MATT ASHBURN
Understand who's behind the tools that you use though, however, right? They may be providing them for free, but who's actually operating these? How are they funded? Where are they based? And from that, number two is, understand what could happen with the data that they collect on you.
Welcome to NeedleStack, the podcast for professional online research. I'm your host, Matt Ashburn, a former CISO and current open source research wrangler.
JEFF PHILLIPS
And I'm Jeff Phillips, tech industry veteran and curious to a fault. Today, we're going to be talking about tools, tools that will help you gain insight into, as well as mitigate elements of, your digital fingerprint.
So you need to know yourself to disguise thyself. We're going to look at example tools in a few different categories today, so things that are available on websites. We're going to look at browsers. We're going to look at browser extensions and we're even going to discuss a little bit about professional research platforms. Now, Matt, we need to provide the requisite disclaimer upfront that we're not endorsing any of the resources we're discussing today.
Everyone, you need to use any of these tools that we're going to talk about at your own discretion. You need to remember that no tool is perfect, especially free tools, when we get into things around browser extensions, and you need to read up on their pros and cons, what kind of data they're going to collect about you.
As our panelist, Amir Mohammadi, last week talked about, there are a lot of different ways you can be fingerprinted while you're conducting online research.
And as you're going to hear Matt and I talk about these different tools, they do different things when it comes to obfuscating your activities, right? So you might have to combine tools to get the full effect that you want.
MATT ASHBURN
That's right. As you said, "Use these things with caution," right, as you would with any tool. The tool is only as good as the operator of the tool, so make sure you employ good solid research tradecraft, and understand what the tool does, understand who is creating the tool and why perhaps they're offering it. If it's free, perhaps be a bit skeptical, and understand why it's free and the conditions under which you may be operating.
JEFF PHILLIPS
Awesome. Let's jump in. Maybe talk about some websites.
MATT ASHBURN
Yeah. So first off, we have some websites that are very useful. We've talked a lot about the digital fingerprint, including a browser fingerprint being a big component of that. And the browser, as we've discussed, can give away a lot of tells. As you're going online to do research, you can actually give away a lot about yourself, and in fact, the attributes of your browser and your device can combine into a very unique fingerprint that can allow you to be tracked. And this is helpful for advertising, but as researchers go, we don't want these things to be unique.
So, first website I want to mention is actually AmIUnique.org. I refer to this a great deal. It has a great explainer in the About section there on browser fingerprinting, and a great deal about different techniques and modern ways in which websites can track you and fingerprint you to make sure that you're unique and identifiable.
The website's actually created by a group of French academic researchers. They have PhDs there on staff dedicated to researching browser fingerprinting, tracking, privacy concerns, and they also have a browser extension to view changes in your fingerprint over time. So, if you like the website, you may want to check out their browser extension, but AmIUnique.org is a great resource, and I urge you to go there. And the results will probably surprise you the first time, because just about every time I've gone there with an off-the-shelf laptop or something like that, you have a unique signature.
You wouldn't think that you would, but every device is very unique based on its characteristics. The second website I want to cover is actually called Cover Your Tracks, and that was actually born out of an Electronic Frontier Foundation project back in around 2010 or so called Panopticlick. And essentially it was a research project that they did to start exploring how unique people are, and their fingerprinting is a viable means to identify people online as unique persons.
And not only do they cover fingerprinting, but they also test to see how effective your ad blockers are. A lot of people employ ad blocking and other privacy tools that Jeff's going to touch on a couple of those here in just a second.
So, it basically tests those. It runs through a series of tests and attempts to employ different tracking mechanisms to simulate real world effects and gives you a result and sort of grades your browser and your configuration to help you understand better how vulnerable you could be to these privacy issues.
JEFF PHILLIPS
Good stuff. I mean, so right now we're talking about understanding if you're unique or not. Now we're going to get into some of these different tools, which to me, I would go to AmIUnique in a before-and-after scenario, right, as we go through some of these. What did I look like before? What do I look like now? But sticking to the website category, Matt, I think one of the first things we can talk about are privacy-focused search engines, right? So, you can't talk about that without the most well-known, which is DuckDuckGo, right? And so DuckDuckGo is all about the proposition that they don't track, they don't collect or share any of your personal or search information as compared to more traditional browsers... or, I'm sorry, more traditional search engines that have evolved over time.
Used to be you just... they advertised to you based on key words. If you plugged in a search for cars, then you'd get a car ad. That's evolved over time where they're now tracking you beyond what you search, including your history, but where else you go, because that becomes very valuable on the advertising front.
And that's how they end up with these hypertargeted ads that are based on all of your browsing, all of your search history. But using DuckDuckGo, none of that's tracked. They're still making their money by presenting you ads just on a key on a keyword basis. So, what that means for your online research is whatever you search for is not going to be associated with your IP address, right?
