Fun With International Internet Cafes

by route

Recently, when traveling to Phuket, I stayed at a resort along the Kamala Beach strip.

After a week in Bangkok and now into my second week at Phuket, I began suffering technology deprivation and sought the nearest Internet cafe.  Fortunately for me (and others) the resort offered its guests an air-conditioned, small-scale Internet cafe where, for a very reasonable price </sarcasm> of approximately 300 baht (around ten Australian dollars at the time), I would be given a pre-printed code to access one of three PCs connected (albeit slowly) to the Internet for 60 minutes.

Ten bucks may not sound overpriced for a four star resort on the beach, but the average daily income for a local was around 500 baht.

Anyway, back to the Internet cafe service.

The setup offered MSN access, MS Office, Internet Explorer 5.0, Notepad, and a few other apps.  The PCs themselves were beside the desks and fully accessible, a comfortable chair and decent peripherals were provided and, best of all, I had a chance to get out of the heat and cool off with some good ol' fashioned geeking.

When you first turn the 17" LCDs on, you are confronted with a login screen consuming the entire desktop.  Your only option is to enter a login code and click O.K.  All shortcuts failed to close this screen or even prompt for more options.  I was curious if there was in fact a way around this software and just how up to date their security was.  Earlier that day, I had read a local article explaining how far behind their Internet access was, average speeds, coverage, etc.

So I disappointedly entered my alphanumeric login code and was taken to the typical Windows XP desktop, where the only out of place item was the large counter in the top-right hand corner that counted down my remaining usage time.  Task Manager was disabled and so was right-clicking.  I couldn't terminate this counter.  But, unfortunately for this resort, that is where the security stopped.

I thought most likely when these PCs were booted up in the morning the staff logged them into Windows and through startup, MSCONFIG.EXE, or the registry, this Internet cafe software loaded, disabling all special keys and consuming the entire screen.

I was right.  I opened MSCONFIG.EXE and found INETCAFE.EXE under the Startup tab.  It couldn't be that easy, I thought.  So I unchecked this option and rebooted the PC.

I wasn't terribly worried about being caught "tampering with their computers" as I had given a fake name and room number when receiving my 60 minute code.

Up came the BIOS and so too did a BIOS password prompt.  Noticing it was running Award BIOS, I remembered an old backdoor Award used around seven years ago.

I entered AWARD_PW and in I logged.  Here's where it just gets lazy.

Windows logged me straight in with no further authentication, and I was now connected to the Internet.  No code to track me from and no time restrictions.

To be honest, I was a little disappointed it took four minutes to circumvent their security so I started looking around.

They had numerous shares displayed (most empty), and even a space for the good folks working in the kitchen.  Funny... I never noticed digital room service.

After getting bored of attempting to read broken English, my interest turned towards their logging capabilities.  A quick browse to the EXE's home directory on shared D: was all it took to find log.txt.

A fairly massive unencrypted straight text file that listed dates, times, and codes used to access all three PCs.  To make things even easier, it logged how long each session lasted.

So after loading the text file into a quick VBA app I wrote, I now had a list of all codes whose sessions still had valid time remaining.

Great, I thought, as I copied these down in a small notepad, turned the Internet cafe app back on, and rebooted the PC.

After returning the PC back to the state it was in when I found it, I went to the bar, had a whiskey and lime, and reflected on my afternoon's activities.

The next day, I returned from doing the "touristy" thing and headed to the Internet cafe for another look around.  I logged in with one of the valid codes I had scribbled down, and up popped MSN Messenger.

The thoughtful person before me had obviously run out of usage time (when the time runs out, the login screen opens again - pity if you're doing your online banking at the time).

A lesser person would have read their email and had some fun, but I wasn't interested.  I wanted to know what download restrictions were in place.  So I opened IE and visited 2600.com, THC, Packet Storm, etc. but not once was I restricted from accessing these pages.

I then proceeded to download and set up a keylogger.  Once the keylogger was in place and working, I removed any trace I was there, and walked up to reception.

After a good 20 minutes, no one had any idea what I was trying to tell them and I don't think they actually cared.  Blank smiles were all I received.

I'd like to also add that upon returning home all efforts to locate the vendor of this software were useless.  It appeared they were no longer in business and with code like that it's not hard to see why.

While what I have just described isn't the most technical hack, it does demonstrate just how poor some security is.  Never underestimate anyone the way they underestimate you.
