October 23, 2009 5:32 PM PDT

Spying on a stolen laptop

by Elinor Mills

Imagine your laptop gets stolen. Wouldn't it be great to remotely spy on the machine and get it back?

Clair Fleener, chief executive of IT outsourcer InertLogic, got that chance after a laptop belonging to a customer was stolen.

Fleener was instrumental in the investigation that led to the recovery of the laptop, monitoring the activities of the laptop user for two weeks using remote software and sharing the information with law enforcement in Omaha, Neb.

The story starts back in mid-May, right around Mother's Day, Fleener recounted this week. Someone broke into the car of an employee working for an InertLogic customer and stole the laptop, which had work and personal information on it.

Months went by before anyone realized that technology InertLogic uses to help manage equipment remotely was sitting on the laptop and could be flipped on to monitor it. The technology, from Kaseya, captures screenshots from remote machines and can be used to install keyloggers, as well as record audio and images from a Webcam.

Fleener relied only on the screenshots, captured every 5 or 10 seconds, to see what the user of the laptop was up to. Within a short time, he learned the name, address, and other sensitive information about the man using the laptop. (Fleener is careful not to accuse the individual of being the thief because there is no proof of that.)

The man visited Facebook, MySpace, and other social networks, according to Fleener. He used Google to search for auto parts and did queries on how to remove security tags from merchandise. He looked at porn and made pirate copies of DVDs, including "Harry Potter and the Half-Blood Prince." Every time the laptop went online, typically on weekend nights and never on Tuesday, Fleener and others got paged.

Benjamin Lavalley, a senior engineer at Kaseya, figured out that by looking at the nearby Wi-Fi access points and doing an online map search, they could try to find out the exact location of the laptop.

The list of Wi-Fi access points indicated that an AT&T store, a Burger King, and a Cubbies restaurant were all nearby. Lavalley searched Google Earth for a location with those merchants in close proximity and narrowed the location down to a spot about 20 miles away from where the laptop was stolen. A drive-by confirmed it--the laptop appeared to be in an automotive shop and gas station where the man using it happened to work.

This screen shot shows an AT&T store and a nearby Burger King on Google Earth, helping investigators pinpoint the location of the stolen laptop based on Wi-Fi networks available.

(Credit: InertLogic/Kaseya)

On Wednesday night, about two weeks after the sleuthing began, sheriff's agents went to the auto shop and caught the man using the laptop.

"He had a cover story and it was pretty well thought out," Fleener said, explaining why no arrest was made. The man claimed he had bought the laptop from a customer of his for $500 and didn't know it was stolen. Despite losing the money, he handed the machine over with no objections, Fleener said.

"It's like every movie or TV program where there's a mystery involved," Fleener said of the investigation. "You find yourself getting involved in the story. It was very exciting."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by CITechnologies October 23, 2009 5:50 PM PDT
Smart enough to Google how to remove security tags, but not smart enough to reload the OS on a stolen laptop. Classic idiocy from stupid crooks. No, there weren't any arrests, but the searches made would be enough to make the accusation.
by mbenedict October 23, 2009 6:08 PM PDT
Frankly, this incident demonstrates VERY POOR SECURITY for a managed corporate device.

That laptop should have been *encrypted* using whole disk encryption technology. No one should have been able to access the laptop without proper credentials. The fact that someone was able to log in and use the laptop is inexcusable.

If I were InertLogic or Kaseya, I wouldn't be bragging about this incident.
by ben-kaseya October 23, 2009 9:30 PM PDT
Just getting the laptop back is good enough most of the time, it's up to law enforcement to decide if they want to make an arrest. This is the third case I worked on where one of our customers had a stolen laptop that they were able to get back with Kaseya -- the previous two resulted in an arrest and a warrant, one in Sydney, Australia the other in California.

To mbenedict who responded about disk encryption...

Is full disk encryption all that necessary these days when the applications and data accessed by the laptop were all run 'in the cloud' and there isn't any corporate information consistently present on the device?

