One of the last things is at the end of the day, when it comes to being analysts, we are the weakest link.
We say this in security all the time, the human element is always the weakest link of anything, right? I can accidentally make a mistake, visit a site after building up a bunch of tracking cookies or doing something the wrong way. And now they know more about me than what I want.
Hey, everyone, welcome to NeedleStack the podcast for professional online researchers.
I'm your host, Matt Ashburn, former CISO and current open source research Wrangler.
And I'm Jeff Phillips, tech industry veteran, and curious to a fault.
Today we've brought together a panel of professional researchers from our sponsor Authentic8. Now we've been talking about digital fingerprints these first few episodes.
And so our guests are here to talk about how their digital fingerprints impact the way they go about their work day to day. The ways in which the ability to conceal a digital fingerprint has evolved over time and to provide some advanced insight into how you're tracked online and how to thoroughly blend in whenever you are conducting your research.
First, let's meet our panel. We have Adam Huenke.
So Adam served as a formally trained all-source military intelligence analyst. He then transitioned into the cyber threat intelligence realm through the financial sector.
So welcome, Adam.
It's a pleasure to be here.
We also have Amir Mohammadi. Amir is a security researcher and he has extensive knowledge of browser and digital fingerprinting and how you can be tracked online.
Glad to be here.
All right. So my first question here is going to go to Adam. Adam, how has the digital fingerprint impacted your experience as a CTI researcher?
From a CTI researcher's standpoint, phishing is one of our most common things that we do research on.
And when you're looking at phishing sites, the nature of these things is often targeting certain geographical locations.
If they notice you from outside that area, either you're not going to get access to it, or they can be suspicious and then change it up and make it difficult for you as a researcher to gain access to that site. Again, as researchers, all we're trying to do is get to the phishing site, see what it's really doing. If we're able to download what's been done on the site, because they left it open, we can do that as well. But it's one of those things where you have to be cognizant of what you're doing as far as from a digital fingerprint standpoint. We do use VPNs from time to time and the issue then becomes some of those VPNs get blocked, whether it's due to just the site itself, they know that it's a VPN, whether it's from Nord or one of the other ones.
And then lastly you got to be able to split your location for that digital fingerprint, right?
Where I can spoof my location, but I also need to make sure that my time zone, my language, my keyboard, everything matches up and also be able to access that site at the appropriate time.
Because there can be windows where it'll be shut down for me to be using because I'm in the United States and say, it's set up for Japan. I'm hours ahead or hours behind it'll shut down and not give you access to that phishing site.
Were there any issues with VPNs? You mentioned that you had to tweak some settings there and configure it and you mentioned some issues around geolocation. Any challenges there, anything else to be aware of?
Because where I came from in the financial sector where organizations are not just localized to the United States, you have customers worldwide.
Some of the regions, most VPNs only have a few exit nodes. You can't exit from everywhere. So again, it's just you're blocked from there. You're blocked because of that. And then one of the other things is also the IP addresses can have a poor reputation. And like I said earlier, they could be associated with that VPN either through that reputation or just in general, be associated with the VPN. Because they're advertised so often now you can buy a VPN service for $30 a year for five, 10 devices, right?
And the bad guys know this. Right. They know where it's coming from. They can do their research and figure that stuff out.
And I guess too, the VPN is good in as much that it is very cheap and I guess the tunnel itself is encrypted from your point to the VPN itself. And then beyond that, you're not really sure what's going on, but also it doesn't really provide you any protection from a security standpoint either. So you're still exposed to web-based malware and untrusted data that you visit while doing your research, right?
Yeah. And that's one of the things I had to assume the personal risk myself on my last job.
Because I had my own asset that I used and I didn't have a VPN.
I was going through a dirty line and I was just crossing my fingers, hoping that malware didn't get downloaded onto my machine. Thankfully I was using some, I was being careful, but you never know and things can happen. Right. It's one of those things.
Adam, you mentioned you were using a dirty line, I'd like to poke in there a little bit more. Can you give us an idea of roughly, what was the cost to pull together an environment, we'll call it a do-it-yourself environment, so that you could secure your access and where it allowed you to disguise your fingerprint?
So a lot of people don't realize the cost of doing business is going to be dependent on the size of the business.
