TrustedSec - A Beginner’s Guide to Staying Safe/Anonymous Online
What is OSINT?
It is probably safe to assume you have heard of OSINT at some point (Open Source INTelligence). However, if you have not, it can very generally be described as the collection and analysis of data gathered from publicly accessible sources. People who perform OSINT have a wide variety of sources they can pull from and many different techniques they can use. For example, they could scrape information about you, your friends and family, or your company from your social media profiles. They could search through the multitude of data breaches that have been made public, looking for passwords to your accounts. The amount of data that can be found online can be rather daunting. This article will cover some steps you can take to limit your exposure, access to your information, and why that is important.
What is Anti-OSINT?
Anti-OSINT is the process and techniques by which one attempts to prevent the gathering of accurate OSINT data about a person or thing. For many people, this could be imagined as the domain of entities such as spy agencies, conspiracy theorists, or hermits who are living off the grid.
In the next section, we will cover why this list is too limited and why everyone should be concerned about their privacy.
Why is Online Privacy Important and do I Need It?
Data in all forms can be used. While this can be a positive in some instances, it can also be used for nefarious reasons. When that data is your personal information, the results can be significant.
Potential employers may search your social media profiles to get an idea of who you are, and what they find may have an impact on their impression of you. Other companies, such as search engines or any company that offers a service for “free”, can make a LOT of money off of you and your information. There is no such thing as a free service. If the company does not charge for their service, they are likely selling the information you provide (intentionally and unintentionally) to other data brokers. Many times, this is used for targeted marketing and market research, but it can easily be used to profile you as well.
“Bad people” can use data to do bad things to you or to other people in your name. Given a few pieces of information about you, someone could open new financial accounts in your name, request sensitive information from your health care providers, or cause any number of other issues for you.
Often I hear people tell me that they have nothing to hide and that no one is even after their information anyway. I disagree with both of those statements. Everyone has something they want to hide or protect, such as their financial account numbers or medical records. Other common pieces of information can be used in combination, such as your date of birth, mother’s maiden name, and so forth.
Other people may live or work in countries with repressive or tyrannical governments where they may face fines, imprisonment, or even death based on their activities or beliefs. For these people, maintaining anonymity and privacy is critical to their safety.
Perhaps you have someone who means to harm you. This could be a disgruntled employee, an ex-significant other, a hate group, or a random online stalker. Maintaining proper privacy and control over your information can help prevent these individuals from locating you.
Are you completely satisfied with every decision you have ever made in your life? For many of us, it is likely that you have made a few bad choices and you do not wish those to limit your possibilities in the future.
The list can go on and on. Ultimately, everyone probably has something they care to hide, and to the right person or company, that data can be of great importance.
Wait, All of my Information is Already Online?
In the modern era, it is likely that many companies already have substantial access to your data. Do you have an email account with Google or Microsoft? Do you play games on Facebook? Do you have completed profiles on your social media accounts? Do you have store loyalty cards? All of these result in someone having access to some aspect of your information. The question is, how do we wrangle it in?
First, you must accept that you will likely never be able to completely remove all of your information from online sources. However, that does not mean you cannot remove most of it.
Start by making a list of every active online account you know you have. If you are not sure if you remember them all, you can use services such as https://namechk.com/ and https://checkusernames.com/ to see where your username/handle has been used.
For each account, log in and go to the profile page. Next, edit everything you can as to remove as much accurate information about you as possible; you may not be able to change or remove every piece of information. Then, attempt to delete the account. You may ask why it’s worth changing all of your information if you are just going to delete the account anyway. Well, when the account is deleted, that does not always mean the data is wiped from the databases. This way, even if the data is not entirely wiped, it should not contain your accurate information.
With that done, you need to search for anywhere else your information has been stored. This is typically done with search engine lookups. Search for your name or any piece of identifying information, and for every site that returns results, see if they have a request form or some other way to remove your information. As mentioned before, we are striving for a best effort here – you will not be able to remove everything.
How do I Maintain my Privacy?
Ok, so you have detailed as much as you can of your online information. Now, how do we maintain that privacy? The most critical aspect is to periodically check for new information pertaining to you online and removing it.
Another step you can take is to freeze your credit at all credit agencies: Equifax, Trans Union, Experian, Innovis. This will prevent several types of identity theft attacks that can be performed against you. It will also alert you to anytime someone performs a credit check on you.
One simple but necessary thing that can be done is to ask friends and family to not post/share info about you or tag you in photos.
