It’s not that most black hat hackers have a love for theatrics and that is why they don the black mask and the blazer; obscuring their identity is paramount to being able to continue with their activities. The shroud of invisibility often lets them carry out their nefarious (or vigilante) acts with impunity. And it can easily be argued that the whistleblowers of the current digital era are enabled by the levels of privacy afforded by the very same technologies. While we aren’t taking any sides, we dug around a little to figure out how they go about their activities, how they hide their traces, how they stay off the grid and how they dish out their blend of activism. In no manner should this list be considered complete. Here’s how they do it.
Some things are a no-brainer. Almost every black hat that was caught, and the countless ones that are yet to be caught, operate under a pseudonym. And it’s not just the name: each identity is only used with a certain set of hardware. On their work laptop, he/she might be a John or a Jane, and on another machine they might be a genderless X4yn3r. Consistency is important. Those who’re out to track you down and discern your identity are always getting some bit of information or the other which they piece together. This is also why black hats tend not to use the same software for long: no matter how random a piece of software claims to be, there’s always a pattern, and over time, the more they see, the easier it becomes to narrow down on someone.
It’s when the identities mix that they tend to get caught. Ross Ulbricht a.k.a. Dread Pirate Roberts was caught when he gave out his personal email ID while astroturfing. The FBI had a lot of data about his identities, and this one post on a forum allowed them to connect the dots and nail him. Maintaining separate identities is a matter of life or death.
Remote Access Trojans are how black hats gain control over your machine, and that’s also how they add computers to their personal botnets, which in turn become staging areas for attacks and for sending unsolicited emails. Opening a simple email is all it takes for the payload to be delivered and for a backdoor to be opened. From that point onwards, you’ll have no idea what nefarious purpose your machine was used for. Say hi to the feds for us.
The go-to tool when it comes to hiding your internet traffic from snoopers, the all-popular VPN, is heavily advised, but little is known about the efficacy of VPNs. Sure, they allow you to watch geo-restricted content on YouTube, but in their default usage scenarios they aren’t great for ensuring privacy. While many VPNs claim not to keep logs, they’re also bound by laws that require them to lie about keeping logs once a security agency contacts them and asks them to. Little white lies…
Hackers do their homework and check whether a VPN is actually obfuscating traffic, using tools like Wireshark to see if switching on the VPN breaks existing connections. Then they check whether the VPN is indeed re-routing all the traffic from the machine, or just a portion of it limited to browser sessions and specific apps. This matters because existing browser sessions and applications on your computer will immediately try to ping back home when a network connection is modified, and if any of these pingbacks are not routed through the VPN, then it’s as good as not using a VPN at all.
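One way to automate the second check above (that the default route and every gateway route really go through the tunnel), as an added example that is not from the article: it parses constructed sample text in the format of Linux `ip route`; the interface names tun0/wlan0, the addresses and the VPN endpoint 203.0.113.10 are all assumed.

```python
import ipaddress

# Constructed sample in the format of Linux `ip route`: default via the tunnel
# (tun0), but 172.16.0.0/16 is routed around it through the LAN gateway.
LEAKY_ROUTES = """\
default via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev wlan0
172.16.0.0/16 via 192.168.1.1 dev wlan0
"""
# Constructed sample with the tunnel down: everything falls back to wlan0.
NO_VPN_ROUTES = """\
default via 192.168.1.1 dev wlan0 metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

def parse_routes(text):
    """Return (destination network, device, gateway or None) per route line."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((ipaddress.ip_network(dest, strict=False), dev, via))
    return routes

def check_vpn_routes(text, vpn_dev, vpn_server):
    """Return (default_via_vpn, leaks): whether the preferred default route
    uses the tunnel, and every gateway route that bypasses it other than the
    host route to the VPN server, which the tunnel itself needs."""
    server = ipaddress.ip_address(vpn_server)
    routes = parse_routes(text)
    defaults = [r for r in routes if r[0].prefixlen == 0]
    default_via_vpn = bool(defaults) and defaults[0][1] == vpn_dev
    leaks = []
    for net, dev, via in routes:
        # Directly connected subnets (no gateway) are LAN-only, not a leak.
        if net.prefixlen == 0 or dev == vpn_dev or via is None:
            continue
        if net.num_addresses == 1 and server in net:
            continue  # encrypted tunnel packets must still reach the endpoint
        leaks.append(f"{net} via {via} dev {dev}")
    return default_via_vpn, leaks
```

A real run would feed the output of `ip route` on the host in place of the constructed samples; a non-empty leak list or a default route off the tunnel means some traffic never sees the VPN.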
A general trend observed among hackers who speak up is to use multiple VPN services and switch between them. And when it comes to paying for these services, the methods of payment are kept anonymous. When a VPN service becomes sufficiently popular, the feds bring in listening equipment and monitor the endpoints; this is one way traffic correlation is done, and it renders the VPN useless. And it’s not just the endpoints: even network routers along the way are tapped to perform man-in-the-middle attacks and generate logs. Most governmental security programs focus on always gathering metadata until some suspicious activity is flagged, and then the metadata is mined to generate a profile. Hence the need for using multiple VPN services. And lastly, they prefer a VPN service operating in a country like Sweden, which has good privacy laws.
If you wish to keep yourself informed of all the latest developments in the world of black hat hackers, then there are a few IRC channels on TOR, but that’s a close-knit community you’re never going to get into. Which is why there’s DEFCON for the common folk. It is one of the largest hacker conventions, held annually in Las Vegas, and there are plenty of agents from the top security agencies in attendance.
Just using TOR isn’t all that hackers do; you gotta use TOR correctly. And it’s only good as long as you ensure that traffic to the exit router is encrypted as well. The feds know this, which is why a good percentage of the TOR exit routers are monitored. TOR works by anonymising traffic with packet delays and origin obfuscation, but lab experiments like the one performed by Sambuddho Chakravarty at Columbia University found that by monitoring traffic flow within the network, 100% of the traffic could be identified, and the same experiment performed within a real-world TOR network allowed 81.4 per cent of the traffic to be identified.
Intrusion Detection System
High-risk behaviour on the internet always attracts attention; in fact, the mere act of downloading the TOR browser or switching on a popular VPN service immediately gets your connection flagged for monitoring. Hackers need to be one step ahead of the curve, so they rely on an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System) to figure out if someone is trying to snoop on them and take precautionary measures.
Commercial personal satellites
Few have reached the level where they can exploit the inherent design flaws of older commercial satellites to gain control of them, but this is often how the command and control servers of large botnets are operated remotely: since a satellite covers a large physical area, it is very difficult to pinpoint where the attacker is hiding. This also allows attackers to intercept incoming traffic and redirect it to spoofed pages.
One of the most common ways of identifying a networked machine is by looking at its MAC (Media Access Control) address. Each device is supposed to have its own unique MAC address, and a lot of ISPs rely on it, since a dynamic IP addressing scheme hands out a different IP address each time a client connects to the network. So what do attackers do? They spoof their network adapter’s MAC address as frequently as possible. Every new internet session they join with a device has a new MAC address, so that traffic correlation becomes difficult. There are simple batch scripts to do this, but some prefer tools like TMAC to do the same.
Not everyone is well-off enough to afford a separate machine for their black hat activities. In such cases, attackers rely on virtual machines which are pre-loaded with an arsenal of tools, most of which we’ve already mentioned. And virtual machines can be destroyed in a matter of seconds without leaving a trace of their existence.
Password@123 – if this is your Wi-Fi password then you’re among the unlucky majority who are an attacker’s wet dream. Drive-bys are when attackers compromise your network, perform an attack and then leave. Your weak Wi-Fi security probably lost a bank a couple of thousand dollars. Needless to say, all machines connected to that network are now part of a botnet. Performing drive-bys is not difficult; there are devices like the Alfa AWUS036H, a high-gain wireless adapter that can be used from long range and is compatible with an assortment of malicious tools. One authentication handshake is all that’s needed for the attacker to compromise your network.
A good OS
Let’s assume you’ve goofed up and let your guard down. The authorities are en route with a pair of shiny new ankle bracelets, but you wouldn’t know till they knock on your front door. So it’s best to be prepared and not spoon-feed the feds all the information needed to incriminate you. This is where hard drive encryption matters. Tools like VeraCrypt and AxCrypt allow you to encrypt your hard drive to military-grade spec, and then even if you are caught, it’ll take the authorities ages to get in. Anakata, the co-founder of Pirate Bay, ended up with a pretty heavy jail term because he had not encrypted his drive.
There’s a lot more where that came from
Quite a lot of these hackers are extremely proficient at coding and develop their own scripts and tools which we shall never hear about; however, they’ll be used to accomplish essentially the same things we have mentioned here. Hackers are not necessarily on the wrong side of the law. It’s just that the law is so convoluted and vaguely worded that you’re always committing a crime when you’re on the fringes, and guilt by association is a very common tactic used by the legal system to make hackers turn on their own. So it’s only natural for them to take these steps, and now you know the how and the why.
This article was first published in the September 2016 issue of Digit magazine.