Tag: hacks

Big business ignores smart meter security risks for short term profit

Smart meter vendors are ignoring the cyber security risks associated with this technology, pushing it on the masses mostly to drive profits.

A recent FBI report highlighted a number of cyber attacks against smart meter installations over the past several years. It said the attacks could have cost the US hundreds of millions of dollars per year.

According to the Krebsonsecurity blog, the report warned that insiders and individuals with only a moderate level of computer knowledge could hack meters with low-cost tools and software, which could be bought quite easily over the internet. This could then be used to change the details of the smart meter and ramp up electricity bills for households.

According to a security expert, speaking under anonymity, this isn’t a new threat.

“We’ve been saying for years that smart meters are targets for hackers but companies looking to make money from this technology have ploughed ahead regardless,” our source said. “Now it seems that governments and the legal authorities are finally waking up to what a big threat this is”.

Back in 2009, the Georgia Tech Information Security Centre warned that cyber tactics could be used to defraud utilities or perhaps cause power outages. They said the threats applied to water and gas systems, which are rolling out smart meters and advanced metering infrastructure. A further warning was issued that hospital infrastructure could be caught up in the attacks either through a direct attack, or accidentally through unpatched software on critical systems.

“There is a problem and this latest FBI finding is just bringing it to the surface,” TechEye heard. “The fact that most small time hackers can break into one of these shows there’s a huge gap in the regulatory market”.

Earlier this year, E.ON got heavy handed and criticised the UK parliament for citing cyber security fears as a reason for delaying the UK’s smart meter roll out.

However, our source told us this “may have been one of the most sensible things parliament had done in a very long time.”

“Ruled by big businesses,” our source said, “governments are having their hands forced into signing requirements for this technology without being 100 percent sure about the cyber security consequences”.

“They are ruling the roost and putting huge pressure on authorities and businesses.

“Until big business butts out and stops forcing authorities to make rash decisions we’ll have a problem on our hands. And as this technology grows and companies and vendors continue to push on regardless of the consequences, then we could see a lot more problems.”

Krebsonsecurity agreed: “Two researchers were slated to demo their smart meter hacking tools at the Shmoocon security conference earlier this year, but agreed to pull the presentation at the last minute at the request of several vendors and utilities that they declined to name.”

According to our source, there are other worrying implications, which suggest that big business is being short sighted and, most likely, is in danger of shooting itself in the foot.

“If the smart meter has personal information, such as names and addresses, these could be used for ID theft,” TechEye was told. “Secondly, if they can hack a residential meter, then hackers can also move onto big businesses, smart grids and much more.”

Vendors need to “for once” put cash aside and “really think about consequences” – or they could team up and create security regulation and research into how these abuses can be curbed. “Of course,” our source said, “this will never happen.”
 

Murdoch's tablet project tanks

A year after Rupert Murdoch announced that a deal with Apple was going to save the newspaper industry, it appears that his iPad newspaper idea has gone belly up.

According to the Independent, News International has abandoned a project to produce content for the company’s brand on the Apple tablet and similar devices.

Murdoch had set up a team called Project Two22 to bring about newspapers on tablets, but the scheme has been a failure and the staff have been shipped back to Wapping.

They were building apps that specialised in entertainment news and sport. The hope was to find a way to use the iPad to draw a more upscale audience to The Sun’s content.

The project was the last gasp for many staff from the disgraced News of the World, who were shifted over when the rag closed down in July over the phone hacking scandal. They have now been offered a choice of working for the Sun’s digital department or getting a redundancy cheque.

Anonymous hacktivists attack Finnish neo-Nazis

Anonymous hacktivists have attacked a neo-Nazi website in Finland and caused the resignation of a parliamentary aide over her links to the group.

Ulla Pyysalo, who worked for True Finns MP Juho Eerola, has resigned after her name appeared on a database of members of the neo-Nazi group Kansallinen Vastarinta.

The True Finns are already a controversial, right-wing political party in Finland.

The list was published by Anonymous Finland after it successfully hacked the website.

Anonymous said it had no tolerance for any group based on racial, sexual and religious discrimination as well as for all the people belonging to them and sharing their ideologies.

Anonymous said it was behind a series of attacks on websites unrelated to political extremism that exposed the personal details of 16,000 people. The details the hackers published online included social security numbers, addresses, telephone numbers, street addresses, and email addresses.

“We strongly recommend and invite You to check it out. You may find out Your neighbour or best friend is a dumbass Neo-Nazi,” the hackers said.

According to the Daily Telegraph the attacks were dubbed irresponsible by Mikko Hypponen, chief research officer of the Finnish internet security firm F-Secure, because they exposed the details of so many people. 

