Tractor hacking is growing increasingly popular because John Deere and other manufacturers have made it impossible to perform “unauthorized” repair on farm equipment, which farmers see as an attack on their sovereignty and quite possibly an existential threat to their livelihood if their tractor breaks at an inopportune time.
Source: Why American Farmers Are Hacking Their Tractors With Ukrainian Firmware – Motherboard
A license agreement John Deere required farmers to sign in October forbids nearly all repair and modification to farming equipment, and prevents farmers from suing for “crop loss, lost profits, loss of goodwill, loss of use of equipment … arising from the performance or non-performance of any aspect of the software.”
“While this incident represents one of the first of its kind, the bad news is this form of attack is only going to become more common as more and more everyday items get connected to the internet, providing hackers with greater numbers of potential zombie devices.”
“The reason behind it is the issue of default credentials for wireless devices. This is going to bring billions of devices into the fold by 2020, which is only three years away. Whenever it is, there’s going to be so many of these things used by people with very limited understanding of what they are,” says Dine.
Source: How IoT hackers turned a university’s network against itself | ZDNet
The network that IoT devices use should be isolated from the rest of the network and secured by a firewall. This isn’t that difficult to do.
“When you go to a webpage, and you make a request, that parses part of the data in the request back to a server,” Hunt said. “For example, you read a news article, and the news article, in the address bar it has, “id=1”, and that gives you news article number 1, and then you get another one with ID 2.”
But, “with a SQLi attack, an attacker changes that ID in the address bar to something that forces the database to do something it’s not meant to do,” Hunt said, such as returning a piece of private data.
Source: The History of SQL Injection, the Hack That Will Never Go Away | Motherboard
Another commonly used piece of software is sqlmap. “It crawls the pages on the website, similar to how a search engine crawler might, looks for input forms on the website, and submits the forms with inputs that might cause a MySQL syntax error,” Al-Bassam added.
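The “id=1” lookup Hunt describes, as an added example (not code from either article): a constructed SQLite article table, the vulnerable string-concatenated query beside its parameterized form, and a probe function showing the syntax-error signal sqlmap looks for. Table and row contents are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the news site's database:
    articles 1 and 2 are public, article 3 is an unpublished draft."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Public story one", 1),
        (2, "Public story two", 1),
        (3, "Unpublished draft", 0),
    ])
    return db

def lookup_vulnerable(db, article_id):
    """The 'id=' value from the address bar is pasted straight into SQL.
    A crafted id rewrites the WHERE clause and exposes the private row."""
    sql = "SELECT id, title FROM articles WHERE public = 1 AND id = " + article_id
    return db.execute(sql).fetchall()

def triggers_syntax_error(db, article_id):
    """True when the vulnerable query cannot even be parsed: a stray quote
    produces the database error that scanners such as sqlmap probe for."""
    try:
        lookup_vulnerable(db, article_id)
        return False
    except sqlite3.Error:
        return True

def lookup_parameterized(db, article_id):
    """Hardened form: input is validated as a number and then bound as a
    parameter, so it is treated as data and never parsed as SQL."""
    if not article_id.isdigit():
        return []
    sql = "SELECT id, title FROM articles WHERE public = 1 AND id = ?"
    return db.execute(sql, (int(article_id),)).fetchall()
```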
In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.
According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.
Source: Online Cheating Site AshleyMadison Hacked — Krebs on Security
Last week, the OPM announced that a database containing the personal information of about 4 million current and former federal employees was hacked. Privately, U.S. officials said the Chinese government was behind the breach. The administration has not publicly pointed a finger at Beijing.
Source: Chinese hack compromised security-clearance database – The Washington Post
I’m surprised the Washington Post continues with this Chinese narrative, as there has been no official condemnation of China over this, and determining the true source of an intrusion is extremely difficult if not impossible in many cases. They still haven’t caught the culprits in the Target and Home Depot data breaches. The list of suspects with motive to obtain this kind of data is probably quite long, so it’s irresponsible to assume a guilty party before any evidence has been leaked. No doubt consultants are working furiously tracing log records, but at least wait until there is something concrete. The Washington Post is an institution with top-notch journalists, so they should know better.
And here’s the blurb that made me laugh.
Offensive actions might include directing a U.S. agency to locate the servers holding the stolen data and deleting or altering the data, the former official said.
Haha. Like whoever did this wouldn’t have backups six ways to Sunday of every bit gathered. There’s no way to delete anything digital once it’s out in the ether. Why would anyone publish a statement like that? The only thing an offensive cyber attack can accomplish is making the US government behave like the criminals whom they denounce.
Young said the routers largely lacked any form of authentication happening on the server; instead, the routers were doing password authentication in the browser. Compromising password hashes wasn’t much of a barrier for the contestants, and for hackers in the wild as well.
Source: DEF CON SOHOpelessly Broken Router Hacking Contest | Threatpost | The first stop for security news
Young said he would download the firmware from the respective vendor, extract it using tools such as Firmware Mod Kit to explore its design and eventually learn which files house administrative passwords and how the web server logic works with the router. Some models such as Netgear, TrendNet and others will return the password when submitted with the proper request.
This is why the admin interface of a SOHO router should only be reachable from the LAN side and never from the WAN side. Making admin changes is a rare event. One of the most damaging things a malicious actor can do with admin access is point the router’s DNS settings at a server they control, which lets them redirect any LAN client’s name lookups, and therefore its connections, to hosts of their choosing. Devices typically receive their DNS server address along with their IP address when they obtain a DHCP lease from the router.
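One defender-side check for the DNS-via-DHCP point above, added here as an example rather than anything from the Threatpost piece: parse the option TLVs of a DHCP offer, pull out the DNS servers (option 6), and flag any that are neither on the router’s own LAN subnet nor on an owner-maintained allowlist. The option blobs and the addresses in them are constructed (documentation ranges), and the allowlist contents are an assumption.

```python
import ipaddress

def parse_options(blob):
    """Walk RFC 2132-style DHCP option TLVs and return {code: raw bytes}.
    Assumes the blob holds only the options field, not the fixed header."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:          # end marker
            break
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def dns_servers(opts):
    """Option 6 is a list of packed IPv4 addresses, four bytes each."""
    raw = opts.get(6, b"")
    return [ipaddress.IPv4Address(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]

def check_offer(blob, trusted):
    """Return DNS servers (as strings) that are off-LAN and not in
    `trusted`: the signature of a router whose DNS has been redirected."""
    opts = parse_options(blob)
    router = ipaddress.IPv4Address(opts[3][:4])           # option 3: router
    mask = ipaddress.IPv4Address(opts[1])                 # option 1: subnet mask
    lan = ipaddress.IPv4Network(f"{router}/{mask}", strict=False)
    return [str(s) for s in dns_servers(opts)
            if s not in lan and str(s) not in trusted]

# Constructed offers: mask 255.255.255.0, router 192.168.1.1, then DNS.
GOOD_OFFER = bytes([1, 4, 255, 255, 255, 0, 3, 4, 192, 168, 1, 1,
                    6, 8, 192, 168, 1, 1, 203, 0, 113, 53, 255])
ROGUE_OFFER = bytes([1, 4, 255, 255, 255, 0, 3, 4, 192, 168, 1, 1,
                     6, 4, 198, 51, 100, 9, 255])
TRUSTED = {"203.0.113.53"}   # assumed: the owner's chosen upstream resolver
```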
Kicking the SOHO router seems to be a hot topic today. From: The Moose is loose: Linux-based worm turns routers into social network bots | Ars Technica
The malware, dubbed “Linux/Moose” by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device.
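Detection logic for the login pattern described above, added as an example that is not from the ESET or Ars Technica material: it parses router syslog lines for failed logins and flags any source address that racks up a threshold of failures inside a sliding time window. The log format is an assumption modelled on BusyBox-style login messages, the lines are constructed, and the year is supplied because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source hammering default usernames over Telnet,
# one LAN user who mistyped a password twice, fifteen minutes apart.
SAMPLE_LOG = """\
Jan 10 03:12:01 gw login[411]: invalid password for 'admin' on 'pts/0' from '198.51.100.23'
Jan 10 03:12:02 gw login[412]: invalid password for 'root' on 'pts/0' from '198.51.100.23'
Jan 10 03:12:03 gw login[413]: invalid password for 'admin' on 'pts/0' from '198.51.100.23'
Jan 10 03:12:04 gw login[414]: invalid password for 'support' on 'pts/0' from '198.51.100.23'
Jan 10 03:12:05 gw login[415]: invalid password for 'user' on 'pts/0' from '198.51.100.23'
Jan 10 03:40:10 gw login[502]: invalid password for 'admin' on 'pts/1' from '192.168.1.20'
Jan 10 03:55:31 gw login[540]: invalid password for 'admin' on 'pts/1' from '192.168.1.20'
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
                     r"invalid password for '([^']*)' on '\S+' from '([\d.]+)'")

def parse_failures(text, year=2015):
    """Yield (timestamp, username, source_ip) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3)

def find_bruteforce(text, threshold=5, window_s=60):
    """Return {source_ip: peak_count} for sources that reach `threshold`
    failures within any `window_s`-second span (per-source sliding window)."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                      # drop failures older than the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```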
A new report from the U.S. Government Accountability Office (GAO) warns that in-flight Wi-Fi, including wireless entertainment and internet-based cockpit communications, may allow hackers to gain remote access to avionics systems and compromise them. However, other experts disagree and call the report “deceiving.”
via US Report Claims In-Flight Entertainment Leaves Planes Open to Cyberattacks; Others Disagree.
From: Cyberhijacking Airplanes: Truth or Fiction? – DEFCON-22-Phil-Polstra-Cyber-hijacking-Airplanes-Truth-or-Fiction-Updated.pdf.
● Nearly every protocol used in aviation is
● There is certainly the potential to annoy ATC and/or small aircraft
● Increasing automation while continuing with unsecured protocols is problematic
● Airliners are relatively safe (for now)
The above pdf is a good read.
In court documents filed last week, prosecutors said there is evidence to support the theory Tipton used his privileged position inside the lottery association to enter a locked room that housed the random number generating computers and infect them with software that allowed him to control the winning numbers. The room was enclosed in glass, could only be entered by two people at a time, and was monitored by a video camera. To prevent outside attacks, the computers aren’t connected to the Internet. Prosecutors said Tipton entered the so-called draw room on November 20, 2010, ostensibly to change the time on the computers. The cameras on that date recorded only one second per minute rather than running continuously like normal.
via Prosecutors suspect man hacked lottery computers to score winning ticket | Ars Technica.
Attribution Is Difficult If Not Impossible
First off, we have to say that attribution in breaches is difficult. Assertions about who is behind any attack should be treated with a hefty dose of skepticism. Skilled hackers use proxy machines and false IP addresses to cover their tracks or plant false clues inside their malware to throw investigators off their trail. When hackers are identified and apprehended, it’s generally because they’ve made mistakes or because a cohort got arrested and turned informant.
Nation-state attacks often can be distinguished by their level of sophistication and modus operandi, but attribution is no less difficult. It’s easy for attackers to plant false flags that point to North Korea or another nation as the culprit.
via The Evidence That North Korea Hacked Sony Is Flimsy | WIRED.
A list of previous Sony Hacks here.
“It’s really a phenomenally awesome hack—they completely owned this company,” Schneier, who is regularly consulted by the federal government on security issues, said. “But, I think this is just a regular hack. All the talk, it’s hyperbole and a joke. They’re [threatening violence] because it’s fun for them—why the hell not? They’re doing it because they actually hit Sony, because they’re acting like they’re 12, they’re doing it for the lulz, no one knows why.”
via Bruce Schneier: Sony Hackers ‘Completely Owned This Company’ | Motherboard.
Unless you know how the infiltrators got into Sony’s system, there is no way of figuring out who is behind the hack. So far, details of this have been lacking, and as far as potential culprits targeting Sony go, North Korea is probably the least capable from an education and logistics standpoint. Social engineering, getting people inside Sony to cooperate, is usually behind successful infiltrations. Sony’s PlayStation network was taken down a while ago. I suspect whoever did that is probably behind this, despite what movie is about to be released soon.