I was just trying to learn a bit more about how hard it is to possibly cover your tracks if you want to hack anonymously, and I came across these three sequential posts on Reddit.com.
Now I'm gonna have to figure that Russia's got at least one person who can read Reddit and try these tricks for themselves, or maybe even know a crap ton more themselves.
[–]gordonmessmer 455 points 23 hours ago
There are lots of things that make it difficult to identify an attacker. I'll try to outline a few, in brief:
1: To quote your example, an attacker might send a shell command like "rm -rf /". What would record that he'd done so? Ignore the fact that he's eliminating files that log his action. Shell history is optional to begin with. And many attackers won't use a normal shell, they'll use a program of their own which is designed to accept commands and execute them without any logging.
2: You might try to record that sort of thing at the network. There are a few problems with that. First, recording all traffic would require more storage (and faster storage) than most businesses have, so that's impractical. You could instead try to record only data that's an attack, but that means you'd have to know what constitutes an attack. As new attacks are developed constantly, keeping logs of only data involved in an attack is probably impossible.
3: Encryption. As you guessed, the source and destination of traffic are not encrypted, but the data itself is. That generally means that only the application which is receiving the data is capable of examining its plain-text contents.
4: Anonymization. Attackers very rarely launch an attack from a machine that they directly control and which could identify them specifically. They might use a VPN, or tor, or another machine that they've previously compromised to launch the attack. In any of those cases, even if you log the traffic, and even if you can examine the plain-text, you still don't know anything other than the fact that the attacker is using a specific VPN (unlikely, since the VPN provider could probably correlate a VPN IP to the user it was assigned to at the time, and to a person via billing information), or that an attacker was using tor (no way to identify such users, by design), or that they were using a compromised host. In the latter case, you might be able to contact the owner of that host and get them to help you track the attacker, but in practice this is improbable, and because you have to do that repeatedly until you can actually identify the attacker, it becomes exponentially more improbable for each hop the attacker uses. The attacker's ISP has all of the same problems. They can't reasonably log all of the data they process, they can't generally identify attack data, they can't tell what you're doing if your traffic is encrypted, and anything you send to initiate an attack probably isn't sent to the system you're attacking directly, so they can't even correlate encrypted traffic to an attack between your system and your target.
[–]AjaxGb 425 points 23 hours ago
Let's use the post office as an analogy for your ISP. Say you want to send John Victim a nasty letter, but don't want him to know who sent it. If you just send him the letter, he can look at the return address and see that it was you. This is where VPNs come in. You write your letter and address it to "John Victim".
Then you put the envelope inside a second, special envelope, and address that to "VPN Inc." VPN Inc. runs a popular service that you and many other people subscribe to. It gives you special envelopes that only VPN can open. When your letter arrives there, a machine extracts the inner envelope and automatically sends it on its way.
Now when John checks the return address, all he will see is that the letter came from "VPN Inc.", just like many other letters. The post office knows that you sent some sort of letter to VPN Inc., and that a nasty letter reached John Victim, but there is nothing linking the two events together, since lots of people are constantly sending letters through VPN's service. There are also similar services that will add their own envelopes and send the letter back and forth randomly between a ton of different locations, if you need extra security and less speed.
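A toy model of the post-office analogy above, added here as an illustration and not part of the Reddit thread. The names (Alice, Bob, Carol, Mallory, "VPN Inc.", "John Victim") and the log format are constructed; it shows what the post office, the recipient and the relay itself each get to see, and in particular that the relay is the one party whose own records link sender and recipient.

```python
# Added example (not from the thread): a toy model of the envelope-in-envelope
# analogy. All names and logs are constructed; no real networking or crypto.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Envelope:
    sender: str
    recipient: str
    body: str = ""
    inner: Optional["Envelope"] = None   # nested envelope only the recipient opens

class VpnRelay:
    """VPN Inc.: opens the outer envelope, re-posts the inner one under its own name."""
    def __init__(self, name):
        self.name, self.log = name, []     # the provider's own records
    def forward(self, env):
        assert env.recipient == self.name and env.inner is not None
        self.log.append((env.sender, env.inner.recipient))   # provider can link the two
        return Envelope(self.name, env.inner.recipient, env.inner.body, env.inner.inner)

class PostOffice:
    """The ISP: records outer addresses only, never contents."""
    def __init__(self):
        self.log, self.relays, self.mailboxes = [], {}, {}
    def post(self, env):
        self.log.append((env.sender, env.recipient))
        relay = self.relays.get(env.recipient)
        if relay is not None:
            self.post(relay.forward(env))          # relay re-posts the inner envelope
        else:
            self.mailboxes.setdefault(env.recipient, []).append(env)

def send_via_vpn(po, user, victim, body, vpn="VPN Inc."):
    po.post(Envelope(user, vpn, inner=Envelope(user, victim, body)))

def senders_seen_by(po, recipient):
    """Return addresses the recipient sees on the letters in its mailbox."""
    return [e.sender for e in po.mailboxes.get(recipient, [])]

def candidates_from_isp_log(po, vpn):
    """Best the post office can do: everyone who mailed the relay is a candidate."""
    return {s for s, r in po.log if r == vpn}

def demo():
    po = PostOffice()
    po.relays["VPN Inc."] = VpnRelay("VPN Inc.")
    for user in ("Alice", "Bob", "Carol"):            # ordinary subscribers
        send_via_vpn(po, user, "Friend", "hello")
    send_via_vpn(po, "Mallory", "John Victim", "nasty letter")
    return po
```

After `demo()`, John's mailbox shows only "VPN Inc." as the sender, the post office log never contains a Mallory-to-John entry, and every subscriber who mailed the relay is an equally good candidate; only the relay's own log pairs Mallory with John Victim.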
[–]tjt5754 63 points 23 hours ago
The most effective way for a hacker to hide themselves is to connect through multiple systems before connecting to you (the victim). If I have hacked a system in China, and a system in Russia, and a system in Poland, and then I connect through them sequentially before connecting to you, it will seem like I'm hacking you from that computer in Poland.
Now the police could go and confiscate that system, but by the time that they do, I'm long gone. The ISP can't log all communication to and from that system, so it's very unlikely that they could go back and find the connection from the Russian system to the Polish system.
If they do… then you just have another system to go and dig into and hopefully find evidence of the connection from China… and so on. The fact is that the forensic evidence for chained attacks like that just doesn't exist. It would require full packet capture for the whole internet.
stories. They are likely 100% BS.