Disk encryption could still be used on particular folders or user profiles. How do you know this wasn't in this case? The pertinent corporate data could have been encrypted and otherwise inaccessible without a password yet the system could have still been used with another local account.

In this economy I think getting a small business a stolen asset back in their possession is a win and it was a benefit the thief was able to log in. Full disk encryption in many small to medium businesses doesn't seem to be a very common practice -- depending how user-level security is handled and where the corporate data resides, it may not be necessary and I don't think the comments of 'inexcusable' or 'very poor security' apply given the information mentioned in the article.
by mbenedict October 24, 2009 2:26 AM PDT
Of course for company laptops full disk encryption is still needed, even if data is obtained from the cloud. Encrypting certain folders or files is NOT enough.

There are many reasons for that, e.g.: 1) In a typical "cloud" scenario, accessed data gets cached on the local device, unencrypted; 2) users often download, process or move data outside of encrypted folders, such as to "Temp" folders or "Download" folders; 3) unencrypted data in memory is mirrored in swap files; 4) encrypted disks are tamper-resistant. Etc. Etc. Etc.

Compared to leaking confidential company data or exposing sensitive customer information, who cares about "getting the laptop back"? Laptops are inexpensive, and heck you can even make an insurance claim. Exposing your customer data on the other hand could bankrupt your company!! Which one should you care more about???

It's understandable that consumers might not be careful with their mobile devices. But this laptop was supposedly a professionally managed corporate device, with supposedly "secure" software installed. And yet some auto-shop perp was able to gain full access??? UNBELIEVABLE!!! We're not talking about a genius hacker here getting access. If that's not very poor security I don't know what is!!!

Industrial grade whole-disk encryption like PGP WDE cost like $149 retail. Heck you can get TrueCrypt for FREE. There is no excuse for a managed corporate laptop to be compromised in this way.

If I were InertLogic or Kaseya I'd be ashamed if this happened to one of my customers!!!
by Random_Walk October 24, 2009 11:02 AM PDT
...not smart enough to strip it for parts then fence them on eBay.

==
"The fact that someone was able to log in and use the laptop is inexcusable."

Heh - Five minutes and possession of the laptop is plenty of time to crack the SAM (on Windows) and change the local admin password to whatever suits you (you would be amazed at the number of utilities that do this, and they work just fine on all Windows versions, even Windows 7). Drive encryption could possibly protect most of the data after that - as long as it's third-party encryption, and doesn't rely on Windows' native gear to do it. Otherwise, the crim can fake the cached credentials if he/she knows how (a bit harder than popping the SAM, but the tools to do it are available easily enough)... then all bets are off.

(Note that the cached credentials problem can be mitigated, but if your company uses a lot of wireless networking, you won't be able to do that for long ;) ).

==

"Is full disk encryption all that necessary these days when the applications and data accessed by the laptop were all run 'in the cloud' and there isn't any corporate information consistently present on the device?"

This is a compelling question, but it cuts both ways.

With the right setup, the crim might know the data is out there and even where it is, but as long as the local side was set up right (to not store user/pass info, no local file caching, etc), then it's actually harder to access that data than it would be if it sat on the local disk, even under BitLocker encryption (which can usually be bypassed as detailed above).

"Disk encryption could still be used on particular folders or user profiles."

Agreed - even Windows can enforce this via GPO so the user wouldn't have a choice but to have it done on their behalf. There's no way to tell from the article whether the data was compromised or not.

==

"1) In a typical "cloud" scenario, accessed data gets cached on the local device, unencrypted"

Maybe, maybe not. It depends on how it's all set up.

For instance, with no encryption schema covering the whole hard disk, you can still be assured of at least a decent modicum of security:

For example, with VMWare View, you can set it up two ways - online or offline:
1 - nothing is downloaded because the whole session is a VM off in cloud-land (your farm, some 3rd-party farm, whatever), and all the data stays there - you only see it via a glorified RDP session.
2 - the whole thing is stored as an encrypted VM disk locally (which is checked-out from the cloud CVS/SVN style each time it is sync'd), and requires a separate login to get to. No login creds? No access. Unlike the Windows SAM, you'll have a much harder time cracking those creds, unless the user left a copy of them sitting on Notepad.

