Thank you everyone who attended our online investigation webinar series, Naked & Exposed. (In case you missed it, you can watch Part 1: Stop Investigating Online Without Managed Attribution and Part 2: A Day in the Life of an Online Investigator on demand.) It is estimated that just within the U.S., there are roughly 1.5 million people conducting online research – in every industry and sector of the economy. From private corporations, to government and law enforcement organizations and even academia, teams are doing research that spans surface, deep and dark web.

We were happy to see many of you attend our webinars to learn about attribution tools and techniques, so you'll feel a little less naked and exposed when venturing out into the often unpredictable and sometimes even hostile web. We didn't get to answer all the audience questions live, so we have compiled our responses here.

Remote/Mobile Work Environments

How does our current situation of working from home with an employer-issued laptop and VPN affect the security of online research?

If you're using an employer-provided VPN and laptop, and you're connected to your home WiFi, the risk here is really two-fold:

  1. You're still doing research that is attributable to your employer even when it goes through the VPN: browser fingerprinting can identify the corporate build, and any service you use while logged in as yourself ties the session to your identity.
  2. If the VPN disconnects, which happens often and for a variety of reasons, you lose access to your organization's files and internal sites, but the laptop can usually still reach the web directly. Any browsing that continues outside the tunnel now comes from your home IP address, and that is what puts you at risk.

Similarly, any investigation activities that you do on your own home network, home computer or other personal devices can be a problem. Be very careful about doing investigation work on any device that you also use to log into personal social media accounts or shopping sites, or anything else that could lead adversaries back to you.

RELATED BLOG: What VPNs and Incognito Mode Still Give Away in Your Online Identity

Is using mobile phones for research safer than using a regular workstation?

Phones are often used to do research, especially in organizations that have IT policies that block access to certain sites and content, and so, investigators reach for their phones. But, of course, there are still the same types of risks that you have when browsing on a laptop or a desktop computer – most sites use tracking mechanisms to collect information about their visitors, and there’s even malware that specifically targets certain types of phones. The bottom line is – browsing on your phone may give you a false sense of security, but the risks are still very real.

Alternatives to Managed Attribution

Are burner accounts a useful way to conduct certain types of research, like on social media for example?

In some ways, burner accounts can indeed be very useful, and we see this often with law enforcement, especially when investigators want to get access to certain groups and join discussions using false identities. But this approach can be very tricky and time consuming, and it is by no means foolproof. You have to carefully craft your persona and diligently maintain it in order not to raise any red flags. Little things like home address, profile photo, activities, check-ins, status updates, etc. can quickly add up to a huge administrative burden. You need to pay attention to which sites you visit under your disguise and which time zone your persona operates in, and even with all that care and maintenance, the smallest slip-up can quickly arouse suspicion and jeopardize your mission.

How effective are various browser extensions and apps?

Some browser extensions can provide additional protection, but analysts should still be aware of the hidden risks: your browsing behavior and other trackable attributes can still lead adversaries back to you, and having certain extensions installed on your device may actually make your browser fingerprint more unique and identifiable, because the extension's presence is itself observable by the sites you visit.
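The point about extensions is easiest to see with numbers. The following is an added example, not Authentic8's code: it treats a browser profile as a set of observable attributes and counts how many profiles in a population share the same fingerprint (the anonymity set). The population of corporate laptops and the extension names are constructed for illustration.

```javascript
// Added example (not Authentic8 code): why a "privacy" extension can make a
// browser more identifiable. The population below is constructed for
// illustration; real trackers use far more attributes and far larger sets.

// Sites can observe extensions indirectly (DOM changes, blocked requests,
// exposed resources), so the installed set is one more fingerprint attribute.
const ATTRS_BASIC = ["userAgent", "screen", "timezone", "language"];
const ATTRS_WITH_EXT = [...ATTRS_BASIC, "extensions"];

// Every laptop built from the same corporate image looks alike to a tracker.
const CORP_IMAGE = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/88.0",
  screen: "1920x1080x24",
  timezone: "America/New_York",
  language: "en-US",
};

// Constructed population of eight analysts (hypothetical extension names).
const POPULATION = [
  { ...CORP_IMAGE, extensions: "" },
  { ...CORP_IMAGE, extensions: "" },
  { ...CORP_IMAGE, extensions: "" },
  { ...CORP_IMAGE, extensions: "" },
  { ...CORP_IMAGE, extensions: "" },
  { ...CORP_IMAGE, extensions: "ext-adblock,ext-canvas-spoof" }, // the "hardened" analyst
  { ...CORP_IMAGE, screen: "2560x1440x24", extensions: "" },
  { ...CORP_IMAGE, language: "en-GB", extensions: "" },
];

// A fingerprint is just the concatenation of the attributes a site can read.
function fingerprintKey(profile, attrs) {
  return attrs.map((a) => `${a}=${profile[a] ?? ""}`).join("|");
}

// Number of profiles a tracker cannot tell apart from `target` using `attrs`.
// A set of 1 means the browser is unique in this population.
function anonymitySetSize(population, target, attrs) {
  const key = fingerprintKey(target, attrs);
  return population.filter((p) => fingerprintKey(p, attrs) === key).length;
}

// Identifying information in bits: log2(population / anonymity set).
// Each extra bit halves the crowd the browser can hide in.
function identifyingBits(population, target, attrs) {
  return Math.log2(population.length / anonymitySetSize(population, target, attrs));
}

const hardened = POPULATION[5];
console.log("basic attrs   -> set size", anonymitySetSize(POPULATION, hardened, ATTRS_BASIC),
  "bits", identifyingBits(POPULATION, hardened, ATTRS_BASIC).toFixed(2));
console.log("with extension-> set size", anonymitySetSize(POPULATION, hardened, ATTRS_WITH_EXT),
  "bits", identifyingBits(POPULATION, hardened, ATTRS_WITH_EXT).toFixed(2));
```

With only the stock attributes the "hardened" analyst hides among six identical corporate laptops; once the extension set is observable, that analyst is the only match. The same logic explains why a managed attribution platform's value lies in making the whole fleet look alike, not in making one browser look special.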

Questions About Tor/Dark Web

How does Tor impact attribution?

Tor anonymizes traffic at the network level: requests leave your workstation through the Tor Browser and pass through a circuit of three relays (guard, middle and exit), each of which knows only the previous and next hop. For ordinary websites, the exit relay fetches the content on your behalf, so the site sees the exit's IP address rather than yours; onion services are reached without leaving the Tor network at all. At a high level, that's how the dark web achieves its anonymity. The downside of using the dark web for research is that you might stumble across objectionable content that shouldn't end up on your local workstation, or malicious content that can infect your device or your employer's network.

Also, you still have some risk of attribution: not necessarily from the IP address, but rather from your online behavior, such as the patterns you use for accessing certain websites, or the way you communicate in online forums – many of these seemingly small things can be catalogued and tied together to create a profile, which can then be tied back to your real identity and affiliations.

The bottom line is that it's hard to recommend Tor as a safe alternative to a properly managed attribution solution. Maybe we are a bit biased here at Authentic8, but we believe that there's no real alternative to a true managed attribution service. Most organizations' IT security policies block Tor because IT cannot monitor the traffic and so cannot ensure the security of the internal network. Dark Web Add-On: Silo for Research gives you full access to the dark web, is easy to use, offers a seamless browsing experience and provides full managed attribution, so you can search even the darkest corners of the web without exposing your identity or your endpoint.

Questions About Silo for Research

Even when using Silo, what behaviors/tradecraft should we practice to avoid giving ourselves away?

The Silo managed attribution service is a great way to keep your research safe and anonymous, but you still need to practice sound tradecraft. Even with secure browsing, analysts need to be mindful of behaviors and actions that can link their online activity to their organization. Simple things like including a company name in your username or using a corporate email address when accessing online services can compromise an investigation, even when you are using secure cloud browsing. Additionally, pay close attention to how you use Silo features like time zone and other browser-based attributes: set your language, location and related properties to values that fit your research persona and goals, and keep them consistent with each other. Authentic8 regularly offers tradecraft training; take a look at our upcoming educational webinars.
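The consistency checks above (time zone versus claimed location, language versus location, organization names in identifiers) and the behavioral tells discussed in the Tor answer can be turned into a simple pre-flight lint. The following is an added example written for this page, not a Silo feature: the persona fields, the small time-zone-to-country table and the organization names are all constructed for illustration, and the waking-hours window is an assumption.

```javascript
// Added example (not Silo code): lint a research persona for attributes that
// contradict each other or leak the analyst's organization. Tables and
// personas below are constructed; extend TZ_COUNTRY for your own use.

// Minimal IANA time zone -> ISO country table (constructed subset).
const TZ_COUNTRY = {
  "America/New_York": "US", "America/Los_Angeles": "US",
  "Europe/Berlin": "DE", "Europe/London": "GB", "Asia/Tokyo": "JP",
};

// "de-DE" -> "DE"; a bare "en" carries no region and is not checked.
function regionOf(langTag) {
  const parts = langTag.split("-");
  return parts.length > 1 ? parts[1].toUpperCase() : null;
}

// Hour of day (0-23) of a UTC timestamp as seen in the persona's time zone.
function localHour(isoUtc, timeZone) {
  const parts = new Intl.DateTimeFormat("en-US", { timeZone, hour: "numeric", hourCycle: "h23" })
    .formatToParts(new Date(isoUtc));
  return Number(parts.find((p) => p.type === "hour").value);
}

// Returns a list of human-readable warnings; an empty list means the persona
// is internally consistent and free of organizational identifiers.
function personaWarnings(persona, org) {
  const w = [];
  const tzCountry = TZ_COUNTRY[persona.timezone];
  if (tzCountry && tzCountry !== persona.country)
    w.push(`time zone ${persona.timezone} is in ${tzCountry}, persona claims ${persona.country}`);
  const langRegion = regionOf(persona.language);
  if (langRegion && langRegion !== persona.country)
    w.push(`language ${persona.language} points to ${langRegion}, persona claims ${persona.country}`);
  const firstAccept = persona.acceptLanguage.split(",")[0].trim();
  if (firstAccept.toLowerCase() !== persona.language.toLowerCase())
    w.push(`Accept-Language leads with ${firstAccept}, browser language is ${persona.language}`);
  for (const field of ["username", "email"]) {
    const value = (persona[field] || "").toLowerCase();
    for (const name of org.names) {
      if (value.includes(name.toLowerCase()))
        w.push(`${field} "${persona[field]}" contains organization name "${name}"`);
    }
  }
  const domain = (persona.email || "").split("@")[1];
  if (domain && org.domains.includes(domain.toLowerCase()))
    w.push(`email uses corporate domain ${domain}`);
  return w;
}

// Activity outside plausible waking hours in the persona's own time zone is a
// behavioral tell that survives IP masking. Window is an assumed 07:00-23:00.
function offHoursActivity(isoTimestampsUtc, timeZone, wakeStart = 7, wakeEnd = 23) {
  return isoTimestampsUtc.filter((t) => {
    const h = localHour(t, timeZone);
    return h < wakeStart || h >= wakeEnd;
  });
}

// Constructed organization and personas (hypothetical names and domains).
const ORG = { names: ["AcmeCorp"], domains: ["acmecorp.example"] };
const sloppy = {
  country: "DE", timezone: "America/Los_Angeles", language: "en-US",
  acceptLanguage: "en-US,en;q=0.9", username: "acmecorp_analyst7",
  email: "analyst7@acmecorp.example",
};
const careful = {
  country: "DE", timezone: "Europe/Berlin", language: "de-DE",
  acceptLanguage: "de-DE,de;q=0.9,en;q=0.5", username: "wanderfalke",
  email: "wanderfalke@mail.example",
};
console.log("sloppy :", personaWarnings(sloppy, ORG));
console.log("careful:", personaWarnings(careful, ORG));
console.log("off-hours:", offHoursActivity(
  ["2021-06-01T03:00:00Z", "2021-06-01T12:00:00Z", "2021-06-01T22:30:00Z"], "Europe/Berlin"));
```

The sloppy persona claims to be in Germany while its clock, language and identifiers all say "US-based AcmeCorp employee"; the careful one produces no warnings. The off-hours check flags the 03:00 UTC and 22:30 UTC sessions, which fall at 05:00 and 00:30 Berlin time, a pattern an adversary watching a forum could use to infer that the account is operated from a different time zone than it claims.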

How would Silo eliminate its own "unique identifiers" when investigating online?

Silo for Research allows users to safely view and interact with untrusted websites and other content, save and annotate data, and even translate content into different languages. It uses a one-time-use browser built on-demand in a secure cloud-based container. All web code is rendered in the cloud and converted into a high-fidelity remote display of the session, protecting endpoints from malware, ransomware, and drive-by downloads.

Silo for Research allows researchers to spoof their true location in over 30 different countries worldwide, manipulate their hardware and software fingerprints, and to collect, annotate, and securely store internet-based data.

How does Silo handle public IP addressing on its egress nodes so untrusted content owners can't block Authentic8's public IP addresses/ranges?

Using Silo's global infrastructure, researchers and investigators gain simple, safe “point and click” access to open, deep and dark web content. We employ tradecraft best practices to keep the service both available and protected. For additional information, contact your account representative.

How does Silo work with sock puppet social media accounts?

In general, we recommend staying away from standard or stock profiles, because any traits that are consistent across these profiles can be used by adversaries to figure out your true identity. It's not difficult to spot patterns: for instance, around election times we often see a lot of propaganda-type accounts that tend to have similar usernames. Having a pattern makes it easier to script the creation of these accounts, but it also makes it easier for others to spot similar accounts and take action against them.

Why would I want to use Silo to access my bank account or Facebook account?

The biggest benefit here has to do with security. Naturally, when you're logging into a website like Facebook or your bank account, you're associating your identity with that session, so you're not really gaining anything from a managed attribution perspective. But browser isolation with Silo can still offer you security benefits.

What's more, if you are accessing your bank account or social media from an untrusted device, you can use Silo's web-based client and browse securely without installing anything on the device itself. Say you are using a shared computer at a hotel business center or in a public library: with Silo, no data remains on that computer after you close your session and leave.

Even though I'm an enthusiastic user of Authentic8, I still never use the Silo browser for personal account use. I won't use it to sign on to personal accounts. Am I justified in my paranoia? How much info will Silo capture?

Authentic8 has built-in features that let customers encrypt their log data with a customer-supplied key, so that the user activity captured by audit logs is readable only by the customer. With this encryption enabled, only the customer's administrators have insight into the websites visited or other activity after the session launches.

Is this affordable enough for a personal account? / Do you provide individual analysts access v. corporate access?

At this time, Authentic8 does not sell accounts to individuals.