[Full-disclosure] Re: Breaking Computrace LoJack Part II



Maybe, just maybe, there's a parallel universe with you and a mirror
of your laptop. Of course in the other universe some things would be
different, such as the DoD IP address block.

On 1/7/06, obnoxious@xxxxxxxx <obnoxious@xxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Breaking Computrace's LoJack Part II
>
> After my first hurried document, I figured I'd offer some follow-up
> information. An employee from Absolute.com contacted my employer
> rambling on about me being misinformed on their product. The
> employee from Absolute was more than likely a salesman as he
> couldn't answer technical questions so I requested that he send me
> information about my laptop since he was "concerned" that it had
> not "phoned home". But yet he was stating it had "phoned home" and
> Absolute was still able to track my machine.
>
> One thing this person stated was that "my machine was still calling
> in, but not updating their database with information on the state
> of my machine to their front end, but the back end was still
> working". Meaning, although my machine was not phoning home, it was
> phoning home. After a quick chuckle I again iterated that if this
> were the case - that my machine still contacting his company - he
> should be able to provide me with the information my machine was
> supposedly sending. After I received his response I sent off a
> detailed e-mail calling his bluff.
>
> According to the staff at Absolute.com, my machine had called in
> yesterday (January 06th 2006) morning at 9:45am. They even provided
> me with an IP address. I was shocked and ready to throw in the
> towel at that point, but decided to respond right back to them.
>
> Firstly, on January 06th 2005, my machine was powered down.
> Secondly, it was not physically plugged into any network. Thirdly,
> Troppix was running on the machine and the CD was still in its
> drive. Now I wondered what a marvelous feat it would be for 1)
> Absolute to create a kinetic based program to power up my machine
> at will. Such a great feat would bring them millions in revenue
> from people seeking to conserve money on power. I then thought even
> neater of them to have the ability to connect my machine to a
> network without my knowledge. Zeroconf (www.zeroconf.org) must have
> sped up production and given rights to Absolute or something.
> Almost lastly would be the fact that they've ported over Windows
> executables and DLLs over to Linux.
>
> If that wasn't enough of a slap in the face, Absolute graciously
> provided me with what they labeled an IP address. The address they
> gave me was 485819880. So I wondered? 1CFC05E8?
> 00011100111101010000010111101000? What kind of crap are they giving
> me? If that's a decimal IP that would place me at 28.245.5.232.
> That would mean that my machine was "phoning home" from a
> "Department of Defense" network which would probably make me a
> terrorist. Now I informed Absolute that I have a static address at
> home, this I could verify with my company's syslog server as well
> as 4 other (non company) servers which could provide them with my
> IP address if they wanted it for verification purposes. Surely a
> provider wouldn't pull Absolute's chain and give them false
> information so any claims by Absolute of me "fabricating my IP
> address" would be an insult.
>
> [root@imposter security]# echo 485819880 | trans.pl
> [root@imposter security]# 28.245.5.232
>
> [root@imposter security]# whois -h whois.arin.net 28.245.5.232
> [Querying whois.arin.net]
> [whois.arin.net]
>
> OrgName: DoD Network Information Center
> OrgID: DNIC
> Address: 3990 E. Broad Street
> City: Columbus
> StateProv: OH
> PostalCode: 43218
> Country: US
>
> NetRange: 28.0.0.0 - 28.255.255.255
> CIDR: 28.0.0.0/8
> NetName: DSI-NORTH2
> NetHandle: NET-28-0-0-0-1
> Parent:
> NetType: Direct Allocation
> Comment: ARPA DSI JPO
> Comment: 7790 Science Applicationis Crt.,
> Comment: Vienna, VA 22183 US
> RegDate: 1996-03-11
> Updated: 2000-04-13
>
> So now as it stands, Absolute has a kinetic, Zeroconf, password
> cracking, interchangeable (Windows executable to Linux binary)
> product capable of finding anyone anywhere on the planet. For those
> wondering about the password cracking part, how else could it have
> booted up Troppix and logged in - in order to send out information.
>
> To be fair I decided to boot into Windows XP turn on my firewall
> and watch whatever tries to connect to - where and why. Sure enough
> Internet Explorer was trying to send out information to a site that
> just so happened to be owned by Absolute. Packet data anyone?
>
> Protocol : TCP
> Local Address : 10.10.10.10
> Local Port : 1596
> Remote Name : search.namequery.com
> Remote Address : 209.53.113.223
> Remote Port : 80 (HTTP - World Wide Web)
>
> Ethernet packet details:
> Ethernet II (Packet Length: 76)
> Destination: 00-09-5b-6d-a0-9c
> Source: 00-12-f0-44-4e-4b
> Type: IP (0x0800)
> Internet Protocol
> Version: 4
> Header Length: 20 bytes
> Flags:
> .1.. = Don't fragment: Set
> ..0. = More fragments: Not set
> Fragment offset:0
> Time to live: 128
> Protocol: 0x6 (TCP - Transmission Control Protocol)
> Header checksum: 0xa878 (Correct)
> Source: 10.10.10.10
> Destination: 209.53.113.223
> Transmission Control Protocol (TCP)
> Source port: 1596
> Destination port: 80
> Sequence number: 3493489526
> Acknowledgment number: 0
> Header length: 28
> Flags:
> 0... .... = Congestion Window Reduce (CWR): Not set
> .0.. .... = ECN-Echo: Not set
> ..0. .... = Urgent: Not set
> ...0 .... = Acknowledgment: Not set
> .... 0... = Push: Not set
> .... .0.. = Reset: Not set
> .... ..1. = Syn: Set
> .... ...0 = Fin: Not set
> Checksum: 0x1dfd (Correct)
> Data (0 Bytes)
>
> Binary dump of the packet:
> 0000: 00 09 5B 6D A0 9C 00 12 : F0 44 4E 4B 08 00 45 00 |
> ...[m.....DNK..E.
> 0010: 00 30 7E 5B 40 00 80 06 : 78 A8 C0 A8 00 07 D1 35 |
> ..0~[@...x......5
> 0020: 71 DF 06 3C 00 50 D0 3A : 6B 76 00 00 00 00 70 02 |
> q..<.P.:kv....p.
> 0030: 40 00 FD 1D 00 00 02 04 : 05 B4 01 01 04 02 6E 61 |
> @.............na
> 0040: 6D 65 71 75 65 72 79 03 : 63 6F 6D 00 |
> mequery.com.
>
> So what was the best thing to do? Block it via my firewall or play
> with my hosts file:
>
> echo "127.0.0.1 search.namequery.com" >> C:\PATH\TO MY\HOSTS ...
>
> Maybe I could have played with Absolute using Scapy
> (http://www.secdev.org/projects/scapy/):
>
> <Ether dst=00:09:5b:6d:a0:9c src=00:00:00:31:33:17 type=0x800 |<IP
> version=4L
> ihl=5L tos=0x6 len=67 id=1 flags= frag=0L ttl=255 proto=TCP
> chksum=0xa878
> src=3.1.33.7 dst=209.53.113.223 options='' |<TCP sport=1337
> dport=80 seq=0L
> ack=0L dataofs=5L reserved=0L flags=S window=8192 chksum=0xbb39
> urgptr=0
> options=[] |<Raw load='POST /1DJ1TS' |>>>>
>
> Perhaps change IP addressing every 5 minutes on a script, call them
> and ask them "Can you hear me now..." ... "Can you hear me now..."
>
> Anywho(w)...
>
> Now I'd really like to know what Absolute has to say about 1) their
> miraculous methods of finding my machine even when it is booted
> into Windows with me redirecting via my hosts file. I'd also like
> to know why if they were so concerned - as this salesperson's call
> alluded to, why didn't he mention the 3-4 other laptops in my
> stable that haven't "phoned home".
>
> Anyhow, the jury is out on this... Absolute has yet to respond
> (once again). So for those from Absolute reading this (you've done
> so before... Obviously in order to contact me at work) let it be
> known, prior to the original writing being posted, and prior to
> this one being sent, your company was notified.
>
> J. Oquendo
> obnoxious||hush.com
> "Please no tears no sympathy" -- VNV Nation Epicentre
> echo "\$|[\$_-
> >{_,s:.(.).+.(.):print+(\$1..\$2)[15,22,13,4,3]:e}]"|perl
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.4
>
> wkYEARECAAYFAkO//YwACgkQo8cxM8/cskrizgCeOx/r0Q5X+e2sJ375wMnk1qb+ShYA
> nRqFBg14AaunNHf3wVeRLTNjPxd/
> =xTxH
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


--
Article:
-
And an unknown college dropout named Bill Gates, together with his
partner Paul Allen, wrote a version of the programming language BASIC
for the Altair, forming a company called Micro-Soft in the process. He
would later drop the hyphen and the capital S, and make billions of
dollars.
--
Comment:
+++
Dammit Slashdot! If you would just drop the capital S, you could be
making billions of dollars too!
+++++
http://slashdot.org/comments.pl?sid=171335&cid=14270286
+++++++
www.opensource.or.ke
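As an added example, not part of the quoted post and not code from Absolute or any of their tools: a small Python script that redoes the two checks the post makes by hand. It converts the decimal value Absolute supplied into a dotted quad (what the post's trans.pl did) and decodes the binary dump of the outbound SYN to search.namequery.com, recomputing the IPv4 and TCP checksums from the raw bytes. The frame bytes are copied from the dump above; the function names and the dict layout are my own.

```python
"""Decode the artifacts quoted in the post: a decimal 'IP address'
and the raw Ethernet frame of the SYN toward search.namequery.com.
Standard library only."""
import ipaddress
import struct

# The decimal value Absolute supplied as an IP address (from the post).
ABSOLUTE_DECIMAL = 485819880

# The binary dump from the post with offsets and ASCII columns stripped;
# the sniffer wrapped each 16-byte row over two lines in the mail.
FRAME_HEX = " ".join([
    "00 09 5B 6D A0 9C 00 12 F0 44 4E 4B 08 00 45 00",
    "00 30 7E 5B 40 00 80 06 78 A8 C0 A8 00 07 D1 35",
    "71 DF 06 3C 00 50 D0 3A 6B 76 00 00 00 00 70 02",
    "40 00 FD 1D 00 00 02 04 05 B4 01 01 04 02 6E 61",
    "6D 65 71 75 65 72 79 03 63 6F 6D 00",
])
FRAME = bytes.fromhex(FRAME_HEX)

# TCP flag bits, least significant first (RFC 793 plus ECN bits).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def decimal_to_dotted(n: int) -> str:
    """32-bit integer -> dotted quad (the conversion trans.pl performed)."""
    return str(ipaddress.IPv4Address(n))


def dotted_to_decimal(addr: str) -> int:
    """Dotted quad -> 32-bit integer, the inverse of the above."""
    return int(ipaddress.IPv4Address(addr))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum. Returns 0 when run over a header
    that already carries a correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_frame(raw: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP and verify both checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
    ip = raw[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, hdr_sum = \
        struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    src_ip = ipaddress.IPv4Address(ip[12:16])
    dst_ip = ipaddress.IPv4Address(ip[16:20])
    if proto != 6:
        raise ValueError("not TCP, protocol %d" % proto)
    segment = ip[ihl:total_len]
    trailer = ip[total_len:]  # bytes past the IP total length: link trailer
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    # TCP checksum covers a pseudo-header (addresses, proto, length) too.
    pseudo = src_ip.packed + dst_ip.packed + struct.pack("!BBH", 0, proto, len(segment))
    return {
        "src_mac": _mac(src_mac), "dst_mac": _mac(dst_mac),
        "src_ip": str(src_ip), "dst_ip": str(dst_ip), "ttl": ttl,
        "ip_checksum": hdr_sum, "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "tcp_header_len": (off_flags >> 12) * 4, "flags": flags,
        "tcp_checksum": struct.unpack("!H", segment[16:18])[0],
        "tcp_checksum_ok": inet_checksum(pseudo + segment) == 0,
        "trailer": trailer,
    }


if __name__ == "__main__":
    print("%d -> %s" % (ABSOLUTE_DECIMAL, decimal_to_dotted(ABSOLUTE_DECIMAL)))
    for key, val in parse_frame(FRAME).items():
        print("%-16s %r" % (key, val))
```

Both checksums verify when the fields are read in network byte order (0x78a8 and 0xfd1d); the sniffer's decoded view printed them byte-swapped as 0xa878 and 0x1dfd, so a reader comparing the decode against the dump should expect that. The source address in the raw bytes decodes to 192.168.0.7 rather than the 10.10.10.10 of the summary lines, which is worth remembering when sanitising a capture: the decoder only reports what the bytes say. The 14 bytes after the IP total length are a link-layer trailer, not TCP payload, and decode to the "namequery.com" text visible in the dump's ASCII column.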