Hacking the Hackers

Arthur Piper


October 1, 2014

rm10.14_hackthehackersIn January, LinkedIn began civil legal proceedings against hackers who had been "scraping" the personal details of its customers. The perpetrators allegedly created fake accounts to search the professional details of potential job candidates and used these details in their own recruitment businesses.

"By pilfering member data from the LinkedIn site, the defendants' misconduct threatens to degrade the value of LinkedIn's Recruiter product, which LinkedIn has invested substantially in over the years," the company claimed. "On information and belief, the defendants, who have invested none of their own time and resources into developing and building the LinkedIn platform, have engaged in their scraping activities in an attempt to establish competing recruiting websites and usurp LinkedIn's Recruiter product."

The problem for LinkedIn was that it did not know who the individuals were. So its lawyers issued a so-called "John Doe" notice, which would allow the company to subpoena witnesses, demand documentation from internet service providers and effectively proceed with their civil case until it had enough evidence to fill in the names of the suspects.

The tactic worked. Shortly after LinkedIn filed suit, its lawyers amended the original complaint to contain the names of a two-year old company, HiringSolved, and its chief executive officer, Shon Burton. In July, both sides agreed to a judgement on consent.

While the actual details of the settlement are confidential, the court order proposed that HiringSolved pay LinkedIn a cash settlement of $40,000, delete all LinkedIn data, and remove any references to LinkedIn in its product platform, marketing materials and any other branding. HiringSolved would also remain in compliance with LinkedIn's terms and conditions in the future.

John Doe notifications are more often used by government agencies than businesses, according to Nicole Strecker, a lawyer and managing director of the IT staffing agency STA Worldwide. John Does are aimed at finding out the identities of hackers hiding behind technological smokescreens such as a proxy server or firewalls. But, she said, firms are increasingly using them in civil proceedings to track down and prosecute hackers, although most cases remain unreported by the media. "Most of the time you are not going to hear an announcement that companies are pursuing unnamed people, they just go ahead and do it," she said. "But this was LinkedIn."

While there are no official figures, industry experts report that civil cases against hackers are on the rise. Businesses are looking to establish who the guilty party is and to retrieve lost money. "This is a common route to take today," said Benedict Hamilton, managing director in Kroll's investigations and disputes practice. "There are lots of successful actions going through the civil courts and, very pleasantly for the victims, they are not getting much publicity."

Even when hackers live in hard-to-reach jurisdictions, their assets often are not as difficult to locate. Many have villas and yachts in the best U.S., Mediterranean and Caribbean resorts, he said, and "you can get court orders there to seize them, often recouping $15 to $20 million in one go."

But civil proceedings are not an easy route to take. The law has not been fully tested in many areas, and businesses that want to pursue this line of attack must produce evidence and identify the perpetrators. Finding out what happened on the server is the easy part: a server automatically produces logs of the work people do on them, so the company's IT professionals should be able to compile a schedule of unauthorized activity.

In one case, Hamilton said, hackers sent an email with a bogus link to 1,000 employees in a firm. The link claimed to be from the human resources department, but it took them to a false page. Forty people visited that page and seven entered their credentials, allowing the hackers access to the network. Kroll was able to identify the work done by the real employees and separate that from the hackers' activity.

It is more difficult to find the perpetrators. Hackers use sophisticated techniques to block their server's IP address-the unique digital code that identifies each device on the internet. But it is not impossible. In the phishing scam Hamilton described, the hackers slipped up. They usually used compromised IP addresses but, on a couple of days, they forgot, revealing their true IP address, which Kroll traced to a property.

"Essentially, you are looking for moments when they need to use money, moments when they need to register, or moments where they just get lazy," he said.

Unless it is a group of teenagers using their own computers at home, identifying and tracking down hackers can be time-consuming and expensive, which is why it has traditionally been left to law enforcement. They can obtain warrants and information under the secrecy of court orders. Businesses, on the other hand, have concentrated on reviewing their internal networks to reduce the potential risk of breaches. Industry associations have become good at allowing member businesses to share information-often made anonymous to protect competitors-so that they can fortify their systems against the latest hacks.

That passive attitude to managing the risk of cyberattack is changing, however. Some organizations are setting traps for hackers within their own networks, or designing fake networks to catch the perpetrators. Data on the fake part of the site can often be traced to the criminals when they sell or attempt to use it. Other businesses are setting up databases in more sophisticated ways to both prevent serious loss and to help create evidence that can be used in court at a later date.

