Catching a hacker... how much does media play upon public ignorance?
We often hear about evidence, hackers being caught, and other operations that allege to prove who the culprit is. We immediately hear that the NSA, CIA, FBI, (insert alphabet agency) is on it and will have an answer soon. As someone who actually has been using the internet for a long time, and who deals with security issues on a regular basis I believe most of this is the media being used to pull the wool over the eyes of the people due to their ignorance of how the internet actually works.
I've written about this before specifically focused on the Russian hackers. This post I instead want to try to demystify some of what it actually would take to catch the actual "hacker".
If the Hacker is stupid
If the hacker is stupid and does not know what they are doing, or are perhaps simply a script kiddy (someone who uses tools made by other people to do all the work and may not actually be able to do it themselves without those tools) then you might be able to prove who that hacker was and what they were doing from a single incident. It should be noted that script kiddy does not mean stupid. Why make your own tool if there is already one out there that works? This frees your time up to focus on making tools that can do more, or other things. So my use of the term was not intended as "derogatory" but more describing a difference between those that make their own tools, and those that use tools made by others.
When you make a connection over the internet it will show the port you came in on, and the IP address you originated from. There are other details too, but most of those you do not need to know for this simple explanation.
So this stupid hacker would jump from their OWN location, or a location they frequently are at and the IP address could lead back to them.
The other method is if they leave their name or something that identifies them in all of the commands and files they manipulated in the server. That would be like me saying "Deva Winblood" was here. Using a handle and leaving something like "CoolBadAss" is stupid too, because if you use that handle anywhere else it can be something to eventually use to identify you. It is kind of like leaving "Gucifer 2.0" in the files somewhere. It is tagging. That is stupid if your goal is not to get caught.
It should be noted that the presence of this data is not definitive proof either. If I was a hacker and was pissed at another hacker I could do the equivalent of SWATTING and plant your name and handle in my hack. Thus, I put another hacker in the spot light by using their name when I hack.
Let's assume they are not that dumb
So what type of evidence can we collect?
IP ADDRESSES, PORTS, and TIMES.
We can also look at logs to try to determine what activities and actions they did when they were on the system, assuming they did not clean up after themselves. Yet this will be them typing commands. It will not be them saying "Hi, I'm Gucifer 2.0" unless they are stupid (see my earlier post).
The IP Addresses will be owned by someone. The IP Address blocks are usually registered at ARIN if you are in North America, and other countries have a different registry. Using a WHOIS tool you can see who owns that IP address. It will be part of a block. The smallest block a company can register is a /24. This is 256 addresses.
So that IP Address will come back as COMCAST.NET or something like that.
You can then reach out to COMCAST and see who has that and they can check their records and say it is a specific client if it is a static IP (doesn't change). If it is DHCP (assigned dynamically and can change) they can use the time the IP was used with logs and likely tell who that client was.
The client might have a block of IPs they get from Comcast. The client also might be something like a Starbucks or a Motel. Now you know the general location it supposedly happened at, but it is a site that serves many people and they likely connect through local DHCP... so odds of you knowing who it actually was is unlikely. This is true in terms of piracy as well as hacking.
Yet if they know what they are doing and they are hacking then this location will actually have NOTHING to do with the hacker.
What the smart hacker does
The smart hacker will have over the weeks, years, etc have spent time in hacking into as many places as they can AROUND THE WORLD. They will keep a list of machines they have compromised. It is very likely they will have gotten some level of login access to some machines or devices.
The smart hacker will login to one of those devices (possibly in a completely different country) and use something like SSH or TELNET to then attempt to hack their desired target. Their desired target will see the IP address of the device/location they are SSHing from.
Yet they can take this further. They can connect to a device they have compromised, from there SSH/Telnet into another device, from there another, and another, and then go for their target. This means even if you attempt to trace the IP back by finding where it happened, painfully examining logs, security cameras, and anything else all you'll find is the next IP. You'll need to repeat these steps.
Wait it get's better
If you get enough access you can use a Virtual Private Network (VPN) in part of your travels and some VPN clients intentionally are designed to drop all logs. Once the trace hits that node in the trail the trail goes cold, because you no longer know the next IP address. This is how TOR, Onion Routers, and the Darknet, etc. operate. They use routers that were intentionally design to pass traffic but keep NO RECORD of it.
