Hacking FedEx
by PhranSyS Drak3
Along with the advent of the computer, man's other crowning achievement is the ability to move parcels from Point A to Point B in a rapid fashion. In other words, Overnight Delivery.
Overnight Delivery is a fiercely competitive and ever-changing market, but no other company has utilized as much technology in their rise to the top as Federal Express. In this article, I will attempt to give an overview of FedEx's monolith mainframe, a look at FedEx security methods and even a few tips should anyone decide to try and hack FedEx.
The System
FedEx runs its mainframe off of a Cray supercomputer. This is needed to deal with the overwhelming logistics of mass shipping. Though employee records, customer account information, and other internal functions are on the mainframe, the heart of FedEx's computer system is called COSMOS, which stands for Customer Oriented Services and Management Operating System.
COSMOS (consisting of well over 240 screens) is used for dispatching, tracking and tracing shipments, and communicating between FedEx locations. Vital information such as service delays and customer info is also kept in COSMOS . One will be surprised and a bit elated to find the home addresses and phone numbers of celebs like Shawn Kemp of the Seattle SuperSonics and Tom Brokaw of NBC Nightly News fame spread on CRT for all to see.
Needless to say, COSMOS is probably the most vital subsystem in FedEx's massive network. Over two million packages go through Federal Express' air/ground network (referred to by most FedEx employees as simply "the system") each day. Of these two million packages, 60 percent go through the system with no problem.
However, the rest may have attention called to them by customers who:
A.) Want to change the status of a package such as delivery info, billing changes, or service changes.
B.) Want to obtain info on who signed for their package, where, and at what time.
C.) Just want to know where their package is as it moves through the system.
Let's assume our case is C.
Let's say Wintel Corp. has just shipped you two gigs of RAM as a thank you for not bashing them. You'd like to know where it is. You pick up your phone and dial: 1-800-GO-FEDEX
Instantly, your call is diverted to one of the many Call Centers in the nation where thousands of FedEx employees are set up to deal with customer calls. Usually for tracking packages, an automated system will read off the data entered in COSMOS. However, if one navigates the automated voice prompts elsewhere or the package status is unclear, the caller will be transferred to a live person. The person who answers (called a Call Center Agent) will then ask for your tracking number. He or she will then proceed to access COSMOS for the information.
By the way, since this is an IBM AS/400 mainframe interface, all of COSMOS' screens are function key driven. In this case, the screen the Call Center Agent will access is selected with PF8, thus called the "8" screen by FedEx personnel. This screen tracks every move the package makes.
From the time it is scanned to the time it is delivered to its destination, the package is frequently scanned and its status updated. S/he will then read this info and communicate with the appropriate FedEx facility that currently (or last) has the package (using info in COSMOS which shows info on every facility including internal phone numbers and directions to specific locations) and may even transfer you to them. The info in the "8" screen is probably the most dynamic of all of COSMOS' sub-screens and is updated thousands of time a minute. All of COSMOS' data is available via remote access to managers, directors, select sales reps, and other need-to-know employees.
It is also available to (clever) inquiring minds. I don't think I need to tell the readers the applications possible if one possesses access to data of this sort. Whether or not the applications you choose fall on the side of legality or not is entirely up to you. I'm just providing the readers with a look into one of the largest private systems and a "heads-up" should anyone be interested in a good and challenging hack
Security in the FedEx Network
Of course other data resides on FedEx's network other than package info.
There is the company's intranet, internal bulletin boards with loads of info on everything from Corporate Security memos to employee profiles. One day I even learned a certain station manager's profile including her full name, the names of her two children, what kind of car she drove, and the fact that she enjoyed listening to gospel music in her spare time. My point? Once inside, there is virtually no sense of security other than barring those without appropriate duty codes from accessing certain screens.
Even a few of IBM's default passwords for the AS/400 mainframe system work. While internally lax, getting in from the outside is considerably much more strict. Those familiar with any UNIX system or mainframe OS know a good admin requires the user to change passwords regularly, will check logs for unauthorized login attempts, and will revoke user IDs on a "3-and-out" basis for bad passwords.
FedEx does all these wonderful things to discourage unauthorized access. But again, those don't make the system hard. What does is a little system I have nicknamed "The Beast" that is one of the most clever devices I have come across in years.
While chatting with a friend of mine who is a sales rep, the subject of security came up. He then pulled out The Beast. It looked like one of the dime-a-dozen credit card sized calculators you'd find in the checkout aisle of your favorite grocery store. It has eleven keys (numbers 0-9 and an enter key) and what appears to be a 10-digit LCD display. How is it used? Well, this sales rep has a username and password to log on with. Nothing unusual there also has a four-digit PIN. Uncommon, but not all that unusual.
