Cruise Cracking

Jesters8  (Jesters8@yahoo.com)

Recently I went on vacation and I took a cruise through Alaska.  I was sailing on the Carnival Spirit.  It was a good time, but as I got a little restless I wondered just what things of interest could be found onboard.

Background

Let me give a little background on how the technological aspects of the ship work.

When you come onboard for the first time, every person receives a "Sail and Sign Card."  At first it seemed like nothing more then a glorified room key, but as the features of the card were explained, it seemed to be more and more useful.  Not only did the magnetic strip card act as a room key, but it also was a credit card and photo ID to get back onboard the ship after we docked in a port.

After I was issued a card, I stood in front of a booth and my picture was taken.  I could see as I walked around behind the booth that it was a touch-screen computer that stored everyone's pictures.

Later I learned that once someone boarded the ship again, the security officer only had to look at the stored photo (which would appear when the card was swiped) to make sure it was truly that person.

The cruise was what they referred to as a "cashless cruise."  To buy something in the gift shop or bar, you gave them your card and signed a receipt, much like a credit card.  Then, your room was billed and when you got home you wrote a check.

The card designers had some sense when making their system.  The card has a four-digit ID number (called a "folio" number) but no room number, so if someone accidentally found your card, they couldn't break into your room unless they had some other way of knowing where you were staying.

Another interesting system used by the cruise was a way of ordering tickets to do different things onshore.  With your TV, you used your remote to pick out something and then entered your folio number.  The next morning tickets were delivered to your door.

Along with ordering things, you could also see everything you had paid for by typing in your folio number.  This seemed to have numerous voyeuristic possibilities, so to test it out I asked a friend of mine from a different room to enter his number on my TV.

It seems they matched your folio number to your room number inside the purchase checking system, so your folio number could only be accessed through your own room.  To further check this I rode on the elevator a few times, memorizing the folio numbers on cards people had out.  I returned to my room and found that all of the numbers that I knew were valid ID numbers could not be accessed from my TV.

The Internet Cafe

All of this leads me to the most interesting part of the ship for an inquisitive mind - the Internet Cafe.

This was a library-like room on the ship with a dozen computers, although the only thing accessible was the monitor, keyboard, and mouse.  The actual computer was inside a locked wooden cabinet.  To get to use one of these machines you had to log in and suffer charges that equated to highway robbery.

To log in, you typed in your first initial, last name, and room number as your username, and your folio number as your password (which could later be changed to anything).

For example, if my name were John Smith, my login would be: jsmith1234

Not wanting to pay these exorbitant charges, but not wanting to really steal access, I resolved myself to poking around the system.  To see if the login manager could be exited I tried every hotkey combination I could think of, all the Ctrl-, Alt-, Shift-, Ctrl-Alt-, Ctrl-Alt-Shift-, etc.

This proved fruitless.  By right-clicking, I learned that the login system was made in Flash and playing in Flash Player 6.0.

Next, if I clicked on the option in the right-click menu that said About Macromedia Flash Player 6.0 for a brief moment the Taskbar appeared.  If you were quick you could access a limited Start menu.  It only allowed access to Programs, but I was able to look at the Start Up menu.  It had two executables that appeared to be written in VB, because it had that VB executable icon instead of the standard Windows one.  The two programs were named DSIBILLINGXP.EXE and SYSCKXP.EXE.

Googling these names revealed that something called SYSCK.EXE is a Motorola cable modem driver.

However, this may not be related to the program on the ship's computers, because the ISP for the ship was Digital Seas, Inc., a satellite broadband ISP designed just for cruising ships.  I managed to crash the computer by trying to run DSIBILLINGXP.EXE.

F8 was disabled as the computer rebooted, so I couldn't access Safe Mode or anything.  I did learn that the machines were made by Compaq and running Windows XP Pro.  It didn't use the normal XP logon with the list of users and little pictures, but the Windows network login.

Since it displayed the last login name, I found out the user name for the passengers' systems was: cruise

I tried common passwords and things that might seem logical, but I couldn't crack the password.  It wouldn't be of much value even if I did because it would start the two programs and bring me right back to where I started.  The default logins for administrator privileges and guest had been disabled.

I still wanted to see if it was possible to get access without paying, so it was time for a little social engineering.

Since you needed a room number, a name, and a folio number, a room card would not be enough to get on a computer.  There was one thing that had all this information, however.  It was a receipt.  When you bought something at the bar and signed for it, you kept the customer copy and this had your full name, room number, and folio number printed on it.

There weren't exactly Dumpsters onboard to go through, but I had an idea.  I got a piece of paper with something printed on it and folded it over.  I headed for the bar and approached a fifty-something woman (not trying to be sexist, but she seemed convincible).  I told her I was playing in a family scavenger hunt and that one of the items was a drink receipt.  I asked if I could have hers.  She handed it over without hesitation.

Now being the good person I am, I wasn't going to do anything with her personal information.  But the point is I could have.  Anyone could have used it to quickly rack up hefty charges to her bill.

In conclusion, their computer systems seemed secure to basic intrusion attempts, but the weakness in the system lies in the customers.

Greetz:  Merlin122 for always being there when I need him.