Tag Archives: hacking

From carjack to carhack

As if you didn’t have enough things to worry about when you’re driving… researchers have demonstrated some rather worrying security holes that could allow an attacker to PWN your car’s onboard computer systems by spoofing the signals from the wireless tyre pressure sensors [via George Dvorsky]:

… previous experiments showed what could be done with a physical connection to a vehicle’s computer. The new work by teams from the University of South Carolina and Rutgers tried a different tack: spoofing the wireless sensors in wheels used by tire pressure monitoring systems, required in all new U.S. vehicles since 2008.

The researchers didn’t find a wide-open door so much as the security employed by a 1920s speakeasy: once they learned the secret knock, the unidentified test car’s controls let them in no questions asked. The team sent fake warning messages from 40 meters away, and in another experiment, got the test car to flash a warning that a tire had lost all pressure while beaming the signal from another car as both drove 68 mph.

Because each sensor uses a unique ID tag, it was also possible to track specific vehicles, in a way that would be far less noticeable than roadside cameras.

The hacked car usually reset its warnings after the spoofed messages stopped. But after two days of tests, the electronic control unit for the tire monitors fell off its twig and had to be replaced by a dealer. The researchers note that it took several hours of graduate-level engineering to devise their tools and crack into the monitors, but that the actual technology for doing so cost about $1,500.

Buying off-the-shelf kits to accomplish this sort of hack will be as easy as buying an ATM credit card skimmer or a few hours of run-time on a botnet; it’s just chips and code, after all. And now, would the congregation please join with me in chanting the votive mantra of Futurismic: Everything Can And Will Be Hacked.

Cheaper, more open tablets: this is exactly why I had no interest in buying an iPad

No, I’m not about to start bitching about Apple’s flagship gizmo and what it can or can’t do (although, if you want to buy me a beer or two in meatspace, I’d be more than happy to give you my two uninformed but moderately passionate cents on that).

Instead, I’m just going to point to evidence of exactly what I’ve been saying would happen: that within a very short amount of time after the iPad’s launch, you’d be able to get cheaper hardware with the same or greater functionality, and run a FOSS operating system on it that lets you get applications from anywhere you choose. So, via eBooknewser, here’s a guide to hacking the US$200 Pandigital Novel tablet device so it’ll run the Android operating system. Come Christmas time this year, there’ll be dozens of machines just like that kicking around all over the place, only cheaper still.

Speaking of Android, there’s a lot of noise about the way that Google are working on a kind of visual development system that’s designed to let folk with minimal coding knowledge to develop apps that will run on Android – again, a stark comparison to the walled-garden quality control of Apple’s development kits. Sure, the Android market will be flooded with crap and/or dodgy apps as a result… but letting the good stuff bubble to the top is what user rating systems and [editors/curators/gatekeepers] are for, right?

It’s a man’s life in the global pseudocorporate cybercrime conglomerates!

PC Pro has an interesting insight into the daily goings-on at a defunct scareware corporation from Ukraine [via SlashDot], which – if it’s to be taken at face value – demonstrates how similar such blackhat operations are to many (arguably more legitimate) organisations, at least as far as flim-flamming the people they screw over and rewarding their star employees is concerned:

According to court documents, former employees and investigators, a receptionist greeted visitors at the door of the company, known as Innovative Marketing Ukraine. Communications cables lay jumbled on the floor and a small coffee maker sat on the desk of one worker.

As business boomed, the firm added a human resources department, hired an internal IT staff and built a call center to dissuade its victims from seeking credit card refunds. Employees were treated to catered holiday parties and picnics with paintball competitions.

Top performers got bonuses as young workers turned a blind eye to the harm the software was doing. “When you are just 20, you don’t think a lot about ethics,” said Maxim, a former Innovative Marketing programer who now works for a Kiev bank and asked that only his first name be used for this story. “I had a good salary and I know that most employees also had pretty good salaries.”

Hardly the two-geeks-and-a-table operation that you might expect, eh? If only that infuriating 50% of internet users would stop opening spam emails

Ideological cyberwarfare and the marketing of intangible threats

Ars Technica points us to a BBC report that claims botnets are increasingly being deployed by ideological and political activist groups as well as the more traditional spammers ‘n’ scammers. There’s undoubtedly a kernel of truth here, but given that the data that informs this conclusion comes from Prolexic, a company whose profits depend on selling computer security solutions to businesses and governments, I find myself wanting to poke holes in the story. It’s easily done, too.

First of all, Anonymous are described as an “anti-Scientology group”, which is a massive oversimplification. If they can be said to be anything at all, Anonymous is an amorphous and capricious cloud of nihilistic pranksters, but framing them as a single-interest group makes them more understandable to the corporate mind-set, as well as portraying them as “something that could happen to you“.

Next item – look at this excerpt:

In one attack both large and small perfume firms were hit in an apparent attempt, said Mr Sop, by green activists to express their disquiet with the way the companies made and tested their products.