So they claim to have evidence?
Based upon my knowledge such a claim is unlikely unless their target is really stupid and inexperienced. It is far more probable that the story being presented is a bullshit cover, or smear story.
How can they catch them?
Basically, they need to catch them making a mistake. This will not be from examining a compromised machine. It would require a coordinated sting, and setting up things like Honey Pots (machines intentionally designed to be compromised that then allow you to monitor and attempt to trace the hacker while they are performing activities on the machine).
You can then get the general area and might trace it to a final IP, yet even that does not prove it was a specific person. You would need to continue your sting, and eventually execute something like a search warrant, and you would need to find the incriminating material on an actual device owned by the person, or burst in while they are in the ACT. Then you will have caught your hacker.
If the hacker does something like blackmailing someone for money, etc then you can trace the money too. Yet if there were no money transfers done related specifically to the hack you cannot use that method.
What does this say about the Russian Hack?
I truly believe it is total fabricated bullshit. It is a smear campaign and they have no actual evidence. If they had the evidence it would not compromise national security to share it. The very best information they likely could get is the IP ADDRESS of the first hop that accessed the server, and a log of the commands that were typed in (if those were not wiped).
Yet that would require them having access to the servers, which reportedly the FBI has not been given. So is it possible they have EVIDENCE in such a situation? Not real evidence. It is not possible under those conditions. They could have FAKE made up evidence.
Now as I said in my post. Let's say they provide a Russian IP address... That is meaningless. A stupid hacker would use that. If I compromise a Russian machine from my house I can then SSH from that machine back to the U.S. and it will say the hacker had a Russian IP address. It by itself is meaningless. Proof in the hacking world requires a VERY STUPID mistake, or catching them red handed AT THEIR LOCATION PHYSICALLY in the act.
You decide who you think is pedaling the #fakenews...
Steem On!
There's a couple big assumptions here, but your biggest assumption is that all the evidence they have is "technical."
Was just listening to a presentation from a security expert yesterday amd his opinion, as someone who has handled security for the government, DNC and GOP, is that all the major countries can hack each other because everyone is good on offense but shit on defense. Take that for what you will.
Actually no that is not my assumption. (all technical)
My assumption is that you need to catch the person red handed if all they have is technical.
Because technical doesn't prove shit... I can fake it, so can anyone else. The fakes would be indiscernible.
So in the non-technical which I mentioned some.
#1 - Spending money, receiving money related to the hacks
#2 - Surveillance and catching them actually in the act
Someone else saying it is TRUE or that they KNOW it is true does not meet the burden of proof.
You could get a witness that might say "I saw them do this when I was at their house", "or I heard them bragging about it", "or I saw them get paid for it" and you might have non-technical.
Yet the technical evidence can be spoofed and is really not proof of anything. This is especially true if the hacker is even slightly good. Only an idiot would do the stupid things. If this is "Russians" hacking I assure you they are not stupid.
Except you only "disproved" the technical pieces and then declared the whole thing a "smear campaign."
I'm guessing the British spy isn't relying on any technical data, there's also evidence of financial ties and other things. I'm sure the info hasn't been released because it is comprised of much more than some IP addresses. The bottom line is we know for a fact the hacking occurred, the only real question is who and why... and there's evidence even the public has of his ties to Russia.
I decided I'd go look to see if there were any other technologists talking about this, as my posts have been based upon my personal experience monthly of dealing with actual hacks.
I am just grabbing these enmass so please don't use a logical fallacy of saying "You linked a video from X, that completely discredits you." You have not done this yet, but it is a common logical fallacy I see employed. I could like a "Where's Waldo Video" and that would not discredit me. That particular video may be worthless, but that doesn't make everything else guilty by association.
My information is apparently NOT good enough, so that is why I am linking other videos. I haven't watched them all... so I may not agree with all of it.
There is more... and I don't expect you to believe it because there are a lot of people that believe or do not believe it. That is called a bandwagon fallacy when proof is based upon quantity of people.
My reasons are purely because I know what to look for with hacking. I know what type of information we can get.
