Tracing computers via AOL?

Discussion in 'Computer Security' started by Don Kelloway, Nov 27, 2003.

  1. Don Kelloway Guest

    It's early and I haven't had my coffee yet, but I thought this would be
    an interesting subject I'd like to discuss.

    The other day I read about a theft of a laptop from Wells Fargo that
    contained sensitive information. This morning I read a follow-up that
    stated the individual involved was arrested after investigators were
    able to locate the computer after the individual signed onto AOL. Now
    here's the paragraph that caused me to stop and think. How?

    "Investigators traced the computer to Krastof when he logged onto his
    own America Online account at home through one of the stolen computers,
    White said. That enabled authorities to connect the computer's Internet
    Protocol address, a number that identifies a computer on the Internet,
    to Krastof's home address through his AOL account, White said."

    Hmmm? Is there something missing from that paragraph? Yes. We know IP
    addresses are unique and yes we know ISP records will allocation, etc.
    But how did investigators know to look for this specific computer
    amongst the tens of millions that sign onto AOL every day? And even
    then what was so identifiable about this specific computer once it
    established a connection to AOL? The only methods that come to mind
    (note: still drinking first cup) of identifying the computer amongst any
    other would be if:

    A. There was some sort of 'phone home' utility installed, or

    B. The individual tried to sign on with the user account of the owner of
    the laptop, thus identifying himself to AOL.

    Any other ideas?

    --
    Best regards,
    Don Kelloway
    Commodon Communications

    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
    Don Kelloway, Nov 27, 2003
    #1

  2. Leythos Guest

    In article <Fjnxb.23907$>,
    says...
    > It's early and I haven't had my coffee yet, but I thought this would be
    > an interesting subject I'd like to discuss.
    >
    > The other day I read about a theft of a laptop from Wells Fargo that
    > contained sensitive information. This morning I read a follow-up that
    > stated the individual involved was arrested after investigators were
    > able to locate the computer after the individual signed onto AOL. Now
    > here's the paragraph that caused me to stop and think. How?
    >
    > "Investigators traced the computer to Krastof when he logged onto his
    > own America Online account at home through one of the stolen computers,
    > White said. That enabled authorities to connect the computer's Internet
    > Protocol address, a number that identifies a computer on the Internet,
    > to Krastof's home address through his AOL account, White said."
    >
    > Hmmm? Is there something missing from that paragraph? Yes. We know IP
    > addresses are unique and yes we know ISP records will allocation, etc.
    > But how did investigators know to look for this specific computer
    > amongst the tens of millions that sign onto AOL every day? And even
    > then what was so identifiable about this specific computer once it
    > established a connection to AOL? The only methods that come to mind
    > (note: still drinking first cup) of identifying the computer amongst any
    > other would be if:
    >
    > A. There was some sort of 'phone home' utility installed, or
    >
    > B. The individual tried to sign on with the user account of the owner of
    > the laptop, thus identifying himself to AOL.
    >
    > Any other ideas?


    The MAC address of the network card is unique - if he connected to the
    ISP they would know the MAC address.

    There are also other apps that could be running and alert the owner and
    then the owner could contact the ISP. Even a simple PING from the laptop
    to the owner's monitoring system would give the IP.

    --

    (Remove 999 to reply to me)
    Leythos, Nov 27, 2003
    #2

  3. "Leythos" <> wrote in message
    news:...
    > In article <Fjnxb.23907$>,
    > says...
    > > It's early and I haven't had my coffee yet, but I thought this would be
    > > an interesting subject I'd like to discuss.
    > >
    > > The other day I read about a theft of a laptop from Wells Fargo that
    > > contained sensitive information. This morning I read a follow-up that
    > > stated the individual involved was arrested after investigators were
    > > able to locate the computer after the individual signed onto AOL. Now
    > > here's the paragraph that caused me to stop and think. How?
    > >
    > > "Investigators traced the computer to Krastof when he logged onto his
    > > own America Online account at home through one of the stolen computers,
    > > White said. That enabled authorities to connect the computer's Internet
    > > Protocol address, a number that identifies a computer on the Internet,
    > > to Krastof's home address through his AOL account, White said."
    > >
    > > Hmmm? Is there something missing from that paragraph? Yes. We know IP
    > > addresses are unique and yes we know ISP records will allocation, etc.
    > > But how did investigators know to look for this specific computer
    > > amongst the tens of millions that sign onto AOL every day? And even
    > > then what was so identifiable about this specific computer once it
    > > established a connection to AOL? The only methods that come to mind
    > > (note: still drinking first cup) of identifying the computer amongst any
    > > other would be if:
    > >
    > > A. There was some sort of 'phone home' utility installed, or
    > >
    > > B. The individual tried to sign on with the user account of the owner of
    > > the laptop, thus identifying himself to AOL.
    > >
    > > Any other ideas?

    >
    > The MAC address of the network card is unique - if he connected to the
    > ISP they would know the MAC address.


    My guess would be the "phone home" approach - get a notification, read the
    IP, hit WHOIS, then get onto the ISP.

    Either specific software (my guess, and something Wells Fargo would be
    understandably twitchy about providing details of) or something
    "silly" like an auto-running IM client.

    MAC addresses are not preserved across intelligent devices, e.g. routers.

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
    Hairy One Kenobi, Nov 27, 2003
    #3
  4. *Vanguard* Guest

    Don Kelloway wrote:
    > It's early and I haven't had my coffee yet, but I thought this would be
    > an interesting subject I'd like to discuss.
    >
    > The other day I read about a theft of a laptop from Wells Fargo that
    > contained sensitive information. This morning I read a follow-up that
    > stated the individual involved was arrested after investigators were
    > able to locate the computer after the individual signed onto AOL. Now
    > here's the paragraph that caused me to stop and think. How?
    >
    > "Investigators traced the computer to Krastof when he logged onto his
    > own America Online account at home through one of the stolen
    > computers, White said. That enabled authorities to connect the
    > computer's Internet Protocol address, a number that identifies a
    > computer on the Internet, to Krastof's home address through his AOL
    > account, White said."
    >
    > Hmmm? Is there something missing from that paragraph? Yes. We know
    > IP addresses are unique and yes we know ISP records will allocation,
    > etc. But how did investigators know to look for this specific computer
    > amongst the tens of millions that sign onto AOL every day? And even
    > then what was so identifiable about this specific computer once it
    > established a connection to AOL? The only methods that come to mind
    > (note: still drinking first cup) of identifying the computer amongst
    > any other would be if:
    >
    > A. There was some sort of 'phone home' utility installed, or
    >
    > B. The individual tried to sign on with the user account of the owner
    > of the laptop, thus identifying himself to AOL.
    >
    > Any other ideas?


    There are programs (see http://www.stolenlaptop.com/ although there are
    LOTS of these type of products) that will report on the computer the
    next time it logs on the Internet. I don't know how well it works with
    firewalls, though. If the thief purges all application firewall rules
    for an existing software firewall or installs one, and when zTrace
    attempts to make a connection, then a popup will alert the thief that
    zTrace is requesting a connection and the thief can "just say no".
    Obviously software protection requires that the thief doesn't reformat
    the drive (i.e., they want the hardware and not the software and data).
    If they want the unencrypted data, they certainly don't need an Internet
    connection to access it; just don't connect the NIC (i.e., use it
    offline). I don't know if the software anti-theft products will also
    guard the access of all files on the hard drives so disabling it from
    running, its uninstallation, or its reinstall would bar access to the
    protected files; i.e., it must be running to allow access, if
    uninstalled then access is denied, and if reinstalled then the
    randomly-generated fingerprint on install doesn't match the one used by
    the prior install. This would add some overhead (delay) on opening
    files.

    Some users leave the serial number enabled (for Intel CPUs). An ActiveX
    control (if you allow it to download and install unless you're stupid
    enough to leave the option enabled to download AX without prompt) can be
    used to interrogate the CPU's serial number and then report that back
    when an Internet connection is made. Tis easy 'nuff to find out who was
    logged in using that IP address at that time through that ISP (provided
    you get cooperation from the ISP or a court order). Just check the connect
    logfiles. I don't know if AOL downloads such an AX control or if they
    include it in their software, but tis easy 'nuff to get the CPU serial
    number - if it wasn't disabled in the BIOS (and if the CPU was an
    Intel). But that also requires the owner actually record the CPU serial
    number so they know what number to report to the police. How many have
    the CPU serial number enabled in their BIOS (if an option)? Of those,
    how many have recorded the CPU serial number?

    It's usually not the hardware that is most important to a company when a
    laptop gets stolen. It's the data. The user should be synchronizing
    the data regularly to prevent a minimal loss, or the important data
    should be online or on the company's hosts (and the user uses the files
    there). They should also be encrypting it, especially for mobile
    computers, using EFS in NT-based Windows or a 3rd party product to
    provide encryption.

    The MAC probably cannot be seen past the user's intranet so it probably
    isn't query-able past the modem or router. I know I can use the
    "arp -a" command to get the MAC address of any host to which I connect
    but that's only for hosts on my intranet. I certainly don't get to see
    the MAC address of hosts outside my intranet. Do an "arp -a", then
    "telnet ftp.microsoft.com 21", and then redo "arp -a" and you won't see
    Microsoft's MAC address added. I don't have enough info on ARP to know
    if it's not a routable protocol or what limits its scope. At a certain
    point, the MAC won't be available and just TCP/IP is involved. When
    talking to my ISP's tech reps, even they don't know my MAC address based
    on any connections to their hosts. They need to query their cable modem
    to see what it got as the MAC address of the host connected to it but
    that could be a router! You can define any MAC address you want in the
    router (i.e., you don't need to clone it from a host's NIC), so the MAC
    address of any computer on the LAN side of the router is unreachable.
    The only MAC address the cable modem can get is the one in the router,
    and that's configurable.

    Being able to track the thief doesn't mean you (via the police) get to
    nab them. Could be they are in a different country, like the one you
    travelled to. Could be there is no reciprocity (for law) between your
    country and theirs. Could be the theft is too small for the authorities
    to care about (I think the FBI has a minimum loss value of $25,000).
    Sounds like the best bet is to insure it, use a secure version of the OS
    (and use *strong* passwords, rename the Administrator account, etc.),
    encrypt any sensitive local data, require critical data be retained on
    online servers (online data storage or back on your company's network
    hosts), and collect the insurance when it gets stolen (be sure to
    include "replacement value" so you don't collect on just depreciated
    value).

    Rather than get the unit back, I'd like the Mission Impossible gear.
    When stolen, send a signal using satellites that will fry the computer's
    components when it next gets turned on and can receive the signal.
    Having it explode would not be acceptable; you don't kill or maim just
    because of property theft and there could be nearby innocents. Of
    course, rather than frying the gear, just have it permanently disabled
    so it becomes unusable until a secret code gets entered, all of which
    has to be handled in hardware and not by software. Not all components
    would need this feature; just the motherboard would be sufficient.
    Actually, to some degree, there is already some of this functionality: the
    BIOS password. But that would only be a secure option if there was no
    way to clear the CMOS copy of the BIOS tables or the password was never
    stored in the CMOS and always came from the EEPROM used to record the
    BIOS. The BIOS chips would also have to be soldered and not socketed.
    I suppose you could use a solder iron and remove the pins for the 2-pin
    jumper header used to clear CMOS, but the pads would still be there that
    you could short across. The BIOS would also have to support long and
    strong passwords. Then when the laptop got stolen, the thief would have
    a hard time trying to boot it up. He could cannibalize it for parts,
    like yanking out the hard drive (though remember that you should be
    encrypting sensitive data for mobile computers and using a secure OS
    with strong passwords), but that's not why the laptop got stolen.
    Having to replace the motherboard would make it too costly to steal a
    laptop. However, if YOU (the owner) ever forgot the hardened BIOS
    password then you, too, cannot use the laptop. Either it's secure or
    it's easy. Security and ease-of-use are often dipolar. Just putting a
    bright sticker on the laptop that says, "Hardware is password protected
    and cannot be cleared or disabled" might work (but, of course, actually
    having that claim backed up by the hardware would be far better). Won't
    stop employee theft (i.e., the one that got permission to use the unit
    and pretends it got stolen).

    As a warning, if you aren't using EFS (encrypted file system) already
    provided by Windows 2000/XP then your data is at risk from theft.
    Assigning permissions by account is NOT secure. Permissions are based
    on the SID for the account. Yank the drive out, put it into another
    computer (even if running the same OS) as a "data" drive (i.e., don't
    boot from it), and all those permissions are gone. That SID was not
    created by that other instance of the OS which won't know how to apply
    permissions to those unknown SIDs. It behooves you when using EFS to
    export the security certificate onto floppy or CD so you can recover a
    system or move a drive and still retain access to the EFS-protected
    file. You need to use NTFS to have EFS available.

    --
    ____________________________________________________________
    *** Post replies to newsgroup. E-mail is not accepted. ***
    ____________________________________________________________
    *Vanguard*, Nov 27, 2003
    #4
  5. "*Vanguard*" <> wrote in message
    news:3Lqxb.325116$Tr4.998754@attbi_s03...
    > Don Kelloway wrote:


    <snip & digress>

    > I don't have enough info on ARP to know
    > if it's not a routable protocol or what limits its scope. At a certain
    > point, the MAC won't be available and just TCP/IP is involved. When
    > talking to my ISP's tech reps, even they don't know my MAC address based
    > on any connections to their hosts.


    ARP ("Address Resolution Protocol") is used to determine a MAC address,
    given a request for an IP address. It is used between router and client
    (sort of "not routable by design")

    A decent router also has a significant amount of cache (to remove the
    transmission delay that an ARP broadcast would cause), but can still be set
    up badly (e.g. NTL in the UK)

    H1K
    Hairy One Kenobi, Nov 27, 2003
    #5
  6. Don Kelloway Guest

    "Leythos" <> wrote in message
    news:...
    >
    > The MAC address of the network card is unique - if he connected to the
    > ISP they would know the MAC address.
    >
    > There are also other apps that could be running and alert the owner and
    > then the owner could contact the ISP. Even a simple PING from the laptop
    > to the owner's monitoring system would give the IP.
    >


    Thanks for replying,

    re: MAC
    Sure it's unique, but it's not passed because of routers in between.

    re: other apps
    This was the only viable thing I can think of and is what I was
    referring to about 'phoning home'.

    Best regards,
    Don Kelloway
    Don Kelloway, Nov 28, 2003
    #6
  7. Leythos Guest

    In article <Q0Axb.27198$>,
    says...
    >
    > "Leythos" <> wrote in message
    > news:...
    > >
    > > The MAC address of the network card is unique - if he connected to the
    > > ISP they would know the MAC address.
    > >
    > > There are also other apps that could be running and alert the owner and
    > > then the owner could contact the ISP. Even a simple PING from the laptop
    > > to the owner's monitoring system would give the IP.
    > >

    >
    > Thanks for replying,
    >
    > re: MAC
    > Sure it's unique, but it's not passed because of routers in between.


    If you monitor traffic in the switch or via DHCP requests you can see
    the MAC.

    >
    > re: other apps
    > This was the only viable thing I can think of and is what I was
    > referring to about 'phoning home'.
    >
    > Best regards,
    > Don Kelloway
    >
    >
    >


    --

    (Remove 999 to reply to me)
    Leythos, Nov 28, 2003
    #7
  8. "Leythos" <> wrote in message
    news:...
    > In article <Q0Axb.27198$>,
    > says...
    > >
    > > "Leythos" <> wrote in message
    > > news:...
    > > >
    > > > The MAC address of the network card is unique - if he connected to the
    > > > ISP they would know the MAC address.
    > > >
    > > > There are also other apps that could be running and alert the owner and
    > > > then the owner could contact the ISP. Even a simple PING from the laptop
    > > > to the owner's monitoring system would give the IP.
    > > >

    > >
    > > Thanks for replying,
    > >
    > > re: MAC
    > > Sure it's unique, but it's not passed because of routers in between.

    >
    > If you monitor traffic in the switch or via DHCP requests you can see
    > the MAC.


    ...and if you monitor it after *any* router, you see a different one. As a
    test, I did a traceroute to their web server (different from address pool, I
    know, but it'll serve as an example).

    17 router hops, which means 17 different MAC addresses. In addition to the
    actual client device (which doesn't even get out of the LAN, given that I'm
    also using routers at the DMZ and interface)

    Given the context of what we're talking about (tracing a laptop from further
    away than the ISP's switch room), the MAC address isn't that useful.

    H1K
    Hairy One Kenobi, Nov 28, 2003
    #8
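As an added illustration (not code from the thread or any poster), the following Python simulates what *Vanguard* and H1K describe: each router resolves its next hop with an ARP cache that never leaves its own link, then rewrites the Ethernet header with its own MAC, so the client's NIC MAC survives only on the first link while the IP source address rides through all 17 hops. All MACs, IP addresses and the topology are constructed for the example.

```python
import struct
from collections import namedtuple

# What a sniffer on one link sees: Ethernet source/destination, the IP
# source carried inside, and the TTL so the hop count is visible.
Seen = namedtuple("Seen", "link src_mac dst_mac src_ip ttl")


def mac_bytes(i: int) -> bytes:
    """Constructed MAC for device i (locally administered bit set, no real OUI)."""
    return bytes([0x02, 0x00, 0x00, 0x00, (i >> 8) & 0xFF, i & 0xFF])


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl=64):
    """Ethernet II header followed by a minimal IPv4 header (no options;
    header checksum left at zero since nothing here verifies it)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip


def observe(link, frame):
    """Decode the fields a packet capture on this link would show."""
    return Seen(link, frame[6:12], frame[0:6], frame[26:30], frame[22])


def route_frame(frame, router_mac, next_hop_mac):
    """A router discards the Ethernet header it received and writes a new
    one with its own MAC as source; in the IP header only the TTL changes."""
    ttl = frame[22] - 1
    return next_hop_mac + router_mac + frame[12:22] + bytes([ttl]) + frame[23:]


def simulate(n_routers):
    """Send one frame from the client (device 0) through routers 1..n to the
    server (device n+1) and record what each link carries."""
    client_ip, server_ip = bytes([10, 0, 0, 2]), bytes([198, 51, 100, 7])
    # Constructed ARP caches: device i has resolved its next hop, 10.0.i.1,
    # to device i+1's MAC. ARP stops at the router, so that is all it knows.
    arp_cache = {i: {bytes([10, 0, i, 1]): mac_bytes(i + 1)}
                 for i in range(n_routers + 1)}
    frame = build_frame(mac_bytes(0), arp_cache[0][bytes([10, 0, 0, 1])],
                        client_ip, server_ip)
    seen = [observe(0, frame)]
    for r in range(1, n_routers + 1):
        next_hop_mac = arp_cache[r][bytes([10, 0, r, 1])]
        frame = route_frame(frame, mac_bytes(r), next_hop_mac)
        seen.append(observe(r, frame))
    return seen


def links_showing_client_mac(seen):
    """Links on which the client's own NIC MAC is the frame source."""
    return [s.link for s in seen if s.src_mac == mac_bytes(0)]


def distinct_source_macs(seen):
    return {s.src_mac for s in seen}


def source_ips(seen):
    return {s.src_ip for s in seen}


if __name__ == "__main__":
    seen = simulate(17)  # the 17 router hops H1K counted in his traceroute
    for s in seen:
        ip = ".".join(str(b) for b in s.src_ip)
        print(f"link {s.link:2d}: src MAC {mac_str(s.src_mac)}  src IP {ip}  ttl {s.ttl}")
    print("client NIC MAC visible on links:", links_showing_client_mac(seen))
    print("distinct source MACs across the path:", len(distinct_source_macs(seen)))
```

The run shows one source MAC per link (18 for client plus 17 routers) but a single, unchanged source IP, which is why the ISP's logs tie an IP to an account rather than a MAC to a NIC.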
  9. Guest

    If I'm not mistaken, the MAC is generic for RAS/PPP connections.
    , Nov 28, 2003
    #9
  10. Don Kelloway Guest

    "Leythos" <> wrote in message
    news:...
    > In article <Q0Axb.27198$>,
    > says...
    > >
    > > "Leythos" <> wrote in message
    > > news:...
    > > >
    > > > The MAC address of the network card is unique - if he connected to the
    > > > ISP they would know the MAC address.
    > > >
    > > > There are also other apps that could be running and alert the owner and
    > > > then the owner could contact the ISP. Even a simple PING from the laptop
    > > > to the owner's monitoring system would give the IP.
    > > >

    > >
    > > Thanks for replying,
    > >
    > > re: MAC
    > > Sure it's unique, but it's not passed because of routers in between.

    >
    > If you monitor traffic in the switch or via DHCP requests you can see
    > the MAC.
    >


    Only if you conduct the sniff within the same subnet will you be able to
    ascertain the MAC. Though I do concur that it could be possible for AOL
    to have configured their servers (which assign IPs in the 172.x.y.z
    range over their tunnel) to sound off if a particular MAC were logged.

    Hmmm, I suppose they could have done that. IOW with knowing the MAC in
    advance, configure their servers to alarm when it's seen and allocated
    an IP (for their tunnel) to. Of course the gamble is that the
    individual involved would have to attempt to logon to AOL with the
    laptop.

    Best regards,
    Don Kelloway
    Don Kelloway, Nov 29, 2003
    #10