[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <NMEAJDJMDLJLOIOCIKJJEEFBGOAA.exibar@thelair.com>
Date: Tue Dec 27 20:41:44 2005
From: exibar at thelair.com (Exibar)
Subject: [inbox] Breaking LoJack for Laptops
in another life, I played witht eh computrace software. If I remember
correctly it transmits it's data before the OS fully boots, and it is
supposed to survive a Ghost re-image or an OS re-install. I believe it
hooks the Floppy controller if I remember correctly. If the floppy wasn't
set to boot from first, the software was defeated. The process that you
mentioned, if killed, won't stop the phone home process at boot time. Throw
a sniffer on a spanned port on your switch and sniff the traffic coming from
your laptop's port and you'll see the computrace packets go out before the
laptop is booted.
Now, this was about 5 years ago, I mentioned to them that they shold have
hooks from the BIOS itself, that would invoke their code to "phone home". A
hook in the BIOS would be the only sure way to catch a stolen laptop, if the
stolen laptop is plugged into a phone line or network jack that is.
They said, yes 5 years ago now, that they were working with Dell to get
hooks in the Dell bios. Not sure if this ever happened or not...
Exibar
> -----Original Message-----
> From: obnoxious@...h.com [mailto:obnoxious@...h.com]
> Sent: Saturday, December 24, 2005 10:06 AM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [inbox] [Full-disclosure] Breaking LoJack for Laptops
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Breaking Computrace?s Lo Jack for Laptops
> J. Oquendo
> obnoxious@...h.com :: "Can you hear me now?"
> 12/24/05
>
>
> After my company spent a pretty penny purchasing this Absolute?s
> Computrace ?Lojack for Laptops? product, I decided to write up a
> "How-To Defeat LoJack For Laptops" article. Why? Why not? Maybe the
> vendor can step it up a notch and create something that actually
> functions without flaw. This is not to say the product doesn't work
> to some capacity, this article tends to solely clarify what this
> product is and how simple it is to disable it.
>
> Here is Asbolute's advertisement:
>
> LAPTOP SECURITY PREVENTS LAPTOP THEFT.
>
> Computrace is laptop security and tracking software which deters
> laptop theft and recovers stolen computers ? guaranteed. Absolute
> also provides software inventory, computer inventory, PC inventory,
> PC audits, IT asset management, asset tracking, software license
> management, and data security tools and services.
>
> I'd like to know how their product prevents laptop theft or even
> minimizes it. The ad is humorous. For the company to guarantee they
> can deter theft is another oddity. For starters there are no
> markings on my own laptop that state "Protected by Absolute" or
> anything similar. Even if there were, I highly doubt - that even if
> there were markings on my laptop - that would stop someone from
> picking up my machine and taking off with it. Secondly to state
> they can recover my laptop is even stranger. Lastly, someone might
> confuse Absolute with Absolut and snicker at it. To date my laptop
> has not "called in" for about sixty plus days. Should I call
> Absolute and put them to the test? The outcome would be nothing
> more than a refund for Computrace. Data? Laptop? Sayanora.
>
> So here is what Computrace is; it is nothing more than a piece of
> software that details what your machine is, and reports this data
> back to the Absolute website. This is some the information the
> reporting contains for some for those machines running this
> gimmick:
>
> Call Tracking Information (for my own laptop)
> Computrace Agent first installed on (first call): 11/10/2005
> 9:06:38 AM
> Computrace Agent version: 814
> Computrace Agent last called on: 11/13/2005
> 2:20:17 PM
> Computrace Agent last called from: 192.168.0.1
> Computrace Agent next call scheduled for: 11/14/2005
> 2:50:17 PM
> Asset tracking data last collected on:
> 11/13/2005 2:20:17 PM
>
> MY_USERNAME
> MY_LAPTOP_NAME
> Assig. Username:
> Make: Dell Computer
> Model: INSPIRON_6000 Serial# XXXXXXX
> Asset# 11/13/2005 2:20:17 PM 814 Active
>
> Today is December 24th 2005. Prior to the 11/10 date, I had the
> program installed and disabled it without any notice for
> approximately 64 days, then reinstalled it for testing purposes.
> Obviously had I stolen this laptop, Absolute wouldn't be able to do
> anything about it. They don?t know where it?s at. At least they let
> me know something was cooking:
> Dear Customer Center User:
>
>
> This is an automatic e-mail notification generated by the Customer
> Center alerting system.
>
> Please visit https://www.Absolute.com/public/secure/login.asp to
> investigate your new alert.
