
Anonymize Me: A Technician's Guide to Hiding from the Internet

BSides Charleston · 2016 · 52:16 · 519 views · Published 2016-11
Style: Talk
About this talk
Title: "Anonymize Me: A Technician's Guide to Hiding from the Internet"
Speaker: Ralph Collum (@Optimus__Prime)

Ralph Collum is a certified information security, risk, and compliance professional with over 8 years of experience. He currently holds five industry certifications in security: Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Hacking Forensics Investigator (CHFI), CompTIA Advanced Security Practitioner (CASP), and CompTIA Security+. Mr. Collum specializes in I.T. training and consulting for Training Concepts in Columbia, with a focus on information assurance and software infrastructure management, risk management and vulnerability scanning, penetration testing, group policy content development, and remediation strategy development. His goal is to secure companies by educating them on the methods used by attackers, identifying vulnerabilities, and mitigating issues through appropriate levels of awareness and security. Ralph now teaches a variety of classes at Training Concepts in Columbia focusing on Information Assurance and SharePoint Development.
Transcript [en]

Welcome round. All right, we go. So you'll have to excuse me, I'll tell you right out front, everybody that knows me, is taking classes for me at Training Concepts: I'm very loud, so you'll be able to hear me way in the back, and sometimes I get extremely energetic, so hopefully, whatever kind of recording is happening, I won't bounce around too, too much. So that's my information if you want to hit me up on Twitter or send an email after the fact, if there's something you want, maybe the presentation; got a lot of links in here. So let me tell you about myself. Obviously got that little intro there, but I've been doing this training for about ten-plus years now, and so one

thing I love about training is kind of transferring knowledge: things I know might be something you don't know. So the idea is, one thing we're all in is figuring out what's the not-knowns, right? And so I like to do that; I push it a lot to a lot of classes. Now obviously my focus here is on information security, so, you know, usually if I'm not in the classroom doing some training I'm, you know, doing some pen test or vulnerability assessment or audit or something like that for a lot of the businesses in Columbia, South Carolina. So also do SharePoint, a lot of apps stuff as well. Of course you mentioned olas Columbia; that's one of the groups

I'm co-organizer of with Franco 2g, and also ColaSec member, which is basically kind of a hackerspace there in Columbia, South Carolina. We focus on wide variety of different generalistic type of security things too. So as well as certificates: I didn't want to list those, because for me, certificates anymore, and doing this so long, it's more to help anybody that takes the classes so that they can kind of further their career. That's what I'm interested in; that's the only reason, other than I have to take the certificates and certification in general. And then of course gadget and technology enthusiast. So this we're going to look at today, a lot of

things, and some of the things, if you go to the two o'clock, search going to be there as well, are the two o'clock presentation, so you'll see some kind of lead-over here. I didn't know how the internet would be, so I planned accordingly, so I'll have a little area there. If you're connected to your laptop right now and you have a good connection, then these are things you can look up, or you can write them down and kind of check them out later. But this is what we'll be going over right through the session. So if you don't know, raise your hand if you have not used the internet, right? Hopefully, oh my goodness, hopefully

everybody has used it. It's a great place to go to do a lot of... So a lot of people use the internet for online marketplace, I mean eBay, Amazon, you pick it; there's lots of uses of that. I love it, to be guilty of that. It's a great place to connect with others. I have friends and/or family that are dispersed and they're not all on top of each other, so the only way you can do that nowadays is the trini thing, right, be on Facebook or Twitter or something like that. So it's good for that kind of stuff, if you use that kind of stuff, as well as things like Reddit, right? Who doesn't love

Reddit? So the internet is amazing. The problem here, and as you will see probably coming up in a second, is that privacy is a large concern, or should be a large concern, for everybody. So as we are dealing and interacting on a daily basis with the Internet, we're giving away a lot of information, right? We're using a lot, but we're also giving away a lot. And so hopefully in this session I'll kind of focus on some things you might want to take home with you, and what I focus on here is more practical knowledge. OK, so current threat landscape. Everybody talks about threats. Unfortunate side of events is the assume-breach concept today that we have to

kind of live with, and so we're constantly looking for ways to hunt for threats, we're constantly looking for ways to try to prevent threats from taking foothold into our environment. And of course the keynote kind of bounced onto this a little bit in the beginning today. So the bad guys are winning, a lot of the sad news there, but we are trying to look to change that, right, trying to find new ways, creative solutions, better design, to be able to make sure that that's not going to be the future for us. So that's one thing at least somewhat to kind of go over. And then unfortunate side, as you go through this, you kind of

see and say, well, as more and more people interact online, you know, it's great now and then, there's awesome things about it, but from a privacy perspective you kind of see more and more of this type of threat, where you're just kind of leaving all kinds of doorways open for yourself for possible attacks in the future. And so attacks from, you know, risk like identity theft, attacks like blackmail, extortion, you know, unsolicited selling, a marketplace of your information; it's all out there, and so that's the concern. So what I hope to present to you guys as we go through these slides is a way to start searching for some of this stuff online and kind of opening your eyes to

some of the things and the threats that are out there. OK, so we'll start here. OK, so when you're doing a search, and what I found out through going through and trying to develop this talk is I wanted to kind of take it from a perspective of how can I apply this practically to a lot of different folks. And so some folks might be able to have different levels of interaction that they want to go through and reduce their overall privacy footprint. And so it's got everything: it's got the mom and dads and the family members down to the more technical crowd, and what you can use to kind of remove yourself from the internet. So the first thing to make note

