Attachment: Password Security Breaches.txt ___________________________ / / / /\ ______/ ____/ ____/ / / / / / / ____/ / / /____ / ____/ / / / / / / / / / / /_/_/_/________/________/________/ / \_____\________\________\________\/ / . ../Macintosh Security/.. . / /________________________________/ Presents: Security Breaches in the Password Security Control Panel Owners of PowerBooks have the option of using the Control Panel "Password Security". With Password Security turned on the owner of the PowerBook can password-protect his/her computer. This involves a password dialog asking for a password every time the Hard Drive is mounted. In a day to day use this means that every time the computer boots up or is "woken up" from sleep, the dialog asking for the password appears. If an incorrect password is entered three times the computer either shuts down or "puts itself to sleep". The Password Security Control Panel stores it's settings in a file called "aaaaaaaaAPWD" in the root folder of the Hard Drive. This file is impossible to access under OS 8.5 due to the fact that it has the attribute of a disk. It can neither be moved, opened nor copied. It is, however, important to notice that this file contains a bit-flag indicating whether Password Security is turned on or off. It contains, furthermore, an encrypted version of the password. The first security breach in the Password Security Control Panel is that it generates an emergency password every time the password dialog is displayed. This password is a number generated using the current date, number of ticks since startup and the name of the Hard Drive. Due to these criteria it is almost impossible to generate the emergency password using another application. It is however possible to force the Control Panel to display the emergency password. This would, however, require tedious programing. There is unfortunately a much easier way to turn off the Control Panel. Using an emergency startup disk (or CD) and Norton Disk Editor anyone can turn off the Password Security Control Panel and even change the password. If the PowerBook is booted up using an emergency startup disk the password dialog will appear when the Hard Drive is being mounted. If the user cancels this operation the PowerBook will still be usable, although the Hard Drive will not mount, leaving all information on the Hard Drive unavailable. However, Norton Disk Editor has the ability to display and change data even on unmounted disks. Since the settings file, aaaaaaaaAPWD, can be accessed this way anyone can toggle the "on/off" mode of the Control Panel. This can be achieved by changing the value of the byte at offset three in the data fork from 01 to 00. Since the encrypted password is stored at offset 4 in the datafork of the file even that can be changed. Unfortunately there is no way to protect oneself from these security breaches currently. As always, the best way to protect information on a computer is by using "secure" encryption applications. --==< Disclaimer >==-- These security holes are very real and may be exploited for "damaging" purposes. The objective of this text file was NOT to encourage such behavior but simply to point out the existing security breaches of the Control Panel "Password Security". Therefore will neither mSec nor any of it's past, current or future members take any responsibility for any kind of damage that may occur due to any direct or indirect use of the information provided. --==< End Notes >==-- These security breaches were found by mSec. If you want to find out more about mSec please visit our homepage at: www.msec.net. You can also reach us and chat with the members on our Hotline server at: msec.net. This text file was put together by ProZaq. If you have any questions or comments, my e-mail address is: prozaq@usa.net