The vast majority of people surfing the internet using conventional computers, tablets, and smart phones tend to believe that they are actually relatively anonymous. After all, how many people have the same first and last name? Beyond that, aren’t firewalls and updated browsers supposed to protect your privacy? There are just a few places where people feel safe browsing online, yet should be very concerned about all the information they are making available to others. This chapter discusses the six fallacies that you may be holding in relation to your own anonymity online. Feel free to use the links provided in the resource section to find out just how vulnerable your system really is.
Mistake #1: Trusting the Browser Not to Report Your IP
As you may be aware, your computer’s IP is your machine’s temporary address while it is connected to the internet. No matter whether there are dozens of computers accessing the internet or just one, each machine is assigned a unique address. Therefore, as soon as someone has this IP information, they can find out who you are, where you live, and a whole host of other interesting information. Even worse, hackers with a minimal amount of skill can use specialized tools to find your computer, prowl around behind the scenes, insert data, or remove files without you ever knowing it.
Your IP Address for example is 3.231.219.178, located in Ashburn, Virginia, 20149, United States. (You can secure this by using a VPN)
Today, most sites that track IPs do so in order to obtain information that will help them research markets and consumer behavior. While not much is written about it, simply making your IP available online can also give the government incredibly detailed information about your interests. This data may be compared with history from known terrorists or other criminals to put you on a watch list without you ever knowing what is going on. No matter how innocent you may be, or uninterested in committing a crime, nosy government agencies eager to stereotype others can and will use this information to keep tabs on you.
Never forget that over 50% of people on death row in the United States alone were found innocent when DNA testing became available even as well over 50% of all reported crimes go unsolved. With just a little bit of research, you will soon find that stereotyping/profiling (essentially using statistical algorithms to predict who committed a crime) often leads to innocent people paying for the crimes committed by other people. IP information is the kind of massive data dump that government agencies love to use because it provides so many details about viewers. This includes how much time the viewer spent looking at a page, how many pages were viewed on the site, download activity, and all sorts of other information that can be used to retrospectively connect you to a crime.
Mistake #2: Erasing Browser History
If you routinely update your browser, then you may already know about the “privacy windows” and other features that are supposed to protect you from online snoopers. For example, the “privacy window” in Firefox and IE version 11 will prevent entries from being placed in your browser history, yet they admit freely that your ISP still has a record of each site that you visited. To add insult to injury, the “privacy window” in Firefox will not protect you from IT specialists or other admins appointed to see what sites you are visiting while at work and using employer equipment.
Consider a situation where you severed a relationship, but still feel curious about what the other person is doing. If you decide to create fictitious accounts, or use some other method to snoop, simply deleting the information from your browser will be of no use. Aside from the fact that your ISP still has a record of all site you visited, Windows also keeps a number of keylogger files hidden all over your system. For example, in Windows 7, if you are unable to install IE 11, you will be directed to look for the IE11_main.log file. This particular file will open as soon as you click on it. Within, you will find a listing of everything you did while trying to install IE 11; plus the computer’s response.
Given the bloated nature of the Windows operating system, there are more than likely hundreds of similar files that reveal every single thing you do online and offline.
As operating systems continue to evolve under the watchful eye (and control) of government agencies, never underestimate just how much information is being stored and transmitted without your knowledge. Cameras embedded in laptop cases can switch on without your knowledge and take your picture, and microphones can switch on and record your conversations. When combined with certain hardware protocols, you may never realize that this information was recorded and then transferred off the system by an open internet connection. Sadly, even if you could search through the thousands of files that make up an operating system, finding, an opening these files may be impossible for you to do. Perhaps it can be said that revealing information about the IE11_main.log file was an accidental oversight by Microsoft. Given the existence of this type of keylogger, never doubt that others may exist on your system, and that they were placed there either by the OS manufacturer or the hardware developer.
