Archive for January, 2009


The Geek Squad

January 25, 2009

Ok… I don’t condone black hat hacking or password stealing, but I found this very interesting. I found this article in the Summer 2008 (Volume 25, #2) issue of 2600, the Hacker Quarterly. While it explains how to capture login and password information, it speaks volumes to the ineptitude of Best Buy’s “Geek Squad.” The article is written by Turgon.

Ahh, the Geek Squad: love them or hate them, they’re here to stay. Best Buy’s computer “task force” can be found in every store, at your home or office, or on the road in their black and white VW Beetles.
A majority of their employees, who are known as Agents, are high school kids with a basic understanding of Windows Vista and XP, but more than a few of them really know their stuff. Some even read and contribute to 2600 Magazine.
What is this article about? Well, it isn’t a rant about incompetence. Sorry guys and gals, but you can find plenty of that on or on countless forums. No, what I am here to talk about is a tiny security issue with huge consequences. Here’s how to wreak havoc in five easy steps:

First Step: Call the Geek Squad at 1-800-433-5778 and set up and appointment for a wireless network security install. This is their cheapest and quickest service. Unfortunately, it will cost you $59; as we’ll see later, though, this is a small price to pay for such a prize.

Second Step: Install a keylogger on your laptop or desktop computer. Software, hardware, doesn’t matter.

Third Step: Reset your wireless router settings to the defaults; disable WEP and WPA, and use the default SSID. Then, sit back and wait for your appointment. A field tech, who we’ll call Double Agent, will show up at your door. He or she will take a look at your situation and secure your router with WPA: piece of cake! Thank the agent for their amazing WPA-typing skills and reject any other additional services they may try to “up-sell.”

Fourth Step: Your hero agent will now sit down at your computer, open a Web browser, and go to Once there, they will type in their login credentials. The username will be something like 123456; the password will be a case-sensitive combination of letters and numbers. The agent will pull up your name and account on the Geek Squad system, which is called “STS,” and which is able to take credit cards via a shopping cart feature, print receipts, add charges, remove charges, and so on. Your receipt will print out, and the Agent will log out and close the browser.

Fifth Step: With the agent gone, you should first change your WPA key to something else. You’ve now got the agent’s STS login and password.
Thanks to your keylogger, you now have login credentials for STS, giving you access to Geek Squad’s entire customer database of literally millions of customers. Addresses, phone numbers, and e-mail addresses are just the beginning. Most agents, per corporate policy, also log copious notes of every customers’ WPA or WEP key, SSID, IP address, PC make and model, O/S, RAM amount, viruses found, and lots more. The Geek Squad database contains information not only about individuals but also about their numerous small business clients.

Note that agents are required to reset their STS passwords on a regular basis, and a hacked password is easily reset by corporate. Therefore, having an agent’s login credentials is only good for information gathering; once an agent realizes that his password has been changed, he’ll have it reset in minutes. There’s no easy way for an agent to know if an account is being abused, as it’s possible to login from multiple computers or browsers at the same time. One could theoretically have unfettered access for months before the agent is forced to change the password at a server prompt.
Agents are usually clever enough to find keyloggers if they are performing virus removals, system optimizations or upgrades, and similar jobs. The simple fact that they’re only out to encrypt your wireless router means they won’t even look twice to check background programs or physically examine the machine and inspect for hardware loggers.
Best Buy likes to cut corners, and its employees and customers always get the short end of the stick. A workable solution to the security issue I have discussed would be for Best Buy to provide a laptop to its agents for on-site use. Companies like HP, Toshiba or Gateway would probably even split the cost to have these “respected” Geek Squad agents toting their brand’s laptop into impressionable customers’ homes. Other prevention techniques that Best Buy might employ include a server-side upgrade requiring a SecurID token for access to STS or limiting lowly Agents’ access to the huge database of customer information.
For a company at the cutting edge of new technology, Best Buy is setting their Geek Squad brand up for major trouble. There’s huge risk that any of their over 2,000 field agents might enter their credentials into a comprimised computer. There’s also the risk of abuse. At all times, any agent, Best Buy manager, or call center phone jockey has access to an extravagant amount of customer data. I am no whistle blower or disgruntled employee, but corporations like Best Buy are reactionary. They only act on behalf of customers or employees when they get in trouble. When all other methods fail, I turn to the community!


