Archive for the ‘Physical security’ Category

DCECU ATM still has issues

January 28th, 2010 chad No comments

DCECU ATM issue still ongoing. Power box has a padlock, but it can still be turned off by anyone who decides to pull up and flick the switch. I called DCECU a few months ago (in addition to almost two years ago) telling them of the issue and they said they’d send someone out to see what they can do.

I no longer do business with DCECU as of April of 2009. The way I see it, they can send someone out to grab and drop off cash from a remote ATM, but they can’t put a lock on the power switch to prevent misuse. Seriously? Normally I would just say “oh well”, but it’s been almost two years now and the problem still exists. So now that I have moved my money and loans elsewhere, now I’ll say “oh well”.

Categories: DoS, Physical security Tags:

Scottsdale mall security

July 20th, 2009 chad No comments

I happened to be traveling through Scottsdale, Arizona today and came across a sign I had never seen before. It makes one wonder… Do they really put cars worth stealing (or breaking into) in their parking lot or is it security theater? With times being tough like they are, is it *really* in the budget to park cars that tempt would-be thieves to break into them? I highly doubt it.

Meijer bottle return – still wide open

July 17th, 2009 chad No comments

If you’ve been to any store with a bottle return, chances are you’ve seen these before.

About a year ago, I had noticed that most Meijer stores leave the front doors of these bottle returns unlocked. This means anyone can open up the door, cause damage to the machine, or even steal the paper used for bottle returns to create their own slips at home. Most Wal-Mart locations are also guilty of leaving the front door open. When I had asked an employee why they would leave them unlocked, the answer was disappointing. It was so they didn’t have to “find a key” in their “back room”. What’s the point of even having a lock then?

The employee also stated that they have had issues in the past regarding forged bottle return slips. Nice eh?

Categories: Physical security Tags:

Looking for a used hard drive?

July 16th, 2008 chad No comments

Used hard drives that haven’t been formatted are the absolute easiest way to obtain information about the previous owner. Even if the hard drive has been formatted or the operating system has been re-installed, this does not ensure that the previous data has been overwritten or is no longer retrievable.

A few places you can find used hard drives at low cost, or in some cases free, would be at a flea market, garage sale, or even Freecycle. Last summer I went to a few garage sales and a flea market in search of older computer parts. I purchased one computer from a local Elementary School teacher who didn’t bother to format the hard drive. She still had some of her work on the hard drive including student names, the grade she taught, the classroom number, and various other information in plain view. Bought the computer, monitor, keyboard/mouse at her garage sale for $10.

More recently, I came across a few computers being given away by a hospital as they had upgraded all of their workstations. I was pleasantly surprised to find that all of the hard drives had been removed from every workstation, but found a few software CDs still in the CD-ROM drives. Sure the CDs could have ended up containing databases/spreadsheets/documents with patient info because the trays weren’t checked, but they did not. Also, you still have to commend an admin that has the sense to know that hard drives are sensitive to exploitation – especially in a medical environment.

Materials: A little bit of cash, a few used hard drives, and some free time.
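The point above, that a formatted or re-installed drive can still hold the previous owner's files, can be checked on your own drives before they leave your hands. The following is an added example, not part of the original post: it scans a raw disk image for non-zero sectors and sector-aligned file signatures, and the function names and the in-memory sample images are constructed for illustration.

```python
import io

SECTOR = 512  # bytes per sector (assumption: classic 512-byte sectors)

# A few well-known file signatures that file-carving tools look for.
SIGNATURES = {
    b"%PDF-": "PDF document",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP/Office document",
}


def audit_image(stream, sector_size=SECTOR):
    """Read a raw disk image sector by sector and report what is left on it."""
    total = nonzero = 0
    carvable = []
    while True:
        sector = stream.read(sector_size)
        if not sector:
            break
        offset = total * sector_size
        total += 1
        if sector.count(0) == len(sector):
            continue  # this sector has been overwritten with zeros
        nonzero += 1
        for magic, kind in SIGNATURES.items():
            if sector.startswith(magic):
                carvable.append((offset, kind))
    return {"sectors": total, "nonzero": nonzero, "carvable": carvable}


def is_sanitized(report):
    """True only if something was read and every sector of it is zero."""
    return report["sectors"] > 0 and report["nonzero"] == 0


def put(buf, sector_no, data):
    """Write data into the buffer starting at the given sector."""
    start = sector_no * SECTOR
    buf[start:start + len(data)] = data


def build_sample_images():
    """Constructed sample data: a 64-sector 'drive' after a quick format
    and the same drive after a full zero wipe."""
    used = bytearray(64 * SECTOR)
    put(used, 10, b"%PDF-1.4 constructed grade book")
    put(used, 20, b"\xff\xd8\xff\xe0 constructed photo")
    quick = bytearray(used)
    put(quick, 0, bytes(4 * SECTOR))          # format rewrites only the metadata area
    put(quick, 0, bytes(510) + b"\x55\xaa")   # boot signature of the fresh filesystem
    wiped = bytes(64 * SECTOR)                # every sector overwritten
    return bytes(quick), wiped


if __name__ == "__main__":
    quick, wiped = build_sample_images()
    for name, image in (("quick-formatted", quick), ("zero-wiped", wiped)):
        report = audit_image(io.BytesIO(image))
        print(name, report, "sanitized:", is_sanitized(report))
```

To audit a real drive image, pass `open(path, "rb")` instead of the in-memory samples. A drive wiped with random data will report non-zero sectors, so in that case judge it by the signature hits rather than by `is_sanitized`.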

How to bypass keyless entry

June 28th, 2008 chad No comments

I happened to be looking through the Saturn owner’s manual for something completely unrelated and found a page that ended up being a bit humorous. Apparently Saturn engineers went through all of the trouble to make sure that the remote transmitter didn’t send the same signal twice so that it couldn’t be “sniffed” and re-broadcast for a thief to break in. Unfortunately, when creating the owner’s manual, they decided to share how to bypass the security of the remote transmitter so that anyone with a Saturn transmitter can get into your car.

If you flip to page 79, the manual states:

"Synchronization may be required due to the security method used by this system. The transmitter does not send the same signal twice. The receiver will not accept a signal that has been sent to it more than once. This eliminates the possibility that the signal will be recorded and played back."

Now for the kicker. The very next sentence tells you how to bypass it:

"To synchronize your transmitter with the receiver, press and hold the LOCK and UNLOCK buttons on the transmitter, at the same time for about 10 seconds, near your Saturn."

Kind of senseless to go through all of that trouble to change the signal each time you use the remote. It takes a little more technical knowledge to record and retransmit a signal than it does to hold two buttons on a remote for 10 seconds. I would imagine that this method would be similar on other vehicles, so I guess it’s time to check your owner’s manual for something similar. Luckily the Saturn I drive does not have keyless entry.

Materials: 2000 Saturn owner’s manual.

Meijer’s bottle return

April 25th, 2008 chad No comments

A couple of weeks ago or so I filled the trunk with bottles that needed to be taken back for bottle return. Not my favorite job in the world, but it eventually has to be done. While filling the machine full of empty 0.5 liter bottles, I happened to notice something that was kind of silly – the front door to the machine was unlocked and could be opened. I looked around and it turned out that all of the bottle return machines were like that. I was kind of hoping that this was just a fluke and that maintenance was being performed on the machines.

No such luck.

I went back a couple of days later to do some grocery shopping and found the same thing. This time I decided to open the door and take a look inside. There was another key (that could be removed) and a numeric keypad asking for an admin password – numeric password of course. Well, at least there was multi-factor authentication in place (outside key, inside key, password), but they already removed one of those factors by leaving the front door open. Not only that, but the receipts the bottle return prints out with the Meijer’s logo on it are easily accessible. If a somewhat smart thief grabbed a roll, they could be used for fraudulent purposes – print bar codes on receipt paper for bottle return money. Not good.

As coincidence would have it, a fellow student worked at Meijer’s and gave me a brief explanation as to why they left the doors open rather than locked – they kept losing the keys. So rather than make extra keys or make it mandatory to return keys to a certain location, they just forget the keys altogether and leave the front door unlocked. Apparently they already had the fake receipt problem described above with their Coinstar machine.

Don’t even get me started on the UScan self-service checkout machines…that’s for another post another time ;)

Solution: Simple – lock the doors. I went there again a few nights ago and locked all of them by pushing in the locking handles.

Materials: Voyager cell phone (camera).

Categories: DoS, Hardware, Physical security, Weird stuff Tags:

Menard’s observation

April 20th, 2008 chad No comments

As I was making some purchases in Menard’s yesterday, I happened to visit a kiosk that had about 4 PCs sitting there with a screensaver on. I couldn’t really tell if they were for employees only or not, so I walked up to one and moved the mouse. Unfortunately, it asked for a password and I wasn’t about to try to start guessing. Instead, I hit CTRL+ALT+DEL and saw the option to reboot. So I rebooted the machine and walked away. I came back about a minute later to find the machine updating. Not just patches, updates, and the like, but rather new pricing, new products, and other store-related updates. I took a couple of screenshots with my camera phone (by the way, Motorola Razr phone cameras suck) of the updates taking place and a list of completed and upcoming updates. Sorry about the poor picture quality – Razr phone cameras have absolutely terrible quality.

Materials: Motorola Razr camera phone.

Lowe’s credit card applications

April 18th, 2008 chad No comments

I took a trip to Lowe’s to pick up some building supplies for the house I’m fixing up. I had to pick up a lot of stuff and I saw a “no interest for one year” card offer. I figured deferred payments would be a good thing so I applied for the card and was given a “temporary credit card” for immediate use, which consisted of my name, account number, and expiration date printed out on a piece of paper. Just like a regular credit card, it requested my signature on the paper so they could match up my signature with the one on the paper. Like most people, I never signed it.

What really bugged me was that there was no verification of who I was after I received the “temporary credit card”, so if I had dropped it, someone else could have gone on a shopping spree at my expense. I was amazed that I could walk up, purchase $540.00 worth of building materials, and walk out the door using this “temporary credit card” with no questions asked.

Solution: At the very least, they should require that I sign the paper immediately after they issued it to me. Then the cashier should have verified my temporary card by asking for my ID. Any time a cashier asks for my ID when I’m making a credit card purchase, I actually thank them for taking that extra step.

Materials: Application for a Lowe’s credit card.

Biometrics – fundamentally flawed

April 14th, 2008 chad No comments

As far as biometrics go, they are fundamentally flawed. If that biometric data is compromised or duplicated, you can’t just change it like a password.

At a previous employer of mine, they used a hand scanner to punch in and out. You punched in your employee number (everyone knew everyone else’s employee number) and put your hand in the scanner. The scanner detected the shape of your hand and if your hand was a 70% match or better, you were good to go. Unfortunately this was not a very secure form of biometric use either. I was able to punch in and out for 5 other people and vice versa. This is because hand sizes are not all that different and you only need to be “fairly close”, as the 70% match factor proved.

Fingerprints aren’t much better either. Recently, the German Secretary of the Interior, Wolfgang Schäuble, had his fingerprint published online by the Chaos Computer Club. They lifted it from a glass that Wolfgang drank from during a panel discussion. The CCC also published their magazine that included a plastic foil reproducing Wolfgang’s fingerprint, making it easy to glue to someone else’s finger to bypass biometric security measures. You don’t really have to go to any special measures to fool fingerprint biometrics. Plastic and all those synthetic rubber moulds and stuff that the average person couldn’t do is a bit excessive. Remember on MythBusters when they tried to beat that “unbeatable” fingerprint lock on a door and managed to do it by printing off the fingerprint with a laser printer and licking it?

Some people think “DNA now that is good, and it is something difficult to duplicate.” No need to duplicate it, free samples are falling off you everywhere you go. So no, DNA isn’t a very good form of biometric security either.

There is, however, a very good biometric that one can use. A neural imprint of a specific token; it currently can’t be read without the cooperation of the person, it leaves no imprint around except as the owner desires and controls. It’s known as a “password”. A technology that is, perhaps, new and radical, but far more secure than other biometrics. Which, unfortunately, isn’t particularly secure, just less insecure than the garbage the scam artists of the biometrics industry are trying to push on the gullible.

At least until extreme body modification is commonplace, biometrics are not the way to go for identification. It’s the only modern “security” mechanism that lacks revocation. Without revocation, a security model is eternally broken as soon as one broken link is found.

A person only has 20 digits, 2 palms, 2 soles, 2 retinas, and one genome. All of the biometric properties of those can easily be duplicated with noninvasive methods (simply enrolling in a biometric system requires the same access as duplication would). When one of those 27 properties is compromised, how do you revoke its use? I guess start with the fingers and palms and as people get older they have to start using their feet for identification, and at the very last make them get pricked for each identification. When all the biometric identifiers are used up, the now useless (at least in a secure society) people can be recycled in the soylent green program or something.

Found – pay as you go cell phone

April 10th, 2008 chad No comments

Quite often you’ll see people with a pay-as-you-go cell phone when they feel they won’t use a cell phone enough to justify a $40+ per month payment. They work great for emergency-only purposes and to give younger kids an idea of the responsibilities involved with having a cell phone. While travelling through Wal-Mart, I happened to find a phone sitting on a shelf – a Motorola i415 Boost Mobile phone. After no luck attempting to find the owner, I decided to take the phone home with me and take a look at it as I have never played around with a phone like this before.

Luckily there was a decent charge on the phone that allowed me to write down the number of “Mom” and “Dad” to attempt to find the owner of the phone “Tennie”. However, before taking the phone back to the owner, I decided to play around a little bit. I found two interesting things. One was an IP address associated with a message that was sent – 10.197.58.243. The other was that they had Yahoo! instant messenger installed and opted to save the login name and password in the phone. All one would have to do is connect and assume their online identity. Fortunately, after speaking with the owner of the phone, I learned that right after they realized they lost the phone, they called their service provider and reported the phone stolen so it couldn’t be used. This was good to hear.

The video is blurry, which probably isn’t a bad thing as it protects the information viewed on the phone from the general public. The point wasn’t to expose their personal information, but rather to explore a phone I had never played with before and do the right thing by returning it to the owner.

Materials: Motorola i415 Boost Mobile phone, Kodak Digital Camera (C743), assistance from Rebecca.

Categories: Internet, Phone, Physical security, Wireless Tags:

Back at Delta College…again

April 10th, 2008 chad No comments

So here I am writing this post from Delta College’s library. I started playing on the Windows network again, but I honestly prefer Linux and the only operating systems they have available in the library are Windows and Mac OS X. I brought my handy dandy Ubuntu Linux bootable CD so that I could work in a more familiar (and comfortable) environment. The machines they have are actually quite nice – Dell Optiplex GX520.

Unfortunately, I had a hard time booting the CD only because rather than the boot order allowing you to boot from CD, you had to boot it from CD “manually”. Rather than entering the BIOS by hitting the normal suspects such as the Delete key, Escape key, F8, etc, Dell gives you a boot menu by pressing either F12 or Ctrl+Alt+F8 during boot. After obtaining that piece of knowledge, I was on my way.

There’s nothing really new to report other than they still haven’t fixed the permissions issue on the STUDENT share. Even the main page for the STUDENTS server is writable along with every other file. Thanks once again to Collegis/SunGard for their prompt action. Talk about lax security and lazy admins – it’s really quite sickening that a simple, but potentially damaging permissions issue can’t get resolved quickly. So I left a message this time although it will likely still continue to get ignored.

Anyway, I booted up Ubuntu 7.10 and then started looking around on the network again. Honestly, I really couldn’t think of much more to do so I figured I’d run a network scan with nmap. I started with just scanning 10.101.7.0/24, but it seemed to be too quick and I had more time to waste. I stepped it up to 10.101.0.0/16 :) Much better – I found a few more machines with more interesting services. I also found the lone Linux machine ;)

Anyway, for those interested, here are the results of the 10.101.0.0/16 scan in normal format, in XML format (prettier), and in grepable format.

Materials: Ubuntu 7.10 live CD, Motorola Razr camera phone.

ATM security followup

March 16th, 2008 chad No comments

Physical security on remote ATMs doesn’t seem to be as up to par as it should be. As discussed in a previous post, their power sources seem to be wide open for tampering. On the surface, it may seem like just an annoyance that an ATM may be shut down and not working. However, there is a possibility that the power failure could either remove or trigger alarm functions that could alert someone that the ATM is being tampered with. Without knowing more about how the ATMs work, let’s assume that cutting the power removes any alarm that is triggered.

With full physical access to a remote ATM location out of the view of the general public, potential thieves could install hardware keyloggers, sniffers, take the money from the ATM, etc. Keyloggers and sniffers could capture all information a user enters or any transactions between the ATM and the bank. Packets could also be altered before being sent to the bank’s database, which leaves even more potential for account compromises. Since a lot of ATMs are made by Diebold, I’m sure their locks aren’t up to par considering what they protect.

So back to the main power shut off. After finding the ATM in Freeland that had the main power shut off in plain view and not locked to prevent people from flipping the switch, I decided to look around at other ATMs. One of the first ones I drove by was a local bank ATM in Midland. If you look at the main power switch, it’s covered, but not locked. Just down the road, there’s another ATM that had the main power switch covered, but again, it was not locked.

One possible solution would be to use locks on the power switch boxes. Either that or enclose the power switch inside of a door in the ATM itself somewhere.

Materials: About $3 in gas, Kodak Digital Camera (C743).

Diebold voting machine security

February 29th, 2008 chad No comments

Diebold Accuvote voting machines, as most people know, have had a hard time gaining and keeping any credibility in the world of information security. This is nothing new, but to add to the thought of how insecure these machines are, here is an image of the keys that some people have made copies of – just from the image itself. A group of students at Princeton discovered the Accuvote keys are actually a common office furniture key used for hotel minibars, electronic equipment, and jukeboxes.

But of course you don’t have to make your own key because Diebold will sell you one fairly cheap: “Replacement Access Keys”, part number GS-567311-1000, $5.90 for a set of 2. Order by phone at 1-800-769-3246.

So while taking physical security into consideration, one should also consider that just being able to take a picture of a set of keys can be just as effective as “shoulder surfing” while someone is entering a numeric password on a keypad.

Categories: DoS, Physical security Tags:

Hotel security – Baymont Inn

February 15th, 2008 chad No comments

For a Valentine vacation, I decided to check out the Mount Pleasant hotel Baymont Inn from February 14th to February 15th. It was close to the casino, dinner, a pool, and had a hot tub in the room.

The hotel issued those credit card style keys with magnetic strips on them (magstripe cards) that swipe through a slot above the door handle. When you swipe it, you either get a red light (key not correct), yellow light (error, swipe again), or a green light (unlocked). Once the hotel issued me two cards, I had thought to myself there is a possibility that these cards could work on rooms other than my own. So off down the hall I went to try it out. Out of the 4 random rooms that I tested the credit-card-type key, it opened 1 door other than my own (133 worked for 109 and 109 worked for 133).

When I had claimed that I lost one of my two magstripe cards, I asked for another and he stated that the key would no longer work the next day. Not only did the new one he issued me work on the same room two days later, so did the other two keys that were initially issued to me. When checking out, I was told that I do not need to turn in the cards and would not be charged for the cards that I had kept. They had a machine there that created the magnetic strip cards. A phone call to the hotel needs to be made to find out the make and model of the machine.

The hotel also had free, open wireless available. No traffic was encrypted, the SSID was “baymont”, and there were no authentication requirements (no password, no MAC address authentication).

Possible solution: Perhaps for the wireless situation Baymont could create a login/password combination like room number/last name for each of the guests. This information could be pulled from a database at set intervals such as every 15 minutes and pushed to the wireless access points. For the magcards working on multiple rooms, I saw that the person behind the desk was able to input some numbers before creating the card. I’m quite sure they could make new cards for every guest with a unique number, however, the task of updating the locks on each door might be very time consuming.

One question I would like answered is how often these locks are “changed” or are they all set to accept a certain list of pre-determined codes? For example, if the entire hotel only has 25 codes, but has 200 rooms, the problem arises of how to assign a certain number of codes to each door lock. You can’t give all 25 codes to every lock because then every key could open every door. You can’t give just one code to each door because then anyone could come back later and get back in the room. No matter how they are separated though, I’m sure there would be a master lock (for the cleaning crew, manager, etc) and with a limited number of combinations that could be stored to each lock, I can see where it would be difficult to secure.

Materials/methods: Social engineering, magstripe cards issued by the hotel.

ATM security

February 13th, 2008 chad No comments

One important thing I have learned is that you should never take physical security for granted. If you have physical access to something, your options for compromising a potential target increase greatly. This runs true for everything from computers, to homes, to cars, to banks, and even garbage receptacles.

One day while driving through Freeland, Michigan, I happened to notice something a little out of the ordinary. I drove up to a credit union’s remote ATM to pull out some money for a trip and became a little concerned. It appears that whoever had installed this particular drive-up ATM did not make a conscious attempt to make sure it isn’t subject to a simple, physical denial of service attack. Note that there is nothing stopping the arm on the switchbox from being thrown to “off”. Granted, if one wanted to physically harm the ATM, they could always drive into it or something similar. However, this was much more simple – just turn off the power on the breaker switch and the ATM gets shut down. It was not locked in the on position, which is understandable, but it was not guarded or enclosed in any way.

This is an example of how physical security is commonly overlooked and should be taken into account whenever possible. You don’t park your car in a parking lot with valuables on the dash for the world to see and leave your doors unlocked. You wouldn’t take a vacation and leave your front door/garage door open while you were gone. You wouldn’t throw away an old credit card without first cutting it up with scissors. There are people out there who have the capability and motivation to cause harm. Don’t give them the opportunity to do so – take physical security into consideration whenever possible.

Materials: About $10 in gas, Voyager cell phone (camera).

Categories: DoS, Physical security Tags: