Psycho-Babble Social | for general support | Framed

ICQ/IRC privacy?

Posted by KenB on October 29, 2000, at 2:18:22

In reply to Re: What is ICQ? , posted by dj on October 29, 2000, at 1:05:55

This information, from a well-known internet security site, explains how IRC/ICQ systems are used to identify, categorize and database users. Can we suppose "hackers" are the *only* internet users being secretly databased by 24/7 bots?

________________________________________________
Here's a rather simple statement to think about: It's easier to find out information when people aren't trying to hide it from you. Hackers that aren't doing anything illegal don't try to hide their identities to the degree that hackers who are doing illegal things do. Now, here's the trick. Gather data about hackers BEFORE they start doing the "hacking". So simple it sounds unimportant, I know. Here's one example of how we at XXsite_name_deletedXX apply this principle.

Let's go back to IRC for a moment. We at XXsite_name_deletedXX have things called "bots", or programs that go on IRC to gather information for us. We got access to accounts on several different systems to place these bots on, so that the hackers don't realize that they're ours.

One of the things that these bots collect is the "hostmasks" of every user in different IRC chat channels that relate to technology and hacking. A hostmask has two parts to it, and EVERY user that goes on IRC has one. Hostmasks take the form of username@domain. So, for example, when I'm on IRC I may show up as ??@??.XXsite_name_deletedXX .net.

Now, the hacker can make the "username" whatever he wants. The domain is the name that his computer gets when it connects to the internet. When hackers are trying to hide, they'll either "spoof", or falsify, their domain, or they'll "jump", or telnet to a hacked shell account and come on IRC from there. In either case, it makes it more difficult to determine what the "true domain" of the hacker is. However, if a hacker is not trying to hide himself, he'll simply connect directly to an IRC server, and you'll be able to see his true domain in the hostmask.

So, by collecting the hostmask of every individual that goes into any of those channels, 24 hours a day, 7 days a week, we're able to keep a fairly thorough database. If a hacker breaks into a high profile site, and starts "hiding" himself on IRC, we're able to look back a month or two, and see what domain he came on from then.

Once again, this is just one of MANY possible techniques under the category of "But, I Haven't Done Anything...YET (Find It Before They Need To Hide It)". I hope that it gives you a feel for how this technique can be valuable, and gets you thinking of other ways that can be used to implement it.
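
What a passive channel log retains about each visitor, and the "look back a month or two" query the quoted text describes, as an added example that is not part of the original post or the quoted site's code. The `nick!user@host` prefix is the standard IRC form; the log layout, nicknames and hosts are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: "timestamp :nick!user@host JOIN #channel" (assumed log layout).
SAMPLE_LOG = """\
2000-08-14T21:03:11 :quartz!kq@dial-17.isp-a.example JOIN #tech
2000-08-20T02:44:50 :other!oo@cable-9.isp-b.example JOIN #tech
this line is not a JOIN record and is skipped
2000-09-02T19:20:05 :Quartz!kq@dial-17.isp-a.example JOIN #tech
2000-10-27T23:58:40 :quartz!kq@shell.host-c.example JOIN #tech
"""

JOIN_RE = re.compile(
    r"^(?P<ts>\S+) :(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) JOIN #\S+$"
)

def parse_join(line):
    """Return (timestamp, nick, 'user@host') for a JOIN line, else None."""
    m = JOIN_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    # Nicknames and host names are case-insensitive, so normalise both.
    return ts, m["nick"].lower(), f'{m["user"]}@{m["host"].lower()}'

def build_history(log_text):
    """Map nick -> {hostmask: (first_seen, last_seen)}."""
    history = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_join(line)
        if rec is None:
            continue
        ts, nick, mask = rec
        first, last = history[nick].get(mask, (ts, ts))
        history[nick][mask] = (min(first, ts), max(last, ts))
    return history

def hosts_before(history, nick, cutoff_iso):
    """Hostmasks first seen for nick before cutoff_iso, oldest first."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    seen = history.get(nick.lower(), {})
    early = [(first, mask) for mask, (first, _) in seen.items() if first < cutoff]
    return [mask for _, mask in sorted(early)]

if __name__ == "__main__":
    print(hosts_before(build_history(SAMPLE_LOG), "quartz", "2000-10-01T00:00:00"))
```

Only the username half of each record is chosen by the user; the host half is whatever address the connection came from, which is why an old record stays informative after the visitor later connects from somewhere else.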



poster:KenB thread:1772
URL: http://www.dr-bob.org/babble/social/20001011/msgs/1805.html