Besides IP addresses, how else could one be identified?

Question

OP: I'm curious how else an actor seeking to identify someone online could accomplish this task besides just using an IP address. What methods would they employ? What knowledge must they have of the target? What technology would they need access to?

Edit: Let's break identity into domains and lets discuss each domain then. First, the client's computer. How can an attacker identify a client from his computer? I.E. what is the digital fingerprint they leave behind? (I am assuming that the attacker does not have physical access to the computer. I am inferring what digital forensics from a particular computer are exposed to the web from normal internet use)

Second, the client's cyber persona (all the email, social media and such accounts aggregated). Assuming an attacker can sprawl the web, how can they effectively assemble the pieces of a persona into a whole package that can be used to identify a particular individual.

Finally, trust on the web. Who does the client have to trust to access commonly used services such as Google and Facebook. What are the points of attack that can leak secure information to untrusted third parties.

I've included a picture:

Edit2: After further refinement, we have arrived at a chain connected to a computer user: Real Life Persona and Geography >>> Digital Fingerprint >>> User's Cyber Persona. An attacker shall be defined as an entity that works his way backwards first by aggregating the Cyber Persona linking it to digital fingerprints and from there to the RLPG.

The deepest question can then be broken down into first what access, tools and techniques must an attacker possess to rebuild the user's cyber persona. Second, how can they link that cyber persona to the user's digital fingerprints. And finally, how can both sets of information definitely identify a RLPG profile?

Answer 1

In case of web browsing your software configuration usually provides a pretty unique fingerprint that can be tracked as you browse. Check out the Panoptclick project.

Also every piece of information you post to different sites will contain information about you. For example the time of your postings will give a clue about which time zone you are in even if you don't provide any personal information.

Answer 2

The technology is pretty simple, your system and your browser sends lots of interesting information with http requests. All the server has to do is capture and log those attributes. Some combination of those could be use to correlate requests.

Here's a starting point:

TCP stack attributes

Browser capabilities

Browser cookies

Flash cookies (managed by the Flash plugin, not the browser)

Browser version

Browser user-agent

[Edit] HTML5-enabled browsers can also send a location. It's a browser setting that the user can control (you should check the default of your browsers). Devices with GPS can pull that information and send back lat/lng: http://www.w3schools.com/html/html5_geolocation.asp

Answer 3

An interesting but potentially endless question, even with the edits.

I'm going to assume for the sake of interest that the attacker's capabilities and knowledge are virtually limitless... many of these brainstorming ideas are going to take more than a single person on a shoestring budget.

Computer Identity

Here's a vague list:

• Identifiers for location of host computer - IP address is the obvious one. Below that, depending on what you are snooping and how, I'd suspect you can get low enough to see what path the routing is taking to get a better sense of physical location. Getting far with this approach will likely require hacking some areas of the internet provider.

• MAC address - generally identifies an aspect of the host hardware (like the network interface card) - can be spoofed.

• keys for privileged communication - can't easily be gathered without hacking the other end point, but possible.

• a lot of information can be gained about the computer of the local network supporting it based on how it communicates. Varies by the type of communication, but it's everything from the obvious browser-type that is part of most HTTP commucations (you don't see a lot of UNIX systems running IE, for example...), to more nuances - like the fact that in my experience Windows machines use certain protocols ever so slightly differently than UNIX.

• volume and speed of transmissions is going to give some sense of how the computer is connecting to the net - if you see video streaming for example, you can pretty sure the computer isn't dialing in by modem.

Social Media & Identity

I suspect it depends. Certainly the same aspect that lets us "find friends" on Facebook, Google+, LinkedIn, etc is a pretty great way of aggregating the identities of a given human. How much and what info you can glean from there has a lot to do with how the given individual is using the Net.

I've generally suspected that gaining enough information to generate a fairly accurate list of identities, email addresses, websites/blogs, and other public behavior of a person would be relatively easy. Many folks maintain consistent usernames from site to site, and pictures and friend links make aggregation easier. From there I'd think it's pretty easy to get an idea of a subset of the places the person may work, shop, visit or otherwise interact with, given the blending of socializing, shopping and marketing that is available at this point.

