Becoming Virtually Untraceable (Eps3.0_4dv4nc3d_T3chn1qu3s.mp3)
*Note: This article was originally published on September 6, 2018. This article is also available in Spanish here.
“Opt for privacy and solitude. That doesn’t make you antisocial or cause you to reject the rest of the world. But you need to breathe. And you need to be.” ― Albert Camus, Notebooks 1951–1959
In part 3 of this series, we pretend that we’ve all swallowed the proverbial “Red Pill” and I continue to show you just how deep the privacy rabbit hole goes. The privacy techniques in this installment are slightly more advanced than the average person would likely need or want to implement, however, if you’re the super-paranoid or extremely privacy-conscious type then, by all means, implement them. The standard disclaimer still applies: Before proceeding, ensure that you have a solid grasp of the concepts discussed in the previous installments Part 1 and Part 2 of this series.
It is also worth noting that becoming virtually untraceable has unfortunately been labeled by society with a negative stigma surrounding those who espouse this way of life. Society cannot understand why someone would want to live this way. Society’s expectation is for everyone to be a social butterfly and spill their guts on social media about what they ate or wore that day. I refer to this trend as ‘keyboard diarrhea.’ No one cares about any of that nonsense and the world would be better off without it. However, becoming virtually untraceable is not about being anti-social or about being a recluse. It’s about protecting your privacy intelligently.
Some people strive to become untraceable out of sheer necessity, and for them, it becomes a way of life. They are generally very guarded people who don’t offer much personal information when solicited, unless perhaps when they’re around family or friends. For others, it may merely be a novel concept that they can only fantasize about as they find themselves stuck in this systematic process of being tracked everywhere, all the time, in every facet of their lives. If you are tired of being stuck in this process, remember there is always a choice to break free. It may require work on your part to do so, but no one can force you to live a certain way. We are not captives to society’s expectations. That is the beauty of living freely in a semi-free society. Sure we have laws that everyone is expected to adhere to, and certain individual rights are afforded to us by the Constitution and its Amendments. But, if we are so inclined, then we couldn’t give a damn what society thinks. When has society ever led you down the correct path? I am willing to bet the answer is never.
The point is that this mentality, or this concept of untraceability, has a lot to do with your own perspective on life. Are you the sort of person who cares deeply about what other people think about you? Perhaps this is necessary for continued employment or social reasons in your particular situation. I’ve worked jobs where in some cases if you don’t conform to the culture they will literally force you to the point of either quitting or being fired because you’re perceived as a detriment to the team and organization. Or, are you the sort of person who couldn’t care less about what others think? If this is you, please realize that this attitude is a luxury many cannot afford to have, so cherish it while it lasts. Some of these techniques may very well be unrealistic for you to implement into your personal life, but those who are truly serious about becoming virtually untraceable will make the necessary sacrifices to achieve it to the greatest extent possible.
Skillful Deception using Digital Steganography to Hide Files in Plain Sight
Magicians are masters of skillful deception. They are well known for being able to trick people with sleight of hand, hiding things from audiences that are in plain sight. There are also ways to do this same type of thing digitally using digital steganography, which is a method of hiding information within plain sight. There are ancient and even more recent forms of steganography that involved indelible inks written on scrolls, hidden tattoos under hair growth, and even microdots that contained an entire page worth of text. In this context, however, we will focus on the computer or digital form of steganography. Digital steganography is often incorrectly categorized as a form of encryption. Though steganography is at times referred to as the ‘dark cousin’ of cryptography, the two types of algorithms perform distinctly different processes.
Whereas cryptography uses computer applications, protocols, and mathematical algorithms to encrypt data; digital steganography uses computer applications and mathematical algorithms to encrypt, compress, and embed data into a cover medium file using any one of several different digital steganography methods (e.g., Least-Significant Bit- LSB, or Discrete Cosine Transform- DCT). Many digital steganography applications offer the additional ability to encrypt the secret file(s) as part of the embedding process so that even if the presence of digital steganography is discovered, the secret data will remain inaccessible without the corresponding password or passphrase. A full history and explanation of exactly how digital steganography works is beyond the scope of this article, but you’re more than welcome to learn to your heart’s content about steganography here if you’d like.
