More Related Content
Similar to Conducting Anonymous Online Investigations - Webinar (20)
Conducting Anonymous Online Investigations - Webinar
- 1. © 2014 The Hetherington Group
Conducting Anonymous
Online Investigations
Cynthia Hetherington, Hetherington Group
- 2. © 2014 The Hetherington Group
Cynthia Hetherington
Cynthia is one of the most respected authorities on
the topics of online investigations and online
security.
•Librarian
•Analyst
•Security Practitioner
•Investigator
•Author of:
Business Background Investigations
The Manual to Online Public Records
Web of Deceit
Data2Know.com: Internet & Online Intelligence
Newsletter
- 3. © 2014 The Hetherington Group
In Short…
Anywhere you find
convenience
I will find you.
- 4. © 2014 The Hetherington Group
Acxiom’s - Aboutthedata.com
• Thousands of databases
• Millions of websites
• Dozens of possible experts
• Hundreds of listservs, mailing lists, e-mail groups
- 5. © 2014 The Hetherington Group
Surfing Anonymously
• www.torproject.org
- 6. © 2014 The Hetherington Group
Please Read the Small Print
Want to Really Work?
•...then please don't just install it and go on. You need to change some
of your habits and reconfigure your software! Tor, by itself, is NOT all
you need to maintain your anonymity. There are several major pitfalls
to watch closely.
•Tor only protects Internet applications that are configured to send
their traffic through Tor—it doesn't magically make all your traffic
anonymous just because you install it. We recommend you use Firefox
with the Torbutton extension.
- 7. © 2014 The Hetherington Group
Create a New E-mail Account
- 8. © 2014 The Hetherington Group
E-mail Rules
• Check with the boss first
• Do not use your real identity or anything that appears to be
your real identity
– No Nascar drivers, sports teams, badge numbers,
geographic indicators, or kids names in the User ID
section
• Do not put in a proper e-mail address
• Do not answer the security questions properly
- 9. © 2014 The Hetherington Group
Social Network Participation
• Facebook does not reveal the viewer to the person they are
checking out
• Linkedin does reveal the viewer unless they make their
profile anonymous
• MySpace has an application that can be added to reveal IP
addresses as well as User IDs (if you’re logged in)
• Twitter does not reveal who is looking at your profile
- 10. © 2014 The Hetherington Group
Undercover Accounts
- 11. © 2014 The Hetherington Group
Facebook
• Facebook has a strict Terms of Service stating
you are not to create a false profile in order to
deceive their users into revealing themselves
• Most Facebook participants are now sensitive
to strangers trying to “friend” them
• If you are being friended, have a challenge
question ready for the supposed friend to vet
them
- 12. © 2014 The Hetherington Group
Would You Friend Danny?
- 13. © 2014 The Hetherington Group
Would Rawan Friend You?
- 14. © 2014 The Hetherington Group
Facebook
You are better off creating an account of something
local
or inanimate
- 15. © 2014 The Hetherington Group
Beware Facebook
Facial recognition is now at 80%
– http://www.bbc.co.uk/news/magazine-15069858
Your cell phone directory is now public information
– http://www.facebook.com/group.php?
gid=2392434374
- 16. © 2014 The Hetherington Group
LinkedIn
• Make yourself anonymous
• Log into your account
• Select Settings
• In the middle of the screen you’ll see Privacy Controls
• Choose Select what others see when you’ve viewed their profile
- 17. © 2014 The Hetherington Group
Choose Anonymous
The only caveat is that you can not see who is viewing your profile if you select
anonymous, unless you pay for the $25 per month subscription.
Choose anonymous
- 18. © 2014 The Hetherington Group
LinkedIn Hazards
While you are making your profile anonymous,
check out the following items to lock down your
account:
PRIVACY CONTROLS
– Turn on/off your activity broadcasts
– Select who can see your activity feed
– Select who can see your connections
– Change your profile photo & visibility
- 19. © 2014 The Hetherington Group
Twitter
• Twitter is accessible without having an account
• There are some reasonably intelligent individuals to follow on
Twitter that cover the security markets
• Do not discount Twitter as a waste of time — most suspects are
live tweeting constantly
- 20. © 2014 The Hetherington Group
Twitter Do Nots
• Don’t be too specific! There is a big difference between “Just
bought a gazillion carat ring on XX Avenue, leaving store now”
and “Just bought and engagement ring, wish me luck!”
• On that note, say it, don’t spray it: Don’t spit excessive personal
information—this is about as dangerous on Twitter as it is on any
other social network.
• Call the police, don’t tweet about it!
• Don’t tweet about moving servers, changing passwords, or any
other type of situation where your security could be
compromised more easily.
– Source: http://www.twitip.com/twitter-security-dos-and-donts/
- 21. © 2014 The Hetherington Group
Twitter Dos
• There are hundreds of Twitter tools everywhere. In your Twitter
settings, you can manage which applications have access to your
data and which don’t in the Connection tab
• Choose a strong password—Twitter’s famous attacks have been
known to start with a hacker guessing someone’s password
• Do use direct messages when appropriate, not everything is meant
to be said in the wild
• Consider having a private, separate account for work or project-
related purposes
- 22. © 2014 The Hetherington Group
Other Social Networks
• So far, there is no industry standard for social networks
• Read through the FAQs and information sheets on each service
• Try a friend’s account to view your own personal accounts to see
what you are exposing
• Software designers and hackers are both in a race to monetize
your profile!
- 23. © 2014 The Hetherington Group
Thank-you for participating
If you have any questions, please feel free
to email them to:
Cynthia Hetherington
CH@hetheringtongroup.com
Joe Gerard, Vice President Marketing and Sales, i-Sight
j.gerard@i-sight.com