Top 6 Mistakes That Will Blow Your Online Cover

Perfect Operational Security (OPSEC) Needs to Start From Day One


There are many legitimate reasons to hide your identity when operating online. Among these are anti-fraud investigations, threat intelligence gathering, criminal investigations, and sensitive research. But you are only protected so long as you maintain your cover. Based on over 20 years of experience with online anonymity, I’ve identified the top 6 mistakes that will blow your cover.

1. Forgetting to Use Your Tools

Failing to consistently use identity hiding technologies is the most common way to blow your online cover. Just one failure to use your misattribution tools can instantly connect your alias to your real identity. Guccifer 2.0, Sabu, and many more aliases have been exposed by this kind of mistake. The hardest part is that perfect operational security (OPSEC) needs to start from day one — long before you know how important it is to protect this particular alias.

2. Incomplete Separation

Our online identities are made up of many different accounts, including social media, email, chat, and others. Each of these may have account names, recovery email addresses, physical addresses, full names, phone numbers, and passwords. The mistake occurs when the line between alias accounts and real-name accounts starts to blur — you create some alias account that shares a recovery email account with a real-name account, or re-use a phone number, or re-use any other identifying information. There might not even be a single link, but rather a chain of accounts which together can connect your alias with your true identity. This appears to be how Ross William Ulbricht was connected to his criminal alias “Dread Pirate Roberts.”
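A self-audit of the “chain of accounts” problem described above, as an added example (not from the original column): every shared recovery email, phone number or address is treated as a link between two accounts, and the audit searches for any path from an alias account to a real-name account. All account names and attribute values are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed inventory of the operator's own accounts. "identity" says which
# persona an account belongs to; every other key is an identifying attribute.
# Values are made up; a real audit would be fed the operator's actual inventory.
ACCOUNTS = {
    "alias:mail/joe":        {"identity": "alias", "recovery_email": "joe.backup@example.com"},
    "alias:twitter/joe_k":   {"identity": "alias", "recovery_email": "joe.backup@example.com",
                              "phone": "+1-555-0199"},
    "real:shop/jdoe":        {"identity": "real",  "phone": "+1-555-0199",
                              "recovery_email": "jd.personal@example.com"},
    "real:linkedin/johndoe": {"identity": "real",  "recovery_email": "jd.personal@example.com"},
}

def build_graph(accounts):
    """Link two accounts whenever they share any identifying attribute value."""
    by_attr = defaultdict(list)
    for acct, attrs in accounts.items():
        for key, value in attrs.items():
            if key != "identity":
                by_attr[(key, value)].append(acct)
    graph = defaultdict(dict)  # graph[a][b] = the shared attribute linking a and b
    for (key, value), members in by_attr.items():
        for a in members:
            for b in members:
                if a != b:
                    graph[a][b] = f"{key}={value}"
    return graph

def find_linkage(accounts):
    """Return the chain of (account, account, shared attribute) hops that connects
    an alias account to a real-name account, or None if the identities are separated."""
    graph = build_graph(accounts)
    for start in [a for a, v in accounts.items() if v["identity"] == "alias"]:
        parents = {start: None}          # breadth-first search from each alias account
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if accounts[node]["identity"] == "real":
                path = []                # walk parent pointers back to the alias start
                while node is not None:
                    path.append(node)
                    node = parents[node]
                path.reverse()
                return [(a, b, graph[a][b]) for a, b in zip(path, path[1:])]
            for nxt in graph.get(node, {}):
                if nxt not in parents:
                    parents[nxt] = node
                    queue.append(nxt)
    return None
```

On the sample inventory the audit reports a two-hop chain: the alias mail account shares a recovery email with the alias Twitter account, which in turn shares a phone number with a real-name shopping account.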

3. Using the Wrong Account

Once you start managing more than one identity, accounts proliferate like weeds. It quickly becomes possible or even likely that you will accidentally use an account associated with one identity to send communications associated with another. If there is someone you only communicate with from your “Joe” alias, then it will cause problems if “Joe” sends an email from “Sarah’s” account. Of course, the worst-case scenario is if that other account is under a true name. I know of one example where two law enforcement officers shared a single computer. One configured it to send email in alias, then went to lunch. The other re-configured it to send some internal emails. When the first returned, he did not check the settings and proceeded to email their criminal target from the second officer’s official email account. This, as you can imagine, completely compromised the mission, fortunately without loss of life.


4. Fake Photos

The common availability of reverse photo searches and facial recognition has caused major problems for many people trying to set up alias social media accounts. To look authentic, accounts need to have activity, including personal pictures. Too often these pictures are lifted from other real social media accounts or from stock photography websites. Unfortunately, social media sites may detect and tag photos with the identity of the person whose photo was “borrowed”. If the picture is posted anywhere on the public web, a reverse image search, like tineye.com, will quickly discover the original. I have discovered several fake LinkedIn profiles trying to connect with me using profile pictures from GettyImages.

5. Writing Style

The way you write is like a fingerprint. No two people use language in the exact same way. Word choice, common phrases, sentence structures, and idiosyncrasies all allow programs to recognize samples of your writing. And, it is a surprisingly difficult fingerprint to hide. We are largely blind to what aspects of our writing identify us, so it is hard to know what to change, and it is a tremendous effort to do so consistently. If your alias only writes one paragraph in its whole existence, you can do it almost effortlessly. If it writes frequent or long posts, the problem becomes much worse.

6. Behavior and Location

Finally, you might expose your alias as being fake and reveal your true location and interests simply by the patterns of your online activities. I have seen entire blocks of anonymous IP addresses burned through user activity and improper OPSEC. In one case, a group of users had a block of IP addresses in another country. Because they used those IP addresses for personal purposes in addition to their operational activities, Google quickly started identifying their true location: where the users actually worked. It turns out that Google used their search and mapping activities to learn where they were probably located, and they were right. Sports, politics, news, and other content can similarly reflect your actual identity and location, undermining the realism of your alias.

If you can avoid these top 6 mistakes, you are far more likely to be successful with any online undercover activity. You will access the threat intelligence you need from that hacker IRC room, catch those fraudsters in the act, or make your case against some nefarious criminals.
