
Archive for the ‘Hardware’ Category

Transferring contacts from your Palm to your Droid

January 21st, 2010 chad No comments

I thought I’d write this up so others don’t have to search all over for it. I have recently switched from a Palm Treo 700P to a Motorola Droid. Verizon employees couldn’t figure out how to move my contacts from the Palm to the Droid, but I did and thought I’d share. Here’s how to do it.

You have a couple of options – either have the Verizon people do it (which didn’t work in my case), set up a GMail account and export all of your contacts there (why give Google access to all of that info?), OR you can export all of your own contacts from your Palm Desktop application into the Droid itself without the middleman. Be sure to follow these steps in the order in which they are written.

-Sync your Palm to make sure all of your contact information is up to date
-Open the Palm Desktop application
-Go to the Contacts section, click on Edit -> Select All
-Once all contacts are highlighted, click on File -> Export -> Export as VCard
-Connect the Droid to your computer
-When prompted on your Droid, select Notifications -> USB -> Mount
-Your Droid should show up as a new drive on your PC at this point
-Copy your VCard file (should end in “vcf”) that you exported to the Droid “drive”
-Unmount and then disconnect the Droid from your PC (important)
-Open Contacts on your Droid and choose Import/Export from the options on the menu
-Choose to Import from SD Card
-After importing, go to Contacts and choose Display Options from the menu
-Expand your gmail account menu and check everything that has “System Group:” by it. In my case, for example, it was “System Group: My Contacts”, “System Group: Friends”, “System Group: Family”, “System Group: Business”
-Done

The export to vCard will bring your numbers, emails, and addresses for each contact, in addition to notes you may have written about each contact. The only issue I had is that it didn’t like to import all of the pictures from the Palm so I had to edit the VCard file slightly by hand. Other than that, smooth as silk. I’ll also be posting this to my own web site along with a full review soon…

UPDATE: Just another bit of information – you can export contacts in VCard format from a variety of email applications including Outlook and Evolution. The whole process basically works the same way whether using Windows, Linux, or a Mac.

Looking for a used hard drive?

July 16th, 2008 chad No comments

Used hard drives that haven’t been formatted are the absolute easiest way to obtain information about the previous owner. Even if the hard drive has been formatted or the operating system has been re-installed, this does not guarantee that the previous data has been overwritten or is no longer retrievable.

A few places you can find used hard drives at low cost, or in some cases free, would be at a flea market, garage sale, or even Freecycle. Last summer I went to a few garage sales and a flea market in search of older computer parts. I purchased one computer from a local Elementary School teacher who didn’t bother to format the hard drive. She still had some of her work on the hard drive including student names, the grade she taught, the classroom number, and various other information in plain view. Bought the computer, monitor, keyboard/mouse at her garage sale for $10.

More recently, I came across a few computers being given away by a hospital as they had upgraded all of their workstations. I was pleasantly surprised to find that all of the hard drives had been removed from every workstation, but found a few software CDs still in the CD-ROMs. Sure the CDs could have ended up containing databases/spreadsheets/documents with patient info because the trays weren’t checked, but they did not. Also, you still have to commend an admin that has the sense to know that hard drives are sensitive to exploitation – especially in a medical environment.

Materials: A little bit of cash, a few used hard drives, and some free time.
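
A check to run on a drive image before the hardware leaves your hands, added here as an example and not part of the original post. It assumes a zero-fill wipe and uses three constructed 64-sector images (used, reformatted, wiped) whose contents and the "OLDFS"/"NEWFS" markers are made up for illustration.

```python
import os
import tempfile

SECTOR = 512
# Magic bytes of a few common file types (small, non-exhaustive set).
SIGNATURES = {b"%PDF-": "PDF", b"PK\x03\x04": "ZIP/Office", b"\xff\xd8\xff": "JPEG"}

def audit_image(path):
    """Scan a raw disk image sector by sector.

    Assumes sanitization means a zero-fill overwrite, so any non-zero
    sector is data that survived.
    """
    zero = bytes(SECTOR)
    total = nonzero = 0
    found = {}
    with open(path, "rb") as img:
        while chunk := img.read(SECTOR):
            total += 1
            if chunk == zero[:len(chunk)]:
                continue
            nonzero += 1
            for magic, name in SIGNATURES.items():
                if chunk.startswith(magic):
                    found[name] = found.get(name, 0) + 1
    return {"sectors": total, "nonzero": nonzero,
            "signatures": found, "wiped": nonzero == 0}

def make_image(path, mode):
    """Build a constructed image: 'used', 'formatted' or 'wiped'."""
    sectors = [bytes(SECTOR)] * 64
    if mode != "wiped":
        # Constructed "previous owner" files sitting in the data area.
        sectors[20] = b"%PDF-1.4 class roster".ljust(SECTOR, b"\x00")
        sectors[33] = b"\xff\xd8\xff\xe0 photo".ljust(SECTOR, b"\x00")
        # A reformat rewrites the metadata at the start, not the data area.
        marker = b"OLDFS" if mode == "used" else b"NEWFS"
        sectors[0] = marker.ljust(SECTOR, b"\x00")
    with open(path, "wb") as img:
        img.write(b"".join(sectors))

def demo():
    """Audit the three constructed images and return the reports by mode."""
    reports = {}
    with tempfile.TemporaryDirectory() as tmp:
        for mode in ("used", "formatted", "wiped"):
            path = os.path.join(tmp, mode + ".img")
            make_image(path, mode)
            reports[mode] = audit_image(path)
    return reports

if __name__ == "__main__":
    for mode, report in demo().items():
        print(mode, report)
```

The reformatted image reports the same surviving sectors and signatures as the used one; only the zero-filled image passes.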

How to bypass keyless entry

June 28th, 2008 chad No comments

I happened to be looking through the Saturn owner’s manual for something completely unrelated and found a page that ended up being a bit humorous. Apparently Saturn engineers went through all of the trouble to make sure that the remote transmitter didn’t send the same signal twice so that it couldn’t be “sniffed” and re-broadcast for a thief to break in. Unfortunately, when creating the owner’s manual, they decided to share how to bypass the security of the remote transmitter so that anyone with a Saturn transmitter can get into your car.

If you flip to page 79, the manual states:

"Synchronization may be required due to the security method used by this system. The transmitter does not send the same signal twice. The receiver will not accept a signal that has been sent to it more than once. This eliminates the possibility that the signal will be recorded and played back."

Now for the kicker. The very next sentence tells you how to bypass it:

"To synchronize your transmitter with the receiver, press and hold the LOCK and UNLOCK buttons on the transmitter, at the same time for about 10 seconds, near your Saturn."

Kind of senseless to go through all of that trouble to change the signal each time you use the remote. It takes a little more technical knowledge to record and retransmit a signal than it does to hold two buttons on a remote for 10 seconds. I would imagine that this method would be similar on other vehicles, so I guess it’s time to check your owner’s manual for something similar. Luckily the Saturn I drive does not have keyless entry.

Materials: 2000 Saturn owner’s manual.
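
A generic model of the behaviour the manual passage describes (codes never repeat, replays are refused, a drifted transmitter is synchronized), added here as an example and not taken from the post or from Saturn. The HMAC construction, the window of 16, the two-code resync rule and the keys are assumptions typical of rolling-code designs; whether the Saturn system works this way is not stated on the page.

```python
import hashlib
import hmac

WINDOW = 16  # assumed: how far ahead of the last counter a code is accepted

def code_for(key, counter):
    """One-time code for a counter value (HMAC stands in for the fob's cipher)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class Transmitter:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self):
        self.counter += 1  # every press uses a fresh counter value
        return code_for(self.key, self.counter)

class Receiver:
    def __init__(self, key, counter=0):
        self.key, self.counter = key, counter

    def _match(self, code, span):
        """Find the counter ahead of ours, within span, that yields this code."""
        for c in range(self.counter + 1, self.counter + 1 + span):
            if hmac.compare_digest(code, code_for(self.key, c)):
                return c
        return None

    def accept(self, code):
        """Normal use: the code must be unused and inside the window."""
        c = self._match(code, WINDOW)
        if c is None:
            return False
        self.counter = c  # everything up to c is now spent
        return True

    def resync(self, code_a, code_b, search=4096):
        """Re-align with a fob that drifted: two consecutive codes under our key."""
        c = self._match(code_a, search)
        if c is None or not hmac.compare_digest(code_b, code_for(self.key, c + 1)):
            return False
        self.counter = c + 1
        return True

def demo():
    key = b"constructed-demo-key"  # constructed shared secret from pairing
    fob, car = Transmitter(key), Receiver(key)
    captured = fob.press()
    out = {"first_use": car.accept(captured), "replay": car.accept(captured)}
    for _ in range(100):  # buttons pressed far away from the car
        fob.press()
    out["out_of_window"] = car.accept(fob.press())
    out["resync_paired"] = car.resync(fob.press(), fob.press())
    out["after_resync"] = car.accept(fob.press())
    other = Transmitter(b"some-other-fob-key")  # fob never paired with this car
    out["resync_unpaired"] = Receiver(key, car.counter).resync(other.press(), other.press())
    return out

if __name__ == "__main__":
    print(demo())
```

In this model synchronization only moves the receiver's counter forward for a transmitter that already holds the shared key.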

Meijer’s bottle return

April 25th, 2008 chad No comments

A couple of weeks ago or so I filled the trunk with bottles that needed to be taken back for bottle return. Not my favorite job in the world, but it eventually has to be done. While filling the machine full of empty 0.5 liter bottles, I happened to notice something that was kind of silly – the front door to the machine was unlocked and could be opened. I looked around and it turned out that all of the bottle return machines were like that. I was kind of hoping that this was just a fluke and that maintenance was being performed on the machines.

No such luck.

I went back a couple of days later to do some grocery shopping and found the same thing. This time I decided to open the door and take a look inside. There was another key (that could be removed) and a numeric keypad asking for an admin password – numeric password of course. Well, at least there was multi-factor authentication in place (outside key, inside key, password), but they already removed one of those factors by leaving the front door open. Not only that, but the receipts the bottle return prints out with the Meijer’s logo on it are easily accessible. If a somewhat smart thief grabbed a roll, they could be used for fraudulent purposes – print bar codes on receipt paper for bottle return money. Not good.

As coincidence would have it, a fellow student worked at Meijer’s and gave me a brief explanation as to why they left the doors open rather than locked – they kept losing the keys. So rather than make extra keys or make it mandatory to return keys to a certain location, they just forget the keys altogether and leave the front door unlocked. Apparently they already had the fake receipt problem described above with their Coinstar machine.

Don’t even get me started on the UScan self-service checkout machines…that’s for another post another time ;)

Solution: Simple – lock the doors. I went there again a few nights ago and locked all of them by pushing in the locking handles.

Materials: Voyager cell phone (camera).


Delta College password security

April 16th, 2008 chad No comments

Having been a former student of Delta College, as with any student, I was given a user name and password that was used for access to several services. These include network shares, email access, class registration through MyDelta, Educator (like Blackboard), FTP, and access to the Linux server amongst other things. So if I were a student and wanted to make sure that my password is secure, where would I start? Learn about the process and then find the weakest links of course!

First, as a new student you’re asked to go through the signup process, but when clicking through, you’re taken to the policy page first. Funny thing is that the page can be bypassed by just going directly to the sign up page instead. So yeah, legally, the policy is shaky ground since it can be bypassed during sign up. You enter all of your personal information in and you now have access with a single login and single password for all services.

So if someone wanted to hijack my account, what would they do? What plan of action would one take to steal my info? Well, if you click on the link that you lost your login name, you get directed to this page and are given this prompt. The same prompt is given if you click on the link that you want to update or change your password. Since nobody else should really know my SSN or Delta ID, and might only be able to figure out my birthday, it would make compromising my account more difficult. In essence, Delta is implementing defense in depth. However, who needs a Delta ID when your login name is…your name. If your electronic account was created before Fall of 2002, your login name was your first initial, middle initial, and your last name. For example, John Q. Student would be jqstudent. After 2002, it’s simply your first name and last name (johnstudent). So hijacking your account via a “lost password” feature is too time consuming or too difficult. There has to be an easier way, right?

What about brute forcing the password with something like Brutus that does web-based password cracking? Probably not practical since Delta has a somewhat decent password policy in place and it would take forever to brute force the password this way. So that’s out of the question.

What about shoulder surfing at the library? Not really a bad idea, but it could be noticeable by the victim. This method is definitely feasible, but could cause bodily harm or get you kicked out of the library. Then you would likely be watched closely during future visits.

What about services that could be exploited in some way or another? Maybe sniffing the password? Well, webmail is performed via SSL, so that makes things difficult. MyDelta also uses SSL when you’re logging in as does Educator…finally after about a year or so after I made the suggestion to Educator staff. You’re not likely going to sniff anything while you’re logging in either. However, there are two services that are performed in clear text – FTP and telnet. These two services are only really used in a handful of classes, so you would have to devise a plan on how/where to sniff this traffic.

Telnet is used only for the Linux class (CST-126), but it’s also available online. Since their Linux server has a compiler installed, you could attempt to compile a sniffer from the command line, but that would likely be under your own account.

FTP is used mainly for uploading web pages in the CST-110, CST-133, and CST-210 classes. I’m not sure why you’d need to do that since the directory you upload to is world readable/writable by everyone, but that’s another post ;) So one could sit in a CST-133 class during the web site creation tutorial week, flood the router with false MAC addresses, and sniff the passwords as people log in. The other option is to sit in one of the wireless hotspots and hope someone logs in and needs access to the telnet or FTP server. You might be waiting a while for that one…

Worst case scenario was a few years ago when you could log onto the Linux server and grab the /etc/shadow file, which held encrypted passwords for the entire student body. I’m not sure exactly how this happened as the /etc/shadow file is normally only viewable by root, but it was likely because of a misconfiguration or fat-fingered-mistake such as “chmod 777 /etc/shadow”. In a nutshell, if you could copy this file to a flash drive, you could take it home, run John the Ripper on the file, and have some accounts to play with.
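
An administrator-side check for the misconfiguration described above, added here as an example and not part of the original post. The function name, the 0640-or-stricter baseline and the temporary stand-in file with its constructed entry are assumptions for illustration; on a real host you would call it on /etc/shadow with expected_uid=0.

```python
import os
import stat
import tempfile

def audit_secret_file(path, expected_uid=None):
    """Return (mode, findings) for a file only its owner should be able to write
    and nobody outside its group should be able to read."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable: any local user can copy the hashes")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can alter accounts")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set on a data file")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    return mode, findings

def demo():
    """Audit a constructed stand-in file under a 777 mode and a 640 mode."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shadow")  # stand-in, not the real /etc/shadow
        with open(path, "w") as f:
            # Constructed entry; the hash field is a placeholder.
            f.write("jqstudent:$6$constructed$notarealhash:14000:0:99999:7:::\n")
        for label, mode in (("chmod_777", 0o777), ("chmod_640", 0o640)):
            os.chmod(path, mode)
            results[label] = audit_secret_file(path)
    return results

if __name__ == "__main__":
    for label, (mode, findings) in demo().items():
        print(label, oct(mode), findings or "ok")
```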

Anyway, the point is that if you are able to obtain a student’s password, you have full access to that student’s account. This includes access to all of the resources available that are specific to that student as well as the ability to add and drop courses they are currently enrolled in or signed up for. That would help if you’re having a hard time getting into a class because it’s full, eh? ;)

Disclaimer: Just as any post I make, I do not condone or encourage any malicious activity. I post the information I do to give people a little nudge in the right direction and take security a little more seriously. After all, there’s a lot of people’s trust in your hands and it’s your responsibility to keep the bad guys from breaking that trust. As usual, I have to rip on Collegis/SunGard because they’re the ones that handle Delta College’s IT sources including security. Unfortunately, they can’t seem to nail down the security part.

Materials: Access to a Delta College workstation and an Ubuntu Linux live CD.

Hotel security – Swiss Cottage Inns

March 23rd, 2008 chad No comments

Last July I had some free time and decided to go on a road trip and ended up in Niagara Falls, New York. It was probably the most impressive natural beauty I have ever seen in my life. However, my geek side had to also explore the area. After booking a room at the Swiss Cottage Inn on the New York side, I decided that I was going to take advantage of their free wireless service and do some school work for a short time before exploring the sights.

Unfortunately, I wasn’t able to get on the internet so I decided to do some troubleshooting. I had found out that they were using a Linksys router with the SSID broadcasting and encryption enabled. They had also changed the IP address of the router to 192.168.2.1 rather than the regular 192.168.1.1. The funny thing is, even though they changed the default SSID, changed the default IP address, and enabled encryption, they never bothered to change the default login and password (“admin” and “admin”). This left the router wide open for abuse and allowed anyone to see their WEP encryption passphrase (“mario”).

Unfortunately, wireless is one of those monsters where the technology grew faster than people being educated on how to secure it properly. Even the 802.11 protocol itself had security as an afterthought as older versions such as 802.11A and 802.11B generally had weak encryption available, but not enabled by default on most routers. Even on newer routers, basic security is often ignored by the end users because these units are able to be plugged in and “just work” out of the box.

Solution: The best ways to secure your wireless router are to disable SSID broadcasting, enable MAC address authentication by using a whitelist rather than a blacklist, enable encryption – at the very least use 128bit WEP encryption, change the default password to something fairly complex, and if you can, change the default login name as well.

Materials: Compaq Presario laptop (2135US), Belkin wireless card (F5D6020).


Installing DD-WRT on a Linksys WRT54g router

March 7th, 2008 chad No comments

Back in November I purchased two Linksys WRT54g routers from Best Buy as they were having a sale. When you purchased the router for $50, you got a $15 gift card. So the router essentially cost $35, which is cheaper than most wireless network cards. The best part is, dd-wrt allows a Linksys WRT54g router to act as a client bridge. What this means is rather than spend ~$150 on a Linksys wireless bridge, you can make the WRT54g act as a bridge for less than half the price (and more functionality I might add).

Below is a video showing how to install dd-wrt on a Linksys WRT54g router. Enjoy!

Materials: Firmware from dd-wrt.com for WRT54g router, Linksys WRT54g router, Compaq Presario laptop (2135US), Kodak Digital Camera (C743).


Hotel security – Baymont Inn

February 15th, 2008 chad No comments

For a Valentine vacation, I decided to check out the Mount Pleasant hotel Baymont Inn from February 14th to February 15th. It was close to the casino, dinner, a pool, and had a hot tub in the room.

The hotel issued those credit card style keys with magnetic strips on them (magstripe cards) that swipe through a slot above the door handle. When you swipe it, you either get a red light (key not correct), yellow light (error, swipe again), or a green light (unlocked). Once the hotel issued me two cards, I had thought to myself there is a possibility that these cards could work on rooms other than my own. So off down the hall I went to try it out. Out of the 4 random rooms that I tested the credit-card-type key, it opened 1 door other than my own (133 worked for 109 and 109 worked for 133).

When I had claimed that I lost one of my two magstripe cards, I asked for another and he stated that the key would no longer work the next day. Not only did the new one he issued me work on the same room two days later, so did the other two keys that were initially issued to me. When checking out, I was told that I do not need to turn in the cards and would not be charged for the cards that I had kept. They had a machine there that created the magnetic strip cards. A phone call to the hotel needs to be made to find out the make and model of the machine.

The hotel also had free, open wireless available. No traffic was encrypted, the SSID was “baymont”, and there were no authentication requirements (no password, no mac address authentication).

Possible solution: Perhaps for the wireless situation Baymont could create a login/password combination like room number/last name for each of the guests. This information could be pulled from a database at set intervals such as every 15 minutes and pushed to the wireless access points. For the magcards working on multiple rooms, I saw that the person behind the desk was able to input some numbers before creating the card. I’m quite sure they could make new cards for every guest with a unique number, however, the task of updating the locks on each door might be very time consuming.

One question I would like answered is how often these locks are “changed” or are they all set to accept a certain list of pre-determined codes? For example, if the entire hotel only has 25 codes, but has 200 rooms, the problem arises of how to assign a certain amount of codes to each door lock. You can’t give all 25 codes to every lock because then every key could open every door. You can’t give just one code to each door because then anyone could come back later and get back in the room. No matter how they are separated though, I’m sure there would be a master lock (for the cleaning crew, manager, etc) and with a limited amount of combinations that could be stored to each lock, I can see where it would be difficult to secure.

Materials/methods: Social engineering, magstripe cards issued by the hotel.