undefined | Better HN

0 pointsnikcub14y ago0 comments

if I were tasked with catching these guys, I would:

* setup numerous honeypot open proxies and tor gateways

* work with journalists to have all emails and communications forwarded

* isolate ddos clients and reverse-engineer command and control. surprisingly many of these trojans are poorly written and have security holes themselves

* setup numerous fake twitter profiles and provoking them into responses - things like posting images, replying, etc.

* setup fake hacker groups. stage defacements etc. in order to get in touch with them

* I would write a system that tracks and stores every bit of communication they make and plot out their social communication graphs and when they are talking, who to, etc.

* ask ISP's or proxy providers to grep for traffic patterns.

* get user-agent info from twitter, or provoke them into visiting a link, and possibly load malware. no browser is really safe in a targetted attack

* word/speech tracing. this is why 1337 5p34k was invented, so you can not be traced via your vocab/grammar/spelling/phrases etc. it doesn't take a large sample to start narrowing it down

probably more - haven't really thought about it, but when i did see that they started using twitter I gave them 3-4 months, tops.

0 comments

5 comments · 4 top-level

chippy14y ago· 1 in thread

"1337 5p34k was invented so you can not be traced via your vocab/grammar/spelling/phrases etc"

What about txt msg spk?

spicycat14y ago

It was invented so you can not be understood via your vocab/grammar/spelling/phrases etc.

trotsky14y ago

get user-agent info from twitter, or provoke them into visiting a link, and possibly load malware. no browser is really safe in a targetted attack

This is certainly the most direct way. I'd be pushing exploits from the twitter data center and sharing links to funny/cool #antisec whatever in irc hangouts. The client is almost always the weakest link here, and with people using multiple devices you get lucky once or twice and get some malware on a phone or pc.

If you're investigating foreign hackers on foreign soil you have a lot of leeway in terms of back hacking them, the US is definitely using this kind of approach in anti-terror.

Once you get the right guy and know it's him, share the details with the local authorities and let them figure out what legal info they have to build a case now that they know who they're after.

The other way I'd do it is with a fleshed out honeypot. Set up something tempting with two stages of flaws and some good documents. Bring the first flaw to on of the farm irc channels with something semi-juicy you got out of it. They'll probe the rest of the system and find the second dangled SQLi flaw and some juicy data. If you can set up and watch them in advance some mistakes will generally be made, and whatever documents and executables you leave to get stolen will probably end up being handled in an unsafe fashion. Think how tempting a VPN software token authenticator would be to run, and I highly doubt that stuff would get RE'd before it got run. If you can get them to voluntarily run some software they stole from you you won't be needing a warrant in advance.

burgerbrain14y ago

  "* setup numerous honeypot ... tor gateways"

What would that achieve?

shareme14y ago

or in fact form a fake group to set up a social network for Anonymous users ..except whoops its a honey pot..

j / k navigate · click thread line to collapse