So those two things are not going to be linked. It's also not collecting all of your search history. Every time you open up or go to DuckDuckGo, it's a brand new, fresh engine from the start. So some things you still have to consider, though, we're talking about when you search inside of the search engine, that that's all private.
Now, individual websites, once you launch from there, or social media platforms that you may go to, they can still track you and collect your data, right? So this is keeping your search history and your search stuff private. It's a search engine, so it's not protecting you from viruses or malware or other online threats. You'd need some other tools to get involved there. Now, I am talking about very specifically the DuckDuckGo search engine. DuckDuckGo also has a package, what's called Privacy Essentials, that takes not only the search engine, but adds to that tracker blocking and forced encryption from an https perspective that would start to help with some of those other things when you launch from the DuckDuckGo website.
But from a search engine perspective, very well known and will keep your search very private.
MATT ASHBURN
Yeah. Thanks, Jeff. And there are also web browsers that we want to talk about as well. So we've covered some websites that are useful. We've covered some other tools that we can better inform ourselves about our digital fingerprint. And now let's move into actual tools that we can use to protect ourselves. Right? If we look at web browsers, most people use Edge or Chrome or Firefox, something like that. But unfortunately, by default, they don't have tools built in to protect your privacy, and as researchers, this is where some concern comes in. The first I want to talk about is actually called Brave, B-R-A-V-E, the Brave web browser.
It's a free and open source web browser.
It's based on Chromium, so the same browser stack that Google Chrome is built on. And by default, it automatically blocks online advertisements and also web trackers that are out there to help ensure your privacy. And over the years, they've also added on additional features. So they have, for example, a Brave search engine, a VPN service, they have an ad blocker, and they also have video conferencing as well, all built into the browser with privacy controls in there to protect you and your data. The interesting thing there is over the years, they've really grown and they actually boast, I think, over 50 million active users now.
So incredible success there in getting people to adopt a privacy-focused browser.
Now, the other browser I want to talk about is actually called Tor. There's a concept that started in the 1990s. It matured in the early 2000s, and it was actually funded by the Electronic Frontier Foundation, same folks that brought us the Cover Your Track website. It isolates every single website you visit, so you prevent tracking from site to site, so the advertising and tracking concerns there are nullified. Also, any cookies or history that you have that you gathered during the session, all of those are wiped away at the end of the session. So from that perspective, the session is very disposable.
And also, it prevents somebody who's watching the network from knowing what websites you visit. And this is really important, right, as we look at vulnerabilities there in our network connection, and who may be between us and the target website that we're visiting, that's a concern. And the way that this works is, traffic is routed around the world through different relays, so that way it's impossible to know from which each request originated. So you can go visit websites on the open web, or even on the dark web, with Tor and be relatively assured that no one can track back to the specific IP address that you're using to help cloak you a bit there.
Now, some downsides to this. The Tor website has the list of relays there, and so it's pretty easy to identify that you're using Tor from that perspective. May not be uniquely identifiable on Tor necessarily as easily, but someone can relatively easily determine that you're using Tor and that itself can present some challenges. So for example, some websites may block those IP addresses because they may have a lower reputation, as an example, so just some headaches that you may run into there. It does have some features in there to help reduce fingerprinting and it attempts to make all users appear the same to websites you visit, so it does have some benefits there from a fingerprint perspective too.
JEFF PHILLIPS
Excellent. Now, you're going to start to see, as I go into browser extensions, we're going to start to see a lot of the overlap, right? Matt was talking about browsers, but you're going to start to see that they had some overlapping features here. When I talk about browser extensions, what we mean by an extension, by the way, is an extension is an application you add to your browser that allows you to customize it or augment the browser's operation to be able to control how websites behave, add features and functionality that you want to your browser.
And there's a whole mess of extensions that are focused on privacy and ad blocking. Again, Matt just mentioned some browsers that have that built in, but if we're talking about in particular with... there's extension marketplaces for Chrome and for Mozilla and for Edge, we're most interested here in those extensions that can further manipulate or hide your digital fingerprint. But again, we're going to see a lot of overlapping functionality.
The first category, I'm going to talk about two, Ghostery and uBlock Origin. Their primary purpose is to block ads and block various trackers that are trying to collect information about you as you browse the internet.
Ghostery and uBlock are very popular. You can see the number of users when you're in, for example, the Chrome extension marketplace, all the ratings. And again, what they're trying to do is in the name of not having hyper-targeted ads and information collected from you.
It starts to help to give you some level of privacy for what we're talking about, which is all your online research needs, right, and trying to be private from that perspective.
For example, Ghostery includes an enhanced anti-tracking feature. So when it's a tracker that they don't know, and they won't straight block, they'll look to strip out any of your personal or identifiable information from your browser and stop that from being presented to that given website.
