Security Basics mailing list archives
RE: Wireless IP leads to arrest.. (UNCLASSIFIED)
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 11 Oct 2007 10:04:19 -0700
> With wireless, unless the ISP itself is a wireless carrier (and I don't know the details of how, say, ClearWire works) there is usually an AP and a modem. The mac address of the clients of the AP are not passed to the ISP thus knowing the identity of the person, authorized or not, using the wireless AP is not a certainty.
This is not correct. Most APs -- as opposed to wireless routers! -- function as *switches*, propagating client MAC addresses out to the (wired, usually) backbone. Even when the "AP" *is* a router, it's usually possible and even easy for the entity which manages it to query it and obtain the MAC addresses of associated clients.

David Gillett
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nic Stevens
Sent: Wednesday, October 10, 2007 7:16 PM
To: security-basics () securityfocus com
Subject: Re: Wireless IP leads to arrest.. (UNCLASSIFIED)

I guess what I was getting at -- and not so well put is this:

With wireless, unless the ISP itself is a wireless carrier (and I don't know the details of how, say, ClearWire works) there is usually an AP and a modem. The mac address of the clients of the AP are not passed to the ISP thus knowing the identity of the person, authorized or not, using the wireless AP is not a certainty.

Example: A router doesn't use WPA and we all know WEP is not secure, further, MAC addresses can, as pointed out on this list before, be spoofed across those APs as well.

Really there is nothing preventing Party A's next door neighbor (Party B) from using various scanning tools to crack into their AP and using their wireless to download porn, chase little girls, rob the bank of all their money or any other crimes that can be done online.

The only thing that is certain are the modem and AP addresses.

Let's be frank, most people don't secure their AP's which is clear to me by taking a trip through my neighborhood scanning for AP's.

I'm no lawyer but I think that the ability for Party B to use Party A's AP without their knowledge constitutes reasonable doubt.

Chinea, Jose L. Jr. (Contractor) wrote:

Classification: UNCLASSIFIED
Caveats: NONE

Well, let me rephrase what I said. You may not need to "Log In" to use your ISP resources with a username/password, but there is one tied to your modem as you stated. So the provider can release that information (with a warrant if not they violate privacy) to the investigators after reviewing log files (assuming that they have that setup - most do).

Also, there was a comment on this earlier, that the MAC cannot be tied to an IP? Yes it can!
If the system in question is DIRECTLY connected to the ISP (i.e. ISP -> Modem -> System / No Router) they can map the MAC of the system to IP in their log files (NBTSTAT anyone?). If the system IS NOT directly connected (i.e. using a router or firewall) the MAC of the router is obtained.

Either case, it can always be mapped back to the user. Once the investigators nab the equipment, all they have to do is verify the MAC to ensure the activity is truly from that system which was tied to IP.

Luis
Computer Systems Analyst II

-----Original Message-----
From: Tremaine Lea [mailto:tremaine () gmail com]
Sent: Tuesday, October 09, 2007 11:02 PM
To: Chinea, Jose L. Jr. (Contractor)
Cc: cobrajet; security-basics () securityfocus com
Subject: Re: Wireless IP leads to arrest.. (UNCLASSIFIED)

Not every ISP requires a username/pass to connect to their service. I've had 3 different high speed providers and was never required to 'log on' to the network in any way. Connect network gear, and go.

Having said that, they could also search their dhcp logs for the time period being investigated and the requested IP, tie that to a mac address, locate that mac on their network and identify which cable modem it's attached to.

From there the cable modem is tied to a customer account and voila, bobs yer uncle and it's off to pmita prison.

Which is why any reasonably bright monkey would boot a laptop from a livecd, run macchanger, connect to an insecure wireless network and then find an anonymous proxy somewhere.

---
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"

On 9-Oct-07, at 3:42 PM, Chinea, Jose L. Jr. (Contractor) wrote:

Classification: UNCLASSIFIED
Caveats: NONE

This one is simple! The media has no idea what it is talking about! How many times do we hear on the media terminology that makes no sense at all!?!?!?!
More than likely they tracked IP to an ISP and then demanded the ISP to relinquish the MAC address to username being used at that time (every ISP has a username and password in order to access their resources).

Also, if there was a 5 year investigation already going on, they may have already known of the hacker's location and narrowed down any monitoring to a single subnet on the ISP's network.

just a theory.... but this is probably what happened and the media didn't know how to word it

Luis
Computer Systems Analyst II

-----Original Message-----
From: cobrajet [mailto:uby500 () yahoo com]
Sent: Tuesday, October 09, 2007 3:12 PM
To: security-basics () securityfocus com
Subject: Re: Wireless IP leads to arrest..

Hi Guys,

I am sorry for the delay in getting you more info on this (I was traveling). Here's the story as it appears on the web and for the life of me I can't fathom what damning electronic evidence they used to arrest this guy? ..or for that matter what the crime was (a criminal opinion?)

"Type of Investigation: Forgery and Identity Theft; Date and Time: 3/25/06 at 1:00 pm; Location: V/Fredonia; Subject(s): xxxxxxxx, of Rock Hill, SC; Charges: Forgery 3rd, Identity Theft 3rd; Court: C/Dunkirk; Details of the Incident: A five-month investigation concluded in the arrest of above subject. It is alleged that the above subject opened a yahoo email address with the name of the victim. The subject then sent a politically charged editorial letter to the Observer in the name of the victim. This letter was published. An investigation into the opened yahoo profile and the sender of the letter showed internet addresses that came back to the above subject's addresses in South Carolina and Fredonia. The subject was issued appearance tickets for the above charges and will appear in the C/Dunkirk Court at a later date. This incident was investigated by the Chautauqua County Sheriff's Office by Inv. Lawrence S. Klajbor."
How could they arrest someone using an IP address alone without seizing or analyzing anything? How could they determine (from many states away) who did what on a wireless PC network without supporting forensics or misc investigating evidence? I was curious as to your comments/clarity because this looks very odd to me.

security-35 wrote:

Maybe it was IP + Mac Address of the Wireless NIC? Where's the full story (link)?

Eric Marden
xentek: enlightened internet solutions
http://xentek.net/

On Oct 6, 2007, at 11:03 AM, cobrajet wrote:

How can this be possible? A man in WNY was arrested and sentenced to a year in jail over an email with the sole piece of evidence being an IP address? (- and a wireless IP address at that?! -) How can they determine from an IP address who in the house or on a network is actually on the computer? Can anyone explain this to me? 8-O

--
View this message in context: http://www.nabble.com/Wireless-IP-leads-to-arrest..-tf4580165.html#a13074514
Sent from the Security Basics mailing list archive at Nabble.com.

--
View this message in context: http://www.nabble.com/Wireless-IP-leads-to-arrest..-tf4580165.html#a13124923
Sent from the Security Basics mailing list archive at Nabble.com.

Classification: UNCLASSIFIED
Caveats: NONE

Classification: UNCLASSIFIED
Caveats: NONE

--
Rock is dead! Long live paper and scissors!
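
The DHCP-log lookup described in the thread (IP address and time period, to MAC address, to cable modem, to customer account), as an added example that is not part of any poster's message. The log layout, modem ids and account ids are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows (not from the thread): ISP-side DHCP lease log.
# Fields: lease start, lease length in seconds, IP handed out, MAC the ISP saw,
# and the cable modem the request arrived through (hypothetical ids).
LEASES = [
    ("2007-10-01 10:00:00", 86400, "198.51.100.7", "00:11:22:aa:bb:01", "modem-A"),
    # Early re-issue of the same IP; the release of the first lease was not logged.
    ("2007-10-02 09:30:00", 86400, "198.51.100.7", "00:11:22:cc:dd:02", "modem-B"),
    ("2007-10-02 20:00:00", 3600, "198.51.100.9", "00:11:22:aa:bb:01", "modem-A"),
]
# Constructed billing table: modem -> customer account.
ACCOUNTS = {"modem-A": "acct-1001", "modem-B": "acct-2002"}


def attribute(ip, when, leases=LEASES, accounts=ACCOUNTS):
    """Find the lease(s) that covered `ip` at time `when`.

    The MAC in a hit is whatever device faced the ISP (the router's MAC when
    a router is present), so a hit identifies a subscriber account, not the
    person or the wireless client behind the AP.
    """
    t = datetime.strptime(when, FMT)
    hits = []
    for start, secs, lease_ip, mac, modem in leases:
        begin = datetime.strptime(start, FMT)
        end = begin + timedelta(seconds=secs)
        if lease_ip == ip and begin <= t < end:
            hits.append({"mac": mac, "modem": modem,
                         "account": accounts.get(modem)})
    if not hits:
        return {"status": "no-lease", "hits": []}
    # More than one modem for the same IP and instant means the log alone
    # cannot settle which subscriber held the address.
    modems = {h["modem"] for h in hits}
    status = "unique" if len(modems) == 1 else "ambiguous"
    return {"status": status, "hits": hits}


if __name__ == "__main__":
    for ts in ("2007-10-01 12:00:00", "2007-10-02 09:45:00", "2007-10-03 12:00:00"):
        print(ts, attribute("198.51.100.7", ts))
```
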