So I happened upon an auction for a collection of HP All-In-One PCs. I’ve always thought they were great general purpose solutions for classroom, lab, specific location browser use. Not what any PC fetishist would want, but fine for group use or general use purposes.
The price was right, so I picked them up, not knowing the complete specs, with only pictures and a “tested and working” claim attached to them.
I fired the first one up during the November meeting the other night. It booted into Windows, with an enterprise login screen for a medical group — brilliant, they sold medical PCs without wiping the hard drives. I mucked around with the BIOS settings so that I could boot Ubuntu to determine the specs of the machine without opening it up, and found out it had BitLocker, which didn’t like me mucking with BIOS settings.
I tried to install Kali via Fog, but something was busted in my Fog installation, so I just installed Ubuntu from a USB. It turns out they have an i5 4590s quad-core in them, along with 8GB RAM and a 500GB HDD, 4x USB 3.0 ports and 2x USB 2.0 ports, with Gigabit Ethernet and Wi-Fi built in. Not too shabby; glad I picked up this auction.
So the other night, I fixed Fog (firewalld was blocking TFTP), and deployed Kali. Updated and re-captured the image so that the future builds would be more up-to-date, then imaged the second unit this morning. Imaging a new unit just takes two minutes when connected via Gig-E.
Late last night I noticed one showed a CD in the drive. Popped the tray, and what do I find but a CD, labeled by a medical services vendor, with the attached label on it.
The file on the CD was a PDF file. The file name was the patient’s full name in last, first middle format.
It took just a minute or two to create a file with every possible date for the last century, seconds to normalize the password hash so that security tools could use it, and then just seconds to run a brute force tool against the hash using the wordlist I created. Within just a few minutes of discovering the CD, I was able to view a patient’s FULL MEDICAL HISTORY.
Some lessons here:
1) DON’T leave sensitive media in PCs that are going up for auction or to be “destroyed.” Never trust that process to someone else. Remove ALL media — USB, CD, hard drives, etc. Wipe/destroy them separately.
2) DON’T put a label on something telling whoever has possession of it the exact format of a password — it really narrows things down and makes it much easier for us to “guess” it.
3) DON’T make the filename the person’s full name.
4) DON’T use DOB as a password field. It’s absolutely not complex enough. Make it a long password and hand that piece of paper to them separately, or make it available in your highly-secured medical portal.
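To put numbers on lesson 4, here is an added example (mine, not from the post) that counts every valid birth date in a hundred-year window, which is exactly the size of the wordlist described above, works out its entropy, and contrasts it with a 16-character random password. The guess rate it uses is an assumed placeholder, not a measured figure, and the `date_formats` knob shows how little a known format (lesson 2) leaves to guess.

```python
"""Put numbers on lesson 4: how small a date-of-birth password space is."""
from datetime import date
from math import log2

# Assumed guess rate, used only for the comparison: a placeholder, not a
# measured figure. Real rates depend on the hash type and the hardware.
ASSUMED_GUESSES_PER_SECOND = 1_000.0
SECONDS_PER_YEAR = 365.25 * 86400

def dob_candidates(start: date, end: date) -> int:
    """Valid dates in [start, end] inclusive: the post's 'every possible date' list."""
    return (end - start).days + 1

def century_candidates(last_year: int) -> int:
    """Every birth date in the hundred calendar years ending in last_year."""
    return dob_candidates(date(last_year - 99, 1, 1), date(last_year, 12, 31))

def keyspace_bits(candidates: int) -> float:
    """Entropy, in bits, of a secret chosen uniformly from `candidates` values."""
    return log2(candidates)

def random_password_candidates(alphabet_size: int, length: int) -> int:
    """Keyspace of `length` random symbols from an alphabet of `alphabet_size` (62 = A-Za-z0-9)."""
    return alphabet_size ** length

def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second

def compare(last_year: int, date_formats: int = 1,
            alphabet_size: int = 62, length: int = 16) -> dict:
    """Contrast a DOB password with a random one. `date_formats` is how many
    ways the date might be written (MMDDYYYY, DDMMYYYY, ...); when the format
    is printed on the label, as in the post, it is 1."""
    dob = century_candidates(last_year) * date_formats
    rnd = random_password_candidates(alphabet_size, length)
    return {
        "dob_candidates": dob,
        "dob_bits": keyspace_bits(dob),
        "dob_seconds_to_exhaust": seconds_to_exhaust(dob, ASSUMED_GUESSES_PER_SECOND),
        "random_candidates": rnd,
        "random_bits": keyspace_bits(rnd),
        "random_years_to_exhaust":
            seconds_to_exhaust(rnd, ASSUMED_GUESSES_PER_SECOND) / SECONDS_PER_YEAR,
    }

if __name__ == "__main__":
    for key, value in compare(2024).items():
        print(f"{key}: {value:,.2f}")
```

Even at a deliberately slow thousand guesses a second, the whole century of birth dates falls in under a minute, while the 16-character random password sits at over 95 bits.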
Most excellent!