Web Application Vulnerabilities

January 11, 2009

As programmers add increased functionality to Websites and Web browsers, the potential for security vulnerabilities increases. The biggest danger is the tendency toward integrating the Web browser functionality with other computer applications and even the operating system (O/S) itself. This means if a Web browser security vulnerability is exploited, an authorized user has access to the core system files and data of someone’s computer. The following outlines some of the more popular Web application components and the security vulnerabilities they might create.


JavaScript is a scripting language created by Netscape but it isn’t related to the Java programming language. JavaScript’s code isn’t compiled; instead, it’s interpreted by the Web browser. JavaScript can interact with HTML source code, enabling Web authors to create Websites with dynamic content.
Since the appearance of JavaScript, the language has been plagued with security issues. The problems originate from the nature of JavaScript, which allows executable content to be embedded in Webpages. These vulnerabilities include the capability for hackers to read files on a user’s hard drive, and to monitor and intercept a user’s Web activities. Security precautions are required to prevent malicious code from entering, executing, and retrieving data from the underlying systems.
The insecurities of Web browsers that implement JavaScript, rather than its language, are the source of the vulnerabilities. Most security problems discovered in JavaScript implementations require the installation of software patches from the Web browser vendor. JavaScript can also be disabled on your Web browser as an option. Check your Web browser options to disable or enable the use of JavaScript for Websites you access.


Java is an object-oriented, platform-independent programming language created by Sun Microsystems. Java is typically used on Internet Websites to provide small programs called applets, which can be downloaded to a user’s Web browser. Because Java is platform-independent and can run on any type of machine or O/S), it requires the use of a Java Virtual Machine (JVM) to convert the program to the code understood by the local machine. Java programs run in their own special area, called a sandbox, which restricts the applet’s access to certain parts of the system. This prevents malicious or buggy software from accessing critical parts of your system. Hackers, however, are able to program applets that can bypass the security features of the sandbox and can access the data on users’ hard drives. For added security, most Web browsers can be configured to allow only certain access privileges to Java programs.

Signed Applets

Signed Java applets are programs that are authenticated through the use of a digital signature that provides information on where the applet originated. The Web browser reads this signature and checks to see if it comes from a known, trusted source. This allows an applet to have less restrictions put on its operations, as would a normal unsigned applet. An authenticated signed applet is usually given more access over O/S functions to perform an application.


ActiveX is a technology created by Microsoft to create reusable components across Windows applications. This includes increasing the functionality of Internet applications. Similar to components created with Java, ActiveX components can be downloaded to the computer through the Web browser. Unlike Java, which has software controls that only allow programs to run in a certain area of memory and influence. ActiveX functions are controlled by the users themselves. This requires the need for greater security controls because a malicious ActiveX component can be downloaded that could comprimise the security of your system. Users must be more careful when configuring their Web browser to control ActiveX programs.
For Web browsing security, ActiveX uses a form of authentication control based on security levels. The user’s Web browser can be configured to set a certain security level at which ActiveX controls can operate. The lowest level allows all ActiveX components to be downloaded automatically. Increased levels provide warning dialog boxes to alert you of an ActiveX element and enable you to download it or not. ActiveX relies on digital certificates and trusting certificate authorities to authenticate the origin of ActiveX controls.
As always, your Web browser should be updated to the latest version, so the most recent security controls are in place and any previous security vulnerabilities are removed.

