Persons in control of websites that you visit have a very unique, almost godlike view of all of the data flowing in and out of their systems. And so, they see dozens and dozens of data points, if they would like, about you. And all those attributes combined can create a very unique signature and a very unique picture of who you are. And then over time, this information can be assembled. And as an investigator, the concern is it can uncover your intent or even the specific goals of your investigation.
Welcome to NeedleStack, the podcast for professional online research. My name is Matt Ashburn, a recovering CISO, and I absolutely love internet research and all that it has to offer.
And I'm Jeff Phillips, tech industry veteran and curious to a fault. Which makes me excited, because today we're going to talk about what's in your digital fingerprint.
Now, first, Matt, what we're going to have to do is we're going to have to define what exactly a digital fingerprint is, and then we'll want to go into, what does it say about me when I'm conducting research and actually the intent behind what I'm researching.
So, I know it can give away who I am and what I'm trying to accomplish. And then of course, last but not least, how it can be used against you in terms of the consequences of not properly managing or cloaking your true to digital fingerprint.
So, Matt, there are a lot of people conducting online research for their organizations and they don't know what a digital fingerprint is, how it can impact their ability to collect information, in particular to do that safely and reliably.
Can you give our listeners a little digital fingerprint 101 to get us started?
Absolutely. So, when you think of a digital fingerprint, obviously, the word fingerprint is reminiscent of our actual fingerprints, something that's unique to us as a person or at least within a certain realm of certainty. And a digital fingerprint is exactly the same. It's a set of unique attributes that identify you as a person or certain behaviors and things like that.
So, think of your digital fingerprint as being something that is unique to you. So, that can include a number of things. It can include certain attributes that are passed to websites by the web browsers, so, your operating system, your device that you're using, the language settings that are there, time zone settings, all of those things, as well as the location. So, your IP address, for example, that you're using to browse the web belongs to a certain internet provider in a certain region of the world that can also be used as an attribute to help identify you.
And also, your behavior. A lot of people forget about this one, but your behavior is incredibly important when doing online on research, because we all have our own habits and our own ways of doing things, own methodologies, own ways of asking questions in Google, for example.
And all these things combined, really create a very unique signature that we call our digital fingerprint and it's extremely unique. And in fact, there are a number of security researchers and academics out there that have come together. And if you go to the website amiunique. org, you can actually go there yourself and take a look at your browser fingerprint even, and see how unique that is to your specific device. You may think that you're just using an off the shelf computer or a virtual machine or something like that, but everyone has its own quirks and the unique attributes that really can compromise your investigation.
Matt, I actually went to that site earlier today, and I have a laptop that's been handed out from my company. I would've thought that it's pretty generic, but I actually saw indicators where less than 1% of the population out there had similar elements on their laptops as I did.
And again, this isn't my personal machine, this is one that a IT person put together for me that you would've thought was generic. So, I was very unique in certain elements of my fingerprint.
But let's go. Let's talk about the technology side as far as why this is a thing, why there is a digital fingerprint. I know you talked about the way you research also can impact you. Having this ability to track digital fingerprints actually serve some purposes, was designed for a reason. What are some of those reasons why it's even in place?
Yeah, absolutely. So, there are a number of reasons why a website or someone would be able to obtain attributes about your device or about you or your browser, a number of very valid reasons for that. So, if you go back to the early days of the web, web browsers from the very beginning were designed to present to websites your operating system, language settings, the specific version of your web browser, all of those things, very specific information. But really, that was more for compatibility. Websites, they needed to know the type of browser that you're using so they could present material that would be compatible with that browser, for example.
Then as the web evolved, there became more and more use of this information. So, for advertising, for example, advertising to people that maybe have a specific language or are in a specific region, things like that.
But it's important to note that the persons in control of websites that you visit have a very unique, almost godlike view of all of the data flowing in and out of their systems. And so, they see dozens and dozens of data points if they would like, about you, and that all those attributes combined can create a very unique signature and a very unique picture of who you are. And then over time, this information can be assembled. And as an investigator, the concern is it can uncover your intent or even the specific goals of your investigation.
That's really interesting, because you mentioned on the advertising side, which all of us are familiar with, which on one hand can be annoying, if you will, that I search for something and it follows me everywhere I go and I'm seeing that ad. But when you talk about that having superpowers on the other side, it's not as innocuous as you might think. So, if I apply that to now, doing research professionally for my company, for my job, you can start to see where this might be a problem, especially if I don't want the person on the other end, if they're an adversary or someone that I'm trying to track, being able to find this out.