When filling out a form/application/questionnaire, only fill out as much as required, as many times not all the fields are necessary. Even for the necessary/required items, question why they are needed and see if you can forgo filling them in. Even if you have to fill in an answer, make a determination if it is absolutely necessary for you to accurately provide that piece of information. Does the loyalty program for your grocery store need to know your real home address?
How do I Create an Alternate Online Identity?
What’s that? You want even more privacy? How about creating a sockpuppet account then? A sockpuppet is an alternate online identity used to hide/obscure your identity that is not tied back to you.
First and foremost, let me be clear that I am not a lawyer, nor do I have any form of a legal background. You should make every effort to not perform any illegal activity and ensure that everything you do in creating and using the sockpuppet is legal.
Now, let’s make a list of the items you will need to create your sockpuppet – a name, an email address, a physical address, possibly a phone number, and some way to pay for everything.
For a name, this can be anything you wish (I typically use some variation of my own name). Changing one letter, using your middle name instead of your first name, or even using your grandmothers last name, all are viable options here.
Next, you will probably want an email address. It is virtually impossible to do anything online without an email address. I would recommend finding an email address that does not track your activities, does not require that you verify your information, and that encrypts your data. One possible provider is Proton Mail, however, there are many other that would work as well. Just make sure they fit your needs without compromising your desired privacy level.
If you are like most of us, you will eventually want to buy something. I would recommend that you pay cash for everything, but that is not really possible online. For online purchases, I would buy a pre-paid debit card and use that card to buy what I want online. Yes, that does incur a bit of overhead and inconvenience, but it protects your privacy and makes it significantly more difficult to tie a purchase back to you.
If you wish to have a phone number associated with your sockpuppet, the best option is a pre-paid cell phone. Many times, these can be purchased without providing any details about yourself. Also, you can pay for these in cash or with the debit card you obtained earlier.
If you buy anything online and want it shipped to you, but do not want to associate your home address with your sockpuppet, then use a mailing service where you can send the deliveries. It has been my experience that the best option is the UPS Store, but feel free to research this further on your own.
On the technology side of your sockpuppet, you will likely want to obscure your home IP address – the obvious choice for this is a VPN. When looking for a VPN to use, try to find one that helps maintain your privacy. It should not retain any logs/data of your activities, it should allow you to pay with your prepaid debit card, and it should not require you to provide any identifying information to set up an account. Keep evaluating different VPN providers, if a security concern arises with your current provider, switch to a different provider.
For web browsers, I would suggest always using their “incognito” mode and an ad blocker. If you want additional levels of security, you could also use a Tor enabled browser, however, using Tor over your VPN may incur a significant bandwidth throttle due to the multiple levels of protection and routing.
When it comes to passwords, you should use separate passwords for every service. This is something you should already be doing.
Finally, be willing to destroy the account if needed! If the sockpuppet gets compromised or has outlived its usefulness, then delete all associated accounts and start over. The sockpuppet account should be used for transitory activities and not be designed for long time usage.
Parting Thoughts…
The information and techniques presented above may not be for everyone. Your needs and how much privacy you feel you need will likely differ from mine. As such, use this as an intro to online privacy and some of the possibilities of how to protect your data. Use as much or as little as you feel comfortable with. Remember that our privacy and data are valuable, do not give it away for free.
Helpful Resources:
This article was just an overview and intro to online privacy. There are many resources available if you would like to learn more.
Some helpful videos:
- Tim Vetter – “Winning and Quitting the Privacy Game: What it *REALLY* takes to have True Privacy in the 21st Century”
- Scott M – “Anti-OSINT…or hiding from The Man”
- Michael James – “ANTO OSINT AF: How to become untouchable”
Get a new SSN: https://faq.ssa.gov/en-US/Topic/article/KA-02220
Get a UPS Store Address: https://www.theupsstore.com/mailboxes/personal-mailboxes
Freeze your credit:
- https://www.equifax.com/personal/credit-report-services/
- https://www.experian.com/freeze/center.html
- https://www.transunion.com/credit-freeze
- https://www.innovis.com/securityFreeze/index
Reduce spam phone calls: https://www.donotcall.gov/
Check if your email against breaches: https://haveibeenpwned.com/
The post A Beginner’s Guide to Staying Safe/Anonymous Online appeared first on TrustedSec.
from TrustedSec https://www.trustedsec.com/blog/a-beginners-guide-to-staying-safe-anonymous-online/
Comments
Post a Comment