When teaching classes on network forensics to law enforcement officers there are always a few sections that stick out, to me, due to the reactions they generate: Internet Routing (attempting to explain the difference between an internal IP address here and what a server sees on the other end) and, similarly, Proxies.
For some students just learning about the complexities and intricacies of Internet architecture, discussions of proxy servers and chained proxies are just too much. Conceptually, proxy servers are simple: they are servers that sit between a user and the Internet (or some other network). The proxy server takes requests from the user and sends them to a server, then receives responses from that server and hands them back to the user. A simple handoff. The real problem comes in trying to explain the method for tracking a user through a proxy, or a chain of proxies.
Often students become frustrated; tracking users through multiple proxies in multiple countries seems like a very difficult, even insurmountable, task. And, certainly, it can be. The advice I give them usually boils down to this: don't think about how to find a proxied attacker head-on, because it probably won't work and will take up a lot of time. You're investigating the entire situation, not just this one connection. Look at all the other pieces of information you have and narrow other things down; keep the proxy in the back of your mind for when you've pieced together more of the investigation.
It turns out that, many times, someone using a proxy might make other mistakes that completely negate the benefits of the proxy.
Enter Sarah Palin, Republican Vice Presidential Nominee Extraordinaire.
A couple of days ago 2 of Palin's private Yahoo! email accounts were hacked by a group called Anonymous. Anonymous has gained Internet notoriety over the past year for its crusade against Scientology. Anonymous has hacked into numerous Scientology websites, releasing internal documents and mail, as well as organizing grassroots rallies against Scientology in a number of major cities around the world. And now they've decided to take a shot at Governor Palin.
After the email accounts were compromised, the login details were posted to a popular underground message board site called 4chan. A user, presumably from 4chan, then logged in to Palin's Yahoo mail account using a web proxy called CTunnel, and took screenshots of several email lists and contact lists, as well as some personal pictures from the emails. This information has been posted in other places around the web, most notably on Wikileaks.
So a simple diagram of this part of the attack looks like this:
CTunnel, the orange computer in the diagram above, is acting as a proxy. Requests from the hacker are sent to CTunnel, which then sends them to Yahoo. When Yahoo responds, it sends the response to CTunnel, which relays it back to the hacker. Pretty simple. This adds a layer of anonymity for the hacker: Yahoo doesn't know who logged in to Palin's account, only that the connection came from CTunnel. This means investigators need to get 2 sets of subpoenas and go through 2 sets of logs, if the evidence is still there at all. Good for the hacker, bad for investigators.
The Catch
Well, actually, there are 2 catches. Rule #1 when dealing with Internet systems is that they are only as secure as the trust you can place in them. No matter how many layers of anonymity or types of encryption I use, if I can't trust the computers I'm transmitting to, it probably doesn't matter. I'm sending all my data to a site I don't own, hosted in the United States, that offers a free service. How much can I trust that service?
From CTunnel's "About" page:
- Why should I trust Ctunnel?
By going through any proxy, you trust any data you send or receive to the proxy owner. To earn your trust I will be as open and honest with you as possible. See below for information about who I am and why I run this service. Open proxies may be honeypots to steal your information, or may be left open accidentally and be down tomorrow, or be otherwise unreliable. Ctunnel however, operates solely off money derived from advertising shown during the proxy session, and therefore will not be down tomorrow. Because our visitors value their privacy, it is not in our interests to spy on you, lest we lose traffic and advertising revenue. Because government subpoena could require us to hand over our server access logs, access logs are regularly deleted to protect your privacy. In short, we value your browsing experience as well as your anonymity, and would not do anything to break your trust in us.
Server access logs are deleted regularly. That's good; those are the things that are going to trace which computers made requests to which other computers. Somewhere in those logs is every website you visited using their service, which means somewhere in those logs is an entry showing someone logging in to Sarah Palin's Yahoo mail account. But the logs are deleted regularly (probably on the order of several days or weekly, depending on how the administrator sets it up), so all you have to do is wait a few days and you're in the clear. By the time the police get to the CTunnel server to look for your information it will have been deleted and you'll be safe.
Oh, but you know that's not the end.
How do we know that the hacker used CTunnel instead of some other anonymizing service, anyway? Because the screenshots he took of Palin's email account are of his entire browser window, not just the email. If you look at the screenshots from Wikileaks, or just click this one for an example, you'll see the title bar at the top displaying an address beginning with "http://ctunnel.com" followed by a long string of characters.
Those characters are not random; they link a user to his request. Those characters are exactly what you need to find the relevant records in CTunnel's database. It's kind of like robbing a bank wearing a ski mask but leaving your name tag from work on. Sure, nobody in that bank knows who you are, but it sure won't be too hard to find you now.
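To make the two catches concrete, here is a small Python model of the trail a CTunnel-style web proxy leaves and how an investigator uses it. This is an added example, not code from this post, from CTunnel, or from The Register, and it does not reproduce CTunnel's real URL format or logging: the proxy hostname (proxy.example), the query parameter carrying the session token, the IP addresses, timestamps and destinations are all constructed for the illustration. The proxy side writes one log entry per request (client IP, time, destination, session token) and rewrites the URL so the token shows up in the browser's address bar, which is what ends up in a screenshot. The investigator side pulls the token back out of a URL, matches it against the log, and shows that the proxy's retention window decides whether there is anything left to match.

```python
"""Toy model of a web proxy's access log and the investigator's correlation step.
All hosts, IPs, tokens and log entries below are constructed for the example."""
from datetime import datetime, timedelta
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

PROXY_HOST = "http://proxy.example"   # stand-in for the proxy's hostname (assumption)


def proxy_request(log, client_ip, destination, when, token=None):
    """Proxy side. Forwarding to the destination is not simulated; what matters
    for the investigation is the log entry and the rewritten URL the user's
    browser displays, which carries the per-session token."""
    token = token or secrets.token_hex(16)   # new session => fresh token
    log.append({"ip": client_ip, "time": when, "dest": destination, "token": token})
    # Query parameter name 's' for the token is an assumption of this model.
    return f"{PROXY_HOST}/?{urlencode({'s': token, 'u': destination})}"


def token_from_url(url):
    """Investigator side: recover the session token from a URL read off a
    screenshot. Returns None when the URL carries no token."""
    query = parse_qs(urlparse(url).query)
    return query.get("s", [None])[0]


def purge_log(log, now, retention):
    """The proxy's scheduled log deletion: keep only entries inside the
    retention window. Returns the number of entries that survive."""
    cutoff = now - retention
    log[:] = [entry for entry in log if entry["time"] >= cutoff]
    return len(log)


def find_origin(log, token):
    """Correlate a token with the log: every matching entry yields the origin
    IP, time and destination. An empty result means the trail is gone."""
    return [entry for entry in log if entry["token"] == token]


def run_scenario(retention_days, investigation_delay_days):
    """Constructed scenario: ordinary users plus one session logging in to a
    webmail account, then an investigator arriving some days later with a
    token read from a screenshot. Returns the matching log entries."""
    log = []
    t0 = datetime(2008, 9, 16, 14, 0)
    proxy_request(log, "198.51.100.7", "https://webmail.example/login", t0)
    # The session that gets screenshotted: two requests under one token.
    shot_url = proxy_request(log, "203.0.113.42", "https://webmail.example/login",
                             t0 + timedelta(minutes=5))
    proxy_request(log, "203.0.113.42", "https://webmail.example/inbox",
                  t0 + timedelta(minutes=6), token_from_url(shot_url))
    proxy_request(log, "192.0.2.9", "https://news.example/", t0 + timedelta(hours=1))

    # Time passes; the proxy's log rotation runs before the investigator arrives.
    now = t0 + timedelta(days=investigation_delay_days)
    purge_log(log, now, timedelta(days=retention_days))
    return find_origin(log, token_from_url(shot_url))


if __name__ == "__main__":
    # Investigator arrives inside the retention window: the token resolves.
    for entry in run_scenario(retention_days=7, investigation_delay_days=2):
        print(entry["time"], entry["ip"], entry["dest"])
    # Investigator arrives after the window: nothing left to correlate.
    print("after retention window:", run_scenario(7, 10))
```

The point of the model is that the token is a stronger lead than the destination alone: many users of the proxy may have logged in to the same webmail site, but only one session carries that token, so the match is exact. Whether the match exists at all depends on the retention window relative to how quickly the investigator gets to the proxy's logs, which is why the retention clock is the first question to ask of any proxy operator.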
The CTunnel Admin Is Your Friend?
Last chance. CTunnel is a site that values privacy; maybe it's run by a left-wing privacy nut who, upon hearing about the story, will destroy all the logs to stick it to the man!
From The Register:
"Usually, this sort of thing would be hard to track down because it's Yahoo email, and a lot of people use my service for that," he told El Reg in a phone interview. "Since they were dumb enough to post a full screenshot that showed most of the [Ctunnel.com] URL, I should be able to find that in my log."
...
To prevent abuse of the service - such as the occasional bomb threat or other illegal act that's been known to happen - Ramuglia logs each user's IP address, along with the time and web destination...
Nope, the admin tracks all this information in case of abuse... and thinks the hacker is an idiot for posting the screenshots like that. Well, on the plus side, the person who accessed the account doesn't appear to be the one who hacked in; they were just using the credentials they found. Of course, they did then download the address book, personal pictures and correspondence of the Vice Presidential Candidate of the Republican Party. Probably not the smartest move.
Oh, and a special message to Governor Palin (since I'm sure you'll be reading this blog post): rumor has it that your password was "popcorn". Just some friendly IT advice: you might want to try something a little more complex. Throw in some upper and lower case, maybe some symbols or numbers. It might not keep Anonymous out of your email accounts, but it definitely couldn't hurt.

Well done, sir. It was informative and entertaining. Kudos.
Posted by: John Ross | September 18, 2008 at 04:51 PM
The second person really wasn't a hacker.
You do know that.
Criminal trespasser, but no hacking was involved to get information from a message board and wrongly log into someone else's account.
Posted by: O'YesWeWill | September 19, 2008 at 10:17 AM
@John: Thanks, I think the little extra the awesome photoshop images add is really worth it :)
@O'YesWeWill: Thanks for the comment. You're right, I was using "hacker" to refer to the person that gained illicit access to the account, rather than the person that initially gained the account information. Although, in this case, the first person didn't really do any "actual hacking" either. According to another post on 4chan the hacker used Google, the USPS web site and Wikipedia to find the answers to Palin's security questions for Yahoo's "Forgot Password" feature. Definitely more hacking than a person that just finds the username/password, but still not much "traditional" hacking.
Posted by: dmo | September 19, 2008 at 10:58 AM
Interesting comment by O'YesWeWill. Johnny Long actually runs a training called Non-technical hacking. I am not certain of the exact title, but non-technical is definitely the adjective he uses to explain 'hacking'. The Tiger Team series on Tru TV also uses social engineering attacks to gain network information. Both of these sources (hard to argue with Johnny Long's street creds) believe that non-technical information acquisition that enables the finder to access a network or computer is hacking. I think that the blog author's expansion of the definition of hacking to include any means by which the access information is gained is more accurate than the 'old speak' narrow definition of having to perform keyboard magic. I would propose that under the old definition nmap and good old-fashioned techniques of typing in pets' names and birthdays are not hacking either. With the increasingly ubiquitous factor of such easy information acquisition (both technical and non) is anyone really hacking anymore?
Posted by: joeyd | September 19, 2008 at 12:49 PM