Slashdot Mirror


Laptop Thief Caught via AOL Login

Mundocani writes "Yahoo (Reuters) is reporting that the FBI has caught the guy who stole computers from Wells Fargo. The interesting part is that 'Investigators traced the computer to Krastof when he logged onto his own America Online account at home through one of the stolen computers.' Makes you wonder what sort of hooks the FBI has into AOL or other ISPs and what hardware identification is being transmitted at login."

44 of 524 comments

  1. last thing the thief heard... by dark_day · · Score: 4, Funny

    "You've got jail!"

  2. Moral of the story... by jkrise · · Score: 5, Funny

    1. When you steal computers, don't steal laptops.
    2. After stealing a desktop PC, even if it has the latest Windows OS and Service Pack, format the disk and load RedHat.
    3. If you steal a Linux PC, install Windows on it for a year, then switch back - even AOL can't maintain that big a log!
    4. Don't use AOL - switch over to MSN - it's much more secure - instead of the FBI, it'll be the BSA that's after you!

    --
    If you keep throwing chairs, one day you'll break windows....
  3. ...or maybe... by cnelzie · · Score: 4, Insightful

    Wells Fargo is using some cool 'Phone Home' software that was described on Slashdot several times that MOST everyone thought was a good idea...

    Why is it a good idea when it will protect your laptop or employer's laptop, but suddenly, the FBI has some nefarious hooks into AOL when they publish that they captured a laptop thief because the thief logged into AOL?

    Anyone care to answer that?

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
  4. Re:Good vs Bad by leerpm · · Score: 4, Informative

    It's not very difficult. Once you have the IP address, you just do a query at ARIN. That will tell you which ISP the address belongs to, so you phone the ISP and ask them for the information about which subscriber had that IP address at the time you are concerned about. Almost all ISPs maintain this sort of information for auditing/logging purposes.

  5. You know... by mental_telepathy · · Score: 5, Insightful

    I hate to say that Slashdot readers have obvious biases, but why is it that when the police do something smart with computers, you get:
    Makes you wonder what sort of hooks the FBI has into AOL or other ISPs and what hardware identification is being transmitted at login.
    And when they can't solve a computer crime case, you get 100 posts about how the police are computer dummies. I'll be honest, I'm not too worried about my ISP having my MAC address, or even the make and model of my video card if they are interested. It's just nice to see a criminal get busted.

    1. Re:You know... by jkleid · · Score: 5, Insightful

      "I'll be honest, I'm not too worried about my ISP having my MAC address, or even the make and model of my video card if they are interested."

      Authorities now have a sizable fraction of the technology possessed by big brother in the book 1984. Whether or not to fear that power is a matter of trust.

    2. Re:You know... by Alsee · · Score: 5, Interesting

      why is it that when the police do something smart with computers...
      And when they can't solve a computer crime case...


      Because the issue is how they do it. News items appear to slam the police for success and ridicule them for failure simply because news items are not a representative sampling of reality! The police have hundreds of successes every day, but who cares to write about them or read them? It only becomes a news item when the police have a success AND they did something wrong or controversial in the process. The same goes for their failures - it only becomes newsworthy when someone really screwed up.

      As for this particular story it is all about how the police caught the guy. It appears that Slashdot botched the story in this case. Another news site reports that the guy did NOT log into his own AOL account, he logged into an AOL account belonging to the owner of the machine. If that's the case then there really isn't any story here. If some moron steals my wallet and then shows up at the bank trying to use my safety deposit key then there's no problem grabbing him and throwing him in prison.

      I was going to continue with an example of police methods that would not have been acceptable, but let's skip arguing over specifics. Suffice it to say that there *are* a wide variety of unacceptable methods. If you don't agree with that then you are a far greater threat to this country than any terrorist with a bomb.

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  6. Wait a minute... by cnelzie · · Score: 4, Insightful

    How was this thief even able to use this stolen laptop? Were they not running a password protected operating system, at least Windows 2000 or Windows XP?

    I know that ANY of the laptops and roughly ALL of our desktop PCs would be useless to any thieves unless they format each and every machine, since there isn't a single account that doesn't have a password that isn't controlled by our Domain Controller...

    I am not so happy about Wells Fargo's apparent disinterest in keeping things secure...

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
    1. Re:Wait a minute... by leenoble_uk · · Score: 5, Interesting

      Running Jaguar I set up a fake account with no password on purpose. If my laptop was stolen I WANTED the thief to use it to get online. My real accounts were hidden from the login screen and my home folder was invisible. I had a penny-per-minute dialup ISP set up to make it easy for the thief to get connected. Using DNS update software I would be able to see the IP address at Dyndns.org if it was ever used.
      If the thief was to find the computer locked down from the start then they'd be far more likely to wipe and restore making this a lot more difficult.
      Unfortunately, now running Panther, making user accounts invisible makes the fast user switching a buggy nightmare. So in spite of the extra security features like FileVault I think it's less likely I would ever see it again if it were stolen. I liked my security through obscurity.

    2. Re:Wait a minute... by HeghmoH · · Score: 4, Interesting

      If you do want to implement e-mail, it's very simple. You don't need a local MTA; SMTP is very simple, and a server will accept a message for a user at its domain, no matter where you're connecting from. (Or nearly so....)

      So all you have to do is know the SMTP server for your e-mail address, and a bit of scripting with netcat does the rest. Just make a file with:

      helo phone_home@domain.blah
      mail from:phone_home@domain.blah
      rcpt to:phone_home@domain.blah
      data
      Subject: subject

      contents go here
      .
      quit

      Then you can send it with 'nc smtp.isp.blah 25 < file'.

      I do this for my phone-home program. It doesn't send mail by default, but it checks a private page on my web site. If it finds the right command on that page, then it will send e-mail. I can also have it execute commands and open up an ssh tunnel so I can ssh in.

      Of course, like a dumbass, I don't have an easy way for them to get online unless they have a wireless network. Do you have a suggestion for how to do that without having a password-free admin account? I don't want random people to be able to do nastiness on my machine.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  7. Re:PC call home by mental_telepathy · · Score: 4, Informative

    Actually, I would say that is less than likely. I haven't heard of any company that installs software like that by default, even on laptops. And it would be much easier for AOL to check for a MAC address Wells Fargo provided.

  8. Re:PC call home by miu · · Score: 5, Informative
    Nope, the Slashdot blurb about him using his own AOL account is wrong.

    According to another source "He logged onto an (America Online) account that was registered on that computer and we traced it back to his phone number and address''.

    It's the 4th item down on the page, under "Suspected thief arrested".

    --

    [Set Cain on fire and steal his lute.]
  9. Re:PC call home by Zocalo · · Score: 4, Informative

    Actually, the kind of security software implied by the original poster does work on IPs since you can't track a MAC address back across the Internet. When you log in, the laptop transmits its current IP address back to the servers of the "phone home" application vendor along with an ID. If that ID is flagged as belonging to a stolen system, then that IP is used to identify the ISP, who will then be informed of the situation and will hopefully be able to identify which user was using that IP at the time. Tie that user back to a person and contact details through billing records and you can proceed to make an arrest.

    --
    UNIX? They're not even circumcised! Savages!
  10. Re:PC call home by jellomizer · · Score: 4, Informative

    Though why AOL should be tracking mac addresses to user logins is beyond me.
    It's called good administration. AOL is a large ISP if you didn't know. They have a lot of members and non-members trying to send spam through them, hack other computers through them, and hack and spam their own systems. So when someone puts out a complaint that so-and-so spammed them through AOL or was being tracked through AOL and you show them proof, then they can check the logs to see when they logged in and if they actually did that, at least coinciding with the login times and the times the incident occurred. I am pretty sure that they are also recording the telephone number that you used to call in as well. This is not a part of some evil scheme or government plot. It is a way that a company the size of AOL uses to protect its butt. Because if they don't track this information and enforce it (and yes, sometimes they may need to call the police and sometimes the police ask them for some information), then they will be getting lawsuits left and right saying your servers attacked my computer, and AOL is not even showing good faith to remedy the situation. System administration is sometimes public administration as well, especially when the public uses your systems.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  11. Re:MAC addresses? by Viol8 · · Score: 4, Informative

    The MAC address goes no further than the first router, in this case his broadband modem if that's what he's using.
    If he's using dialup the MAC address doesn't even come into it.

  12. There is no story here by Mr_Silver · · Score: 5, Insightful
    From SFGate:
    Investigators knew where to look for the gear not because of unusually intrepid sleuthing but because Krastof allegedly used the computer to log on to an AOL account belonging to the system's owner, Peter Gascoyne.
    Please remove your tin foil hats, the idiot logged onto the AOL account of the person he stole the laptop from. The police and AOL merely traced it back to his house.
    --
    Avantslash - View Slashdot cleanly on your mobile phone.
    1. Re:There is no story here by trystanu · · Score: 5, Informative
      ... and even then AOL didn't help *that* much:

      White said investigators had asked AOL as a routine precaution to watch for any log-ons in Gascoyne's name. He said the world's biggest online service had reported a hit earlier this month but then dragged its feet in providing information about the phone line used in the connection.
  13. Re:so how did they get his addy? by Zocalo · · Score: 4, Informative
    Logs, logs, and yet more logs. The process works like this (although not in this case, since apparently Yahoo is wrong and Krastoff actually used the original owner's account):

    1. Use WHOIS to find out which ISP owns the IP address
    2. Get the ISP to look at their logs to determine which dial-up session was assigned that IP at the time.
    3. Look at the logs for the access platform to identify the caller's line ID. This is usually the same as the telephone number, but not necessarily, and is *always* known to the remote system, even if you withhold your phone number, because it's used in call setup.
    4. Take that number to the Telco that owns it and look at *their* logs to give you the physical location of the phone that made the connection (or owner of the mobile).
    5. Arrest the perp.
    While that glosses over the paperwork, and assumes that the ISP maintains sufficiently detailed logs of calls and authentication, which many small ones don't, that's pretty much it.
    --
    UNIX? They're not even circumcised! Savages!
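
The IP-and-time lookup in steps 2 and 3 above, as an added example that is not part of the original post: it correlates an IP address and a UTC timestamp against constructed RADIUS-style accounting records to recover the calling line ID. The log format, addresses, usernames and line IDs are all constructed for the example; what it adds to the list is that a dial-up address is reused by the next caller minutes later, so a match is only as good as its time window, and an ambiguous match is reported rather than guessed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    start: datetime
    stop: datetime
    framed_ip: str            # dynamic address handed to this dial-up session
    username: str
    calling_station_id: str   # line ID reported by the access platform (step 3)


# Constructed accounting records (fields: start,stop,framed_ip,user,line).
# 198.51.100.17 is handed to two different subscribers on the same evening,
# which is exactly why the timestamp matters as much as the address.
ACCOUNTING_LOG = """\
2003-11-20T21:03:11Z,2003-11-20T22:40:02Z,198.51.100.17,subscriber-a,5551230001
2003-11-20T22:41:30Z,2003-11-21T00:05:55Z,198.51.100.17,subscriber-b,5551230002
2003-11-20T22:00:00Z,2003-11-20T23:30:00Z,198.51.100.18,subscriber-c,5551230003
"""


def parse_ts(s: str) -> datetime:
    # Accept only the Z-suffixed UTC form so local and UTC clocks never get mixed.
    if not s.endswith("Z"):
        raise ValueError(f"timestamp must be UTC with a Z suffix: {s}")
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_accounting(text: str) -> List[Session]:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, stop, ip, user, line_id = line.split(",")
        sessions.append(Session(parse_ts(start), parse_ts(stop), ip, user, line_id))
    return sessions


def sessions_for(sessions: List[Session], ip: str, when: datetime,
                 skew_seconds: int = 0) -> List[Session]:
    """Every session that held `ip` at `when` (step 2), each window widened by
    `skew_seconds` on both sides to absorb clock drift between the complainant's
    log and the accounting server. A list is returned rather than one session so
    that an ambiguous match stays visible instead of silently naming a subscriber."""
    skew = timedelta(seconds=skew_seconds)
    return [s for s in sessions
            if s.framed_ip == ip and s.start - skew <= when <= s.stop + skew]


def line_id_for(sessions: List[Session], ip: str, when: datetime,
                skew_seconds: int = 0) -> Optional[str]:
    """Steps 2 and 3 together: IP + time -> calling line ID, or None when there is
    no matching session or more than one (an ambiguous answer is not an answer)."""
    hits = sessions_for(sessions, ip, when, skew_seconds)
    return hits[0].calling_station_id if len(hits) == 1 else None


if __name__ == "__main__":
    sessions = parse_accounting(ACCOUNTING_LOG)
    for stamp in ("2003-11-20T22:10:00Z", "2003-11-20T23:00:00Z", "2003-11-20T22:41:00Z"):
        print(stamp, "->", line_id_for(sessions, "198.51.100.17", parse_ts(stamp)))
```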
  14. Re:MAC addresses? by crevette · · Score: 5, Informative

    Why make it so complex? The computer was reported stolen by Wells Fargo with all the information, so the FBI issued a request to AOL to notify them if anybody logs into such and such accounts. Once it happened, the FBI simply had to check the phone records to know the number of the guy who connected and voila!

    I work at a phone company in a country without secret services and sophisticated hooks into any ISP and we would be able to pull that out in a matter of minutes.

  15. I bet they tracked him down by IM by H8X55 · · Score: 5, Funny

    Makes you wonder what sort of hooks the FBI has into AOL or other ISPs and what hardware identification is being transmitted at login.

    i bet it wasn't that complicated.

    fbiAgentd00d99: Yo man, what's up?
    LaptopThief2310: Not much, i just ripped off some computers! HA HA WOOT!
    fbiAgentd00d99: SWEET!
    LaptopThief2310: Yeah I rockxxorz. Now I'm takin' a pic of me, an all the computers i stoled w/ a sony cybershot i "found".
    fbiAgentd00d99: You pwn3! Send me that pic! I'm gonna put it on my website!

    There we have it folks, probable cause, as well as an IP address.

  16. Re:PC call home by Mattcelt · · Score: 5, Informative

    There are several software packages including Ztrace and Absolute Software's Computrace which deal with the issue of laptop theft directly. It seems very likely that these computers were protected with one of these types of programs.

  17. Re:Password protected? by rduke15 · · Score: 5, Interesting

    Were they not running a password protected operating system, at least Windows 2000 or Windows XP?

    You must be kidding, but I'm not sure.

    It takes only a few minutes to change the administrator password on a Windows box with a Linux boot floppy.

    Done it a couple of times (on Windows 2000), for users who didn't know the admin password.

  18. Re:PC call home by miu · · Score: 4, Insightful
    One continuing problem that IT has is locking down computers. It is very common for employees to install their own software and dial connections on laptops.

    I agree with you that a laptop with the sort of sensitive data that this one contained should never be connected directly to a public network - but such is the state of data security these days.

    --

    [Set Cain on fire and steal his lute.]
  19. Re:PC call home by Zocalo · · Score: 4, Interesting

    I kind of get the impression, that with this being a laptop and all, it would have been using a modem to connect. Last I heard a modem does not actually have a static MAC address in firmware like a network card. Since this is Slashdot, we might as well blame Microsoft for this confusion since they generate a MAC with the vendor ID of 44:45:53 for "internal adapters" such as modems.

    --
    UNIX? They're not even circumcised! Savages!
  20. Re:PC call home by miu · · Score: 5, Insightful
    I should state exactly why I felt the Herald version is more credible.

    The Yahoo statement:

    Investigators traced the computer to Krastof when he logged onto his own America Online account at home through one of the stolen computers, White said.

    and the Herald statement:

    "He logged onto an (America Online) account that was registered on that computer and we traced it back to his phone number and address,'' White said.

    I felt that the direct quote of Chief White was more credible, and less likely to be subject to an error of interpretation on the part of the reporter.

    --

    [Set Cain on fire and steal his lute.]
  21. Not spyware. The story is much simpler than that by Raphael · · Score: 5, Informative

    There is no need for any "Phone Home" software or anything sending the CPUID to AOL. The story is much simpler than that and rather low-tech:

    • Thief steals computer.
    • Thief tries AOL account found on stolen computer.
    • Account is known to have been compromised.
    • Connection type = dialup = phone number.
    • Phone number = address.
    • Address = thief gets caught.

    Nothing exceptional here. The FBI does not need any strange hooks into AOL. They only need stupid thieves. Case closed.

    --
    -Raphaël
  22. Re:PC call home by snake_dad · · Score: 4, Informative

    Company's server receives the unique ID. Sysadmin: "Hey, Fred just logged in, but his machine was stolen. WTF? Hmm.. what IP did his request come from? Aaaah.. 69.69.69.69. Let's do a lookup.. hey.. it seems to be an AOL modem pool". Company goes to police, police go to judge, police show credible evidence that a crime was committed, judge gives warrant, AOL gives info (login account or the phone number that was dialed in from) on who was logged in at that time on that modem in that modem pool. Police go to the address, take the laptop, return it to Fred, jail the crook. Fred: "1337!".

    --
    karma capped .sig seeking available Slashdot poster for long-term relationship.
  23. Similar Experience by Lieutenant_Dan · · Score: 4, Interesting

    I had one of my notebooks stolen at the LA airport. I had one in my suitcase (there's only so many I can carry) because of a conference. One of the baggage handlers must have helped himself to my notebook.

    The funny thing is that the notebook was my personal one, and because I did travel a lot at the time, I had an AOL account for convenience. On a whim, I called AOL and asked them for a log of my sign-ins. Lo and behold, it turns out whoever stole my notebook was using my AOL account to surf! I pleaded with the tech person to at least give me the IP address so I could track the thief down. He sympathized with my problem and passed me to one of the network engineers who was very keen on helping me. I got the IP address and the phone number that he used to dial in. He said that the Telecom department could give me the number that was used to dial in to AOL but I would have to get the law involved as certain FCC regulations prevented him from sharing that info.

    So I collected all the info and sent the report to the security officer at the airport, a copy to the LA sheriff's dept and another one to my insurance company (who I had hoped would be keen to solve the problem). After a few calls, I got nothing. Turns out that theft like that happens a lot at LAX and the LAPD is way too busy with serious crime to investigate a crime committed against an out-of-towner.

    The good thing is, my home insurance covered the theft, so I got a better model for basically the amount I paid for my notebook a year prior (minus deductible).

    This was pre-2001 btw ...

    --
    Wearing pants should always be optional.
    1. Re:Similar Experience by qtp · · Score: 5, Insightful

      If you had demonstrated the common decency to be a large financial institution, as Wells Fargo so considerately did, then the police would have been more than happy to help you.

      The absolute gall that you demonstrated by being a lowly private citizen cannot be tolerated and our law enforcement agencies cannot and will not encourage such anti-social behavior.

      --
      Read, L
    2. Re:Similar Experience by crashnbur · · Score: 4, Interesting
      ...the LAPD is way too busy with serious crime to investigate a crime committed to an out-of-towner.

      It's sad, really... but police officers have essentially been reduced to insurance claims officers when it comes to theft or vandalism. Unless someone is in clear and present danger, the police often can't or won't act because there is just too much crime.

      I read a sociological report about persons who have committed felonies recently, and the results shocked me. The statistics in particular that got my attention:

      Of all the grand theft (generally $500+) that occurs in the US, only 6% of it is even reported.

      Of all the grand theft that is reported, only 1% of the thieves are ever caught.

      Of course, you have to understand that sociology isn't the most exact science in the world, and that these stats most likely include career thieves who only get caught once. I guess you can tell any story you want if you've got the stats to back it up.

      But still, according to these numbers, 99.94% of all thefts of $500 value or more are lost causes for the theft victims, because either the thieves are too good or the police forces are not good (or willing) enough to catch them.

    3. Re:Similar Experience by Skyshadow · · Score: 4, Insightful
      If you had demonstrated the common decency to be a large financial institution, as Wells Fargo so considerately did, then the police would have been more than happy to help you.

      In fairness, this laptop represented a pretty serious amount of crime potential.

      The laptop was stolen from a Wells Fargo contractor, and it contained a whole mess of Really Important customer data (social security numbers and what have you) that would have enabled any halfway competent identity thief to get all they needed to start opening credit lines.

      The real issue here (which nobody's talking about) is how can Wells Fargo get away with this? Seriously, they left a mess of Really Important confidential customer data unencrypted on a highly mobile computer. Talk about negligence! This'd be the same as if they had customers dropping their night deposits into a large suitcase they left outside the front door of the bank (except in that situation all you stand to lose is one deposit).

      Is it so much to ask that institutions who have our Really Important Data take some basic steps to protect it? This whole thing could have been rendered moot with something as simple and easy as an encrypted filesystem.

      But nobody, nobody is talking about it. So they'll continue putting customer data on laptops, HMOs will keep putting patient records on tablet PCs or shipping it overseas for testing or whatever... I wonder what it'll take to change it...

      --
      Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  24. Re:PC call home by Stephen+Samuel · · Score: 4, Informative
    ISPs usually know the ARP address of computers (network interfaces actually) that are connected to their gateways because DHCP servers are caching them. I don't have details about this but I'm pretty sure about that DHCP stuff.

    Machines which dial in don't use ARP. ARP only applies to Ethernet. Nonetheless, I can easily see a machine with sensitive information wanting to report its IP address to a central location whenever it connects. Cookies in the web browser might also help identify a stolen machine.

    Using the default account and password stored on a machine seems stupid at first, until you consider that the guy had ID theft equipment... I don't use AOL, but I wouldn't be too surprised if you could fetch some ID-associated info by logging into the account of a stolen computer. In this case, the computer was of special interest, so the guy was picked up.

    I wouldn't be surprised if more people could be caught by this same method, it's just that police aren't interested enough in following such tracks for 'normal' owners.

    --
    Free Software: Like love, it grows best when given away.
  25. Re:PC call home by beacher · · Score: 4, Funny

    Nah.. I have a copy of the evidence right here....

    Subject: ME TOO
    From: Krastof (Krastof@AOL.com)
    Reply-To: Krastof@AOL.com
    Newsgroups: comp.laptops.stolen
    Date: Wed, 26 Nov 2003 09:18:22 -0500

  26. Re:Good vs Bad by jridley · · Score: 4, Informative
    Yes, but it's not clear that's what really happened; it appears that the actual info may have been muddled by the reporter. I suggest looking for Krastof in news.google.com and read some other articles.

    Here's an excerpt from another article on this matter:

    The suspect led the police right to his door when he decided to go online. Gascoyne alerted the police that someone had used his account since the burglary. America Online helped investigators link the dial-up computer connection to a phone number, which SBC then linked to a phone jack at Krastof's home.


    This is TOTALLY un-scary. The Wells Fargo guy apparently has his password cached on the machine. This guy just clicks "login" and logs in AS THE GUY WHOSE COMPUTER WAS STOLEN. At this point it's a trivial bit of work to go catch the guy.
  27. "You've got jail" by trance9 · · Score: 4, Insightful

    I bet the machine had some email software on it (Outlook?) that checked for new mail once an internet connection was available. The mail server logs would show the IP address.

    1. Re:"You've got jail" by Anonymous Coward · · Score: 5, Informative

      I work for WF but do not mean to represent my employer here. Your answer is pretty close to right on. Our network logs ALL accesses, but of course denies access to our intranet from the internet at large. Ergo, any requests in the access log (like when Outlook tries to connect to our mailserver, for example) that originate outside the intranet are automatically red-flagged. Requests to certain ports within our network are a more serious red flag as it indicates someone is starting an internal application from outside the intranet. IPs are logged, tracert to AOL, have FBI get AOL's access log to match temporary IP/date/time to originating login... not exactly rocket science, folks... There are other applications that as a matter of operation 'call home', so really the moral of the story is that it is a dumb idea to steal computers from work unless you really know how the computer is configured.
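
The red-flagging described in this comment, as an added example that is neither the poster's nor Wells Fargo's code: it scans constructed access-log lines, flags every request whose source address lies outside assumed intranet ranges (even when the firewall already denied it), and raises the severity when the destination port is one of an assumed set of internal-application ports. Ranges, ports, addresses and the log format are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: address ranges that count as "inside" the intranet.
INTRANET = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("172.16.0.0/12")]

# Constructed: ports that only internal applications should ever be reached on.
# A request to one of these from outside is the "more serious red flag" case.
INTERNAL_APP_PORTS = {1433, 8443}

# Constructed access-log lines: timestamp src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2003-11-20T22:05:01Z 10.20.30.40 10.1.1.25 25 allow
2003-11-20T22:05:09Z 198.51.100.17 10.1.1.25 25 deny
2003-11-20T22:05:12Z 198.51.100.17 10.1.1.30 1433 deny
2003-11-20T22:06:44Z 172.20.5.6 10.1.1.30 1433 allow
2003-11-20T22:07:00Z 203.0.113.9 10.1.1.25 25 deny
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src_ip: str
    dst_port: int
    severity: str   # "external" or "external-internal-app"


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTRANET)


def classify(line: str) -> Optional[Finding]:
    """One log line -> a Finding if the source is outside the intranet, else None.
    The firewall action is deliberately ignored: a denied connection from outside
    still tells you that a machine configured for the intranet is somewhere it
    should not be, which is the whole point of the red flag."""
    ts, src, _dst, port, _action = line.split()
    dst_port = int(port)
    if is_internal(src):
        return None
    severity = "external-internal-app" if dst_port in INTERNAL_APP_PORTS else "external"
    return Finding(ts, src, dst_port, severity)


def scan(log: str) -> List[Finding]:
    return [f for f in (classify(l) for l in log.splitlines() if l.strip()) if f]


def worst_by_source(findings: List[Finding]) -> Dict[str, str]:
    """Collapse findings to one severity per external source, keeping the worst,
    which is the list an analyst would hand over together with the timestamps."""
    rank = {"external": 1, "external-internal-app": 2}
    worst: Dict[str, str] = {}
    for f in findings:
        if rank[f.severity] > rank.get(worst.get(f.src_ip, ""), 0):
            worst[f.src_ip] = f.severity
    return worst


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print(worst_by_source(scan(SAMPLE_LOG)))
```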

  28. no warrant needed by js7a · · Score: 4, Interesting

    Fred sets his laptop up to log into AOL with a default account and password. The crook steals the laptop. Fred calls AOL asking what ANI-reported telephone number his account has logged in on since the theft. AOL tells Fred the phone number. Fred reports the number to the cops. The cops get reverse directory information from the phone company (without a warrant unless the number is unlisted.) The cops ask Fred to ask AOL to inform the cops upon the next login. The crook logs in again. AOL calls the cops. The phone numbers match. Cops bust down Crook's door without a warrant because they have knowledge that a crime is taking place. The crook is busted.

  29. 99% clueless techie-wannabees by Anonymous Coward · · Score: 4, Interesting
    First, hats off to all who don't know and say so, or simply state it. It's OK if you don't know your NIC's vendor ID/prefix by heart, or if you can't dissect the IP header without a reference.
    Really.

    To the rest: Offering complete goofball theory after complete goofball theory, briefly resting only to scream 'violation of privacy' then going back and suggesting another goofball theory impresses nobody. CPUID/NIC MAC/Windows/Office/[you-name-it] identifiers or serial numbers are not immediately accessible just because you have a PPP session going over your modem. If a phone-home feature was installed, then fine, but that's a completely different story.

    Another hilarious example was the default-route theory, which someone suggested as a 'dead giveaway' to the feds. Hello!? Even if the routing table was accessible, routes associated with a NIC wouldn't be *in* the table unless the NIC was active, and the setting would only be visible in the registry, not typically accessible to the world, nor routinely queried by an ISP. And never mind the statistical probability that a corporate NIC is configured for DHCP, thus it wouldn't have a default route to begin with.

    I simply can't believe the amount of idiotic pseudo-techies posting and feeling BIG because they could incorrectly apply page 254 of the MCSE prep guide to formulate a crackpot theory.

    Bleeeeeeeeeeeechhhh.

  30. How about this? by 3.5+stripes · · Score: 4, Informative

    Known stolen AOL account + phone number recorded by any ISP (RADIUS does it by default) + call to phone company by FBI = physical location.

    No magic.

    --
    He tried to kill me with a forklift!
  31. Re:PC call home by mess31173 · · Score: 5, Informative

    I work at Wells Fargo and there is a pile of 8 laptops on my desk and the images I apply to them don't have any "call home" software. FYI.

  32. Resetting/deleting WinXP admin pass takes seconds by horza · · Score: 4, Informative

    I downloaded onto floppy disc the program here and had reset the admin password on my Win XP box within seconds. Never seen anything so simple in my life. Though others recommend LC4 which also works.

    Phillip.

  33. Re:Mac address perhaps ? by frehe · · Score: 4, Informative

    Read ifconfig(8) to see how you can do it under Linux. Google for "sea.c" to see how you can do it under OpenBSD.

  34. Re:Not spyware. The story is much simpler than tha by _Sprocket_ · · Score: 5, Informative
    An even better quote from another source reads:

    Investigators knew where to look for the gear not because of unusually intrepid sleuthing but because Krastof allegedly used the computer to log on to an AOL account belonging to the system's owner, Peter Gascoyne.

    Seems Reuters screwed up on the facts.
  35. NO, he used owners AOL account. by babazaroni · · Score: 4, Informative

    http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2003/11/26/financial1853EST0113.DTL