Poll connected to the "Network Admin" thread.
Jim March
December 6, 2004, 03:58 PM
This poll is connected to the thread here:

http://thehighroad.org/showthread.php?p=1393854

Answer ONLY if you are reasonably geeky about things like IP addresses, DHCP, etc.

If you enjoyed reading about "Poll connected to the "Network Admin" thread." here in TheHighRoad.org archive, you'll LOVE our community. Come join TheHighRoad.org today for the full version!
Erich
December 6, 2004, 04:01 PM
I'm confused but amused. :) And I didn't vote.

foghornl
December 6, 2004, 04:06 PM
Diebold is so sloppy and non-security aware that I changed banks when my former bank put in a new bunch of Diebold ATM's. Same transaction now takes about twice as long, because you have to select English or Spanish, and then confirm EVERY choice. And you can't complete a transaction from the keypad or the touch-screen exclusively, you have to keep jumping back and forth.

DigitalWarrior
December 6, 2004, 04:33 PM
I think that there is nothing nefarious about that message, but there may be some interesting vulnerabilities now that that message has been compromised.

Why is the machine specifically denied with a NACK? No answer is not a NACK. Where was it?

I know what IP range they are using. I would be interested in finding out what would happen if the machine got its IP. Does it periodically report its findings?

You might be able to shut the whole thing down with a DoS by in-lining a custom bit of hardware that screams "I am all IPs in the segment", or, more devious, in-line a DHCP server that issues bad IPs (there is no authentication function with DHCP) and orders releases of good ones. All that, and in the size of a pager.

What is the authentication process between these?

I now have a MAC address (and probably a range of MACs that are "Diebold machines").

Flyboy
December 6, 2004, 04:47 PM
Jim:

I can probably help you track this down, but I'll need more information from you. I'm a sysadmin/netadmin by trade (radiology networking), so I'm reasonably familiar with this sort of stuff. If you're interested, PM me, and I'll give you my phone number, or we'll figure something out so I can talk to you a little more directly; it'll be a lot easier to troubleshoot semi-interactively.

Just as an initial impression, I'm going to guess that this thing is trying to get a DHCP lease because it was originally configured over the network (yes, four years ago, when it was built), and they just never removed the card or disabled it in Windows. Odds are, it's just carelessness (never ascribe to malice that which can be adequately explained by stupidity), but I'll help you figure it out if you like.

why_me
December 6, 2004, 05:03 PM
but Diebold's software is an embarrassment
there is no hacking involved in hacking it. It's totally sick, their security implementation.

anapex
December 6, 2004, 06:24 PM
Without seeing the full logs I can't say for certain, but right now it doesn't seem like anything harmful is going on. I can say, though, that after 3-4 years in the Information Assurance field I'm GLAD none of my projects looked like Diebold's.

RevDisk
December 6, 2004, 06:39 PM
If possible, set up your own network, include a computer with the listed IP address and see what flows. There are dozens of good packet sniffers around. Without access to the machine, I'd say it's likely a development feature or a misconfigured box.

I'd be rather interested to see what the code looks like. Even if you could nab the code, I assume these Diebold machines have some specialized firmware. Ideally, a Diebold machine plus source code would probably provide a lot of "interesting" facts. Is there any legal way to get your hands on either (or preferably both)?

From what I gather, Diebold's information assurance is non-existent. Watching the Diebold video Mr March created, I was cringing every ten seconds. To any computer geek, it was painful to watch. Heck, employing MD5 hashes would seem like an excellent way to make sure the data wasn't tampered with.

Unofficial Intro to MD5 (http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html)

I'd vote that Diebold is extremely incompetent. Bordering on criminal stupidity, ditto for the people that certified the program. Malicious intent, aside from the stupidity, would be a little harder to prove without sufficient evidence. In other words, I'm not yet convinced it's an intentional vote-rigging attempt.

It's possible that it could be another way to hack a Diebold machine. (I.e., plug a small computer or PDA into the ethernet port on any Diebold machine, and use it to change data on the Diebold machine. People now use the GameCube to do so on normal networks.)
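
Added example, not from any post in this thread and not Diebold's (or anyone's) real code: a toy DHCP implementation in Python 3 that shows the three things DigitalWarrior's and RevDisk's posts above are reasoning about. It builds and decodes real RFC 2131 message layouts (fixed 236-byte header, magic cookie, TLV options 50/51/53/54/60), so `parse()` is also what you would run over the payload of each packet a sniffer catches on the test network RevDisk suggests. It then plays out the exchange on a simulated segment: a client that accepts the first OFFER whose transaction id matches, whoever sent it (DHCP has no authentication, so a rogue in-line box that answers first wins); and, for a client that boots and asks to keep its previous address, the difference between an explicit NAK (message type 6) and no answer at all. The MAC, the 192.168.2.x and 10.66.x.x addresses, the vendor string and the fixed transaction ids are all constructed assumptions; nothing touches a real network.

```python
"""Toy DHCP in plain Python 3 (added example; not code from the thread or from Diebold).
Models what the posts argue about: a client that takes whichever OFFER arrives first,
because DHCP has no authentication; silence versus an explicit NAK (message type 6) when
a client asks to keep an address that is wrong for this network; and decoding a raw DHCP
payload as a sniffer would (client MAC, requested IP, vendor class).  Every address and
MAC below is constructed for the example."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"                                  # RFC 2131 magic cookie
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
NAMES = {DISCOVER: "DISCOVER", OFFER: "OFFER", REQUEST: "REQUEST", ACK: "ACK", NAK: "NAK"}

def packed(ip):
    return ipaddress.ip_address(ip).packed

def build(op, xid, mac, msg_type, yiaddr="0.0.0.0", options=()):
    """Encode a minimal DHCP message: 236-byte fixed header, cookie, TLV options, end."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, packed(yiaddr), b"\0" * 4, b"\0" * 4,    # ciaddr..giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)       # chaddr, sname, file
    body = bytes([53, 1, msg_type])                           # option 53: message type
    for tag, value in options:
        body += bytes([tag, len(value)]) + value
    return header + MAGIC + body + b"\xff"

def parse(pkt):
    """Decode one DHCP payload into a dict (what a sniffer would show per packet)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    _op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    msg = {"xid": xid, "yiaddr": str(ipaddress.ip_address(pkt[16:20])), "mac": pkt[28:28 + hlen].hex(":")}
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:                     # 255 = end option
        if pkt[i]:                                            # 0 = pad byte, skip it
            tag, length = pkt[i], pkt[i + 1]
            opts[tag] = pkt[i + 2:i + 2 + length]
            i += 2 + length
        else:
            i += 1
    msg["type"] = NAMES.get(opts[53][0], "unknown") if 53 in opts else "bootp"
    for tag, key in ((50, "requested_ip"), (54, "server_id")):
        if tag in opts:
            msg[key] = str(ipaddress.ip_address(opts[tag]))
    if 60 in opts:
        msg["vendor_class"] = opts[60].decode("ascii", "replace")
    return msg

class Server:
    """Toy server for one subnet; if `known` is set, other MACs are dropped silently."""
    def __init__(self, ip, subnet, pool, known=None):
        self.ip, self.net, self.pool, self.known = ip, ipaddress.ip_network(subnet), list(pool), known

    def _reply(self, req, msg_type, yiaddr="0.0.0.0"):
        opts = [(54, packed(self.ip))]                        # server identifier
        if msg_type != NAK:
            opts.append((51, struct.pack("!I", 3600)))        # lease time: one hour
        return build(BOOTREPLY, req["xid"], bytes.fromhex(req["mac"].replace(":", "")),
                     msg_type, yiaddr, opts)

    def handle(self, pkt):
        req = parse(pkt)
        if self.known is not None and req["mac"] not in self.known:
            return None                                       # silence: the client just times out
        if req["type"] == "DISCOVER":
            return self._reply(req, OFFER, self.pool[0])
        if req["type"] == "REQUEST" and req.get("server_id", self.ip) == self.ip:
            wanted = req.get("requested_ip", "0.0.0.0")
            if ipaddress.ip_address(wanted) not in self.net:
                return self._reply(req, NAK)                  # explicit refusal: wrong network
            return self._reply(req, ACK, wanted)
        return None                                           # REQUEST meant for another server

def replies(servers, pkt):
    """Broadcast `pkt` to every host on the segment; list order = who answers first."""
    return [parse(r) for r in (s.handle(pkt) for s in servers) if r is not None]

def discover(mac, servers, xid=0x5678):
    """DISCOVER, then take the first OFFER whose xid matches, whoever sent it: the client
    cannot tell a rogue in-line server from the real one.  (Real clients pick xid at random.)"""
    for o in replies(servers, build(BOOTREQUEST, xid, mac, DISCOVER, options=[(60, b"MSFT 5.0")])):
        if o["type"] == "OFFER" and o["xid"] == xid:
            return {"ip": o["yiaddr"], "server": o["server_id"]}
    return None

def init_reboot(mac, previous_ip, servers, xid=0x1234):
    """Client boots and asks to keep its last lease (REQUEST with option 50, no server id).
    Returns 'ACK', 'NAK' or 'no answer': the three outcomes the thread is weighing."""
    for r in replies(servers, build(BOOTREQUEST, xid, mac, REQUEST, options=[(50, packed(previous_ip))])):
        if r["xid"] == xid and r["type"] in ("ACK", "NAK"):
            return r["type"]
    return "no answer"

MAC = bytes.fromhex("0010ab012345")          # constructed test bed: a made-up client MAC and three servers
LEGIT = Server("192.168.2.1", "192.168.2.0/24", ["192.168.2.4"])
STRICT = Server("192.168.2.1", "192.168.2.0/24", ["192.168.2.4"], known={"de:ad:be:ef:00:01"})
ROGUE = Server("192.168.2.250", "10.66.0.0/16", ["10.66.66.66"])  # in-line box handing out bad IPs
```

With that test bed loaded, `discover(MAC, [LEGIT])` returns the 192.168.2.4 lease from the real server, while `discover(MAC, [ROGUE, LEGIT])` returns 10.66.66.66 from 192.168.2.250, because the rogue answered first and the client has nothing to check it against. `init_reboot(MAC, "192.168.2.4", [LEGIT])` gives `'ACK'`, `init_reboot(MAC, "10.0.0.7", [LEGIT])` gives `'NAK'` (the server actively refuses an address outside its subnet), and `init_reboot(MAC, "192.168.2.4", [STRICT])` gives `'no answer'` (the server simply ignores an unknown MAC). The last two are the distinction DigitalWarrior draws: a logged NAK means a server on that wire saw the request and rejected it, whereas a timeout means nothing answered at all.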

Ham Hock
December 6, 2004, 06:50 PM
192.168.x.x is reserved for your own network, be it home or business (as has been stated before).

I usually number my networked computers 192.168.1.1, 192.168.1.2, etc, but after 192.168. you can put just about any numbers you want. 192.168.2.4 is not really that unusual.

geekWithA.45
December 7, 2004, 01:44 AM
There's always a _slight_ possibility something shifty is going on, but my take on it is that this is a fairly normal looking config snafu that takes place all the time when staging these sorts of things.

MS OSes have a LOT of stuff running on them that isn't apparent, even to the skilled eye, and killing off all default, fundamental, and generally desirable behaviors of the system (like finding itself a LAN IP address, for example) is pretty durned hard, as the system will often "helpfully" turn on sub-dependent systems for you, and simple requests cascade.

To make it worse, most of the NT family assumes that they're in play to provide NT services to the network, and have a full complement of Internet and MS related services up and at 'em out of the box.

This is exactly the sort of thing that would escape the notice of your garden variety, marginally competent QA/config management team.

Dave Markowitz
December 7, 2004, 10:24 AM
Unless and until we are able to see the logs in question, all comments are mere speculation. It would be beneficial to see ALL the logs on the box under investigation.

From a legal standpoint, unless an adequate chain of custody can be proven the relevance of these logs is iffy.

cfabe
December 12, 2004, 04:37 PM
I too would like to see the logs, but my initial reaction is that nothing shady is going on here. Nobody in this thread knows exactly how the Diebold software works, and how exactly it uses Windows' networking facilities to connect over the modem, over a direct serial cable, etc. There are numerous situations where sloppy software design could be causing these DHCP messages to be generated. The fact that these messages exist in a log somewhere is not evidence to indicate that the computer is or was ever connected to any unauthorized network. No offense to you Jim, but I think you might want to loosen up the tin foil hat a bit.

HEiST
December 12, 2004, 04:48 PM
I think it's proof of Diebold being idiots.
