Security through obscurity: How to cover your tracks online

From Tor to steganography, these six techniques will help obscure the data and traces you leave online

Thinking about the bits of data you leave behind is a one-way ticket to paranoia. Your browser? Full of cookies. Your cellphone? A beacon broadcasting your location at every moment. Search engines track your every curiosity. Email services archive way too much. Those are just the obvious places we're aware of. Who knows what's going on inside those routers?

The truth is, worrying about the trail of digital footprints and digital dustballs filled with our digital DNA is not just for raving paranoids. Sure, some leaks like the subtle variations in power consumed by our computers are only exploitable by teams of geniuses with big budgets, but many of the simpler ones are already being abused by identity thieves, blackmail artists, spammers, or worse.


Sad news stories are changing how we work on the Web. Only a fool logs into their bank's website from a coffee shop Wi-Fi hub without using the best possible encryption. Anyone selling a computer on eBay will scrub the hard disk to remove all personal information. There are dozens of sound, preventative practices that we're slowly learning, and many aren't just smart precautions for individuals, but for anyone hoping to run a shipshape business. Sensitive data, corporate trade secrets, confidential business communications -- if you don't worry about these bits escaping, you may lose your job.

Learning how best to cover tracks online is fast becoming a business imperative. It's more than recognizing that intelligent traffic encryption means not having to worry as much about securing routers, or that meaningful client-based encryption can build a translucent database that simplifies database management and security. Good privacy techniques for individuals create more secure environments, as a single weak link can be fatal. Learning how to cover the tracks we leave online is a prudent tool for defending us all.

Each of the following techniques for protecting personal information can help reduce the risk to at least some of the bytes flowing over the Internet. They aren't perfect. Unanticipated cracks always arise, even when all of these techniques are used together. Still, they're like deadbolt locks, car alarms, and other security measures: tools that provide enough protection to encourage the bad guys to go elsewhere.

Close 'n Forget, a Firefox extension, deletes all cookies when you close the tab associated with a site.

Standard cookies are just the beginning. Some ad companies have worked hard on burrowing deeper into the operating system. The Firefox extension BetterPrivacy, for example, will nab the "supercookies" stored by the Flash plug-in. The standard browser interface doesn't know that these supercookies are there, and you can delete them only with an extension like this or by working directly with the Flash plug-in.

There are still other tricks for sticking information in a local computer. Ghostery, another Firefox extension, watches the data coming from a website, flags some of the most common techniques (like installing single-pixel images), and lets you reverse the effects.

The last machine in the path then submits your request as if it were its own. When the answer comes back, the last machine acting as a proxy encrypts the Web page N times and sends it back through the same path to you. Each machine in the chain only knows the node before it and the node after it. Everything else is an encrypted mystery. This mystery protects you and the machine at the other end. You don't know the machine and the machine doesn't know you, but everyone along the chain just trusts the Tor network.

While the machine acting as your proxy at the other end of the path may not know you, it could still track the actions of the user. It may not know who you are, but it will know what data you're sending out onto the Web. Your requests for Web pages are completely decrypted by the time they get to the other end of the path because the final machine in the chain must be able to act as your proxy. Each of the N layers was stripped away until they're all gone. Your requests and the answers they bring are easy to read as they come by. For this reason, you might consider adding more encryption if you're using Tor to access personal information like email.
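The layering described above can be traced in a short Python sketch. This is an added example, not code from the article or from the Tor project: the relay names, keys, and request are constructed, and `toy_cipher` is an insecure stand-in for real encryption so the example runs offline. It shows what each relay holds after stripping its layer, and what the exit holds with and without an extra inner layer of encryption.

```python
import hashlib

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. A stand-in for real
    encryption so the example runs offline; NOT secure, not Tor's cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(payload: bytes, path) -> bytes:
    """Client side: add one layer per relay, innermost (exit) layer first.
    Each layer carries only the name of the next hop."""
    hops = [name for name, _ in path] + ["destination"]
    cell = payload
    for i in reversed(range(len(path))):
        cell = toy_cipher(path[i][1], hops[i + 1].encode() + b"|" + cell)
    return cell

def route(cell: bytes, path):
    """Each relay strips its own layer; record (relay, next hop, what it holds)."""
    views = []
    for name, key in path:
        next_hop, _, cell = toy_cipher(key, cell).partition(b"|")
        views.append((name, next_hop.decode(), cell))
    return views

# Constructed sample data: relay names, keys and request are made up.
PATH = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]
REQUEST = b"GET /inbox?user=alice"
E2E_KEY = b"shared only with the destination"  # stands in for an SSL session

def exit_view(payload: bytes) -> bytes:
    """What the last relay holds after stripping the final layer."""
    return route(wrap(payload, PATH), PATH)[-1][2]

if __name__ == "__main__":
    for name, next_hop, held in route(wrap(REQUEST, PATH), PATH):
        print(f"{name:6} -> {next_hop:11} holds {held[:24]!r}")
    print("exit, Tor only:   ", exit_view(REQUEST))
    print("exit, Tor + inner:", exit_view(toy_cipher(E2E_KEY, REQUEST)))
```

The entry and middle relays hold only ciphertext, while the exit holds the readable request unless the inner layer is present.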

There are a number of ways to use Tor that range in complexity from compiling the code yourself to downloading a tool. One popular option is downloading the Torbutton Bundle, a modified version of Firefox with a plug-in that makes it possible to turn Tor on or off while using the browser; with it, using Tor is as simple as browsing the Web. If you need to access the Internet independently from Firefox, you may be able to get the proxy to work on its own.

An SSL connection, if set up correctly, scrambles the data you post to a website and the data you get back. If you're reading or sending email, the SSL connection will hide your bits from prying eyes hiding in any of the computers or routers between you and the website. If you're going through a public Wi-Fi site, it makes sense to use SSL to stop the site or anyone using it from reading the bits you're sending back and forth.

SSL only protects the information as it travels between your computer and the distant website; it doesn't control what the website does with it. If you're reading your email with your Web browser, the SSL encryption will keep any router between your computer and the email website from reading it, but it won't stop anyone with access to the mail at the destination from reading it after it arrives. That's how your free Web email service can read your email to tailor the ads you'll see while protecting it from anyone else. The Web email service sees your email in the clear.

There are a number of complicated techniques for subverting SSL connections, such as poisoning the certificate authentication process, but most of them are beyond the average eavesdropper. If you're using a local coffee shop's Wi-Fi, SSL will probably stop the guy in the back room from reading what you're doing, but it may not block the most determined attacker.

Online privacy technique No. 5: Translucent databases

The typical website or database is a one-stop target for information thieves because all the information is stored in the clear. The traditional solution is to use strong passwords to create a wall or fortress around this data, but once anyone gets past the wall, the data is easy to access.

Another technique is to only store encrypted data and ensure all the encryption is done at the client before it is shipped across the Internet. Sites like these can often provide most of the same services as traditional websites or databases while offering much better guarantees against information leakage.

A number of techniques for applying this solution are described in my book "Translucent Databases." Many databases offer other encryption tools that can provide some or all of the benefits, and it's easy to add other encryption to the Web clients.

In the best examples, the encryption is used to obscure only the sensitive data, leaving the rest in the clear. This makes it possible to use the nonpersonal information for statistical analysis and data-mining algorithms.
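A small Python sketch of the idea follows. It is an added example, not code from the article or the book, and it makes one substitution that should be stated plainly: instead of reversible encryption, the client replaces the identifying field with a one-way token derived from the name and a passphrase. The class, function names, salt, and customer records are all constructed for illustration. The server keeps the nonpersonal columns in the clear, so statistics still work, while a copy of the table reveals no names.

```python
import hashlib

SITE_SALT = b"constructed-demo-salt"  # constructed; a real site picks its own
ITERATIONS = 100_000

def client_token(name: str, passphrase: str) -> str:
    """Runs on the client. Only this opaque token crosses the network."""
    secret = f"{name.strip().lower()}\x00{passphrase}".encode()
    return hashlib.pbkdf2_hmac("sha256", secret, SITE_SALT, ITERATIONS).hex()

class TranslucentStore:
    """Server side: holds tokens plus the nonpersonal columns, nothing else."""
    def __init__(self):
        self.rows = {}

    def put(self, token: str, region: str, total: float) -> None:
        self.rows[token] = {"region": region, "total": total}

    def get(self, token: str):
        return self.rows.get(token)

    def mean_total_by_region(self) -> dict:
        groups = {}
        for row in self.rows.values():
            groups.setdefault(row["region"], []).append(row["total"])
        return {region: sum(v) / len(v) for region, v in groups.items()}

# Constructed sample customers: (name, passphrase, region, purchase total).
CUSTOMERS = [
    ("Alice Example", "correct horse", "north", 120.0),
    ("Bob Example", "battery staple", "north", 80.0),
    ("Carol Example", "tr0ub4dor", "south", 50.0),
]

def build_store() -> TranslucentStore:
    store = TranslucentStore()
    for name, passphrase, region, total in CUSTOMERS:
        store.put(client_token(name, passphrase), region, total)
    return store

if __name__ == "__main__":
    store = build_store()
    print(store.mean_total_by_region())                               # analytics still work
    print(store.get(client_token("alice example", "correct horse")))  # owner lookup
    print(store.get(client_token("Alice Example", "guess")))          # wrong passphrase: None
```

Including the passphrase in the derivation matters: names alone are easy to guess, so a token built only from the name could be matched by anyone who tries a list of likely names.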

"Disappearing Cryptography" explores various solutions in depth, and my iPad App How to Hide Online provides interactive illustrations for trying the algorithms.


This story, "Security through obscurity: How to cover your tracks online," was originally published at InfoWorld.com.
