Sunday, January 15, 2017
Operational Security - Hiding in plain site
Anonymity on the net is tricky and hard to maintain. It seems every server you access wants to tag you, track you, and gather as much information on you as possible. The big networks like Google, Facebook, and Amazon are the worst, but virtually every website tries to grab some information. And if you refuse/block their attempts you may be denied service.
In a previous post we discussed setting up a secure anonymous system, but we also warned that the more secure you become the more restrictions you have. It is a balancing act. If you completely wall yourself in you cut yourself off from the rest of the world, but you still don't want to walk around naked. And if you must, you at least don't want people to know where you live and work.
The best way to stay “anonymous” on the net is to be someone else. Misdirection and obfuscation are the key. In the previous post we showed you how to run multiple systems on one machine in order to compartmentalize your footprint on the net. Now we shall look at setting up some of those systems for various purposes.
Operational security is key: each system gets a defined scope of use, and you stick to that scope strictly. We suggest at least three systems, each with its own rules.
1) A clear system where you are who you are and allow servers to positively identify you – banks, credit card sites, etc., where you can not be anonymous.
2) A secure system where you allow little or no information to leak and obfuscate what you can not block.
3) A spoofed system that presents a false identity allowing you to visit services that require you to allow tracking and/or positive identification.
In the system described in the previous post we set up a base Linux system with Whonix running in VirtualBox.
The base system is your clear system. Whenever you use that system you should assume your identity is open to scrutiny. You are walking about in the buff. But we don't want to be totally without protection, so this should only be used for visiting sites that are completely trusted and checking your real/personal email. You should be very careful while operating in the clear.
Whonix provides strong protection: the Gateway forces all of the Workstation's traffic through Tor, and the Tor Browser on the Workstation keeps your browser fingerprint uniform with every other Tor Browser user's. Unfortunately a large number of websites are not compatible with the Tor Browser. Portions of websites will not load, services are not available, and some sites deny the connection altogether.
Google often views your Tor connection as a bot and harasses you with endless Captchas to solve, but you shouldn't be connecting to Google with your secure system anyway.
Google is one of the worst offenders against anonymity. They make it their primary mission to gather as much information as they can on you and to link your secure sessions and your spoofed sessions to your clear sessions. They are not the only ones trying to tag and track you, just the best at it (probably better than the NSA); after all, that is Google's business. So stay off Google and beware of sites that embed Google Analytics, since every one of them reports your visit back to Google.
Your secure system should only be used for visiting .onion services and open sites that do not require authentication. If you ever log in anywhere with your secure system it is compromised and should be deleted: clone a new secure virtual workstation and keep that one clean. If you want a secure virtual machine for IRC or other purposes, dedicate a virtual machine to that task only and occasionally delete the machine and start fresh.
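One way to do this cloning and tearing down from the host, as an added example that is not part of the original post: a small POSIX shell script around VBoxManage. It assumes the clean template VM is named Whonix-Workstation and the gateway's internal network is named Whonix (the names Whonix's VirtualBox images ship with); the VM name spoofed-ws and the script name spoofed-ws.sh are placeholders.

```shell
#!/bin/sh
# spoofed-ws.sh: clone a throwaway Whonix Workstation from a clean template,
# pin it to the gateway's internal network, and snapshot the pristine state.
# Added example, not part of the original post. Assumes the template VM is
# named "Whonix-Workstation" and the gateway's internal network "Whonix".
set -eu

TEMPLATE="${TEMPLATE:-Whonix-Workstation}"
INTNET="${INTNET:-Whonix}"

# Full clone (not a linked clone) so the copy survives if the template is
# later replaced; --register makes it appear in the VM list immediately.
clone_workstation() {
    VBoxManage clonevm "$TEMPLATE" --name "$1" --register --mode machine
}

# Leave exactly one adapter, on the internal network the gateway serves.
# Any NAT or bridged adapter would give the workstation a route around Tor.
isolate_network() {
    VBoxManage modifyvm "$1" --nic1 intnet --intnet1 "$INTNET"
    i=2
    while [ "$i" -le 4 ]; do
        VBoxManage modifyvm "$1" --nic"$i" none
        i=$((i + 1))
    done
}

# Read `VBoxManage showvminfo <vm> --machinereadable` on stdin and succeed
# only if nic1 is on the expected internal network and nic2..nic4 are off.
check_nic_lines() {
    want="$1"; nic1_ok=0; net_ok=0; extra=0
    while IFS= read -r line; do
        case "$line" in
            nic1=\"intnet\")        nic1_ok=1 ;;
            intnet1=\""$want"\")    net_ok=1 ;;
            nic[2-4]=\"none\")      ;;
            nic[2-4]=*)             extra=1 ;;
        esac
    done
    [ "$nic1_ok" = 1 ] && [ "$net_ok" = 1 ] && [ "$extra" = 0 ]
}

# Record the clean state so the VM can be rolled back instead of rebuilt.
snapshot_clean() {
    VBoxManage snapshot "$1" take "clean-$(date +%Y%m%d)"
}

main() {
    case "${1:-}" in
        new)
            clone_workstation "$2"
            isolate_network "$2"
            VBoxManage showvminfo "$2" --machinereadable | check_nic_lines "$INTNET" \
                || { echo "refusing to snapshot: $2 still has a non-internal adapter" >&2; return 1; }
            snapshot_clean "$2" ;;
        burn)
            # Persona retired: destroy the VM and its disks; clone afresh next time.
            VBoxManage unregistervm "$2" --delete ;;
        *)
            echo "usage: $0 new|burn <vm-name>" >&2; return 2 ;;
    esac
}

# Only run main when executed as the script itself, not when sourced.
case "${0##*/}" in spoofed-ws.sh) main "$@" ;; esac
```

`./spoofed-ws.sh new spoofed-ws` clones, isolates, verifies and snapshots; `VBoxManage snapshot spoofed-ws restore clean-<date>` rolls the VM back to its clean state between tasks, and `./spoofed-ws.sh burn spoofed-ws` deletes it when the persona is retired. The adapter check is the part that matters: Whonix only forces traffic through Tor because the Workstation has no path to the network except the Gateway, and a stray NAT adapter silently gives the VM a direct route.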
For general browsing on the ordinary web we need a VM with a spoofed identity.
To do this we set up a second Whonix Workstation in VirtualBox dedicated to that task. On this spoofed system we use plain Firefox in lieu of the Tor Browser. Traffic still goes out through the Tor-enabled Gateway, so your real address stays hidden, but you lose what the Tor Browser adds on top: a uniform browser fingerprint, separate Tor circuits per site, and the patches that keep features such as WebRTC from leaking. That is the price of a browser we can configure to offer false and misleading information, which gets us into sites that demand it.
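The configuration itself, as an added example and not something from the original post: a script that drops a user.js into the Firefox profile on the spoofed Workstation and refuses to start the browser unless the leak-closing preferences are present. It assumes the Whonix Gateway's internal address 10.152.152.10 and Tor's SOCKS port 9050 (Whonix's documented defaults; confirm on your own Gateway), that the profile directory is passed as the first argument, and the user-agent string is a placeholder to be replaced with whatever is currently most common.

```shell
#!/bin/sh
# spoof-prefs.sh: write a user.js into a Firefox profile on the spoofed
# workstation so plain Firefox stops volunteering what Tor Browser would hide.
# Added example, not part of the original post. Assumes the Whonix Gateway at
# 10.152.152.10 with Tor's SOCKS port 9050 (Whonix's documented defaults;
# confirm on your gateway). The user-agent string is a placeholder: use the
# one that is currently most common so it does not itself stand out.
set -eu

write_spoof_prefs() {
    profile="$1"
    cat > "$profile/user.js" <<'EOF'
// Send every connection to the gateway's Tor SOCKS port and resolve names
// through it, so no DNS query leaves the workstation in the clear.
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "10.152.152.10");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", true);
// WebRTC and geolocation can hand a site your real address; turn them off.
user_pref("media.peerconnection.enabled", false);
user_pref("geo.enabled", false);
// One bland locale and user agent, whatever the host is actually set to.
user_pref("intl.accept_languages", "en-US, en");
user_pref("javascript.use_us_english_locale", true);
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0");
// Only send Referer to the same host, and keep no history or cache that
// would carry a trail from one session into the next.
user_pref("network.http.referer.XOriginPolicy", 2);
user_pref("privacy.resistFingerprinting", true);
user_pref("browser.cache.disk.enable", false);
user_pref("places.history.enabled", false);
EOF
}

# Refuse to launch unless every leak-closing pref is in place; a profile that
# was reset or edited by hand is the usual way these quietly vanish.
check_spoof_prefs() {
    f="$1/user.js"; rc=0
    for key in network.proxy.type network.proxy.socks_remote_dns \
               media.peerconnection.enabled geo.enabled \
               general.useragent.override; do
        grep -q "user_pref(\"$key\"" "$f" || { echo "missing pref: $key" >&2; rc=1; }
    done
    return "$rc"
}

# Usage: ./spoof-prefs.sh /path/to/spoofed-profile
# Only runs when executed as the script itself, not when sourced.
case "${0##*/}" in
    spoof-prefs.sh) write_spoof_prefs "$1" && check_spoof_prefs "$1" && firefox --no-remote --profile "$1" ;;
esac
```

Firefox re-reads user.js at every start, so these settings survive anything changed in about:config. Two caveats fit the post's own warning about red flags: privacy.resistFingerprinting is rare outside the Tor Browser and is itself a signal, and the user-agent override only helps while it matches what a large share of browsers actually send, so revisit it whenever you rebuild the workstation.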
To accomplish this we need a pseudonym and a completely spoofed profile.
We start with the absolute basic of the net, an email address. If we want a Twitter or Snapchat account we need an email, and many other sites that require some type of authentication ask for an email or cell phone number. That brings us to the real first step: setting up a burner phone. After all, if you use your own cell phone you are tagged from the start.
A cheap prepaid phone can be bought at Walmart or other outlets. Pay cash; your credit or debit card tags you, and ordering one online automatically links the phone to your clear ID and your home address. Not good. Use cash for the phone and for the prepaid plan. All you need is a plan with calls and text; you don't need to pay for data.
When you activate your phone they will want an email address. This is the tricky part. You need the phone number to verify the email and the email to verify the phone. Services are all about getting you to verify your identity in some way so they can track you and link your possibly numerous identities. If you use an email that is already verified as you, you just wasted your money on a burner phone.
Here is a little trick. Go to Google from the spoofed workstation, the one running plain Firefox, since Google doesn't like the Tor Browser and signing up from the secure workstation would burn it. Sign up for a Gmail account under your pseudonym. When you get to the page where you are asked to enter a phone number, stop. At this point you know the email address is available, so you can use it when you activate the phone. Activate the phone, then give Google the number.
Now you have an active cell number and an active email address. Google can send you a text to verify your email account and the phone service can send you an email to verify your service.
A few considerations for setting up both accounts. You will need a complete profile: name, date of birth, real-world address (in both cases you may be able to get by with just a city or zip code), the phone number for Google and the email address for the phone. Keep it all consistent. You are setting up the profile you will use with this virtual machine.
You are now, when using this VM profile, John Doe from Anytown, USA with a working phone number.
Make your new identity plausible. Don't be John Doe, and don't be some famous person or try to get cute and play off of your real identity. That is bad opsec. Pick a plausible name, date of birth, and use a town nearby where you bought the phone. You can even travel to a nearby town to buy the phone and use the wifi at the corner coffee shop to set things up.
When you connect with Firefox through Tor, Google may see you connecting from Moldavia, but that doesn't matter; they know you are using Tor. The phone's area code tags your general geographic location. If your connection were traced it would confirm that info, but it is unlikely anyone will break Tor and trace your location from one connection to Google. Still, don't pick a location hundreds of miles from where you bought the phone; that isn't plausible.
Developing and maintaining a spoofed profile is all about plausibility. If you offer believable information there is no reason to dig deeper and it is accepted. A red flag triggers elevated scrutiny. The more mundane and average the persona is, the less likely it is questioned. You are already waving a red flag by using Tor; you do not want to add to that suspicion by calling yourself Dick Jerkson from Hellsgate, Wyoming with an area code in Newark, NJ.
Your online persona should be seamless and credible without hinting at your real identity, and it should be consistent with your planned activity. If you are developing this persona for a blog and Twitter account to write about hacking and security, people will assume your name and possibly your location are false anyway. But you need strict opsec to be sure you are not divulging details that link to your true identity.
Stick to your part, but assume no one believes you and you are under scrutiny.
Using a spoofed persona is risky, but it's the best way to use services which require authentication without opening yourself to easy identification. Use a dedicated VM workstation for limited activity, and only the activity that requires the lowered security. If you can accomplish the task with the more secure workstation using the Tor Browser, do so.
Over time the new persona will gain a reality of its own in cyberspace, but over time the likelihood of your real persona bleeding into your spoofed persona also increases. The spoofed persona should only be used for a limited objective and then discarded. If it is going to be used for communication on a blog or social network it should be used for that exclusively. Even following links others post can add to the likelihood the Googleplex will link your activity to your clear activity or to another spoofed persona.
At this point you should have a secure Linux machine running Whonix in VirtualBox with multiple workstations for different tasks: one secure workstation for browsing and searching, and at least one with a spoofed ID for sites requiring authentication. Now it is up to you to keep your operational security tight and guard against leaking your own information. Google and other information aggregators are constantly looking for links between seemingly diverse sets of data. Stay safe out there.
Labels: anonymity, obfuscation, online security, opsec, security, stealth