Hackers get busted

November 30th, 2007 at 11:08 UTC by Dan Cvrcek

There is an article on BBC News about how yet another hacker running a botnet got busted. When I read the sentence “…he is said to be very bright and very skilled …”, I started thinking. How did they find him? He clearly must have made some serious mistakes; what sort of mistakes? How can isolation influence someone’s behaviour, and what is the importance of external opinions on objectivity?

When we write a paper, we very much appreciate it when someone is willing to read it and give some feedback. It allows us to identify loopholes in thinking, flaws in descriptions, and so forth. The feedback does not necessarily have to imply large changes in the text, but it very often clarifies it and makes it much more readable.

Hackers do use various tools – either publicly available, or made by the hackers themselves. There may be errors in the tools, but they will probably be fixed very quickly, especially if the tools are popular. Hackers often allow others to use the tools – be it for testing or for fame. But hacking for profit is quite a creative job, and there is plenty left for actions that cannot be automated.

So what is the danger of these manual tasks? Is it the case that hackers write down descriptions of all the procedures with checklists and stick to them, or do they do the stuff intuitively and become careless after a few months or years? Clearly, the first option is how intelligence agencies would deal with the problem, because they know that the human is the weakest link. But what about hackers? “…very bright and very skilled…”, but isolated from the rest of the world?

So I keep thinking, is it worth trying to reconstruct “operational procedures” for running a botnet, analyse them, identify the mistakes most likely to happen, and use such knowledge against the “cyber-crime groups”?

Entry filed under: Security economics, Security engineering

10 comments

  • 1. Mike Bond  |  November 30th, 2007 at 11:51 UTC

    There are two broad ways of not getting caught. One is to “stay below the radar”, and the other is to “run a tight ship”. I would imagine many hackers plan never to draw the attention of law enforcement, and their security measures are never intended to frustrate the attacker, they are simply superstitions to make themselves a less attractive target than the next guy.

    Once a hacker comes under the attention of law enforcement, I imagine he remains rather in the dark about the skills and resources of his attacker. Whilst a hacker may know that in theory police can do X, Y, and Z, I imagine he really has no clue about how much time, effort and resources his opponent is really devoting to him.

    Ultimately, I think this lack of attention paid to understanding one’s enemy is the systematic act of carelessness which is a hacker’s undoing.

    Disclaimer: I am not a hacker, a criminologist nor a law enforcement expert. Oh dear I guess I’m guilty of the same lack of understanding that I’ve accused of being the hacker’s undoing!

    Mike

  • 2. Adam  |  December 3rd, 2007 at 04:03 UTC

    I think they become too overly self-confident in their abilities. If you wish to relate this to a mix between psychology and philosophy, then it’s a well-understood fact that humans have a natural tendency to reduce their barriers when things are going well, but are quick to put up their barriers when things turn sour. I would assume that this is no different when it comes to hackers. They start believing they’re ahead of the law, until one day they hear a rat-a-tat-tat on the front door.

    Even if he was the most intelligent of the intellects in the underworld, he (or she) would still have to constantly analyse his (or her) disposition to ensure that no mistakes were being made in the name of the aforementioned tendency.

  • 3. Mia  |  December 3rd, 2007 at 08:23 UTC

    It’s something in the human condition. Neighbors always say that the serial killer seemed “so nice and quiet” and journalists always say the hacker is “very skilled and very bright”.

    That said, I wonder if Akill’s downfall was mistakes made during operation. While I like the idea of operational analysis of running a botnet, I notice that most of these guys have a very active online presence and a chatty social network. The treachery of their network is also a vulnerability.

  • 4. Clive Robinson  |  December 3rd, 2007 at 17:39 UTC

    @ Dan, Mike,

    “…he is said to be very bright and very skilled …”

    I think the first question you should ask is

    “By whose standard is he very bright and very skilled”

    If it is by the Judge or a Journalist then yes he may appear to be very bright. But by a security expert he might appear not very street wise or somewhat silly.

    Many years ago Arthur C. Clarke made an observation about “any sufficiently advanced science would appear as magic”

    Well the same applies to current technology.

  • 5. Toby Clarke  |  December 4th, 2007 at 13:12 UTC

    One of the factors that leads many people to commit online crime is a lack of ‘perception of crime’ – ‘hey, I’m just clicking away on my PC here, nothing major happening’. If they were trying to jemmy someone’s window open, they’d be a good deal more aware of the fact that they were committing a crime – and a good deal more aware of the risk of being caught. Without this constant stimulus I imagine it’s hard to maintain the discipline required to ‘run a tight ship’.

    In Risk Management you will usually see a couple of ‘near misses’ before something bad happens. For criminals, these near misses act as negative feedback allowing them to hone their skills in avoiding detection.
    Hackers don’t often get these opportunities.
    [some might argue this point - Kevin Mitnick had plenty...]

    In general, I feel that ignorance of the proximity/progress of law enforcement is the key factor, coupled with the ‘hysteresis’ of the law enforcement response – i.e. typically, online criminals proceed without intervention while officers build a case until the day the knock on the door comes.

  • 6. Richard Clayton  |  December 4th, 2007 at 18:15 UTC

    There is a key asymmetry in catching criminals: the police only have to be lucky once, the criminal has to be lucky all the time.

    Of course, those (both police and criminals) who practice their trade diligently, research new techniques and the failings of old ones, and above all have some grasp of what operational security is all about, will make their own luck.

  • 7. Clive Robinson  |  December 5th, 2007 at 20:13 UTC

    @Richard

    “the police only have to be lucky once, the criminal has to be lucky all the time”

    Depends on your type of criminal; I would argue the exact opposite when it came to terrorists…

  • 8. claudio  |  December 8th, 2007 at 16:01 UTC

    “The group is alleged to have …. skimmed millions of dollars from people’s bank accounts” and “He was detained as part of an FBI crackdown on hi-tech criminals who run botnets – networks of hijacked PCs”.
    Maybe they just got him while he was trying to collect some money for his activities. Understanding how computers work (if he did) doesn’t mean he also understood how money tracking works. And maybe, being overly self-confident, he had just been social-engineered ;)

  • 9. Clive Robinson  |  December 11th, 2007 at 19:59 UTC

    @ claudio,

    “Understanding how computers work (if he did) doesn’t mean he also understood how money tracking works”

    This has been the Achilles heel of crackers in the past.

    However there is increasing evidence that the smarter crackers have become “guns for hire” and either work for or have teamed up with experienced conventional criminals for whom money laundering is part and parcel of their everyday activities.

    I had a long chat with somebody at a major Dutch bank recently on just this particular problem as they have seen an increase in the related types of money laundering.

  • 10. zerofool2005  |  December 12th, 2007 at 17:30 UTC

    I actually know one of the people who got busted in this. And he got busted because he was hosting the update files for the bots on his University server. And the amount of bots downloading from it crashed it. So they launched an investigation and now the rest is history.
