18.4 Online Anonymity and Self-Protection

It is important for investigators to become familiar with online anonymity, both to protect themselves and to understand how criminals use anonymity to avoid detection. In addition to concealing obvious personal information like name, address, and telephone number, some offenders use IP addresses that cannot be linked to them. Such IP addresses can be obtained through free ISPs that allow individuals to dial into the Internet without identifying themselves. Other ISPs unintentionally provide the same kind of anonymous service when one of their customers' dial-up accounts is stolen and used by the thief to conceal his identity while committing crimes online. Public library terminals and Internet cafes are other popular ways of connecting to the Internet anonymously.

Investigators should use anonymity to protect themselves while searching for criminals on the Internet, particularly when conducting an undercover investigation. Online undercover investigations can be used against many types of criminal activity, including online gambling. When investigating online gambling it is necessary to create several undercover identities to make transactions and gather intelligence about the supporting organizations and networks. Undercover identities are also used to purchase drugs on the Internet and to buy stolen hardware through online auction sites. In child exploitation cases, undercover investigators may pose as children or as pedophiles to gather evidence, as described in Chapter 21. Computer intruders can be tracked on IRC, counterfeiters can be ferreted out, and fraudsters can be apprehended, all with the assistance of online undercover identities.

18.4.1 Overview of Exposure

In their book Investigating Computer Crime, Clark and Diliberto demonstrate the dangers of online investigations by outlining the problems they encountered during one online child exploitation investigation.

  1. Telephone death threats.

  2. Computer (BBS) threats.

  3. Harassing phone calls (hundreds).

  4. Five Internal affairs complaints.

  5. Complaints to district attorney, state attorney general, and FBI.

  6. Surveillance of officer.

  7. Videotaping of officer off duty (of officer giving presentation in church on subject of "dangers of unsupervised use of computers by juveniles").

  8. Video copied and sent to militant groups.

  9. Multimillion dollar civil suits filed.

  10. Tremendous media exposure initiated by suspects.

  11. Hate mail posted on Internet resulting in many phone calls.

  12. Investigator's plane tickets canceled by computer.

  13. Extensive files made on investigators and witnesses, including the above computerized information: name, address, spouse, date of birth, physical, civil suits, vehicle description, and license number.

  14. Above information posted on BBS.

  15. Witnesses' houses put up for sale and the bill for advertising sent to witnesses' home addresses by suspects.

  16. Witnesses received deliveries of products not ordered, with threatening notes inside.

  17. Hundreds of people receiving personal invitations to witness's home for a barbecue (put out by computer).

And much more! After 18 months of this, when all was said and done, the suspect was sentenced to 6 years, 4 months in state prison. All the complaints against the investigator were found to be unfounded, and the investigator was exonerated of any wrongdoing. (Clark and Diliberto 1996)

Simply conducting research to gather intelligence online is unlikely to expose an investigator to attacks of this kind. However, the above account highlights that when an investigation involves Internet usage and technically savvy targets, a proper, predetermined protocol must be followed. Chapter 19 discusses undercover best practices in more detail; in addition to following applicable jurisdictional policies, attorneys should be consulted before conducting online undercover investigations.

18.4.2 Proxies

One approach to concealing one's IP address while surfing the Web is to direct all page requests through a proxy. A Web server accessed via a proxy records the IP address of the proxy rather than that of the user's computer. Not every proxy hides the user, however: many ordinary caching proxies append a Via or X-Forwarded-For header carrying the client's address to each forwarded request, whereas anonymizing proxies strip such headers, so a server's recorded request headers may reveal more than its access log does. Commercial Web proxies like Anonymizer.com are available, and there are many machines on the Internet that act as proxies either accidentally or by design. Additional information about Web proxies is available at

  • http://www.all-nettools.com/privacy/anon.htm

  • http://inetprivacy.com/a4proxy/

  • http://anon.inf.tu-dresden.de/
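The following added example (not from the book, and not any particular proxy's behaviour) shows the check a server-side investigator can make: given the raw request headers and the TCP peer address, decide whether a request came directly, through a transparent proxy that still names the client, or through something that left no client address at all. The requests and IP addresses are constructed from documentation ranges; the Via header is standard (RFC 7230) and X-Forwarded-For is a de facto convention, and either can be forged by a client, so the result is a lead, not proof.

```python
"""
Added example, not code from the book: classifying how a Web request reached a
server from its request headers.  The access log records the TCP peer address,
which is the proxy's when one is used.  Many ordinary (transparent) proxies add
a Via or X-Forwarded-For header that still carries the client's address;
anonymizing proxies strip them.  Requests and addresses below are constructed
(RFC 5737 documentation ranges), not real traffic.
"""
import ipaddress
from typing import Optional

# Headers that non-anonymizing proxies commonly add.  Via is standard (RFC 7230);
# the rest are conventions, and a client can insert any of them itself.
FORWARD_HEADERS = ("via", "x-forwarded-for", "forwarded", "x-real-ip", "client-ip")

# Addresses that cannot be traced from outside the proxy's own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_headers(raw: str) -> dict:
    """Return the header fields of a raw HTTP request, keys lower-cased."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                         # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def first_external_ip(xff: str) -> Optional[str]:
    """Nearest traceable address in an X-Forwarded-For list, or None.
    The list reads client, proxy1, proxy2...; internal addresses and junk are
    skipped because nobody outside that network can resolve them."""
    for token in xff.split(","):
        token = token.strip()
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue
        return str(ip)
    return None


def classify(raw_request: str, peer_ip: str) -> dict:
    """Decide what the server can say about the true client for one request."""
    h = parse_headers(raw_request)
    present = [name for name in FORWARD_HEADERS if name in h]
    hint = first_external_ip(h["x-forwarded-for"]) if "x-forwarded-for" in h else None
    if not present:
        # A direct client and an anonymizing proxy look identical from here;
        # only the proxy operator's own logs, if any, can go further.
        kind = "direct-or-anonymizing-proxy"
    elif hint and hint != peer_ip:
        kind = "transparent-proxy"           # peer is the proxy, hint is the lead
    else:
        kind = "proxy-without-usable-client-address"
    return {"peer": peer_ip, "kind": kind, "client_hint": hint, "proxy_headers": present}


# Constructed sample requests.
REQ_DIRECT = "GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
REQ_TRANSPARENT = ("GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
                   "Via: 1.0 cache.example.net\r\n"
                   "X-Forwarded-For: 10.0.0.5, 192.0.2.10\r\n\r\n")
REQ_VIA_ONLY = ("GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
                "Via: 1.0 cache.example.net\r\n\r\n")

if __name__ == "__main__":
    for label, req, peer in (("direct", REQ_DIRECT, "203.0.113.5"),
                             ("transparent", REQ_TRANSPARENT, "198.51.100.7"),
                             ("via-only", REQ_VIA_ONLY, "198.51.100.7")):
        print(label, classify(req, peer))
```

The point of the third case is the one that matters in practice: a Via header proves a proxy was involved but, without a usable forwarded address, the only next step is a request to that proxy's operator, which is exactly the situation the SafeWeb quotation below describes.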

When offenders use Web proxies to conceal their identities, it makes tracking more difficult because investigators must obtain information from the server running the proxy to determine the actual IP address of the offender. These logs may even be available on systems that are specifically designed to protect the identity of users. For instance, a now defunct anonymous proxy service called "SafeWeb" debunked the commonly held belief that their anonymizing service did not retain log files.

... what do we do with the logs? Every night we tar them up, ship them to a central machine, compile stats on how many clients we served and how many ads we served, gpg the logs, and store them for 7 days. After that they get deleted, unless someone manages to supena (sic) them. In which case we pull out only the entrys associated with the supena (sic), and keep them around until we're actually served with said supena (sic).

It is also possible to connect to IRC or ICQ through a proxy that handles more than Web traffic, such as a Wingate or SOCKS proxy. Increasingly, individuals who want to hide their IP address on chat networks find misconfigured hosts with open proxies and use them without authorization. It can be difficult to obtain log files from these misconfigured proxies, particularly when they are located in another country. To address this growing problem, many IRC networks scan connecting hosts for open proxy ports and refuse connections from hosts that are running a proxy server.

18.4.3 IRC "bots"

Individuals can make it more difficult to locate them on IRC by using the invisibility feature.[15] However, the invisibility feature does not conceal the individual from others in the same channel, so it offers limited protection. One advanced aspect of IRC that some offenders use to conceal their actual IP address is the "bot." These programs can function like proxies and can be used to perform tasks ranging from administering a channel to launching denial of service attacks. "Eggdrop" is one of the more commonly used IRC bots and can be configured to use strong encryption (Blowfish) to conceal the contents of its logs and configuration files, making it necessary to examine network traffic to observe nicknames, passwords, and the like. The IRCOffer bot is also widely used to share pirated software, movies, and other illegal materials. Another popular type of bot is a "bouncer" (BNC for short) that allows an individual to connect to IRC via the machine that is running the BNC. When an individual is connected to IRC via a BNC, only the IP address of the computer running the BNC is visible on IRC; the individual's actual IP address is known only to the BNC host, which is therefore the place to look for logs.

18.4.4 Encryption

To protect their Internet communications, some individuals encrypt data using PGP or specialized e-mail services such as Hushmail[16] and Zixmail.[17] Others use the secure e-mail standard (S/MIME) that is integrated into many e-mail clients. The encryption keys used in S/MIME are usually stored on an individual's system, protected by a password. For instance, by default, Netscape stores these keys in a file called "key3.db". However, these keys can also be generated and stored on a hardware device such as an iButton[18] or iKey.[19] These devices are portable and will destroy the encryption keys they contain if they are tampered with.

Some IRC clients support encryption, making it more difficult for investigators to monitor communications and recover digital evidence.

CASE EXAMPLE (ORCHID CLUB/OPERATION CATHEDRAL):

start example

A major investigation into an online child pornography ring that started with the online chat room called Orchid Club and expanded to a chat room called Wonderland Club has involved hundreds of offenders around the globe. Interestingly, when the Wonderland Club members learned that they were under investigation, they did not disperse but began using more sophisticated concealment techniques such as encryption and moving to different IRC servers frequently. The use of encryption significantly hindered investigators. In one instance, a suspect's computer was sent from the UK to the FBI in an effort to decrypt the contents but to no avail. Overall, the level of prosecution in this case was low relative to the number of individuals involved.

end example

Additionally, Trojan horse programs can be configured to obfuscate traffic between the client and server. For instance, by default each packet sent between a Back Orifice client and server is XOR-ed with a known pattern (XOR is a simple binary operation, and applying the same pattern a second time restores the original bytes). However, because every packet begins with the same sequence of bytes, an intrusion detection system can XOR those known bytes against the start of a captured packet to recover the key and then decode the rest of the traffic. Therefore, more technically proficient intruders configure Back Orifice to use a plugin with stronger encryption.
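As an added illustration (example code, not the book's and not the real Back Orifice packet format), the following recovers a repeating XOR key from a single packet whose first bytes are known, and uses the same computation as a detection rule. The magic header, key and packet are constructed; the one assumption is that the key repeats within the known prefix, and the code reports when it does not.

```python
"""
Added example, not code from the book: recovering the key of a repeating-XOR
"encryption" from one packet when the first bytes of every packet are known
(a known-plaintext attack, the check an intrusion detection system can make).
MAGIC, KEY and the packet are constructed for illustration only.
"""
from itertools import cycle
from typing import Optional

MAGIC = b"*!*HDR?!"          # constructed: pretend every packet starts with these 8 bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated as often as needed (same function encodes and decodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(packet: bytes, known_prefix: bytes = MAGIC) -> Optional[bytes]:
    """Ciphertext XOR known plaintext gives the key stream at those positions.
    If the key repeats within the known prefix, the shortest period of that
    stream is the key.  Returns None when no period shorter than the prefix
    fits: the key is at least as long as the known plaintext, and more known
    bytes would be needed to recover it."""
    stream = xor_bytes(packet[: len(known_prefix)], known_prefix)
    for period in range(1, len(stream)):
        candidate = stream[:period]
        # stream has this period iff XORing it with the candidate cancels every byte
        if xor_bytes(stream, candidate) == bytes(len(stream)):
            return candidate
    return None


def decode_packet(packet: bytes, known_prefix: bytes = MAGIC) -> bytes:
    """Recover the key from the prefix and decode the whole packet with it."""
    key = recover_key(packet, known_prefix)
    if key is None:
        raise ValueError("key not recoverable from the known prefix alone")
    return xor_bytes(packet, key)


def looks_like_obfuscated_packet(packet: bytes, known_prefix: bytes = MAGIC) -> bool:
    """Detection rule: some short repeating key maps the packet start to MAGIC.
    Random data passes with probability of roughly 1/256 per candidate period,
    so a real rule would also condition on port, direction and packet length."""
    return recover_key(packet, known_prefix) is not None


# Constructed sample traffic: a 3-byte key and a fake command packet.
KEY = b"\x5a\xc3\x19"
PLAIN = MAGIC + b"\x01\x00ping 192.0.2.1"
PACKET = xor_bytes(PLAIN, KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(PACKET).hex())
    print("decoded:", decode_packet(PACKET))
    long_key_packet = xor_bytes(PLAIN, bytes(range(1, 17)))   # 16-byte key, 8 known bytes
    print("16-byte key recoverable:", looks_like_obfuscated_packet(long_key_packet))
```

The failure case at the end is the practical limit of the method: with eight known bytes and a sixteen-byte key, the first eight bytes decode but nothing else does, which is why a longer key or a real cipher in a plugin defeats this particular check.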

In general, it is not feasible to decrypt properly encrypted network traffic, and it is more effective to seek and recover digital evidence from the end points of the communication. Computer intruders have realized this - rather than attempting to obtain credit card numbers as they are transmitted between client and server over an encrypted Secure Socket Layer (SSL) connection, intruders target the end points. They usually steal credit card numbers by installing a Trojan program on individuals' systems and monitoring their keystrokes, or by breaking into the server and stealing the file or database that contains the card information. Similarly, when intruders cannot obtain passwords with a sniffer because traffic is encrypted using SSH, they target the end point, replacing the SSH server software with a version that records passwords in a file. Alternatively, intruders target the original SSH server software before it is distributed (CERT 2002).

18.4.5 Anonymous and Pseudonymous E-Mail and Usenet

Individuals who are more technically savvy and especially interested in concealing their identity send messages through anonymous or pseudonymous services. For instance, when e-mail is sent through an anonymous remailer, identifying information is removed from the e-mail header before the message is sent to its destination. The most effective anonymous remailers (e.g. Mixmaster and Cypherpunk) are quite sophisticated and make it very difficult to determine who sent a particular message. For instance, the following message was sent through the "anon.efga.org" remailer.

Received: from server1.efga.org by is4.nyu.edu; (5.65v3.2/1.1.8.2/26Mar96-0600PM) id AA09406; Sat, 9 Aug 1997 00:43:54 -0400

Received: (from anon@localhost) by server1.efga.org (8.8.5/8.8.5) id AAA08333; Sat, 9 Aug 1997 00:44:06 -0400

Date: Sat, 9 Aug 1997 00:44:06 -0400

Message-Id: <BEDPZMcwd925FWA/mG0Tyg==@JawJaCrakR>

To: ec30@is4.nyu.edu

Subject: Test

From: Anonymous <anon@anon.efga.org>

Comments: This message was remailed by a FREE automated remailing service. For additional information on this service, send a message with the subject "remailer-help" to remailer@anon.efga.org. The body of the message will be discarded. To report abuse, contact the operator at admin@anon.efga.org. Headers below this point were inserted by the original sender.

However, even when these types of remailers are used, evidence transfer occurs - the sender transfers something in the message, the message leaves something behind with the sender, and intermediate machines that handle the message may have useful information. The sender may disclose something personal or the message may contain class characteristics that give a clue about its origin. The sender's computer may retain fragments of the message, the encryption key used to sign the message, or a clear connection to the remailer used.
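The following added example (not from the book) walks the Received: chain of the message above with the Python standard library, in the order the relays actually handled it, and reports what a tracing investigator can and cannot get from it. It reproduces only the headers printed above and assumes nothing else about the message; the body is omitted.

```python
"""
Added example, not code from the book: tracing the Received: chain of the
remailed message shown above.  RAW reproduces the headers printed above (body
omitted); only the standard library is used.
"""
import email
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, Optional

RAW = """Received: from server1.efga.org by is4.nyu.edu; (5.65v3.2/1.1.8.2/26Mar96-0600PM) id AA09406; Sat, 9 Aug 1997 00:43:54 -0400
Received: (from anon@localhost) by server1.efga.org (8.8.5/8.8.5) id AAA08333; Sat, 9 Aug 1997 00:44:06 -0400
Date: Sat, 9 Aug 1997 00:44:06 -0400
Message-Id: <BEDPZMcwd925FWA/mG0Tyg==@JawJaCrakR>
To: ec30@is4.nyu.edu
Subject: Test
From: Anonymous <anon@anon.efga.org>
Comments: This message was remailed by a FREE automated remailing service.

(body omitted)
"""


@dataclass
class Hop:
    frm: Optional[str]       # host (or local user) the relay received from
    by: str                  # relay that added this header
    queue_id: Optional[str]  # relay's own id: the handle to cite when asking for that relay's logs
    when: Optional[datetime]


def _field(key: str, text: str) -> Optional[str]:
    m = re.search(rf"\b{key}\s+([^\s;()]+)", text)
    return m.group(1) if m else None


def parse_received(value: str) -> Hop:
    """Pull from/by/id and the timestamp out of one Received: header.
    The timestamp is whatever follows the last ';' (RFC 5322 form)."""
    head, _, date_part = value.rpartition(";")
    when = parsedate_to_datetime(date_part.strip()) if date_part.strip() else None
    return Hop(frm=_field("from", head), by=_field("by", head),
               queue_id=_field("id", head), when=when)


def trace(raw: str) -> List[Hop]:
    """Each relay prepends its Received: header, so reversing the list gives
    the path in chronological order, first handler first."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def analyse(raw: str) -> dict:
    hops = trace(raw)
    origin = hops[0]
    # 'from ...localhost' means the first relay injected the message itself:
    # no sending host was recorded, so the visible chain starts at the remailer.
    origin_hidden = origin.frm is None or origin.frm.endswith("localhost")
    deltas = [(later.when - earlier.when).total_seconds()
              for earlier, later in zip(hops, hops[1:])
              if earlier.when and later.when]
    return {
        "sender_visible": not origin_hidden,
        "remailer": origin.by if origin_hidden else None,
        "remailer_queue_id": origin.queue_id,
        "path": [h.by for h in hops],
        "hop_deltas_seconds": deltas,        # negative: the later relay's clock is behind
    }


if __name__ == "__main__":
    for hop in trace(RAW):
        print(hop)
    print(analyse(RAW))
```

Two things this makes concrete. The earliest hop was received "(from anon@localhost)": the remailer injected the message itself, so the chain begins at server1.efga.org and the only handle onto the sender is that host's queue id AAA08333 and whatever its operator logged against it. And the NYU relay stamped a time twelve seconds earlier than the remailer did, so relay timestamps can only be compared after correcting for each host's clock.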

CASE EXAMPLE (USDOJ 1999):

start example

Carl Johnson used anonymous e-mail to threaten notable figures, including federal judges, by posting to an e-mail list entitled Cyberpunks. Johnson used a system called "Assassination Politics" - a computerized gambling operation in which participants "predicted" the date of death of a government employee, with the payoff being funneled to the assassin as proceeds from the bet, as described in one of his messages.

Leading eCa$h candidate for dying at an opportune time to make some perennial loser "Dead Lucky" are: e$ 2,610.02 J. Kelley Arnold, United States Magistrate Judge, Union Station Courthouse, 1717 Pacific Avenue, Tacoma, Washington ... I feel it is necessary to make a stand and declare that I stand ready and willing to fight to the death against anyone who takes it upon themselves to try to imprison me behind an ElectroMagnetic Curtain. This includes the Ninth District Court judges ... I will share the same "DEATH THREAT!!!" with Judges Fletcher, Nelson and Bright that I have shared with the President and a host of Congressional and Senatorial representatives.

Johnson used several aliases and anonymous remailers when posting to the mailing list, and in one message he sent his private PGP key to the list. Johnson's use of remailers and encryption ultimately implicated him - authorities matched the PGP digital signature on e-mail messages to an encryption key discovered on his computer. Interestingly, because he had sent his key to the mailing list, many people had access to the private PGP key that was used to implicate him, so the connection between Johnson and the digital signature was not a one-to-one match. Nonetheless, the court held that the Government's technical evidence was sufficient to prove that Johnson wrote the messages and found him guilty.

end example

Intermediate servers may contain timestamped logs that show where data was received from and where it was forwarded. Using these fragments of information it may be possible to narrow the suspect pool and then focus an investigation on a few individuals. Some remailers make efforts to minimize information transfer that could be used to link a message with its sender but none are perfect.

Truly anonymous remailers do not enable the sender to receive a response to their messages because there is no way to connect the message back to the individual who sent it. For this reason, true anonymous services are only useful when an individual does not want to maintain two-way communication.

Anonymity means you have no reputation or persistence - in essence, you have no identity and people can't establish long-term relationships with you.

Pseudonymity - creating persistent alter-egos that cannot be associated with your true identity - lets you access the full power and resources of the Internet, and establish long-term relationships, without sacrificing your privacy. (http://www.freedom.net/faq/pseudo.html)

Because most people using e-mail want a response, they use pseudonymous servers such as Asarian-host to conceal their actual identities as shown in the following Usenet message.

Path: news.ycc.yale.edu!pln-e!extra.newsguy.com!lotsanews.com!newsfeed1.earthlink.net!uunet!uunet!in1.uu.net!rutgers!usenet.logical.net!news.dal.ca!torn!howland.erols.net!newsfeed.berkeley.edu!su-news-hub1.bbnplanet.com!news.bbnplanet.com!news.alt.net!anon.lcs.mit.edu!nym.alias.net!mail2news

Comments: To protect the identity of the sender, certain header fields are not shown. Anonymous email addresses for asarians can be requested by filling in the appropriate form at: http://asarian-host.org/emailform.html

Message-ID: <199809212245.QAA16547@asarian-host.org>

Posted-Date: Mon, 21 Sep 1998 16:45:21 -0600 (MDT)

Date: Mon, 21 Sep 1998 18:40:36 -0400

From: "lisa"

Reply-To: lisa@REMOVE_THIS.asarian-host.org

Organization: Asarian-host.org

Subject: cutting

Newsgroups: alt.abuse.recovery

Comments: Anonymous USENET posting by Asarian-host, using Email Gateway: mail2news@anon.lcs.mit.edu Mail-To-News-Contact: postmaster@nym.alias.net

Some remailers keep logs of the actual e-mail addresses of individuals, but many remailers will perish rather than make such concessions, even when illegal activity is involved. There is a possibility that investigators can compel a pseudonymous remailer to disclose the identity of the sender but it requires significant effort since their business is to protect the identity of their users.

CASE EXAMPLE

start example

A pseudonymous remailer in Finland named anon.penet.fi was compelled to disclose the identities of subscribers as a result of actions by the Church of Scientology (COS). During the investigation, the anon.penet.fi operator Johan Helsingius (known online as Julf) was heard as a witness. He was asked to reveal the pseudonymous accounts used to disseminate private COS documents, but refused. A legal battle followed, Helsingius was required by the courts to reveal identities, and he ultimately discontinued the remailing service.

end example

18.4.6 Freenet

An anonymous information sharing system that is accessed via a Web browser, called Freenet,[20] is becoming increasingly popular among child pornographers and other criminals. Figure 18.3 shows the Java Freenet client that can access information via Web links or using "keys" similar to URLs that are associated with each file on the network.

Figure 18.3: Java client providing links to Freenet.

Each computer that joins Freenet becomes a node on the network, storing files that others can download. Freenet uses strong encryption and regularly moves data from one computer to another, making it difficult to determine where the information originated. This concealment makes it difficult to establish the continuity of offense, so the source of files must be evaluated from the characteristics of the files and their contents, as described in Chapter 9.

In addition to concealing data, encryption is used to protect users legally as explained on the Freenet FAQ:

to keep operators from having to know what information is in their nodes if they don't want to. This distinction is more a legal one than a technical one. It is not realistic to expect a node operator to try to continually collect and/or guess possible keys and then check them against the information in his node (even if such an attack is viable from a security perspective), so a sane society is less likely to hold an operator liable for such information on the network.

Freenet also supports Near Instant Messaging (NIM) as well as online discussions via a program called Frost. Other applications are being developed to make Freenet more usable.

18.4.7 Anonymous Cash

Anonymous cash services like V-Cash and InternetCash implement a simple concept that can be useful to individuals who want to protect their privacy. Individuals can purchase anonymous cash through one of these services and then use it to purchase products from vendors that accept this form of currency. Another form of online currency are e-metals (e.g. e-gold, e-silver) that are backed by precious metals and are accepted by various online vendors and in some eBay auctions. In fraud cases that involve anonymous cash, it is quite difficult to identify the offender because of the added layer of protection.

[15]http://www.mirc.co.uk/faq6.html#section6-26

[16]http://www.hushmail.com

[17]http://www.zixmail.com/

[18]http://www.ibutton.com/

[19]http://www.rainbow.com

[20]http://freenet.sourceforge.net

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003