It’s been a few weeks since Palin’s “hacker,” David Kernell, got caught because he left a reference to ctunnel.com in the screenshots of Palin’s email.
What if David Kernell was able to remove the references to ctunnel.com? What would the FBI have to do to catch him? And how would a would-be hacker avoid detection?
- The FBI would have to obtain records from Yahoo and 4chan, and these records would hopefully reveal the IP addresse(s) that accessed Palin’s account.
- The FBI would also have to search data retrieved from a descendant of Carnivore, a wiretapping software used for the Internet c. 2001. Such data could reveal the MAC address of the hacker. The MAC address would lead to the place of purchase for David’s network card.
Even if David Kernell photoshopped ctunnel.com from the screenshots of Palin’s email, the FBI could still have catched him in two ways:
- The IP address at Yahoo or through Carnivore-like software would have led the FBI to ctunnel and then to David’s IP address.
- The MAC address gotten through Carnivore-like software at David’s ISP (which is not really likely) would have led the FBI to the store at which David’s computer was purchased. Something like “ping davids_IP && arp -a” would have to be run on a LAN level.
So how else could David have avoided detection?
1) He could have chained proxy servers.
2) He could have used a combination of p2p networks like the ones used for downloading movies and music to get to the web pages.
But even then, the FBI would still be able to catch him.
The FBI could still log name server look ups, the very techology that allows your computer to see www.fbi.gov as 64.212.100.43. If a log of name server look ups matched the time stamps of when the hacked pages were accessed, then the FBI would have a strong reason to believe that the hacker was using the ISP that provided the name server lookup, and from there get to David.
Okay, okay. Let’s say that David disabled name server lookups. Could the FBI catch him if he went as far as that?
If somehow his MAC address got leaked that would lead right to whoever purchased his computer’s network card. If he paid cash for his network card on the black market, or Craig’s List, then the FBI would be on a wild goose chase.
I think if he took all the precautions above, the FBI would be at a total loss for tracking Palin’s Hacker if he were l33ter.
Thoughts?
8 replies on “How the FBI Would Have Tracked Palin’s Hacker If He Were L33ter”
I have been out of the l33t community for a few years now, but is there still such a strong black market for NICs? You can find a working 10/100 NIC lying around in computers, bought 6 years ago, lying on the street waiting to be collected by the garbage men.
You know you can change the MAC address for almost any NIC. No need to pay cash or use the black market 🙂
@Ezra Butler I was joking about the market for NICs. I’m pretty sure a really paranoid criminal would just use a stolen laptop.
@Ryan Good point! So after changing the MAC would there still be a way for a cyber-sleuth to catch him after using all the precautions above?
@Barce – Hold on a sec – l33t hackers aren’t “paranoid criminals”, they don’t “steal”! They simply “borrow for temporary use”. Even in @ryan’s case, they have to make sure that the MAC isn’t being used by another machine at the time, or else packets will get lost.
A much simpler way would be going into a library in Alaska, simply logging on at any terminal and hacking away. I am assuming that there must be computers there with little security, because they are near Russia, and books have been banned for years.
@Ezra Butler – Ya, there’s a fine line between criminal and hacker. I think around the 1980s there was a time when hacker wasn’t equal to criminal. The powers that be did a good job on me and it’s hard to get away from 25 years of media telling hackers are criminals.
Few notes:
1. MAC addresses are used only on the data link level, not on the transport protocol level (TCP/IP). So, your MAC address stops at your router. It also has a MAC address which then stops at your ISP and never reaches any remote host you visit. They would only know to look at your ISP if they had your IP address, in which case you’re already screwed.
2. Your IP address can still be tracked down no matter how many proxies you chain if all of them either keep logs or are on an ISP that keeps logs. That’s almost a guarantee these days.
3. Even fetching web pages through a p2p network can be tracked down if ISPs of computers along the path keep enough logs. It partly matters how quickly the breach is discovered so that they request logs while still available.
As to the real question of is it possible without being traced, I’m not leet enough to know.
@Ryan thanks for your comments. I definitely need to review TCP/IP illustrated and some RFCs.
I am not so sure about #2 based on software like tor and privoxy used in combination.
Have any of you folks checked this software out:
http://www.torproject.org/
and
http://www.privoxy.org/
Thank you all for reading!
There has been an exploit used for years with java.
If you have java and it’s being used in a browser the website you visit can see your internal IP/Network IP—10.10.0.1 or 192.168.0.1 or what ever you internal IP is.
Yes this can happen and has been happening for at least a decade.(Sun micro systems has known about this for years). I have spoken to them on the phone about this but they do nothing.
If you have java disabled in your browser your internal IP (Network IP)is hidden.
Yes your MAC can be seen too using some other exploits.
It is best to spoof your internal ip and mac.
Many routers like linksys allow for this however many people do not know how to configure them this way-the instructions for the router will not show you how to do this.
Most people just open the box plug it in and let it run.
All router are different so i will not go into this deeply showing how to do this.
Google router MAC spoof or router internal IP spoof.
Have a linksys router? did you know you can call a tech for free?
Linksys is very good about teaching people about the routers they sell.
Get a good tech on the line and they will teach you about your router.
Ask them how to change your internal IP and how to change your MAC.