Sears Portrait Insecurities

by Stephonovich

I was recently hired at Sears Portrait Studio (SPS) and discovered some disturbing issues during my training.  Their knowledge of basic security measures is tenuous at best, and they seem to regard customer privacy as little more than a nuisance.

First, you must understand the basic layout at SPS (their internal name).  The front desk is typically free floating and customers could very easily get behind it without being seen.  They would have any number of excuses should they be caught.

On the front desk there are at least two computers, more for bigger stores.  There will be at least one standard desktop (all of them are Dell) and a Point of Sale (POS) terminal which is IBM.  These are identical to the other POS terminals used in Sears.  All of the desktops are running Windows XP Professional and I believe the IBM runs DOS.  However, the only program the POS terminal seems capable of running is the sales kiosk.

There is typically a dividing wall behind the desk but it doesn't extend fully to the sides.

In front of the wall is a row of cabinets (not locked) which contain records of all kinds, photos to be picked up, and so on.  On top of the cabinets are assorted papers being used and the in-store printer.  It wouldn't take much imagination to grab photos from this, since they're typically left sitting in the tray for some time before being sorted.

Connected to the printer is another desktop running Windows Server 2003.  I'm not sure what its function is, other than that it allows for full control of all images, print jobs, and customer databases.  It also has remote access capability, since during a technical support call they were accessing it.

Behind the wall are the viewing stations.

This is where customers are taken after a shoot to decide which packages, sheets, and any enhancements (black-and-white, Sepia, duotone, etc.) they want.  They are nothing more than another desktop with SPS software that allows image review, basic manipulation, printing, ordering from the lab, and many other functions.

Finally, in each studio there is another desktop which is connected directly to the camera and also has SPS software installed.  Typically after a shoot, the photographer will do some basic manipulation on a few of the images, such as black and white or vignetting, which they will then show the customer at the viewing stations.

Now the interesting thing about the desktops is that they all have full access to the image database which contains every photo purchased for the past six months.  They also have separate accounts set up under Windows, with user names such as sales, studio, and admin.

The passwords, sadly, are the same as the user name.  Even worse, every associate knows this and is often seen repeating them out loud in front of customers while typing them in.  (Some functions are disabled except to the administrator and so it is needed from time to time.)
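A quick way to catch this class of problem on any set of accounts is to test each stored credential against passwords derived from its own user name.  What follows is an added example, not anything from SPS or from this article; the account list, the salted SHA-256 password storage and the list of suffixes are all constructed here for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credential store: username -> (salt, salted SHA-256 of
# the password).  This illustrates the audit technique only; the article does
# not describe how SPS actually stores passwords, and a real store would use
# a proper password hash (bcrypt, scrypt, PBKDF2) rather than a bare SHA-256.
def make_record(password, salt=None):
    salt = salt or os.urandom(8)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt, digest

SAMPLE_ACCOUNTS = {
    "sales": make_record("sales"),        # password == username
    "studio": make_record("Studio1"),     # username, capitalised, plus a digit
    "admin": make_record("admin"),        # password == username
    "lab": make_record("x7#Qm!v2Lw9z"),   # a real password; must not be flagged
}

# Suffixes people bolt onto a name to satisfy a complexity rule (constructed).
COMMON_SUFFIXES = ["", "1", "123", "!", "01"]

def username_candidates(username):
    """Yield the passwords an attacker tries first: the user name itself and
    trivial variations of it (case changes, reversal, common suffixes)."""
    bases = {username, username.lower(), username.upper(),
             username.capitalize(), username[::-1]}
    seen = set()
    for base in sorted(bases):
        for suffix in COMMON_SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand

def check_account(username, salt, stored_digest):
    """Return the guessed password if a username-derived candidate matches
    the stored hash, otherwise None."""
    for cand in username_candidates(username):
        digest = hashlib.sha256(salt + cand.encode()).hexdigest()
        # constant-time comparison, so the audit tool itself leaks nothing
        if hmac.compare_digest(digest, stored_digest):
            return cand
    return None

def audit(accounts):
    """Map each username to the weak password found, or None if none was."""
    return {user: check_account(user, salt, digest)
            for user, (salt, digest) in accounts.items()}

if __name__ == "__main__":
    for user, guess in audit(SAMPLE_ACCOUNTS).items():
        status = f"WEAK (password '{guess}')" if guess else "ok"
        print(f"{user:8s} {status}")
```

Run against the constructed store, this flags sales, studio and admin and leaves lab alone.  The same candidate generator works against any credential store whose hash function you know; the point is that "password equals user name" is the first thing tried, so it offers no protection at all, and a variant such as Studio1 offers very little more.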

From here, a malicious person could wipe out their entire image collection or insert their own.  In theory, one could replace images in the print queue with one's own and then grab them from the printer before they were noticed.

The desktop at the front desk is the main terminal, which has access to the customer database and the appointments book.  All of this is done through a web interface to the main SPS website.  It uses standard 128-bit SSL, with the client running IE6.

This is probably the biggest security hole in the entire operation.  The website is typically left up, to avoid having to open it back up every few minutes.  From here you can view, modify, and add appointments, look up customer information, view sales figures, and, most importantly, clock in and out.

Note however that none of the desktops, including the front desk, have full Internet capability.  The only website allowable is the previously mentioned web interface.  Whether this is locally implemented or via a separate firewall is unknown.

Now the employee clock deserves a bit of background information.

Every SPS employee is issued a three digit associate number.  It doesn't seem to follow any sort of pattern and they actually are guarded fairly well.  This number, however, is not required to perform any of the above activities.  It is only used for initial login of the kiosk but, as I mentioned, it's usually left logged in.

To clock in and out you use your Social Security number which pulls up your information.  After verifying it is correct, you are clocked in.

The store manager has a unique ability, however.  They are able to modify the clock times.  So for instance if an employee forgets to clock in upon arrival, it can be modified to show that they did.  The manager account has a few safeguards in place.

First, you must know the store's ID number.  This is easily obtained either by glancing at the screen or through a small bit of social engineering.  I imagine registering a complaint would be a valid excuse to obtain the number.

Second, you must know the manager's associate number and the last four digits of their Social Security number.  They are used together as a password of sorts.

As I mentioned, the associate numbers are fairly well guarded so you would have to hope for them to be pasted to the screen or some such.

In all honesty, that wouldn't be very far fetched.  Failing that, of course, you could try brute forcing it, but trying 900 combinations by hand isn't very feasible.

As to the Social Security number, that would be a bigger challenge.  The last four digits are used as an identifier by several companies now, including banks and travel agencies.  It would be possible, therefore, to do a bit of social engineering with them, provided you had sufficient alternate information.

My biggest concern overall is the viewing stations.

They are completely at risk and not protected in the slightest.  The photos they contain are the property of SPS.

It would be a significant financial loss if someone were to download them to a flash drive or similar, rather than pay the exorbitant fees ($80 currently) to buy the rights to them.

Worse yet, imagine an individual obtaining customer information, as well as a decent amount of photos, and then selling them at reduced prices to the clients.  This would be completely undetectable as there are no logs or other safeguards in place.
