In the previous chapter we talked about the artifacts that attackers can collect from individuals and companies through their devices, networks, and browsers. Not only attackers but also competitors collect information and artifacts about users. We discussed the tools and techniques that attackers use to compromise networks, and how browsers in particular can be used by attackers to collect information from users.
In this chapter, we will be focusing on cyber anonymity. The flow of this chapter will be as follows:
The term anonymity, like many other English terms, originates from two Greek words. The first half of the word, an, is derived from a Greek word meaning without, and the second half, onoma, is another Greek word meaning name. Combining these two words created the term anonymous – maintaining the state of going unnamed is referred to as anonymity. When it comes to the cyber world, anonymity refers to remaining online without revealing your identity. There are different levels of anonymity, which will be discussed in detail in the third topic of this chapter.
The moment you connect to the internet, your information will be collected in many layers, as we discussed in earlier chapters. Cyber anonymity means making it impossible for others to identify the originator of a message or an action, by not revealing your identity while remaining connected. Another definition of cyber anonymity is performing activities on the internet without your identity being revealed. As you can see, anonymity is closely associated with privacy. When privacy is missing, anonymity cannot be maintained; whoever wants to maintain cyber anonymity has to protect their privacy first. We use different identity systems in physical interactions, including national identity cards, passports, driver’s licenses, and social security numbers, but in the cyber world, identities are mainly represented by usernames or user IDs.
On the other hand, being anonymous considerably reduces accountability for any actions performed. This is the main reason for attackers to take precautionary actions to hide their identity when performing illegal acts, which makes it hard or impossible for investigators to trace the perpetrators after the action.
Because of this, it has become a legal requirement for many online services to require an identity before any action can be performed. Once an identity is provided, it must be verified, as attackers will otherwise impersonate that identity. There are many different identity verification methods, and all of them fall into six categories. Identity verification is also known as authentication. The following are the commonly available authentication methods:
Since this verification is commonly used, users generally have an understanding of how to provide MFA or 2FA authentication. This requires users to provide additional verification other than a username and password based on the verification options available.
The downside of this verification method is that another person can impersonate the legitimate user by guessing or otherwise obtaining the partial information that is requested. The following is an example of this verification method:
Figure 7.1 – Database-based authentication
Database-based authentication is used to authenticate by providing information that is already stored in the database. As per this figure, the user must provide both an infringement number and vehicle registration to authenticate and access the system.
Figure 7.2 – The service provider provides external authentication providers to authenticate
As per the preceding figure, www.scribed.com provides users with access to a range of books. Users have the option of creating an identity on www.scribed.com or they can use an existing Google or Facebook account. When a user selects an external identity provider, the request will be redirected to the respective identity provider’s portal. Then, the user can provide the credentials:
Figure 7.3 – When a user selects Google as a service provider, the request is redirected to Google
When the user provides valid credentials in the identity provider’s portal and is successfully authenticated, the identity provider redirects to the service provider again to provide access to the service.
Typically, once the user is authenticated, the user will be given access according to the principle of least privilege, a step known as authorization. Most systems, including those of financial organizations, practice this mechanism. Once the user is authorized (authorization being the level of access granted to the user based on their role), the user is given access to resources according to those permissions. In line with the security policies, the minimum set of permissions that allows them to perform their job tasks will be assigned.
In today’s world with its complex requirements, the preceding authentication systems cannot provide complete security, as attackers can use various tactics, techniques, and tools to compromise security. To overcome this concern, many identity systems incorporate zero-trust-based implementations, which are not only limited to the preceding authentication methods but also validate additional attributes such as the usual location of access, the usual device of access, realistic travel times, IP addresses, and suspicious behaviors.
For example, Azure Active Directory is one of the most used identity systems and provides identity services internally and externally. While supporting MFA or 2FA authentication and biometric authentication, it also supports configuring conditional access policies based on a range of criteria including the following:
Figure 7.4 – Azure Active Directory provides a conditional access policy to configure zero-trust security
If the user identity is critical, systems and infrastructures can use conditional access policies in addition to main authentication systems. Conditional access supports maintaining zero-trust security. The idea of the zero-trust security implementation is not to trust any request without verification.
For example, when a user provides the correct credentials to log into the system and the system is designed to validate a user only based on the username and password combination, we are assuming that the user credentials will never be compromised. As a result of this implementation, if an attacker compromises the user credentials and tries to access the system, the system will allow the attacker access if the credentials are correct. In today’s world, there are many attacks targeting user credentials. Compromising passwords has become common. If the systems are completely reliant on the username and the password, there can be many attackers accessing the system pretending to be users using compromised passwords.
Therefore, zero-trust implementation is necessary. Even if attackers successfully compromise a password, the system will still have to validate the user based on the different verification methods that we discussed before.
For example, if an attacker compromised a user’s password, the attacker would typically launch the attack remotely and then try to access the service; if the system is based on a typical castle (perimeter-based) security implementation, the attacker would be able to successfully access the resources. If the system is configured with zero-trust security, a username and password would not be enough to access the system even if these credentials have been compromised. When an attacker tries to access the system using the compromised credentials, even if the credentials are correct, the system will try to validate the following:
Since the system is validating the request based on the preceding criteria, even if the attacker is trying to access it with compromised credentials, the system will block the attempt in real time, which makes the compromised credentials useless to the attacker.
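The checks described above, as an added Python example (illustrative code written for this chapter, not Azure Active Directory’s implementation): a sign-in that has already passed the password check is evaluated against the user’s usual device, usual country, realistic travel time since the previous sign-in, and a source-IP deny list. Every user, device, coordinate, IP address and threshold in it is a constructed assumption.

```python
"""Toy conditional-access evaluator: added example, not Azure Active Directory code.

A sign-in that has already passed the password check is evaluated against the
zero-trust signals the chapter lists: usual device, usual location, realistic
travel time since the previous sign-in, and the source IP. All data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_TRAVEL_KMH = 900.0      # assumption: roughly airliner speed; faster than this is "impossible travel"
GEOIP_SLACK_KM = 50.0       # assumption: ignore small jumps caused by GeoIP imprecision
DENY_LIST_PREFIXES = ("203.0.113.",)  # constructed deny list using the TEST-NET-3 documentation range


@dataclass
class SignIn:
    user: str
    device_id: str
    ip: str
    country: str
    lat: float
    lon: float
    when: datetime


@dataclass
class UserProfile:
    user: str
    known_devices: set[str]
    usual_countries: set[str]
    last_sign_in: Optional[SignIn] = None


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance between two coordinates, in km."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def evaluate(profile: UserProfile, attempt: SignIn) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'allow', 'require_mfa' or 'block'.

    The password is already verified when this runs. These checks are what make
    a stolen password insufficient on its own.
    """
    if attempt.ip.startswith(DENY_LIST_PREFIXES):
        return "block", ["source IP on deny list"]

    prev = profile.last_sign_in
    if prev is not None:
        hours = (attempt.when - prev.when).total_seconds() / 3600
        km = distance_km(prev.lat, prev.lon, attempt.lat, attempt.lon)
        # Impossible travel: too far to have moved there since the last sign-in.
        if km > GEOIP_SLACK_KM and (hours <= 0 or km / hours > MAX_TRAVEL_KMH):
            return "block", [f"impossible travel: {km:.0f} km in {hours:.1f} h"]

    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        reasons.append("unusual country")
    # Unfamiliar but physically plausible: step up to MFA instead of blocking.
    return ("require_mfa" if reasons else "allow"), reasons


def demo() -> dict[str, tuple[str, list[str]]]:
    """Three constructed scenarios for the user 'alice', whose usual device signs in from London."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    london = (51.51, -0.13)
    profile = UserProfile(
        user="alice",
        known_devices={"laptop-01"},
        usual_countries={"GB"},
        last_sign_in=SignIn("alice", "laptop-01", "198.51.100.7", "GB", *london, t0),
    )
    # 1. Known device, usual country, two hours later: allowed outright.
    normal = SignIn("alice", "laptop-01", "198.51.100.7", "GB", *london, t0 + timedelta(hours=2))
    # 2. Correct password, but from a new device in New York 30 minutes after a London sign-in.
    stolen = SignIn("alice", "unknown-dev", "192.0.2.55", "US", 40.71, -74.01, t0 + timedelta(minutes=30))
    # 3. New phone from Manchester the next day: plausible travel, so MFA is required, not a block.
    new_device = SignIn("alice", "phone-02", "198.51.100.9", "GB", 53.48, -2.24, t0 + timedelta(days=1))
    return {
        "normal": evaluate(profile, normal),
        "stolen_credentials": evaluate(profile, stolen),
        "new_device": evaluate(profile, new_device),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name:20s} -> {decision} {reasons}")
```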
This section explained the importance of implementing a proper identity system, as cyber anonymity is based on not revealing your identity. Especially for critical systems, it is very important to maintain a proper identity system – not only systems authenticating based on credentials but also monitoring other attributes that make attackers’ attempts much harder to succeed.
There are many arguments about privacy and anonymity – some of these arguments try to establish a connection between privacy and anonymity – but privacy and anonymity are two different concepts. In other words, maintaining privacy will not lead to anonymity. Depending on the scenario or the requirement, you might want to choose privacy or anonymity. Having a better and clear understanding of privacy and anonymity will help you to select the right option. For example, when using a mobile app, when accessing a web application, or when installing software, it will tell you that the app or software will maintain your privacy – or that it provides anonymity. Some organizations or companies are being honest here, but some are still playing with words, as most users do not have a very clear understanding of these terms.
The term privacy refers to the ability to keep your personal or sensitive information exclusively to yourself and have total control over access to your information. In other words, you can control who can access your data, what the level of access is, and when they can access it and you can find out what the purpose of them accessing your information is. As a broader definition, information privacy is the right to have control over your information and how it can be collected, accessed, and used. This will often be dictated by the privacy policy in many organizations or when you are accessing any online service in the cyber world. The privacy policy is treated as a legal document that defines the way customer data is gathered, used, managed, and disclosed.
In the previous chapter, we discussed cookies – especially, we discussed how third-party cookies will collect information from users and often share it with other companies or organizations. As you may have noticed, many websites you visit today have cookie policies. Even though users frequently won’t read it, the cookie policy defines the information that they gather and how the information will be used. As an example, let’s visit the https://www.packtpub.com website. If this is your first time visiting this website using this browser, you will be prompted with a cookie policy acceptance notification.
This website has given users options to decide on collecting information. As it clearly says, “This website uses cookies and other tracking technology to analyse traffic, personalise ads and learn how we can improve the experience for our visitors and customers. We may also share information with trusted third-party providers.” Once the users give consent, their information will be collected. On the other hand, cookies will be used to provide a more personalized and rich experience for the users based on their choice:
Figure 7.5 – Cookie policy to get user consent on information collection
If you click More info, this website will take you to the privacy center where you can select what type of information collection you consent to. There are usually a few options: this website explains its privacy information, the cookies strictly necessary for the website to function properly (which users usually cannot turn off), performance cookies, which typically do not collect personal information, and the third-party cookies that we discussed in the previous chapter:
Figure 7.6 – Privacy statement on cookies
If you select the second option, Strictly Necessary Cookies, you will find that these cookies cannot be turned off, because disabling them would affect the site’s functionality.
When you select Performance Cookies, you can allow or disallow these cookies. Performance cookies collect performance-related data but not personal information about the users. For example, these cookies collect information such as how many users visited the website, how long they stayed on it, and the number of pages visited. You can choose whether to enable or disable these cookies. The fourth option, Targeting Cookies, covers cookies from third-party providers. In particular, these cookies will collect information and may share it with third-party providers, who use it to personalize advertisements.
If you click on the Learn more link of this website, it will take you to the company privacy policy, which explains how they collect customer data, including the information collected through cookies, what type of data they are collecting from customers, how they manage the data they collect, how long they will keep the data, with whom they will be sharing this information, and where the personal data will be processed:
Figure 7.7 – Privacy policy of the organization
If you read through the policy, you will find out how they collect the data. For example, they will collect data when you visit their website, when you make online purchases, when you engage with their social media, when you install their app, or when you create an account with them. They explain what type of information they collect from the customer, including customer name, date of birth, billing information, job title, and telephone number. They also explain why they collect customer data and how they manage it.
This example shows how this website collects customer data, manages customer data, and uses customer data. The customer has the option to decide what type of data they can collect.
Anonymity refers to hiding your identity but not your actions. As we discussed before, when you interact with the cyber world, different entities will be collecting your information in various layers. In the cyber world, you can be anonymous by preventing these entities from collecting your identity-related information. It’s more like in the physical world when someone is covering their face to prevent others from identifying them. In many robberies, robbers used to wear face masks to prevent others from identifying them. In that way, they could be anonymous, but their actions were still visible. For example, if the robbers rob a bank and wear face masks, the action is still visible, as many have seen the bank robbery take place, but they cannot identify the robbers, as they were wearing face masks. In many cases, investigators are able to catch the robbers by using a tiny bit of information that can still identify the robbers. Sometimes, it can be a tattoo on one robber’s hand, for example, which can be used by the investigators to trace the person even though they were wearing face masks.
In the same way, in the digital world, there are ways that you can be anonymous, but a small mistake can reveal your real identity. Attackers want to maintain anonymity at all times, as their intentions are malicious and they never want to get caught. As users, our reasons for wanting to be anonymous are ethical: we don’t want our information to be collected and processed without our consent.
Since user data is collected in multiple layers and by multiple entities, it’s not simple to be anonymous in the digital world, especially for ordinary users. For attackers and hackers, being anonymous is not that hard, as they are aware of these layers, that is, the ways that different entities collect identifiable information. For users, however, remaining anonymous is challenging. This is the reason we discussed the various types of data collection methods. When you understand the ways that information is collected, you can plan to prevent your data from being collected at each layer.
In the next few sections, we will be talking about different levels of cyber anonymity and the best practices when it comes to cyber anonymity. If you really want to maintain anonymity when you are interacting with the cyber world, developing the required mindset is very important. As I explained earlier, through a single mistake, investigators can trace a robber; the same thing can happen when you neglect a single piece of the process and reveal your identity.
As we discussed earlier, cyber anonymity is trying to hide your identity without hiding the action: being anonymous means your identity is hidden while your actions remain visible. Back in 1996, a paper published in the Journal of Universal Computer Science by Bill Flinn and Hermann Maurer, who were from the computer science department at the University of Auckland, first introduced the levels of anonymity (https://www.jucs.org/jucs_1_1/levels_of_anonymity/Flinn_B.pdf). According to the paper, networked computer systems required multiple levels of anonymity. The paper explains five levels of anonymity, but since these levels were introduced in 1996, it does not categorize the techniques and tactics used today. However, it establishes a few points from which to continue our discussion.
The various levels of cyber anonymity are as follows:
The reason to start our discussion from this paper is that it establishes the ground on which to discuss further levels of anonymity. As you may notice, Level 1 and Level 0 as discussed in Bill Flinn and Hermann Maurer’s paper do not provide proper anonymity, as they collect information about the user, even though they don’t collect identity-related information. Since this paper was published two decades ago, we need to achieve a greater level of anonymity in today’s complex systems.
According to the paper we discussed, the highest levels of anonymity were provided by Level 1 and Level 0, but as we have seen, even though neither Level 1 nor Level 0 collects the identity or requires authentication, both implementations collect user activity-related information. The reason behind this categorization is the definition of anonymity. By definition, anonymity hides identity, not actions. Since Level 1 and Level 0 do not collect information related to identity, the paper presented by the University of Auckland defined even Level 1 as an anonymous system.
When we compare this situation with today’s world with more complex implementations, collected information can contain sensitive and personally identifiable information even though the user identity is not collected. For example, as we discussed, direct cookies and third-party cookies collect information related to the device, browser, location, user behavior-related information, IP address, and any items that the user is interested in. Combining all this information, you could probably uniquely identify the user. If we want to establish another level beyond Level 1 and Level 0, we need to look at a system or method where none of this information is collected from the user, including the user’s device, browser, IP, or anything related to the user’s activities. If we suggested a system that did not even collect this information, it could be named a super-anonymous level.
If we were to implement a super-anonymous level, mainly, it shouldn’t have any identity or authentication requirements as per the definition of anonymity. Then, the real challenge would be to protect users from the systems established to collect user activity-related information, as we discussed under Level 1 and Level 0. Since most of the applications developed today use web-based technologies and are accessible over browsers, inherently, browsers use direct and third-party cookies to collect information. A super-anonymous level will be a level that does not collect identifying information or any other user device-based, browser-based, or behavior-based information during the interaction with the web-based application or website. Ideally, when accessing the system, it should not only avoid collecting identification-related information but also any activity-related or behavioral information.
To maintain a super-anonymous level, we need to follow the best practices to be anonymous on the internet. As discussed, user data is collected in multiple layers, so we need to follow best practices to prevent data collection when on the internet.
We discussed the layers of cyber anonymity and how the different entities collect user information while the user is on the internet. As this process is collecting information in different layers, we need to concentrate on all the layers, not just the browser. The best practices that we are going to discuss here not only concentrate on the browser but also all the layers. Let’s look at some best practices to maintain cyber anonymity:
Figure 7.8 – This shows your private IP address
This will show your private IP address. In this system, the private IP address is 10.10.10.8. If you want to check your public IP address, there are multiple ways to do that. The easiest way to check your public IP is by accessing https://ip.me, or you can simply search for what’s my IP on Google:
Figure 7.9 – The ip.me site shows your public IP address and other information
When you access https://ip.me, it will show you your public IP address and other information including your internet service provider, country, location, and postal code. If you are using a VPN service, you can send your traffic over a VPN server and this will prevent the web application from detecting your public IP. There are different types of VPN services available, which we will be discussing in the next section. For now, I will use OpenVPN to show you how the traffic is sent over the VPN server. Let’s download the OpenVPN community edition client first by accessing https://openvpn.net/community-downloads/, and once downloaded, install the software onto our device. Then, we need to download the configuration file – we can download many configuration files on https://www.vpnbook.com/. There are many connectivity details available, but select OpenVPN, as we need connection details for OpenVPN:
Figure 7.10 – Configuration files for OpenVPN for different servers
Select any of the listed servers to download the configuration file and extract it to any folder. Then, open the OpenVPN community edition software and import the files. Just select the FILE option and click BROWSE to select the configuration file’s location or you can simply drag and drop the files:
Figure 7.11 – Importing configuration files for OpenVPN for the servers
Once the configuration file is imported, you can specify the username provided by the https://www.vpnbook.com/ site and click CONNECT:
Figure 7.12 – Connecting to the VPN server
Once you click on CONNECT, it will prompt you for the password. You can provide the password given by the https://www.vpnbook.com/ site when you downloaded the configuration file:
Figure 7.13 – Connected to the VPN server
Once the VPN client is successfully connected to the server, your traffic will be redirected through the VPN server. If you access any internet service now, they will be detecting the VPN server’s public IP address instead of your public IP. Now, when you try the same site, see the IP address shown there:
Figure 7.14 – Once connected to the VPN server, your public IP will be changed
Once you are connected through the VPN service as shown, sites will not see your real public IP; instead, they will see the IP address of the VPN server you are connected to. Traffic will be encrypted from your device to the VPN server. This ensures anonymity while you are interacting with the internet.
Another important thing to remember is that the VPN is only connecting you through its server, so the VPN service should be trustworthy. If you use an untrusted VPN service, that VPN service provider can also collect your information. Some browsers and operating systems have VPN services built in. The Tor browser is the best example, which we will discuss in detail later.
VeraCrypt is a free and open source tool that uses strong AES-256 encryption to encrypt data – you can use VeraCrypt to completely encrypt a device, including its operating system.
BitLocker also supports the Trusted Platform Module (TPM), a hardware module that provides trusted technology to protect sensitive data; it binds the encryption to the hardware device, which makes the protection much stronger. When stronger encryption is used and the TPM is enabled, even if the device is stolen, a third party will not be able to retrieve the data.
If you use known information about yourself within your password, attackers can use a method called Common User Passwords Profiler (CUPP) to generate a tailored wordlist for breaking your password. There are many tools you can find to generate CUPP wordlists. I’m using cupp.py to generate this. You can download cupp.py from www.github.com/Mebus/cupp:
Figure 7.15 – CUPP generating a tailored password wordlist
Cupp.py is a Python script into which an attacker can enter known information about the user, including first name and last name, a spouse’s name, a child’s name, and birthdays. Then, the script will jumble the entered words, varying uppercase and lowercase letters and adding common special characters, to create a long wordlist for cracking the password.
Because of this, we shouldn’t be using information about ourselves or family members within our passwords. One of the ways to overcome this issue is using passphrases, as phrases are easier to remember than complex passwords and they are lengthy. Therefore, they are not as easy to break using common password-breaking techniques.
There are online services that support passphrase generation, such as https://www.useapassphrase.com/ and https://untroubled.org/pwgen/ppgen.cgi.
When you use https://www.useapassphrase.com/, it generates passwords based on the number of words:
Figure 7.16 – useapassphrase has generated a four-word passphrase
You can select the number of words for the passphrase; our example uses a four-word passphrase. The advantage of passphrases is that they are easy to remember and extremely hard to guess or break. As you may have noticed, the approximate crack time is given in centuries.
When you use https://untroubled.org/pwgen/ppgen.cgi to generate a passphrase, a number of options are given, including the number of words, the length of the words, enabling random capitalization, and inserting digits. This page only generates the passphrase and does not store anything, and it shows the number of possible combinations:
Figure 7.17 – untroubled.org password generator can generate passphrases
The untroubled.org password generator can generate passphrases that are extremely hard to guess and break using common password-cracking tools. The source code for the password generator is available to download, so you can confirm that this site does not collect this data, but the drawback of such a passphrase is that it is not easy to remember. Users need to use password managers such as KeePass or Bitwarden, which we discussed in previous chapters.
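The passphrase arithmetic behind the two generators above, and the CUPP point made earlier, as an added Python example (written for this chapter; it is not the code behind useapassphrase.com, untroubled.org or cupp.py): it draws a passphrase with a cryptographic random source, computes the number of combinations and the expected crack time under two assumed guess rates, and adds a policy check that flags passwords containing the kind of personal details a CUPP-style profiler feeds on. The eight-word list, both guess rates, and the profile tokens are constructed assumptions.

```python
"""Passphrase strength arithmetic: added example, not the code behind
useapassphrase.com, untroubled.org or cupp.py.

Shows why passphrase generators can report crack times in centuries, how much
that figure depends on the attacker's assumed guess rate, and a policy check
that rejects passwords built from profileable personal details.
All numbers and names below are constructed.
"""
import math
import secrets

# Constructed eight-word list standing in for a real diceware list of 7,776 words.
SAMPLE_WORDS = ["harbor", "violet", "tundra", "copper", "lantern", "meadow", "quartz", "saddle"]
DICEWARE_SIZE = 7776
ONLINE_GUESSES_PER_SEC = 1e3    # assumption: throttled guessing against a live login form
OFFLINE_GUESSES_PER_SEC = 1e10  # assumption: GPU rig attacking a stolen fast hash offline
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_passphrase(n_words, wordlist=SAMPLE_WORDS, separator="-"):
    """Pick words uniformly with the CSPRNG from `secrets`, never `random`."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def combinations(n_words, wordlist_size):
    """Number of equally likely passphrases: every word is an independent draw."""
    return wordlist_size ** n_words


def entropy_bits(n_words, wordlist_size):
    """Same quantity on a log scale; each diceware word adds about 12.9 bits."""
    return n_words * math.log2(wordlist_size)


def expected_crack_years(n_combinations, guesses_per_second):
    """Expected time to hit the right guess: on average half the keyspace is tried."""
    return n_combinations / 2 / guesses_per_second / SECONDS_PER_YEAR


def uses_personal_info(password, profile_tokens):
    """Policy check: return the profile tokens (names, years, pets) found in the password.

    A CUPP-style wordlist is built from exactly these tokens, so any hit means the
    effective keyspace is the size of the profiler's list, not of the character set.
    """
    lowered = password.lower()
    return [t for t in profile_tokens if len(t) >= 3 and t.lower() in lowered]


def report():
    """Compare a four-word and a six-word passphrase under both guess rates."""
    out = {}
    for n in (4, 6):
        combos = combinations(n, DICEWARE_SIZE)
        out[n] = {
            "bits": round(entropy_bits(n, DICEWARE_SIZE), 1),
            "online_years": expected_crack_years(combos, ONLINE_GUESSES_PER_SEC),
            "offline_years": expected_crack_years(combos, OFFLINE_GUESSES_PER_SEC),
        }
    return out


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(4))
    for n, r in report().items():
        print(f"{n} words: {r['bits']} bits, online {r['online_years']:.0f} y, offline {r['offline_years']:.4f} y")
    # Constructed profile of a user named Alice, born 1990, with a dog called Rex.
    print("flagged:", uses_personal_info("Alice1990!", ["alice", "1990", "rex"]))
```

The same four-word passphrase comes out at tens of thousands of years against a throttled login form but only a couple of days against an offline GPU attack, so read a generator’s crack-time figure together with the guess rate it assumes.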
Figure 7.18 – Secure connection established by https
If the web application doesn’t show the padlock sign as shown in the figure, your communication is not encrypted, which means that attackers can see what you are doing, even sensitive information such as your passwords and bank information, or whatever information you are communicating.
When interacting with the cyber world, there are multiple components working together to establish connectivity. Once connectivity is established, data will flow through multiple layers. When you work with applications, data will be sent over multiple layers during client-server communication. As we discussed in the previous sections, we need to look at all these elements to maintain anonymity in the cyber world. Due to the vast number of elements involved, it’s not easy to maintain cyber anonymity, as all these elements are collecting information by design. Especially for a typical user, concentrating on all areas is going to be hard. When you read the Best practices to maintain cyber anonymity section, you may have noticed that we must be extremely mindful to maintain cyber anonymity. The best way to maintain cyber anonymity is to develop a cyber anonymity mindset.
This can be started now and applied to the devices that you use all the time – mobile devices, laptops, desktops, smart devices, or even personal assistant devices. Just think about whether your own device is secure. You can assess this by answering the following questions:
If the answer to at least most of these questions is yes, you will know you are using a secure device. If not, you can take action to make your devices more secure. These questions also show the importance of the other elements connected to your devices, such as the linked accounts and billing accounts. For example, if someone can obtain a SIM card for your number by claiming ownership or requesting a replacement for a misplaced SIM, they will have access to everything of yours, because they can receive all your OTPs (sent to reset your passwords and access devices and accounts, including Google or Apple IDs). Then, you need to think about the other connections that are used to access the internet from your device.
This way, you can start developing a mindset to maintain anonymity in the cyber world. Once you start practicing, it will become a habit: you will be suspicious whenever you come across anything that could potentially compromise your privacy, and you will be able to prevent yourself from being exposed when on the internet.
This chapter focused on understanding cyber anonymity and the layers of cyber anonymity. We discussed the basics of cyber anonymity in the Definition of cyber anonymity section. Then, we tried to understand the difference between privacy and anonymity. Then, we defined and understood the different layers of cyber anonymity in the Levels of cyber anonymity section. We also discussed the best practices to maintain cyber anonymity and developing a mindset to maintain anonymity in the cyber world. During this chapter, we developed a set of skills for maintaining anonymity:
In the next chapter, you will be provided with information on how to plan for cyber anonymity and the prerequisites to maintaining cyber anonymity. In the next part, we will try to understand the scope of access and the plan for connectivity and understand the level of access. Then, we will prepare the device and the applications for anonymity.