Archive for the ‘Personal security’ Category

Art Van Furniture privacy issue

April 11th, 2010 chad

I recently bought some furniture from Art Van in Saginaw, Michigan. As most furniture stores go, after you make the purchase you need to drive to the side or rear of the store to pick up your order. To my surprise, I was asked for my name, address, and driver’s license number for verification of who I am. I have a big problem with that…mainly the driver’s license number bit. However, apparently out of the (approximately) 30 people on the list, only myself and one other person did not give them our driver’s license number.

First – I never gave them my driver’s license number to begin with, so how would that verify who I am? Especially since they didn’t actually LOOK at my driver’s license or the driver’s license of the guy behind me.

Second – Why is the number written down? I can understand if you want a photo ID so that I can prove who I am, but to actually write down that information? I don’t think so…

Third – After the number is written down, where does that sheet go? From what information I gathered (social engineering alert!), it gets “filed” somewhere. Umm…where, for how long, and most importantly – WHY?!

Lastly – When the files are finally purged, what happens to the papers? Are they shredded? How do I or any other customer know that personally identifiable information is kept secure?

This is wrong on so many levels and Art Van should be ashamed of themselves. There is absolutely no reason for them to request anything other than a visual check of a photo ID so that they may match the customer name with the merchandise. They certainly couldn’t deny me the merchandise – after all, I had my receipt in hand – so what was the point of attempting to obtain my driver’s license number?

This reminds me of when Hollywood Video used to (still might, I have no idea) ask for a Social Security Number as identification when you open a new account. Even worse, when you were opening your new account they would verbally ask for a customer’s SSN in front of other customers…in addition to their name, phone number, and address.

Unsolicited medical mail (snail mail)

February 2nd, 2009 chad

A couple of weeks ago I was sent a package in the mail that kind of took me by surprise. It was addressed to me, but wasn’t something I would order, expect, or even consider ordering. However, I was sent several Scantron-style sheets, some brand new plastic bags labeled “biohazard”, and other information including an account number for supplies for a medical office. Trying to do the right thing, I did a lookup on the company that sent the package and they swore up and down that they had the correct address and told me I was a specific Doctor. After a quick lookup of previous owners of the address this package was sent to (I have more than a few addresses), there was no record of any Doctors living at this specific home.

So I called the company back. This time, I was greeted by someone that appeared to be a bit grumpy. Apparently, the company was looking for a specific Doctor. After asking a few questions, I found out the doctor lived at an address in Minneapolis, Minnesota that was…well…not really very close to the one on the package. Numbers were switched around, the street name was a bit scrambled, and our names were not close at all. However, the address on the package was definitely one of mine. The last place this Doctor practised was in Saginaw, Michigan, but this company had discovered that the Doctor moved to Midland, Michigan. Since they couldn’t find him, they asked if I knew him. Not knowing what everything was all about, nor what they wanted with the Doctor, I told them I did not know him. Then the ignorance started – they told me that I “need” to find the Doctor and give him the package. Apparently I’m a delivery service and didn’t know it. Needless to say, I let them know I wasn’t about to do their detective work. They then told me that I need to return the package, but I would need to pay for postage. Again, I refused. They then threatened to call the police and I reminded them that the mail was addressed to me and is legally mine (I did this out of spite at this point) and hung up the phone.

Two days later, they called my phone asking for the Doctor they were looking for. I told them that there was no Doctor at this number. They then told me that I need to give the Doctor a message to call them. I reminded them again that there is no Doctor at this number and they hung up. I haven’t heard back since then, but decided that this encounter was worthy of a write-up.

Now I can assure you, I’m not a Doctor (especially a Medical Doctor) by any stretch of the word. Imagine what the possibilities are having the supplier’s name, address, number, and the account number of this Doctor as well as his name thanks to the company disclosing his name and information. I’m still shocked that something this sensitive landed in my lap out of the blue like this. I can only imagine how often something like this happens, or the consequences of when something like this happens. Do HIPAA laws come into play here? Any other privacy laws? This is similar to if a bank statement ended up being sent to me that was really someone else’s account. And yes, that happened to me too about two years ago.

After checking with the post office, since this was sent to me at one of my addresses, this piece of mail is mine and they don’t have the right to ask for it back.

Materials used: Nothing – this just ended up being sent to me via snail mail.

Categories: Personal security, Weird stuff

Looking for a used hard drive?

July 16th, 2008 chad

Used hard drives that haven’t been formatted are the absolute easiest way to obtain information about the previous owner. Even if the hard drive has been formatted or the operating system has been re-installed, that does not assure that the previous data has actually been overwritten, or that it is not retrievable.

A few places you can find used hard drives at low cost, or in some cases free, would be at a flea market, garage sale, or even Freecycle. Last summer I went to a few garage sales and a flea market in search of older computer parts. I purchased one computer from a local Elementary School teacher who didn’t bother to format the hard drive. She still had some of her work on the hard drive including student names, the grade she taught, the classroom number, and various other information in plain view. Bought the computer, monitor, keyboard/mouse at her garage sale for $10.

More recently, I came across a few computers being given away by a hospital as they had upgraded all of their workstations. I was pleasantly surprised to find that all of the hard drives had been removed from every workstation, but found a few software CDs still in the CD-ROMs. Sure, the CDs could have ended up containing databases/spreadsheets/documents with patient info because the trays weren’t checked, but they did not. Also, you still have to commend an admin that has the sense to know that hard drives are sensitive to exploitation – especially in a medical environment.

Materials: A little bit of cash, a few used hard drives, and some free time.

A visit to Walgreen’s drug store

July 9th, 2008 chad

A while back I had to go to Walgreens to pick up a prescription around noon. It was quite busy and there was a line-up; however, I decided to wait for my prescription and people-watch. As I was waiting, customers and the pharmacists were giving out information as if nobody were around them to hear it. I heard names, phone numbers, birth dates, social security numbers (for insurance company ID verification), and the names of drugs being picked up. I couldn’t help but think that this is wide open to exploitation given the fact that almost everyone has a cell phone capable of text messaging and note taking.

Over the course of 30 minutes while I was waiting, I overheard, and subsequently could have stored on my phone, the personal information stated above for 10 different customers. It would seem that Walgreens would find a way to “silence” information that could be overheard. When I went in, the only personally identifiable information they asked for was my phone number, and they tied me to that number. This is also fairly insecure as anyone can look up a phone number, since it is public information, and impersonate someone else. I would suggest that perhaps a quick driver’s license check would be a better idea for ID verification. It’s silent, easily accessible, and has all the information they would need right there on a credit card sized document.

Materials: Some spare time and a cell phone capable of saving/sending text.

Categories: Personal security

How to bypass keyless entry

June 28th, 2008 chad

I happened to be looking through the Saturn owner’s manual for something completely unrelated and found a page that ended up being a bit humorous. Apparently Saturn engineers went through all of the trouble to make sure that the remote transmitter didn’t send the same signal twice so that it couldn’t be “sniffed” and re-broadcast for a thief to break in. Unfortunately, when creating the owner’s manual, they decided to share how to bypass the security of the remote transmitter so that anyone with a Saturn transmitter can get into your car.

If you flip to page 79, the manual states:

"Synchronization may be required due to the security method used by this system. The transmitter does not send the same signal twice. The receiver will not accept a signal that has been sent to it more than once. This eliminates the possibility that the signal will be recorded and played back."

Now for the kicker. The very next sentence tells you how to bypass it:

"To synchronize your transmitter with the receiver, press and hold the LOCK and UNLOCK buttons on the transmitter, at the same time for about 10 seconds, near your Saturn."

Kind of senseless to go through all of that trouble to change the signal each time you use the remote. It takes a little more technical knowledge to record and retransmit a signal than it does to hold two buttons on a remote for 10 seconds. I would imagine that this method would be similar on other vehicles, so I guess it’s time to check your owner’s manual for something similar. Luckily the Saturn I drive does not have keyless entry.
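To make the manual's description concrete, here is an added model of a rolling-code receiver of the kind it describes: each press carries a fresh counter and an authenticator, and the receiver accepts every counter at most once, so a recorded signal is rejected when played back. This is example code written for this page, not Saturn's design or firmware; the HMAC tag, the 16-press look-ahead window and the way resynchronization is handled are assumptions. The manual says nothing about whether the resync step checks that the transmitter is already paired with the car; this model assumes that it does, so the weakness the post points out corresponds to a receiver that skips that check.

```python
import hashlib
import hmac

# Assumed parameters of this model (not from any Saturn documentation).
TAG_LEN = 8   # bytes of HMAC kept as the authenticator
WINDOW = 16   # presses the receiver tolerates ahead of the last one it saw


def make_tag(key, tx_id, counter):
    """Authenticator over transmitter id and counter, so a forged message fails."""
    msg = tx_id.encode() + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Transmitter:
    """Key fob: shares a secret with the receiver and never reuses a counter."""

    def __init__(self, tx_id, key):
        self.tx_id, self.key, self.counter = tx_id, key, 0

    def press(self):
        self.counter += 1  # each press produces a different signal
        return (self.tx_id, self.counter, make_tag(self.key, self.tx_id, self.counter))


class RollingCodeReceiver:
    """Car side: accepts each counter at most once, so recordings cannot be replayed."""

    def __init__(self):
        self.keys = {}       # transmitter id -> shared key, set at pairing
        self.last_seen = {}  # transmitter id -> highest counter accepted

    def pair(self, tx):
        self.keys[tx.tx_id] = tx.key
        self.last_seen[tx.tx_id] = tx.counter

    def receive(self, tx_id, counter, tag):
        key = self.keys.get(tx_id)
        if key is None:
            return "unknown transmitter"
        if not hmac.compare_digest(tag, make_tag(key, tx_id, counter)):
            return "bad tag"
        last = self.last_seen[tx_id]
        if counter <= last:
            return "replay rejected"   # already seen, or older than one seen
        if counter > last + WINDOW:
            return "out of sync"       # fob pressed too often out of range
        self.last_seen[tx_id] = counter
        return "accepted"

    def resync(self, tx_id, counter, tag):
        """The manual's hold-both-buttons step, modelled as an authenticated
        counter re-alignment. Assumption: only a transmitter whose key the
        receiver already holds can be resynchronized."""
        key = self.keys.get(tx_id)
        if key is None or not hmac.compare_digest(tag, make_tag(key, tx_id, counter)):
            return False
        self.last_seen[tx_id] = counter
        return True


def demo():
    """Walk through the scenarios in the post; returns the receiver's verdicts."""
    key = b"\x13" * 16  # constructed pairing secret
    fob = Transmitter("fob-1", key)
    car = RollingCodeReceiver()
    car.pair(fob)
    first = fob.press()
    results = [car.receive(*first), car.receive(*first)]  # genuine, then replayed
    for _ in range(WINDOW + 5):   # pressed out of range: counter runs ahead
        far = fob.press()
    results.append(car.receive(*far))        # too far ahead
    results.append(car.resync(*far))         # re-align with the paired fob
    results.append(car.receive(*fob.press()))
    stranger = Transmitter("fob-2", b"\x42" * 16)  # another car's fob
    results.append(car.receive(*stranger.press()))
    return results
```

Running demo() gives accepted, replay rejected, out of sync, True, accepted, unknown transmitter: the replay protection works, and the only thing that decides whether resynchronization is a weakness is whether the receiver authenticates the transmitter during that step.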

Materials: 2000 Saturn owner’s manual.

Bank and mortgage exploitation

June 15th, 2008 chad

Recently, my mortgage lender made a mistake and I had to visit their office to assist in correcting their problem. As always, I was curious as to how their policies/procedures worked and kept an eye out for vulnerabilities. After all, I do some banking through these people, so I want to feel at least somewhat confident in how they handle my personal information. What I discovered was quite interesting.

I met with the mortgage loan officer who had greeted me and led me into his office. He proceeded to call the corporate office to inquire about my loan and to make a few changes like the SEV, the estimated value of the home, and the amount taken out via escrow for city taxes. Verification of his identity over the phone to the corporate office was only his name and an internal “identification number”. The internal I.D. number was read off by the loan officer very casually and could have been heard by anyone near or in his office. I texted his I.D. to myself and grabbed a business card for all of his other business information. One could imagine how this could potentially be abused – especially as this particular loan officer managed mortgage loans for a fairly large portion of these banks in the mid-Michigan area.

Materials: Motorola Razr phone with text messaging.

Categories: Personal security

Davenport University security

April 22nd, 2008 chad

I meant to go back and follow up a little more, but for now I’ll post my findings so far. Honestly, Davenport has their act together for the most part – I only discovered very minor things that are easy fixes and do not pose an immediate security threat.

Back on March 12th, I needed to use the library for a short while. I used the map command to see what I’m already connected to for the heck of it. Afterwards, I started playing around in My Network Places – specifically the Novell Connections. First I played around with a share called Midland_4x, but nothing was too interesting there. Of course another one of the first things I had to check out was the part that said “STAFF” :P Still nothing interesting really. I played around in the tree a little longer and finally found something that caught my eye – something that appeared to be a Unix-based server with SSH. It used the default port (22), but ended up being either down or filtered by the firewall. Then I found another server that looked like it was for grad students that had somebody’s resume on it. The whole directory appeared to be world readable/writable. Two other things I’ll have to check out later are a front page to their Novell OpenEnterprise Server (Novell and Suse – good stuff!) and what appeared to be an OpenSource Project page. Nice :) I wasn’t sure what to make of their BMC Service Desk Express page or the APC InfrastruXure Manager page. Looks like I’ll have to do some more research on those when I get some time. One thing that should probably be addressed is Apache being installed and running on several Novell servers. As you can see from the screenshot, the default index page is still up, which tells me that the administrators may not know Apache is running. As we are taught in several classes, unused services should never be running. /etc/init.d/apache2 stop :)

About a week later I went back to look for anything else that might catch my eye. I found what I was looking for in the “Documents and Settings” folder. If you surf to C:\Documents and Settings\, you’ll find the names of everyone who had logged into the computer. You’re also able to poke around in their folders, which show information such as downloaded programs, personal files saved to “My Documents”, and their “Favorites” amongst other things. While it could take forever to look for anything of interest in all of those folders at the library, all you have to do is output the tree command to a text file for later viewing. In defense of Davenport, they’re not the only ones who have this issue – Delta College does as well. They allow viewing of cookies and recent documents, which could reveal some information about the users or their online identities including hotmail, student email addresses, projects they are working on (assuming that’s a project), facebook identity, and more.

Overall, I was pretty happy with what I discovered…which wasn’t a lot ;)

Delta College miscellaneous security issues in a nutshell

April 20th, 2008 chad

I previously discussed Delta College’s Linux email vulnerabilities, so I thought I’d discuss other vulnerabilities from the past as well. I have been frustrated with the responses I have received from Delta regarding security since back in 2003. The responses from all but one person have been “well, it’s our server and we’ll configure it how we want to”. Hey, I completely understand except for one tiny little detail – your server has MY PERSONAL INFORMATION attached to it as well as THOUSANDS of other students’ personal information. That and you’re a publicly funded school, so you should probably take the proper measures to make sure your students’ information is adequately protected. On the bright side, that, to me, means that they don’t mind the information I find being posted publicly.

eLearning is a wonderful tool that allows students the flexibility of not having specific class hours. It allows students that work during the day the ability to work on a class in the evening if a regular classroom setting isn’t available in the evening. It’s very similar to, though not as functional as, the Blackboard Academic Suite. I had emailed the eLearning manager about a year and a half ago regarding potential security risks that could affect all students using the eLearning web site. The more “minor” risk of the two is the ability to use any HTML tag in the post. This should be restricted to using only the following tags: bold, italicize, underline, a href (links), and the rest should be stripped – PERIOD.

A more major flaw is that students are/were able to post using their teacher’s name. This is not done by changing the font colors, but is actually a flaw in the eLearning software itself. Again, it could easily be fixed if they blocked HTML tags except for the few I’ve suggested. As of this posting, I’m unsure if the flaw still exists as I haven’t had an online class at Delta in a couple of years.

Everything looks very secure as far as changing your password at Delta. SSL login and 3 pieces of “personal” information make it difficult for someone to brute force their way in to be able to change your password. I went over this recently.

Delta’s strongest links are webmail, MyDelta, and their signup page. This isn’t because they’re using specific server software or a specific OS – that’s irrelevant in the overall security. The reason they’re strong points in Delta’s network from a client standpoint is that they implement SSL for encrypted logins. More recently, after analyzing some packets while a friend logged in to their eLearning account, I found that logins are encrypted even though the front page is not (normally) using SSL unless the address is altered to use SSL (https vs. http).

One of Delta’s weakest links would have been Educator (eLearning) because the login was not encrypted. You used to be able to sniff passwords from fellow students or even your teachers. A certain teacher showed up in another class I used to take to check Educator before he went to his other class each day. I was able to capture his login name and password in clear text because eLearning did not implement SSL at the time. This was dangerous since students could alter their grades or other students’ grades if they were to log in as the teacher. It is also dangerous because Delta’s idea of security is sharing the same password across all Delta resources both encrypted and unencrypted. Hence, if you sniff the password from the unencrypted sessions, the encrypted sessions mean nothing.

Another weak link is their Redhat Linux Enterprise server – telnetting to xserver is unencrypted and leaves the door wide open for login/password interception. This had been discussed once before. This could easily be fixed by implementing OpenSSH (they used to have it running) and using a good, solid SSH client rather than NetTerm, which is currently installed. When I had downloaded and installed NetTerm years ago, by default it used to have a FTP server built in that was on when installed and allowed anonymous login sessions. That’s not a good position to put students in regarding the security of their own machines.

When I had notified Delta about xserver’s issues, I was blown off and then disallowed access once the semester was completed and have not been able to log on using my account since. This was not a standard operating procedure at Delta as all of my fellow students still had access to xserver after the class was finished and on into the next school year. Most of the issues raised were not fixed until sometime during the summer of 2005 – well over a year after being told about the issues in the first place.

Unfortunately, xserver still remains insecure.

Delta has definitely shown more of a reactive stance than a proactive stance when it comes to security. If the solution to a security issue is simple, it can be tested fairly simply, and implemented in a fairly short amount of time. In fact, in the case of the SSH installation on xserver, it already *was* installed, then Delta removed it. Why they would do such a thing is beyond me.

Since Delta College is now offering a degree in Information Security and Technology, they’re losing credibility in my eyes. If Delta can’t secure their own network with some good security measures, how can they be considered a credible institution for this new program? Are they ready for possible identity theft because students have social security numbers, phone numbers, addresses, and credit card numbers associated with their Delta ID?

I guess the most offensive part of this whole situation is that when I approached Delta faculty about these security issues, one particular faculty member responded in an almost threatening manner and never bothered to fix some of the most serious misconfigurations until 14-16 months later. Yes, that’s over a year, and the remaining misconfigurations still exist that threaten the security of the server. That’s right – their way of fixing the problem is to remove the problem – me. Unfortunately for them, I know other students that attend Delta College and allow me to look around at xserver every so often under their account (and supervision – I insist upon it.).

Anyway, since telling the faculty does nothing more than single me out, I decided to present this information in a presentation to two classes I previously had and here.

Solutions: What Delta College can do to remedy these situations would actually be fairly simple:

For eLearning:

*Set up a whitelist of HTML tags that users can post with. Reference www.slashdot.org for an example of the correct way of doing this. Slashdot’s code is open source and is freely available – it’s known as “Slashcode”.

*A link could redirect to a cloned page such as the “session has expired – please enter login/password” set up to steal passwords.

*A student could “embed src” an offsite page within Delta’s eLearning area to make it appear to be a part of eLearning. This could then be changed after the malicious activity is complete.

*The links at the bottom of the page could be hidden and malicious links could replace the legitimate links, using a “font color="white"” change or an HTML comment (<!-- -->) to hide them.

For xserver (Linux server):

*Install SSH on their Redhat server (xserver) by logging in as root and issuing the command “urpmi openssh-server” or installing it via Redhat’s GUI interface for package management. For Debian distros it would be a simple “apt-get install openssh-server” to install OpenSSH. When installed, it would automagically be available for all users.

*Require students to use the SSH client from SSH Communications (freeware) for xserver connections as well as FTP transfers. This would be better than requiring both NetTerm (used to be very insecure) and WS_FTP to be installed. One application to cover both functions and the login is now encrypted.

*Test and upgrade patches to their Redhat server – try any patch. The last time I had created a VNC session on their server (yet another issue…), not a single patch had been issued to xserver since the initial OS installation.

*To remove the ability for running X-specific binaries (xchat, gftp, vncserver), all they’d have to do is create a user group like “student” and allow them only to access/execute the files that are required to teach the CST-126 and CST-133 classes. Either that or just uninstall unnecessary programs using Redhat’s GUI package management system (up2date, yum, or whatever).

For FTP:

*Last I knew, alpha.delta.edu was a Windows machine running IIS and the FTP server associated with Windows Server. Either find a way to enable secure file transmissions to this server, or install the software and/or operating system that allows this type of transfer to occur.

Materials: An internet connection and in some cases, physical access to a Delta College computer.

Lowe’s credit card applications

April 18th, 2008 chad

I took a trip to Lowe’s to pick up some building supplies for the house I’m fixing up. I had to pick up a lot of stuff and I saw a “no interest for one year” card offer. I figured deferred payments would be a good thing so I applied for the card and was given a “temporary credit card” for immediate use, which consisted of my name, account number, and expiration date printed out on a piece of paper. Just like a regular credit card, it requested my signature on the paper so they could match up my signature with the one on the paper. Like most people, I never signed it.

What really bugged me was that there was no verification of who I was after I received the “temporary credit card”, so if I had dropped it, someone else could have gone on a shopping spree at my expense. I was amazed that I could walk up, purchase $540.00 worth of building materials, and walk out the door using this “temporary credit card” with no questions asked.

Solution: At the very least, they should require that I sign the paper immediately after they issued it to me. Then the cashier should have verified my temporary card by asking for my ID. Any time a cashier asks for my ID when I’m making a credit card purchase, I actually thank them for taking that extra step.

Materials: Application for a Lowe’s credit card.

Delta College password security

April 16th, 2008 chad

Having been a former student of Delta College, as with any student, I was given a user name and password that was used for access to several services. These include network shares, email access, class registration through MyDelta, Educator (like Blackboard), FTP, and access to the Linux server amongst other things. So if I were a student and wanted to make sure that my password is secure, where would I start? Learn about the process and then find the weakest links of course!

First, as a new student you’re asked to go through the signup process, but when clicking through, you’re taken to the policy page first. Funny thing is that the page can be bypassed by just going directly to the sign up page instead. So yeah, legally, the policy is shaky ground since it can be bypassed during sign up. You enter all of your personal information in and you now have access with a single login and single password for all services.

So if someone wanted to hijack my account, what would they do? What plan of action would one take to steal my info? Well, if you click on the link that you lost your login name, you get directed to this page and are given this prompt. The same prompt is given if you click on the link that you want to update or change your password. Since nobody else should really know my SSN or Delta ID, and might only be able to figure out my birthday, it would make compromising my account more difficult. In essence, Delta is implementing defense in depth. However, who needs a Delta ID when your login name is…your name. If your electronic account was created before Fall of 2002, your login name was your first initial, middle initial, and your last name. For example, John Q. Student would be jqstudent. After 2002, it’s simply your first name and last name (johnstudent). So hijacking your account via a “lost password” feature is too time consuming or too difficult. There has to be an easier way, right?

What about brute forcing the password with something like Brutus that does web-based password cracking? Probably not practical since Delta has a somewhat decent password policy in place and it would take forever to brute force the password this way. So that’s out of the question.

What about shoulder surfing at the library? Not really a bad idea, but it could be noticeable by the victim. This method is definitely feasible, but could cause bodily harm or get you kicked out of the library. Then you would likely be watched closely during future visits.

What about services that could be exploited in some way or another? Maybe sniffing the password? Well, webmail is performed via SSL, so that makes things difficult. MyDelta also uses SSL when you’re logging in, as does Educator…finally, after about a year or so after I made the suggestion to Educator staff. You’re not likely going to sniff anything while you’re logging in either. However, there are two services that are performed in clear text – FTP and telnet. These two services are only really used in a handful of classes, so you would have to devise a plan on how/where to sniff this traffic.

Telnet is used only for the Linux class (CST-126), but it’s also available online. Since their Linux server has a compiler installed, you could attempt to compile a sniffer from the command line, but that would likely be under your own account.

FTP is used mainly for uploading web pages in the CST-110, CST-133, and CST-210 classes. I’m not sure why you’d need to do that since the directory you upload to is world readable/writable by everyone, but that’s another post ;) So one could sit in a CST-133 class during the web site creation tutorial week, flood the router with false MAC addresses, and sniff the passwords as people log in. The other option is to sit in one of the wireless hotspots and hope someone logs in and needs access to the telnet or FTP server. You might be waiting a while for that one…

Worst case scenario was a few years ago when you could log onto the Linux server and grab the /etc/shadow file, which held encrypted passwords for the entire student body. I’m not sure exactly how this happened as the /etc/shadow file is normally only viewable by root, but it was likely because of a misconfiguration or fat-fingered-mistake such as “chmod 777 /etc/shadow”. In a nutshell, if you could copy this file to a flash drive, you could take it home, run John the Ripper on the file, and have some accounts to play with.
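The two server-side problems that run through both Delta posts, clear-text telnet/FTP logins (the xserver and FTP items in the solutions list above) and a world-readable /etc/shadow, are exactly the things an administrator can check for mechanically. The following is an added example of such an audit, written for this page and not any script of Delta’s or Collegis/SunGard’s. It parses `netstat -tln`-style output for listening clear-text login ports and checks that the shadow file grants nothing to “other” and no write to group; the sample netstat output is constructed, and the demo uses a temporary file in place of /etc/shadow so it runs anywhere.

```python
import os
import stat
import tempfile

# TCP ports of login services that carry passwords unencrypted.
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 23: "telnet", 513: "rlogin", 514: "rsh"}

# Constructed sample of `netstat -tln` output for a host in the state the
# post describes: FTP, telnet, a web server and a VNC display all listening.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
"""


def listening_cleartext_services(netstat_text):
    """Map port -> service name for every clear-text login port found listening."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("tcp"):
            continue
        port = fields[3].rsplit(":", 1)[-1]   # "0.0.0.0:23" or ":::23" -> "23"
        if port.isdigit() and int(port) in CLEARTEXT_LOGIN_PORTS:
            found[int(port)] = CLEARTEXT_LOGIN_PORTS[int(port)]
    return found


def shadow_is_private(path):
    """True when PATH gives 'other' no access and group no write access.

    root:shadow 0640 (Debian) and root:root 0000 (Red Hat) both pass; the
    fat-fingered "chmod 777 /etc/shadow" from the post fails.
    """
    mode = os.stat(path).st_mode
    return (mode & stat.S_IRWXO) == 0 and (mode & stat.S_IWGRP) == 0


def audit(netstat_text, shadow_path="/etc/shadow"):
    """Collect findings as strings; an empty list means both checks passed."""
    findings = []
    for port, name in sorted(listening_cleartext_services(netstat_text).items()):
        findings.append(f"{name} listening on tcp/{port}: logins cross the wire "
                        "in clear text; serve the class through OpenSSH/SFTP instead")
    if os.path.exists(shadow_path) and not shadow_is_private(shadow_path):
        findings.append(f"{shadow_path} is readable or writable by group/other: "
                        "password hashes are exposed to every local account")
    return findings


def demo():
    """Run the audit with a constructed stand-in for /etc/shadow, before and
    after its mode is corrected; returns both finding lists."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o777)        # the mistake described in the post
        before = audit(SAMPLE_NETSTAT, path)
        os.chmod(path, 0o640)        # a normal shadow-file mode
        after = audit(SAMPLE_NETSTAT, path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fixing the shadow file:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

The before run reports three findings (ftp, telnet, shadow file) and the after run two; the remaining two only go away when the clear-text services are actually retired, which is the point of the post's SSH recommendation.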

Anyway, the point is that if you are able to obtain a student’s password, you have full access to that student’s account. This includes access to all of the resources available that are specific to that student as well as the ability to add and drop courses they are currently enrolled in or signed up for. That would help if you’re having a hard time getting into a class because it’s full, eh? ;)

Disclaimer: Just as any post I make, I do not condone or encourage any malicious activity. I post the information I do to give people a little nudge in the right direction and take security a little more seriously. After all, there’s a lot of people’s trust in your hands and it’s your responsibility to keep the bad guys from breaking that trust. As usual, I have to rip on Collegis/SunGard because they’re the ones that handle Delta College’s IT sources including security. Unfortunately, they can’t seem to nail down the security part.

Materials: Access to a Delta College workstation and an Ubuntu Linux live CD.

Biometrics – fundamentally flawed

April 14th, 2008 chad

As far as biometrics go, they are fundamentally flawed. If that biometric data is compromised or duplicated, you can’t just change it like a password.

At a previous employer of mine, they used a hand scanner to punch in and out. You punched in your employee number (everyone knew everyone else’s employee number) and put your hand in the scanner. The scanner detected the shape of your hand and if your hand was a 70% match or better, you were good to go. Unfortunately this was not a very secure form of biometric use either. I was able to punch in and out for 5 other people and vice versa. This is because hand sizes are not all that different, and you only need to be “fairly close”, as the 70% match factor proved.

Fingerprints aren’t much better either. Recently, the German Secretary of the Interior, Wolfgang Schäuble, had his fingerprint published online by the Chaos Computer Club. They lifted it from a glass that Wolfgang drank from during a panel discussion. The CCC also published their magazine that included a plastic foil reproducing Wolfgang’s fingerprint, making it easy to glue to someone else’s finger to bypass biometric security measures. You don’t have to go to any special measures really to fool fingerprint biometrics. Plastic and all those synthetic rubber moulds and stuff that the average person couldn’t do is a bit excessive. Remember on MythBusters when they tried to beat that “unbeatable” fingerprint lock on a door and managed to do it by printing off the fingerprint with a laser printer and licking it?

Some people think “DNA, now that is good, and it is something difficult to duplicate.” There is no need to duplicate it; free samples are falling off you everywhere you go. So no, DNA isn’t a very good form of biometric security either.

There is, however, a very good biometric that one can use: a neural imprint of a specific token. It currently can’t be read without the cooperation of the person, and it leaves no imprint around except as the owner desires and controls. It’s known as a “password”. A technology that is, perhaps, new and radical, but far more secure than other biometrics. Even a password, unfortunately, isn’t particularly secure, just less insecure than the garbage the scam artists of the biometrics industry are trying to push on the gullible.

At least until extreme body modification is commonplace, biometrics are not the way to go for identification. It’s the only modern “security” mechanism that lacks revocation. Without revocation, a security model is eternally broken as soon as one broken link is found.

A person only has 20 digits, 2 palms, 2 soles, 2 retinas, and one genome. All of the biometric properties of those can easily be duplicated with noninvasive methods (simply enrolling in a biometric system requires the same access as duplication would). When one of those 27 properties is compromised, how do you revoke its use? I guess start with the fingers and palms, and as people get older they have to start using their feet for identification, and as a last resort make them get pricked for each identification. When all the biometric identifiers are used up, the now useless (at least in a secure society) people can be recycled in the soylent green program or something.

Walgreen’s prescription service security

April 12th, 2008 chad No comments

I happened to stroll into Walgreen’s today to pick up a prescription. Unfortunately I had to wait, but it gave me some time to think and observe. While I was sitting there, other customers went up to the counter asking for their prescription. I noticed that all they needed was a name and they were given a prescription, with no ID or other proof of identity required. Well, who cares about picking up someone else’s medication unless you’re some sort of junkie, right? But then another customer came up and the person behind the counter had to verify their insurance information over the phone, which is a common occurrence, as I saw while waiting for my prescription for 30 minutes.

So what’s the point of all of this? The information given over the phone consisted of the person’s name, SSN, their insurance numbers, plan number, prescription number, address, and phone number. You could hear all of this quite clearly as the phone was right by the customer pickup window. That’s quite a bit of personal information all wrapped up into one quick visit to Walgreen’s. If you have a cell phone (most people do – it’s 2008), you can key in this information separated by stars, periods, or whatever while just sitting there waiting for a prescription. Or you could just sit there and gather this information without waiting for a prescription. If they ask if they can help you, just state that you’re waiting for a friend – it’s not like they’ll ask you to leave if you’re sitting there quietly.

Materials: A cell phone that allows text messaging or the ability to key in a large amount of numbers and some free time.


Back at Delta College…again

April 10th, 2008 chad No comments

So here I am writing this post from Delta College’s library. I started playing on the Windows network again, but I honestly prefer Linux and the only operating systems they have available in the library are Windows and Mac OS X. I brought my handy dandy Ubuntu Linux bootable CD so that I could work in a more familiar (and comfortable) environment. The machines they have are actually quite nice – Dell Optiplex GX520.

Unfortunately, I had a hard time booting the CD, only because the boot order doesn’t let you boot from CD automatically; you have to select the CD “manually”. Rather than entering the BIOS by hitting the usual suspects such as the Delete key, Escape key, F8, etc., Dell gives you a boot menu by pressing either F12 or Ctrl+Alt+F8 during boot. After obtaining that piece of knowledge, I was on my way.

There’s nothing really new to report other than they still haven’t fixed the permissions issue on the STUDENT share. Even the main page for the STUDENTS server is writable, along with every other file. Thanks once again to Collegis/SunGard for their prompt action. Talk about lax security and lazy admins – it’s really quite sickening that a simple, but potentially damaging, permissions issue can’t get resolved quickly. So I left a message this time, although it will likely continue to be ignored.

Anyway, I booted up Ubuntu 7.10 and then started looking around on the network again. Honestly, I really couldn’t think of much more to do so I figured I’d run a network scan with nmap. I started with just scanning 10.101.7.0/24, but it seemed to be too quick and I had more time to waste. I stepped it up to 10.101.0.0/16 :) Much better – I found a few more machines with more interesting services. I also found the lone Linux machine ;)

Anyway, for those interested, here are the results of the 10.101.0.0/16 scan in normal format, in XML format (prettier), and in grepable format.

Materials: Ubuntu 7.10 live CD, Motorola Razr camera phone.

Using public computers

March 26th, 2008 chad No comments

Once again, I decided to take a trip to Delta College and prod around a bit. I visited their library, which is home to about 100 PCs and a handful of Macs. Rather than jump on a PC and play, I decided that I would just sit down and observe for a few minutes. I noticed that about 50% of the computers had people with their MySpace accounts open, about 25% doing homework, and the rest just doing some general surfing. I also noticed that quite a few people were just getting up and walking out despite the desktop background that reminds them to log out of their account when they are finished at the public computers. After one person got up, I decided to walk over to their computer and jump on. I hadn’t noticed that they didn’t log out until I actually sat down at the computer and saw a desktop.

Since I wasn’t violating Delta’s policy by logging in as someone else (they logged themselves on), I decided to see (to a point) what the dangers were of not logging off. One thing that you could view would be the history of places they visited on the internet using their web browser. While the student forgot to log off their computer, they did remember to log off of their MySpace account. However, I was still able to view some of the places they visited on MySpace.

Now in Delta’s case, they specifically advise you to restart the computer on their desktop image. This is because they use software called Deep Freeze by Faronics. When the computer reboots, this software discards any changes that were made to it and reverts the computer to an image that is saved on the computer. It’s a good idea to do so because if you simply log out, changes made to the computer are not erased. For example, on Delta’s computers, your browsing history, cookies, and recent documents are stored under your login name and are readable by anyone else who logs on to the computer.

Solution: Always reboot or log off a public computer after you are finished. Even more advisable would be to clear the history and cache on any browser you use while on that public computer.

Materials: A public computer.


Delta College file share permissions security problem

March 20th, 2008 chad No comments

On February 14th, 2008, I had strolled into Delta College’s library to play around on the network a bit. I thought that I might find something interesting to write about, even if it’s just minor. What I actually found was quite disturbing in my opinion. I found that the area in which students could upload files for their personal web area (http://student.delta.edu/{student_name}) was readable and writable by every student.

This might not seem like a big deal to many on the surface. However, when you consider that there are thousands of students and a majority of them use their personal web area for required school projects (used in CST-110, CST-133, CST-210, and many more), it turns into a big deal. Especially since some instructors use the same area for posting assignments, quizzes, and tests as well. Another possibility for abuse is that you can get a full listing of every student at Delta using the TREE command and outputting to a text file. This could be used for spamming user accounts at a later date, or just seeing if there’s anything interesting (like resumes or other personal information) in user directories at your leisure. Lastly, someone could easily create a shell or batch script to overwrite the index file in all student directories for a mass defacement of web pages.

On February 15th, 2008, I had emailed an instructor I have come in contact with before on several occasions. In the email, I had given details about the file share permissions problem. The instructor, in turn, forwarded my message on to the company they outsource their IT infrastructure to and they still haven’t done anything despite it being a simple fix.

Unfortunately I have other security issues to share, but I would like to give Delta more time to fix them as they are a little more complex. Stay tuned.

Solution: Simple – change permissions on the share so that students cannot view/edit the entire directory contents of the STUDENT server and only have permission to view/edit their OWN directory. The help files on their server might help a little too – particularly this area. Change the company they outsource their IT infrastructure to or hire their own full-time IT personnel…these security issues are getting ridiculous.
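As an added example of the fix above (my own script, not Delta College’s or its contractor’s), a PowerShell pass over the share root that reports every student directory a broad group can write to and, with -Fix, restricts each one to its owner. The share path D:\STUDENT, the domain name DELTA, and the rule that a directory is named after its owner’s account are assumptions.

```powershell
# Added example, not Delta College's or Collegis/SunGard's own script.
# Assumptions (labelled): the STUDENT share lives at D:\STUDENT, each student's
# web directory is named after their account, and accounts are in the
# hypothetical domain DELTA. Run as an administrator on the file server.
param(
    [string]$ShareRoot = 'D:\STUDENT',   # assumed share path
    [string]$Domain    = 'DELTA',        # assumed domain name
    [switch]$Fix                         # default is report-only
)

# Broad principals that must never be able to write into someone else's directory.
# Administrators and the web server's service account are deliberately not listed,
# so their entries are left untouched.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Any of these rights lets a caller add, change or delete files in the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

Get-ChildItem -Path $ShareRoot -Directory | ForEach-Object {
    $dir  = $_.FullName
    $user = $_.Name
    $acl  = Get-Acl -Path $dir

    # Allow entries granting a broad group any write-class right, inherited or not.
    $bad = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }

    if ($bad) {
        $who = ($bad.IdentityReference.Value | Select-Object -Unique) -join ', '
        "{0}: writable by {1}" -f $dir, $who

        if ($Fix) {
            # Stop inheriting the share root's permissive ACL (keeping a copy of the
            # current entries), strip the broad write grants from the whole tree, then
            # give the owner Modify on their own directory and everything below it.
            icacls $dir /inheritance:d | Out-Null
            foreach ($p in $broad) { icacls $dir /remove:g "$p" /T /C | Out-Null }
            icacls $dir /grant:r "${Domain}\${user}:(OI)(CI)M" /T /C | Out-Null
        }
    }
}
```

Run it without -Fix first and check that the reported principals are really the broad groups and not the account the web server reads the pages with; only then rerun it with -Fix.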
