Wednesday, September 24, 2008

Tracking the Palin Email Hacker

Yesterday I wrote about how the alleged hacker got into Vice Presidential Candidate Sarah Palin's Yahoo email account on Tuesday, September 16. Today, let's take a look at how the hacker's IP address was traced starting with part of a message the hacker (username Rubico) had put up on the 4chan forum:

yes I was behind a proxy, only one, if this s*** ever got to the FBI I was f*****, I panicked, i still wanted the stuff out there but I didn’t know how to rapids*** all that stuff, so I posted the pass on /b/, and then promptly deleted everything, and unplugged my internet and just sat there in a comatose state.

Rubico had used a proxy service to try to hide his identity but quickly realized how exposed he still was. Proxy services are commonly used to reach sites that IT departments block; typical blocked sites include YouTube, Facebook, MySpace, etc. Proxy services are also used to play web-based online games on sites that are blocked. Here's a good definition of what a proxy server does, from Wikipedia:

A proxy server is a server (a computer system or an application program) which services the requests of its clients by forwarding requests to other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server provides the resource by connecting to the specified server and requesting the service on behalf of the client.

Here's a simplified diagram (modified from Wikipedia with some made up IP addresses) we can use to show how a proxy server/service works.

[Diagram: client computer (132.168.2.10) -> proxy server (10.7.5.3) -> yahoo.com; yahoo.com sees only 10.7.5.3]

Let's describe what happened referring to the diagram:

Rubico made his attack from the client computer (IP address 132.168.2.10), reaching yahoo.com through the proxy server (IP address 10.7.5.3). As a result, yahoo.com saw only the proxy IP address of 10.7.5.3 - it never saw the 132.168.2.10 client address Rubico was using. So.... using the proxy service masked his IP address from yahoo.com, whose servers logged the IP address accessing the account as 10.7.5.3. Sounds good so far - right? Yahoo logs the proxy address and Rubico is "hidden" from yahoo.com - at least for a little while.

This kind of setup works great for accessing sites that are commonly blocked by businesses, but it does not really hide client IP addresses from law enforcement. Rubico used a proxy service offered by Ctunnel.com. Ctunnel is a CGI proxy service and it is simple to use - it does not require any special browser configuration and can be used to access most sites on the web. According to the Ctunnel website, the proxy service is administered by Gabriel Ramuglia, owner of the Overnight PC computer repair shop located in Fairbanks, AK. Ramuglia set up the proxy so users could access a browser-based game he runs called Oil Fight. Because Oil Fight is a game, it could potentially be blocked by schools or corporations.

Here's more from the Ctunnel website:

Why should I trust Ctunnel?
By going through any proxy, you trust any data you send or receive to the proxy owner. To earn your trust I will be as open and honest with you as possible....... Open proxies may be honeypots to steal your information, or may be left open accidentally and be down tomorrow, or be otherwise unreliable. Ctunnel however, operates solely off money derived from advertising shown during the proxy session, and therefore will not be down tomorrow. Because our visitors value their privacy, it is not in our interests to spy on you, lest we lose traffic and advertising revenue. Because government subpoena could require us to hand over our server access logs, access logs are regularly deleted to protect your privacy. In short, we value your browsing experience as well as your anonymity, and would not do anything to break your trust in us.

Less than 24 hours after the hack, the U.S. Secret Service was knocking on Ramuglia's door with a subpoena. The proxy server's log files exposed Rubico: each Ctunnel user's IP address, the time and the destination had been logged, and the logs had not yet been flushed. By Sunday morning the FBI was knocking on the door of accused University of Tennessee student David Kernell with a search warrant.
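As an added example (not part of the original post), here is the kind of correlation an investigator does with the two logs described above: yahoo.com's record shows only the proxy address, while the proxy's own access log maps time and destination back to a client address, and whatever the retention policy has already purged cannot be correlated. All log lines, timestamps and field layouts are constructed; the made-up addresses 132.168.2.10 and 10.7.5.3 are reused from the post.

```python
from datetime import datetime, timedelta

PROXY_IP = "10.7.5.3"  # the post's made-up proxy address

# Constructed CGI proxy access log: "timestamp client_ip destination".
PROXY_LOG = """\
2008-09-16T14:01:07 132.168.2.10 yahoo.com
2008-09-16T14:01:40 192.0.2.77 facebook.com
2008-09-16T14:02:15 132.168.2.10 mail.yahoo.com
2008-09-16T14:09:58 198.51.100.5 yahoo.com
2008-09-16T16:30:00 203.0.113.9 youtube.com
"""

# Constructed destination-side record: all yahoo.com can log is the proxy.
SITE_EVENT = {"time": "2008-09-16T14:02:20",
              "source_ip": "10.7.5.3", "host": "mail.yahoo.com"}

def parse_proxy_log(text):
    """Turn proxy log lines into dicts with a real datetime."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, client_ip, dest = line.split()
            entries.append({"time": datetime.fromisoformat(ts),
                            "client_ip": client_ip, "dest": dest})
    return entries

def same_site(dest, host):
    """mail.yahoo.com and yahoo.com count as the same destination site."""
    return dest == host or dest.endswith("." + host) or host.endswith("." + dest)

def correlate(site_event, entries, window_seconds=600):
    """Candidate client IPs for a request the site saw from the proxy,
    closest in time first. Empty if the request did not come via this proxy."""
    if site_event["source_ip"] != PROXY_IP:
        return []
    t = datetime.fromisoformat(site_event["time"])
    window = timedelta(seconds=window_seconds)
    hits = [e for e in entries
            if same_site(e["dest"], site_event["host"]) and abs(e["time"] - t) <= window]
    hits.sort(key=lambda e: abs(e["time"] - t))
    ranked = []
    for e in hits:  # de-duplicate, keeping the closest-first order
        if e["client_ip"] not in ranked:
            ranked.append(e["client_ip"])
    return ranked

def surviving_entries(entries, purge_before):
    """What a 'logs are regularly deleted' policy would still hold at subpoena time."""
    cutoff = datetime.fromisoformat(purge_before)
    return [e for e in entries if e["time"] >= cutoff]
```

A shared proxy yields more than one candidate inside the window, and a purge that ran before the subpoena removes the only entries that pointed at the real client.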

4 comments:

Anonymous said...

Using something like this to hide your identity is just as good as the end point, in this case, a small service that must respond to the law. It was an irresponsible act. Using something to make yourself anonymous -- regardless of whether you're being stalked or you're a foreign dissident or a whistleblower or a criminal or terrorist -- it brings attention. If you use something like TOR you're only as secure as the endpoint and all the TOR server operators who you gotta trust. Faced with a subpoena there's nothing anyone can do but give it up. Look what happened with Google in the Viacom suit. They promised people their data was safe and asked them to trust them -- then it turned out that not only was it not encrypted, they also lost control of it. So Google or any other anonymizer might easily fail the test when it comes to digital or physical security.

Gordon... said...

Excellent comment!

Anonymous said...

Now if he didn't use a US based proxy, how much would it have slowed down the men in the dark suits?

Gordon... said...

He may not have fully realized what he was doing at the time but he likely understands now.