"Compared to leaking confidential company data or exposing sensitive customer information, who cares about "getting the laptop back"?"

Agreed - Or, some companies will simply make the employee pay for it. Either way, the hardware loss is no big deal (from the corp point of view anyway)... so long as one is certain that the data is safe.

Then again, there are lots of little screw-ups that can really make things hurt for a corp as well (e.g. leaving Cached Exchange Mode on in Outlook, which leaves copies of emails laying around on the laptop for local access... something you prolly don't want your CFO having on, eh?)
by ProDigit October 23, 2009 5:57 PM PDT
Well, they could charge him for making illegal copies of stuff...

They could also make him a suspect, he has no alibi.
If he has an alibi (the salesman), would mean that either the salesman is the thief (or connected to the thief), or the guy is lying, which makes him still a suspect.
Even though at times you cannot know when someone sells you stolen goods, you should help the cops in their search for the perpetrator; owning stolen goods, whether you purchased them or not, is illegal, and you can go to jail for that!
He's probably going to have that as a warning on his record, and will be watched closely!

It is obvious the guy did not need the computer, so why steal it?
We're getting into a time where people go to jail because they can't find a job, and have to steal money, and have no other option.
But the guys who steal from others, just because they want gadgets (and often hurt, or kill people in the process) are worse than scum!
by tektaktyks October 23, 2009 7:02 PM PDT
He could sue them for invading his privacy and spying on him without a warrant...
by davidmcelroy_dotmac October 24, 2009 12:14 AM PDT
@tektaktyks: You're confused. A law officer needs a warrant for a search, but these observations were not by police, but rather by a company working for the owner of the device. The owner (or agent of the owner) of a piece of property does not need a warrant to remotely access his own property. The perp would have zero grounds for a suit. You have no right to the privacy of a device that is not your own. Clearly, the guy would not invite further scrutiny of his thin cover story by pursuing a civil case of any kind.
by codynews October 24, 2009 9:03 AM PDT
@ tekaktyks... sue for invading his privacy? He is accessing HIS OWN MACHINE. Go apply for a job at the ACLU. They'd love your logic.
by zyxxy October 25, 2009 7:19 AM PDT
@codynews: You have your logic backward, the ACLU would defend your right to access your property in any case. They would side with the legal laptop owner, not the thief. Of course, if you really understood the ACLU, you wouldn't have made the snide comment in the first place.
by tektaktyks October 23, 2009 7:09 PM PDT
He could sue them for invading his privacy and spying on him without a warrant.. I'd be calling Al Sharpton right now if I was him
by zyxxy October 25, 2009 7:26 AM PDT
You have no privacy when you are on my property. I can install a key logger on my PC. It is mine, after all. If you want to borrow it, fine, but do not assume there are no key loggers installed. You can access the internet through my open WiFi port, but do not assume that Wireshark is not running on the router. Get it? You are using my property. You are using my assets.
by tektaktyks October 25, 2009 4:35 PM PDT
And if I use your bathroom you can have a spy cam there and record it? If the guy really bought that PC and he can prove it? You're wrong.
by PixP October 23, 2009 7:10 PM PDT
Yeah. That was the first thing I thought too. Why didn't they reinstall the OS? I wouldn't want someone's crap on my shiny brand new stolen laptop.
by zyxxy October 25, 2009 7:32 AM PDT
When I buy a refurbished PC (and every one I buy is a refurb) I always reload the OS from the install disks. After all, the PC has been in someone's possession before you, so do you trust the install? I don't. That goes double for used.
by terminalblue October 23, 2009 8:00 PM PDT
Odd story related to this article...
My house was broken into and I lost about $6000 worth of stuff...cameras, video game consoles, TVs....and two laptops and my server. That same day I went to every camera dealer, pawn shop, and computer store within about 25 miles and gave them a list of what was missing.