A fairly recluse friend of mine pointed out recently that he'd been "outed" on the internet. While the friend, himself, did not have an account on most social sites, his friends did, and there was no avoiding the pictures of "this is me with X" getting posted around, so that a fairly accurate shadow identity of my friend was formed, without his consent or involvement. He was essentially able to research himself based on what everyone else was mentioning about him. It included things like books he liked, places he'd been, and things he'd worked on.

I've generally thought, too, it would be pretty easy to intuit a person's patterns - when do they wake, when do they work, what are they usually doing when they tweet/post/etc. And glean enough information do a pretty awesome spear phishing attack or other deft social engineering.

Trust

IMO - far too much. Certainly many services can start as a low-sharing relationship - most Net services require an email, and the email may require a phone number. But the way data builds, private data can grow quickly.

The biggest challenge is that once data is shared, it can't be unshared. At a minimum, you need to trust the service, any transmission mechanism, and any cases where the service trusts or depends on an outside entity.

Answer 4

The amount of information we leave behind when using the Internet and technologies originating from it is quite surprising to an average user. I don't think I could effectively cover all of it, but here's some of the knowledge I've gathered from work in ethical hacking.

Le Browser

Fingerprint: A browser (as others have mentioned) has a fingerprint through which a decent amount of data can be recovered:-

• Browser Toolkit (Often the browser itself) with a version.
• The Host System OS Information
• Info on the expected return type, supported compression methods, etc.
• And of course the IP.

Observe two such fingerprints below:-

Firefox: (v22.0)

root@kali:~# nc -lvp 80 
listening on [any] 80 ... 
GET / HTTP/1.1 
Host: 192.168.1.9 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1
Connection: keep-alive

Google Chrome: (v27.0.1453.116 m)

root@kali:~# nc -lvp 80
listening on [any] 80 ...
GET / HTTP/1.1
Host: 192.168.1.9
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

Cookies Tracking cookies are all to famous for me to explain here. I found the two following references adequate to cover the basics of the same. - http://www.prontomarketing.com/files/2012/07/WHITEPAPER-The-Myth-Of-Accurate-Conversion-Tracking-Using-Google-Analytics-Summary-Ver-1.pdf - http://www.postaffiliatepro.com/features/tracking-methods/

Client sided script based tracking Javascript for example runs on the client side, and while it can't open a /bin/sh backdoor to your system or access files, it can request pages, etc using AJAX. Since it's on your local network, it can access intranet hosts. This can have a number of applications that an attacker can exploit depending on exact scenarios (find which router they use, get license keys, access identifying info stored on the LAN). While the exact reference for the same seems to have 404'd, please use the following as a POC reference. http://code.google.com/p/jslanscanner/

Click Jacking Although using things like your camera, microphone or built-in geo location tracking are supposed to require explicit user permission, click jacking is one of the vectors that an attack can exploit to get you to bypass this security measure. Documented uses include:

• Tricking users into enabling their webcam and microphone through Flash
• Tricking users into making their social networking profile information public
• Making users follow someone on Twitter
• Sharing links on Facebook

Offensive Security

Client Sided Vulnerabilities Exploitation Client sided vulnerabilities in browsers and/or browser plugins and/or local software allow a remote attacker to gain browser-level access privileges on the victim machine. Thereafter, any permitted files, resources, global cookies, can be accessed directly. Privilege escalation is also possible to obtain root. Reference: The IE Aurora vuln is a good example of this. http://www.metasploit.com/modules/exploit/windows/browser/ms10_002_aurora

Server Exploitation If the hacker cracks a server that has authority to say use your webcam, then the next time your userID is encountered it is possible to access your resources as per the privileges given to the server by you. Government agencies and ISPs are known to track visitors to sites blocked by them.

Man In The Middle Good ol' MITM attacks can steal sensitive information from users whose cryptographic protocol utilized is too weak (yes, I said it, if your kung fu no good) or if it is absent. This can happen in a local network, a routing point, a tor exit node or a VPN node that has been compromised. I'm pretty sure Google will be able to answer this better.

tl;dr:

There's a lot to cover here, and I'm certain that I've missed out on a major portion of it, but as you can see there is definitely a traceable jet trail left behind if the tracking was implemented as a precautionary measure.

