RE: Wireless IP leads to arrest.. (UNCLASSIFIED)

["David Gillett" <gillettdavid () fhda edu>]

> With wireless, unless the ISP itself is a wireless carrier 
> (and I don't know the details of how, say, ClearWire works) 
> there is usually an AP and a  modem. The mac address of the 
> clients of the AP are not passed to the ISP thus knowing the 
> identity of the person, authorized or not, using the wireless 
> AP is not a certainty.

  This is not correct.  Most APs -- as opposed to wireless routers! 
-- function as *switches*, propagating client MAC addresses out to 
the (wired, usually) backbone.
  Even when the "AP" *is* a router, it's usually possible and even
easy for the entity which manages it to query it and obtain the
MAC addresses of associated clients.

David Gillett


> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Nic Stevens
> Sent: Wednesday, October 10, 2007 7:16 PM
> To: security-basics () securityfocus com
> Subject: Re: Wireless IP leads to arrest.. (UNCLASSIFIED)
>
> I guess what I was getting at -- and not so well put is this:
>
> With wireless, unless the ISP itself is a wireless carrier 
> (and I don't know the details of how, say, ClearWire works) 
> there is usually an AP and a  modem. The mac address of the 
> clients of the AP are not passed to the ISP thus knowing the 
> identity of the person, authorized or not, using the wireless 
> AP is not a certainty.
>
> Example: A router doesn't use WPA and we all know WEP is not 
> secure, further, MAC addresses can, as pointed out on this 
> list before, be spoofed across those APs as well.
>
> Really there is nothing preventing Party A's next door neighbor (Party
> B) from using various scanning tools to crack into their AP 
> and using their wireless to download porn, chase little 
> girls, rob the bank of all their money or any other crimes 
> that can be done online. The only thing that is certain are 
> the modem and AP addresses.
>
> Let's be frank, most people don't secure their AP's which is 
> clear to my by taking a trip through my neighborhood scanning 
> for AP's.
>
> I'm no lawyer but I think that the ability for Party B to use 
> Party A's AP without their knowledge constitutes reasonable doubt.
>
> Chinea, Jose L. Jr. (Contractor) wrote:
> > Classification:  UNCLASSIFIED
> > Caveats: NONE
> >
> > Well, let me rephrase what I said.  You may not need to "Log In" to 
> > use your ISP resources with a username/password, but there 
> is one tied 
> > to your modem as you stated.  So the provider can release that 
> > information (with a warrant if not they violate privacy) to the 
> > investigators after reviewing log files (assuming that they 
> have that setup - most do).
> > Also, there was a comment on this earlier, that the MAC 
> cannot be tied 
> > to an IP?  Yes it can!  If the system in question is DIRECTLY 
> > connected to the ISP (i.e. ISP -> Modem -> System / No Router) they 
> > can map the MAC of the system to IP in their log files (NBTSTAT 
> > anyone?).  If the system IS NOT directly connected (i.e. using a 
> > router or firewall) the MAC of the router is obtained.  
> Either case, 
> > it can always be mapped back to the user.  Once the 
> invetigators nab 
> > the equipment, all they have to do is verify the MAC to 
> ensure the activity is truly from that system which was tied to IP.
> > Luis
> > Computer Systems Analyst II
> >
> >  
> > -----Original Message-----
> > From: Tremaine Lea [mailto:tremaine () gmail com]
> > Sent: Tuesday, October 09, 2007 11:02 PM
> > To: Chinea, Jose L. Jr. (Contractor)
> > Cc: cobrajet; security-basics () securityfocus com
> > Subject: Re: Wireless IP leads to arrest.. (UNCLASSIFIED)
> >
> > Not every ISP requires a username/pass to connect to their 
> service.   
> > I've had 3 different high speed providers and was never 
> required to 'log on'
> > to the network in any way.  Connect network gear, and go.
> >
> > Having said that, they could also search their dhcp logs 
> for the time 
> > period being investigated and the requested IP, tie that to a mac 
> > address, locate that mac on their network and identify 
> which cable modem it's attached to.
> > > From their the cable modem is tied to a customer account 
> and viola, 
> > > bobs yer
> > uncle and it's off to pmita prison.
> >
> > Which is why any reasonably bright monkey would boot a 
> laptop from a 
> > livecd, run macchanger, connect to an insecure wireless network and 
> > then find an anonymous proxy somewhere.
> >
> > ---
> > Tremaine Lea
> > Network Security Consultant
