Re: I'd tell you but might get in shit
Welcome once more to On-Call, The Register’s attempt to make Fridays tolerable by bringing you fellow readers’ tales of terrifying tech support jobs they somehow survived. This week, meet “Guy”, who told On-Call he grew up in the golden age of the microcomputer, meaning that by the time he joined his local Army National Guard …
Many years ago I had need to ask our graphics/marketing literature designer to move the nice Vauxhall Carlton he'd bought newish secondhand off the company.
As usual, it took ages for him to appear, by which time I'd got bored, found a chunk of parcel strapping, opened the car and was waiting for him.
His reaction: "You can't have done that, it's an executive range car."
Another time, our admin lassie rang in from town, having locked herself out of her Datsun (it WAS a long time ago). Went to her rescue and managed to spring the catch on the back window, then reach in and unscrew the catch from the glass, open the window enough to reach the hinges, unscrew them, lift out the window and finally get at the door latch.
Despite the two of us doing this in the middle of a car park and making no secret of it, no-one took the blindest bit of notice of us.
"Summarily killing the messenger who brings bad news goes back probably several thousand years."
Some background searching suggests that in fact people were usually exhorted NOT to kill the messenger. Basically they were granted immunity by either convention or law - and breaches were usually regretted.
Back when I was doing QA for Packard Bell/NEC in the era of Pentium 200MHz & Windows 95, I figured out how to crash the system using the registry editor & MS Paint. Open the editor, copy a bunch of text, open paint, paste in the text, edit the text (it didn't matter how only that you made some change), copy the edited text from paint, paste it back into the registry, & tell it to save. The system would promptly shit itself since paint did something wonky to the text that the registry editor didn't like & the whole thing keeled over like the Titanic.
I notified my boss, who contacted the software folks, who contacted MS; we got a visit from a bunch of MS geeks later that week & they had me repeat the issue. The computer wasn't the only thing to shit itself that day. The MS geeks left in disbelief because "That's not possible!" except they now had proof that not only was it but easily done.
It was at that point my fellow QA team handed me & my partner matching t-shirts: white background, black classic bomb-with-burning-fuze logo & black lettering proclaiming "QA Bomb Squad - if you want it to pass don't hand it to me!" I loved that shirt. I think I wore it to death.
AC because if my old boss is reading this he'll come smack me for all the hell I put him through. :-D
A lifetime ago I did QA testing for OKI (very temporary job). One of the jobs was an automated power test on the printer boards (they were being soldered in the same room). We would hook up the control board and press a button on the computer, and it would run the tests on the board. I was bored with how long it took, so started playing around with the computer (DOS 3.1 I believe). Discovered that I could adjust the parameters of the test, and if it ran too quickly it would ALWAYS blow a couple of caps and require a resolder. I did find a sweet spot where the boards would still pass, but the tests took less than half the usual time.
I once crashed Windows '95 by starting a small Visual Basic app, then starting up a second instance, third, etc., until Redmond decided that 56 running programs was the limit. I then tried to log out to stop all the instances without having to click them all separately. This was enough to crash Windows '95. Later I crashed an old NT server by firing ping packets at it without the customary 1 second delay and in other ways.
More interesting was when I upgraded a PC of the local student union from Windows '98 to NT 4.0. This worked until I looked at the registry settings and noticed that almost any logged-in user could change any setting, so I tried to secure it, but I went a little further than intended. Now nobody had access - even Administrator and System. NT could not boot without registry access. The usual trick of trying to upgrade Windows (to the same version as it was running) also failed without registry access. Only reformatting the disc helped.
AC because if my old boss is reading this he'll come smack me
Naw, mate. AC because:
Back when I was doing QA for Packard Bell
Back in the P60 days those things were abominable, with that shitty operating environment slapped on top of Windows. And those god-awful WinModems. I shudder at the thought these days. The number of them we sent back as faulty...
Still, can't blame you. Worse things have been done in the name of paying the mortgage...
In about the year 2007, a colleague had made a nifty spreadsheet that was password protected because he didn't want anyone to know how he'd done certain 'cool' effects. He had hidden columns and all sorts of stuff like that.
I renamed it as a .txt file and opened it in Notepad (which took a while). Near the start of the file was some text that looked very much like it was a password; it was his name plus some significant text. Sure enough, that was the password. I do hope the Excel password protection is more secure nowadays.
It is, thankfully
Mind you, after they stopped putting the password in plain text (office 7 or 10, not sure off the top of my head), they replaced it with a hashing system that had collisions. A *lot* of collisions. Very easy to brute-force with short strings, regardless of the password.
The current scheme in office 16+ is pretty decent, I think, but that might just mean no-one's pointed out the flaws yet.
(Anon because t' Computer Misuse Act says I ought not to know these things)
Excel's read-only password protection is still garbage.
For .xls files (which we still use a lot of), it's fast and easy to break - create new workbook, protect with random password, run brute-forcing macro, wait 2 minutes - macro produces a usable password and an unlocked worksheet.
For .xlsx files, it's only slightly harder. Rename to .zip, unzip, open xl/worksheets/sheet_.xml, delete the tag sheetProtection, save, rezip, rename to .xlsx, and open. You can probably put it back after editing the file, to reprotect it with the same (unknown) password.
(Just tried these in Office 365 ProPlus.)
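The two legacy weaknesses described in the posts above, as an added Python example that is not code from the thread: the collision-prone 16-bit hash that the .xls brute-forcing macro exploits, and the sheetProtection element that can simply be deleted from an .xlsx worksheet part. The hash is the ECMA-376 legacy sheet-protection algorithm (the one the `AllInternalPasswords` VBA macro targets); the worksheet part the code builds is constructed for the demonstration and is not a real workbook. Workbooks saved by Office 2013 and later store a salted, iterated SHA-512 hash instead, for which the collision search does not apply but tag removal still works.

```python
"""Legacy Excel sheet protection: hash collisions and sheetProtection removal (added example)."""
import io
import re
import zipfile
from itertools import product
from typing import Dict, Optional, Tuple

LEGACY_XOR = 0xCE4B  # 0x8000 | ord('N') << 8 | ord('K'), from the ECMA-376 legacy algorithm


def legacy_sheet_hash(password: str) -> int:
    """ECMA-376 legacy sheet-protection hash: the 16-bit value stored in
    sheetProtection@password (.xlsx) or the PASSWORD record (.xls). Closed form
    of the spec's rotate-left-and-xor loop; exact for passwords of <= 15 chars."""
    h = 0
    for idx, ch in enumerate(password, 1):
        value = ord(ch) << idx
        h ^= (value & 0x7FFF) | (value >> 15)  # 15-bit rotate: overflow wraps to the bottom
    return h ^ len(password) ^ LEGACY_XOR


PRINTABLE = [chr(c) for c in range(32, 127)]


def find_collision(target: int) -> str:
    """A 12-character string hashing to `target`, searched the way the VBA
    'AllInternalPasswords' macro does: 11 characters from {A, B} plus one
    printable ASCII character. Flipping A/B at position i toggles bits i and i+1
    and the last character sets the rest, so 2048 * 95 candidates reach every
    value the hash can produce."""
    if not 0x8000 <= target <= 0xFFFF:
        raise ValueError("not a value the legacy hash can produce")
    for prefix in product("AB", repeat=11):
        head = "".join(prefix)
        for last in PRINTABLE:
            candidate = head + last
            if legacy_sheet_hash(candidate) == target:
                return candidate
    raise AssertionError("unreachable: the search space covers every legacy hash")


SHEET_PROTECTION = re.compile(rb"<sheetProtection\b[^>]*/>")  # always an empty element
LEGACY_ATTR = re.compile(rb'\bpassword="([0-9A-Fa-f]{4})"')


def strip_sheet_protection(xlsx: bytes) -> Tuple[bytes, Dict[str, bytes]]:
    """Rewrite the package with every worksheet's <sheetProtection/> removed.
    Removed elements come back keyed by part name so the original, still
    unknown, hash can be pasted back after editing."""
    removed: Dict[str, bytes] = {}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xlsx)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename.startswith("xl/worksheets/") and info.filename.endswith(".xml"):
                m = SHEET_PROTECTION.search(data)
                if m:
                    removed[info.filename] = m.group(0)
                    data = SHEET_PROTECTION.sub(b"", data)
            dst.writestr(info, data)  # same name and compression, new bytes
    return out.getvalue(), removed


def legacy_hash_in(element: bytes) -> Optional[int]:
    """The legacy 16-bit hash in a removed element, if it carries one. Parts
    written by Office 2013+ carry algorithmName/hashValue/saltValue instead:
    removal still works, the collision search does not apply."""
    m = LEGACY_ATTR.search(element)
    return int(m.group(1), 16) if m else None


def build_sample_xlsx() -> bytes:
    """Constructed minimal package with one protected sheet (password 'test',
    legacy hash CBEB). Only the parts this example reads; not a real workbook."""
    sheet = (
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        b"<sheetData/>"
        b'<sheetProtection password="CBEB" sheet="1" objects="1" scenarios="1"/>'
        b"</worksheet>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", b"<Types/>")  # placeholder part
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    unlocked, removed = strip_sheet_protection(build_sample_xlsx())
    element = removed["xl/worksheets/sheet1.xml"]
    print("removed:", element.decode())
    stored = legacy_hash_in(element)
    if stored is not None:
        print("a password Excel will also accept:", repr(find_collision(stored)))
```

On a real file, pass its bytes to `strip_sheet_protection` and write the returned package back under the `.xlsx` name; the zip is rewritten rather than edited in place so the central directory stays consistent. Whatever `find_collision` returns is accepted by Excel exactly as the original password would be, which is why the macro in the post above finishes in minutes: the scheme stores only 15 effective bits of the password.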
I once attended an "advanced" Excel class at $employer. Instructor was trying to show us something, but couldn't because the sheet was edit-protected. Got the file from her, removed the password, and sent it back. The look on her face was priceless.
(AC, 'cos current $employer)
1. Take hard disk out of PC
2. Hang on another PC
3. Copy cmd.exe over the top of utilman.exe (may need to fart about with permissions)
4. Put hard disk back in original PC and boot
5. Click on accessibility icon when Windows Logon screen appears
6. Marvel at the command prompt that appears running in the context of SYSTEM
7. Use command line tools to create a new user, as member of administrators group
8. Full logged-in admin access to operating system at your fingertips
Yes, Bitlocker generally thwarts this approach; but it's a fairly quick way to earn £50 for unlocking people's home PCs when they've managed to forget their password.
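The check a defender would want for the utilman.exe substitution in the steps above, as an added Python example that is not code from the thread: it hashes the accessibility helpers that the logon screen launches as SYSTEM and flags any whose bytes are identical to cmd.exe. The sample directory it builds is constructed for the demonstration and is not a Windows install; sethc.exe (Sticky Keys) is included because it is the other common target of the same copy-over-the-top trick.

```python
"""Flag accessibility helpers that have been overwritten with cmd.exe (added example)."""
import hashlib
import os
import sys
import tempfile
from typing import Dict, List

# Helpers Windows launches as SYSTEM from the logon screen. Each is a distinct
# program, so none should ever be byte-identical to cmd.exe.
ACCESSIBILITY_HELPERS = [
    "utilman.exe",       # Ease of Access button: the one used in the post above
    "sethc.exe",         # Sticky Keys: the other common target of the same trick
    "osk.exe",
    "narrator.exe",
    "magnify.exe",
    "displayswitch.exe",
    "atbroker.exe",
]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_helpers(system32: str) -> Dict[str, str]:
    """SHA-256 of cmd.exe and of every listed helper present in the directory."""
    digests = {}
    for name in ["cmd.exe"] + ACCESSIBILITY_HELPERS:
        path = os.path.join(system32, name)
        if os.path.isfile(path):
            digests[name] = sha256_of(path)
    return digests


def find_replaced_helpers(system32: str) -> List[str]:
    """Helpers whose bytes equal cmd.exe. Empty on a clean install; a copy over
    the top (step 3 above) leaves an exact match. A signature check or a diff
    against a known-good image is needed to catch payloads other than cmd.exe."""
    digests = hash_helpers(system32)
    cmd = digests.get("cmd.exe")
    if cmd is None:
        return []
    return [n for n in ACCESSIBILITY_HELPERS if digests.get(n) == cmd]


def make_constructed_system32() -> str:
    """Constructed sample directory, not a Windows install: cmd.exe has been
    copied over utilman.exe; sethc.exe and narrator.exe are untouched."""
    root = tempfile.mkdtemp(prefix="system32-sample-")
    sample = {
        "cmd.exe": b"MZ constructed cmd.exe",
        "utilman.exe": b"MZ constructed cmd.exe",  # identical bytes: the swap
        "sethc.exe": b"MZ constructed sethc.exe",
        "narrator.exe": b"MZ constructed narrator.exe",
    }
    for name, body in sample.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_constructed_system32()
    print("replaced helpers in %s: %s" % (target, find_replaced_helpers(target) or "none"))
```

On a live machine run it against `C:\Windows\System32` (offline, point it at the mounted volume, which is exactly where the trick is performed). The registry-only variant of the same backdoor, an Image File Execution Options `Debugger` value for one of these helpers, leaves the files untouched and needs a separate registry check.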
Inherited one from a coworker. Back in the day, it had been a CAD workstation. He'd been using it as a footrest for some time. I wondered if I could get it to boot. After spending *way* too much money on keyboard, mouse, display and network adapters to convert the proprietary interfaces to the more commonly available PC versions, I powered it up...and was confronted with a demand for a username and password. The SGI systems are quite secure (see below), requiring a ROM password to bypass the default boot process, so I wasn't able to just look at the (SCSI-1) HDD without some effort.
No problem, I thought, I'll just ask the IT guys if they remember what they used back then for a root password. They told me...and it didn't work. However, Google told me that demo/demo might work (it did), so I was able to look through the /etc/passwd file (remember, this is *classic* UNIX). Said file was transferred to a PC using the network connection, and "John the Ripper" was applied to it. By the time I had returned from getting coffee, the password had popped out. And it worked.
Fast forward 6 months later and I get a phone call from the IT guys. Hey, they said, guess what we found while we were cleaning out the safe? An envelope, labeled "UNIX Root Password", which contained a piece of paper, on which was written the password I had recovered.
I managed to find a second SCSI HDD on Ebay, some IRIX OS upgrade CD images on a bittorrent site and created a new boot disk to play on. The system's sitting in my basement. The SGI graphics demos are wonderful, the system boards are impressively heavy and logging in is like taking a trip down memory lane!
I’ve spent years hacking away at locks and passwords but my favourite is still the first. I was working in an old church used as a museum, we found the proverbial “old locked desk drawer”.
After much mucking round it finally gave in and contained nothing but forty year old stationery and a pair of old photo negatives. I had a quick look at the negatives “Queenstown 1912 april 11th” and two mid distance shots of a ship.
Yup, you guessed it, I was holding the last two photos of Titanic ever taken. As this was before Ballard found the wreck they were unique.
I’ve opened up lots of locks since then but only ever found crud, that day was a good day.
I recently bought a phone from Ebay (boxed and complete with all original accessories, so not freshly acquired by a teenager on a moped), only to discover that there's a new security feature on some Android phones: after a factory reset, you have to log in with the old account to verify that the phone hasn't been stolen.
Sadly, the seller had done the factory reset, but hadn't followed up with the verification, and completely failed to respond to my queries; I ended up raising a refund/return request, and still only got an automated "you can return it now" response on the very last day before Ebay would have auto-refunded me.
Thankfully, a bit of searching around threw up a solution. I can't remember the exact details, but it was something along the lines of: open the keyboard's accessibility options and click through things until you got to a help page where you could trigger the Youtube app, from which you could get into the phone's settings and trigger a full credential reset.
Then it turned out that the phone was locked to the wrong network. Fortunately, there's people selling unlock codes on Ebay for 99p, so I just bought one of those - far cheaper than the high street or dedicated unlock websites, and I'd pretty much given up on trying to get anything else at all from the seller!
Some of the older variants of these tricks have been plugged by security updates. But when it's an older device and it's had a factory reset, it's back at the original security patch level. Rescued a Lenovo tablet a few weeks ago with one of these. First two I tried didn't work. Third time's the charm.
Ah yes, the good old days before ebay! I bought just over a hundred Toshiba laptops in our local auction from a company that went bust. All were BIOS locked, so as no-one could get in to them I managed to pick them up for peanuts.
This was back in the time, though, when all you had to do was have a spare parallel port connector and solder a couple of wires to the back of the connector. Plug it into the laptop, turn it on, and one wiped BIOS password.
Hanoi, 5 years ago, I think the hotel was Blue Lotus or something like that: I could connect to the hotel wifi with the phone but there was no Internet access. Bummer, because I needed it to find out what to do in the city (What, talk to someone?! In person? Pfft.) Well, I put the gateway IP in the browser... nice, a router login page! Tried the usual default admin passwords and voilà, I'm in. Looked through the configuration, couldn't see anything wrong so I just selected the reboot option, waited for a minute... and Internet! Yay!
Turns out the tourist guides are not worth anything. Just go to the street side stalls with the small plastic chairs, you get the best food there!
It's 1942. Artillery sergeant is teaching gunners how to fire a machine gun. Sgt asks if anybody has fired one before.
S. Milligan Esq continues the narrative: "I had but I said nothing. In the Army never volunteer for ANYTHING." - from "Adolf Hitler, My Part in his Downfall" by Spike Milligan (sorely missed).
Jon Pertwee's biography recounts a story of being asked if he spoke French when in the army. He was from an old French family in the Channel Islands and spoke it like a native, but of course kept quiet.
He later met the fellow officer who had said yes - and had been posted as military liaison on Tahiti for years
" [...] and had been posted as military liaison on Tahiti for years"
An IT colleague had flown Sunderland flying boats in the war. He then obtained a job as a pilot on one of the legs of the Empire flying boat service to Australia - stationed in Tahiti. He said it was a dream posting - especially if you ignored the main city which looked like a clone from France.
"Sgt asks if anybody has fired one before."
Reminds me of the possibly apocryphal scene in the comedy film "Carry On Sergeant" (1958) - which is set just after WW2.
The sergeant is giving a lecture to the new conscripts about maintenance of a submachine gun. Having stripped it to a collection of components he notices that one guy is obviously not paying attention.
So the offender is told to put it back together - which he does with amazing speed and dexterity. The sergeant apologises for thinking him inattentive. The soldier admits he wasn't listening - but says his previous job was in the factory that made the gun - doing the final test assembly.
It was a very slick demonstration in one continuous take by Bob Monkhouse. He must have had a lot of practice.
...I was chuffed & know I was SUPER lucky.
Just been asked to get a password for Excel that was set to protect a sheet. Not the best of security I know but still. Normally use an article I found ages ago about the AllInternalPasswordMacro. Didn't use it this time, wanted to try something different.
I use Sysinternals software all the time. Didn't think it would help though, really need to look at memory I thought. So turned to Process Hacker. Ran Excel, got the Unprotect Sheet dialogue box up, put in anything, got the "The password you supplied is not correct" box up then looked in Process Hacker. Looked at the properties of Excel, looked at memory, then looked at Strings, did a filter for word "password" and only a few results back all related to the "The password you supplied is not correct" dialogue box. Double clicked it to show what was in memory at that moment in hex. Saw that wording and soon after saw
I wondered if this was some kind of hint prompt so put in the actual site name that the document was about. Sure enough it worked. I was in.
I've tried to recreate it on the same document but can't. Haven't seen the s.i.t.e-n.a.m.e in the hex entries since. And playing with excel it appears when you set the password for the protection of a sheet, there is no option to give a password hint.
Got proper lucky on that one. Maybe I'll buy a lottery ticket tonight.
Where do I start...
My first proper job, not counting work experience during high school, was very late '70s to very early '80s. Working for a company that designed and built a S-100 computer. At one stage we had sold one of those computers to the company that ran the catering and housing for a mine site that was under construction. I got to live on site for a while, programming that computer, and then the second computer they bought.
At one stage they added some fancy security locks, two to keep the case locked, and eight front panel key switches to unlock various functions depending on what key you had. Some sort of unusual geometry of the keys, I think it was sorta 3D triangles or some such. Supposedly unpickable. So one day, I'm twiddling my thumbs while I wait for a compile, I have a medium sized screwdriver, and a gleam in my eye. I love a challenge. Stop me if you've heard this one before. Didn't take long to "pick" one of the case locks open, which was just shove the screwdriver in and jiggle it randomly a bit, barely any force needed. Close it up again, go get one of the bosses, demonstrate it to him.
Since the office computers were being used during business hours, I was often working on them during the night. Remember, this was early '80s, computers were rare. Since I was in the office all night anyway, the client slung me a bit of extra cash to be the emergency accommodation officer. Late arrivals needing to sign in and get their rooms assigned, drunks coming home from the pub but lost their key so I had to cut them a new key, that sort of thing. The main accommodation was demountables with small rooms and cheap locks. Aluminium keys that would break off leaving half of it inside the lock, locks that would rust in the high tropical humidity and jam, etc. I became adept at pulling the pin out of hinges and opening the doors the other way, using needle nose pliers to grab the half key stuck in the lock and giving them a twist, and for those really hard cases, using a crowbar to break the seal on the windows and open them up, without actually breaking the windows. I've lost count of the number of places I have legally "broken and entered".
My next job was with the Department of Health. Usually I was in the IT offices, but once I had to go out to the head office, where they actually used the systems we developed. I should point out that up to that point, I had nothing to do with the IT security systems. For some reason or another I was in need of a real password to log onto some part of the system to check what ever they had sent me out to fix, something to do with patient records or billing I think. I didn't have a suitable real password, I only knew the test passwords. While someone went off to find a password for me, I pushed the return key for some reason. Once again, stop me if you've heard this one before. "Password" accepted, I was in. Repeat a few more times just to double check, indeed leaving the password field blank got past the password check. I reported this, and they asked me to fix it when I got back to my office.
Slightly off topic, but it did involve bypassing a security mechanism. At around about that time I had a game for my very own computer, on a floppy disk. It used the sort of copy protect mechanism where they use a laser to burn coded spots in the floppy disk. The idea is you write to those spots; if you can't read back what you wrote, the proper holes were in the disk, copy protection was in place, continue to boot the game. Naturally at some point the copy protection code managed to write to the wrong bits of disk, corrupting it so it would no longer boot. I'd paid good money for this game, and as stated above, I love a challenge. Didn't take long at all to disassemble the boot code, find the call to the copy protection code, simply patch out the call, and boot my game. It was the copy protection code itself that had been corrupted. Some of the graphics had also been corrupted slightly, but it was still playable.
I'll stop now, the beginning of this comment is about to scroll off the top of my screen.
I worked for a nuclear power plant, and one access to the reactor building was through a 20-ton slab of concrete on the yard outside. It had the tiniest padlock, the kind I wouldn't even use on my bicycle, securing it on the ground.
I laughed, but then I got the explanation: that was a SEAL, to show signs of TAMPERING, or signs that something inside the building had gone possibly VERY wrong. Like, "steam blast pushing 20 tons slabs out of place" wrong.
If you get past security with a 20-ton hydraulic arm truck and manage to lift that slab without proper authorization there would be some chewing around... and in an emergency, security can authorize the slab to be raised like the padlock wasn't even there.
I spent 4 years getting by that padlock snickering and thinking how clever it was afterwards...
While outside the plant, in the nearest neighborhood, distribution had a problem in their hands: the switchgear cabinets kept having their padlocks broken, but no gear or copper stolen from them... those were old-school brass padlocks, most valuable to junkyards. Once replaced with steel ones, nobody stole them anymore.
Not IT related, but I found a parallel to these padlocks in computers, like those darned hardlocks used for CAD software...
Details differ, but this story is about 90% in sync with one of my own.
In the early 1980s, I was on a mainframe system that had a punchcard interface, and a terminal interface, which was actually just a terminal that simulated the punchcard system. This is important to the story.
The system used 8 different queues, and the terminal queue was only one of them. However, all terminal jobs, for all users, were using the same queue, queue #1. So if 200 users were using terminal jobs in queue #1, if you ran your job in queue #2, it would run much faster.
However, terminals could not use any queue other than queue #2. So, the secret (documented in the manual) was to use the SUBMIT command, to submit the job in another queue. Of course, you'd have to write all of the terminal inputs into the card deck ahead of time so your job didn't get stuck, but once you did, you'd find your job would run in 90 seconds rather than 90 minutes.
Now, at a terminal, you logged in with username/password. When you submitted a job to a queue, you needed to put /USER(username,password) card at the top so the job would log into the queue. A neat trick was that the card deck you submitted was the INPUT file, and you could play with it like a file pointer.
In other words, the following job:
When submitted would result in the output to your job appearing in your queue, and you would see USERNAME(MYUSERNAME,MYPASSWORD) in clear text. Amusing, but not very useful.
However, the mainframe was networked to another, and when you changed your password on one, it would change it on the other... eventually. So you could run this job to see what your current password was, ie. if the change had propagated over the network yet.
But how does it propagate over the network, I wondered. It turned out it was done as another job in the queue, but was done with the site admin's credentials. So, I wrote a batch job that changed my password, that looked like
And lo and behold, the following appeared in my batch queue:
And lo, I had the adminpassword, in clear text, in my input queue.
The admins denied I could do this. So, I logged in using their password. I was called into the head of network security's office who said no, this was not possible, and then I logged in at a terminal in front of him. He still didn't believe me, and he changed the admin password. I told him I could get it in 10 minutes, and I did.
The end result was "tell anyone about this and you will not only be fired, I will have you killed" or words to that effect.
I had been hoping/expecting that I'd uncovered an implementation issue that they hadn't properly configured, which could be fixed now that they knew of it. Instead, I'd found a design flaw in the network security layer that required an operating system patch. This was $BIGNAME$ corporation, which had mainframes around the world, in sensitive areas (far more sensitive than in the industry I was using it in), and the idea that a low-level user could crack the admin password in under 10 minutes stopped several hearts in the boardroom.
Eight months later, I was called back into the head of network security, and told to try it again. The bug had been addressed in a patch, but it was still being rolled out worldwide, and I was still not to speak of it "ever again". Which, technically, I guess I am, except (a) this story is 30+ years old, (b) the mainframe I refer to is almost entirely obsolete, as is the network it ran on, and (c) the issue would only affect said mainframe whose patch levels aren't at 1982 or so level yet.
Shortly after we had been upgraded from Win98 to NT3, the boss had changed his password only to find next morning that he couldn't log in. The IT bods insisted that the only way to get his PC up and running again was to completely re-install, losing all the stuff he had stored locally in the process.
5 minutes on the interweb found a downloadable Linux utility which could read NTFS and remove passwords from the appropriate hive. Another 5 minutes to write a 3.5" floppy and return to his desk and he was up and running again. Nowhere near as heroic as the original story but I got a £50 bonus at year end for excellence beyond my job description. I later worked out that he had caps lock on while creating the password but not on subsequent attempts, which was why he didn't get the usual caps lock warning.
Those were the good old days, sigh. An entire OS with hacking utilities all in 1.44 MB What has the world come to that even Linux needs a quarter Gig to run in, and Windows won't run any programs unless you have at least 2GB.
OK I know some one will come up with a version of linux you can self compile to do the same trick, so I expect a few downvotes.
"OK I know some one will come up with a version of linux you can self compile to do the same trick, so I expect a few downvotes."
No downvote, but an upvote instead, coz in general I agree.
Aboriginal Linux might be a start for that sort of thing. http://landley.net/aboriginal/about.html Development for it finished last year, but it's still usable. I've used it to build an OS for an embedded device.
Not security breaking, just breaking but related to the password issue.
I joined a team rolling out upgrades to a chain of opticians. We were upgrading both the Unix server and Windows client tills. I shadowed a guy the first time then was let loose on my own. I did the server upgrade, no problem, by following the script, then upgraded the clients, but I could not get them to talk to each other; tried typing the passkey at both ends many times.
A visit from another engineer the next day (after they had been down all day for a 1 hour upgrade) showed me what I had done wrong. I normally use the number keys on the main keyboard, above the letters, but the engineer I had been shadowing used the numberpad so I thought I would try it that way. What I hadn't noticed was that he had pressed numlock. I was typing in the same passkey on server and client, but one with numlock on and one without.
I never use the numberpad now.
...trust if I remember right they used Sophos encryption. I pointed out a flaw but was told "it's a feature" because I "wasn't in with the boys" (c**ts more like. Harsh but fair description).
Sophos had a bad habit of locking us out of the laptops at boot. Would lock your account as well. But I had an old laptop I kept back that had my account on it that was unlocked. All I had to do was boot from the laptop with the unlocked account which would unlock the other laptop.
I gave up convincing them it was an issue. I left and later discovered someone else pointed it out. They finally listened and discovered they made the laptops overall the server instead of the other way round.
Elderly neighbour locked herself out, distressed at the cost of a bank holiday locksmith (but not quite distressed enough for the police to break in for her) she mentioned there were keys inside in the lock of the other door.
Out we went with toolbox and a small mirror to make something to hook the keys out through the front door letterbox. Took maybe an hour, Victorian terrace street plenty of people passing and not one single person queried or even jokingly mentioned what we were doing.
I guess it was the toolbox. I'm told a hi-viz and a bucket of water will get you in just about anywhere.
Neighbour let her door close behind her - and she didn't have the key with her. I was asked to help as it appears to be assumed I can almost walk on water with my life's experience of solving problems.
Fortunately the inside of the door lock mechanism was a lever handle not a knob. Shaped a wire coat hanger into an "L" - and pushed it through the letter box to loop over the handle. Then used the handle of the walking stick to apply a downward pressure on the wire - without it slipping off the door handle. No more than a minute in total and the door was open.
First time I had done that trick - but everyone was amazed a thief could gain access so easily if the door wasn't double locked with a key.
Same street, fire engine turns up outside one teatime and their radio came right through the hi-fi (A&R A60). Turns out the young female student occupant (details that seemed important to the fire service) had locked herself out with a fryer going on the hob.
Biting the hand that feeds IT © 1998–2018