These techniques are far removed from those favoured by organised criminals. Some targeted databases behind a website in a bid to swamp that with bogus login attempts or lengthy search requests that would knock out the server and take out the website too.

Note the use of “apparent”, and the lack of any defined enemy. They have no idea who did it, in other words; the “green activists” thing is likely a guess, one that plays into current fears about ideological activism by companies whose business practices might put them in line for such. Isn’t it at least equally likely that the botnet was hired by another perfume business in order to throw some caltrops in the path of its competitors? Is it so implausible that “organised criminals” could have upped their technological game in recent months? It’s not an area in which I have great experience (or, indeed, any experience at all), but I’d imagine that staying on top in the world of international gangsterism involves making sure you’re using the best tools available… because if you’re not, your competition surely will be.

Furthermore, how many “green” activist groups with a special interest in perfumery have the spare money to waste on this sort of warfare? A big part of activist psychology is the desire to be seen to be doing something; this sort of clandestine skulduggery doesn’t sound like the work of placard-waving protesters to me, and I doubt they’d have the money or contacts to call down the botnet fist-of-god on their enemies. There’s nothing to say it couldn’t be, of course, but I’d want better proof – especially from a source who stands to benefit from setting up straw-man opponents which it can then offer protection from.

A few more bits from the bottom:

Mr Sop said Prolexic suspected that some of the attacks it had seen in recent months were being mounted by governments or their proxies in the hacking community as a way to demonstrate their cyber capabilities.

*cough* *wink* China *nudge* *cough* The Red Peril! The Other! The monsters under Western capitalism’s bed! They’re coming for you!

The resources being put into the attacks, some of which targeted very expensive pieces of net hardware, ruled out the involvement of organised crime, he said.

Really? Why would organised criminal syndicates not be interested in attacking “expensive net hardware” when political or ideological activists would be? And this hardware – what is so different about it that makes it expensive by comparison to “not-so-expensive” net hardware, exactly? Are the victim servers plated with gold, perhaps?

OK, so I’m going a bit overboard here, but everything about the report from these Prolexic people stinks of under-the-radar button-pushing infomercial. Ideologically-targetted botnets are certainly a real issue, and probably more so than they were a year ago… but I suspect this shift in PR focus by security firms to be born of the realisation that defined threats enable sales better than amorphous ones. Which is the more tangible risk, as perceived by a CEO – “scammers might hijack your server because it’s essentially a box that can do anything if instructed properly” or “people who object to your ideology or business practices could treat your network infrastructure as a weak point”? The former is a statistical long-shot; the latter plays on the fear of competition that is key to any successful business.

Getting back to the core point, though, the rise of ideological deployments of botnets is hardly surprising. The people who run botnets are mercenaries of the old school, renting out their services by the day (or maybe even by the hour) to anyone who can meet the price… and for those groups who can’t meet the price (or don’t like dealing with middle-men), it’s depressingly easy to build one yourself, if you’ve the time and motivation. But that’s the key – time and motivation, and the afore-mentioned visibility. Single-issue activist groups want their protests to be seen and attributed to them, because otherwise they’re wasting their time; the stealthy anonymous attacks are logically far more likely to originate from corporations (legitimate or criminal) and nation-states.

So, yes, ideological cyberwarfare is a real and rising threat… but I’m not convinced it’s as grass-roots a threat as it’s being portrayed. After all, if you want to sell your product to corporations and governments, you can’t go demonising your potential customers in your ad copy.

Phishing for carbon credits

power station chimneysWherever there’s a fast buck to be made, there you’ll find phishing scams and internet fraudsters. Some enterprising souls evidently decided that phishing for the credit card details of ordinary people was insufficiently ambitious, so they turned their attention to the nascent carbon credits market:

The hackers launched a targeted phishing attack against employees of numerous companies in Europe, New Zealand and Japan, which appeared to come from the German Emissions Trading Authority. The workers were told that their companies needed to re-register their accounts with the Authority, where carbon credits and transactions are recorded.

When workers entered their credentials into a bogus web page linked in the e-mail, the hackers were able to hi-jack the credentials to access the companies’ Trading Authority accounts and transfer their carbon credits to two other accounts controlled by the hackers.

[…]According to the BBC, it’s estimated the hackers stole 250,000 carbon credit permits from six companies worth more than $4 million. At least seven out of 2,000 German firms that were targeted in the phishing scam fell for it. One of these unidentified firms reportedly lost $2.1 million in credits in the fraud.

Now, in no way do I condone this sort of criminal activity… but I can’t help but feel that any organisation dealing with big-money transactions that doesn’t train its employees in decent email security procedures in this day and age is only getting what it deserves. Phishing is essentially a mediated version of the social engineering hack, and that’s an old enough phenomenon that you’d think any organisation with a lot to lose would take a little more care over it… I wonder if we’ll ever learn, or if we’re hardwired to fall for confidence tricks and bluff deceptions in perpetuity? [image by foto43]