> > Intrepid ACL
> > "Paranoia for hire"
> >
> >
> >
> > On 9-Oct-07, at 3:42 PM, Chinea, Jose L. Jr. (Contractor) wrote:
> >
> >   
> > > Classification:  UNCLASSIFIED
> > > Caveats: NONE
> > >
> > > This one is simple!  The media has no idea what it is 
> talking about!  
> > > How many times do we hear on the media terminology that makes no 
> > > sense at all!?!?!?!  More than likely they tracked IP to 
> an ISP and 
> > > then demanded the ISP to reliquish the MAC address to 
> username being 
> > > used at that time (every ISP has a username and password 
> in order to 
> > > access their
> > > resources).   Also,
> > > if there was a 5 year investigation already going on, they 
> may have 
> > > already known of the hacker's location and narrowed down any 
> > > monitoring to a single subnet on the ISP's network.
> > >
> > > just a theory.... but this is probably what happened and the media 
> > > didn't know how to word it
> > >
> > >
> > > Luis
> > > Computer Systems Analyst II
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: cobrajet [mailto:uby500 () yahoo com]
> > > Sent: Tuesday, October 09, 2007 3:12 PM
> > > To: security-basics () securityfocus com
> > > Subject: Re: Wireless IP leads to arrest..
> > >
> > >
> > > Hi Guys,
> > >
> > > I am sorry for the delay in getting you more info on this (I was 
> > > traveling).
> > > Here's the story as it appears on the web and for the life of me I 
> > > can't fathom what damning electronic evidence they used to arrest 
> > > this guy? ..or for that matter what the crime was (a criminal 
> > > opinion?)
> > >
> > > "Type of Investigation: Forgery and Identity Theft; Date 
> and Time:  
> > > 3/25/06
> > > at 1:00 pm; Location: V/Fredonia; Subject(s): xxxxxxxx, of 
> Rock Hill, 
> > > SC;
> > > Charges: Forgery 3rd, Identity Theft 3rd; Court: 
> C/Dunkirk; Details 
> > > of the
> > > Incident: A five-month investigation concluded in the 
> arrest of above 
> > > subject.  It is alleged that the above subject opened a 
> yahoo email 
> > > address with the name of the victim. The subject then sent a 
> > > politically charged editorial letter to the Observer in 
> the name of 
> > > the victim.  This letter was published.  An investigation into the 
> > > opened yahoo profile and the sender of the letter showed internet 
> > > addresses that came back to the above subject's addresses in South 
> > > Carolina and Fredonia.  The subject was issued appearance 
> tickets for 
> > > the above charges and will appear in the C/Dunkirk Court 
> at a later 
> > > date.  This incident was investigated by the Chautauqua County 
> > > Sheriff's Office by Inv. Lawrence S. Klajbor."
> > >
> > >
> > > How could they arrest someone using an IP address alone without 
> > > siezing or analyzing anything? How could they determine (from many 
> > > states
> > > away) who did
> > > what on a wireless PC network without supporting forensics or misc 
> > > investiagting evidence?
> > >
> > > I was curious as to your comments/clarity nbecause this looks very 
> > > odd to me.
> > >
> > >
> > >
> > >
> > >
> > >
> > > security-35 wrote:
> > >     
> > > > Maybe it was IP + Mac Address of the Wireless NIC?
> > > >
> > > > Where's the full story (link)?
> > > >
> > > >
> > > > Eric Marden
> > > > xentek: enlightened internet solutions http://xentek.net/
> > > >
> > > > On Oct 6, 2007, at 11:03 AM, cobrajet wrote:
> > > >
> > > >       
> > > > > How can this be possibile?
> > > > >
> > > > > A man in WNY was arrested and sentenced to a year in 
> jail over an 
> > > > > email with the sole piece of evidence being an IP 
> address? (- and a 
> > > > > wirless IP address at that?! -) How can they determine 
> from an IP 
> > > > > address who in the house or on a network is actually on the 
> > > > > computer?
> > > > >
> > > > > Can anyone explain this to me?8-O
> > > > > --
> > > > > View this message in context: http://www.nabble.com/Wireless-IP-
> > > > > leads-to-arrest..-tf4580165.html#a13074514
> > > > > Sent from the Security Basics mailing list archive at Nabble.com.
> > > > >
> > > > >         
> > > >
> > > >       
> > > --
> > > View this message in context:
> > > http://www.nabble.com/Wireless-IP-leads-to-arrest..-
> > > tf4580165.html#a13124923
> > > Sent from the Security Basics mailing list archive at Nabble.com.
> > > Classification:  UNCLASSIFIED
> > > Caveats: NONE
> > >
> > >     
> > Classification:  UNCLASSIFIED
> > Caveats: NONE
> >
> >
> >   
>
> --
> Rock is dead! Long live paper and scissors!