Thursday, January 23, 2014
Thursday, January 9, 2014
Tracing a hacker
Source: Tracing a hacker
Table of Contents
Introduction Have you ever been connected to your computer when something strange happens? A CD drive opens on its own, your mouse moves by itself, programs close without any errors, or your printer starts printing out of nowhere? When this happens, one of the first thoughts that may pop into your head is that someone has hacked your computer and is playing around with you. Then you start feeling anger tinged with a bit of fear, because someone is violating your personal space without your permission and potentially accessing your private data. At these times instead of panicking, this tutorial will show what to do and how to potentially help you track down the hacker and report them to the authorities. When your computer is hacked, a hacker will typically install a Remote Access Trojan, or RAT, that will allow them to gain access to it again in the future. This trojan will listen on a TCP or UDP port and wait for connections from the remote user. Once the remote user is connected they will have full access to your computer and be able to access files, programs, screen shots, and possibly your web cam. While the hacker is connected, though, they are vulnerable because we can use programs that allow us to see the IP address that the user is connected from. This IP addresscan be used to find their approximate geographic location, possibly login names from their computer, and identity clues from their host names. We can then use this information to report them to the authorities or law enforcement. The first step is to proceed to the next section where you will learn how to use a tool called TCPView to examine the connections between your computer and a remote one. Using TCPView in Windows to see who is connected to your computer TCPView is a powerful tool for Windows that allows you to see all of the current TCP/IP network connections on your computer. As almost all remote hacks are perpetrated over the Internet, you will be able to use TCPView to quickly spot any remote computers that are connected to your computer. To use TCPView please download it from the following location and save it on your desktop: TCPView Download LinkTo find a hacker that may be connected to your computer, run TCPView and accept the license agreement. You will now be shown a page that displays all of the active TCP/IP connections on your computer. If there is a remote user connected to your computer at this time, then TCPView will show their connection and the IP address they are connecting from. When using TCPView always be sure to disable the resolve address feature as we want to see the connected IP addresses. To do this, when TCPView is open, click on theOptions menu and then uncheck Resolve Addresses. Now that TCPView is setup properly, let's see how TCPView works by looking at a screen shot of TCPView showing only legitimate connections.  As you can see from the image above, the only programs that show an ESTABLISHED connection are related to the Internet Explorer process. If Internet Explorer was just used within the last 5-10 minutes, then these connections are legitimate connections that were made to various web sites. The processes that are in a LISTENING state look to be legitimate Windows programs, so they can be ignored as well. To be safe, though, you should always check the paths of all LISTENING programs by double-clicking on the program name. This will open a small dialog that shows you the path to the executable. If the program is in the proper place then you have confirmed that these are legitimate programs. Now, let's say that you were using your computer and your CD drive ejected on its own. As this is a little strange you should start TCPView and look at its connections.  Can you spot the strange connection in the screen above? We see ESTABLISHED Internet Explorer connections to a variety of hosts, but if you recently used it then that is normal. At the very top, though, is a strange process called a.exe that has an established connection to to the remote IP address 67.83.7.212 and is listening on the local port number 26666. If you do not recognize the program or the remote address, then you should immediately become suspicious. The next step is to see if there is any legitimate program that uses that port number. By looking at this Wikipedia Page we see that there is no legitimate program assigned to the 26666 port number. If you are concerned that you are seeing a suspicious connection, you should definitely write down the name of the program, its file location, and the remote user's IP address so that you have it available later. You may also want to take screen shots in the event you need to show it to the authorities. Finally, we double-click on the process name to see where it is located and find that it is stored directly in the C:\Program Files folder.  Executable programs should not be stored directly in the C:\Program Files folder, so it paints a stronger case that this is not a legitimate program and that someone was accessing your computer without your permission. To be safe, you should end the process so that the hacker is no longer connected to the computer. Now that you know that someone has been accessing your computer without your permission, you should continue to the next section to learn how to use the information we just gathered to track them down. Using our clues to track down the hacker Now that you know the potential hackers IP address, you can use that to track them down. The first thing you want to do is get a general geographical location for the user. This can be done using the GeoIPTool site. When you are at that site, enter the IP address for the remote user you saw connected to your computer. GeoIPTool will then display the general location for this IP address as shown below.  As you can see from the above image, the remote IP address that connected to your computer is supposedly located in Clifton, New Jersey in the USA. Unfortunately, the GeoIP information is not always accurate, so we want to use another tool called Traceroute to corroborate what the GeoIPTool showed. Traceroute is a program that will print out the host names of all the devices between your computer and the remote one. As ISPs typically give hosts names to their devices using geographical names, we can get further clues as to the location of the IP address. To use Traceroute you can go to this web site: http://www.net.princeton.edu/traceroute.html. Once there, enter the hackers IP address and click on the Go button. A traceroute process can take a while, so you may want to do something for 5-10 minutes and then come back and check the results. When done, you should see output similar to what is shown below.  Notice the hostname of the last device in the traceroute and the portion that I highlighted. Based upon the information we received from GeoIPTool, this further confirms that the IP address most likely belongs to someone from Clifton, New Jersey. In a real example, though, it will not always be as easy to figure out the location of a remote IP address. In those situations your best bet is to contact the abuse department for the ISP that owns the remote IP address and let them know what is going on. They will usually issue an alert to the hacker, which if nothing else, will scare them enough that maybe they wont do it again. To find out the name of the ISP that owns the particular IP address, you can go to http://whois.arin.net and enter the IP address in the Search Whois field in the top right of the home page. This will look up and list the Internet service provider that owns that particular IP address and will usually contain an email you can contact. If you plan on reporting this hack to the authorities, you should avoid contacting the ISP at this time. Finally, someone accessing your computer without permission can be a federal crime, so if you are truly concerned, you can gather all of this information and contact your local police department's cyber crime division. If your police department does not have this division then you can contact the FBI Cyber Crime division. What you should do once you know you have been hacked Once you know you have been hacked you should immediately harden your computer's security so that it cannot happen again. To do this please perform each of these steps:
Conclusion Hopefully the information in this tutorial will help you to gain control of your computer in the event someone hacks it. When reviewing this information, though, it is important to not to jump to conclusions and assume every unknown established connection is a hacker. In most cases, connections you see in TCPView are all legitimate and nothing to be concerned about. If you do encounter something that looks suspicious to you, feel free ask us in the tech support forums. One of our members can help you determine if this connection is something that you really need to worry about.