The business I was at was a medium sized business. To buy a new computer that isn't tied to the company would probably be around $3,000 or $4,000. But then on the back end, you've got to look at the network you're going to have to build to get there, the VPN service, if you can get one, a dirty line that's not associated with that organization. And then you got to talk about who's re-imaging or who's taking care of these machines. If you buy five or six of these, you've got to re-image them every so often so that if you do get malware or if something does happen, they've got to be taken care of. And that maintenance cost goes up.
So you're talking roughly $10,000 or $15,000 per machine, per person on average. There's also potential for that company to assume the risk involved if something happens, right. Say something's misconfigured on the website, it says the company's name or something on the website, but on the computer it says the company's name somewhere in software or whatever they can be found. That risk to the company is either reputation or itself can be millions of dollars in loss, if you think about it.
Wow, that's pretty significant. And as we're talking about our digital fingerprint as researchers and how to minimize the risk there, Amir I'd like to ask you what are some of the ways that things can go wrong and where does the concern come from?
So you can be an analyst looking for information simply. And fingerprinting can happen in a lot of different ways. So fingerprinting essentially is attributes that come in sets. So there's categories to it. And these categories are tailored to the components and the browser. And you have network based attributes. You have browser specific attributes, you have plugin based attributes, you have hardware attributes and you also have the user attributes and there's more, it goes beyond that. It's just the tip of the iceberg. But as a researcher, you could be online.
You could be looking for different pieces of information. And some of the dangers from that, let's say we're looking for an email address and we're trying to figure out what sites are associated. During that process where you use, let's say, a free online service, because most people that typically look for new pieces of information, they use a free online service. That online service that offers that information and adds the capability for you to be able to piece from one information to another, that whole process of searching for the next set of information can be recorded and sold as resale for additional data.
So you could, for instance, let's say I'm looking for, like I mentioned prior, email to services associated with it. And then I search for it and then that tool takes that information, what I searched for and then offers it as part of a different service that says somewhere along the lines, Hey, type in your email and we'll tell you, who's looking for you. And so for them to obtain that information requires the fingerprinting aspect. So from a researcher perspective, if you're hunting, let's say an adversary of some sort, the fingerprinting nature that these sites can perform on your browser can be devastating from the perspective that it may tip off an adversary and cause them to perform some sort of damage control procedure after realizing that, Hey, someone in fact is looking to me and the fingerprinting aspect behind this, it's very simple, matter of fact.
You don't necessarily have to take as much information as possible. It's more or less a combination of information taken from each classification of fingerprinting attributes. So it may be an IP address. And then I simply take your browser version number. And then I formulate the two together, formulate a hash and the hash I obtain can be used across different sites.
I can calculate the same exact hash and that's sort of where the tracking comes in place from one site to another. And so there's a clear danger from that perspective. But there's also the danger of maintaining all these different attribution vectors. So I'll give you a simple example. So Google recently, a while ago, they were trying to introduce these FLoC IDs and they were kind of an advertiser friendly way of tracking your web navigation from one place to another.
The attribution factor here and the danger behind it is, let's say I am using something like Chrome to navigate the internet and collect information on, honestly, a week to week basis. I need to keep up with all the new web technologies that may allow someone to use them to fingerprint against me. And so these FLoC IDs are a perfect example. Just this week, matter of fact, they're being retired and replaced by a new thing called Topics in Chrome, which is supposed to outline what your interests are to third party sites. Now, for this transition from FLoC IDs to Topics, it may seem minuscule and very minor, but that small detail can be leveraged by these sites at any given moment.
And that could be used in comparison to detect a flaw in your persistency. Your VPN may protect you from the IPv4 that's passed on, but it may not protect you from the WebRTC IP address or the IPv6 IP address with the WebRTC local IP address, and the list just keeps on going. So yeah, there's also the danger of maintaining persistency in your environment if you're trying to spoof to something.
That's a lot to keep up with, wow.
Adam, I do want to go back to you on a question, because you had built some, looked to build some of this on your own. And we've got a lot of parameters here that Amir was just talking about that you need to keep aware of. Although I guess as a user of Chrome, day to day, it's just happening. These updates are just happening and I don't care about them if I'm not deep into the research, but if you're out there trying to manage your digital fingerprint, then you need to do so. So what do you feel you were missing when you were using your personal machine that our listeners should be aware of?
And maybe they're dealing with that too.
