while the software is free, your time isn't. This particular update was necessitated by an event you may have heard about. "The flaw was disclosed publicly over the weekend after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups," Brian Krebs explained. The Hacking Team hack raised interesting questions about government surveillance and helped rattle nerves this week as computer systems kept planes out of the air and shut down the New York Stock Exchange -- freak incidents that are completely unrelated, according to disclosures thus far. But it doesn't take events like this remind us Flash exploits are so common that they're part of the business model of criminal operations like the Angler exploit kit. The key to security is always running the latest version of everything. So how do you get yourself out of the business of constantly mitigating Adobe Flash risks? Here are three ways. 1. Quit it. This is Brian Krebs' solution. He's lived without it for more than a month as an experiment. "It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently)," Krebs said. And did he notice life without it? "...not so much." So instead of updating, you can just get rid of it. 2. Auto-update. If you're going to keep it, this is the minimum precaution our Security Advisor Sean Sullivan recommends. This will make sure you're getting all the updates and will prevent you, hopefully, from being tricked into downloading malware posing as an update. So turn those "background upgrades" on. 3. Click-to-play. If you're doing number 2, you probably want to do this too. Click-to-play means Flash elements run when you tell them to. Here's how to do it in all your browsers. Not only does this expose you to fewer risks, it makes the internet less annoying and can make your browser quicker. So why not? So what did you choose? Let us know in the comments. Cheers, Jason  

July 10, 2015
BY