How To Hook A Hacker

In 2012, we all became pretty familiar with hackers, getting to know their groups like Anonymous, Lulzsec, and others like them. The activities of these high-profile hackers have come to the attention of international authorities, who are now increasingly working co-operatively across national boundaries to try to prosecute them. Hooking a hacker is, however, easier said than done.

The obvious fact is that hackers use the Internet to obscure their identity. Let’s start with the basics. The IP address that identifies a system on the Internet is usually allocated dynamically by the Internet Service Provider (ISP), so the only way of finding out who held that address at that particular time is to hope that the ISP kept a record of the allocation.

Not all ISPs do. In the UK, ISPs do keep records of IP addresses allocated, but they don’t hold this information forever, so time is against the investigators. The trouble is that any request for this information requires proof of illegal activity to generate a warrant, which can take time.

Even if IP address information can be retrieved, the source of the IP might well be in another country which raises political and legal barriers to any investigator. Hackers know this and will deliberately attack targets outside their own countries. Some hackers who have been identified have only finally been caught because they were arrogant enough to attack an institution in their own country.

This happened to Victor Faur from Romania who attacked NASA from the safety of his country. He seemed immune to prosecution, as Romania did not recognise the crime, but Faur then decided to attack computers in Romania, at which point the Romanian authorities arrested him.

Knowing that they cannot always hide safely behind a dynamic IP address, hackers moved on. The next step was for them to use a proxy or, more likely, several proxies. Examples of proxies are:

  • Facilities provided by individuals or companies usually with the intent of making it possible for people in repressive regimes to have their say anonymously
  • Systems that have been compromised without the owner’s knowledge. Many hackers will tell of forgotten servers in some foreign country that they have broken into and now route their traffic through; others will talk about an army of computers that they have turned into obedient servants, or robots, making a network of robots, or botnet.

Proxies make the investigators’ life a little harder as they may now have multiple ISPs in multiple countries to work with. The result is more time, greater complexity and less certainty in the results. And like chasing all prey, it requires patience, determination and a good deal of silence.

In the meantime, some hackers have moved on to onion routing, a technique for anonymous communication over a computer network. Tor is now the obfuscator of choice, though there are others. These routing protocols obscure the source, the destination and the body of the data itself, making the investigator’s life extremely difficult. There are ways of discovering more, but they require more time and considerable access to parts of the onion router network, such as the exit node of the Tor network.

Sometimes, ironically, investigators are helped by the hackers themselves, who need to communicate, either with their collaborators or, in the case of hacktivists, with the public, to make people understand why they are taking the actions they are taking. Posting frequently means the hacker must take precautions every single time.

One Anonymous member, Sabu, was apparently caught because he failed to use Tor just once when logging on to his IRC feed. This exposed his IP address to the FBI and allowed him to be traced. Another member, Nerdo, kept his childhood ‘handle’, so although he was cautious as a hacker, investigators were able to link the name to a real-world identity by tracing it back to a time when he was less careful, having had less reason to be.

The job will get harder. Hackers will learn how others were caught and will take precautions, and investigators will have to look for flaws in those new precautions. By the nature of the game, investigators are reactive, waiting for a compromise and then having to chase on limited information. Victims can help by having good security and by improving their logs, which aid traceability by providing more information. Good monitoring is also key: the shorter the time between hack and detection, the less data is stolen and the hotter the trail.
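The first step an investigator takes, described at the start of the article, is to match the IP address and time seen in the victim’s logs against the ISP’s record of who held that dynamically allocated address at that moment. The following is an added example, not code from the article or its author, showing why the logging and retention points above matter in practice: the victim log line, the ISP allocation records, the subscriber identifiers and the 90-day retention window are all constructed sample data and assumptions for illustration. It also shows the two things that most often break such a correlation: a log timestamp written in local time rather than UTC, and a request that arrives after the ISP’s records have aged out.

```python
"""Correlating a victim's log entry with ISP address-allocation records.

Added example (not from the original article). All data below is constructed;
the log format, subscriber ids and retention period are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed ISP allocation records: (ip, lease_start, lease_end, subscriber_id).
# Times are UTC. A real ISP would hold these in RADIUS/DHCP accounting logs.
ALLOCATIONS = [
    ("203.0.113.45", "2012-03-01T08:00:00Z", "2012-03-01T20:00:00Z", "SUB-0001"),
    ("203.0.113.45", "2012-03-01T20:00:00Z", "2012-03-02T06:30:00Z", "SUB-0002"),
    ("203.0.113.77", "2012-03-01T00:00:00Z", "2012-03-03T00:00:00Z", "SUB-0003"),
]

# Assumed retention window: allocation records older than this are gone, which is
# why delay in obtaining a warrant works against the investigator.
RETENTION_DAYS = 90

# Assumed victim log format: '<ip> - - [<iso8601 with offset>] "<request>" <status>'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp and normalise it to UTC.

    A timestamp with no UTC offset is rejected: a bare local time cannot be
    matched reliably against the ISP's records, so the victim's logging must
    record the offset (or log in UTC) for the trail to be usable.
    """
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {value!r}")
    return dt.astimezone(timezone.utc)


def parse_victim_log_line(line: str) -> tuple[str, datetime]:
    """Extract (source_ip, utc_timestamp) from one constructed web-server log line."""
    match = LOG_RE.match(line)
    if not match:
        raise ValueError(f"unrecognised log line: {line!r}")
    return match.group(1), parse_ts(match.group(2))


def lookup(ip: str, at: datetime, now: datetime,
           allocations=ALLOCATIONS, retention_days: int = RETENTION_DAYS) -> dict:
    """Find the subscriber who held `ip` at instant `at`.

    Returns {"status": "found" | "expired" | "no_record", "subscriber": ...}.
    `now` is the time the request reaches the ISP; if the event is older than
    the retention window the record is treated as already deleted.
    """
    if now - at > timedelta(days=retention_days):
        return {"status": "expired", "subscriber": None}
    for rec_ip, start, end, subscriber in allocations:
        # Half-open interval: a lease ending at 20:00 hands the address to the
        # next subscriber at exactly 20:00, so boundaries must not double-match.
        if rec_ip == ip and parse_ts(start) <= at < parse_ts(end):
            return {"status": "found", "subscriber": subscriber}
    return {"status": "no_record", "subscriber": None}


if __name__ == "__main__":
    # Constructed victim log line: local time with a +02:00 offset, which is
    # 20:15 UTC and therefore falls in SUB-0002's lease, not SUB-0001's.
    line = '203.0.113.45 - - [2012-03-01T22:15:00+02:00] "POST /login" 200'
    ip, at = parse_victim_log_line(line)
    print(ip, at.isoformat())
    print(lookup(ip, at, now=parse_ts("2012-03-10T00:00:00Z")))
    print(lookup(ip, at, now=parse_ts("2012-09-01T00:00:00Z")))
```

The offset handling is the part worth copying: had the victim logged `22:15` with no zone and the investigator assumed UTC, the lookup would have returned SUB-0001, the wrong subscriber. The retention check makes the article’s point about time concrete; the same query made six months later returns nothing at all.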

Simon Heron is Internet Security Analyst at Network Box (UK), a managed security company, where he is responsible for developing the overall business strategy and growth. Simon has more than 16 years’ experience in the IT industry, including eight years’ experience in Internet security. During this time he has developed and designed technologies ranging from firewalls and anti-virus to LANs and WANs. Prior to Network Box, Heron co-founded and was Technical Director of Cresco Technologies, a network design and simulation solution company with customers in the U.S., Europe and China. Before that he worked for Microsystems Engineering Ltd as a Project Manager, where he implemented network security for the company.