How hackers avoid getting caught

Thread: How hackers avoid getting caught

  1. #1
    System_Overload
    Guest

    Post How hackers avoid getting caught

    The nightmare for Ecount, an online gift certificate service, began last year when a hacker broke in to the company's system and stole personal information belonging to its customers.

    Nine months later, the criminal is still at large. The thief has brazenly taunted executives with repeated e-mails while staying ahead of investigators, deftly wiping away his electronic fingerprints and covering his tracks at every turn.

    "We're sick to death of hearing from him," Ecount Chief Executive Matt Gillin said of the intruder, who has offered to return the information for a fee.

    Although law enforcement agencies are quick to trumpet their occasional victories against cybercriminals, they are rarely able to track down hackers sophisticated enough to pull off such complicated heists. Few hackers of this caliber are arrested, and fewer still spend time behind bars.

    The resulting frustration for investigators, companies and consumer victims raises a question that has persisted for years: Why are hackers able to elude capture so easily? The answer, according to security analysts and fraud investigators, is that the Internet has bred an elite class of criminals who are organized, well funded and far more technologically sophisticated than most law enforcement officials.

    "It's a world-class business," said Richard Power, editorial director of the Computer Security Institute, a private research firm that tracks electronic crime. "Al-Qaida and serious narcotic terrorists are using credit card fraud to finance their groups."

    Fraud cost e-tailers $700 million in lost merchandise last year, says Avivah Litan, a financial analyst for research firm Gartner. Some large Internet retailers have software that screens transactions and refuses to sell to customers who appear suspicious. Litan estimates that this costs Web stores between 5 percent and 8 percent of sales.

    A Gartner study also shows that 5.2 percent of online shoppers have been victimized by credit card fraud and 1.9 percent by identity theft.

    "These are huge numbers. This is scary stuff," Litan said. "The Internet has got an albatross around its neck."

    Skilled hackers shake off investigators by shuttling between multiple servers before launching an attack. After fleeing a targeted site with credit card numbers or other bounty, the intruders immediately begin deleting the log files of each server they have passed through, eliminating any record that they were there.

    It is the equivalent of "vacuuming up the crime scene," said independent fraud investigator Dan Clements, who runs a Web site devoted to catching hackers called CardCops.com. Only about 10 percent of active hackers are savvy enough to work this way consistently, he said, but they are almost always successful.

    Having grown up with the breakneck pace of "Internet time," hackers of this digital generation use speed as a primary weapon. As with all criminal investigations, pursuing online suspects means time-consuming records searches that often require subpoenas--a process that can give hackers an insurmountable advantage.

    FBI agents can swiftly get subpoenas from the courts but often lose critical time trying to serve them. Agents can spend days sorting through digital smoke screens created by multiple servers, requiring agents to obtain and serve multiple subpoenas.

    In the meantime, valuable evidence is often lost, and by then, hackers are long gone.

    The federal government is taking steps to improve its fight against criminal activity online. FBI Director Robert S. Mueller created a new cybercrime unit in December, and the Bush administration has added 50 new federal prosecutors to address the problem nationwide.

    Still, few believe that these measures will eradicate a problem that's become so deeply entrenched. The FBI confirmed, for example, that no arrests have been made in any of six recent high-profile cases reviewed by CNET News.com:

    Playboy.com: An intruder slipped past the Web site security systems of the adult entertainment company last November and obtained the personal information of an undisclosed number of customers of the site's e-commerce store. The hacker notified customers that he or she had pilfered the information and, as proof, gave them their credit card numbers.

    Ecount: Last summer, a hacker circumvented the Internet defenses of the Philadelphia-based company's gift certificate service and notified customers of the breach in an e-mail that included their home addresses. The hacker then demanded $45,000 from the company to keep him from exposing the personal information of 350,000 customers.

    Egghead.com: A hacker infiltrated the e-tailer's system in December 2000. After three weeks of investigation, the company said the intruder did not obtain the personal information of its 3.7 million customers, but many banks said they spent millions of dollars to issue new credit cards in the meantime.

    Creditcards.com: Also in December 2000, a hacker broke in to systems maintained by the company, which enables merchants to accept payments online, and made off with about 55,000 credit card numbers. The hacker tried to extort the company and, when executives refused to pay, exposed the numbers by posting them on the Web.

    Western Union: In September 2000, a hacker exploited an opening in the Web site of the financial services company and got away with more than 15,000 credit card numbers. Human error left "performance management files" open on the site during routine maintenance, allowing the hacker access.

    CD Universe: About 350,000 credit card numbers were stolen from the online music company in January 2000, one of the first large-scale hackings of its kind. The thief, identified only as "Maxus," held the card numbers hostage and demanded a $100,000 ransom. When the company refused, the hacker posted the numbers on a Web site.

    Without commenting on these specific cases, law enforcement officials say many online merchants may be partly to blame for the lack of arrests because they do not devote enough resources to prevent intrusion or facilitate investigations in the event of a crime.

    "If there is any message to get out there, it would be for companies to upkeep their antivirus and firewall software," said Laura Bosley, a spokeswoman for the FBI's Los Angeles field headquarters.

    Jennifer Granick, litigation director at the Stanford Law School Center for Internet and Society, said security is often neglected by companies more interested in making a quick buck.

    E-commerce companies "rushed online during the dot-com boom, and they saw the money that was to be had and didn't give a thought to security," she said. "They were too busy trying to capture eyeballs to secure their sites."

    Even if they have fortified their Web sites against attack, many companies are still unaware of the importance of preserving evidence if a crime occurs--ignorance that can kill any hope of catching a perpetrator, said Bruce Smith, an investigator for Pinkerton Consulting & Investigations and a former FBI agent who worked on computer crime cases for six years.

    Frequently, Smith said, agents will scan the Web logs of a hacked company only to find a blank record that leaves the intruder's trail stone cold. Sometimes, he said, the shopkeeper accidentally destroys the logs, covering the hacker's tracks with other records. More often, the online store never turns on the logging feature to begin with because it could slow a Web site's performance.

    "You cross your fingers when you start looking at the logs," Smith said. "Sometimes you get lucky, sometimes not."

    Moreover, precious time can be lost when companies hesitate to contact authorities immediately after an intrusion. The reason for the delay is often rooted in business, not justice.

    "Fear," Smith said. "They're reluctant to admit that they've been victimized. You can imagine the bad press. Here's someone who's telling clients their information is safe at the same time their site is getting hacked."

    Security experts blasted Egghead for taking weeks to investigate whether the personal information of its customers had been compromised. A company with good logging capability should have been able to determine the extent of the intrusion within a few days, security specialists said, perhaps saving banks a cost of between $5 and $25 for each new credit card issued out of precaution.

    "I think there was some things that we wished we did before the attack," said Jeff Sheahan, the former chief executive of Egghead. "We thought we had a tight oversight system. We asked ourselves how we missed this. It was just focusing on other things and not sensing that there was a big enough risk."

    The investigation was expensive for Egghead, but the intrusion exacted a much higher price in the form of lost confidence among its customers. "When you're an e-commerce business, trust is important. I don't think there is any doubt that trust level took a hit to some degree," Sheahan said.

    Other online merchants would do well to learn from Egghead's mistakes, for the number of hackings is growing. To gauge this trend, CardCops' Clements posted fake credit card numbers on the Web and then spread the word at sites popular with "carders"--those who traffic in stolen credit cards--that a Web site had accidentally divulged the information.

    In less than a half-hour, the site had 74 visitors from 31 countries. Within a couple of days, the number of visitors had grown to 1,600. No one can say how many came to the site with criminal intent, but Clements believes most did.

    "There's a war raging online," he said, "and the bottom line is that law enforcement is losing."

    The Source



    System_0verload

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    262
    Good post, but I think someone already posted it. I was going to post this a few days ago, but I saw someone posted it or something similar to it.
    aislinn, Aria, BTBAM, chevelle, codeseven, Cky, dredg, evergreen terrace, from autumn to ashes,hopesfall, hxc, luti-kriss, nirvana, norma jean, shai hulud, this hero dies, tool, underoath, zao,

  3. #3
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007

    Re: How hackers avoid getting caught

    Originally posted here by System_Overload
    Having grown up with the breakneck pace of "Internet time," hackers of this digital generation use speed as a primary weapon. As with all criminal investigations, pursuing online suspects means time-consuming records searches that often require subpoenas--a process that can give hackers an insurmountable advantage.
    I'd rather have it so that judicial permission is needed to see my files and logs than not.

    IMO there should be a bit more emphasis on prevention in the first place, rather than trying to catch criminals after the fact.

    I don't think this has to do as much with there being any 'ubercrackers' out there which exploit things, rather bad security in general encourages exploitation.

    Now, what if servers which were proxy-possible (in that they are physically connected etc. in such a way that they can be a chain of proxies) just sent their logs to a small appliance connected to a serial port? This device would be incapable of being erased unless a physical switch was flipped. (I'm a great proponent of my personal baby idea, the hard drive with a read-only toggle.)

    Law enforcement could simply check these un-erasable logs...
    [HvC]Terr: L33T Technical Proficiency

  4. #4
    Real good post. I love reading these kinds of articles.

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    385
    Terr:
    I saw that idea in a book I read (The Cuckoo's Egg), where the author (this was real life for those who haven't read it) tied in printers onto the lines going into the computers. As the hackers went through his system -- carefully managed after detection so as not to alert them -- the printers would print out everything that happened on their line, and there was no way to detect it. Sounds like a great idea too, the only problem is that for just the one hacker, thousands of pages were printed.

    I realize the thought did not apply just to that particular method, just a warning to anyone who decides to try and attempt that.

    One way to do it (without the lovely equipment of a HDD with a read-only switch) is to program a small, cheap gateway computer to only log everything and route the messages to the other computer(s). All you have to do is make sure that it will not accept anything addressed to itself, nor execute anything, so that there is no possible way anyone can do anything to it without using the monitor, keyboard, and mouse that are physically attached to it. This computer could feasibly be used just like the printers were, except that instead of printing everything, it writes it all to the HDD.
    Preliminary operational tests were inconclusive (the dang thing blew up)

    "Ask not what the kernel can do for you, ask what you can do for the kernel!"

  7. #7
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    Yeah. The only thing to look for is when the intruder gets in (his information already logged), realizes what has happened (if he does), and then sends new bogus entries to make it look like he left and someone ELSE came on and did the deed. But at least you have something to go on, eh? It's nothing that can't already be done on a rooted box, I would think.

    And if more than one computer in a proxy chain (or intrusion incident) has this log device, then it would be fairly easy to simply search for suspects which they both contain in order to figure out if any bogus entries exist. (If the cracker is smart enough to be consistent, it would still be quite a deal to make all the timing match up.)

    I mean, it's like a blackbox for a computer! You could have the first blackbox be a governmentally-controlled 1-week long record, to appease the antiprivacy people. Law enforcement would probably love the prospect of reliable logging capabilities, should they exist.
    [HvC]Terr: L33T Technical Proficiency

  8. #8
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    "If there is any message to get out there, it would be for companies to upkeep their antivirus and firewall software," said Laura Bosley, a spokeswoman for the FBI's Los Angeles field headquarters.
    hmm this is something that's been said a million times and STILL stubborn users do not listen.. i wonder when they would start listening..
    probably when a really MAJOR hacking incident that would cause world chaos.. maybe then they would start protecting their computers properly.
    the lack of responsibility for computer security of most users is just plain pathetic...

    Home users, just coz they are not using SERVERS or big ass information computers, doesn't mean they are not potential targets.. if anyone read the "chaos" theory of an FBI agent (which i am sorry not to remember his name), you would understand..

    Chaos theory is explained this way.. a cracker/coder/hacker can send trojans all over the computers in the world.. especially home users.. and this trojan remains dormant or inactive till a certain command is given or a certain time is reached.. and once those trojans are activated, they would launch an attack, creating an army of computer zombies..

    and this is possible.. these e-mail worms are just a start.. they are the smoke which would lead to a huge fire..

    too bad not all home users are aware of that..

  9. #9
    Senior Member
    Join Date
    Oct 2001
    Posts
    385
    Carnivore boxes I would think could do it (can't remember all the specifics for Carnivore). You could use a logging program that searches all the logs in order to cut down on the manual search time (say by time/date, connection, protocols, commands, etc.). If the program is good enough, it could detect the spoofing and the address that did it, though everything should still have manual checks just to make sure the searches didn't miss anything. The essential part of the box would be that it couldn't be detected in any way, hidden as either a router, or more ideally not even there at all (as in hidden virtually, but physically present). For the latter case, it could be like a wiretap, everything split to both the main server and to it.
    Preliminary operational tests were inconclusive (the dang thing blew up)

    "Ask not what the kernel can do for you, ask what you can do for the kernel!"
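Terr's un-erasable log appliance (#3) and the log-search program suggested in #9 can be sketched together in a few dozen lines. The Python below is an added example written for this thread, not code from any poster or from a real product: it models a collector that only ever appends, hash-chains each record so that a later deletion, edit or truncation of an exported copy is detectable against the head hash the device reports, and offers a filter by host, time window and substring. The hostnames, timestamps and messages in SAMPLE_RECORDS are constructed, and the class and function names are my own.

```python
import hashlib
import json

# Constructed sample records, the sort of lines a web host might forward to a
# separate collector over a serial link (hostnames and messages are made up).
SAMPLE_RECORDS = [
    ("web01", "2002-05-10T03:12:05Z", "GET /store/checkout 200"),
    ("web01", "2002-05-10T03:12:09Z", "login failed for user admin from 10.0.0.7"),
    ("db01",  "2002-05-10T03:12:11Z", "bulk SELECT on customers by web01"),
    ("web01", "2002-05-10T03:13:40Z", "log rotation requested by user www"),
]

GENESIS = "0" * 64  # chain anchor before the first record


def _digest(rec):
    """Hash the record body (everything except its own hash field)."""
    body = {k: rec[k] for k in ("seq", "received_at", "source", "message", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AppendOnlyLog:
    """Model of the write-once collector: it exposes append(), head() and
    export(), and deliberately no delete or edit. Each record carries the hash
    of the one before it, so a later deletion, edit or truncation of an
    exported copy breaks the chain and is caught by verify_chain()."""

    def __init__(self):
        self._records = []

    def append(self, source, message, received_at):
        prev = self._records[-1]["hash"] if self._records else GENESIS
        rec = {
            "seq": len(self._records),
            "received_at": received_at,  # stamped by the collector's own clock
            "source": source,
            "message": message,
            "prev": prev,
        }
        rec["hash"] = _digest(rec)
        self._records.append(rec)
        return rec["hash"]

    def head(self):
        """Hash of the newest record; what the device reports out of band."""
        return self._records[-1]["hash"] if self._records else GENESIS

    def export(self):
        """Copy handed to investigators; a deep copy, so tampering with it
        cannot reach the device's own store."""
        return json.loads(json.dumps(self._records))


def verify_chain(records, expected_head):
    """Return (True, None) if the copy is intact, else (False, seq) where seq is
    the position of the first record that is missing, altered or out of order."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev or _digest(rec) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if prev != expected_head:  # records were cut off the end
        return False, len(records)
    return True, None


def search(records, source=None, start=None, end=None, contains=None):
    """Narrow a verified copy by host, time window and substring. ISO-8601
    timestamps in UTC compare correctly as plain strings."""
    out = []
    for rec in records:
        if source is not None and rec["source"] != source:
            continue
        if start is not None and rec["received_at"] < start:
            continue
        if end is not None and rec["received_at"] > end:
            continue
        if contains is not None and contains not in rec["message"]:
            continue
        out.append(rec)
    return out


if __name__ == "__main__":
    log = AppendOnlyLog()
    for src, ts, msg in SAMPLE_RECORDS:
        log.append(src, msg, ts)
    copy = log.export()
    print("intact copy:", verify_chain(copy, log.head()))
    del copy[1]  # someone removes the failed-login line from the copy
    print("after deleting seq 1:", verify_chain(copy, log.head()))
    for rec in search(log.export(), source="web01", contains="login"):
        print(rec["received_at"], rec["source"], rec["message"])
```

The chain only proves that a copy matches what the device recorded, in order and in full. It says nothing about whether a record the compromised host chose to send afterwards is truthful, which is exactly the bogus-entry problem Terr raises in #7; that is why cross-checking collectors on more than one host in the chain still matters.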

  10. #10
    Junior Member
    Join Date
    May 2002
    Posts
    4
    I think American businesses need a slap in the face like this; perhaps it will help them realise that they need to beef up security on the servers, because if I was a customer of any one of these sites, do you think I would keep using their service if I knew they did not have enough protection to keep my private info secure?
