1

I'm curious to get an opinion on following:
If someone decides to exploit some sort of vulnerability in a web application of mine, or performs something of malicious intent, would this individual be able to stay anonymous by adopting the following procedure?

  1. attacker finds a crowded public space with Wi-Fi
  2. attacker brings a Tor Raspberry Pi, which he connects to the public Wi-Fi
  3. attacker connects attacking device and proxy through the Tor Raspberry Pi
  4. attacker steals information and trashes the Tor Raspberry Pi

Would it be possible to identify the attacker in any way post exploitation?

SeeYouInDisneyland
NowsyMe
  • The only way is to set up server(s) to track past proxies, for which you would run two hosting instances in parallel, one serving pages while the other one tracks. Also, geographically different servers on different layer 1 segments help with tracking them past any VPN used. People from the old DARPA project need to get involved to eliminate Tor, because it uses the internet in a way it wasn't designed to be used. Either that, or get rid of the SSL system entirely and go with a different system that makes server certificates with proxy connections not work. – drtechno Feb 24 '19 at 17:18
  • bandwidth usage. the getting mac address of embedded node. something like: `$mac = shell_exec("arp -a ".escapeshellarg($_SERVER['REMOTE_ADDR'])." | grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}'");` will do... – drtechno Feb 24 '19 at 17:22

1 Answer

3

Any of these tactics alone would probably be enough, unless the target is high-profile enough to lead to a serious investigation by the authorities. If your blog, or a low-profile, low-impact application, is pwned by an anonymous person (i.e. it is not immediately evident who it is), no investigation will probably happen in most jurisdictions.

A private person probably has slim to no chance of tracking down a user of e.g. a Burger King Wi-Fi at a given time, or of revealing a Tor user's identity. Remember that the NSA is spending money targeting Tor users to reveal their identities.

vidarlo
  • How can the NSA target a user if he uses the above method? I assume contacting the ISP for details would lead them nowhere? They would really have to SE him into becoming lazy and making a mistake or something. 1) would scramble the location 2) would scramble the IP 3) would scramble the device 4) would make it impossible to identify? Please correct me if I'm completely wrong, cheers. – NowsyMe Feb 24 '19 at 15:13
  • 1
    [By reading large chunks of the Internet Traffic](https://motherboard.vice.com/en_us/article/d73yd7/how-the-nsa-targets-tor-users) – vidarlo Feb 24 '19 at 15:20
  • that's an interesting article, here is another one: https://www.raconteur.net/risk-management/catching-hackers-is-not-getting-easier – NowsyMe Feb 24 '19 at 15:35
  • 1
    Basically because no-one is using the resources of NSA to go after most criminals. Doing so would publicize NSA's methods (which they do not want), and it would demand capacity. – vidarlo Feb 24 '19 at 15:39
  • I think this will change with time; more and more large organisations are working together and sharing resources, like Interpol, Europol, the NSA etc. – NowsyMe Feb 24 '19 at 15:41
  • 1
    Sure, to an extent. But it's also a question on how much resources you want to spend on a given incident, and what to do if the government of the other country doesn't care... – vidarlo Feb 24 '19 at 15:52
  • The NSA just uses 0day exploits against the browser. This can be made more difficult by using something like Whonix with hardware separation or Tails. That's why they can deanonymize a small fraction of _targeted_ Tor users but are unable to deanonymize a large portion of traffic via dragnet methods. – forest Feb 25 '19 at 02:08
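What a site owner can realistically do after the fact, given the answer above, is not identify the person but establish that the request arrived through a Tor exit, so that the event gets logged and handled accordingly (rate limits, extra logging, blocked sensitive endpoints). The Tor Project publishes the list of exit addresses as a plain text file (https://check.torproject.org/torbulkexitlist) and as a DNS-based lookup service (TorDNSEL). The script below is an added example, not code from the question, the answer or the Tor Project: it parses the bulk-list format, tags constructed access-log lines whose client address is on the list, and builds the TorDNSEL query name for an address. All addresses come from the RFC 5737 documentation ranges and are constructed, not real exits; the log lines are likewise made up.

```python
"""Tag web-server requests that came in through a Tor exit node.

Added example, not part of the original post. Assumes the Tor Project's bulk
exit list format (one IPv4 address per line, '#' starts a comment) and the
TorDNSEL convention (reversed octets under dnsel.torproject.org, answer
127.0.0.2 = exit). Sample data below is constructed from RFC 5737 ranges.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Constructed sample in the shape of https://check.torproject.org/torbulkexitlist
SAMPLE_EXIT_LIST = """\
# constructed sample: documentation addresses, not real Tor exits
198.51.100.7
198.51.100.23   # trailing comments are tolerated by the parser
203.0.113.99
not-an-address
"""

# Constructed Common Log Format lines; the client address is the first field.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [24/Feb/2019:15:13:00 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.23 - - [24/Feb/2019:15:13:02 +0000] "POST /login HTTP/1.1" 401 0',
    '203.0.113.99 - - [24/Feb/2019:15:13:05 +0000] "GET /admin HTTP/1.1" 403 0',
]

CLF_REMOTE = re.compile(r"^(\S+) ")


def parse_exit_list(text: str) -> Set[ipaddress.IPv4Address]:
    """Return the set of exit addresses, skipping blanks, comments and junk lines."""
    exits: Set[ipaddress.IPv4Address] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            exits.add(ipaddress.IPv4Address(line))
        except ValueError:
            continue  # malformed entry: ignore it rather than abort the whole load
    return exits


def is_tor_exit(addr: str, exits: Set[ipaddress.IPv4Address]) -> bool:
    """True if addr is on the exit list; unparsable input is treated as 'not Tor'."""
    try:
        return ipaddress.IPv4Address(addr) in exits
    except ValueError:
        return False


def tordnsel_query_name(addr: str) -> str:
    """Name to resolve for a live TorDNSEL check (no network access is done here).

    An A record of 127.0.0.2 means 'known exit'; NXDOMAIN means 'not a known exit'.
    """
    ip = ipaddress.IPv4Address(addr)
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.dnsel.torproject.org"


def tag_log_lines(lines: Iterable[str],
                  exits: Set[ipaddress.IPv4Address]) -> List[Dict[str, object]]:
    """Attach the client address and a tor_exit flag to each CLF line."""
    tagged: List[Dict[str, object]] = []
    for line in lines:
        m = CLF_REMOTE.match(line)
        remote = m.group(1) if m else ""
        tagged.append({"remote": remote,
                       "tor_exit": is_tor_exit(remote, exits),
                       "line": line})
    return tagged


if __name__ == "__main__":
    known_exits = parse_exit_list(SAMPLE_EXIT_LIST)
    for entry in tag_log_lines(SAMPLE_ACCESS_LOG, known_exits):
        print("TOR " if entry["tor_exit"] else "    ", entry["line"])
```

Two caveats a practitioner should keep in mind: the match tells you which exit relay the attacker's circuit left through, which is a volunteer-run machine with no relation to the attacker's location, so it is a classification signal and not an identity; and the list only contains exits that can reach your service at the time it was fetched, so it lags relay churn and a stale copy produces false negatives. If your application sits behind a reverse proxy, the address to check is the one the proxy reports as the client, not the proxy's own.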