Researching security - any help appreciated

Just recently, due to something which happened to me, I had an idea about a crime story. Unfortunately it starts with somebody hacking into a forum and somebody - my main character - trying to find out what’s happening, and why. I don’t have any idea, technically speaking, how my hero could find some clues which will lead him to the villain; you know, the guy who used another one’s username on a board like this. Like getting the IP and so on. I think I would need an expert on this and I hope some of you will know one.

See you around,

There are two ways to go with this:

  1. The standard way.
  2. The reality way.

I think the question is “do you want to SELL this story?” If not then #2 is a viable option. Let’s face it, system security is boring. Even those of us who deal with it for a living find it tedious and mundane.

On the other hand, you can “make s@@@ up” with #1. Lots of fun, but ridicule will rain down from those who do this crap on a daily basis. The last thing we need is another punk kid “doing computers for a living 'cause Hydra in Swordfish was so cool!”. BAH!

That said, let me know if you have any specific questions. I am sure you will come to hate yourself for heading down this road, but at least you won’t be alone.

Yes, I am this cynical at work as well.

Great, thanks for the help - and encouraging as hell, I’m sure you intended to be :wink:. But I think, if told properly, even network security might be as entertaining to read about as a murderer’s knife, gun - whatever. I can at least try :wink:

Now, I think I’d like to know more about option #2; if it sounds way too complicated I can always trim it a bit without sounding too ridiculous. Assume we have somebody who starts posting within a board using another one’s user name. My first thought: let’s check for the IP address of the impostor using something like GeoIP and do the same with the real user. If something like that is at all possible, that is. So, that would be the first question - is all the data stored and is it at least possible to look something like that up?
The second one: might it be possible to trace someone who is currently using the said IP address (or whatever; my Airport here checks for a MAC address, I gather this is my Airport card, right? Might it be possible to figure out that one? They are supposed to be unique, somebody told me some years ago) and, using that information, do some magic search to correlate the villain’s activity in order to get to know him/her a bit better…

I hope you understand my gibberish… and thanks again for your help.

This is a side detail, but it might be useful: I know of at least one message board where any moderator can see the poster’s IP address, and most if not all message boards let the admins see posters’ IPs.

But someone who knows enough to commit a computer crime will probably know to use a rotating IP address.

Also, the kind of person who gets asked to be a mod on one board tends to get asked in other places, too. Maybe your char is a mod on one of the boards, starts seeing the different-sounding posts under that other username, and either is a mod or PMs one of the mods to ask about the possibility of checking the IP, because it sounds different from the person he knows?

Of course, it’ll have to be a very unique username for that. Even mine, “Carradee”, though it’s me MOST places that you’ll find it, is someone else on Wikipedia.

Hope this is at least a bit helpful.

I myself prefer a blend of #1 and #2, but that is probably because I am slightly more aware of #2 than most people. For example, I practically cheered in the theatre when I saw Trinity running a rootkit to break into the UNIX system running at a hard wired terminal from the power plant. Even there, we aren’t talking 100% #2, but at least it isn’t Hugh Jackman waving and clapping at a home theatre system running looped animations of Jello Jigglers on Sticks.

If you want a nice blend of #1 and #2, check out Cryptonomicon by Neal Stephenson. There is at least one scene where our furry protagonist uses a trick that would do exactly what you are wanting.

There was a lot of humor intended in my original reply. Although it really is as dry as I said. It is kind of like being a lawyer. For every Perry Mason moment there are 10^26 mind numbingly mundane moments.

rotating IP: This is called DHCP (dynamic host configuration protocol) and is standard for most providers. This is not an issue as most providers track who has what IP when. A bigger problem would be zombie systems or anon-proxies. We can discuss those later.

You are on the right track. Every investigation starts with

  1. Detection of the violation (automated or manual)
  2. Info gathering – server logs will contain IP address
  3. Categorization of threat (you would be surprised how many we ignore daily).

From that things get ugly.

The moderator idea is not a bad one. I would make it a bit less obvious than a common username. Maybe it is a common symbol used as an avatar overlay. The idea is there. Pattern matching is a key part of detection.

Ok, as far as I know the number of IP addresses is pretty much limited and the ISPs have a bundle available which they offer their customers using DHCP (btw, my Airport also has a built-in DHCP server, right? Whereas the IPs of my Macs are very different from the IP assigned to my Airport - so there has to be some arcane technique which translates one address … no, data meant for one address gets a new address to point it to the correct - or next - destination, therefore my MacBook will get this reply page while that of my wife gets whatever she wants. Anyway, I’ll get to that kind of layer-thinking later on, I think). What exactly is stored in those logs? When I press the submit button below, does the logfile show my IP, username, date & time - and probably a reference to this posting as well?

Now comes the time where I do have to blame myself: I assumed there might be software - tools - around which might allow even a non-expert to break into a board. The person who breaks into it is not an expert in hacking, just a tool user - is something like that at all possible? Would be neat, ’cause the first layer would be an average user who got some really nice tools but wouldn’t have the slightest idea how to proceed without them.

Will do, thanks a lot. Edit: My, that’s a huge one, isn’t it? 1100+ pages - and I thought Peter Hamilton was the only one who routinely produces books on that scale… Outright scary.

Stop right there. THAT’S MINE - Nah, just kidding.
Actually, there is a mod involved who happens, of course, to know others; that’s where the cross-checking kicks in, I think - at least unless somebody here tells me that’s not possible. But I never thought of somebody who is a mod in more than one board - isn’t that too much trouble? By the way - what exactly is the difference between a mod and an admin - if any?

Thanks to all for your help!

  1. IP NAT (Network Address Translation), masquerading, and proxy will all provide you the “anonymization”. Your Airport uses masquerading. A malicious hacker will use a series of masqu’s and anonymizers which is what makes them hard to find.

  2. We call them “script kiddies”. Typically someone who really knows nothing about computers, networking, or programming. There are a number of “hacker kits” that are created by a relatively few number of real nightmare programmers. The tools are easy to find. They are not legal for me to point to here.

The tools operate on a couple of levels. The first is “brute force”. Simply guess enough username and password combinations and you are likely to get one right eventually. The second is “known exploit”. Someone finds a hole in IE, or Safari, or directly in the TCP stack and develops a package to leverage the problem. Then it is shared with the community.

We may want to do some of this in less public communication. I don’t want KB to be associated with any claims of “they talk about hacking on that ship!” If the community (and KB) are ok we can continue here. If we get into real details I will obfuscate them and provide them to you publicly.
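The three investigation steps listed a few posts up (detect, gather the server log, categorize) and the two tool levels just described (brute force, known exploit) share one starting point: the board’s own records of who posted what from which IP and when. The following is an added example, not code from anyone in this thread. The log format is an assumption (an ISO timestamp, an event type, then key=value fields); real boards keep the same facts (user, IP, time, post id) in their database rather than a flat log, and the sample lines are constructed for this illustration. Grouping addresses by /24 is a heuristic for the DHCP rotation mentioned above, not a rule.

```python
"""Correlate forum log events the way a mod/admin investigation would.

Added example with constructed sample lines. The line format is assumed;
real boards store the same facts (user, IP, time, post id) in their DB.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (TEST-NET addresses from RFC 5737).
SAMPLE_LOG = """\
2007-03-10T19:02:11 POST user=carradee ip=203.0.113.17 post=4471
2007-03-10T22:41:03 POST user=carradee ip=203.0.113.92 post=4480
2007-03-11T08:15:44 POST user=zikade ip=198.51.100.8 post=4483
2007-03-11T20:30:05 POST user=carradee ip=203.0.113.40 post=4490
2007-03-12T03:12:07 LOGIN_FAIL user=carradee ip=192.0.2.77
2007-03-12T03:12:09 LOGIN_FAIL user=carradee ip=192.0.2.77
2007-03-12T03:12:10 LOGIN_FAIL user=carradee ip=192.0.2.77
2007-03-12T03:12:12 LOGIN_FAIL user=carradee ip=192.0.2.77
2007-03-12T03:12:15 LOGIN_FAIL user=carradee ip=192.0.2.77
2007-03-12T03:12:19 LOGIN_OK user=carradee ip=192.0.2.77
2007-03-12T03:14:02 POST user=carradee ip=192.0.2.77 post=4502
2007-03-12T03:20:40 POST user=guest_mike ip=192.0.2.77 post=4503
2007-03-12T09:05:00 POST user=zikade ip=198.51.100.8 post=4510
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_log(text):
    """Turn the key=value lines into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a well-formed event
        ts, kind, rest = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
        ev.update(kv.split("=", 1) for kv in rest.split())
        events.append(ev)
    return events


def network_of(ip, prefixlen=24):
    """Collapse a DHCP-rotated host address to its provider block (heuristic)."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def new_network_posts(events):
    """Posts made from a /24 the account had never posted from before.
    DHCP changes the host part, so blocks are compared, not full addresses."""
    seen = defaultdict(set)
    flagged = []
    for ev in events:
        if ev["kind"] != "POST":
            continue
        net = network_of(ev["ip"])
        if seen[ev["user"]] and net not in seen[ev["user"]]:
            flagged.append((ev["user"], ev["post"], ev["ip"]))
        seen[ev["user"]].add(net)
    return flagged


def shared_ip_accounts(events):
    """IPs that posted under more than one account: the cross-account
    pattern a mod who watches several boards would look for."""
    users_by_ip = defaultdict(set)
    for ev in events:
        if ev["kind"] == "POST":
            users_by_ip[ev["ip"]].add(ev["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}


def brute_force_bursts(events, window=timedelta(minutes=5), threshold=5):
    """(ip, user, fails) where >= threshold failed logins inside one window
    were followed by a success: the signature of password guessing."""
    fails = defaultdict(list)
    hits = []
    for ev in events:
        key = (ev["ip"], ev["user"])
        if ev["kind"] == "LOGIN_FAIL":
            fails[key].append(ev["ts"])
            fails[key] = [t for t in fails[key] if ev["ts"] - t <= window]
        elif ev["kind"] == "LOGIN_OK" and len(fails[key]) >= threshold:
            hits.append((ev["ip"], ev["user"], len(fails[key])))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("posts from a new network:", new_network_posts(evs))
    print("IPs shared by accounts:", shared_ip_accounts(evs))
    print("guessing bursts:", brute_force_bursts(evs))
```

On the sample data the three checks converge on one address: the impostor’s post 4502 comes from a block carradee never used, the same address then posts as a second account, and it had just guessed its way past the login. Any one of these alone is weak evidence (a user on holiday, a shared household NAT, a forgotten password), which is what step 3, categorization, is for; all three together on one IP within ten minutes is the clue the story needs. The brute-force check only fires on a success following the failures; an admin who also wants to see failed-only bursts (the attack that did not get in yet) would drop that condition.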

KB?

Well, I’ve been a mod in more than one place before simultaneously—and one of them was a very large online game at the time. (No, that wasn’t connected to the nearly 2 years I took a break from the game; why do you ask? [sarcasm intended] Might’ve been why some players remembered me and repaid some loans when I returned, though.)

As long as the boards are small, new, well-behaved, and/or there are enough mods, modding them shouldn’t be any more stressful than, say, getting involved in a very heated argument with other members of a messageboard. It’s the demographics of visitors that can make a lot of difference. If it’s a site that kids tend to frequent or there are a lot of emotions running rampant, then the modding gets difficult.

*thinks* If I see one of the mods for a smaller, more well-behaved game I play, soon, I’ll ask how much work that is for 'em. Since I often chat w/ 'em or see 'em playing pranks on people, I’m going to guess it isn’t bad, but I’ve also seen other players get freaked when they see the mods chatting with me, so that might not be the norm.

admin = “administrator” = The admin owns the actual board or has owner access. The admin can change how the site looks, which forums there are, can create/delete/ban users and mods, change user types, AND do everything a mod can do.

mod = “moderator” = A user who the admin trusts to help manage the site and enforce the rules. Mods can delete, edit, and move others’ posts to make them fit the board rules. They may have the ability to ban/delete users on some sites.

That’s a simple rundown from my personal experience. I’ve been both, an admin more recently than a mod.

That’s considered ordinary for Stephenson. His next story, the Baroque Cycle, was of a length that would have had Marcel Proust blushing. You’re absolutely right, though, I should have qualified my recommendation. But I do recommend it if you are interested in creating a fun-to-read, but fairly technically accurate tech drama. Crypto is largely based on modern tech; it isn’t very speculative like some of his other fiction.

Incidentally, posting with fake IPs and under another user’s account name would be fairly trivial. The tricky part would be getting to that point. Once you had access to the DB storing the forum data itself, there would be few limits to what you could do. A clever person wouldn’t even need passwords, but could create phantom messages out of “thin air” linked to whatever user ID they wished.

If you wanted to create a fairly realistic method for the black hat to get to that point, you could have them using social methods to track down a mod or admin that uses Wi-Fi and clear text to access the DB or FTP. Packet sniffing the air waves and storing their password and login traffic. Either would work; with the latter that would give them access to the server directory, which would give them access to the PHP config file—and from there the DB password and likely shell access to the server. They could then localhost to the DB and only have to hide their SSH access.
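What the sniffer in the scenario above actually collects is worth seeing in code, because it is the reason cleartext FTP and HTTP admin logins are the weak link. The following is an added example, not code from this poster or from any real tool: the three captured streams are constructed by hand (a real capture would be a pcap read with tcpdump or scapy and reassembled per TCP stream, which is assumed to have happened already), and the credential values are invented. The fourth stream is a few bytes of a TLS record, included to show that the same parser gets nothing from an encrypted session.

```python
"""Pull credentials out of cleartext protocol payloads, as a Wi-Fi sniffer
sitting on the mod's network would.

Added example. CAPTURED_STREAMS are constructed application-layer payloads,
one per (already reassembled) TCP stream; all names and passwords are fake.
"""
import base64
import re
from urllib.parse import parse_qs

CAPTURED_STREAMS = [
    # FTP control channel: the login is two plain commands.
    b"220 forum-host FTP server ready\r\n"
    b"USER admin\r\n"
    b"331 Password required for admin\r\n"
    b"PASS Tr0ub4dor&3\r\n"
    b"230 User admin logged in\r\n",
    # HTTP request to the admin panel with Basic auth (base64, not encryption).
    b"GET /admin/config.php HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Authorization: Basic YWRtaW46VHIwdWI0ZG9yJjM=\r\n"
    b"\r\n",
    # A board login form POSTed over plain HTTP.
    b"POST /ucp.php?mode=login HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n"
    b"\r\n"
    b"username=carradee&password=hunter2&login=1",
    # Start of a TLS record: nothing for a passive listener to read.
    b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x01",
]

FTP_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
FTP_PASS = re.compile(rb"^PASS (\S+)\r?$", re.M)
BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M | re.I)
USER_KEYS = ("username", "user", "login", "email")
PASS_KEYS = ("password", "pass", "passwd")


def form_creds(body):
    """(user, password) from a urlencoded login body, or None."""
    fields = parse_qs(body.decode(errors="replace"))
    user = next((fields[k][0] for k in USER_KEYS if k in fields), None)
    pw = next((fields[k][0] for k in PASS_KEYS if k in fields), None)
    return (user, pw) if user and pw else None


def harvest(stream):
    """Return (protocol, user, password) triples found in one TCP stream."""
    found = []
    user, pw = FTP_USER.search(stream), FTP_PASS.search(stream)
    if user and pw:
        found.append(("ftp", user.group(1).decode(), pw.group(1).decode()))
    for m in BASIC.finditer(stream):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-8: skip rather than crash
        u, _, p = decoded.partition(":")
        found.append(("http-basic", u, p))
    head, sep, body = stream.partition(b"\r\n\r\n")
    if sep and head.startswith(b"POST ") and b"x-www-form-urlencoded" in head:
        creds = form_creds(body)
        if creds:
            found.append(("http-form",) + creds)
    return found


def harvest_all(streams):
    return [c for s in streams for c in harvest(s)]


if __name__ == "__main__":
    for proto, u, p in harvest_all(CAPTURED_STREAMS):
        print(f"{proto:11s} {u}:{p}")
```

Two practical caveats the scenario glosses over. Wi-Fi link encryption (WPA2) does not protect against this if the attacker has joined the same network or is running the access point the victim connected to, so the real defence is application-layer crypto: SFTP/SCP instead of FTP, HTTPS for the admin panel. And Basic auth is only base64, which is why the second stream decodes to the same admin password as the first; it is a transport encoding, not a secret.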

For you and I this would be cool. I think zikade was looking more to the script kiddie route though.

My favorite would be a zombie attack to hide a buffer overflow attack. This would obfuscate the real attack enough that it might be missed in the flurry of activity. Once the buffer attack drops the payload we get the classic backdoor. From here we are at the same place but you don’t actually need to know anything to get this far. At this point we don’t need to hide logins and in most cases have root. Or as I like to think of it “your base is all ours”.

Actually, I was going to relate my favourite buffer overrun, but then decided that would be too technical and went for the social angle. Ha.

They put the backdoor code into a place that would come from a completely legitimate source, thus triggering no red flags: at the back end of a GIF file uploaded to a web advertisement service, bought with a phony credit card of course. I believe the bootstrap code was set to determine its location, and if it was executing anywhere but on the target machine it would destroy itself. This would avoid premature detection in case it took a while for the image to get loaded on the target, and of course had to look like an ordinary advertisement in the front portion of the GIF.
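The trick described just above works because most software stops reading a GIF at its trailer byte and never asks what follows it. The check an upload filter or an incident responder would run is to walk the file’s block structure and see whether the file really ends where the trailer says. The following is an added example, not code from this poster: CLEAN_GIF is a valid 1x1 image assembled by hand from the GIF89a block layout, and PAYLOAD is an arbitrary constructed blob standing in for the appended bootstrap; nothing here executes anything.

```python
"""Detect data hidden after the end of a GIF, as in the ad-banner trick.

Added example with constructed bytes. Walks the GIF89a block structure
(header, logical screen, colour tables, extensions, image data, trailer)
instead of searching for the 0x3B trailer byte, which occurs freely in data.
"""

CLEAN_GIF = (
    b"GIF89a"                                  # header
    b"\x01\x00\x01\x00"                        # logical screen: 1x1
    b"\x80\x00\x00"                            # packed (global table, 2 entries), bg, aspect
    b"\x00\x00\x00\xff\xff\xff"                # global colour table: black, white
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"        # graphic control extension
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor 1x1, no local table
    b"\x02"                                    # LZW minimum code size
    b"\x02\x44\x01\x00"                        # one data sub-block, then terminator
    b"\x3b"                                    # trailer
)
# Constructed stand-in for an appended payload; not real code.
PAYLOAD = b"MZ\x90\x00" + b"\x00" * 12 + b"constructed payload, not real code"
POLYGLOT = CLEAN_GIF + PAYLOAD


def _skip_subblocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks ending in 0x00."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos


def gif_end_offset(data):
    """Offset just past the trailer, found by walking the structure."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("missing GIF header")
    if len(data) < 13:
        raise ValueError("truncated logical screen descriptor")
    packed = data[10]
    pos = 13
    if packed & 0x80:                              # global colour table present
        pos += 3 * (2 << (packed & 0x07))          # 3 * 2^(N+1) bytes
    while True:
        if pos >= len(data):
            raise ValueError("no trailer before end of data")
        block, pos = data[pos], pos + 1
        if block == 0x3B:
            return pos
        if block == 0x21:                          # extension: label + sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == 0x2C:                        # image descriptor
            if len(data) < pos + 9:
                raise ValueError("truncated image descriptor")
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:                     # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos = _skip_subblocks(data, pos + 1)   # +1 skips LZW min code size
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at {pos - 1}")


def trailing_payload(data):
    """Bytes after the trailer; b'' for a well-formed file."""
    return data[gif_end_offset(data):]


def scan(data):
    """Verdict a forum upload filter could act on."""
    try:
        extra = trailing_payload(data)
    except ValueError as exc:
        return {"valid_gif": False, "reason": str(exc), "trailing_bytes": None}
    return {"valid_gif": True,
            "reason": "data after trailer" if extra else "",
            "trailing_bytes": len(extra)}


def strip_trailing(data):
    """Keep the image, drop whatever was appended."""
    return data[:gif_end_offset(data)]


if __name__ == "__main__":
    print(scan(CLEAN_GIF))
    print(scan(POLYGLOT))
```

The limit of this check is exactly what it looks for: appended data. A payload parked inside a comment extension (0x21 0xFE) or spread through the LZW image data passes the structural walk untouched, so a board that accepts user-supplied images does better to re-encode every upload through an image library than to trust any parser of the original bytes.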

Now that all sounds pretty…weird. I will think about it during the next couple of days, visiting my and my wife’s parents for a week - talking about weirdness there. Hah!
If you all raise no objections I would like to press you for more information next week - thanks for your insights and your willingness to share.

Consider this is the mundane stuff and …

press away.

Greetings, Gentlemen…

All your base are belong to us.

P.S. This has been a very interesting read. I’ve learned a few things myself. Thanks to all.

This is the one I wanted!

As you can tell, I was not a big game player.

We are only touching the easy ones. The ssl/ssh “man in the middle” attacks are REAL interesting. There are also the more advanced folks who use the script kiddies to deliver payloads that only they know about.

Then there are the official espionage cases. Now THOSE are fun. This is the stuff movies really are made of, but the reality of the workings are not as glamorous. But I don’t get those these days…
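The ssl/ssh man-in-the-middle mentioned above comes down to one thing: a key exchange that nobody authenticates lets whoever sits on the path agree a separate key with each end and read (or rewrite) everything in between, while both ends believe they are talking privately. The following is an added example, not code from any poster here, that runs that attack against a plain Diffie-Hellman exchange and then shows why it fails once one side’s value is authenticated. Everything in it is a toy by design: the 127-bit prime is far too small for real use, the XOR stream cipher is a stand-in for a real cipher, and a pre-shared HMAC key stands in for the host-key signature that SSH (or a certificate chain in TLS) uses; the secret message is constructed.

```python
"""Man-in-the-middle against a Diffie-Hellman key exchange, toy version.

Added example. Toy group, toy cipher; HOST_KEY stands in for the host-key
signature / certificate a real protocol uses to authenticate the exchange.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1                        # toy prime; real groups are 2048+ bits
G = 2
HOST_KEY = secrets.token_bytes(32)    # what Alice has pinned for Bob (known_hosts)
MESSAGE = b"the admin password is hunter2"   # constructed sample traffic


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_key(their_pub, my_priv):
    return hashlib.sha256(pow(their_pub, my_priv, P).to_bytes(16, "big")).digest()


def xor_crypt(key, data):
    """Toy stream cipher: SHA-256 in counter mode XORed onto the data."""
    out, block = bytearray(), b""
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def authenticate(pub):
    """Bob's proof that a DH value is his (stand-in for a host-key signature)."""
    return hmac.new(HOST_KEY, pub.to_bytes(16, "big"), "sha256").digest()


class Honest:
    """A network that just passes values through."""
    def from_alice(self, pub):
        return pub
    def from_bob(self, pub):
        return pub
    def relay(self, ciphertext):
        return None, ciphertext


class Mallory:
    """Sits on the path and swaps both sides' DH values for her own, so she
    ends up holding one key with Alice and a different one with Bob."""
    def __init__(self):
        self.priv, self.pub = dh_keypair()
        self.key_with_alice = self.key_with_bob = None
    def from_alice(self, pub):
        self.key_with_alice = shared_key(pub, self.priv)
        return self.pub
    def from_bob(self, pub):
        self.key_with_bob = shared_key(pub, self.priv)
        return self.pub
    def relay(self, ciphertext):
        plain = xor_crypt(self.key_with_alice, ciphertext)   # read (or edit) it
        return plain, xor_crypt(self.key_with_bob, plain)    # re-encrypt for Bob


def unauthenticated_session(network):
    """Plain DH. Returns (what the network read in clear, what Bob decrypted)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    bob_sees = network.from_alice(a_pub)
    alice_sees = network.from_bob(b_pub)
    k_alice = shared_key(alice_sees, a_priv)
    k_bob = shared_key(bob_sees, b_priv)
    seen, forwarded = network.relay(xor_crypt(k_alice, MESSAGE))
    return seen, xor_crypt(k_bob, forwarded)


def authenticated_session(network):
    """Same exchange, but Bob's value carries a tag Alice checks against the
    value she actually received. Returns None when Alice aborts."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    bob_sees = network.from_alice(a_pub)
    tag = authenticate(b_pub)                 # Mallory can forward it, not forge it
    alice_sees = network.from_bob(b_pub)
    if not hmac.compare_digest(authenticate(alice_sees), tag):
        return None                           # host key mismatch: refuse to continue
    k_alice = shared_key(alice_sees, a_priv)
    k_bob = shared_key(bob_sees, b_priv)
    seen, forwarded = network.relay(xor_crypt(k_alice, MESSAGE))
    return seen, xor_crypt(k_bob, forwarded)


if __name__ == "__main__":
    print("unauthenticated, Mallory read:", unauthenticated_session(Mallory())[0])
    print("authenticated, session result:", authenticated_session(Mallory()))
```

The unauthenticated run answers the “what could one do with that” question: Mallory gets the plaintext and Bob still receives a perfectly valid message, so neither end notices. The authenticated run is the “host key has changed” warning SSH prints, and the reason clicking through it is the one thing a user should never do. Real time is not the obstacle the VoIP question assumes: Mallory decrypts and re-encrypts one packet at a time, adding a few milliseconds, which is why the attack works on live streams as well as on stored data.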

Well, spending days with the family is almost always kind of interesting, no doubt. Luckily I had enough time to write a few words, thanks to all your help.

That’s where I am heading - the mysterious black hat in the background who has millions (well, maybe not that many…) of unsuspecting minions who do the work without fully understanding what they are doing, but, in case of detection, are to be blamed.
I just read the corresponding MITM Wikipedia article, but somehow fail to get the point - besides the Belkin ad, perhaps (however, I do love the term “Turing porn farm”, poor Alan). Maybe I am not devious enough - what could one do with that? Just behaving like another person, a kind of digital lookalike? I think I am confused. My knowledge of computer security is largely the result of playing Uplink a couple of years ago, where I could easily understand what one could do - like downloading or deleting some files, altering database entries and so on. But this man-in-the-middle thing… It wouldn’t work in a near-real-time environment, like VoIP, now would it? Heck, I just have to come up with an explanation how it indeed could work that way…

Now, let’s see: more and more of our telephone lines are replaced by VoIP, without being noticed … how about getting into that - if somehow I could tap ALL of that…

Please, tell me this might be possible, even if only in theory…

Is this something like those Matryoshka dolls?

IP telephony is a much different issue.

Matryoshka dolls… Yes. Great analogy.

KB, would you mind OK’ing this discussion or would you prefer that we take it into private space? While I promise not to provide detailed how-to, you may not want to be associated with this discussion.

Here I am again, hope you all missed me much. Been in a hospital for a while, courtesy of a slippery road at night, a tree - rather two, if I recall exactly - and a slightly drunken driver. There is one phrase to sum that one up, which is the very last sentence in the absolutely adorable movie “Leningrad Cowboys Go America”:

Sorry for that long break, it was neither intentional nor foreseeable and I certainly did not want to be impolite to anyone who did help me so much.

Up to now, the story is still in its early draft stage, but most of its structure is done. I hope you will allow me to ask some further questions within the next couple of days.

Zikade,

Stories are less important than you. Information is easy to come by and has many sources. People on the other hand… Impossible to find an exact replacement.

Ask any questions you want; if the answers are sensitive we can PM you directly.

Take care.