US Gas Pump Hacked With 'Anonymous' Tagline
An anonymous reader writes: Researchers at Trend Micro have uncovered a gas pump in the United States whose ID has been changed from 'DIESEL' to 'WE_ARE_LEGION' — the call-sign of the Anonymous hacking group. Following up recent revelations regarding the vulnerability of gas pump systems to online attackers, the researchers found 1,515 completely unprotected gas pump monitoring devices via the Shodan device-based search engine. The report notes that the exposed devices are capable of being protected via six-digit PINs, but this security measure is not being used. The report concludes: "Our investigation shows that the tampering of an Internet-facing device resulted in a name change. But sooner or later, real world implications will occur, causing possible outages or even worse."
But... (Score:5, Insightful)
Re: (Score:2)
3. Go to Guantanamo. Go directly to Guantanamo. Do not pass Go. Do not collect $200 billion.
Re: (Score:1)
Guantanamo? Pasty basement script-kiddies aren't going to Guantanamo; that's for the jihadists.
Jihadists? Guantanamo isn't for jihadists; it's for the drivers and cooks and possible past neighbors of jihadists.
Re: (Score:2)
How do you know? Who is there and why is a secret! Anybody could be in Guantanamo if you can't find them!
Re: (Score:3)
Gitmo isn't a secret prison. That's not where they send the people who they really want to keep hidden. The real point of Gitmo is storage of people who they don't want to give a civilian trial to, not secret incarceration.
Those secret prisoners that we have are likely located in places where the media and general population aren't talking about.
Butt, butt... Re:But... (Score:1)
Those secret prisoners that we have are likely located in places where the media and general population aren't talking about.
Ah, you must mean the basement restrooms of MSNBC and Fox News. I never hear anyone talking about those places on the air or at the water-cooler, and it makes you wonder what is really happening down there.
Re: (Score:2)
Guantanamo is for everyone who threatens the status qu... huh? Damn, 2015, really?
Uh... disregard 'til 2018, ok?
Re: (Score:2)
What makes you think it will change in 2018?
Re: (Score:2)
What makes you think it will change in 2018?
The new candidates will campaign on a platform of "change" and presumably will pledge to close gitmo. Oh wait....shit.
Re: (Score:3)
3. Go to Guantanamo. Go directly to Guantanamo. Do not pass Go. Do not collect $200 billion.
What do you mean? Isn't Guantanamo all about collecting $200 billion?
Re: (Score:2)
More like:
1. Buy a gasoline refinery
2. Jack up the market price immediately when oil futures rise
3. Delay dropping the price when the futures drop.
4. Too big to fail PROFIT!!!
Re: (Score:3)
From the article photo, it looks like the 'pump' is actually some sort of monitoring device used to track how much gas/diesel is in the storage tanks. I imagine that gets used by suppliers to anticipate delivery requirements.
I don't know if the same system is used to control the pricing at the customer pumps, and the article doesn't make it clear. I'd guess that since this was published there are going to be some who will be trying it out though.
Re: (Score:2)
From the article photo, it looks like the 'pump' is actually some sort of monitoring device used to track how much gas/diesel is in the storage tanks. I imagine that gets used by suppliers to anticipate delivery requirements.
I don't know if the same system is used to control the pricing at the customer pumps, and the article doesn't make it clear. I'd guess that since this was published there are going to be some who will be trying it out though.
Depends on the monitoring device. Some of the monitoring devices connect to both the pumps and the tanks so that you can compare how much gas was pumped vs how much gas is left in the tank. Although it is not 100% accurate, if there are leaks or pumps that are way out of calibration, the device might be the first indication that there is a problem. And yes, the major use is to track how many times a tanker needs to come by and fill up the storage tanks.
On systems with Pay-at-the-Pump that take credit/debit
Re: (Score:2)
If you are going to go to that trouble, why not just attach a skimmer to the credit card reader?
How about skewing local wholesale prices? (Score:2)
What if the storage tank levels and their consumption rates were aggregated and reported to distributors or refiners, and these demand indicators helped set local wholesale prices by some kind of automated system?
I'm guessing gas prices are mostly "set" by the price of a barrel of oil (or some regional crude oil price), but even if retail inventory wasn't used for calculating price it may be used to influence regional refinery production which could influence price (ie, demand appears slack, refinery output
Re: (Score:2)
Yes, but you have to have substantial capital to use as influence in the commodities market and perhaps a connection to some mercenaries in an oil-rich country, primarily in the middle east.
Re: (Score:3)
Dude, you got it wrong. If you talk to god, it's called prayer. If god talks to you, it's called psychosis.
Re: (Score:3)
I dunno, allowing someone to do open heart surgery on me who already once botched a similar operation concerning a rib transplant...
Re: (Score:3)
Or, and I'm just spitballing here, people could not commit a crime or go somewhere they're not supposed to be.
You know, personal responsibility, do unto others and all that other crap I keep reading on here about how we're supposed to be caring and understanding of our fellow humans.
If you think it's acceptable for someone to do whatever they want to someone else's property/equipment and not expect to be penalized, then I will be sure to do the same to you and expect the same treatment.
Re: (Score:2)
Re: (Score:2)
What negligence? You mean someone left their door unlocked and they deserve to have their stuff stolen? You're blaming the victim?
As I said in my initial post, how about people not steal other people's stuff or go places they shouldn't be? Or is personal responsibility being cast to the dustbin of history?
You can try to spin it all you want, but in the end it comes down to one thing: people doing things they shouldn't be doing in the first place.
Re: (Score:2)
Internet of Things (Score:5, Insightful)
Can't wait to have internet connected devices all over my house!
Re: (Score:2)
Re: (Score:2)
To be fair, if the manufacturers of the devices you have in your house are as competent as the manufacturers of the devices compromised here,
How much hope for security do you have in a system which has no password by default, and limits the password to a six-digit numeric code? You don't think that system is vulnerable all over the place?
Re: (Score:2)
but even a weak security measure is better than none at all
At least the vendors put *some* thought into security. These systems are intended to be accessed via other systems which often have a numeric keypad as their only source of input, so it actually makes sense that the password would be so limited; it's stronger than your ATM PIN, which is really only secure because it's backed by somewhat robust intrusion detection (fail your PIN 3 times, ATM keeps the card, attack stops).
Mind you, there are ways around that, but it's enough to stop most attackers, as the d
Re: (Score:2)
IMO shipping with *no* default password is safer than shipping with, say, the same default on all devices or a default based on the device's serial number, which seems to be the norm lately; at least then you *know* it's not actually protected. Default passwords provide a false sense of security to people who don't realize that everyone and their mother has the means to find out what that password is; it's the equivalent to no password at all, without the benefit of being so obviously insecure.
If you're trying to help incompetent people, it's better to not let the device operate until they set up a password (and then not let them use any password that shows up on a 'thousand most common passwords' list).
If you don't have time to do it the right way now, when will you find time to fix it?
Nice sig.
Re: (Score:2)
In the "Internet of Things" world (Score:5, Insightful)
Anonymous owns your fridge, your eighty thousand pound Tesla, your PACEMAKER.
Take your Internet of Things and stick it up your arse. My shit might be stone age, but I OWN IT.
Comment removed (Score:4, Funny)
Re: (Score:2)
oh snap! lol you nearly had me up until the Mt. Gox thing.
Well played.
Re: (Score:1)
Re: (Score:2)
I don't know, I've found my Internet connected pacemaker to be pretty useful, gives me stats, automatically informs my doctor if there's a problem, it's nice. And there is good security with a password and full logging, as anyone browsing to http //172.16.54.138/admin.php?include=/usr/share/www/basic-authentication.php&log=/home/pacemaker/default.log&addlog=2015-02-12%2011:21:00%20Initiated%20login can clearly see.
Best part: the guy who wrote the software apparently used to work for what was, until
Re: (Score:3)
My shit might be stone age, but I OWN IT.
Uh.... Monsanto's on the line, they want to have a word with you...
Re: (Score:2)
I'd respond with something witty but I'm laughing too fuckin' hard! :D
Re: (Score:2)
You may be laughing, but I'm fairly sure their lawyers are already finding out whether they can slap you with a fine for not paying for those "derived works" you create with their product.
Re:In the "Internet of Things" world (Score:4, Funny)
My shit might be stone age
Damn, what the hell have you been eating?
Re:In the "Internet of Things" world (Score:5, Funny)
Paleo diet strikes again....
Re: (Score:2)
Yep, people think I am crazy for being stone age with old stuff (Casio Data Bank 150 watch, analog bone conduction hearing aid, KVM from Y2K for VGA and PS/2 stuff, analog speakers, VCR, CRT TV, etc.) I still use. They still work for me, so why do I need newer stuff?
Re: (Score:2)
dude, CDB150?? My watch is powered by a spring! The most advanced bit on it is the slide rule bezel. Which for some reason pushes its insurable value to ridiculous.
Re: (Score:2)
But can it do math, record appointments, alarms, stopwatch, keep phone numbers, etc.?
Re: (Score:2)
it does math, it has a stopwatch, and there is even a built-in ability to navigate anywhere on the planet without the need to download maps.
Re: (Score:2)
Yeah? Show me.
Re: (Score:2)
here it is: http://www.leguidedesmontres.c... [leguidedesmontres.com]
It is a beautiful piece of kit. Stupendously accurate, reassuringly ticktickticktick in a quiet room (I say it's too noisy if I can't hear my watch!), and since I was given it I've never had to pick up my calculator. Or my Tomtom. I can use just what you see there to pinpoint my location down to 17 yards within less time than it takes my Tomtom to lock in.
Re: (Score:2)
Cool, but where is the phonebook, calendar, etc.? :P
Re: (Score:2)
didn't say it had those... but that's nothing a folded slip of paper under the case won't fix ;)
Re: (Score:2)
Bah. Useless then. Pretty, but useless.
Re: (Score:2)
say that when your battery dies. :)
Re: (Score:2)
:P
Wrong summary title (Score:5, Informative)
TFA says that a Gas Pump Monitoring device was hacked, and the pic in TFA shows a screen capture from an inventory system. No mention is made of a Gas Pump being hacked. Thus the headline of TFS stating that a gas pump was hacked is pure click bait.
Re: (Score:2)
OK... well after posting my comment I read the TFA again and saw that the headline of the TFA says gas pump and the body of the TFA says gas pump monitoring system. So there is confusion all over the place in TFA.
But when you dig down into the report that TFA refers to, you find that the heading of that is Is Anonymous Attacking Internet Exposed Gas Pump Monitoring Systems in the US?
So even though my comment was a bit sloppy, the context of the story was changed between the original report and TFA.
Nooooooo!!!!! (Score:1)
Like setting gas to $0.01 a gallon.
We Are Legion? (Score:2)
Re: (Score:1)
Reference, obviously. Anonymous is a legion of evil spirits, liable to possess and drown a herd of swine.
Re: (Score:3)
>>And Jesus asked him, “What is your name?” He replied, “My name is Legion, for we are many.”
Six digit PINs? (Score:3)
I don't get why these devices are on the Internet in the first place. If access is needed to read statistics, have an internal server scoop the info from the SCADA servers, hand it to a DMZ server, and the external applications use SSL with client authentication (both sides authenticate to each other using keys), to fetch the data, or if it has to be a person doing this, have a web server on the DMZ that is accessed via 2FA for this info. If the SCADA boxes have to be controlled through the Internet, then there is always a high security VPN that uses smart cards or USB crypto tokens.
One project I had a few years ago was to get data from manufacturing systems (systems which could be on the Internet, but at best, had security strapped on at the last moment... so they were not secure) to remote receivers. I ended up putting the systems on one isolated subnet with a Linux box that would scan them, then shove the data through a serial port with the Rx line cut (so it could only transmit, not receive.) The machine on the other end of the cable would take the data from the serial port and format it into useful reports, which wound up on a decently secure webserver.
No, this system wasn't fast, but it did the job where info could be read but a blackhat couldn't tamper with the isolated network without physical access.
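The transmit-only serial link described in this post, as an added example that is not the poster's code: with the Rx line cut the receiver can never ask for a resend, so the sender has to frame each record with a sequence number and a CRC, and the receiver has to detect gaps, reject corrupted frames and resynchronise on its own. The frame layout, the DiodeReceiver class and the tank readings are all constructed for the illustration and are not any real gauge's protocol.

```python
import struct
import zlib

# Frame layout, constructed for this example (not a real device protocol):
# magic(2) | seq(4, big-endian) | len(2) | payload | crc32(4) over everything before it
MAGIC = b"TK"
HEADER = struct.Struct(">IH")
MAX_PAYLOAD = 256   # bounds the wait for more bytes when a length field is garbage

def encode_frame(seq, payload):
    body = MAGIC + HEADER.pack(seq, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))

class DiodeReceiver:
    """Reassembles frames from a transmit-only serial link. With the Rx line cut
    nothing can be acknowledged or re-requested, so the receiver has to detect
    loss (sequence gaps) and corruption (CRC) on its own and resynchronise."""
    def __init__(self):
        self.buf = b""
        self.expected_seq = None
        self.records, self.gaps, self.corrupt = [], 0, 0

    def feed(self, chunk):
        self.buf += chunk
        while True:
            idx = self.buf.find(MAGIC)
            if idx < 0:
                # keep a trailing 'T' in case the magic is split across chunks
                self.buf = self.buf[-1:] if self.buf.endswith(MAGIC[:1]) else b""
                return
            self.buf = self.buf[idx:]
            if len(self.buf) < 8:
                return                       # header not complete yet
            seq, length = HEADER.unpack(self.buf[2:8])
            if length > MAX_PAYLOAD:
                self.corrupt += 1
                self.buf = self.buf[1:]      # bogus header: slide past this magic
                continue
            total = 8 + length + 4
            if len(self.buf) < total:
                return                       # wait for the rest of the frame
            frame, self.buf = self.buf[:total], self.buf[total:]
            if zlib.crc32(frame[:-4]) != struct.unpack(">I", frame[-4:])[0]:
                self.corrupt += 1
                self.buf = frame[1:] + self.buf   # resync one byte past the false start
                continue
            if self.expected_seq is not None and seq > self.expected_seq:
                self.gaps += seq - self.expected_seq   # frames lost on the wire
            self.expected_seq = seq + 1
            self.records.append(frame[8:-4].decode("ascii", "replace"))

def simulate():
    # Constructed tank-gauge readings; two faults are injected on the "wire".
    readings = [b"TANK1 DIESEL 3412.5", b"TANK2 UNLEADED 5108.0", b"TANK3 PREMIUM 1290.2",
                b"TANK1 DIESEL 3401.7", b"TANK2 UNLEADED 5090.3"]
    frames = [encode_frame(i, r) for i, r in enumerate(readings)]
    bad3 = bytearray(frames[3]); bad3[10] ^= 0xFF              # one payload byte flipped
    wire = frames[0] + frames[1] + bytes(bad3) + frames[4]   # frame 2 never arrives
    rx = DiodeReceiver()
    for i in range(0, len(wire), 5):                         # serial bytes dribble in
        rx.feed(wire[i:i + 5])
    return rx
```

Because the link is one-way, the sender should also repeat its records periodically (the poster's "scan" loop does this naturally); the gap counter then tells the reporting side how much of the picture it is missing rather than silently presenting stale data.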
Re: (Score:2)
TFTFY.
The parts you left out are why you don't grasp why the devices are on the internet.
Re: (Score:2)
The ironic thing is that this setup has been in place for at least seven years, and is still working without issue. Otherwise, I'd definitely be made aware that it was not working.
I'll turn the question around... why does a device have to be onto the Internet if it doesn't have to? I do admit I did a low tech solution without going through extensive third party data diode, firewall, and other offerings... but it has worked without issue or need for upkeep for years now.
Re: (Score:2)
You can't draw a curve through a single point.
Well, the "doesn't have to" represent an assumption on your part. For a lot of things, it's awfully dang convenient, reduces or eliminates, human error, and saves a ton of man
Re: (Score:2)
I don't get why these devices are on the Internet in the first place. If access is needed to read statistics, have an internal server scoop the info from the SCADA servers, hand it to a DMZ server, and the external applications use SSL with client authentication (both sides authenticate to each other using keys), to fetch the data, or if it has to be a person doing this, have a web server on the DMZ that is accessed via 2FA for this info. If the SCADA boxes have to be controlled through the Internet, then there is always a high security VPN that uses smart cards or USB crypto tokens.
One project I had a few years ago was to get data from manufacturing systems (systems which could be on the Internet, but at best, had security strapped on at the last moment... so they were not secure) to remote receivers. I ended up putting the systems on one isolated subnet with a Linux box that would scan them, then shove the data through a serial port with the Rx line cut (so it could only transmit, not receive.) The machine on the other end of the cable would take the data from the serial port and format it into useful reports, which wound up on a decently secure webserver.
No, this system wasn't fast, but it did the job where info could be read but a blackhat couldn't tamper with the isolated network without physical access.
We're talking gas stations here. Frequently these are small businesses with a single location, sometimes operating on a franchise model. Even if you think that the parent franchise should be pushing high security standards, there are a lot of independent 1-location operators out there. They aren't going to be set up the same as an industrial plant. Berating them for that is a bit silly.
Re: (Score:1)
The devices are installed by the oil company/credit card processor (yes, they're usually one and the same). The fuel stations are run by people (either owner/operators or corporate employees) who have skill sets in things other than network administration. They probably never read the manual that came with the devices.
Re: (Score:2)
Say No to IoT (Score:2)
This idea that we need to connect /everything/ _directly_ to the internet is insane.
Device manufacturers have a hard enough time making devices work, let alone securing them. Even important things like managed switches and home routers have gaping security holes in them. I don't expect a mass sudden outbreak of common sense anytime soon, so we're all doomed, doomed I tell ya!
Re: (Score:3)
I would, if I could.
You may rest assured, though, that it will be very, very hard to do so. For a few reasons that are quite obvious. One, adding such a gimmick is trivially cheap and since it's one thing you can add to the tickbox list of features, every item will have it. For reference, see cellphones and cameras. I don't want it, I don't need it, I would especially love to get it for our workers (for the obvious reason) but there is not a single cellphone that has no camera or where it is at least easily
Re: (Score:2)
Legion... sounds familiar (Score:2)
Re: (Score:2)
How do we know it's not Trend Micro (Score:2)