Yes, you can remotely hack factory, building site cranes more easily than a garage door

Did you know that the manufacturing and construction industries use radio-frequency remote controllers to operate cranes, drilling rigs, and other heavy machinery? Doesn’t matter: they’re alarmingly vulnerable to being hacked, according to Trend Micro.

Available attack vectors for mischief-makers include the ability to inject commands, malicious re-pairing and even the ability to create one’s own custom havoc-wreaking commands to remotely controlled equipment.

“Our findings show that current industrial remote controllers are less secure than garage door openers,” said Trend Micro in its report – “A security analysis of radio remote controllers” – published today.

As a relatively obscure field, from the IT world’s point of view at any rate, remotely controlled industrial equipment appears to be surprisingly insecure by design, according to Trend: “One of the vendors that we contacted specifically mentioned multiple inquiries from its clients, which wanted to remove the need for physically pressing the buttons on the hand-held remote, replacing this with a computer, connected to the very same remote that will issue commands as part of a more complex automation process, with no humans in the loop.”

Even the pairing mechanisms between radio frequency (RF) controllers and their associated plant are only present “to prevent protocol-level interferences and allow multiple devices to operate simultaneously in a safe way,” Trend said.

Yes, by design some of these pieces of industrial gear allow one operator to issue simultaneous commands to multiple pieces of equipment.

In addition to basic replay attacks, where commands broadcast by a legitimate operator are recorded by an attacker and rebroadcast in order to take over a targeted plant, attack vectors also included command injection, “e-stop abuse” (where miscreants can induce a denial-of-service condition by continually broadcasting emergency stop commands) and even malicious reprogramming. During detailed testing of one controller/receiver pair, Trend Micro researchers found that forged e-stop commands drowned out legitimate operator commands to the target device.

One vendor’s equipment used identical checksum values in all of its RF packets, making it much easier for mischievous folk to sniff and successfully reverse-engineer those particular protocols. Another target device did not even implement a rolling code mechanism, meaning the receiving device did not authenticate received code in any way prior to executing it, like how a naughty child with an infrared signal recorder/transmitter could turn off the neighbour’s telly through the living room window.
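The replay weakness described above comes down to what the receiver checks before it acts. As an added example (not taken from Trend Micro's report or any vendor's firmware), the sketch below contrasts a fixed-code receiver with one that requires an authenticated, strictly increasing counter. The frame layouts, key, pairing ID, command codes and window size are all constructed assumptions.

```python
import hashlib
import hmac
import struct

# All values are constructed for illustration; no vendor's protocol is modelled.
PAIRING_ID = b"\x12\x34"
KEY = bytes(range(16))          # per-pair secret provisioned at pairing time (assumed)
CMD_UP, CMD_ESTOP = 0x01, 0xFF
WINDOW = 16                     # max counter jump tolerated for missed frames (assumed)
TAG_LEN = 8


def fixed_frame(command: int) -> bytes:
    """Fixed-code frame: pairing id, command, 1-byte additive checksum."""
    body = PAIRING_ID + bytes([command])
    return body + bytes([sum(body) & 0xFF])


def fixed_receiver_accepts(frame: bytes) -> bool:
    """Checks integrity only; a recorded frame is indistinguishable from a live one."""
    if len(frame) != 4:
        return False
    body, checksum = frame[:3], frame[3]
    return body[:2] == PAIRING_ID and checksum == (sum(body) & 0xFF)


def rolling_frame(key: bytes, counter: int, command: int) -> bytes:
    """Rolling-code frame: 32-bit counter, command, truncated HMAC-SHA256 tag."""
    body = struct.pack(">IB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class RollingReceiver:
    """Executes a command only if the tag verifies and the counter moves forward."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last_counter = last_counter

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted frame
        counter, _command = struct.unpack(">IB", body)
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return False                      # replayed, stale, or too far ahead
        self.last_counter = counter           # advance only after authentication
        return True


def demo() -> dict:
    captured_fixed = fixed_frame(CMD_UP)
    rx = RollingReceiver(KEY)
    captured_rolling = rolling_frame(KEY, 1, CMD_UP)
    return {
        "fixed_live": fixed_receiver_accepts(captured_fixed),
        "fixed_replay": fixed_receiver_accepts(captured_fixed),
        "rolling_live": rx.accept(captured_rolling),
        "rolling_replay": rx.accept(captured_rolling),
        "rolling_wrong_key": rx.accept(rolling_frame(b"\x00" * 16, 2, CMD_ESTOP)),
        "rolling_next": rx.accept(rolling_frame(KEY, 2, CMD_UP)),
    }


if __name__ == "__main__":
    print(demo())
```

The counter window trades resilience to dropped frames against how far ahead an accepted frame may be; a receiver that falls outside it needs an authenticated resynchronisation step, which this sketch does not cover.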

Trend Micro also found that of the user-reprogrammable devices it tested, “none of them had implemented any protection mechanism to prevent unattended reprogramming (e.g. operator authentication)”.

Source: Yes, you can remotely hack factory, building site cranes. Wait, what? • The Register

The Dirty Truth About Turning Seawater Into Drinking Water

A paper published Monday by United Nations University’s Institute for Water, Environment, and Health in the journal Science of the Total Environment found that desalination plants globally produce enough brine—a salty, chemical-laden byproduct—in a year to cover all of Florida in nearly a foot of it. That’s a lot of brine.

In fact, the study concluded that for every liter of freshwater a plant produces, 0.4 gallons (1.5 liters) of brine are produced on average. For all the 15,906 plants around the world, that means 37.5 billion gallons (142 billion liters) of this salty-ass junk every day. Brine production in just four Middle Eastern countries—Saudi Arabia, Kuwait, Qatar, and the United Arab Emirates—accounts for more than half of this.

The study authors, who hail from Canada, the Netherlands, and South Korea, aren’t saying desalination plants are evil. They’re raising the alarm that this level of waste requires a plan. This untreated salt water can’t just hang around in ponds—or, in worst-case scenarios, go into oceans or sewers. Disposal depends on geography, but typically the waste does go into oceans or sewers, if not injected into wells or kept in evaporation ponds. The high concentrations of salt, as well as chemicals like copper and chlorine, can make it toxic to marine life.

“Brine underflows deplete dissolved oxygen in the receiving waters,” said lead author Edward Jones, who worked at the institute and is now at Wageningen University in the Netherlands, in a press release. “High salinity and reduced dissolved oxygen levels can have profound impacts on benthic organisms, which can translate into ecological effects observable throughout the food chain.”

Instead of carelessly dumping this byproduct, the authors suggest recycling to generate new economic value. Some crop species tolerate saltwater, so why not use it to irrigate them? Or how about generating electricity with hydropower? Or why not recover the minerals (salt, chlorine, calcium) to reuse elsewhere? At the very least, we should be treating the brine so it’s safe to discharge into the ocean.

Countries that rely heavily on desalination have to be leaders in this space if they don’t want to erode their resources further. And this problem must be solved before our dependency on desalination grows.

The technology is becoming more affordable, as it should, so lower-income countries that need water may be able to hop on the wave soon. While this brine is a problem now, it doesn’t have to be by then.

Source: The Dirty Truth About Turning Seawater Into Drinking Water

Project Alias is a DIY project that deafens your home voice assistant until you want it to listen to you

Alias is a teachable “parasite” that is designed to give users more control over their smart assistants, both when it comes to customisation and privacy. Through a simple app the user can train Alias to react to a custom wake-word/sound, and once trained, Alias can take control over your home assistant by activating it for you.

When you don’t use it, Alias will make sure the assistant is paralysed and unable to listen by interrupting its microphones.

Follow the build guide on Instructables or get the source code on GitHub

Alias acts as a middle-man device that is designed to appropriate any voice activated device. Equipped with speakers and a microphone, Alias is able to communicate and manipulate the home assistant when placed on top of it. The speakers of Alias are used to interrupt the assistant with a constant low noise/sound that feeds directly into the microphone of the assistant. Only when Alias recognises the user created wake-word does it stop the noise and quietly activate the assistant with a sound recording of the original wake-word. From here the assistant can be used as normal.

The wake word detection is made with a small neural network that runs locally on Alias, which can be trained and modified through live examples. The app acts as a controller to reset, train and turn on/off Alias.

The way Alias manipulates the home assistant makes it possible to create new custom functionalities and commands that the products were not originally intended for. Alias can be programmed to send any speech commands to the assistant’s speakers, which leaves us with a lot of new possibilities.

Source: Bjørn Karmann › project_alias

International stock trading scheme hacked into SEC database EDGAR – again

Federal prosecutors unveiled charges in an international stock-trading scheme that involved hacking into the Securities and Exchange Commission’s EDGAR corporate filing system.

The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia and Ukraine. Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information. Most of those filings were “test filings,” which corporations upload to the SEC’s website.

The charges were announced Tuesday by Craig Carpenito, U.S. Attorney for the District of New Jersey, alongside the SEC, the Federal Bureau of Investigation and the U.S. Secret Service, which investigates financial crimes.

The scheme involves seven individuals and operated from May to at least October 2016. Prosecutors said the traders were part of the same group that previously hacked into newswire services.

Carpenito, in a press conference Tuesday, said the thefts included thousands of valuable, private business documents. “After hacking into the EDGAR system they stole drafts of [these] reports before the information was disseminated to the general public,” he said.

Those documents included quarterly earnings, mergers and acquisitions plans and other sensitive news, and the criminals were able to view it before it was released as a public filing, thus affecting the individual companies’ stock prices. The alleged hackers executed trades on the reports and also sold them to other illicit traders. One inside trader made $270,000 in a single day, according to Carpenito.

The hackers used malicious software sent via email to SEC employees. Then, after planting the software on the SEC computers, they sent the information they were able to gather from the EDGAR system to servers in Lithuania, where they either used it or distributed the data to other criminals, Carpenito said. The EDGAR service operates in New Jersey, which is why the Justice Department office in Newark was involved in the case.

Stephanie Avakian, co-head of the SEC’s Division of Enforcement, said the same criminals also stole advance press releases sent to three newswire services, though she didn’t name the newswires. The hackers used multiple broker accounts to collect the illicit gains, she said.

Two Ukrainians were charged by the Justice Department with hacking the database — Oleksandr Ieremenko and Artem Radchenko. Seven further individuals and entities were also named in a civil suit by the SEC for trading on the illicit information: Sungjin Cho, David Kwon, Igor Sabodakha, Victoria Vorochek, Ivan Olefir, Andrey Sarafanov, Capyield Systems, Ltd. (owned by Olefir) and Spirit Trade Ltd.

Consolidated Audit Trail fears

Also at the time, the incident sparked fears over the SEC’s Consolidated Audit Trail database, known as CAT. The CAT was meant to record every trade and order — either stock or option — made in the U.S., with the goal of providing enough data to analyze for detecting market manipulations and other malicious behavior.

Full implementation of the CAT has been plagued by delays, with equities reporting now scheduled to begin in November. The New York Stock Exchange has asked the SEC to consider limiting the amount of data collected by the CAT, which would include data on around 58 billion daily trades, as well as the personal details of individuals making the trades, including their Social Security numbers and dates of birth.

In September 2017, SEC chairman Jay Clayton announced the EDGAR database had been hacked in a lengthy statement. The commission said the database was penetrated in 2016 but the incident wasn’t detected until August 2017.

“Cybersecurity is critical to the operations of our markets, and the risks are significant and, in many cases, systemic,” Clayton said at the time. “We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

Source: International stock trading scheme hacked into SEC database

North Korean Hackers Gain Access to Chilean ATMs Through Skype

The one thing no one expects on a job interview is North Korean hackers picking up on the other line. But that’s apparently exactly what happened to a hapless employee at Redbanc, the company that handles Chile’s ATM network.

The bizarre story was reported in trendTIC, a Chilean tech site. A Redbanc employee found a job opening on LinkedIn for a developer position. After setting up a Skype interview, the employee was then asked to install a program called ApplicationPDF.exe on their computer, trendTIC reports. The program was reportedly explained to be part of the recruitment process and generated a standard application form. But it was not an application form, it was malware.

Because the malware was then installed on a company computer, the hackers reportedly received important info about the employee’s work computer, including username, hardware and OS, and proxy settings. With all that info, the hackers would then be able to later deliver a second-stage payload to the infected computer.

As for the link to North Korea, an analysis by security firm Flashpoint indicates the malware utilized PowerRatankba, a malicious toolkit associated with Lazarus Group, a hacking organization with ties to Pyongyang. If you haven’t heard of these guys, you’ve definitely heard of the stuff they’ve been up to. Also known as Hidden Cobra, the Lazarus Group is linked with the Sony hack in 2014 and the WannaCry 2.0 virus, which infected 230,000 computers in 150 countries in 2017. They’re also known for targeting major banking and financial institutions and have reportedly absconded with $571 million in cryptocurrency since January 2017.

The hack reportedly took place at the end of December, but it was only made public after Chilean Senator Felipe Harboe took to Twitter last week to blast Redbanc for keeping the breach secret. Redbanc later acknowledged the breach occurred in a statement, but the company failed to mention any details.

That said, there were some serious security 101 no-no’s committed by the Redbanc employee that we can all learn from. Mainly, it doesn’t matter how much you hate your current gig, you should be suspicious if a prospective employer asks you to download any program that asks for personal information. Also, for multiple common-sense reasons, maybe don’t do job interviews on your dedicated work computer. And while it’s hard these days not to take work home, for security reasons, you should definitely be more discerning about the programs you download onto a work-issued device. Sounds simple enough, but then again, it happened to this poor fellow.

[ZDNet]

Source: North Korean Hackers Gain Access to Chilean ATMs Through Skype

Do you feel ‘lucky’, well, do you, punk? Google faces down magic button patent claim

Google has won a patent dispute over its famous “I’m feeling lucky” button that immediately connects a user to its top-ranking search link with a single click.

The search engine giant was sued in 2016 by Israeli company Spring Ventures (previously Buy2 Networks) for allegedly infringing on its patent, US 8,661,094, that covers displaying a web page without extra user input.

The patent was originally filed in 1999, and the company won a continuation of it in 2014. Soon after it started sending letters to Google insisting that its button infringed at least 14 separate aspects of the patent because it allowed users to reach a webpage without providing a specific URL.

Google, funnily enough, ignored the upstart’s licensing demands, and so Spring Ventures sued in the United States. In response, Google went to the Patent Trial and Appeal Board (PTAB) and asked it to review the patent’s validity.

And the three-person review came back this week with its answer: the patent was not valid because of its “obviousness.”

That may sound like a harsh putdown but in the rarefied world of patent law, the term “obvious” has a tediously precise meaning. You can read the full decision to find out precisely what it means but we don’t recommend it: patent lawyers have a habit of turning written English into a gaspingly turgid explanation of a concept.

And so here is the plain English version: Spring Ventures patented a system for finding web pages that were not written in English (presumably there is a Yiddish aspect in there). The internet and the world wide web to this day remain a painfully ASCII medium thanks to all its early inventors only speaking English and so only writing that in their code.

This created a lot of problems for people used to non-ASCII symbols and letters in their everyday written language and so Spring Ventures patented a way for people to type in something very close to a non-ASCII name in ASCII and have it automatically figure out what they were looking for. Useful stuff.

For example.com

At some point however it decided that this meant it had control over any system that automatically took a user to a website without them typing in the full website address e.g. example.com.

Google took issue with this argument and pointed out that this wasn’t exactly the first time that people had thought about how to make the vast landscape of web pages more manageable.

And so it dug back into the annals of internet browsing history and specifically Joe Belfiore’s patent for “Intelligent automatic searching” which he developed while working for Microsoft back in the Internet Explorer days (Belfiore is still at Microsoft btw). He filed it back in 1997.

There is another earlier patent too – Bernardo Sotomayor’s one for “Qualified searching of electronically stored documents” – which was explained in an article in Infoworld back in 1997 written by Serge Koren and talking about a product called EchoSearch.

Basically, Belfiore came up with a system for passing a search request in a browser bar that wasn’t a full URL through to a search engine and giving the user a results page – rather than just saying “this webpage doesn’t exist.” And EchoSearch was Java-run software that displayed results from several search engines pulled into a single page in response to a specific search.

Obvious, mate

Google argued that, considering these two systems were already in place and in use before Spring Ventures made its patent application, its whole concept was not some new imaginative leap that needed protecting but instead a pretty obvious thing that people were already doing.

And the patent board agreed [PDF].

The lawsuit that Spring Ventures initiated against Google has been on hold until the PTAB made a determination and will now die unless the Israeli company appeals and successfully persuades the board to reverse its decision – something that is possible given that the USPTO just changed its guidelines to make it easier to patent software applications. But it seems unlikely.

Which is lucky for Google. We can only imagine the payout if its one-click button was found to be infringing a patent.

Source: Do you feel ‘lucky’, well, do you, punk? Google faces down magic button patent claim • The Register

Incredible, the amount of money that must have been spent on lawyers to come to this obvious conclusion.

South Korea says mystery hackers cracked advanced weapons servers

The South Korea Ministry of National Defense says 10 of its internal PCs have been compromised by ~~North Korea~~ unknown hackers.

Korea’s Dong-A Ilbo reports that the targeted machines belonged to the ministry’s Defense Acquisition Program Administration, the office in charge of military procurement.

The report notes that the breached machines would have held information on purchases for things such as “next-generation fighter jets,” though the Administration noted that no confidential information was accessed by ~~North Korea~~ the yet-to-be identified infiltrators.

~~North Korea~~ The mystery hackers got into the machines on October 4 of last year. Initially trying to break into 30 machines, the intruders only managed to compromise 10 of their targets.

After traversing the networks for more than three weeks the intrusion was spotted on October 26 by the National Intelligence Service, who noticed unusual activity on the procurement agency’s intellectual property servers.

An investigation eventually unearthed the breach, and concluded that ~~North Korea~~ the mystery hackers did get into a number of machines but didn’t steal anything that would be of use to ~~North Korea~~ a hostile government.

The incident was disclosed earlier this week in a report from a South Korean politician.

“It is dubious whether the agency issued a conclusion to conceal damage and minimize the scope of penetration,” Dong-A Ilbo quotes the politico as saying.

“Further investigation to find out if the source of attacks is North Korea or any other party.”

The report notes that the attack on the Defense Acquisition Program Administration appears to be part of a larger effort by ~~North Korea~~ an unknown group to infiltrate networks throughout the South Korean government in order to steal data.

The government says it is working on “extra countermeasures” to prevent future attacks by ~~North Korea~~ mystery foreign groups.

Source: South Korea says mystery hackers cracked advanced weapons servers • The Register