According to Joseph Steinberg, chief executive of online security firm Green Armor Solutions, while it may be possible to present computer logs in court, having them stand up as evidence is another matter. The defending lawyer is likely to argue that the logs are inaccurate, or have been tampered with by the plaintiff. Larger corporations often have mechanisms in their systems that ensure such logs are not accessible even to administrators.

"They are at least backed up in some fashion not accessible to administrators so that a copy is preserved in a way that, objectively, an expert would say has not been tampered with," he said. "We have had the technology to do this for a long time, but you've got to make sure you set it up in a fashion that's going to hold up in court."
To Disclose or Not to Disclose?
One of the most important decisions a business makes when it has been hacked is whether to inform the authorities and any individuals whose data was compromised. Typically, it is not an easy call to make, especially as disclosure requirements are not uniform worldwide. In the United States alone, almost every state has its own data breach reporting requirements, which normally include a combination of the different kinds of data involved in the breach, whether the data and person can be linked, and whether any potential loss is material. The more personally identifiable data has been lost, the greater the chance that a business will need to report. That obligation extends beyond the consumer. In the United Kingdom, for example, firms may need to report such events to the individuals concerned and the Information Commissioners' Office, which deals with such matters.

"Companies may think they are just located in a state or a country, but they may well be processing information about customers based all over the world," said Bridget Treacy, partner leading the U.K. privacy and cybersecurity practice at the law firm Hunton & Williams. "In each case, you need to look very carefully at what the local requirements are where you and your customers are based."

She advises organizations to develop a policy document establishing a response in the event of a hack or data breach. It should identify a core team with specific roles and responsibilities, including external advisers like IT forensic experts, press relations teams and lawyers. "Companies that handle this particularly well have rehearsed their breach incident response," she said.

Another option is for the business to disclose the hack to authorities and let them do the initial criminal investigation and criminal prosecution, said Domingo Rivera, vice president of computer forensics at AVM Technology and owner of Rivera Law Group. "As soon as that is over, businesses start their own civil actions," he explained. "It helps save some of their costs by having the government set a precedent."

Organizations want to see what money they can recover from the hackers once the government case is closed. But some companies are starting to take action themselves. "You are seeing a bit of a trend of not relying so much just on the government and businesses taking a more aggressive approach," Rivera said.

That should be a business decision, however, he advised. Not all cybercriminals have yachts and most are effectively subcontractors working for other criminals. When they do have money, it may be difficult to obtain, and they may be impossible to sue if they live in a jurisdiction with no legal extradition rights.

But Fernando Pinguelo, cyber risk management partner at law firm Scarinci Hollenbeck, said the decision should not be based solely on whether a business can recover damages, or avoid an embarrassing public relations episode. Instead, it should also be based on how firms want hackers to perceive their organizations. "These suits can be a deterrent factor," he said. "You're making a statement that you're not going to be subjected to this type of activity."

In recent case law, such as the LinkedIn suit, the notices and user agreements displayed on the plaintiffs' websites proved critical, Pinguelo said. Having such prominent public notifications in place acts both as a deterrent to would-be hackers and lays the potential groundwork for future civil lawsuits.

Pinguelo also said that attempting to use the resources of the federal authorities has potential risks. First, once authorities are involved, they may want to dig deeper into what happened than the business prefers. Second, those investigations focus on catching the perpetrators, not on recovering assets. Finally, the authorities may simply not be interested. They are dealing with so many large cases-including the state-sponsored hacking of U.S. businesses-that a case would have to be considered important enough to switch resources from existing investigations into the one the business hoped to pursue.

"Once you turn over the investigation to the authorities, you can't control it," he said. "But with civil law, you are in control and you can pursue every avenue that is available to you."

One factor that has dissuaded businesses from bringing civil cases against hackers is that they must do it alone. That poses financial, technological and reputational risk challenges to the business and increases the odds of the hackers getting away without penalty. Since the same criminal gangs often target a number of businesses, Hamilton is working with law enforcement authorities in the United Kingdom to explore ways of bringing groups of victims together to jointly fund asset recovery. That could open up the possibility of businesses pursuing hackers along the lines of a class action lawsuit or via a mechanism similar to a creditors' coalition, allowing them to share costs, intelligence and resources. If that happens, perhaps the stigma of being hacked will begin to wane and a strategy of fighting back will gather momentum.

Arthur Piper is a Nottingham, U.K.-based freelance writer and editor.