A Hacker’s Marginal Security Helps Return Stolen Computer

Gather round and hear the story of how a hacker outsmarts a criminal. [Zoz] was robbed and they got his desktop computer. Gone, right? Nope. Because of a peculiar combination of his computer’s configuration, and the stupidity of the criminal, he got it back. He shares the tale during his Defcon 18 talk (PDF), the video is embedded after the break.

[Zoz’s] first bit of luck came because he had set up the machine to use a dynamic DNS service, updated via a script. Since the criminal didn’t wipe the hard drive he was able to find the machine online. From there he discovered that he could SSH into it, and even use VNC to eavesdrop on the new owner. This, along with a keylogger he installed, got him all the information he needed; the guy’s name, birth date, login and password information for websites, and most importantly his street address. He passed along this juicy data to police and they managed to recover the system.

http://www.youtube.com/watch?v=U4oB28ksiIo

[Thanks Ferdinand via Gizmodo]

76 thoughts on “A Hacker’s Marginal Security Helps Return Stolen Computer

  1. Unlikely story! How did the criminal establish an account on this stolen Linux machine without also knowing vital passwords? Even if the machine was set to login to a user automatically, the Linux system would still prompt him for vital passwords occasionally. It is unlikely that a stolen machine like this running Linux could even be usable to someone who didn’t know vital passwords. The fact that the “thief’s” street address was retrieved seems far fetched when the thief is dealing with a foreign Linux operating system. Why would the thief use a foreign Linux machine like this so intimately? It’s not April Fool’s Day, is it?

  2. As a security certified individual this seems to make sense. A Keep-alive should be implemented on all computers to ping, or some other network transaction every hour or so. If you control a website, you can locate your missing computer with a router or firewall log, or an IDS configured properly.

    OpenSSH is a great and secure technology which allows secure backdoor access to your devices.

  3. Vigilante justice, it’s usually a bad thing but this guy did a perfect job.

    To be a good thief you need to be intelligent, espcially these days.

    Truecrypt and track your stuff. Paranoia is always the rule.

    A couple of thieves got into the company i work at and stole computers and cellphones. I told my boss to phone in the IMEI numbers to the police so they could track the thieves. The thieves got busted and i got a raise.

    I’d like an IMEI for computers. I know some people would object to this privacy-intrusion. But dumb assholes could be easily busted for stealing with this tech.

  4. Jons, IANAL, so I’ll just wonder out loud which takes precedence: (1) the legal owner of a device using said device; (2) intentionally accessing a computer without “authorization” per 18 U.S.C. § 1030 and as subsequently amended.

    I’ll make a wild ass guess that (1) is the winning answer. I’d better hope so, as I had already set up my son’s college laptop with a few scripts and ssh access as a backup to a commercial thief tracking package.

    The whine of the pendant: since Zoz wasn’t home when his computer took a hike, he wasn’t “robbed”. He was burgled.

  5. I don’t understand why this is “news”. Homegrown as well as commercial off-the-shelf solutions have been available for years, such as the popular “Undercover” for MacOS and Computrace for Windows.

    He does make a good point that less security can be advantage. Full Desk Encryption, BIOS/EFI passwords, and login passwords can both help and hinder asset recovery. These measures will usually prevent unauthorized users from connecting to the Internet and activating the anti-theft platform. A frustrated thief may try to sell the property, or they may abandon it. In the best case they will return it.

    It is a common suggestion to leave an unpriveleged “Guest User” available on laptops so that thieves (and guests) can use it. Make sure there is a web browser and you can connect to Wi-Fi.

    Remember, if the thief must reinstall the OS to use the computer, the reinstall would result in the removal of OS resident anti-theft.

    Hardware embedded security such as Absolute, Intel AT and Phoenix FailSafe will survive an OS install, allowing the tracking component to reactivate after a knowledgeable user or a computer service shop has bypassed other security. However, this requires more work and skill, and may not be possible with some BIOS passwords. The person who ends up with a working laptop could be far from the original thief.

    And, at least on Dell and Toshiba computers, the security install state is visible right in the BIOS. It can be checked even without entering the setup password (if set), and explains that the feature is anti-theft. It’s useful for genuine owners to check their security but this could also tip off an unauthorized would-be user as well.

  6. “as a security certified individual” ???

    (with worthless gibberish following it)…
    dude, where did you get your “certification” ?
    (and what did you do before you got it ?).

    based on your comments, it tells me you’re
    like so many of these ‘graduates’ of some lame
    certificate program, where memorization is
    more important than actual hands on HACKING
    experience.

    and i’m an “old school guy” from the Heathkit H11,
    and IMSAI 8080 days.

    ZoZ is 3l33t ! …. if he’d only lay off with
    that annoying lip smacking noises though.

  7. @Chris
    This is why this is incredibly stupid.
    Guzman could have easily bought it off craigslist. I wonder if the owner’s response would have been the same if it was an elderly woman, instead of a young minority.
    Don’t think so.