of is the concept there of ego searching, right, or vanity searching is what a lot of people call it. So ideally what vanity searching or ego searching is, is you searching on some of your favorite providers, again I listed a whole bunch of them down here, for yourself, right, and try to find out what kind of information is out there about you. And so some examples of that, of course they mention it here in the slide, you've got putting your name, right, obvious to what that would do, and maybe it pulls back some results, but maybe it's too broad in the scope of the results that you get. So then you start to incorporate, well, phone

numbers, you start to incorporate physical addresses and some of those types of things. So one of the big things that we do a lot in pen testing from a reconnaissance perspective, we want to be able to do like Google hacking, right, but we want to do it and apply it in this regard to ourselves, right, to see how much information is out there and what an attacker could probably use to maybe potentially get a foothold into that information or that company or whatever it is. So that's a key thing to make. Now a note that I want to make sure that I mentioned: as you guys go through and perform some of these activities, make

sure you're not signed on to whatever the provider is. And so a lot of times you'll go to, you know, sign on to your Gmail and then you open up YouTube and you're like, wow, it's still got me signed in, or if you go to Google and start searching Google, it's still got you signed in. So all that stuff is being tracked constantly. So if you're, you know, and again I might be talking to the crowd here, you might already know this, but if you're ever going to do open-source intelligence gathering, you want to make as isolated an environment as possible so that that interaction point is not related or touching you, right? You want to have good

offset, right? And so as a way to do that, make sure you're not signed on to whatever the provider is. If you are, of course you can, I'll show you in one of the slides, you can go, if it's Google or something like that, it keeps track of all your search history; I'll show you a link you can go to and actually clear out your search or start kind of restricting some of the access to that. Also, anybody, hands up, notice the Edward Snowden live stream this week from startpage.com? Maybe not. It was talking about election results and was talking about general privacy concerns with Trump becoming our new president, and so I

really don't have a dog in the fight, but will tell you that hosting it on startpage.com is a good start. If you don't know about startpage.com, what it does is it anonymizes all your searches through Google. So if you're trying to do searches, well, use something that's going to anonymize those searches. Now of course here's another example, up go. So as opposed to going in and using some of these search providers that keep tracking everything about you, maybe start to anonymize that and use alternative sources of searching that are out there. Also another quick thing just to kind of mention here: if you start to find yourself in a position

like this: has been a lot of hacks, a lot of breaches this year, one big one of course the Myspace concept, but you're like, loud, I don't think I have a Myspace account anymore, and sure enough maybe you did back in the day but you didn't decide to go close that account out. So that's another thing to consider, if there are things out there that you should do: you should do some personal grooming. So being able to go to your machine and do personal grooming is the same thing as doing to the internet and doing some personal grooming. And so there's a couple sites I put in my notes to make sure I mentioned here: namechk.com as well as knowem.com. You can go to both of those sites, put in like a username or something like that, and see if it's visible on any social networks that are out there.

So just in case you got a Myspace account or you got a Flickr account or something like that, you might go to those sites and start, you know, getting more visibility into your footprint. OK, all right, so moving forward. Josh will talk about this probably a little bit in his presentation as well: the concept of doxing. And so doxing is really an important concept, because a lot of people that go after and try to use intelligence gathering, or the first part

of the pen test, we use that concept of kind of disclosing and finding out about personal information about employees for the organization. So here they give you kind of just some definitions to consider: doxing, the process of retrieving, hacking, publishing other people's information such as names, email addresses, phone numbers and so on. And so a classic example of this is Ashley Madison, right? So with the Ashley Madison case, 5 500 half-a-million-dollar lawsuits against this organization due to how they handle the overall breach, and so that's a big cause for concern. Of course Gamergate is another example of doxing as well. So from a pen test perspective, in a privacy perspective, really what I'm trying to

get across here is the more information that's out there that's about you, the more exposed you are, right? So that's ideally what we want to kind of start looking at. So as well, before we get into actually doing some of the search and start looking at how do we fix all this mess, it adds to the phishing connotation. So this morning we have in the keynote the concept of phishing and what phishing is. There's so many different types, phishing and smishing and spitting and all these different types of versions of phishing that are out there, but when it boils down to it, it is that level of trust exposure that we're trying to compromise with that

individual. And so, you know, family members or friends or relatives or even colleagues, you know, everybody's going to get a phish. And so we'll look at how to address some of that stuff a little bit later, but if you know sites like Hoax-Slayer, right, that you can kind of point them to, to give them an idea, you know, is that a spam or is it a scam or something like that, that's a good useful thing. Or you can use PhishTank, so if you've been given like a URL and you're worried about this, or, you know, you go to a site and you're wondering if it is something that is considered a phish site, those are

good things to kind of address and kind of know about. And of course, you know, looking for where all the attacks come from; of course we saw in the presentation this morning a lot of attacks are going to, you know, our phishing campaigns are targeting the individuals here in the United States, so that's what that last link kind of goes to. So all right, so when looking at all this, OK, what you're going to find is there's just a lot of sites out there that kind of expose some of the information that's out there about you, right, and how you post things. So some examples of this might be Echosec, right? So if I had a

little demo to show you guys; if you guys ever seen Echosec before, it's pretty neat. They have a free version and a pay version. The free version is very throttled, very limited; however, what you can do is you can type in a geolocation address, OK, and then of that place you can kind of draw a rectangle around the area of coverage, and then you can kind of see all the social interactions that are happening around that area. Now there are a lot of different services that are online that are like this, so mappa Phi's another example that's out there. So what all these sites do, well, they kind of track you, right? So is another kind of a

