Creating a Safe & Anonymous Environment for Online Investigators
Earlier this week, while attending the HTCIA International Conference and Training Expo in Las Vegas, I had the pleasure of sharing my 20 years of experience with the technical and human aspects of going undercover online with today’s leading high-tech investigators who are on the cutting edge of fighting cyber crime. The topic, “Going Online Undercover: Tools, Techniques and Best Practices,” drew a standing-room-only crowd. The reason for such high interest in this topic has become painfully clear: so much criminal activity is conducted online, and social media is being widely used for radicalization and recruitment of terrorists. By its very nature, the Internet is the least anonymous environment, and law enforcement is effectively wearing a uniform and driving a marked car every time they log on.
I was blown away by the turnout for the presentation, which clearly shows the importance of the topic. The talk outlined techniques and processes for how online investigators of all kinds can effectively blend in and level the playing field. To successfully investigate, you need to engage actively online while maintaining anonymity or cover. Unfortunately, that can rarely be accomplished through the use of traditional tools such as Tor, proxies, relays, private browsing mode, etc. While these tools have merit, they are insufficient for many investigations and create signatures and additional vulnerabilities that put operations at risk.
Effective online cover, or managed attribution, requires an understanding of the clues everyone leaves behind and the intentional creation of the online signature you want to present. Once you understand how your adversaries can identify and track you, you are better equipped to develop a misattribution strategy appropriate to your unique operational parameters. Borrowing from this approach, our secure web browser, Passages, protects users in a similar fashion from targeted attacks. Passages protects users by masking their IP address using the Passages VPN and by removing all tracking code (along with all malware) when restarting the Passages Virtual Machine. Without the IP address or any other tracking data, the user can’t be identified or targeted. To an attacker, they simply fly under the radar and are ignored.
The Internet doesn’t have to be a big, dark, and scary place. With the right tools and the proper approach, Internet investigators and users alike are able to have a safe and anonymous experience.