Wednesday, January 22, 2014

How to Break Staples

It was announced this last week that a teenager in Russia is the source of the malware that allegedly exposed the information of Target’s customers. It is rumored that several retailers have been hit by this teen’s software.

Of course the real question is how it got there in the first place.

Well, my dear friends, you came to the right place for that information, or at least my thoughts on it, given my time at that horrible company called Staples. I will say that my information was true for when I was employed with the company, up to 2009, but I expect nothing, or very little, has changed since.

The first thing to consider is that Staples runs old software on their registers and other equipment in the store. When I worked there, the registers ran Windows 2000, which was already an outdated operating system. It was actually quite easy to access any non-adult website from any of their registers with just a few mouse clicks. No passwords or funky logins needed. Just a few well-placed mouse clicks and you were in the Internet Explorer web browser.

Here we have many problems right off the bat. Obviously, anyone could access some malicious site and download software onto any of the registers or computers with hardly any difficulty at all. To make matters worse, I tried once to go to Windows Update and the site said that the machine needed over 100(!) updates. However, when I tried to download these updates, I was stopped cold because I didn’t have the proper credentials. So I could download any malicious software onto the machines, but I couldn’t secure the machine with the latest Windows updates. Does anyone else see a problem with this? Any machine with an internet connection should always be updated to the latest Windows patches. There is absolutely NO excuse for this EVER!

While on the subject of software, if you were looking for antivirus or security software, forget about it. You won’t find any anywhere. In the same vein as the Windows updates, the antivirus or security software would also need to be updated quite frequently; therefore it would be too much for the company to maintain. Or at least that is the excuse that I will use for them.

So far I have punched two very large holes in any security that Staples would have in their system. Let’s punch another one.

The Staples stores had Wi-Fi access both inside the building and for several feet outside the building as well. The bad thing about this access was that it was unsecured. What this means is that data could flow freely and that anybody could pick the bits of information out of the air if they could get into the right flow channel. As far as I knew, this applied to all transactions that were handled by the registers, the main server in the main office, and any access to the staples.com website. What really is bothersome is that at times I saw some vehicles in our parking lot night after night for hours at a time, with someone in the vehicle on their mobile device. Did these people attack our system without us even knowing it? It is unknown, because chances are that, given the above-mentioned lack of antivirus or security software, anybody could easily slip under the radar without ever being spotted.

Are you getting paranoid yet?

You should be.

Now I will punch the remaining wall off of Staples’ entire system.

Are you ready?

Here it is.

Here is the story:

One night while I happened to be on the staples.com website, I managed to get into the file system of the server, or even possibly the home office server. It didn’t require any special logins or any special passwords. All it took was about a dozen or so mouse clicks. When I got to the file system, I noticed some oddly named files and decided, just for the heck of it, to delete a couple of them.

Let me say that at no point should system files be deletable, especially from a remote terminal at a remote location. This certainly adds even more problems to the security of the entire system and can destroy its integrity.

And it did.

Just minutes later, our entire credit card processing system stopped working. Not slow, just dead. Apparently the files deleted were part of the credit card system.

Let me point out that this was not meant to be in any way malicious, but it is proof of the flaws in Staples’ file system. At no point should this ever be allowed, as anybody who could access these files could easily replace them with their own, thereby redirecting or reading credit card information before it is sent to the credit card companies for processing. Of course, I never told anybody what I did, as I probably would have been fired despite it being their problem, not mine.

Whether or not this is how Target and Neiman Marcus were attacked remains to be seen. However, given how easy it was for me to hack Staples’ system with just a few mouse clicks, this is proof that something needs to change. I don’t know whether this has changed in the nearly 5 years since I left, but I highly doubt it.

So overall, how could all of this be avoided in the future? Here are my suggestions:

· Get antivirus or security software. It is just one solution to the big problem, but it would have possibly recognized a file change in the system.

· Update Windows or, better yet, scrap it altogether. As far as I’m concerned, no register system (POS) should ever use Windows, MacOS, or Linux. Software should be written from the core foundation up as a POS system with no underlying operating system. Sure, it will cost money, but isn’t that better than having over 100 million people pissed off at your company?

· Finally, secure the Wi-Fi connection. Nothing is worse than somebody in the parking lot with their mobile device hacking into a store’s system. It is extremely easy for them to do their damage and then drive off into the night without ever being noticed.
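As an added illustration of the first suggestion (security software that would recognize a file change), here is a small file-integrity check. It is example code written for this page, not anything Staples ran, and every file name in it is a constructed placeholder. It hashes each file under a directory into a baseline, then reports what was added, modified or deleted, which is the kind of change (a deleted component of the card-processing system) that went unnoticed in the story above.

```python
"""Minimal file-integrity monitor: record a baseline of file hashes, then
report files that were added, modified or deleted since the baseline."""
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 hex digest of one file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_dir(root: str) -> dict:
    """Map every file below root (relative, '/'-separated path) to its digest."""
    snap = {}
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap


def save_baseline(snap: dict, path: str) -> None:
    """Persist a snapshot; in practice keep it off the monitored machine or read-only."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    """Read a snapshot written by save_baseline."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into sorted lists of added, modified and deleted paths."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario (placeholder names, not real Staples files): baseline
    a fake POS install, then delete one file, tamper with another, add a third."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as store:
        fake_files = {
            "bin/ccproc.exe": b"placeholder card-processing binary",
            "bin/settle.dll": b"placeholder settlement library",
            "config/pos.ini": b"[pos]\nserver=placeholder\n",
        }
        for rel, data in fake_files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # Baseline is stored outside the monitored tree.
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot_dir(root), baseline_path)

        # Simulate the kinds of change the post describes.
        os.remove(os.path.join(root, "bin", "ccproc.exe"))
        with open(os.path.join(root, "bin", "settle.dll"), "ab") as fh:
            fh.write(b"tampered")  # constructed modification
        with open(os.path.join(root, "bin", "inject.dll"), "wb") as fh:
            fh.write(b"placeholder unexpected file")

        return compare(load_baseline(baseline_path), snapshot_dir(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In real use the baseline is taken from a known-good install, stored where the monitored machine cannot rewrite it, and the comparison runs on a schedule so that a deleted or replaced component raises an alert instead of being discovered when card processing stops.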

Overall, companies should be more aggressive in protecting their systems. It should never be as easy as a few mouse clicks to bring down an entire store. It was a lesson that I secretly learned the hard way.

Do I regret it?

Looking back at it, not on your life; I don’t regret it, especially now that I no longer work for the company.

And on that note: Happy Hacking Everybody!

By the way, did you really think I was going to say what steps I took to get into the file system? Consider the answer to be never.
