tracing 802.11 hack attempts


yoblin
10-05-2002, 09:41 PM
If I am running a wireless access point on my LAN, and passwords, WEP encryption keys, etc. are sniffed so that an attacker can log in to the network, how can I prosecute the person?

I was thinking mainly along the lines of 4 things:

1) Viewing logs which connect a certain person to the crimes. For example, if someone logs into their Yahoo account while on the LAN, then it is fairly easy to find the suspect.

2) Wireless MAC addresses. If you can log the MAC address of the wireless card, you can have a fairly good idea of where to start. Is there a place to look up MAC addresses to find out which manufacturer to contact?

3) Other hardware. Is there a way to get unique serial numbers for other hardware such as the hard drives, etc.? What about the supposed 'unique key' built into all recent Pentium chips?

4) Physical location. If you have security cams, etc... I realize this is a long shot, but still an option. Also, could you trace a signal back to the originating point? For example, detect what car the rogue laptop is in while it is still on the network?

Any other ideas/specifics/helpful URLs?

Thanks.

JimGeier
10-23-2002, 05:44 PM
I think that you're on the right track.

Certainly the MAC address will positively identify the person (if you can find them and their equipment). I don't think that vendors or resellers keep track of who they sell specific radio NICs (i.e., MAC addresses) to. Vendors are normally assigned a block of MAC addresses, but I'm not sure how you can find which vendors have specific addresses. If you knew that, however, you'd only learn the vendor of the intruder's radio NIC (not the name of the user).

A good way of catching hackers is to pinpoint their location and capture them before they get away. Thus, you need to start by detecting an intrusion (most sniffers can monitor for unauthorized MAC addresses). Then, you can find them using a directional antenna by pointing the antenna toward the stronger signal and walking until you find them. Security cameras would probably help visualize someone using a laptop or other handheld device while sitting in a car in the parking lot.

JoeTampa
10-29-2002, 04:42 PM
MAC addresses consist of two parts - a vendor ID and a serial number. Each is 6 bytes. Manufacturers do not track what serial numbers are sold and to whom, and in any case, someone paying for a card at CompUSA with cash would be untraceable anyway.

Realistically, your chances of detection, identification, and prosecution are low enough as to be considered negligible. That's why prevention is key.
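
As an added example (not part of any post in this thread), here is one way to do the monitoring for unauthorized MAC addresses that the thread mentions, run over access point association logs. The log format, the inventory and every address are constructed assumptions. For each unknown station it reports the OUI (the first three octets, taken from the vendor's assigned block) and whether the locally administered bit is set, which means the address was set in software and the OUI says nothing about the card's vendor.

```python
import re

# Constructed sample lines in a hypothetical access point log format.
SAMPLE_LOG = """\
2002-10-05 21:12:03 ap1 assoc sta=00:11:22:33:44:55
2002-10-05 21:14:40 ap1 assoc sta=00-AA-BB-CC-DD-EE
2002-10-05 21:15:02 ap1 assoc sta=02:de:ad:be:ef:01
2002-10-05 21:20:11 ap1 assoc sta=00:aa:bb:cc:dd:ee
2002-10-05 21:21:00 ap1 deauth sta=00:11:22:33:44:55
"""

# Assumed inventory of cards that belong on this LAN (constructed values).
AUTHORIZED = {"00:11:22:33:44:55"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ assoc sta="
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})$")

def normalize(mac):
    """Lower-case, colon-separated form so log and inventory spellings match."""
    return mac.lower().replace("-", ":")

def describe(mac):
    """Split a normalized MAC into its OUI and the locally administered flag."""
    first_octet = int(mac[:2], 16)
    return {
        "oui": mac[:8],
        # Bit 0x02 of the first octet: address assigned in software,
        # not taken from a vendor block.
        "locally_administered": bool(first_octet & 0x02),
    }

def unauthorized_stations(log_text, authorized):
    """Return {mac: info} for every associating MAC missing from the inventory."""
    allowed = {normalize(m) for m in authorized}
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an association event, or a malformed line
        mac = normalize(m.group("mac"))
        if mac in allowed:
            continue
        info = found.setdefault(
            mac, dict(describe(mac), first_seen=m.group("ts"), count=0))
        info["count"] += 1
    return found

if __name__ == "__main__":
    for mac, info in unauthorized_stations(SAMPLE_LOG, AUTHORIZED).items():
        print(mac, info)
```

The `first_seen` timestamp and association count give a starting point for matching against other records such as camera footage.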