Blog

IPs Aren't People

Anthony Aragues
August 23, 2017
Table of contents
<p>If you watch a lot of CSI Cyber or hacking movies you might be lead to believe that the IP address is the missing link between an activity on the Internet and identifying who acted. In reality this is rarely the case.</p><p><strong>There are at least 4 common technologies that obscure who is tied to an IP.</strong></p><p><strong>There are many other less transient signatures of a system than an IP address.</strong></p><p><strong>Once a computer is identified it does not always identify who is using it.</strong></p><h3>What is an IP address?</h3><p>IP stands for Internet Protocol. An IP address is an address given to a system for a period of time that makes data routable to and from the system on networks. The IP address creates a mapping that the rest of the network can use to identify and communicate with the system hardware.</p><p>Only a few network devices need to keep the system’s address (known as a MAC address) because everything else uses the IP to communicate. There are 2 major versions of IP in use today:</p><ul><li>IPv4, which has around 4 billion addresses</li><li>IPv6, which has so many addresses that it’s compared to the number of grains of sand on Earth</li></ul><p>IPV4 is exhausted in many ways and has lead to a slow migration to IPV6. Most major networks and devices today support IPV6. These 2 versions are significant because they both have their own ways of being an obstacle in identifying a person by an IP.</p><h3>Why aren't IP addresses easily tied to people?</h3><p>There are a number of things that may be in the way of an IP being useful to identifying people. Some of them were created specifically for privacy. Others were needed to solve limited network addresses available before IPV6.</p><ol><li><p>Virtual Private Networks (VPNs) are used to encrypt traffic between a machine and the VPN so that any untrusted networks in between can’t easily snoop on the data. Most corporations use VPNs, although individual people can also purchase a VPN service or create their own. VPNs are useful for privacy for a few reasons:</p><ul class="bottommargin-sm"><li>Multiple people can use the same VPN at the same time.</li><li>Anything that they interact with while on that VPN will only have the IP address of the VPN - not the systems connected to it.</li><li>Only the VPN can reverse the information and identify the system (if it keeps logs).</li></ul></li><li><p>Proxies are just like the name implies. They usually route traffic for a specific protocol like website traffic. These are typically used for purposes like filtering unwanted websites from schools, public places, and companies. Proxies present the same issue as an IP address that’s recorded by a destination - only the proxy IP can be seen, not the IP of the system.</p></li><li><p>Network Address Translation (NAT) is a technology that creates an internal network that can’t seen by an external network. This is used when there are a lot of internal devices and only a few public IP addresses available. The effect on a destination is the same. They will only see the IP address of the NAT device. Unlike with other technologies, the NAT device is usually in the vicinity of the systems it connects to.</p></li><li><p>DHCP is a technology that shares an IP address contemporaneously. This ensures that a pool of IP addresses are used for devices that still need them. Any that are not don’t get a new lease on an IP, which means it’ll be available for others. If you’re getting logs of IP visits you must also keep the time for the visit, and then match the time of the visit to when someone had an IP. The system assigned that IP now may not be the same one.</p></li></ol><p>The above technologies are often in used conjunction with one another. Together they make an IP address much less reliable as a personal identifier. Advertisers, for example, will only use an IP address to determine an approximate region, while for everything else they use other means. In the security industry they are used to identify systems and kept within that context.</p><h3>How can systems and people be identified?</h3><p>The list of practical systems and people’s signatures changes constantly. There are privacy features created to remove them and new research and technologies that create new ones all the time. For a comprehensive list of web browser signatures you can go to <a href="https://panopticlick.eff.org/" target="_blank">https://panopticlick.eff.org/</a> and run their test. It shows your list of browser plugins, cookies, settings, and technologies used to track you. That’s not the end of it though. All of our interactions can create signatures that can identify the people behind a system.</p><h3 style="text-align: center;"><img alt="Panopticlick" src="https://cdn.filestackcontent.com/8yiQkiRAR9iRoV3gYtEE"/></h3><h3>What can identify a person on a system?</h3><p>This is another area of ongoing research. Conceptually, anything we do on a system can be used to create a signature.</p><ol><li><p>For instance, the unique way we type or use a mouse are both very easily recorded from a remote system. None of the technologies mentioned will mask this. Storing information at this level simply isn’t practical though.</p></li><li><p>A more common method used is the correlation of your personal accounts. Anything that requires authentication is generally assumed to be you. This includes things like work accounts, email, and social media. A reasonable connection can be made by correlating the information between the logs of someone’s personal systems and the system someone wishes to identify them on.</p></li><li><p>Uploaded information can also be used to identify someone. Files contain a good amount of embedded information that can link someone to a system. Many cameras automatically embed geographic coordinates, making them particularly useful for identification purposes.</p></li></ol><h3>What can I do if I don't want to be tracked online?</h3><p>There are a lot of reasons that people want to have some level of privacy online. Some may fear for their personal safety in response to expressing themselves, while others simply don’t like advertising anything too personal. Whatever your reasons, there are a few steps you could consider, such as:</p><ol><li><p>Using a privacy VPN that doesn't keep logs</p></li><li><p>Using an Operating system with a browser built with privacy in mind. Consider the <a href="https://tails.boum.org/" target="_blank">TAILS OS</a> for online activity as a start.<br/> <img alt="Tails" src="https://cdn.filestackcontent.com/CYVKaRCVSSKg2gMXAO3w" style="margin-top:10px;"/></p></li><li><p>Not using the same Browser/OS/System for things that identify you personally and things you do not want to be identified with easily.</p></li></ol><p>I sincerely hope you found this information useful. If you are interested in what useful intelligence can be derived from IP addresses research “Threat Intelligence.” There are a number of companies that track information related to IP addresses within a useful context. Anomali has a <a href="https://www.anomali.com/products/threatstream">Threat Intelligence Platform</a> designed to work with this information and make it useful with computer operations.</p>
Anthony Aragues

