
Tag: CCTV

The cost of launching a DDoS attack

Almost anyone can fall victim to a DDoS attack.

They are relatively cheap and easy to organize, and can be highly effective if reliable protection is not in place.

Based on analysis of the data obtained from open sources, we managed to find out the current cost of a DDoS attack on the black market. We also established what exactly the cybercriminals behind DDoS attacks offer their customers.

Nest CCTV cameras can be easily blacked out by Bluetooth burglars

So far, no patch available to the public

Nest's Dropcam and Dropcam Pro security cameras can be wirelessly attacked via Bluetooth to crash and stop recording footage.

This is perfect for burglars and other crooks who want to knock out the cams moments before robbing a joint.…

New(ish) Mirai Spreader Poses New Risks

A cross-platform win32-based Mirai spreader and botnet is in the wild and previously discussed publicly. However, there is much information confused together, as if an entirely new IoT bot is spreading to and from Windows devices.

This is not the case.
Instead, an accurate assessment is that a previously active Windows botnet is spreading a Mirai bot variant.

Scottish court issues damages to couple over distress caused by neighbour’s...

Personal data gathering ruled 'intrusive, excessive and unjustified'

A Scottish couple have been awarded damages of more than £17,000 in total for the "extreme stress" they suffered as a result of the "highly intrusive" use of CCTV systems by the owner of a neighbouring property.…

Two Arrested For CCTV Camera Hack On Washington, DC

A British man and Swedish woman have reportedly been arrested in the UK for the cyberattack ahead of Trump's inauguration.

Ransomware Attack On CCTV Cameras In Washington DC Ahead Of Trump...

Around 70% of public surveillance cameras were found non-functional due to attack by two ransomware variants.

DC police surveillance cameras were infected with ransomware before inauguration

Malware seized 70 percent of DC police DVRs a week before Trump’s inauguration.

Ransomware disrupts Washington DC’s CCTV system

About 70 percent of the cameras hooked up to the police’s closed-circuit TV (CCTV) system in Washington, D.C., were reportedly unable to record footage for several days before President Trump’s inauguration due to a ransomware attack. The attack affected 123 of the 187 network video recorders that form the city’s CCTV system, the Washington Post reported Saturday.

Each of these devices is used to store video footage captured by up to four cameras installed in public spaces.

Ransomware killed 70% of Washington DC CCTV ahead of inauguration

Huge ransomware. The best ransomware. Ransomware fixed with a wipe-and-restore

Criminals infected 70 percent of storage devices tied to closed-circuit TVs in Washington DC eight days before the inauguration of President Donald Trump.…

Digital video recorder installers master password list ‘leaked’ – claims

If true, we're talking remote viewing of people's CCTV cams

Xiongmai, the vendor behind many Mirai-vulnerable DVRs, has earned the consternation of security watchers once again. The vendor's 2017 list of superuser passwords for certain DVRs – designed only for CCTV installers to access customer installations – appears to have leaked online. "If the creds are what we think they are, they may be enough to remotely take over certain CCTV systems," Ken Munro, a director at UK security consultancy Pen Test Partners (PTP), told El Reg. "[It's] a bit like Mirai, but the consequence is remote viewing of people's CCTV cameras." PTP found the leaked list on the LinkedIn page for a CCTV installer in Nigeria.

This list, which covers login credentials for the rest of 2017, is essentially a one-time pad or per-day superuser password for a DVR service. One-time pads are only effective if they are shared in complete confidence and not reused. Mikko Hyppönen, CRO of security software firm F-Secure, has since noted the same documents elsewhere on the internet. The document references XMEye, a cloud service offered by ZY Security for remotely accessing DVR video streams. "The service only appears available to certain DVR types, which we can't find on sale outside of China," according to Munro. "[We] still haven't successfully attributed the creds, but this is yet another massive Xiongmai DVR fail." Some private forums and the vendor suggest that they're local, but the document suggests it's for a web service.

The vendor involved has acknowledged the bug in private support channels without publicly confirming the problem. PTP would have to ship in a DVR from China to assess the scope of the problem, but it's already clear that mistakes have been made. "Sharing superuser account credentials with installers and expecting them not to leak is asking for trouble," Munro said. PTP came across the leaked list during its ongoing research into the security of DVRs for CCTV systems. Munro said PTP has seen undocumented hidden superuser accounts on some other similar DVRs. El Reg invited Xiongmai to comment on the credential leak on Monday. We're yet to hear back but we'll update this story as and when we hear more.

In the meantime – and despite notification by El Reg and others – the leaked credentials remain online. PTP went public on the issue with a blog post late on Tuesday. Xiongmai makes components (motherboards, network modules and more) for security surveillance systems, CCTVs and associated video recorders. ®

Another Massive DDoS Closes Out 2016, But Mirai Not To Blame

Using a new malware variant called Leet, the 650 Gbps DDoS attack matched Mirai's floods of traffic.

This past year has been one for the record books when it comes to distributed denial of service (DDoS) attacks, so it is only proper that 2016 closes out with news of another massive DDoS attack, reported by Imperva researchers.

According to them, the Imperva Incapsula network was forced to mitigate a 650 Gbps DDoS attack just a few days before Christmas. One of the largest DDoS attacks on record, this particular assault is notable because it strayed from the bad guys' recent DDoS playbook.

For much of the year, attackers have been testing the bounds of DDoS traffic-pushing capabilities using the advanced Mirai botnet, which consists of hijacked IoT devices.

This time around, Imperva researchers say the holiday attack came at the hands of a new malicious network it calls Leet Botnet. Earlier this fall, Mirai was behind the 620 Gbps attack against KrebsOnSecurity.com, a 990 Gbps attack against French hosting provider OVH that reportedly utilized a network that could have been capable of pushing up to 1.5 Tbps in malicious traffic, and the massive DDoS in October against DNS provider Dyn that reached an estimated 1.2 Tbps in malicious traffic.

To pull off these attacks, Mirai primarily relied on tens of thousands of IoT devices, most of which were compromised CCTV cameras and DVR machines. Imperva researchers report that spoofed IPs make it impossible to figure out what kind of devices carried out the Christmas attack.

Their analysis of the payload does at least lead them to conclusively determine it was another botnet wreaking havoc. "So far, all of the huge DDoS attacks of 2016 were associated with the Mirai malware," wrote Avishay Zawoznik and Dima Bekerman of Imperva. "However, the payload characteristics clearly show that neither Mirai nor one of its more recent variants was used for this assault." Like many recent DDoS attacks, the Leet Botnet used a combination of both large and small SYN packet sizes "to both clog network pipes and bring down network switches," the pair wrote.

The smaller packets were used to push up packet rates up past 150 million packets per second (Mpps), while the larger ones were used to increase the overall attack capacity.
Imperva dubbed the botnet Leet because of a 'signature' left in some of the TCP Options headers of the smaller packets that spelled out "1337."

What really interested researchers, though, was Leet's larger payloads, which were populated by shredded lists of IP addresses that indicated Leet was accessing local files of compromised devices and scrambling them up to generate its payloads. "Basically, the entire attack was just a mishmash of pulverized system files from thousands upon thousands of compromised devices," Zawoznik and Bekerman wrote. "It makes for an effective obfuscation technique that can be used to produce an unlimited number of extremely randomized payloads. Using these payloads, an offender can circumvent signature-based security systems that mitigate attacks by identifying similarities in the content of network packets."

This year we saw DDoS attacks escalate to record heights and these high-powered botnets are a symptom of the times.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
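The Leet description above makes a practical point for defenders: when every large payload is a scrambled fragment of some compromised device's file system, matching on payload content finds nothing, so detection has to key on behaviour (SYN rate, the unusual mix of tiny and very large SYN packets) plus whatever fixed marker the attacker left (here, "1337" in the TCP options). The following script is an added example written for this page, not Imperva's code or part of the article. The packet records, the thresholds and the window sizes are all constructed for illustration; real floods run orders of magnitude faster than the synthetic sample.

```python
"""Flag a Leet-style SYN flood from per-packet metadata, using signals that survive
payload randomisation. Sample packets and thresholds are constructed for this example."""
import hashlib
import math
import random
from collections import Counter

# Illustrative thresholds for the example, not production tuning values.
SYN_RATE_THRESHOLD = 1000.0   # SYNs per second within one window
SMALL_MAX = 64                # bytes: tiny SYNs drive the packet rate up
LARGE_MIN = 500               # bytes: oversized SYNs drive the bandwidth up
LEET_MARKER = b"1337"         # ASCII signature Imperva reported in the TCP options


def has_leet_marker(tcp_options: bytes) -> bool:
    """True if the raw TCP options bytes carry the '1337' marker."""
    return LEET_MARKER in tcp_options


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Scrambled file fragments score near 8; structured text much lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze_window(packets, window_seconds: float) -> dict:
    """Summarise one time window of packet records into flood indicators.

    Each record is a dict with keys: flags (str), size (int), tcp_options (bytes), payload (bytes).
    """
    syns = [p for p in packets if p["flags"] == "S"]
    if not syns:
        return {"verdict": "no-syn-traffic"}
    n = len(syns)
    small = sum(1 for p in syns if p["size"] <= SMALL_MAX)
    large_payloads = [p["payload"] for p in syns if p["size"] >= LARGE_MIN]
    marked = sum(1 for p in syns if has_leet_marker(p["tcp_options"]))
    # Content-based similarity: with shredded payloads almost every packet hashes differently,
    # which is exactly why a payload signature would never fire.
    distinct = len({hashlib.sha256(pl).digest() for pl in large_payloads})
    summary = {
        "syn_rate": n / window_seconds,
        "small_fraction": small / n,
        "large_fraction": len(large_payloads) / n,
        "marker_fraction": marked / n,
        "mean_payload_entropy": (sum(map(shannon_entropy, large_payloads)) / len(large_payloads))
        if large_payloads else 0.0,
        "distinct_payload_fraction": (distinct / len(large_payloads)) if large_payloads else 0.0,
    }
    flood = summary["syn_rate"] > SYN_RATE_THRESHOLD
    bimodal = summary["small_fraction"] > 0.2 and summary["large_fraction"] > 0.2
    summary["verdict"] = "leet-style-syn-flood" if flood and (bimodal or marked > 0) else "benign"
    return summary


def build_sample(flood: bool, seed: int = 1337) -> list:
    """Construct a window of packet records (synthetic, not captured traffic).

    flood=True mimics Leet's mix of tiny marked SYNs and large SYNs stuffed with
    scrambled file fragments; flood=False is a quiet trickle of ordinary handshakes.
    """
    rng = random.Random(seed)
    mss_option = b"\x02\x04\x05\xb4"  # a normal MSS option, as a plausible options field
    if not flood:
        return [{"flags": "S", "size": 60, "tcp_options": mss_option, "payload": b""} for _ in range(5)]
    pkts = [{"flags": "S", "size": 44, "tcp_options": mss_option + LEET_MARKER, "payload": b""}
            for _ in range(300)]
    for _ in range(200):
        frag = bytes(rng.getrandbits(8) for _ in range(900))  # stand-in for pulverised file data
        pkts.append({"flags": "S", "size": 40 + len(frag), "tcp_options": b"", "payload": frag})
    return pkts


if __name__ == "__main__":
    for label, flood in (("benign", False), ("flood", True)):
        print(label, analyze_window(build_sample(flood), window_seconds=0.1))
```

The entropy and distinct-payload figures are reported rather than used in the verdict on purpose: they show why content matching fails here, while the verdict rests on rate, size mix and the options marker, which a botnet author can change but which are at least visible in flight.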

Stealing, scamming, bluffing: El Reg rides along with pen-testing ‘red team...

Broad smiles, good suits and fake IDs test security in new dimensions

FEATURE "Go to this McDonald's," Chris Gatford told me. "There's a 'Create Your Taste' burger-builder PC there and you should be able to access the OS.

Find that machine, open the command prompt and pretend to do something important. I'll be watching you." Gatford instructed your reporter to visit the burger barn because he practices a form of penetration testing called "red teaming", wherein consultants attack clients using techniques limited only by their imagination, ingenuity, and bravado. He wanted me to break the burger-builder to probe my weaknesses before he would let The Register ride along on a red-team raid aimed at breaking into the supposedly secure headquarters of a major property chain worth hundreds of millions of dollars. Before we try for that target, Gatford, director of penetration testing firm HackLabs, wants to know if I will give the game away during a social engineering exploit.

[Image: Chris Gatford (Darren Pauli / The Register)]

So when the McDonald's computer turns out to have been fixed and my fake system administrator act cancelled, we visit an office building's lobby where Gatford challenges me to break into a small glass-walled room containing a shabby-looking ATM. I can't see a way into the locked room.
I think I see a security camera peering down from the roof, but later on I'm not sure I did.
I can't think of a way in and I'm trying to look so casual I know I'm certain to look nervous. Time's up.

Gatford is finished with the lobby clerk. He asks how I would get in, and hints in my silence that the door responds to heat sensors. I mutter something stupid about using a hair dryer.

Gatford laughs and reminds me about heat packs you'd slip into gloves or ski boots. "Slide one of those under the crack," he says. I've failed that test but stayed cool, so Gatford decides he's happy to have me along on a red-team raid, if only because red teams seldom face significant resistance. "At the end of the day, people just want to help," Gatford says.

Red alert

Costume is therefore an important element of a red team raid.

For this raid, our software exploits are suits and clipboards.
Sometimes it's high-visibility tradie vests, hard hats, or anything that makes a security tester appear legitimate. Once dressed for the part, practitioners use social-engineering skills to manipulate staff into doing their bidding.

Fans of Mr Robot may recall an episode where the protagonist uses social engineering to gain access to a highly secure data centre; this is red teaming stylised.

Think a real-world capture the flag where the flags are located in the CEO's office, the guard office, and highly secure areas behind multiple layers of locked doors. By scoring flags, testers demonstrate the fallibility of physical defences. Only one manager, usually the CEO of the target company, tends to know an operation is afoot. Limited knowledge, or black-box testing, is critical to examine the real defences of an organisation. Red teamers are typically not told anything outside of the barebones criteria of the job, while staff know nothing at all.
It catches tech teams off guard and can make them look bad.

Gatford is not the only tester forced to calm irate staff with the same social engineering manipulation he uses to breach defences. Red teamers almost always win, pushing some to more audacious attacks. Vulture South knows of one Australian team busted by police after the black-clad hackers abseiled down from the roof of a data centre with Go-Pro cameras strapped to their heads. Across the Pacific, veteran security tester Charles Henderson tells of how years back he exited a warehouse after a red-teaming job. "I was walking out to leave and I looked over and saw this truck," Henderson says. "It was full of the company's disks ready to be shredded.

The keys were in it." Henderson phoned the CEO and asked if the truck was in-scope, a term signalling a green light for penetration testers.
It was, and if it weren't for a potential call to police, he would have hopped into the cab and driven off. Henderson now leads Dell's new red-teaming unit in the United States, which he also built from the ground up. "There are some instances where criminal law makes little distinction between actions and intent, placing red teams in predicaments during an assignment, particularly when performing physical intrusion tasks," Nathaniel Carew and Michael McKinnon from Sense of Security's Melbourne office say. "They should always ensure they carry with them a letter of authority from the enterprise." Your reporter has, over pints with the hacking community, heard many stories of law enforcement showing up during red-team ops. One Australian was sitting off a site staring through a military-grade sniper scope, only to have a cop tap on the window.

Gatford some years ago found himself face-to-face in a small room with a massive industrial furnace while taking a wrong turn on a red-team assignment at a NSW utility. He and his colleagues were dressed in suits.

Another tester on an assignment in the Middle East was detained for a day by AK-47-wielding guards after the CEO failed to answer the phone. Red teamers have been stopped by police in London, Sydney, and Quebec, The Register hears. One of Australia's notably talented red teamers told of how he completely compromised a huge gaming company using his laptop and mobile phone. Whether red teaming on site or behind the keyboard, the mission is the same: breach by any means necessary.

Equipment check

A fortnight after the ATM incident, The Register is at HackLabs' Manly office.
It's an unassuming and unmarked door that takes this reporter several minutes to spot. Upstairs, entry passes to international hacker cons are draped from one wall, a collection of gadgets on a neighbouring shelf.

Then there's the equipment area.
Scanners, radios, a 3D printer, and network equipment sit beside identity cards sporting the same face but different names and titles.

There's a PwnPlug and three versions of the iconic Wi-Fi Pineapple over by the lockpicks.

A trio of neon hard hats dangle from hooks. "What do you think?" Gatford asks.
It's impressive; a messy collection of more hacking gadgets than this reporter had seen in one place, all showing use or in some stage of construction.

This is a workshop of tools, not toys. In his office, Gatford revealed the target customer. The Register agrees to obscure the client's name, and any identifying particulars, so the pseudonym "Estate Brokers" will serve.

Gatford speaks of the industry in which it operates, Brokers' clientele, and their likely approach to security. The customer has multiple properties in Sydney's central business district, some housing clients of high value to attackers.
It has undergone technical security testing before, but has not yet evaluated its social engineering resilience. The day before, Gatford ran some reconnaissance of the first building we are to hit, watching the flow of people in and out of the building from the pavement. Our targets, he says, are the bottlenecks like doors and escalators that force people to bunch up. He unzips a small suitcase revealing what looks like a large scanner, with cables and D-cell batteries flowing from circuit boards. "It's an access card reader", Gatford says.
It reads the most common frequencies used by the typically white rigid plastic door entry cards that dangle from staffer waists.

There are more secure versions that this particular device does not read without modification. "No one uses the secure stuff, mate," Gatford says with the same half-smile worn by most in his sector when talking about the pervasive unwillingness to spend on security. I point to a blue plastic card sleeve that turns out to be a SkimSAFE FIPS 201-certified anti-skimming card protector.

Gatford pops an access card into it and waves it about a foot in front of the suitcase-sized scanner.
It beeps and card number data flashes up on a monitor. "So much for that," Gatford laughs. He taps away at his Mac, loading up Estate Brokers' website. "We'll need employee identity cards or we'll be asked too many questions," Gatford says. We are to play the role of contractors on site to conduct an audit of IT equipment, so we will need something that looks official enough to pass cursory inspection. The company name and logo image is copied over, a mug shot of your reporter snapped, and both are printed on a laminated white identity card.

Gatford does the same for himself. We're auditors come to itemise Estate Brokers' security systems and make sure everything is running. "We should get going," he says as he places hacking gear into a hard shell suitcase.
So off we go.

Beep beep beep beepbeepbeep

Our attack was staged in two parts over two days.

Estate Brokers has an office in a luxurious CBD tower. We need to compromise that in order to breach the second line of defences. We'll need an access card to get through the doors, however, and our laptop-sized skimmer, which made a mockery of the SkimSAFE gadget, will be the key. It is 4:32pm and employees are starting to pour out of the building.

Gatford hands me the skimmer concealed in a very ordinary-looking laptop bag. "Go get some cards," he says. Almost everyone clips access cards on their right hip.
If I can get the bag within 30cm of the cards, I'll hear the soft beep I've been training my ear to detect that signals a successful read. Maybe one in 20 wear their access cards like a necklace. "Hold your bag in your left hand, and pretend to check the time on your watch," Gatford says.

That raises the scanner high enough to get a hit. I'm talking to no one on my mobile as I clumsily weave in and out of brisk walking staff, copping shade from those whose patience has expired for the day.

Beep.

Beep.

Beep, beep, beep, beep, beepbeepbeepbeep.

There are dozens of beeps, far too many to count.

Then we enter a crowded lift and it's like a musical.
It's fun, exhilarating stuff.

The staff hail from law firms, big tech, even the Federal Government.

And we now have their access cards. Estate Brokers is on level 10, but we need a card to send the lift to it. No matter, people just want to help, remember? The lady in the lift is more than happy to tap her card for the two smiling blokes in suits.

Gatford knows the office and puts me in front. "Walk left, second right, second left, then right." I recite it. With people behind us, I walk out and start to turn right, before tightening, and speeding up through the security door someone has propped open. We enter an open-plan office. "They are terrible for security," I recall Gatford saying earlier that day.
It allows attackers to walk anywhere without the challenge of doors. Lucky for us.

Gatford takes the lead and we cruise past staff bashing away their final hour in cubicles, straight to the stationery room. No one is there as Gatford fills a bag with letter heads and branded pens, while rifling through for other things that could prove useful. We head back to the lobby for a few more rounds of card stealing. Not all the reads come out clean, and not all the staff we hit are from Estate Brokers, so it pays to scan plenty of cards. "Look out for that guard down there," Gatford says, indicating the edge of the floor where a security guard can be seen on ground level. "Tell you what, if you can get his card, I'll give you 50 bucks." "You're on," I say. The guard has his card so high on his chest it is almost under his chin.

At this point I think I'm unbeatable so after one nerve-cooling circuit on the phone, I walk up to him checking my watch with my arm so high I know I look strange.
I don't care, though, because I figure customer service is a big thing in the corporate world and he'll keep his opinions to himself.
I ask him where some made-up law firm is as I hear the beep.

Silver tongue

It is 8:30am the next day and I am back in Gatford's office. We peruse the access cards. He opens up the large text file dump of yesterday's haul and tells me what the data fields represent. "These are the building numbers; they cycle between one and 255, and these are the floor numbers," he says.

There are blank fields and junk characters from erroneous scans. He works out which belong to Estate Brokers and writes them to blank cards.

They work. More reconnaissance.

Estate Brokers has more buildings that Gatford will test after your reporter leaves. He fires up Apple Maps, and Google Maps Street View. With the eyes of a budding red teamer I am staggered by the level of detail it offers.

Apple is great for external building architecture, like routing pathways across neighbouring rooftops, Gatford says, while Google lets you explore the front of buildings for cameras and possible sheltered access points.
Some mapping services even let you go inside lobbies. Today's mission is to get into the guards' office and record the security controls in place.
If we can learn the name and version of the building management system, we've won.

Anything more is a bonus for Gatford's subsequent report. We take the Estate Brokers stationery haul along with our access cards and fake identity badges and head out to the firm's second site. But first, coffee in the lobby. We chat about red teaming, about how humans are always the weakest link. We eat and are magnanimous with the waiting staff.

Gatford gets talking to one lady and says how he has forgotten the building manager's name. "Jason sent us in," he says, truthfully. Jason is the guy who ordered the red team test, but we don't have anything else to help us.

The rest is up to Gatford's skills. It takes a few minutes for the waitress to come back.

The person who she consulted is suspicious and asks a few challenging questions. Not to worry, we have identity cards and Gatford is an old hand.
I quietly muse over how I would have clammed up and failed at this point, but I'm happily in the backseat, gazing at my phone. We use the access cards skimmed the day earlier to take the lift up to an Estate Brokers level.
It is a cold, white corridor, unkempt, and made for services, not customers.

There's a security door, but no one responds to our knocks.

There are CCTV cameras. We return down to the lobby. Michael is the manager Gatford had asked about. He is standing at the lifts with another guy, and they greet us with brusque handshakes, Michael's barely concealed irritation threatening to boil over in response to our surprise audit. He rings Jason, but there's no answer.
I watch Gatford weave around Michael's questions and witness the subtle diffusion.
It's impressive stuff. Michael says the security room is on the basement level, so we head back into the lift and beep our way down with our cards. This room is lined with dank, white concrete and dimly lit. We spy the security room beaming with CCTV. "Don't hesitate, be confident," Gatford tells me. We stride towards the door, knock, and Gatford talks through the glass slit to the guard inside. Gatford tells him our story. He's a nice bloke, around 50 years old, with a broad smile.

After some back-and-forth about how Jason screwed up and failed to tell anyone about the audit, he lets us in. My pulse quickens as Gatford walks over to a terminal chatting away to the guard.

There are banks of CCTV screens showing footage from around the building.

A pile of access cards.
Some software boxes. I hear the guard telling Gatford how staff use remote desktop protocol to log in to the building management system, our mission objective. "What version?" Gatford asks. "Uh, 7.1.
It crashes a lot." Bingo.

[Image: Day one, heading up in a crowded lift. Shot with a pen camera]

I look down and there are logins scrawled on Post-it notes. Of course.
I snap a few photos while their backs are turned. Behind me is a small room with a server rack and an unlocked cabinet full of keys.
I think Gatford should see it so I walk back out and think of a reason to chat to the guard.
I don't want to talk technology because I'm worried my nerves will make me say something stupid.
I see a motorbike helmet. "What do you ride?" I ask. He tells me about his BMW 1200GS. Nice bike.
I tell him I'm about ready to upgrade my Suzuki and share a story about a recent ride through some mountainous countryside. Gatford, meanwhile, is out of sight, holed up in the server room snapping photos of the racks and keys. More gravy for the report. We thank the guard and leave.
I feel unshakably guilty.

From the red to the black

Gatford and I debrief over drinks, a beer for me, single-malt whiskey for him. We talk again about how the same courtesy and acquiescence to the customer that society demands creates avenues for manipulation. It isn’t just red teamers who exploit this; their craft is essentially ancient grifts and cons that have ripped off countless gullible victims, won elections or made spear phishing a viable attack. I ask Gatford why red teaming is needed when the typical enterprise fails security basics, leaving old application security vulnerabilities in place, forgetting to shut down disused domains and relying on known bad practice checkbox compliance-driven audits. "You can't ignore one area of security just to focus on another," he says. "And you don't do red teaming in isolation."

Carew and McKinnon agree, adding that red teaming is distinct from penetration testing in that it is a deliberately hostile attack through the easiest path to the heart of organisations, while the former shakes out all electronic vulnerabilities. "Penetration testing delivers an exhaustive battery of digital intrusion tests that find bugs from critical, all the way down to informational... and compliance problems and opportunities," they say in a client paper detailing aspects of red teaming [PDF]. "In contrast, red teaming aims to exploit the most effective vulnerabilities in order to capture a target, and is not a replacement for penetration testing as it provides nowhere near the same exhaustive review." Red teaming, they say, helps organisations to better defend against competitors, organised crime, and even cops and spies in some countries. Gatford sells red teaming as a package.

Australia's boutique consultancies, and those across the ditch in New Zealand, pride themselves on close partnerships with their clients.

They point out the holes, and then help to heal.

They offer mitigation strategies, harass vendors for patches, and help businesses move bit by bit from exposed to secure. For his part, Gatford is notably proud of his gamified social engineering training, which he says is designed to showcase the importance of defence against the human side of security, covering attacks like phishing and red teaming. He's started training those keen on entering red teaming through a three-day practical course. "Estate Brokers", like others signing up for this burgeoning area of security testing, will go through that training.

Gatford will walk staff through how he exploited their kindness to breach the secure core of the organisation. And how the next time, it could be real criminals who exploit their willingness to help. ®