Sadly it doesn't prove anything unless we literally monitor it while its happening, perform a sting, and catch them in the act.
Way too easy to fake, and IP addresses can be supplied for any country...
I don't know if these reports that a Government IP (U.S.) was involved. Keep in mind, that could still be some other country compromising another U.S. agency computer, and then hacking from there as one of it's hops. So even that can't smear the U.S. as being the source. IP Address doesn't prove anything.
And again, you're only talking about the technical side which you also claimed can't prove much. I'm saying they have other evidence.
And I'm saying they need to put that information up.
If they don't it is agencies that have lately quite often proven "untrustworthy" telling us to "trust them".
Appeal to authority much? (Not saying YOU... this is what they are using)
Really. I'm not sure of anything.
It's not like I have any doubts these agencies and the government has lied before.
I can't say the same for Wikileaks. That is where it started when they were clear about their sources not being Russia or a State 4 months ago long before this hacking scapegoat stuff started. Yes, that is partially why I am saying that. I've watched them SAY the election failed because of X. People didn't buy it. Then the election failed because of Y. The people didn't buy it and no proof to support it. And we could pretend hacking is Z.
This seems to have some sticking power. The other topics tended to be things the average citizen can relate to. Hacking is a good topic to pick because most citizens (and most JUDGES in court) are pretty ignorant of how it works.
If we are talking HACKING then that is a technical act. Therefore, if that piece is disproved then why wouldn't it be a SMEAR CAMPAIGN?
We're not exactly talking about baking a cake, getting dressed, brushing our teeth, and doing exercise.
Hacking to most people is only what they see on TV or in Movies. This is not even close to real, partially because the REAL stuff would make for incredibly boring TV and Movies.
So now you have an AUTHORITY who has already made numerous claims that were false, suddenly saying the Russian Hacked the election...
First... HACKING is technical. So that leaves the server for the DNC which the FBI was not given access to, OR the voting machines themselves.
Yet they have stated the voting machines are not compromised.
Leaking the TRUTH is not hacking.
Telling a story is not HACKING.
Russia was suspected immediately, long before the person trying to affect the election tried to deflect the accusation by claiming it wasn't Russia.
Except you didn't disprove it, you claimed it was impossible for that to be enough evidence by itself.
Meanwhile the intelligence community is analyzing intercepted communications: https://www.nytimes.com/2017/01/19/us/politics/trump-russia-associates-investigation.html?_r=3&utm_source=fark&utm_medium=website&utm_content=link&ICID=ref_fark
Complete and utter non-sequitor. Voting machines are far more secure than DNC servers.
And you're just confusing the issue even more. The "truth" that was leaked was obtained by hacking. Moreover the "truth" was told only about one side, and then blown way out of proportion with people taking things out of context or making wild logical leaps about the contents. Such as Podesta receiving an email by a UFO enthusiast leading people to believe Hillary was talking to aliens.
Oh I thought I should say... I am only disputing the HACKING charges...
I do not dispute Russia trying to help Trump win. I have no doubt they may have used propaganda/news to do that. I am disputing the hacking claim, because it is highly improbable.
I am sure they tried to use propaganda and speeches to sway interest.
Yet, this is normal and has happened throughout history. It is nothing new.
We do it in every other countries elections. In some cases we are even worse.
Yet those LEAKS were TRUE information. That was not disputed. They were proof of corruption and collusion.
I don't care who it came from if it is true.
But the hack absolutely did happen. We even know that it was because Podesta fell for a phishing scam... even when Assange claims it was an insider that wopuld essentially be a "Spock lie" since Podesta was an insider but did not do it purposefully, and instead fell for a common hacking technique.
Except, not nearly as much as people think t hey were. Take the "stealing the election from Bernie" part. Literally all the email said was that they preferred Hillary, nothing whatsoever was shown in terms of them actually doing anything about it.
This is literally taking a thousand documents, throwing them at the public and claiming whatever they want about the contents knowing most people won't even look at all the documents while the die hard GOP supporters will read anything into them they want.
Wow. You REALLY should go back and read those from the time they were released. If you cannot SEE the collusion and that it was talking about actions, then I may be wasting my time discussing these things with you.
I read quite a few of those emails and was very surprised. They indeed DID speak of actions to take, and steps to take.
