Re: Is It possible to trace a hacker, and on Diffie-Hellman

2002-01-09 Thread Stilgherrian

Robert, to comment on the first half of your posting at least (the maths
of cryptography is still something I haven't explored)...

On Sun, Jan 06, 2002 at 06:30:16PM -0500, [EMAIL PROTECTED] wrote:
> Last summer my PC was attacked by a malicious hacker who used a Trojan
> Horse NetBus. My Norton Personal Firewall alerted me about all five
> attacks, but I panicked, shut down and rebooted, but by doing that,
> somehow the malicious hacker got my username and password and even my
> email address (all replaced). He even took over my Norton firewall
> somehow and shut me out so that I could not reconfigure it or even do
> anything at all in my MSDOS screen to find mysterious or renamed Windows
> files. I was terrified that somehow this malicious hacker would get into
> the computer network at the university I am affiliated with.

Knowing universities, chances are the attacker was *already* inside
the network. Universities are chock full of unattended computers, all
inside the firewall defences, and all capable of being used maliciously.
The statistics show that 80%-ish of information security incidents come
from insiders. And it's almost a rite of passage for a computing science
student to break open a system.

In the case of NetBus, at some point someone actually had to install
the trojan on your computer. This is easier than you might imagine. Is
your computer *always* under lock and key when not in use? Do you
*never* run software downloaded from anywhere except official sources,
and then only after thorough scanning with today's anti-virus software?
Have you religiously installed *every* security update for your
operating system and application software? Really? :)

Once NetBus is on your machine, the attacker has complete control.
Literally anything can be done with your computer at that point, so
it's no surprise to hear that the machine was very weird thereafter.
Sending your usernames and passwords to some external site is trivial.


> I know hackers use what is known as spoofing IP addresses. But in
> spite of that I was wondering is there any way law enforcement experts
> or computer security specialists can trace a hacker's whereabouts?

Even packets with spoofed origins have to come from somewhere. And if
the attacker is actually wanting to *use* your computer (as opposed to
just flooding it with garbage that could literally come from anywhere)
then they need to use a real IP address so they can interact.

Assuming that they *are* using a real IP address, yes, they can be
traced. Or at least the computer can be traced. It's harder to prove
that some specific individual was sitting in front of it.

Every IP address belongs to someone, and that information is stored in
the globally-distributed WHOIS database. If it's a typical connection
through an ISP, then the ISP will have logs showing which customer
account was using that IP address at the time. If it's a dial-up line and
the ISP logs caller ID info, then they can also match it to a specific
telephone line.

The issues aren't so much whether the information is *possible* to
obtain but whether it's *practical* to obtain and *useful* when you
get it.

Even if a real IP address is being used, consider:

  * ISPs generally protect the privacy of their users, and will
probably only release logs to law enforcement agencies. Are
the police (probably under-resourced for Internet work) at
all interested in your case?

  * The ISP says the IP address in question belongs to an Internet
cafe which uses Network Address Translation (NAT), allowing them
to put 100 computers on the Internet through one IP address. So
which of those machines was used for the attack? Who knows! Who
was sitting at that computer? I dunno, they just came in and
paid cash for a half-hour session.

  * The IP address belongs to a dial-up customer, but when the
customer is asked he says he doesn't know anything about what
you're claiming. Besides, the kids use the computer -- and
they're all such *good* boys...

  * The IP address belongs to some generic ISP in China or Uzbekistan
or Bolivia or somewhere else where they don't give a toss about
following up Internet crime. End of investigation.

[Important note for American readers: Most Internet users
are somewhere other than the United States. Most websites
are in languages other than English. The FBI is a *US*
law-enforcement body. US law doesn't apply outside the US.
Sorry to whinge, but it's an important point and often
completely overlooked.]

  * Attackers will sometimes (often?) use multiple trans-national
links to cover their tracks further. Yep, the machine that
attacked you was in, say, Florida. But looking closer reveals
that *that* machine was itself attacked and under control of
a machine in France. That machine was hacked from Moscow, and
that one from ... you get the idea.

  * Due to some miracle, the attack can be traced to a specific
   

Re: Is It possible to trace a hacker, and on Diffie-Hellman

2002-01-09 Thread Bill Hinton



Yes it is possible to track a hacker but unless you have proof and can
trace it to someone in the US it's a moot point. If you want to trace an
attacker you should have the following:

1. An active intrusion detection system (IDS) that can perform a trace
back to the source regardless of spoofing.

2. Detailed logging of your perimeter router, firewall and intrusion
detection system.

3. Daily review of the log files and immediate action if any penetrations
are detected. Immediate action is required because most ISPs do not
maintain adequate records.

4. Proof that a crime was actually committed, i.e., server, firewall, IDS
logs. The DOJ will not prosecute door knocking. (Most ISPs have abuse
policies and will terminate service for door knockers.) To aid in the
prosecution of perpetrators security banners should also be in place.

Most of our attack attempts come from Eastern Europe and China. In this
case finding that an attack came from a Chinese university is useless.
Since the key to security is prevention I use the IDS to dynamically
block sites once a hack attempt is detected. While you may not have an
IDS, you should monitor your log files and place access lists on your
perimeter router and firewall. Also, security patches, updated software,
and browser and system security settings might have prevented your NetBus
attack.








  - Original Message -
  From: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Sunday, January 06, 2002 5:30 PM
  Subject: Is It possible to trace a hacker, and on Diffie-Hellman

  My background is not computer security, but mathematics, and I was
  wondering if I might be humbly allowed to ask a question:

  Last summer my PC was attacked by a malicious hacker who used a Trojan
  Horse NetBus. My Norton Personal Firewall alerted me about all five
  attacks, but I panicked, shut down and rebooted, but by doing that,
  somehow the malicious hacker got my username and password and even my
  email address (all replaced). He even took over my Norton firewall
  somehow and shut me out so that I could not reconfigure it or even do
  anything at all in my MSDOS screen to find mysterious or renamed
  Windows files. I was terrified that somehow this malicious hacker would
  get into the computer network at the university I am affiliated with.
  Incidentally, two months ago a hacker got into the Apple computer of
  one of the professors in the Mathematics Department. I learned after he
  gave me a research paper to read, because there was a computer
  technician there working on his PC to help him reinstall his backed up
  files.

  I know hackers use what is known as "spoofing" IP addresses. But in
  spite of that I was wondering is there any way law enforcement experts
  or computer security specialists can trace a hacker's whereabouts? Some
  years back there were several Scientific American articles in one issue
  on these matters, that is, firewalls, malicious hackers, attacks on
  networks, denial of service attacks, etc. But I could not follow very
  well the peculiar, nearly "fictional narrative" one of the contributors
  to these Scientific American articles gave to show how the network
  administrator and the FBI caught the fictitious hacker in the article.

  If there presently is no way at all for someone in authority, network
  administrators, or computer security specialists to locate a hacker's
  whereabouts, then perhaps research should best be focused in this area.

  Incidentally someone posted some information about the Diffie-Hellman
  algorithm (actually called in Number Theory a certain kind of
  exponentiation cipher), saying that the keys are found by using
  elements of a finite group (a finite field, actually), which is quite
  true.

  Suppose parties A and B want a common key. Then if they use a
  cryptosystem like DES, they take two elements h and k from that finite
  field, multiply them together, then raise the integer b to the power
  hk, or b^hk. This is the common key, and A sends b^h to B, B sends b^k
  to A, and both are able to decipher the encrypted messages. Usually the
  integers h and k are very large prime numbers, too large for a
  malicious hacker to guess.

  Thanking you for your patience in advance,

  Robert Betts

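Two points in the replies above fit together in practice. Stilgherrian notes that an attacker who wants to *use* the machine (rather than just flood it) must complete a TCP handshake, which only works from an address they actually receive replies at, so that address is worth tracing, whereas a bare SYN can carry any source. Bill recommends daily log review and blocking probing sources on the perimeter router. The script below is an added example, not code from either post or from any product named in the thread: it reads constructed firewall-style log lines, works out per source whether a handshake to the NetBus ports completed and whether the address is even routable, gives a traceability verdict, and emits block rules. The log format, the sample lines and the "deny tcp host X any" rule syntax are invented for the example; the only fact taken from outside the thread is NetBus's default listener ports, TCP 12345 and 12346.

```python
"""Review firewall-style log lines for NetBus connection attempts.

Added example, not code from the mailing-list thread. It assumes:
  * a constructed one-packet-per-line log format (timestamp, protocol,
    TCP flags, src:port -> dst:port) invented for this example;
  * NetBus's well-known default listener ports, TCP 12345 and 12346;
  * a generic "deny tcp host X any" rule syntax, not any vendor's.
"""
import ipaddress
import re

NETBUS_PORTS = {12345, 12346}

# RFC 1918 space plus loopback and link-local. A source in one of these
# ranges is not resolvable through WHOIS or an ISP's customer records: it
# is on your own network or sitting behind a NAT gateway.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<flags>[A-Z]+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample log (not a real capture). 192.0.2.10 is "our" host.
SAMPLE_LOG = """\
2002-01-06T17:02:11 TCP S 203.0.113.45:3311 -> 192.0.2.10:12345
2002-01-06T17:02:11 TCP SA 192.0.2.10:12345 -> 203.0.113.45:3311
2002-01-06T17:02:12 TCP A 203.0.113.45:3311 -> 192.0.2.10:12345
2002-01-06T17:02:15 TCP PA 203.0.113.45:3311 -> 192.0.2.10:12345
2002-01-06T17:05:40 TCP S 198.51.100.7:4000 -> 192.0.2.10:12345
2002-01-06T17:05:41 TCP S 198.51.100.7:4001 -> 192.0.2.10:12346
2002-01-06T17:09:03 TCP S 10.0.0.23:1025 -> 192.0.2.10:12345
2002-01-06T17:09:03 TCP SA 192.0.2.10:12345 -> 10.0.0.23:1025
2002-01-06T17:09:04 TCP A 10.0.0.23:1025 -> 192.0.2.10:12345
2002-01-06T17:20:00 TCP S 203.0.113.99:2222 -> 192.0.2.10:80
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def scope(addr):
    ip = ipaddress.ip_address(addr)
    return "private" if any(ip in net for net in NON_ROUTABLE) else "routable"


def analyse(log_text, our_host):
    """Summarise inbound NetBus traffic per source address."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dst"] != our_host or rec["dport"] not in NETBUS_PORTS:
            continue  # our own replies and other services are not of interest
        entry = report.setdefault(rec["src"], {
            "syn_count": 0, "handshake": False, "ports": set(),
            "scope": scope(rec["src"])})
        entry["ports"].add(rec["dport"])
        flags = rec["flags"]
        if "S" in flags and "A" not in flags:
            entry["syn_count"] += 1   # a bare SYN can carry any source address
        elif "A" in flags and entry["syn_count"]:
            # An inbound ACK after our SYN-ACK means the sender received the
            # SYN-ACK, so the address is one the attacker really uses
            # (barring an on-path attacker).
            entry["handshake"] = True
    return report


def traceability(entry):
    """One-line verdict on whether a WHOIS/ISP trace of this source is worthwhile."""
    if not entry["handshake"]:
        return "SYN only: source may be spoofed, not worth tracing on its own"
    if entry["scope"] == "private":
        return "handshake from private address: insider or NAT gateway, trace on the local network"
    return "handshake from routable address: WHOIS and the ISP's logs can identify the account"


def block_rules(report, syn_threshold=2):
    """Generic deny rules for sources that completed a handshake or probed repeatedly."""
    rules = []
    for src in sorted(report, key=ipaddress.ip_address):
        entry = report[src]
        if entry["handshake"] or entry["syn_count"] >= syn_threshold:
            rules.append(f"deny tcp host {src} any")
    return rules


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, "192.0.2.10")
    for src, entry in report.items():
        print(f"{src:15} SYNs={entry['syn_count']} ports={sorted(entry['ports'])} "
              f"-> {traceability(entry)}")
    print("\n".join(block_rules(report)))
```

Run against the sample, 203.0.113.45 completed a handshake from a routable address and is the one worth taking to the ISP; 198.51.100.7 only sent SYNs, so its address proves nothing by itself but still earns a block rule after two probes; 10.0.0.23 completed a handshake from RFC 1918 space, which is exactly the "attacker was already inside the network" case and is traced on the local network, not through WHOIS.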


Re: Is It possible to trace a hacker, and on Diffie-Hellman

2002-01-07 Thread Ron DuFresne

 
> In the case of NetBus, at some point someone actually had to install
> the trojan on your computer. This is easier than you might imagine. Is
> your computer *always* under lock and key when not in use? Do you
> *never* run software downloaded from anywhere except official sources,
> and then only after thorough scanning with today's anti-virus software?
> Have you religiously installed *every* security update for your
> operating system and application software? Really? :)
 

Given that it was most likely the user himself that 'installed' the
trojan.  Most likely by clicking on an attachment or accepting a trojan
via the irc system or any of the messaging systems such as AOL Instant
Messenger (AIM), MSN Messenger, or the other variants.  Though an
unattended PC or laptop could well have been trojaned while he was away
from it.  And given this, it's likely the intruder was a fellow student.
Doesn't that make one feel safe?!

In fact, it's very likely the prof's PC he mentioned was hacked by a local
student, as likely as it being an outside intrusion...students do love to
play and test what they learn in class and from 'pals'...

Thanks,

Ron DuFresne
~~
Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

___
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls



Re: Is It possible to trace a hacker, and on Diffie-Hellman

2002-01-07 Thread Muenzinger, Karl



Robert Betts wrote:
> I learned after he gave me a research paper to read, because there was
> a computer technician there working on his PC to help him reinstall his
> backed up files.

How do you know this technician isn't the hacker in question? Which
underscores the next point...

Stilgherrian wrote:
> If you wish to pursue some legal sanction, consider the legal concept
> of "chain of custody" that applies to evidence.

The hacker will get off based on the following:

1) Chain of custody: any evidence you have (logs, reports, disk files,
etc) can not be proven to reflect the changes you indicate because these
records could have been manufactured or tampered with after the fact.

2) Direct evidence vs. hearsay evidence: the physical hard disk is the
only direct source of evidence. Any report derived from hard disk records
can be challenged. For a report to be admissible it must either be
reproducible from a physical source that has had a proven chain of
custody or else the report must have been created in the standard course
of doing business and have been regularly audited (mitigating controls).

3) Glorification of the hacker: the jury/judge/police/etc lack of
awareness that what has taken place is a serious crime.

The very act of responding and recovering from an attack will usually
compromise both the chain of custody and direct evidence, and the ad hoc
nature of printed reports will also undermine their weight in court.

SOLUTION

To catch and successfully prosecute an attacker you must take proactive
steps including:

1) Have an incident response policy and security awareness training so
that people know how to preserve evidence and chain of custody.

2) Set up intrusion detection procedures that are regularly checked so
that printed reports can be admissible in court.

Better yet, prevent the intrusion. In addition to applying your regular
security patches, consider internal firewalls and personal firewalls. In
a university setting the internal network is rife with hacking. Apply a
firewall right in your office or local subnet. This can be done very
inexpensively with an old Pentium 75 and Linux/IPCHAINS.

-Karl Muenzinger, CISSP







 


Re: Is It possible to trace a hacker, and on Diffie-Hellman

2002-01-06 Thread Alvin Oga


hi robert

it's not good that your pc was hacked..etc...

if you didn't save your log files...before they erased it.. it's lots harder
to track your 'friends'

if you didn't record the network activity as soon as you unplugged your
hacked machine to see where they are coming from and trying to
re-connect to your hacked machine... again it's hard to track down

if you want to track down hackers.. you might wanna prepare your
servers and network for them to attack those honeypots while
keeping all your main data and servers securely monitored
behind a very secure network and network policy

if this happened 2 months back... and have not seen any
recurrence, consider yourself lucky... esp if there was no data loss

if it is a university, call your local FBI office or local computer
crime dept of your local police dept and they'd help track down
the hacker...
- they esp like it when the damages are in excess of $10K or was
it $15K when it gets their attention

have fun
alvin
http://www.Linux-Sec.net/Tracking



On Sun, 6 Jan 2002 [EMAIL PROTECTED] wrote:

> My background is not computer security, but mathematics, and I was
> wondering if I might be humbly allowed to ask a question:
>
> Last summer my PC was attacked by a malicious hacker who used a Trojan
> Horse NetBus. My Norton Personal Firewall alerted me about all five
> attacks, but I panicked, shut down and rebooted, but by doing that,
> somehow the malicious hacker got my username and password and even my
> email address (all replaced). He even took over my Norton firewall
> somehow and shut me out so that I could not reconfigure it or even do
> anything at all in my MSDOS screen to find mysterious or renamed Windows
> files. I was terrified that somehow this malicious hacker would get into
> the computer network at the university I am affiliated with.
> Incidentally, two months ago a hacker got into the Apple computer of one
> of the professors in the Mathematics Department. I learned after he gave
> me a research paper to read, because there was a computer technician
> there working on his PC to help him reinstall his backed up files.
>
> I know hackers use what is known as spoofing IP addresses. But in spite
> of that I was wondering is there any way law enforcement experts or
> computer security specialists can trace a hacker's whereabouts? Some
> years back there were several Scientific American articles in one issue
> on these matters, that is, firewalls, malicious hackers, attacks on
> networks, denial of service attacks, etc. But I could not follow very
> well the peculiar, nearly fictional narrative one of the contributors to
> these Scientific American articles gave to show how the network
> administrator and the FBI caught the fictitious hacker in the article.
>
> If there presently is no way at all for someone in authority, network
> administrators, or computer security specialists to locate a hacker's
> whereabouts, then perhaps research should best be focused in this area.
>
> Incidentally someone posted some information about the Diffie-Hellman
> algorithm (actually called in Number Theory a certain kind of
> exponentiation cipher), saying that the keys are found by using elements
> of a finite group (a finite field, actually), which is quite true.
>
> Suppose parties A and B want a common key. Then if they use a
> cryptosystem like DES, they take two elements h and k from that finite
> field, multiply them together, then raise the integer b to the power hk,
> or b^hk. This is the common key, and A sends b^h to B, B sends b^k to A,
> and both are able to decipher the encrypted messages. Usually the
> integers h and k are very large prime numbers, too large for a malicious
> hacker to guess.
>
> Thanking you for your patience in advance,
>
> Robert Betts
>

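Nobody in the thread took up the Diffie-Hellman half of Robert's question (quoted above in Alvin's reply). The script below is an added example, not code from the thread, of the textbook exchange: a public prime p and generator g, a random private exponent on each side drawn from [2, p-2], public values g^a and g^b sent in the clear, and the shared value g^(ab) mod p on both ends, which is then hashed into a session key rather than used raw. It also checks the peer's public value is not a degenerate 1 or p-1, which would force a trivial secret. The parameters are deliberately tiny so that the eavesdropper function, which recovers the key from the public values by brute-force discrete logarithm, finishes instantly; that is precisely why real parameters are a prime of at least 2048 bits or an elliptic-curve group, where the same computation is infeasible. p = 65537 and g = 3 are the example's own choices (3 is a primitive root modulo 65537, so it generates the whole group).

```python
"""Diffie-Hellman key agreement, worked through with toy parameters.

Added example, not from the thread. Textbook DH: public prime p and
generator g; each side picks a random private exponent, publishes g^x mod p,
and both arrive at g^(ab) mod p. The parameters below are deliberately
tiny so that the eavesdropper's brute-force discrete log finishes at once;
real deployments use a prime of at least 2048 bits or an elliptic-curve
group, where the same attack is infeasible.
"""
import hashlib
import secrets

P = 65537   # prime modulus (2^16 + 1); toy size, see above
G = 3       # 3 is a primitive root mod 65537, so it generates the whole group


def validate_public(p, pub):
    """Reject degenerate peer values that would force a trivial shared secret."""
    return 1 < pub < p - 1


def keypair(p, g, priv=None):
    """Return (private, public). priv is drawn from [2, p-2] unless supplied (for tests)."""
    if priv is None:
        priv = 2 + secrets.randbelow(p - 3)
    return priv, pow(g, priv, p)


def shared_secret(p, their_pub, my_priv):
    if not validate_public(p, their_pub):
        raise ValueError("peer public value out of range")
    return pow(their_pub, my_priv, p)


def session_key(secret):
    """Never use the raw group element as a key: hash it to a fixed-size key."""
    return hashlib.sha256(secret.to_bytes((secret.bit_length() + 7) // 8, "big")).hexdigest()


def brute_force_dlog(p, g, target):
    """What Eve does with g, p and one public value: find x with g^x = target (mod p)."""
    acc = 1
    for x in range(p - 1):
        if acc == target:
            return x
        acc = acc * g % p
    return None


def exchange(p, g, a=None, b=None):
    """Run both sides; returns (A's key, B's key, transcript Eve sees)."""
    a, A = keypair(p, g, a)
    b, B = keypair(p, g, b)
    k_a = session_key(shared_secret(p, B, a))
    k_b = session_key(shared_secret(p, A, b))
    return k_a, k_b, (p, g, A, B)


def eavesdrop(transcript):
    """Recover the session key from public values alone (only feasible for toy p)."""
    p, g, A, B = transcript
    a = brute_force_dlog(p, g, A)
    return session_key(pow(B, a, p))


if __name__ == "__main__":
    k_a, k_b, transcript = exchange(P, G)
    print("keys agree:", k_a == k_b)
    print("Eve recovered the same key:", eavesdrop(transcript) == k_a)
```

Note what the private values are: random integers, not primes, and they never leave their owner; the prime in the scheme is the modulus p, which is public. Nothing here authenticates either side, so an attacker in the path can run one exchange with A and another with B and read everything; that is the separate problem signatures or certificates solve.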