
UNTRACEABLE LINKS: TECHNOLOGY TRICKS USED BY CROOKS TO COVER THEIR TRACKS

New mobile apps, underground networks, and crypto-phones are appearing daily. More sophisticated technologies such as mesh networks allow mobile devices to use public Wi-Fi to communicate from one device to another without ever using the cellular network or the Internet. Anonymous and encrypted services are under development to evade government surveillance. Learn how these new technology capabilities are making anonymous communication easier for fraudsters and helping them cover their tracks.

You will learn how to:
- Define mesh networks.
- Explain the way underground networks can provide untraceable email.
- Identify encrypted email services and how they work.

WALT MANNING, CFE
President
Investigations MD
Green Cove Springs, FL

Walt Manning is the president of Investigations MD, a consulting firm that conducts research related to future crimes while also helping investigators market and develop their businesses. He has 35 years of experience in the fields of criminal justice, investigations, digital forensics, and e-discovery. He retired with the rank of lieutenant after a 20-year career with the Dallas Police Department. Manning is a contributing author to the Fraud Examiners Manual, which is the official training manual of the ACFE, and has articles published in Fraud Magazine, Police Computer Review, The Police Chief, and Information Systems Security, which is a prestigious journal in the computer security field.

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.

26th Annual ACFE Fraud Conference and Exhibition ©2015

Introduction
Technology is making it easier for fraudsters to cover their tracks while avoiding detection. Underground networks, new mobile apps, and encrypted cell phones are appearing daily. More sophisticated technologies such as mesh networks allow mobile devices that use public Wi-Fi to communicate from one device to another without ever using the cellular network or the Internet. Anonymous and encrypted email services are under development to evade government surveillance.

Fraud examiners need to be aware of these tools to understand how they could be used to hide evidence of fraud.

Underground Networks and Tools

The Onion Router (Tor)
Onion routing was developed at the U.S. Naval Research Laboratory in the mid-1990s, and the software that implements it, The Onion Router, was first released in 2002 and is known by its acronym, Tor. The name describes the design: Internet traffic is wrapped in multiple layers of encryption and routed through a series of relays, or nodes, each of which strips off one layer, like peeling an onion. The effect is to hide a user's location, and the network through which they are connected, from the sites they visit.

Tor was designed for use by people who need anonymity online. Normally, a user on the Internet can be traced by their Internet Protocol, or IP, address. When you use Tor, the site you connect to sees the IP address of a Tor exit relay rather than your own.

Tor is made up of two different parts. The first is the client software, which can be downloaded and installed on many devices. The second and critical piece is the Tor network, which at the time of writing comprised over 5,000 volunteer-operated computers (relays) through which Tor clients route their traffic.

Tor does not anonymize a user's identity as such; it hides where the user's Internet traffic originates. Anything the user does over the connection, such as logging into an account, giving personal details in a message, or browsing in a pattern that matches known activity, can still identify them. The first Tor relay a user connects to (the entry or guard node) sees the user's real IP address, but not the final destination. As the transmission proceeds to the next relay, the second node knows only that it came from the previous node, not where it originated.

This process continues through at least three relays, each of which knows only the address of the node before it and the node after it. The final destination sees only the IP address of the last relay (the exit node) and cannot follow the pathway back through the Tor network to identify the user from the traffic alone. One limitation should be kept in mind: an adversary able to watch both the user's connection into the network and the traffic leaving the exit at the same time can try to match the two by timing and volume. Tor's design does not defend against that kind of global observer.

There are other applications, such as email clients, chat clients, and other tools, designed to work with the Tor network.

Use of the Tor network does not guarantee complete anonymity. Tor encrypts traffic in layers only between the user's device and the exit relay; the exit sends the data on to the destination exactly as the application produced it. If the application protocol is itself unencrypted (plain HTTP, unencrypted email, or chat), the operator of the exit relay, and anyone between the exit and the destination, can read the contents, including any names, account numbers, or other details that identify the sender.

Users who want a higher level of protection have been known to encrypt their data before transmitting it over the Tor network (for example, by using HTTPS or OpenPGP), and some also route their traffic through a virtual private network, or VPN, for additional cover. A VPN does not remove the need to trust someone: the VPN provider sees the user's real IP address and may keep logs of it. https://www.torproject.org
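The layering described above can be made concrete with a small simulation. This is an added example written for this page, not code from the paper or from the Tor project. The three relays and their keys (assumed to be pre-shared here, whereas Tor negotiates them hop by hop while building the circuit), the SHA-256 counter-mode keystream standing in for AES, and the client and destination addresses are all constructed placeholders. It shows what each hop can log, and that the exit hands the destination exactly what the application sent.

```python
"""Toy onion routing across three relays.

Added example, not code from the paper or from the Tor project. It assumes
each relay already shares a symmetric key with the client (real Tor
negotiates those keys hop by hop while building the circuit) and uses a
SHA-256 counter-mode keystream as a stand-in for AES. The point is what each
hop can observe, not Tor's wire format.
"""
import hashlib
import json


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt data with a SHA-256 counter-mode keystream (toy cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed circuit: (relay name, key shared with the client). Assumed values.
PATH = [
    ("guard", hashlib.sha256(b"guard-key").digest()),
    ("middle", hashlib.sha256(b"middle-key").digest()),
    ("exit", hashlib.sha256(b"exit-key").digest()),
]
# Stands in for a TLS session key the application negotiated with the server;
# none of the relays hold it.
APP_SESSION_KEY = hashlib.sha256(b"tls-session").digest()


def wrap_onion(path, destination: str, payload: bytes) -> bytes:
    """Client side: encrypt for the exit first, then wrap for each earlier hop.

    Every layer is {"next": where-to-forward, "body": hex(inner layer)}, so a
    relay that strips its own layer learns the next hop and nothing else.
    """
    next_hop, blob = destination, payload
    for name, key in reversed(path):
        plain = json.dumps({"next": next_hop, "body": blob.hex()}).encode()
        blob = keystream_xor(key, plain)
        next_hop = name
    return blob


def relay_peel(name: str, key: bytes, came_from: str, blob: bytes, log: list):
    """One relay: strip one layer, record what it could see, hand the rest on."""
    layer = json.loads(keystream_xor(key, blob).decode())
    log.append({"relay": name, "saw_from": came_from, "saw_next": layer["next"]})
    return layer["next"], bytes.fromhex(layer["body"])


def run_circuit(path, destination: str, payload: bytes, client_addr="198.51.100.7"):
    """Send one cell through the circuit; return what arrived and each relay's view."""
    blob = wrap_onion(path, destination, payload)
    log, came_from = [], client_addr
    for name, key in path:
        next_hop, blob = relay_peel(name, key, came_from, blob, log)
        came_from = name
    # After the exit strips the last layer, blob is exactly what the client
    # handed to the application layer: readable if the application sent plaintext.
    return {"delivered_to": next_hop, "payload": blob, "log": log}


if __name__ == "__main__":
    request = b"GET /account HTTP/1.1"
    plain_run = run_circuit(PATH, "bank.example", request)
    for entry in plain_run["log"]:
        print(entry)                                   # only the guard sees 198.51.100.7
    print("exit hands over:", plain_run["payload"])    # the plaintext request
    tls_run = run_circuit(PATH, "bank.example", keystream_xor(APP_SESSION_KEY, request))
    print("exit hands over:", tls_run["payload"])      # ciphertext when the app encrypted
```

Run it and compare the two "exit hands over" lines: the circuit is identical in both cases, and the only thing that stops the exit from reading the request is encryption the application applied before the data entered Tor.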


The Invisible Internet Project (I2P)
I2P is an open-source anonymity network that has been in active development since 2003. It is designed to provide even stronger anonymity than Tor. Even though it is currently much smaller in scale than Tor, it is gaining in popularity.

Tor is good at hiding the identity and location of the user and recipient of transmissions, but I2P carries this to another level. Where a Tor user creates a connection circuit to communicate through the network, I2P users create multiple user-defined tunnels to communicate with each other. These tunnels can be reconfigured or changed by a user at any time.

I2P tunnels operate in only one direction, either inbound or outbound. Users can configure as many tunnels as they need, and they have the ability to create a single tunnel that is used only one time for one communication. Once that communication has ended, the user can deactivate the tunnel and never use it again.

Where Tor encrypts traffic only as far as the exit relay, so that a message body may leave the network unprotected unless the user has encrypted it with another application, I2P traffic normally stays inside the I2P network and is protected by multiple layers of encryption, including end-to-end encryption between the two communicating parties.

I2P is also a packet-switched (message-based) network, which means that each message is broken into packets, each of which can travel the I2P network by a different route. This also lets I2P balance the transmission workload across multiple routers on the network, which can make it faster and more efficient.


Users of I2P can also customize their configuration of tunnels on the network to require that their communication be forwarded through more network routers, which could enhance a user's security even more. Since this means that every message would need to go through more "hops," it could decrease the speed of the transmission. But the user has the flexibility to adjust their network settings according to their perceived risk profile.

I2P is considered in many ways to be more secure than Tor, but making effective use of I2P may require significantly more technical knowledge than the easier-to-use Tor network. Cybercriminals and other people for whom additional security is important will not hesitate to migrate to I2P, which may help this network to grow rapidly. https://geti2p.net/en

The Amnesic Incognito Live System (Tails)
Tails is a Debian-based live operating system designed for anonymity. It can be run from a USB stick, DVD, or SD memory card on almost any computer. According to the Tails project, since Tails is a completely separate operating system, it does not use or depend on the operating system of the host computer. Tails is designed to leave no trace on the host computer and does not write to the host computer's data storage. The project also states that Tails automatically erases the contents of RAM when it is shut down.

Tails can be used to access the Tor network (at the time of writing it also bundled an I2P client, which was removed from Tails in 2017), so it provides a portable, independent, and secure operating system, with additional protection added through these underground networks. Two points matter for examiners: all of Tails' network traffic is forced through Tor, and a user may set up an optional encrypted persistent volume on the same USB stick, so the stick itself, rather than the host computer, is where any stored evidence will be found.


The software package also comes with encrypted email and messaging clients, and secure data wiping software. https://tails.boum.org/download/

Freenet
Freenet is a peer-to-peer software application that allows anonymous browsing and distributed file storage. All communication with Freenet is encrypted and routed through multiple nodes. It has a "darknet" mode that communicates only with people that are trusted by the user.

Users contribute some of their bandwidth and even a portion of their hard drive space for use by other users of the network, which could make it problematic to identify the actual storage location of potential electronic evidence. https://freenetproject.org

Encrypted Cell Phones Burner cell phones, which are pre-paid and usually low- cost phones capable of being used for short periods of time and then exchanged for a new device, have been around for many years. Burner phones present challenges for fraud examiners and law enforcement, as the devices and airtime cards can be purchased with cash, leaving no links to identify or trace the user.

However, growing concerns over both government surveillance and corporate data collection have resulted in companies producing cell phones specifically designed to provide security and privacy. There is also a growing number of mobile device apps designed with these goals in mind. These new technologies can create more challenges for fraud investigators attempting to identify fraudsters and also in the preservation of electronic evidence.

There are many encrypted cell phones available for purchase, along with software applications to encrypt data on almost any cell phone. In most cases, phones with hardware-based encryption will be significantly more expensive than a normal cell phone that uses only software-based encryption. The number of devices and apps already available is too extensive for this presentation. However, we will spotlight several options to provide a general idea of what is offered.

Blackphone
Blackphone is a device from Silent Circle, a Swiss-based company founded by a former Navy SEAL and a group of experienced computer security professionals. One of the founders is Phil Zimmermann, the creator of PGP (Pretty Good Privacy), one of the oldest and most widely used encryption programs in the world.

The Blackphone has a proprietary operating system called PrivatOS, which is a modified version of the Android operating system with much-improved security. PrivatOS allows the user to create multiple spaces on the device, which can be used for different purposes. In effect, the user can create several virtual devices on the phone.

PrivatOS comes with the Silent Suite of apps pre-installed, which includes Silent Phone, Silent Text, and Silent Contacts. Silent Phone allows the user to make private calls or videoconference over an encrypted VoIP (Voice over Internet Protocol) service that operates worldwide. Silent Text automatically encrypts text messages, and includes a burn option that permanently wipes the selected message. Silent Contacts encrypts the user's contacts and does not allow access to the data unless specifically approved by the user. Many apps on regular cell phones automatically have access to any contact information stored on the device, many times without the user's knowledge. The Blackphone protects against these types of apps.

The company also offers international calling plans that eliminate roaming charges while also enhancing the security of the user. This Silent World calling plan currently functions in over 80 countries, with expanded coverage areas planned for the future.

The Blackphone is capable of being remotely wiped in the event that the device is lost or stolen. The company also has a Silent Store, where apps that have been analyzed for security by the company are available for download. One of the greatest security risks for regular phones is from insecure mobile apps, which could contain malware or give the developer access to much of the data on the phone.

Silent Circle does not maintain any of the encryption keys used to secure data on the Blackphone. This means that they would be unable to provide this information to requests from either intelligence or law enforcement agencies.

Purchase of the Blackphone includes two free years of service from SpiderOak, which is a cloud-based service where data is encrypted end-to-end; SpiderOak also does not ever know the encryption keys used for the data.


The device has a built-in Disconnect Secure VPN, which masks the user's IP address and location. Purchasers receive two free years of this service, and pricing after this period is based on data usage.

A final interesting feature of the Blackphone is the Smarter Wi-Fi Manager. With regular cell phones, if the device is configured to look for a Wi-Fi network, no matter where the user goes, the phone will try to connect to Wi-Fi rather than cellular data. This can result in security risks should the phone connect to an insecure network. With the Smarter Wi-Fi Manager software (developed by the Kismet wireless project), the phone automatically turns Wi-Fi off if the user is out of range of a trusted Wi-Fi network. Users still have the capability of connecting to an untrusted network, but the Blackphone will warn them of the risks before allowing the connection.

There is currently no secure email app included with the Blackphone, but Silent Circle is a member of the Dark Mail Alliance, which is developing an open- source encrypted messaging protocol that will more than likely be bundled with future versions of the Blackphone.

When activating a new Blackphone, the user needs to provide a username and an email address, which is the only information that Silent Circle maintains. If an anonymous email address is used, then the company has no data linking a Blackphone to its owner. https://blackphone.ch

Chiliphone
Chiliphone is an anonymous VoIP calling service that operates from any Web browser on any device, and uses Bitcoin for payment. After navigating to the Chiliphone website, the user inputs the number that they wish to call, and a screen displays the cost per minute of the call (in Bitcoin) and shows a QR code to deposit sufficient Bitcoin for the call. The user must send Bitcoin to the Bitcoin address associated with the QR code, and then they will be able to complete the call. Of course, the device must have a microphone that the Web browser can use. If a user were using a VPN to mask their identity and location, along with Bitcoin for payment to provide additional anonymity, it would be difficult to trace a call made via the Chiliphone service. However, nothing on the website indicates that the calls are encrypted, so any person or agency with a wiretap on the destination telephone number could potentially listen to the content of the call. http://chiliphone.com/main/content/about

Open Secure Telephony Network (Ostel)
Ostel is a test platform from the Open Secure Telephony Network to make and receive encrypted calls from almost any computer, tablet, or smartphone. Depending on the user's device, different apps may be required to connect via Ostel. The sign-up process requires creating an account with a verifiable email address. However, there are many sites on the Internet where anyone can create an anonymous email address, and the username for the account can be anything the user chooses. Therefore, there is no way for Ostel to link an account to a specific person.

Calls can be made only to other Ostel users. Once the software has been installed, the user inputs the username of the person they want to call and initiates the call. Currently, Ostel users are not able to call regular landline telephone or cell phone numbers.


During a call, the Ostel server does receive limited information about the devices and the IP addresses of the calling parties. However, once the call is terminated, no other logs are saved. If the users were utilizing VPNs on their devices, then their IP addresses would not be very useful. All calls with Ostel are encrypted end-to-end, so even if they are intercepted no one can listen to the conversation, provided the callers have verified each other's keys and neither device has been compromised.

Ostel does not maintain any other call records and is currently exploring ways to increase the anonymity of their service.  https://ostel.co/#

Tox
Tox is an application that provides encrypted audio calls, video conferencing, text messaging, and file transfer. The software is available for multiple operating systems, including Windows, Apple OS X, Linux, Android, and iOS. Once installed, the Tox app will assign a unique Tox ID, which can then be shared with other Tox users. Tox can be used over the Tor network to enhance anonymity. https://tox.im (the project has since moved to https://tox.chat)

Burner
Burner is a phone app that allows the user to create multiple burner phone numbers that can be used once and then discarded. Burner numbers can also be kept if a person wants to use them for only certain purposes or for contact with designated people with whom the number has been shared.

The basic Burner app is free and allows the creation of a sample burner number. After installing the app, the user enters the cell phone number of the device where the app is installed. The user can then select any area code in the United States, and the app will create a burner number that can be used to make calls, send text messages, or send photos. Additional burner numbers can be created through the purchase of credits. http://www.burnerapp.com

Signal/RedPhone
Open Whisper Systems has created two different apps to facilitate making encrypted cell phone calls. Signal (for the iPhone) and RedPhone (for Android phones) are both free apps that provide end-to-end encryption for calls; the same developer's TextSecure app provided encrypted text messaging on Android, and the apps were later unified under the Signal name on both platforms. https://whispersystems.org/#privacy

Ready SIM Ready SIM sells SIM cards that can be used in any compatible unlocked phone. The SIM card is pre- loaded with a cellular or data plan, and is self- activating. The cards can be purchased for cash at many retail locations throughout the U.S. or directly from the Ready SIM website. No registration is required, and SIM cards can be purchased that include unlimited nationwide calling in the U.S., plus text messaging and data. They also offer plans with only data. A plan that includes talk, text, and data for 7 days can cost as little as USD 25.00.

Purchasers can enter a postal zip code, and, after the SIM card has been activated, a text message will be sent to the phone that tells the user the new telephone number attached to the SIM card. If no zip code is specified, Ready SIM will randomly assign a telephone number.


Consider a scenario where a fraudster purchases several cheap unlocked phones using a pre-paid debit card. The next step would be to purchase several of the lowest-cost Ready SIM cards with cash at one of the retail outlets (or online). Once the Ready SIM card has been activated, a user could transfer it from phone to phone until the first 7 days have passed, and then activate the second Ready SIM card and begin again. If money were no issue for the fraudster, they would purchase additional new phones to use with this card as well.

If the user also combined this system with the use of a VPN on the phone for data usage, it would be extremely difficult to trace his location.  http://www.readysim.com

Anonymous and/or Encrypted Email

W-3 Anonymous Remailer
This web-based service was created as a joint project of the George Mason Society and the Global Internet Liberty Campaign. The Web page contains a form that asks the user to input the email address the message should be sent to, along with a subject and the body of the message. The message is then sent through their anonymous server, and the recipient never receives email header information that could identify the sender. The remailer is a single hop, however: its operator receives the form submission from the sender's IP address (unless the sender reached the form through Tor or a VPN), and the recipient's mail server will still record the remailer as the host that delivered the message. http://gilc.org/speech/anonymous/remailer.html
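The check an examiner actually runs on a message like this is to read its Received: headers from the bottom up and see where the trail ends. The following is an added example written for this page, not code from the paper or from any remailer; the two messages are constructed for illustration (RFC 5737 documentation addresses, invented hostnames), and real headers vary by mail server.

```python
"""Reading the Received: chain of a message to see where the trail ends.

Added example, not from the paper or from any remailer's code. The two
messages below are constructed for illustration (RFC 5737 documentation
addresses), not real mail; real headers vary by mail server.
"""
import re
from email import message_from_string

DIRECT_MESSAGE = """\
Received: from mail.example.org (mail.example.org [203.0.113.5])
    by mx.victim.example with ESMTP id 7f3a; Tue, 3 Mar 2015 10:00:02 +0000
Received: from [198.51.100.23] (dsl-198-51-100-23.isp.example [198.51.100.23])
    by mail.example.org with ESMTPSA id 91bc; Tue, 3 Mar 2015 09:59:58 +0000
From: "J. Smith" <jsmith@example.org>
To: cfo@victim.example
Subject: Updated wire instructions

Please use the new account number below.
"""

REMAILED_MESSAGE = """\
Received: from remailer.example.net (remailer.example.net [192.0.2.77])
    by mx.victim.example with ESMTP id c0de; Tue, 3 Mar 2015 10:05:41 +0000
From: Anonymous <nobody@remailer.example.net>
To: cfo@victim.example
Subject: Updated wire instructions

Please use the new account number below.
"""

# "from <sending host, optional comment> by <receiving host>" inside a Received: line.
HOP_RE = re.compile(r"\bfrom\s+(?P<sender>.+?)\s+by\s+(?P<receiver>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw: str):
    """Return the Received: chain oldest-first as dicts with sender, receiver, ip.

    Each server prepends its own Received: line, so the top of the header is
    the most recent hop and the last Received: line is where the message
    entered the mail system, which is as far back as the message alone can
    be traced.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())  # unfold continuation lines
        match = HOP_RE.search(flat)
        if not match:
            continue
        ip = IPV4_RE.search(match.group("sender"))
        hops.append({
            "sender": match.group("sender").split()[0],
            "receiver": match.group("receiver"),
            "ip": ip.group(1) if ip else None,
        })
    return hops


def trail_end(raw: str):
    """Host and IP that first handed the message in, plus how many hops are visible."""
    hops = received_hops(raw)
    if not hops:
        return None
    return {"host": hops[0]["sender"], "ip": hops[0]["ip"], "hops": len(hops)}


if __name__ == "__main__":
    print("direct:  ", trail_end(DIRECT_MESSAGE))    # ends at the sender's ISP address
    print("remailed:", trail_end(REMAILED_MESSAGE))  # ends at the remailer itself
```

For the direct message the oldest hop carries the sender's own ISP address; for the remailed one the chain stops at the remailer, and anything earlier exists only in the remailer operator's logs, if they keep any.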

BITSMS
This service allows a user to send a text message anywhere in the world and pay with Bitcoin or one of three other virtual currencies. The service also allows the sender to attach virtual currency to the message, thus providing the capability of sending an untraceable text message with virtual currency attached to anyone in the world. http://www.bitsms.eu

Ultimate Privacy Ultimate Privacy is a subscription service where users can pay by the month or by the year. Membership provides access to a wide range of services, including anonymous email, disposable email addresses, anonymous text messaging, and more. Most services are Web-based, but the company also provides access to several software applications that can be downloaded for use independently of their server. The company claims to maintain no logs of user activity.  https://www.ultimate-anonymity.com/index.htm

CounterMail
CounterMail is an email provider located in Sweden. According to the provider, accounts are encrypted and anonymous, and all messages are encrypted using the OpenPGP standard. CounterMail states that it never captures the IP addresses of users accessing its systems, and all email messages carry an anonymous IP address in the message header to maintain their users' anonymity. All messages and attachments are always encrypted, and CounterMail does not save the private encryption keys of its users. CounterMail also offers the option to purchase a USB key, and logging into a user's account is impossible unless the USB key is inserted into a USB port on the device being used to access the account. Fees can be paid by credit card, PayPal, bank transfer, or Bitcoin. https://countermail.com/?p=start


ProtonMail
ProtonMail is a free email provider located in Switzerland, which is outside of the legal jurisdiction of both the United States and the European Union. Switzerland has some of the strictest privacy laws in the world, and all external surveillance requests or court orders must be processed through the Swiss courts. Message bodies are encrypted in the user's browser or app before they reach ProtonMail's servers, and connections are also encrypted in transit for additional security. ProtonMail is never in possession of the keys needed to decrypt user message content. Note that what ProtonMail holds but cannot read is the message body; subject lines, sender and recipient addresses, and timestamps are not end-to-end encrypted and remain available to the provider, and therefore to a valid Swiss order. There is also a feature for users to designate a self-destruction date and time after which the encrypted email in the recipient's inbox will be destroyed (or no longer readable, if sent to a non-ProtonMail user). https://protonmail.ch

Lelantos
Lelantos is an email provider on the Tor network. The cost of a basic account is USD 32.00 per year, payable in Bitcoin. No personal information is ever given when signing up for an account. All incoming email is automatically encrypted before it is stored in a user's inbox. The account allows registration of 100 email addresses, so the user can use multiple email addresses without opening new accounts. Temporary email addresses are also available, along with self-destructing email. http://lelantoss7bcnwbv.onion

Mailtor
Mailtor is a free email service and Bitcoin wallet on the Tor network that maintains no personal information. Users can send Bitcoin to any other Mailtor user, and, once Bitcoin is deposited in the account, email can be sent both to email addresses on the visible Internet and to email addresses on the Tor network. http://mailtoralnhyol5v.onion/src/login.php

NOTE: The addresses given for Lelantos and Mailtor are 16-character "version 2" onion addresses and can only be accessed with the Tor Browser, which can be obtained from www.torproject.org. Version 2 onion services were retired by the Tor network in 2021; current Tor Browser releases resolve only the 56-character version 3 addresses, so these historical addresses will no longer load.
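Because onion addresses turn up in evidence long after the page that listed them, it helps to be able to tell a retired version 2 address from a current version 3 one, and to check that a version 3 address is at least well-formed before spending time on it. The following is an added example for this page, not code from the paper or from the Tor project. The checksum rule it applies is the public one from Tor's version 3 onion-service specification; the 32-byte public key it builds an address from is a constructed placeholder, not a real service.

```python
"""Classify and check .onion addresses (version 2 vs. version 3).

Added example, not from the paper or the Tor code base. The v3 checksum rule
is the one in Tor's onion-service specification (rend-spec-v3): the
56-character label is base32 of PUBKEY(32) || CHECKSUM(2) || VERSION(1),
where CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2].
The public key used below is a constructed placeholder, not a real service.
"""
import base64
import hashlib
import re

V3_VERSION = b"\x03"
BASE32_LABEL = r"[a-z2-7]"
V2_LABEL_RE = re.compile(r"^" + BASE32_LABEL + r"{16}$")
V3_LABEL_RE = re.compile(r"^" + BASE32_LABEL + r"{56}$")


def v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def v3_onion_from_pubkey(pubkey: bytes) -> str:
    """Build the address a v3 service with this Ed25519 public key would have."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion services use a 32-byte Ed25519 public key")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


def onion_label(address: str):
    """Pull the .onion label out of a bare host or a full URL; None if not .onion."""
    host = address.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]   # drop path and port
    if not host.endswith(".onion"):
        return None
    return host[: -len(".onion")].split(".")[-1]     # drop any subdomain labels


def classify_onion(address: str) -> str:
    """'v2' (retired in 2021, will not resolve), 'v3' (checksum verified),
    'invalid' (wrong shape or bad checksum), or 'not-onion'."""
    label = onion_label(address)
    if label is None:
        return "not-onion"
    if V2_LABEL_RE.match(label):
        return "v2"
    if not V3_LABEL_RE.match(label):
        return "invalid"
    raw = base64.b32decode(label.upper())            # 56 chars -> 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION or checksum != v3_checksum(pubkey):
        return "invalid"
    return "v3"


if __name__ == "__main__":
    for addr in ("http://lelantoss7bcnwbv.onion",
                 "http://mailtoralnhyol5v.onion/src/login.php",
                 v3_onion_from_pubkey(bytes(range(32))),      # placeholder key
                 "https://www.torproject.org"):
        print(classify_onion(addr), addr)
```

A "v3" result only means the address is self-consistent (a typo or a deliberately altered character will fail the checksum); it says nothing about whether the service exists or who runs it.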

Other Anonymous Mobile Apps

Confide
Confide is an app that provides encrypted chat/messaging capability, also allowing the transmission of photos and documents. The data is encrypted end-to-end. Users can designate messages that can only be read once and then self-destruct. https://getconfide.com

Wickr
Another popular app named Wickr allows the user to decide the expiration date and time for any message sent. It can also transmit photos, videos, audio files, and documents. The app comes with a data shredder to securely erase messages or other files sent via the app. https://wickr.com

OneOne
OneOne is a free app that allows users to send untraceable text messages, and this app automatically deletes the messages on the server after 24 hours, whether they have been read by the recipient or not. http://getoneone.com


Telegram
Telegram is a cloud-based messaging system with servers distributed in several countries. Ordinary ("cloud") chats and group chats are encrypted only between the device and Telegram's servers, where the message history is stored and can be read by the provider; only the optional Secret Chats between two devices are end-to-end encrypted with keys that exist solely on the participants' devices, and Secret Chats cannot be used for groups. At the time of writing, users could coordinate group chats with up to 200 people. https://telegram.org

Mesh Networks
Mesh networking makes use of special hardware or software to allow devices to connect directly to each other without the use of the cellular network or the Internet. This technology is being used by municipalities to provide seamless Wi-Fi coverage within their boundaries by connecting available Wi-Fi routers and all available devices. Protesters are using this technology to communicate and coordinate their efforts, even in locations where government or law enforcement is attempting to control or stop the protest effort. Criminals can also use this technology to make it more difficult to trace their communications.

Mesh networks are self-healing, decentralized, pervasive, and cheap to deploy. They are not automatically anonymous, however: every participating device still broadcasts a hardware (MAC) address that nearby equipment can record. The only way to shut down a mesh network is to close down every single node on the network, which may not be practical. Users may connect to other devices and can use the fastest or most reliable connection from any other device to actually connect to the Internet. The hackers at Lulzlabs have released a mesh-networking product named AirChat. Their system is based on an off-the-shelf amateur radio transmitter and uses encryption to communicate with other radio transmitters on the network. https://github.com/lulzlabs/AirChat

Another smartphone app, Open Garden, which currently has over two million users, connects every user who has installed the app into one giant mesh network. Users share their Internet connection and bandwidth with every other device on the network. The same company has also created an app named FireChat, which allows instant messaging and photo transfers over the mesh network of connected devices; FireChat was used extensively in the 2014 Hong Kong democracy protests. http://opengarden.com

Mesh networks can provide another communications channel when cellular phone networks are not operational—for example, after a natural disaster. As long as electrical power exists, Wi-Fi signals can still allow connected devices to communicate.

Other organizations are experimenting with Hotspot 2.0 (Passpoint) technology, where public Wi-Fi networks work in a similar fashion to cellular networks, using any available access point to connect the device to the Wi-Fi network. Time Warner Cable recently made all of its home and business wireless access points capable of providing Internet access to any Time Warner customer (in certain markets). Part of the wireless router bandwidth is reserved for the homeowner and another section is made available to any other Time Warner customer within range of that device's signal.

With this type of automatic network, authorized devices automatically connect to the nearest device with the best signal, similar to the way cellular telephones change connections to the nearest cell tower. As the user moves around the area, the user’s connection can hop from one device to another, depending on which device has the best connection and signal.

From an investigative perspective, mesh networks make it more difficult to track investigative targets and to trace their communications. Users of a mesh network may never touch the cellular network or the Internet, and there is no central log through which messages can be traced in this decentralized network. What remains is at the endpoints: the apps themselves may keep message history on the devices, and any device within radio range can record which devices were present and when.
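The "self-healing" and "you must shut down every node" properties above can be shown on a small constructed topology. This is an added example written for this page, not code from the paper, Open Garden, FireChat, or AirChat: the letters are phones within radio range of one another, GW is the single node with an Internet uplink, and routing is plain breadth-first search over whichever nodes are still up. Real mesh protocols differ in detail but recover from a lost node the same way.

```python
"""Self-healing routing in a small mesh, and how many nodes it takes to cut it.

Added example, not from the paper, Open Garden, FireChat or AirChat. The
topology is constructed: letters are phones within radio range of each other
and GW is the one node that also has an Internet uplink. Routing is plain
breadth-first search over the nodes that are still up.
"""
from collections import deque
from itertools import combinations

LINKS = {
    "A": {"B", "C"},
    "B": {"A", "D"},
    "C": {"A", "D", "E"},
    "D": {"B", "C", "F"},
    "E": {"C", "F", "GW"},
    "F": {"D", "E", "GW"},
    "GW": {"E", "F"},
}


def route(links, src, dst, down=frozenset()):
    """Shortest hop path from src to dst avoiding nodes in `down`; None if cut off."""
    if src in down or dst in down:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(links.get(node, ())):   # sorted: deterministic paths
            if nxt not in prev and nxt not in down:
                prev[nxt] = node
                queue.append(nxt)
    return None


def minimal_cuts(links, src, dst):
    """Smallest sets of relay nodes whose removal disconnects src from dst.

    Brute force over subsets, fine for a handful of nodes; it is the mesh
    version of "you have to take down every path, not one server".
    """
    relays = sorted(set(links) - {src, dst})
    for size in range(1, len(relays) + 1):
        cuts = [set(c) for c in combinations(relays, size)
                if route(links, src, dst, frozenset(c)) is None]
        if cuts:
            return cuts
    return []


def survives(links, src, dst, down):
    """True if src can still reach dst with the given nodes switched off."""
    return route(links, src, dst, frozenset(down)) is not None


if __name__ == "__main__":
    print(route(LINKS, "A", "GW"))              # ['A', 'C', 'E', 'GW']
    print(route(LINKS, "A", "GW", {"C"}))       # reroutes: ['A', 'B', 'D', 'F', 'GW']
    print(route(LINKS, "A", "GW", {"B", "C"}))  # None: A has no neighbours left
    print(minimal_cuts(LINKS, "A", "GW"))       # every cut needs two nodes
```

Switching off any single phone leaves A able to reach the uplink by another path; only pairs of nodes cut it, and which pairs depends entirely on the local topology at that moment, which is exactly why a seizure or shutdown of one device tells an investigator little about the rest of the mesh.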

Conclusion New technologies, services, and apps are evolving daily that can provide fraudsters with the ability to communicate using potentially untraceable links. Fraud examiners must maintain an awareness of these new capabilities to recognize indications that any of these tools may have been used to hide evidence or to escape detection.