silly example of that: check-in services that we use that are going to keep track of us tweeting or whatever we're doing, our social interaction; it's going to kind of keep track of that, and then that could be something that might broaden your access. And so an example with that from a privacy perspective would be if, let's say, you're privacy prone but you have somebody that is with you that is not as privacy prone, OK, so they check into somewhere or they say they're going on vacation or whatever the case may be. Well, now because you're understanding that you're friends with that person, they tagged you in something or whatever the case may be, then you can

kind of use these sites to geolocate that particular person. OK, so some of that's kind of scary. WiGLE.net: you guys haven't ever used that site, it's a great place to kind of geolocate Wi-Fi devices. So what you're going to get if you zoom in, you're going to get the SSID, you're going to get the MAC address of those devices that are all around you. Now obviously what we're trying to do there, right, as we go closer there, we're trying to do some wardriving or something like that, where we go up to the facility, we create a fake access point that says that name, and we just wait for the results of that, and then we

pass the traffic on. And so maybe that's a bad guy's thinking of what he could use the site like this for, as well as others. So ideally start looking at some of these to be an eye-opener of what kind of information is around me, so I can better kind of prune some of that information away. OK, all right. So I know, I didn't know what the internet access would be like here, so what I wanted to do is I'm going to take a break from the slides and show you what I would have kind of demonstrated in this particular position. So let me see if I can get this so you guys can see it will

all right. So a couple things just really quick. Photobucket, right? So Photobucket is a service that you can use to send some of your photos off and they can print them or whatever the case may be. Now this is just one example, but probably a similar example would be any other service that does the same thing, right? There's an app for it on your phone probably. When you install the application it might ask you, can I use your camera, can I access your online or your gallery of photos or whatever it is, or maybe you get to the situation where just upload the stuff. OK, so I didn't have a chance this morning to go

off and pull out some things, but what I've seen with this service before in the past is I've seen people's W-2s, I've seen people taking credit card pictures front and back, seen driver's licenses, all kinds of things that you would expect probably shouldn't be on the internet. And how does this really happen? Well, it could happen out of neglect, right, or out of just obvious, just I don't care, or it could be that you install an application that asks you access and it says, well, to make things more convenient we'll start uploading your files to your account, right? So it could be something like that that might be a concern of ours. Now we

might not choose to use that service anymore because how it handles its business. As well as Google dorking: so I picked out some Google dorks to just show off here. The first one there basically is just going to look for pictures to be and the actual site; one of those actually looks at iCloud photos online, the other one looks at DCIM, so that's a usual type of format that we use for most digital photos today. So some of the Google dorking, if you haven't used Google dorking before in your attack methodology, you should definitely look at it. There's some really good indicators of compromise; in fact I probably threw some down here, let me show you. In this one I'll skip it, but

so like for me, if I'm doing some recon on a particular subject organization, some of the things I would use is Google dorking for that. So here's site LinkedIn, then specify the user, or you can go to some of these other sites like ZoomInfo or Lead411 or radius.com and put some other information in there. Now what am I looking for? Well, I'm looking for the format of the email address, I'm looking for the department that they're a part of, I'm looking for additional information, like in this case if they're doing email, are they going to use their middle initial or not, you know, are they going to do first initial last name, where they can do and their formatting

the email, so I can further, when I get to the social engineering piece of the attack, I can have that information ready for me. And so good information, and Google hacking in general, looking for defaults and such, as well as these other services that I mentioned to you guys like Echosec and map fi; all of these services, everything that's a public event through a meet-up or Twitter or some of those types of things. Even using things like tweet path, right, you can find out if somebody is actually geolocating some of their tweets and stuff like that. That might be useful information to know, especially if you are with that person a lot or they build

relationships with you and they kind of always are giving out their information. So that's a lot of the geolocation side of things. Let me jump back in here. All right, so people searching is another thing. When I went through this process I wanted to be able to find all the various different sites that have information about me online, and by gosh, when I started going over this list it was a tremendous list. OK, so, you know, services like Spokeo or Pipl, you can find a lot of information about yourself on these sites. Now of course the nice thing is they're kind of centralized, so they will point you in the direction to who the source is, to where that

information is coming from. OK, so, and then of course a little bit later we'll talk about how do you get out of that, right? So you're going to start seeing like things like, that's creepy, stuff like pictures of your house; you're going to start seeing how much your house costs or what you pay for it maybe; you're going to start seeing things like phone numbers, email addresses, everything that is in the recon package, right? So all of that stuff is visible, right? And to the down degree of some of this, we'll see that even things like Amazon wish lists are off the actual limits here in that regard. So there's lots of information out there on the internet

about your birthday, stuff like that, other things. OK, I think that's about it; a lot of things there. So searching for some more, right? So when I started going through this I was like, well, maybe I want to be able to find a particular person's phone number; I want to validate that phone number, that individual's. So there's lots of services out there as well that do stuff like this. So ideally we just come in, have somebody's name, and you would try to discover the phone number. Some of these services actually let you discover things like cellular phone numbers, or if it's coming from a cellular carrier, some of those types of things, give you previously known phone numbers of

individuals, so they're great at tracking down people. As well as addresses: so now you can kind of further creep a little bit more into how much information out there from my physical address is out there. Now what you'll find is you'll find a lot of your physical address, your phone number, all that stuff just out there on the internet. So again, a lot of cool stuff to discover there through that process. And so all of this, you start saying, this is a lot, I want to start removing some of this content, so how do I do that? OK, so the first one's kind of obvious, right: stop giving out your information, right? When the earth account they don't need

