TC7 day 1 – How hackers get caught

simple nomad
UPDATE: Slides

Simple Nomad’s keynote was titled “How hackers get caught” which could have been subtitled “laughing at skiddies” as he gave several examples throughout. SN, founder of NMRC, has been hacking for years and proved this with his Bell Special Services hat.

The first area covered was logs. Not knowing how the event, application, and system logs work can easily give you away. The shell history will expose the actions you were taking, even the incredibly inept ones (attempting to install a rootkit four times). Another giveaway is leaving a “:wq” in /var/log/messages or, even worse, binaries.

Laziness is a fast track to jail time. Never hack from home; take the time to drive to suburbia and get a free WiFi connection. Take pride in your paranoia. The logs will take you down, but you have to consider what makes sense: Do you wipe them completely or just edit? SN described monitoring several logs that normally generated patterned output. The logs are colored and opened in terminals with a really small font. You can’t actually read the text, but you can recognize the text block coloring and shape and it is easy to spot entries that aren’t normal. Other things to look for in logs are portscan footprints (ssh disconnect without a connect). Default settings are also an easy giveaway (not changing the default Metasploit port).
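The two log tells above (a stray editor command left in /var/log/messages, and ssh disconnects with no matching connect) are easy to check for mechanically. The script below is an added example written for this write-up, not code from the talk or from Simple Nomad; the log lines are constructed, the sshd message formats are approximations of the common ones, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample log, syslog style. Line 6 is a bare ":wq" left behind
# by someone who edited the file in vi; 203.0.113.9 only ever shows up as
# a disconnect, which is the portscan footprint the talk describes.
SAMPLE_LOG = """\
Mar  3 02:11:04 host sshd[2201]: Connection from 198.51.100.7 port 51022
Mar  3 02:11:05 host sshd[2201]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Mar  3 02:11:40 host sshd[2201]: Disconnected from 198.51.100.7 port 51022
Mar  3 02:12:10 host sshd[2230]: Disconnected from 203.0.113.9 port 40001
Mar  3 02:12:11 host sshd[2231]: Disconnected from 203.0.113.9 port 40002
:wq
Mar  3 02:13:30 host kernel: eth0: link up
Mar  3 02:14:00 host sshd[2240]: Connection closed by 203.0.113.9 port 40003 [preauth]
"""

# Standard "Mon DD HH:MM:SS host proc[pid]: message" prefix.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# vi save/quit commands that end up in a log when someone edits it by hand.
EDITOR_RESIDUE_RE = re.compile(r"^\s*:(?:wq!?|q!?|x)\s*$")
# Approximate sshd connect / disconnect messages (assumed formats).
CONNECT_RE = re.compile(
    r"(?:Connection from|Accepted \S+ for \S+ from) (?P<ip>[\d.]+) port (?P<port>\d+)"
)
DISCONNECT_RE = re.compile(
    r"(?:Disconnected from|Connection closed by) "
    r"(?:(?:authenticating |invalid )?user \S+ )?(?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse(line):
    """Return the syslog fields of a line, or None if it is not a syslog line."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def find_editor_residue(log_text):
    """Line numbers whose raw text or message body is a bare vi command."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse(line)
        text = rec["msg"] if rec else line  # unparseable lines are checked raw
        if EDITOR_RESIDUE_RE.match(text):
            hits.append(n)
    return hits


def find_orphan_disconnects(log_text):
    """sshd disconnects for an (ip, port) pair that never logged a connect."""
    seen = set()
    orphans = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse(line)
        if not rec or rec["proc"] != "sshd":
            continue
        m = CONNECT_RE.search(rec["msg"])
        if m:
            seen.add((m["ip"], m["port"]))
            continue
        m = DISCONNECT_RE.search(rec["msg"])
        if m and (m["ip"], m["port"]) not in seen:
            orphans.append((n, m["ip"], m["port"]))
    return orphans


def suspicious_sources(orphans, threshold=2):
    """Source IPs with at least `threshold` orphan disconnects (likely scanners)."""
    counts = Counter(ip for _, ip, _ in orphans)
    return {ip: c for ip, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    for n in find_editor_residue(SAMPLE_LOG):
        print(f"line {n}: editor command left in log")
    orphans = find_orphan_disconnects(SAMPLE_LOG)
    for n, ip, port in orphans:
        print(f"line {n}: disconnect from {ip}:{port} with no connect")
    print("probable scanners:", suspicious_sources(orphans))
```

The per-(ip, port) bookkeeping is what makes the second check useful: a single orphan disconnect can be a dropped packet, but several in a row from one source with no login attempt in between is the pattern the talk calls a portscan footprint.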

The code you run on the system can give you away. Is it really system- or bandwidth-intensive? A regular user will notice that and start complaining. If the target is slower than your testing system, this is definitely possible. If you compile the code on the target, the libraries accessed will give you away.

He also covered blackhat vs. blackhat. This was mostly silly tricks for annoying other blackhats. Gaining access to 0wned systems and modifying the rootkit so it was plainly exposed (hiding something important like system32). A lot of trojan code is written quickly and features buffer overflows that can be taken advantage of. Also, scanning .mil addresses from the 0wned box is a great way to get it noticed.

Finally, there is the problem of people bragging. If you deface some site at 3AM, then jump on IRC and send all of your buddies to go look at the low-traffic site, you are an idiot for seeding the server logs with your group’s IPs. He also noted that the feds could own any of the free proxy servers you are connecting to. In 1996 the CIA admitted to running the two largest freemail services. So, if you use Hotmail, you’re agreeing to give all of your info away.

It was a pretty interesting talk and really educational if you were interested in doing forensics on your own system.

Comments

  1. Bushman says:

    first comment

  2. SomeCat says:

    First Loser^

  3. thr0n says:

    If two are fighting the third shall win.

  4. paul says:

    “In 1996 the CIA admitted to running the two largest freemail services. So, if you use Hotmail, you

  5. David li says:

    I agree with Paul
    http://www.hackaday.com/entry/1234000437059293/#c456886

    Let’s see some of that!

  6. David li says:

    Oh second thought… OMG! COLOR PICTURES!!!

  7. t3h says:

    Anyone have this speech? I’d like an mp3/video of it…

  8. R3P1N5 says:

    mmm, i’d really appreciate a recording of his speech (lol, it’s a bit hard to get to such speeches from here in Australia)

  9. grammar nazi says:

    Use to learn the shift key…all of you!!!! Bunch of lazy ass bastards!!!

  10. beezle says:

    I can’t find anything to substantiate the claim about CIA and free email sites.

  11. Hybrid says:

    hack a day dosent capatalize anythng retared.

    you see that? ^ all that bad grammer and spelling should really piss off the grammer nazi. :)

  12. t3h says:

    grammar nazi, how about YOU learn to use the shift key :P

  13. ydef says:

    “In 1996 the CIA admitted to running the two largest freemail services. So, if you use Hotmail, you

  14. ydef says:

    “In 1996 the CIA admitted to running the two largest freemail services. So, if you use Hotmail, you

  15. ydef says:

    “In 1996 the CIA admitted to running the two largest freemail services. So, if you use Hotmail, you

  16. robert paulson says:

    hey guys its 4 yrs later, am i too late to comment?!?!

  17. droos says:

    if you’re too late, i guess i really missed the boat.

  18. asdasdasdfasdfsg says:

    It’s never too late to comment, bitches.
    The last one is MINE, MUAHAHAHAA!