Buffer Overflows

Buffer overflow is a programming term used to describe when input data exceeds the limits recognized by a program. For example, a program might only be expecting a certain amount of characters in an input dialog box. If the amount of characters exceeds the limit, the added information might also be processed. This extra code could be malicious in nature and cause the program or even the entire system to crash.
For Internet Web applications, this buffer overflow vulnerability is a common security concern for Web servers and Web browsers. A malicious Web server set up by a hacker can crash the systems of the users connecting to that Website by sending various HTTP buffer overflow data streams to the client. Similarly, a hacker using a simple Web browser can send certain HTTP data to a Web server that overflows its software buffers and crashes the Website.
Buffer overflows are mainly caused by bad programming, which allows illegal data to be entered into the application. Software, especially Internet applications, should be carefully programmed to accept only certain types of data. You should ensure that all your software is current with the latest software patches and service packs to prevent these types of errors. Patches can be downloaded from the software vendor’s Website and installed onto your computer to fix the application.


Cookies are special files saved on your computer when you visit a Website. A cookie is used to save information particular to that Website. Cookies are typically used by Websites for tracking demographic or user-specific information pertaining to that site. This information can be used by the Websites themselves or for advertising purposes. For example, the first time you visit a Website, you could be required to register by filling out a Web form. Some information from this form is saved on your computer as a cookie. If you specified your age and gender, this information is read from the cookie the next time you visit that site and the next time you visit that site and the advertising is altered accordingly for your demographic group.
Most cookies contain relatively harmless information, but some of them could contain usernames or passwords for certain Internet and Website accounts. Cookies of this nature are usually encrypted by the distributing site, but those that aren’t are vulnerable to unauthorized users accessing this information.
Most Web browsers let you customize the capability to use cookies or enable more strict controls on their use. Cookies can be disabled completely, but this could cause certain Websites not to work at all in your Web browser.


Common Gateway Interface (CGI) scripts are programs designed to accept and return data that conforms to the CGI specifications. The programs are typically written in scripting languages, such as PERL, and are the most common way for Web servers to interact dynamically with users. Webpages that contain forms typically use a CGI program to process the form’s data once it’s submitted.
A security concern with CGI is this: each time a CGI script is executed, a new process is started. For some Websites, multiple CGI requests can noticeably slow the server. CGI scripts also are vulnerable to programming bugs, so they should be written with the same care and attention as any software application.
Poorly-programmed CGI scripts can intentionally or unintentionally provide information about the host system that can aid hackers in accessing the Web server. Scripts that utilize user input from Web forms can be used against the client machine. For example, on a server system, a subverted CGI can be used to run malicious code as a privileged user and provide unauthorized access to any part of the system, including sensitive user data, as well as logins and passwords. Another concern of CGI scripting is the capability of the user to input data that can be used to attack the Web server through buffer overflows and malformed requests.



January 9, 2009

The best way to know when a problem is brewing is to know how things perform when all’s well with the system. You need to establish a baseline – a static picture of your network and servers when they are working correctly. One of the common tools used to create a baseline is the Performance Monitor utility that comes with Windows NT/2000/XP (but you can also create baselines using most network management utilities).


