EH-Net

EH-Net => Ethical Hacktivism => Topic started by: sil on April 14, 2011, 02:48:47 PM



Title: Counterattacking a hacker
Post by: sil on April 14, 2011, 02:48:47 PM
Because I'd been asked more than 3x in a week's timespan, I decided to write about the legalities, which are sketchy, and the stupidities associated with counterattacking a hacker.

http://www.infiltrated.net/index.php?option=com_content&view=article&id=29&Itemid=35


Title: Re: Counterattacking a hacker
Post by: kriscamaro68 on April 14, 2011, 04:19:27 PM
Enjoyed the write-up. Makes complete sense as well, unless you believe in Hollywood-type hacking.


Title: Re: Counterattacking a hacker
Post by: lorddicranius on April 14, 2011, 04:59:28 PM
Good read.  It seems people's belief that one can trace an IP back to an attacker is more common than I thought.  Or maybe I'm just lucky and have learned that early enough in my security training ???


Title: Re: Counterattacking a hacker
Post by: SephStorm on April 14, 2011, 06:00:43 PM
I would say the reason is that obviously it has to be possible. Law enforcement tracks down hackers, governments trace hacking attacks. I'm sure many of these individuals try to hide their origins.

Isn't this the reason we have CHFIs and what not?


Title: Re: Counterattacking a hacker
Post by: kriscamaro68 on April 14, 2011, 06:13:17 PM
Quote
I would say the reason is that obviously it has to be possible. Law enforcement tracks down hackers, governments trace hacking attacks. I'm sure many of these individuals try to hide their origins.

Isn't this the reason we have CHFIs and what not?

I believe it is possible to track an IP back to a hacker/script kiddie, but like sil mentioned, it would be because they did not spoof their IP from the get-go, or because the counter-attacker is only tracing the IP back to where the attack looks like it originated from, and is of the belief that this is the hacker's source IP.


Title: Re: Counterattacking a hacker
Post by: sil on April 15, 2011, 09:37:02 AM
Well, researchers stated they can now track the location of an IP address to within about 125 miles. Normally I would not bother pointing out the obvious, however, I feel the need to bring this into the "security mainstream" as a fail. Before doing so though, here is their "secret sauce:"

Quote
"The new method zooms in through three stages to locate a target computer. The first stage measures the time it takes to send a data packet to the target and converts it into a distance – a common geolocation technique that narrows the target’s possible location to a radius of around 200 kilometres." [1]

What this does for tracking the identity of a potential attacker when it comes to security? Absolutely nothing.

Here is a quote I could never get enough of from Cisco's Fred Baker. For those who have not had the opportunity to read Fred's excellent posts on mailing lists, his RFCs or writings, here is a summary [3]: [Fred] currently co-chairs the IPv6 Operations Working Group in the IETF, is a member of the Smart Grid Interoperability Panel and its Architecture Committee, and is Cisco's representative to BITAG. For more insight into who he is, see the interview "Fred Baker: Cisco Fellow, Network IT Enthusiast, World Traveler." [4] Anyhow, the purpose of stating who he is is to understand the weight/validity of the following statement [2]:

Quote
Well, let me ask you who you think 171.70.120.60 is. I'll give you a hint; at this instant, there are 72 of us.

Here's another question. Whom would you suspect 171.71.241.89 is?  At this point in time, I am in Barcelona; if I were home, that would be my address as you would see it, but my address as I would see it would be in 10.32.244.216/29. There might be several hundred people you would see using 171.71.241.89;

One of the big issues with the Tsinghua SAVA proposal in the IETF is specifically the confusion of the application layer with the IP layer. They propose to embed personal identity into the IP address, and in that there are a number of issues. Internet Address != application layer identification.

And the physical location of an Internet address (IP) is not altogether a "conclusive" mechanism to be used as an identity. While it may give an indicator, it is not definitive. For example, let us also assume that I needed to perform some form of competitive intelligence slash corporate espionage targeting my competitor. Let us also assume for a moment that I needed to compromise a machine physically located across the street. If I used my own connection to undertake this task, it would obviously be the equivalent of me walking into the office with a banner that read: "Look at me, across the street hacking you!" Quite absurd. So what are my options to sidestep this? Simple, I could use an Internet cafe, I could use an open wireless network, or I could pick yet a third competitor, compromise them and leave them holding a loaded gun. Complete with their fingerprints all over the murder weapon.

This is a long-standing problem with IP addresses: attribution. While you can state that, in the above comment, IP address 171.70.120.60 connected to you, you cannot definitively state that any individual connected to you. With the rise in client-side attacks, attribution is even more difficult.

[1] http://blogs.wsj.com/tech-europe/2011/04/11/tracking-system-can-locate-user-to-within-100m/?mod=google_news_blog
[2] http://www.mcabee.org/lists/nanog/Jan-08/msg00729.html
[3] http://en.wikipedia.org/wiki/Fred_Baker_%28IETF_chair%29
[4] https://learningnetwork.cisco.com/docs/DOC-1720
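The two points in the post above, that an RTT only bounds a host to a disc of a couple of hundred kilometres, and that a single public address can stand for dozens of hosts at once, can be made concrete in code. The following is an added illustration, not code from the thread, from sil, or from the researchers cited in [1]. It assumes propagation at roughly 2/3 of the speed of light in fibre (about 200 km per millisecond); the landmark coordinates, the RTT values, the 203.0.113.10 public address and the NAT translation log are all constructed sample data.

```python
"""Constraint-based IP geolocation from round-trip times, plus a NAT lookup.

Added illustration for the geolocation quote and the "72 of us" point in the
post above; it is not code from the thread or from any cited source.
Landmark coordinates, RTTs and NAT records are constructed sample values.
"""
import math

# Assumption: signals travel about 2/3 c in fibre, roughly 200 km per millisecond.
FIBRE_KM_PER_MS = 200.0
EARTH_RADIUS_KM = 6371.0


def rtt_to_max_distance_km(rtt_ms):
    """Upper bound on great-circle distance implied by a round-trip time.

    The packet covers the path twice, so only half the RTT is one-way time.
    Queueing delay and routing detours can only make the true distance
    shorter than this bound, never longer.
    """
    return (rtt_ms / 2.0) * FIBRE_KM_PER_MS


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def feasible_region(landmarks, step_deg=1):
    """Integer-degree grid points that satisfy every landmark's distance bound.

    landmarks: iterable of (lat, lon, rtt_ms). Each landmark contributes a disc
    of radius rtt_to_max_distance_km(rtt_ms); the target must lie in all of them.
    """
    discs = [(lat, lon, rtt_to_max_distance_km(rtt)) for lat, lon, rtt in landmarks]
    region = []
    for lat in range(-90, 91, step_deg):
        for lon in range(-180, 180, step_deg):
            if all(haversine_km(lat, lon, clat, clon) <= r for clat, clon, r in discs):
                region.append((lat, lon))
    return region


def region_extent_km(points):
    """Largest distance between any two points of the region (0 if fewer than 2)."""
    return max((haversine_km(a[0], a[1], b[0], b[1]) for a in points for b in points),
               default=0.0)


def hosts_behind(nat_records, public_ip, at_time):
    """Internal hosts whose translations through public_ip were active at at_time.

    This is the lookup a defender would run against a NAT log: the public
    address identifies the translation device, not an individual machine.
    """
    return sorted({r["inside"] for r in nat_records
                   if r["outside"] == public_ip and r["start"] <= at_time < r["end"]})


# Constructed sample data: three vantage points (roughly New York, Philadelphia
# and Boston) with made-up RTTs to the same unknown host.
LANDMARKS = [(40.7, -74.0, 2.0), (39.95, -75.17, 2.0), (42.36, -71.06, 6.0)]

# Constructed NAT translation log: 72 private hosts share one documentation-range
# public address during t=[100, 900), and a 73rd host uses it later.
NAT_LOG = [
    {"outside": "203.0.113.10", "inside": f"10.32.244.{i}", "start": 100, "end": 900}
    for i in range(1, 73)
] + [{"outside": "203.0.113.10", "inside": "10.32.244.200", "start": 950, "end": 990}]


if __name__ == "__main__":
    print("2 ms RTT bounds the host to", rtt_to_max_distance_km(2.0), "km")
    region = feasible_region(LANDMARKS)
    print(len(region), "grid cells remain, spanning about",
          round(region_extent_km(region)), "km")
    print("hosts behind 203.0.113.10 at t=500:",
          len(hosts_behind(NAT_LOG, "203.0.113.10", 500)))
```

With the constructed landmarks, even the intersection of three discs still leaves a region spanning roughly 280 km, and the NAT lookup returns 72 candidate machines for the one address at t=500. Real implementations calibrate the km-per-ms factor per landmark from known paths rather than using a fixed constant, which tightens the discs but does not change the attribution problem the post describes.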


Title: Re: Counterattacking a hacker
Post by: kriscamaro68 on April 15, 2011, 12:23:35 PM
http://www.newscientist.com/article/dn20336-internet-probe-can-track-you-down-to-within-690-metres.html

This article is a good read showing that if their theory works they can track it closer. Still, you are in the same predicament as before even if you can trace that close; nonetheless, still interesting.


Title: Re: Counterattacking a hacker
Post by: mallaigh on April 15, 2011, 03:50:10 PM
Very nice write-up, sil.  I've been following your Cyberwarfare write-ups, and have to say, I've enjoyed them all.