It’s a new year and as researchers work to hit their goals, we want to revisit some of our most important advice for securely investigating online. It’s time to take stock of your security hygiene and revisit how your digital fingerprint may be getting in the way of finding the data you need.
JEFF PHILLIPS
Is important because a lot of users think using something as simple as a VPN or going into an incognito mode or private browsing mode within their browsers is enough to protect them. But these types of methods are not foolproof.
[music plays]
MATT ASHBURN
Welcome to Needlestack, the podcast for professional online research. I'm your host, Matt Ashburn, a former CISO turned online researcher.
JEFF PHILLIPS
And I'm Jeff Phillips, tech industry veteran and still curious to a fault. Today, we're back to remind you of the importance of the digital fingerprint and what you as a practitioner really should make sure you're aware of as you kick off 2023.
MATT ASHBURN
That's right, Jeff. Last year we covered the importance of understanding your digital fingerprint. And just to remind listeners that may not have tuned in last time, or for those that may be tuned in but maybe don't recall, your digital fingerprint is actually made up of identifying attributes that are very unique to you. And over time you add these attributes up, they become even more unique to you. So things like the device that you're on, the device type, the language, the operating system, and so on. Also things like your physical location, or maybe the location where you appear to be based on your IP address. Also the user behavior, how you perform research, are there certain patterns to the way in which you type things? Are there certain websites that you visit in a particular order? Those are unique attributes that are attributable back to you as a person. And again, as you add these things up, these attributes together become especially unique. If you're interested in seeing how unique your fingerprint is or how your fingerprint appears to the outside world, there's a great website that I always refer people to for this. It's actually run by a team of academics and the website is AmIunique.org. They've done extensive research on browser fingerprinting and other types of fingerprinting that are available.
MATT ASHBURN
So definitely go and check that out. It's worth a look. AmIunique.org, right.
JEFF PHILLIPS
And again, pointing back to that past episode, reminder, your online digital fingerprint does have value and it can be a positive element to all of us as consumers in terms of being able to have your browsing experience on websites customized and to provide information to websites. The downside starts to come into effect when you look at all this information that's being collected that's going to be sold to different advertisers. But when you get into actually conducting online research or conducting OSINT, it can really impact an investigation. Right. And this information could be used by a criminal and tip them off that you're investigating them. It could allow your adversaries to target you directly or target your organization that might be a target in terms of blocking you from getting access to their site all the way to taking some sort of retribution, cybersecurity-wise, against your organization.
MATT ASHBURN
That's exactly right. And that's the importance of understanding your fingerprint and learning how to manage that attribution as you perform online research. If your fingerprint stands out or if you make a mistake while we're doing research and you start to stand out to the targets of your research, any number of things can happen. They may block you altogether or go into hiding. They may prematurely become aware that they're under investigation or under research or under some kind of scrutiny. They could also target you with disinformation. If they know that you're reviewing their online content, for example, they may want to place false information out there for you to then retrieve and use in your investigation. And of course, cybersecurity ramifications as well: target you with malware, et cetera, track you, and all of those other risks that come with doing online research.
JEFF PHILLIPS
And I think, Matt, understanding how your online activity can be tracked is step one, right, to improving your tradecraft. We're going to get into tools and ways you might look to improve your tradecraft from a technology perspective. But just having that basic understanding of how sites work, how information is collected, different things that can be shared from your machine is important because a lot of users think using something as simple as a VPN or going into an incognito mode or private browsing mode within their browsers is enough to protect them. But these types of methods are not foolproof and they're not going to give you the level of anonymity and control that you're really going to be looking for if you're conducting sensitive online research.
MATT ASHBURN
That's exactly right. And it's important for researchers to know. Whether you're an amateur researcher, somebody working for the government, or a law enforcement agency, it's good to know that private browsing and VPNs don't necessarily stop you from compromising your research. Right. Private browsing doesn't prevent data from being passed. It doesn't prevent fingerprinting. It's just essentially a disposable session, but to a limit. Right. There are some limitations with that that aren't foolproof. And then from a VPN perspective, lots of cheap ones out there, they sound like a good value, but as they say, you get what you pay for. And that anonymity or that veil of anonymity can be compromised by the user behavior or by cybersecurity risks there, right. So think malware and things like that.