To provide you with some context of how using digital steganography could be beneficial, I offer you this scenario written in simple terms. If you were to encrypt an email using Open Pretty Good Privacy (PGP) with your private PGP key and send it to a recipient who already had your public PGP key to decrypt and read that communication, it would appear as undecipherable ciphertext during transit except for the data packet header which would reveal the source and destination IP addresses among other basic packet details. Free E-mail services such as Gmail, ProtonMail, Yahoo, Hotmail do not offer end-to-end encryption or Public Key Infrastructure (PKI) though, so it is possible that your private email messages and associated data attachments can be read as it transits through their network along the way to its destination IP address. The most these free email services can offer is encrypted email inboxes (Hint: your password is the decryption key), and standard Transport Layer Security (TLS) encryption while the email data packets are in transit from point-to-point across the Internet.
There are plug-in browser extensions that you can add to Chrome, Firefox, and others that offer the ability to encrypt email using PGP. Encryption is great, don’t get me wrong. I use it whenever I can, however, it is not as secret as it is made out to be. It is possible to intercept encrypted data packets and determine by inspecting the packet headers which source IP address sent it and the destination IP address it’s going to. Using a Virtual Private Network (VPN) helps maintain your anonymity as previously discussed in Part 1 of this series, but it is not perfect privacy because the VPN provider still knows your true IP address and this information can be acquired by governments and law enforcement. Additionally, there are some shady VPN service providers who will sell your private browsing data to third parties. So, how do we get around that and still send secret encrypted information? Enter digital steganography.
On the contrary, say you were to send a plain text (unencrypted) email with a stego-file (a.k.a., “stego object” in the figure below) attachment with some unremarkable text such as “Hey Bob, Alice and I want to come for a visit. Check out this picture of our new flowers.” The fact that you are not sending an encrypted message does not raise suspicion, it would just appear as another boring email with a boring image file attached to it. However, what any unsuspecting person who views the email and image file won’t know is that the image is actually a carrier file with an encrypted secret file hidden inside of it that will only open with the correct key (password/phrase). Do you see the subtle difference between these two scenarios? Now, you may not always need to use digital steganography, but it’s there if you need to. There are digital steganography applications that will embed files into virtually any type of file format in existence (audio, text, video, image, VoIP, etc.).
You need not be a criminal to have files that you want to hide from prying eyes. For instance, maybe you’ve got an electronic journal that you want to keep private or perhaps some racy photos or videos of yourself or a significant other that you would prefer to keep private. That is not a crime as long as all parties are consenting and of legal age. Once these types of compromising photos or videos are taken, however, the possibility that they can be used against you in some way (e.g., revenge porn or blackmail) or leaked without your consent is a real possibility. In the cybersecurity realm, if some type of threat is a possibility then it is considered a risk that should be mitigated to whatever extent possible. If you store this type of material on your Internet-connected home computer or smartphone, then the risk that those pics and videos could be stolen is a valid risk. The same goes for whatever camera or video recording device you used to produce said material. Freely available digital forensic recovery software tools can easily locate and recover deleted files. So ask yourself before engaging in such activity if it is really worth it to record it? You may also have financial info or a password list that you want to keep hidden. One method to hide sensitive personal files is to use a digital steganography application to secretly embed your personal files into a seemingly normal-looking cover medium file such as an image. For instance, you decide to embed your home-brewed beer recipe text file into an image that is password-protected.
At last check, there were over 1,200 different digital steganography applications available for use on the Internet. Not all digital steganography applications are created equal, some are more maturely developed than others, meaning the code was better written. Some of the steg software applications only work for audio, video, text, or image files while other applications are more robust and can perform multiple types of digital steganography. If you’ve ever watched the ‘Mr. Robot’ USA Network TV show, then you may have noticed the main character ‘Elliot’ (played by actor Rami Malek) use the DeepSound digital steganography application to hide data within audio files such as music albums. In order to perform audio or video file steganography, the carrier file needs to be much larger in file size to be able to embed the hidden data without causing noticeable “noise distortion” to the audio/video file. This is known as peak signal-to-noise ratio (PSNR), the lower the better to avoid detection.
