Date: Sat Jan  7 17:56:30 2006
From: labeneator at gmail.com (Lmwangi)
Subject: Re: Breaking Computrace LoJack Part II

Maybe, just maybe, there's a parallel universe with you and a mirror
of your laptop. Of course in the other universe some things would be
different, such as the DoD IP address block.

On 1/7/06, obnoxious@...h.com <obnoxious@...h.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Breaking Computrace's LoJack Part II
>
> After my first hurried document, I figured I'd offer some follow
> information. An employee from Absolute.com contacted my employer
> rambling on about me being misinformed on their product. The
> employee from Absolute was more than likely a salesman as he
> couldn't answer technical questions so I requested that he send me
> information about my laptop since he was "concerned" that it had
> not "phoned home". But yet he was stating it had "phoned home" and
> Absolute was still able to track my machine.
>
> One thing this person stated was that "my machine was still calling
> in, but not updating their database with information on the state
> of my machine to their front end, but the back end was still
> working". Meaning, although my machine was not phoning home, it was
> phoning home. After a quick chuckle I again iterated that if this
> were the case - that my machine still contacting his company - he
> should be able to provide me with the information my machine was
> supposedly sending. After I received his response I sent off a
> detailed e-mail calling his bluff.
>
> According to the staff at Absolute.com, my machine had called in
> yesterday (January 06th 2006) morning at 9:45am. They even provided
> me with an IP address. I was shocked and ready to throw in the
> towel at that point, but decided to respond right back to them.
>
> Firstly, on January 06th 2005, my machine was powered down.
> Secondly, it was not physically plugged into any network. Thirdly,
> Troppix was running on the machine and the CD was still in its
> drive. Now I wondered what a marvelous feat it would be for 1)
> Absolute to create a kinetic based program to power up my machine
> at will. Such a great feat would bring them millions in revenue
> from people seeking to conserve money on power. I then thought even
> neater of them to have the ability to connect my machine to a
> network without my knowledge. Zeroconf (www.zeroconf.org) must have
> sped up production and given rights to Absolute or something.
> Almost lastly would be the fact that they've ported Windows
> executables and DLLs over to Linux.
>
> If that wasn't enough of a slap in the face, Absolute graciously
> provided me with what they labeled an IP address. The address they
> gave me was 485819880. So I wondered? 1CFC05E8?
> 00011100111101010000010111101000? What kind of crap are they giving
> me? If that's a decimal IP that would place me at 28.245.5.232.
> That would mean that my machine was "phoning home" from a
> "Department of Defense" network, which would probably make me a
> terrorist. Now I informed Absolute that I have a static address at
> home, this I could verify with my company's syslog server as well
> as 4 other (non company) servers which could provide them with my
> IP address if they wanted it for verification purposes. Surely a
> provider wouldn't pull Absolute's chain and give them false
> information so any claims by Absolute of me "fabricating my IP
> address" would be an insult.
>
> [root@...oster security]# echo 485819880 | trans.pl
> [root@...oster security]# 28.245.5.232
>
> [root@...oster security]# whois -h whois.arin.net 28.245.5.232
> [Querying whois.arin.net]
> [whois.arin.net]
>
> OrgName:    DoD Network Information Center
> OrgID:      DNIC
> Address:    3990 E. Broad Street
> City:       Columbus
> StateProv:  OH
> PostalCode: 43218
> Country:    US
>
> NetRange:   28.0.0.0 - 28.255.255.255
> CIDR:       28.0.0.0/8
> NetName:    DSI-NORTH2
> NetHandle:  NET-28-0-0-0-1
> Parent:
> NetType:    Direct Allocation
> Comment:    ARPA DSI JPO
> Comment:    7790 Science Applicationis Crt.,
> Comment:    Vienna, VA 22183 US
> RegDate:    1996-03-11
> Updated:    2000-04-13
>
> So now as it stands, Absolute has a kinetic, Zeroconf, password
> cracking, interchangeable (Windows executable to Linux binary)
> product capable of finding anyone anywhere on the planet. For those
> wondering about the password cracking part, how else could it have
> booted up Troppix and logged in - in order to send out information.
>
> To be fair I decided to boot into Windows XP turn on my firewall
> and watch whatever tries to connect to - where and why. Sure enough
> Internet Explorer was trying to send out information to a site that
> just so happened to be owned by Absolute. Packet data anyone?
>
> Protocol :		TCP
> Local Address : 	10.10.10.10
> Local Port :		1596
> Remote Name :		search.namequery.com
> Remote Address :	209.53.113.223
> Remote Port : 		80 (HTTP - World Wide Web)
>
> Ethernet packet details:
> Ethernet II (Packet Length: 76)
> 	Destination: 	00-09-5b-6d-a0-9c
> 	Source: 	00-12-f0-44-4e-4b
> Type: IP (0x0800)
> Internet Protocol
> 	Version: 4
> 	Header Length: 20 bytes
> 	Flags:
> 		.1.. = Don't fragment: Set
> 		..0. = More fragments: Not set
> 	Fragment offset:0
> 	Time to live: 128
> 	Protocol: 0x6 (TCP - Transmission Control Protocol)
> 	Header checksum: 0xa878 (Correct)
> 	Source: 10.10.10.10
> 	Destination: 209.53.113.223
> Transmission Control Protocol (TCP)
> 	Source port: 1596
> 	Destination port: 80
> 	Sequence number: 3493489526
> 	Acknowledgment number: 0
> 	Header length: 28
> 	Flags:
> 		0... .... = Congestion Window Reduce (CWR): Not set
> 		.0.. .... = ECN-Echo: Not set
> 		..0. .... = Urgent: Not set
> 		...0 .... = Acknowledgment: Not set
> 		.... 0... = Push: Not set
> 		.... .0.. = Reset: Not set
> 		.... ..1. = Syn: Set
> 		.... ...0 = Fin: Not set
> 	Checksum: 0x1dfd (Correct)
> 	Data (0 Bytes)
>
> Binary dump of the packet:
> 0000:  00 09 5B 6D A0 9C 00 12 : F0 44 4E 4B 08 00 45 00 |
> ...[m.....DNK..E.
> 0010:  00 30 7E 5B 40 00 80 06 : 78 A8 C0 A8 00 07 D1 35 |
> ..0~[@...x......5
> 0020:  71 DF 06 3C 00 50 D0 3A : 6B 76 00 00 00 00 70 02 |
> q..<.P.:kv....p.
> 0030:  40 00 FD 1D 00 00 02 04 : 05 B4 01 01 04 02 6E 61 |
> @.............na
> 0040:  6D 65 71 75 65 72 79 03 : 63 6F 6D 00             |
> mequery.com.
>
> So what was the best thing to do? Block it via my firewall or play
> with my hosts file:
>
> echo 127.0.0.1   search.namequery.com >> C:\PATH\TO MY\HOSTS ...
>
> Maybe I could have played with Absolute using Scapy
> (http://www.secdev.org/projects/scapy/):
>
> <Ether dst=00:09:5b:6d:a0:9c src=00:00:00:31:33:17 type=0x800 |<IP
> version=4L
>  ihl=5L tos=0x6 len=67 id=1 flags= frag=0L ttl=255 proto=TCP
> chksum=0xa878
>  src=3.1.33.7 dst=209.53.113.223 options='' |<TCP sport=1337
> dport=80 seq=0L
>  ack=0L dataofs=5L reserved=0L flags=S window=8192 chksum=0xbb39
> urgptr=0
>  options=[] |<Raw load='POST /1DJ1TS' |>>>>
>
> Perhaps change IP addressing every 5 minutes on a script, call them
> and ask them "Can you hear me now..." ... "Can you hear me now..."
>
> Anywho(w)...
>
> Now I'd really like to know what Absolute has to say about 1) their
> miraculous methods of finding my machine even when it is booted
> into Windows with me redirecting via my hosts file. I'd also like
> to know why if they were so concerned - as this salesperson's call
> alluded to, why didn't he mention the 3-4 other laptops in my
> stable that haven't "phoned home".
>
> Anyhow, the jury is out on this... Absolute has yet to respond
> (once again). So for those from Absolute reading this (you've done
> so before... Obviously in order to contact me at work) let it be
> known, prior to the original writing being posted, and prior to
> this one being sent, your company was notified.
>
> J. Oquendo
> obnoxious||hush.com
> "Please no tears no sympathy" -- VNV Nation Epicentre
> echo "\$|[\$_-
> >{_,s:.(.).+.(.):print+(\$1..\$2)[15,22,13,4,3]:e}]"|perl
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.4
>
> wkYEARECAAYFAkO//YwACgkQo8cxM8/cskrizgCeOx/r0Q5X+e2sJ375wMnk1qb+ShYA
> nRqFBg14AaunNHf3wVeRLTNjPxd/
> =xTxH
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


--
Article:
-
    And an unknown college dropout named Bill Gates, together with his
partner Paul Allen, wrote a version of the programming language BASIC
for the Altair, forming a company called Micro-Soft in the process. He
would later drop the hyphen and the capital S, and make billions of
dollars.
--
Comment:
+++
Dammit Slashdot! If you would just drop the capital S, you could be
making billions of dollars too!
+++++
http://slashdot.org/comments.pl?sid=171335&cid=14270286
+++++++
www.opensource.or.ke
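The decimal-to-dotted-quad conversion the post does with `trans.pl` (whose source is not on the page), as an added Python example that is not from the original post or from Absolute: it accepts the forms an address tends to arrive in when it has been pulled out of a database or a log (plain decimal, a negative decimal from a signed 32-bit column, hex with or without `0x`, or a dotted quad), normalises them through the standard-library `ipaddress` module, prints the same value in the notations the post compares, and checks the result against the `28.0.0.0/8` block ARIN returned. The two input values are the ones quoted above; the signed-column handling is an assumption about how such a number might be stored, not something the post says about Absolute's back end.

```python
import ipaddress
import re

# Values quoted in the post above: the number Absolute reported as an "IP
# address", and the allocation ARIN returned for the address it decodes to.
REPORTED_VALUE = "485819880"
ARIN_RANGE = "28.0.0.0/8"


def parse_ip_loosely(text: str) -> ipaddress.IPv4Address:
    """Return the IPv4Address denoted by a dotted quad, a decimal integer,
    0x-prefixed hex, or eight bare hex digits.

    Integers are read as a big-endian 32-bit value, the layout of a
    struct in_addr and of an address stored in an integer database column.
    A negative decimal is assumed (the post does not say this) to come
    from a signed 32-bit column and is mapped back with two's complement.
    An eight-character string that is all decimal digits is read as
    decimal; pass it with a 0x prefix if it is really hex.
    """
    s = text.strip()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", s):
        return ipaddress.IPv4Address(s)
    if re.fullmatch(r"0[xX][0-9a-fA-F]{1,8}", s):
        return ipaddress.IPv4Address(int(s, 16))
    if re.fullmatch(r"-?\d{1,10}", s):
        n = int(s, 10)
        if n < 0:
            n += 1 << 32          # signed INT column -> unsigned 32-bit value
        if not 0 <= n <= 0xFFFFFFFF:
            raise ValueError(f"{s} does not fit in 32 bits")
        return ipaddress.IPv4Address(n)
    if re.fullmatch(r"[0-9a-fA-F]{8}", s):
        return ipaddress.IPv4Address(int(s, 16))
    raise ValueError(f"unrecognised address form: {text!r}")


def describe(addr: ipaddress.IPv4Address) -> dict:
    """The same address in the four notations the post compares."""
    n = int(addr)
    return {
        "dotted": str(addr),
        "decimal": n,
        "hex": f"{n:08x}",
        "binary": f"{n:032b}",
    }


def in_range(addr: ipaddress.IPv4Address, cidr: str) -> bool:
    """True if addr lies inside the CIDR block (e.g. the one whois returned)."""
    return addr in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    a = parse_ip_loosely(REPORTED_VALUE)
    print(describe(a))
    print(f"{a} in {ARIN_RANGE}: {in_range(a, ARIN_RANGE)}")
```

The order of the checks matters: the dotted form is tried first, then `0x` hex, then decimal, and only then bare hex, so an ambiguous eight-digit string is treated as decimal unless it carries a prefix.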

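An added decoder for the raw dump quoted above, not code from the post or from the firewall that produced it: it parses the Ethernet, IPv4 and TCP headers with `struct`, verifies the IPv4 header checksum and the TCP checksum (pseudo-header included) against the bytes, walks the TCP options, and separates the bytes that lie beyond the IP total length from the packet proper. The hex below is transcribed from the dump's hex columns with the ASCII gutter dropped (76 bytes, the length the tool reports). Two things worth checking fall out of running it: the raw bytes carry `C0 A8 00 07` (192.168.0.7) in the IP source field rather than the 10.10.10.10 shown in the summary, and both checksums verify for those bytes; and the 14 bytes after the 48-byte IP datagram read `namequery\x03com\x00`, the shape of a DNS-encoded label rather than TCP payload (the SYN itself carries no data). Because the decoder checks that the one's-complement sum over a header including its stored checksum is 0xFFFF, it does not matter that the summary prints the checksum bytes in the opposite order (`0xa878` for the bytes `78 A8`).

```python
import struct

# Constructed input: the hex columns of the firewall dump quoted above,
# transcribed with the ASCII gutter removed (76 bytes).
DUMP_HEX = (
    "00 09 5B 6D A0 9C 00 12 F0 44 4E 4B 08 00 45 00 "
    "00 30 7E 5B 40 00 80 06 78 A8 C0 A8 00 07 D1 35 "
    "71 DF 06 3C 00 50 D0 3A 6B 76 00 00 00 00 70 02 "
    "40 00 FD 1D 00 00 02 04 05 B4 01 01 04 02 6E 61 "
    "6D 65 71 75 65 72 79 03 63 6F 6D 00"
)

# TCP flag bits, least significant first (RFC 793 plus ECN and NS bits).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
TCP_OPTION_NAMES = {2: "MSS", 3: "WScale", 4: "SAckOK", 8: "Timestamp"}


def hexdump_to_bytes(text: str) -> bytes:
    return bytes.fromhex("".join(text.split()))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum: 16-bit big-endian words added with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum_valid(data: bytes) -> bool:
    """A header summed with its own checksum field intact gives 0xFFFF
    exactly when the stored checksum is correct."""
    return ones_complement_sum(data) == 0xFFFF


def parse_tcp_options(raw: bytes) -> list:
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP: single byte, no length
            opts.append(("NOP", b""))
            i += 1
            continue
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed TCP option")
        name = TCP_OPTION_NAMES.get(kind, f"kind{kind}")
        opts.append((name, raw[i + 2:i + length]))
        i += length
    return opts


def mac(b: bytes) -> str:
    return "-".join(f"{x:02x}" for x in b)      # same style as the dump


def decode_frame(frame: bytes) -> dict:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    (vihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _ipcsum, saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("bad IPv4 header")
    if proto != 6:
        raise ValueError(f"not TCP: protocol {proto}")
    segment = ip[ihl:total_len]
    trailer = ip[total_len:]                 # past the IP length: not packet data
    (sport, dport, seq, ack, off_flags,
     window, _tcpcsum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    dataofs = (off_flags >> 12) * 4
    # TCP checksum covers a pseudo-header (src, dst, zero, proto, TCP length).
    pseudo = saddr + daddr + struct.pack("!BBH", 0, proto, len(segment))
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "ip_src": ".".join(map(str, saddr)), "ip_dst": ".".join(map(str, daddr)),
        "ip_id": ident, "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ip_checksum_ok": checksum_valid(ip[:ihl]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)],
        "window": window,
        "tcp_checksum_ok": checksum_valid(pseudo + segment),
        "options": parse_tcp_options(segment[20:dataofs]),
        "payload_len": len(segment) - dataofs,
        "trailer": trailer,
    }


if __name__ == "__main__":
    for k, v in decode_frame(hexdump_to_bytes(DUMP_HEX)).items():
        print(f"{k:16} {v!r}")
```

When a tool's decoded summary and its raw bytes disagree, the bytes win: recomputing the checksums from the raw frame, as above, tells you which addresses the packet actually carried.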