But it is hard to feel sorry for Nazi sympathisers.

Anonymous takes on Mexican drugs cartels

Anonymous appears to have changed tactics and has started taking on some seriously evil people.

According to Talking Points, a video by a member of Anonymous Veracruz, Mexico, has named and shamed Los Zetas, one of the most powerful drug cartels in the country, accusing it of kidnapping an unnamed male Anonymous member and holding him hostage.

The video, apparently made using a text-to-speech program, features footage of a person in a Guy Fawkes mask and threatens Los Zetas that it will start releasing information about the cartel’s businesses and associates if the supposedly kidnapped person isn’t set free.

“You made a huge mistake by taking one of us. Release him. And if anything happens to him, you will always remember this upcoming November 5th,” the address in the video says.

The Anonymous member was kidnapped from Veracruz, Mexico while he was taking part in Paperstorm, which encouraged members to take to the streets of their cities with paper flyers.

The message accuses taxi drivers, journalists, newspapers and cops of being the “servants” of the cartel and threatens to expose them, publishing identifying information about them, including names, photographs and addresses… “to see if by doing so the government will arrest them.”

If it does this, then Los Zetas associates and civil servants could be bumped off by a rival drug cartel, such as the Sinaloa. Sinaloa is the world’s leading trafficker of South American cocaine and no relation to Spinola, who is the world’s leading trafficker of whisky stolen from the editor’s drawer.

The Mexican government has been unable to stop the drugs cartels operating in its country. This is partly because the various factions own politicians and the cops. This has enabled them to kidnap whoever they like and carry out mass killings without anyone stopping them.

US government sacrifices constitution to get WikiLeaks

The US government has thrown its constitution to the wind and obtained a secret court order so it can harass a WikiLeaks volunteer.

Attorney General Eric Holder has said the US is pursuing an ‘active criminal investigation’ of WikiLeaks and has forced Google and ISP Sonic.net to turn over information from the email accounts of WikiLeaks volunteer Jacob Appelbaum.

According to documents found by the Wall Street Journal, Sonic fought the government’s order and lost, and was forced to turn over information.

Sonic’s chief executive, Dane Jasper, said that the government wanted the email addresses of people Mr. Appelbaum corresponded with in the past two years, but not the full emails. Google and Sonic wanted to tell Appelbaum about the secret court orders, but were blocked.

Appelbaum, 28, hasn’t been charged with any crime. It seems investigators felt some of his friends might be involved in Wikileaks so they hoped his emails would reveal who it was that made the US look like a right tit in front of the known world.

The information was seized under the elderly Electronic Communications Privacy Act, which appears to violate the U.S. Constitution’s Fourth Amendment protections against unreasonable searches and seizures.

The law has been around since before the internet but now appears to be the government’s weapon of choice.

This right is an important part of US history as most of the country’s founders were smugglers who did not like the way the English could simply stop and search them. In fact, some historians think that the whole revolution was engineered by US businessmen who resented paying for the policing that was keeping them making huge profits.

The fact that the US government seems keen to chuck this law out in its desperation to deal with WikiLeaks after it released a trove of classified government diplomatic cables last year, shows how miffed the government is about the leak.

Google, Microsoft and AT&T have asked Congress to update the law to require search warrants in more digital investigations.

Even the law’s author, US Senator Patrick Leahy, thinks that it’s “significantly outdated and outpaced by rapid changes in technology.”

However Associate Deputy Attorney General James Baker warned that if Congress changed the standard for obtaining information under ECPA, the government might not be able to arrest anyone it likes as quickly as it wants. 

Wikileaks releases unpublished US cables

Online whistleblower WikiLeaks has released tens of thousands of previously unpublished US diplomatic cables.

Some of the 100,000 US embassy cables from around the world are classified and will be online by the end of today, Wikileaks leader Julian Assange tweeted.

The cables appear to be from a cache of more than 250,000 State Department reports leaked to the group. WikiLeaks began releasing the cables in smaller batches late last year, but until now had made them public slowly.

Reuters said that it has had complete sets of the cables for months. The cables started to be published yesterday afternoon.

Assange’s inner circle told Reuters that the mass release of documents was caused by a sense of dismay among WikiLeaks activists that media organisations had lost interest in publishing stories based on the material.

Wikileaks had hoped to release the documents slowly and thus get the maximum public attention. Clearly they did not work out that old news is not news and the cables’ sell-by date was well past.

Assange and his associates are apparently “frustrated” at the lack of media interest.

The timing also coincides with the news that a California Internet registrar, which had hosted WikiLeaks, had received an order, generated by federal prosecutors in Alexandria, Virginia, requiring it to produce “information on Julian Assange.”