ITT Tech - Official Site Associate, Bachelor Degree Programs Browse Programs Now & Learn More. www.itt-tech.edu
     |
Wednesday, January 8, 2014
As Yahoo makes encryption standard for email, weak implementation seen
Yahoo has started to automatically encrypt connections between users and its email service, adding an important security layer that rival Gmail has had for almost four years, but its implementation needs work, according to at least one security expert.
Yahoo Mail had support for full-session HTTPS—SSL/TLS encryption over HTTP—since late 2012, but users had to opt in to use the feature. Tuesday, the company delivered on a promise that it made in October to enable encryption for everyone by default by January 8.
”Anytime you use Yahoo Mail—whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP—it is 100% encrypted by default and protected with 2,048 bit certificates,” said Jeff Bonforte, senior vice-president of communication products at Yahoo, in a blog post. “This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail.”
While this is a great step, the company’s HTTPS implementation appears to be inconsistent across servers and even technically insecure in some cases, according to Ivan Ristic, director of application security research at security firm Qualys, which runs the SSL Labs and SSL Pulse projects.
For example, some of Yahoo’s HTTPS email servers use RC4 as the preferred cipherwith most clients. “RC4 is considered weak, which is why we advise that people either don’t use it, or if they feel they must, use it as a last resort,” Ristic said.
Other servers, like login.yahoo.com, primarily use the AES cipher, but do not have mitigations for known attacks like BEAST and CRIME, the latter targeting a feature called TLS compression that login.yahoo.com still has enabled.
None of the servers checked by Ristic support forward secrecy, a feature that makes decryption of previously captured SSL traffic impossible even if the server’s private key is compromised in the future. This is a property of the Diffie-Hellman Ephemeral (DHE or ECDHE) key agreement protocols. Instead, the Yahoo servers use traditional RSA key exchange.
Google’s SSL configuration for Gmail supports forward secrecy since 2011 and Facebook and Twitter have also implemented it.
Because of various theoretical and practical attacks demonstrated against SSL in recent years, security experts also recommend the use of ciphers that function in Galois/Counter Mode (GCM). These are only available in TLS 1.2, the latest version of the protocol, but not all of Yahoo’s servers support TLS 1.2.
”I think we should accept that Yahoo needs time to get their servers in order when it comes to encryption, but perhaps they need to be more transparent about what they’re planning and doing,” Ristic said. “For example, I would have preferred to see something along the lines of: ‘We haven’t done these other things yet, but here’s our schedule for addressing them’.”
Yahoo’s move comes after repeated calls over the years from security experts and privacy advocates for the company to enable HTTPS for email. The recent revelations of mass Internet surveillance by the U.S. National Security Agency and U.K. Government Communications Headquarters that painted a picture of Yahoo being a primary target for user data collection by intelligence agencies have likely added to the pressure as well.
One top-secret document leaked by former NSA contractor Edward Snowden showed that in a single day in 2012, the NSA collected over 440,000 email address books from Yahoo, compared to around 100,000 from Hotmail, 82,000 from Facebook and 33,000 from Gmail.
Gmail has had HTTPS by default since 2010, Microsoft’s Outlook.com email service launched in July 2012 that eventually replaced Hotmail had this feature from the beginning, and Facebook started rolling out HTTPS by default to users in November 2012. All companies supported full-session HTTPS on an opt-in basis for some time before making it the standard setting.
The media reports about NSA’s data collection programs have also prompted Yahoo to expand its encryption efforts beyond email. The company plans to encrypt information moving between its data centers and to offer users the option to encrypt all data flows to and from Yahoo by the end of the first quarter of 2014, Yahoo CEO Marissa Mayer announced in November.
Subscribe to:
Posts (Atom)