Now Ghostery, for that specific tool, it's not going to completely hide your browsing patterns. You have some other things to think about, as we talked about earlier, such as who owns, or where's the developer located?
In the case of Ghostery, this is owned by a German company, which is fine and good. It's where that developer resides. But in the back of your mind, certain countries may be required to provide your information if it's requested by government or law enforcement.
So, to what level is your information safe? But all about anti-tracking and ad blocking. And I mentioned uBlock Origin.
Similar, it's been around for years and years. Very popular extension for Chrome and Mozilla. It's constantly sending out new updates, so it's a well-maintained extension. And again, it's all about blocking ads and anything that's looking to track you from that perspective. There's also some malware protection built in to the uBlock Origin extension. This is all coming from lists.
The way uBlock Origin works is they're maintaining lists. There's something to be considered. This is a list of volunteers. This is a free app, so it's a list of volunteers that are very interested in privacy. And so, for example, they keep a list of well-known malware sources to block. And again, you're adding these to your existing Chrome, Mozilla, Edge browser, as compared to maybe getting a... very focused privacy browsers that Matt was talking about. The other category of extensions I wanted to talk about, because we've been really focused on the digital fingerprint, are those that go kind of one step further.
You might find them under anti-fingerprint or fingerprint spoofing extensions, right, whether it's to block your fingerprint, spoof it, or randomize it. And some of these are free. Some have fees that provide some upgraded capabilities, but they all have a free version. Two of them are Scriptsafe and CyDeck Security anti-fingerprint, or anti-FP. Now, first one, Scriptsafe, similar to the... prior two, we talked about it, one of its primary things is to block scripts that are going to be used to collect your information. But it also has functionality within it that allows you to spoof your time zone. And by spoof, we mean present a different time zone than you're actually in, as well as spoof your User-Agent and your referrer, things that'll help hide your identity.
Now, in this one, in particular, all that reads really well. Some things to think about, it doesn't look like this one's being actively supported, right? The last time the developer did any updates has been around 2018, but there's tons of people that are still using it as an extension, but you might want to take a look at that. CyDeck is kind of interesting in that it goes even further.
It's got a lot of features and functions related to your fingerprint. Allows you to have multiple fingerprints and assign them to different browsers. It gives you the ability to block or spoof or randomize your fingerprint, and claims to have over a hundred settings. So, something to think about here is it maybe it gets a little too complex for your typical user. And you know, the thing we're trying to do is just not block. As we've talked about best practices on a tradecraft front, you're trying to blend in, you're trying to look like a certain device. Maybe you need to look like an Android phone, right? We're not just looking to change everything to look fake, but I need to blend in and look like a particular device in a particular region.
So, some overall words of caution on these extensions is that you'll want to see what they track from the perspective of when you install that extension into your browser. Exactly what are they able to do related to your fingerprint? There's a number of them where they're helping with a level of anonymity, or to break some of these trackers, but maybe they're only modifying two things within your fingerprint so that you're not generating this unique identification.
Others do things like they'll automatically replace your User-Agent string after a period of time, and with a randomly selected one.
So they have a library of a hundred different fingerprints, and every hour, for example, it'll just change your User-Agent string. Now, we're not going that deep today, but in the middle of an investigation or doing online research, you wouldn't want your fingerprint to change on a website that you're digging deeper into, or a forum where you're engaging, right? So, some words of caution about these different types of extensions that either help with privacy or some things that are more about your anonymity for online research.
MATT ASHBURN
Yeah. Thanks, Jeff. And there's a final category that we want to cover today and that's actually research platforms. There are a few of those out there. There are some that are free, some that are minimal cost, and then you have some also that are for really strong investigative or corporate needs where you want to have maybe an enterprise solution for research. It runs the gamut. The first one I want to talk about is actually called Kasm Workspaces.
It's actually a project that's out there, K-A-S-M Workspaces, Kasm. They essentially have virtual cloud-based containers that you can actually open up and run instantaneously. They're disposable sessions, so that's good from our practice, but also, the best part is they employ a customized VNC remote protocol, so that way you can actually view and interact with the sessions that you're launching, and there's no security risk there, right, because the only thing coming from the browser to your workstation is just that video stream.
And so in that case, you can access things like Kali Linux or the Brave browser or Chrome or Edge.
And the best part is they actually update every single night to the latest and greatest version of those, so if you're worried about new features or security risks or that sort of thing, that's all built in and taken care of. They actually have a three-minute free trial on their website. You can go there and just instantly launch a session and just kind of play around with it. See if that's for you. Again, it doesn't necessarily provide anonymity from an IP address standpoint, because you're using their set of IP addresses, but it does provide you some isolation there. So think about it as rubber gloves when you're going out to go collect something, the same sort of idea is true for research.
