IP and Data Anonymization 

Mar 7, 2018 9:39:02 AM / by Rob Scholl CISO @RISK


Protecting your privacy: Anonymization, the good & bad.

IP Anonymization is good, and bad - let's learn why.

IP address and data anonymization are a type of information sanitization whose intent is privacy protection. It is the process of either encrypting or removing personally identifiable information from data sets, so that the people whom the data describes remain anonymous. Here is a quick summary of ways that users both nefarious and well intentioned can keep their identity and location hidden while browsing, communicating, and downloading and transferring files.
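The two approaches named above, removing identifying detail and encrypting it, applied to IP addresses in web-server log lines. This is an added example, not code from the original post: `truncate_ip` keeps only the IPv4 /24 or IPv6 /48 network (removal), while `pseudonymise_ip` replaces the address with an HMAC-SHA256 token under a constructed key (keyed encryption-style pseudonymisation that keeps sessions linkable). The key and sample log lines are constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed example key: in practice keep it secret and rotate it, since anyone
# holding the key can re-identify an address by brute-forcing the small IPv4 space.
PSEUDONYM_KEY = b"constructed-example-key-rotate-me"


def truncate_ip(ip_text: str) -> str:
    """Anonymise by removal: keep the IPv4 /24 or IPv6 /48 network, zero the host bits."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network((str(ip), prefix), strict=False).network_address)


def pseudonymise_ip(ip_text: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Anonymise by keyed hashing (HMAC-SHA256): the same address always maps to the
    same token, so sessions stay linkable, but the token is not reversible without the key."""
    ip = ipaddress.ip_address(ip_text)
    return "ip:" + hmac.new(key, ip.packed, hashlib.sha256).hexdigest()[:16]


def anonymise_line(line: str, mode: str = "truncate") -> str:
    """Rewrite every whitespace-delimited token that parses as an IP address."""
    out = []
    for tok in line.split(" "):
        try:
            ipaddress.ip_address(tok)
        except ValueError:
            out.append(tok)  # not an IP address: leave the token untouched
            continue
        out.append(truncate_ip(tok) if mode == "truncate" else pseudonymise_ip(tok))
    return " ".join(out)


# Constructed sample access-log lines using RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_LOG = [
    '192.0.2.45 - - [07/Mar/2018:09:39:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '2001:db8:abcd:1234::17 - - [07/Mar/2018:09:39:05 +0000] "GET /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(anonymise_line(line, "truncate"))
        print(anonymise_line(line, "pseudonymise"))
```

Truncation is irreversible but still leaks the coarse network; keyed pseudonymisation hides the network entirely but becomes reversible for anyone who obtains the key.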


Let's talk about how something meant for good can be turned to more nefarious uses.

LEVEL 1: Anonymous Web Browsing 

An effective way to stay anonymous online is to hide the IP address, since it is the easiest way to trace online activity back to its source. If someone knows an IP address, they can easily determine the geographic location of the server that hosts that address and get a rough idea of where the user is located. Broadly speaking, there are three ways to obscure your IP address and hide your location:

  1. Use a proxy server. If you want all of your online activity to be anonymized, the best way to do it is to pretend to be someone else. This is basically what a proxy server does: it routes your connection through a different server, so your IP address is not so easy to track down. There are hundreds of free proxies out there, and finding a good one is just a matter of a quick online search. Most major browsers offer proxy server extensions that can be activated in just one click.
  2. Use a Virtual Private Network (VPN). For most intents and purposes, a VPN obscures your IP address just as well as a proxy does, and in some cases even better. They work differently but achieve the same result. Essentially, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. So, if I were to log into Digital Trends’ VPN, anyone looking at my IP address would think I’m in New York when I’m actually on the West Coast. Here’s a list of good VPN services to get you started: ExpressVPN, NordVPN, IP Vanish, Private VPN, among others.
  3. Use TOR. Short for The Onion Router, TOR is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. Browsing with TOR is a lot like simultaneously using hundreds of different proxies that are randomized periodically. But it’s a lot more than just a secure browser. We won’t get into the details here, but you should definitely check out www.torproject.org if you’re concerned about anonymity.
  4. Use VPN + TOR. Combining a VPN with TOR provides a better level of anonymization, since web-site browser-based HTML and JavaScript/WebAssembly code can leak information via DNS leaks, as well as via STUN/ICE/TURN service accesses that can potentially bypass TOR for direct peer-to-peer communication.
  5. Beyond TOR. Whether the use of Tor, or its replacement, increases or declines, the capabilities available to users on the dark or open web will expand. As technology evolves and software advances, users should experience better search ability with different ways of protecting privacy.

Summary: In addition to the expansion of cryptocurrencies and marketplaces on the Darknet, there will also be an increase in the number of illicit users. Much of the criminal activity now takes place, and will continue to take place, on the open web through social media or dodgy sites hosted in third-world countries. @RISK collects and analyzes intelligence from all of these sources and monitors the development of Darknets like TOR, I2P, Signal, Telegram, and others, ensuring that it will be able to monitor and extract intelligence from them in the future.

One thing is certain when it comes to monitoring Known and Hidden Networks: the Darknet as we know it will not hold forever, but @RISK is prepared for the inevitable changes that will come in Tor, other Darknets, and the open web.


LEVEL 2: Anonymous Email and Communication

Using proxies, VPNs, and TOR will obscure an IP address from prying eyes, but sending emails presents a different anonymity challenge. In this instance, a threat wants to send somebody an email but does not want anyone to know the originating email address. Generally, there are two ways to go about this: 

  1. Use an alias. An alias is essentially a forwarding address. When a threat sends mail through an alias, the recipient will only see the forwarding address, and not the real email. Since all mail is forwarded to a regular inbox, this method will keep the real email address secret, but it will not prevent spamming.
  2. Use a disposable email account. This can be done in two ways: either the actor creates a new email account with a fake name and uses it for the duration of their needs, or they use a disposable email service. These services work by creating a temporary forwarding address that is deleted after a certain amount of time. Also, using a VPN and communicating through an anonymized email address will keep a threat's identity hidden, but it still leaves open the possibility of emails being intercepted through a man-in-the-middle scheme. To avoid this, tools can encrypt emails before they are sent.

Here’s how:

  • Use HTTPS in the Web-based email client. This will add SSL/TLS encryption to all Web-based communications. 
  • Use PGP (Pretty Good Privacy) software. While using HTTPS will encrypt data on a network level, PGP software will encrypt the actual e-mail and files themselves.

In addition to email, attackers may also encrypt their instant messaging. Some examples of tools they might use to communicate while attacking a network include:

  • TOR chat: a lightweight and easy-to-use chat client that uses TOR’s location hiding services. It uses SSL/TLS encryption.
  • Cryptocat: a Web-based chat client that uses the AES-256 encryption standard, which is extremely hard to break. It also supports group chats.
  • Signal: an encrypted communication platform originally made famous by Edward Snowden (previously known as RedPhone for voice and TextSecure for messaging); it is very secure, using the AES-256 encryption standard.
  • Telegram: service that provides chat, including secure chat (which provides perfect forward secrecy, with frequent key changes for security). Telegram also supports bots, which are used for various cryptocurrency tool registration and/or validation.

Summary: Obscuring how one can be found is a sure way to avoid detection and accountability. An additional benefit is that it creates false affinity, because the other party thinks they are talking to a trusted associate or service professional. This is precisely how confidential information is shared, resulting in illicit wire transfers or breaches.

LEVEL 3: Anonymous File Transfers and Sharing

Getting files from the Internet is easy, but the sender has access to the receiver’s IP address, which is needed to deliver the download. In the case of BitTorrent, there are thousands of different peers that can see an IP address at any given moment, which means downloading is one of the least anonymous things to do on the Web. However, if done correctly, it is possible to download and share files while keeping an IP address and identity concealed.

  • When downloading directly from a file hosting location, users may use a proxy or VPN to obscure their IP. 
  • If using BitTorrent to download content that has been stolen, the use of a proxy or VPN will keep an identity hidden. A service like BT Guard is the same as any other VPN or proxy service, with the one difference being that the site is designed specifically for heavy BitTorrent users.
  • There are also hosted sharing services that do not expose the receiver’s IP address to the sender, only the hosting service’s.

Summary: Moving files discreetly is the best way to exfiltrate them, like raccoons in the night, to a place where they can be safely examined and used for further exploitation, sale or theft. Identifying this kind of behavior is an important step in plugging a hidden gap left open by your current cyber capabilities, stopping a hacker before they can exploit it.
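A starting point for the identification step the summary calls for, as an added example that is not part of the original post: a flow-log triage routine that flags internal hosts talking to an anonymizer watch-list or to the well-known default ports for Tor relays, STUN/TURN (the WebRTC bypass noted in Level 1) and BitTorrent, and marks hosts with large outbound volume. The watch-list ranges, the flow records and the 50 MB threshold are constructed or assumed; a real deployment would feed the watch-list from a maintained Tor exit / VPN egress list.

```python
import ipaddress
from dataclasses import dataclass

# Constructed watch-list (RFC 5737 ranges). In production, feed this from a maintained
# Tor exit-node / VPN egress list and refresh it regularly.
ANONYMIZER_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Well-known default ports: Tor relay ORPort/DirPort, STUN/TURN (WebRTC), BitTorrent range.
PORT_INDICATORS = {
    "Tor default relay port": {9001, 9030},
    "STUN/TURN traffic (possible WebRTC bypass of proxy/Tor)": {3478, 5349},
    "BitTorrent default port": set(range(6881, 6890)),
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def classify(flow):
    """Reasons (possibly none) why a single flow resembles anonymized or P2P transfer."""
    reasons = []
    if any(ipaddress.ip_address(flow.dst) in net for net in ANONYMIZER_NETS):
        reasons.append("destination on anonymizer watch-list")
    reasons += [name for name, ports in PORT_INDICATORS.items() if flow.dport in ports]
    return reasons


def triage(flows, threshold=50_000_000):  # threshold is an assumed tuning value
    """Aggregate per source host; keep hosts with at least one indicator, mark high volume."""
    hosts = {}
    for f in flows:
        entry = hosts.setdefault(f.src, {"reasons": set(), "bytes_out": 0})
        entry["reasons"].update(classify(f))
        entry["bytes_out"] += f.bytes_out
    return {
        h: {"reasons": sorted(e["reasons"]), "bytes_out": e["bytes_out"],
            "high_volume": e["bytes_out"] >= threshold}
        for h, e in hosts.items() if e["reasons"]
    }


# Constructed sample flow records (private sources, documentation-range destinations).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 443, 60_000_000),  # watch-listed egress, large upload
    Flow("10.0.0.8", "192.0.2.10", 443, 1_000),        # ordinary HTTPS, no indicator
    Flow("10.0.0.9", "192.0.2.20", 9001, 5_000),       # Tor-style relay port, small
    Flow("10.0.0.9", "192.0.2.21", 3478, 2_000),       # STUN alongside the Tor-style flow
]
```

Port-based indicators alone produce false positives (legitimate VoIP also uses STUN), so the per-host aggregation and volume flag are what make a hit worth an analyst's time.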
