lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat Dec 24 15:05:53 2005
From: obnoxious at hush.com (obnoxious@...h.com)
Subject: Breaking LoJack for Laptops

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Breaking Computrace’s Lo Jack for Laptops
J. Oquendo
obnoxious@...h.com :: "Can you hear me now?"
12/24/05


After my company spent a pretty penny purchasing this Absolute’s
Computrace “Lojack for Laptops” product, I decided to write up a
"How-To Defeat LoJack For Laptops" article. Why? Why not? Maybe the
vendor can step it up a notch and create something that actually
functions without flaw. This is not to say the product doesn't work
to some capacity, this article tends to solely clarify what this
product is and how simple it is to disable it.

Here is Asbolute's advertisement:

LAPTOP SECURITY PREVENTS LAPTOP THEFT.

Computrace is laptop security and tracking software which deters
laptop theft and recovers stolen computers – guaranteed. Absolute
also provides software inventory, computer inventory, PC inventory,
PC audits, IT asset management, asset tracking, software license
management, and data security tools and services.

I'd like to know how their product prevents laptop theft or even
minimizes it. The ad is humorous. For the company to guarantee they
can deter theft is another oddity. For starters there are no
markings on my own laptop that state "Protected by Absolute" or
anything similar. Even if there were, I highly doubt - that even if
there were markings on my laptop - that would stop someone from
picking up my machine and taking off with it. Secondly to state
they can recover my laptop is even stranger. Lastly, someone might
confuse Absolute with Absolut and snicker at it. To date my laptop
has not "called in" for about sixty plus days. Should I call
Absolute and put them to the test? The outcome would be nothing
more than a refund for Computrace. Data? Laptop? Sayanora.

So here is what Computrace is; it is nothing more than a piece of
software that details what your machine is, and reports this data
back to the Absolute website. This is some the information the
reporting contains for some for those machines running this
gimmick:

Call Tracking Information (for my own laptop)
Computrace Agent first installed on (first call): 	11/10/2005
9:06:38 AM
Computrace Agent version: 				814
Computrace Agent last called on: 			11/13/2005 2:20:17 PM
Computrace Agent last called from: 			192.168.0.1
Computrace Agent next call scheduled for: 		11/14/2005 2:50:17 PM
Asset tracking data last collected on: 			11/13/2005 2:20:17 PM

MY_USERNAME
MY_LAPTOP_NAME
Assig. Username:
Make: Dell Computer
Model: INSPIRON_6000		Serial# XXXXXXX
Asset# 	 11/13/2005 2:20:17 PM		814	Active

Today is December 24th 2005. Prior to the 11/10 date, I had the
program installed and disabled it without any notice for
approximately 64 days, then reinstalled it for testing purposes.
Obviously had I stolen this laptop, Absolute wouldn't be able to do
anything about it. They don’t know where it’s at. At least they let
me know something was cooking:
Dear Customer Center User:


This is an automatic e-mail notification generated by the Customer
Center alerting system.

Please visit https://www.Absolute.com/public/secure/login.asp to
investigate your new alert.

The following alert(s) configured for your account have been
triggered:

* Alert Name: Last called 20 days ago
* Description: Pre-defined alert - if you don't wish to use this
alert, leave it in a suspended status (note that it will be
recreated in a suspended status if deleted)
* Alert Type: Automatic Reset in 10 days
* Alert Condition: Last Call Time - Greater or Equal To - 20 day(s)
since last call
* Detected on: 24 Dec 2005 00:28:34:5

You have computers that have not called within a specific time
period (as defined by the alert condition).

For customers with the recovery guarantee: Note that the guarantee
becomes invalid for computers that have not called in more than 30
days. Please refer to your Terms and Conditions for more
information.

For customers with the recovery service:  The chances of recovering
a computer post-theft are reduced if the computer is not calling
regularly.

For customers with asset tracking: your asset data is likely to be
out of date for computers that haven't called in recently

All Customers: You can use the ctmweb management tool to confirm
that the agent software is installed and, if necessary, reinstall
it.  If the agent is installed, the ctmweb management tool can be
used to perform a test call.  Once machines call into the
monitoring center, they automatically meet the call-back criteria
for eligibility for the guarantee.To retrieve the list of
computers, log into the Customer Center and follow the instructions
below:

a. Click on Reports.
b. Go to "Call History and Loss Control" , click on "Missing
Computers".

In the box below "Show all Computers where...", under where it
states:  "group name is" use the drop down to select the group
name: "Recovery Guarantee" then to the right, enter 20 days.  Once
done, click on "show results".This will provide you with a list of
computers that need attention.

ESN: XXXXXXXXXXXXXXXXXXXX PC Name: [MACHINE_X]  Username:
[username]  Department: [departmentname]


That message is reassuring. It’s letting me know MACHINE_X hasn’t
been online. It is up to me to report it stolen so Absolute can
retrieve it. But how do they expect to do this. There isn’t
anything other than a little program which runs after Windows has
started that waits for connectivity to scream for help.

Now let's look at what Absolute is using to find a stolen machine
shall we?

Computrace Agent last called from: 			192.168.0.1

Secure? Doubtful. Absolute is solely relying on an IP address to
track a machine. One of the problems with this is that they will
need to go to court and request the information from the ISP on who
used that IP address, after getting this information, they can only
hope they will find the machine at that location. How much would it
cost Absolute to go through these motions? Even if they did go
through these motions, why should they when they can just refund
someone the cost of the Computrace software. Or, what happens when
a stolen laptop is using stolen resources for connections? Like say
an open Wi-Fi hotspot? What does Computrace expect to do when
someone reinstalls an operating system over the system with their
software running. That software is useless.

It's that simple. Reinstalling an operating system over a stolen
laptop will automaGically make Computrace as useful as an
industrial freezer in Antarctica, useless.

Now supposing you stole a laptop with Computrace installed on it,
and actually wanted to keep the data, you have one of a few
choices: copy the data, wipe the drive and make a clean OS
installation, or you can simply kill the process and modify the
Windows registry to rid yourself of this gimmick.

What are you looking for? A program called RPCNETP.EXE. You could
search the registry for it and rename it, delete it entirely, stop
the services by going to the Windows Control Panel/Administrative
Tools/Services and stop it from there. Use Sysinternal's Process
Explorer, Knoppix. I could count numerous ways to disable this
product. As for the service Absolute offers, I've logged in twice
in six months because I was wondering who was sending me those
annoying alerts, and I wanted to see exactly what information was
being passed over to Absolute's databases.

Final word? Want security think Biometrics before a bios boot up,
disabling CD/DVD start ups, passwording the bios. All in all there
is little one can do when a laptop is stolen. Other than insurance
purposes, I see this product as being nothing more than a gimmick.
Sadly I was hoping I could give them some form of kudos. Maybe I
can, their website and packaging are nice.

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkOtY7wACgkQo8cxM8/cskousQCgvWJNpxfseItFts2OeTJMEBRjhEYA
oK4F3A9hl5L66qX3R5A/29zMsQKN
=sVF5
-----END PGP SIGNATURE-----




Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