MacLockPick
Has anyone seen this before?
MacLockPick
Now this is for law enforcement professionals but what if it "escapes" in the wild? Scary to say the least.
Can anyone explain how and what in Mac OS X made such software possible?


Comments
They want $500 for a software that reads files from the logged in user?
But how is it possible to read passwords for encrypted disk images if they are not stored in the (unlocked) Keychain? Also they say more than once that the software is not limited to the described features. So what else is there? Admin passwords, root access?
But how is it possible to read passwords for encrypted disk images if they are not stored in the (unlocked) Keychain?
Where do you see that? I see:
General - Includes (but is not limited to) passwords for encrypted disk images,
That's from the login keychain, which in the default settings is unlocked whenever you're logged in. The other mention of disk images merely refers to the paths of which ones were open, not to being able to mount them.
I admit I've only skimmed the page (largely because it's written in such a sensationalist OMG HAXOR SOFTWAREZ manner), but I see nothing too unusual thus far.
Where do you see that?
I do not see it explicitly but the description lets you easily assume it.
That's from the login keychain, which in the default settings is unlocked whenever you're logged in. The other mention of disk images merely refers to the paths of which ones were open, not to being able to mount them.
It says:
Includes (but is not limited to) passwords for encrypted disk images.
This tells me that the software can somehow read the password of a protected disk image, plain and simple. I thought this was nearly impossible.
Also I don't see what is the meaning of this phrase:
The user password of the logged in user. Often this is shared for root access and FileVault encryption.
Does this mean that it is possible to get root access and break the FileVault protection using the password of a regular user?
Includes (but is not limited to) passwords for encrypted disk images.
This tells me that the software can somehow read the password of a protected disk image, plain and simple. I thought this was nearly impossible.
Read it from the unlocked keychain.
Also I don't see what is the meaning of this phrase:
The user password of the logged in user. Often this is shared for root access and FileVault encryption.
Does this mean that it is possible to get root access and break the FileVault protection using the password of a regular user?
When he's logged in, sure. That's the entire point.
As for root access, some applications are so dumb as to store the root password in the keychain, yes.
When he's logged in, sure. That's the entire point.
But how? Keychain again?
If all this is about just the keychain, then I understand your initial reaction. This should not be more than an inexpensive shareware.
But how? Keychain again?
Since FileVault is just an encrypted sparse disk image of your entire home directory, and disk image passwords are stored in keychain: yep.
If all this is about just the keychain, then I understand your initial reaction. This should not be more than an inexpensive shareware.
Well, I could be terribly wrong. I just haven't found anything in the description yet that makes me wonder 'how do they do that?'. And if there was something, it would make for a compelling (and perhaps justified in price) piece of software, but it would also raise a lot of questions about the morals of its developers, since it would imply security holes that they should have reported to Apple long ago.
Instead, all I see is mechanisms that work just the way they are supposed to, with the one exception that you shouldn't be able to find the root password in keychain. Like I said, however, I have indeed come across apps that, unfortunately, place it in there.
Whatever the case, I would appreciate if someone could prove me wrong.
Since FileVault is just an encrypted sparse disk image of your entire home directory, and disk image passwords are stored in keychain: yep.
Oh, no!
Well, I could be terribly wrong. I just haven't found anything in the description yet that makes me wonder 'how do they do that?'. And if there was something, it would make for a compelling (and perhaps justified in price) piece of software, but it would also raise a lot of questions about the morals of its developers, since it would imply security holes that they should have reported to Apple long ago.
Instead, all I see is mechanisms that work just the way they are supposed to, with the one exception that you shouldn't be able to find the root password in keychain. Like I said, however, I have indeed come across apps that, unfortunately, place it in there.
Whatever the case, I would appreciate if someone could prove me wrong.
To be honest, and as was apparent from my posts, I did not understand well what all this is about and how it works. The price point indicates that there is something much less trivial than Keychain, but this is just an indication and nothing more. Otherwise, we have a problem here, Houston.
The price point indicates that there is something much less trivial than Keychain
Price point is always relative to the target market. It's not meant for home users.
It does do more than keychain stuff though. The disk image password feature is listed under the keychain category.
There's a more powerful version at twice the price:
http://www.macforensicslab.com/
All in all, it looks pretty standard stuff to me.
So how would you keep someone from doing this to your laptop? I mean the fuzz are going to do what they want, but some jackass in the airport stealing laptops could bypass the login, wipe it clean (once he got all my financial data) and resell my MBP. Could be worth the $500 investment.
What makes it even worse is that you can find this software for free. A quick Google search will come up with at least a dozen sites you can get it from. It sucks that applications like this are readily available. What's the point of having all the security and locking features, if all someone has to do is download a torrent and have all your information?
As a non-developer, this thread has me very worried about vaunted Mac Security, as does the email interview with Dino Dai Zovi by John Gruber of Daring Fireball:
http://daringfireball.net/2007/04/in..._dino_dai_zovi
I have a 2 part question for Chucker, PB, Marvin and the other trusted developer sources on this forum.
First, in light of what happened at CanSecWest (see the Dino Dai Zovi email interview with John Gruber of Daring Fireball), what advice would you give to the non-developer user to maximally protect their machine (Dai Zovi provides what seems to me to be very wise advice in his responses)?
Second, in light of the "forensic" programs described in this thread, is there anything Apple should be doing to modify the architecture of OS X that can prevent such programs from being used by malicious individuals to exploit our machines? (PB mentioned one "Apple should reconsider its policy about Keychain. This should not be unlocked by default when a user logs in.")
Thanks. I think you folks provide a great service on this forum and to the Mac community in general.
What makes it even worse is that you can find this software for free. A quick Google search will come up with at least a dozen sites you can get it from. It sucks that applications like this are readily available. What's the point of having all the security and locking features, if all someone has to do is download a torrent and have all your information?
So all I can do is hope that a) my laptop doesn't get stolen; or b) if it does, the individual that ends up with it is at least as dumb and uninformed as I am, if not more so. Good times.
So how would you keep someone from doing this to your laptop? I mean the fuzz are going to do what they want, but some jackass in the airport stealing laptops could bypass the login, wipe it clean (once he got all my financial data) and resell my MBP. Could be worth the $500 investment.
You can do that with an installer disc though. It allows you to reset passwords or just wipe the system. I can't really see that many uses for this device.
As a non-developer, this thread has me very worried about vaunted Mac Security, as does the email interview with Dino Dai Zovi by John Gruber of Daring Fireball
The fact that he uses a Mac himself for his main computer and more shows that if he's not worried about the security of his system then you shouldn't be either.
First, in light of what happened at CanSecWest (see the Dino Dai Zovi email interview with John Gruber of Daring Fireball), what advice would you give to the non-developer user to maximally protect their machine (Dai Zovi provides what seems to me to be very wise advice in his responses)?
First you should consign yourself to the fact that no computer is invulnerable to an attack. If you have information you want to protect, keep that information offline and/or encrypt it.
No software can break standard encryption methods, it's just not possible to do, if it was you'd know about it by now and there would be a system update pretty quick. All this software is doing is looking for clues about user activity for the most part. The best feature of the device really is just looking at the keychain assuming that OS X has left it open. If you don't use keychain then you have nothing to worry about.
Dai Zovi mentions not using an admin account and this would certainly protect from modifying system level components but I don't bother so much about that. If you have an up-to-date offline bootable backup then if any malicious software damages your files, you just replace them.
Second, in light of the "forensic" programs described in this thread, is there anything Apple should be doing to modify the architecture of OS X that can prevent such programs from being used by malicious individuals to exploit our machines? (PB mentioned one "Apple should reconsider its policy about Keychain. This should not be unlocked by default when a user logs in.")
I used keychain once by accident for a disk image password and stopped using it as soon as I saw it was unlocked at login. I think that's one of the stupidest designs ever. The way I think it should work is that it shows some visual cue like a mounted volume when it is open and it should always request a password to open the first time. It should also close when on screensaver or asleep.
One thing that I absolutely hate about OS X from a security point of view is the installer software. It asks you for your password without telling you what it is going to do. I normally install stuff manually. You can open the package, decompress the archive and put files in place. You can also use a program called Pacifist, which makes the process a bit easier.
What's the point of having all the security and locking features, if all someone has to do is download a torrent and have all your information?
That's not all they have to do if you follow secure habits.
I keep all my sensitive documents and passwords like online banking details in an encrypted disk image. The password for this is not stored in keychain. The only thing I use keychain for is passwords to website forums like this one so the worst that anyone can do is post a comment that looks like it comes from me (and you can easily disable this functionality in Safari). Every other file on my system, I couldn't care if someone looks at because I can almost guarantee they'd be of no interest to anyone.
Also, remember this software is for local use, not remote access. Like I say, if someone has a boot disc and access to your machine, it's about the same.
I keep all my sensitive documents and passwords like online banking details in an encrypted disk image.
Where can I learn how to do this?
Where can I learn how to do this?
To make an encrypted disk image, you just open Disk Utility, File menu, new > blank disk image. Then choose the size and whether or not you want encryption on it. You'd make it read/write and choose AES encryption. Uncheck the box that says to use keychain because this will store your password in keychain.
Choose the size depending on what you want to put in it. Don't use sparse images because they can be corrupted quite easily (which incidentally is one reason not to use filevault because that's what it uses). If you need more space, make a new image and just drag the old stuff over. You can just delete the old image because it's still encrypted.
You just mount this image when you need to get its contents and it will ask for your password each time. Unmount the image to secure the contents again. Remember if you have a file on the image open, you won't be able to eject it. You need to close those files/programs first. If you can't find those, you can force eject it by opening a terminal and typing hdiutil eject -force and dragging the image into the window and hitting return.
Thanks for posting that info on keychain physguy. It's good to know there are more secure options for it. The thing I prefer about disk images is it's all manual. Keychain feels like the system is controlling access to sensitive data and I can't control it. Also, I can put anything in disk images including applications. Best of all, I can back them up easily and access the contents from another computer.
There are some easier ways to deal with some of these issues
1) Keychain unlock at login
If you want to disable this, you can. Open Keychain Access in the Utilities folder and go to Preferences -> First Aid. Adjust the behavior as you wish.
2) You can also go to the Security pane of the System Preferences and set the system to automatically log you out after so much inactivity. This will re-lock the keychain at that time.
3) Make sure to disable any automatic login
4) Set the requirement to need a password when waking from sleep.
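An added example, not part of any post in this thread: a shell audit of the settings listed above (keychain locking, automatic login, password on wake). The output format of `security show-keychain-info` and the `defaults` keys `autoLoginUser` and `askForPassword` are assumptions about the OS X releases of that era, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit the hardening steps from the post above.
# The *_finding functions take command output as text, so they can be
# exercised on the constructed samples below without a Mac.

# Classify one line of `security show-keychain-info` output.
# Assumed format: Keychain "<path>" [lock-on-sleep] (no-timeout | timeout=<N>s)
keychain_finding() {
    kf_line="$1"
    case $kf_line in
        *no-timeout*) kf_out="WEAK: never locks on inactivity" ;;
        *timeout=*)   kf_out="OK: inactivity lock set" ;;
        *)            echo "UNKNOWN: unrecognised output"; return 0 ;;
    esac
    case $kf_line in
        *lock-on-sleep*) kf_out="$kf_out; OK: locks on sleep" ;;
        *)               kf_out="$kf_out; WEAK: stays unlocked across sleep" ;;
    esac
    echo "$kf_out"
}

# autoLoginUser (assumed key) is only set when automatic login is enabled.
autologin_finding() {
    if [ -n "$1" ]; then echo "WEAK: automatic login enabled for $1"
    else echo "OK: automatic login disabled"; fi
}

# askForPassword (assumed key) is 1 when a password is needed after sleep.
wake_finding() {
    if [ "$1" = "1" ]; then echo "OK: password required on wake"
    else echo "WEAK: no password required on wake"; fi
}

# Live audit of the default (login) keychain and login settings.
audit_host() {
    keychain_finding "$(security show-keychain-info 2>&1)"
    autologin_finding "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)"
    wake_finding "$(defaults -currentHost read com.apple.screensaver askForPassword 2>/dev/null)"
}

# Constructed sample lines, not captured from a real machine.
SAMPLE_DEFAULT='Keychain "/Users/demo/Library/Keychains/login.keychain" no-timeout'
SAMPLE_HARDENED='Keychain "/Users/demo/Library/Keychains/login.keychain" lock-on-sleep timeout=300s'

if command -v security >/dev/null 2>&1 && command -v defaults >/dev/null 2>&1; then
    audit_host                      # on a Mac: check the real settings
else
    keychain_finding "$SAMPLE_DEFAULT"
    keychain_finding "$SAMPLE_HARDENED"
fi
# To lock the keychain on sleep and after 5 idle minutes:
#   security set-keychain-settings -l -u -t 300
```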
Marvin and physguy,
Two great posts. I especially like the idea of using encrypted disk images for all of my important stuff: bank statements, taxes, confidential work docs, etc. I also like knowing I can now control Keychain selectively for situations that are important to me. Many thanks guys.