Home page logo
/

basics logo Security Basics mailing list archives

RE: Wireless IP leads to arrest.. (UNCLASSIFIED)
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 11 Oct 2007 10:04:19 -0700

With wireless, unless the ISP itself is a wireless carrier 
(and I don't know the details of how, say, ClearWire works) 
there is usually an AP and a  modem. The mac address of the 
clients of the AP are not passed to the ISP thus knowing the 
identity of the person, authorized or not, using the wireless 
AP is not a certainty.

  This is not correct.  Most APs -- as opposed to wireless routers! 
-- function as *switches*, propagating client MAC addresses out to 
the (wired, usually) backbone.
  Even when the "AP" *is* a router, it's usually possible and even
easy for the entity which manages it to query it and obtain the
MAC addresses of associated clients.

David Gillett


-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Nic Stevens
Sent: Wednesday, October 10, 2007 7:16 PM
To: security-basics () securityfocus com
Subject: Re: Wireless IP leads to arrest.. (UNCLASSIFIED)

I guess what I was getting at -- and not so well put is this:

With wireless, unless the ISP itself is a wireless carrier 
(and I don't know the details of how, say, ClearWire works) 
there is usually an AP and a  modem. The mac address of the 
clients of the AP are not passed to the ISP thus knowing the 
identity of the person, authorized or not, using the wireless 
AP is not a certainty.

Example: A router doesn't use WPA and we all know WEP is not 
secure, further, MAC addresses can, as pointed out on this 
list before, be spoofed across those APs as well.

Really there is nothing preventing Party A's next door neighbor (Party
B) from using various scanning tools to crack into their AP 
and using their wireless to download porn, chase little 
girls, rob the bank of all their money or any other crimes 
that can be done online. The only thing that is certain are 
the modem and AP addresses.

Let's be frank, most people don't secure their AP's which is 
clear to my by taking a trip through my neighborhood scanning 
for AP's.

I'm no lawyer but I think that the ability for Party B to use 
Party A's AP without their knowledge constitutes reasonable doubt.

Chinea, Jose L. Jr. (Contractor) wrote:
Classification:  UNCLASSIFIED
Caveats: NONE

Well, let me rephrase what I said.  You may not need to "Log In" to 
use your ISP resources with a username/password, but there 
is one tied 
to your modem as you stated.  So the provider can release that 
information (with a warrant if not they violate privacy) to the 
investigators after reviewing log files (assuming that they 
have that setup - most do).

Also, there was a comment on this earlier, that the MAC 
cannot be tied 
to an IP?  Yes it can!  If the system in question is DIRECTLY 
connected to the ISP (i.e. ISP -> Modem -> System / No Router) they 
can map the MAC of the system to IP in their log files (NBTSTAT 
anyone?).  If the system IS NOT directly connected (i.e. using a 
router or firewall) the MAC of the router is obtained.  
Either case, 
it can always be mapped back to the user.  Once the 
invetigators nab 
the equipment, all they have to do is verify the MAC to 
ensure the activity is truly from that system which was tied to IP.


Luis
Computer Systems Analyst II

 
-----Original Message-----
From: Tremaine Lea [mailto:tremaine () gmail com]
Sent: Tuesday, October 09, 2007 11:02 PM
To: Chinea, Jose L. Jr. (Contractor)
Cc: cobrajet; security-basics () securityfocus com
Subject: Re: Wireless IP leads to arrest.. (UNCLASSIFIED)

Not every ISP requires a username/pass to connect to their 
service.   
I've had 3 different high speed providers and was never 
required to 'log on'
to the network in any way.  Connect network gear, and go.

Having said that, they could also search their dhcp logs 
for the time 
period being investigated and the requested IP, tie that to a mac 
address, locate that mac on their network and identify 
which cable modem it's attached to.
From their the cable modem is tied to a customer account 
and viola, 
bobs yer
uncle and it's off to pmita prison.

