Robert, to comment on the first half of your posting at least (the maths
of cryptography is still something I haven't explored)...

On Sun, Jan 06, 2002 at 06:30:16PM -0500, [EMAIL PROTECTED] wrote:
> Last summer  my PC was attacked by a malicious hacker who used a Trojan
> Horse NetBus. My Norton Personal Firewall alerted me about all five
> attacks, but I panicked, shut down and rebooted, but by doing that,
> somehow the malicious hacker got my username and password and even my
> email address (all replaced). He even took over my Norton firewall
> somehow and shut me out so that I could not reconfigure it or even do
> anything at all in my MSDOS screen to find mysterious or renamed Windows
> files. I was terrified that somehow this malicious hacker would get into
> the computer network at the university I am affiliated with.

Knowing universities, chances are the attacker was *already* inside
the network. Universities are chock full of unattended computers, all
inside the firewall defences, and all capable of being used maliciously.
The statistics show that 80%-ish of information security incidents come
from insiders. And it's almost a rite of passage for a computing science
student to break open a system.

In the case of NetBus, at some point someone actually had to install
the trojan on your computer. This is easier than you might imagine. Is
your computer *always* under lock and key when not in use? Do you
*never* run software downloaded from anywhere except official sources,
and then only after thorough scanning with today's anti-virus software?
Have you religiously installed *every* security update for your
operating system and application software? Really? :)

Once NetBus is on your machine, the attacker has complete control.
Literally anything can be done with your computer at that point, so
it's no surprise to hear that the machine was very weird thereafter.
Sending your usernames and passwords to some external site is trivial.


> I know hackers use what is known as "spoofing" IP addresses. But in
> spite of that I was wondering is there any way law enforcement experts
> or computer security specialists can trace a hacker's whereabouts?

Even packets with spoofed origins have to come from somewhere. And if
the attacker is actually wanting to *use* your computer (as opposed to
just flooding it with garbage that could literally come from anywhere)
then they need to use a real IP address so they can interact.

Assuming that they *are* using a real IP address, yes, they can be
traced. Or at least the computer can be traced. It's harder to prove
that some specific individual was sitting in front of it.

Every IP address belongs to someone, and that information is stored in
the globally-distributed WHOIS database. If it's a typical connection
through an ISP, then the ISP will have logs showing which customer
account was using that IP address at the time. If it's a dial-up line and
the ISP logs caller ID info, then they can also match it to a specific
telephone line.

The issues aren't so much whether the information is *possible* to
obtain but whether it's *practical* to obtain and *useful* when you
get it.

Even if a "real" IP address is being used, consider:

  * ISPs generally protect the privacy of their users, and will
    probably only release logs to law enforcement agencies. Are
    the police (probably under-resourced for Internet work) at
    all interested in your case?

  * The ISP says the IP address in question belongs to an Internet
    cafe which uses Network Address Translation (NAT), allowing them
    to put 100 computers on the Internet through one IP address. So
    which of those machines was used for the attack? Who knows! Who
    was sitting at that computer? I dunno, they just came in and
    paid cash for a half-hour session.

  * The IP address belongs to a dial-up customer, but when the
    customer is asked he says he doesn't know anything about what
    you're claiming. Besides, the kids use the computer -- and
    they're all such *good* boys...

  * The IP address belongs to some generic ISP in China or Uzbekistan
    or Bolivia or somewhere else where they don't give a toss about
    following up Internet crime. End of investigation.

    [Important note for American readers: Most Internet users
    are somewhere other than the United States. Most websites
    are in languages other than English. The FBI is a *US*
    law-enforcement body. US law doesn't apply outside the US.
    Sorry to whinge, but it's an important point and often
    completely overlooked.]

  * Attackers will sometimes (often?) use multiple trans-national
    links to cover their tracks further. Yep, the machine that
    attacked you was in, say, Florida. But looking closer reveals
    that *that* machine was itself attacked and under control of
    a machine in France. That machine was hacked from Moscow, and
    that one from ... you get the idea.

  * Due to some miracle, the attack can be traced to a specific
    computer in a house where no-one lives except this one guy, and
    there's no-one's fingerprints on the keyboard except his. What
    are you going to *do* now that you've tracked him down? Tell
    him off, perhaps -- and then he'll have a grudge against you
    and you'll probably find yourself subject to more frequent,
    persistent and technically sophisticated attacks.

  * If you wish to pursue some legal sanction, consider the legal
    concept of "chain of custody" that applies to evidence. There
    must be no doubt that any evidence being presented hasn't been
    tampered with. In the case of computer log files, this is
    tricky, as all digital data is by definition, um, virtual.

Now all that negative stuff said, it *is* possible to trace people.
About a year ago, some guy was making threats in an online chat
environment, and when I checked it out I felt that from the way he was
talking he wasn't just trying to sound tough. He meant it. This was in
IRC, and I had logging turned on, and the logs showed the IP address he
was connected from.

I saved the log to disc and -- important point -- immediately printed
a hard copy, and signed and dated it. I took that down to the local
police station -- I'm in Sydney, Australia, so this is the state police
in New South Wales. I did have to explain the situation, and I did have
to tell the constable at the front desk how he could track this guy
down. But the detectives followed it up, and within 48 hours this guy
had uniforms on his doorstep.

There are two points about this story which may not apply everywhere.
First, under NSW law, making a threat is a crime in and of itself. And
it's a crime whether the threat is made to someone's face, written on
a postcard or sent via the Internet. Also, the threat was made against
gay men on the basis of their sexuality, and Sydney is a city where
the police make a conscious effort to treat sexuality-related crime
properly -- at least in theory and in media releases.

Your mileage may vary.

Going back to spoofed addresses, yes, it's also possible to trace them
back to their origin. It's a matter, though, of tracing upstream from
the target computer, monitoring the traffic and seeing where it's
*really* coming from. But that's tedious, and requires the cooperation
of every sysadmin upstream. And, because traffic isn't (in general)
logged in full, you'd need to do this while the attack was actually
happening.


> If there presently is no way at all for someone in authority, network
> administrators, or computer security specialists  to locate a hacker's
> whereabouts, then perhaps research should best be focused in this area. 

Easy enough to find which computer. Much harder to do anything with
it, especially with respect to gathering evidence that'll hold up in
a courtroom. Assuming a courtroom is where you want to define reality...

There are also databases mapping IP addresses onto geographic locations,
but they are (mostly) still experimental. Plus, just because I've
dialled into the Internet through an ISP's point of presence in Seattle,
it doesn't mean *I* am in Seattle. I could be phoning from anywhere in
the world. And those who hack the phone system claim it isn't too hard
to fake caller ID information either.


> Incidentally someone posted some information about the Diffie-Hellman
> algorithm (actually called in Number Theory a certain kind of ...

Oooooh this is where I bail out! :)

Any help?

Stil


-- 
: Stilgherrian, Director of Operations, prussia.net
: Internet infrastructure services focussing on the essentials
: http://www.prussia.net/ 
: ARBN BN97858688, ABN 15 148 757 893
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
