RE: WinPac 2.0

[Mike Shaw <mshaw () wwisp com>]

http://www.cardacc.com/cards.htm

To my knowledge there is no information (location, company code, etc)--at 
least I've never specified it in ordering the cards nor in the software 
when we set it up initially.  It's just a number.  I still don't know if 
you can request a range or something...might take some social engineering 
"yeah, company X next door has the 25000 range...can we get 26000 for 
simplicity?"

A EE buddy of mine works at a Web based surveillance camera company who is 
moving into the proximity card area.  When he gets his hands on that stuff 
we were going to take a look at how it operates at the hardware level.  I 
think it's similar to the shoplifting alarm deals you see at wal-mart, 
etc.  Wouldn't that be cool to have a fake plant or something that was 
secretly harvesting proximity card numbers?  Or what if you had a little 
device that would sniff them from a few feet away and then mimic them?

There are some ISO standards (see 14443 on 
http://www.iso.ch/iso/en/CatalogueListPage.CatalogueList?ICS1=35&ICS2=240&ICS3=15) 
but I haven't seen where the NC system complies with that or any other 
standard.  I doubt they are smart cards, but I hope they are using some 
sort of cryptography in the protocol.  I wouldn't be surprise if the cards 
just spit a number out somehow though.

-Mike


At 03:59 PM 1/11/2002 -0600, Magnus Ullberg wrote:
> Thanks, good info.
>
> What I was wondering is whether i could order a card with the same number as
> another card and get access to what that card has access to.
> Or if there is aditional info stored on the card (location, unique company
> code, etc.) to prevent that.
> The cards here were bought in two different batches, one is in the 26000
> range and the other in a much lower range. I dont know if you can specify
> the range when you order them, but if you can i thought that if i could get
> the number of the back of a admin card i could gain  access to the building.
>
>
> -----Original Message-----
> From: Mike Shaw [mailto:mshaw () wwisp com]
> Sent: Friday, January 11, 2002 2:57 PM
> To: Magnus Ullberg; 'pen-test () securityfocus com'
> Subject: Re: WinPac 2.0
>
>
> Interesting that you should mention this, because I just worked with
> someone who put a system like this in.
>
>  From what I could tell, the 5 digit number on the card is the only
> identifier, although I think it's pretty difficult to replicate these
> cards.  I've wondered about collisions, but I guess until you got upwards
> of 5-10 thousand employees, the chances of a collision/birthday effect are
> low.  It would be interesting to see if you could request a certain number
> from a distributor.
>
> Some further interesting info form the northern site
> (http://www.nciaccessworld.com):
> "The default login and password are: Log In = Admin Password = (leave
> blank) no password If the default login and password are no longer in the
> software please contact Northern Computers technical support so a
> technician can instruct you how to send the database to Northern Computers
> so we can reset it to default for you. "
>       and....
> "The defualt passwords for WIN-PAK are: login = SYSTEM password = startup
> These passwords are case sensitive. "
>
> There are also manuals there if you need them.  The product is based of an
> access database, so I can't imagine that snagging the password would be
> that difficult if it's not a default password.  If the workstation is
> accessible from the network, or it's physically insecure, there may be some
> leverage there too.
>
> -Mike
>
> At 11:22 AM 1/11/2002 -0600, Magnus Ullberg wrote:
> >Anybody have information about Win-Pac 2.0?
> >It is the system used to control doors and manage proximity cards.
> >Each card has a 5 digit number on it. Anybody know if that number is the
> >only thing that identifies the card or if there
> >is some additional info on the card.
> >
> >Thanks,
> >Magnus Ullberg
> >Network Coordinator
> >
> >
> >---------------------------------------------------------------------------
> -
> >This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA)
> >Service. For more information on SecurityFocus' SIA service which
> >automatically alerts you to the latest security vulnerabilities please see:
> >https://alerts.securityfocus.com/



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/