From a personal machine perspective, I'm putting all my data at risk, right? I have years of photos, programs, my college degree stuff that I worked on here that I could potentially lose if I get malware or ransomware or something like that. So, if I'm working at an organization I'd love for them to help give me a device to do this with, right. On top of that, I'm using built in tools that may or may not work just because of the type of computer I'm using. But the company may have some better access to tools as well, from well known companies out there like Cisco and Palo Alto, where you have basic pseudo sandbox Windows that you can surf the web from.
You're still coming from that piece structure of that organization. But at least you're protecting that organization because you're using a VM of Windows to go surf the internet. Not necessarily the greatest thing, but because it's just security focused and not a digital fingerprint focus, right? It's still showing that I'm coming from whatever organization name, the IP space and I can't change anything other than it's a Windows box. And then lastly, as a researcher, one of the hard parts is keeping your sock puppets straight. Right? And for me it was a challenge.
I had a spreadsheet where I'm okay, I'm going to pretend to be this person this day. And then tomorrow I'm going to be this person this day and they may use different computers from different time zones. And it's just, it's a mess. And it's one of those things where at the end of the day, if you mess up, the next thing you know is you have the hazard of a friend recommendation for something like that coming up where maybe I forgot to log into the right Facebook account. I ended up using my personal account. I'm researching somebody. And next thing you know, I've got a friend request for that person because I was searching for them.
And they may have a friend request for me and they are going to go, who is this guy? Why is it popping up as a friend request? It's not something you want to have. If you're a security researcher, or someone doing research on individuals like that.
And Amir, I'd like to ask you, so in our podcast, we've mentioned the term digital fingerprint, browser fingerprint. And the idea that your digital fingerprint is comprised of attributes about your network, your browser fingerprints or attributes about your browser and then of course the user's behavior. A lot of people may understand the first thing and the last thing, but that in the middle seems to be a bit obscure to some folks. Can you explain to us a little bit about what browser fingerprinting is and some of the high level techniques and what the risk is?
So for just regular browser fingerprinting, you have your user agent. It may be a mix of what plugins you have installed. So for instance, if I'm running Firefox and have VLC installed, VLC is a standalone package, it sits outside of Firefox. And so when you install it and you introduce it and you have the right codecs for it, that are supported in the browser, you can attribute based on that. There's also a little bit more complex methods of fingerprinting from a user perspective. So you can be spoofing all your attributes, but then when the user introduces their own set of software and their own preferences to the browser, automatically that browser's tailored to them.
And I'll give you two fairly new examples and they're not necessarily new, but they've been lingering for a while. And I haven't seen that many sites take advantage of these, but these are points of attributes that you should be very well aware of since it is the end user that introduces them. So one fingerprint technique actually allows you to see what sites you're logged into. So let's say I'm logged into YouTube, Gmail, et cetera. On a third party site, I'm able to calculate that they are logged into those sites.
And the method in which that's used for that is this method where all these sites, they have this login after redirect scheme. So this is where you log into the site and then you redirect it to another page.
And during that redirect, what you can do is you can replace the artifact that you're going to be redirected to, to a simple thing like the favicon. So the favicon is this icon you see in your tab and you see it on every website, every website has one. And the problem with that is when you combine both the login after redirect and the favicon together, it gives you a standard way of figuring out if someone is logged in. And the way that works is quite simple. So, if I try to load the favicon as an image on the website, if the image doesn't load, it means you're not logged in because the redirect never happened for that resource to be loaded.
Now, if the redirect does happen, then the image is loaded and that tells me that you're logged into that site. So that's just one user based attribute that is often overlooked, but is very helpful in figuring out what kind of user is trying to access my site. The next one, and this kind of goes again with user attributes is extensions.
So you can actually figure out on certain extensions if they're installed or not. And the way this works is, all extensions that you install, they come with this manifest. And this manifest specifies at the bottom in the web accessible resources. It simply states that, okay, these resources are available to the extension, but they're also available to third party sites because it requires this interaction for the extension to work properly. And so what you can do is you can target these specific resources to tell you essentially, if that extension is installed. So these are just two attributes, but with these two attributes, I'm able to essentially profile someone and go, okay, yeah, you're interested in X, Y, Z, you use these type of tools.
