
Archive for March, 2008

J.C. Penney’s employment kiosk security

March 30th, 2008 chad No comments

On a recent trip to the mall the other day in Midland, Michigan, I decided to go through the J.C. Penney’s entrance. Right after I got through the doors, there was one of those “Apply for employment here” kiosks. I was surprised to see a desktop with a blue “E” and the label “Kiosk” on it. So what’s a curious passerby to do? Why, fire up IE of course and see if I can surf the net!

I found that I couldn’t visit whitehatconsulting.net as it was administratively prohibited; however, I could visit my favorite news site on the net. I couldn’t help but think that the system administrators like to surf Slashdot as well, so they left that on the whitelist ;)

If you take a closer look at the URL, you’ll notice that it’s not an internet URL, but rather an intranet URL. The server serving up the Access Denied page is “jweb” and has an interesting string of directories below it that caught my interest. Unfortunately, I didn’t have much time so I’ll have to go back eventually to investigate their intranet at a later date.

Categories: Network, Software, Windows Tags:

Using public computers

March 26th, 2008 chad No comments

Once again, I decided to take a trip to Delta College and prod around a bit. I visited their library, which is home to about 100 PCs and a handful of Macs. Rather than jump on a PC and play, I decided that I would just sit down and observe for a few minutes. I noticed that about 50% of the computers had people with their MySpace accounts open, about 25% doing homework, and the rest just doing some general surfing. I also noticed that quite a few people were just getting up and walking out despite the desktop background that reminds them to log out of their account when they are finished at the public computers. After one person got up, I decided to walk over to their computer and jump on. I hadn’t noticed that they didn’t log out until I actually sat down at the computer and saw a desktop.

Since I wasn’t violating Delta’s policy by logging in as someone else (they logged themselves on), I decided to see (to a point) what the dangers were of not logging off. One thing that you could view would be the history of places they visited on the internet using their web browser. While the student forgot to log off their computer, they did remember to log off of their MySpace account. However, I was still able to view some of the places they visited on MySpace.

Now in Delta’s case, they specifically advise you to restart the computer on their desktop image. This is because they use software called Deep Freeze by Faronics. When the computer reboots, this software clears any changes that were made and reverts the computer to an image that is saved on the computer. It’s a good idea to do so because if you simply log out, changes made to the computer are not erased. For example, on Delta’s computers, your browsing history, cookies, and recent documents are shown under your login name, which is readable by anyone else who logs on to the computer.

Solution: Always reboot or log off a public computer after you are finished. Even more advisable would be to clear the history and cache on any browser you use while on that public computer.

Materials: A public computer.

Categories: Network, Personal security, Windows Tags:

Hotel security – Swiss Cottage Inns

March 23rd, 2008 chad No comments

Last July I had some free time and decided to go on a road trip and ended up in Niagara Falls, New York. It was probably the most impressive natural beauty I have ever seen in my life. However, my geek side had to also explore the area. After booking a room at the Swiss Cottage Inn on the New York side, I decided that I was going to take advantage of their free wireless service and do some school work for a short time before exploring the sights.

Unfortunately, I wasn’t able to get on the internet so I decided to do some troubleshooting. I had found out that they were using a Linksys router with the SSID broadcasting and encryption enabled. They had also changed the IP address of the router to 192.168.2.1 rather than the regular 192.168.1.1. The funny thing is, even though they changed the default SSID, changed the default IP address, and enabled encryption, they never bothered to change the default login and password (“admin” and “admin”). This left the router wide open for abuse and allowed anyone to see their WEP encryption passphrase (“mario”).

Unfortunately, wireless is one of those monsters where the technology grew faster than people were educated on how to secure it properly. Even the 802.11 protocol itself had security as an afterthought: older versions such as 802.11a and 802.11b generally had weak encryption available, but it was not enabled by default on most routers. Even on newer routers, basic security is often ignored by end users because these units can be plugged in and “just work” out of the box.

Solution: The best ways to secure your wireless router are to disable SSID broadcasting, enable MAC address authentication by using a whitelist rather than a blacklist, enable encryption – at the very least use 128-bit WEP encryption, change the default password to something fairly complex, and if you can, change the default login name as well.

Materials: Compaq Presario laptop (2135US), Belkin wireless card (F5D6020).

Categories: Hardware, Network, Wireless Tags:

Delta College file share permissions security problem

March 20th, 2008 chad No comments

On February 14th, 2008, I had strolled into Delta College’s library to play around on the network a bit. I thought that I might find something interesting to write about even if it’s just minor. What I actually found was quite disturbing in my opinion. I found that the area in which students could upload files for their personal web area (http://student.delta.edu/{student_name}) was world readable/writable by all students.

This might not seem like a big deal to many on the surface. However, when you consider that you have thousands of students and a majority of them use their personal web area for required school projects (used in CST-110, CST-133, CST-210, and many more), it turns into a big deal, especially since some instructors use the same area for posting assignments, quizzes, and tests as well. Another potential abuse is that you can get a full listing of every student at Delta using the TREE command and outputting to a text file. This could be used for spamming user accounts at a later date, or just seeing if there’s anything interesting (like resumes or other personal information) in user directories at your leisure. Lastly, someone could easily create a shell or batch script to overwrite the index file in all student directories for a mass defacement of web pages.

On February 15th, 2008, I had emailed an instructor I have come in contact with before on several occasions. In the email, I had given details about the file share permissions problem. The instructor, in turn, forwarded my message on to the company they outsource their IT infrastructure to and they still haven’t done anything despite it being a simple fix.

Unfortunately I have other security issues to share, but I would like to give Delta more time to fix them as they are a little more complex. Stay tuned.

Solution: Simple – change permissions on the share so that students cannot view/edit the entire directory contents of the STUDENT server and only have permission to view/edit their OWN directory. The help files on their server might help a little too – particularly this area. Change the company they outsource their IT infrastructure to or hire their own full-time IT personnel…these security issues are getting ridiculous.
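One way to verify the permissions fix described above is to audit the ACL on each student directory and flag any access beyond the owner and administrators. This is an added example, not code from the original post; it parses `icacls` output, and the share path `D:\StudentWeb`, the `DELTA` domain and the logins are hypothetical, with each directory assumed to be named after its owner’s login:

```python
import re

# Constructed sample of `icacls D:\StudentWeb\*` output: hypothetical share, domain
# and logins; each directory is assumed to be named after its owner (no spaces).
SAMPLE = r"""D:\StudentWeb\asmith BUILTIN\Administrators:(OI)(CI)(F)
                     DELTA\Domain Users:(OI)(CI)(M)
                     DELTA\asmith:(OI)(CI)(M)

D:\StudentWeb\bjones BUILTIN\Administrators:(OI)(CI)(F)
                     DELTA\bjones:(OI)(CI)(M)

D:\StudentWeb\clee BUILTIN\Administrators:(OI)(CI)(F)
                   DELTA\asmith:(OI)(CI)(RX)
                   DELTA\clee:(OI)(CI)(M)

Successfully processed 3 files; Failed processing 0 files
"""

ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Za-z,]+\))+)$")
TRUSTED = {"builtin\\administrators", "nt authority\\system"}
WRITE = {"F", "M", "W"}  # full control, modify, write

def parse_icacls(text):
    """Yield (path, principal, rights) for every ACE in icacls output."""
    path = None
    for line in text.splitlines():
        ace = line.strip()
        starts_entry = bool(line) and not line[0].isspace()
        if starts_entry:  # "<path> <first ACE>"; later ACEs are indented
            candidate, _, ace = ace.partition(" ")
        match = ACE.match(ace)
        if not match:
            continue  # blank line or the trailing summary line
        path = candidate if starts_entry else path
        yield path, match["who"], match["flags"].strip("()").split(")(")[-1]

def audit(text, domain="DELTA"):
    """Return (dir, principal, rights, can_write) beyond owner and admins."""
    findings = []
    for path, who, rights in parse_icacls(text):
        owner = domain + "\\" + path.rsplit("\\", 1)[-1]
        if who.lower() in TRUSTED or who.lower() == owner.lower():
            continue
        can_write = bool(WRITE & set(rights.split(",")))
        findings.append((path, who, rights, can_write))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the constructed sample this reports the broad `Domain Users` grant on one directory and another student’s read access on a second, while the correctly scoped directory produces no finding.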

Categories: Network, Personal security, Windows Tags:

Delta College Linux server email security

March 18th, 2008 chad No comments

Years ago I had made Delta aware of several vulnerabilities I found on their Linux server (xserver.delta.edu). One happened to be the email server and its insecure setup. You can google the commands to use to send an email by telnetting to a mail server fairly easily. Back in 2005 or so, you could telnet into the xserver mail server from anywhere – on their network or at home. You could then send an email to any recipient on xserver. This sounds fairly innocent at first, but you could create a batch script to spam every user account on xserver if you desired with pretty good anonymity as you didn’t have to have a user account on the server.

Fast forward to today and the only difference is that you have to be using one of Delta’s IP addresses instead of any other public IP address. That’s it. Good job, guys. The workaround is simple – bring in your own computer and plug your cat5 cable into any one of their network ports. DHCP does the rest for you and you’re free to start sending mail again. You don’t need to be an “expert” to know that stopping spam isn’t just about having a spam filter such as SpamAssassin in place, it’s also about making sure your mail server is properly configured.

Materials: Any computer on Delta College’s network.

Categories: E-mail, Linux, Network Tags:

ATM security followup

March 16th, 2008 chad No comments

Physical security on remote ATMs doesn’t seem to be as up to par as it should be. As discussed in a previous post, their power sources seem to be wide open for tampering. On the surface, it may seem more like just an annoyance that an ATM may be shut down and not working. However, there is a possibility that the power failure could either remove or trigger alarm functions that could alert someone that the ATM is being tampered with. Without knowing more about how the ATMs work, let’s assume that the power removes any alarm that is triggered.

With full physical access to a remote ATM location out of the view of the general public, potential thieves could install hardware keyloggers, sniffers, take the money from the ATM, etc. Keyloggers and sniffers could capture all information a user enters or any transactions between the ATM and the bank. Packets could also be altered before being sent to the bank’s database, which leaves even more potential for account compromises. Since a lot of ATMs are made by Diebold, I’m sure their locks aren’t up to par considering what they protect.

So back to the main power shut off. After finding the ATM in Freeland that had the main power shut off in plain view and not locked to prevent people from flipping the switch, I decided to look around at other ATMs. One of the first ones I drove by was a local bank ATM in Midland. If you look at the main power switch, it’s covered, but not locked. Just down the road, there’s another ATM that had the main power switch covered, but again, it was not locked.

One possible solution would be to use locks on the power switch boxes. Either that or enclose the power switch inside of a door in the ATM itself somewhere.

Materials: About $3 in gas, Kodak Digital Camera (C743).

Wardriving – Saginaw, Michigan

March 12th, 2008 chad No comments

On March 11th, I had a little more free time, so I went to Bay City to wardrive and ended up over in Saginaw to do the same. The Saginaw wardrive started on State Street towards Bay Road and ended up at the end of Bay Road. Here is a video I took while taking a drive…

Materials: Compaq Presario laptop (2135US), Belkin wireless card (F5D6020), about $6 in gas, Kodak Digital Camera (C743), assistance from Rebecca.


Creative Commons License

Categories: Network, Wireless Tags:

Wardriving – Bay City, Michigan

March 11th, 2008 chad No comments

On March 11th, I decided to take a wardriving trip to Bay City, Michigan. The trip started on Center Avenue, went down Wilder Road, went around the mall, drove by Wal-Mart and Home Depot, then ended up on Euclid Avenue. Here is a video I took while taking a drive…

Materials: Compaq Presario laptop (2135US), Belkin wireless card (F5D6020), about $10 in gas, Kodak Digital Camera (C743), assistance from Rebecca.



Categories: Network, Wireless Tags:

Installing DD-WRT on a Linksys WRT54g router

March 7th, 2008 chad No comments

Back in November I purchased two Linksys WRT54g routers from Best Buy as they were having a sale. When you purchased the router for $50, you got a $15 gift card. So the router essentially cost $35, which is cheaper than most wireless network cards. The best part is, dd-wrt allows a Linksys WRT54g router to act as a client bridge. What this means is rather than spend ~$150 on a Linksys wireless bridge, you can make the WRT54g act as a bridge for less than half the price (and more functionality I might add).

Below is a video showing how to install dd-wrt on a Linksys WRT54g router. Enjoy!

Materials: Firmware from dd-wrt.com for WRT54g router, Linksys WRT54g router, Compaq Presario laptop (2135US), Kodak Digital Camera (C743).


Categories: Hardware, Linux, Network, Wireless Tags: