
Can You Really Be Anonymous on the Internet?

November 5, 2012 by Jeremy Martin

To some extent, the answer to the question in the title is yes. However, there are many variables to consider. In the United States alone, there are many laws on the books (especially post-9/11) that have enabled “Big Brother” to potentially violate several of the rights granted to Americans by the Bill of Rights. Listed below are just a few of the regulations or budget contracts that loosen the standard of “reasonable search and seizure” covered in the Fourth Amendment, and part of why there is such an outcry over Internet privacy.

  • USA Patriot Act, Title II (Enhanced Surveillance Procedures)
  • ECPA (Electronic Communication Privacy Act)
  • Title 18, U.S.C. § 1030 (Computer Fraud and Abuse Act)
  • Title 18, U.S.C. § 2703 (Required disclosure of customer communications or records)
  • CISPA (Cyber Intelligence Sharing and Protection Act)
  • NDAA 2011 (The National Defense Authorization Act)

There are legitimate reasons why governments want to monitor and control the communications of their populace and/or of foreign entities; intelligence and national security are valid concerns. However, many countries have used those concerns as excuses and have violated the basic trust they had with their citizens. Tunisia, Egypt, and Syria are just some of the more recent countries that have given in to the temptation to over-censor or over-monitor.

The need for some to pass information without prying eyes has spawned many different methods of “anonymous” communication. To understand how people hide where or what they are sending, you need to know the basics of the communication medium they are using; here I am going to focus on the Internet. There is always a fingerprint on every packet that is sent. If all the systems or nodes on a network are monitored and logged, the origin can always be tracked. The challenge with the Internet is that nobody controls everything (even though there is a current power struggle in this area). This means that if you cannot get the logs, you may not get the origin or the original fingerprint. There are several reasons you don’t get the logs; the two most common are political ones and the lack of storage.

During the uprising in Tunisia, the government at the time tried to stop transmissions and effectively turned off the traditional paths to the Internet. Several groups then helped reopen the communication channels by sending dialup numbers, IRC channels, proxy addresses, and VPN servers. Soon after, the Twitter feeds and videos started to stream out of the country again. On the other side of this coin, many people use these types of jump points to download movies, music, and pirated software, or to send out malicious attacks against targets. Even the MPAA has hired people in India to carry out a massive DDoS attack. The hacktivist group “Anonymous” then attacked back, effectively shutting down the MPAA websites. The MPAA then cried foul, but that is another story.

Whatever your reason for wanting to protect your identity on the Internet, there are several options. Proxy servers are one of the most common routes. There are free and commercial proxy servers all around the world that offer access without logging the connections. Some of these proxies offer SSH encryption or even AES-256 encrypted tunnels, such as BTGuard. This makes network forensics virtually impossible beyond knowing which IP address the proxy was connected to.

The TOR community, or Onion network, is another service; it contains thousands of public proxies and thousands more that are not publicly known. With this being said, blacklisting TOR network addresses does not work. The basic TOR client that comes with the TOR Browser Bundle (TBB) even allows you (the client) to be a proxy into the TOR network. TOR does not support BitTorrent, but it does support browsing, chat, email, and other basic Internet services. However, once on the TOR network, others on the same network will know your original IP address.

There are many “secure” live operating systems that you can even use to log into TOR. The first one I want to talk about is Tails. “The Amnesic Incognito Live System” is a live CD/USB distribution preconfigured so that everything is safely routed through Tor and leaves no trace on the local system. This can be found on

The second one I would like to mention is Whonix, “(called TorBOX or aos in the past), an anonymous general purpose operating system based on VirtualBox, Debian GNU/Linux and Tor. By Whonix design, IP and DNS leaks are impossible. Not even malware with root rights can find out the user’s real IP/location.”

Both of these are pre-configured operating systems that will let you connect to the Tor network automatically with little to no work on your part. Whonix is based on two different virtual machines and does require more resources and a running host OS. Tails, if burned to a CD, doesn’t leave a forensic trail on the local hard drive.

The other method to completely hide all your traffic is the traditional VPN. A VPN server essentially hides your IP address because you are virtually connected to a completely separate network; once your traffic touches the Internet, it goes out through the provider’s gateway. The downside is that there is a bandwidth bottleneck. You are also on a network with others trying to hide their identity, and once you are on that network, your source address is known to the other people on it.

Now, from the investigation standpoint: if the logs do not exist, there is no forensic footprint. If the evidence has been tampered with or does not exist, there is no case. If you are not on the same network as those using these services, especially the proxies, you may never find the origin or the suspect. If you are on the same network, or inline between the suspect and the proxy, you may be able to see what is going over the wire if it is unencrypted.
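As an added illustration of this point and of the earlier paragraph on packet fingerprints (example code written for this edit, not from the article), here is a toy model in which each hop (proxy, VPN gateway) logs only its own inbound and outbound sides, so tracing an origin means walking the hop logs backwards, and the walk stops at the first hop that kept no logs. All addresses, ports and log lines are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Each hop logs one line per forwarded connection: the client it saw on the
# inbound side and the address:port it used on the outbound side.
LOG_RE = re.compile(r"^(\d+) in=([\d.]+):(\d+) out=([\d.]+):(\d+)$")

# Constructed sample data (RFC 5737 documentation addresses). A hop whose
# value is None is a "no-log" service: its operator kept nothing.
HOP_LOGS: Dict[str, Optional[List[str]]] = {
    "192.0.2.50": [                       # exit proxy seen by the web server
        "1352073600 in=198.51.100.20:40001 out=192.0.2.50:51000",
        "1352073601 in=198.51.100.21:40002 out=192.0.2.50:51001",
    ],
    "198.51.100.20": [                    # VPN gateway in front of the exit
        "1352073600 in=203.0.113.9:33000 out=198.51.100.20:40001",
    ],
    "198.51.100.21": None,                # no-log proxy in front of the exit
}

def previous_hop(hop: str, out_port: int, ts: int, window: int = 2) -> Optional[Tuple[str, int]]:
    """Find the inbound (ip, port) that `hop` forwarded as out_port within `window` seconds of ts."""
    for line in HOP_LOGS[hop] or []:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than abort
        lts, in_ip, in_port, out_ip, o_port = m.groups()
        if out_ip == hop and int(o_port) == out_port and abs(int(lts) - ts) <= window:
            return in_ip, int(in_port)
    return None

def trace_origin(seen_ip: str, seen_port: int, ts: int, max_hops: int = 10) -> Tuple[List[str], str]:
    """Walk hop logs backwards from the (ip, port, time) the destination observed.

    Returns the path of IPs walked plus a status: 'origin' when the walk reaches
    an address that is not a known hop, 'no_logs' when a hop kept no logs,
    'no_match' when a hop's logs hold no matching flow, 'too_deep' past max_hops.
    """
    path, ip, port = [seen_ip], seen_ip, seen_port
    while ip in HOP_LOGS and len(path) <= max_hops:
        if HOP_LOGS[ip] is None:
            return path, "no_logs"
        prev = previous_hop(ip, port, ts)
        if prev is None:
            return path, "no_match"
        ip, port = prev
        path.append(ip)
    return path, ("origin" if ip not in HOP_LOGS else "too_deep")
```

Run against the first flow the walk reaches the real client; against the second it dies at the no-log proxy, which is exactly the gap the article describes.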

However, you need to be careful of wiretap laws. Not even the ISPs have the right to monitor your traffic without probable cause and, more than likely, a court order. This is a major security threat for companies that want to control all of their traffic: if you blacklist, other covert channels will simply pop up.

It comes down to managing acceptable risk. Going back to the beginning of this article, some laws are being pushed under which wiretaps may become a normal part of everyday life and national security trumps the right to privacy, as it already does in most other countries around the world.

If you are not a member of a hacking group, hacktivist community, or state-sponsored cyber army, you may not have access to a private VPN or proxy. In this case, there are several resources to choose from, but it all comes down to researching the product that is right for you. Here is a list of services that some people use to hide their origin.

  • BTguard
  • Private Internet Access
  • TorrentPrivacy
  • TorGuard
  • ItsHidden
  • Ipredator
  • Faceless
  • IPVanish
  • AirVPN
  • PRQ
  • BlackVPN
  • Cryptocloud

Services that do not support anonymity (log a lot):

  • VyprVPN
  • SwissVPN
  • StrongVPN

What has been covered so far are the traditional methods of becoming “invisible” on the Internet. The hacktivist group that calls itself Anonymous is about to release a new program on November 5th, 2012. The program is called Tyler and is part of Project Mayhem 2012: Dangerous Idea #1. The video just released by Anonymous can be found at “TYLER is a massively distributed and decentralized Wikipedia-style p2p cipher-space structure impregnable to censorship” – anonnews


Jeremy Martin is a Senior Security Researcher who has focused his work on Red Team penetration testing, Computer Forensics, and Cyber Warfare. Starting his career in 1995, Mr. Martin has worked with Fortune 200 companies and Federal Government agencies. He has received numerous awards for service. He has been teaching Advanced Ethical Hacking, Computer Forensics, Data Recovery, SCADA/ICS security, Security Management (CISSP/CISM), and more since 2003. As a published author, he has spoken at security conferences around the world. Current research projects include SCADA security, vulnerability analysis, threat profiling, exploitation automation, anti-forensics, and reverse engineering malware. You can find more of Jeremy's writings & services at