Introduction
Within Silo, Toolbox provides utilities that let InfoSec researchers do their work in a disposable browsing environment without tipping their hand or exposing local resources. Toolbox enables misattribution by allowing users to alter the browser’s identified OS, browser type, and language settings as needed. These settings are managed in the Browser Fingerprint Management (BFM) settings panel in the Admin Console and can also be changed (in limited form) inside the Toolbox browser itself.
Definitions
The following terms are defined in the context of Silo and Browser Fingerprint Management.
Misattribution - The act of changing the web-server-facing characteristics of your browsing session to try to mislead web servers about your true identity or to alter the content displayed. Within the context of Silo, the characteristics which can be changed are geo-location, OS brand and version, browser type, version, and language.
User Agent String (UA) - A string of text passed to a web server at the beginning of an HTTP session to identify various attributes of a browser. More information can be found here: Browser User Agent
(IP) Geolocation - The process of identifying a person’s location by IP address. We have more information on this topic here.
Language Settings - The settings that determine the default language the browser sends in the Accept-Language request header.
Technical Details
The provisioning options for the Toolbox Web App include options related to BFM (more information on how to configure a Toolbox Web App is available here). The Toolbox options related specifically to BFM are listed below.
Egress Location
This setting controls the region where your traffic emerges on the Internet.
Browser Fingerprint
Allows for the configuration of UA string, platform (OS), language, and time zone.
- UA String may be set to any of the pre-set values or it may be set to custom. In custom mode any UA string may be pasted into the window.
- Platform may be set to Linux, Mac, or Windows.
- Language may be set to any language setting you like.
  - More about Language Tags
  - More about Accept-Language request-headers
- Time zone
Note: The default for all of the above settings is to use the local setting based on the egress node location.
Configuration
Primary configuration of BFM options is done from the Toolbox configuration pane in the Admin Console. Additionally, it is possible to change UA settings within the Toolbox session. The policy that permits in-session changes is set through the Admin Console's Toolbox Web App configuration.
Admin Console Settings
Once you navigate to the Browser Fingerprint section of a web app, you will see the following menu:
If the settings are left as-is, the system will automatically use the default settings as defined by the native Linux system and the language and time zone settings of the selected egress node (Mexico City, Mexico in the screenshot). In addition, the ability to change the UA string in session may be turned on or off here.
If you select the Customize Browser Fingerprint checkbox, the resulting menu will display as shown below:
The following options are available:
- User Agent - Choose one of the many predefined UA settings, or select Custom User Agent to define your own browser user agent
- Platform - Select from Mac, Windows, or Linux
- Language - Enter a valid Language Tag
- Time zone - Select a time zone
Please see the appendix for important information regarding these settings.
In Session UA Changes
Once in the Toolbox session, a user may decide to change their UA string without restarting the Toolbox session. To do this, the “Allow in session user agent switching” option must be checked for the Toolbox web app that is being used. Once in session, the user can select the flag icon from the toolbar, then select "Change." This will expand the list of available user agents. Choose an agent and the setting will be applied immediately.
Please see the Appendix for more information about the impact on misattribution when making this change.
BFM and Misattribution Use Case
Non-attribution browsing is the de facto state for all Silo browsing sessions. As described above, with Toolbox, the user has the ability to misattribute their browsing profile. That is, the user can change characteristics of their browsing sessions to appear as something they are not. However, the intent of these features is not to guarantee complete misattribution in all scenarios. Rather, the intent is to make changes sufficient to pass a cursory review of web logs or other information regarding the session to avoid detection. This is especially true when Java or Flash are enabled in the browsing session.
These technologies allow the web server, if properly configured, to do a more rigorous analysis of the computer trying to connect. This could reveal a mismatch, for example, of a UA string which purports to be a Safari browser running on Windows, with certain Linux fonts installed. To a discerning eye, these would stand out and seem suspicious but at a cursory glance, they may go unnoticed.
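The cross-check described above can be written down as a short consistency test over the BFM fields. This is an added example, not part of the original article or the product's code; it goes beyond the single Safari-on-Windows case by also comparing language and time zone against the egress location, and the profile field names, the sample profiles and the egress time-zone table are assumptions constructed for illustration.

```python
# Constructed lookup for this example only: egress country -> time zones expected there.
EGRESS_ZONES = {"MX": {"America/Mexico_City"}, "DE": {"Europe/Berlin"}}
# User-Agent tokens mapped to the three BFM platform names (Linux, Mac, Windows).
OS_TOKENS = (("Windows NT", "Windows"), ("Macintosh", "Mac"),
             ("Mac OS X", "Mac"), ("Linux", "Linux"), ("X11", "Linux"))

def ua_os(ua):
    """OS family the User-Agent string claims, or None if no known token is present."""
    return next((name for token, name in OS_TOKENS if token in ua), None)

def ua_browser(ua):
    """Coarse browser family; Chrome is tested first because its UA also has 'Safari/'."""
    if "Chrome/" in ua or "Chromium/" in ua:
        return "Chrome"
    if "Safari/" in ua and "Version/" in ua:
        return "Safari"
    return None

def find_mismatches(profile):
    """Return the inconsistencies between the fields of one fingerprint profile."""
    issues = []
    claimed = ua_os(profile["user_agent"])
    if claimed and claimed != profile["platform"]:
        issues.append(f"UA claims {claimed} but platform is {profile['platform']}")
    if ua_browser(profile["user_agent"]) == "Safari" and claimed != "Mac":
        issues.append("UA claims Safari on a non-Mac OS")
    # A region subtag is a two-letter part after the primary language (es-MX -> MX).
    region = next((p.upper() for p in profile["language"].split("-")[1:]
                   if len(p) == 2 and p.isalpha()), None)
    if region and region != profile["egress_country"]:
        issues.append(f"language region {region} differs from egress {profile['egress_country']}")
    zones = EGRESS_ZONES.get(profile["egress_country"])
    if zones and profile["timezone"] not in zones:
        issues.append(f"time zone {profile['timezone']} not expected for egress")
    return issues

# Constructed sample profiles (hypothetical field names, not exported from the product).
SAFARI_ON_WINDOWS = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.57.2 "
                  "(KHTML, like Gecko) Version/5.1.7 Safari/534.57.2",
    "platform": "Linux", "language": "es-MX",
    "timezone": "America/Mexico_City", "egress_country": "MX"}
NATIVE_DEFAULT = {**SAFARI_ON_WINDOWS,
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}

if __name__ == "__main__":
    print(find_mismatches(SAFARI_ON_WINDOWS), find_mismatches(NATIVE_DEFAULT))
```

A profile that returns an empty list agrees with itself on these four fields only; attributes a server can probe by other means, such as the installed fonts mentioned above, are outside what this check sees.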
Silo’s Native Environment
Silo and Toolbox web sessions all originate from Linux servers running a customized version of Chrome. These are the default settings applied if no BFM settings are altered.
Egress Points and Native Languages/Time zone Settings
If BFM settings are not altered, the native language and time zone settings will be inherited from the location of the egress proxy. These would be the most “natural” settings for this kind of session.
Please contact Support for any additional questions.