And so now I know what kind of user you are. This gives me a general idea, and this isn't something necessarily that you can install an extension on and protect yourself from. This is core functionality that the browser supports already. It's not necessarily something that people are trying to fix or anything. It's not necessarily something that everyone's abusing, but it is something that you, as a user introduced to the fingerprint, not necessarily oh, I have this specific user agent and you can spoof that all you want, but then these user attributes, they're the ones that are going to get you, because you are the one that's introducing them.
That's pretty interesting. And especially, we're thinking that we're doing research on behalf of an organization. The fact that adversary websites, adversarial websites, I should say, can actually determine if we're logged into a certain page or not.
That can be pretty telling right, from the adversary's perspective and concerning from the researcher's perspective, because if you have your corporate, let's say your email open, right, and they can detect that, that's a pretty big concern. And they can gain some additional insight. And so they can then associate your research with you as your person or you as the person representing your organization. You mentioned that there are some extensions out there too. So can you expand a little bit on that and how can we maybe use extensions and what are some of the things that to look out for there?
So there's a lot of extensions online that help you spoof specific attributes and they're classified a lot differently. So you have the ones that help you just change the value. So, if I want to look like a different browser, it typically changes the user agent. There's extensions out there that offer proxying services. So that helps you mask your connection. They're not perfect. And I'll detail exactly why, and then you also have some really good extensions like NoScript, that their sole purpose is to block elements by default. And so it is your job to add them to an allow list over time as you're navigating different websites.
So this is a different approach. And the problem with a lot of these extensions, the ones specifically that help you spoof some of your attributes is they're not persistent in the way they do it. So well, like I spoke on this before, one extension may claim that, oh, I can help you change from one browser to another, I can help you look like Firefox instead of Chromium. All right.
Now the navigator object, again, also supplies the CPU architecture of the browser that you're running. So you might be running the browser under Linux, but then your user agent is claiming Chrome with Windows on it. And so that in itself is another persistency problem. So a lot of these free tools out there, the primary danger of using them is that even though they claim that, Hey, I can help you change your user agent or Hey, I could help mask your IP address. There might be a leak in the persistency if an adversarial site is crafty enough to notice that persistency problem and do a comparison against the two.
And so that's usually the danger behind some of these extension tools. They do exist, they're not perfect but it is something to keep an eye on.
Yeah, I appreciate that, thanks.
Adam, any final thoughts or words of advice that you'd like to give the listeners out there today?
I touched on sock puppets earlier, and I want to give some advice on that.
In the sense that, be aware that, you got to be assured that your organization actually allows you to use them. There's some legal issues that are involved when creating and using sock puppets, especially if you're using it to log into other sites that have user agreements that you may be violating because you're pretending to be somebody else. So if you're going to have sock puppets, I would say A, make sure your organization's good with it. B, have a policy in place to track it, so that in case of legal investigations, let's say you've got to submit this to law enforcement. At the end of the day, you can say, look, I used this, this is why, if X social media site says that something's wrong.
Well, here's why I did it so that I could do it this way. And the law enforcement team will take it from there. And the legal team will take it from there and do it to make sure that you're not in trouble. You're not violating that end user license agreement that you sign up for, for some of these things. One of the last things is at the end of the day, when it comes to being analysts, we are the weakest link. We say this in security all the time, the human element is always the weakest link of anything, right? It's not necessarily a machine or a network that gets you in trouble or downloads malware.
It's the human clicking on the phishing link that they got, or going to a malicious website or doing the wrong thing while they're out there. So it's the same in research, right? I could accidentally make a mistake, visit a site after building up a bunch of tracking cookies or doing something the wrong way. And now they know more about me than what I want. So, say, and I think Amir mentioned it, about the persistence of cookies and everything around you when you're surfing the internet. So if I start my day looking at Fox News and then go to this website and I'm going to Amazon, all that stuff gets linked together.
Then I say, okay, now I need to go do an investigation. Well, now I've gone to CNN or Fox News. I've logged into Amazon. That all gets carried with me if I use the same browser, right? So now I made a mistake. I should have just closed everything out, started fresh. Right? And that's one of those things where, again, we as humans, we make mistakes. We're fallible. So we are the weakest link sometimes when it comes to managing our fingerprints.
Amir, anything else that you'd like to add?
Yeah. I mean, the human operator is obviously always the weakest link and practice good hygiene. Don't reuse the same information. If you're performing some sort of research operation on some sort of adversary that you're willing to hunt down, don't reuse the same password everywhere. Don't reuse the same email. Your tools could be as good as they come, but it boils down to how you use them.
