Review of the Data Brokers

Jordan Drysdale //

The following content is loosely based on a presentation I gave at BSides Denver.

After speaking at BSides Denver, one of the audience members spent some time discussing the content with BHIS. He called the software he helped this particular data broker build “The Actual Privacy Death Star.” His claim was that approximately 1400 unique data points were collected on a per-human basis and were then used to target ads. The most profitable of the targeted ads, he claimed, were delivered under certain ‘manic conditions.’ His point was that when people were searching things like opioid abuse, suicide hotlines, et cetera, the targeted ads delivered in these search results were among the most profitable for the data brokers.

Article re: 2014

https://www.ftc.gov/news-events/press-releases/2014/05/ftc-recommends-congress-require-data-broker-industry-be-more?utm_source=govdelivery

Eradicate. The data brokers know more than Google, Facebook or any other single entity that gathers human specific trackable info. They are aggregators; their relationships with search engine marketeers allow them a constant pipeline of updated human intel. Location services on our devices integrate with our online personas and are pipelined outbound direct to our individual death star database tables.

These are all on by default and are re-enabled by updates.

Digital Identity Crisis??

Recover. Alternate identities, burner phones, VMs, bitcoin, private browsing, plugins, pi-hole project….uggh. Privacy Badger. AdBlock Plus (still keeps track of every single site we visit). Panopticlick. uBlockOrigin.

Meow.

Funnels of data collection

  • Transit?
  • Operating System. Microsoft’s OS 10, the new primary data collector for M$ 😀
    http://bgr.com/2016/01/05/microsoft-windows-10-spying-2015-user-data/
  • Browser? Amazon purchases. Every search string ever.
  • Mobile? Super cookie and Verizon’s privacy fun times! Add something to cart on mobile, should arrive on your desktop’s cart shortly.
  • Cookies. Super cookie, perma cookie, cookie monster.
  • Life. Divorce filings. Criminal Proceedings. Deaths. Possible associates.

Nom, nom, nom

SANS 504 and its principles have become a part of daily life. PICERL. It is fair to assume at this point that we’re all compromised. So, since there’s been an incident and we’ve definitely been compromised, what do we do? How do we even contain a breach of this magnitude? These folks will sell you everything you want to know about anyone, presuming you aren’t trying to hire them or lease them something. We really need to take a step back and first recognize that this is a problem, a real big problem.

Meet the data brokers:

  • Acxiom
  • Corelogic
  • Datalogix
  • eBureau
  • ID Analytics
  • Intelius
  • PeekYou
  • Rapleaf
  • Recorded Future

Companies are monetizing us. Astute observers of the Security Weekly podcasts may remember Joff asking why doesn’t someone figure out and start the process of claiming a portion of the money ad networks are making of us? Sure, we are currently being grouped and pooled and statistics are being run against our demographic interests, but regardless, our individual habits are being monetized. Do we just need to sue via tort? How do we define and assess damage in this situation?

These activations recently went through the incinerator…

These questions don’t really have answers and I am definitely not advocating more lawsuits. What I am advocating is an awareness of a serious problem. So where are we in the 504 ethos? It is hard to contain the losses since they have populated data arrays around the globe already. Eradication of this righteous infliction may have to begin where a lot of breached companies do; forensic analysis of the losses, recovery, and learning from the incident.

Privacy trainwreck.

If we were going to start over at the beginning with a clean slate, what would I do differently?

  1. Prepare. Amazon is one of best aggregators of data (bad?) and their cloud platform is awesome (good?). Spin an AWS CloudFormation instance of IAD Gov’s GoSecure. Use the blog post here and the GitHub here to set up your OSI layer 1 through 4 cloaking device on a raspberry pi.

GoSecure Magic.

  1. Identify. I am going with threats here and presumably, because of what we’ve learned, transit isn’t all that interesting to data brokers. One of our blue teamers built a powershell script that does nothing except generate white noise. Every five minutes a new random URL is visited from a tiny VM full of ad garbage and all the fun of browsing the internet insecurely. For daily life, Private browsing mode and the array of plugins it takes to make one’s browser configuration unique at Panopticlick will help you stay semi-anonymous. This crew will trade you Starbucks cards for log-free VPN access:

10 bucks at Starbucks or 37 days of “PrivateInternetAccess” – I’ll have a latte, por favor

  1. Contain. This is where a conversation John and I had comes back into focus. As civilians, we should operating at Defcon 3 under the full assumption that we are being individually tracked, monitored and every conversation we have filtered for interesting tidbits. Our operational level should be to carry the RPi with us everywhere, search with DuckDuckGo and support the EFF.

Non-Attrib. Paypal takes gift cards!

The less you contribute:

  • Apps
  • EULA’s
  • Location Data

The better:

  • Use DuckDuckGo
  • PrivateInternetAccess
  • Check out (and cleanse) your google history

We are stopping here, since we are back where we began. There’s been an incident. We’ve been compromised.



Want to learn more mad skills from the person who wrote this blog?

Check out these classes from Kent and Jordan:

Applied Purple Teaming

Defending the Enterprise

Available live/virtual and on-demand!