Which is why any reasonably bright monkey would boot a 
laptop from a 
livecd, run macchanger, connect to an insecure wireless network and 
then find an anonymous proxy somewhere.

---
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"



On 9-Oct-07, at 3:42 PM, Chinea, Jose L. Jr. (Contractor) wrote:

  
Classification:  UNCLASSIFIED
Caveats: NONE

This one is simple!  The media has no idea what it is 
talking about!  
How many times do we hear on the media terminology that makes no 
sense at all!?!?!?!  More than likely they tracked IP to 
an ISP and 
then demanded the ISP to reliquish the MAC address to 
username being 
used at that time (every ISP has a username and password 
in order to 
access their
resources).   Also,
if there was a 5 year investigation already going on, they 
may have 
already known of the hacker's location and narrowed down any 
monitoring to a single subnet on the ISP's network.

just a theory.... but this is probably what happened and the media 
didn't know how to word it


Luis
Computer Systems Analyst II



-----Original Message-----
From: cobrajet [mailto:uby500 () yahoo com]
Sent: Tuesday, October 09, 2007 3:12 PM
To: security-basics () securityfocus com
Subject: Re: Wireless IP leads to arrest..


Hi Guys,

I am sorry for the delay in getting you more info on this (I was 
traveling).
Here's the story as it appears on the web and for the life of me I 
can't fathom what damning electronic evidence they used to arrest 
this guy? ..or for that matter what the crime was (a criminal 
opinion?)

"Type of Investigation: Forgery and Identity Theft; Date 
and Time:  
3/25/06
at 1:00 pm; Location: V/Fredonia; Subject(s): xxxxxxxx, of 
Rock Hill, 
SC;
Charges: Forgery 3rd, Identity Theft 3rd; Court: 
C/Dunkirk; Details 
of the
Incident: A five-month investigation concluded in the 
arrest of above 
subject.  It is alleged that the above subject opened a 
yahoo email 
address with the name of the victim. The subject then sent a 
politically charged editorial letter to the Observer in 
the name of 
the victim.  This letter was published.  An investigation into the 
opened yahoo profile and the sender of the letter showed internet 
addresses that came back to the above subject's addresses in South 
Carolina and Fredonia.  The subject was issued appearance 
tickets for 
the above charges and will appear in the C/Dunkirk Court 
at a later 
date.  This incident was investigated by the Chautauqua County 
Sheriff's Office by Inv. Lawrence S. Klajbor."


How could they arrest someone using an IP address alone without 
siezing or analyzing anything? How could they determine (from many 
states
away) who did
what on a wireless PC network without supporting forensics or misc 
investiagting evidence?

I was curious as to your comments/clarity nbecause this looks very 
odd to me.






security-35 wrote:
    
Maybe it was IP + Mac Address of the Wireless NIC?

Where's the full story (link)?


Eric Marden
xentek: enlightened internet solutions http://xentek.net/

On Oct 6, 2007, at 11:03 AM, cobrajet wrote:

      
How can this be possibile?

A man in WNY was arrested and sentenced to a year in 
jail over an 
email with the sole piece of evidence being an IP 
address? (- and a 
wirless IP address at that?! -) How can they determine 
from an IP 
address who in the house or on a network is actually on the 
computer?

Can anyone explain this to me?8-O
--
View this message in context: http://www.nabble.com/Wireless-IP-
leads-to-arrest..-tf4580165.html#a13074514
Sent from the Security Basics mailing list archive at Nabble.com.

        

      
--
View this message in context:
http://www.nabble.com/Wireless-IP-leads-to-arrest..-
tf4580165.html#a13124923
Sent from the Security Basics mailing list archive at Nabble.com.
Classification:  UNCLASSIFIED
Caveats: NONE

    
Classification:  UNCLASSIFIED
Caveats: NONE


  

--
Rock is dead! Long live paper and scissors! 



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault