So far in this series of posts, we’ve discussed the nature of Passive Information Leakage (PIL), examples of how behavior exposes information, examples of how PIL could be used against us, and finally how to capture PIL against a competitor. Now, we end by talking about best practices for preventing PIL.
All attempts to gather PIL start with identification and tracking, so preventing both is key to blocking an attack. The attack is most powerful if you can be uniquely identified, but it can also be effective if you are simply connected to your business or organizational unit. It can even work if you are simply recognized each time you visit, even if your visits can’t be connected with your real-world identity.
The starting place for preventing identification is masking your IP address. The IP address is a globally unique identifier specific to your computer or your local network (if you are behind a NAT). There is no way to spoof your IP address locally. Like the return address on a letter, if you make up a bogus address, the response to your letter will never arrive. You need to have a real address, not associated with you or your organization, which can forward connections to and from your computer.
The masked IP addresses you use should change frequently, so that opponents cannot observe patterns of activity from a fixed IP address or somehow capture your identity and associate it with that address. It’s even better if you can share the masked IP addresses with others who are in no way connected to you or your activities. This is why widely used privacy services are the most effective way of acquiring masked addresses.
The next practice is to eliminate tracking information that is visible from your browser. Cookies are the best known of these trackers, but there are many others that are much harder to remove. Techniques collectively called “super cookies” use Flash, history, and other components of the browser to save identifying information in a way that is much more difficult to remove.
Anonymity-optimized virtualization is the best tool for eliminating these trackers. Many virtual desktop infrastructures (VDIs) are designed to persist user information and therefore do not properly remove super cookies. Anonymity-optimized virtualization destroys all potentially identifying information in the virtual machine between each use, generally rolling back to a known clean state to eliminate any malware (which can also be used for tracking and identification) at the same time.
When dealing with clever opponents, it is also important to isolate the virtual machine from the local network. In most companies, many of the devices and services on the network will be identifiable as being associated with the business. For example, my printer might be called “Ntrepid printer 10th floor North.”
Finally, the visible browser fingerprint needs to be as common as possible, and not associated with any of your overt browsing activities. Browser fingerprinting technologies are now good enough that each visitor to even fairly large websites is uniquely identifiable on the basis of fingerprint alone. The setup and configuration of the virtual machine needs to be handled with care to avoid introducing unique elements to the fingerprint, and it’s even better if you share your detected fingerprint with numerous other unaffiliated persons.
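To make "as common as possible" measurable, the Python below is an added example (not Ntrepid's code) that computes how many visitors share each fingerprint and which attribute makes a configuration stand out. The attribute names, the visitor rows and the function names are assumptions constructed for the illustration.

```python
import hashlib
import math
from collections import Counter

ATTRS = ("ua", "tz", "screen", "fonts", "lang")

# Constructed sample of what a site could observe per visitor (not real data).
# vm-* rows share one clean virtual machine image; vm-5 had a corporate font added.
_ROWS = [
    ("vm-1", "Firefox 115 / Windows 10", "UTC", "1920x1080", "stock", "en-US"),
    ("vm-2", "Firefox 115 / Windows 10", "UTC", "1920x1080", "stock", "en-US"),
    ("vm-3", "Firefox 115 / Windows 10", "UTC", "1920x1080", "stock", "en-US"),
    ("vm-4", "Firefox 115 / Windows 10", "UTC", "1920x1080", "stock", "en-US"),
    ("vm-5", "Firefox 115 / Windows 10", "UTC", "1920x1080", "stock+CorpSans", "en-US"),
    ("desk-1", "Chrome 120 / macOS", "America/New_York", "2560x1440", "stock+Adobe", "en-US"),
    ("desk-2", "Firefox 115 / Windows 10", "America/Chicago", "1920x1080", "stock", "en-US"),
    ("desk-3", "Edge 120 / Windows 11", "America/New_York", "1366x768", "stock+Office", "en-GB"),
]
VISITS = [dict(zip(("who",) + ATTRS, row)) for row in _ROWS]


def fingerprint(visit):
    """Collapse the observable attributes into one identifier."""
    raw = "|".join(visit[a] for a in ATTRS)
    return hashlib.sha256(raw.encode()).hexdigest()[:12]


def anonymity_sets(visits):
    """Map each visitor to the number of visitors sharing its fingerprint."""
    counts = Counter(fingerprint(v) for v in visits)
    return {v["who"]: counts[fingerprint(v)] for v in visits}


def surprisal_bits(who, visits):
    """Identifying information in bits: -log2(share of visitors with this fingerprint)."""
    return -math.log2(anonymity_sets(visits)[who] / len(visits))


def distinguishing_attrs(who, visits):
    """Attributes whose value no other visitor shares: normalise these first."""
    me = next(v for v in visits if v["who"] == who)
    return [a for a in ATTRS if sum(v[a] == me[a] for v in visits) == 1]


if __name__ == "__main__":
    for who, k in anonymity_sets(VISITS).items():
        print(f"{who:7} shared by {k}  {surprisal_bits(who, VISITS):.1f} bits  "
              f"unique on: {distinguishing_attrs(who, VISITS)}")
```

In this constructed sample, the single extra font on vm-5 shrinks its anonymity set from four visitors to one.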
While a skilled and dedicated individual could set this up, it makes as much sense as creating your own anti-virus signatures or building your own firewalls. Ntrepid has over 20 years of experience creating tools to protect against exactly this kind of threat from extremely motivated and sophisticated opponents. Our Passages and Nfusion solutions provide complete protection against Passive Information Leakage as well as against the most advanced malware.