MacAssist Apple Authorised Reseller

MacAssist Wanaka and iCommunicate, Lake Wanaka NZ +64 3 443 8101

19 Rata St. Wanaka 9305

Archives from posts to the Home Page ...


Sunday, December 14, 2008  

A Stolen iMac...

A story from Tech Support at University of Waikato NZ:

The house of one of the technical support guys was burgled a few weeks
ago for the second time in two months. In the first 
burglary he lost a big screen TV and a digital camera. The second 
time though it was his flat panel iMac, which is where it gets 
interesting. The owner uses a program on his home computer that 
advertises its IP address, and a few days after the machine was 
stolen he noticed that it was once again online. So of course we 
grabbed the IP address and handed it to the cops, who quickly got 
the address from the ISP, acquired a search warrant and raided the 
customer's address. Unfortunately they discovered the bemused owner 
operated an unsecured wireless access point and the actual machine, 
while definitely in the neighborhood, wasn't in the house. The 
police couldn't do much at this point, except give us the address 
of the place. But were we defeated? Never, crime mustn't pay, and 
there were irreplaceable baby pictures at stake! We spent the 
weekend coding up some bash and AppleScripts, and left a small 
script running that would call our cells if the poor lost iMac 
again screamed for help.

A few days later our script announced that the Mac was once again 
online, and the IP range was in the same subnet so we assumed it 
was connecting to the wireless access point at the address the 
police had given us. We grabbed a MacBook and drove on over, 
parked outside the house and connected to the (still unsecured) 
wireless network. Bonjour seemed to be off on all the network 
machines, and no device was browsable on the network using a name 
that was familiar, so we monitored ARP packets for a while until a 
familiar Apple MAC address appeared. A port scan showed that all 
the sharing services on the Mac had been turned off except SMB, but 
luckily the owner had configured a Samba share of the root of the boot 
drive and with our administrator access we were able to connect and 
mount the share. Once we were in we copied as much data 
off as possible (a lot had been deleted sadly) and uploaded our 
weekend's scripting into /Library/LaunchDaemons. Then we headed 
back to work.

The next day we checked our FTP server and discovered that our 
first launchd script was working great! Every two minutes the Mac 
would fire up a small AppleScript that instructed it to take a 
picture with its built-in iSight and store it in /tmp. The 
second launchd script monitored for internet connectivity and upon 
connection (scurvy dog stole broadband as well as hardware!) ftp'd 
all the pictures it had taken to us at the university. And there 
were a lot!

We could see from these that the guy lived in a small apartment.  
There was only one apartment building in the neighbourhood we were 
in, so now we were pretty confident of the general address. The 
third script enabled reverse SSH tunneling, so we connected to the 
machine and discovered its host name had been changed to "Bxx- Hxxk".
Could this be our perp's full name?
Digging round his iPhoto library through SSH we found:

Aww how cute, they found Photo Booth! And confirmed his name for 
us. :)

We turned all this over to the Hamilton Burglary Squad and we heard 
this afternoon that Bxx has been arrested, the iMac has been 
rescued and is resting comfortably after its long ordeal. We 
haven't heard back yet about the much less cooperative big screen 
TV but we're hopeful it'll be there too. We're thinking now that 
we'll package up our ad-hoc scripts into a nice open source GUI 
package, include a simple remote activation mechanism like the 
presence of the file "you_have_been_stolen!!!.txt" on the 
owner's .Mac account and make it available for other junior crime 
fighters. We're thinking we could even expand it to upload logs, 
internet caches and history, even turn on its mike and record 
conversations. And none of this would have been possible if it'd been a PC!

Lots more fun than regular old work too. :)

posted by Donald  # 4:56 PM
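
The jobs in this story were placed in /Library/LaunchDaemons through a writable share, so that directory is worth auditing on any Mac. The following is an added example, not code from the original post: it checks launchd plists for the traits the story describes (a script run every couple of minutes from /tmp, a reverse SSH tunnel, an upload tool). The plist names, labels and sample jobs are constructed for illustration.

```python
import plistlib

# Constructed sample jobs (not from the post): one benign, two shaped like the
# jobs the story describes (periodic AppleScript from /tmp, reverse SSH tunnel).
SAMPLES = {
    "com.example.backup.plist": {
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
        "StartCalendarInterval": {"Hour": 2, "Minute": 0},
    },
    "com.example.snap.plist": {
        "Label": "com.example.snap",
        "ProgramArguments": ["/usr/bin/osascript", "/tmp/snap.scpt"],
        "StartInterval": 120,
    },
    "com.example.tunnel.plist": {
        "Label": "com.example.tunnel",
        "ProgramArguments": ["/usr/bin/ssh", "-N", "-R", "2222:localhost:22", "user@host.example"],
        "KeepAlive": True,
    },
}

WORLD_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"osascript", "sh", "bash", "python", "perl"}

def audit_job(raw: bytes) -> list[str]:
    """Return a list of findings for one launchd plist given as bytes."""
    job = plistlib.loads(raw)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    exe = args[0].rsplit("/", 1)[-1]
    findings = []
    if any(a.startswith(WORLD_WRITABLE) for a in args):
        findings.append("runs-from-world-writable-path")
    if exe in INTERPRETERS and 0 < job.get("StartInterval", 0) <= 300:
        findings.append("frequent-script-interpreter")
    if exe == "ssh" and "-R" in args:
        findings.append("reverse-ssh-tunnel")
    if exe in {"ftp", "curl", "scp"}:
        findings.append("network-transfer-tool")
    return findings

def audit_all(plists: dict[str, bytes]) -> dict[str, list[str]]:
    """Map file name -> findings, keeping only jobs with at least one finding."""
    results = {name: audit_job(raw) for name, raw in plists.items()}
    return {name: f for name, f in results.items() if f}

# Serialise the constructed samples as they would sit in /Library/LaunchDaemons.
SAMPLE_BYTES = {name: plistlib.dumps(job) for name, job in SAMPLES.items()}
print(audit_all(SAMPLE_BYTES))
```

On a real machine, feed `audit_all` the bytes of each `*.plist` under /Library/LaunchDaemons and /Library/LaunchAgents and review anything it returns.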




All models of Mac computers can be supplied by MacAssist along with support services in the Southern Lakes and Central Otago areas of New Zealand, specifically Wanaka and Queenstown...

While every endeavour is made to ensure the accuracy of these [blog] articles, we cannot take any responsibility for actions taken based solely on their content without our personal input. Please contact us if you're planning any such actions.