Hacking Sony and getting away with it?
May 10, 2012 4:11 AM   Subscribe

The most recent Risky Business podcast included an 'opsec for dummies' segment, wherein an incident responder (one of the good guys) talks about what techniques can be successful in avoiding detection.

Lots of folks busted from Anonymous (see: Sabu) were done in by very poor operational security. Opsec, whether you're a good guy or bad, is really hard, because when you're an attacker, you don't need a specific vulnerability to get in - any one will do. However, as a defender (or an attacker trying to be undetected), you've got to do everything right. In other words, breaking in is the easy part.

There have and will continue to be sizable breaches, as well as ongoing criminal activities, in which the perpetrators haven't been caught. I'm actually impressed at the ability of law enforcement these days to bring guys down (even if they make their own opsec mistakes along the way).
posted by These Premises Are Alarmed at 4:37 AM on May 10, 2012

One of the Sony hackers wasn't intelligent enough. From the indictment, you definitely want to use proxy-servers that don't comply with the US authorities.

In general, you don't need to be a ultra confident hacker, you just need to show some common sense:

1. don't use everyday equipment, because you cannot be sure you will reliably eliminate all incriminating evidence;

2. don't use everyday accounts, (ISP, proxy, etc.) because using everyday accounts will get traced back to you;

3. don't boast about it, because that will raise attention. Your target is predisposed to not go to the authorities because exposure will likely damage their business more than your activities did. Don't make your target want to go to the authorities; and

4. don't work with anyone else, because you don't know if they'll follow the first three rules, and if they don't, they might get caught and then they will probably flip and turn you in.
posted by kithrater at 5:03 AM on May 10, 2012 [1 favorite]

I work in information security, but I am not a forensic analyst by trade. I do read a lot about it, though, and have a very strong background in network forensics and incident response, so I think I'm at least moderately qualified to speak to it.

Not getting caught in a high profile case like this often hinges on who is doing the investigation. Your standard law enforcement digital forensics jockey is incredibly, incredibly dependent on his or her tools to do the analysis.

A forensic analyst will begin by imaging a drive and using software to index what's on it. Software like Encase and Forensic Toolkit (FTK) basically scan drives for relevant data. This software doesn't just scan the files on the disk. It will also look at the unallocated space. When you delete a file, you're really just deleting what is effectively a phone-book-like entry that says file "foo" starts at point X on the disk. After deletion, data still sits at X until it's overwritten. This is the principle that undelete software works on.

So, now you have an index of a lot of stuff on a disk. What you do with it is where you prove your value as a forensic analyst. Every action an attacker takes on a system somehow changes it, even if it's only modifying a registry entry or a file timestamp. Using this data, one can construct timelines of system activity.

This can also be augmented with logs from network devices. Network flows track which computer talked to which computer and for how long. A clever analyst can make reasonable assumptions based on correlating system activity to network logs.

So let's assume you have the best case scenario -- you're able to identify what happened on your machine, and what IP was the source of the attack. There's now a good chance that you need to go through the same process on the source machine, because the attacker isn't stupid enough to do this from his personal laptop. The attacker is going to hack someone's unpatched windows box on some Verizon FiOS network and jump through one, three, or more of these devices.

So our fearless investigator needs to analyze all these upstream devices to identify an attacker, all while a) hoping that evidence on the upstream devices isn't being corrupted with normal system use, and b) balancing this with a backlog of other forensics work, and c) not making a mistake that will get everything thrown out by a defense lawyer.

Not to mention that our attacker can use tools like TOR and anonymizing proxies to further hide origins. Oh, and a really good attacker can, on any system, use tools that are only resident in RAM and never touch a disk, so if the feds turn off the machine for imaging the drive, all the evidence is destroyed.

So how do any of these hackers get caught? They get greedy or they get stupid. In a lot of cases, they'll leave custom tools they wrote on the infected system. They'll use these tools elsewhere where they are less careful. They'll re-use passwords. They'll try to get back in to the prize network or server they've compromised from other machines because they don't want to give it up. Or they'll think that they haven't been detected while the feds and the compromised corp are _letting them_ continue to be active, so they can trace communication channels back. Another good one is bragging on a message board from that personal PC of yours or posting CC numbers from a less anonymized access channel. Arrogance generally goes with the territory on the black hats.

Make no mistake, the attackers have a _huge_ advantage in this game. But smart defenders can chomp through the mounds of data pretty quickly. This is why people with strong security backgrounds and forensic skills make huge salaries, and why most police departments are staffed with someone with a 2 year degree from a community college in forensics and can't handle much more than careless child pornographers.
posted by bfranklin at 5:44 AM on May 10, 2012 [8 favorites]