Staying Anonymous

A few weeks ago, I was speaking with a regional bank in the Southwestern United States, where the lack of anonymity online had jeopardized a recent investigation. The bank was doing online research necessary for them to comply with the Bank Secrecy Act and Anti Money Laundering (BSA/AML) regulations.

A financial fraud analyst found incriminating evidence on the web page of a business she was investigating. Imagine her frustration when she went back the next day to collect that evidence, only to find it had been removed in the meantime. What happened?

The bank suspects that the subject of its investigation was tipped off to the analyst’s research because web traffic from the bank was hitting the website of the investigated business. This happens more often than one would think, as I’ve learned in conversations with other financial services firms before.

Fully anonymous web access

Having secure, fully anonymous web access would have kept the bank from tipping its hand in this instance. And lacking a solution to accommodate special web access for its analysts wasn’t just jeopardizing the bank’s investigations.

It also put the bank’s internal IT security at risk, because BSA/AML analysts frequently need to access URLs that are considered “high risk” from a cybersecurity perspective.

Why Online Anonymity Is Crucial for Business

Banking is not the only sector with this problem. Law firms face similar challenges. Take practice groups that need anonymous browsing for conducting litigation support research, for example.

Ideally, law firms would have access to a setup where they can browse anonymously while gathering information for litigation support. The legal professionals commonly pushing for these setups do so because they need to conduct online research without getting blocked by their firm’s URL filter. They also need to prevent their web activity from getting traced back to the firm.

Compliance managers, financial intelligence units, and law firms conducting litigation research are not the only groups facing this challenge. Professionals in other fields depend on unrestricted, secure, anonymous web access on the job as well. Cyberfusion centers, corporate security departments, private investigators, and OSINT professionals also need this level of protection when accessing the web.

And just like leading financial services and law firms, they increasingly turn to a solution that has solved similar problems for federal agencies and the Department of Defense: accessing the web through a secure cloud browser.

Where Traditional Web Browsers Fail Your Business

What’s wrong with using a regular browser for this purpose, you ask? Simply put, the “free” and supposedly “secure” mainstream browser betrays you. It’s neither free nor secure.

You don’t have to take my word for it. Check out https://sploit.io, a tool built to see what information is being broadcast about you when going online with a browser installed on your local computer or mobile device.

Did you know what kind of information local browsers such as Chrome, Firefox, Edge, and Safari share with the world? That data includes the browser’s make and version number, your device’s operating system, plugins you use, languages/fonts, your location…

All of these details, together with basic tracking code such as “cookies”, can be used to create a unique fingerprint.

That information is frequently used to identify and target individual end-users and whole organizations.
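To make the fingerprinting point concrete, here is an added example (not code from the original post or from any vendor it mentions) that hashes the attribute types listed above into a fingerprint and reports which visits a site operator could link even though the source IP changed. The field names, the sample sessions and the use of a timezone as a stand-in for location are all constructed assumptions.

```javascript
// Added illustration; attribute names and sample sessions are constructed.
const crypto = require("crypto");

// Attribute types a site can read from a local browser, per the list above.
const FIELDS = ["userAgent", "platform", "languages", "fonts", "plugins", "timezone"];

// Canonicalise the attributes and hash them into a short fingerprint.
// The source IP is deliberately NOT part of the input.
function fingerprint(session) {
  const canonical = FIELDS.map((f) => {
    const v = session[f];
    return `${f}=${Array.isArray(v) ? [...v].sort().join(",") : String(v ?? "")}`;
  }).join("|");
  return crypto.createHash("sha256").update(canonical).digest("hex").slice(0, 16);
}

// Group sessions by fingerprint; any group seen from more than one IP is a
// set of visits that can be linked despite the change of address.
function linkableAcrossIps(sessions) {
  const groups = new Map();
  for (const s of sessions) {
    const fp = fingerprint(s);
    if (!groups.has(fp)) groups.set(fp, []);
    groups.get(fp).push(s);
  }
  return [...groups.entries()]
    .filter(([, g]) => new Set(g.map((s) => s.ip)).size > 1)
    .map(([fp, g]) => ({ fingerprint: fp, ips: g.map((s) => s.ip), ids: g.map((s) => s.id) }));
}

// Constructed sample: one browser profile seen from two addresses, plus a different one.
const analystBrowser = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0",
  platform: "Win32",
  languages: ["en-US", "en"],
  fonts: ["Arial", "Calibri", "CorpSans"],
  plugins: ["pdf-viewer", "ad-blocker"],
  timezone: "America/Phoenix",
};
const SESSIONS = [
  { id: "office", ip: "192.0.2.10", ...analystBrowser },
  { id: "via-vpn", ip: "198.51.100.77", ...analystBrowser },
  { id: "other-user", ip: "203.0.113.5", ...analystBrowser, fonts: ["Arial"], plugins: [], timezone: "Europe/Berlin" },
];

const LINKED = linkableAcrossIps(SESSIONS);
console.log(JSON.stringify(LINKED, null, 2));
```

The "office" and "via-vpn" sessions fall into the same group because nothing in the fingerprint depends on the network path.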

Think about it from a security perspective. This “oversharing” by the browser also exacerbates its built-in vulnerabilities. It enables attackers to exploit your browser extensions and plugins – including those that purport to protect you.

How to REALLY Browse Anonymously

Anonymous browsing tools galore – will they really protect your team’s anonymity when conducting business-critical research?

Yes, you can find thousands of blog posts and articles on “how to browse the web anonymously” on the web. And no, most don’t provide a clear answer.

They suggest a wide variety of approaches, only to then end on a note along the lines of “this is about the best you can do, and you can never be 100% sure.”

Did you end up more confused than when you started? Most of these how-to guides suggest a multi-step solution where several methods are combined to prevent your web activity from being traced back to you.

It seems as if the six most commonly suggested methods are imperfect at best:

Switching to “private browsing” or “incognito mode”

…only prevents the browser from storing your web session’s browsing history, cached web pages, or “cookies” locally.
Because the browser is still sharing your browsing history and other traceable details with your Internet Service Provider (ISP), your web activities remain vulnerable to snooping and are neither anonymous nor private. Let’s move on.

Accessing the web through a Virtual Private Network (VPN)

…protects you when using public WiFi, because it encrypts the connection and makes it harder for attackers to intercept internet traffic. Still, VPN services don’t fully anonymize your web activity.
VPN also does not protect against web-borne exploits, such as spyware infections, and can make larger organizations more vulnerable. And it often is slow – but you likely knew that already.

Misconceptions about VPN are widespread even among IT professionals. If you’re considering it to ensure anonymity and non-attribution for web investigations, I recommend reading this Authentic8 whitepaper about VPN [PDF] first.

Using a proxy service

…hides your originating IP address from websites when going online. It doesn’t protect users against tracking code or malware fingerprinting. Depending on the vendor that runs the proxy server, your IP address and web requests may be stored and sold to third parties who aggregate such data. Feeling anonymous yet?

Installing browser-based anonymity or privacy tools

…can shield your online activities to a limited degree from tracking or malvertising on the local browser. Paradoxically, such browser extensions also can make it easier for third parties to find out who you are, what you’re up to, or to launch an attack.

Another downside is that plugins also compound the inherent vulnerabilities of the local browser, especially in business IT environments.

Browser plugin user data can be sold to third parties and used for deanonymization. Attackers frequently hijack plugin developer accounts to push malicious “updates” for add-ons. Are you willing to take that risk?

Using “privacy browsers”

…won’t fully anonymize your web sessions either. Most of these “secure” browsers are derivatives of popular traditional browsers that are tweaked to enhance online privacy protections.
That means they still process – potentially dangerous – web code on your local machine and don’t provide professional-grade anonymity.

They have been outlawed in some countries and too often get blocked by certain web services. This makes them even less viable for professionals with the need for conducting anonymous web research while abroad.

Avoiding public WiFi

…is also a – surprisingly common – suggestion. So we’re supposed to cease work when out and about, at the airport, at a coffee shop, or when connecting from the home office? Seriously?

To be fair – some of these methods can be useful for browsing mostly anonymously, as long as we keep in mind that none of them were built for this specific purpose. For business-critical and compliance-relevant use cases, however, cobbling together a mingle-mangle of tools that keep you mostly anonymous isn’t enough.

In the age of remote work, enabling secure, anonymous web access becomes ever more important, because IT doesn’t always control the network or machine employees and contractors are connecting from.

*** This is a Security Bloggers Network authored by Kurt Cunningham.