How to be invisible on the internet

It’s not that most black hat hackers have a love for the theatrics that they don the black mask and the blazer, obscuring their identity is paramount towards being able to continue with their activities. The shroud of invisibility often lets them carry out their nefarious (or vigilante) acts with impunity. And it can be easily argued that the whistleblowers of the current digital era are enabled thanks to the levels of privacy afforded by the very same technologies. While we aren’t taking any sides, we dug around a little to figure out how they go about their activities, how they hide their traces, how they stay off the grid, how they dish out their blend of activism. In no manner should this list be considered complete. Here’s how they do it.

Separate identities

Some things are a no-brainer. Almost every black hat that was caught and the countless ones that are yet to be caught operate under a pseudonym. And it’s not just the name, each identity is only utilised with a certain set of hardware. On your work laptop, he/she might be a John or a Jane and on another machine they might be a genderless X4yn3r. Consistency is important, those who’re out to track you down and discern your identity are always getting some bit of information or the other which they’re piecing together which is also why black hats tend not to use the same software for long, because no matter how random a software can claim to be, there’s always a pattern and over time, the more they see the easier it becomes to narrow down on someone. 

It’s when the identities mix, that they tend to get caught. Ross Ulbricht a.k.a. Dread Pirate Roberts was caught when he gave out his personal email ID while astroturfing. The FBI had a lot of data about his identities and this one post on a forum allowed them to connect the dots and nail him. The importance of maintaining separate identities is a matter of life or death.

RATtings

Remote Access Trojans are how black hats gain control over your machine. And that’s also how they add computers to their personal botnets. Which incidentally become staging areas for attacks and sending unsolicited emails. Opening a simple email is all it takes for the payload to be delivered and for a backdoor to be opened. From that point onwards, you’ll have no idea as to what nefarious purpose you machine was used for. Say hi to the feds for us.

VPN

The go to tool when it comes to hiding your internet traffic from snoopers, the all popular VPN is heavily advised but little is known about the efficacy of VPNs. Sure they allow you to watch geo-restricted content on YouTube but they aren’t great for ensuring privacy in their default usage scenarios. While many VPNs claim to not keep logs, they’re also signatories to laws that require them to lie about keeping logs once contacted by a security agency to do so. Little white lies…

Hackers do their homework and check if a VPN is actually obfuscating traffic by using tools like WireShark to check if switching on a VPN breaks existing connections. Then they check if the VPN is indeed re-routing all the traffic from the machine or just a portion of it limited to browser sessions and specific apps. This matters because existing browser sessions and applications on your computer will immediately try to ping back home when a network connection is modified and if any of these pingbacks are not routed through the VPN, then it’s as good as not using a VPN. 

A general trend observed among hackers who speak up is to use multiple VPN services and switching between them. And when it comes to paying for these services, the methods of payment are kept anonymous. When a VPN service becomes sufficiently popular, the feds bring in listening equipments and monitor the end points, this is one manner in which traffic correlation is done in order and it renders a VPN useless. And it’s not just the endpoints, even network routers along the way are tapped to perform man in the middle attacks and generate logs. Most governmental security programs focus on always gathering metadata until some suspicious activity is flagged and then the metadata is mined to generate a profile. Hence, the need for using multiple VPN services. And lastly, they prefer a VPN service operating in a country like Sweden which has good privacy laws.

TOR

Just using TOR isn’t all that hackers do, you gotta use TOR correctly. And it’s only good as long as the you ensure traffic to the endpoint router is encrypted as well. And the feds know this which is why a good percentage of the TOR exit routers are monitored. TOR works by anonymising traffic with packet delays and origin obfuscation but lab experiments like the one performed by Sambuddho Chakravarty at the University of Columbia found that by monitoring traffic flow within the network, 100% of the traffic could be identified and the same experiment performed within a real-world TOR network allowed for 81.4 per cent of the traffic to be identified.

