USB malware on OSX

I came across a link to the MacLockPick USB product made by SubRosaSoft. It sounded pretty wrong to me for a variety of reasons.

It is described by SubRosa as:

MacLockPick™ is a valuable tool for law enforcement professionals to perform live forensics on Mac OS X systems. The solution is based on a USB Flash drive that can be inserted into a suspect’s Mac OS X computer that is running (or sleeping). Once the software is run it will extract data from the Apple Keychain and system settings in order to provide the examiner fast access to the suspect’s critical information with as little interaction or trace as possible.

[...]

MacLockPick takes advantage of the fact that the default state of the Apple Keychain is open, even if the system has been put to sleep. It also makes use of the openly readable settings files used to keep track of your suspect’s contacts, activities and history. These data sources even include items that your suspect may have previously deleted or has migrated from previous Mac OS X computers.

I contacted Apple’s security team to see if they were aware of this, if it works as described and, if so, why would such mechanisms exist in any responsible operating system. I asked them:

If this works as advertised (and it seems reasonable to assume that it does, as SubRosaSoft is an established software product vendor), then malware on USB drives is an Apple-supported technology. Could you give me more information on the thinking behind why this is allowed to work?

I would think that auto-running USB executables and allowing them access to user keychains would not be in keeping with industry best practices. What does Apple have to say about this type of software? Does Apple enable or encourage the sale and availability of this software? If so, why? If not, what can be done to correct this behavior?

Their response was interesting and made sense given what I already knew about how the modern Apple operating system works.

Ah yes, Mac Lock Pick. I’ve had discussions with SubRosaSoft about the product and it cannot unlock a password protected Mac. The Mac must be on and cannot have “Require a password to wake this computer from sleep or screen saver” preference checked in order to work. Also if the Keychain is locked it cannot get at the Keychain data until a password is supplied. So if you leave your Mac open this type of product can work, but if you lock it down it cannot.

You may like the security config guide we put together with the NSA. It has some good advice for users who need more security than the default configuration of OS X offers.

Erik Hutslar, Security Product Marketing Manager, Apple

So basically this MacLockPick software is only effective against users who leave their keychains unlocked and/or do not require a password on the screensaver and on waking from system suspend.

Using FileVault, the integrated OSX encrypted filesystem solution, wouldn’t be a bad idea either so that your home directory will be AES encrypted. The NSA guides are a bit hard to find on the poorly maintained NSA website, but I have located them for you here for workstation and here for server.
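As an added example that is not part of the original post, here is a POSIX shell script that audits the three settings the post recommends changing (keychain lock-on-sleep, password on wake, FileVault). The output formats of `security show-keychain-info` and `fdesetup status` and the `com.apple.screensaver askForPassword` preference key are assumptions based on those tools' documented behaviour; the parsing functions are exercised on constructed sample output, and the live commands only run where they exist.

```shell
#!/bin/sh
# Added example, not from the original post: audit the mitigations it names.
# The classification is done in pure shell so it can be checked on constructed
# sample lines; the live macOS commands are only invoked when present.

# Classify one line of `security show-keychain-info` output (format assumed):
#   Keychain "<path>" lock-on-sleep timeout=300s   -> OK
#   Keychain "<path>" no-timeout                   -> WEAK (default state)
classify_keychain_info() {
    case "$1" in
        *lock-on-sleep*) echo OK ;;
        *) echo WEAK ;;
    esac
}

# Classify `fdesetup status` output ("FileVault is On." / "FileVault is Off.").
classify_filevault() {
    case "$1" in
        *"FileVault is On"*) echo OK ;;
        *) echo WEAK ;;
    esac
}

# Classify the legacy screensaver preference: 1 means ask for a password on wake.
classify_screenlock() {
    [ "$1" = "1" ] && echo OK || echo WEAK
}

# Live audit of the running machine; skipped when the macOS tools are absent.
# Remediation for a WEAK keychain: security set-keychain-settings -l -u -t 300
audit_macos() {
    command -v security >/dev/null 2>&1 || { echo "security tool not found, skipping live audit"; return 0; }
    echo "keychain:   $(classify_keychain_info "$(security show-keychain-info 2>&1)")"
    echo "filevault:  $(classify_filevault "$(fdesetup status 2>&1)")"
    echo "screenlock: $(classify_screenlock "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)")"
}

# Constructed sample lines: the default state the product relies on, and a hardened one.
SAMPLE_DEFAULT='Keychain "/Users/alice/Library/Keychains/login.keychain" no-timeout'
SAMPLE_HARDENED='Keychain "/Users/alice/Library/Keychains/login.keychain" lock-on-sleep timeout=300s'

audit_macos
```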

I am still a bit unclear on how this product would execute on insertion into a USB port. The same source at Apple told me that OSX does not perform this way unlike another popular operating system:

We don’t auto-run anything from a USB stick shoved in the port by default.

So if no program is executed upon insertion, how does this program execute itself in order to copy these assets from a subject computer? If such a supported mechanism exists, how can we be sure that only law enforcement will make use of it? Would chain of evidence be intact for use as evidence?