Aside from that, it is also very important to realize that most sites log information about visitors. Facebook, Gmail, Yahoo!, Twitter, and MSN all have special features that let you use their login information to access other accounts on different websites. Unfortunately, behind the scenes, sites that you haven’t even logged in to may be keeping a record of your online activity and saving it without your knowledge. In this era of multi-tab browsing, not only is your data being recorded in one location, it can easily be recorded and identified as yours by dozens of sites.
Mistake #3: Browsing in a Public WIFI Area
There are bound to be situations when you do not want anyone to know who you are communicating with, or what kinds of information you are looking for. Under these circumstances, many people go to a library or some other place where they can access a public computer. Even though there is no tracking information on your specific computer, that does not mean you cannot be tracked to that computer and hidden browser histories. As may be expected, the ISP that provides the internet connections will also keep a full record of all sites accessed by visitors.
Even though you may not realize it, surveillance, face recognition, and license plate recognition technologies have advanced well beyond what you expect. In this case, simply walking into a library, restaurant, or other location is more than likely to trigger a camera to take your picture. If you have anything with a barcode or RFID chip on you, rest assured your ID can be retrieved and recorded. From there, it is fairly easy for surveillance cameras to document your path through the facility and the computer terminal you were working from.
Of all the mistakes made by people seeking to browse in complete privacy, using a public WIFI area is one of the worst. Not only are you leaving behind a picture of yourself, you are leaving behind all kinds of information that can be used to build a profile of your activities and habits. In fact, your interest in using these places may just make you the kind of person that government and law enforcement agencies will be even more interested in studying more closely.
There is no question that many people using free WIFI hotspots like the idea of getting fast internet access for free, plus the false sense of security that goes with public browsing. Keep in mind that there is no such thing as getting something for free. Each time you visit a public WIFI or use these systems, you are providing valuable information that should never be given away in the first place.
If you find that you must use one of these locations, make it a point to only look for things that would be of interest at home or while pursuing a mundane hobby. Anything that you want to keep secret is best accessed from your computer at home or some other location that has a truly secure system and no surveillance cameras that record information that can be used against you later on.
Mistake #4: Failure to Use a Safe OS
When you ask people why they switched to MAC or Linux, they will say they did so because of increased safety. Sadly, most of these people have a safer OS, but don’t know how to use it to protect IP addresses and other critical information. For example, if you do not configure Linux security options, your browser will be just as vulnerable as IE,or other browsers under Windows. (See case study)
Today, the most secure operating systems are housed on DVD or USB drives. Typically, you cannot write or store files on the same drive as the OS. Operating systems such as Caine 6.0, Kali, and Tails (all Linux distros) offer the best that modern technology has when it comes to browsing anonymously. These operating systems do not record information about your activities, so you never need to worry about unwanted information being stored on your computer. On the flip side, always be aware that your ISP is still recording everything that you do, as are other sites that you are visiting. In order to get the most privacy out of these operating systems, you need to combine them with a respectable private VPN service or set up connections to the web without using an ISP from your local area.
For the time being, if you are looking for a safe operating system that can be used for routine functions, getting away from Windows should be a top priority. At the very least, you can choose a Linux distro that is not manufactured or developed in the country you live in. Depending on the situation, it may take government or law enforcement agencies a bit more time to get into your computer, or use other methods to track your online activities. As an added bonus, the open access to all programming routines used in Linux makes it much harder to sneak in the “back doors” that Windows appears to be riddled with. If there is a vulnerability, the Linux community will get rid of it faster simply because there are more people looking and able to fix the problems. That being said, as governing bodies gain more control over programmers and business owners, they will eventually gain more control over the main Linux kernel and ensure that key vulnerabilities are in place to allow them to snoop as they please.
Mistake #5: Failure to Set up Encryptions
As you may be aware, encryptions set up a “code” that translates your information into something that cannot be read by others without an appropriate decoder. The “code” used to encrypt and decipher may have just a few characters or “bits” in the key, or they can have thousands. As encryption and hacker technologies continue to evolve, reliance on larger sized keys is becoming less useful as computing power and advanced mathematical models make it easier than ever to predict information and then use those models to arrive at the actual information.
