How to Track a Hacker

Bill O’Reilly, Paris Hilton and Sarah Palin have one thing in common, apart from being celebrities: They have all been victims of hacking.

Although the media spotlight hit all three public figures, it was Palin’s bad fortune that got the most attention. Right before the presidential election in 2008, a hacker gained unauthorized access to the vice presidential hopeful’s personal email account, gov.palin@yahoo.com. It was not hard for the hacker to figure out her security questions (her date of birth, ZIP code and where she met her husband); all he had to do was a simple Google search and a quick lookup on Wikipedia.

After accessing her account, the hacker posted screenshots of her emails on WikiLeaks and 4chan, revealing Palin’s private communications. According to Wired, which published some of the now-deleted 4chan posts, the hacker claimed he had sifted through all of Palin’s emails.

“I read through the emails… ALL OF THEM… before I posted, and what I concluded was anticlimactic, there was nothing there, nothing incriminating, nothing that would derail her campaign as I had hoped, all I saw was personal stuff, some clerical stuff from when she was governor…. And pictures of her family.”

What the hacker did not realize when he posted screenshots of the emails was that he had also exposed his own URL, which showed he was using Ctunnel, an anonymous proxy server, in an effort to conceal his identity online. His efforts were not enough, though: The URL made it possible to search the proxy server’s log files for the IP address he had used during the attack.

In addition, the hacker had posted to 4chan from an account that was linked to his own Yahoo email address. That address was easily traced back to 20-year-old University of Tennessee student David Kernell, who five years earlier had written a blog on which he posted his name and other personal information. He also had a Facebook page on which he had published his interests, phone number and political views. It did not take long for investigators to track down Kernell, who will stand trial April 20 for identity theft, wire fraud, computer fraud and obstruction of justice.

Kernell’s story illustrates how a careless hacker can be identified. More sophisticated and experienced hackers, however, are much more vigilant about the digital footprints they leave behind. But as with any other crime, there is rarely such a thing as a perfect crime, even though criminals take every measure they can to avoid getting caught, starting with the computers used in an attack.

The computers used to commit cyber crimes are often bought with cash so that they cannot be linked to a credit card. Attacking a system from a country whose authorities do not cooperate with the attacker’s own country is also very common: A cross-border police investigation is much harder to conduct than one in which only a single country is affected by the attack.

Hackers do not use their own Internet connection, but often go through someone else’s wireless network, using an insecure WLAN connection that cannot be traced back to the perpetrator. During the attack, the hacker will bounce his communications through as many IP addresses as possible: His computer connects to the target through many other systems he controls. If possible, he will also destroy the target computer’s logs to impede an investigation.

Because investigators will inevitably be able to pinpoint the command-and-control (C&C) server the hacker connected to, the attack is short-lived and the C&C servers won’t be reused. Also, a hacker will often try to get rid of evidence by destroying the computer after a completed attack.

Insecure WLAN connections create a base for cyber criminals’ attacks. As soon as a computer connects to the Internet, a large amount of data is transmitted to different servers. Simply connecting to the Internet creates a log entry at the ISP. Although not all communication is analyzed and stored, ISPs keep statistics on how much information has been sent and received from each connection point. That information can often be directly linked to whoever is using the computer in question. Some computer programs and operating systems require registration the first time they are used. Because registration usually asks for a name, phone number and email address, a direct link between the computer and its user is created. License keys for programs are sometimes bound to the computer’s specific network card or hard disk to prevent the same key from being reused.

It is also common for computer programs to search automatically for updates on the Internet; Windows Update, for example, does so automatically and frequently. Every time this happens, traces are left in log files and databases. Windows Update also identifies every computer with a Globally Unique Identifier (GUID) to keep track of which installations have been made on the computer. IP address, region and language settings are also stored, which give further clues to whom the computer belongs. IP addresses point to ISPs, which in turn can point to who was using a given IP address at a given time. If the IP address belongs to a wireless network, it is possible to identify the MAC addresses that were connected during the specific period. MAC addresses can also be used to identify what kind of computer is being used and who its hardware vendor is.
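The proxy-log search that identified Kernell, and the IP-and-timestamp correlation this section describes, as an added example that is not part of the original article: given a proxy server’s access log in Common Log Format and the time at which a proxied URL was seen, it returns the client IPs that fetched that URL within a time window. The log lines, hostnames and times are constructed sample data, and malformed lines are skipped rather than aborting the search.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy access-log lines in Common Log Format (sample data, not from the article).
# Fields: client_ip ident user [timestamp] "request" status bytes
PROXY_LOG = """\
203.0.113.7 - - [16/Sep/2008:19:41:02 +0000] "GET /proxy/mail.example.test/inbox HTTP/1.1" 200 4821
198.51.100.3 - - [16/Sep/2008:19:41:05 +0000] "GET /proxy/news.example.test/ HTTP/1.1" 200 1200
203.0.113.7 - - [16/Sep/2008:19:42:19 +0000] "GET /proxy/mail.example.test/msg?id=12 HTTP/1.1" 200 9730
192.0.2.44 - - [16/Sep/2008:22:10:00 +0000] "GET /proxy/mail.example.test/inbox HTTP/1.1" 200 4821
this line is malformed and must be skipped
"""

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

def parse_line(line):
    """Parse one CLF line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:  # unparseable timestamp: treat as malformed
        return None
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}

def clients_for_url(log_text, url_fragment, seen_at, window_minutes=15):
    """Map each client IP that fetched a URL containing url_fragment within
    +/- window_minutes of seen_at (a CLF timestamp string) to its request times."""
    centre = datetime.strptime(seen_at, TS_FMT)
    window = timedelta(minutes=window_minutes)
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or url_fragment not in rec["path"]:
            continue
        if abs(rec["ts"] - centre) <= window:
            hits.setdefault(rec["ip"], []).append(rec["ts"].strftime(TS_FMT))
    return hits

if __name__ == "__main__":
    # Assumed: the proxied URL was visible in a screenshot taken around 19:45 UTC (constructed).
    for ip, times in clients_for_url(PROXY_LOG, "mail.example.test", "16/Sep/2008:19:45:00 +0000").items():
        print(ip, times)
```

The IP this returns still has to be resolved through the ISP or WLAN owner to a subscriber or MAC address, as the text above describes; the log correlation only narrows the search.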

Catching a hacker is unlike catching a kid with his hand in a cookie jar: Skilled hackers are often so good at covering their tracks that most of them remain uncaught after launching an attack. However, to minimize the damage and collect evidence against a hacker, there are a couple of options to consider once an attack happens. The first involves shutting down the system and taking the computer to a lab where the necessary evidence can be collected. If a site has been hacked, Google’s Official Webmaster Central Blog suggests taking it offline or returning a 503 status code to prevent the site from being crawled.

The second option is to act as if nothing has happened and move all sensitive data and information off the compromised computer to another one. This approach preserves the crime scene while allowing the hacker to continue and leave behind more evidence that will be useful in building a case against him.
