As expected, IoT devices are filled with vulnerabilities:
As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the older coffee makers to see what kinds of hacks he could do with it. After just a week of effort, the unqualified answer was: quite a lot. Specifically, he could trigger the coffee maker to turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly. Oh, and by the way, the only way to stop the chaos was to unplug the power cord.
In any event, Hron said the ransom attack is just the beginning of what an attacker could do. With more work, he believes, an attacker could program a coffee maker — and possibly other appliances made by Smarter — to attack the router, computers, or other devices connected to the same network. And the attacker could probably do it with no overt sign anything was amiss.
Posted on September 29, 2020 at 6:16 AM
A Dusseldorf woman died when a ransomware attack against a hospital forced her to be taken to a different hospital in another city.
I think this is the first documented case of a cyberattack causing a fatality. UK hospitals had to redirect patients during the 2017 WannaCry ransomware attack, but there were no documented fatalities from that event.
The police are treating this as a homicide.
Posted on September 23, 2020 at 6:03 AM
Amazon drivers — all gig workers who don’t work for the company — are hanging cell phones in trees near Amazon delivery stations, fooling the system into thinking that they are closer than they actually are:
The phones in trees seem to serve as master devices that dispatch routes to multiple nearby drivers in on the plot, according to drivers who have observed the process. They believe an unidentified person or entity is acting as an intermediary between Amazon and the drivers and charging drivers to secure more routes, which is against Amazon’s policies.
The perpetrators likely dangle multiple phones in the trees to spread the work around to multiple Amazon Flex accounts and avoid detection by Amazon, said Chetan Sharma, a wireless industry consultant. If all the routes were fed through one device, it would be easy for Amazon to detect, he said.
“They’re gaming the system in a way that makes it harder for Amazon to figure it out,” Sharma said. “They’re just a step ahead of Amazon’s algorithm and its developers.”
Posted on September 22, 2020 at 6:36 AM
The Grugq has written an excellent essay on how the Russian cybercriminal gang FIN7 operates. An excerpt:
The secret of FIN7’s success is their operational art of cyber crime. They managed their resources and operations effectively, allowing them to successfully attack and exploit hundreds of victim organizations. FIN7 was not the most elite hacker group, but they developed a number of fascinating innovations. Looking at the process triangle (people, process, technology), their technology wasn’t sophisticated, but their people management and business processes were.
Their business… is crime! And every business needs business goals, so I wrote a mock FIN7 mission statement:
Our mission is to proactively leverage existing long-term, high-impact growth strategies so that we may deliver the kind of results on the bottom line that our investors expect and deserve.
How does FIN7 actualize this vision? This is CrimeOps:
- Repeatable business process
- CrimeBosses manage workers, projects, data and money.
- CrimeBosses don’t manage technical innovation. They use incremental improvement to TTP to remain effective, but no more
- Frontline workers don’t need to innovate (because the process is repeatable)
Posted on September 16, 2020 at 6:00 AM
The company Edgenuity sells AI systems for grading tests. Turns out that they just search for keywords without doing any actual semantic analysis.
Posted on September 4, 2020 at 6:02 AM
Interesting story of a class break against the entire Tesla fleet.
Posted on September 3, 2020 at 6:18 AM
The US Cybersecurity and Infrastructure Security Agency (CISA) published a long and technical alert describing a North Korea hacking scheme against ATMs in a bunch of countries worldwide:
This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme — referred to by the U.S. Government as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”
The level of detail is impressive, as seems to be common in CISA’s alerts and analysis reports.
Posted on September 1, 2020 at 6:17 AM
Interesting paper on recent hack-and-leak operations attributed to the UAE:
Abstract: Four hack-and-leak operations in U.S. politics between 2016 and 2019, publicly attributed to the United Arab Emirates (UAE), Qatar, and Saudi Arabia, should be seen as the “simulation of scandal” – deliberate attempts to direct moral judgement against their target. Although “hacking” tools enable easy access to secret information, they are a double-edged sword, as their discovery means the scandal becomes about the hack itself, not about the hacked information. There are wider consequences for cyber competition in situations of constraint where both sides are strategic partners, as in the case of the United States and its allies in the Persian Gulf.
Posted on August 13, 2020 at 9:28 AM
Yet another Internet-connected door lock is insecure:
Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec’s $139.99 UltraLoq is marketed as a “secure and versatile smart deadbolt that offers keyless entry via your Bluetooth-enabled smartphone and code.”
Users can share temporary codes and ‘Ekeys’ to friends and guests for scheduled access, but according to Tripwire researcher Craig Young, a hacker able to sniff out the device’s MAC address can help themselves to an access key, too.
UltraLoq eventually fixed the vulnerabilities, but not in a way that should give you any confidence that they know what they’re doing.
EDITED TO ADD (8/12): More.
Posted on August 10, 2020 at 6:23 AM
A 17-year-old Florida boy was arrested and charged with last week’s Twitter hack.
News articles. Boing Boing post. Florida state attorney press release.
This is a developing story. Post any additional news in the comments.
EDITED TO ADD (8/1): Two others have been charged as well.
EDITED TO ADD (8/11): The online bail hearing was hacked.
Posted on July 31, 2020 at 4:03 PM