Historically speaking, encryption and decryption were of extreme importance during war time in order to find out enemy troop movements and other vital information. For example, during WWII, the United States worked tirelessly to intercept and then decode Japanese and German transmissions in order to gain vital information. By the same token, keeping our own information was also of prime importance. Rather than try to create a new encryption from scratch, our military relied on the Navajo, and other First Nation people to translate war information into their own language. The “code talkers” were very simple compared to modern cryptography, however they still played a key role in preserving military information and ensuring that communications remained readable only to intended parties.
Chances are, you may not be concerned about the government reading an email to your spouse saying that you will be home late. On the other hand, if you are irked by snoopers in general, then having an encryption system in place is very important. If you are transmitting proprietary information or need to safeguard financial information, then encryption will be very important. While it may take a bit longer for this type of data to transmit, it is truly the only way to protect data while it is in transit from your computer to a remote destination.
At the current time it is widely suspected that government agencies such as the NSA are fully capable of deciphering 1024 bit encryption systems. To make matters worse, SSL and TLS protocols (used in https based URLs) for many websites, browsers, and operating systems rely on a maximum of 512 bits. Recently, it was discovered that virtually all Windows, Mac, and Android users are vulnerable to FREAK attacks that stem from previous legislation banning encryption levels higher than 512 bits. Even though your computer and browser may rely on 1024 or higher bit encryption systems, a FREAK attack can force your computer to use 512 bits or less; which in turn, makes the information very easy to decipher.
While encryption technologies are in increasingly severe disarray regardless of the operating system and browser under consideration, comprehensive encryption when combined with other tools represents the only way to keep your data and communications safe. Since there are two main ways to crack an encryption key, you should make sure that the protocol selected is as impervious as possible to each type.
Brute Force Decryption: When selecting encryption software, bear in mind that the size of the encryption key is no longer the sole factor in determining how hard or easy it will be to crack the code. Since modern computers have access to faster processors and memory resources, they can easily launch “brute force” attacks that outstrip shorter encryption keys. Doubling, or even tripling the size of the keys may inhibit some hackers, but not all of them. In particular, super computers owned by government agencies can launch brute force attacks with a minimal amount of difficulty.
Sorting and Predictive Algorithms: Today there are two main algorithms used to crack encryptions faster than using brute force methods. Grover’s algorithm essentially searches through the entire key for a single term and then locates each instance that matches. For example, the letter “e” is the most commonly used letter in the English alphabet. Searching for “e” might offer valuable clues about the information stored in the key. Typically Grover’s algorithm is run several times until enough information is put together to figure out the rest of the material. SHA encryptions (makes use of “hashes” to find a path through a table or other data) and Twofish (a free, public domain encryption algorithm) can be cracked by the Grover algorithm.
Shor’s Algorithm can easily crack RSA and other commercial keys used for banking, medical records, and other sensitive information. Essentially, RSA and several other commercial keys make use of prime factors and number trees to encrypt data. Shor’s algorithm makes use of the similar equations to reverse that process without actually having the decoder key available for use.
Internet VS. Local Data Encryption
Since your browser comes with its own encryption utilities, you will basically be stuck with whatever it has. For example, the FREAK attack (which has been around and known about for decades) easily forces IE, Opera, and Safari browsers to go to a lower encryption level. On the other hand, Firefox is impervious to this attack. While Firefox may look like the winner in this instance, you never really know what kinds of hacks have gone undiscovered. When it comes to internet encryption, you are best served by using less well known, or even minimal browsers where you can shut off flash, javascript, java, and other functions that can be exploited by hackers.
Fortunately, protecting data on your hard drives and in various files is not as difficult as protecting online communications. As you search for viable software, look for ones that have at least 2048 bit encryption and offer full security from Grover’s and Shor’s algorithms. If this information is not available on the manufacturer’s website, do not hesitate to send them an email and ask if these features are included in the software. At the very least, even if a hacker is able to get into your computer, or decrypt online information, anything stored on your computer will still remain safe.