Anthony Aragues is the former Vice President of Product Management at Anomali. He started his career in technology and security in the military in 1997. He has been focused on Threat Intelligence since 2008 with the start of McAfee's Global Threat Intelligence program where he was an inventor of multiple threat intelligence patents.

Propel your mission with amplified visibility, analytics, and AI.

Learn how Anomali can help you cost-effectively improve your security posture.

August 23, 2017
-
Anthony Aragues
,

IPs Aren't People

<p>If you watch a lot of CSI Cyber or hacking movies you might be lead to believe that the IP address is the missing link between an activity on the Internet and identifying who acted. In reality this is rarely the case.</p><p><strong>There are at least 4 common technologies that obscure who is tied to an IP.</strong></p><p><strong>There are many other less transient signatures of a system than an IP address.</strong></p><p><strong>Once a computer is identified it does not always identify who is using it.</strong></p><h3>What is an IP address?</h3><p>IP stands for Internet Protocol. An IP address is an address given to a system for a period of time that makes data routable to and from the system on networks. The IP address creates a mapping that the rest of the network can use to identify and communicate with the system hardware.</p><p>Only a few network devices need to keep the system’s address (known as a MAC address) because everything else uses the IP to communicate. There are 2 major versions of IP in use today:</p><ul><li>IPv4, which has around 4 billion addresses</li><li>IPv6, which has so many addresses that it’s compared to the number of grains of sand on Earth</li></ul><p>IPV4 is exhausted in many ways and has lead to a slow migration to IPV6. Most major networks and devices today support IPV6. These 2 versions are significant because they both have their own ways of being an obstacle in identifying a person by an IP.</p><h3>Why aren't IP addresses easily tied to people?</h3><p>There are a number of things that may be in the way of an IP being useful to identifying people. Some of them were created specifically for privacy. Others were needed to solve limited network addresses available before IPV6.</p><ol><li><p>Virtual Private Networks (VPNs) are used to encrypt traffic between a machine and the VPN so that any untrusted networks in between can’t easily snoop on the data. Most corporations use VPNs, although individual people can also purchase a VPN service or create their own. VPNs are useful for privacy for a few reasons:</p><ul class="bottommargin-sm"><li>Multiple people can use the same VPN at the same time.</li><li>Anything that they interact with while on that VPN will only have the IP address of the VPN - not the systems connected to it.</li><li>Only the VPN can reverse the information and identify the system (if it keeps logs).</li></ul></li><li><p>Proxies are just like the name implies. They usually route traffic for a specific protocol like website traffic. These are typically used for purposes like filtering unwanted websites from schools, public places, and companies. Proxies present the same issue as an IP address that’s recorded by a destination - only the proxy IP can be seen, not the IP of the system.</p></li><li><p>Network Address Translation (NAT) is a technology that creates an internal network that can’t seen by an external network. This is used when there are a lot of internal devices and only a few public IP addresses available. The effect on a destination is the same. They will only see the IP address of the NAT device. Unlike with other technologies, the NAT device is usually in the vicinity of the systems it connects to.