Messing With Staples

by Maverick(212)

Well, as you might guess, I used to work for Staples, The Office Superstore.  Used to, that is, until they fired me over something which was, even for them, ridiculous.  So, here I am, spilling my guts about the technology used in their stores.

Phones

The stores use a standard Meridian phone system with six lines: the first three are regular outgoing local lines and the last three are special lines.  These special lines are only good for 800 calls and calls to other stores and cannot be used for regular local and/or long distance calls.

To dial another store, either hit one of the regular line buttons and dial the regular phone number, or, from any of the lines, dial the store's 700 number.  Each store has two 700 numbers, one for voice and the other for fax.

The voice lines are always 1-700-444-XXXX, where XXXX is the 4-digit store number, padded with initial zeros, if needed.  The fax lines are always 1-700-555-XXXX.  As far as I know, these 700 numbers are only good when calling from inside a store.

Sometimes, the outgoing lines require a password.  This is not too common, but is easily circumvented.  By punching FEATURE** from any phone, you can access the phone system's configuration menus.  It does ask for a login and password but the defaults are invariably 266344 (CONFIG).  The only phone line in the stores that will work in a power outage is the one the fax machine at the copy center is plugged into.

The phones also feature, in the lower-right corner, a Page button.  "May I have your attention, Staples shoppers..."

Ribbon Computer

Located next to the selection of typewriter and printer ribbons in every Staples store is an old Intel 386 computer that is constantly running a program which is supposed to assist customers in finding the proper ribbon.

This stand-alone system has no security whatsoever.  Simply pressing the Spacebar to kick off the screen saver and hitting Ctrl-Break is enough to drop you to a DOS prompt.  (Rebooting and breaking out of the AUTOEXEC.BAT is also trivially possible.)  Unfortunately, once you are at a DOS prompt, there is really nothing much to do, as all the ribbon-finder files are in a special format.  One thing that is possible is changing the screen saver image.  It's located at C:\RIBNFNDR\SCRNSVR2.PCX, and is a standard 640x480 pixel PCX file.

Proteva

Staples sells custom-built Proteva computers.

These are displayed and sold through a stand-alone system at one end of the computer wall.  The "kiosk" simply allows customers to look at specs, select various system packages and options, and print out a price quote.

This system runs Windows NT, and is susceptible to the NTFSDOS trick.  (Booting from a floppy and running the shareware program NTFSDOS allows read-only access to the hard drive.)  Copying the SAM file and running it through L0phtCrack reveals five different users and passwords.  The Administrator password is at least somewhat secure - a full two weeks running L0phtCrack didn't reveal it.

The other logins/passwords are:

  • Guest / (none)  - This account is disabled.
  • customer / (none)  - This account is used for regular customer browsing.
  • update / STAPLES1234  - This one automatically loads new features/pricing from a diskette.
  • mis / STAPLES1234  - This allows you to change the current pricing and make an update diskette which can be loaded on the same or other machine using account update.

Compaq Build-to-Order

Staples also sells Compaq "Built-to-Order" computers.

These are viewed and ordered from a Compaq computer, which is usually placed right next to the Proteva.  Unlike the Proteva, however, the Compaq "kiosk" has a power-up BIOS password and is networked into Staples' corporate WAN.  This is necessary because the kiosk is only used as a viewer for Compaq's website where the specs, option lists, and ordering forms really are.  The site is available at: www.compaq.com/retail

Login and passwords are STAPXXXX, where XXXX is the 4-digit store code, padded with initial zeros as needed.

There is very little security on this computer.  Simply pressing Ctrl-Alt-Del, and "End Task"-ing the kiosk software (really Microsoft Internet Explorer run full-screen without the toolbars, etc.) drops you directly to Windows 95.  A new browser can be fired up and whooosh, you can surf the Net.  Or you can go into Network Neighborhood and look around a little.  What else is on the local network?  Read on...

Office Computers

Years ago, all each Staples store had in the way of computers was an AS/400 terminal.  This ran over a 9600 bps leased line to the corporate headquarters and was used for inventory control, printing price signs, entering damages, and many other tasks.  About two years ago, Staples installed Frame Relay T1s to all its stores and upgraded to three actual computers in each store.

The Sales Manager's office received a computer, as did the General Manager's.  The third was set up as a training computer for employee use, usually in the larger of the two offices.  These were generally 266 to 333 MHz Pentiums with either 32 or 64 MB of memory.  All ran Windows NT 4.0 SP3.

The computer in the Sales Manager's office was usually kept running a terminal program that simulated the AS/400 terminal that had been removed.  The General Manager's computer was used for making employee schedules and keeping track of employee punches at the timeclock.  It was also used every Sunday to do employees' payroll.  The training computer was loaded with various certification and educational software and kept track of which employees had passed which "courses" at "Staples U."  All three computers had browsers and could surf Staples' intranet and the Internet.

Using NTFSDOS and L0phtCrack on these machines revealed the following accounts:

  • Administrator / 01BSdufWH.9  - Thought they'd make it more secure using a period.  Heh heh.
  • Guest / (none)  - Disabled.
  • InstallNT / InstallMe  - Used, obviously, for maintenance and installation.
  • StaplesService / ecivreSselpatS  - Yes, the login backwards.
  • Associate / SELL  - What we were supposed to do.
  • Manager / CARE  - What the managers didn't.
  • Sales / SPLS  - Our stock symbol.
  • userid / PASSWORD  - Yes, this account actually exists.  Someone must have taken the instructions a little too literally when asked to type in their user ID and password.
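
As an added example (not from the article), the following Python script audits an account list for the weak-credential patterns that both the Proteva and office-computer listings above share: blank passwords on enabled accounts, a password that is the login reversed, one password reused across several accounts, a literal default, and very short passwords.  All account data below is constructed, and the function name audit_accounts is an assumption.

```python
# Added example: audit an account list for the weak-password patterns seen in
# the article's findings.  All sample data here is constructed, not real.
from collections import Counter

# Constructed sample accounts in the same style as the article's listings.
SAMPLE_ACCOUNTS = [
    {"login": "Guest", "password": "", "enabled": False},
    {"login": "kiosk", "password": "", "enabled": True},
    {"login": "StoreService", "password": "ecivreSerotS", "enabled": True},
    {"login": "update", "password": "ACME1234", "enabled": True},
    {"login": "mis", "password": "ACME1234", "enabled": True},
    {"login": "userid", "password": "PASSWORD", "enabled": True},
    {"login": "Sales", "password": "SPLS", "enabled": True},
    {"login": "Administrator", "password": "x7#Qm!9pLr2v", "enabled": True},
]

# Literal defaults that should never survive on a production account.
TRIVIAL_DEFAULTS = {"password", "changeme", "admin", "welcome", "install", "installme"}
MIN_LENGTH = 8

def audit_accounts(accounts):
    """Return {login: [finding, ...]} for every account with a weak-password finding."""
    reuse = Counter(a["password"] for a in accounts if a["password"])
    findings = {}
    for acct in accounts:
        login, pw = acct["login"], acct["password"]
        problems = []
        if not pw:
            # A blank password only matters if the account can actually log in.
            if acct["enabled"]:
                problems.append("blank password on enabled account")
        else:
            low_pw, low_login = pw.lower(), login.lower()
            if low_pw == low_login:
                problems.append("password equals login")
            elif low_pw == low_login[::-1]:
                problems.append("password is login reversed")
            if low_pw in TRIVIAL_DEFAULTS:
                problems.append("trivial default password")
            if reuse[pw] > 1:
                problems.append("password shared by %d accounts" % reuse[pw])
            if len(pw) < MIN_LENGTH:
                problems.append("shorter than %d characters" % MIN_LENGTH)
        if problems:
            findings[login] = problems
    return findings

if __name__ == "__main__":
    for login, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print("%-14s %s" % (login, "; ".join(problems)))
```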

The Gun

With the arrival of the office computers, Staples stores also received a remote terminal hooked up into the system.

This "gun" has a small LCD screen, an alphanumeric keypad and a scanning laser.  Almost any function you can do from the AS/400 terminal is available from the gun, including price checks, sign printing, and inventory functions.

Security Personnel

Most Staples stores have a security guard at the front door.

He (it's usually a he) is the one who asks you to leave your bag with him when you enter the store.  He's basically powerless to do anything, though.  If pushed hard enough, and backed by a store manager, he can refuse you entry to the store if you refuse to leave your bags with him.  But most of the time, he'll let you in with an "I'll have to check your bag when you leave."  Of course, you don't have to let him, and he can't make you.

Security Procedures

Staples policy is that a manager can only stop a suspected shoplifter at the door if that manager has kept the suspect in sight at all times from the moment they take something and hide it to the moment they try to walk out the door.

This is very difficult, if not impossible, especially if the manager is following the suspect - the manager has to run past the suspect to get to the door first in order to stop him, but can't take his eyes off him.  This rule is often ignored, however, as managers sometimes take the word of the security guard, or even the associates as to what has happened.  Many times, nothing is done to the suspect, as there is no proof and inadequate surveillance.

Staples has a special code word to indicate a security problem.

This code is "Fred Klein," who used to be the head of Loss Prevention for Staples many years ago.  By simply paging "Fred Klein to aisle four," any associate can indicate that there is a suspicious person in that aisle.  All other associates are supposed to drop what they are doing and converge on that location en masse in, basically, an attempt to scare the suspect into leaving.

Security Devices

Certain Staples stores, usually those with the highest losses, have gotten a security system installed.

It consists of a set of "gates" set on either side of the entrance and exit doors, and rolls of stickers which are placed on high-ticket items.  The stickers interrupt the weak magnetic field put out by the gates, which causes the gates to beep.  This can obviously be defeated easily by removing the stickers from the merchandise.

Some stores also have cameras, usually aimed at the main entrance, and possibly one in the money room.

Well, that's enough for now.  When I dig up some more information, I'll be sure to write another article.  Until then - happy hacking!