Many of these digital steganography applications offer the capability of combining strong encryption and compression algorithms to hide personal files within other files (called carrier files). When the hidden file(s) are embedded into the carrier file, the file then becomes known as a stego-file. The encryption can be unlocked, or decrypted, with a password, or passphrase that the recipient would need to know before receipt along with the same steganography application to open the file. Deepsound, for example, offers AES 256-bit encryption of the stego-file which is powerful encryption, at least until quantum computing cryptography becomes a real threat.
Create Virtual Crypto Disks Hidden Within a File
By this point in the series, hopefully, I’ve sold you on the need to implement full disk encryption on all of your computers and electronic devices. If you buy an iPhone, you already know that Apple’s full disk encryption on the phone is top-notch, but there are ‘workarounds’ that the FBI has paid to obtain. If the FBI has methods of cracking iPhone encryption, then you know other government agencies (e.g., the NSA, CIA, etc.) and security companies also have methods of accessing these devices to include foreign governments as well cybercriminals threat actors. Microsoft Windows BitLocker and BitLocker-To-Go are an option if you own Windows 7, 8, 8.1, or 10 Professional edition. BitLocker is not the best option for whole HDD encryption for multiple reasons I won’t delve too deep into here. Microsoft maintains the ability to backdoor your BitLocker and Encrypting File System (EFS) keys anytime they need to. This ‘Big Brother’ access on Windows systems makes it difficult to trust BitLocker’s encryption and very easy for law enforcement or government agencies to break into your computer or devices that are encrypted with BitLocker or EFS.
VeraCrypt is a freely available French-produced encryption application that I mentioned in Part 1 of the series that allows users to create virtual encrypted disks within a file and mount it as a disk. How is this useful you may wonder? This could be useful in particular circumstances such as when traveling outside of the U.S., or back to the U.S. from abroad. It could also be helpful if you need to hide an entire folder or drive from plain sight on your Hard Disk Drive (HDD). VeraCrypt can encrypt an entire USB flash drive or partition of an HDD and allows users to work on files with parallelization of data which can be read, modified, and saved while the data is re-encrypted without significantly slowing the computer processing speed.
Perhaps one of the best features of VeraCrypt is its hidden volume feature which uses digital steganography technology to hide an encrypted container with a partition or folder container. This feature allows users to maintain plausible deniability should someone try to force you to reveal your password. For example, the way this works is that you have a password-encrypted outer partition that is completely visible but only a few non-sensitive files in it. Let’s say you’ve been detained for whatever reason and some 3-letter government agency agent is threatening you with a court order for the password to unlock your encrypted drive. This feature is nice because you can reluctantly provide the password to that outer encrypted container after making the other party jump through all of the legal hoops, and they won’t find anything damaging in the outer container spare a few files which you intentionally placed there to be found in such a situation. What they don’t know is that you have a secret, hidden encrypted volume within that outer encrypted drive that contains the most sensitive files that only you have the password to. It’s pretty nifty in my humble opinion and virtually impossible to discover.
Before you upload any images to Internet websites or send them to others via email, it is advisable that you first run them through metadata (a.k.a., EXIF data) filtering applications such as AnalogExif or ExifTool for Macs or Windows users. Otherwise, unless the website you’re uploading those images to auto-removes the metadata, you stand a chance of having geolocation data, the date/time the photo was taken, the type of camera used, among other data being recovered from your images. If you are still using social media, then you could also run the risk of someone being able to cyberstalk you to your home address from photos you posted to social media.
Using YubiKey Two-Factor Authentication
In Part 2 of this series, I briefly mentioned two-factor authentication (a.k.a., “2FA”), and in a nutshell, it is a much better Identity and Access Management (IAM) control mechanism than merely using passwords alone. Implementing 2FA or even multi-factor authentication (MFA) makes it much harder for an attacker to take over your account if they can break or otherwise compromise your login ID and password. Most people use their cell phone as the second factor of authentication, but it can also be an email, RSA token random PIN, the least secure means which is a Short Message Service (SMS) text message PIN. 2FA can be accomplished in several different ways. Possible second or third factors of authentication include:
1. Something you are- think biometric (fingerprint, facial recognition, iris scan) authentication
2. Something you know- think password, PIN, voice-provided codeword
3. Something you have- think RSA token, RFID chipped card (e.g., CAC), YubiKey
There are other authentication factors such as an individual’s location, but it is not advisable to use the location factor for authentication since it can be easily spoofed using modern technology. YubiKeys are a physical token device that you plug into your computer’s USB port or connect via Near Field Communication (NFC) to your smartphone to authenticate with 2FA. YubiKeys are considered to be what is known as Universal 2nd Factor (U2F) authentication which is considered to be superior to other forms of 2FA due to the fact that the authenticating individual must have the corresponding encryption YubiKey to authenticate and cannot be replicated from a remote site.