  8. There are a number of commercial products that do this as well.
    A nice one for Mac is called Undercover: http://www.orbicule.com/undercover/

    Sure, it’s not free and open source, but it does do a few extra things like fake a hardware failure so the thief takes it to an Applestore, where the computer will recognise it’s at an apple store (via IP address or something) then set off alarms to let them know the computer is stolen.

  9. lol, great story.

    Moral of the story is “Always re-install the OS when you steal an electronic device.”

    I had my alpine car stereo stolen once, never got it back. Always wanted to add gps tracking to my stereo after that. Or booby-trap it with razor blades! And all my cd’s were taken too. I even had some of my band music in there. Cant be replaced :( Probably gave them a good laugh if they listened to it ;)

    I wonder if this guy had other stolen things in his house? Zoz never said if he got back his storage drives?

  10. Lucky it was dialup. One floor I ran into trying get a computer back was when it is re-connected behind a router or NAT there is no direct port access unless you get into the router and setup some port forwards.

    Phone home apps like LogMeIn and p2p vpn like Hamachi are life savers but does anyone know of a phone home reverse SSH?

  11. Hmm I think this wouldnt work in most cases. If the thief uses the stolen computer behind a router you’d never be able to SSH into the computer. By factory default, typical home routers block WAN ssh access (youd need to forward port 22 anyway) and wan pings.

    So did the owner just luck out and the thief was just directly connected to the net?

  12. Kudos to the victim for being smart enough to find his stolen machine this way.

    I often wonder why laptop manufacturers don’t securely lock all the components in their machines such as LCD panels (the most expensive part), Bluray drives etc with a mechanism that flashes “STOLEN!!!” in bright red flashing letters on the screen and renders the other parts unusable if anyone tries to install them in a machine they were not originally locked to.
    HDDs have this already but it is too easily bypassed.
    Would also reduce the number of stolen screens and mainboards that get laundered online as “2nd user” or “Refurb” etc.

    Wonder why this never caught on, the LCD panels have internal firmware and E2PROM ID chips so securely embedding code in this would be easily verifiable through the OS whatever it may be.

  13. @zeropointmodule — that is a horrible idea. It would be virtually impossible to get all of the manufacturers to settle on a standard to implement this (which is necessary because of the way consumer electronics are manufactured; company A and B make semi-compatible LCDs, company C makes the mainboard, company D makes the RAM, company E, D, F and G make the accessories, and company H makes the enclosure, and company I and J put it all together). not only would it cost much more to implement, but all of the cost would come back on the customer; two-fold, as it would be a selling point. this would also mean that the device can’t be upgraded after the fact, simply filling land fills even faster than the current rate.

    there are much better ways to combat this issue than the one you proposed.

  14. Just dont leave it out to get stolen! Keep it in a safe place. If they break into your house to steal it, get a gun to protect it.

    Seriously i could care less about the electronics and more about the data. Thats why i have a NAS box hidden, to back up data. And why i’m almost serious about building a server in a cement box in the back yard. or at least my nas box can go in it :)

    @vtl, your answer is above your question. The MAC had dialup.

    And it was probably about 8 years ago since G4’s were made in 1999-2004. i am suprised about the type of accounts the thief had considering it was 8 years ago. right when facebook and myspace were begining to be popular and he already had accounts? Maybe my 8 year time is not correct.

    Anyone know when this happened?

  15. If I did this the police would say “uh, what? Go away”
    If I then insisted they would get someone who knows computers who would then say “now prove this machine is yours, and you just admitted you hacked in someone else their computer, that is illegal, and how do we know you didn’t simply put info in that system remotely claiming it’s yours? Without evidence there is no possibility for us to act, now go away”

    Then I might say “I have a receipt with the serial number” (highly unlikely but for argument’s sake)
    And then they would say ‘but that still leaves only your claim he has it, we don’t feel like ransacking people’s home based on hearsay’

  16. @bullzebub:
    ifconfig hw ether 00:DE:AD:BE:EF:00
    Try doing that with your cellphone’s IMEI. MACs were never intended to be used for security.

    It is simple enough to create a reverse ssh tunnel for behind NAT. (Which I’d guess would happen most of the time, I’d guess most thieves would just steal wifi, not connect directly)
    Run the following occasionally(write a script and add it to cron):
    ssh -L10000:127.0.0.1:22 remoteserver.example.com -N
    Then, if it ever does get stolen, one can simply ssh to port 10000 of their remote server (which you hope wont be stolen), and now has a shell regardless of NAT. I’d love to see this made into a proper linux daemon!

    I never appreciated the advantages of leaving your machine somewhat open before this. Though you should still have some security in mind, and keep your own account locked. Configure a second guest account for them to use. (This way, they won’t be able to view / delete your data as easily.) Hopefully the average thief will be content with a functional machine and won’t bother wiping it.

  17. >Anyone know when this happened?
    — pRoFlT

    It happened within this year, dates from 2009-2010 show up in the slides of stuff showing the guy’s information. He also mentions the police recovered the computer right after he submitted the slides for the event.

  18. Although the recovery was a good thing, there is no way of knowing if Guzman actually stole the machine in the first place. He may have purchased the machine in good will. Although judging by the look of him…. hang on prejudice, much!