JEFF PHILLIPS
Another one we often forget about is public WiFi, which has become so ubiquitous, and it's actually often used by people that want to conduct research as a way to be anonymous. Right. So let's get off our own organization's network, get off my home network and go to a coffee shop or wherever you can get access to public WiFi and consider that a tool that will help me to not be identified. But that's going to come with a lot of security risks itself, right. Whether, again, you mentioned malware, or can someone be sniffing on the line. And some of these attempts to obfuscate will also look really suspicious to webmasters.
MATT ASHBURN
That's right. And another thing to consider is working remotely, especially these days with almost everyone working remotely, at least in some fashion. It's especially important that if you're doing online research from a personal device or from your own personal internet connection from your house, that you maintain some kind of management of your attribution. And so things like making sure you're using an isolated browsing environment, some kind of cloud-based browser, for example, along with an egress that is some kind of internet point of presence that is typical for the targets that you're investigating. So if you're investigating, I don't know, a target, let's say in Europe, then you probably want to come out of a European region point of presence as an example. And then also some way to customize the browser fingerprint so you can kind of blend in with the locals a bit better.
JEFF PHILLIPS
You can look to pull tools together, try to build that on your own, kind of a do-it-yourself approach, but to let people know, a lot of this can be achieved, and especially if you're not as technical, with a managed-attribution-as-a-service offering. So where can I use my same computer that I use every day? But I'm going through a cloud-based service that will keep everything isolated away from my machine, that will allow me to have easy point-and-click access to customize, quote, my appearance, right? Whether that's again my physical location and where it looks like I reside, or getting access to various tools that will allow me to be more efficient. So there's building it myself, there's also services out there. And if you're not as technical, you might want to look into a managed attribution service because again, the last thing we want to do, your main job is investigating or researching online. And the last thing you want to do is tip off a target or be blocked from wherever you need to go.
MATT ASHBURN
That's right. And above all else, you don't want to put yourself at risk or your family at risk by conducting research in a way that could compromise your identity. So we've talked about a number of things here, very high-level wave tops on managed attribution and the fingerprints and why it's important to online research to be able to manage that. And I think we just want to wrap up here the first episode of this season at least with what I would call the three whats. In this case, the first what would be: what do you need as a researcher? Do you desire some kind of isolation from the content that is, some kind of like a pair of rubber gloves. You think of trusting or touching that untrusted content. So you may desire isolation from the content that you're browsing from a cybersecurity perspective. You may also desire anonymity or confidentiality, some way to manage your attribution and appear to be from a location or a browser or device that you're not actually on as you're performing the research. Both of those may be desirable, but it depends on your use case. The second what would be: if you choose a provider for this, some kind of service, whether cloud browsing or managed attribution or some combination of these, what are the security practices of that particular provider?
MATT ASHBURN
Understand their reputation, understand the security practices that they have. Are they SOC 2 compliant, for example, or do they have a good, strong reputation within the research community? Do they have obfuscated procurement, for example? It really does no one any favors if you, for example, use a cheap VPN service, but they're procuring their infrastructure in a way that is attributable to their company. That obviously is not very helpful and in fact, can be very damaging to your research. The third what, in my list of three whats, would be: what level of service are you truly getting? And that goes back again to what are the processes, what are the procedures? What is the reputation? Just keep in mind that you get what you pay for. Cheapest is not always the best. I've used many different services throughout my years of doing online research, and I would say that one always seems to hold true. You get what you pay for, so keep those things in mind. Thanks to everyone in the audience today for joining in for our first episode here of this season. If you liked what you heard, you can always subscribe to our show wherever you get your podcasts.
MATT ASHBURN
You can also watch our episodes on YouTube and view transcripts and other episode info on our website at authentic8.com/needlestack. That's authentic with the number eight dot com slash needlestack. Also, be sure to follow us on Twitter at @needlestackpod. We'll be back next week with more tips for OSINT practitioners, that's open source intelligence practitioners. We'll see you then.