<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title> &#187; Anonymity</title>
	<atom:link href="http://www.megapanzer.com/tag/anonymity/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.megapanzer.com</link>
	<description></description>
	<lastBuildDate>Fri, 23 Dec 2011 13:02:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Tor, The Onion Routing Project.</title>
		<link>http://www.megapanzer.com/2009/08/09/tor-the-onion-routing-project/</link>
		<comments>http://www.megapanzer.com/2009/08/09/tor-the-onion-routing-project/#comments</comments>
		<pubDate>Sun, 09 Aug 2009 22:28:24 +0000</pubDate>
		<dc:creator>carrumba</dc:creator>
				<category><![CDATA[External tools]]></category>
		<category><![CDATA[Anonymity]]></category>
		<category><![CDATA[Onion routing]]></category>
		<category><![CDATA[TOR]]></category>

		<guid isPermaLink="false">http://www.megapanzer.com/?p=2567</guid>
		<description><![CDATA[Tool name : Tor. Description : Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP [...]]]></description>
			<content:encoded><![CDATA[<table border="0" width="100%">
<tbody>
<tr valign="top">
<td width="30%">&nbsp;</td>
<td width="50%">&nbsp;</td>
<td width="20%">&nbsp;</td>
</tr>
<tr valign="bottom">
<td><strong>Tool name</strong> :</td>
<td>Tor</td>
<td>
&nbsp;
</td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr valign="top">
<td><strong>Description</strong> :</td>
<td colspan="2">
Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features. For a free cross-platform GUI, users recommend Vidalia.
</td>
</tr>
<tr>
<td colspan="3">&nbsp;</td>
</tr>
<tr valign="top">
<td><strong>Homepage</strong> :</td>
<td colspan="2"><a href="http://www.torproject.org/" target="_blank">www.torproject.org</a></td>
</tr>
</tbody>
</table>
<p><br/></p>
]]></content:encoded>
			<wfw:commentRss>http://www.megapanzer.com/2009/08/09/tor-the-onion-routing-project/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Six ways how hackers protect themselves when unleashing malware (2 of 2)</title>
		<link>http://www.megapanzer.com/2009/04/21/six-ways-how-hackers-protect-themselves-when-unleashing-malware-2-of-2/</link>
		<comments>http://www.megapanzer.com/2009/04/21/six-ways-how-hackers-protect-themselves-when-unleashing-malware-2-of-2/#comments</comments>
		<pubDate>Tue, 21 Apr 2009 11:49:52 +0000</pubDate>
		<dc:creator>carrumba</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Anonymity]]></category>
		<category><![CDATA[Hacker]]></category>

		<guid isPermaLink="false">http://www.megapanzer.com/?p=1138</guid>
		<description><![CDATA[In the first part of this series we had a closer look at the basic precondition: how an attacker prepares his own computer to eliminate telltale traces when surfing the Internet. In this second part we will go into the details of how they connect to the Internet anonymously without leaving a betraying IP address which [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-thumbnail wp-image-1349" title="Anonymity" src="http://www.megapanzer.com/wp-content/uploads/mask-150x150.jpg" alt="Anonymity" width="100" height="100" />In the <a href="http://www.megapanzer.com/2009/04/07/six-ways-how-hackers-protect-themselves-when-unleashing-malware-1/" target="_blank">first part</a> of this series we had a closer look at the basic precondition: how an attacker prepares his own computer to eliminate telltale traces when surfing the Internet. In this second part we will go into the details of how they connect to the Internet anonymously without leaving a betraying IP address which would reveal their identity.<span id="more-1138"></span></p>
<p><strong>1. Anonymizing proxies</strong></p>
<p>The reasons why attackers work from home are laziness and the desire for comfort. The means that offer the regular Internet user anonymity and privacy are also quite convenient for people with malicious intentions. Anonymizing services like <a href="http://en.wikipedia.org/wiki/Tor_(anonymity_network)" target="_blank">TOR</a> or <a href="http://en.wikipedia.org/wiki/I2P" target="_blank">I2P</a> are popular among people who want to protect their privacy, and among hackers as well. They profit from these anonymizing services too, which allow them to do their business from home with a low risk of being traced back.</p>
<p><strong>2. The phone booth</strong></p>
<p>There was a time, many years ago, around 1993, when acoustic couplers were still in use and often found in a service technician&#8217;s equipment box. For connecting to the Internet or another dial-up computer from home, the home modem was the first choice. Modems replaced the acoustic couplers in home offices and pushed them into a niche. An acoustic coupler makes it possible to connect to the Internet by attaching it to a regular telephone jack and establishing a modem connection to an ISP (Internet Service Provider). When an acoustic coupler is used from a phone booth, a place where the phone number is not related to the caller, the identity of the user cannot be determined. This is an ideal way for an attacker to protect his identity.</p>
<p>But public phone booths are anything but anonymous, at least where physical presence is concerned: when people see someone with half of his home computer equipment inside the booth, they get curious about what is going on. This method requires precautions beforehand to ensure that no one takes note of the attacker&#8217;s presence and activities, which makes it a rather uncomfortable method.</p>