my email address, right, they don't need my phone number. And so consider that the first step, right: stop giving out your information. Second step is the one that's probably maybe the hardest for some people, I guess, maybe unless you know how to deal with it, is the every place you go, you want to save 10 cents on diapers or whatever it is, you've got to have a loyalty card for that, right? So ideally what you do with that is you handle it by doing either giving out false information, right, we'll talk about that a little bit, or just not filling everything out, right, as far as that profile is concerned. So don't provide, do not provide accurate information;

it's an excellent way to do it. You could also do disinformation, so if in this case you want to give out some information, maybe give it in the case that it's not linked to you or linked to a specifically straight your information. If you have to remember things, consider things like reversing the day in the month in the year, some of those; give a fake physical address. Also you can use post office boxes, right? So a lot of what we do is we try to separate ourselves from direct contact whenever we're trying to increase our privacy; that's a way to do that. And another example for that is you could use anonymous email address. Anybody heard of

sharklasers.com? So what sharklasers.com will do is it lets you create basically an anonymous email and you can sit it there right there in the web browser, so if you want to download something or something requires your email address, give them an anonymous email, and then if it requires you to actually confirm it, it'll come right there into the window where you can confirm it. But it's not linked to you, so it's kind of separated from the actual direct contact. OK, you can also use some of the email forwarding services listed here. Ideally they're just trying to clean you up, so they're not going to be perfect, but if you're trying to reduce things like spam or you

try to get that mailbox back to a workable state, then you could use some of the services there. Plus as well, some of these email forwarding services can basically set it to where you are proxying the request through this particular service. So what that means is, kind of like Craigslist, right? So on Craigslist it's got an email and somebody can click on that email to ask you a question. Well, it's not your real email, so it goes through a service, converts it, and then jumps back to your account, and that way, providing that new unique layer of abstraction is very useful from a privacy perspective. OK, as well as also things like implementing some measure of anonymous

calling, right? So maybe you don't give out your real phone number; maybe you use an isolation method of that, maybe you give a friend's phone number or you use some type of Wi-Fi calling service; use something that kind of separates yourself from that physical number, right? That's huge as well. And one of the things that my colleague will probably talk about at two o'clock is building out an anonymous profile, right? If you're going to do that concept of disinformation, you've got to have some information to give, right? So a good site to follow there would be fakenamegenerator.com, and you can kind of create yourself a unique identity. As far as rewards cards go, again the downside here is everything

that you give it information-wise links back to you, and so this is really good if you can give an anonymous email address, right, it's not linked to you. So use that: if they have to have an email address, give them a fake one, right? If they have to have a phone, maybe give them your anonymous phone number or give them your Google Voice or something like that; don't link it to you. Now one of the cool things that a lot of places are now doing, of course you see it in CVS, you see it at Best Buy, you see it at Toys R Us, you can actually go in store, and if it's like a coupon, if that's the

argument, that I don't get my ten dollars off my hundred-dollar purchase, you can go in store and actually scan the card, which is again not linked to you, and then get all of those, you know, coupon codes or whatever it is. So do keep that in mind; there's a lot of opportunity here to do that concept of disinformation. OK, so again, how do we protect ourselves, right? Keeping that motive moving forward, one of the biggest, and I could have probably put this into several slides, is you've got to have a good baseline. OK, so I took it on myself to try to give you some examples of kind of what looks like a good baseline, and if

there's nothing else, there's something that you can take away from this. So the first thing is have an antivirus solution. So again, there are too many antivirus solution vendors out there; doing pen testing I've seen some of them falter a lot and some of them do a decent job. So again, but you're better suited to have something to protect yourself than you're not, right? And it's available on all platforms, so you can use Clam, maybe you can use, I don't know, Symantec, whatever your choice is. I will mention there is a great site out there, av-comparatives.org, that you can go to, and they do third-party-wise rigorous testing on different solution providers

and they kind of rate them, so every so often they'll give you a report on how well antivirus is doing. OK, for operating system and application updates: so the thing I usually follow is if I'm not using an application or haven't used an application in a few weeks, is gone, right? There's no reason to have it on there. Ideally, like everybody else, there might be something, one thing that you have to hold on to because this does this one thing you do every six months; I understand that. But if nothing else, try as best you can to keep it updated. So if you guys haven't heard, there's some great sites out there like Ninite; if

you're ever building PCs, a great place to go to directly access an interface with just the installs, versus having to go to somewhere like MajorGeeks or somewhere else that it's got all these links and you're like, which one do I click, there's a thousand different links in here. So it makes it a little easier, and they even have an updater tool, so if you install Ninite and you install the packages from Ninite you can actually keep those programs up to date. So keep them up to date best you can. Another example is BrowserCheck from Qualys. So we, I mean, everybody's, you know, vulnerable to different types of browser extensions, be it, you know, JavaScripts are

asking me, Java, Silverlight or Adobe Flash, whatever it is; you can go quickly to this site and you don't have to download anything, you just do a scan right there and see if any of your plugins or your system is out of date. So the more we can keep up to date; again, you look at the Verizon data breach report, that was a big problem for a lot of organizations, keeping up with patch management, configuration management. So using those tools to your benefit definitely goes a long way. Another consideration to make as well here: safely removing cookies, right? So the problem with cookies, local shared objects, right, so you've got them everywhere, right? It's not browser just

cookies, right? You got Flash cookies, you got Silverlight cookies, you got all these various objects that are stored all around the machine. What can we do about it? Well, we can use tools like CCleaner, right, as a solution that goes through across browsers, because not everybody uses just one browser, as well as looking at some of those local shared objects and removing some of that stuff. BleachBit if you're on Linux, right, so you can do these different options. Glary Utilities has some good options here as well, as even maintenance that you can use with that particular tool. OnyX as well if you're on a Mac, right? So there's lots of different options out there to