WikiLeaks said Dynadot had complied with the order. 

I deleted Wikileaks whistleblower evidence

The right-hand man of Wikileaks’ Julian Assange has admitted that he destroyed 3500 unpublished files leaked to the whistleblower site.

Daniel Domscheit-Berg, who left WikiLeaks last year after a falling out with Assange, told Der Spiegel that he destroyed the complete US no-fly list, five gigabytes of Bank of America documents and detailed information about 20 neo-Nazi groups.

Domscheit-Berg said he had the files “shredded to ensure that the sources are not compromised”. WikiLeaks claims Domscheit-Berg was in bed with the spooks and protected many neo-nazi groups. The files included human rights abuses, mass telecommunications interception, banking and the planning of dozens of neo-nazi groups.

Domscheit-Berg also took the entire Wikileaks encrypted submission system with him to start OpenLeaks. This meant that WikiLeaks was unable to receive leaked documents online for a year.

Domscheit-Berg claims that the reason he fell out with Assange was the fear that 400,000 classified US documents about the Iraq war were being released too early without taking the time to properly redact names of US collaborators and informants.

In his book, which will be released this year, Inside WikiLeaks, Domscheit-Berg accused Assange of being autocratic and said the reason he took the submission system and unpublished documents was because “children shouldn’t play with guns”.

Assange claims that Domscheit-Berg is in contact with the FBI, helping the US investigation into WikiLeaks and Assange. He also insists that Domscheit-Berg’s wife, Anke, is connected to the CIA and once stole his tin foil hat (we made the last bit up). 

Washington Post hacked

Hackers have attacked the jobs section of the Washington Post’s website and managed to find 1.2 million email addresses.

According to a FAQ, a Post spokesperson said that the worst users would have to face is a series of spam emails, which should be ignored.

The FAQ said that readers may receive some unsolicited spam as a result of this incident. It went on to trot out the usual “well, you should avoid opening suspicious or unsolicited e-mail anyway” sort of statement.

But the Post has not said how its security was clearly turned over by the hackers. It is one of the downsides of an operation that clearly harvests the personal details of its readers. The Post demanded that online readers fork over a small amount of personal information before registering on the site.

Most people assume that the data will be kept safe; in this case it clearly was not.

The fact that the attack has not been announced by any of the usual suspects means that it was not carried out by Anonymous. The whole point of these operations is to make their attacks public.

This means that the site was probably brought down by someone who was looking for data which could be used in spam or fraud.

Readers of the Post might be wondering how secure the rest of the site is.

Anonymous net gets very wide

It seems that the hacking outfit Anonymous is casting its net fairly wide to take out people who really are not that important in the scheme of things.

After making some high profile attacks, Anonymous appeared to take time out to take out a Sydney council website yesterday, leaving about 10 staff accounts vulnerable.

OK we are not talking about the FBI website, with thousands of user details exposed, but it seems that Anonymous wants to get into grass roots hacking.

Four Mosman Municipal Council website databases were leaked in the incident by the hacking group “Anonymous” in a link posted on the social networking site Twitter.

The hack means that anyone interested in Mosman Municipal Council’s doings can download a file containing the hacked council’s information.

While most of the information was public already, some of it contained user names, encrypted passwords and the email addresses of about 10 staff used for making changes to a council site. The passwords were encrypted and by the time anyone tries a brute force attack on them they will have changed.

The manager of IT services at the council, Kevin Nonweile, told the Sydney Morning Herald that the staff account details had been leaked and that the council was in discussions with its website hosting provider “to validate how it occurred”.

Nonweile admitted that the council was more surprised that Anonymous had taken the time to hack it.

Sony's Thai servers hacked

Finnish insecurity company F-Secure has kicked the slightly apologetic Sony when it is down, unearthing a phishing scheme on a server over in Thailand. It is, however, small fry compared to the other events in recent months.

It is unrelated to the mammoth hacking attempt which brought the PSN network down for all of its users, while leaking private details. 

F-Secure found a phishing website hosted on Sony’s servers which looks pretty authentic and appears to be aiming to scrape Italian credit card details through a CartaSi portal. But the URL is most definitely on hdworld.sony.co.th.

“Basically this means Sony has been hacked, again. Although in this case the server is probably not very important,” F-Secure said from its bog, where you can see the screen grabs. It says the URL is barred for F-Secure users and Sony has been notified.

Sony recently told partners its server re-buff is very secure indeed.

While the hack is certainly not monumental like the historic attack it initially blamed on Anonymous, it will not reassure some partners that things are well in Sony-land.