Operational security: How to get digital footprints off the Internet

Prior to founding ​Molfar​ research company, I worked as an open source data analyst at an investment fund and, after three months at a new job, I decided to search for the information about myself. It was a worthwhile experience. And terrifying one: comments I shouldn’t have written, embarrassing pictures of less attractive younger self and personal information in hacked data dumps.

OPSEC (operational security) is a term introduced by the U.S. intelligence agencies to define the process of denial of the attacker’s access to information that threatens security and classified nature of the mission.

The private sector of the economy uses OPSEC as a defense mechanism against gathering confidential information by competitors and malicious actors. In this article, we will talk about the basic measures of personal data protection, as follows:

• How to find and delete compromising information about yourself;
• Is it possible to completely remove yourself from the Internet;
• How to prevent hacking and stealing credentials.

Identification of sensitive information

The first step is to identify sensitive information: in which form it is stored and where. Put yourself in the shoes of a competitor or malicious actor, using OSINT methods. Search for the information about yourself or your company. The types of private data are:

Private data of a person:

• full name;
• date of birth;
• e-mail;
• personal and corporate phone number;
• address;
• social media profiles;
• passwords

Private data of a company:

• intellectual property;
• business research;
• financial information;
• information about personnel (family, habits, lifestyle; corporate climate)
• information about clients;
• passwords to business resources;
• IPs and MAC-addresses of work computers.

Search engines

Use Google, Bing, Yahoo or DuckDuckGo to search the internet for any information about you and your company. Use advanced search operators to return more specific and relevant search results:

inurl:username — find pages with a username in the URL;

[your name] intext:[personal information, for example, phone number, ID or address] — searches for personal information about subject in the body of the page;

site:docs.google.com “companyname” — publicly available Google Docs with the company name in a body of the document

site:* companyname.com -site:companyname.com — sites which have backlinks to a company’s page. For instance, review websites, job search engines, directories, blogs;

password filetype:docx site:companyname.com — *.docx files on a company’s website, containing the word “password”. On rare occasions, in case of company’s tech staff negligence, such combination of search operators may lead to a file with users’ passwords.

Image search

Reverse image search engines use facial recognition and return the websites containing the subject’s picture:

• https://images.google.com/
• https://yandex.ua/images/
• https://www.bing.com/images/
• https://tineye.com/

Search for email accounts and passwords in data breaches

Online services suffer hacker attacks that expose user’s email addresses, usernames, passwords and credit cards. All these credentials appear in hacked data dumps. Attackers use anonymous marketplaces to buy compromised data and check if the same password is being used in multiple accounts. The goal is to steal an identity or have unauthorized access to computer systems and online services. Use following services to search for the usernames and passwords in data breaches:

• https://haveibeenpwned.com/
• https://passwords.google.com/ (check if passwords saved in Google account were compromised)
• https://spycloud.com/
• https://ghostproject.fr/
• http://pwndb2am4tzkvold.onion/ (access via the Tor-browser)

Google Passwords Checkup checks if email password or passwords to websites saved in Google account have been exposed in data breaches

Vulnerability analysis and risk assessment

Make a table or scheme with the accounts, usernames and names. Add the phone numbers and e-mail addresses used during registration or in contact information.

Identify the weak points which may be used to gain access to private data and evaluate the level of risk associated with each vulnerability:

• Probability of attack;
• Extent of damage;
• Recovery time and amount of work

The more dangerous the attack, the higher is the priority to eliminate the vulnerability. The key point of analysis is to identify what kind of information to leave publicly available and what information to delete. While creating a new account with email or phone number, keep in mind that account information exposed in data breaches may lead to identity theft.

Measures

Depending on the level of risk, the methods for protecting data include generating the complex passwords or passphrase, removing geolocation, filling the account with false data and fake stories or complete deletion of data. However, what we post online is forever. And even if you follow key security rules, keeping silence, your family and colleagues may not. Bear in mind that an attacker with serious intent accumulates data over time using different sources, and it’s not one piece of information that causes the damage.

Basic operational security rules:

1. Separate the accounts

Create random usernames for your personal email accounts, use separate email addresses for financial operations, social media and general use.

2. Do not reuse passwords

Use password manager to generate unique passwords for each online service. For additional security, set up two-factor authentication.

3. Delete metadata, remove geolocation

In 2012, a programmer and businessmen John McAfee was put on a wanted list on suspicion of committing a murder. Hiding from Belize police, McAfee was publishing a blog with the journalist of Vice Magazine Rocco Castoro. McAfee’s location in Guatemala was revealed by the photo in the blog post: it was shot on an iPhone and contained EXIF metadata including geolocation.

