The Internet has become the world’s largest information exchange. Given a phone number, email address, license plate, LinkedIn Profile, Instagram username, or just about any other single piece of identifying information, and odds are an attacker can find the other pieces.
The sad part is, we’ve all knowingly (and in some cases unknowingly) helped contribute to this data depot in one way or another over the years and it’s only in hindsight that we realize we may not have made the best decisions. So now that the data is out there, what can we do about? Well, it depends on your intentions. Do you want to completely disappear, or just minimize that digital footprint? In this blog post, BTB’s Senior Security Consultant Matt Barnett provides some guidance on staging your own disappearing act. First a disclaimer: much of the content in this blog post is related from the amazingly comprehensive work compiled by Michael Bazzell and Justin Carroll in The Complete Privacy and Security Desk Reference (https://www.amazon.com/Complete-Privacy-Security-Desk-Reference/dp/152277890X/). It’s a must-read for anyone taking their disappearing act seriously since this post cannot effectively cover all facets of the topic.
No, I’m not talking about the higher path to self-enlightenment here. Before we can begin to know where to start our scrubbing process, we need to get an idea of what’s out there. Let’s start with some basic reconnaissance. The links provided in this section will help you determine what information is publicly accessible about you.
For those not looking to perform a complete vanishing act (assuming it were even possible), this section will help provide some useful links to improve the security of your online presence. We need to be mindful of what information we share with our digital friends and family as well as what information we make public to anyone that may be curious.
Complete Disappearing Acts
So you’ve decided to go rogue. Completely off the grid. Respectable choice. This section will provide a few helpful to aid in eliminating your digital footprint.
I’ll offer a few pro tips in this section that you should consider during your visits to the Internet. These tips draw from the experience of professional hackers that use these techniques to remain stealthy during client engagements. There are also a few staple tools-of-the-trade that I’ll touch on. The tools will help protect you and preserve your anonymity online.
To Like or Not to Like:
The first tip is to avoid using the “Like” button on your favorite social media site(s). I know this is going to be hard one. Allow me to explain. Even if your profile is private, the user posting the content you “Like” may not be. Searching through posts and images you “Like” may be a way to build a profile about your hobbies, interests, political views/affiliations, etc. Some court cases have even allowed these “Like”s to be introduced into evidence or used to bias jurors in civil cases. Think before you click!
Tag You’re It
Allowing others to tag you in photos has similar risks as the previous tip. Imagine how your boss would feel if he saw you doing that keg-stand with your old college buddies on Friday night when you called out sick earlier that morning.
Speaking of Photos
Have you ever seen this site (http://exif.regex.info/exif.cgi). Upload a photo from that iPhone of yours and see what happens (or Android if you’re on the dark side). Photos contain metadata, or data about the picture, known as EXIF data. This data is embedded by default on cameras and smartphones. It contains date/time information, source, GPS position, and more; this data can be harvested from any site you upload it to. Note: many social media sites (e.g., Facebook) strip this data before the picture is posted (Flickr does not), but that doesn’t guarantee that they aren’t capturing (and storing/selling) the EXIF data in the process. Better check those terms of service again. I’ve posted a link for a tool that will strip this data for you below.
Nothing Lasts Forever, Except on the Internet
My final tip is to always be mindful that what you put online will live there forever. There are companies that make it their work to archive the Internet (https://archive.org/web/). Once the content is up there and cached by an archiving site, it will be available in perpetuity. The more we move to a digital society, the more important controlling our digital footprint becomes. Think job interviews and future in-laws.
Many of these will help you avoid the tracking techniques used by companies and keep your data private/anonymous.
VPN Software: https://www.privateinternetaccess.com/ : VPNs (Virtual Private Networks) create a tunnel from your computer to the VPN provider and encrypt all of your traffic along the way. Your ISP (e.g., Comcast, Verizon) will only “see” you communicating with the VPN company, while the sites you visit will only see the IP address of the VPN company, thus making you disappear like Batman after he says something really cool. There a numerous VPN providers, I personally like PIA for its ease of use, low fees ($30/yr), and lack of log retention. Be sure to read the terms of service on any vendor you are considering. Your smartphone can also use VPN technology.
Photo EXIF Data Removal : http://verexif.com/en : As mentioned above, this tool will strip the metadata in your photos, removing things such as date, time, GPS position, camera source, etc.
Google Alerts : https://google.com/alerts : Google allows you to configure alerts around specific keywords (e.g., your name, place of business) and will send you and email whenever a new search result matches your query. This can help you stay informed about when your private information hits the public Internet. (This service is free but requires a Gmail account).
Start Page : https://startpage.com : Google is an amazingly powerful search engine but it comes with a few strings. Tracking. All Google queries are logged and saved. If you’re searching for something you’d rather not keep record of consider using Start Page. Start Page will make the search request on your behalf—preserving your anonymity while allowing you to use all the features of Google’s powerful searching algorithm.
Signal : https://signal.org : Signal provides end-to-end encryption for your text messages and phone calls. To use this, both parties need to have the app installed on their smart device.
We’ve covered a lot of ground today and despite that fact, this is still a very incomplete list of resources, tools, and knowledge. It should be a great start for beginning privacy aficionados looking to dissipate that digital footprint—or at a minimum, at least stop some of those spam calls. BTB Security is constantly researching new tools, techniques, and services that help protect customer’s privacy, improve security, and reduce inadvertent information disclosures. We’re always here to help so feel free to drop us a line if you have any questions. A big thank you to Michael Bazzell and Justin Carroll for their extensive research in this field and making searchable resources available at https://inteltechniques.com. Be safe out there and think before you click!Read more...