So, I'm thinking of law enforcement, of course, looking after criminals, government looking after foreign governments. But even in this, if I'm in the cybersecurity center and dealing with phishing attacks, whether I'm in a team that's trying to keep an online community safe from fake news.
And so, I need to understand and go research these people, that on that other end, they have as much power as almost my IT team does too. They're as sophisticated. So, beyond annoying. It can really have an impact on that types of research.
Yeah, that's very true. And once the target of an investigation or once the owner of a website realizes that you're doing whatever it is that you're doing, collecting information, maybe you're going a scheduled job, maybe you are using certain search terms in a certain language, that type of thing. And any of these things can tip them off that you're doing something unusual, that you're not quite blending out at the crowd. They can either block you all together, or maybe going into hiding. If they're a target of an investigation, your investigation may be prematurely disclosed to them.
So, if you're looking into a suspect's activities online or researching them on a social media site, something like that, you don't want to prematurely disclose that they're being investigated because then you lose the elements of surprise. If you're looking at the more complex or more capable adversaries, they can even target you with disinformation or misinformation, and give you false information.
If you're going to a website in a certain time of day, then maybe that sticks out or something like that. And they realized," Hey, this is someone who is maybe not a legitimate visitor to the site, let's give them a different version that provides disinformation or misinformation." And then of course, there's always the ever present risk of malware. As investigators, we many times have to go to untrusted websites or websites that we know in fact are malicious, in the case of a cybersecurity researcher or a soccer, something like that. And in those cases too, they may be hyper aware and could even potentially, based on the information presented, narrow down where you are in a region or your organization, or even you as a person, and even at that point, start retaliating against you in some way.
Exactly. Wow. So, there's the aspect of, this is bad, all of those elements from my research being compromised, getting disinformation, retaliation against me or my organization. Those are all pretty impactful things. And why we're talking about, really, you got to understand this fingerprint. But I think it might be helpful if we put this in some real world scenarios, in terms of, which details of your digital fingerprint could point to your real identity or the intent behind whatever research you're conducting?
Absolutely. There's a ton of them out there. And if we think back to the components of a digital fingerprint that we just discussed, one of those big ones in my mind is your online behavior. So, something as simple as going on a social media website, let's say Facebook, just as example, and starting to search for someone's name that you've never searched before. And you start digging through their friends list, digging through their activity, looking a lot of their photos. On the back end, Facebook may put two and two together and say," Well, this person seems awfully interested in this other person.
They're essentially going through and viewing everything about their life, perhaps they know each other." And so, the algorithm may actually choose to present to the target of your investigation a friend suggestion for your account.
And of course, if the target of investigation starts getting some very strange friend suggestions, that may tip him or her off that they're under investigation or under some ever increasing level of scrutiny. And then they may go dark or may change their behavior or start deleting content or any number of other things that they could do. So, that's one that sticks out in my mind as a very obvious example. And we know of cases where similar things to this have happened. It's fairly easy to detect when something's anomalous.
And we can all can relate on social media, how that tends to work and what gets recommended to you. So, that makes a lot of sense. And again, as you sit here and think about what happens to you in your personal life and where these suggestions come from and start applying that to your professional online research life, there's a lot of reason to be careful.
So, maybe we move into some tips here. I'm thinking about tools that some practitioners will use to try to combat these kinds of things.
And I know a lot of people, a lot of our listeners are going to jump straight into thinking about if there's VPNs, there's using incognito mode within your browser or private browsers, there's search engines that say they don't track you like others, say DuckDuckGo.
We've talked about practitioners. And I know that go out to free public wifi, so these are all better than nothing types of solutions.
Now, we're going to talk in the next episode to tease that a little bit about what are some of the shortcomings of these solutions.
Again, they serve a purpose and they're better than nothing, but they do have shortcomings. But that's one category of things you can do, VPNs, incognito mode, and using search engines that don't track you. There's that whole next category of purpose built tools or about managing your attribution or managing your digital identity in terms of manipulate your location. You mentioned device type, OS. So, I know there are platforms that actually enable me, enable people to do that.
Then of course, I think there's tips which you're way more in tune to, which are how you actually conduct your online research so that you don't have to establish those rhythms and connect things together.
Yeah, that's true. So, there are a couple of components there that you touched on. One is being able to disguise who you are. So, think of it as almost like a cheap disguise where you want to change your immediate appearance, maybe put on a hat or something like that. In the real world, well, and the digital world, the research world, those are fairly easy things to change, like changing your browser, your operating system, your location. And you need to make sure that whatever you're presenting to the website that you're researching or presenting to the target of your investigation is consistent with that region.
