Message-ID: <20060107174239.DF7A333C23@mailserver5.hushmail.com>
Date: Sat Jan  7 17:42:52 2006
From: obnoxious at hush.com (obnoxious@...h.com)
Subject: Breaking Computrace LoJack Part II

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Breaking Computrace's LoJack Part II

After my first hurried document, I figured I'd offer some follow-up
information. An employee from Absolute.com contacted my employer
rambling on about me being misinformed on their product. The
employee from Absolute was more than likely a salesman, as he
couldn't answer technical questions, so I requested that he send me
information about my laptop since he was "concerned" that it had
not "phoned home". Yet he was stating it had "phoned home" and
Absolute was still able to track my machine.

One thing this person stated was that "my machine was still calling
in, but not updating their database with information on the state
of my machine to their front end, but the back end was still
working". Meaning, although my machine was not phoning home, it was
phoning home. After a quick chuckle I reiterated that if this
were the case - that my machine was still contacting his company - he
should be able to provide me with the information my machine was
supposedly sending. After I received his response I sent off a
detailed e-mail calling his bluff.

According to the staff at Absolute.com, my machine had called in
yesterday (January 06th 2006) morning at 9:45am. They even provided
me with an IP address. I was shocked and ready to throw in the
towel at that point, but decided to respond right back to them.

Firstly, on January 06th 2006, my machine was powered down.
Secondly, it was not physically plugged into any network. Thirdly,
Troppix was running on the machine and the CD was still in its
drive. Now I wondered what a marvelous feat it would be for 1)
Absolute to create a kinetic-based program to power up my machine
at will. Such a great feat would bring them millions in revenue
from people seeking to conserve money on power. I then thought it even
neater of them to have the ability to connect my machine to a
network without my knowledge. Zeroconf (www.zeroconf.org) must have
sped up production and given rights to Absolute or something.
Almost lastly would be the fact that they've ported Windows
executables and DLLs over to Linux.

If that wasn't enough of a slap in the face, Absolute graciously
provided me with what they labeled an IP address. The address they
gave me was 485819880. So I wondered? 1CFC05E8?
00011100111101010000010111101000? What kind of crap are they giving
me? If that's a decimal IP that would place me at 28.245.5.232.
That would mean that my machine was "phoning home" from a
"Department of Defense" network, which would probably make me a
terrorist. Now I informed Absolute that I have a static address at
home, this I could verify with my company's syslog server as well
as 4 other (non company) servers which could provide them with my
IP address if they wanted it for verification purposes. Surely a
provider wouldn't pull Absolute's chain and give them false
information so any claims by Absolute of me "fabricating my IP
address" would be an insult.

[root@...oster security]# echo 485819880 | trans.pl
[root@...oster security]# 28.245.5.232

[root@...oster security]# whois -h whois.arin.net 28.245.5.232
[Querying whois.arin.net]
[whois.arin.net]

OrgName:    DoD Network Information Center
OrgID:      DNIC
Address:    3990 E. Broad Street
City:       Columbus
StateProv:  OH
PostalCode: 43218
Country:    US

NetRange:   28.0.0.0 - 28.255.255.255
CIDR:       28.0.0.0/8
NetName:    DSI-NORTH2
NetHandle:  NET-28-0-0-0-1
Parent:
NetType:    Direct Allocation
Comment:    ARPA DSI JPO
Comment:    7790 Science Applicationis Crt.,
Comment:    Vienna, VA 22183 US
RegDate:    1996-03-11
Updated:    2000-04-13

So now as it stands, Absolute has a kinetic, Zeroconf, password
cracking, interchangeable (Windows executable to Linux binary)
product capable of finding anyone anywhere on the planet. For those
wondering about the password cracking part, how else could it have
booted up Troppix and logged in - in order to send out information.

To be fair I decided to boot into Windows XP, turn on my firewall,
and watch whatever tries to connect to - where and why. Sure enough
Internet Explorer was trying to send out information to a site that
just so happened to be owned by Absolute. Packet data anyone?