Administrators use Performance Monitor (PerfMon) to view the behavior of hardware and other resources on NT/2000/XP machines, either locally or remotely. PerfMon can monitor both real-time and historical data about the performance of your systems. To access the Performance Monitor applet, choose Start/Programs/Administrative Tools/Performance Monitor from any Windows NT machine. Windows 2000/XP machines call the option simply “Performance.”
Once you access Performance Monitor, you need to configure it to display data. The process of configuring Performance Monitor requires you to understand the concept of objects, counters and views. An object in Performance Monitor relates directly to the component of your system that you want to monitor, such as the processor or memory. Each object has different measurable aspects, called counters. Counters, in other words, are the portions of an object that you want to track. as you decide which object(s) to monitor in your system, select one or multiple counters for each object. Add these counters to whichever view you need to use. Performance Monitor can display selected counter information in a variety of views, with each view imparting different types of information. The Log view, for example, lets you store data about your systems to be reviewed later. This is the view used to create a baseline, although the other views (i.e. Chart, Alert, and Report) are useful for troubleshooting problems as they arise.
To access the Log view, either click the Log view button or choose view/Log. To add objects to the Log view, either click the Add To button (the + sign) or choose Edit/Add To Log. In the Add To dialog box, first select the computer to monitor. Choose either the local machine (the default) or a remote machine. To monitor a remote machine, type in the computer name using the Universal Naming Convention (UNC). To monitor a machine named HOUBDC1, for example, you would type \\HOUBDC1 in the computer field. You can also use the Select Computer button (at the right end of the Computer field) to view the available machines and select the one you want to monitor.
While it is often easiest to monitor a machine locally, it is often more accurate to monitor the machines remotely. Performance Monitor running on a machine uses a certain amount of resources to take the measurements and to display data graphically. Especially when you troubleshoot issues with disk performance, memory and paging, or processor use, you should not corrupt your results by monitoring locally. There are some cases where monitoring locally is preferred or required. If you are monitoring network access or networking protocol objects, for example, monitoring locally will affect the readings less than monitoring remotely. Similarly, you must monitor a system locally if you cannot access the system over the network. Finally, when you monitor objects created by a specific application, such as Exchange, you should monitor locally, as the objects related to this application are only created locally and will not be available from another system.
Once you have selected a system to monitor, either locally or remotely, you must select the object to monitor. Select one or more objects to monitor from the list in the Object Field. Note that the Log view is somewhat different from the other views in that you only add objects to the view, not the specific counters for objects.
After you select the objects for Performance Monitor to track and log, select Options/Log Options to save the data to a log file and to start the logging by clicking the Start Log button. The dialog box also gives you the opportunity to select the update method and time.
After you have configured the log to save to a particular file, you can see the log file name, status of the logging process, log interval, and file size of the log in the Performance Monitor dialog box. To stop collecting data in a log, open the Log Options dialog box again and click Stop Log. You can then choose to create a new log file and begin logging again, if necessary. You will also have the ability to view data from one of these saved log files by selecting Options/Data From. In the Data From dialog box, you can choose to continue obtaining data from the current activity or to obtain data from a particular log file.
When you choose to obtain data from a saved log, you go back to that frozen moment in time and add counters to the other views for the objects you chose to save in the log. You may want to select a wide variety of objects, so that when you open the log to display in any of the other views (i.e. Chart, Alert and Report), you can add any counters necessary.

NetWare Monitor

On a NetWare server, most of the critical information you might need to see and document to establish your baseline can be obtained by loading the Monitor application on the server itself (you can view the program remotely on a client PC, but it runs on the server). Novell calls a program that runs on the server in this way a NetWare Loadable Module or NLM, and you issue the command ‘LOAD MONITOR’ at the server’s console prompt to start the program.
The Monitor NLM can display a wide range of information, from memory usage to individual statistics about the NIC’s installed in the server. Many system managers leave Monitor running all the time so that they can keep an eye on things; it can also be used to kick users off the server and see which files they are accessing.



January 8, 2009

An important component of any relational database is how those relations are associated with each other. These associations, or relationships, link relations together in ways that are meaningful to each other, helping to ensure the integrity of the data so that an action taken in one relation does not negatively impact data in another relation.

A relational database supports three primary types of relationships:

One-to-One: A relationship between two relations in which a tuple in the first relation is related to only one tuple in the second relation, and a tuple in the second relation is related to only one tuple in the first relation.

One-to-Many: A relation between two relations in which a tuple in the first relation is related to one or more tuples in the second relation, but a tuple in the second relation is related to only one tuple in the first relation.

Many-to-Many: A relationship between two relations in which a tuple in the first relation is related to one or more tuples in the second relation, and a tuple in the second relation is related to one or more tuples in the first relation.

Note: A many-to-many relationship is physically implemented by adding a third relation between the first and second relation to create two one-to-many relationships.