June 2006

Taking a sip from his second glass, midfr0st just shook his head watching the error page. Too bloody simple, he sighed. Once again midfr0st thanked the W3Schools site for cutting off a few hours of his work day. Although these kinds of blatantly obvious cases of sql injection had become boring of late, midfr0st liked the fact that a lot of people visited sites like the W3School when they were learning to code asp/php/html and such. Sure the site does a service to the public, but why terms like sql injection or input validation didn’t exist (aside from a reference to a php function) was a mystery to midfr0st.

After a few tries he was able to log in to the admin part of the CMS system. Using Quiriths showcase customer, midfr0st played around in the system to get familiar with it.

His neighbors below him had obviously been drinking much more than he had and were now laughing mad. midfr0st left the empty wine bottle outside, I can’t think with that noise. He fired up Sepultura’s Chaos A/D.

It was time to focus on Meriabeck’s internal network. A few days ago he had asked tr0y, an online friend of his, if he had any connections in Meriabeck that could be used. Although tr0y didn’t have anything on the company he was very eager to hear about midfr0st’s plans. Though there was a risk telling others, tr0y could be trusted to not spread the word and when offered $6500 midfr0st just couldn’t turn his friend down.

In the end midfr0st decided to target a sales manager who had his email address on Meriabecks public website. He was going to use an Excel vulnerability he had known about for some time but since it was public now its usefulness would be running out.

To: jake.gordon@meriabeck.com
From: john.houte@hdg-furniture.com
Subject: Chip Inquiry

Hello Jake,

My name is John, my company HDG-Furniture have been looking into the RFID technology to lower our costs related shipping and warehousing. I have read about your reference customers and would like to hear more about your solutions.

Attached you will find a Word document describing what we want to do, in the Excel you have the relevant data.

John Houte
HDG-Furniture

midfr0st had found HDG-Furniture at random, he knew that the company didn’t have an employee named John Houte. midfr0st also knew that hdg-furniture.com didn’t bounce any mails even if the to address was invalid. So when Jake replied to the email he would believe “John” had received it.

He was sure that Jake would open the Excel file, it was just a matter of time. Midfr0st headed out for a smoke, he increased the volume of his speakers which were playing In Flames, Reroute to Remain.

After a few hours midfr0st went to bed, in the morning he had an inbound tcp connection from Meriabeck’s ip range.

Tags: security, stories, fiction, social engineering

The size of my wallet tends to grow fat every once and a while, I usually don’t carry a lot of cash so I blame all the receipts I tend to keep. Since I try to avoid carrying cash I pay almost everything with my credit card. Out of curiosity I wanted to see if I could get my credit card number by combining all the different receipts.

The card has sixteen numbers in four groups, not counting the secret three on the back of the card, and an expiration date.

Practically every receipt had the expiration date printed on them, from the rest there was a big variation. Given that my card number would be:

1234 5678 9012 3456

Some would mask all but one group:

**** **** **** 3456

Others would just mask one group:

1234 5678 **** 3456

After going through them all it seemed like group three was always masked, I have a feeling that this would be different if I had more receipts then again I can’t be sure. I’ll be checking this in the future. I’ve read about a law in the US (Federal Fair Credit Reporting Act) that would require that only the last 5 numbers are shown. In Sweden I don’t know if we have such a law.

The last receipt I found in my wallet was the one from the taxi home on Friday when I had had a night out. This taxi company actually printed out my full credit card number on the receipt along with the expiration date.

I can’t imagine how the company can be that stupid, I’ve sent them an email and now I’m eagerly awaiting their response.

I don’t know how many dumpster divers we have in my area, but it would be nice to not have to shred everything you through away, I mean it is a bit hot to use the fireplace during the summer.

Tags: security, credit cards, stupidity

midfr0st was enjoying a smoke on his balcony, far below him his neighbors were having a barbeque out in the grass. A world where he could sit out eating with neighbors seemed alien to him, his life had become a digital one. A pretty girl living in the same apartment complex was the only one he greeted if they passed each other. The rest he just avoided, trying to be noticed. This was of course difficult with him being 6′5″, his plan was instead not to make friends with anyone and hope no one would notice if he disappeared. midfr0st had a few exit plans but he wanted to remain himself and all the other plans meant he would have to change his identity.

In his vision he would reclaim the social life he once had, but at this stage it was too dangerous. For now he settled with opening a bottle of red wine and poured himself a glass.

The deadline was crawling closer, still five weeks off he was looking at Meriabeck’s web site. midfr0st had most of the current website memorized and it didn’t interest him anymore, instead he was looking for clues at the Internet Archive. Meriabeck had gotten a new website about a year ago, for the first month the footer had contained the text “Created by Quirith Design”.

Opening up a new tab in his browser midfr0st surfed to quirith.com, as he suspected they were web designers. midfr0st had a sip of his wine while waiting for the flash animations to load.

The company offered web sites starting from just low end static pages to more advanced sites using their own QuirithCMS. In midfr0st’s experience security was just an afterthought for web designers (among others). If they did think about it, it was in the lines of “Yeah sure, we’re using SSL 128 bit encryption!”

The reason why web designers developed their own CMS system was beyond midfr0st, the only reason he could think of was that they could charge their clients more money.

Moving on, midfr0st went to the websites for Quirith’s showcase customers. One of them had a nice little link in the bottom left corner titled “Admin”, the href for the link pointed to /QuirithCMSAdm/.

Opening up a new tab he typed in the url http://www.meriabeck.com/QuirithCMSAdm/. midfr0st was presented with a login form asking for username and password.

Not wanting to warn Meriabeck by tripping on any wires, midfr0st went back to the other customer’s page. He typed a single character in each field and pressed the login button.

500 – Internal Server Error

midfr0st drained his glass and poured himself another one.

Tags: security, stories, fiction