The second one is actually Authentic8 Silo for Research. And so they're actually the sponsors of NeedleStack, so I wanted to mention them. They are an online research platform. They have many of the world's most trusted organizations, and Fortune 500 companies are using that platform. That provides a professional online research platform, a customized browser based on Chromium, as well as a bunch of workflow enhancements in there to help collect and store and analyze information all wrapped up into that.
And the best part is, not only do you get that isolation, but they also have a network of points of presence all around the world, so you can actually select anywhere you'd like to pop out of in the world and perform your research as if you're in that location.
And as you mentioned earlier, Jeff, it's important not to block tracking necessarily, but you want to just blend in with the crowd. And so that's a great way to do that. There are other competitors in that space as well, Intrepid and TELUS and other companies that are out there. But we want to just at least mention those that may not apply for a lot of people in the audience, but they are out there. So, if you have a threat intel team or something like that, or if you're a private investigator, or if you're working for a corporation doing corporate research or something like that, or OSINT in some other fashion, those more professional platforms may be a good fit for you.
So to wrap up, there are really three things to take away from this. One is, understand that there are free tools. There's some paid tools out there as well. They can all provide some level of benefit. Understand who's behind the tools that you use though, however, right? They may be providing them for free, but who's actually operating these? How are they funded? Where are they based? And from that, number two is, understand what could happen with the data that they collect on you. What insight would they have, even if it's a free tool or a paid tool, what insight would they have to your browsing and your investigation?
And then if they have that insight, what could they then do with that data? If it's sold or something like that, what's the risk to you as an investigator? Just have that in the back of your mind. And then finally, as always, as we talk about on NeedleStack, use good cyber hygiene and best practices and solid research tradecraft.
That's the important thing to take away as well. So now let's move on to some Q&A. Jeff, I think you have some questions there from the audience.
Is that right?
JEFF PHILLIPS
I do. I do. Let me grab one here. Okay, I like this one. "Does installing extensions make your browser fingerprint even more unique?" I talked about extensions. If you install these things, does that make your fingerprint more unique, Matt?
MATT ASHBURN
Short answer is "Yes." Anything that alters your browser, that changes the configuration there, makes it more unique, can in fact make you appear more unique and make your fingerprint even more unique as well. So that's a very short answer to that. There's probably some longer explanation that we could give as well, maybe in a different episode, but the short answer is "Yes," and there are some techniques that you can use as an adversary to try and figure out if someone has a particular extension installed.
JEFF PHILLIPS
That makes sense. And by the way, what that ticked off in my head is just how these different extensions do different things, and the next thing you know, you have four, five to do different things, so a great question.
All right, here's one potentially a little more complex topic for some of our listeners, but the question is, "Are there ways to collect information or do research from social media and dark web sources without having to create a sock puppet?" And real quick for anyone, a sock puppet, that's an alternative online identity or user account that people use for deception purposes.
In our case, we're talking about here using it for good to go out and, assume, to just collect research.
But are there ways to collect without having to create these false identities?
MATT ASHBURN
Yeah, I guess the good intent there is in the eyes of the holder, I suppose.
JEFF PHILLIPS
That is true.
MATT ASHBURN
Depends on what side you're on, I suppose. But yeah, that's a great question. You know, we talk a lot about going out there and getting information yourself, but many times it's useful to have a database of information that you can go and perform a query against and then go out and pursue information once you have a bit more insight. So, the short answer is "Yes." There are actually a number of companies in this space that do specialize in collecting information on the open web or the surface web or the dark web and cataloging it, storing it, looking through for keywords and hashing things and everything else that they do.
They're pretty impressive, actually. A couple of the ones that come off the top of my head, I would say Fivecast is one, particularly for social media investigations.
You also have Bluestone Analytics. And also, I would say Flashpoint as well. These are essentially private companies that have made a business and a really good service out of cataloging information that's out there on the web and archiving it in some way. So, you can then go search through their treasure trove of information without actually having to go and manually find all this stuff on different individual websites.
And then of course, from there, once you look at the data holdings that they have, you can then click a link or copy a URL or something and go view the information yourself, if you'd like.
All right. I think those are all the questions that we have today. Thanks to everyone who attended our live show today, and thanks to everyone who submitted questions as well.
And if you liked what you heard today, you can always subscribe to our show wherever you get your podcasts. You can also watch episodes of NeedleStack on our YouTube channel and view transcripts and other information on our website at Authentic8, that's Authentic with the number eight, .com/needlestack. Authentic8.com/needlestack. We'll be back next week for our Listeners Live show dedicated entirely to your questions, so sign up on our website to attend that live show, submit your questions, and we look forward to seeing you then.