How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab

How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab
How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab 

By Scott Berinato
May 31, 2007

Forensic investigations start at the end. Think of it: You wouldnt start 
using science and technology to establish facts (thats the dictionary 
definition of forensics) unless you had some reason to establish facts 
in the first place. But by that time, the crime has already happened. So 
while requisite, forensics is ultimately unrewarding.

A clear illustration of this fact comes from the field investigations 
manager for a major credit services company. Sometime last year, he 
noticed a clutch of fraudulent purchases on cards that all traced back 
to the same aquarium. He learned quite a bit through forensics. He 
learned, for example, that an aquarium employee had downloaded an audio 
file while eating a sandwich on her lunch break. He learned that when 
she played the song, a rootkit hidden inside the song installed itself 
on her computer. That rootkit allowed the hacker whod planted it to 
establish a secure tunnel so he could work undetected and get 
root?administrators access to the aquarium network.

Sounds like a successful investigation. But the investigator was 
underwhelmed by the results. Why? Because he hadnt caught the 
perpetrator and he knew he never would. Whats worse, that lunch break 
with the sandwich and the song download had occurred some time before he 
got there. In fact, the hacker had captured every card transaction at 
the aquarium for two years.

The investigator (who could only speak anonymously) wonders aloud what 
other networks are right now being controlled by criminal enterprises 
whose presence is entirely concealed. Computer crime has shifted from a 
game of disruption to one of access. The hackers focus has shifted too, 
from developing destructive payloads to circumventing detection. Now, 
for every tool forensic investigators have come to rely on to discover 
and prosecute electronic crimes, criminals have a corresponding tool to 
baffle the investigation.

This is antiforensics. It is more than technology. It is an approach to 
criminal hacking that can be summed up like this: Make it hard for them 
to find you and impossible for them to prove they found you.

The concept is neither new nor foolproof, but in the past 12 months, 
forensic investigators have noticed a significant uptick in the use of 
antiforensics. This is not because hackers are making more sophisticated 
antiforensic tools, though some are. Rather, its because antiforensic 
tools have slid down the technical food chain, from Unix to Windows, 
from something only elite users could master to something nontechnical 
users can operate. Whats more, this transition is taking place right 
when (or perhaps because of) a growing number of criminals, technically 
unsophisticated, want in on all the cash moving around online and they 
need antiforensics to protect their illicit enterprises. Five years ago, 
you could count on one hand the number of people who could do a lot of 
these things, says the investigator. Now its hobby level.

Researcher Bryan Sartin of Cybertrust says antiforensic tools have 
gotten so easy to use that recently hes noticed the hacks themselves are 
barely disguised. I can pick up a network diagram and see where the 
breach occurred in a second, says Sartin. Thats the boring part of my 
job now. Theyll use FTP and they dont care if it logs the transfer, 
because they know I have no idea who they are or how they got there. 
Veteran forensic investigator Paul Henry, who works for a vendor called 
Secure Computing, says, Weve got ourselves in a bit of a fix. From a 
purely forensic standpoint, its real ugly out there. Vincent Liu, 
partner at Stach & Liu, has developed antiforensic tools. But he stopped 
because the evidence exists that we cant rely on forensic tools anymore. 
It was no longer necessary to drive the point home. There was no point 
rubbing salt in the wound, he says.

The investigator in the aquarium case says, Antiforensics are part of my 
everyday life now. As this article is being written, details of the TJX 
breachcalled the biggest data heist in history, with more than 45 
million credit card records compromisedstrongly suggest that the 
criminals used antiforensics to maintain undetected access to the 
systems for months or years and capture data in real time. In fact, the 
TJX case, from the sparse details made public, sounds remarkably like 
the aquarium case on a massive scale. Several experts said it would be 
surprising if antiforensics werent used. Who knows how many databases 
containing how many millions of identities are out there being 
compromised? asks the investigator. That is the unspoken nightmare.


Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. 

Site design & layout copyright © 1986-2014 CodeGods