Your digital footprint is like your shadow on a sunny day—always there, slightly altering its form as you move through life. Yet, this shadow can often expose more than we’d care to reveal. Your personal information, such as your home address or social security number, is merely a click away from prying eyes. Now let’s get something straight; you didn’t sign up for this level of exposure. But it’s happening, and we should all be alarmed.
Managing and limiting YOUR online presence
Before we get into performing an OSINT investigation on a target, it is important for us as security professionals to understand methods of protecting ourselves. Did you know that approximately 91% of cybercrimes start with a simple email? (https://www.yeoandyeo.com/resource/91-of-cyberattacks-begin-with-a-phishing-email)
It’s possible for an attacker to not know your name at first. However, with more data, they can eventually build a complete picture of your digital identity. In today’s world, data is as valuable as oil. Recognizing how simple it is for someone to obtain your information is not only concerning, but it’s also a call to action.
Your personal data is being exploited by cybercriminals, stalkers, and profit-driven corporations. Although you may not be directly selling your information, your daily online activities are doing it for you. Every Google search you make, every social media post you publish, and even every product you browse on an e-commerce website contribute to a complete profile of you—one that you didn’t even create.
Figure 2.4 – Google tracks you with your phone (https://timeline.google.com/)
Why protecting personal data is more important than ever
Digital data vulnerability isn’t merely about the now. It has far-reaching consequences, including identity theft and even personal safety risks. The impact is multidimensional. For instance, an imposter using your identity could apply for loans, make illegal transactions, or even conduct criminal activities. Clearing your name afterward is not only an enormous task, but it can be financially and emotionally draining.
Data vulnerability can have a significant impact on your personal life as well. For example, a potential employer may come across inaccurate or unfavorable information about you, which could damage your reputation before you even have a chance to demonstrate your abilities.
The stakes are high and the odds, unfortunately, are not in your favor. However, don’t resign yourself to digital fate just yet. Let me give you some tips for being not just digitally aware but also digitally empowered. Your personal information is precious; it’s time to start treating it that way.
Internet browsers – The frontline of data vulnerability
The browser is your friendly digital conduit that gets you from here to there on the information superhighway. It’s where you read the news, watch videos, engage in social media warfare, and what have you. However, lurking underneath that user-friendly interface is a data-collection apparatus that puts the NSA to shame. No, I’m not here to fill your head with conspiracy theories. But remember my saying: “Just because I don’t see the black helicopters doesn’t mean they aren’t there!”
First-party vs. third-party cookies
Yep, there are different types of cookies to fill our browser’s tummies:
- First-party cookies: Stored by the website you’re visiting. They remember your settings, what’s in your shopping cart, and more.
- Third-party cookies: Stored by someone other than the website you’re on, often advertisers. These are the cookies that follow you around the web, serving up that pair of shoes you glanced at once but didn’t buy.
Enter the cookie grabber
This tool, known as a cookie grabber, is designed to snatch those cookies. The danger? It can grab both types of cookies, even those with sensitive info such as your login details.
For instance, you visit a site with an embedded cookie grabber. Without a hint of suspicion, you log in, and just like that, your session cookies are stolen. Now, the attacker has a key to your digital kingdom and access to your accounts on other platforms, all from a simple, unnoticed theft.
It gets more unsettling. Let’s talk about websites that store your credentials—your usernames and passwords—in plain text right in your browser. It sounds technical, but here’s the deal: sometimes, when you log into a site, it keeps a record of your login details in a format anyone can read. If your computer is compromised or you’re on a shared computer, someone could use a basic tool, such as a hex editor, to see these credentials. It’s like leaving your house keys on a park bench and walking away.
Imagine logging into a website that doesn’t take your privacy seriously. Your credentials are stored in plain text in a cookie. You’re none the wiser, but a hacker or even a nosy roommate could extract this information with ease, breaking into your accounts as if they were their own:
Figure 2.5 – Using a cookie grabber, you can assume someone’s account or identity
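The two weaknesses described above (session cookies that a script on the page can read, and credentials kept in readable form inside a cookie) can be checked for from the defender's side by looking at the Set-Cookie headers a site sends. The following Python sketch is an added example, not code from the original text; the cookie names, the values, and the keyword heuristic are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Assumed heuristic: words suggesting a cookie carries credentials
# rather than an opaque session identifier.
CREDENTIAL_HINT = re.compile(r"pass|pwd|credential|user|login", re.IGNORECASE)

NO_HTTPONLY = "no HttpOnly: any script running in the page can read this cookie"
NO_SECURE = "no Secure: the cookie is also sent over unencrypted HTTP"
WEAK_SAMESITE = "SameSite is not Lax or Strict: the cookie may ride on cross-site requests"
PLAINTEXT_CREDS = "credential-like data is readable in the cookie"


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def readable_forms(value):
    """The value as stored, URL-decoded, and (if it is base64 text) decoded."""
    forms = [value, unquote(value)]
    try:
        forms.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except ValueError:
        pass  # not base64-encoded text (covers binascii.Error and UnicodeDecodeError)
    return forms


def audit_cookie(header):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(NO_HTTPONLY)
    if "secure" not in attrs:
        findings.append(NO_SECURE)
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(WEAK_SAMESITE)
    if CREDENTIAL_HINT.search(name) or any(
        CREDENTIAL_HINT.search(form) for form in readable_forms(value)
    ):
        findings.append(PLAINTEXT_CREDS)
    return name, findings


# Constructed sample headers (not captured from any real site).
_encoded = base64.b64encode(b"user=alice&password=Example123").decode()
SAMPLE_HEADERS = [
    "session_id=k3J9xQ2m_Vt7; Path=/; Secure; HttpOnly; SameSite=Lax",
    "auth=user%3Dalice%26password%3DExample123; Path=/",
    f"remember={_encoded}; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, findings = audit_cookie(header)
        print(f"{name}: {'OK' if not findings else 'review'}")
        for finding in findings:
            print(f"  - {finding}")
```

The third sample cookie carries every protective flag and is still flagged: HttpOnly and Secure do nothing against someone reading the browser's cookie store on a shared or compromised computer.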
How to protect yourself
Both VPNs and proxy chains serve as effective tools for maintaining online privacy. They help in obscuring your real IP address, making it difficult for third-party cookies to track your internet activities. This is especially valuable in today’s digital world, where online tracking and data privacy are major concerns. However, it’s important to choose reputable VPN and proxy services, as they have access to your internet data. Always prioritize services that are known for their strong privacy policies and commitment to user security.
DuckDuckGo: the unsung hero of privacy-focused browsing
If mainstream browsers are the attention-seeking reality TV stars of the digital world, DuckDuckGo is the introverted genius no one’s heard of but should have. DuckDuckGo is on a mission to simplify online privacy. The plucky company blocks hidden trackers that follow you around the web. Their software firewall shuts down attempts to collect your search history and personal information.
DuckDuckGo’s products are entirely focused on giving you control over your data. Their search engine never stores search history or user information. All searches are private by default. The browser extension and mobile app also block invasive trackers lurking on websites.
Figure 2.6 – DuckDuckGo is a great browser to hide yourself
Encryption provides another layer of protection by securing connections between you and websites. Together, these tools form an effective privacy shield to stop advertising companies and other third parties from profiling you.
DuckDuckGo makes money by showing keyword-based ads instead of creepy targeted ones, so they have no need to create personal data profiles. Their business aligns with their mission to put privacy first.
So, you’re ready to make the switch? Excellent. But you can’t just storm out of one relationship and into another without some prep. Here’s how to do it:
- Download and install: Get your chosen privacy-focused browser.
- Import settings: Most browsers will allow you to import bookmarks and settings from your old browser.
- Set as default: Make your new browser the go-to for all your digital escapades.
Browser alternatives: pros and cons of other private browsers
Now, let’s not romanticize DuckDuckGo as the only superhero here. There are other options too, each with its own set of perks and quirks.
Brave browser
This is one browser I recommend to everyone. It’s kind of the new kid on the block.
The privacy-centric Brave browser (https://brave.com/) is an excellent starting point for obscuring your online activity. Brave blocks trackers by default, reducing the ability of third parties to monitor you.
Figure 2.7 – Brave is my personal choice for hiding my identity
For those wary of switching browsers, extensions such as Startpage offer similar protections.
Startpage displays a privacy score between one and five so you can see just how many trackers and cookies it foiled on each site. The details may shock you, but will ultimately empower you. Startpage also cloaks your identity from any trackers that do run by masking your digital fingerprint.
Figure 2.8 – The Startpage extension is available in the Chrome web store
While blocking trackers, you may need to permit certain benign cookies so sites function properly. Startpage allows you to approve cookies individually—no need for blanket access. For searches, Startpage queries Google anonymously so they can’t add to your creepy profile.
Between Brave’s robust protections and Startpage’s actionable insights, you now have potent weapons to evaporate your digital shadow. No longer will you be passive prey to cyberstalking trackers. The following are Brave’s pros and cons:
- Pros: It blocks ads and trackers by default
- Cons: The built-in ad system might not be everyone’s cup of tea
Tor browser
Tor (or The Onion Router) is a networked community united by a common cause—online privacy. Tor was born from rebellion. While governments spy and corporations track, Tor fights back. It’s an online resistance movement, with servers, relays, and nodes, run by volunteers worldwide. No single point can trace the full path.
Figure 2.9 – The Tor website
Tor scrubs metadata and masks IP addresses. Traffic is encrypted and re-encrypted as it hops through the privacy network. Like peeling back layers of an onion, each relay only knows the next stop, not the final destination.
This is only possible through strength in numbers. Thousands of selfless volunteers lend their computers as Tor nodes. These diverse entry, middle, and exit points form the decentralized backbone of the network. The result is censorship-resistant connections sealed with privacy-protecting encryption.
Tor is free software (https://torproject.org) built by a community of believers. The code is open for all to inspect and improve. Transparency keeps Tor true to its mission. There are no shady backdoors or hidden agendas baked into the tools. The following are its pros and cons:
- Pros: Tor offers the highest level of anonymity
- Cons: It has a slower browsing speed due to multiple server hops
But Dale, what browsers would you stay away from? Well, folks, that list goes a little like this (in no particular order):
- Google Chrome
- Microsoft’s Edge
- Firefox
- Opera
- Safari
Your browser is your first line of defense against cyber threats. It’s more than just a gateway to the internet; it’s the fortress that guards your data with solid power. Make the change and fortify your browser today. Your digital self will be grateful for the extra protection.
Creating and managing online personas – Sock puppets
Now, before your imagination runs wild, no, we’re not talking about crafting a delightful puppet out of your favorite pair of socks. Sock puppets are fictitious online identities created for the purposes of deception, manipulation, or information gathering. Like puppets on an entertainer’s hand, they are characters that allow the puppeteer to take on a different persona and interact incognito.
While not inherently illegal, sock puppets are often frowned upon due to their capacity for abuse. They can be used to spread misinformation, artificially boost popularity, harass others anonymously, or infiltrate communities under false pretenses. However, they also have legitimate uses in fields such as investigative journalism or penetration testing.
There are several motivations for individuals and organizations to use sock puppet accounts:
- Anonymity: The primary purpose is to dissociate online activities from one’s true identity. This anonymity facilitates information gathering without revealing oneself.
- Deception: Sock puppets allow one to influence conversations, share false information, and manipulate perceptions. This deceptive capacity can be used for infiltration or social engineering.
- Reconnaissance: They are effective tools for gathering intelligence about people, organizations, topics of interest, etc. without detection.
- Privacy: Some may simply want to protect their privacy by separating their online presence into multiple unconnected identities.
Setting the stage: creating your sock puppet
An online persona created for the purposes of anonymity and information gathering can be a powerful tool when applied ethically. Sock puppets serve as digital chameleons, blending into the online environment to collect open source intelligence without revealing the investigator’s true identity. This practice is particularly valuable in scenarios where revealing one’s identity may skew the information obtained or pose a risk to the investigator’s safety.
Imagine, for example, a cybersecurity expert tasked with assessing the security of a financial institution. By ethically deploying a sock puppet, they can interact with suspect phishing sites or malicious actors to understand their tactics—without exposing the institution or themselves to undue risk. It’s a bit like an undercover cop in the digital neighborhood, watching and learning but not interfering.
Additionally, sock puppets can play a crucial role in tracking cyber threats. They can be used to monitor dark web forums or infiltrate cybercriminal networks, gathering intelligence on emerging threats, data breaches, or the sale of stolen data. This allows cybersecurity professionals to warn potential victims and fortify defenses before any actual harm is done.
The ethical use of sock puppets in OSINT is underpinned by a strict code of conduct: they are not used for deception or manipulation, but rather as a shield to protect the identity of the security professional while they gather the necessary intelligence to bolster our digital defenses. It’s a cloak of invisibility for the good guys, allowing them to observe and report without becoming targets themselves.
Here are some things to consider when creating your sock puppet:
- Clearly define the purpose of your sock puppet. It could be for research, data collection, or cybersecurity exercises. Always have a clear and ethical goal in mind.
- Creating a sock puppet starts with crafting a believable persona. Kind of like building a character for a play, you’ll need a backstory, interests, and even quirks. Tools such as the Fake Name Generator (https://www.fakenamegenerator.com/) or NameFake (https://namefake.com/) can be your best pals here, helping you come up with a genuine-sounding identity.
Expand beyond just a name to create an identity, including the following:
- Date and place of birth
- Hometown
- Education and work history
- Interests and hobbies
- Favorite books, movies, music
- Political views
- Religion
- Photos and images
Some will call these steps pretexting.
Note
Oh, is that a new word for you? Well, what I mean by pretexting is not just pretending to be someone else; you’re creating a whole backstory, setting, and script to make it believable.
- You’ll want to have an image/photograph of your persona to make your puppet look as real as possible. A website called https://thispersondoesnotexist.com/ does a great job of serving up completely AI-generated (artificial intelligence) images of folks. This way, someone can’t do a reverse image search to find out that you just borrowed someone else’s photo.
Figure 2.10 – Yep, this isn’t anyone in real life; it’s AI-generated (https://thispersondoesnotexist.com)
- You’ll want to set up a dedicated email account for your persona. You can use a service such as 20 Minute Mail (https://www.20minutemail.com/).
- Set up some accounts and profiles on social platforms for your sock puppet.
Note
Remember, the key to a great performance is consistency, so maintain the same persona across different platforms.
I was once interviewed by a reporter. I preferred to keep my anonymity. I chose to use Tor, which encrypts internet traffic by routing it through several servers worldwide. Along with an encrypted messaging service found on the dark web, I was able to communicate with this reporter securely. Our discussions were completely private, with no risk of being traced back to us.
Don’t forget to give your puppet a phone number! Using a service such as TextFree (https://textfree.us/), you can send and receive text messages without exposing your real number. It’s kind of cool.
Setting up anonymous communication
To prevent sock puppet accounts from being linked back to their creators, anonymous communication channels are essential. This involves creating untraceable email addresses and burner phones.
When setting up the puppet’s email account, consider the following:
- Avoid unusual providers that raise red flags
- Use common services such as Gmail or Outlook
- Create the address through public Wi-Fi or a VPN to remain anonymous
- Ensure the name sounds realistic and doesn’t just use random characters
- The email will be used for registering accounts, so anonymity is key
Burner phones are clutch for keeping your investigation on the down low, but you have to use them carefully. Only use a burner for stuff directly tied to your case—calls, texts, 2FA codes, etc.
Figure 2.11 – Some of my personal burners I’ve used for engagements
Never ever save sensitive docs, names, dates, locations, or other case details on the device. Remember, burners can still get tapped, hacked, or compromised despite being disposable. So, take extra precautions such as using encrypted chat apps (Signal and WhatsApp), not linking the burner to personal accounts, turning off GPS, removing metadata from pics, and regularly clearing caches. Use code names when contacting sources instead of real ones.
When conducting an OSINT investigation, the responsible management of burner devices is a crucial step in the operation’s lifecycle. When an investigation concludes or if there’s a suspicion that the integrity of a burner has been compromised, it’s time to ensure that the device is retired securely and professionally. You’ll want to take one of two steps in handling these devices:
- Archive the device responsibly: This is akin to how sensitive materials are handled post-operation—maintaining a clear chain of custody. By securely storing the burner with the client, alongside any other used equipment, we ensure that all resources, data, and potential evidence remain intact and under proper oversight. This practice isn’t about hoarding hardware—it’s about the meticulous separation of duties and maintaining an unimpeachable professional standard.
- Have a meticulous decommissioning process: Begin with a thorough factory reset to erase all data, a standard procedure in the industry. Then, physically disassemble the device. Removing and rendering the SIM card unusable is essential—this may involve cutting it into pieces, a method endorsed by security protocols to prevent data recovery. Deconstructing the device further—separating the screen from the battery, for example—is a measure taken to ensure that no recoverable component falls into the wrong hands. Disposal should be executed with discretion and distributed across various locations to mitigate the risk of data reconstruction.
These measures aren’t the cloak-and-dagger tactics of a crime drama; they’re the bread and butter of ethical hacking and professional digital investigation. A burner phone is a shield, safeguarding both the investigator’s anonymity and the integrity of their work. Employing these devices, with their eventual disposal, is a testament to a professional’s commitment to security and confidentiality in a field where the stakes are invariably high.
Remember, every step we take is geared toward strengthening security postures and uncovering vulnerabilities before they can be exploited maliciously. Our practices are transparent to clients and within legal bounds, ensuring that our work always aligns with the noble goal of protecting assets and information in a world increasingly reliant on digital infrastructures.
By keeping communication anonymous, there will be no way to connect sock puppets to their creators. The accounts will appear entirely self-contained.
Maintaining anonymity is crucial when creating sock puppet accounts in order to preserve privacy and enable deception. Untraceable communication channels are essential to this goal.
Pulling the strings – Operating your sock puppet
Now that your puppet is ready to grace the cyber stage, it’s important to follow some ethical guidelines:
- Transparency with stakeholders: If you’re using sock puppets for research or corporate exercises, maintain transparency with stakeholders about your methods and intentions.
- Data protection: Be a guardian of data protection. Collect only the data necessary for your research and handle it with the utmost responsibility.
- Documentation and reporting: Keep meticulous records of your puppet’s activities. This not only helps in presenting your findings but also ensures accountability.
Leveraging gender dynamics in sock puppet operations
When diving into the cyber investigative scene, piecing together your online alter ego is part art, part science, and all about walking that ethical tightrope, especially when it comes to gender dynamics in the digital world. Yes, the internet’s chock-full of gender stereotypes, but when we’re crafting these personas, we’ve got to handle them with care.
Imagine you choose to use a female character for your online disguise. It’s true that being a woman might help in some situations because of how people have always interacted socially. But remember, we’re not here to trick people just for the sake of it. We’re smart about how we do things, not sneaky. The real point is that you can use smart moves such as the honeypot method, where you might act a bit flirty and vulnerable to get your target’s attention. But doing this means you have to be really careful about staying ethical. It’s about gathering information in a clever way, not misleading or using people.
When it comes to making your sock puppet believable, the devil’s in the details. Skip the stereotype rehash and give your digital decoy some real personality. A dash of unique flair makes your puppet more than just a bunch of pixels—it becomes a believable character that can gain trust where it’s needed most.
Note
Here’s a pro tip: keep your sock puppet on a completely different leash from your real online life. Think virtual machines, sandboxed browsers—the works. Mixing the two is like wearing socks with sandals; it just doesn’t look right. This is how you keep your cover story tight and your real identity under wraps.
These sock puppet shenanigans have their place on the right side of the cyber tracks. They’re dynamite for infiltrating shady online groups to sniff out security risks or pretending to be a greenhorn in your own company to see who bites the bait in a phishing test. It’s all about putting those cybersecurity hats on and using our powers for the good guys.
So, let’s keep it smart, keep it ethical, and remember—we’re here to stop the baddies, not join them.
Email and messaging anonymously
Using an anonymous email address is critical for OSINT investigators who want to obscure their identity and maintain privacy when interacting online. Email addresses often serve as a gateway to a person’s real identity, providing clues and links regarding who someone actually is. Without anonymity, the OSINT researcher risks their personal information being exposed if their email is linked to forums, services, or social media used in an investigation. This could make the researcher vulnerable to hacking, doxing, retaliation, or unwanted association with certain groups or causes.
Creating a completely dissociated email address tied to no identifying details is therefore vital for secure, private OSINT work. The anonymous email should never be used for anything that could reveal personal details. It should not be the address listed on social media, professional sites such as LinkedIn, shopping accounts, etc. Ideally, it should be generated using a service such as Proton Mail (https://protonmail.com/).
Figure 2.12 – Proton Mail can help to hide your real identity
Alternatively, a Tuta email (https://tuta.com/) does not require any valid personal info to create.
Figure 2.13 – Tutanota anonymous email
Using a dedicated anonymous email address allows the OSINT investigator to register for forums, make inquiries, and communicate without concern that their real identity will be uncovered. It is a critical line of defense to preserve anonymity.