Home page logo
/

basics logo Security Basics mailing list archives

RE: Wireless IP leads to arrest.. (UNCLASSIFIED)
From: "Chinea, Jose L. Jr. (Contractor)" <luis.chinea () us army mil>
Date: Wed, 10 Oct 2007 09:57:54 -0600

Classification:  UNCLASSIFIED 
Caveats: NONE

Well, let me rephrase what I said.  You may not need to "Log In" to use your
ISP resources with a username/password, but there is one tied to your modem
as you stated.  So the provider can release that information (with a warrant
if not they violate privacy) to the investigators after reviewing log files
(assuming that they have that setup - most do).

Also, there was a comment on this earlier, that the MAC cannot be tied to an
IP?  Yes it can!  If the system in question is DIRECTLY connected to the ISP
(i.e. ISP -> Modem -> System / No Router) they can map the MAC of the system
to IP in their log files (NBTSTAT anyone?).  If the system IS NOT directly
connected (i.e. using a router or firewall) the MAC of the router is
obtained.  Either case, it can always be mapped back to the user.  Once the
invetigators nab the equipment, all they have to do is verify the MAC to
ensure the activity is truly from that system which was tied to IP. 


Luis
Computer Systems Analyst II

 
-----Original Message-----
From: Tremaine Lea [mailto:tremaine () gmail com] 
Sent: Tuesday, October 09, 2007 11:02 PM
To: Chinea, Jose L. Jr. (Contractor)
Cc: cobrajet; security-basics () securityfocus com
Subject: Re: Wireless IP leads to arrest.. (UNCLASSIFIED)

Not every ISP requires a username/pass to connect to their service.   
I've had 3 different high speed providers and was never required to 'log on'
to the network in any way.  Connect network gear, and go.

Having said that, they could also search their dhcp logs for the time period
being investigated and the requested IP, tie that to a mac address, locate
that mac on their network and identify which cable modem it's attached to.
From their the cable modem is tied to a customer account and viola, bobs yer
uncle and it's off to pmita prison.

Which is why any reasonably bright monkey would boot a laptop from a livecd,
run macchanger, connect to an insecure wireless network and then find an
anonymous proxy somewhere.

---
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"



On 9-Oct-07, at 3:42 PM, Chinea, Jose L. Jr. (Contractor) wrote:

Classification:  UNCLASSIFIED
Caveats: NONE

This one is simple!  The media has no idea what it is talking  
about!  How
many times do we hear on the media terminology that makes no sense at
all!?!?!?!  More than likely they tracked IP to an ISP and then  
demanded the
ISP to reliquish the MAC address to username being used at that  
time (every
ISP has a username and password in order to access their  
resources).   Also,
if there was a 5 year investigation already going on, they may have  
already
known of the hacker's location and narrowed down any monitoring to  
a single
subnet on the ISP's network.

just a theory.... but this is probably what happened and the media  
didn't
know how to word it


Luis
Computer Systems Analyst II



-----Original Message-----
From: cobrajet [mailto:uby500 () yahoo com]
Sent: Tuesday, October 09, 2007 3:12 PM
To: security-basics () securityfocus com
Subject: Re: Wireless IP leads to arrest..


Hi Guys,

I am sorry for the delay in getting you more info on this (I was  
traveling).
Here's the story as it appears on the web and for the life of me I  
can't
fathom what damning electronic evidence they used to arrest this  
guy? ..or
for that matter what the crime was (a criminal opinion?)

"Type of Investigation: Forgery and Identity Theft; Date and Time:  
3/25/06
at 1:00 pm; Location: V/Fredonia; Subject(s): xxxxxxxx, of Rock  
Hill, SC;
Charges: Forgery 3rd, Identity Theft 3rd; Court: C/Dunkirk; Details  
of the
Incident: A five-month investigation concluded in the arrest of above
subject.  It is alleged that the above subject opened a yahoo email  
address
with the name of the victim. The subject then sent a politically  
charged
editorial letter to the Observer in the name of the victim.  This  
letter was
published.  An investigation into the opened yahoo profile and the  
sender of
the letter showed internet addresses that came back to the above  
subject's
addresses in South Carolina and Fredonia.  The subject was issued  
appearance
tickets for the above charges and will appear in the C/Dunkirk  
Court at a
later date.  This incident was investigated by the Chautauqua County
Sheriff's Office by Inv. Lawrence S. Klajbor."


How could they arrest someone using an IP address alone without  
siezing or
analyzing anything? How could they determine (from many states  
away) who did
what on a wireless PC network without supporting forensics or misc
investiagting evidence?

I was curious as to your comments/clarity nbecause this looks very  
odd to
me.






security-35 wrote:

Maybe it was IP + Mac Address of the Wireless NIC?

Where's the full story (link)?


Eric Marden
xentek: enlightened internet solutions http://xentek.net/

On Oct 6, 2007, at 11:03 AM, cobrajet wrote:


How can this be possibile?

A man in WNY was arrested and sentenced to a year in jail over an
email with the sole piece of evidence being an IP address? (- and a
wirless IP address at that?! -) How can they determine from an IP
address who in the house or on a network is actually on the  
computer?

Can anyone explain this to me?8-O
--
View this message in context: http://www.nabble.com/Wireless-IP-
leads-to-arrest..-tf4580165.html#a13074514
Sent from the Security Basics mailing list archive at Nabble.com.





--
View this message in context:
http://www.nabble.com/Wireless-IP-leads-to-arrest..- 
tf4580165.html#a13124923
Sent from the Security Basics mailing list archive at Nabble.com.
Classification:  UNCLASSIFIED
Caveats: NONE

Classification:  UNCLASSIFIED 
Caveats: NONE


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]