It wasn't simply "we don't like Bernie".
That definitely was not what got all of the Bernie supporters pissed off. I think that people knew that the established DNC preferred Hillary without needing any leaked information. That was pretty obvious.
Thanks for this, very well thought out post. I was just talking with @aprilangel yesterday about how the internet worked. She was under the assumption that if all the satellites went down we would all lose internet. Apparently a lot of people think this is the case.
Satellite internet has super high latency.... It can send a ton of information fast, but the clicks between you clicking a link and it then sending you a flood of information are very high.
If the internet used satellites for all of the communication most online gaming would not work, VOIP telephone calls would not work, and many other things would not work.
I used to install satellite internet connections in the mid-2000s. Getting ping times from 1000 - 2000ms was not uncommon.
I once tried to play Unreal Tournament over such a connection. I saw the guy on the other side of the map, aimed, and fired.
Two seconds later the screen updated and I was dead on the ground with the other guy nowhere in sight. :)
I assume there are some satellite services that use some new technology to help reduce this latency, but traveling that distance between earth and the satellite and back cannot get rid of this latency completely due to physics. :)
Most of the internet is on the ground copper, and fiber connections, and some going along the ocean floors.
EDIT: and I assume you already knew all of this... I was just expanding upon your information.
No, I had a general idea but was not for certain. Lol at that lag, that is a serious real world issue. I try not to take it for granted though, my dial-up gaming days are not that far in the past. Have you come across any ubiquity products? Their air fiber is very interesting and somehow creates a data transaction point in the middle somehow, but then again I have no idea what I am even talking about. This information is based on an info graphic I saw.
No I deal with stuff that has to be super reliable, guaranteed speed, and guaranteed latency these days. I am in the VOIP business, so I haven't dealt with that product.
I used it to give internet to a family friend that lives a few blocks away. Need to write a post about it, super hack!
Again, hollywood is a conspiratorial culprit in the deceiving of the people.
If you listen to hollywood about computers, law or finance, you have been duped. Meaning, you may think you know something... because, isn't the movie based on real lifeish? You think you know something, but everything you know is misleading, wrong or worse.
Take for instance that awful show about law, CSI (or one of its look alikes) where you have the investigative forensic specialist who compulsively goes over 8 files to see if he is missing something. Imagine real life, when the chief comes in and sees him doing this, and then points to the heavy cart full of files and ask, why are you wasting your time, when none of these have even been looked at?
And hollywood never tells you that hacking is so common is because it is so bloody easy. Microsloth winderz should come with a sticker that says virus inside. IE literally says, install virus here.
And the entire financial industry is for the hackers. They have no security. They make money off of losing money. They would rather have you pay fees then ever pay your bill. Sending out a new card to a thief makes them money. So, they leave you paying for a service to watch your account, instead of having the toughest security on everyone's account.
Yes, absolutely all of Hollywood is part of a conspiracy to cover up the reality of hacking. It couldn't possibly be that writers just don't know much about computers or that real hacking would be boring as shit to watch.
Good perspective. All of the suspected Russian "hacks" came from a Russian IP address. I think if the Russians were smart enough to hack us, they'd also be smart enough not to use their own IP address. Most if not all of the supposed hacks turned out to be leaks. The ones from the DNC were leaked, most likely by Seth Rich who turned up murdered. What really baffles me is that although I know NOTHING about computers, I know the difference between a leak and a hack. Most other Americans seem unable to make the distinction. Good job as with all your posts!
Russian hackers can likely get away with hacking entities in a foreign country. Chinese hackers do the same thing. Cyber militias exist and states sponsor hackers specifically to do that. If your government sponsors you then you have nothing to fear with regard to being caught because you're politically permissioned in a plausibly deniable scenario.
The fact is it is illegal but in warfare the laws get broken by combatants. Soldiers in war don't abide by civilian laws. As far as who is responsible for a specific hack? It's a matter of who would have the most to gain and who benefits from it because it might not be possible to determine exactly who was responsible.
I have the impression this 'news' got you deep, hasn't it?
Heheh... I am not quite sure what you are asking.
It has gotten me angry at how they are spinning stuff that totally cannot be true and it is clear they are playing on the fact that most people have no clue how this stuff works, so they simply take their word for it.