Three days later two people were arrested in Missouri (I live nearby in Illinois) trying to sell my Canon 50D (which still was in the camera bag with my info in it) and my XBox360; the camera dealer had called the cops using the info I had given them. However, the police couldn't hold them for more than 20 hours despite having almost $3000 worth of my stuff (lenses, flashes, camera stuff...). One week later, they showed up at a computer store 4 miles from where I live and tried to have my passwords removed from my server; the computer store called the cops based on the information I had given them. This time they arrested four people, one of them being the same guy they had arrested in Missouri a week earlier. As of right now, the one guy they arrested twice has been charged with the burglary ...

The odd thing is that these guys were part tech savvy and part retarded; they were smart enough to reset the BIOS on my server and set a password on the BIOS (on the off chance I was using a service like LoJack, I suppose), but not smart enough to get around the Windows logon screen. Of course, when they reset the BIOS, it screwed up the RAID setup and Windows couldn't even boot, but for whatever reason they couldn't just pirate Windows and install a new copy (at that point they couldn't because the default order of the boot drives changed, so they couldn't without digging around the BIOS)?

Two other odd points: I could RDC my server, as well as do hundreds of other tasks to get it to reveal its net presence, but my personal laptop did most of the management and had very little client-side software. But every now and then, new music pops up on my Zune playlist that I would never listen to and don't have in my collection, an indicator that someone else is using my Zune client to play music on my laptop. And every now and then my Yahoo Messenger client logs in from another location; I try to message the client, but I never get a response. Every time I see a change like that, I wish I had set up RDC on my laptop...then maybe the cops would actually search this guy's house.
by missionmom1 October 24, 2009 8:36 AM PDT
calling someone part retarded is not only demeaning to people with special needs, it makes you look like a total tool.
by codynews October 24, 2009 9:36 AM PDT
@ missionmom1: waaaa. PC much? Get a thicker skin...
by terminalblue October 24, 2009 12:20 PM PDT
Maybe someone should break into your house and see how you feel about it...or maybe I should just tell you what the cops told me...they won't search the guy's house because...."His mom was helping them out".

So while I might be a complete tool that hates people that are retarded for doing something retarded like breaking into someone's house, at least I am not a closeted fool like yourself.
by Random_Walk October 24, 2009 1:16 PM PDT
Dude - if you could RDC the thing and it was stolen, you could've wiped the relevant data off it in very short order. Shut off shadow copies, wipe the existing backups, then wipe the data. For a finishing touch, screw with the registry, or better yet install a keylogger, and steal _his_ creds (or whatever you want, really...)

After all - what's he going to do, call the cops?
by terminalblue October 24, 2009 1:54 PM PDT
@random_walk
I could RDC my server, but they never went online with it; it doesn't have wireless like my laptops. I might have screwed with the registry or wiped it, but I am a photographer and I would have lost about ten years' worth of pictures and client information if they got suspicious and just ditched it. I felt much more comfortable knowing that they couldn't get around my passwords and BIOS configuration. (And I got my server back; it would have sucked to get it back with none of the data on it.)

My laptop now is set up so I can RDC, and it is LoJacked. I do wish I had my laptop a little more prepared for something like that, but it will not happen again.
by Mergatroid Mania October 24, 2009 4:34 PM PDT
@missionmom1:
How politically correct of you. People who object to words being used as a label are really not very smart. We all know that if another word starts being used to describe a condition then people start using that same word as a demeaning label.
For example, people used to call a person a *** if he did something they didn't like, now that has changed it to calling him gay instead. People used (and still do) call a person a retard as well, and now the label is starting to change to calling people mental (as in mentally handicapped) It's all semantics. To be offended by a word is stupid. And to freak out on someone about it is even stupider. And the only one here that looks like a "total tool" I'm afraid would be you.
by terminalblue October 24, 2009 5:43 PM PDT
@missionmom
I just looked at your comment history and ONLY comments you have ever made on CNet regard people calling people retards.