get rid of some of those cookies. Choosing a better browser: don't use Internet Explorer, I mean obviously nobody really does for the separate work, right, but use something like Firefox. There's lots of good plugins out there for Firefox; it's my favorite. I used Chrome for a while, and again I kind of go back and forth between these two guys, kind of love-hate, but definitely with regards to these, look at some of the tracking and the providing options for control there in that regard. OK, you can also use things like TrackMeNot, right? Anybody used that before? So it gives disinformation out on the browser, so when you do a search it doesn't

automatically interpret what you're searching, it just feeds it information. So if it's keeping some information, our goal with TrackMeNot is the concept of just providing extra, extra noise as we go through our searching process. Firefox extensions: I just kind of picked a few out here. Ghostery is a good one to kind of keep track of what cookies are going on. Also this Disconnect is a very useful tool here; there's a feature of Disconnect that you can actually do Disconnect Search that will do an anonymized search right there for you. You can use Blur to blur out your credit card details and your credit card information. Of course NoScript or Privacy Badger, all of those are really

good. And of course I mentioned you guys I would take you guys that part where you can track what Google is tracking on you. OK, really quick, just to show you guys what I would demo if I had some more time; there's some extra stuff in here. So get a VPN service, right? So there's tons of them out there; I just listed a couple: IPVanish, Private Internet Access, proXPN, TorGuard, TigerVPN. Lot of days, use HTTPS Everywhere, so if you ever know what the man-in-the-middle attack does, or if you, excuse me, I was going to think, sslstrip, it's going to strip away that HTTPS connection, try to make it

HTTP so we want to make sure that we're using if there is a version of HTTPS out there we're using that right verse right of the page a full disk encryption can't say enough about that of course on the Mac you've got FileVault on Windows you got BitLocker but then there's other options out there for containers using something like VeraCrypt so you can use something like that as another solution for protecting that ho space machine additional plugins Web of Trust used to mention now nobody mentions it right got pulled out of the Firefox browser plug-in section because of the way that they were handling privacy practices and that's the problem right you got all these cool things that focus on privacy

look at Adblock Plus right now they're starting to sell off to the highest bidder right so you got to find measures of change right that's what's going to happen in security in general so using uBlock or you ball community is a better option than something like Adblock Plus not going sure there we go right exactly right um so yes yes

sure

yeah definitely uBlock Origin I'm sorry for Facebook activity again just go look at what you've got here as an option just it's kind of alluded because you've got to go all these levels deep to be able to find where you clear it out how you control some of the settings and that's why a typical user is probably not going to do that right they're not going to go the extra mile that it takes to go through all those little layers that it takes to get some of this stuff out we'll talk about ways to address that in a second also one thing that just a no is the knots not on me if you're in web

applications you know what what kind of stuff you're sending out to the application server that can identify you so it's a way to kind of take that away a little bit and not help them to identify what internet browser you're using and what operating system you're using you can use something like the User Agent Switcher right to kind of tell them you're in some version of Linux when it's not Linux or something you're using something else right disinformation is the best way to go and I mentioned TrackMeNot there's obviously some privacy filters here a lot of that stuff's going around if I see the Black Mirror season 3 on Netflix right now there's a super creepy episode

there which is the the third episode of season three and it deals with obviously the ability to kind of turn on the webcam turn on the camera in some of those and now with today's malware it's not just as simple as looking for the light anymore okay so some of those types of things there OverSight is a pretty cool tool if you haven't used it before if it's on a Mac and it tries to access your camera or turn on your internal microphone it'll pop up a message which is pretty neat right active kind of a host of detection Little Snitch if you're on a Mac Great Firewall if you're on Windows so something make me like ZoneAlarm again

the Windows Firewall is decent you can add a lot of rules in there but you need a firewall to protect you and then LastPass right is in here as well just having some type of a password manager is a great way to fix the problem with reuse of passwords right you know I don't care what version to use just use something because something's better than nothing right okay you have a question I'm sorry no this one asked you a strawberry your limit um strawberry sure thanks I appreciate that thank you very good i know i'm gonna try to respect your time and we'll keep going here so Windows 10 is a mess right everybody

agree that right so with privacy and again I hope nobody works for Microsoft sorry anyway so Windows 10 is a you know a lot and then just put as much as I could on this one slide because there's so many areas of interaction that Microsoft sends out right it just keeps some invasiveness right so things like location tracking feedback you want to get Microsoft Wi-Fi Sense who thought that was a good idea right and so those types of things I just can't understand Cortana listens to you all the time right so you know turning stuff like that off again there's a really cool tool i'll mention here O&O ShutUp10 now again I

can't condone this tool because again I haven't looked at it far enough but it is a tool that kind of does all this stuff for you right so if you don't want a hassle with going through all the different settings changes if you want a simpler version just kind of as a bar to slide over to turn on each one or turn off each of these things you can do something like that okay but even you know it's just crazy and this has moved a lot of people onto different platforms because of the mess that what Windows 10 is kind of caused so what are some other things that we can do so don't forget to sign out that's a big

one obvious one I wanted it to be more practical for moms and pops as well so again you know teaching as long as i have i've seen students that log on with their Gmail account and maybe just walk out and not remember to sign off something like that or they'll leave there you know and their desk just to run down to the restroom or go get a drink or something like that and not lock it out so those are simple type of things that you can do even at home right is it becomes habit it just becomes habit so do that turn off devices not all about in the news and so that's a good one anyway same thing with