External Drives are Not a Replacement for Comprehensive Encryption
People looking for the cheapest and lowest tech way to avoid encrypting data feel they are safe if they store everything on an external drive. For example, if you use one USB drive for launching a “lite” Linux distro, and a second one for storing data, you may believe that the data stored on the USB drive is perfectly safe. Unfortunately, if you didn’t start off by removing the hard drive from your computer, the USB drives may still be accessible to the hard drives. This can happen if the BIOS (responsible for controlling different computer parts) directs the hard drive to scan the USB drives or keep records of everything on them. While external drives can be used to help protect data, user mistakes can also ruin months of careful work and effort. One single instance of plugging a “safe” USB drive into a running computer can compromise it in a matter of seconds. If the data on the USB drive is not encrypted, the compromise will be even worse.
Mistake #6: Thinking you are Anonymous Just Because You Don’t Use Your Real Name
Have you ever created an email, social networking, or some other account using fake name, address, and phone information? If so, you are one of millions of people that think anonymity online is as simple as providing false information. As previously discussed, no matter who you claim to be, your ISP still knows your identity and what you were doing. Once your IP address becomes available to a remote website, the owners of the site can obtain your information without too many problems. Therefore, even though you may be able to fool your peers on the network, anyone that wants to know more about you will eventually find a way back to your ISP and all your information. Needless to say, government and law enforcement agencies can accomplish this much faster, and in “real time”.
Sources:
Encryption Tools the NSA Still Can’t Crack Revealed in New Leaks – As of December 2014, these encryption methods appear safe from government snooping. Never forget that there are hackers through the world that may be well ahead of the NSA and other agencies. They may have already compromised these systems but it has not been revealed yet. Always keep your encryption software updated and make sure you are aware of the latest news in this arena.
Ipinfo Security Portal – site dedicated to helping you see how secure (or insecure) your browser really is. You can also do some wireless, security suite, and browser testing using this site.
Microsoft Windows Vulnerable to FREAK Encryption Flaw Too – news release with information on FREAK and how it came into being.
So, Linus Torvalds: Did US Spooks Demand a Backdoor in Linux ? ‘Yes’ – Currently, many people believe that Linux operating systems are safer than Windows because there are more distros to choose from. Under the hood, all Linux distros basically share the same core routines, or “kernel”. While each distro may make some modifications to the kernel, it is very possible that backdoors in the main Linux kernel will affect all of them. Fortunately, all of the OS program code is available and free to access, which means these problems are more than likely to be discovered by programmers and dedicated distro developers. That being said, the very idea that a government agency (regardless of the nation making these demands) is disturbing.
Tracking the Freak Attack – use this site to find out if your browser can be compromised by a FREAK attack. If you get a positive response, either move to the latest version of Firefox or keep an eye out for updates for your specific browser.
Does this mean that my employer can easily find out if I have been surfing the web while on the clock? I get on Facebook occasionally but I could still probably get in trouble for that…what kind of work and effort would they have to pay for to find out my browsing history? We have an IT guy but he seems pretty new.
If they really want to find out your surfing activity it wouldn’t be that difficult.
I traveled Europe for two months and used ONLY public computers! Fortunately I didn’t communicate anything highly sensitive or confidential via the internet cafes. However, it does creep me out that someone out there has access to all those emails I sent to my family and friends. I also am feeling so violated as I think about all the locations that might now have my picture and personal information! Are there hackers out there who do it just for fun? I like to think they wouldn’t care to hack into my personal information because I’m not a very exciting person, but now I don’t know. Are there studies or statistics following up with crimes committed by hackers who stalk other people this way?
I’ve always been an Android/Windows person. So should I get a mac to protect my privacy? How do I learn to properly configure it? That last comment in the section about macs makes me wonder if I should bother. The thought of someone else knowing what I’m browsing makes me feel so vulnerable! Is there a way to know how often the government checks in on me and my personal information? Can we stalk their stalking?