I have a suggestion: stop being such a retard and get a life.
by krosafcheg October 23, 2009 8:29 PM PDT
Receiving stolen property. Paid with a check, show me proof. Paid with cash, show me your ATM.
by RockBandPhenom October 23, 2009 10:50 PM PDT
@mbenidict

it said the laptop was from a customer of inertlogic

Clair Fleener, chief executive of IT outsourcer InertLogic, got that chance after a laptop belonging to a customer was stolen.
by n3td3v October 23, 2009 11:27 PM PDT
Intelligence agencies are using the same method to spy on citizens throughout the world, by infecting your computer with malware.

Everything can be used for good and/or evil.
by codynews October 24, 2009 9:36 AM PDT
Proof of this?
by Random_Walk October 24, 2009 1:17 PM PDT
Guess you could point to, well, anything in China as a start...
by face0 October 24, 2009 12:59 AM PDT
The great thing is everyone can do this for free with their own laptop. Here is one free set of scripts you can use with their free service, or, your own web server + gmail account: http://github.com/tomas/prey

If someone steals my MacBook, I put a URL on my blog and start getting reports every 5 minutes the computer is on to my Gmail account (including screen shots and webcam pictures)...
by lazycat202 October 24, 2009 4:13 AM PDT
If I've got your MacBook, all of your Facebook will be gone to the wild :
by Random_Walk October 24, 2009 1:18 PM PDT
You could always script the MBP to send a small email to a monitoring account every time it logs in. The SMTP engine is already built-in.
by Pishkado October 24, 2009 6:58 AM PDT
There was a case a few months back of someone who stole an Apple employee's MacBook from a party. She logged in remotely, used the built-in Webcam to take a picture of the user before he realized what was happening, and showed the picture to the party's host. Case closed. (Someone can probably find the story and post the link if they want.)
by Pishkado October 24, 2009 8:52 AM PDT
Had a few spare minutes. Here's a link to the article in the May 10, 2008 New York Times:

http://www.nytimes.com/2008/05/10/nyregion/10laptop.html

I realize that rpageio's post (Oct. 24, 2009; 8:24 am PDT) wasn't specifically a reply to mine, but given that the article was in that paper, that it identified the employee and her place of work, and that it carried photos of the thieves, I think it's pretty high on the credibility scale. Maybe other stories about retrieving stolen computers with remote access software are urban legends or whatever, but it seems to me that this one happened as reported.
by rpageio October 24, 2009 8:24 AM PDT
I just don't believe everything I read. Checkbook journalism is still alive and well.
by codynews October 24, 2009 9:37 AM PDT
Huh? Care to explain?
by rpageio October 24, 2009 8:28 AM PDT
Too bad they can't keep 'slippery merchants' from advertising in READER COMMENTS.
by codynews October 24, 2009 9:37 AM PDT
Same to you... "huh? Care to explain?"
by DragonWizard October 24, 2009 9:03 AM PDT
"calling someone part retarded is not only demeaning to people with special needs, it makes you look like a total tool."

I have a screwdriver and a wrench that find the use of the word tool to be demeaning.....
by terminalblue October 24, 2009 12:22 PM PDT
lol
by Random_Walk October 24, 2009 10:27 AM PDT
I'm kind of surprised that the criminal didn't simply wipe the drive, then strip it for parts and fence those parts on eBay.
by terminalblue October 24, 2009 12:30 PM PDT
That would make sense, but there are a few reasons that doesn't ever happen.

Criminals don't have PayPal. Also...
A buyer could ask for a SN to verify the warranty, and eBay can also ask for a SN.
It means that the computer is visible to anyone looking for it, not the best way to hide stolen goods.
A wipe sounds like it would work great against something like this, but if they were using LoJack it would embed itself in the BIOS.
When you try to part something out like that you need a fair deal of expertise to do it...most criminals steal for the instant gratification of cash in hand; there is no reward like that when parting out a computer.

So yeah, they might have been able to make a little bit more by parting it out, but the fact of the matter is that they don't know how, and waiting for cash from eBay could take a while, especially since eBay won't let people pay for hardware with checks and MOs anymore.
by MrMe003 October 27, 2009 3:52 AM PDT
Eh, why do they really want to use these laptops with the same operating system installation? Are they stupid or what :D