the internet I mean in general that's a good practice to follow secure file deletion right so by default everybody should know Windows does not when you removed from the recycle bin does not get rid of everything right so you got tools like Recuva that you could run and see if you can recover some of that stuff that's been removed so definitely find a good way to you know get rid of stuff Revo Uninstaller anybody fans of that I love that tool so if something's embedded in the registry real good or you can't find out exactly how to get rid of something it's a real good tool for uninstallation as well as Decrapifier right you get these laptops today they

come with all these fancy trialware bloatware what are going to call it so using tools like that to kind of remove some of that stuff's good one thing i thought about that as i go passing through this anybody like portable apps right they're amazing so you can run portable apps just walk wherever you are that way you don't have to install the application right there on the computer and you can even do certain types of application virtualization put those on there as well and that way you know again same thing you just plug it in you don't have to actually install it onto the actual disk unchecking for default installs right how many times you've you

installed something and it's try to install either changing your browser settings or changing your search provider installing some more crapware whatever it is so using something like Unchecky to do unchecking all the boxes as you do the installation a secure drive wiping so using things like DBAN or using something like KillDisk right those are really making sure that you don't have like a few years back with the Stanford students when they got the Xboxes from GameStop and we're able to pull off the credit cards that were stored on the drive so you want to make sure you're killing your drives doing appropriately write a note Mr. Robot fans right so yes lots of good stuff

there you can pull off drives cloud services like SpiderOak so if you are using cloud storage providers again the sentiment of these is that you are the product right everybody knows that should know that and not really the customer and so a lot of the you know the weight that weighs heavy on a lot of people from a privacy perspective is they don't offer zero knowledge right and a lot of k so we use services like SpiderOak and they do take a zero knowledge approach to the information that they are you know having so a lot of good things there from ways to protect yourself again I realized a lot of stuff a lot of stuff right so then I

want to focus on smartphone privacy now I took the approach to the fruit right product Apple obviously Android would have some of these same kind of settings that you would want to customize but again the problem with these devices today they're making for convenience right and I keep adding all these new features which are amazing but the downside to some of those features is they can leave yourself exposed and so what I wanted to do is just take a second here and kind of look at that now I my notes of course I have a couple links to things like Apple's iOS pause the privacy policy which I recommend everybody read also the FCC smartphones security checklist

again it's a good thing to follow if you're trying to make sure you're at least a baseline of what you would expect from a privacy perspective so anyway just looking at these you're like oh my gosh Apple is amazing at tracking stuff right same as Microsoft is or Windows is so you can see how advertising limit your ad tracking go through some of your phone here and you'll see some of this stuff just turned on just amazes me so looking at your apps and controlling what access your apps have to things like your camera why does that app need access to my camera why does that app need access to my location all the time some of those

types of things I usually look to say never in most cases if I can if it says that it will always need access and it won't let me choose to only when the app is loaded I will say no I'm sorry so those types of things you have to make an account for what you're willing to sacrifice a little bit apps that use your microphone apps that use your photos mean just stuff that is just kind of scary right how about that next to last one right your Wi-Fi and that's the same thing with all devices a lot of times if you connect somewhere like free Wi-Fi or whatever it is it always just connects right and so everybody that does pen

test knows that and so you can use lots of different tools out there to scan for people that are looking for networks to connect it right and connect such so again the whole cloud methodology and some of that stuff there's also three and privacy filters that you can apply there's just a lot of options we can do now I made two slides just because there's too much stuff right so how long does it keep your messages look at using secure messaging applications Signal whisper ChatSecure Cryptocat there's lots of solutions out there that you can use and even for your mail so look at using something like ProtonMail right so Safari there's again a lot of things

here does a you know default wise from a search engine perspective cookies perspective blocking pop-ups is obvious who thought it was a good idea there's store password right and so again we don't really know how they are using that information course clear all that information out now unfortunately I ran out of room so here's some other stuff just to kind of have at it so the Blackphone is not doing as well but I do mention it here if we can find a way to get just a plain phone nowadays and then kind of looking to kind of lock it down instead of having all this bloatware and other stuff that's added to the system

again that's a good option even though you have to pay for it a good bit with the Blackphone to turn off Siri so one of the things here that I think is it kind of silly about Siri is you can tell Siri to basically go to airplane mode and then if you're trying to remotely connect to your device because someone stole it you can't get to it right same thing with the control center right I put that probably somewhere in here as well you can flip that control center up somebody who saw the the commercial with the guy that couldn't get onto the phone so he went to the control center and he started taking all

the pictures so he loaded up the whole storage of the device when his friend came back he had all these photos that he had to go through and delete off the device so this it's a trick you know it's funny but it's serious in the same regard so there's lots of things here that you can do auto lock out so obvious one keep it up to date as much as you can um just so many different things alright see here okay so parental controls right again judging from the crowd I don't know how many have kids or don't have kids or maybe you just want to kind of control your roommates right they do some crazy

stuff after all and maybe they're using your stuff right to do that crazy stuff so you wanna have a little bit of control things like K9 Web Protection or have a content filter in place you know those are good solutions to make again if you can you can afford it and you can put it in place I mean having a pfSense firewall or small box that you can run pfSense those are all good solutions as well if you can add some of that content manageability inside there there's also just being a dad myself found a lot of different apps that are out there that can control screen time stuff and even Internet devices now that you can

