As most people are aware, several individuals were recently arrested and accused of being deep cover agents spying on the USA on behalf of Russia. There are some interesting details emerging on how these individuals were tracked, with some news papers/ sites stating that these individuals had been under surveillance for quite some time.
One thing I found really fascinating about this whole event is why the individuals under surveillance did not change their MAC addresses; perhaps they simply did not see it as a major risk in being used to identify them given all the other layers of security they had in place, ie some level of stenography (there are mixed reports as to whether cryptography was involved as well), and the fact that they were using ad-hoc wireless networks. I think there is also a possibility that given that they were using ad-hoc networks the mac addresses may have been what the agents used to identify each other and determine whether they were in the appropriate network.
Reports, postings and other Media on this story:
The SANS storm centre has a diary entry which looks at some of the technical issues raised in this case
http://isc.sans.edu/diary.html?storyid=9094
http://www.thestar.com/news/world/article/829914--u-s-says-alleged-russian-spies-posed-as-canadians
http://www.dailytech.com/Russian+Femme+Fatale+Spy+10+Others+Busted+by+FBI/article18898c.htm
Jamal: On the SANS Institute's forensics blog, I have published new methods for preserving and authenticating evidence in a cyber investigation. http://goo.gl/ramnu What is your opinion? --Ben
ReplyDeleteHi Ben,
ReplyDeleteWill definitely check it out.