You can run… but you can’t hide (without a lot of work)

Imagine if the police knew exactly what you do online. Imagine if the PTA knew of all the porn sites you scan secretly, the vitriolic comments you leave on blogs, and the number of hours you spend playing Farmville.

Here in Denmark, police have recommended to Parliament that it create laws that make it impossible for citizens to surf anonymously. According to Danish-language blog Computerworld Denmark, the proposal is intended to help investigate terrorism.

In the proposal, locations providing open Internet, like cafes and libraries, would have to confirm a user’s identity, with some form of official ID, before letting them get online. Companies may also have to register and verify users’ identities before providing access, as well as retain records of user logs.

The Internet is a realm of information. Anyone can go online and find out about any subject that interests them… but how much can they find out about you?

The answer – more than you would think!

Lets take a normal example… a friend sends you an address of a web site to go to, say www.geekcentricity.com – and you go there. Now, the owner of the www.geekcentricity.com can look in his server logs, and if he wanted to (not that Darren would, mind you) – determine the following things about you:

• What Internet Provider you use (i.e. AOL, Comcast, etc.)
• Your IP address (which uniquely identifies your connection to the ISP)
• What Operating System you use (e.g. Linux, Windows 7, etc.)
• What browser you are using (Firefox, Chrome)
• Where you are in the world (Sweden, America, Japan – as well as which city you are in)
• Your screen resolution (e.g. 1024×768)
• The URL you were visiting before you went to www.geekcentricity.com (e.g. www.google.com )
• And more…

For proof that this is possible – go to Anonymizer and look at what they know about you already! Visiting a web site is not the only way someone can get information about you though. Every time you are on MSN, playing an online game, and using email, you are giving away more information about yourself.

Your computer has several signatures it leaves wherever it goes.

The first is your MAC address. If you use a wireless service at a public venue or a hotel, they may be required by law to maintain your MAC to IP address information and keep your browsing logs.

Your browser itself may have cookies (browser, JAVA and Adobe Flash), specific version information about your computer and the browser that can personally identify your computer/browser.

So while it may not be easy to tie your name to a web site you have visited, it is certainly possible.

How is this possible?

Well, your computer is making a connection with the web site right? So, for that web site to send you information – it needs to know your IP address. Bang! it has your IP, which it can then convert to a hostname and see what ISP you are with.

The site needs to have information like your browser name and version, screen resolution, operating system etc. so that it knows how to correctly display the page for you. For example, some sites look very different in Firefox and Internet Explorer, so sometimes the site will have two version of the site – one for each.

It will then perform a check on your computer to find which browser you are using, and then display the right version of the site. Useful huh? Well, the problem is – any site can get that information just simply because it wants to know more about you

Java/javascript also has commands and functions that will find out information about you, and cookies are a wealth of information to the web site owner.

Don’t forget browser holes and exploits as well – if your outdated browser has an exploit, they may be able to exploit it and get more information.

What can I do to stop them finding out this information?

There are many different levels you can take this to…we will start off simple, and get more paranoid:

Proxies

Okay, so proxies aren’t strictly for making you more anonymous – but they do. Proxies are meant to be there to speed up your Internet connections.

Your web site request goes through to the proxy (which will hopefully be located a bit closer to home, try and pick a proxy in your own country) which then checks its cache to see if any of its other users have accessed that page recently. If they have, it can then perform a simple file size check at the site (to make sure the page it has is still up to date) and if its okay, it can send it to you. And all that should take less time than you contacting the site yourself.

So how are proxy servers anonymizing you ask? Well think about it – do you actually make any contact with the web site? No… the proxy does it all for you. Therefore, the web site won’t be able to get any information on you.

There are some exceptions, as some proxies aren’t completely anonymous (they may pass some data across to the site), but the way to check this is to use the proxy to go to a test page like the one at Anonymizer and see if they come up with your details, or the proxy servers details.

To get a proxy, you can either:

Ask your ISP if they have a proxy server for you to use

Find a public proxy, there are lists all over the net

Do a search at a good search engine for “public proxy servers” or similar.

Also, there are different kinds of proxies for different kinds of Internet activity. For example, you can get HTTP proxies for web browsing, FTP proxies for accessing FTP servers, Socks proxies for telnet and IRC etc.

These different proxies usually use different ports to each other. HTTP proxies are usually something like ports 8080, 8010, 1080, 80 and Socks usually use 3128, 1080.

Encryption

If you ever get your computer hacked by someone over the net, or someone hacks your email – they are going to be able to go through the private information. Encryption is a way of making your private files and emails unreadable to anyone who doesn’t know how to decrypt them.

