Computer Security - Tracing computers via AOL?

 
Old 11-27-2003, 01:51 PM   #1
Tracing computers via AOL?


It's early and I haven't had my coffee yet, but I thought this would be
an interesting subject I'd like to discuss.

The other day I read about a theft of a laptop from Wells Fargo that
contained sensitive information. This morning I read a follow-up that
stated the individual involved was arrested after investigators were
able to locate the computer after the individual signed onto AOL. Now
here's the paragraph that caused me to stop and think. How?

"Investigators traced the computer to Krastof when he logged onto his
own America Online account at home through one of the stolen computers,
White said. That enabled authorities to connect the computer's Internet
Protocol address, a number that identifies a computer on the Internet,
to Krastof's home address through his AOL account, White said."

Hmmm? Is there something missing from that paragraph? Yes. We know IP
addresses are unique and yes we know ISP records will show allocation, etc.
But how did investigators know to look for this specific computer
amongst the tens of millions that sign onto AOL every day? And even
then what was so identifiable about this specific computer once it
established a connection to AOL? The only methods that come to mind
(note: still drinking first cup) of identifying the computer amongst any
other would be if:

A. There was some sort of 'phone home' utility installed, or

B. The individual tried to sign on with the user account of the owner of
the laptop, thus identifying himself to AOL.

Any other ideas?

--
Best regards,
Don Kelloway
Commodon Communications

Visit http://www.commodon.com to learn about the "Threats to Your
Security on the Internet".




Don Kelloway
Old 11-27-2003, 02:05 PM   #2
Leythos
Re: Tracing computers via AOL?

In article <Fjnxb.23907$ k.net>,
says...
> It's early and I haven't had my coffee yet, but I thought this would be
> an interesting subject I'd like to discuss.
>
> The other day I read about a theft of a laptop from Wells Fargo that
> contained sensitive information. This morning I read a follow-up that
> stated the individual involved was arrested after investigators were
> able to locate the computer after the individual signed onto AOL. Now
> here's the paragraph that caused me to stop and think. How?
>
> "Investigators traced the computer to Krastof when he logged onto his
> own America Online account at home through one of the stolen computers,
> White said. That enabled authorities to connect the computer's Internet
> Protocol address, a number that identifies a computer on the Internet,
> to Krastof's home address through his AOL account, White said."
>
> Hmmm? Is there something missing from that paragraph? Yes. We know IP
> addresses are unique and yes we know ISP records will show allocation, etc.
> But how did investigators know to look for this specific computer
> amongst the tens of millions that sign onto AOL every day? And even
> then what was so identifiable about this specific computer once it
> established a connection to AOL? The only methods that come to mind
> (note: still drinking first cup) of identifying the computer amongst any
> other would be if:
>
> A. There was some sort of 'phone home' utility installed, or
>
> B. The individual tried to sign on with the user account of the owner of
> the laptop, thus identifying himself to AOL.
>
> Any other ideas?


The MAC address of the network card is unique - if he connected to the
ISP they would know the MAC address.

There are also other apps that could be running and alert the owner and
then the owner could contact the ISP. Even a simple PING from the laptop
to the owner's monitoring system would give the IP.

--
--

(Remove 999 to reply to me)
Old 11-27-2003, 04:09 PM   #3
Hairy One Kenobi
Re: Tracing computers via AOL?


"Leythos" <> wrote in message
news:...
> In article <Fjnxb.23907$ k.net>,
> says...
> > It's early and I haven't had my coffee yet, but I thought this would be
> > an interesting subject I'd like to discuss.
> >
> > The other day I read about a theft of a laptop from Wells Fargo that
> > contained sensitive information. This morning I read a follow-up that
> > stated the individual involved was arrested after investigators were
> > able to locate the computer after the individual signed onto AOL. Now
> > here's the paragraph that caused me to stop and think. How?
> >
> > "Investigators traced the computer to Krastof when he logged onto his
> > own America Online account at home through one of the stolen computers,
> > White said. That enabled authorities to connect the computer's Internet
> > Protocol address, a number that identifies a computer on the Internet,
> > to Krastof's home address through his AOL account, White said."
> >
> > Hmmm? Is there something missing from that paragraph? Yes. We know IP
> > addresses are unique and yes we know ISP records will show allocation, etc.
> > But how did investigators know to look for this specific computer
> > amongst the tens of millions that sign onto AOL every day? And even
> > then what was so identifiable about this specific computer once it
> > established a connection to AOL? The only methods that come to mind
> > (note: still drinking first cup) of identifying the computer amongst any
> > other would be if:
> >
> > A. There was some sort of 'phone home' utility installed, or
> >
> > B. The individual tried to sign on with the user account of the owner of
> > the laptop, thus identifying himself to AOL.
> >
> > Any other ideas?

>
> The MAC address of the network card is unique - if he connected to the
> ISP they would know the MAC address.


My guess would be the "phone home" approach - get a notification, read the
IP, hit WHOIS, then get onto the ISP.

Either specific software (my guess, and something about which Wells Fargo
would be understandably twitchy in providing details) or something
"silly" like an auto-running IM client.

MAC addresses are not preserved across intelligent devices, e.g. routers.

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!


Old 11-27-2003, 05:45 PM   #4
*Vanguard*
Re: Tracing computers via AOL?

Don Kelloway wrote:
> It's early and I haven't had my coffee yet, but I thought this would be
> an interesting subject I'd like to discuss.
>
> The other day I read about a theft of a laptop from Wells Fargo that
> contained sensitive information. This morning I read a follow-up that
> stated the individual involved was arrested after investigators were
> able to locate the computer after the individual signed onto AOL. Now
> here's the paragraph that caused me to stop and think. How?
>
> "Investigators traced the computer to Krastof when he logged onto his
> own America Online account at home through one of the stolen
> computers, White said. That enabled authorities to connect the
> computer's Internet Protocol address, a number that identifies a
> computer on the Internet, to Krastof's home address through his AOL
> account, White said."
>
> Hmmm? Is there something missing from that paragraph? Yes. We know
> IP addresses are unique and yes we know ISP records will show allocation,
> etc. But how did investigators know to look for this specific computer
> amongst the tens of millions that sign onto AOL every day? And even
> then what was so identifiable about this specific computer once it
> established a connection to AOL? The only methods that come to mind
> (note: still drinking first cup) of identifying the computer amongst
> any other would be if:
>
> A. There was some sort of 'phone home' utility installed, or
>
> B. The individual tried to sign on with the user account of the owner
> of the laptop, thus identifying himself to AOL.
>
> Any other ideas?


There are programs (see http://www.stolenlaptop.com/ although there are
LOTS of these types of products) that will report on the computer the
next time it logs on the Internet. I don't know how well it works with
firewalls, though. If the thief purges all application firewall rules
for an existing software firewall or installs one, and when zTrace
attempts to make a connection, then a popup will alert the thief that
zTrace is requesting a connection and the thief can "just say no".
Obviously software protection requires that the thief doesn't reformat
the drive (i.e., they want the hardware and not the software and data).
If they want the unencrypted data, they certainly don't need an Internet
connection to access it; just don't connect the NIC (i.e., use it
offline). I don't know if the software anti-theft products will also
guard the access of all files on the hard drives so disabling it from
running, its uninstallation, or its reinstall would bar access to the
protected files; i.e., it must be running to allow access, if
uninstalled then access is denied, and if reinstalled then the
randomly-generated fingerprint on install doesn't match the one used by
the prior install. This would add some overhead (delay) on opening
files.

Some users leave the serial number enabled (for Intel CPUs). An ActiveX
control (if you allow it to download and install unless you're stupid
enough to leave the option enabled to download AX without prompt) can be
used to interrogate the CPU's serial number and then report that back
when an Internet connection is made. Tis easy 'nuff to find out who was logged
in using that IP address at that time through that ISP (provided you get
cooperation from the ISP or a court order). Just check the connect
logfiles. I don't know if AOL downloads such an AX control or if they
include it in their software, but tis easy 'nuff to get the CPU serial
number - if it wasn't disabled in the BIOS (and if the CPU was an
Intel). But that also requires the owner actually record the CPU serial
number so they know what number to report to the police. How many have
the CPU serial number enabled in their BIOS (if an option)? Of those,
how many have recorded the CPU serial number?

It's usually not the hardware that is most important to a company when a
laptop gets stolen. It's the data. The user should be synchronizing
the data regularly to prevent a minimal loss, or the important data
should be online or on the company's hosts (and the user uses the files
there). They should also be encrypting it, especially for mobile
computers, using EFS in NT-based Windows or a 3rd party product to
provide encryption.

The MAC probably cannot be seen past the user's intranet so it probably
isn't query-able past the modem or router. I know I can use the
"arp -a" command to get the MAC address of any host to which I connect
but that's only for hosts on my intranet. I certainly don't get to see
the MAC address of hosts outside my intranet. Do an "arp -a", then
"telnet ftp.microsoft.com 21", and then redo "arp -a" and you won't see
Microsoft's MAC address added. I don't have enough info on ARP to know
if it's not a routable protocol or what limits its scope. At a certain
point, the MAC won't be available and just TCP/IP is involved. When
talking to my ISP's tech reps, even they don't know my MAC address based
on any connections to their hosts. They need to query their cable modem
to see what it got as the MAC address of the host connected to it but
that could be a router! You can define any MAC address you want in the
router (i.e., you don't need to clone it from a host's NIC), so the MAC
address of any computer on the LAN side of the router is unreachable.
The only MAC address the cable modem can get is the one in the router,
and that's configurable.

Being able to track the thief doesn't mean you (via the police) get to
nab them. Could be they are in a different country, like the one you
travelled to. Could be there is no reciprocity (for law) between your
country and theirs. Could be the theft is too small for the authorities
to care about (I think the FBI has a minimum loss value of $25,000).
Sounds like the best bet is to insure it, use a secure version of the OS
(and use *strong* passwords, rename the Administrator account, etc.),
encrypt any sensitive local data, require critical data be retained on
online servers (online data storage or back on your company's network
hosts), and collect the insurance when it gets stolen (be sure to
include "replacement value" so you don't collect on just depreciated
value).

Rather than get the unit back, I'd like the Mission Impossible gear.
When stolen, send a signal using satellites that will fry the computer's
components when it next gets turned on and can receive the signal.
Having it explode would not be acceptable; you don't kill or maim just
because of property theft and there could be nearby innocents. Of
course, rather than frying the gear, just have it permanently disabled
so it becomes unusable until a secret code gets entered, all of which
has to be handled in hardware and not by software. Not all components
would need this feature; just the motherboard would be sufficient.
Actually, to some degree, there is already some of this functionality: the
BIOS password. But that would only be a secure option if there was no
way to clear the CMOS copy of the BIOS tables or the password was never
stored in the CMOS and always came from the EEPROM used to record the
BIOS. The BIOS chips would also have to be soldered and not socketed.
I suppose you could use a solder iron and remove the pins for the 2-pin
jumper header used to clear CMOS, but the pads would still be there that
you could short across. The BIOS would also have to support long and
strong passwords. Then when the laptop got stolen, the thief would have
a hard time trying to boot it up. He could cannibalize it for parts,
like yanking out the hard drive (though remember that you should be
encrypting sensitive data for mobile computers and using a secure OS
with strong passwords), but that's not why the laptop got stolen.
Having to replace the motherboard would make it too costly to steal a
laptop. However, if YOU (the owner) ever forgot the hardened BIOS
password then you, too, cannot use the laptop. Either it's secure or
it's easy. Security and ease-of-use are often dipolar. Just putting a
bright sticker on the laptop that says, "Hardware is password protected
and cannot be cleared or disabled" might work (but, of course, actually
having that claim backed up by the hardware would be far better). Won't
stop employee theft (i.e., the one that got permission to use the unit
and pretends it got stolen).

As a warning, if you aren't using EFS (encrypted file system) already
provided by Windows 2000/XP then your data is at risk from theft.
Assigning permissions by account is NOT secure. Permissions are based
on the SID for the account. Yank the drive out, put it into another
computer (even if running the same OS) as a "data" drive (i.e., don't
boot from it), and all those permissions are gone. That SID was not
created by that other instance of the OS which won't know how to apply
permissions to those unknown SIDs. It behooves you when using EFS to
export the security certificate onto floppy or CD so you can recover a
system or move a drive and still retain access to the EFS-protected
file. You need to use NTFS to have EFS available.

--
____________________________________________________________
*** Post replies to newsgroup. E-mail is not accepted. ***
____________________________________________________________



Old 11-27-2003, 06:18 PM   #5
Hairy One Kenobi
Re: Tracing computers via AOL?


"*Vanguard*" <no-> wrote in message
news:3Lqxb.325116$Tr4.998754@attbi_s03...
> Don Kelloway wrote:


<snip & digress>

> I don't have enough info on ARP to know
> if it's not a routable protocol or what limits its scope. At a certain
> point, the MAC won't be available and just TCP/IP is involved. When
> talking to my ISP's tech reps, even they don't know my MAC address based
> on any connections to their hosts.


ARP ("Address Resolution Protocol") is used to determine a MAC address,
given a request for an IP address. It is used between router and client
(sort of "not routable by design").

A decent router also has a significant amount of cache (to remove the
transmission delay that an ARP broadcast would cause), but can still be set
up badly (e.g. NTL in the UK).

H1K


Old 11-28-2003, 04:18 AM   #6
Don Kelloway
Re: Tracing computers via AOL?


"Leythos" <> wrote in message
news:...
>
> The MAC address of the network card is unique - if he connected to the
> ISP they would know the MAC address.
>
> There are also other apps that could be running and alert the owner and
> then the owner could contact the ISP. Even a simple PING from the laptop
> to the owner's monitoring system would give the IP.
>


Thanks for replying,

re: MAC
Sure it's unique, but it's not passed because of routers in between.

re: other apps
This was the only viable thing I can think of and is what I was
referring to about 'phoning home'.

Best regards,
Don Kelloway


Old 11-28-2003, 10:19 AM   #7
Leythos
Re: Tracing computers via AOL?

In article <Q0Axb.27198$ k.net>,
says...
>
> "Leythos" <> wrote in message
> news:...
> >
> > The MAC address of the network card is unique - if he connected to the
> > ISP they would know the MAC address.
> >
> > There are also other apps that could be running and alert the owner and
> > then the owner could contact the ISP. Even a simple PING from the laptop
> > to the owner's monitoring system would give the IP.
> >
>
> Thanks for replying,
>
> re: MAC
> Sure it's unique, but it's not passed because of routers in between.


If you monitor traffic in the switch or via DHCP requests you can see
the MAC.

>
> re: other apps
> This was the only viable thing I can think of and is what I was
> referring to about 'phoning home'.
>
> Best regards,
> Don Kelloway
>
>
>


--
--

(Remove 999 to reply to me)
Old 11-28-2003, 10:58 AM   #8
Hairy One Kenobi
Re: Tracing computers via AOL?

"Leythos" <> wrote in message
news:...
> In article <Q0Axb.27198$ k.net>,
> says...
> >
> > "Leythos" <> wrote in message
> > news:...
> > >
> > > The MAC address of the network card is unique - if he connected to the
> > > ISP they would know the MAC address.
> > >
> > > There are also other apps that could be running and alert the owner and
> > > then the owner could contact the ISP. Even a simple PING from the laptop
> > > to the owner's monitoring system would give the IP.
> > >
> >
> > Thanks for replying,
> >
> > re: MAC
> > Sure it's unique, but it's not passed because of routers in between.

>
> If you monitor traffic in the switch or via DHCP requests you can see
> the MAC.


...and if you monitor it after *any* router, you see a different one. As a
test, I did a traceroute to their web server (different from address pool, I
know, but it'll serve as an example).

17 router hops, which means 17 different MAC addresses. In addition to the
actual client device (which doesn't even get out of the LAN, given that I'm
also using routers at the DMZ and interface)

Given the context of what we're talking about (tracing a laptop from further
away than the ISP's switch room), the MAC address isn't that useful.

H1K


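Vanguard's "arp -a" test (post #4), Hairy One Kenobi's description of ARP as not routable by design (post #5) and his 17-hop traceroute (post #8) are all making one point. The Python below is an added illustration of that point, not code written by anyone in the thread: it performs the on-link test a sender makes before ARP (resolve the destination directly, or resolve only the default gateway), then walks a frame hop by hop to show that every router rewrites the Ethernet addresses, so the laptop's MAC never appears beyond its first link and a 17-hop path means 17 different next-hop MACs. All addresses, names and the hop count are constructed sample values.

```python
"""Why a remote host never sees a laptop's MAC address.

Added example, not from the thread. It models two things the posters
describe: ARP only resolves on-link addresses (the sender ARPs for its
default gateway when the destination is off-subnet), and every router
on the path rewrites the Ethernet source/destination MACs, so a 17-hop
traceroute means 17 different next-hop MACs and the client's MAC never
leaves its own LAN. All addresses below are constructed sample values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    ip: str        # the sender's own address (constructed)
    prefix: str    # the sender's subnet in CIDR form
    mac: str       # the sender's NIC hardware address
    gateway: str   # default router, on the same subnet


@dataclass(frozen=True)
class Router:
    ingress_mac: str   # MAC of the interface facing the previous hop
    egress_mac: str    # MAC of the interface facing the next hop


def next_hop(iface: Interface, dest: str) -> str:
    """Return the IP the sender will ARP for in order to reach dest.

    This is the on-link test an IP stack performs before ARP: if the
    destination is inside the sender's subnet it is resolved directly,
    otherwise only the default gateway is ever resolved.
    """
    net = ipaddress.ip_network(iface.prefix, strict=False)
    if ipaddress.ip_address(dest) in net:
        return dest
    return iface.gateway


def frames_along_path(client_mac: str, routers: list[Router],
                      server_mac: str) -> list[tuple[str, str]]:
    """Return the (source MAC, destination MAC) pair of the frame on each
    link from the client to the server. The IP header is untouched at each
    hop; only the Ethernet header is rewritten, which is what this shows."""
    frames = []
    src = client_mac
    for router in routers:
        frames.append((src, router.ingress_mac))   # frame arrives at this router
        src = router.egress_mac                    # it re-sends with its own MAC
    frames.append((src, server_mac))               # last link onto the server's LAN
    return frames


def client_mac_seen_beyond_lan(client_mac: str,
                               frames: list[tuple[str, str]]) -> bool:
    """True if the client's MAC appears in any frame after the first link."""
    return any(client_mac in frame for frame in frames[1:])


def distinct_next_hop_macs(frames: list[tuple[str, str]]) -> int:
    """How many different destination MACs a capture on every link would see."""
    return len({dst for _, dst in frames})


# Constructed sample topology: a home LAN, 17 routers (the hop count in the
# thread's traceroute), and the destination server.
LAPTOP = Interface(ip="192.168.1.23", prefix="192.168.1.0/24",
                   mac="00:11:22:33:44:55", gateway="192.168.1.1")
PATH = [Router(ingress_mac=f"02:00:00:00:{n:02x}:a0",
               egress_mac=f"02:00:00:00:{n:02x}:b0") for n in range(1, 18)]
SERVER_MAC = "02:ff:ff:ff:ff:01"
ON_LINK_HOST = "192.168.1.50"      # another host on the same LAN
OFF_LINK_HOST = "203.0.113.10"     # a public address from the documentation range


if __name__ == "__main__":
    print("ARP target for", ON_LINK_HOST, "->", next_hop(LAPTOP, ON_LINK_HOST))
    print("ARP target for", OFF_LINK_HOST, "->", next_hop(LAPTOP, OFF_LINK_HOST))
    path_frames = frames_along_path(LAPTOP.mac, PATH, SERVER_MAC)
    print("links traversed:", len(path_frames))
    print("distinct next-hop MACs:", distinct_next_hop_macs(path_frames))
    print("laptop MAC visible beyond its LAN:",
          client_mac_seen_beyond_lan(LAPTOP.mac, path_frames))
```

The same reasoning is why "arp -a" after a telnet to a distant host only adds the gateway's entry: the stack never asked for the distant host's MAC, and nothing past the first router could have answered if it had.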
Old 11-28-2003, 08:10 PM   #9
n1pop@hotmail.com
Re: Tracing computers via AOL?

If I'm not mistaken, the MAC is generic for RAS/PPP connections.
Old 11-29-2003, 06:32 PM   #10
Don Kelloway
Re: Tracing computers via AOL?

"Leythos" <> wrote in message
news:...
> In article <Q0Axb.27198$ k.net>,
> says...
> >
> > "Leythos" <> wrote in message
> > news:...
> > >
> > > The MAC address of the network card is unique - if he connected to the
> > > ISP they would know the MAC address.
> > >
> > > There are also other apps that could be running and alert the owner and
> > > then the owner could contact the ISP. Even a simple PING from the laptop
> > > to the owner's monitoring system would give the IP.
> > >
> >
> > Thanks for replying,
> >
> > re: MAC
> > Sure it's unique, but it's not passed because of routers in between.

>
> If you monitor traffic in the switch or via DHCP requests you can see
> the MAC.
>


Only if you conduct the sniff within the same subnet will you be able to
ascertain the MAC. Though I do concur that it could be possible for AOL
to have configured their servers (which assign IPs in the 172.x.y.z
range over their tunnel) to sound off if a particular MAC were logged.

Hmmm, I suppose they could have done that. IOW with knowing the MAC in
advance, configure their servers to alarm when it's seen and allocated
an IP (for their tunnel) to. Of course the gamble is that the
individual involved would have to attempt to logon to AOL with the
laptop.

Best regards,
Don Kelloway


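Leythos's note that a DHCP server sees the MAC (post #7) and Don's idea of having AOL's allocation servers "sound off" when a watchlisted MAC is handed an IP (post #10) describe a watchlist match over allocation logs. The Python below is an added example, not code from anyone in the thread: it normalises the common MAC spellings, scans constructed DHCPACK log lines for a watchlist entry, and returns the time and IP allocated to it, which is the pair an ISP would need to map back to an account. The log format, the MACs and the IPs are constructed sample values. The check only works where the logging device shares a segment with the laptop (H1K's point about routers and n1pop's point about PPP links both apply), and a MAC can be changed by whoever holds the device, so a hit is a lead rather than proof.

```python
"""Watchlist match over DHCP allocation logs.

Added example, not from the thread. It shows the alarm Don describes:
an allocation server that holds a known MAC on a watchlist reports the
time and IP it handed to that MAC. Log format, MACs and addresses are
constructed sample values, not any real server's output.
"""
import re

# Matches a dhcpd-style acknowledgement line (constructed format):
# "<date> <time> DHCPACK on <ip> to <mac> via <interface>"
DHCPACK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>[0-9A-Fa-f][0-9A-Fa-f:.\-]{10,16})\b"
)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, accepting 00-11-22-33-44-55,
    0011.2233.4455 and 001122334455 as well. Raises on anything else,
    so a typo in the watchlist fails loudly instead of never matching."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_watchlist_hits(log_lines, watchlist):
    """Return one record per DHCPACK whose MAC is on the watchlist.

    Only ACK lines count: a DISCOVER or OFFER shows the MAC but no address
    has been committed yet, and the committed IP is what an ISP needs to
    map back to an account. Lines that do not parse are skipped silently.
    """
    wanted = {normalize_mac(m) for m in watchlist}
    hits = []
    for line in log_lines:
        m = DHCPACK_RE.match(line)
        if m is None:
            continue
        mac = normalize_mac(m["mac"])
        if mac in wanted:
            hits.append({"time": m["ts"], "ip": m["ip"], "mac": mac})
    return hits


# Constructed sample log: the watchlisted MAC appears in two spellings and
# once in a DISCOVER that must not be reported.
SAMPLE_LOG = [
    "2003-11-27 08:41:02 DHCPACK on 172.16.4.77 to 00:11:22:33:44:55 via eth1",
    "2003-11-27 08:41:09 DHCPACK on 172.16.4.78 to 00:0c:29:aa:bb:cc via eth1",
    "2003-11-27 08:42:30 DHCPDISCOVER from 00-11-22-33-44-55 via eth1",
    "2003-11-27 09:15:44 DHCPACK on 172.16.9.12 to 00-11-22-33-44-55 via eth2",
    "garbage line that should simply be ignored",
]
WATCHLIST = ["00-11-22-33-44-55"]   # the stolen unit's NIC, as recorded by its owner


if __name__ == "__main__":
    for hit in find_watchlist_hits(SAMPLE_LOG, WATCHLIST):
        print(f"{hit['time']}  {hit['mac']} was allocated {hit['ip']}")
```

The watchlist is keyed on the normalised form so that an owner's inventory record in one spelling still matches a server that logs another; the same normalisation is worth applying to whatever address the owner recorded before the theft, since a mismatched format is the most common reason such an alarm never fires.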