Using the Internet to hide crime
Alain Homewood & Jung Son
What we will talk about today
• Introduction & Background
• Internet Service: Legitimate vs Criminal Uses
• Using the Internet to hide evidence
• Tools and techniques to hide crime using the Internet
What we will talk about today (continued)
• Ways in which investigators can get around the methods used to hide crime
• Case study
• Conclusions
• References
• Questions
Introduction & Background
• In recent years the Internet has developed rapidly and has become a powerful tool in many areas.
• The Internet creates new ways for people to communicate and share information.
• The growth of information technology has driven the development of digital encryption technologies.
Introduction (continued)
However, the Internet also has other, less welcome impacts.
Introduction (continued)
• The Internet has transformed the opportunities criminals have to hide their crime.
• Encryption also gives criminals a powerful tool for concealing their activities.
Introduction (continued)
Schneider, J. L. (2003) notes: “While this technology facilitates productive, legitimate interaction, it can also open a ‘Pandora’s Box’ of criminal opportunity.” (p. 375)
He continues: “Not only can criminals hide in terms of identity and location, but also the types of crimes being committed may not be a high priority for police and their high-tech crime units to investigate.” (p. 375)
Source: Schneider, J. L. (2003). Hiding in Plain Sight: An Exploration of the Illegal(?) Activities of a Drugs Newsgroup. The Howard Journal of Criminal Justice, 42(4), 374-389.
Introduction (continued)
Denning & Baugh (1998) state that: “encryption is being used as a tool for hiding information in a variety of crimes, including fraud and other financial crimes, theft of proprietary information, computer crime, drugs, child pornography, terrorism, murder, and economic and military espionage.” (p. 47)
Source: Denning, D., & Baugh, W. (1998). Encryption and evolving technologies: Tools of organized crime and terrorism. Trends in Organized Crime, 3(3), 44-75.
Internet Service: Legitimate vs Criminal Uses
Legitimate uses                  Criminal uses
Important communication tool     Important crime tool
Sharing good ideas               Sharing criminal ideas
…                                …
Internet Service: Legitimate vs Criminal Uses
Legitimate uses                  Criminal uses
Showing my profile               Hiding my profile
Exchange of ideas and beliefs    Enhance criminal activities
Enhance communication            Share criminal knowledge (how to build bombs)
Overcome barriers of time        Overcome barriers of investigation
Interact with friends            Interact with criminals
Using the Internet to hide evidence
• Newsgroups
• Online forums
• Online file repositories
• Voice chat (to avoid tracked conversations)
This provides a challenging set of circumstances for investigators trying to find evidence.
Hiding Identity – Anonymity
• The best way to hide crime is to ensure it can’t be traced back to you.
• In general, if the perpetrator makes no attempt to conceal their identity online, they can be tracked.
Hiding Identity – Another Device/Network
It is very easy for a criminal to simply use another device or network to conduct crime. This could involve the use of:
• Authorised use of a device belonging to a friend, employer, internet café, university, etc.
• A stolen device, or one accessed without authorisation (e.g. stealing a mobile and using its data plan)
• Public wireless networks
Hiding Identity – Hacked Devices/Networks
Criminals often have an array of hacked devices/networks through which they can route their communications. This includes:
• Hacked servers
• Hacked home computers (often under botnet control)
• Hacked wireless networks
Hiding Identity – Stolen Credentials
Criminals may hack, steal or guess credentials for access to people’s online services. Crime is then conducted using these credentials. Popular targets include:
• Online banking
• Payment systems (e.g. PayPal)
• Online merchants
• Email & social networking (mainly for spam)
Hiding Identity – Identity Theft
• Identity theft allows a criminal to appear as you while committing crime, by stealing or fabricating your identifying documents.
• Accounts can be opened in your name with any service provider.
• Credentials for your existing accounts can be reset.
• Complete identities are readily and cheaply available online.
Hiding Identity – Proxies
• Proxies provide an intermediary for network traffic, helping to conceal the identity of the source.
• They can be chained together, allowing the network traffic to travel through several proxies.
• No longer commonly used by criminals, due to a lack of supply and better options being available.
Hiding Identity – VPNs/SSL Tunnels
• VPNs (Virtual Private Networks) allow network traffic to be sent via a third party, concealing the identity of the source.
• All traffic between the user and the VPN provider is generally encrypted.
• There are thousands of commercial VPN providers, with varying policies on keeping logs etc.
• Many less legitimate providers offer guarantees of not tracking anything you do.
Hiding Identity – TOR
https://www.torproject.org
TOR (The Onion Router) is essentially a peer-to-peer VPN network. Traffic is encrypted and routed through several peers before going out to the Internet.
Source: http://www.torproject.org/about/overview.html.en
Hiding Identity – TOR: How it works
Each connection made is routed through a random path. TOR makes your communications anonymous but not private: the exit node can see the unencrypted traffic.
Source: http://www.torproject.org/about/overview.html.en
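The "anonymous but not private" point above can be shown with a small simulation of onion layering. This is an added illustration, not code from the presentation or from the Tor project: the function names, the three-hop circuit and the SHA-256-based toy stream cipher are all assumptions standing in for the per-hop keys a real Tor circuit negotiates. Each relay peels one layer, learns only its neighbours, and only the exit ends up holding the destination and the plaintext.

```python
import hashlib

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 in counter mode), standing in for the
    per-hop keys of a real Tor circuit. Illustration only, never for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_onion(circuit, destination, payload):
    """Client side: wrap the payload in one layer per relay, innermost first.
    circuit is [(relay_name, shared_key), ...] ordered guard -> exit."""
    cell = b"DEST:" + destination + b"\n" + payload   # only the exit sees this
    for i in range(len(circuit) - 1, -1, -1):
        _, key = circuit[i]
        if i < len(circuit) - 1:                      # non-exit: name the next hop
            cell = b"NEXT:" + circuit[i + 1][0].encode() + b"\n" + cell
        cell = _xor_stream(key, cell)
    return cell

def relay_peel(key, cell):
    """A relay strips its own layer: it learns the next hop (or, at the exit,
    the destination) and forwards the rest, which it cannot read."""
    header, _, rest = _xor_stream(key, cell).partition(b"\n")
    tag, _, value = header.partition(b":")
    return tag.decode(), value.decode(), rest

def run_circuit(circuit, destination, payload):
    """Pass the onion hop by hop and record what each relay can observe."""
    keys = dict(circuit)
    cell = build_onion(circuit, destination, payload)
    prev, hop, seen = "client", circuit[0][0], {}
    while True:
        tag, value, rest = relay_peel(keys[hop], cell)
        seen[hop] = {"from": prev, "to": value,
                     "plaintext_visible": tag == "DEST" and rest == payload}
        if tag == "DEST":          # exit relay: traffic leaves the network in the clear
            return seen
        prev, hop, cell = hop, value, rest

if __name__ == "__main__":
    # Constructed circuit and request, not real relays or keys.
    circuit = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]
    for relay, view in run_circuit(circuit, b"example.org:80", b"GET / HTTP/1.0").items():
        print(relay, view)
```

The guard sees the client but not the destination, the middle relay sees neither, and the exit sees the destination and the plaintext but not the client, which is why end-to-end encryption (e.g. TLS) is still needed on top of TOR.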
Hiding Crime – TOR Hidden Services
TOR can also host hidden services (e.g. web servers) that can’t be tracked. TOR acts as an intermediary, allowing two users to talk to each other without ever connecting directly.
Source: https://www.torproject.org/docs/hidden-services.html.en
Hiding Identity – TOR: Hiding evidence of TOR usage
• Portable versions of TOR that run from a USB flash drive are available. These leave limited traces on the host machine.
• Live Linux distributions including TOR are available. These leave no traces at all on the host machine.
• Both options require zero configuration and are “plug and play” solutions for anonymous communication.
Hiding Identity – TOR Alternatives
• I2P (http://www.i2p2.de/) is very similar to TOR but more decentralised.
• FreeNet (https://freenetproject.org/) provides a similar function to TOR’s hidden services.
Hiding Activity
• To hide crime online it is also important to be able to hide communications and criminal activity.
• The easiest way to hide communications is to hide in plain sight; the Internet is a big place and there are only so many eyes watching.
• Criminals are becoming more sophisticated in the methods they use to hide their criminal activity online.
Hiding Activity – Private Communities
• A lot of criminal activity on the Internet happens in private or semi-private communities.
• These typically involve private forums and chat rooms where criminals can communicate with each other securely.
• These communities often have some sort of vetting process, usually a referral from an existing member.
Hiding Activity – Darknets
• A darknet is very similar to TOR, with the exception that all the nodes in the network are known; it is friend-to-friend, not peer-to-peer.
• Darknets ensure that communication is only seen by people within the group, thus ensuring privacy.
• Darknets are harder to set up and maintain than TOR, but also harder to detect and track.
Hiding Evidence – Encryption
• Encryption is the process of applying a transformation to information, using an algorithm, to make it unreadable without special knowledge.
• Algorithms range from the easy to crack (protected MS Office files, MD5) to the near impossible (AES, Twofish).
• A wide range of commercial and free software is available.
Hiding Evidence – Encryption
• Criminal cases involving encryption have been steadily increasing.
• Cracking encryption often isn’t feasible; try to find the password another way.
• If you encounter a live system where encryption is likely to be in use, don’t turn it off.
Hiding Evidence – Steganography
• Steganography is the process of hiding a piece of information inside legitimate or innocuous information.
• This means the hidden information attracts no attention.
• Commercial and free software is available that can hide files inside image, audio and video files.
• Hidden information could be hiding inside any container file.
Hiding Evidence – Steganography
• Can be used in conjunction with encryption to further hide evidence.
• Very little, if any, use by criminals online.
• The media has often reported that terrorists widely use steganography to hide communications online. This is a myth.
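From the investigator's side, the kind of LSB image steganography the tools above perform is not invisible to statistics. The following is an added example, not code from the presentation or from any of the tools it names: it implements the classic chi-square "pairs of values" steganalysis test on constructed 8-bit samples, and the function names, the synthetic cover and the random-bit model of a full-capacity embedding are all assumptions made for the illustration.

```python
import random
from collections import Counter

def lsb_chi_square(samples):
    """Chi-square 'pairs of values' test on 8-bit samples (Westfeld & Pfitzmann).
    Full sequential LSB replacement pushes the counts of each pair (2k, 2k+1)
    toward equality, so the statistic collapses to roughly its degrees of
    freedom; an untouched cover keeps its natural imbalance and scores far higher."""
    counts = Counter(samples)
    chi, dof = 0.0, 0
    for k in range(128):
        even, odd = counts.get(2 * k, 0), counts.get(2 * k + 1, 0)
        if even + odd == 0:
            continue                      # pair absent from the data: no evidence
        chi += (even - odd) ** 2 / (even + odd)
        dof += 1
    return chi, dof

def looks_like_lsb_stego(samples, factor=3.0):
    """Heuristic verdict: flag when chi is within `factor` x dof of the
    equalised (stego) expectation. Not a calibrated p-value; tune on real covers."""
    chi, dof = lsb_chi_square(samples)
    return dof > 0 and chi < factor * dof

def make_cover(n=20000, seed=1):
    """Constructed stand-in for a flat image region: 8-bit samples clustered
    around a mean, as a real sensor would produce. Not a real image."""
    rng = random.Random(seed)
    return [max(0, min(255, round(rng.gauss(120, 3)))) for _ in range(n)]

def simulate_full_lsb_embedding(samples, seed=2):
    """Model the effect of a tool writing an encrypted payload into every LSB:
    each LSB becomes an effectively random bit. Used only to exercise the detector."""
    rng = random.Random(seed)
    return [(s & 0xFE) | rng.getrandbits(1) for s in samples]

if __name__ == "__main__":
    cover = make_cover()
    stego = simulate_full_lsb_embedding(cover)
    for label, img in (("cover", cover), ("stego", stego)):
        chi, dof = lsb_chi_square(img)
        print(f"{label}: chi={chi:.1f} dof={dof} flagged={looks_like_lsb_stego(img)}")
```

On real files the test is run over the pixel bytes in embedding order (and window by window, since partial embeddings only equalise the first part of the image); it is one of the checks behind the steganalysis features of forensic tool suites.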
Other Techniques – Jurisdiction Issues
• In the physical world criminals will often commit crime from, or escape to, jurisdictions where they cannot be prosecuted. This applies equally to online crime.
• Most online crime originates in countries with poor electronic crime laws and/or a lack of motivation to prosecute criminals.
• The use of computers/networks in multiple countries further complicates jurisdiction issues.
Ways in which investigators can get around the methods used to hide crime
Hide            Unhide
Cryptography    Cryptanalysis
Cipher          Decipher
Ways in which investigators can get around the methods used to hide crime
• Cryptanalysis: the study of methods for obtaining the meaning of encrypted information without access to the secret information that is normally required to do so (Wikipedia, 2011).
• Brute-force attack: tries every possible key until intelligible information is obtained.
Sources:
Stallings, W. (2005). Cryptography and Network Security (4th ed.). Upper Saddle River, NJ: Prentice-Hall, Inc.
Wikipedia. (2011). Cryptanalysis. Retrieved 20 March 2011, from http://en.wikipedia.org/wiki/Cryptanalysis
Ways in which investigators can get around the methods used to hide crime
• Software
 – PRTK (Password Recovery Toolkit)
 – EnCE (hash analysis)
 – FTK (Forensic Toolkit)
 – E-Discovery
 – Internet Evidence Finder
 – S-Tools (steganography)
Fox News – Steganography (video)
Source: http://www.youtube.com/watch?v=SgxiBIt9siE&feature=related
Case study – An Insight Into Child Porn
• In 2009 “Mr X” provided an exposé on the current child porn industry to Wikileaks.
• “Mr X” has 10+ years’ experience in the industry.
• This exposé details how the industry currently works and explains why attempts to set up filters will never work.
http://mirror.wikileaks.info/wiki/An_insight_into_child_porn/
Case study – An Insight Into Child Porn: Step 1 – Rent Servers
• Rent servers in multiple countries (Germany is a favourite). These servers are paid for with stolen credit cards, prepaid credit cards (e.g. “Prezzy Cards”), PayPal or WebMoney.
• Identification is often required; for this there is no shortage of high-quality false identification.
Case study – An Insight Into Child Porn: Step 2 – Configure Servers
• Administrators connect to the servers anonymously (e.g. via proxy chains and TOR) to configure them.
• All operating system logging mechanisms that can be turned off are turned off.
• Partitions are encrypted using TrueCrypt; if the server is shut down or someone logs in locally, these volumes are unmounted.
• Servers are configured to accept connections only from a limited range of IP addresses.
Case study – An Insight Into Child Porn: Step 3 – Share Media
• One server is the content server; content is uploaded to it anonymously through proxies.
• The other servers are “proxy servers” or “forward servers”.
• A domain name is handed out that links to one of the forward servers (the server rotates each time).
• Custom software on the forward server creates an encrypted tunnel through the other forward servers and then to the content server.
• The user then connects through this tunnel to the content server using remote desktop tools such as RDP or VNC.
Case study – An Insight Into Child Porn: Conclusion
• The content server attracts very little attention, as it only talks to a very limited range of other servers.
• All traffic from the content server through the forward servers is encrypted and cannot be monitored.
• If a forward server is raided, the TrueCrypt volume is unmounted automatically. If this is somehow defeated, there is no illegal content on the server to find anyway.
• If the user is raided, it is often difficult to prosecute: they were viewing a computer in another country remotely, and nothing is actually on their computer.
Conclusions
• Criminals are becoming increasingly sophisticated in their attempts to hide crime online.
• Investigators are also becoming more sophisticated. However, there are still many challenges in tracking online crime.
• Anyone who is serious about hiding crime online can probably do so in a way that leaves little to no trace.
References
• Denning, D., & Baugh, W. (1998). Encryption and evolving technologies: Tools of organized crime and terrorism. Trends in Organized Crime, 3(3), 44-75.
• Schneider, J. L. (2003). Hiding in Plain Sight: An Exploration of the Illegal(?) Activities of a Drugs Newsgroup. The Howard Journal of Criminal Justice, 42(4), 374-389. doi: 10.1111/1468-2311.00293
• Stallings, W. (2005). Cryptography and Network Security (4th ed.). Upper Saddle River, NJ: Prentice-Hall, Inc.
• Wikipedia. (2011). Cryptanalysis. Retrieved 20 March 2011, from http://en.wikipedia.org/wiki/Cryptanalysis