“We are with John McAfee right now, suckers!” — Vice boasted in a post with an image containing EXIF data. As P.T. Barnum said, “There’s a sucker born every minute.”

EXIF data stores specific information related to an image such as camera model and manufacturer, the date and time the image was captured, and location coordinates. Before publishing the content, delete all the metadata to protect your privacy. It’s even better to disable geolocation while taking pictures and to use anonymous browsers like Tor.

4. Hide details

Do you like to post selfies on Instagram or corporate event pictures on Facebook? Social media are taking care of your privacy and automatically delete EXIF data before publishing. However, an image may contain details such as silhouettes of buildings, advertising signs, reflection in the mirror, plug and socket types, documents on the desktop. They make it easier to identify a person, to find an office location or home address and shed light on the target’s lifestyle.

Malicious actors can use photos with badges to steal identity in a social engineering attack

5. Keep silence

Publishing any content on the Internet is a threat to privacy. Social media absorbs emotions, encouraging us to share experience and tell stories. Thinking before you post any comments or photos is important. Does this provide any helpful information for attackers to build a profile of a person or a company? You should also ask your mum to stop sharing pictures of you online. Intriguing details of family gatherings, childhood diseases and travelling may surprise your future employer or partner.

Moms use social media to “leak” photos of you captured during family events

Provide false information online

Make sure that the digital trace does not contain any hints. Poisoning your data and leaving fake digital trails will mislead the adversary and won’t allow them to find links between the accounts. Thereby, two goals will be achieved at the same time: you will keep a friendly and trustworthy image and set the competitors on the wrong track that will waste their time.

1. Do not use the real date of birth, enter random date when registering accounts

2. Do not enter full name or use false names for your accounts

3. For non-public accounts, use random image profiles, like the photos generated by AI https://generated.photos/. Make sure that the photos are unique for every website to prevent finding any relationships between them via reverse image search

Generated Photos uses AI to create portraits of people who don’t exist

4. Create documents with fake accounting data or financial statements and place them around your network. Use Canary Tokens https://canarytokens.org/ to receive notifications when they’re opened and track IP addresses of malicious actors. Another service https://iplogger.org/ generates the links to be placed in a document or communication channels to track IP addresses or location of a hacker.

Looks like an ordinary document (on the left), but its metadata contains a code. Canary Tokens sends notification (on the right) when the file is opened in Microsoft Word

Information removal

It is impossible to delete all information about you from the Internet (although Michael Bazzell doesn’t think so). Public registers contain information about transport vehicles, real estate and court cases, which cannot be deleted. Web archives save historical images of websites. But It is possible to delete unused accounts, remove yourself from data brokers websites, and send a request to delete publications in social media and other websites:

1. Remove inactive accounts

Go to the directory of direct links to delete unused accounts: https://backgroundchecks.org/justdeleteme/. Keep in mind that it’s better to delete the account than to deactivate it. For example, after deactivating your Facebook account, your data still remains on the Facebook servers as well as the servers of search engines. To remove yourself completely, you need to delete your account and have Google remove your account pages from its search index.

2. Remove yourself from the data brokers websites

People search websites or “data brokers” (Pipl, Acxiom, WhitePages) collect and sell personal data from publicly available registers and social media. To remove your profile from the databases you must send a request to the owners’ or administrators’ email. If the website has no contacts, search for them in the WHOIS directory. A number of services offer profile deletion through the online form. The list of the links and instructions are in the Vice article.

3. Remove publications from a search index, social media, and other websites

If you like to remove personal information from search results, contact the site owner who published the information. After being removed, Google won’t find the information to list in search results. If the website owner denies your request, Google may still remove certain types of personal data. Such requests remain publicly available: if the page was removed via addressing to Google, then the removal request as well as the page itself will appear in the Lumen Database.

The same procedure is being used in social media: ask a person to delete the publication or remove a tag from the photo. If this person refuses to do it, report the administration (and disable the option to be tagged on the photos in the settings). Instructions for exposed private information reporting:

• Facebook
• Instagram
• LinkedIn
• YouTube

Looking into the mind of a hacker is a first step to guard your and your company’s online data. Use OPSEC methods to neutralize the attempts of malicious actors to steal your identity, prevent the collection of information by competitors, hide the youthful nonsense from the future employer or avoid any questions from law enforcement. Or contact specialized agencies that will check the vulnerabilities if you don’t have much time to learn OPSEC techniques.

Artem Starosiek is the CEO of the Molfar, an OSINT research and consulting company. Follow Molfar on Twitter if you want to learn more about OSINT tools and OPSEC techniques used for corporate security and business risk intelligence