What is Misattribution – Part 2: Technical Misattribution

Ntrepid headquarters, managed attribution solutions for government

Share this post

24Apr

What is Misattribution – Part 2: Technical Misattribution

Nfusion

Every time we update our profile pictures, send tweets, post Instagram stories, or comment on our favorite blogs, we’re giving away personal information. This is intentional—we want people to see our vacations or read our thoughts on a recent TV show premiere. But a trove of identifying information is available without so much as a click of the “share” button. In part one of this four-part series, I discussed misattribution in general. Now, I will take a look at technical misattribution specifically.

Listen to the Ntrepid Cast podcast on this topic.

What Is Technical Misattribution?

Technical misattribution is the process of masking the identifying information that computers and networks reveal. There are many different pieces of identifying information that can be learned from one’s computer and network. Accordingly, each piece of information needs to be chosen intentionally to support the identity of an operator’s alias. Perhaps the most obvious identifier is browser cookies: small bits of data that websites place on computers to recognize users each time they return.

A user’s visible IP address also provides significant information about who and where they are. IP addresses are globally unique identifiers for each connection to the internet. An IP address also reveals the user’s ISP and place within the network. In many cases, it is static and assigned to just one user or organization.

Computers and other devices may also provide location information in other ways. Many mobile devices will provide GPS, cell tower, or WiFi-based location information to applications and websites. In addition, city-level location information is available for many IP addresses from commercial IP location lookup services.

Less well-known are the various elements that comprise a system fingerprint. Every computer provides significant information about itself to allow websites and other services to better serve their users. Individually, elements like operating system, browser type, installed fonts, and plugin versions seem unimportant. Collectively, they can often uniquely identify an individual computer.

Finally, if an opponent can install malware on someone else’s computer, they can access even more identifiers—but at that point, identification may be the least pressing concern.

The Importance of Technical Identifiers

All computers provide identifying information. Hiding this information completely, where possible, is very revealing to an observer. It shows a clear intent to hide, and is only appropriate when the goal is to be overtly anonymous. In most cases, it’s better to mask or replace the identifiers with identity-appropriate false information.

When developing an online alias, operators should remember that visible technical information tells a story about who the alias identity is. By choosing what to show, operators can tell any story they want. Aliases can be easily identified as fake unless all of this information is consistent with that story. If even one element is inconsistent, an observer can discover an operator’s attempt to hide and might uncover their true identity.

In the next part of this series, I will cover non-technical misattribution. Then, in part four, I discuss the challenges that come with trying to remain misattributed in the presence of an alert opponent.

Read the introduction to this series:
Part 1

Read the next parts of this series:
Part 3
Part 4

Related Posts

24Feb

Generative AI: A New Frontier for the IoT

Have you happened upon ChatGPT? It’s likely that when you first give it a try, you’ll imagine yourself delivering in... read more

An image representing Google Dorking, a research technique requiring advanced OSINT training.
21Jan

ChatGPT – Take It or Leave It 

Have you happened upon ChatGPT? It’s likely that when you first give it a try, you’ll imagine yourself delivering in... read more

An image of a computer with a skull superimposed on it, representing accessing the dark web with the I2P network.
19Dec

I2P: A Different Dark Web

To reach the realm of the dark web, the internet-savvy must make use of special browsers. While Tor is the... read more

An image of a woman choosing different social media icons, representing accessing Twitter through it's new Tor extension.
23Jun

Twitter Goes Dark: Twitter’s New Tor Extension for Private Tweeting

Twitter is now going dark with their new Tor extension that boasts more private and secure tweeting. The extension promises... read more

An image of a laptop with a skull on the screen, representing an image of the dark web.
25Mar

OSINT Techniques Series: Avoiding the Bugged Website

The risk of human error remains the greatest liability to national security organizations. Our OSINT techniques blog series aims to... read more

Ntrepid headquarters, managed attribution solutions for government
14Jul

Dark Web Access for Investigations

  How Can I Access the Dark Web? The dark web can be accessed through the onion router, or Tor, which is... read more

04Jun

The Challenges of Using Commercial-Off-the-Shelf (COTS) Technology for OSINT Analysis Within the U.S. National Security Community

The OSINT Race  Criminal actors are aware of the vast amount of data available to understand and undermine United States policy, democratic processes,... read more

Ntrepid headquarters, managed attribution solutions for government
20Nov

What Threat Actors See: Managed Attribution Threat Modeling

My previous blog on threat modeling for managed attribution presented a basic framework for analyzing the MA solutions you might... read more