You Can Hack But You Can't Hide

Wednesday, July 07, 2010

I thought this is a very interesting title for discussion but the whole idea is to debate on whether "you can" or "you can't hide". Now that the hackers around the globe have more sophisticated Hack tools under their belt, spoofing your identity has become even more easier than ever.

Mature hackers, unlike script kiddies, will always think twice before trying to break in a target system. They only fear what could happen if at all they get caught. “Law enforcement relies on the corporate sector and citizens to report when they encounter on-line suspicious activity so these schemes can be investigated and criminals can be arrested,” stated Peter Trahon, Section Chief of the FBI's Cyber Division. Unless its reported, hackers enjoy their freedom because their crime is hidden and so are they. This would not only encourage hackers to do more crime but will also give them the power to experiment on thier targets without any fear of getting caught.

I know by now there is a quetion on everybody's mind that "Why would someone not report cyber attacks". Well, there are many reasons which again favours the hackers to remain hidden.

  1. It impacts the financial market. The stock market may react negatively to security breach announcement.
  2. Negative publicity of the reporting firm may harm its reputation or brand and can even cause its customers to lose confidence resulting in giving a competitive advantage to commercial rivals.
  3. Litigation concerns may come into the picture. Investors, customers or stakeholders may move to the court to seek recovery of damages caused by the organization reporting the security breach.
  4. It violates the statement of confidentiality and liability. Officials of a firm or organization may face sanctions under federal laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999 (GLBA), or the Sarbanes-Oxley Act of 2003, which require institutions to meet various standards for safeguarding customer and patient records.
  5. Public disclodure of a security breach would alert other hackers around the globe that the reporting firm is weak in its cyber-defense and may inspire more attacks.
  6. IT personnels, espcially those responsible for IT Security may fear having to lose their job following a security breach, as a result they would seek to conceal the breach from top level management.

Lets take a look at some statistics:


Its evident from the above figure that online crime complaints increased substantially once again last year. The figure shows statistics for complaints that were filed, but we do not know how many complaints were not reported. Needless to say that its impossible to come up with a statistic that would show all those breaches that are not reported and the total loss associated to it. It could probably be way beyond our imagination.

If we take a peek in the past and look at the history of hacking by the world's most famous hackers, then in my opnion, they are famous not because they were "successful" to break in, but because they were "unsuccessful" to hide or clear their tracks before they got caught. Organizations following a strict policy, compliance standards and having implemented the most powerful anti-virus/IDS/IPS solutions tend to assume that they are very secure, but they also realize that 100% security can never exist not can it be achieved. Forensic technology has progressed immensly in the recent past which helps uncover the root cause of a security incident and probably leading to evidence that may aid to get hold of the culprit.

Now, its possible to detect promiscious NICs on the network, review firewall logs and identify suspicious activity, trace the attacker's IP address to locate and bring them to justice, use forensic tools to dig through the hard drive and catch the perpetrator red handed and to make you feel a little more better, the government of most countries have made some serious laws with regards to cyber crime such as Cybersecurity Act (S 773).

There is one such organization called "The Honeynet Project" which deploys honeynets all around the world that capture attacks in the wild, analyze this information and share their findings to raise awareness about Internet security and the most common threats. With this technology we can come to know who is attacking our systems and how. Its a sneaky idea to prove that your competitors have hired hackers to shut your organization down.

Unless an organization have really thought about security from a proactive standpoint, its very easy for a hacker to break in your house, steal your stuff, damage your property, degrade your reputation and still go scott free without even being noticed.

Cross Posted from Saumil Shah's blog here:
Post Rating I Like this!
Mister Reiner This is how I see it:

High-end Pros and the Top Tier don't get caught because they know how to avoid detection and don't over stay their welcome. They also don't fall for honeypots because that type of low hanging fruit is just too obvious.

As you point out, law enforcement can only pursue those that are detected and reported. Even if a hacker is detected, if he truly knows what he is doing, any forensics collected at the scene of the crime is next to worthless with respect to tracking him down.