The police made two big arrests in February. A Glaswegian 15 year old was hauled off for allegedly hacking into the FBI’s systems. And just days earlier another British teenager was detained on charges of hacking the AOL account of the director of the CIA.
The arrests raise the question of how the police and cyber detectives catch hackers. Because before you can catch a hacker and create strong defences, it is vital to know how the cyber criminals work. Fortunately many former officers and security companies working with the police are willing to share at least some of their secrets.
First up, catching a hacker is very, very difficult. Even a novice can hide their identity using “obfuscation” technologies. Leo Taddeo, a former New York FBI special agent in charge of fighting cyber crime, explains the problem. “Hackers use tools to disguise their IP address,” he says. “Other technologies like Tor and encryption add other layers to make it difficult to identify them. These tools are widely available. They make it a resource-intensive and time-consuming task to find hackers.”
Obfuscation tools are free and legal. They bounce traffic off multiple servers around the world. Furthermore, hackers will use only encrypted communication methods, and hide their activities using euphemisms and codewords. From this perspective, perhaps it’s a miracle the police catch anyone.
So how do police manage it? Mr Taddeo says it’s often a case of waiting for a perpetrator to slip up. “99.999 per cent of the time it is down to a mistake,” he says. “Criminals are lazy or sloppy. They may not configure a tool correctly. They are unaware they are leaving a trail for law enforcement officers.”
Greg Day, Palo Alto Networks chief security officer and board member of the UK National Crime Agency, offers an example of this sort of error. “Hackers may have an alias or tag. A few years ago a US criminal was caught after his girlfriend had the same tag tattooed on her body. She put a picture on social media,” he says. “The law enforcement officers were very keen to know why she had that tattoo.”
Even experienced criminals may get tripped up by a deed done in their callow days of youth. Andrew Conway, security researcher at Cloudmark, says: “They may not be very good at hiding their identity at first and, since the internet never forgets, this may be used to track them down later. The Dread Pirate Roberts, Ross Ulbricht [founder of black marketplace Silk Road], was caught in part because he did not sufficiently disguise his identity in the very first post he made promoting the Silk Road.”
Forensic teams search for clues in overlooked places. Guy Bunker, senior vice president at cyber security firm Clearswift, says: “One of the critical pieces to understand is that there are at least two ends to an internet exchange. [US TV cook] Martha Stewart had a run-in with the legal authorities, and a lot of that hinged upon an e-mail having a sender and a recipient. While you could delete the e-mail from one place, erasing all instances of the e-mail was too difficult.”
Employing essential tools
When the police have a potential lead they can use a few hacks of their own. Gunter Ollmann, chief security officer of Vectra Networks, says: “If law enforcement officers can install intercept software on a device used by the criminal, they can see all communications unencrypted.
“A popular tool is FinFisher, made by Gamma International. FinFisher is a commercial government law enforcement Trojan. It does everything you could possibly want, including key-stroke logging. It came to the public’s attention during the Egyptian revolution, when the Egyptian police were alleged to be trialling it.”
Undercover work plays a role. The DarkMarket credit card fraud forum was cracked by FBI agent Keith Mularski, who took the guise of a spammer named Master Splynter. Undercover officers also infiltrated the LulzSec hacking group and Silk Road.
Money laundering can offer a treasure trove of clues. The FBI has had a number of successes looking at PayPal accounts. Cloudmark’s Mr Conway says he was personally involved in the investigation of a wire fraud case. “When the secret service obtained the details of the suspect’s PayPal account, they not only had his personal contact details, but also his customer list,” he says.
But it’s getting tougher, says Mr Conway: “Now that bitcoin and other cryptocurrencies provide a means of anonymous and largely untraceable funds transfer, that means is less useful.”
Speed is of the essence
Moving fast is the key to identifying hackers. One of the most famous successes of recent years was the take-down of the Citadel botnet network. Citadel infected more than 11 million machines, with $500 million in losses. The attacks were hosted on infected servers and sent victims to rigged websites via convincing, but fake, e-mails from well-known brands.
By the time the police identified the location of the target websites, the criminals had moved on. Microsoft vowed to smash Citadel. Its team turned to e-mail security specialist Agari to track attacks in real time. With the FBI and industry body FS-ISAC joining the partnership, the criminals were traced to datacentres in New Jersey and Pennsylvania. Arrests followed and Citadel was crushed. “What is remarkable about the case is that it was led and funded by Microsoft, not by law enforcement agencies,” says Pat Peterson, chief executive of Agari.
“Only when we had a court order could US marshals seize evidence and the FBI could investigate.” Important moral here – often the best criminal detection work is done by the private sector, alone or in partnership with the police.
Naturally, the quickest way to find a hacker would be to go direct to their location. That would mean getting through the obfuscation layers of VPNs (virtual private networks), Tor routing and IP anonymisers. Impossible?
Tor in particular is considered almost unbreakable. Andrew Beckett, Kroll managing director of cyber security and former head of penetration testing at GCHQ, says: “Intelligence agencies spend millions trying to do so every year and only last year the Russian’s tacitly admitted their inability to break Tor by offering a six-figure reward for anyone able to devise a reliable technology to decrypt data sent over Tor.
“The fact remains that for all the money spent by governments trying to break Tor, only a handful of users have ever been identified, and then at the end of a very expensive and labour-intensive process.”
The conclusion for companies at threat is that the police cannot end hacking by detection alone. It is too expensive. Too time-consuming. Resources are too stretched.
Mr Taddeo, the ex-FBI New York cyber boss, says it’s a losing war. “Any data point we look at tells us we are losing ground. The police can’t keep up,” he says. His new role as chief security office at Cryptzone focuses instead on beefing up security measures inside the corporate perimeter. “In this world it pays to harden your interior,” he says. “All criminals need is one improper implementation of security and they can get access.”
The police are doing their best. A freedom of information request by Veracode in 2015 revealed 3,829 British police officers have undertaken cyber security training, up 100 times compared with 2010. But even with these resources only a tiny fraction of the perpetrators will see justice. Catching hackers remains a tough, tough job.