Protocol :		TCP
Local Address : 	10.10.10.10
Local Port :		1596
Remote Name :		search.namequery.com
Remote Address :	209.53.113.223
Remote Port : 		80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 76)
	Destination: 	00-09-5b-6d-a0-9c
	Source: 	00-12-f0-44-4e-4b
Type: IP (0x0800)
Internet Protocol
	Version: 4
	Header Length: 20 bytes
	Flags:
		.1.. = Don't fragment: Set
		..0. = More fragments: Not set
	Fragment offset:0
	Time to live: 128
	Protocol: 0x6 (TCP - Transmission Control Protocol)
	Header checksum: 0xa878 (Correct)
	Source: 10.10.10.10
	Destination: 209.53.113.223
Transmission Control Protocol (TCP)
	Source port: 1596
	Destination port: 80
	Sequence number: 3493489526
	Acknowledgment number: 0
	Header length: 28
	Flags:
		0... .... = Congestion Window Reduce (CWR): Not set
		.0.. .... = ECN-Echo: Not set
		..0. .... = Urgent: Not set
		...0 .... = Acknowledgment: Not set
		.... 0... = Push: Not set
		.... .0.. = Reset: Not set
		.... ..1. = Syn: Set
		.... ...0 = Fin: Not set
	Checksum: 0x1dfd (Correct)
	Data (0 Bytes)

Binary dump of the packet:
0000:  00 09 5B 6D A0 9C 00 12 : F0 44 4E 4B 08 00 45 00 | ...[m.....DNK..E.
0010:  00 30 7E 5B 40 00 80 06 : 78 A8 C0 A8 00 07 D1 35 | ..0~[@...x......5
0020:  71 DF 06 3C 00 50 D0 3A : 6B 76 00 00 00 00 70 02 | q..<.P.:kv....p.
0030:  40 00 FD 1D 00 00 02 04 : 05 B4 01 01 04 02 6E 61 | @.............na
0040:  6D 65 71 75 65 72 79 03 : 63 6F 6D 00             | mequery.com.

So what was the best thing to do? Block it via my firewall or play
with my hosts file:

echo 127.0.0.1 search.namequery.com >> C:\PATH\TO MY\HOSTS ...

Maybe I could have played with Absolute using Scapy
(http://www.secdev.org/projects/scapy/):

# Lengths and checksums are left unset so Scapy fills them in; the
# values in the capture above belong to the real frame, not this one.
Ether(dst="00:09:5b:6d:a0:9c", src="00:00:00:31:33:17", type=0x800) / \
IP(version=4, tos=0x6, id=1, ttl=255, src="3.1.33.7", dst="209.53.113.223") / \
TCP(sport=1337, dport=80, seq=0, ack=0, flags="S", window=8192) / \
Raw(load="POST /1DJ1TS")

Perhaps change IP addressing every 5 minutes on a script, call them
and ask them "Can you hear me now..." ... "Can you hear me now..."

Anywho(w)...

Now I'd really like to know what Absolute has to say about 1) their
miraculous methods of finding my machine even when it is booted
into Windows with me redirecting via my hosts file. I'd also like
to know why, if they were so concerned - as this salesperson's call
alluded to - he didn't mention the 3-4 other laptops in my
stable that haven't "phoned home".

Anyhow, the jury is out on this... Absolute has yet to respond
(once again). So for those from Absolute reading this (you've done
so before... Obviously in order to contact me at work) let it be
known, prior to the original writing being posted, and prior to
this one being sent, your company was notified.

J. Oquendo
obnoxious||hush.com
"Please no tears no sympathy" -- VNV Nation Epicentre
echo "\$|[\$_->{_,s:.(.).+.(.):print+(\$1..\$2)[15,22,13,4,3]:e}]"|perl
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkO//YwACgkQo8cxM8/cskrizgCeOx/r0Q5X+e2sJ375wMnk1qb+ShYA
nRqFBg14AaunNHf3wVeRLTNjPxd/
=xTxH
-----END PGP SIGNATURE-----
