The hacker characters in my cybercrime thriller Invasion of Privacy are incredibly secretive about their real-world identities. This is because they are engaging in illegal activities online or actions that would put their lives at risk. One has set up an illegal money-spinning website that hacks IP webcams in private homes and broadcasts the live feeds. Another exposes zero-day attacks used by Eastern European malware gangs and cannot afford for them to track him down in the real world. Another works for . . . err sorry, too many plot spoilers, must stop there.
My characters absolutely must keep their real-world identities completely hidden, or risk retribution. They need to be very active online but in such a way that they cannot be traced back to the real world. I’ve attempted as much technical authenticity as possible in writing this modern-day cybercrime thriller.
Here are the five “don’ts” my hacker characters abide by in order to remain anonymous online:
Windows is full of holes that can be exploited. Every month Microsoft issues a security patch with the latest fixes. These holes may allow spyware to infest, completely overcoming all your anonymity efforts. Any hacker worth his salt avoids Windows like the plague. Instead, they use security-hardened open-source operating systems, such as Tails and Whonix.
A VPN enables users to create an encrypted private tunnel. Anyone attempting to trace from the internet side can only see the address of the VPN server, which could be a server located in any country around the world you choose.
TOR is a whole network of nodes that route your traffic. Each node is only aware of the one ‘in front’ and ‘behind’. Ultimately, your traffic routes onto the normal internet from one of these nodes, called an exit point.
The most complete approach is to combine the two and use VPN before going into TOR.
Instead, use anonymous email services or remailers. Anonymous email services allow you to email someone without any trace back to you, especially if coupled with VPN or TOR access. Remailers are a service whereby you can send from a real email account and the remailer will forward it on anonymously. Some remailers enable return mail, but the risk is if the remailer itself is ever compromised, it would have a record of your real email address. However, remailers can be chained together for additional layers of anonymity.
Google makes it their business to track everything you do in order to serve up adverts that you might click on. And as useful as the search engine is, there are ways to get the best out of it without compromising your identity. Services such as StartPage serve up Google results but don’t store IP addresses, cookies or records of your searches. DuckDuckGo provides a similar service.
Two issues here. The first is having your computer’s unique MAC address recorded by the router of the public location, although this is avoidable by MAC spoofing. If you’re ever traced back to your real MAC address then you can be linked to your original computer. Add to this any in-store CCTV and you’re busted! Secondly, wifi hacking attacks are commonplace. A man-in-the-middle attack over wifi will bypass all your hard-earned anonymity. Admittedly, the other hacker would need to be on the same physical wifi network already, so he probably knows who you are anyway!
Real-world hackers add on many more layers of security to anonymise their activities. However, the above are five of the most useful.
Despite all these precautions, one of the subplots in my novel involves two elite hacker enemies tracking each other down, uncovering each other’s real-world identities. Read Invasion of Privacy (after it’s published August 7th, 2014) to see how creative they had to become in order to achieve the seemingly impossible!