Intrusion Detection System

High-risk behaviour on the internet always attracts attention, infact, the mere act of downloading the TOR browser or switching on a popular VPN service immediately gets your connection flagged down for monitoring. Hackers need to be one step ahead of the curve so they rely on IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) to figure out if someone is trying to snoop on them and take precautionary measures.

Commercial personal satellites

While few have reached this level where they can exploit the inherent design flaws of older commercial satellites to gain control. This is often how command and control server of large botnets are controlled remotely, since the satellite covers a large physical area, it is very difficult to pinpoint where the attacker is hiding. Also, this allows attackers to intercept incoming traffic and redirect them to spoofed pages. 

Randomising MAC

One of the most common ways of identifying a networked machine is by looking at the MAC (Media Access Control) address. Each device is supposed to have its own unique MAC address and a lot of ISPs rely on the same since dynamic IP addressing scheme ensures a different IP address each time a client connects to the network. So what do attackers do? The spoof their network adapter’s MAC address as frequently as possible. Every new internet session they join with a device has a new MAC address so that traffic correlation becomes difficult. There are simple batch scripts to do this but some prefer tools like TMAC to do the same.

Virtual Machine

Not everyone is well-off to afford a separate machine for their black hat activities. In such cases, attackers rely on Virtual Machines which are pre-loaded with an arsenal of tools, most of which we’ve already mentioned. And virtual machines can be destroyed in a manner of seconds without leaving a trace of existence. 

Drive bys

Password@123 – if this is your Wi-Fi password then you’re among the majority unlucky ones who’re an attackers’ wet dream. Drive-bys are when attackers compromise your network and perform an attack and then leave. Your weak Wi-Fi security probably lost a bank a couple of thousand dollars. Needless to say, all machines connected to that network are not part of a botnet. Performing drive-bys are not difficult, there are devices like the Alfa AWUS036H which is a high-gain wireless adapter that can be used from a long range and is compatible with an assortment of malicious tools. One authentication handshake is all that’s needed for the attacker to compromise your network. 

A good OS

Linux.

Drive encryption

Let’s assume you’ve goofed up and let your guard down. The authorities are en route with a pair of shiny new ankle bracelets but you wouldn’t know till they knock on your front door. So it’s best to be prepared and not spoon feed the feds with all the information needed to incriminate you. This is where hard drive encryption matters. Tools like VeraCrypt and AxCrypt allow you to encrypt your hard drive according to military grade spec and then even if caught, it’ll take the authorities ages to get in. Anakata, the co-founder of Pirate Bay ended up with a pretty heave jail term because he had not encrypted his drive.

There’s a lot more from where that came from

Quite a lot of these hackers are extremely proficient at coding and develop their own scripts and tools which we shall never hear about, however, they’ll be used to essentially accomplish the same as we have mentioned here. Hackers are not necessarily on the wrong side of the law, it’s just that the law is so convoluted and vaguely worded that you’re always committing a crime when you’re on the fringes and guilt by association is a very common tactic used by the legal system to make hackers turn on their own. So it’s only natural for them to take these steps and now you know the how and the why. 

This article was first published in September 2016 issue of Digit magazine. To read Digit's articles first, subscribe here or download the Digit e-magazine app for Android and iOS. You could also buy Digit's previous issues here.

Follow Us

Mithun Mohandas

Mithun Mohandas is an Indian technology journalist with 10 years of experience covering consumer technology. He is currently employed at Digit in the capacity of a Managing Editor. Mithun has a background in Computer Engineering and was an active member of the IEEE during his college days. He has a penchant for digging deep into unravelling what makes a device tick. If there's a transistor in it, Mithun's probably going to rip it apart till he finds it. At Digit, he covers processors, graphics cards, storage media, displays and networking devices aside from anything developer related. As an avid PC gamer, he prefers RTS and FPS titles, and can be quite competitive in a race to the finish line. He only gets consoles for the exclusives. He can be seen playing Valorant, World of Tanks, HITMAN and the occasional Age of Empires or being the voice behind hundreds of Digit videos. View Full Profile