Answer 5

It depends on the context.

Is this just a random Joe Schmoe on the internet? If so they probably use that same username on more than one site you can use google or Spokeo to find other uses of that username and hopefully some social media accounts.

Is this a person who knows how to hide their identity online? If so you probably won't find anything online and it's time to start looking at motive and questioning people. If that person doesn't know you personally and they did a good job of hiding their identity online and they didn't steal or break any of your stuff just let it go man because it's gone and it's not worth it just for internet revenge.

Did this person steal from you? vandalize your websites or damage you in any way? If so look for the person who would gain the most from what happened, start asking questions and involve law enforcement.

Do you own the attacked equipment? If you do look at the http headers and any connections made to your equipment from that person they may have slipped up. You may get lucky and see something interesting that can identify that person or the machine they're on.

Good Luck!

Answer 6

Here is a list of things that can be used to identify you and track you on different websites and such.

• Your usernames (they are not going to be completely different from website to website).
• Your location
• Your browser and the settings and browser version (anything browser related)
• The language you speak (if you visit chinese forums for example, it is easy to know that you are chinese or can speak it or have some relationship with it)
• Your profile image (can't be completely different all the time)
• Your email
• Any cookies you have on your computer
• Your OS version

I didn't include ip because you said except ip.

Answer 7

I notice nobody else has mentioned this one: Evercookie

Answer 8

When you browse anything on the Internet a lot of information is logged:

• Your IP address
• Your location
• Your browser version
• Your user agent etc..

So there is possible way available to prevent these type of tracking

• Use any premium vpn

Answer 9

Given a known email address and perhaps a web site login (handle), you may find significant amounts of information through website searches. For example, people tend to use the same user ID's repeatedly across the internet, and in a recent investigation I was involved in, a known user ID led to a YouTube channel that included a video of a mobile device review, where reflections of the reviewer and also their precise location at the time was revealed during the video. What can be determined varies on a case by case basis.

Answer 10

While I agree to 99% of the answers posted here, I would like to add two words that have not been dropped yet: Behavioral Analysis.

Combine that with the multitude of information-snippets that your browser and your computer leak, and you've got a pretty good idea what is used by governmental companies and institutions to track individuals (beyond the usual user tracking you might know from advertisers and metrics-collecting companies). Practically, all one needs is the correct set of “triggers” and you'll be collecting metadata which will enable you to narrow things down to specific individuals.

Answer 11

There are many factors to this. Randomness is only as good at the time the Internet was not yet designed. Today, whenever a person lay his hands into the keyboard to surf the net, he is "associating" and attaching a part of his personal identity to the network. Thus, it creates a link between your physical identity to the network realm and creating an identifiable "digital persona". This digital persona creates a link of raw information which can be used to identify your "personal identity".

If you are a member of a terrorist group and you dropped a bomb in the US soil, then decided to post it to Facebook by using multiple VPN connections believing you can eliminate an array of trace back, then you're just fooling yourself.

The question of course of how easy OR how hard it is to do the process of identification and verification will vary on three (3) different things.

1. The raw data presented by your online and physical activities.

   a. Timestamps, names, addresses, emails, userid's, passwords, gender, online shoppings, bank transactions, the promo you signed-up in the mall, the search keywords you use and even typing patterns can be used to identify a person's identity.

2. The raw data presented by the machine and external entities.

   a. Timestamps, IP addresses, browser and cache information, chat histories, logs, temp files, mac addresses, digital signatures, machine fingerprint, network path etc. The result of your dmesg contains a unique identifier of your machine's hardware serials etc.

3. The skill-level, motivation and tools of the attacker/person/organization to identify you.

   a. Establishing a link between your physical identity to your digital identity requires skills by the attacker or the organization. b. Organizations can identify and track you down by consolidating the raw data presented above and through the use of advance analytics not including their connections. c. Malicious attacker can craft malwares which can aid in data consolidation and analysis. d. Combining and linking these data, patterns and behaviors will come up with a result that can match a person.

All of the above mentioned are components to identification.

Anonimity can only be achieved through constant randomness. The "anonymyous" remains anonymous because it acts through a multiple persona. It moves. It never re-use connections. It never allow patterns and behaviors for study.