Metadata Attacks

Danger of Metadata

"We kill people based on Metadata"

Metadata generally refers to the relationships between you and the people you interact with: who you contact, when, how often and from where, rather than what you actually say. You and your daughter text each other all the time? Your phones are often in the same house? A huge correlation. You talk to your high school friend every Saturday evening? Also a correlation. If one person in your neighborhood talks to 200 people a day, while everyone else averages two or three people a day? Clearly a very talkative person, potentially even the leader of your neighborhood. Most information flows through him, so if he were removed from the network, information would not flow nearly as well.

Some marines in the Middle East were trying to get a certain village to kick out the local terrorists, and thus make the village safer. Negotiations were going nowhere; nobody budged an inch. They also noticed that one of the locals was generally around, but not talking to anybody. At first they thought he was the village idiot or a bum, but while doing recon they noticed that he had a house like everybody else, so he wasn't homeless. And he had many more visitors to his house than any other house in the village. They realized that he was in fact the boss, but the boss didn't want to talk to the marines directly and sent other people to speak for him. The negotiators they were talking to couldn't make any decisions! That is why negotiations never went anywhere. Finally, having figured it out, they asked to speak to this particular local directly, and they were able to convince him not to give the terrorists safe haven.

In this story, there was a happy ending. In many cases figuring out who the boss is results in that boss being un-alived.

Hide your metadata. Hiding the sender and intended recipient of a message is much harder than obfuscating the content of the message, but there are ways to mitigate metadata attacks. Using different email addresses for different accounts can help reduce potential correlation, but the hardest piece to deal with is hiding your IP Address, which is tied to your physical location.

VPNs and Tor

Your IP Address is the location of your computer on the internet. It is a unique number that your modem uses to connect to the internet, and any website or service you connect to through that modem can see your IP Address. You could create two different social media accounts with different names and different emails, but if they share the same IP Address, those social media companies will correlate the two accounts.
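To make the correlations above concrete, here is an added example (not from the original page) of the kind of link analysis a platform's abuse team or an analyst runs over metadata alone: a contact graph that exposes the "very talkative person" from the neighborhood example, and accounts linked purely because they logged in from the same IP Address. The names, account handles and IP addresses are constructed sample data.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data (not from the original page): who messaged whom,
# and which pseudonymous account logged in from which IP address.
MESSAGES = [
    ("alice", "bob"), ("alice", "carol"), ("bob", "dave"), ("carol", "dave"),
    ("dave", "erin"), ("dave", "frank"), ("dave", "grace"), ("erin", "dave"),
    ("frank", "dave"), ("grace", "dave"), ("heidi", "dave"), ("dave", "heidi"),
]
LOGINS = [
    ("meme_lord_42", "203.0.113.7"), ("alice_real", "203.0.113.7"),
    ("alice_real", "198.51.100.2"), ("random_user", "192.0.2.9"),
    ("meme_lord_42", "203.0.113.7"), ("other_user", "198.51.100.2"),
]


def contact_degree(messages):
    """Count distinct contacts per person (direction ignored)."""
    contacts = defaultdict(set)
    for src, dst in messages:
        contacts[src].add(dst)
        contacts[dst].add(src)
    return {person: len(peers) for person, peers in contacts.items()}


def busiest_node(messages):
    """The person most information flows through: the likely hub or boss."""
    degree = contact_degree(messages)
    return max(degree, key=degree.get)


def linked_accounts(logins):
    """Pairs of accounts that share at least one login IP, with the shared IPs.

    Nothing about the account names or content is used: the link comes purely
    from the network metadata the platform sees on every request.
    """
    ips_by_account = defaultdict(set)
    for account, ip in logins:
        ips_by_account[account].add(ip)
    links = {}
    for a, b in combinations(sorted(ips_by_account), 2):
        shared = ips_by_account[a] & ips_by_account[b]
        if shared:
            links[(a, b)] = sorted(shared)
    return links


if __name__ == "__main__":
    print("hub:", busiest_node(MESSAGES))
    print("linked accounts:", linked_accounts(LOGINS))
```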

You can use a VPN to reduce IP Address correlation. A VPN routes your internet connection through another IP Address before it reaches your intended website or service, and that IP Address is likely shared by many other people using the same VPN.

However, the VPN provider is likely also selling your data and/or providing it to state agencies. NSA security letters written to large companies include a clause that you cannot disclose to customers that their data is compromised. We only know this because one person shut down his company and servers rather than comply. This was many years ago and I haven't heard of a second time this happened. I wouldn't trust overseas servers or companies either.

While state-level attacks may still occur, corporate-level threats are likely mitigated by using a VPN.

There is another VPN-like option that is a little more secure, but considerably slower. It's called Tor.

Tor obfuscates your IP Address by "bouncing" your requests from one random server to another before they reach the intended destination. Each request passes through three such servers, and the response from your intended destination comes back along the same path. While it is possible that some of these nodes are under state control, it would be difficult to monitor or run all of them.
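The following added example (not from the original page, and not Tor's real cryptography) simulates why a three-hop path resists observation by any single node: the client wraps the request in one encryption layer per relay, and each relay can strip only its own layer, learning just the next hop and an opaque blob. The relay names, keys and the toy XOR cipher are constructed for illustration.

```python
import hashlib
import json

# Toy symmetric cipher for illustration only; this is NOT Tor's real
# cryptography. XOR with a SHA-256 keystream derived from the relay's key.
def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes itself

# Constructed three-hop circuit; the client shares one key with each relay.
# (In reality each relay holds only its own key; one dict is used here for brevity.)
RELAYS = {"guard": b"key-guard", "middle": b"key-middle", "exit": b"key-exit"}
PATH = ["guard", "middle", "exit"]


def build_onion(payload: bytes, destination: str) -> bytes:
    """Wrap the payload in one layer per relay, the exit's layer innermost."""
    hops = list(zip(PATH, PATH[1:] + [destination]))  # (relay, next hop) pairs
    blob = payload
    for relay, next_hop in reversed(hops):
        layer = json.dumps({"next": next_hop, "inner": blob.hex()}).encode()
        blob = toy_encrypt(RELAYS[relay], layer)
    return blob


def relay_peel(relay: str, blob: bytes):
    """One relay strips its layer: it learns only the next hop and an opaque blob."""
    layer = json.loads(toy_decrypt(RELAYS[relay], blob))
    return layer["next"], bytes.fromhex(layer["inner"])


def route(blob: bytes):
    """Forward through the circuit, recording what each relay could see."""
    seen = []
    for relay in PATH:
        next_hop, blob = relay_peel(relay, blob)
        seen.append((relay, next_hop))
    return seen, blob  # only the exit ends up holding the plaintext request


if __name__ == "__main__":
    print(route(build_onion(b"GET / HTTP/1.1", "example.org")))
```

The guard sees the client's address but not the destination; the exit sees the destination but not the client; the middle sees neither.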

Tor significantly reduces some threat levels, but do not consider it a complete solution to everything. Remember the correlation attack on the student who was the only one to log into Tor on the same day a bomb threat was called in.

I will explain how to use Tor with a browser in a later chapter.

Using Public Wi-fi

Instead of connecting to the internet using your own modem, you can connect using public Wi-fi and use that IP Address instead. However, there are some things to consider. Every Wi-fi device has a unique number called a "MAC Address", which can likely be correlated with your purchase of the device.

A directional Wi-fi antenna lets you put physical distance between yourself and the public Wi-fi access point, and any cameras associated with its location.

Randomizing your MAC Address and using directional Wi-fi can help against state-level threats, but if all you're going to do is post some memes, then at the time of writing it's unlikely that state-level threats will arrest you unless those memes are REALLY fire, or you are British. So I consider this an advanced topic; for further research, look into the "Kali Linux" and "Tails" operating systems. Less technical people should consider Tails; more technical people with a lot of interest in computer security should consider Kali Linux. [Tails](https://tails.net/) [Kali Linux](https://www.kali.org/)

Directional Wi-fi does not take away from the importance of counter-surveillance. Connecting to an internet dead drop while under surveillance is almost as bad as checking a physical dead drop under surveillance. Physical surveillance and counter-surveillance are outside the scope of this document.

Under severe threat, consider purchasing a laptop for the express purpose of checking a dead drop one time. Use it once and then dispose of it. Expensive, but it removes many of the metadata links described above. Essentially a burner laptop. You can purchase them for under $300 if you know where to look.

Metadata Obfuscation

Assuming you have connected to the internet with an appropriate level of IP Address obfuscation for your use case, the next step is to create accounts on the platforms you intend to use. This means coming up with an alias and fake information to enter into the account creation screen on those platforms. The "Fake Person Generator" will generate a randomized person with a name, address, PFP, the works. I do not recommend using the temporary Gmail account that it provides.

Many websites require verifying a phone number, a two-factor authentication app, or other hard-to-fake identification, but in many cases only an email address is required. For throwaway accounts you don't plan on using for more than one session at your computer, "Guerrilla Mail" is an excellent choice. Guerrilla Mail will create a random email address for you to use for account email verification. However, there is no password protection for this email address, and anyone who knows the address can go to that page and read your email. This is excellent for downloading free e-books that require an email address, so your real email does not get put onto spam lists. I do not recommend Guerrilla Mail for creating an account you intend to use for anything longer than one session at a computer. Tempmail Ninja is a similar service; at the time of writing Guerrilla Mail does not allow sending email, but Tempmail Ninja does.

For creating long-term social media accounts you plan to keep, without correlating them to your real name, I do not recommend the above services. This requires more in-depth planning and, at bare minimum, a long-term email address that is not correlated with you at all. This is outside the scope of this document.