Well, Adam and Amir, thank you guys so much for being here today and everything you've told us about digital fingerprint, browser fingerprint.
And even some of the tips and tricks that we need to know as researchers to prevent attribution of our research to ourselves or our organizations. Let's go to Q and A and we'll take a couple of questions from the audience today. Jeff, what questions do you have from the audience?
Thanks, Matt. All right. So I'm going to throw this one out. Maybe Adam, you can take the first crack at it. And the question is, do you have any examples of criminals or suspects being aware of and leveraging a digital fingerprint?
Yes, actually. So when you look at, from a financials perspective, financial institutions, again, phishing is the biggest problem they have, right? There's phishing emails going out and targeting the customers. And when they're looking at the customer to try and they click on the link and they go to the site, they're not just looking for that username and password to get into your bank account. Because in the banking industry, they've gotten smart to where they've fingerprinted your devices over time to make sure you're who you say you are. So those criminals are now doing that as well.
Not only are they getting your username and password, they're getting what your device fingerprint is, so that they don't get blocked from a perspective of trying to log in and access your account.
Amir, any thoughts from your perspective on, again, criminals or suspects leveraging digital fingerprints against us to do harm?
Yeah, sure. So there's different classifications of adversaries that leverage your browser fingerprints. So Adam mentioned how there are these adversaries that take advantage of your fingerprint to bypass AML anti-money laundering systems. And you also have criminals that leverage your fingerprint from the perspective that, oh, okay, maybe I'm not financially motivated. Maybe I'm an initial access broker is what they call them. And I just want to gain access to this user's machine so that I can perhaps sell the access to a different classification of adversary that might leverage it.
And so from a fingerprinting aspect there, all they would need is your browser and then the version number. And they could also leverage plugins too, install plugins with version numbers. If you get a component and a version number, you can tailor vulnerabilities to the browser and you can use that to gain that initial access and sell it for more. So there's that. And then there's of course, the classification of adversaries that Adam brought up, regarding financially motivated ones. It's interesting about that field of fingerprinting, because the adversary that actually takes advantage of the fingerprint to log into someone's bank account, bypassing AML, they may not necessarily be the same that also grab that fingerprint.
So there's a lot of these sites called config shops out there, where you can pay almost a dime to purchase an entire fingerprint of a user in order to leverage it to log into said sites that leverage the same fingerprint to detect login anomalies.
And what's interesting there is people will go to these config shops, they'll buy a config, and they'll load it in these specially designed browsers. And these specially designed browsers are called anti-detect browsers and the sole purpose is to take a fingerprint and to leverage it so that you look identical to that fingerprint. And it really depends, does the adversary have persistent access to a user's fingerprint, right? Could they obtain a victim's fingerprint on a day to day basis? That might not be true. They might only have access to it on a week to week basis.
And so it really depends on how crafty your adversary is and how they're motivated. But there's definitely leverage behind using this fingerprint data to bypass a lot of these systems in place.
So our second question is for Amir here, what are some of the other dangers related to digital fingerprinting that we as investigators should be aware of?
Yeah, really I think, well, fingerprinting, like I said before, we only explored the tip of the iceberg here.
And there's a lot of dangers behind that because it's very hard to account for all these different attributes. It's very hard to maintain it and keep up with it and be persistent about it. And so sometimes that whole process of just keeping up with what a digital fingerprint is and what some of the latest techniques are, it can get very difficult. I think a lot of investigators need to be fully aware that it really depends on what site you're visiting and how crafty your adversary is. And your best bet is reconnaissance before you actually decide to engage.
Well, Amir, Adam, thanks again for joining us today and thank you at home for your time as well.
Thanks to all those who attended our live show today, and especially to those who submitted questions for us to answer or for our guests to answer today.
And for everyone else out there, if you liked what you heard today, you can subscribe to our show wherever you get your podcasts. Watch episodes on our YouTube channel and also view transcripts and other episode info at our website, authentic8.com/needlestack, that's authentic with the number eight. Next week, we're going to talk about some of the tools and tricks and techniques that you can use to help manage your digital fingerprint. Today we gave you some of the risk, next week we're going to talk about some of the tools that you can use that are available to you as researchers to make your life a little bit easier as you conduct online research.
You don't want to miss it, stay tuned for next week.