About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander. All opinions are my own unless explicitly stated.

Monday, December 13, 2010

Tracking cyber criminals

Whenever there's a cyber attack, one of the most natural questions is "who is behind it?"  That's a critical question to answer, because the answer determines the reason for the attack and the damage that's done.  For example, if your intellectual property is stolen by a competitor, the risks are much greater than if it were stolen by an amateur hacker just poking around.  Both are dangerous, of course, but one is much more dangerous than the other.

Not all cyber attacks are equal: some are relatively straightforward to attribute, while others are far more difficult and may be impossible.  For example, take a standard Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack, such as the ongoing attack by Wikileaks supporters against organizations that they perceive as censoring Wikileaks.  They have been using a free utility called Low Orbit Ion Cannon (LOIC), a tool designed for stress-testing websites (seeing how they perform under load).  Since LOIC is intended as a testing tool, not a criminal one, it has no anonymization features built in.  That means that if users do not take steps to disguise themselves, it is trivial to track them down.  A couple of people associated with these attacks have already been arrested for this exact reason.

To understand how this happens, let me explain a little about how the Internet works.  Over the years, there's been significant discussion about IP addresses.  IP addresses are part of the Internet Protocol, and their function is to direct traffic to and from its destination.  When you type a URL into your browser's address bar and hit enter, your computer contacts a DNS (Domain Name System) server to translate the human-friendly domain name into the server's IP address.  It then contacts that server to initiate a TCP/IP connection, and if that succeeds it sends the request for the web page.  All communication from your computer to computers on local networks or the Internet is sent as packets, each of which carries information such as the destination IP address, your own IP address (so the other computer knows where to send its replies), the item requested (such as a web page), and other information not relevant to this discussion.  If you're using your home computer, your IP address is assigned by your ISP, and if that IP address is implicated in a crime, law enforcement can contact your ISP to find out who it was assigned to.

Now, for a DoS attack, there are several options criminals can use to cover their tracks.  If they use a cybercafe or an open wireless access point, they can launch their attacks from there, and the source IP address on the traffic will then be the one belonging to the business they're using.  However, this isn't perfect.  If the business records the names of its internet users, it's no more anonymous than using your home computer.  In addition, a wireless access point records information about your computer (the computer name and the MAC address of your network card) in order to route the web pages back to your computer, and that may allow tracing the attack back to your computer.

However, that only catches the ignorant criminals.  Skilled criminals will build or rent a botnet to commit a DDoS attack.  These attacks use computers that the hackers have taken over with viruses that the victims unintentionally downloaded.  Skilled law enforcement officials can sometimes track down the hackers involved.  I don't know the methods involved, but since most successful investigations I've heard about were of hackers in Western nations, I expect it relies on cooperative ISPs.  Other criminals use anonymization services such as Tor to commit a DDoS attack.  One interesting DoS method I've heard of involves forging your IP address.  Since an attacker in a DoS attack doesn't actually need the web page sent back to him, he can set the source IP address on his packets to someone else's.  For example, in a reflected DDoS attack, an attacker sends an "Echo" request to a network's broadcast address.  Essentially, this asks every computer on that network to reply with an "Echo" packet, which is normally used to test connectivity.  But if the source IP on the "Echo" request is forged to be the victim's IP address, the entire network sends its replies to the victim's computer.  This particular attack has been around for a while, so most networks have changed their configuration to prevent it.  Still, it's an excellent example of how attackers try to cover their tracks.
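The forged-source reflection attack in the paragraph above is easiest to understand from the side of the network whose hosts are being used as reflectors. The following Python script is an added example (not from the original post) that checks simplified packet records for the signs an edge router on that network could look for, and for the two configuration changes that stop it: not delivering echo requests sent to the directed broadcast address, and the ingress/egress source-address filtering described in BCP 38. The 192.0.2.0/24 network and the packet records are constructed sample data, and the record format is an assumption.

```python
"""Detect the directed-broadcast echo reflection attack and forged source addresses.

Added example, not from the original post. The network and packet records are
constructed sample data in a simplified (dir, src, dst, proto, type) form.
"""
import ipaddress

# Constructed: the network we defend, as seen by its edge router.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

# Constructed packet records at the edge router. "in" arrives from the
# internet, "out" leaves toward it. 203.0.113.50 plays the victim whose address
# the attacker forged; 198.51.100.1 is an ordinary outside host.
PACKETS = [
    # Forged echo request: source claims to be the victim, destination is our broadcast.
    {"dir": "in", "src": "203.0.113.50", "dst": "192.0.2.255", "proto": "icmp", "type": ECHO_REQUEST},
    # Our hosts all answer the victim: one packet in, many packets out.
    {"dir": "out", "src": "192.0.2.10", "dst": "203.0.113.50", "proto": "icmp", "type": ECHO_REPLY},
    {"dir": "out", "src": "192.0.2.11", "dst": "203.0.113.50", "proto": "icmp", "type": ECHO_REPLY},
    {"dir": "out", "src": "192.0.2.12", "dst": "203.0.113.50", "proto": "icmp", "type": ECHO_REPLY},
    # A normal ping from a local host to a single outside address.
    {"dir": "out", "src": "192.0.2.10", "dst": "198.51.100.1", "proto": "icmp", "type": ECHO_REQUEST},
    # A packet leaving with a source address that is not ours: forged.
    {"dir": "out", "src": "203.0.113.77", "dst": "198.51.100.1", "proto": "icmp", "type": ECHO_REQUEST},
    # A packet arriving from outside that claims one of our own addresses: forged.
    {"dir": "in", "src": "192.0.2.10", "dst": "192.0.2.11", "proto": "tcp", "type": None},
]


def _is_icmp(p, icmp_type):
    return p["proto"] == "icmp" and p["type"] == icmp_type


def directed_broadcast_requests(packets, net):
    """Echo requests from outside addressed to our broadcast address.

    One such packet makes every host on the network reply to whatever source
    the packet named. The fix is a router that does not forward directed
    broadcasts, so these packets never reach the hosts."""
    bcast = str(net.broadcast_address)
    return [p for p in packets
            if p["dir"] == "in" and _is_icmp(p, ECHO_REQUEST) and p["dst"] == bcast]


def egress_spoofed(packets, net):
    """Outbound packets whose source is not one of our addresses (BCP 38 egress
    filtering). Dropping them at the edge stops this network from being the
    origin of forged-source traffic."""
    return [p for p in packets
            if p["dir"] == "out" and ipaddress.ip_address(p["src"]) not in net]


def ingress_spoofed(packets, net):
    """Inbound packets claiming one of our own addresses as source; a packet
    from the internet can never legitimately carry an internal source."""
    return [p for p in packets
            if p["dir"] == "in" and ipaddress.ip_address(p["src"]) in net]


def amplification_factor(packets, external_ip):
    """Echo replies sent to external_ip per echo request received from it.
    A factor well above 1 means our hosts are reflecting traffic at that address."""
    requests = sum(1 for p in packets
                   if p["dir"] == "in" and _is_icmp(p, ECHO_REQUEST) and p["src"] == external_ip)
    replies = sum(1 for p in packets
                  if p["dir"] == "out" and _is_icmp(p, ECHO_REPLY) and p["dst"] == external_ip)
    if requests == 0:
        return float("inf") if replies else 0.0
    return replies / requests


if __name__ == "__main__":
    for p in directed_broadcast_requests(PACKETS, LOCAL_NET):
        print(f"directed-broadcast echo request from {p['src']} to {p['dst']}")
    print("egress spoofed:", [p["src"] for p in egress_spoofed(PACKETS, LOCAL_NET)])
    print("ingress spoofed:", [p["src"] for p in ingress_spoofed(PACKETS, LOCAL_NET)])
    print("amplification toward 203.0.113.50:", amplification_factor(PACKETS, "203.0.113.50"))
```

Two things fall out of the sample run. The attacker's own address never appears anywhere in these records, which is exactly the attribution problem the post describes, and the amplification factor (three replies for one request here, far more on a real subnet) is why the reflector network, not the victim, is where the attack is most cheaply stopped: a router that drops directed broadcasts and filters source addresses at its edge can neither be used as a reflector nor originate forged traffic.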

Botnets pose significant problems for determining the origin of an attack, since the computers doing the attacking are under the control of assorted "Command and Control" servers, which are likely not even directly owned by the hackers.  The control servers can be IRC bots, Twitter accounts, blogs, webmail accounts and/or Google Groups.  One can even be a rented "virtual computer" on a system like Amazon's EC2 cloud servers.  Modern botnets have multiple redundant control servers, so when the primary set is taken down, secondary servers pop up.  Many of these avenues can be set up anonymously, making it difficult or impossible to trace back to the original hackers.  "Shadows in the Cloud" is an excellent example of a detailed analysis of a botnet.  Even though the security researchers took the place of a command and control server and accessed the hackers' email, they were only able to pin the servers down to a particular location in China.  That provides only circumstantial evidence of who is responsible for the attack.  If the Chinese government and/or ISPs were to cooperate with Western law enforcement, it might be possible to prove who was responsible, but that cooperation seems exceedingly unlikely.

Determining who is responsible for an attack is a complex and thorny issue, but I've tried to briefly outline some of the complexities.  If you'd like to know more about particular elements, or take issue with some of my claims, post in the comments.
