Scenario:

#Hacking #Bitcoin #Cypherpunks

Say you had 10 minutes (minus finding it and setting up) with someone’s MacBook, and you wanted to “infect” or pull as much information from it as possible without ANY logs showing that you’ve done anything to it, or plugged in any devices.

The MacBook is closed, asleep, and locked with the basic password.

What could you do, and could you ensure that there was no indication at all (no logs whatever) that suggested you had tampered with it?

If yes, what would you need to pull it off?

#asknostr


Discussion

Boot into tails via and copy files

How could you prevent usb logging though? I plugged in nothing but a charge cable and immediately unplugged it and there were like 100+ IOPort logs and kernel logs.

Booting to another OS would happen at the firmware/BIOS level, I don’t think it would create a macOS level event in the logs

But the laptop was on but closed & asleep, how would you shut down, boot into another OS & then return it to the previous state without logs?

Ya fair! I was only thinking USB logs in that specific instance, not thinking through the whole scenario

Aren't newer macbooks hard drives natively encrypted so that the files would be encrypted on download? I also don't think TAILS can boot on Apple Silicon (yet)

I don’t think Tails would have access to the local filesystem

I'm not a good hacker

Tis what I do 😅

the data are encrypted

Recovery is a better way, you can even reset passwords, it’s integrated, no logs

Tails still does not support M-series chips. macOS recommends encrypting all data on the first setup.

Easy. Rubber Ducky. Wouldn’t necessarily meet the no logs requirement, but there’s a lot you can do to obscure the commands you run. Plus, almost no one has the skill required to go through logs and craft together what actually happened.

https://shop.hak5.org/products/usb-rubber-ducky

In this case there are explicitly zero logs whatever for the time in which this would’ve occurred.

I don’t see how that’s possible tbh. At some level SOME log has to exist for activities performed.

Does a MacOS filesystem log reads (mounted read only) if not natively booted? And does Mac BIOS setting for USB boot or an encrypted filesystem/storage remain an obstacle to a viable attack vector?

I'm not a hacker or a Mac user since long ago. I'm a defender of opsec for self and those who value it.

I think by default the filesystem is encrypted, so you wouldn’t be able to read if you booted from another drive. There are times where there are vulnerabilities in firmware that allow this sort of thing though.

If you’re talking about a specific thing that’s happened, what likely happened is the attacker just deleted the logs of their activities.

How would they get root access to delete the logs? They wouldn’t be able to without it right?

The real question is about whether someone got into the computer at all, or if it wasn’t even touched. Because during the time span the logging has no records.

So either it was a sophisticated actor with merging I’m not aware of, or they could get root access. But then the question is how they could get root access to delete logs, and then also are there separate logs for deleting things from the file system? 🤔

So ya I’d say that if there are ZERO logs of any kind at the exact time of attack, that’s definitely suspicious. MacOS is extremely verbose, so I can’t see that happening.

As far as getting root, it’s possible they found a privilege escalation vulnerability. It’s not terribly uncommon, especially if you’ve heavily customized things or write a lot of code, which could inevitably give someone a way to root.

As far as logs for deleting logs, it’s definitely possible but I’m not familiar enough with their logging structure to say off hand.

Sucks dude, hope you figure out what happened. One thing you can do is hire a forensics firm, but that’s big money.

I tested it for 10 minutes while asleep just in this train ride. Zero logs whatever. It appears to be shockingly asleep when it is in fact asleep.

When I plug **anything** into any port however, for even the slightest amount of time, there are hundreds of logs.

Hmm… this kinda makes me think you’re safe then tbh. Does it create those logs if you plug in while it’s asleep?
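An added example, not from the thread or any of its participants: a POSIX shell triage of the two records this exchange turns on, `pmset -g log` (the sleep/wake history) and `log show` (the unified log), for the window in which the MacBook was supposedly asleep. It counts wakes, USB/port chatter and login activity inside the window. The sample lines are constructed to approximate those tools' output (an assumption; real layouts may differ), so it runs offline; the comments show how to feed real output from the Mac in question.

```shell
#!/bin/sh
# Added example (not from the thread): triage a suspected "closed and asleep"
# window using two logs the thread discusses. On the Mac the real data come from:
#   pmset -g log                                          > pm.txt
#   log show --style syslog --start "$START" --end "$END" > unified.txt
# The samples below are CONSTRUCTED to approximate those formats so the script
# runs offline; real output may lay out fields differently.

START="2024-05-10 19:30:00"
END="2024-05-10 19:50:00"

# count_in_window START END REGEX: count stdin lines whose leading
# "YYYY-MM-DD HH:MM:SS" timestamp falls inside the window and that match REGEX.
# ISO timestamps compare correctly as strings when all lines share a time zone.
count_in_window() {
    awk -v s="$1" -v e="$2" -v p="$3" '
        { ts = substr($0, 1, 19) }
        ts >= s && ts <= e && $0 ~ p { n++ }
        END { print n + 0 }'
}

# wake_count START END: pmset "Wake" or "DarkWake" entries inside the window
# (the domain is the 4th field; "Wake Requests" lines are not wakes)
wake_count() {
    awk -v s="$1" -v e="$2" '
        { ts = substr($0, 1, 19) }
        ts >= s && ts <= e && ($4 == "DarkWake" || ($4 == "Wake" && $5 != "Requests")) { n++ }
        END { print n + 0 }'
}

# usb_event_count: kernel USB/port attach and enumeration chatter in the window
usb_event_count() { count_in_window "$1" "$2" 'IOUSB|USB|Thunderbolt|IOPort'; }

# auth_event_count: unlock/login/sudo activity in the window
auth_event_count() { count_in_window "$1" "$2" 'loginwindow|opendirectoryd|sudo'; }

# triage PMTEXT UNIFIEDTEXT START END: one summary line ending in the verdict
triage() {
    w=$(printf '%s\n' "$1" | wake_count "$3" "$4")
    u=$(printf '%s\n' "$2" | usb_event_count "$3" "$4")
    a=$(printf '%s\n' "$2" | auth_event_count "$3" "$4")
    v=active
    if [ "$w" -eq 0 ] && [ "$u" -eq 0 ] && [ "$a" -eq 0 ]; then v=quiet; fi
    echo "wakes=$w usb=$u auth=$a verdict=$v"
}

# --- constructed samples -----------------------------------------------------
# Quiet case: lid closed at 18:02, next wake at 21:15, nothing inside the window.
PM_QUIET=$(cat <<'EOF'
2024-05-10 18:02:11 -0500 Sleep               Entering Sleep state due to 'Clamshell Sleep' Using AC (Charge:100%)
2024-05-10 21:15:40 -0500 Wake                Wake from Normal Sleep [CDNVA] : due to UserActivity Using AC (Charge:100%)
EOF
)
LOG_QUIET=$(cat <<'EOF'
2024-05-10 18:02:10.531822-0500  localhost kernel[0]: (AppleACPIPlatform) PMRD: System Sleep
2024-05-10 21:15:40.112000-0500  localhost kernel[0]: (AppleACPIPlatform) PMRD: System Wake
EOF
)
# Active case: a dark wake at 19:41 followed by USB enumeration and an unlock attempt.
PM_ACTIVE=$(cat <<'EOF'
2024-05-10 18:02:11 -0500 Sleep               Entering Sleep state due to 'Clamshell Sleep' Using AC (Charge:100%)
2024-05-10 19:41:20 -0500 DarkWake            Wake from Normal Sleep [CDNVA] : due to XHC1 Using AC (Charge:100%)
2024-05-10 19:49:55 -0500 Sleep               Entering Sleep state due to 'Maintenance Sleep' Using AC (Charge:100%)
2024-05-10 21:15:40 -0500 Wake                Wake from Normal Sleep [CDNVA] : due to UserActivity Using AC (Charge:100%)
EOF
)
LOG_ACTIVE=$(cat <<'EOF'
2024-05-10 19:41:20.402115-0500  localhost kernel[0]: (IOUSBHostFamily) AppleUSBHostPort@14100000: AppleUSBHostPort::connect: port 1 device connected
2024-05-10 19:41:20.904000-0500  localhost kernel[0]: (IOUSBHostFamily) AppleUSBHostDevice@14100000: AppleUSBHostDevice::start: enumerated
2024-05-10 19:41:31.000000-0500  localhost loginwindow[187]: (loginwindow) screen unlock requested
EOF
)

# Stand-alone run over the samples. For the real machine:
#   triage "$(cat pm.txt)" "$(cat unified.txt)" "$START" "$END"
echo "quiet sample:  $(triage "$PM_QUIET"  "$LOG_QUIET"  "$START" "$END")"
echo "active sample: $(triage "$PM_ACTIVE" "$LOG_ACTIVE" "$START" "$END")"
```

A "quiet" verdict is consistent with the poster's own test (a sleeping Mac writes nothing) and is not proof that nobody touched the machine: an attacker with root can delete entries, and `log show` only returns what the log store still retains. A DarkWake on its own is routine (Power Nap and keep-alive maintenance wakes), so the useful signal is a wake that coincides with USB or unlock activity, which is why the script reports the three counts together.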

Take out the hard drive and replace it with a new hard drive perfectly set to make the pc work.

How would you do it?

I have no idea. I’m trying to find out if someone got into my MacBook because someone broke into our room and rummaged through our shit

That's shit.

If someone rummaged through your stuff, what’s the likelihood they have the technical ability to pull it off that quickly? Do you know who it was? Or was it a break in?

I’ll be doing an episode on it, but it was in the hotel. We have video of him entering and when he left

People fucking suck.

Were these guys there?

No FileVault?

I think that modern macbook has storage soldered on motherboard…

You need a keyboard combo, an install disk to boot to, and a payload.

Interestingly enough, if I recall, you could at one time do an internet recovery on your Mac. If this is still the case. Boot into recovery set a root password, and set up ssh to accept connections. From there you can deliver payloads and gather information outside the constraints of the 10 minutes.

Can you do that without interrupting the sleep though if the computer is already on and booted?

The computer was specifically asleep, then when checked there was literally no indication that I’ve found so far of tampering. When I opened it back up it appeared to be in the exact same state. You couldn’t boot into another OS without closing the other down right? 🤔

Not without an exploit that hasn't been published anywhere.

This is a definite possibility too, but logs would still be present

Now that I've thought about this a little bit, it would probably be easier to throw a few little cameras into the room and a device to listen for key strokes, but if they rummaged and left a signal they were in there I doubt that's what happened.

They actually didn’t leave much indication that they were there. No obvious suggestion that the laptop was even touched, BUT it happened at the bitcoin conference, was at the speaker’s hotel, and happened *during* the speaker’s dinner. It seems obvious that it was a targeted attack in at least some fashion.

Then you might want to have a lookyloo around or request a room change, if the hotel can be trusted(maybe new hotel). Or just throw every corner of the room a close up of your asshole. Fuck these people.

If the MacBook has not been restarted, so it was still on the same standby, I would think you are good.

For the future:

But best is to have it off when not in direct possession. I always power it off.

There are additional features like a firmware password you can set.

Emzy reminded me that if it’s in standby the encryption would already be bypassed at that point, if it’s a silicon version.
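An added example, not from the thread or any of its participants: a POSIX shell audit of the lid-closed protections raised in the last few posts, FileVault, the firmware password, and whether the FileVault key is evicted from RAM on standby. It parses the output of Apple's `fdesetup status`, `firmwarepasswd -check` and `pmset -g`; on a non-Mac it runs offline against constructed samples whose layout approximates `pmset -g` (an assumption).

```shell
#!/bin/sh
# Added example (not from the thread): audit the lid-closed protections the
# thread mentions. Real tool output is used when the Apple tools exist;
# otherwise the CONSTRUCTED samples below are parsed, so the functions also
# run offline on non-Macs.

# audit_filevault: parse `fdesetup status` text on stdin -> on|off|unknown
audit_filevault() {
    in=$(cat)
    case "$in" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# audit_firmwarepasswd: parse `firmwarepasswd -check` text -> enabled|disabled|unknown
# ("unknown" also covers Apple silicon, where that Intel-era tool does not apply)
audit_firmwarepasswd() {
    in=$(cat)
    case "$in" in
        *"Password Enabled: Yes"*) echo enabled ;;
        *"Password Enabled: No"*)  echo disabled ;;
        *)                         echo unknown ;;
    esac
}

# pmset_value KEY: print KEY's value from `pmset -g` text on stdin
# (case-insensitive match on the first column), or "unset" if absent
pmset_value() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        tolower($1) == k { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# standby_key_protection: "ok" when destroyfvkeyonstandby=1 and hibernatemode=25
# (the pair that drops the FileVault key from RAM once the Mac reaches standby),
# otherwise "weak:" followed by the offending settings
standby_key_protection() {
    in=$(cat)
    d=$(printf '%s\n' "$in" | pmset_value destroyfvkeyonstandby)
    h=$(printf '%s\n' "$in" | pmset_value hibernatemode)
    weak=""
    [ "$d" = 1 ]  || weak="$weak destroyfvkeyonstandby=$d"
    [ "$h" = 25 ] || weak="$weak hibernatemode=$h"
    if [ -z "$weak" ]; then echo ok; else echo "weak:$weak"; fi
}

# Constructed samples approximating `pmset -g` output (real layout may differ).
PMSET_DEFAULT=$(cat <<'EOF'
System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        3
 DestroyFVKeyOnStandby 0
 lidwake              1
EOF
)
PMSET_HARDENED=$(cat <<'EOF'
System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        25
 DestroyFVKeyOnStandby 1
 lidwake              1
EOF
)

# Stand-alone run: prefer the real tools when present, else the samples.
# (firmwarepasswd -check needs root; without it the result reads "unknown".)
if command -v pmset >/dev/null 2>&1; then
    echo "filevault:         $(fdesetup status 2>/dev/null | audit_filevault)"
    echo "firmware password: $(firmwarepasswd -check 2>/dev/null | audit_firmwarepasswd)"
    echo "standby key:       $(pmset -g | standby_key_protection)"
else
    echo "default sample:  $(printf '%s\n' "$PMSET_DEFAULT" | standby_key_protection)"
    echo "hardened sample: $(printf '%s\n' "$PMSET_HARDENED" | standby_key_protection)"
fi
# To apply the hardened pair on an Intel Mac (Apple's pmset, needs root):
#   sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25
```

The caveat that matters for this thread's ten-minute scenario: the key is only destroyed once the Mac actually enters standby, which happens after the standby delay, not the moment the lid closes. For a short window the volume key is therefore still in RAM whatever these settings say, which is why the earlier advice in this thread to power the machine off when it is out of your possession is the reliable fix. Whether Apple silicon honours these two pmset keys is not established by anything on this page and should be verified on the machine in question.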

I think it would be easier to go after someone’s Apple ID. If you can log into the Apple ID, and their data is backed up on the cloud, you have access to pretty much everything. It’s just the stuff downloaded onto the hard drive that you would not see. Otherwise removing and backing up the hard drive to an external hard drive would be the easiest way, but you actually just need to take apart the computer and plug in the hard drive to a backup device; you would not actually need the password for the Lock Screen. Apple security is basically meant to prevent attacks from stupid gangbanger types that stole someone’s computer to sell for a quick buck. Trust me bro is a much more effective attack for actually getting someone’s data. But good luck taking apart and reassembling someone’s MacBook in 10 minutes without it looking tampered with.

Just a usb and about 60 seconds. Logs would still show up though so they would need to have some persistent way to log in remotely and delete logs.

What would you have on the USB, and how would you root it to get remote access later?

Not sure it's still a valid project, but one called PoisonTap comes to mind. You would plug it in and it would exfiltrate cookies, poison your DNS cache, and then install a persistent backdoor for logging in later. As far as I know it worked on all OSes.

This was the project I'm referring to.

https://samy.pl/poisontap/

does not work with https and some new caching and isolation countermeasures added by browsers

Ah yeah. I knew it didn't work with HTTPS. I was not aware of newer browser countermeasures, hence why I said it's probably not a valid project anymore.

It’s a side effect of privacy ones actually.

Caching and cookies are now isolated by top level origin

I think you actually get the most data from the exterior.

serial numbers (potentially figure out when and where they bought it)

company inventory numbers (if it's for work), where they work, etc.

stickers (are you into bitcoin, games, ...)

steal it and return it, gain trust and start phishing...

The scenario as proposed is not possible. Not in only 10 minutes, and not without leaving ANY logs.

nostr:npub1gnwpctdec0aa00hfy4lvadftu08ccs9677mr73h9ddv2zvw8fu9smmerrq had a good point though that with remote login they could delete the logs as soon as I got it turned back on maybe? 🤔

My MacOS forensics skills are a little rusty, but even that would leave an indication that something happened for someone looking.

But I don't think you could even get that far if the device is locked and password protected unless you already know the password.

You must’ve found Christine Lagarde’s laptop 🤭

Find any comfort after this scenario? Hope so, good luck brother.