Archive for February, 2008

Diebold voting machine security

February 29th, 2008 chad

Diebold Accuvote voting machines, as most people know, have had a hard time gaining and keeping any credibility in the world of information security. This is nothing new, but to add to the thought of how insecure these machines are, here is an image of the keys that some people have made copies of – just from the image itself. A group of students at Princeton discovered the Accuvote keys are actually a common office furniture key used for hotel minibars, electronic equipment, and jukeboxes.

But of course you don’t have to make your own key because Diebold will sell you one fairly cheap: “Replacement Access Keys”, part number GS-567311-1000, $5.90 for a set of 2. Order by phone at 1-800-769-3246.

So while taking physical security into consideration, one should also consider that just being able to take a picture of a set of keys can be just as effective as “shoulder surfing” while someone is entering a numeric password on a keypad.

Categories: DoS, Physical security

Delta College email groups

February 20th, 2008 chad

For several years prior to Davenport University, I had attended Delta College and eventually earned an Associates in Applied Science geared toward Network Technology. It was a great place to get started and was a stepping stone that eventually made me want to become a college instructor thanks to several inspirational instructors that teach there. I honestly can say I have no complaints whatsoever about the Delta staff. The company they outsource their IT management to on the other hand…well, that’s another story. I’ll be posting several security issues that I have discovered at Delta that either still haven’t been fixed by their outsourced IT staff or have been poorly addressed. Since I have given sufficient time to fix any problems I have found, and have reported all issues I have found, I feel the need to make the information publicly available. This will be one of several posts in the future regarding Delta College security.

This one is fairly minor, but could be abused terribly considering other security flaws found on their network that have not been published yet. Delta College uses Microsoft Exchange for their email system (yeah, I know, but it’s their choice) and after I had become a little more familiar with Exchange I started prodding around. After receiving an email some time ago that appeared to be sent to pretty much every student in the address book, I started looking around in the address book for things that appeared insecure. What I found were groups like “facultysalary”, “business”, “facilities”, and “StudentBody” which, as implied, is every student at Delta College. Not good. Access to use these groups should be extremely restricted. For example, restrict access for sending an email to the StudentBody group to only those who are members of the Faculty group. Then again, I guess I can understand why Exchange is configured this way since the outsourced IT staff has to publicly ask how to do their jobs. And to think they inked a deal for $5 million for a 5 year contract back in ’96. I can only wonder what we’re (community college!) paying now…I’m really thinking Delta’s not getting their money’s worth…

Materials: A student account at Delta College.

Categories: E-mail, Network, Windows
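
The sender restriction suggested in the post above, sketched for the Exchange Management Shell (Exchange 2007 or later). This is an added example, not the author's or Delta College's configuration. It assumes "Faculty" exists as a mail-enabled group; "StudentBody" is the group named in the post.

```powershell
# Added example. Run in the Exchange Management Shell by an Exchange administrator.
# Assumption: 'Faculty' is a mail-enabled group; 'StudentBody' is the group from the post.

# 1. Audit: list every distribution group that has no sender restriction,
#    i.e. any mailbox in the organization can send to it.
$openGroups = Get-DistributionGroup -ResultSize Unlimited | Where-Object {
    (-not $_.AcceptMessagesOnlyFrom) -and
    (-not $_.AcceptMessagesOnlyFromDLMembers)
}

$openGroups |
    Sort-Object Name |
    Format-Table Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled -AutoSize

# 2. Preview the change first: only members of 'Faculty' may send to
#    'StudentBody', and unauthenticated (external) senders are rejected.
Set-DistributionGroup -Identity 'StudentBody' `
    -AcceptMessagesOnlyFromDLMembers 'Faculty' `
    -RequireSenderAuthenticationEnabled $true `
    -WhatIf

# 3. Apply the restriction once the preview looks right.
Set-DistributionGroup -Identity 'StudentBody' `
    -AcceptMessagesOnlyFromDLMembers 'Faculty' `
    -RequireSenderAuthenticationEnabled $true

# 4. Verify what the group now accepts.
Get-DistributionGroup -Identity 'StudentBody' |
    Format-List Name, AcceptMessagesOnlyFromDLMembers, RequireSenderAuthenticationEnabled
```

The audit in step 1 is the part worth re-running periodically: any group it lists, such as the other groups named in the post, accepts mail from every sender in the organization until a restriction is set.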

Hotel security – Baymont Inn

February 15th, 2008 chad

For a Valentine vacation, I decided to check out the Mount Pleasant hotel Baymont Inn from February 14th to February 15th. It was close to the casino, dinner, a pool, and had a hot tub in the room.

The hotel issued those credit card style keys with magnetic strips on them (magstripe cards) that swipe through a slot above the door handle. When you swipe it, you either get a red light (key not correct), yellow light (error, swipe again), or a green light (unlocked). Once the hotel issued me two cards, I had thought to myself there is a possibility that these cards could work on rooms other than my own. So off down the hall I went to try it out. Out of the 4 random rooms that I tested the credit-card-type key, it opened 1 door other than my own (133 worked for 109 and 109 worked for 133).

When I had claimed that I lost one of my two magstripe cards, I asked for another and he stated that the key would no longer work the next day. Not only did the new one he issued me work on the same room two days later, so did the other two keys that were initially issued to me. When checking out, I was told that I do not need to turn in the cards and would not be charged for the cards that I had kept. They had a machine there that created the magnetic strip cards. A phone call to the hotel needs to be made to find out the make and model of the machine.

The hotel also had free, open wireless available. No traffic was encrypted, the SSID was “baymont”, and there were no authentication requirements (no password, no mac address authentication).

Possible solution: Perhaps for the wireless situation Baymont could create a login/password combination like room number/last name for each of the guests. This information could be pulled from a database at set intervals such as every 15 minutes and pushed to the wireless access points. For the magcards working on multiple rooms, I saw that the person behind the desk was able to input some numbers before creating the card. I’m quite sure they could make new cards for every guest with a unique number, however, the task of updating the locks on each door might be very time consuming.

One question I would like answered is how often these locks are “changed” or are they all set to accept a certain list of pre-determined codes? For example, if the entire hotel only has 25 codes, but has 200 rooms, the problem arises of how to assign a certain amount of codes to each door lock. You can’t give all 25 codes to every lock because then every key could open every door. You can’t give just one code to each door because then anyone could come back later and get back in the room. No matter how they are separated though, I’m sure there would be a master lock (for the cleaning crew, manager, etc) and with a limited amount of combinations that could be stored to each lock, I can see where it would be difficult to secure.

Materials/methods: Social engineering, magstripe cards issued by the hotel.

ATM security

February 13th, 2008 chad

One important thing I have learned is that you should never take physical security for granted. If you have physical access to something, your options for compromising a potential target increase greatly. This runs true for everything from computers, to homes, to cars, to banks, and even garbage receptacles.

One day while driving through Freeland, Michigan, I happened to notice something a little out of the ordinary. I drove up to a credit union’s remote ATM to pull out some money for a trip and became a little concerned. It appears that whoever had installed this particular drive-up ATM did not make a conscious attempt to make sure it isn’t subject to a simple, physical denial of service attack. Note that there is nothing stopping the arm on the switchbox from being thrown to “off”. Granted, if one wanted to physically harm the ATM, they could always drive into it or something similar. However, this was much more simple – just turn off the power on the breaker switch and the ATM gets shut down. It was not locked in the on position, which is understandable, but it was not guarded or enclosed in any way.

This is an example of how physical security is commonly overlooked and should be taken into account whenever possible. You don’t park your car in a parking lot with valuables on the dash for the world to see and leave your doors unlocked. You wouldn’t take a vacation and leave your front door/garage door open while you were gone. You wouldn’t throw away an old credit card without first cutting it up with scissors. There are people out there who have the capability and motivation to cause harm. Don’t give them the opportunity to do so – take physical security into consideration whenever possible.

Materials: About $10 in gas, Voyager cell phone (camera)

Categories: DoS, Physical security

Wardriving – Ludington, Michigan

February 3rd, 2008 chad

Wardriving has been a hobby of mine for quite a few years and every so often I get on a wardriving kick where I like to get adventurous and try out new cities and towns. On February 2nd, I decided to go on an overnight trip to Ludington, Michigan. Since I was going to be checking out the area anyway, I figured it would be a good time to take care of my wardriving habit. Here is a video I took while taking a drive…

Materials: Compaq Presario laptop (2135US), Belkin wireless card (F5D6020), about $10 in gas, Kodak Digital Camera (C743), assistance from Rebecca.

Ludington Netstumbler file – 1st pass
Ludington Netstumbler file – 2nd pass


Categories: Network, Wireless

Hotel security – Viking Arms Inn

February 2nd, 2008 chad

While staying in Ludington, Michigan and taking a short drive through the town, I found that the hotel I was staying at had not changed their “passphrase” for encryption in quite some time:

Viking Arms Inn
SSID: Viking_Arms_Inn
Passphrase: abcabcabc1

Same as it has been for years per other previous guests. It would seem kind of pointless to have a passphrase if it never changes – especially if the passphrase is to be used by, or is available to, many people. Once a person stays there once, does this mean they have permanent wireless access?

While this is great for the casual surfer, it leaves the door wide open for abuse. Think about it for a moment from a malicious point of view. Other than the obvious searching for shared folders and possibly hijacking other computers on the open wireless network, there are even worse scenarios. If I were a virus writer, the smartest thing to do to prevent being caught is to release it from someone else’s network. If I were a spammer, I could have a field day on someone else’s network. If I were a real jerk, I could create a shell script to delete everything on every shared drive I gain access to while driving by at 40 mph.

Categories: DoS, Network, Wireless