Re: Tracing computers via AOL?

From: *Vanguard* (no-email_at_post-reply-in-newsgroup.nix)
Date: 11/27/03


Date: Thu, 27 Nov 2003 17:45:35 GMT

Don Kelloway wrote:
> It's early and I haven't had my coffee yet, but I thought this would be
> an interesting subject I'd like to discuss.
>
> The other day I read about a theft of a laptop from Wells Fargo that
> contained sensitive information. This morning I read a follow-up that
> stated the individual involved was arrested after investigators were
> able to locate the computer after the individual signed onto AOL. Now
> here's the paragraph that caused me to stop and think. How?
>
> "Investigators traced the computer to Krastof when he logged onto his
> own America Online account at home through one of the stolen
> computers, White said. That enabled authorities to connect the
> computer's Internet Protocol address, a number that identifies a
> computer on the Internet, to Krastof's home address through his AOL
> account, White said."
>
> Hmmm? Is there something missing from that paragraph? Yes. We know
> IP addresses are unique and yes we know ISP records will allocation,
> etc. But how did investigators know to look for this specific computer
> amongst the tens of millions that sign onto AOL every day? And even
> then what was so identifiable about this specific computer once it
> established a connection to AOL? The only methods that come to mind
> (note: still drinking first cup) of identifying the computer amongst
> any other would be if:
>
> A. There was some sort of 'phone home' utility installed, or
>
> B. The individual tried to sign on with the user account of the owner
> of the laptop, thus identifying himself to AOL.
>
> Any other ideas?

There are programs (see http://www.stolenlaptop.com/ although there are
LOTS of these type of products) that will report on the computer the
next time it logs on the Internet. I don't know how well it works with
firewalls, though. If the thief purges all application firewall rules
for an existing software firewall or installs one, then when zTrace
attempts to make a connection, a popup will alert the thief that
zTrace is requesting a connection and the thief can "just say no".
Obviously software protection requires that the thief doesn't reformat
the drive (i.e., they want the hardware and not the software and data).
If they want the unencrypted data, they certainly don't need an Internet
connection to access it; just don't connect the NIC (i.e., use it
offline). I don't know if the software anti-theft products will also
guard the access of all files on the hard drives so disabling it from
running, its uninstallation, or its reinstall would bar access to the
protected files; i.e., it must be running to allow access, if
uninstalled then access is denied, and if reinstalled then the
randomly-generated fingerprint on install doesn't match the one used by
the prior install. This would add some overhead (delay) on opening
files.

Some users leave the serial number enabled (for Intel CPUs). An ActiveX
control (if you allow it to download and install unless you're stupid
enough to leave the option enabled to download AX without prompt) can be
used to interrogate the CPU's serial number and then report that back
when an Internet connection is made. Tis easy 'nuff to find out who was logged
in using that IP address at that time through that ISP (provided you get
cooperation from the ISP or a court order). Just check the connect
logfiles. I don't know if AOL downloads such an AX control or if they
include it in their software, but tis easy 'nuff to get the CPU serial
number - if it wasn't disabled in the BIOS (and if the CPU was an
Intel). But that also requires the owner actually record the CPU serial
number so they know what number to report to the police. How many have
the CPU serial number enabled in their BIOS (if an option)? Of those,
how many have recorded the CPU serial number?

It's usually not the hardware that is most important to a company when a
laptop gets stolen. It's the data. The user should be synchronizing
the data regularly to prevent a minimal loss, or the important data
should be online or on the company's hosts (and the user uses the files
there). They should also be encrypting it, especially for mobile
computers, using EFS in NT-based Windows or a 3rd party product to
provide encryption.

The MAC probably cannot be seen past the user's intranet so it probably
isn't query-able past the modem or router. I know I can use the
"arp -a" command to get the MAC address of any host to which I connect
but that's only for hosts on my intranet. I certainly don't get to see
the MAC address of hosts outside my intranet. Do an "arp -a", then
"telnet ftp.microsoft.com 21", and then redo "arp -a" and you won't see
Microsoft's MAC address added. I don't have enough info on ARP to know
if it's not a routable protocol or what limits its scope. At a certain
point, the MAC won't be available and just TCP/IP is involved. When
talking to my ISP's tech reps, even they don't know my MAC address based
on any connections to their hosts. They need to query their cable modem
to see what it got as the MAC address of the host connected to it but
that could be a router! You can define any MAC address you want in the
router (i.e., you don't need to clone it from a host's NIC), so the MAC
address of any computer on the LAN side of the router is unreachable.
The only MAC address the cable modem can get is the one in the router,
and that's configurable.

Being able to track the thief doesn't mean you (via the police) get to
nab them. Could be they are in a different country, like the one you
travelled to. Could be there is no reciprocity (for law) between your
country and theirs. Could be the theft is too small for the authorities
to care about (I think the FBI has a minimum loss value of $25,000).
Sounds like the best bet is to insure it, use a secure version of the OS
(and use *strong* passwords, rename the Administrator account, etc.),
encrypt any sensitive local data, require critical data be retained on
online servers (online data storage or back on your company's network
hosts), and collect the insurance when it gets stolen (be sure to
include "replacement value" so you don't collect on just depreciated
value).

Rather than get the unit back, I'd like the Mission Impossible gear.
When stolen, send a signal using satellites that will fry the computer's
components when it next gets turned on and can receive the signal.
Having it explode would not be acceptable; you don't kill or maim just
because of property theft and there could be nearby innocents. Of
course, rather than frying the gear, just have it permanently disabled
so it becomes unusable until a secret code gets entered, all of which
has to be handled in hardware and not by software. Not all components
would need this feature; just the motherboard would be sufficient.
Actually, to some degree, there is already some of this functionality: the
BIOS password. But that would only be a secure option if there was no
way to clear the CMOS copy of the BIOS tables or the password was never
stored in the CMOS and always came from the EEPROM used to record the
BIOS. The BIOS chips would also have to be soldered and not socketed.
I suppose you could use a solder iron and remove the pins for the 2-pin
jumper header used to clear CMOS, but the pads would still be there that
you could short across. The BIOS would also have to support long and
strong passwords. Then when the laptop got stolen, the thief would have
a hard time trying to boot it up. He could cannibalize it for parts,
like yanking out the hard drive (though remember that you should be
encrypting sensitive data for mobile computers and using a secure OS
with strong passwords), but that's not why the laptop got stolen.
Having to replace the motherboard would make it too costly to steal a
laptop. However, if YOU (the owner) ever forgot the hardened BIOS
password then you, too, cannot use the laptop. Either it's secure or
it's easy. Security and ease-of-use are often dipolar. Just putting a
bright sticker on the laptop that says, "Hardware is password protected
and cannot be cleared or disabled" might work (but, of course, actually
having that claim backed up by the hardware would be far better). Won't
stop employee theft (i.e., the one that got permission to use the unit
and pretends it got stolen).

As a warning, if you aren't using EFS (encrypted file system) already
provided by Windows 2000/XP then your data is at risk from theft.
Assigning permissions by account is NOT secure. Permissions are based
on the SID for the account. Yank the drive out, put it into another
computer (even if running the same OS) as a "data" drive (i.e., don't
boot from it), and all those permissions are gone. That SID was not
created by that other instance of the OS which won't know how to apply
permissions to those unknown SIDs. It behooves you when using EFS to
export the security certificate onto floppy or CD so you can recover a
system or move a drive and still retain access to the EFS-protected
file. You need to use NTFS to have EFS available.

--
____________________________________________________________
*** Post replies to newsgroup.  E-mail is not accepted. ***
____________________________________________________________
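The "arp -a" experiment described in the post above, as an added example that is not part of the original message: ARP only resolves the next hop on the local link, so a remote host's MAC never enters the cache, only the default gateway's does. All addresses below (local host, netmask, gateway, the sample "arp -a" output and the remote addresses) are constructed values, not taken from the post.

```python
"""Why `arp -a` never shows a remote host's MAC address.

A host only ARPs for addresses on its own subnet; anything off-link is
sent to the default gateway, so the gateway's MAC is the only one that
ever lands in the ARP cache for remote conversations.
"""
import ipaddress

# Constructed local configuration (hypothetical values).
LOCAL_IP = "192.168.1.10"
NETMASK = "255.255.255.0"
GATEWAY = "192.168.1.1"

# Constructed Windows-style `arp -a` output after talking to one LAN
# host and one Internet host: the Internet host is absent.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-11-22-33-44-66     dynamic
"""


def next_hop(dst, local_ip=LOCAL_IP, netmask=NETMASK, gateway=GATEWAY):
    """Return the IP address the host will ARP for when sending to dst.

    On-link destinations are resolved directly; every other destination
    is handed to the default gateway, whose MAC is what gets cached.
    """
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return dst if ipaddress.ip_address(dst) in net else gateway


def expected_arp_entries(destinations, **kw):
    """IPs whose MACs could appear in `arp -a` after contacting each
    destination; remote IPs collapse to the single gateway entry."""
    return {next_hop(d, **kw) for d in destinations}


def arp_cache_has(arp_output, ip):
    """True if `ip` has an entry in Windows-style `arp -a` output."""
    for line in arp_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == ip:
            return True
    return False
```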