YubiKeys are also not a realistic option for some individuals who may work in secure facilities with sensitive information or technology that have security policies restricting the use of any Wi-Fi, NFC, and Bluetooth-enabled devices. So, while YubiKeys are a preferred choice for the best 2FA security protection, I advise you to do your homework on it before deciding to switch over. It’s either that or don’t access your personal accounts during working hours and instead actually focus on your work while using a YubiKey for authenticating at home. Authy is a mobile application that is used for 2FA and generates random 6-digit PINs to authenticate users on websites after they’ve already provided the correct login ID and password to access the site. Watch for Authy to become a lot more widely used and publicized to accomplish 2FA on smartphones in the coming months.
Google is Privacy’s Public Enemy #1
Nithin Coca wrote a nifty piece on why he fully quit using Google, and why you may also want to go that direction. I know what you’re thinking? “Is this guy for real? Quit Google? How does one even do that and why?” Well, it is a long story (TL;DR), but suffice it to say that if you value privacy then Google, my friend, is not your friend and neither is Facebook, Twitter, Instagram, Snapchat, Tumblr, MySpace (yes, it still exists) or any number of Internet tech giants. They are all in the business of collecting and selling your personal information. Everyone should go into it knowing that, but unless you make it a habit of reading the fine print in the Terms of Service agreements, you’d never know because these social media sites are not in habit of warning customers ahead of time. It’s typically bad for business. Another reason not to use Gmail is the fact that they make a large chunk of their profits from vendor advertisements, so there is a definite incentive on Google’s part to share your email and Google search data with 3rd party vendors who comb through it to market products to you. It’s all a big-money game, in the end, big surprise I know.
Where privacy is concerned, ProtonMail is a much better free option than just about any other free email service provider for the simple reason that they are based out of Switzerland, and they will not readily hand over your information to anyone. It is also true that you get what you pay for. So, if you want the best privacy email then use ProtonMail, but pay a small fee for the extra capabilities and storage capacity. Companies tend to treat you better when you’re the primary paying customer. On the flip side, Google has exponentially more users than ProtonMail, and they have all of their built-in features and cross-site functionality applications. However, Google willfully complies with “tens of thousands of search warrants and subpoenas every year” according to its transparency report. ProtonMail does not have to comply with any search warrant. When it comes to security though, it’s hard to argue that anyone does it better on an Enterprise level than Google for the billions of users as they have. Google has long been a leader in tech innovation and Internet security in many respects. It is a calculated risk either way, but the privacy-focused individual will tend to shy away from big-name companies such as Google that have a reputation for sharing user data for marketing profit.
Parenting & Privacy in Teen Social Media
Recently in the news, there was a disturbing report about a man who stalked young teenage girls on social media that lived near his home. On more than one occasion the man broke into the same house while he was naked and masturbated in the girl’s room while she slept. If you view the video of the initial home intrusion, the man appears to just walk right through the front door which was left unlocked, and then disturbingly, sees a video camera and “shooshed” it with his finger as he proceeded to walk upstairs to the teenage girl’s bedroom. If this doesn’t hit you as a parent like a pair of brass knuckles to the face, I don’t know what will at this point. First, responsible adults (parents) need to ensure that basic home security checks of all the doors in the house are performed prior to going to sleep, but the fact that this guy was able to just walk into the house after having already broken into the house and done this once already is absolutely mind-boggling.
