Spirits 2000 Insecurity

by drlecter

Disclaimer: This article is for informational purposes only.  If you get caught, it's not my problem.  You shouldn't have been so stupid.

Until recently, I worked at a rather nice liquor store.

We used a software suite called Spirits 2000, which has been widely used in retail liquor stores since the 1980s.

It was created by Atlantic Systems Incorporated (ASI).  I read in a beverage magazine that the Spirits 2000 package starts at $10,000.  This software keeps track of everything, including inventory, sales, employee information, shipments, and much more.  It is a pretty robust system.

The brains of the software suite is called Spirits Backroom.

Backroom controls everything from prices to employee information to inventory adjustments - the whole nine yards.  The place I worked at had several computers running this software, and any change made on one computer would automatically update the data on the others through a process called polling.

So, if I sold a bottle of Jack from one of the registers, the data files on all of the other computers would be updated with the sale information; that is, the sale price, discount given, time and date, and so on.

There are several different security levels you can assign users.  The basic level allows users to look up the cost of an item and print price tags.  That's about it.

The next level allows you to change prices and product names, discontinue products, and add or delete items.

Other levels include the ability to give discounts, do price matching, and return items.  The boss has the highest level of permissions of course.  He has access to all of the employee data including name, address, date of birth, alarm codes, Social Security number, and rate of pay.

Here is the problem, though.

Through Backroom, you have to have the management password to access employee information, but I found that if you navigate through the file system to C:\KSV\Data, there are a bunch of data files.  One of the more interesting ones is: EMP.CDX

If you open this file in Notepad, it is barely readable; it's not even a comma delimited file.  If instead, you open it in a program such as Microsoft Visual FoxPro, it opens as a nice neat database, displaying all of the employee info for all employees, past and present: everything that management has access to, but without a password.

It is also possible to access the journal files that contain information on all of the sales, the inventory files, and just about everything that upper-management doesn't want you to have access to.  To make matters worse, the company that set the system up, ASI, set every computer to share the entire C: drive with read and write access!  I am sure you can imagine some scary possibilities.

Another problem with this ridiculous setup is that the last credit or debit card run on each register is stored in either:

  • C:\KSV\credit cards.txt
  • C:\KSV\debit cards.txt

All of the credit card data is stored here: the full number, the expiration date, and the customer's name.

So, with a couple of passes over the registers, you can get quite a few different credit card numbers.  There are quite a few more things that you can access or change in the data directory, and much fun can be had with INI files, but that is beyond the scope of this article.

I mentioned a couple of these problems to the tech they sent out one time, and all he said was, "We aren't talking national security here."

That was very disturbing, to say the least.  So I thought that maybe an article in a widely-read hacker magazine might get their attention.

Oh, I almost forgot: they set the router to be remotely accessible, with a four-character password, all lowercase letters, that I guessed in about three minutes.

In fact, it is the string of characters I use for email subjects when I am too lazy to think of something.

Getting the IP address was easy too; I would just send my boss an email about something, and then check the headers in his reply.

In closing, I would like to say that I hope this article does some good, and maybe helps to protect the privacy of liquor store employees and customers all over the country.

Hello to Mom, Dad, and Sam.
