Laptop Thief Caught via AOL Login
Mundocani writes "Yahoo (Reuters) is reporting that the FBI has caught the guy who stole computers from Wells Fargo. The interesting part is that 'Investigators traced the computer to Krastof when he logged onto his own America Online account at home through one of the stolen computers.' Makes you wonder what sort of hooks the FBI has into AOL or other ISPs and what hardware identification is being transmitted at login."
Maybe that intel CPU serial number.
It's not very difficult. Once you have the IP address, you just do a query at ARIN. That will tell you which ISP the address belongs to, so you phone the ISP and ask them for the information about which subscriber had that IP address at the time you are concerned about. Almost all ISPs maintain this sort of information for auditing/logging purposes.
Actually, I would say that is less than likely. I haven't heard of any company that installs software like that by default, even on laptops. And it would be much easier for AOL to check for a MAC address Wells Fargo provided.
According to another source: "He logged onto an (America Online) account that was registered on that computer and we traced it back to his phone number and address".
It's the 4th item down on the page, under "Suspected thief arrested".
[Set Cain on fire and steal his lute.]
You are missing the point. If the laptop had phone-home software, it could easily report its IP address to "home" when it detects that an internet connection is available. After the IP address has been received, one can easily trace which ISP the computer is using. ISPs usually know the ARP address of computers (network interfaces, actually) that are connected to their gateways because DHCP servers are caching them. I don't have details about this but I'm pretty sure about that DHCP stuff.
So one doesn't have to know the MAC address, just the IP address, and that's enough. And on the other hand, tracing a MAC address on the internet is almost impossible, so you need that IP address.
You don't know what you don't know.
Actually, the kind of security software implied by the original poster does work on IPs since you can't track a MAC address back across the Internet. When you log in, the laptop transmits its current IP address back to the servers of the "phone home" application vendor along with an ID. If that ID is flagged as belonging to a stolen system, then that IP is used to identify the ISP, who will then be informed of the situation and will hopefully be able to identify which user was using that IP at the time. Tie that user back to a person and contact details through billing records and you can proceed to make an arrest.
UNIX? They're not even circumcised! Savages!
Though why AOL should be tracking MAC addresses to user logins is beyond me.
It's called good administration. AOL is a large ISP if you didn't know. They have a lot of members and non-members trying to send Spam threw them, hack other computers threw them, and hack and Spam their own systems. So when someone puts out a complaint that so and so spam them threw AOL or was being tracked threw AOL and you show them proof, then they can check the logs to see when they logged in and if they actually did that, at least coinciding with the login times and the times the incident occurred. I am pretty sure that they are also recording the telephone number that you used to call in as well. This is not a part of some Evil scheme or government plot. It is a way that a company the size of AOL uses to protect its butt. Because if they don't track this information and enforce it (and yes, sometimes they may need to call the police and sometimes the police ask them for some information), then they will be getting lawsuits left and right saying your servers attacked my computer, and AOL is not even showing good faith to remedy the situation. System Administration is sometimes public administration as well, especially when the public uses your systems.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
The MAC address goes no further than the first router, in this case his broadband modem if that's what he's using.
If he's using dialup the MAC address doesn't even come into it.
I found this version posted on www.securityfocus.com. It says the thief used the laptop owner's dial-up AOL account, which the FBI had asked AOL to monitor.
His MAC address and machine name... what an idiot.
Don't Tread on OpenSource
- Use WHOIS to find out which ISP owns the IP address
- Get the ISP to look at their logs to determine which dial-up session was assigned that IP at the time.
- Look at the logs for the access platform to identify the caller's line ID. This is usually the same as the telephone number, but not necessarily, and is *always* known to the remote system, even if you withhold your phone number, because it's used in call setup.
- Take that number to the Telco that owns it and look at *their* logs to give you the physical location of the phone that made the connection (or owner of the mobile).
- Arrest the perp.
While that glosses over the paperwork, and assumes that the ISP maintains sufficiently detailed logs of calls and authentication, which many small ones don't, that's pretty much it.
UNIX? They're not even circumcised! Savages!
Perhaps they used the SMBIOS Serial number
SMBIOS fields such as make, model, serial number and chassis type are populated on pretty much all tier 1/2 machines these days.
SMBIOS table method extraction is really safe, really fast, non-intrusive and can be performed with basic level user access (doesn't require local administrator) on any Windows box without any resident drivers or services (unlike DMI).
Moving one step further: the collection of SMBIOS information by a large ISP such as AOL would allow for some pretty sophisticated profiling for future service provision.
From a big brother perspective, SMBIOS will not tell your ISP your name, your credit card details or what you've been doing since your last online session.
For example, they could profile users by processor type, or memory capacity, they could even send out email offers to users who had free memory slots.
Back to the point: it would be relatively easy for ISPs to be given a 'stolen' list to compare detected serial numbers against; customers just need to use decent Asset Management processes so they know what was stolen.
Why make it so complex? The computer was reported stolen by Wells Fargo with all the information, so the FBI issued a request to AOL to notify them if anybody logs into such and such accounts. Once it happened, the FBI simply had to check the phone records to find the number of the guy who connected, and voila!
I work at a phone company in a country without secret services and sophisticated hooks into any ISP and we would be able to pull that out in a matter of minutes.
There are several software packages, including Ztrace and Absolute Software's Computrace, which deal with the issue of laptop theft directly. It seems very likely that these computers were protected with one of these types of programs.
There is no need for any "Phone Home" software or anything sending the CPUID to AOL. The story is much simpler than that and rather low-tech:
Nothing exceptional here. The FBI does not need any strange hooks into AOL. They only need stupid thieves. Case closed.
-Raphaël
Company's server receives the unique ID. Sysadmin: "Hey, Fred just logged in, but his machine was stolen. WTF? Hmm.. what IP did his request come from? Aaaah.. 69.69.69.69. Let's do a lookup.. hey.. it seems to be an AOL modem-pool". Company goes to police, police goes to judge, police show credible evidence that a crime was committed, judge gives warrant, AOL gives info (login account or the phone number that was dialed in from) on who was logged in at that time on that modem in that modem pool. Police goes to address, takes laptop, returns it to Fred, jails crook. Fred: "1337!".
karma capped
Maybe that intel CPU serial number.
Does the Pentium III processor broadcast its serial number when it is enabled and a user is connected to the Internet?
- No. The processor serial number is passive. Thus, it does not transmit or broadcast itself. If a person chooses to enable the feature, then, when visiting a website that can utilize processor serial numbers, the website needs to send software to the PC to read the processor serial number.
Beware: In C++, your friends can see your privates!
... oh, and even in a case where the P3 processor would send its serial number upon login, this only applies to P3 processors. From intel.com:
Only the Pentium(R) III Xeon(TM), Mobile Pentium(R) III and Pentium III processors support the processor serial number feature introduced by the Pentium(R) III processor. No other Intel(R) processor supports the processor serial number feature.
Beware: In C++, your friends can see your privates!
MAC address perhaps?
For those of you who don't know, MAC addresses are only valid on the same network segment, which means that the router would drop them, and so it can't be that (unless the login program sends that info). More likely it is something like the Intel CPU ID, etc.
LedgerSMB: Open source Accounting/ERP
Machines which dial in don't use ARP. ARP only applies to Ethernet. Nonetheless, I can easily see a machine with sensitive information wanting to report its IP address to a central location whenever it connects. Cookies in the web browser might also help identify a stolen machine.
Using the default account and password stored on a machine seems stupid at first, until you consider that the guy had ID theft equipment... I don't use AOL, but I wouldn't be too surprised if you could fetch some ID-associated info by logging into the account of a stolen computer. In this case, the computer was of special interest, so the guy was picked up.
I wouldn't be surprised if more people could be caught by this same method, it's just that police aren't interested enough in following such tracks for 'normal' owners.
Free Software: Like love, it grows best when given away.
Here's an excerpt from another article on this matter:
This is TOTALLY un-scary. The Wells Fargo guy apparently had his password cached on the machine. This guy just clicks "login" and logs in AS THE GUY WHOSE COMPUTER WAS STOLEN. At this point it's a trivial bit of work to go catch the guy.
It's OK to point out the mistake, IMO, but FGS, tell him what he is doing wrong.
If he never took the time to do high school, is he even going to bother looking up why you advised him to change the word?
Grandparent:
Threw is the past tense (means you already did it) of throw, as in PReD threw a brick at the parent.
Through means to pass between the inner restrictions of something, as in go through a tunnel.
No, that's OK, don't mod me up +5 informative, I don't need the Karma, but all donations are gratefully accepted.
Do not meddle in the affairs of geeks for they are subtle and quick to anger
How was this thief even able to use this stolen laptop? Were they not running a password protected operating system, at least Windows 2000 or Windows XP?
Unfortunately Windows 2000 and Windows XP have an option that most people un-select which says "users must enter a name and password to access this system". It pretty much defeats the point of HAVING a name and password when the computer automatically boots through it. The worst part is this is the default configuration. So most users never really even SEE that Windows has a password.
And AOL lets you SAVE the password on your computer, which is equally foolish.
There are also similar kinds of programs for GSM phones (mainly the Series 60 phones: 7650, 3650, 6600, N-Gage and all) that can be configured to send an SMS with all the information on the new SIM card if it notices that the card gets changed.
Now if I wasn't so goddamn lazy I might actually install one of those...
world was created 5 seconds before this post as it is.
Known stolen AOL account + phone number recorded by any ISP (RADIUS does it by default) + call to phone company by FBI = physical location.
No magic.
He tried to kill me with a forklift!
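The ISP-side step in the procedures above (the IP-to-session lookup in the WHOIS/ISP/telco list, and the "phone number recorded by RADIUS" shortcut) as an added worked example; this is not code from the original thread or from any ISP, and the RADIUS accounting file it parses is constructed, with placeholder users, a documentation-range pool address and made-up Calling-Station-Id values.

```python
"""Map an IP address and a timestamp to the dial-up session that held it,
using RADIUS accounting Start/Stop records. Added example; the accounting
file below is constructed (two sessions that reused one pool address)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

ACCT_LOG = """\
2003-11-24 21:02:11 Acct-Status-Type=Start User-Name=fred@example.net Framed-IP-Address=198.51.100.23 Calling-Station-Id=5551230100 Acct-Session-Id=a1
2003-11-24 21:40:02 Acct-Status-Type=Stop User-Name=fred@example.net Framed-IP-Address=198.51.100.23 Calling-Station-Id=5551230100 Acct-Session-Id=a1
2003-11-24 21:41:30 Acct-Status-Type=Start User-Name=alice@example.net Framed-IP-Address=198.51.100.23 Calling-Station-Id=5551230177 Acct-Session-Id=a2
2003-11-24 22:15:45 Acct-Status-Type=Stop User-Name=alice@example.net Framed-IP-Address=198.51.100.23 Calling-Station-Id=5551230177 Acct-Session-Id=a2
"""

@dataclass
class Session:
    session_id: str
    user: str
    ip: str
    caller_id: str            # Calling-Station-Id: the line ID the access server saw
    start: datetime
    stop: Optional[datetime]  # None while the session is still open

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_acct(text):
    """Pair Start and Stop records by Acct-Session-Id into Session objects."""
    sessions = {}
    for line in text.splitlines():
        ts, attrs = parse_time(line[:19]), line[20:]
        a = dict(kv.split("=", 1) for kv in attrs.split())
        sid = a["Acct-Session-Id"]
        if a["Acct-Status-Type"] == "Start":
            sessions[sid] = Session(sid, a["User-Name"], a["Framed-IP-Address"],
                                    a["Calling-Station-Id"], ts, None)
        elif sid in sessions:
            sessions[sid].stop = ts
    return list(sessions.values())

def find_session(sessions, ip, at):
    """Return the session holding `ip` at time `at`, or None.
    Pool addresses are reused within minutes, so the timestamp (and clock
    skew between complainant and ISP) decides which subscriber is named."""
    for s in sessions:
        if s.ip == ip and s.start <= at and (s.stop is None or at <= s.stop):
            return s
    return None

def who_had(text, ip, when):
    """Convenience wrapper: (User-Name, Calling-Station-Id) or None."""
    s = find_session(parse_acct(text), ip, parse_time(when))
    return (s.user, s.caller_id) if s else None
```

A query that falls in the gap between two sessions returns None rather than the nearest neighbour, which is the behaviour you want before naming a subscriber.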
Modems don't have MAC addresses.
And, btw, tracing MAC addresses across the Internet is not "almost impossible" but "by definition impossible". Traffic on any internet (but especially The Internet) crosses routers (that's what the "inter" part refers to). Routers kill OSI Level 2 identifiers, like hardware addresses.
All's true that is mistrusted
LAPD is way too busy with serious crime
Like that in the UK. The Police are too busy catching people doing 80mph on the motorway to bother with the boring stuff like murder and gangland shootings
I used to work as 3rd-level tech support at an American ISP, and I'd guess at AOL it is probably policy to divulge ANI phone numbers upon request when an account is reported compromised, as long as the caller can recite their credit card number or some other form of verbal ID. I bet AOL helps owners and cops find at least dozens of stolen laptops each year this way.
All this fuss, just because Yahoo messed up. Elsewhere on /.:
"He logged onto an (America Online) account that was registered on that computer and we traced it back to his phone number and address"
Let's do a lookup.. hey.. it seems to be an AOL modem-pool". Company goes to police, police goes to judge, police show credible evidence that a crime was committed, judge gives warrant, AOL gives info (login account or the phone number that was dialed in from) on who was logged in at that time on that modem in that modem pool. Police goes to address, takes laptop, returns it to Fred, jails crook. Fred: "1337!".
Thanks to the DMCA, they can probably skip 3 or 4 of those steps and just demand the info directly from AOL (with no judicial or LE oversight) and then raid the guy themselves.
Were he pirating music, that is probably what would have happened.
Computrace
I know an office that uses this software... it's not bad, it stays quite hidden in the OS (Windows only of course). Login with your ID and you get a list of all your laptops and the last IP they were detected as being logged in from.
I'll have something intelligent to add one of these days...
I work at Wells Fargo and there is a pile of 8 laptops on my desk and the images I apply to them don't have any "call home" software. FYI.
Not so easy as pulling out batteries on laptops.
If you lose the CMOS/Bios password you usually have to RMA the laptop back for a new bios (unless you can find it and solder or replace it yourself). Thus requiring receipt or tracking of serial numbers of which any big company can cross reference against service contracts.
I downloaded onto floppy disc the program here and had reset the admin password on my Win XP box within seconds. Never seen anything so simple in my life. Though others recommend LC4 which also works.
Phillip.
Property for sale in Nice, France
Read ifconfig(8) to see how you can do it under Linux. Google for "sea.c" to see how you can do it under OpenBSD.
Don't you guys realize that MAC addresses can be changed? It is fairly easy to do with software, but extremely hard to do directly to the hardware.
If you guys really want to know how the government does the forensics, read "Computer Forensics: Incident Response Essentials" by Kruse and Heiser. Well written book that is easy to read and teaches you a lot about this type of stuff and also analyzing machines.
It is easier to read the book than prove that Big Brother is out to get you.
That said, the 2.6.x Linux kernels have the ability to mangle and spoof MAC addresses, in addition to NAT/MASQ and building firewalls based on MAC. This is in addition to all the iptables goodness.
My firewall uses iptables *and* echoes the desired behavior into kernel-space by setting the desired values in /proc with a script at bootup. For ex:
## Disable accepting IP source routing
## (loop form so more sysctl files can be added to the list)
for f in /proc/sys/net/ipv4/conf/all/accept_source_route; do
    echo 0 > "$f"
done
As far as the chmod goes, one could also use chattr to set the "immutable" bit, e.g. "chattr +i foo.bar". It's more potent than chmod since not even root can touch an immutable file; you have to become root and remove the immutable bit first.
C|N>K
I work for WF but do not mean to represent my employer here. Your answer is pretty close to right on. Our network logs ALL accesses, but of course denies access to our intranet from the internet at large. Ergo, any request in the access log (like when Outlook tries to connect to our mailserver, for example) that originates outside the intranet is automatically red-flagged. Requests to certain ports within our network are a more serious red flag, as it indicates someone is starting an internal application from outside the intranet. IPs are logged, tracert to AOL, have FBI get AOL's access log to match temporary IP/date/time to originating login... not exactly rocket science, folks... There are other applications that as a matter of operation 'call home', so really the moral of the story is that it is a dumb idea to steal computers from work unless you really know how the computer is configured.
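The red-flagging the comment above describes (external source hitting the intranet, with a more serious flag for internal application ports), as an added detection example; this is not the poster's or Wells Fargo's tooling, and the log format, the internal address ranges and the "serious" port list are all constructed assumptions.

```python
"""Flag intranet-access-log entries that originate outside the corporate
address space. Added example; log format and ranges are constructed."""
import ipaddress

# Assumed internal address space and internal-application ports (constructed).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
INTERNAL_APP_PORTS = {1433, 8443}

# Constructed sample log: "timestamp src=IP dst=IP dport=N user=NAME".
# The second and third lines are what a stolen laptop with cached
# credentials would look like when it connects from a dial-up pool address.
ACCESS_LOG = """\
2003-11-25 08:12:03 src=10.20.30.40 dst=10.1.1.25 dport=143 user=fred
2003-11-25 08:13:17 src=198.51.100.23 dst=10.1.1.25 dport=143 user=fred
2003-11-25 08:13:52 src=198.51.100.23 dst=10.1.2.9 dport=1433 user=fred
2003-11-25 08:14:05 src=192.168.4.7 dst=10.1.2.9 dport=1433 user=alice
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(line):
    """Return (timestamp, user, src, severity) for one log line.

    severity is 'ok' for an internal source, 'flag' for an external source
    reaching an ordinary service (e.g. mail), and 'serious' for an external
    source reaching an internal application port."""
    ts, rest = line[:19], line[20:]
    f = dict(kv.split("=", 1) for kv in rest.split())
    if is_internal(f["src"]):
        sev = "ok"
    elif int(f["dport"]) in INTERNAL_APP_PORTS:
        sev = "serious"
    else:
        sev = "flag"
    return ts, f["user"], f["src"], sev

def triage(log):
    """Return only the flagged entries, most serious first (stable order within a level)."""
    rows = [classify(l) for l in log.splitlines() if l.strip()]
    order = {"serious": 0, "flag": 1}
    return sorted((r for r in rows if r[3] != "ok"), key=lambda r: order[r[3]])
```

The flagged source address and timestamp are exactly the pair the ISP needs for the session lookup, so keeping both in the log line is what makes the later trace possible.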
Seems Reuters screwed up on the facts.
When I was buying my IBM ThinkPad, it came with a feature of calling home, should the machine be stolen. The call-home mechanism is built in and cannot be removed. What it requires is a subscription fee to activate the feature, sort of like LoJack for laptops.
For people with sensitive information, it's a bitter price that must be paid.
http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2003/11/26/financial1853EST0113.DTL
Moved to archive at:
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2003/11/27/MNGUO3BN101.DTL
This looks as if the thief was simply attempting to log into the account of the *original owner*, which was preconfigured on the stolen laptop. Of course this is easily detectable and easy to trace back.