It's like me using a lego set... building a little lego house and telling you I am engineer and can prove why the World Trade Center collapsed because of my extensive experience with legos.
I am not asking anything. I had just the impression the mes around this 'news' was upsetting you a lot.
Not too bad. My concern more was that they were playing upon the ignorance of people about how the internet actually works and what evidence would be required for hacking. So I felt it was worth sharing that information so that they would now possibly know.
Sure! At least I appreciate it :)
When you make your own tools your write software in a way which is unique just like a fingerprint or signature. This means if someone can find a copy of the software you wrote and that software was used in a hacking situation then you could be targeted by law enforcement. So just being able to write your own software is sort of meaningless.
In terms of covering your tracks, depends on how high profile your hack is and who you hack. If you are foolish enough to be a US citizen and try to hack the FBI or any government agency then don't expect not to get caught. On the other hand if you hack some obscure computer halfway across the world and they don't have the resources to dedicate to finding you then maybe you won't get caught.
The hackers who tend to get in trouble are the hackers who bite off more than they can chew.
Sure... writing software does not mean you used it to hack. You didn't make the web browser, but you're using it. You didn't make a word processor, but you probably use that.
That might have been your point.
As to hacking the FBI and such... if someone were doing that they would first hop through multiple countries then come at the FBI. The internet does not actually work the way it shows on tv and movies, and tracing internet traffic is not at all like tracing phone calls. There is none of this... keep them using the server for another minute.
You literally have to contact the people controlling the servers (unless you've hacked them)... pull their logs to see where connections came from... that will give you the next hop. You then go to that server... get access... pull logs... and repeat.
If they are smart and one of those servers happens to be a TOR, or Onion Router then there are NO LOGS.
You cannot catch them without compromising enough of those and setting up a long term sting. You can't do it from looking at a few servers after the fact unless the hacker in question was a complete moron, or IF the information is planted to seem legit to the public who have very little clue on how this stuff works.
When dealing with certain agencies which don't necessarily follow rules of law then it's more you have to prove you didn't. If you are a Russian who created a tool which just happened to be used in the DNC hack then nothing is going to stop the NSA and others from targeting you. No one will be able to protect you, your privacy will be lost for the rest of your life, and whether you had something to do with it or not isn't going to matter.
In a drag net it's guilty by association. You know the person who knew the terrorist? You made the tool which only serves the purpose of exploiting weaknesses in security and you happen to be from the same country as the IP addresses connected to the hack?
Do you really think you could prove your innocence in that scenario to the NSA?
Oh, yes I am aware of that. That is exactly what they would do as well.
The purpose of my post was mainly to shed some light on the way this stuff actually works so that people that don't deal with it on a regular basis will have a better context to make comparisons when there is talk about so-called evidence.
I have no doubt the agencies will do what you said. That is how they usually work. It's like Windows being used for hacking a server, so they blame Bill Gates or someone at Microsoft. If they can get away with it and it fits with their desired outcome they will definitely do it.
It will be harder for them to get away with though if more people know when it is likely bullshit or not.
I accept that I do not have access to the information to form any strong opinion on these subjects. The people who have security clearances are giving mixed reactions and providing me with no evidence. Unless I have a security clearance I have no way to know if the Russian government had anything to do with the DNC hack even if the hack were done by Russian citizens or Russian IP addresses.
Basically if the evidence is classified we have no way to form a conclusion on incomplete information. We can form conspiracy theories until enough information is released that we can narrow down the likely scenarios. The only thing very likely is Russian hackers did it, but the links to Putin and other stuff we don't have evidence for yet.
Correct... yet as a person (me) who does deal with hackers on at least a monthly basis I can and am telling you the type of information that is transmitted over the internet.
So you have IP Addresses and Logs as possible if you get access to the server, but that IP address could and likely is just the first HOP if the hacker has the slightest clue what they are doing.
The other thing you could have is testimony from someone in Russia that saw it, if those are strong testimonies.
You could also trace money if there was any exchange of money for the services.
The government hides TOO OFTEN behind things being classified these days.
I can think of no reason for this information to be classified. Not a single reason.