There’s no other way to put it, social media can be a dangerous tool. Dangerous for those who use it, and for all of the nefarious activities it can be used for by purely evil people. Ignorant and young people alike may not understand that there is a distinct possibility that what they see on social media or anywhere on the Internet has been fabricated by someone with ulterior motives. Recently, both Russia and Iran have been in the news regarding using fake social media accounts to try to subvert U.S. 2018 national election outcomes by paying for false advertisements and with political posts as happened in the 2016 Presidential election. There are also domestic-based threat actors and groups that actively attempt to subvert news stories and misguide unsuspecting people.
We need to educate our children and elderly that social media is a tool that can be used for both good and bad things. Lately, it seems to deliver more bad than good. Privacy concerns and social media are on the minds of many people in the U.S. There is a reason that both Facebook and Twitter CEOs have had to testify before Congress in recent months. If you still feel like you must use social media, then at least try to use it responsibly and educate others who may not be aware of the perils. Lastly, it is your parental right to be an intrusive parent who monitors their kids’ activities online and their cell phones. Under no circumstances can you allow your teen to convince you that your monitoring of their cell phone and Internet activity is an invasion of their privacy. You’re paying for it more than likely, they are your responsibility, and what they do online could bring harm to them and/or your family. Do your job moms and dads, your kids will thank you later on in life when they are still alive to visit you instead of being kidnapped by psychopaths trolling the Internet.
Assuming a New Digital Identity
Sometimes it is just good to start fresh. If you feel overwhelmed and need to detoxify your digital life, think hard before taking drastic measures and jumping off the deep end. It is time-consuming to try and reestablish your digital identity once you decide to delete it and remember that the Internet is very unforgiving. Once you’re on it, you’re there to stay in some manner or another, meaning that there will still be digital breadcrumbs that will lead back to your former existence that you will have to attempt to clean up quietly. If you’re serious about assuming a new digital identity, I recommend you implement as many of the recommendations in this series as you think you need to, and also read other articles and books. While it may be impossible to delete your digital identity completely, there are many steps you can take to obfuscate it to the point where it is essentially non-existent like that old MySpace account you forgot about but that is still lurking around.
A handle is another name for a nickname or callsign. If for whatever reason, you can’t give up your social media account activity because you’re an addict, it’s okay because I am right there with you as a writer and cybersecurity professional. Though I know a great deal about achieving digital privacy, many of the steps I recommend I cannot myself entirely undertake without compromising my ability to publish my writings and maintain employment. The Internet is a useful tool to remain up-to-date, but you have to be very distrusting of the information you find online. You always need to further validate it. If this is not true for you, however, firstly I am envious, and secondly, you might consider employing a technique I like to call “handle morphing.” This technique consists of constantly changing your Twitter, or other social media profile handles multiple times per week to confuse people and throw them off your trail. Many hackers already do this as a matter of redundancy. They maintain several different social media accounts on the same platform under different names in case the platform temporarily disables their primary account or they should need to ‘burn’ that account for whatever reason (i.e., it could be linked to illegal hacking activity). Some social networking sites may restrict how often you can change your handle or even require that you delete your old account and start fresh with a new one. The social media sites try to make it as difficult as possible to quit their sites to prevent users from ditching their services on a whim since that is potentially lost profits for their company. I am sure you can understand the motive there, right? Always follow the money trail, you’ll never go wrong.
Other techniques I have used consist of deactivating my LinkedIn profile for 19 days at a time when I don’t need it to be accessible for whatever reason (e.g., applying for new jobs) and then reactivating it just in the nick of time before it expires and is deleted on the 20th day, only to deactivate it again a day or two later. Watch, now that I have let that secret out, LinkedIn (a.k.a., Microsoft) will change their account deactivation policy. Are you tired of weirdos and strangers contacting you on LinkedIn? Give this technique a try. You’ll still maintain your account, but it will not be visible while it is deactivated for 19-day stretches and I should note that you’ll have to set up all of your account news feed preferences again upon account reactivation. If my LinkedIn account were to accidentally disappear though as a result of my failure to reactivate the account in time, I would not lose sleep over it…
Note: you may not want to do this if having a large social media followership is important to you because people may not easily recognize your new profile and may unfollow you if they don’t recognize you.
Delete Me from the Internet Why Don’t You?