basically go things and do things like pause the internet you can set restrictions to a time windows when the internet is available or not so you can do a lot of cool things today definitely those are good and then also privacygrade.org so there's lots of sites like PrivacyGrade basically what it does is it looks at the apps that you install and it gives them a rating based off of privacy who doesn't want that right because we're an app generation we're always installing lots and lots of apps and you might not know exactly what those apps do obviously implementing something like OpenDNS great content filtering mechanism and a

great book for any parent out there that's trying to get a handle of some of this stuff what the kids do Outsmarting Your Kids Online right makes sense so anonymize networks another thing to consider oops I think I shall pass one sorry controlling spam so there's a lot of things you can do so for the first thing why don't we want to click on unsubscribe right here right I think it's maybe kind of obvious right by responding to something like that to the email you're giving that positive confirmation and not only the rate at which you do it as well as an important factor to it so a lot of times of the people that push out a lot of that spam

they don't care if you unsubscribe or not now so again I understand it's a part of their policy that they have to follow that and that might be true but a lot of times it's not right so a lot of that is extra effort that we've now gone through and confirmed ourselves not only confirmed ourselves but now they can sell our information off this is a real account live account and they access they are very interactive with this account so again be careful with doing stuff like that because of what it entails now another thing here limit the sharing of your email address again don't use your real stuff right it is far as I'm concerned your email address

should not have something that's recognizable by somebody that is gonna know your name so not to say that you're going to create a very crafty email address that is going to be offensive to anyone but you want to do something that's not linked directly to write obvious so if you have control over that try to do some of that and then in this case if you do maybe in this case you use an email service that's not that you pay for right something that is not free because again like I said back at the concept there is if you're not paying for it you're the product right don't post your email address on websites this

is a hard one for a lot of companies right any time I do a pen test if I'm doing recon first thing I do is spider the site try to find emails right or go on LinkedIn try to find emails and so a lot of times I as a company if there's not policies that govern some of this like acceptable use is not really a way that in this case we can enforce something like that from an organizational perspective so we have to consider that for own personal use right just don't put your real email address out there things like use a disposable email of course there's another site I mentioned Sharklasers to you guys

earlier I use that a lot of my classes because we'll do a lot of trial software's like Nessus or something like that and we'll have the students go through and use like a fakey message I mean again just so they can kind of try out the software other things they're reporting spam don't click any of the links be careful with the links you can instantly just copy a link right there from the email go over to VirusTotal go to the URL thing so it can scan the URL from another third-party versus having to click on it right it's always a better practice to do something like that watch out for check boxes and of course there are some

spam filtering services you can use kind of proxy out your mail anonymize networks a lot of things here of course the Tor project I2P the idea of using these networks everybody thinks these networks are we and in ugly and stuff then it's dark net whatever it is everybody does illegal things on these but a lot of times it's just privacy prone people that might be using these networks now I2P is relatively or not related new but it's not as used as much as the Tor project as far as I can tell but either one of these solutions really good and I also want to bring your attention to privacy browsers so Epic I

don't know if WhiteHat has theirs anymore it was called Aviator also Browzar all of those are browsers that are focused on privacy efforts so not having to go through the effort of and the Firefox settings changing everything from a security perspective now I like that because it's a lot more hands on but everybody's not going to like that so using something like Epic browser might be a better option for you in that case also use proxy lists right so if you've got tools that you can use like ProxyChains or something else find a good proxy list that's anonymizing your traffic and then maybe that's an option as well a lot of VPN sites also

produce those a proxy list for free to use so any of that type of stuff that kind of anonymous some of your network connections as well as operating system so Qubes OS Qubes and Tails both of those solutions are really good from an anonymized perspective from a privacy perspective so they're not going to be tracking everything something like a Windows 10 would a lot of good stuff with Tails Qubes is a little bit newer I guess in regards to that but both of those solutions really good and then Sandboxie amazing application virtualization you can do for sandboxing on a Windows based system so if you want to have our get back a little bit more

control of the applications that run in Windows you can get that now of course Microsoft is trying to do this now with a lot of their micro virtualization that they're doing and things like Windows 10 but again a lot of people are very weary of Windows 10 in its virtualization and was speaking a virtualization that's another layer that we can add there from a protection perspective as well so credit card information sharing a lot of information here and controlling it so prevent that pre-approved junk mail who doesn't get that crap right thirty thousand dollar loan I just go ahead and take it to my bank right and so those are the types of things that concern me

so here you can go to this particular site you're starting to get some of that mail and you can opt out online for a small period of time but then opt out permanently if you go ahead and do it through mail so some of those services get a free credit report that's your right and so you can do that and all as well as you can place a fraud alert for 90 days or place a freeze I don't know but I think the state of South Carolina is free to do that yes okay perfect so those are good options and then get reusable reusable credit cards right so you get them at Walmart

wherever some places let you even pay cash for these reusable credit cards so the idea there is it's not linked directly to good

good to know yes absolutely but try and try those toys options are always good options to follow if you've heard of privacy.com very cool site again I don't know if it's open invite or not but basically what it does is it creates temporary credit cards for every online transaction that you make in that pretty cool so those types of things kind of like Blur does a little bit with your credit card but even if taking it to the next level those are cool services that you can start to use for anonymizing yourself a little bit further okay social media so again this is probably a stab in the heart so to speak for a lot

of this yours this generation so ideally social media I understand it it's awesome right I use Twitter literally on a daily basis I really do enjoy it a lot but if it comes down to the point between yourself and privacy and looking at the concerns of some of that how how how invasive these particular types of technologies and these services are is out of control so I'm always having to go into my Facebook privacy policies and privacy settings and make sure they're not turning some new feature on right so that's kind of a pain in the butt but it definitely is important go to the privacy settings at the first step you can also go into Facebook under your