So, put on a disguise that matches and blends in with the traffic of that target region or that target himself.
So, you need to make sure that you understand the regional differences. There are different web browsers and operating systems that are used all around the world. And depending on the region, a certain web browser may be popular versus another. And so, there's a great website out there, statcounter. com. They're a global stats service out there. You can actually go to gs. statcounter. com and click there and choose a region of the world. And you can see very quickly the types of mobile devices, desktop devices, operating systems, web browsers. All of those things are there ranked by popularity.
So, that if you're trying to blend in, you want to try to use some of those attributes perhaps to look and feel like someone in that particular region. It's also important that you prevent any kind of persistent tracking, so cookies that may resonant on the device and things like that, that you're using.
Even if using a local VM, make sure that you clear that out and clear any of those local cookies or other sort of digital pocket litter that may be there within that session. And so, you can use a disposable web browser, for example. And then also, again, I'm going to foot stomp here, your pattern of life, the behaviors that you use. This is a case where you may want to use some automated collection or a scheduled collection, particularly if you're researching a target of an investigation that's in a different time zone. If you're researching somebody that's in a foreign country or even a different time zone of your own country, you want to make sure that your research is compatible and consistent with somebody in that same region.
So, if you're on the East Coast of the United States, researching or investigating someone that let's say is in maybe London, England, you want to shift your research by a few hours there so that you're consistent. And if you don't want to wake up maybe five hours earlier, so then you can use some scheduled collection there to still go collect the information you need to collect, and then do the analysis during your regular business hours.
There are a number of solutions that are out there for these things. You can certainly have a local virtual machine that you create and manage, things like Kali Linux, especially are good for cybersecurity research and things like that. Of course, those come with a local network connection, so your network connection is still within the United States here or wherever you are around the world. So, that can also be a bit of a downside to those things. And so, you have to manage a separate network for those things. There's also, cloud- based virtual desktops. You have Amazon Workspaces, you have a number of other cloud providers that are serving desktop as a service with different points of presence around the world.
Of course, that's great. Then you have to still deal with the malware risk of moving that data back and forth and maintaining those various systems and there's a cost to that as well. There's also some local container based projects like Kasm, for example, Kasm Workspaces. They're container based system there, so that way you can plug and play whatever features you'd like. But same risk there as with a local VM, in that you still have to maintain a global network there to make sure that your location is consistent. Now the best of the best, and in my opinion, fully featured enterprise level services through something like a managed attributes and solution.
There are a number of these out there, for example, Authentic8 Silo, these are all in one easy to use services that combine the best of all these. They give you a nice disguise, so you can tweak your browser fingerprint. You can also change your location via a global network of points of presence around the internet. And also work in the scheduled collection, that way your pattern of life is consistent with the region that you're researching. So, there are a number of ways to do that, it all depends on what your mission is.
And your mission and your budget, of course, with money all things are possible.
I will never forget pattern of life.
And now, I'm thinking about every morning when I come in and fire up and just how I go through certain steps, I hit certain sites in a certain order every day.
We all do it, yeah. I go to Reddit first thing in the morning. So, and then after that, I browse a couple of links there, then I go onto my news sites. I think everybody has their daily habit.
Everyday. Wow. Well, to me, this has been amazing. So, being aware, and first of all, understanding that you have a digital fingerprint. Hopefully we've done that today on our podcast. But having that understanding that it's even there, being aware of it, knowing some of that is step one. And then getting into some of these tools, which we'll continue to talk about through future episodes is going to be fundamental to being successful.
And success is whether that's being more efficient, whether that you mentioned protecting from malware.
But then some of those other things where, whether it's retribution or losing a lead, those are all downsides to not understanding that you have this thumbprint that is very unique to you. So, super interesting stuff today.
Yeah, that's exactly right. And the key thing here is you can't remove your digital fingerprint completely. You're always going to have some level of fingerprint. You just need to be aware that it's out there and be able to manage the risk and manage that in some way. So, that way you're mitigating the risk that's appropriate for whatever your mission is that you're accomplishing. Well, we'd like to thank everybody for joining us today. If you'd liked what you heard today, you can always subscribe to our show, wherever you get your podcast. You can also watch episodes on our YouTube channel and also view transcripts and other episode info on our website. That's Authentic8, that's authentic with an eight dot com/ needlestack.
We'll be back next week to talk more about what VPNs and incognito mode and free wifi and all these things that sound really great, we'll talk about how they still give away your digital fingerprint.
Even if you think that you're buying something or getting some security value there, it's still very risky. We're going to tell you all about that and go into more detail on that in the next episode. See you then.