Similar to the ReputationDefender.com site previously covered in Part 1 of this series, DeleteMe has branded itself as “the most trusted information removal service” that will remove you and your family’s public profiles from data broker sites like Intelius, including names, current/former phone numbers, email addresses, current/former physical addresses, and even photos of your home. At the time of this writing, DeleteMe offers 3 plans:
1 person ($129/yr. US), or
2 people ($229/yr. US), or
2 people for 2 years ($349/2 yrs US)
Shining a Flashlight on Dark Web Scans
Some companies such as Lifelock and Experian are offering Dark Web (a.k.a., ‘DarkNet’) scan services as an identity theft monitoring tool. My advice is not to waste your money on this type of product. The chance that these Dark Web scans are even close to comprehensive is slim-to-none, and it is highly likely that the company is only looking in a couple of illicit marketplace spots. Although there are search engines on the Dark Web such as Duck-Duck-Go among others, the nature of the Dark Web is decentralized and dis-aggregated which makes search results incomplete as they will not yield any results from unknown and newly established Dark Web sites. That could mean that the scan won’t return any matches for your personal information even if it is on the Dark Web somewhere.
There are all types of hidden services and sites on the Dark Web, some of which are only shared by individuals who know about them with other trusted individuals they choose to invite. That makes it difficult for the good guys and gals to discover and track this type of illegal activity. It is a rat’s nest actually, and unless you know what you’re getting yourself into I’d suggest not visiting the Dark Web. You cannot un-see the things you may stumble upon there. In other words, searching for your info on the Dark Web is like trying to find a needle in a haystack. On the other hand, if you’ve got an extra $10/month to throw away for this type of scan service, it could buy you valuable time to change your login credentials if it does happen to turn up a positive search result on your personal information. It’s up to you, it can’t hurt, but it isn’t necessary either for the reasons I have mentioned. By and large, though, these Dark Web scans are just another gimmick that credit reporting agencies, identity theft companies, and financial institutions will market to make more money from security-paranoid people.
The Hacker Way
Hackers are an exceptionally innovative and resourceful breed. No matter the technology involved, hackers will always try to find a way to make the technology work for their purposes, good or bad. If there is a part of you that feels the same way, then perhaps you too, are a hacker of sorts, deep down inside. Hackers are generally sympathetic towards anonymity and privacy, but not all. In my lifetime as an ethical hacker, I have seen many self-pronounced hackers espouse the concept of freedom of information and believe that data stolen from hacking databases, whether for monetary gain, sabotage, or to prove a point, should then be dumped on the Internet despite it possibly being damaging to national security (e.g., classified information to WikiLeaks). Being a Whitehat hacker, I vehemently disagree with this practice but I understand why hackers do it. They want to prove a point as to how weak a website’s or database’s security is.
Whatever your opinions are on the subject, you’re entitled to it but please first understand the implications of engaging in any illegal hacking activities. The Computer Fraud and Abuse Act (CFAA) is not a joke, and there have been quite a few hackers who have served serious prison time after having been charged with crimes in violation of the CFAA. The litmus test for whether something is legal or not should always be, “Is what I am about to do going to violate the CFAA?” or some other law such as the Health Insurance Portability and Accountability Act (HIPAA). Discovery and learning are noble causes, but they are not worth going to prison over.
Becoming virtually untraceable and being a hacker go hand-in-hand. Your goal should always be to blend in and fly low under the radar, “Nothing to see here folks, move along.” The master Blackhat hackers, or very skilled bad guys, are very adept at operating silently and covering their tracks. If you didn’t know what to look for, you’d probably never even notice that a skilled hacker has even been in your network or on your system. They will go to great lengths to remain hidden to include the malware they write and propagate. In order to protect against the enemy, you need to think like the enemy. Try not to give people a reason to notice you, fly low under the radar. Some hackers are eccentric, and they seek attention, but it often ends up being overwhelmingly negative attention that they ultimately receive. It turns out that many people don’t like hackers, imagine that! I wonder why? Going forward, you should welcome the challenge of trying to remain virtually untraceable as much as possible in both the physical and digital realms. We must try to always remember the duality of technology in our online endeavors, like a dual-edged sword it can be wielded to save or destroy. It merely depends on who is wielding that technology. Remember this: Zero Trust, Always Verify.
Additional Privacy Resources
*Privacy-related articles also published by the author can be found here.