Robert, to comment on the first half of your posting at least (the maths of cryptography is still something I haven't explored)...

On Sun, Jan 06, 2002 at 06:30:16PM -0500, [EMAIL PROTECTED] wrote:
> Last summer my PC was attacked by a malicious hacker who used a Trojan
> Horse NetBus. My Norton Personal Firewall alerted me about all five
> attacks, but I panicked, shut down and rebooted, but by doing that,
> somehow the malicious hacker got my username and password and even my
> email address (all replaced). He even took over my Norton firewall
> somehow and shut me out so that I could not reconfigure it or even do
> anything at all in my MSDOS screen to find mysterious or renamed Windows
> files. I was terrified that somehow this malicious hacker would get into
> the computer network at the university I am affiliated with.

Knowing universities, chances are the attacker was *already* inside the network. Universities are chock full of unattended computers, all inside the firewall defences, and all capable of being used maliciously. The statistics show that 80%-ish of information security incidents come from insiders. And it's almost a rite of passage for a computing science student to break open a system.

In the case of NetBus, at some point someone actually had to install the trojan on your computer. This is easier than you might imagine. Is your computer *always* under lock and key when not in use? Do you *never* run software downloaded from anywhere except official sources, and then only after thorough scanning with today's anti-virus software? Have you religiously installed *every* security update for your operating system and application software? Really? :)

Once NetBus is on your machine, the attacker has complete control. Literally anything can be done with your computer at that point, so it's no surprise to hear that the machine was very weird thereafter. Sending your usernames and passwords to some external site is trivial.

> I know hackers use what is known as "spoofing" IP addresses. But in
> spite of that I was wondering is there any way law enforcement experts
> or computer security specialists can trace a hacker's whereabouts?

Even packets with spoofed origins have to come from somewhere. And if the attacker is actually wanting to *use* your computer (as opposed to just flooding it with garbage that could literally come from anywhere) then they need to use a real IP address so they can interact.

Assuming that they *are* using a real IP address, yes, they can be traced. Or at least the computer can be traced. It's harder to prove that some specific individual was sitting in front of it.

Every IP address belongs to someone, and that information is stored in the globally-distributed WHOIS database. If it's a typical connection through an ISP, then the ISP will have logs showing which customer account was using that IP address at the time. If it's a dial-up line and the ISP logs caller ID info, then they can also match it to a specific telephone line.

The issues aren't so much whether the information is *possible* to obtain but whether it's *practical* to obtain and *useful* when you get it. Even if a "real" IP address is being used, consider:

* ISPs generally protect the privacy of their users, and will probably only release logs to law enforcement agencies. Are the police (probably under-resourced for Internet work) at all interested in your case?

* The ISP says the IP address in question belongs to an Internet cafe which uses Network Address Translation (NAT), allowing them to put 100 computers on the Internet through one IP address. So which of those machines was used for the attack? Who knows! Who was sitting at that computer? I dunno, they just came in and paid cash for a half-hour session.

* The IP address belongs to a dial-up customer, but when the customer is asked he says he doesn't know anything about what you're claiming. Besides, the kids use the computer -- and they're all such *good* boys...

* The IP address belongs to some generic ISP in China or Uzbekistan or Bolivia or somewhere else where they don't give a toss about following up Internet crime. End of investigation. [Important note for American readers: Most Internet users are somewhere other than the United States. Most websites are in languages other than English. The FBI is a *US* law-enforcement body. US law doesn't apply outside the US. Sorry to whinge, but it's an important point and often completely overlooked.]

* Attackers will sometimes (often?) use multiple trans-national links to cover their tracks further. Yep, the machine that attacked you was in, say, Florida. But looking closer reveals that *that* machine was itself attacked and under control of a machine in France. That machine was hacked from Moscow, and that one from ... you get the idea.

* Due to some miracle, the attack can be traced to a specific computer in a house where no-one lives except this one guy, and there's no-one's fingerprints on the keyboard except his. What are you going to *do* now that you've tracked him down? Tell him off, perhaps -- and then he'll have a grudge against you and you'll probably find yourself subject to more frequent, persistent and technically sophisticated attacks.

* If you wish to pursue some legal sanction, consider the legal concept of "chain of custody" that applies to evidence. There must be no doubt that any evidence being presented hasn't been tampered with. In the case of computer log files, this is tricky, as all digital data is by definition, um, virtual.

Now all that negative stuff said, it *is* possible to trace people.

About a year ago, some guy was making threats in an online chat environment, and when I checked it out I felt that from the way he was talking he wasn't just trying to sound tough. He meant it. This was in IRC, and I had logging turned on, and the logs showed the IP address he was connected from. I saved the log to disc and -- important point -- immediately printed a hard copy, and signed and dated it. I took that down to the local police station -- I'm in Sydney, Australia, so this is the state police in New South Wales. I did have to explain the situation, and I did have to tell the constable at the front desk how he could track this guy down. But the detectives followed it up, and within 48 hours this guy had uniforms on his doorstep.

There are two points about this story which may not apply everywhere. First, under NSW law, making a threat is a crime in and of itself. And it's a crime whether the threat is made to someone's face, written on a postcard or sent via the Internet. Also, the threat was made against gay men on the basis of their sexuality, and Sydney is a city where the police make a conscious effort to treat sexuality-related crime properly -- at least in theory and in media releases. Your mileage may vary.

Going back to spoofed addresses, yes, it's also possible to trace them back to their origin. It's a matter, though, of tracing upstream from the target computer, monitoring the traffic and seeing where it's *really* coming from. But that's tedious, and requires the cooperation of every sysadmin upstream. And, because traffic isn't (in general) logged in full, you'd need to do this while the attack was actually happening.

> If there presently is no way at all for someone in authority, network
> administrators, or computer security specialists to locate a hacker's
> whereabouts, then perhaps research should best be focused in this area.

Easy enough to find which computer. Much harder to do anything with it, especially with respect to gathering evidence that'll hold up in a courtroom. Assuming a courtroom is where you want to define reality...

There are also databases mapping IP addresses onto geographic locations, but they are (mostly) still experimental. Plus, just because I've dialled into the Internet through an ISP's point of presence in Seattle, it doesn't mean *I* am in Seattle. I could be phoning from anywhere in the world. And those who hack the phone system claim it isn't too hard to fake caller ID information either.

> Incidentally someone posted some information about the Diffie-Hellman
> algorithm (actually called in Number Theory a certain kind of ...

Oooooh this is where I bail out! :)

Any help?

Stil

-- 
: Stilgherrian, Director of Operations, prussia.net
: Internet infrastructure services focussing on the essentials
: http://www.prussia.net/
: ARBN BN97858688, ABN 15 148 757 893

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
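An added example, not from the post or its author, of the evidence-preservation step the post describes (save the log, then fix its contents and date so tampering can be ruled out later): it pulls the connecting addresses out of a constructed IRC-style log and writes a dated, hashed record against which the saved copy can be re-checked. The sample log, the handler name and the record layout are assumptions.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed IRC client log in a typical join/part style (not a real capture).
SAMPLE_LOG = b"""[19:42:03] *** Joins: hostile (hostile@203.0.113.45)
[19:42:10] <hostile> (threatening message redacted)
[19:45:51] *** Quits: hostile (hostile@203.0.113.45) (Quit)
"""

# Dotted-quad IPv4, not preceded/followed by another digit or dot.
IP_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_ips(log_bytes):
    """Distinct IPv4 addresses in the log, in first-seen order."""
    seen = []
    for m in IP_RE.finditer(log_bytes):
        ip = m.group(0).decode()
        if ip not in seen:
            seen.append(ip)
    return seen


def make_record(log_bytes, handler, when=None):
    """Preservation record: digest of the exact bytes saved, who recorded it, when.

    The digest is the machine equivalent of the signed, dated hard copy: any
    later change to the saved file changes the digest.
    """
    when = when or datetime.now(timezone.utc)
    return {
        "sha256": hashlib.sha256(log_bytes).hexdigest(),
        "size": len(log_bytes),
        "handler": handler,
        "recorded_at": when.isoformat(),
        "addresses": extract_ips(log_bytes),
    }


def verify_record(log_bytes, record):
    """True only if the bytes presented now are exactly the ones recorded."""
    return (len(log_bytes) == record["size"]
            and hashlib.sha256(log_bytes).hexdigest() == record["sha256"])


if __name__ == "__main__":
    rec = make_record(SAMPLE_LOG, "Example Handler")  # handler name is a placeholder
    print(json.dumps(rec, indent=2))
    print("intact:", verify_record(SAMPLE_LOG, rec))
```

The record would be written alongside the saved log and, as in the post, printed, signed and dated; the original log bytes must never be edited after the record is made.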