>
> The following alert(s) configured for your account have been
> triggered:
>
> * Alert Name: Last called 20 days ago
> * Description: Pre-defined alert - if you don't wish to use this
> alert, leave it in a suspended status (note that it will be
> recreated in a suspended status if deleted)
> * Alert Type: Automatic Reset in 10 days
> * Alert Condition: Last Call Time - Greater or Equal To - 20 day(s)
> since last call
> * Detected on: 24 Dec 2005 00:28:34:5
>
> You have computers that have not called within a specific time
> period (as defined by the alert condition).
>
> For customers with the recovery guarantee: Note that the guarantee
> becomes invalid for computers that have not called in more than 30
> days. Please refer to your Terms and Conditions for more
> information.
>
> For customers with the recovery service: The chances of recovering
> a computer post-theft are reduced if the computer is not calling
> regularly.
>
> For customers with asset tracking: your asset data is likely to be
> out of date for computers that haven't called in recently
>
> All Customers: You can use the ctmweb management tool to confirm
> that the agent software is installed and, if necessary, reinstall
> it. If the agent is installed, the ctmweb management tool can be
> used to perform a test call. Once machines call into the
> monitoring center, they automatically meet the call-back criteria
> for eligibility for the guarantee.To retrieve the list of
> computers, log into the Customer Center and follow the instructions
> below:
>
> a. Click on Reports.
> b. Go to "Call History and Loss Control" , click on "Missing
> Computers".
>
> In the box below "Show all Computers where...", under where it
> states: "group name is" use the drop down to select the group
> name: "Recovery Guarantee" then to the right, enter 20 days. Once
> done, click on "show results".This will provide you with a list of
> computers that need attention.
>
> ESN: XXXXXXXXXXXXXXXXXXXX PC Name: [MACHINE_X] Username:
> [username] Department: [departmentname]
>
>
> That message is reassuring. It?s letting me know MACHINE_X hasn?t
> been online. It is up to me to report it stolen so Absolute can
> retrieve it. But how do they expect to do this. There isn?t
> anything other than a little program which runs after Windows has
> started that waits for connectivity to scream for help.
>
> Now let's look at what Absolute is using to find a stolen machine
> shall we?
>
> Computrace Agent last called from: 192.168.0.1
>
> Secure? Doubtful. Absolute is solely relying on an IP address to
> track a machine. One of the problems with this is that they will
> need to go to court and request the information from the ISP on who
> used that IP address, after getting this information, they can only
> hope they will find the machine at that location. How much would it
> cost Absolute to go through these motions? Even if they did go
> through these motions, why should they when they can just refund
> someone the cost of the Computrace software. Or, what happens when
> a stolen laptop is using stolen resources for connections? Like say
> an open Wi-Fi hotspot? What does Computrace expect to do when
> someone reinstalls an operating system over the system with their
> software running. That software is useless.
>
> It's that simple. Reinstalling an operating system over a stolen
> laptop will automaGically make Computrace as useful as an
> industrial freezer in Antarctica, useless.
>
> Now supposing you stole a laptop with Computrace installed on it,
> and actually wanted to keep the data, you have one of a few
> choices: copy the data, wipe the drive and make a clean OS
> installation, or you can simply kill the process and modify the
> Windows registry to rid yourself of this gimmick.
>
> What are you looking for? A program called RPCNETP.EXE. You could
> search the registry for it and rename it, delete it entirely, stop
> the services by going to the Windows Control Panel/Administrative
> Tools/Services and stop it from there. Use Sysinternal's Process
> Explorer, Knoppix. I could count numerous ways to disable this
> product. As for the service Absolute offers, I've logged in twice
> in six months because I was wondering who was sending me those
> annoying alerts, and I wanted to see exactly what information was
> being passed over to Absolute's databases.
>
> Final word? Want security think Biometrics before a bios boot up,
> disabling CD/DVD start ups, passwording the bios. All in all there
> is little one can do when a laptop is stolen. Other than insurance
> purposes, I see this product as being nothing more than a gimmick.
> Sadly I was hoping I could give them some form of kudos. Maybe I
> can, their website and packaging are nice.
>
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.4
>
> wkYEARECAAYFAkOtY7wACgkQo8cxM8/cskousQCgvWJNpxfseItFts2OeTJMEBRjhEYA
> oK4F3A9hl5L66qX3R5A/29zMsQKN
> =sVF5
> -----END PGP SIGNATURE-----
>
>
>
>
> Concerned about your privacy? Instantly send FREE secure email,
> no account required
> http://www.hushmail.com/send?l=480
>
> Get the best prices on SSL certificates from Hushmail
> https://www.hushssl.com?l=485
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
Powered by blists - more mailing lists