Thursday, November 18, 2010

Things you can do to aid recovering one's stolen laptop part 1

I was inspired by a presentation i saw on securitytube.net, "Pwned by the owner", presented at defcon 18 by Zoz. The presenter gave us his story of an incident where his laptop was stolen by an individual and the series of the things that he was able to do that led to its recovery. It was a very interesting and eye opening presentation that i would encourage all to watch.

In summary, as a result of a few services that were running silently in the background, he already had a foot into his system. He had some sort of dyndns client running on his system that sent all updated public IP addresses to his dyndns account. What this means is that whenever his laptop was connected to internet at any location, the dyndns client will detect any changes to its public IP address and update your dyndns account record. With this IP address you can do a reverse lookup of the IP address, find out location information and the current ISP of the connected node (Can also contact the ISP and report this to authorities). In some cases given the right software, if your laptop is connected via wifi, it is possible to get an idea , within reasonable distance, of where your laptop is on the map (like phone navigation with no built-in gps reciever).

When Zoz discovered that his dyndns account recorded a new IP, he proceed to do nslookups did pings at multiple times until he recieved a response (this can be scripted as well so you can be notified when the host is up. Think of a bash script with a cron job). When he finally got ping replys and his host was up, he then attempted to connect to some of the services that he had running on his box before it was stolen. These services included ssh and vnc. As it was his laptop he knew all the required passwords so he eventually had inside access. From then on here, he did some recon. He was able to find out pictures of the criminal that were stored on the hard drive. A history of his browser cookies and browser history cache gave us a profile of this criminal (seems like he was into dating sites and lots of porn). What was left to do at this point was to get a street address. Although the public IP can give you the city that the individual resides in, it more than likely will not give you more than that. Finding an exact location was next on Zoz's to do list.

A keylogger was implemented on his system and as you would guess, all usernames and passwords were obtained for the sites he was registerd to, including porn sites and ebay. By investigating the return shipping address of his ebay account, the relevant addressing information was obtained and the authorities then were able to detain the thief.

As soon as i completed watching this presentation i was a little paranoid and wanted to immediately prepare myself for such an incident. Zoz was lucky to obtain the Public IP from his dyndns provider. Without that, he would have no apparent lead and would've been left with a broken heart and lots of regret.

Resources / Good Reading:
pwned by the owner

No comments:

Post a Comment