Sunday, February 25, 2007

Internet Hide and Go Seek

Lavie and I were watching a recent episode of the CBS Television show Numb3rs.

In this one (like many) the crack F.B.I. team traces (in real time) the location of a bad guy's Internet access and manages to pin him down to a specific home, building, or neighborhood.

This makes for great and exciting TV and while I'm quite confident there are a lot of things law-enforcement (especially the federal agencies) can do, quite speedily, overall I'm not entirely convinced enough to get out my tinfoil hat just yet.

When one connects to the "Net", wirelessly or over a hard line, it is through an IP (Internet Protocol) address. That IP address, made up of numbers separated with dots, tells the data packets where to go and how to get back to you.

Knowing an IP address can generally tell you a fair bit about the owner and location of a server.

IP Addresses and WHOIS

Want to know a little bit about, say, Mozilla?

Open a command-prompt box and type the following: PING www.mozilla.com

You should get something like this:

C:\>ping www.mozilla.com

Pinging www-mozilla-com.glb.mozilla.com [63.245.209.10] with 32 bytes of data:

Reply from 63.245.209.10: bytes=32 time=67ms TTL=241
Reply from 63.245.209.10: bytes=32 time=66ms TTL=241
Reply from 63.245.209.10: bytes=32 time=76ms TTL=241
Reply from 63.245.209.10: bytes=32 time=67ms TTL=241

Ping statistics for 63.245.209.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 66ms, Maximum = 76ms, Average = 69ms

That number 63.245.209.10 is the IP address of the server.

Now hop over to the ARIN WHOIS Database Search, enter that IP address in the search field, and you will get some information on the owner.

The information here is only as good as what the ISP requires, and (especially for shadier web sites) may be limited or bogus...but it is a start.

More? OK!

Trace the Route Between IP Addresses

Going back to my Windows XP command-prompt box, let's run the following command:

C:\>tracert 63.245.209.10

It should spit back details of each router the request passes through on its way to the destination.

This is great information for troubleshooting and seeing where you are headed.
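Before you paste an address into a WHOIS form it helps to know whether it is even a public address, since your home router and your ISP's internal hops use private ranges that no registry will describe. The script below is an added example and not from the original post: it pulls the address and round-trip times out of the ping output shown above, classifies an address as public or private with Python's standard ipaddress module, and parses Windows-style tracert output (the tracert hops here are constructed, not a real trace) so that each hop is labelled the same way.

```python
import ipaddress
import re

# Ping output exactly as shown in the post (Windows XP), used as sample input.
PING_OUTPUT = """\
C:\\>ping www.mozilla.com

Pinging www-mozilla-com.glb.mozilla.com [63.245.209.10] with 32 bytes of data:

Reply from 63.245.209.10: bytes=32 time=67ms TTL=241
Reply from 63.245.209.10: bytes=32 time=66ms TTL=241
Reply from 63.245.209.10: bytes=32 time=76ms TTL=241
Reply from 63.245.209.10: bytes=32 time=67ms TTL=241
"""

# Constructed tracert output: the hops are made up for this example.
TRACERT_OUTPUT = """\
Tracing route to 63.245.209.10 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    13 ms  10.20.30.1
  3     *        *        *     Request timed out.
  4    67 ms    66 ms    68 ms  63.245.209.10

Trace complete.
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def target_ip(ping_text):
    """Return the address ping resolved, taken from the 'Pinging host [ip]' line."""
    m = re.search(r"Pinging .*?\[(" + IPV4 + r")\]", ping_text)
    return m.group(1) if m else None


def round_trip_times(ping_text):
    """Return the per-reply round-trip times in milliseconds."""
    return [int(x) for x in re.findall(r"time[=<](\d+)ms", ping_text)]


def address_scope(ip):
    """Classify an address so you know whether a WHOIS lookup is meaningful."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"   # RFC 1918 and friends: your LAN or ISP internals, not in WHOIS
    if addr.is_global:
        return "public"    # routable on the Internet: ARIN/RIPE/etc. WHOIS applies
    return "special"


def parse_tracert(text):
    """Turn Windows tracert output into a list of (hop, ip_or_None, scope)."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.*)$", line)
        if not m:
            continue   # banner and 'Trace complete.' lines
        hop = int(m.group(1))
        if "Request timed out" in m.group(2):
            hops.append((hop, None, "no reply"))
            continue
        ip = re.search(r"(" + IPV4 + r")\s*$", m.group(2)).group(1)
        hops.append((hop, ip, address_scope(ip)))
    return hops


if __name__ == "__main__":
    print(target_ip(PING_OUTPUT), round_trip_times(PING_OUTPUT))
    for hop in parse_tracert(TRACERT_OUTPUT):
        print(hop)
```

The first two hops of a home trace come back as "private": those are your router and the ISP's internal network, which is why WHOIS only ever tells you about the public address at the far end.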

traceroute - Wikipedia, the free encyclopedia

Want pretty pictures instead?

Hop over to the VisualRoute traceroute server web page and enter in the IP address.

Here you get a wide-view map, some performance graphs, and some analysis information for the TraceRoute between their server and the target IP address.

Visualware also provides a Lite Edition free for personal use. It's a great, fun little application that could be useful when troubleshooting home networking issues with your ISP Help Desk. It does lack the map and some other features that the paid versions include, but it is a good place to get started.

I also like using Foundstone's Trout application to perform traceroute and Whois lookups. It is small, fast and can be kept on a USB stick. It also supports constant pings to monitor traffic times, good for dealing with a flaky network connection.

View an IP Address on a Map

Want a closer view of where an IP address is located?

Drop the IP address into My IP Address Lookup and you get a nice Google map and some summary information about the ISP's (Internet Service Provider) location.

You can even see a wide-view by street, satellite image, or both, thanks to Google Maps.

This is pretty cool stuff, but depending on how the ISP has set up its system, this will most likely only get you into the general neighborhood where the ISP's routers for that IP address are located. Still not down to a specific street or building.

Reality Check

You may not be aware of it, but besides the activity logs on your Net access kept by your ISP, many websites, servers and others may log your IP when you post a comment, upload or download files, register for a user account, etc.

Though generally harmless to you, you could face consequences if someone pulled those logs and came after you for illegal activity.

And that is where the real power of law enforcement lies. Not so much in the "flashy drama" of real-time network activity tracing, but in the "gum-shoe" detective work of getting an IP address, getting a court subpoena, and getting log records from an ISP for that particular IP.

Using an IP address, coupled with a MAC (media access control) address and time logs, a pretty good case could be made.
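This is the correlation an investigator (or an ISP abuse desk answering a subpoena) actually performs: take the IP and timestamp from a web server's log, then look up which customer device held that IP at that moment in the ISP's address-assignment records. The script below is an added example, not part of the original post; the Apache-style access log and the DHCP lease history are constructed, and a real ISP's records look different, but the shape of the join is the same. Note that the same address is held by two different MACs on the same day, which is why the timestamp matters as much as the IP.

```python
import re
from datetime import datetime

# Constructed web-server access log (Apache common log format), not from the post.
ACCESS_LOG = """\
203.0.113.45 - - [25/Feb/2007:16:15:32 +0000] "POST /comment HTTP/1.1" 200 512
203.0.113.45 - - [25/Feb/2007:17:40:10 +0000] "POST /comment HTTP/1.1" 200 498
198.51.100.7 - - [25/Feb/2007:16:20:01 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Constructed ISP lease history: (address, lease start, lease end, client MAC).
# The same address is reassigned to a different device at 17:05.
DHCP_LEASES = [
    ("203.0.113.45", "2007-02-25T14:00:00+00:00", "2007-02-25T17:00:00+00:00", "00:11:22:33:44:55"),
    ("203.0.113.45", "2007-02-25T17:05:00+00:00", "2007-02-25T23:00:00+00:00", "66:77:88:99:aa:bb"),
    ("198.51.100.7", "2007-02-25T08:00:00+00:00", "2007-02-25T20:00:00+00:00", "cc:dd:ee:ff:00:11"),
]

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def parse_access_log(text):
    """Return (client_ip, timestamp, request_line) for each well-formed log line."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        entries.append((m.group(1), ts, m.group(3)))
    return entries


def mac_for(ip, when, leases=DHCP_LEASES):
    """Return the MAC that held `ip` at time `when`, or None if no lease covers it."""
    for lease_ip, start, end, mac in leases:
        if lease_ip != ip:
            continue
        if datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end):
            return mac
    return None


def attribute_requests(log_text, path_prefix="/comment"):
    """Map each request touching `path_prefix` to the device that held its IP then."""
    result = []
    for ip, ts, request in parse_access_log(log_text):
        if path_prefix not in request:
            continue
        result.append((ts.isoformat(), ip, mac_for(ip, ts)))
    return result


if __name__ == "__main__":
    for when, ip, mac in attribute_requests(ACCESS_LOG):
        print(f"{when}  {ip}  ->  {mac}")
```

Two comments posted from the same IP an hour and a half apart resolve to two different devices. A log with sloppy clocks or a lease table kept in a different time zone would join the wrong way, so aligning time sources is the first thing to check when this evidence is handed over.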

Yes, IP and MAC addresses can be spoofed (for more information see links: IP Spoofing and MAC spoofing), but it's only a matter of time and resources for a determined someone to unravel the web woven.

Anonymizing tools can help make that task more difficult, but aren't fail-safe.

What the following anonymizing tools do (basically) is give your browsing session a different endpoint IP address in place of your "local" IP connection address. For most users...that is usually sufficient.

Going "Covert" with your Browsing

There are some free browsing tools to make it much more difficult to trace an IP from a web-browser session.

TorPark - This is the application I am most familiar with, from Torrify. It is a specialized build of Firefox (currently v1.5.0.7) that is portable for use directly on a Windows pc or off a USB drive and uses the TOR network for web anonymity.

OperaTor - This is a specialized version of Opera v9.10 that combines TOR and Privoxy. It also is portable.

DemocraKey - This is a new "suite" of secure browsing apps, packaged with a slick auto-launcher. It contains Clamwin for free anti-virus scanning, Thunderbird with GPG email encryption, and the TorPark DemocraKey Mod--a security enhanced version of Firefox 2.0 using TOR. Great for USB key based web-browsing. Be aware, it is not a small package, however.

OS Level Anonymous Browsing

Anonym.OS Live CD - This is a Linux "LiveCD" distribution put out by the kaos.theory group. Based on the OpenBSD 3.8 LiveCD, it comes set up with additional tools for anonymizing and encrypting network connections. More details in this good ArsTechnica review.

Phantomix Live CD - This is another Linux "LiveCD" based on the popular Knoppix distribution.

The benefit of these approaches is that the entire operating system is configured to support anonymous browsing and Net activity. Plus they don't touch the hard drive of the local machine, so you shouldn't leave as many "footprints" behind, especially on a machine that is not your own.

Performance Drawbacks

Because of the way these networks work, and depending on network traffic at any given time, the biggest drawback to using any of these solutions is speed.

These networks can run very slow as information requests hop all over the place. Sometimes REALLY slow.

Even with a really fast bandwidth connection and a very fast machine, they can be slow to render pages.

And I really wouldn't consider using them to download files. Slow.

But for general web-browsing, comment posting, and the like, they are pretty serviceable and get the job done.

So Am I Really Anonymous?

Depends on how you define "anonymous."

As I mentioned before, what these anonymizing tools will do is to give a different endpoint IP address for your browsing session instead of your "local" IP connection address.

Tech Guy Leo Notenboom posted a response to a question about whether these programs could be used by individuals or groups for nefarious purposes. In it, Mr. Notenboom does a fantastic job of pointing out the limitations of "anonymity" with these applications:

Now, conceptually that's all very simple. But there are issues...

  • Your IP address is visible to the anonymization service: that's required for your connection to work. You are trusting that they are not logging your connection and logging who you're connecting to. You're further trusting that they won't reveal any of that to anyone else.

  • The service's IP address is visible: possibly making it obvious that you are using an anonymization service. That might make it look like you have something to hide.

  • Your IP address may not be the only thing that identifies you (#1): there's often other information included when you make a request that could identify you or could at least help distinguish your visits from someone else. Torpark addresses this by actually including Firefox to be used in conjunction with Torpark. Other services may, or may not, address this at all.

  • Your IP address may not be the only thing that identifies you (#2): as we saw with the recent search data "accidentally" released by AOL, you may not need an IP address to be identified. Many individuals were identified solely by the search queries that they made. As always, be careful with what information you provide as you browse; search terms, URLs, form information - individually they might mean nothing, but taken in aggregate you might be leaving an identifiable trail.

SANS-ISC had a post last year, Hacking Tor, the anonymity onion routing network, which briefly discusses how a local IP can be confirmed via "track-back" use of a cookie, and links (PDF) to the paper "Practical Onion Hacking" by Andrew Christensen. (Another view from SearchSecurity.com here.)

So while TOR is a very good approach, it isn't fail-safe.
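Mr. Notenboom's points #1 and #2, and the cookie "track-back" above, come down to one thing: a web server's logs hold more than an IP, and whatever stays constant while the exit address changes ties the sessions together. The script below is an added example, not from the original post or from any of the tools it names. It takes three constructed requests as a site operator would log them (two from the same browser through different Tor exit addresses, one from an unrelated visitor; the addresses and cookie value are made up, and the User-Agent string is built to look like a Firefox 1.5.0.7 one) and shows which addresses a site could link by cookie alone and by the header values the browser sends on every request.

```python
import hashlib

# Constructed requests as a web server would see them (not from the post):
# one user arriving through two different exit addresses, plus an unrelated visitor.
FIREFOX_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) "
              "Gecko/20060909 Firefox/1.5.0.7")
REQUESTS = [
    {"ip": "198.51.100.21", "cookie": "sid=abc123",
     "headers": {"User-Agent": FIREFOX_UA, "Accept-Language": "en-us,en;q=0.5"}},
    {"ip": "203.0.113.88", "cookie": "sid=abc123",
     "headers": {"User-Agent": FIREFOX_UA, "Accept-Language": "en-us,en;q=0.5"}},
    {"ip": "192.0.2.14", "cookie": "",
     "headers": {"User-Agent": "Opera/9.10 (Windows NT 5.1; U; en)",
                 "Accept-Language": "de-de"}},
]

# Header values that do not change when the exit address changes.
LINKABLE_HEADERS = ("User-Agent", "Accept-Language")


def fingerprint(headers):
    """Hash the linkable header values; equal hashes mean 'looks like the same client'."""
    material = "|".join(f"{name}={headers.get(name, '')}" for name in LINKABLE_HEADERS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def link_sessions(requests):
    """Group client addresses by cookie (strong link) and by header fingerprint (weaker link)."""
    by_cookie, by_fingerprint = {}, {}
    for req in requests:
        if req["cookie"]:
            by_cookie.setdefault(req["cookie"], set()).add(req["ip"])
        by_fingerprint.setdefault(fingerprint(req["headers"]), set()).add(req["ip"])
    return by_cookie, by_fingerprint


def ips_linked_across_exits(requests):
    """Addresses that share a cookie or fingerprint with at least one other address."""
    linked = set()
    by_cookie, by_fingerprint = link_sessions(requests)
    for groups in (by_cookie.values(), by_fingerprint.values()):
        for ips in groups:
            if len(ips) > 1:
                linked |= ips
    return linked


if __name__ == "__main__":
    cookies, prints = link_sessions(REQUESTS)
    print("by cookie:", cookies)
    print("by fingerprint:", prints)
    print("linked:", sorted(ips_linked_across_exits(REQUESTS)))
```

The two exit addresses are linked twice over, once by the session cookie and once by identical headers, while the Opera visitor stands alone. That is the argument for bundling a fixed browser build with the proxy, as Torpark does: the proxy changes the IP, but only the browser configuration decides what else goes out with every request.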

Beware the Wrath of Network Admins

Another side to the "anonymous browsing" discussion regards compliance with any network policies that may (or may not) be in place.

Using any of these anonymizing software solutions at home should mostly be fair-game. But what if you use one from your work computer or laptop behind your employer's network? Or what if your kid uses one at school to bypass network filters and firewalls? Maybe you work for higher education or the government? Do you think they would care?

You might be surprised to find that they just might care, very much indeed. And not in a positive way.

Case in point: Bowling Green State University assistant professor Paul Cesarini's visit from the campus police after a Tor session: The Chronicle: 2/9/2007: Caught in the Network

To summarize, Mr. Cesarini got a visit from a campus network-security tech along with two campus police detectives. Mr. Cesarini had been using Tor to become familiar with it for a course lecture.

However, his unusual traffic set off alarm bells with network security and prompted the visit.

That use alone--regardless of the purpose--was enough to make everyone nervous and initiate a checkup. They couldn't say what he had viewed, and the logs didn't entirely match his own usage (apparently another TOR user was active on the campus as well), but there were logs, and they were enough to lead to his door.

So non-home users...know your company's policy very well before even considering using a TOR enhanced browser in your employer's network.

System Administrators and Network Policy Drafters...make sure you have updated your policy to cover this area of network technology, software and usage.
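The campus "alarm bells" in the Cesarini story are usually nothing more exotic than a firewall log matched against the publicly listed relay addresses. The script below is an added example for administrators drafting such a policy, not from the original post: it reads constructed firewall log lines in a made-up format, flags connections from internal hosts to addresses on a relay list, and reports hosts that have contacted more than one relay. The relay addresses here are placeholders; a real deployment would load the Tor Project's published relay list.

```python
import re

# Constructed firewall log lines in a made-up format (not from the post).
FIREWALL_LOG = """\
2007-02-09 09:12:01 ALLOW TCP 10.5.0.23:51234 -> 198.51.100.40:9001
2007-02-09 09:12:05 ALLOW TCP 10.5.0.23:51235 -> 203.0.113.200:443
2007-02-09 09:13:10 ALLOW TCP 10.5.0.23:51236 -> 192.0.2.77:9001
2007-02-09 09:14:00 ALLOW TCP 10.5.0.99:40001 -> 203.0.113.5:80
2007-02-09 09:15:22 ALLOW TCP 10.5.0.23:51240 -> 198.51.100.41:9030
"""

# Placeholder relay addresses, constructed for this example. An administrator
# would load the Tor Project's published relay list here instead.
KNOWN_RELAYS = {"198.51.100.40", "192.0.2.77"}

LINE = re.compile(r"^(\S+ \S+) (\w+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_firewall_log(text):
    """Return (timestamp, src_ip, dst_ip, dst_port) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((m.group(1), m.group(4), m.group(6), int(m.group(7))))
    return events


def relay_connections(text, relays=KNOWN_RELAYS):
    """Group connections to listed relays by the internal host that made them."""
    hits = {}
    for ts, src, dst, port in parse_firewall_log(text):
        if dst in relays:
            hits.setdefault(src, []).append((ts, dst, port))
    return hits


def hosts_to_review(text, relays=KNOWN_RELAYS, threshold=2):
    """Internal hosts that contacted at least `threshold` distinct listed relays."""
    return sorted(src for src, conns in relay_connections(text, relays).items()
                  if len({dst for _, dst, _ in conns}) >= threshold)


if __name__ == "__main__":
    for host, conns in relay_connections(FIREWALL_LOG).items():
        print(host, conns)
    print("review:", hosts_to_review(FIREWALL_LOG))
```

Only the address match counts: the connection to port 9030 on an address that is not on the list is left alone, because relay ports are configurable and a port number on its own proves nothing. The output names a host, not a person, which is exactly the gap the campus logs showed when a second Tor user muddied Mr. Cesarini's record; the policy has to say what happens between "this host was flagged" and a knock on the door.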

The Good with the Bad

As Mr. Cesarini, Mr. Notenboom, and countless others have pointed out, anonymous Web activity can clearly be used for ill by those with criminal intent. The nature of the technology makes tracking that activity difficult (though not necessarily impossible) for law enforcement.

However, there is much good bundled with these tools as well.

Besides the obvious use by citizens of repressive governments to express dissent, maybe a corporate whistleblower has something to say, or someone wants to send a valuable tip to a newspaper or crime-stopper organization. Then there could be the user posting in a controversial Web forum, or someone wanting to do web searches on very private and personal health issues (remember the AOL search-data fiasco, anyone...). Heck, even undercover law-enforcement officers and detectives may find beneficial use for these technologies, so that their cover isn't blown by someone tracing the IP they are using back to their headquarters.

There still remain many fair and valid reasons that support the good use of this technology.

And I am confident that hard-working law-enforcement officers are working hand-in-hand with the brightest network security specialists (and the ISPs, via court orders) to get the network traffic information they need for their investigations, when they need it, to keep us safe.

Just be aware of the issues and limitations and use the power responsibly.

--Claus