Obviously, some encryptions are trivial and can be cracked in minutes (Caesar shifts, XOR encryptions, character substitutions etc.). However, there are encryptions out there that are very very strong. And your average script kiddie who breaks into your mail will not have a chance in hell of decrypting it.

See our article “what is PGP / GnuPG?” for more information.

Web based email accounts

Generally, web based email is good to use. You can sign up for a web based email account, and you don’t really need to give them any personal details. Obviously, Gmail is an example of a web based email service.

Ever been to Hushmail? They are an anonymous web based mail service. And they offer very strong email encryption as well. Basically, when you use your hushmail account to send a mail – your IP address is not included in the email headers which means that the receiver of the mail can’t trace you back to your ISP – they can only trace you back to Hushmail. However, Hushmail do not keep any details about you – so effectively you are anonymous.

Spyware / Adware

Spyware is any software that covertly gathers user information through your Internet connection without your knowledge, usually for advertising purposes.

Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware.

You should scan your PC regularly to remove Spyware/Adware using a scanner such as Ad-Aware.

Cookies

You may have heard people ranting about cookies, but what are they, and why might you not want them?

When you visit a web site, it is entirely possible that the site could place a cookie on your computer. A cookie is basically a piece of information, stored in a file on your computer. These files are refered to as cookies, or cookie files. Basically, the site can put whatever they want in the cookie, and then access the cookie again when you next go back to the site.

Why do this you ask? Well, its simply for convenience. Ever logged into a web based email service – and then found that next time you go back there it automatically has your login name entered for you? or ever been to a web site which actually tells you how many times you have visited the page before? The site knows this because the information was stored on your computer.

For example, IE has facilities for cookies – and you can turn cookies off using the options. However, you will suddenly realize how many web sites use cookies – and how many web sites get annoyed when they can’t use cookies on you.

It may also be worth mentioning that some cookies are only present for the time that you have the browser open – these are generally used for security purposes, like when you login to your web based email, and then goto another site, and then go back to your mail – it might want to check the cookie to make sure you are the same computer that accessed the mail a short while ago. So think carefully before turning cookies off.

I am really paranoid – what can I do?

Okay – so you want to take it a stage further? Well, this is actually a good idea anyway. Here we go:

Get a personal firewall – There are loads out there and some of them are free for personal use. Just do a search in a search engine and you should find some – AVG is a good example.

Switch off java/javascript. Your browser will have an option for this.

Turn off cookies. Your browser will have an option for this.

Use Privoxy. Basically, this is a web filtering program. You can set it up so that it also sends back ‘altered’ http headers – so you can fake what browser/operating system etc. etc. you are using.

Lastly – there’s Tor. Tor is an onion-routing system that maximizes network security. Tor is used by the military, journalists, politicians, etc. to secure sensitive data and such. However, anything outside its network range is compromised.

Here’s a list of what it does:

• Tor only protects Internet applications that are configured to send their traffic through Tor — it doesn’t magically anonymize all your traffic just because you install it. We recommend you use Firefox with the Torbutton extension.
• Torbutton blocks browser plugins such as Java, Flash, ActiveX, RealPlayer, Quicktime, Adobe’s PDF plugin, and others: they can be manipulated into revealing your IP address. For example, that means Youtube is disabled. If you really need your Youtube, you can reconfigure Torbutton to allow it; but be aware that you’re opening yourself up to potential attack. Also, extensions like Google toolbar look up more information about the websites you type in: they may bypass Tor and/or broadcast sensitive information. Some people prefer using two browsers (one for Tor, one for non-Tor browsing).
• Beware of cookies: if you ever browse without Tor and a site gives you a cookie, that cookie could identify you even when you start using Tor again. Torbutton tries to handle your cookies safely. CookieCuller can help protect any cookies you do not want to lose.
• Tor anonymizes the origin of your traffic, and it encrypts everything between you and the Tor network and everything inside the Tor network, but it can’t encrypt your traffic between the Tor network and its final destination. If you are communicating sensitive information, you should use as much care as you would on the normal scary Internet — use HTTPS or other end-to-end encryption and authentication. HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites.
• While Tor blocks attackers on your local network from discovering or influencing your destination, it opens new risks: malicious or misconfigured Tor exit nodes can send you the wrong page, or even send you embedded Java applets disguised as domains you trust. Be careful opening documents or applications you download through Tor, unless you’ve verified their integrity.
• Tor tries to prevent attackers from learning what destinations you connect to. It doesn’t prevent somebody watching your traffic from learning that you’re using Tor. You can mitigate (but not fully resolve) the risk by using a Tor bridge relay rather than connecting directly to the public Tor network, but ultimately the best protection here is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them.

 

On the other hand

Don’t use the internet. It’s as simple as that.