What makes this unusual is that after he enters his PIN, the login system spits out a six-digit number for him to enter into The Beast. The Beast then spits out yet another number for him to enter into the terminal to complete his login. Oh, I almost forgot. For all you MIT and GaTech-ites who can run complex algorithms in your head in your sleep, there's one final catch: you have ten seconds from when you get the number from The Beast to enter it in the terminal or else you are logged out and the process begins again. With, might I add, a whole new set of confirmation numbers.
Another unintentional, but highly effective, form of security is the tendency of mega corporations to immerse themselves in insider jargon and acronyms. I would even go so far as to say that our good government has only a few more TLA's than FedEx. As is the case with the government, if you try to social engineer yourself info or a password using that drivel in Secrets of a SuperHacker, you will be sharing your deepest thoughts with a dial tone. FedEx corporate lingo is very deep and complicated. Outsiders are easily spotted. Especially those of you who call FedEx couriers "drivers."
So You Wanna Try Anyway...
I see a few of you have decided to be persistent despite what I've told you. Even though it is an improbable process, it is not impossible.
First off, it is imperative to gather information on your enemy. Two of the hacker's oldest and most basic tools are trashing and social engineering. First of all, trashing.
No FedEx station I know has a corporate policy on shredding. I know of many stations and ramps that have shredders in their offices but do not use them. What can be found? A veritable gold mine of information. There are printouts of screens (usually the "8" screen used for package tracking and the "9" screen used for detailed info on traced packages). These are important for understanding how these vital screens look and giving you an idea of how packages are scanned as they move through the system. Internal phone numbers can also be found trashing. Why is this of value? Call the 800 number and get the location of your nearest FedEx station (not Kinko's or Mail Boxes Etc. I mean an actual FedEx facility). Now with this info, try and get their phone number. Without extraordinary means such as war dialing or tip-boxing, the number is virtually impossible to obtain. FedEx employees guard station numbers fiercely. Not so much for security reasons, but to keep hundreds of customers from calling stations instead of the Call Centers.
Lastly (and most importantly), trashing can bring goodies like manuals and job aids. Didn't I say FedEx operates as backwards as the government? Let's assume there is a manual for Service Agents (who, by the way, know nearly as much, if not more, than managers) in a station. A few pages worth of info happens to change in it as FedEx updates a few processes to change with the times. Instead of the company issuing a memo or an addendum, they will rewrite the whole damn thing, reissue them, and order for the older manuals to be destroyed (i.e., thrown away).
If you come across one of these in your trashings, you might as well work for FedEx. I've even lucked up on some old corporate phone directories with over 90 percent of the numbers current. Along with the obvious, these also provide an outline of the corporate structure. This way when you get to the social engineering phase, you'll know that instead of "Bob from Computer Security" that you are "Robert Smith from Data Protection down here in Memphis."
Now that you have some info from trashing, let's use our second basic tool: social engineering. We've gotten a phone number to the station and a few names. It's not too hard to dial up and say you're from a Call Center or Data Protection and con even more info out of the hapless soul on the other end. Again, here's where a little of that inside info we found trashing pays off. What do you ask for? A good place to start is asking a Service Agent about the manager. He or she is the one most likely to have remote access. Say you're an employee from another station looking to transfer to that location. Chit-chat for a while about how you hate where you're at and how the weather/people/whatever are so much nicer there. Don't overuse this as you risk being asked something you can't answer. Now ask for that manager's employee number so you can email him. Congratulations! You now have his COSMOS login. Just remember: know who you "are" and what you are talking about before attempting to SE.
All this is fine and dandy, but what about The Beast? Well, the bad news is the Beast does exist and has big, sharp teeth. The good news? Not everyone with remote access uses the Beast. I know for a fact that regular station managers do not use it. It appears that only employees with high level access to sensitive info that competitors like UPS and Airborne Express would want are issued a Beast. I'd also venture a guess that this is information like discounted rates for major accounts. Not grunt level data like COSMOS. The other bit of good news is that the Beast is manufactured by an outside company - not FedEx. I'm sure that they want to attract more customers and a phone call or an email from an "interested potential customer" would land you plenty of info on their product.
This device is made by a company called Enigma Logic. Their address is 2151 Salvio St., Suite 301, Concorde, CA, phone number (510) 827-5702.
I hope this helps a bit. I guess your final question is "How does PhranSyS Drak3 know all this?" Well, it should be obvious to a retarded ape that I am or once was probably an insider. Why, then am I divulging company secrets? There will come a day, my friends, in the not too distant future where mega corporations will control most of the world's vital information. Especially things they would like to keep private for unscrupulous reasons. They will exploit the common man for the almighty dollar as long as no one keeps tabs on them. It's up to us to safeguard and protect ourselves by keeping information free and accessible.
Happy Hunting!