SiriusXM beta player stores username/password in clear text.

April 10th, 2012 admin Posted in General Rants, Interesting, Network Security

Discovered March 2nd, 2012

Reported March 2nd, 2012

Status: Not Resolved

The beta SiriusXM web player stores the username and password in plain text in the file "username.sol", located under the Macromedia Flash settings folder in your Application Data (Roaming) folder.

The file is found in the Flash Player local settings directory at the following location (shown as a Windows 7 profile path):

C:%HOMEPATH%\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\[profile]\www.siriusxm.com\player\beta\siriusXMPlayer\siriusXM.swf\username.sol

As an administrator with access to users' desktops, I was able to scan for and find multiple credential files on our client's desktops. After discovering this, I contacted SiriusXM, who replied that application security is taken seriously and that they would pass this information on to the developers. One month later, nothing has changed. The username and password for a user's SiriusXM account are still stored in plain text in this file.

If you listen to SiriusXM online, I would recommend that you do not store your credential information locally using the "remember me" feature and, until this is resolved, do not use the beta player.

Storing the username and password in plain text is a basic programming failure. The number of instances of data theft is staggering, yet developers are still making these egregious mistakes during development.
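A defender's way to act on this finding, as an added example that is not part of the original post or of SiriusXM's software: a PowerShell script an administrator can run on a managed Windows machine to inventory, and with -Remove delete, the clear-text credential file across every local profile. It assumes a Windows 7 style profile root of C:\Users and the path quoted above with the Flash "[profile]" folder as a wildcard; the parameter names are my own, and the file contents are never read.

```powershell
# Added example: find (and optionally remove) the SiriusXM beta player's
# clear-text credential file in every user profile on this machine.
# Assumptions: run as an administrator who can read all profiles; profile
# root defaults to C:\Users (Windows 7 layout); parameter names are invented.
param(
    [string]$ProfileRoot = 'C:\Users',
    [switch]$Remove
)

# Relative path from the post. The "#SharedObjects\[profile]" segment is a
# random per-user directory name, so it is replaced with a wildcard here.
$relative = 'AppData\Roaming\Macromedia\Flash Player\#SharedObjects\*\www.siriusxm.com\player\beta\siriusXMPlayer\siriusXM.swf\username.sol'

$hits = Get-ChildItem -Path (Join-Path $ProfileRoot '*') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $profileName = $_.Name
        # -Force includes hidden/system entries; missing paths are skipped silently.
        Get-ChildItem -Path (Join-Path $_.FullName $relative) -File -Force -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                          @{ n = 'User';     e = { $profileName } },
                          FullName, Length, LastWriteTime
    }

if (-not $hits) {
    Write-Output "No username.sol credential files found under $ProfileRoot."
    return
}

# Report metadata only; the credentials inside the file are never displayed.
$hits | Format-Table -AutoSize

if ($Remove) {
    foreach ($h in $hits) {
        Remove-Item -LiteralPath $h.FullName -Force
        Write-Output "Removed $($h.FullName)"
    }
}
```

Run it without -Remove first to see which profiles are affected, then with -Remove once the users concerned have been told to stop using the "remember me" feature.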


Nothing funny about passwords

December 4th, 2007 admin Posted in General Rants, Network Security

During a customer's upgrade cycle we received over fifty desktops that had been wiped and cleaned by their internal IT staff. Users had been instructed to erase sensitive e-mail messages and mark important folders as requiring a secure wipe before formatting[1]. We were asked to inventory the machines and determine which computers could be upgraded using combined parts to make backup or workstation machines. While inventorying the machines, we used freely available recovery utilities to restore drives and, in some cases, simply undelete data from the machines. Security professionals know what’s coming next; everyone else should take a minute and read this.

While we were not surprised that we were able to recover data from the drives, we were surprised that almost none of the end users or administrators had taken the time to review the machines before formatting to see if they had been cleaned of sensitive data. We discovered Outlook PSTs and OSTs full of e-mail messages including user names, passwords, password reset requests and order confirmations from websites.



An administrative way to logon

November 27th, 2007 admin Posted in General Rants, Network Security

For the 9000th time, I've had to hunt down a user on the network to find out what their password is to either have them a) log on themselves or b) tell me the password. Yes, we occasionally write them down but for the most part, we don't.

I've suggested, for a number of years, that administrators be able to log on to a user's profile using the username of the intended account with the password of the administrator. The logged-on account would run under the security context of the user's account, not the administrator's. This way, as the enterprise administrator, I can log on to any user's account simply with their username and the administrator's password.

Here is an example of what I am referring to (see the picture below if you don't like reading). Instead of entering a username, you preface the login with the administrator's account and the user you wish to impersonate in parentheses, or even the domain qualifier "\" or a double slash "\\", such as administrator(SomeOtherUser) with the administrator's password. The system would then provide tickets for the (SomeOtherUser) account, loading their profile and settings.

[Image: New Login]

So let's all get together and ask Microsoft to include some process to log in to users' accounts as administrators without requiring their passwords.


Legality of Wireless Penetration

July 21st, 2007 admin Posted in General Rants, Network Security, Wireless


In recent months, the number of insecure wireless networks in my area has dropped. I credit this to well-written articles and publications on the danger of an insecure wireless access point and to several lawsuits involving open access points. The virtual road, however, is still wide open in many areas. This makes me ask the question: if you set up a wireless network that allows anyone to connect without passwords or authentication, should you be surprised when your computers are compromised or, worse yet, illegal activity is carried out from your access point?

A recent post on the Security Focus Penetration discussion group asked the question, “is driving around, cracking WEP keys and drumming up new business acceptable?” These days I’m starting to lean more towards the “yes, yes it is” line of thought. Given the number of articles, whitepapers, blogs and conferences on the weakness of WEP, I’m still surprised when I see WEP encrypted networks in office buildings that I know for certain have a full time IT staff.

It’s time to find an even balance where companies that run insecure or trivially secure WEP wireless networks can be informed of their insecure networks without getting jumped on by lawyers claiming intellectual theft or in a few cases (speaking from personal experience here) accusations of intimidation, blackmail and extortion.

What do you think?

Books on WarDriving

WarDriving and Wireless Penetration Testing
http://search.barnesandnoble.com/booksearch/isbninquiry.asp?ISBN=9781597491112
I don't get paid to link to books or products that I've used or have read.