A single mistake is all it takes
In February 2012, following the arrest of the leader of the hacker group LulzSec, I read a brief mention in an article of how the capture of their leader, Hector Monsegur, had been made possible. According to the article, the claimed leader of the world's most wanted hacker group at the time made a mistake in operational discipline and accidentally revealed himself to the FBI. This of course resulted in a knock on the door and his subsequent arrest. That mistake took New Yorker Hector Monsegur from celebrated underground hacker in LulzSec to FBI informant in an instant.
So what huge mistake did the seasoned hacker responsible for hacking an FBI affiliate and taking down the cia.gov website make? Actually, it wasn't a big mistake at all. Just once, during months and months of malicious security operations, he logged into a third-party IRC server while forgetting to use Tor, the free anonymity network of choice for hackers as well as privacy-conscious citizens all over the world. Hector Monsegur was connected to the IRC server from his real IP address for only a few seconds before disconnecting, but the harm was done: like almost any server, it logged the connecting address, so his real IP had been recorded and his fate was sealed. Human factor versus operational discipline, score 1 – 0.
The Great Firewall of China
Another example of botched operational discipline I read about is the claim from the US side (see the Mandiant report linked below) that Chinese government hackers operating against US targets blew the cover of their operation by accessing their own private Facebook profiles from the same equipment used to hack US sites. Due to the nature of their mission, the infrastructure set up for them bypassed the Great Firewall of China. Since access to Facebook is normally blocked for ordinary citizens within China, the story goes that these hackers thought it a good opportunity to catch up on the latest Facebook likes. The result was thorough US documentation of several of the Chinese hackers involved, as well as a pinpoint of where they operated from. Human factor versus operational discipline, 2 – 0.
And the final example of the devastating 3 – 0 win for the human factor over operational discipline comes from legendary hacker Kevin Mitnick. In his book Ghost in the Wires he describes sitting in his motel room after three years on the run from the FBI when he gets the knock on the door. It's the FBI, who after all this time have finally found their most wanted hacker. Or have they? The agents are having a hard time establishing the identity of the man in the motel room, since the only photograph they have of Mitnick is several years old and he has changed his appearance while a fugitive. Mitnick, a self-proclaimed master of social engineering, of course doesn't make the agents' lives any easier. The problem for the FBI is that if the person in the motel room isn't Mitnick, they have no warrant, and the agents really are not sure whether this is the right guy. Kevin Mitnick almost slips away once more. Then, almost by accident, the agents find a small note in a jacket in the room. The note is a four-year-old receipt with the name Kevin Mitnick as the recipient. Consequently the world's most wanted hacker is caught after three years of fooling the FBI. And why? Only because years earlier he had left a receipt with his name on it in his jacket. That tiny slip earned him five years in federal prison.
True or false
Of course, stories such as the ones above should be read with a healthy dose of skepticism, especially the second one, given that it involves nations spying on each other. It can safely be presumed that vast amounts of disinformation from all involved parties appear in the media all the time, and this could be one of those cases.
But regardless of whether the examples above are true or not, there is most definitely a lesson to be learned from them, and that is that all people make mistakes. People make a lot of mistakes. Operations not going as planned are the most natural thing in the world, even for brilliant hackers or extremely well-prepared government spies. The odds are always against the party that can't afford to make mistakes. This is true of any activity, but when one tiny mistake means the difference between your freedom and a hundred-year sentence in a US federal prison, the impossibility of maintaining one hundred percent effective operational discipline really comes to light, making it virtually impossible not to get caught in the long run.
What really fascinates me, though, is that so many individuals involved in security operations still overestimate their ability to avoid making mistakes. Apart from the obvious moral reason not to commit computer crime, I would argue that this is the most convincing reason to take the narrow road. In my opinion, no human being can consistently keep track of the thousands of technical and human factors involved in being invisible online while at the same time performing malicious or disruptive attacks, and do so without ever making a revealing mistake that yet again lets the human factor win over operational discipline. Or can they?
While I was writing the above, a thought suddenly crossed my mind. Isn't it logical that the ones not making any mistakes at all would also be the ones no one has ever heard of? If that is true, how can I be so sure they don't exist?
Note: I later read the same story in the book "We Are Anonymous" by Parmy Olson, where it was also regarded as true. Since Hector Monsegur has still not been put on trial in the US, there are to my knowledge no official documents regarding the arrest.
Amazon - We Are Anonymous: Inside the Hacker World of LulzSec - Parmy Olson
Ars Technica - The latest on the unmasking of LulzSec
Mandiant Intelligence - APT1: Exposing One of China's Cyber Espionage Units (report)
Amazon - Ghost in the Wires - Kevin Mitnick