What are some of the ways law enforcement agencies can trace a hacking attempt back to the hacker?

IP and MAC addresses can be spoofed easily, and hackers can easily hide their tracks by using compromised hosts around the globe to launch attacks from.

In such a situation, is it at all possible for law enforcement agencies to track and arrest these hackers?

How about some of the more localized attacks like cracking WEP/WPA passwords to gain access to the wireless network, or web application attacks like XSS or SQL injections?

Help with tagging is appreciated, I don't know what to tag this question as.

curiousguy

3 Answers

Terry Chia, we meet again xD. Simply put, although technologies to track hackers are present, there are a number of constraints on governments that prevent them from doing so. That said, a private individual working as a blackhat will probably have better chances to track a particular hacker.

To begin with, the main reason law enforcement agencies arrest hackers in the first place is their connection to their (generally some crappy free) VPN breaks down without their realization. The reason IP Spoofing is so devastating is if a US individual spoofs a Russian and then Chinese IP, it is almost certain that the two governments would never help US law enforcement. So you ask how it can be done?

To track such a hacker a number of precautions would have to be applied on the server; JavaScript- and PHP-like languages can provide useful information such as the client's browser, operating system, etc., which is generally not spoofed. Additionally, web application attacks will not work because I doubt the hacker will stay on the same IP for long.

For example, Google has been known to be able to track users even under spoofed IPs and disabled geolocation instantly. They do this by capturing all wifi points in range every time you connect to them; by matching this to their existing database of wifi points they could easily locate you. The technique essentially works by invading user privacy. If the "law enforcement" could access such a database, they could use it against you. Additionally, if they can somehow sniff such traffic they could obtain the same info.

Here's a video demonstrating that: http://www.youtube.com/watch?v=McF50tjuFEs

Ultimately, it's not viable for law enforcement to accurately track or arrest any individual, because laws in most countries hold that a person is not guilty unless convicted. What I mean is that, even if they get your "true IP" and come to your house, hackers have been known to have security measures to erase disks several times over, beyond the capabilities of cyber forensics, or to use Deep Freeze/TrueCrypt to hide and lock that data with multiple unbreakable layers of encryption. If you do it right, there's no "evidence" on your PC. In fact, people have gotten away in many cases because they claimed their computer was used as a zombie or their wifi was hacked. In many cases it is true.

Rohan Durve
  • Great answer, thanks. I'm curious about your statement about gathering information about the client's browser and operating system. Generally, how is that useful in tracking down a hacker? It could perhaps rule out countries where the browser and OS are not widely used, but a common configuration like firefox/chrome + windows 7 won't provide much information. –  Jun 24 '12 at 04:12
  • And am I right to deduce from your answer that the only way to trace a user spoofing his IP and MAC addresses will be wifi geolocation and perhaps traceroutes? –  Jun 24 '12 at 04:14
  • No, what I'm implying is that there are no perfectly legal methods of doing it. Applications that are invading privacy or have access to the system that the hacker is using are the best hope imo to get him, and then you still have to recover proof of his direct affiliation to convict him of anything. Although the information can be redundant, it can be really helpful. Knowing a hacker has bt5 installed in a VM or BackBuntu helps reverse engineering a lot, since you know something you can look for definitively. Note: It contains your versions as well. That's huge. – Rohan Durve Jun 24 '12 at 04:16
  • * cyber forensics – Rohan Durve Jun 24 '12 at 04:23
  • "_They do this, by capturing all wifi points in range every time you connect to them, by matching this to their existing database of wifi points they could easily locate you. () If the "law enforcement" could access such a database, they could use it against you._" Actually the database is accessible by anybody. – curiousguy Jun 25 '12 at 16:56
  • @curiousguy Even better then! xD You got a URL for that? – Rohan Durve Jun 25 '12 at 17:05
  • @RohanDurve-Decode141 The SSID/BSSID to location mapping is done by asking `https://www.google.com/loc/json` (the Google database cannot be downloaded for off-line use of course, but anyone can query it). [example Wifi based location query](http://stackoverflow.com/a/5134619/963864) – curiousguy Jun 26 '12 at 00:26
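The answer's point about recording the client's browser and OS on the server, turned into a defender's correlation step as an added example (not code from the answer or from any project): it groups requests carrying SQLi/XSS indicators by a User-Agent plus Accept-Language fingerprint, so one attacker hopping between IPs shows up as one cluster. The log format, the indicator patterns and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed format: Apache combined log plus one extra quoted field, Accept-Language.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"$')
# Crude indicators for the attack classes the question names (SQLi and XSS).
ATTACK_RE = re.compile(r"(union\s+select|'\s*or\s+1=1|<script|onerror=)", re.I)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def fingerprint(rec):
    # Browser/OS string and language preference. Both are client-controlled,
    # so they corroborate a link between IPs; they are not proof of identity.
    return (rec["ua"], rec["lang"])

def correlate(lines):
    """Group attack requests by client fingerprint, regardless of source IP."""
    clusters = defaultdict(lambda: {"ips": set(), "requests": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ATTACK_RE.search(unquote(rec["req"])):
            continue  # unparseable or benign: skip
        c = clusters[fingerprint(rec)]
        c["ips"].add(rec["ip"])
        c["requests"].append((rec["ts"], rec["ip"], rec["req"]))
    return dict(clusters)

def multi_ip_clusters(clusters):
    """Fingerprints seen attacking from more than one IP: the IP-hopping case."""
    return {fp: c for fp, c in clusters.items() if len(c["ips"]) > 1}

FF_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0"
CHROME_WIN = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 Chrome/19.0.1084.56"
SAMPLE_LOG = [  # constructed lines; IPs are from documentation ranges
    f'203.0.113.7 - - [24/Jun/2012:03:55:01 +0000] "GET /item?id=1%27%20or%201%3D1-- HTTP/1.1" 200 512 "-" "{FF_LINUX}" "ru-RU,ru;q=0.8"',
    f'192.0.2.9 - - [24/Jun/2012:03:55:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "{CHROME_WIN}" "en-US,en;q=0.5"',
    f'198.51.100.42 - - [24/Jun/2012:04:02:44 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "{FF_LINUX}" "ru-RU,ru;q=0.8"',
    f'192.0.2.77 - - [24/Jun/2012:04:10:03 +0000] "GET /item?id=2%20union%20select%201,2,3 HTTP/1.1" 500 0 "-" "{CHROME_WIN}" "en-US,en;q=0.5"',
]
if __name__ == "__main__":
    for fp, c in multi_ip_clusters(correlate(SAMPLE_LOG)).items():
        print(fp, sorted(c["ips"]), len(c["requests"]))
```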
Spoofing is easy, but it doesn't always work as expected; one small mistake and they will trace you.

Regarding WEP, well, this is a "wild west", hacks are trivial and widespread. For example, by having an iPhone set up for some public wifi, when I set up a hotspot with the same name, your mobile will join, and get email over insecure POP3 with a plaintext password. This is really easy. That's why you need a mail server with no non-SSL protocols available.

For website attacks, this is also a "wild west", no government is monitoring this, so you need to handle incidents on your own. Because of that you need to run websites at various privilege levels, so a single hack won't expose complete company information.

Andrew Smith
  • "_For example, by having iphone setup to some public wifi, when I setup the hotspot with the same name, your mobile will join_" Indeed, this is a fundamental property of open Wifi: you cannot reliably identify a particular hotspot. If you want to offer a free hotspot, please do it with WPA-Enterprise, with EAP-TLS and anonymous login. – curiousguy Jun 25 '12 at 16:50
You may try to deploy a honeypot/honeynet to analyze the hacker's behaviour.

zakiakhmad
  • Honeypots may help in discovering hackers' **tricks**, but they do not automatically uncover hackers' **identities**. – curiousguy Jun 25 '12 at 23:00