settings a lot of times people will sign on with their the apps that they download with Facebook so that's always a bad option right it's convenient option but it's a bad option because now you're giving that particular application full certain controls over your account so you can go into the settings under apps under Facebook and if it's been a while since you used an app and signed on with it with Facebook take it on their block it and don't allow it to be able to interact with your Facebook account there's also sites you can wipe out your stuff so you can go in here and you can wipe your tweets accountkiller.com delete me

deleteyouraccount.com both of those sites will take you to the up kill your account page so you don't have to magically figure out where it is on the actual site so all of those are very useful if you're trying to find okay where's MySpace and I need to get rid of MySpace we don't use it anymore how do I get rid of those or Google+ you know maybe in this case you're not a plus.google.com fan you can go there and try to find how to downgrade and not use that particular service anymore okay also I suggest everybody kind of this has been several years since this talk was a you know given at HOPE conference

but Privacy Is Dead Get Over It is a good talk kind of introducing you to what kind of thought behind investigative process is now used in this social landscape that we use today and then another thing is depending on your level of professionalism so like I separate all these accounts if it's LinkedIn if I know the person well enough if it's a good business contact well then yeah i'll add them in a same thing goes with Facebook usually Facebook i'm more reserved on who I allow access but then Twitter it's wide open right if you follow me i'm going to follow you and it's going to be back and forth between everybody so you know maybe setting up

that separation those layers depending on the service you use is another good thing to think about hmm so we need to control ourselves as you can see there's lots of different things that around here so let's look at that a little bit and so most sites today have an opt-out measure and so I mentioned Spokeo i mentioned pipl.com both of those in the introduction so when I went through the process of removing myself from the internet your best option is find a buddy right so you find somebody else with the same privacy concerns as you and then basically you see how much information they can find on you and you find out as much information as you can

on them and then you can go in it like a teamwork kind of thing and that's much funner that way rather than doing it yourself it will be a process I promise you guys getting your privacy back is not a for the faint of heart there is a paid service that I've put my notes to mention make sure I mentioned to you guys that is by abine.com DeleteMe is the name of the service it's ninety nine dollars but again you have to decide is it worth that to go through that go cost of you or is it interesting which I again being a hacker I love those kind of things I like to find out as much as

I can about things I like to go through the process right so here's all the sites and just kind of a lot of different things here what you'll find is that every site pipl.com or spokeo.com any of these sites where they track you sometimes they'll give where they found you from and then you can kind of go to that site and see if they have an opt-out so definitely look at those types of things again Just Delete Me is another good place to go to find where those opt outs are located as well as we have to be concerned about data marketers right so again like I said if you're not paying for it you're the product

right so ideally a one example is the Valpak right if you get mail somewhere you might be getting a lot of those little blue envelopes that have lots of coupons that nobody uses right so you want to kind of opt out of some of those types of services and so here's some great places to go as well as Safe Shepherd is another place so safeshepherd.com will allow you a proactive way to remove your personal information from the internet from these marketing databases so again being that more proactive person is definitely going to go a long way as well as the telephone stuff so if you start to see that a lot of your

information your home phone information your relatives your friends all of that stuff is online and available to you start getting you know you're trying to reduce the amount of spam calls you get or people with no caller ID or something like that you want to kind of remove that you can do some of that here by using some of these types of services also things like simple stuff you can try if you want to not be discoverable if you have to call somebody for some reason you can do the *67 to kind of do the no caller ID or you can use services like spoof my call or Bluff my or not spoof my call SpoofCard or

Bluff My Call to actually you know give it a fake caller ID right something like that huh there you go right that's a good one all right so we're going to do this right we're going to get this done I'm going to wrap it up here in perfect time for lunch and now or any questions so basically the first step of your think first don't give out your information unless you have to but as well as just that also start using some of the search engines to make sure that you're going through and looking for your name looking for your address city and phone number and you can even set alerts to that right so whatever the

alert service you like to use start monitoring some of those types of things as they come online right another example is delete everything you're not using I don't care if it's apps I don't care if it is online services or whatever it is go through the process of your diligence and trim some of that stuff up right so that's an obvious one go and look at some of if you're trying to find how to get out of something you know you've got the opt-out remove opt out with a space or privacy a lot of different alternatives you can use their try to find out how to get out of that right as well as use prepaid credit

cards if you can use cash absolutely go that route P.O. box misspelled or alternative names again disinformation is a large process of a part of this as well as understanding your privacy and how to control some of this so privacyrights.org awesome site if you guys don't know they also have a data breach section that's one of the big ways I keep up on all the breaches that happen is going to privacy right so it's a good place to go in general a lot of good stuff there another thing I thought about I was going to demo it for you guys is looking at how much information is actually required for some of these services and

so don't fill everything out right so don't give them your phone number don't give them your birthday unless they absolutely have to and if they have it disinformation is your best choice there so no phone number no email address no date of birth no physical address or ways to find anonymous or disinformation there is also going to help you along in long term don't blindly click terms of service right that's a big one there's actually a tool called EULAlyzer that lets you go through and look at the EULA for any things that might be of something that could be a cause for concern as you're installing things like applications and then you can make that decision more appropriately whether or

not you want to allow the art so perfect right I did it so i'll leave this few minutes here before lunch to see if you guys haven't closed for sure well i'll give you this one better there you go are any other questions it is it so odd I give you my work email so you can even go after that as much you want or any other questions I don't but if you if you want I'll tweet it out or I'll also be available if you want to just email me directly at that email i can send you a link to it in Dropbox alright thanks guys appreciate you guys coming you [Applause]