<p><strong>3. Accessible telephone switch box</strong></p>
<p>When walking through the neighbourhood and having a closer look at the buildings, you can see the boxes for the telcos&#8217; electrical installations mounted on the outside wall or somewhere close to the building. If you open these boxes you find the telephone copper wire pairs, one pair for each apartment. When connecting the internal laptop modem to these wire pairs, an attacker gets a carrier signal that is ready to use. But as with the phone booth, the physical presence poses a big obstacle that the attacker has to overcome first. A person standing with a laptop at a switch box is quite suspicious and will attract people&#8217;s attention. That is exactly the opposite of his goal, which is to stay anonymous.</p>
<p><strong>4. Neighbouring wireless LANs</strong></p>
<p>Internet access is available in almost every household in industrialized countries, and unless one lives in a remote place somewhere up in the mountains, at least one of the neighbours has Internet access and a <img class="alignleft size-full wp-image-1346" title="acousticcoupler" src="http://www.megapanzer.com/wp-content/uploads/acousticcoupler.gif" alt="acousticcoupler" width="181" height="137" /> router with the wireless access point activated. In the small village where I live, walking around my house and searching for WLANs turns up at least 10 of them. So availability shouldn&#8217;t be a problem nowadays; the question is rather whether the access points have protection mechanisms activated. But even if these mechanisms are activated, the days when WEP stopped people from using another person&#8217;s WLAN never actually existed. Using WPA or WPA2 can&#8217;t protect from every attack either, and with more or less effort these obstacles can also be overcome. For further information on how to crack WEP/WPA, have a look at <a href="http://www.scribd.com/doc/10049619/Aircrack-23-WEP-WPAPSK-Creck" target="_blank">this</a> document.</p>
<p>Using a neighbour&#8217;s wireless LAN alone to access the Internet is not really effective for hiding one&#8217;s identity. If a notorious hacker lives next to a person with no previous convictions, and that neighbour is blamed for unleashing malware because his IP address was found in the log files, the hacker is the more likely suspect, considering that the neighbour has a weakly protected access point at home. Using a neighbour&#8217;s open wireless LAN is a weak layer of protection when attacking a system and is probably preferred by people who don&#8217;t want to pay for Internet access but want to use it anyway.</p>
<p><strong>5. Using wireless LANs</strong></p>
<p>Instead of using the neighbour&#8217;s WLAN access point, it is safer to use a WLAN outside one&#8217;s own town. Sitting in the car, driving through the quarters and scanning for open or weakly protected wireless LANs is a promising tactic for getting anonymous access to the Internet. It also eliminates the drawback of the previous example, because it does not draw attention to the area where the attacker lives.</p>
<p><strong>6. Public Internet access</strong></p>
<p>The last possibility for accessing the Internet anonymously is via publicly accessible Internet spots. The days when Internet access was offered to the public in typical Internet cafes or in shops are actually over. It is mainly tourists, who want to write to friends back home about life abroad, who are ready to pay that money. Internet cafes are rare but still exist, and in towns, at train stations or airports, phone booths with integrated Internet surf stations are available.<br />
Depending on the goal an attacker wants to achieve, an Internet phone booth is safe and comfortable enough to surf and hack via the web browser. To unleash malware, a computer is required that can read a portable data storage device. The attacker copies the malware onto the computer and spreads it from there.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.megapanzer.com/2009/04/21/six-ways-how-hackers-protect-themselves-when-unleashing-malware-2-of-2/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Six ways how hackers protect themselves when unleashing malware (1 of 2)</title>
		<link>http://www.megapanzer.com/2009/04/07/six-ways-how-hackers-protect-themselves-when-unleashing-malware-1/</link>
		<comments>http://www.megapanzer.com/2009/04/07/six-ways-how-hackers-protect-themselves-when-unleashing-malware-1/#comments</comments>
		<pubDate>Tue, 07 Apr 2009 15:45:11 +0000</pubDate>
		<dc:creator>carrumba</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Anonymity]]></category>
		<category><![CDATA[Hacker]]></category>

		<guid isPermaLink="false">http://www.megapanzer.com/?p=1081</guid>
		<description><![CDATA[It is a critical moment when hackers unleash their malware into the wild and have to get in touch with the outside world. They expose themselves for a short moment and risk leaving traceable tracks that may reveal their identity. We read and see regularly in the media that malware is spreading successfully and unnoticed [...]]]></description>
