Emerging Trends and Issues
EMERGING TRENDS AND ISSUES

UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS

New mobile apps, underground networks and crypto-phones are appearing daily. More sophisticated technologies, such as mesh networks, allow mobile devices to use public Wi-Fi to communicate from one device to another without ever using the cellular network or the Internet. Anonymous and encrypted email services are under development to evade government surveillance. Learn how these new capabilities are helping to make anonymous communication easier for fraudsters, and how they can use this technology to hide their tracks.

WALT MANNING, CFE
President, Investigations MD

Walt Manning has more than 35 years of experience in both law enforcement and private consulting, focused on the fields of investigations, digital forensics and e-discovery. He retired with the rank of lieutenant after a 20-year career with the Dallas Police Department. After his years of investigative experience in both the public and private sectors, Manning founded Investigations MD with the simple goal of helping other investigators to be more successful. Manning has been published in Fraud Magazine, Police Computer Review, Police Chief and Information Systems Security. He has coordinated and taught more than 100 seminars all over the world on subjects related to computer and Internet investigations, as well as digital forensics.

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, republished, modified, reproduced, distributed, copied, or sold without the prior consent of the author. ©2017

Introduction

Technology is making it easier for fraudsters to cover their tracks while avoiding detection.
Anonymous networks and operating systems, new mobile apps, and encrypted cell phones are appearing daily. Anonymous and encrypted email services are being developed to evade government surveillance and increase privacy. More sophisticated technologies, such as mesh networks, allow mobile devices that use public Wi-Fi to communicate from one device to another without ever using the cellular network or the Internet. Fraud examiners, investigators, and security professionals need to be aware of these tools to understand how they could be used to hide evidence of possible crimes.

Anonymous Networks and Operating Systems

The Tor Network

In 2003, the U.S. Naval Research Laboratory launched The Onion Router Project, which came to be known by its acronym Tor. The project name contained the word onion because the original design routed Internet network traffic through multiple encrypted layers, or nodes, that would effectively hide a user's location and the network through which they were connected. At each relay node, a layer of encryption would be removed from the message, similar to peeling away the layers of an onion.

Tor was designed for use by people who had a need for online anonymity. Normally, users on the Internet can be traced by their Internet protocol, or “IP,” address. When you use the Tor network, your IP address remains hidden.

28th Annual ACFE Global Fraud Conference ©2017

Tor is made up of two different parts. First is software that you can download and install on many devices. The second and critical piece is the Tor network, which consists of more than 7,000 volunteer computers that allow Tor users to route traffic through these network nodes. Tor is not designed to anonymize a user's identity—it only hides where the user’s Internet traffic originates. The first Tor network node that a user accesses will know where that single transmission came from.
However, as the transmission proceeds to the next Tor node, the second node will know only that the transmission came from the previous node—not where the transmission originated. This process continues through at least three Tor nodes, each of which knows only the address of the previous node in the chain. There is no way for the final destination of the transmission to track the random pathway back through the Tor network to identify the user.

Use of the Tor network does not guarantee complete anonymity, because Tor modifies only the packets as they travel across the Tor network. The actual contents of the data in these packets are not modified in any way. Users who desire an even higher level of privacy have been known to encrypt their data before transmitting it on the Tor network, and possibly also use a virtual private network, or VPN, to provide even more anonymity and protection.

The Invisible Internet Project (I2P)

I2P is an open source project that has been in active development since 2003. The I2P network is designed to provide even better anonymity than Tor. Even though it is currently much smaller in scale than Tor, it is quickly gaining in popularity. Tor is good at hiding the identity and location of the user and recipient of transmissions, but I2P carries this to another level.

Where a Tor user creates a connection “circuit” to communicate through the network, I2P users create multiple user-defined “tunnels” to communicate with each other. These tunnels can be reconfigured or changed by a user at any time. I2P tunnels operate in only one direction—either inbound or outbound. Users can configure as many tunnels as they need, and have the ability to create a single tunnel that is used only one time for one communication.
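Returning to the Tor relay chain described in the Tor section above, the following Python simulation is an added illustration and not part of the original paper: the client wraps a message in one encryption layer per relay, and each relay, on removing its layer, learns only the previous hop and the next hop. It also shows the caveat the text raises, that the exit forwards the payload exactly as the client wrote it, so anything the application did not encrypt is readable there. The relay names, keys and toy cipher are constructed for the demo; Tor's real circuit protocol differs in detail.

```python
import hashlib
import os

# Constructed demo keys. In Tor, each key is negotiated with that relay when the circuit is built.
RELAYS = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHAKE-256 keystream) for illustration only; Tor uses AES-CTR.
    pad = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def build_onion(relays, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload in one layer per relay, exit layer innermost.
    Each layer names only the next hop, so no relay ever sees the whole path."""
    cell, next_hop = payload, destination
    for name, key in reversed(relays):
        nonce = os.urandom(16)
        cell = nonce + stream_xor(key, nonce, next_hop.encode() + b"|" + cell)
        next_hop = name
    return cell

def relay_peel(name: str, key: bytes, prev_hop: str, cell: bytes):
    """One relay removes its own layer. It learns who sent the cell and where it
    goes next; the rest is still ciphertext for the relays further down the chain."""
    nonce, body = cell[:16], cell[16:]
    next_hop, inner = stream_xor(key, nonce, body).split(b"|", 1)
    return {"relay": name, "from": prev_hop, "to": next_hop.decode()}, inner

def route(relays, destination: str, payload: bytes):
    """Send one cell through the chain; returns each relay's view and what the exit emits."""
    cell, prev, views = build_onion(relays, destination, payload), "client", []
    for name, key in relays:
        view, cell = relay_peel(name, key, prev, cell)
        views.append(view)
        prev = name
    return views, cell   # the exit forwards the payload exactly as the client wrote it

if __name__ == "__main__":
    views, out = route(RELAYS, "example.com", b"GET /ledger HTTP/1.1")
    for v in views:
        print(f"{v['relay']:6} saw: from={v['from']:7} to={v['to']}")
    print("exit forwards:", out)   # plaintext unless the application encrypted it
```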
Once that communication has ended, the user can deactivate the tunnel and never use it again. Where the message headers on Tor are encrypted, the message body may not be (unless the user has used another application to do so). On I2P, there are multiple levels of encryption that protect the entire message from end to end.

I2P is also a packet-switched network, which means that each message is broken down into different packets, or pieces, each of which can travel the I2P network by different routes. This packet switching also allows I2P to balance the transmission workload across multiple routers on the network, which can make it faster and much more efficient.

Users of I2P can also customize their configuration of tunnels on the network to require that their communication be forwarded through more network routers, which could enhance security even more. Since this means that every message would need to go through more “hops,” it could decrease the speed of the transmission. But the user has the flexibility to adjust his network settings according to his perceived risk profile.

I2P is considered in many ways to be more secure than Tor, but making effective use of I2P may require more technical knowledge than the easier-to-use Tor network. Cybercriminals and other people for whom additional security is important will not hesitate to migrate to I2P, which may help this network to grow rapidly.

MaidSafe: The Secure Access for Everyone (SAFE) Network

The SAFE network is a peer-to-peer network where data is encrypted at all times. When a user installs the software, they are asked how much of their computer’s resources they would like to allocate for use by the network. In effect, their computer now becomes a node on the network, similar to the relay computers of the Tor and I2P networks. However, there are some differences.
Whatever portion of the volunteer computer’s data storage is allocated for use by the SAFE network now becomes an encrypted “Vault.” When a user joins the SAFE network, they are given a completely anonymous ID. The data storage “Vault” on their computer is issued yet another different and anonymous ID. A user never needs to provide personal information to the network. There is no centralized data storage or dedicated servers that store any unencrypted data or user personal information.

Volunteers are paid for their participation based on the amount of resources they provide to the network, as well as how much time they make their resources available. They are paid in a proprietary digital currency named Safecoin, which can be bought, sold, and traded for Bitcoin and several other digital currencies on multiple exchanges.

A criminal wanting to cover their tracks could join the SAFE network and acquire Safecoin. They could then exchange the Safecoin for Bitcoin, and then convert that into either a different digital currency or an accepted currency anywhere in the world via any exchange. There is never any personal identification associated with either digital currency.

When a user uploads a file to be stored on the SAFE network, the file is first broken into several pieces, and each piece is encrypted separately. Then several copies of each encrypted file segment are distributed and stored on computers active on the network. None of the file segments for one file are ever present on any single device other than the original owner’s. The contents of the file or any of its file segments are completely unreadable and inaccessible to any other member of the SAFE network.
Before a computer connected to the SAFE network is powered off, several copies of all file segments stored there by other users are copied to other active nodes for redundancy.
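An added simulation of the storage behaviour described in the last two paragraphs (this is illustrative code, not the paper's or MaidSafe's own): a file is split into segments, each segment is encrypted separately under a key only the owner can derive, copies are spread over distinct nodes, and a node about to go offline hands its segments to other active nodes so the replica count is preserved. The per-segment key derivation, the toy cipher, the segment size and the placement rule (no node holds more than one segment of a given file, a strict reading of the paper's statement) are assumptions made for the demo.

```python
import hashlib
from collections import defaultdict

CHUNK = 16      # constructed segment size for the demo; real deployments use much larger segments
REPLICAS = 3    # copies of every encrypted segment the network keeps alive

def seg_cipher(key: bytes, data: bytes) -> bytes:
    # Toy per-segment cipher (SHAKE-256 keystream, same call encrypts and decrypts); not SAFE's real scheme.
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def seg_key(owner_secret: bytes, file_id: str, idx: int) -> bytes:
    # Assumption for the demo: each segment gets its own key that only the owner can derive.
    return hashlib.sha256(owner_secret + file_id.encode() + idx.to_bytes(4, "big")).digest()

class SafeNet:
    def __init__(self, nodes):
        self.active = set(nodes)
        self.vault = defaultdict(dict)     # node -> {(file_id, idx): encrypted segment}

    def holders(self, seg_id):
        return {n for n in self.active if seg_id in self.vault[n]}

    def place(self, seg_id, blob, copies):
        """Store `copies` replicas of one encrypted segment on distinct nodes."""
        # Candidates: active nodes holding no segment of this file (never two of one file on a device).
        free = [n for n in sorted(self.active) if not any(k[0] == seg_id[0] for k in self.vault[n])]
        if len(free) < copies:
            raise RuntimeError(f"not enough free nodes to replicate {seg_id}")
        for node in free[:copies]:
            self.vault[node][seg_id] = blob

    def upload(self, owner_secret: bytes, file_id: str, data: bytes) -> int:
        segs = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
        for idx, seg in enumerate(segs):   # split, encrypt each piece separately, replicate
            self.place((file_id, idx), seg_cipher(seg_key(owner_secret, file_id, idx), seg), REPLICAS)
        return len(segs)

    def shutdown(self, node):
        """Before a node goes offline, its segments are re-copied so each keeps REPLICAS live copies."""
        self.active.discard(node)
        for seg_id, blob in self.vault.pop(node, {}).items():
            self.place(seg_id, blob, REPLICAS - len(self.holders(seg_id)))

    def download(self, owner_secret: bytes, file_id: str, count: int) -> bytes:
        out = b""
        for idx in range(count):
            node = min(self.holders((file_id, idx)))    # any live replica will do
            out += seg_cipher(seg_key(owner_secret, file_id, idx), self.vault[node][(file_id, idx)])
        return out
```

With ten nodes, a three-segment file keeps three replicas per segment through one node leaving; a second departure raises because no node free of that file remains, which is the capacity limit the placement rule implies.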