  19. @cruisefx

    >> Linux machine

    It’s/wasn’t a “Linux” machine.

    >> set to login to a user automatically,

    You can configure sudo on “Linux” to allow a user to run commands as other users without knowing that users password and if you configure it incorrectly you can run commands as other users/root without even knowing the user you are logged in as’s password.

    >the Linux system

    It’s not Linux.. oh and Linux is an “kernel” not a full operating environment.

    >this running Linux could

    It’s not running Linux. How to root a stolen Linux machine? init=/bin/sh ..

    >“thief’s” street address was

    If you even cared to watch the video you would see that the guy installed a key logging KEXT into the **OSX** kernel.. so anything that guy typed into his browser was logged.. and the guy was visiting online dating sites, checking his credit card, looking for a job. And if you watch the video you will see he got his street address from his credit card’s internet banking page.

    >> a foreign Linux operating system.

    A: An operating system is only what runs in supervisor/protected mode in most cases.. it’s not the desktop environment, shell etc. There are literally hundreds of Linux distributions out there and tens of desktop environments. Some of them are even “easy to use”.

    B: The computer in question is/was running OSX.

    >It’s not April Fool’s Day, is it?

    No, it’s not April Fool’s Day. You just can’t understand what the guy in the video is saying and don’t know anything about “Linux”.

    @Adam Outler

    >As a security certified individual

    Certified by who for what?

    “A Keep-alive should be implemented”

    Why and where? If the guy in question wasn’t such a retard he would have re-installed that machine and bye bye “keep-alive”. The machine being configured to automatically login as the main user is the only reason he didn’t re-install it. If he couldn’t have logged in he would have ebayed or downloaded an OSX disk and the DynDNS updates that allowed the owner to locate the machine wouldn’t have happened.

    “on all computers to ping,”

    That isn’t a keep-alive is it? And no, all computers shouldn’t have to report to an online heartbeat service. People shouldn’t steal other people’s stuff in the first place.

    >>control a website,

    Why do you need to control a website?
    All my machines have OpenVPN installed and on boot connect to one of my co-located boxes. This is how I do back-ups etc.. if some tit stole one of my machines and booted it up I would have access to it. OpenVPN has no problems going through a NAT etc.

    >> with a router or firewall log

    Which router? Which firewall log? If the machine is calling home.. why do you need to look at a log at all? Also you can’t reliably find a machine just from it’s IP alone.. you might be able to work out what city it’s in but you would still need to do like the guy did in the video and watch what the new user is doing until they give up some personal information.

    >> or an IDS configured properly.

    Huh?

    >> OpenSSH is a great and secure technology

    Well, the transport is secure.. if you use silly login credentials it’s not all that secure. The amount of people that don’t use public key logins and move SSH to unprivileged ports thinking that it makes it go into some sort of “stealth” mode is pretty high.

    >> which allows secure backdoor access

    For someone that is “certified” you really need to get a handle on your terminology. Since when is SSH a back door? It’s massive stinking front door.. it’s not a hole stuck in some other application to allow hidden remote access. It’s an application running on a machine that the local admin has full control over.

  20. @atrain

    >> love to see this made
    >> into a proper linux daemon!

    It’s called OpenVPN.

    @zeropointmodule
    >> I often wonder why laptop
    >> manufacturers don’t securely
    >> lock all the components

    Because that would be a really stupid idea.
    Let’s think about something that is regularly stolen and coded? Car stereos.. does coding work in the slightest? Does it stop stolen units turning up for sale unlocked? nope.

  21. Glad he recovered his hardware. Glad to know best practices are wasted on morons like the thief. Were I to steal a computer, I might check it for useful data, but would not bother connecting to any networks without a full wipe. Especially if the machine is windows based, it could have a virus. As far as encrypting/protecting the hardware components, like the LCD screens and rom drives, I also think that idea would be bad. I repair and rebuild laptops for people. If I can buy an LCD panel for $200-300 new, or an entire ‘dead’ laptop for $50, generally, most of my customers want the cheaper parts, exceptions being for things like hard drives, and sometimes (depending on cost) mainboards. I’m all for security, and being able to track my hardware, but there has to be a limit. I for one wouldn’t want to have to spend $1200 to buy a $350 laptop, nor would most people on a budget, although admittedly, in my case I’d just buy a new laptop and salvage the parts from my dead machine for someone else.

  22. I agree that this is a pretty unlikely story, seems strange that thief used the computer for all sorts of personal stuff… seems like a laptop thief would just sell it and you’d come after the person who bought it.

    @zeropointmodule and ReKlipz
    I think you both missed the point. What if my screen breaks and I want to legitimately replace it with a used screen to save some money?
    No way I’m going with some proprietary manufacturers crappy hardware that is locked down.

  23. And you call this guy a “hacker” who able to setup dyndns client and keylogger on a machie…

    I guess defcon gets more and more degenerated, good that i dont waste time going for cons.

    I also got ripped with a cellphone lately but i dont even bother reporting scammers because dont worth my time just buy another one.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.