</p></li><li><p>DHCP is a technology that shares an IP address contemporaneously. This ensures that a pool of IP addresses are used for devices that still need them. Any that are not don’t get a new lease on an IP, which means it’ll be available for others. If you’re getting logs of IP visits you must also keep the time for the visit, and then match the time of the visit to when someone had an IP. The system assigned that IP now may not be the same one.</p></li></ol><p>The above technologies are often in used conjunction with one another. Together they make an IP address much less reliable as a personal identifier. Advertisers, for example, will only use an IP address to determine an approximate region, while for everything else they use other means. In the security industry they are used to identify systems and kept within that context.</p><h3>How can systems and people be identified?</h3><p>The list of practical systems and people’s signatures changes constantly. There are privacy features created to remove them and new research and technologies that create new ones all the time. For a comprehensive list of web browser signatures you can go to <a href="https://panopticlick.eff.org/" target="_blank">https://panopticlick.eff.org/</a> and run their test. It shows your list of browser plugins, cookies, settings, and technologies used to track you. That’s not the end of it though. All of our interactions can create signatures that can identify the people behind a system.</p><h3 style="text-align: center;"><img alt="Panopticlick" src="https://cdn.filestackcontent.com/8yiQkiRAR9iRoV3gYtEE"/></h3><h3>What can identify a person on a system?</h3><p>This is another area of ongoing research. Conceptually, anything we do on a system can be used to create a signature.</p><ol><li><p>For instance, the unique way we type or use a mouse are both very easily recorded from a remote system. None of the technologies mentioned will mask this. Storing information at this level simply isn’t practical though.</p></li><li><p>A more common method used is the correlation of your personal accounts. Anything that requires authentication is generally assumed to be you. This includes things like work accounts, email, and social media. A reasonable connection can be made by correlating the information between the logs of someone’s personal systems and the system someone wishes to identify them on.</p></li><li><p>Uploaded information can also be used to identify someone. Files contain a good amount of embedded information that can link someone to a system. Many cameras automatically embed geographic coordinates, making them particularly useful for identification purposes.</p></li></ol><h3>What can I do if I don't want to be tracked online?</h3><p>There are a lot of reasons that people want to have some level of privacy online. Some may fear for their personal safety in response to expressing themselves, while others simply don’t like advertising anything too personal. Whatever your reasons, there are a few steps you could consider, such as:</p><ol><li><p>Using a privacy VPN that doesn't keep logs</p></li><li><p>Using an Operating system with a browser built with privacy in mind. Consider the <a href="https://tails.boum.org/" target="_blank">TAILS OS</a> for online activity as a start.<br/> <img alt="Tails" src="https://cdn.filestackcontent.com/CYVKaRCVSSKg2gMXAO3w" style="margin-top:10px;"/></p></li><li><p>Not using the same Browser/OS/System for things that identify you personally and things you do not want to be identified with easily.</p></li></ol><p>I sincerely hope you found this information useful. If you are interested in what useful intelligence can be derived from IP addresses research “Threat Intelligence.” There are a number of companies that track information related to IP addresses within a useful context. Anomali has a <a href="https://www.anomali.com/products/threatstream">Threat Intelligence Platform</a> designed to work with this information and make it useful with computer operations.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.