sign in sign up
<<
Home , Digital privacy

PIXABAY - GERALT Protect the contents of your traffic by using a VPN provider. NOTE: This is only for local protection. When the VPN provider exits to the to visit, for example, , their data could be compromised between the VPN provider and the destination website. GOV’T / FIREWALLS

UNSECURE CONNECTION YOUR UNSECURE CONNECTION ISP YOU INTERNET

SECURE CONNECTION VPN SECURE CONNECTION VPN TUNNEL PROVIDER VPN TUNNEL DIGITAL TOOLS We live in a time where nearly the net users through real-time or fibers), exchanging matter or properties analysis of traffic at key while committing an act. What’s interesting is entire human base of knowledge is choke points, de-cloaking this principle also applies in the digital world freely available online—often times attacks that subvert some and can be used to track and monitor you. of the operational secu- Companies track our online behavior for from a device we carry with us in rity techniques we use and advertising purposes and researchers are our back pocket. solid of an publishing ways to get around basic anony- ever-increasing data set of mization techniques that tech savvy Internet BY: DR. BRANDEN R. WILLIAMS internet usage. users deploy. Essentially, the keys to real pri- Is there anything that vacy in the digital world rely on the security ny time we access this great source can be done to privately access the Internet? of the message exchanged, hiding the true of knowledge, order a pizza or shop As it turns out, there are some tools freely origin and/or destination of the message and Aonline, we leave digital fingerprints available that can improve your privacy. ensuring you can hide or mask the protected and breadcrumbs all over the Internet. Of message well enough so patterns cannot be course, the destination site will contain some A STATE OF discovered and it disappears into the back- of these breadcrumbs that identify your ses- CONSTANT MONITORING ground noise. sion, but you also leave fingerprints on every Dr. Edmond Locard, often referred to as the The Internet was designed to be open and single router, switch or firewall that services Sherlock Holmes of France and credited with resilient. The goal being that a military strike your session. developing major advancements in forensic at one node wouldn’t tear the entire network Some of the details of our online activity science, formulated a basic premise that un- down. When you look at the traditional three can be masked through technolo- derpins our ability to investigate crime: every major pillars of (confi- gies, tradecraft (burner phones, tablets and contact leaves a trace. The Locard Exchange dentiality, integrity and availability), the de- laptops) and operational security. Yet, re- Principle says that a criminal will both bring signers of the Internet largely ignored the searchers constantly impress us with better something to a crime scene (such as DNA) first, at a high level ignored the second, and capabilities of tracking down individual inter- and take something with them (such as dirt embraced the third.

MARCH 2018 TACTICS & PREPAREDNESS www.tacticsandpreparedness.com 7 DIGITAL PRIVACY TOOLS

Because of the distributed nature of the network, every bit of data that comes from your phone or computer travels over multi- ple devices that connect you to the destina- tion. If you want to see this in action, open up a command prompt on your computer and type this command without the quotes, “tracert 8.8.8.8”. If you are on a Mac, open your terminal and type “traceroute 8.8.8.8”. What will come back is a list of all the rout- ers that your packets touched on the way to this public name server. Any of those routers can see the data inside your packets, which is why encryption is so important to protect the confidentiality of data. But encryption is not enough. Because cer- tain kinds of traffic look exactly the same ev- ery time, such as logging in and out of your account, researchers have figured out ways to infer the contents of certain kinds of traffic even if they cannot directly observe it. Things like the destination address and how much data is transmitted can clue someone in to what the contents of those packets might be. SITES LIKE SECUREDROP ARE USED TO SAFELY SEND FILES, TWO ITEMS TO KEEP SAFE OFTEN USED BY WHISTLEBLOWERS OR PEOPLE IN COUNTRIES In order to become anonymous (or pseudo- WITH STRONG NETWORK MONITORING LIKE CHINA. anonymous) online, you must focus on pro- tecting two things: you must protect the would protect an insecure connection to an many, then France, then Liberia before exiting contents of your traffic as well as identifying unencrypted web application in the same out to the internet. features of the two endpoints. In some cases, network. The IP address shown in the screenshot you can do both at the same time. As an ex- (https://www.dropbox.com/s/hf28hdl- ample, you can subscribe to a service called THE ONION ROUTER do7nrbpu/Screenshot%202018-02-20%20 a (VPN) from provid- In order to provide another option for hid- 14.03.49.png?dl=0) matched what I pulled ers all over the internet. ing traffic and providing anonymous services from my logs. My home IP address did not ap- What this does is create a secure tunnel that are very difficult to trace, a group of re- pear, and the true source of the traffic was between you and the provider, and all of your searchers from the U.S. Naval Research Labo- concealed from my server. You can also try the internet traffic must go through that tunnel ratory created The Onion Router or for Tor Messenger product, which is designed to first, so anyone around you (for example, at short (information at www.torproject.org). leverage Tor to send secure and anonymous an open Wi-Fi Hotspot) won’t be able to see Tor is made up of groups of nodes, and after messages between two individuals. the contents of your traffic, but they can tell connecting to the Tor network, your connec- you are connected to a VPN service provider. tion is routed to several nodes before hitting TOR VULNERABILITIES Depending on what data you are passing, ob- an exit node out to the internet. Thankfully, Anyone can run a Tor node, which should servers may be able to determine things you our friends at Tor recently made accessing Tor make you start to ask questions. Could a gov- are doing such as checking email, searching and onion sites much easier by releasing the ernment run one? Yes, and many vocal Inter- on Google or browsing product pages on Tor Browser. It’s effectively a custom imple- net privacy supporters suspect that several Amazon.com. mentation of the popular Firefox browser, but agencies already do this to target opponents VPN technology is in use everywhere, al- that also means that security bugs in Firefox that leverage the Internet to run. In fact, a lowing companies to leverage the cheaper can sometimes be found in the TOR browser. popular use case of Tor is providing dark- public Internet to connect workers and If you want to try Tor out, the easiest way web marketplaces and information bureaus locations as opposed to expensive direct is to download the Tor Browser from the URL that can only be accessed via Tor. There are high-speed lines. It provides a baseline set above. Once you install and open the pro- both legitimate (privacy and security) and of security, irrespective of the security capa- gram, you can go to any website and see how illegitimate (selling or trading illicit items) bilities of the clients and servers used inside you are being routed. For example, I loaded reasons to do this. the tunnel. As an example, a VPN tunnel that up my website after opening the Tor Browser Trusting Onion sites can be a challenge. leverages Security (IPSec) and my connection was routed through Ger- For example, it is completely reasonable that