I don't buy into Appeal to Authority, and I know quite a lot about this aspect of security.
I do know if they are monitoring and trying to catch someone in the act, steps can be taken. After the fact though it doesn't really mean shit.
It'd be pretty easy to spoof and mock up IP address data, I can do that. Yet it won't prove who did it.
Hell until about 20 years ago I could send email saying it came from the whitehouse, I could even make it look like it came from Obama. They patched the issues with that... added a lot of security to lock that down.
Yet the rest of the internet was designed just as much without security as an issue on the basic IP traffic and doesn't really carry enough data to tell you everything you'd need to have to track someone after the fact.
I have similar knowledge to yours but the point I make still stands. I recognize the limits to my knowledge and am aware of my own ignorance. I do not have access to the classified information necessary to form an opinion on what happened. It is for lack of a better phrase a case of he said she said.
Maybe if politicians weren't so willing to lie to us it would be easier but the fact is that there could be political motivations behind some of what they say in the media. So we have different hypotheses about what could have happened and you can come up with evidence to support them. My current opinion is that it is likely the hackers were Russian but it's unknown whether or not they were state sponsored or had anything to do with the Russian government.
When I see news articles which say Putin ordered it or which talk about sources with access to classified information leaking to the press it is very hard for me to know what is or isn't true under those circumstances. My own logic would conclude that it is very likely that hackers made a mistake and the IP address or other information such as the tools used could link them to Russia. It doesn't from that information alone mean anything else.
Your hypothesis makes sense. So does the hypothesis of the other side who claim the Russian government authorized it. But unless I personally have access to the classified information or they release a declassified document so I can see with my own eyes there is no basis for me to form a strong opinion. My official stance is I do not form strong opinions with incomplete information.
I can respect that. I more or less agree with you. My doubts mainly form from a few things.
So is it possible the Russians hacked the DNC server... Sure. I ask you how can the FBI know this with proof though when they have not been given access to the DNC server?As far as Tor goes, I don't think Tor is as anonymous as people think. I'll go on record and say I do not think Tor can protect a hacker from the capabilities of the NSA or from the FBI. Too much can go wrong in the hardware and software even if Tor were implemented perfect. By design Tor is also flawed because it is vulnerable to stings and other attacks.
It is not perfect. It can be compromised but you need to plan for it. That is why I say a sting. You have to catch them in the act.
It cannot be done AFTER THE FACT like would be the case with these so-called Russian hacks.
I suspect it is being monitored continuously by the NSA and many other agencies. I also suspect many hackers who even download Tor from the official website are under some kind of monitoring just based on that. Of course I cannot prove anything I say so take it with a grain of salt.
Also TOR was just an example. TOR is just one networking stack designed not to keep logs, and to strip identifying information if possible from packets (it may not even do that). It is totally possible to role your own stack and build your own anonymizer if you compromise a machine with root access. You'd have to know what you are doing, but it is doable. So TOR is the most common and well known, but it does not use specialized hardware, it just uses techniques developed by that community and working on THEIR agreed standard.
I am not saying this happened. I am merely expressing it as an option.
In reality if it were a Russian citizen hacker they would probably use TOR. If it was a Russian State hacker and they were good I doubt they would. That is total speculation. That is all we can really do without access to information.
Yet I also do not believe this should be pushed like it is in the news PUBLICLY if it is classified.
It is then stirring up hostility and conflict with the only thing backing it being "trust us because we say it is the case" by entities that have proven untrustworthy.
The way you counteract it is by monitoring packets at various points around the world. If you can find the same pattern at different points and monitor it traveling for a bit you can use that to eventually identify entry and exit points from TOR.
Then you have to go through the process of talking to server admins, getting access to logs, etc.
There is no simple TRACE THIS ACTIVITY back to its origin unless you have compromised every hop between point A and B and know to be looking for it.
This post has been ranked within the top 50 most undervalued posts in the second half of Jan 17. We estimate that this post is undervalued by $6.47 as compared to a scenario in which every voter had an equal say.
See the full rankings and details in The Daily Tribune: Jan 17 - Part II. You can also read about some of our methodology, data analysis and technical details in our initial post.
If you are the author and would prefer not to receive these comments, simply reply "Stop" to this comment.