catching a hacker

crunchyblanket

the Juggernaut of Imperfection
So I'm a little wary of Googling this one. One of my minor characters is an amateur computer hacker - good at it, but isn't heavily involved in hacking. They manage to gain access to a company network, and to sensitive documents.

My question is: is there any kind of security the company can use in order to identify that they have been hacked? And further, is there any way to identify a hacker, or trace their location? I'm hoping to create a situation in which the company in question are able to track down the hacker. Is there any existing software or method to do this, or do I need to take advantage of the future setting and just make something up?

Thanks in advance for your help :)
 

Williebee

Capeless, wingless, & yet I fly.
> So I'm a little wary of Googling this one. One of my minor characters is an amateur computer hacker - good at it, but isn't heavily involved in hacking. They manage to gain access to a company network, and to sensitive documents.
>
> My question is: is there any kind of security the company can use in order to identify that they have been hacked? And further, is there any way to identify a hacker, or trace their location? I'm hoping to create a situation in which the company in question are able to track down the hacker. Is there any existing software or method to do this, or do I need to take advantage of the future setting and just make something up?
>
> Thanks in advance for your help :)

There are both active and passive intrusion detection systems available.

An active system will detect unauthorized access to files and systems and alert the network administrators.

A passive system will log the unauthorized access and a review of the logs will show the unauthorized activity.

In both cases logging may show the time/date of the unauthorized activity, what files/systems were accessed during the activity, and the source IP of the access. That IP (internet protocol) address may be coming from a laptop in the parking lot, or a house across the country, or an office on the other side of the planet. It may have come through a variety of proxy servers or hacked computers on systems pretty much anywhere. So, tracing back to the original source of the intrusion may or may not be possible.

The "hack" may come from a person, or a "bot" that has been programmed and launched by a person to sniff out weak spots in systems and networks. When the bot finds one it may just report back to its master (the hacker) or it may already have been programmed to launch attacks and harvest information. Hours/days/weeks later the hacker may get back to check to see what the bots collected, kind of like a lobster trapper.

ETA: Often a hacker is identified by what they are after as much as by how they went after it. Many malicious bits of code contain "signatures", quirks in the coding that may -- MAY -- be specific to a particular hacker. OR they may be just copied and pasted into a new bit of malware, like borrowing a tool from a black hat mechanic's toolbox.
Hope that helps.
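The "passive system" Williebee describes, a review of access logs after the fact, is easy to make concrete. The following is an added example, not code from the post or from any real product: it reads a constructed file-server log (timestamp, account, source IP, action, path, result) and flags the things a reviewer would circle in red, namely reads of sensitive documents from an address outside the company's own range or outside business hours, and a login that succeeds only after repeated failures. The log format, the sample lines, the 10.20.0.0/16 internal range and the "sensitive" path prefixes are all assumptions made for the example.

```python
"""Passive intrusion detection by log review: flag sensitive-document
access that does not fit the company's normal pattern.

Log format and sample lines are constructed for this example."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: a file-server log, one access per line.
# timestamp | account | source IP | action | path | result
SAMPLE_LOG = """\
2011-03-01T09:12:04 jsmith 10.20.1.15 READ /finance/q1_forecast.xlsx OK
2011-03-01T09:40:51 rbergmeister 10.20.1.77 READ /rnd/project_hawk/spec.docx OK
2011-03-01T23:51:09 jsmith 203.0.113.42 LOGIN - FAIL
2011-03-01T23:51:13 jsmith 203.0.113.42 LOGIN - FAIL
2011-03-01T23:51:20 jsmith 203.0.113.42 LOGIN - OK
2011-03-01T23:52:02 jsmith 203.0.113.42 READ /rnd/project_hawk/spec.docx OK
2011-03-01T23:53:30 jsmith 203.0.113.42 READ /rnd/project_hawk/budget.xlsx OK
2011-03-02T08:05:00 rbergmeister 10.20.1.77 READ /rnd/project_hawk/budget.xlsx OK
"""

# Where the company's own machines live (assumed); anything else is "outside".
INTERNAL = [ip_network("10.20.0.0/16")]
SENSITIVE_PREFIXES = ("/rnd/", "/finance/")
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local

def parse(line):
    ts, account, src, action, path, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": ip_address(src), "action": action, "path": path, "result": result}

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def review(log_text, fail_threshold=2):
    """Return a list of (timestamp, account, src_ip, reason) findings."""
    findings = []
    failures = {}  # (account, src) -> consecutive failed logins
    for line in log_text.splitlines():
        e = parse(line)
        key = (e["account"], str(e["src"]))
        if e["action"] == "LOGIN":
            if e["result"] == "FAIL":
                failures[key] = failures.get(key, 0) + 1
            elif failures.get(key, 0) >= fail_threshold:
                findings.append((e["ts"], e["account"], str(e["src"]),
                                 f"login succeeded after {failures[key]} failures"))
                failures[key] = 0
            continue
        if e["result"] != "OK" or not e["path"].startswith(SENSITIVE_PREFIXES):
            continue
        reasons = []
        if not is_internal(e["src"]):
            reasons.append("sensitive read from outside address")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("sensitive read outside business hours")
        for r in reasons:
            findings.append((e["ts"], e["account"], str(e["src"]), r))
    return findings

def suspicious_sources(findings):
    """Distinct source IPs in the findings. This is only the last hop the
    company can see; it may be a proxy or another hacked machine."""
    return sorted({f[2] for f in findings})

if __name__ == "__main__":
    for ts, account, src, reason in review(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {account:14} {src:16} {reason}")
    print("sources to investigate:", suspicious_sources(review(SAMPLE_LOG)))
```

Run as written, the review picks out one account (jsmith), one address (203.0.113.42) and five findings, all from the late-night session. An "active" system in Williebee's sense is the same logic wired to page someone as each line arrives rather than run over the file the next morning. Note what the review does not give you: 203.0.113.42 is where the last connection came from, which is exactly the proxy-chain caveat in the post.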
 

Drachen Jager

Professor of applied misanthropy
Read the book "The Cuckoo's Egg". It's pretty old (by computer-era standards) but most of the actual hacking and counter-hacking hasn't changed that much. It's a real-life story about a Berkeley sysop who detects a hacker and becomes obsessed with finding the guy. He still gives lectures to the NSA, CIA etc. about computer security because of his experience.
 

Deleted member 42

Social engineering is a lot easier, and a lot harder to defend against.

Otherwise smart people will give you their login if you ask the right way.

Or they *write it down* in a public place.

No, really.
 

jaksen

Caped Codder
Or they share their entire C or D drive on a file-sharing network. There they are, all their sensitive documents and even word docs that are labeled: Passwords. You could literally practically swim around in someone else's computer.

No, not kidding.

Edit: Kinda hard to even fit inside a PC, let alone swim in one. :D
 

Mac H.

Board Visitor
One way to do it which is easy for the reader to visualise is via a honey-pot.

The company has prepared security with a backup plan for when security fails - they have documents on the protected system that appear to be exactly the kind of thing hackers would be after. For example, if you are a company developing new technology you put documents about a secret project headed by the head of Internal Projects - Dr Rufus Bergmeister.

The company also sets up a free blog on the internet where Dr Rufus Bergmeister talks about his hobby of model boat building and occasionally complains about his late hours at the office, letting slip things that he probably shouldn't mention.

So if anyone ever googles 'Dr Rufus Bergmeister' they will find that blog and visit it.

All the company has to do is monitor the hits on the fake blog and see if anyone ever arrives there after googling the name 'Dr Rufus Bergmeister'. It would be very suspicious if they did.

If that happens then the writer of the fake blog can let a few more details slip (complaining about the workloads of a new project etc) and wait for the inevitable result of a fellow model boat building enthusiast who 'just happens' to find the blog and start a friendship with the fake 'Dr Rufus Bergmeister'.

Yeah - how I handled it above is pretty crude... but you get the idea.

Good luck!

Mac
 
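Mac H.'s scheme is a honeytoken: a fictitious name that exists nowhere except inside the decoy documents, so anyone who searches for it must have read them. Below is an added example of the monitoring half, not code from the post: it scans constructed Apache-style access-log lines for the decoy blog and reports visitors whose search-engine referer or on-site search query contains a planted name. Giving each decoy document its own canary name, as the registry here does, tells the company which document leaked, not just that something did. The blog, the log lines, the second name and the hosting details are all assumptions for the example.

```python
"""Honeytoken monitoring: the company plants a fictitious name in each decoy
document and watches the decoy blog's access log for visitors who arrived
by searching for that name.

The canary registry and the access-log lines are constructed for this example."""
import re
from urllib.parse import urlparse, parse_qs

# One unique canary name per decoy document (constructed), so a hit
# identifies the document the intruder actually read.
CANARIES = {
    "rufus bergmeister": "/rnd/project_hawk/spec.docx",
    "ingrid halvorsen": "/finance/acquisition_memo.docx",
}

# Constructed Apache combined-format lines for the decoy blog.
ACCESS_LOG = """\
198.51.100.7 - - [02/Mar/2011:10:14:22 +0000] "GET /about HTTP/1.1" 200 3120 "https://www.google.com/search?q=model+boat+hull+planking" "Mozilla/5.0"
203.0.113.42 - - [02/Mar/2011:23:58:41 +0000] "GET / HTTP/1.1" 200 5120 "https://www.google.com/search?q=%22Dr+Rufus+Bergmeister%22" "Mozilla/5.0"
203.0.113.42 - - [02/Mar/2011:23:59:10 +0000] "GET /posts/late-nights-again HTTP/1.1" 200 4811 "https://example-blog.invalid/" "Mozilla/5.0"
192.0.2.9 - - [03/Mar/2011:07:02:03 +0000] "GET /?s=ingrid+halvorsen HTTP/1.1" 200 5120 "-" "curl/7.21"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def search_terms(url):
    """Pull the search text out of a referer or request target, lowercased.
    Looks at the query keys common search engines and blog themes use."""
    if not url or url == "-":
        return ""
    qs = parse_qs(urlparse(url).query)
    terms = qs.get("q", []) + qs.get("s", []) + qs.get("p", [])
    return " ".join(t.lower() for t in terms)

def canary_hits(log_text):
    """Return [(ip, timestamp, canary_name, planted_in)] for every visit
    whose search terms contain a planted name."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        haystack = search_terms(m["referer"]) + " " + search_terms(m["target"])
        for name, planted_in in CANARIES.items():
            if name in haystack:
                hits.append((m["ip"], m["ts"], name, planted_in))
    return hits

if __name__ == "__main__":
    for ip, ts, name, doc in canary_hits(ACCESS_LOG):
        print(f"{ts}  {ip:16} searched for '{name}' -> they have read {doc}")
```

The model-boat enthusiast who found the blog by searching for hull planking is ignored; the visitor who arrived via a Google search for "Dr Rufus Bergmeister" is reported, along with the decoy document that name was planted in. The same idea works with a unique e-mail address, phone number or URL inside the document instead of a name, and with a fake customer record in a database, and it has the property Williebee's logs lack: it fires even when the intruder used a perfectly legitimate stolen login to read the file.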

Carmy

Good luck with this. I've been hacked and cyber stalked for over a year and only now had an expert sort it out, prove the hacking, and stop it.

Talk to a computer repair company and they'll usually give you the 'goods'.
 

Sea Witch

Stirring the word cauldron
> Read the book "The Cuckoo's Egg". It's pretty old (by computer-era standards) but most of the actual hacking and counter-hacking hasn't changed that much. It's a real-life story about a Berkeley sysop who detects a hacker and becomes obsessed with finding the guy. He still gives lectures to the NSA, CIA etc. about computer security because of his experience.

Dang! That's what I was going to say! You beat me to it. Clifford Stoll was the author. Great book.
 

benbradley

It's a doggy dog world
> One way to do it which is easy for the reader to visualise is via a honey-pot.
>
> The company has prepared security with a backup plan for when security fails - they have documents on the protected system that appear to be exactly the kind of thing hackers would be after. For example, if you are a company developing new technology you put documents about a secret project headed by the head of Internal Projects - Dr Rufus Bergmeister.
This reminds me of the Nixon Administration and the "White House Plumbers" who were (as I recall the story) tasked with fixing information "leaks" among the staff. They would "let" different (allegedly secret and true) information get into the hands of different people, and whichever story showed up in the press would implicate the person who had that story given to them.
 

hammerklavier

It was a dark and stormy night
If the hacker remotely logs into an employee's account (this usually involves a remote desktop connection, i.e., logging into the user's actual desktop machine), and then accesses systems and documents that that user has access to, then it is unlikely the hacker would be detected. (Unless they do it ineptly, using multiple password attempts, etc.)

If they log in and then start changing permissions on files, change users (like changing to the super user on a Unix file system), generally go to systems that the original account didn't have access to, upload and run hacking programs (like password crackers), and change operating system files, settings, and network settings... then they are more likely to be detected.
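hammerklavier's distinction, a quiet intruder on a stolen account versus one who starts changing permissions, switching users and running cracking tools, is what a per-account behavioural baseline is built to catch. The following is an added example, not code from the post: each account has a set of action types it has been observed performing, and an audit event is flagged when the account does something it never does, or does something privileged to a system path. Ordinary reads of documents the account is entitled to pass silently, which is exactly the gap the post describes. The baseline, the event list and the action vocabulary are constructed for the example.

```python
"""Per-account behavioural baseline: flag actions an account has never been
seen performing (su to root, chmod, running an uploaded binary) while letting
ordinary reads on a stolen-but-legitimate login pass unnoticed.

Baseline and audit events are constructed for this example."""

# Action types each account has been observed using over a trailing window
# (constructed; in practice this is learned from the same audit feed).
BASELINE = {
    "jsmith": {"LOGIN", "READ", "WRITE", "PRINT"},
    "ops_admin": {"LOGIN", "READ", "WRITE", "SUDO", "CHMOD", "SERVICE_RESTART"},
}

# Constructed audit events: (account, action, detail).
EVENTS = [
    ("jsmith", "LOGIN", "rdp from 203.0.113.42"),
    ("jsmith", "READ", "/home/jsmith/contracts/vendor_terms.docx"),
    ("jsmith", "READ", "/shared/rnd/project_hawk/spec.docx"),
    ("jsmith", "WRITE", "/tmp/.cache/crack"),
    ("jsmith", "EXEC", "/tmp/.cache/crack /etc/shadow"),
    ("jsmith", "SUDO", "su - root"),
    ("jsmith", "CHMOD", "0777 /etc/ssh/sshd_config"),
    ("ops_admin", "SUDO", "systemctl restart nginx"),
    ("ops_admin", "CHMOD", "0644 /etc/nginx/nginx.conf"),
]

# Actions that imply privilege or configuration change. Even for accounts that
# use them routinely, a system path as the target is worth a human look.
PRIVILEGED = {"SUDO", "CHMOD", "EXEC"}
SYSTEM_PATHS = ("/etc/", "/usr/", "/bin/", "/sbin/")

def detect(events, baseline):
    """Return [(account, action, detail, reason)] for out-of-profile activity."""
    alerts = []
    for account, action, detail in events:
        normal = baseline.get(account, set())
        if action not in normal:
            alerts.append((account, action, detail, "action never seen for this account"))
        elif action in PRIVILEGED and any(p in detail for p in SYSTEM_PATHS):
            alerts.append((account, action, detail, "privileged action on system path"))
    return alerts

def quiet_events(events, baseline):
    """Events the baseline lets through: routine, non-privileged actions."""
    return [e for e in events
            if e[1] in baseline.get(e[0], set()) and e[1] not in PRIVILEGED]

if __name__ == "__main__":
    for account, action, detail, reason in detect(EVENTS, BASELINE):
        print(f"ALERT {account:10} {action:6} {detail:40} {reason}")
    print(len(quiet_events(EVENTS, BASELINE)), "events passed without comment")
```

The read of project_hawk/spec.docx on jsmith's account goes through without a word, as the post says it would; the moment the same session runs an uploaded cracker against /etc/shadow, switches to root and loosens sshd_config, three alerts fire. The ops_admin chmod on a system file is flagged too, even though that account uses chmod daily, because the target matters. Note that the remote-desktop login from an outside address passes here, since this baseline looks only at what the account does, not where from; a source-address check is a separate control.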
 

sk3erkrou

Something else you may want to consider is that sometimes large companies will actually hire someone to hack into their computers. These people are generally ex-hackers who have stopped doing things maliciously, but are still good enough to help out. What they do, is they simply do their best to hack into the company computer network, finding all of the security holes, and then tell the company how to fix them. Of course, these people have to sign nondisclosure agreements for anything that they may see while doing this, but if they are going to hack into the network anyway, then I don't think this would be too much of a problem. Or they could leave a back door into the network, and tell a friend about it, having the friend get into the computers for them, circumventing the nondisclosure agreement. This could make for an interesting plot point.