8 www.tacticsandpreparedness.com TACTICS & PREPAREDNESS MARCH 2018 DIGITAL PRIVACY TOOLS the FBI could conduct a sting operation via technologies such as Tor can be used to get to exchange files securely in countries with an Onion site to catch criminals selling or around this monitoring. There are, of course, strong network monitoring such as China. trading illicit goods and services. If you en- completely legitimate reasons to securely ex- Ad blockers are a useful extension to add vision SilkRoad reborn, the site could offer change information between parties—a digi- into your browser to stop advertising track- simple things like selling narcotics to more tal dead drop. Here is a list of additional tools ing of online behavior. If you use and deploy complex things like purchasing the services that you might find useful: one, you will stop receiving ads for products of a hitman. TAILS (https://tails.boum.org) is an operat- you search for inserted into your typical on- The U.S. government also interfaces with ing system that aims to preserve privacy and line browsing. Check your browser’s plugin Tor to track down criminals who run these . You follow the instructions to put store for one that may work well for you. successful hidden Onion sites. The FBI’s it on a USB stick and then boot a computer/ Operation Torpedo in 2011 compromised laptop from that USB stick for a completely ADDITIONAL READING Onion sites so they would push specially anonymous and temporary computing expe- For more information how three math vi- modified code down to users, revealing their rience. This would be useful if you are using sionaries solved an incredibly complex prob- true IP address. This technique is called de- someone else’s computer to access sensitive lem to provide the framework for confiden- cloaking, and it resulted in a number of raids documents, and do not want to leave any tiality on the internet, check out this simpli- and arrests of Tor users. traces on their computer. fied Wikipedia article on the RSA Algorithm: Tor has gotten much more secure over the Signal Messenger (https://signal.org) is a http://brando.ws/RSAAlg years as evidenced by the surprisingly large secure messaging platform that allows for For a fantastic write up on how TOR can number of vulnerabilities discovered and messages to disappear over time. This is use- be less anonymous, read this Vice article: fixed in the platform. It’s great for creating ful if you want to send short “text” messages http://brando.ws/vicetor casual anonymity, but it may not protect you with confidential instructions or messages Looking for a VPN service? Check out this fully against a sophisticated adversary. As al- (such as financial data) that do not stay resi- list of providers by PCMag: http://brando. ways, understanding the technology you are dent on devices. Keep in mind, however, that ws/2017-vpn 3 using and having some kind of confirmation once the message reaches the other side, that on the authenticity of the content you are ac- person may put your identifying information BIO cessing via Tor is critical to your safety. in screen shots. Branden R. Williams, DBA, CISSP, CISM SecureDrop (https://securedrop.org) is a (www.brandenwilliams.com) is a seasoned PRACTICAL TOOLS secure way to exchange files between parties. security executive, ISSA Distinguished Fellow, FOR PRIVACY It is most commonly used by sources who and technology executive sought by global revealed both a number want to blow the whistle on governments or companies to consult on their digital busi- of tools and techniques used by the NSA to corporations by anonymously sending docu- ness initiatives. His latest book on PCI DSS collect intelligence as well as showed how ments to journalists. It could also be used v3.2 Compliance is available on Amazon.

GEARREVIEW

X-22 HUNTER STOCK

The X-22 takedown chassis is specifically designed for the Ruger 10/22 Takedown series of rifles. It is reinforced polymer, with adjustable length of pull and comb height to fit a wide variety of shooters and fit in a backpack. It features multiple sling mounting options, a non-slip rub- ber butt-pad, and M-LOK slots for accessory attachment with no gunsmithing required. www.magpul.com

MARCH 2018 TACTICS & PREPAREDNESS www.tacticsandpreparedness.com 9