			<content:encoded><![CDATA[<glossarycode><glossarycode><glossarycode><p>It is a critical moment when <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1220" title="Glossary: Hacker" target="_blank">hackers</a> unleash their <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a> into the wild and have to get in touch with the outside world. They expose themselves for a short moment and risk leaving traceable tracks that may reveal their identity. We read and see regularly in the media that <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a> is spreading successfully and unnoticed over the Internet. If done properly it is hardly possible to nip the propagation in the bud and to determine its originator.<span id="more-1081"></span></p>
<p>The days when attackers were just hobbyists are definitely over. They possess deep knowledge in their field and know which parts of their plan are critical and call for caution. The methods used to unleash <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a> are thoroughly tested and far more advanced compared to earlier methods. I will explain in this article how attackers proceed to cover their tracks and stay on the safe side.</p>
<p><strong>Anonymity</strong></p>
<p>We have already considered how <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1220" title="Glossary: Hacker" target="_blank">hackers</a> propagate <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a> and you know how they proceed. But we ignore for now which way and which tool they&#8217;ve chosen. Let&#8217;s go one step back and examine the preconditions that are essential for all the attack vectors and tools they choose. It is essential to set up the system and the tools used for propagation in an anonymous state. This means every interface to the &#8220;outside&#8221; has to be anonymized to make traceability not only hard but impossible. We take a concrete example and assume an attacker plans to use a free webmail account to send a victim an infected attachment. The following parts in the communication chain could reveal an attacker&#8217;s identity or give valuable hints:</p>
<p><strong>Operating system/User profile : </strong> Propagation without a computer is feasible only in the rarest cases, e.g. with removable data storage devices. Normally this is done in front of a computer. Remember that you log into a system by identification and authentication. All my logins are somehow related to my real name, email address or a project name. An initial step among all the preparations an attacker makes is to anonymize the user profile under which he will propagate <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a>.</p>
<p><strong>Tool set :</strong> The tool set used to propagate <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a> normally consists of a browser, mail client or file sharing software and was downloaded from the Internet. We don&#8217;t know exactly what tell-tale information client software transmits to a network peer, and analyzing its data stream with a sniffer would be recommended for the sake of safety. Normally, if necessary, the transmission of such data can be disabled or anonymized somewhere inside the tool configuration; that way it doesn&#8217;t leave hints that lead back to the attacker.<br />
But not only the client software itself can give hints to an attacker&#8217;s identity. If the software supports plugin mechanisms that can influence and direct the client software, the attacker&#8217;s opponents could <a class="glossaryLink" href="http://www.megapanzer.com/" title="Glossary: Worm" target="_blank">worm</a> out valuable secrets he wants to keep for himself. Therefore it&#8217;s recommended to disable any unneeded plugins like Java, Javascript or even the Adobe Flash plugin. They can leak information about the system and its configuration, like the browser version or the IP address.</p>
<p><strong>Networking interface controller</strong>: A networking card is identified by its worldwide uniquely assigned MAC address. But as network administrators have probably experienced already, some manufacturers ignore the recommended practices and assign their NICs MAC addresses at their own discretion, so these addresses are not as unique as expected. Changing the MAC address on Windows is also done without much effort, and an attacker will change the MAC address of his connected NIC to protect his identity.</p>
<p><strong>IP address :</strong> The IP address is the most critical point the attacker wants to hide. Once it is possible to determine the attacker&#8217;s IP address the game is over. The address is traced back to the IAP (Internet Access Provider) and together with the connection timestamp this leads directly to the person behind the attack. It&#8217;s mandatory for an attacker to hide his real IP address or to use an untraceable one. There are two main ways and several sub-variants of how to proceed to be on the safer side, which I will explain in the two following chapters.</p>
<p><strong>In part two &#8230;</strong></p>
<p>As with some of the other articles I wrote before, this one has also grown larger than expected and I decided to split it up into two parts. In the second part I will explain the possibilities for connecting to the Internet anonymously by using proxy servers and other people&#8217;s infrastructure like WLAN or a landline phone.</p></glossarycode></glossarycode></glossarycode>]]></content:encoded>
			<wfw:commentRss>http://www.megapanzer.com/2009/04/07/six-ways-how-hackers-protect-themselves-when-unleashing-malware-1/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

