The Khaki Bandit Strikes At IT - 130 Stolen Laptops
destinyland writes "'The khaki bandit' posed as an office worker at several corporations and successfully stole over 130 laptops which he later sold on eBay. The ease of theft from the corporate offices (including FedEx and Burger King) shows just how bad corporate security can be. In some cases, the career thief just walked into the office behind an employee with a security badge. Two million laptops were stolen just in 2004, and of those 97 percent were never recovered. Ultimately it was the corporate headquarters of Outback Steakhouse who caught the thief with a bugged laptop that notified them when he re-connected it to the internet."
In fact, just a couple of weeks ago, one of our directors went on vacation and left his laptop and projector just sitting on the conference room where he had last used it (a large, wide-open conference room used by hundreds of outside people each week). They sat there for several days before anyone noticed.
SJW: Someone who has run out of real oppression, and has to fake it.
why did he not blow away the HDD and reload before putting the thing on the internet?
FOXTROT UNIFORM CHARLIE KILO
from the article
"Larry Brass, the Tampa Police detective who arrested Eric Almly this spring, says he's not permitted to endorse a particular product. But he says if Outback's laptops were not outfitted with software called Computrace LoJack for Laptops, made by Absolute Software, there is "no question" Almly would be walking free today."
He will learn a valuable lesson out of this once he's out of jail: Wipe the laptop BEFORE connecting it to a network connection...
From the article "Over the years he'd pocketed at least $20,000", which comes to a mere $153.85.
No wonder eBay shoppers were happy with the deals they got.
God: An invisible friend for grown-ups.
For the bold and motivated thief, walking in and then out with a laptop is easy. Just look like you are supposed to be there. Slipping it into a briefcase helps with the illusion.
On the other hand, someone waltzed off with a 24" LCD monitor from the desk of a co-worker not long ago. His office was the furthest in from the door, so someone needed to be particularly bold to go all the way in, disconnect the monitor, and walk back out. No one saw him either, which is impressive considering the size of the load he was carrying. It's a lot harder to look and act natural about carrying a large monitor than a laptop.
...I work in a shop on occasion, and the number of stolen laptops that come through with people trying to sell them to us is simply mind-boggling. I'm not talking about pissy little Pentiums, either, these are the latest, greatest in portable number crunching. Some have passwords on them as their only real identifying feature (the serial numbers and Microsoft licenses are usually scratched off), which I tell the seller is not possible to circumvent (in some cases they're not, being on the BIOS rather than the OS). Other tricks they have are coming in claiming they've lost or wrecked the power adapter (how convenient) and need a cheapo universal one. Sure, I'll sell them the universal brick but they're not testing the thing in the store.
Net bugs are a good thing to have, I think (got one on here), particularly given the plentiful supply of open wireless points in most large cities now. Turn on machine, bug sends data burst, thief is cornered. Hell, he doesn't even need to physically connect to a network these days.
Operation Guillotine is in effect.
Do I really need to write up a how-to for would-be criminals?
Virtualize the hard drive!
Remove networking from the VM.
Look for whatever goodies you're looking for on the HD.
Blow away the HD
Profit!
"If the thieves guild invested in blue overalls with Al on them, they could get away with anything." Social engineering IS one of the easiest to exploit security holes. It isn't much of a surprise that laptops were stolen using this technique.
seems like UPS means "Unidentified PC Stealer" as well as United Postal Service.
...this is categorically NOT possible on any significant number of laptops manufactured in the last 10 years. Modern BIOS passwords are secure enough to effectively brick any device where the password is lost, without significant expertise or specialist kit to bypass. Ric
This sounds like something Ricky and Julian, er, I mean Cory and Trevor would pull
Admittedly no genius. But what about the state of our corporate security, when it takes a mega corporation like Outback to catch an idiot, and the meager FedEx et al just write it off.
"No rules.* Just right."
* Except "Don't steal our laptops, mate."
United Parcel Service.
Support a few technologists in Washington.
FTA: "outfitted with software called Computrace LoJack for Laptops, made by Absolute Software"
It really is just a piece of software running in the background.
I was hoping it would be some sort of BIOS level code, but it looks like a system wipe would do the trick.
I remember when MOD was an audio format, and DOS wasn't a network attack....
Obviously laptops and similar technology are the most desirable things to snatch in the workplace, but this is by far a new story, and old-fashioned thieves still steal old-fashioned things.
We had a thief walk in one day and snatch a purse right off a desk 3 feet from me. I wasn't at my desk at the time. The thief walked right out the front door and even nodded to the receptionist, who noticed him as unusual and didn't recognize him but didn't see the purse. She did remember it was a man and that's about it.
She quickly cancelled her cards and got a replacement cell phone and the thief fortunately only got away with a few bucks in cash. Since then I never leave my desk without my cell phone or my wallet (which I used to leave in my coat in the winter).
We all want to be trusting of everyone around us, because it makes us feel good, and we don't know absolutely everyone, even in a business of 300 people. We implemented security since this and other incidents around the building. The company's been around since the 1960s and it's the first time we felt we needed security.
"All great wisdom is contained in .signature files"
...are really not enough for security. I work at a building that I need keycard access to, but cards eventually become worn and some break so that they cannot be displayed anymore, and the company won't pay for a new one every time that happens. So there are two results: People don't wear them explicitly, and people don't question who they are letting into the front door behind them. I'm personally in favor of having a guard stationed at a single entry, at least for larger buildings; someone who can recognize people's faces and can be held responsible for stopping people he doesn't know. ...There's the danger of him being an asshole, but I'd be willing to take that chance.
http://www.wulfram.com?mkid=31257 - Sounds like this is going to start a wave of corporations bugging their laptops to ensure employees don't steal them and reconnect to the net! What fool didn't format the bloody thing anyway?
The article says it's Computrace's LoJack for Laptops. We looked into the corporate version awhile ago due to the remote-wipe feature.
If the laptop has the proper version of TPM, it will even automatically re-install itself if the thief reinstalls Windows. Not sure if that's a good thing or a bad thing, having the BIOS infecting the machine... If it's stolen though, it's a good thing.
I was working in a high security environment. You know, the whole thing with magnetic cards, guards sitting there and watching people going in and out of the building, timestamps everywhere, in short, the company knew down to a second where you've been all day.
Or rather, where your key card has been.
You guess what happened? Exactly. One of those cards was stolen, one of the high level IT cards to boot, and the thief just waltzed in and went out with 2 servers. Nobody bothered to ask him what he's doing there. He has access to highly sensitive areas, so why bother asking why he's hauling around servers. That's his job, you know?
When nobody is supposed to do something, nobody expects anything's wrong when someone does what isn't supposed to be done. Especially in a high rotation hire and fire environment. Do you think anyone would question it when you put on a uniform and a trainee button and just go behind the counter of some fast food restaurant? Just tell everyone you're the new guy and avoid the manager.
It works.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I couldn't find the post asking how the guy was caught (i.e. what software), but here you go.
FTA:
Larry Brass, the Tampa Police detective who arrested Eric Almly this spring, says he's not permitted to endorse a particular product. But he says if Outback's laptops were not outfitted with software called Computrace LoJack for Laptops, made by Absolute Software, there is "no question" Almly would be walking free today.
Here is how it works: after a computer is stolen, the victim notifies Absolute's recovery team. When the thief accesses the Internet via that computer, the Computrace software on his computer silently broadcasts information that allows the team to determine his physical location.
With a street address in hand, police can make an arrest. The corporate version of the software gives subscribers the ability to remotely delete sensitive information from a computer.
Your sig(k) has been stolen. There is a puff of smoke!
As the article says Ebay doesn't require listing laptops' serial #s. I would want to know the serial # of a laptop as a buyer to be sure it wasn't stolen.
From what I've heard, the piece of software in question (Computrace) works by installing itself to the Windows partition (so it will auto-reinstall when Windows is wiped and reinstalled). Of course, it will not work if the thief simply installs Linux.
Ultimately it was the corporate headquarters of Outback Steakhouse who caught the thief with a bugged laptop that notified them when he re-connected it to the internet.
Which is funny as hell, because I've read several times on Slashdot (sorry, no time to search) about people who have their laptops set to do just that, but when they inform the police that their laptop is in use by a customer of this ISP with that IP address, they're told to go pound sand, that the police don't have time to go catch criminals that you can lead them to. It's trivial--especially with MacBooks--to have it send you not only the IP address but a picture of the thief if you want--but it seems to do no good.
Maybe the thing to do would be to get laptop insurance and then have the info emailed to the insurance company.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Disclaimer:
Educational purposes only - submission as evidence by prosecution and/or plaintiff constitutes mistrial, dismissal with utmost prejudice and/or overturn on appeal.
~ Gloves first
~ Use Isopropanol wipes to remove fingerprints
~ use hydrogen peroxide wipes to destroy DNA residue; don't use bleach for it is a corrosive.
~ Research make and model for security features, such as BIOS level wireless ID broadcasting (such info may not be published due to public policy reasons).
~ Do NOT power up laptop as is.
~ Remove NVRAM battery to clear NVRAM.
~ Remove any devices in the card bus slots and identify. If such are NICs, dispose (MAC addresses are unique therefore traceable)
~ Remove hard drive and copy contents thereof onto desktop system (dd if=/dev/hd? of=/home/spy/hdimage)
~ Wipe laptop hard drive clean (dd bs=256k if=/dev/zero of=/dev/hd?)
~ Disable any and all integrated NICs because there may exist BIOS level 'rat code'.
~ With all NICs disabled, copy and reverse assemble BIOS to check for any such code.
~ For those with $$$, build a copper RF shielding box (NSA, anyone?) with a WAP inside tied to a PC running tcpdump (isolated subnet) to see if it is trying to 'phone home'.
As for the net bug feature, that has some false incrimination potential.
Actually
How (apart from physically separating the NIC from the rest of the system, i.e. rip the chip off the board or cut the relevant PCB traces) would you go about that ?
It consists of never buying new equipment unless it is absolutely necessary, and then buying second-hand if at all possible.
If a thief made it into the building and walked out with all the computers here, he might make $150 on ebay if lucky.
But he'd be more likely to just get a hernia.
The brazen airport computer theft that has Australia's anti-terror fighters up in arms
--
Simon
Somehow I have a hard time believing 2,000,000 laptops were stolen in a single year. That's nearly 5,500 per DAY. I don't think Dell even moves that many laptops in a day. And I don't know a single person, personally, who had their laptop stolen. Ever. Where do these numbers come from? Are people just reporting stolen laptops for insurance claims? And now they have two laptops?
No sig for you. YOU GET NO SIG!
VANCOUVER, Dec. 13 /PRNewswire-FirstCall/ -- Absolute(R) Software ("Absolute") (TSX: ABT), the leading provider of computer theft protection and secure asset tracking solutions, today announced a milestone in the company's efforts to drive the standard for PC theft recovery and Secure Asset Tracking(TM) - the availability of Computrace support in the BIOS across all four of the top tier PC manufacturers' commercial notebook lines.
Absolute first announced BIOS support for its theft protection technology with IBM/Lenovo on February 1, 2005; followed by announcements with Gateway on August 9th and HP on October 4th. Today, Dell announced a set of customer solutions that leverages Dell's embedded BIOS support for Computrace allowing customers to address issues of regulatory compliance, data protection and PC theft recovery.
We don't use it here, but I believe once you enable it in the BIOS, it can't be disabled. Obviously, there's always a way to disable everything, but it's not a matter of formatting a drive or changing a BIOS setting. It comes down to hex-editing the BIOS data or replacing the BIOS chip or something.
Right. My question is:
What percent of ALL stolen property is ever recovered. I bet it is no different than laptops. Heck, laptops seems likely to have a BETTER rate of return.
My experience is that if you get robbed, the cops fill out a report so you can send it to your insurance but otherwise have important speeding tickets to give out.
This is a comment I posted on Fark: I kid you not, I know this guy. In the early 90's, we had a landlord who put a stove on our porch. It sat there for six weeks. We finally put it on the landlord's porch after repeatedly requesting it be moved and were evicted for said offense. Our friend moved in after us (even after being warned) and so did this Eric guy. We knew Eric as we would go visit our friends who still lived there. One day our friend went downstairs into the basement and it was covered in dust. It turns out that he had broken into a real estate business (might have been home based) and stole a safe. He was breaking the safe open with a hammer and concrete dust was everywhere. The police were called and to misuse a fark term, jailarity ensued. Our friend was then kicked out for stupid reasons and Eric had a new home for a while courtesy of the state of Minnesota if you know what I mean. He really was a one-kid crime wave. I'm not going to give Eric a lot of credit for being smart, as when he was breaking open the safe he was smashing through the top which was quite thick instead of the bottom which was much thinner. Maybe a dumbass tag is appropriate ...
A really smart thief gets someone else to do the dirty work for them, IMHO, of course (not that I really know :-)
Went to school at local Tech College about 20 years ago. Guy parked a van right outside the building on a sidewalk, came in and took several IBM mainframe terminals on a cart and left. The person who was monitoring the lab helped them load them onto the cart. They were worth about $1,000 each back then. He had overalls that had an IBM logo on it and a big white van. No one said anything until later. That is the biggest issue for all data and equipment at a corporation. People give out their passwords over the phone to the "IT Department", who should never need it. People need training, technology cannot solve the problem of stupid people.
What this guy did I've done many times. Sure I didn't steal anything but using this tactic to get the advantage over others is dead easy. For example... long line in front of a store selling the new Wii: "sorry, passing through - sorry, I work here." and 5 minutes later I walked out with my Wii while others spend hours waiting. It just takes a certain aura really; when people see you walk by they have to think "he belongs here". You'd be surprised how easily I can cut a line in an attraction park wearing an old repair company jacket I got for a spare time job. Why wait an hour or more if you can just walk past everyone... I'm pretty sure I could walk in most large companies, take almost anything I want and walk out without anyone questioning it. As mentioned above just stick a big sticker "RMA" or "repair" on a 30" monitor and walk out like you're just doing your job. I wonder if this falls under social engineering.. I mean you're basically (ab)using the people around you to believe you're someone else.
?? Alright, so I kidnapped some dude chanting "Yankees Suck!" in the North End, but how exactly do I tie him to the PC? I thought bungie cords might do the trick, but fuck is this guy greasy.
This is another case of an illegal wiretap of American citizens! They did not get a warrant from the FISA court before installing the software on his laptop, making it completely illegal. This is an abuse of private citizens by an overzealous government! This poor fellow should be immediately freed, his criminal history cleared, and an apology with monetary reimbursements for his trouble! The owners of the Outback Steakhouse should immediately be imprisoned for causing this travesty of justice!
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
The university I work for requires that all devices used on campus have their MAC addresses registered. If a device is reported stolen we can then find out which switch port or AP the thing is connected to. I've recovered several notebooks this way for users who had been ripped off by someone on campus.
I'd rather have a full bottle in front of me than a full frontal lobotomy.
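The switch-port lookup the university admin above describes is worth seeing concretely. What follows is an added example written for this page, not code from that poster or from any campus NAC product: it parses constructed `show mac address-table` style dumps from two hypothetical switches, normalises the vendor-specific MAC formats (Cisco dotted, colon and dash separated), and reports which switch, VLAN and port a reported-stolen MAC is currently learned on. The registration database, switch names and table contents are all made up for the example.

```python
import re

# Constructed data: the campus registration DB (normalised MAC -> owner/asset)
# and "show mac address-table" output captured from two hypothetical switches.
REGISTRATIONS = {
    "00:1a:2b:3c:4d:5e": {"owner": "alice", "asset": "laptop-0142"},
    "00:1a:2b:3c:4d:5f": {"owner": "bob", "asset": "laptop-0143"},
}

# MACs the helpdesk has flagged as stolen (constructed).
STOLEN = {"00:1a:2b:3c:4d:5e"}

SWITCH_TABLES = {
    "sw-lib-1": """
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/7
  10    001a.2b3c.4d60    DYNAMIC     Gi1/0/8
""",
    "sw-dorm-3": """
Vlan    Mac Address       Type        Ports
  20    001a.2b3c.4d5f    DYNAMIC     Gi2/0/12
""",
}

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(raw):
    """Accept 001a.2b3c.4d5e, 00-1A-2B-3C-4D-5E or 00:1a:... ; return aa:bb:cc:dd:ee:ff."""
    digits = _NON_HEX.sub("", raw.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# One data row: vlan, mac, learn type, port. Header and separator rows do not match.
_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:-]{12,17})\s+(\S+)\s+(\S+)\s*$")


def parse_mac_table(text):
    """Yield (vlan, mac, port) for every data row of a MAC table dump."""
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        vlan, mac, _learn_type, port = m.groups()
        try:
            yield int(vlan), normalize_mac(mac), port
        except ValueError:
            continue  # a row that looked like data but carried a malformed MAC


def locate(switch_tables, wanted):
    """Return {mac: (switch, vlan, port)} for each wanted MAC seen on any switch."""
    wanted = {normalize_mac(m) for m in wanted}
    hits = {}
    for switch, text in switch_tables.items():
        for vlan, mac, port in parse_mac_table(text):
            if mac in wanted:
                hits[mac] = (switch, vlan, port)
    return hits


def report(switch_tables=SWITCH_TABLES, stolen=STOLEN, registrations=REGISTRATIONS):
    """Human-readable lines for the helpdesk ticket, one per located device."""
    lines = []
    for mac, (switch, vlan, port) in sorted(locate(switch_tables, stolen).items()):
        reg = registrations.get(mac, {})
        lines.append(
            f"{mac} ({reg.get('asset', 'unregistered')}, owner {reg.get('owner', '?')}) "
            f"is on {switch} port {port} vlan {vlan}"
        )
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Two caveats a practitioner would add: a MAC address is trivially changed by the holder, so this catches the opportunistic campus thief the poster describes and nothing more; and the entry only exists while the device is active on that port, so the lookup has to be run (or the switch logs polled) promptly after the report.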
The reason I know we were hit by him is that one of the surveillance camera photos in one article was taken with our surveillance camera.
Why was it possible? Several people in that office, lots of walk-in and walk-through traffic, and nothing was locked down. We provided and required the use of locking cables, but the employees there hated locking things up. Someone needs to invent a locking docking station with fingerprint reader to release the lock.
Losing things is part of corporate business, and if things aren't encrypted (even on desktops), then it's your fault. Every place I have worked has had a slow, steady trickle of laptops departing by way of cleaning staff, terminated employees, underpaid employees, and the normal dishonest employees.
Can be seen here
Ironic someone said they didn't trust him, he was a fraud. At least one bidder got the scoop.
A feeling of having made the same mistake before: Deja Foobar
To disable ethernet, just don't plug a cable into it. To disable 802.11, physically move the machine to anyplace that is NOT in a wireless hotspot.
If fate makes you a motorcycle, you become a motorcycle.
It's an American restaurant. They just use Australian marketing themes.
So it's basically root-kitting the BIOS via the Flash-ROM? Ok, you might want to do this to retrieve stolen laptops, but isn't this an obvious security issue? Should there be an open-source BIOS rootkit detector? This might not be too hard - just scan the BIOS ROM, generate checksums and check against a database of legitimate BIOSes..
"A nation that forgets its past is doomed to repeat it." - Churchill
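The checksum-against-a-database idea in the comment above is simple enough to show end to end. The following is an added example written for this page, not any poster's code and not a real detector: it hashes a dumped firmware image with SHA-256, looks the hash up in a known-good table keyed by vendor, model and version, and on a mismatch reports the first offset at which the image diverges from the reference, which is where a manual disassembly would start. Both "firmware images" are constructed byte strings, and the vendor and model names are placeholders.

```python
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a dumped BIOS ROM: 16 KiB of deterministic filler,
# and a copy with a 16-byte patch at 0x1200 standing in for an added module.
GOOD_IMAGE = bytes(range(256)) * 64
_tampered = bytearray(GOOD_IMAGE)
_tampered[0x1200:0x1210] = b"PHONEHOME-STUB!!"
TAMPERED_IMAGE = bytes(_tampered)

# Known-good database, as the comment proposes: (vendor, model, version) -> hash.
# The reference would normally come from the vendor's signed release, not from
# a field unit; here it is derived from the constructed GOOD_IMAGE.
KNOWN_GOOD = {
    ("ExampleVendor", "Model-X", "1.02"): sha256_hex(GOOD_IMAGE),
}


def verify_image(image, vendor, model, version, db=KNOWN_GOOD):
    """Return (verdict, actual_hash); verdict is "match", "mismatch" or "no-reference"."""
    ref = db.get((vendor, model, version))
    actual = sha256_hex(image)
    if ref is None:
        return "no-reference", actual
    return ("match" if actual == ref else "mismatch"), actual


def first_difference(a, b):
    """Offset of the first differing byte, or None if the images are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def diagnose(image, vendor, model, version, db=KNOWN_GOOD):
    """Verdict plus, on mismatch, the offset where the reference and image diverge."""
    verdict, actual = verify_image(image, vendor, model, version, db)
    if verdict != "mismatch":
        return verdict, None
    ref_image = GOOD_IMAGE if db.get((vendor, model, version)) == sha256_hex(GOOD_IMAGE) else None
    return verdict, (first_difference(ref_image, image) if ref_image is not None else None)


if __name__ == "__main__":
    for name, img in (("good", GOOD_IMAGE), ("tampered", TAMPERED_IMAGE)):
        verdict, offset = diagnose(img, "ExampleVendor", "Model-X", "1.02")
        print(name, verdict, None if offset is None else hex(offset))
```

The limits are the ones later comments in this thread run into: a whole-image hash also covers settings and NVRAM-style data that legitimately change, so a real tool hashes only the code regions; the reference hashes have to come from the vendor, not from a machine you hope is clean; and once the tracking agent ships inside the vendor's own BIOS, as the press release quoted further down says it does, it is part of the "legitimate" image and a checksum will not flag it.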
AFAIK the product and its support was found to be rather deficient [PDF file].
Could be a good marketing coup, but I'd like to know how such a program could survive. To stick it "in the BIOS" implies deep knowledge of the BIOS (and a lot of space) of each system, so I have trouble believing that statement, especially if it then also does a re-install. Sorry, I have occasional attacks of gullibility but that is just too much to accept..
It's not true. Just remove the battery from the mobo for a few hours and the BIOS password/settings will be reset.
See http://www.trust-us.ch/cryptome/01-Cryptome-061213/lojack-hack.pdf. Maybe they did solve the problem, but that still makes me worried about responses to vulnerabilities.
And I don't like the idea of a system reporting to some 3rd party where it is. I have no way to check that information is only used in a benign way..
I'm appalled at how much cat hair I get in the keyboards of the laptops I get back from some of our employees! The CPU cycles being used by the virus spam mailers must be warming it up for the cat to snuggle with.
And crumbs too! "I'll tell you why your keyboard isn't working. It's got a full tablespoon of Dorito crumbs spread evenly under every fucking key."
Maybe the thieves are stealing from each other.
I'd be rushing out to buy the product if I was convinced the statements I find are credible, but that's where my problem starts - the longer I look at what they're claiming the more problems I have with it.
The issue is the survivability of the software - they claim it will survive a reformat, and so far I heard a couple of theories how. Neither stacks up.
In principle, the claim is that they have somehow managed to write something with the capabilities of a boot sector virus, but which can hide itself in the system BIOS to survive a full reformat (to be precise, I don't think that was THEIR claim, someone else offered this as a theory).
Let's consider how the code could survive.
(1) Read-only hard disk sector. There's no such thing, because it would be a dog to update. and to implement without special hardware, which would require device AND version specific code. I don't buy that.
(2) Hidden partition. This would mean they'd somehow managed to bribe M$ into using code that wouldn't look at a hard disk and spot the boot link to the code. Well, BIOS limits apply: it starts with a boot sector, and that gets overwritten. Bye bye code.
(3) Parked in the BIOS waiting for a bootup. Given the number of BIOSes out there and the variation per system and revision thereof I don't buy that one either. If it's so easy to do I would like to ask 3 questions:
- why can't the Linux BIOS project do the same
- why would a manufacturer leave so much on-chip space
- would you be happy with something going so close to the metal with respect to system stability? I wouldn't trust a laptop to boot up from a copy of Ubuntu if someone had messed with the BIOS, let alone Windows, and I don't believe you have enough code space there to hide something that is sophisticated enough to (a) detect the OS and (b) insert the correct code.
Based on the above, I think the more realistic scenario is that the guy jacked in the laptop BEFORE he reformatted it and thus triggered the transmission, but that wouldn't sound so swell in the article. The nice thing for the company selling Lojack is that it simply has to abstain from commenting for the sales-driving myth to grow. I can see lots of CEOs already calling their CIO and mandating this as a corporate standard - but AFAIK it's based on complete BS which makes me not just wary to buy the product, I would now actively avoid the company because it's selling a product that is mediocre at best. You get a hint of that by their claims that they employ ex law enforcement personnel. Start thinking as a business, and you'll soon start asking the question where the sense would be in that.
In conclusion, I don't buy it in more ways than one. I've been messing with PCs since the IBM XT got cloned, and I will need some serious convincing before I'd believe/buy this story. My theory is that the reporter misunderstood the technology and the reseller is happy to let the myth build.
Which says: AVOID! You will end up with people having a false sense of security, which is worse than having none - and that is unforgivable.
If this was remotely possible, don't you think there would be legions of professional criminal coders busy working out how it was done?
It's the holy grail of Trojan engineering..
Interesting - you appear to state something that the supplier itself categorically avoids addressing on their website.
:-), but the supplier carefully leaves the obvious question unanswered.
So we have now unsubstantiated claims in the wild that the code will survive a reformat - but the manufacturer itself avoids any mention of survivability. I guess it's too obvious an instruction for wannabe thieves: zap the box before you plug it in. BTW, this is why I tend to remove recovery partitions - why help a thief to the original software? We have a DVD backup of it anyway (the Sony laptops need a dual layer one just to hold all the crap they install on top).
How did you arrive at the idea that Lojack survives a reformat? Do they state that in the product docs or FAQ? I'd be interested in the specific quote.
So, the conclusion is that this product requires a combination of dumb thieves and dumb buyers to work. That's still a pretty large group given the amount of Windows users (cough
Which is an answer in itself.
> A few years ago I was working in IT for a university.
:-)
> One of the professors didn't like the buttons by the touchpad because he
> would bump it with his palms while typing and end focus would change to
> some other app. So instead of disabling the touchpad, he just broke
> the buttons off. That was fun to explain to the Dell rep when he had
> some other hardware problems that needed to be replaced.
So what is wrong with that?
A laptop is just a tool - unless you work in advertising and use a Macbook Pro, that is
If you are a mechanic and feel that the long handle of the hammer is getting in your way when using it, you will saw off an inch or two.
Unless you share the hammer with other people who might need the extra length, that seems perfectly o.k. to me.
It is a longstanding tradition that professional craftsmen would improve and hone their personal tools to improve their efficiency.
You would expect a professor to be an outstanding mind and find creative solutions to all sorts of problems.
You probably do not have this kind of "problem" with the accounting department.
Could you imagine a guy like the late Feynman, wasting three hours of his time googling for tips on how to disable some keys, when a pair of pliers and 30 seconds would have solved a problem that began to annoy him some saturday evening when working on a difficult paper? Or him getting a ticket with IT on monday morning, so they get it fixed at some time during the week?
Yeah we've been having similar problems where I work. This guy, he keeps dressing up like a security guard, coming in, sabotaging security equipment so he doesn't get caught, and stealing the briefcase that a manager left on his desk. On top of that he must somehow have access to our database, because the nametag on his security badge always has one of our names on it. On one occasion he was brazen enough to stroll in dressed like ME! I've tried to warn my people to keep an eye out at the entrances but they keep claiming they never saw him. It's like the guy's got some kind of cloaking field or something. I'm sick of getting stabbed in the back by these kinds of people. I swear to god, one of these days I'm gonna have to resort to just shooting everyone that walks in the door just to make sure they are who they appear to be.
"Over the years, he pocketed at least $20,000"
I would have thought that several years' worth of illicit labor should be worth more than what a minimum wage job pays in one year. 130 laptops, if laptops average $1000, well that's $130k. Of course, when it's stolen you want to move them for whatever price you can, but that still seems like he made very little money.
And now he's getting married to his cellmate. Doesn't seem worth it...
Thanks, I didn't find that in the regular product descriptions.
:-) - that addressed the size issue, although I found that it apparently needs a working copy of Windows re-installed before it can reconstruct itself. This seems to imply that the BIOS component merely kickstarts the install of whatever lives in the HPA, which would make sense given size constraints.
The HPA area isn't that well protected but it would take at least a much smarter kind of criminal, and if you're that smart you could make a living in IT instead (there's an inclination and risk vs reward debate lurking here which I'm leaving aside
BIOS resident functions have implications for maintenance as you now have two different parties who have to collaborate for a BIOS patch, so I suspect this is based on some sort of API to keep it manageable. The ugly thing is that Lojack thus appears to have at least identified a potential route to write a TSR (Terminate & Stay resident) trojan, which is a door I would have hoped to stay closed a bit longer. I give it a couple of months before code appears to target that HPA component, and then the fun *really* starts - the moment someone finds a way to crack what's in the HPA you can replace it with your own version of the cookie monster and then all hell will break loose. This approach could offer a bigger industrial espionage backdoor to global information than Windows could ever present by itself.
This could get more interesting than I originally thought..
Thanks for the data.