Hi all,

In response to the following email:

>I think the cotse.com anonymizer service is down now. BTW, am I reading this
>wrong or was the question:
>
> ...methods/technologies are used to _discover_ anonymous users?

I believe that it is important to know what services are out there to be able to detect if a suspect has been using such facilities. If you do a check on their cache, history or bookmarks and notice they have listings from these services then you have a good chance that they may use these facilities.

I think discovering anonymous users is a bit like detecting steganography; one person told me that the only way they detect it is if they suspect someone of using it.

Detecting the use of anonymous users I believe on a technical front would be the same as detecting it on a seized computer (however in the scope of forensic examination we would not detect in real time so logs are very important): you would know the possible services people can use and in your proxy/firewall settings or even snort you set it to detect such addresses. I am aware that these services probably have a number of fake addresses so that you do not notice, but I believe if you try a few of these services out you can weed out which ones you can detect and which ones you cannot.

You can use IP spoofing, however this can be detected in some instances; ditto with MAC address spoofing. In the book Digital Crime [1] he mentions the use of Internet terminals, Internet cafes and libraries. Programs to spoof mail can help you achieve anonymity in your communications. Even hacking at sendmail (older versions at least) can do this as well, but then you need some way to help keep your identity concealed from the people owning the sendmail server. Using someone else's account or an account you know 10+ ppl have the password for can help your chances not to be caught.

It can be a difficult problem, but normally catching people who do bad things on the net requires real investigation techniques, as one person mentioned to me recently. The other thing is even if you can track it down to an account or a phone number then you still do not know if that computer was hacked or that account is used by other people. Hats off to people who are able to track these people.

Usernames, material which is looked at by the attacker, words used, commands typed can be used to help track the person. Say if they use a regional slang or type an OpenBSD command then this will minimise the possible people.

Sorry all for another long email, got carried away.

-Daniel Heinonen

[1] Barrett, N. Digital Crime, 1996, Kogan Page, London

At 03:45 PM 16/07/01 -0400, you wrote:

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
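
The proxy-log check described in the message above, as an added example that is not part of the original post: it scans Squid-style access log lines for requests to a watchlist of anonymizer domains and groups the hits by client. The log lines, client addresses and the `anonymizer.example` entry are constructed; only cotse.com comes from the thread.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# cotse.com is named in the thread; anonymizer.example is a constructed placeholder.
WATCHLIST = {"cotse.com", "anonymizer.example"}

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method target ident peer type
SAMPLE_LOG = """\
995384716.101 120 192.0.2.10 TCP_MISS/200 4512 GET http://www.cotse.com/index.html - DIRECT/198.51.100.7 text/html
995384720.442 80 192.0.2.11 TCP_HIT/200 900 GET http://news.example.org/index.html - NONE/- text/html
995384731.007 300 192.0.2.10 TCP_MISS/200 0 CONNECT anonymizer.example:443 - DIRECT/198.51.100.9 -
995384740.310 95 192.0.2.12 TCP_MISS/200 2210 GET http://notcotse.com/ - DIRECT/198.51.100.20 text/html
995384755.900 60 192.0.2.12 TCP_MISS/200 1300 GET http://COTSE.COM./cgi-bin/x - DIRECT/198.51.100.7 text/html
truncated line
"""

def request_host(method, target):
    """Return the normalised host for a logged request target."""
    if method == "CONNECT":              # CONNECT logs host:port, not a URL
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
    return host.lower().rstrip(".")      # fold case, drop trailing root dot

def on_watchlist(host, watchlist=WATCHLIST):
    """Match the domain itself or a subdomain, never a bare string suffix."""
    return any(host == d or host.endswith("." + d) for d in watchlist)

def find_hits(log_text, watchlist=WATCHLIST):
    """Map client address -> list of (timestamp, host) for watchlisted requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:              # skip truncated or malformed lines
            continue
        ts, client, method, target = fields[0], fields[2], fields[5], fields[6]
        host = request_host(method, target)
        if on_watchlist(host, watchlist):
            hits[client].append((ts, host))
    return dict(hits)

if __name__ == "__main__":
    for client, events in find_hits(SAMPLE_LOG).items():
        print(client, events)
```

A hit only ties a watchlisted request to a client address in the log; as the message notes, it does not establish who was using that machine or account.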
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 10:40:16 PDT