Computer Security
216-438-004, Spring 2002

Prof Clauer

Monday, March 25, 2002

Student: Bill Lang

Reconnaissance

Project

Methodology for finding data 3

Company Purpose 5

Roundy's Mission Statement 5

Organizations Roundy's Belongs to 5

Advertising and Public relations 5

Key Financial Numbers 5

Financial Facts from WWW.Roundys.com 6

Top Competitors 6

Divisions and Subsidiaries 6

Division & Store Organization Chart 7

Personnel Organization charts 8

Personnel Organization charts - continued 9

Network Environment 10

Contact person 10

Domain Name 10

Domain servers and IP addresses 10

IP Address Range 10

Internet Server OS 10

Email servers 11

Other servers 11

Email Name Patterns 12

Phone Banks 13

Systems 13

Vendors 13

Platforms 13

Mainframe 14

OS 14

Online 14

Databases 14

Languages 14

Applications and Software Information 14

Conclusions 16

Opportunities 16

Summary of Security Risks 17

Appendix of Figures 18

Figure 0.3 Court Cases 18

Figure 0.4 Conferences and Expositions 19

Figure 0.5 E-commerce 19

Figure 0.6 www.Roundys.com Press Releases 20

Figure 1.0 CEO Lestina Information 21

Figure 1.1 Advertising Vendor Information 22

Figure 1.2 Hoovers on Roundy's Corporate Information 22

Figure 1.3 Hoovers on Roundy's Corporate Information 22

Figure 1.4 Hoovers on Roundy's Division and Store Information 23

Figure 1.5 LexisNexis information 24

Figure 1.6 ISD Store System Application 25

Figure 1.7 XATA Driver Productivity Tool 26

Figure 1.8 Formula One EDI 26

Figure 1.9 Advantage Gen's COM Proxy Software 26

Figure 3.1 Web Browser whois at www.internic.ord 26

Figure 3.2 Sam Spade Results - Whois 27

Figure 3.3 Sam Spade nslookup for 204.95.160.2 and 204.95.160.4 27

Figure 3.4 Sam Spade zone transfer for roundys.com and DNS 204.95.160.4 28

Figure 3.5 Sam Spade zone transfer for roundys.com and DNS 204.95.160.2 28

Figure 3.6 Sam Spade digs for 204.95.160.4 204.95.160.2 29

Figure 3.6 Sam Spade 03/16/02 07:37:22 IP block 204.95.160.2 29

Figure 3.7 Sam Spade smtp email relay check 30

Figure 3.8 Sam Spade trace route 31

Figure 3.9 Sam Spade finger 31

Figure 3.10 Sam Spade IP Block 31

Figure 4.1 Netcraft.com Results - What are they running? 32

Figure 5.1 WWW.ROUNDYS.COM People at divisions 32

Figure 5.2 WWW.ROUNDYS.COM Divisions, people, userids, and extensions 33

Figure 5.3 WWW.ROUNDYS.COM EDI Information 35

Figure 6.0 Sam Spade – copps.com – whois 35

Figure 6.1 Sam Spade – copps.com – DNS 36

Figure 6.2 Sam Spade – copps.com – dig 36

Figure 6.3 Sam Spade copps.com zone transfer 36

Figure 7.0 Captured User Group Messages 37

Figure 8.0 SMTP Relay Results 38

Methodology for finding data

The web contains vast amounts of information that can be used to profile a company and determine how one could attack its technology infrastructure. The following is an outline of the information sought and where it came from.

Search the Web for references to Roundy's to determine:

1.  Company purpose

1.1.  Searched Google, Yahoo, Altavista for references to "Roundy's" finding

1.1.1. names of people, titles and phone numbers

1.1.2. division names and phone numbers

1.1.3. web hosting companies

1.1.4. links to divisions and subsidiaries

1.1.5. press releases

1.2.  Went to www.roundys.com and reviewed company information finding

1.2.1. names of people, titles and phone numbers

1.2.2. division names and phone numbers

1.2.3. web hosting companies

1.2.4. links to divisions and subsidiaries

1.2.5. press releases

2.  Divisions/subsidiaries/Organization Charts

2.1.  Searched Google, Yahoo, Altavista for references to "Roundy's" + "divisions" + "subsidiaries" finding

2.1.1. names of people, titles and phone numbers

2.1.2. division names and phone numbers

2.1.3. press releases

2.2.  Went to www.roundys.com and reviewed company information finding

2.2.1. division and management names as well as phone numbers

2.2.2. names of people, titles and phone numbers

2.2.3. press releases

2.2.4. Advertising agency

3.  Network environment

3.1.  Physical and Logical topology

3.1.1. Acquire Sam Spade (SS) freeware and use its facilities to find network server names and IP addresses

3.1.1.1.  Whois search found information about Roundy's, their DNS servers, and supporting vendors Time Warner and MCI Sprint

3.1.1.2.  Nslookup provided IP addresses of DNS servers

3.1.1.3.  Zone transfer provided nameservers, mail exchange names, server names

3.1.1.4.  Digs found ARPA nameservers and IP addresses

3.1.1.5.  SMTP email relay check found mail servers protected

3.1.1.6.  Traceroute found 5 hops

3.1.1.7.  Various fingers to different IP addresses found nothing

3.1.1.8.  IP block scan found Roundy's IP addresses

3.1.2. Netcraft search found server OS, server types, IP addresses, and owners

3.1.2.1.  SSL search produced nothing

3.2.  Entry points

3.2.1. Possible phone areas and exchanges to dial

3.2.1.1.  Found various phone blocks from internet search

3.3.  NOS

3.3.1. From Netcraft and technical emails in user groups from Roundy's network people

3.4.  Carriers

3.4.1.

3.5.  Policies

3.5.1. Userid naming conventions

3.5.1.1.  Web searches produced email addresses and naming conventions

3.5.2. Password naming conventions

3.5.2.1.  Nothing really brought forward any indication of password policies

4.  Computing environment

4.1.  Hardware

4.1.1. Web searches produced information on computers used

4.2.  Operating systems

4.2.1. Web searches produced vendors that use Roundy's as a reference and tell what software they use

4.3.  Applications

4.3.1. Web searches produced vendors that use Roundy's as a reference and tell what software they use

4.4.  Languages

4.4.1. Web searches produced vendors that use Roundy's as a reference and tell what software they use

5.  Competitors

5.1.  Web searches produced a list of major competitors

Company Purpose

Roundy's Mission Statement

Roundy's strives to become the premier retail support company throughout our region by providing value driven goods and services and maintaining the ultimate in customer satisfaction. (http://www.roundys.com/htmdocs/consumer/index.html)

Supermarket Wholesaler Roundy's Notes Net Earnings of $25.8 Million for 2001 March 2, 2002. Supermarket wholesaler and operator Roundy's Inc. reported Friday a 22 percent increase in net earnings for 2001 compared to the previous year. Roundy's, based in the City of Pewaukee, reported net earnings of $25.8 million. The company also reported revenue of $3.5 billion, a 16 percent increase over the prior year. (Figure 0.2)

Roundy's rounds up name-brand and private-label goods and distributes them to about 800 warehouse and grocery stores in 14 states, mostly in the Midwest and South. The company is a wholesale cooperative with nearly 60 members, operating about 100 stores in Wisconsin and Illinois, and it services nearly 700 independent stores (about 45% of sales). In addition, Roundy's owns about 50 food outlets under such names as Orchard Foods, Park & Save, and Pick 'n Save. The Pick 'n Save chain (which also includes independents) is Wisconsin's #1 food retailer. Founded in 1872, Roundy's offers members and customers a host of support services. Co-op members own about 65% of the company; employees and other investors own the rest. (Figure 1.3)

Organizations Roundy's Belongs to

Wisconsin Grocer's Association (Figure 1.0)

Food Distributors International (http://www.fdi.org/newsrm/011212foodxchg.html)

Ohio Grocers Association (http://www.ohiogrocers.org/2000Calendar.html)

Advisory Board for Natural Products Expos (Figure 0.4)

Advertising and Public relations

Todd Robert Murphy Inc. is a full-service advertising and public relations agency, established in 1989 by the current president, Todd Robert Murphy. (Figure 1.1)

Key Financial Numbers

(Figure 1.2)
Company Type: Cooperative

Fiscal Year-End: December

2000 Sales (mil.): $2,990.9
1-Yr. Sales Growth: 9.7%

2000 Net Inc. (mil.): $21.1
1-Yr. Net Inc. Growth: 19.9%

2000 Employees: 9,071
1-Yr. Employee Growth: 61.5%

Pewaukee DCA Enterprise Number: 92854 (Figure 1.5)

Milwaukee DCA Enterprise Number: 92866 (Figure 1.5)

Entire Corporate Hierarchy (11 member companies) (Figure 1.5)

Financial Facts from WWW.Roundys.com

                                     December 29, 2001    December 30, 2000
Net sales and service fees           $3,449,480,300*      $2,983,724,000*
Earnings before patronage dividends      50,319,700*          40,598,000*
Patronage dividends                       8,680,600*           5,035,300*
Net earnings                             25,783,600*          21,105,200
Stockholders' equity (1)                179,736,100          160,668,900
Book value per share                         170.20               153.60
Total assets                           $794,510,400         $662,372,200

(1) Includes redeemable common stock
* Indicates a company record.
Net sales and fees increased $465.8 million, or 15.6%, for the year 2001 compared to 2000. The increase was primarily due to the acquisition of The Copps Corporation, which was completed in 2001. Net sales, earnings before patronage dividends, patronage dividends and net earnings in 2001 all elevated to Company records and stockholders' equity rose $19.1 million. Book value per share increased to $170.20, or 10.8%.

Top Competitors

Fleming Companies, A&P, SUPERVALU (Figure 1.2)

Divisions and Subsidiaries

Roundy's paid $95 million for Copps, giving it 21 Copps Food Centers, a distribution center in Stevens Point and Copps' wholesale business with around 40 IGA supermarkets in Wisconsin and Michigan's Upper Peninsula. Roundy's owns 64 supermarkets, mainly in Wisconsin, and operates a wholesale business throughout the Midwest.

Badger Assurance, Ltd. Parent: Roundy's Inc. Address: 23000 Roundy Drive, Pewaukee, WI 53072 Association: CICA (http://www.captive.com/Single_Parent.html)

Aurora Pharmacies Close Deal on Copps Pharmacy Units STEVENS POINT, Wis. (October 15, 2001) -- As previously reported by SN, Milwaukee-based Aurora Pharmacies completed the acquisition of Copps Corp.’s 12 pharmacy locations on Friday, Oct. 5, according to David Busch, corporate vice president of administration for Roundy's, Pewaukee, Wis. The decision to convert the food retailer's pharmacy business to Aurora Pharmacies was ultimately a "win-win" situation for the consumer, said Busch, because the acquisition joins Copps' supermarket knowledge and Aurora Pharmacies' healthcare know-how together. He told SN, "With the aspect of being two entities together, we create for the consumer the ability to profit from both our expertise." Busch declined to comment on specific financial terms, including whether the retailer receives a percentage of Aurora's pharmacy sales. Jeff Squire, director of communications for Aurora Pharmacies, said, "This was an opportunity that came our way - we have expertise in operating pharmacies, and we were pleased they came to us." Aurora now operates 36 pharmacies in stores owned by Roundy's, Squire said. -- Stephanie Loughran.

http://www.supermarketnews.com/xref.cfm?&ID=2696&xref=pharmacy

Aurora Pharmacies Takes Over Copps Pharmacy Units MILWAUKEE (October 2, 2001) -- Aurora Pharmacies here told SN yesterday that it is close to acquiring Copps Corp.'s 12 pharmacy locations. Stevens Point, Wis.-based Copps, a 21-unit chain acquired earlier this year by Roundy's, Pewaukee, Wis., expects to complete the transaction with Aurora and convert its 12 pharmacy locations by the end of the week, according to Jim Krahn, marketing and communications coordinator for Aurora. He declined to discuss the terms of the acquisition. Aurora Pharmacies, which operates 105 pharmacies — both freestanding and inside Pick 'n Save supermarkets — plans to retain any Copps pharmacy personnel who wish to stay, said Krahn. Officials at Roundy's and Copps were not available for comment. -- Stephanie Loughran.

http://www.supermarketnews.com/xref.cfm?&ID=2696&xref=pharmacy

The divisions and subsidiaries were found under a variety of web sites most of which are located under Figure 1.4 in the appendix.

Division & Store Organization Chart

Information obtained from the following Web Sites:

http://hoovnews.hoovers.com/fp.asp?layout=query_displaynews&q=ROUNDY%27S&so=&dc=&ro=&ed=&sd=&s=1&boldtext=ROUNDY%5C%27S&sym=&doc_id=NR200203021180.3_15fa00024818344a

Personnel Organization charts

Information from Figures 0.3 through 1.9

Personnel Organization charts - continued

Information from Figures 0.3 through 1.9

Network Environment

Roundys has a network that spans all divisions and stores using Cisco routers.

Contact person

Kevin Christopherson - 262/953-5962 (FAX) 262/953-5749

Domain Name

ROUNDYS.COM

Domain servers and IP addresses

In listed order:

NS1.TOSA.TWTELECOM.NET 204.95.160.2

Zone transfer (64.132.94.250) ...

NS2.TOSA.TWTELECOM.NET 204.95.160.4

Zone transfer

Both zone transfers gave the following information showing two domain name servers:

roundys.com NS (Nameserver) ns1.iplt.twtelecom.net

roundys.com NS (Nameserver) ns1.milw.twtelecom.net

Server information:

Primary NS: ns1.milw.twtelecom.net

serial:2002020100

refresh:10800s (3 hours)

retry:3600s (60 minutes)

expire:604800s (7 days)

minimum-ttl:600s (10 minutes)

Each domain name server is provided by Time Warner Telecom.

(http://www.google.com/search?hl=en&ie=ISO-8859-1&oe=ISO-8859-1&q=twtelecom.net&btnG=Google+Search)

A reverse lookup using nslookup against the IP addresses shows that the domain name servers are indeed provided by Time Warner Telecom out of Wauwatosa, Wisconsin.

nslookup 204.95.160.2 Canonical name: ns1.tosa.twtelecom.net

nslookup 204.95.160.4 Canonical name: ns2.tosa.twtelecom.net

IP Address Range

Roundy's IP address range was displayed as part of the IP block search (Figure 3.10).

Roundy's Inc. (NETBLK-TWTC-MILW-C-ROUNDYS-0) TWTC-MILW-C-ROUNDYS-0

216.136.5.0 - 216.136.5.15

Internet Server OS

According to Netcraft.com, their Internet servers are running WebSitePro/2.5.8 on NT4/Windows 98 (Figure 4.1).

OS, Web Server and Hosting History for www.roundys.com

OS               Server             Last changed   IP address       Netblock Owner
NT4/Windows 98   WebSitePro/2.5.8   8-Feb-2002     168.215.72.140   The Spin Group
NT4/Windows 98   WebSitePro/2.5.8   4-Dec-2000     216.136.15.45    NetStream, LLC

Email servers

The following email servers were discovered using a zone transfer (Figure 3.4).

roundys.com A (Address) 168.215.72.140

roundys.com MX (Mail Exchanger) Priority: 10 janus.roundys.com

roundys.com MX (Mail Exchanger) Priority: 20 mercury.roundys.com

In addition, a web email server was found at

groupwise.roundys.com A (Address) 216.136.5.10
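As an added illustration, not code from the report or from Sam Spade, the following Python parses transfer output in the layout quoted above (the NS records and the MX and A records listed under Email servers), inventories what one transfer discloses to an outsider, decodes the SOA values shown earlier, and compares the NS set inside the zone with the nameservers whois listed. The record lines are a constructed sample built from names the report itself lists; parse_transfer, exposure_report, decode_soa and delegation_mismatch are assumed helper names.

```python
import re
from datetime import date

# Constructed sample in the Sam Spade zone-transfer layout the report quotes;
# the names and addresses are the ones the report itself lists (Figure 3.4).
SAMPLE_TRANSFER = """\
roundys.com NS (Nameserver) ns1.iplt.twtelecom.net
roundys.com NS (Nameserver) ns1.milw.twtelecom.net
roundys.com A (Address) 168.215.72.140
roundys.com MX (Mail Exchanger) Priority: 10 janus.roundys.com
roundys.com MX (Mail Exchanger) Priority: 20 mercury.roundys.com
groupwise.roundys.com A (Address) 216.136.5.10
extranet.roundys.com CNAME (Canonical Name) order.roundys.com
order.roundys.com A (Address) 216.136.5.5
"""
LINE = re.compile(r"^(\S+)\s+(A|NS|MX|CNAME)\s+\([^)]*\)\s+(?:Priority:\s*(\d+)\s+)?(\S+)$")

def parse_transfer(text):
    """Return (owner, type, value, priority) tuples; priority is None except for MX."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            owner, rtype, prio, value = m.groups()
            records.append((owner, rtype, value, int(prio) if prio else None))
    return records

def exposure_report(records, public_hosts=("roundys.com",)):
    """Inventory what one transfer hands an outsider: every named host beyond the
    public web name, the mail routing order, and alias-to-target mappings."""
    hosts = sorted({r[0] for r in records if r[1] in ("A", "CNAME")} - set(public_hosts))
    mx = [r[2] for r in sorted((r for r in records if r[1] == "MX"), key=lambda r: r[3])]
    aliases = {r[0]: r[2] for r in records if r[1] == "CNAME"}
    return {"hosts": hosts, "mx_order": mx, "aliases": aliases}

def decode_soa(serial, refresh, retry, expire, minimum):
    """Decode a YYYYMMDDnn serial (it reveals the last edit date) and apply the
    RFC 1912 timer sanity checks: retry < refresh and expire > refresh + retry."""
    s = str(serial)
    changed = date(int(s[:4]), int(s[4:6]), int(s[6:8])) if len(s) == 10 else None
    return {"last_change": changed, "retry_lt_refresh": retry < refresh,
            "expire_ok": expire > refresh + retry, "minimum_ttl": minimum}

def delegation_mismatch(zone_ns, registrar_ns):
    """Servers whois advertises that the zone's NS set lacks, and the reverse;
    a non-empty result means the delegation and the zone itself disagree."""
    z = {n.lower().rstrip(".") for n in zone_ns}
    r = {n.lower().rstrip(".") for n in registrar_ns}
    return sorted(r - z), sorted(z - r)
```

Run against the report's own values (serial 2002020100, refresh 10800, retry 3600, expire 604800, minimum 600) the timers pass both checks and the serial decodes to 1 February 2002, while the whois servers (ns1/ns2.tosa) and the zone's NS records (ns1.iplt, ns1.milw) come back as a full mismatch.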

An SMTP relay check against both janus.roundys.com and mercury.roundys.com did not work when using UWM and Hotmail email addresses, but did work when using wlang.roundys.com (Figure 8.0). Accepting mail addressed to the server's own domain while refusing outside recipients is the expected behaviour of a server that is not an open relay.

Entering groupwise.roundys.com in a web browser brings up the GroupWise Web Access sign-on screen.

It is known to be an email server from a search on 'groupwise', which turned up information at

http://www.novell.com/products/groupwise/quicklook.html

Other servers

Some of these servers are running Novell, at least Novell 4.1 as of 1997 (Figure 7.0). This is for the Westville division, but is probably close to corporate standards. They have Client32 and EtherExpress Pro/10 PCI cards, Novell Client/32 software for Windows 95 and NT Workstation 4.0 (SP2), and run nprinter on a workstation across a 56K WAN link. It is reasonably safe to assume that each division has a 56K WAN link.

Central billing server centralbill.roundys.com A (Address) 216.136.5.4

oms.roundys.com A (Address) 216.136.5.6

Entering centralbill.roundys.com or oms.roundys.com in a web browser brings up the sign-on screen of Roundy's online central billing application. Viewing the source of the sign-on screen shows that it was created by Michelle Johnston and Denzil Wasson of Everware, Inc. The application checks the vendor number entered against the vendor number in the DB2 database and uses COOL:Gen as the back end for validation.

E-commerce server ecom.roundys.com A (Address) 216.136.5.7

DMZ server for customers extranet.roundys.com CNAME (Canonical Name) order.roundys.com

order.roundys.com A (Address) 216.136.5.5

Entering extranet.roundys.com or order.roundys.com in a web browser brings up the Roundy's extranet sign-on screen. Viewing the source of the sign-on screen shows that the extranet is maintained by The Spin Group, Inc. (Conrad Ayala and Gary Wong) using JavaScript 1.2 and the HTML 3.2 DTD.

FTP Server ftp.roundys.com A (Address) 205.212.144.99

Entering ftp.roundys.com in a web browser brings up the Roundy's FTP server sign-on screen. Viewing the source of the sign-on screen shows