March 13, 2015

In recent forensic investigations for U.S. customers, we stumbled across a lot of non-proxied attacks from Latin American countries. Many people ask us why a lot of attackers don’t even bother to disguise their true source IP addresses. There are a number of different issues surrounding this.

  1. Weak IT legislation, no IT legislation, or governments and law enforcement agencies unwilling to co-operate with certain countries. This is something that can’t be changed and won’t be changed easily. In certain countries you can buy pirated software, pirated music on 8 GiB USB sticks and 100 GB hard drives full of the latest movies in “mercados”. Those countries of course don’t care about hacking activities or other illegal actions done online if they permit them offline.
  2. Completely incompetent Internet Service Providers who ignore all aspects of security, logging and so forth. We won’t mention countries or ISP names, but the issue is more than widespread. During one of our recent assignments we found that entire peering routers for various IP ranges had no access filter for remote access, and the username was set to admin with the password (guess?) admin123. We discovered that all main core and DSL access routers had the same local authentication of admin and admin123. Should a hacker uncover this, a city of 4 million people is pretty much offline.
  3. Wireless security is 95% non-existent. For example, in Mexico 50% of all private and business users have their access points either open or WEP encrypted. Those who use WPA leave it at the factory default, which is a numeric string of 8 – 12 digits. A rainbow table for this is standard equipment for any pentester. Then you have about 5% left where you may need to employ social engineering techniques.
  4. Location tracking and IP address assignment by ISPs. Another big problem. IP addresses are handed out in a widely uncoordinated manner, meaning that a person in city X will get an IP registered to city Y. Mobile apps in particular suffer from these assignment and tracking problems, making it really hard to track the actual location.
  5. Little to no IT security awareness amongst employees of ISPs and businesses. Whilst social engineering works well in developed countries like the U.S. or Europe, in Latin America even basic password rules are widely ignored. There is a strong understanding that physical security is important (gates, guards, cameras etc.), but IT equipment is left wide open.
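
As an added example (not from the original post), the following Python audits a WPA passphrase against the weak factory pattern described in point 3 and derives the WPA2 pairwise master key the way the standard does, which shows why a precomputed table is tied to one SSID. The sample passphrases and the SSID are constructed placeholders, not real credentials.

```python
import hashlib
import math

# Constructed sample passphrases: two in the factory style the post describes
# (8-12 numeric digits) and one strong one. Placeholders, not real credentials.
SAMPLE_PSKS = ["0123456789", "86753091", "correct horse battery staple"]
PLACEHOLDER_SSID = "FACTORY-SSID-PLACEHOLDER"  # constructed, stands in for a vendor default


def is_factory_style_psk(psk: str) -> bool:
    """True if the passphrase matches the weak factory pattern: 8-12 digits only."""
    return psk.isdigit() and 8 <= len(psk) <= 12


def numeric_keyspace(min_len: int = 8, max_len: int = 12) -> int:
    """Number of candidates an all-numeric 8-12 digit passphrase policy allows."""
    return sum(10 ** n for n in range(min_len, max_len + 1))


def wpa2_pmk(psk: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 32 bytes.

    The SSID is the salt, so a precomputed table is only valid for the exact SSID
    it was built for. A factory SSID plus a factory-style PSK is what makes such a
    table worth building; changing either one invalidates it.
    """
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def audit_psk(psk: str, ssid: str, factory_ssid: bool = False) -> dict:
    """Classify a passphrase/SSID pair; returns entropy estimate and findings."""
    # Rough entropy: digits only -> 10 symbols, otherwise assume 95 printable ASCII.
    entropy_bits = len(psk) * math.log2(10 if psk.isdigit() else 95)
    findings = []
    if is_factory_style_psk(psk):
        findings.append("factory-style numeric PSK (8-12 digits)")
    if factory_ssid:
        findings.append("factory SSID: a table precomputed for this SSID applies")
    if entropy_bits < 60:
        findings.append("low entropy")
    return {
        "pmk": wpa2_pmk(psk, ssid).hex(),
        "entropy_bits": round(entropy_bits, 1),
        "findings": findings,
    }


if __name__ == "__main__":
    print(f"numeric 8-12 digit keyspace: {numeric_keyspace():,} candidates")
    for psk in SAMPLE_PSKS:
        print(psk, audit_psk(psk, PLACEHOLDER_SSID, factory_ssid=True))
```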

The list goes on and on, and with those deficits in IT security across entire country infrastructures, hackers and people with malicious intent have no obstacles in their way. The missing legislation in many countries, along with the non-enforcement of the little legislation in place, certainly assists hackers in their activities.

Cyber Crime and IT Legislation

Author: Martin Voelk
November 27, 2014

As part of our penetration testing and forensic engagements with our customers, we often get asked: Can we not involve law enforcement to track down the hackers who attacked us and bring them to court? The answer is: it depends where the hackers are based!

We live in a networked world, but the world doesn’t have the same laws. In a recent forensic case the customer was all too happy because they thought the attacker had a European IP address. However, upon investigation, a school server in Europe had been compromised and used as a relay. The school was happy to assist in our investigation. Analysing the logs led to the likely real source: China! That means game over.

We worked on a case where a customer website, including its design, had been mirrored by a Chinese firm. Intellectual property infringement. Nothing you can do. If the persons doing this reside in a non-Western country, your chances of taking those people to court are next to zero. After Romania and Bulgaria joined the EU, we have seen good progress in the ability to involve local law enforcement, but there are dozens and dozens of countries where this is not possible.

A lot of the hacks and frauds originate from, but are not limited to, China, Russia, South America, the Middle East, Africa and Far East Asia, often from countries where there is little or no IT legislation. In other words, hacking is not a crime in some countries. Yes, you heard that right. We know those countries but won’t name them. Google Search knows them too.

The other problem is where countries have bad or no relations with each other. A few examples: almost no Arab law enforcement agency cares about attacks against Israeli servers, and vice versa. An Israeli hacker would likely not face problems at home for attacking an Iranian server. The current situation between Ukraine and Russia, and between Russia and the West, gives the same picture. Then there are countries with war zones, where no one can or will enforce hacking investigations, such as Syria or Iraq.

We recently worked with a UK customer who got hacked. We were able to trace the real IP down to the source. It was in Argentina. Game over. Everyone knows that the relationship between Britain and Argentina is poor, to say the least. Law enforcement in Argentina will not help to investigate or prosecute an Argentinian hacker who attacked a UK company, unless there is some public or national interest (maybe).

Hackers who know the legislation know very well where they can launch attacks from and where they can’t. In the West a lot of cyber criminals hide in the TOR/deep web network and try to disguise their real location. In some countries of the world there is no need to use TOR because hackers won’t face problems. A lot of the serious hacking boards are publicly hosted in Russia on the white web. The same goes for Chinese forums.

The issue is complex and difficult.

We can only recommend that customers get a pentest to check their security before they get hacked! Tracing down hackers, or even prosecuting them if they are based outside your home or Western jurisdiction, is as good as impossible and will cause frustration for the victims.