Picking Computer Case Locks

Recently, I found the (legitimate) need to pick a computer case lock on a PC tower in a situation where the hard drive resided in a hot swap bay, but the key was not included. Computer keys are most commonly found as a short, tube-shaped piece with a stubby handle and a small bump to put torque on the lock. Upon initial inspection, nothing looks to be unique about case lock keys. I actually tried two “homeless” keys, but to no avail. Shortly thereafter, I noticed that there were four small cuts in the outer edge of the key tube, sliced at different heights. Comparing one key to another, I found that they were indeed different, and were quite similar to the bumps on a household key. The locks work the same way, but the pins are simply in a circular arrangement instead of linear. With every pin exposed instead of hidden deeper and deeper into the lock, it should be far easier to pick than a household lock. I just had to try.

With a pair of thin needlenose pliers clamped on to apply tension to the lock’s center tumbler, I pressed a straightened paperclip into each pin location. After a few gentle presses, the lock turned just slightly. The first set of pins was then picked. Without removing pressure with the pliers, I moved on to the next three sets of pins, doing the same procedure to each. Upon pressing in the fourth pin, the lock tumbler turned completely, and the drive was freed. Not terribly secure, but I’m guessing they’re not meant to be.


Sony Rootkit Roundup

BoingBoing has a great timeline of the Sony “rootkit” fiasco that’s recently made news around the world. I’ll leave the details up to them. For a great audio summary, download the related Security Now! podcast. The EFF has also posted an open letter, asking Sony to make good. Here’s hoping that Sony receives legal action as a result of their spyware-like tactics. Lastly, Wired magazine is calling for consumers to boycott Sony copy-protected CDs until they come clean and recall all the infected discs.


Comcast Setup

Here’s a scary article detailing the unsafe security practices of Comcast’s cable modem setup software. Definitely worth a read if you have or plan to set up cable internet through Comcast. I’m glad I’ve always insisted on just calling them up after receiving the cable modem and simply reading the serial number and MAC address off the bottom of the modem.

Setting up an internet connection really shouldn’t require anything complicated, much less software that poses a significant security threat to your computer. If Macs do eventually end up with viruses and trojans and all that mess, it will be because of serious oversights like this on the part of other companies, not bugs within the OS itself. That said, I’ve been quite happy with the speed of Comcast’s service, that’s for sure.


Secure Communication

An interesting article describes how scientists are using a single beam of photons to create a “secure” data line, as opposed to lasers, which emit many streams. How having a single beam helps make it more secure, I’m not quite certain. I would guess that if you could intercept one beam of photons from a laser, it would be possible to intercept the single one as well.

The security of information depends on the properties of light that is used to transmit data. Laser beams which are used at the moment send billions of photons, making it easy for hackers to steal some of them and break the code, said Rabeau.

Despite their efforts, this won’t stop people from writing their passwords down beside the sending or receiving computer at either end. The weakest link of the chain is often the people involved, not the technology. That’s not to say it isn’t susceptible to attack, but unfortunately all the advanced technology in the world can’t stop the power of a Post-It. [via digg]


Uncrackable

While I’d like to keep this a Mac-oriented site, I can’t help but chuckle at how fast technology gets cracked. Case in point: Several days ago, Microsoft launched their Windows Genuine Advantage program which ensures that only real, licensed copies of Windows can receive updates. Pirated copies of Windows will only be able to get patches up to the launch of the WGA program, but will be left behind from future updates. Not anymore.

It’s always a bad idea to tout your product as uncrackable. Doing so is nothing more than a big, blinking, neon sign attracting talented individuals to try their best to break it. I can’t think of a piece of technology yet that hasn’t been cracked in some way. Xbox, PSP, TiVo, and software activation of all sorts have been cracked…


One Less Phishing Website

I take back what I said about hacking not being the best way to get rid of phishing/scam websites — it’s a great way! Why the sudden change? Here’s my experience…

Earlier today, I got a standard PayPal phishing email with the subject “Your account will be suspended!”, claiming that my account would be removed shortly if I didn’t fill in my PayPal information. This is an extremely common ploy, and PayPal frequently reminds you never to follow through with these kinds of emails. Out of curiosity, I copied the link they so desperately wanted me to click, and pasted it into my browser. I examined it closely to make sure my email address wasn’t encoded into the URL in some way, and hit Return to load the page. While the address started out with a valid-looking domain, it was actually an eBay banner link which was modified to redirect me to a fake server further down the link (and out of view in a standard browser window). A page loaded which looked exactly like the PayPal homepage, but you can be sure it wasn’t.

Judging by the “/~test/” in the address in my browser, I could see that the scam site was located on a server under a user’s account. To see what else was there, I removed the PayPal scam directories from the address, and went to the user’s folder. I couldn’t believe what I stumbled upon.

Before my eyes was a page labeled “PHP Shell 1.7,” with a command line, execute button, and output area. Knowing full well what this was — a PHP script which executed the given instruction at the command line of the server it resided on — I typed “ls” and hit Execute Command. The contents of the user’s folder were displayed in the text field below the command, just as if I were sitting at a keyboard connected to that machine. I knew what was next. I took another look at the scam address from the email, and used the PHP Shell to change directory to the actual folder where the scam files were located. Using a simple ‘tar’ command, I gathered all the files into one, and grabbed the whole lot (for further investigation, as well as a backup…just in case). After that, I did a simple “rm -r PayPal” to delete the entire scam website. Revisiting the link in the phishing email returned a 404 Not Found. I tried to remove the single PHP Shell script itself, so other users of the site aren’t at any possible risk, however it had permissions which denied my removal attempt.

While my efforts were hardly what I’d consider hacking, if what I did helped save one person from having their information stolen, I feel it was worth it. That’s just one phishing site among thousands, though. The real solution is to educate people about the malicious intent of scammers, and to give them the knowledge to simply ignore fraudulent emails.
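
The phishing link in this post started with a trusted-looking domain and carried its real destination further down the URL. As an added example (not part of the original post), this Python check extracts URLs nested inside a link and reports any that name a different host, which is how a mail filter or a cautious reader could spot the trick before clicking; the sample links and host names are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# An absolute http(s) URL appearing inside another string.
EMBEDDED_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def _host(url):
    """Lower-cased hostname of url, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def embedded_targets(link, max_depth=3):
    """Return (outer_host, [other hosts named by URLs nested in link])."""
    try:
        parts = urlsplit(link)
    except ValueError:
        return "", []
    outer = _host(link)
    # A redirect target can hide in the path, the fragment or any query value.
    candidates = [parts.path, parts.fragment]
    candidates += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hosts = []
    for text in candidates:
        # Peel repeated percent-encoding, a common way to obscure the target.
        for _ in range(max_depth):
            for match in EMBEDDED_URL.findall(text):
                host = _host(match)
                if host and host != outer and host not in hosts:
                    hosts.append(host)
            decoded = unquote(text)
            if decoded == text:
                break
            text = decoded
    return outer, hosts

# Constructed sample links (documentation-only host names and addresses).
SAMPLES = [
    "http://ads.trusted.example/click?id=42&loc=http%3A%2F%2F203.0.113.7%2F~test%2FPayPal%2Flogin.html",
    "http://ads.trusted.example/click?loc=http%253A%252F%252Fphish.example%252Fa",
    "https://shop.example/redirect?next=https%3A%2F%2Fshop.example%2Fcart",
]

if __name__ == "__main__":
    for link in SAMPLES:
        outer, hosts = embedded_targets(link)
        verdict = "off-site redirect to " + ", ".join(hosts) if hosts else "no off-site target"
        print(f"{outer}: {verdict}")
```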


Hackers Take On Scam Websites

Angered by the growing number of Internet scams, online “vigilantes” have started to take justice into their own hands by hacking into suspected fraud sites and defacing them.

These hackers have targeted fake websites set up to resemble the sites of banks or financial institutions in recent weeks, and have inserted new pages or messages. Some say “Warning – This was a Scam Site” or “This Bank Was Fraudulent and Is Now Removed.”

While I can’t say that hacking is the best way to go about shutting down phishing sites, it’s probably the quickest way to stop them from gathering unsuspecting users’ information. It’s nice to know there are some people out there willing to do something about it, even if it means breaking in. Read the rest. [via]
