
Contractors Lose Jobs After Hacking CIA's In-House Vending Machines (techrepublic.com) 190

An anonymous reader quotes a report from TechRepublic: Today's vending machines are likely to be bolted to the floor or each other and are much more sophisticated -- possibly containing machine intelligence, and belonging to the Internet of Things (IoT). Hacking this kind of vending machine obviously requires a more refined approach. The type security professionals working for the U.S. Central Intelligence Agency (CIA) might conjure up, according to journalists Jason Leopold and David Mack, who first broke the story A Bunch Of CIA Contractors Got Fired For Stealing Snacks From Vending Machines. In their BuzzFeed post, the two writers state, "Several CIA contractors were kicked out of the Agency for stealing more than $3,000 in snacks from vending machines according to official documents... ." This October 2013 declassified Office of Inspector General (OIG) report is one of the documents referred to by Leopold and Mack. The reporters write that getting the records required initiating a Freedom Of Information Act lawsuit two years ago, adding that the redacted files were only recently released. The OIG report states Agency employees use an electronic payment system, developed by FreedomPay, to purchase food, beverages, and goods from the vending machines. The payment system relies on the Agency Internet Network to communicate between vending machines and the FreedomPay controlling server. The OIG report adds the party hacking the electronic payment system discovered that severing communications to the FreedomPay server by disconnecting the vending machine's network cable allows purchases to be made using unfunded FreedomPay cards.
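As an added illustration (not part of the quoted report, the OIG document, or FreedomPay's software): a terminal that keeps approving purchases after losing its link to the payment server is following a fail-open offline authorization policy. The Python model below compares that policy with a fail-closed and a capped one and shows what the server ledger reports once the link returns; the `Terminal` class, card id, prices and cap are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Terminal:
    """Hypothetical vending terminal (illustrative model, not FreedomPay's API)."""
    balances: dict                      # server-side ledger: card id -> cents
    offline_policy: str = "fail_open"   # "fail_open", "fail_closed" or "bounded"
    offline_cap_cents: int = 200        # assumed per-card allowance while offline
    online: bool = True
    journal: list = field(default_factory=list)        # store-and-forward queue
    offline_spent: dict = field(default_factory=dict)  # card id -> cents spent offline

    def purchase(self, card, price):
        if self.online:
            # Normal path: the server checks funds before the item drops.
            if self.balances.get(card, 0) < price:
                return False
            self.balances[card] -= price
            return True
        if self.offline_policy == "fail_closed":
            return False                 # no server, no sale
        if self.offline_policy == "bounded":
            spent = self.offline_spent.get(card, 0)
            if spent + price > self.offline_cap_cents:
                return False             # offline exposure per card is capped
            self.offline_spent[card] = spent + price
        # fail_open (and bounded, under the cap): trust the card, debit later.
        self.journal.append((card, price))
        return True

    def reconnect(self):
        """Replay queued debits; return overdrawn cards for audit follow-up."""
        self.online = True
        for card, price in self.journal:
            self.balances[card] = self.balances.get(card, 0) - price
        self.journal.clear()
        self.offline_spent.clear()
        return {c: -b for c, b in self.balances.items() if b < 0}

def simulate(policy, attempts=5, price=150):
    """Unfunded card (constructed sample) used repeatedly while the link is down."""
    t = Terminal(balances={"card-A": 0}, offline_policy=policy)
    t.online = False
    dispensed = sum(t.purchase("card-A", price) for _ in range(attempts))
    return dispensed, t.reconnect()

if __name__ == "__main__":
    for policy in ("fail_open", "bounded", "fail_closed"):
        print(policy, simulate(policy))
```

The overdrawn-card report returned by `reconnect()` is the reconciliation record an auditor would review; the cap only limits how large each entry can grow.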
  • Who wrote this? (Score:5, Informative)

    by redback ( 15527 ) on Wednesday June 28, 2017 @09:03AM (#54704093)

    1. They weren't fired for hacking, they were fired for STEALING.

    2. Unplugging the network cable doesn't count as hacking.

    • by Anonymous Coward

      It couldn't have been that easy - these machines have MACHINE INTELLIGENCE.

      AND they're bolted to the floor!

      • by Anonymous Coward

        Yes, I'm sure they have machine intelligence, to figure out the best way to rotate the spool in there to drop the products out. No way that could be done with a simple stepper motor, uh uh, no way. Has to have machine intelligence.

        By these standards I guess back in high school we were hacking the vending machines in our cafeteria because we figured out if you put the money in to buy a soda and hit the buttons really fast you could get multiple cans (sometimes up to 10) to drop.

      • It couldn't have been that easy - these machines have MACHINE INTELLIGENCE.

        A machine is only as smart as the human programming it, and is only as secure as the budget that funds it. Reference "IoT Security" for more detail.

        AND they're bolted to the floor!

        And hacking used to require this kind of effort. Now it seems all you have to lift is a network cable.

        • They're bolted to the floor BECAUSE they have machine intelligence.

          Imagine the havoc a sentient CIA snax machine could cause!!!
          • Re: (Score:3, Funny)

            by davester666 ( 731373 )

            Yeah, it sneaks up on you and goes "Here, have a Snickers bar." Pretty soon, everyone is too fat to move.

      • It couldn't have been that easy - these machines have MACHINE INTELLIGENCE.

        AND they're bolted to the floor!

        Right, that is why these guys got caught. When the network cable was reconnected and the transactions couldn't be processed, the machine intelligently wrote down the information and notified the appropriate authority.

        Same as any human retail clerk, these machines aren't instructed to try to prevent all cases of fraud, instead they're trained to follow strict procedures and write down any exceptions or oddities for auditing at another layer.

        In the old days when the machines were stupid, you could just rock i

    • Re:Who wrote this? (Score:5, Informative)

      by oobayly ( 1056050 ) on Wednesday June 28, 2017 @09:12AM (#54704137)

      2. Unplugging the network cable doesn't count as hacking.

      It would in the UK. A man was prosecuted here for adding a couple of "../" to a URI, which then provided him access to the root file system. I'm trying to find a reference to it.

      • by pahles ( 701275 )

        It would in the UK. A man was prosecuted here for adding a couple of "../" to a URI, which then provided him access to the root file system. I'm trying to find a reference to it.

        What does that have to do with unplugging a cable?

        • What does that have to do with unplugging a cable?

          It is an example of something absurd that has nothing to do with hacking, in reference to the GP's post.

        • He thinks "hacking" means "getting charged with computer crimes," so he missed the point.

      • by houghi ( 78078 )

        I add /. to my daily browsing. I am the L33T hax0r known as 4Chan. (How do you do the reverse L and 7 again?)

      • No surprise considering this is the same shithole where it's illegal to injure an assailant...
    • by XXongo ( 3986865 ) on Wednesday June 28, 2017 @09:13AM (#54704145) Homepage

      2. Unplugging the network cable doesn't count as hacking.

      Possibly they disconnected it with a hatchet, making it literally hacking.

    • While you are correct on both counts, what this story illustrates is the irony of large organizations (in commercial industry and government alike) that say "we want innovators/bold thinkers/unconventional thinkers/people who think outside the box" (or similar feel-good sounding things) when what they really mean is "we want innovators/bold thinkers/unconventional thinkers/people who think outside the box but who also remain within the strict policies/structures/conventions of the organizatio

      • by Anonymous Coward

        Stealing from your startup employer would also get you fired.

      • by rhazz ( 2853871 )

        what they really mean is "we want innovators/bold thinkers/unconventional thinkers/people who think outside the box but who also remain within the strict policies/structures/conventions of the organization."

        Having morals and thinking outside the box aren't mutually exclusive. The CIA might be an exception, but most businesses subcontract the handling of vending machines to other companies. If the same is true for the CIA, then these idiots were stealing from another company. The CIA's rep is bad enough without that.

      • Re:Who wrote this? (Score:5, Insightful)

        by swb ( 14022 ) on Wednesday June 28, 2017 @09:56AM (#54704383)

        The CIA or any organization like it wants unicorns. They want the tiny subset of the Venn diagram where people are bold thinkers AND organizationally compliant rule followers.

        Like high-end spec-ops, not only do they want really tough super-athletes, they want high intelligence, independent thinkers AND chain of command rule followers.

        It's a small subset of people that match all those qualities.

      • The same people who are dumb and cheap enough to steal snacks are the same ones most likely to sell out your state secrets for money.

        Anyone who's willing to risk their career and a criminal record for a $1 bag of junk food is not someone who you want working with sensitive information.

      • Are you really that dense or are you trolling? They were stealing. That shows a lack of character. I'd fire them as well, even if I were running a startup.

        • They were stealing. That shows a lack of character. I'd fire them as well, even if I were running a startup.

          If you were running a startup, you'd be giving them free candy bars.

          So I hear. I've never worked for a startup that had venture capital...

        • They were stealing.

          In other words, they should be considered for jobs as field agents.

      • While you are correct on both counts, what this story illustrates is the irony of large organizations (in commercial industry and government alike) that say "we want innovators/bold thinkers/unconventional thinkers/people who think outside the box" (or similar feel-good sounding things) when what they really mean is "we want innovators/bold thinkers/unconventional thinkers/people who think outside the box but who also remain within the strict policies/structures/conventions of the organization."

        Is it any wonder that people who perceive themselves as truly talented tend to want to go work for startups or perhaps create their own startup? The type of people places like the CIA and big companies claim to be seeking are precisely the type of people who look at places like that and say "no way am I going subject myself to all that bureaucracy." Stories like those sort of prove the point.

        One or two free candy bars, to see how the thing works would be "innovators/bold thinkers". Taking $3,000 of snacks is stealing. I can hack the cafeteria at work. If I go in late afternoon when there's only one worker, I can wait for them to go on a smoke break when the place is deserted, and load up my backpack with all sorts of free snacks. But I don't. Because it's stealing.

    • by DontBeAMoran ( 4843879 ) on Wednesday June 28, 2017 @09:22AM (#54704191)

      2. Unplugging the network cable doesn't count as hacking.

      Sure it does! Look, I'm going to hack my computer right n{#`%${%&`+'${`%&NO CARRIER

    • why would anyone settle for snacks when the cc info is there...
      • ...it's easier to eat the evidence?

      • by Anonymous Coward

        There is no CC card... It's a pre-paid card system - reloaded with cash ... thus using a card when it has $0, and the device is off-net, the device trusts the user (as we're in a trusted location) and will debit the acct when it comes back online. This can't even be seen as a weakness as it's in a secure location, but to actually exploit the organization's trust is something different. (by stealing)

    • by Anonymous Coward

      Par for the course for clickbait mills.

      The summary even states it's from Buzzfeed.

    • The type security professionals working for the U.S. Central Intelligence Agency (CIA) might conjure up, according to journalists Jason Leopold and David Mack, who first broke the story A Bunch Of CIA Contractors Got Fired For Stealing Snacks From Vending Machines.

      It was written by someone who doesn't know a complete sentence from their asshole.

    • Posted by BeauHD - what do you expect? If it isn't an anti-conservative hit piece that has nothing to do with technology, she doesn't know what to do with it.

    • Lawyers like to law, teach them to law better, and they are going to law all over the place.

      Wrestlers like to wrestle, teach them to wrestle better, and will wrestle all over the place.

      Brewers brew......

      Soldiers soldier....

      Politicians politic.... ....and hackers hack.

      And for the record, if unplugging the network cable after a secure handshake allows you to force a target to do something specifically opposite to what it was designed to do, such as dispense free candy, then it very much is a hardware exploit.

  • by bill_mcgonigle ( 4333 ) * on Wednesday June 28, 2017 @09:16AM (#54704157) Homepage Journal

    How did they not get a promotion?

    • They were supposed to hack the vending machines inside the Russian embassy.
    • How did they not get a promotion?

      Believe it or not... It seems the CIA apparently has issues with stealing from vending machines... So there are some morals and ethics left.... Leaking classified data is A OK, putting classified information on a private E-mail server is A OK, spying on US citizens with abandon is fine, but don't you dare steal from the vending machine in the break room down the hall.. Who knew?

    • Most Vending machine companies are owned by big corps now.
    • Because they were caught. The CIA only wants employees smart enough to not get caught doing these things. Honestly, if you're dumb enough to get caught stealing from a !@#$ vending machine, how can they trust you to steal from the Russians?

  • Disconnecting the network cable. Really?
  • by acoustix ( 123925 ) on Wednesday June 28, 2017 @09:47AM (#54704343)

    If these were federal employees they wouldn't have been fired. They would have been reassigned. Or asked to take early retirement. Of course this would have happened after being suspended with pay.

    • by Anonymous Coward

      If these were federal employees they wouldn't have been fired. They would have been reassigned. Or asked to take early retirement. Of course this would have happened after being suspended with pay.

      Not saying I *necessarily* agree or disagree with the practice, but isn't that the whole reason to use contractors in the first place? No long-term retirement liabilities and all that.

    • If these were federal employees they wouldn't have been fired. They would have been reassigned. Or asked to take early retirement. Of course this would have happened after being suspended with pay.

      ...for three years...

    • by rhazz ( 2853871 )
      That's the difference between being a unionized employee versus temporary labour.
  • FreedomPay (Score:4, Insightful)

    by tangent3 ( 449222 ) on Wednesday June 28, 2017 @10:09AM (#54704453)

    Contractors did not realize the "free" in FreedomPay means free speech not free beer.

    • Contractors did not realize the "free" in FreedomPay means free speech not free beer.

      They do a much better job explaining that to contractors [wikipedia.org] at the NSA [wikipedia.org].

  • Throughout my working life I have been amazed that people with good jobs would be willing to jeopardize them for nickels and dimes -- stealing stationery, fudging expense vouchers, and now, apparently, cheating a company vending machine. Don't these people realize that they are putting their livelihoods at risk by stealing from their employer?

    • Depends on where the company has their focus. I did a PC refresh project at eBay and had to take a drug test before I got hired in 2011. Management was afraid that the contractors would steal their new Dell workstations. The funny thing was that management had no concern about employees stealing the old workstations. Unlike other PC refresh projects, we weren't required to pull the hard drives out. Security went ballistic when they found some of these old workstations with asset tags and hard drives on the eB
  • CIA hires break laws then the CIA covers it up.

  • Think about it. Intelligence agencies routinely do things which violate norms of civilized behavior. Suborning treason (in other countries' nationals) and invading privacy are standard operating procedure. Yet you depend on your employees to scrupulously follow the rules and norms when it comes to your own agency.

    So you give people symbols, rituals and training which ground them in the traditions and identity of your service. I expect this works pretty well, because pride and belonging are powerful motivato

  • Why in the HELL are there IoT vending machines in the CIA? Even I know IoT devices are not secure especially if they are coming from a vendor. If anything, the vending machine company should be held responsible for not providing enough security on their device that could have allowed rogue elements to access it and use it for breaking into internal network resources based on it being on-site. WTF!?
  • ... attempted to make a run for it. But they were pursued and apprehended quickly.

  • Here I expected the story to detail how they analyzed the network traffic and devised a MitM attack to trick the machine into thinking it was getting paid, or discovering an administrative backdoor they managed to crack the root password for, or 3:00am hacking into the firmware through a JTAG connection, decompilation of the firmware, then substituting doctored firmware to enable a secret button-press sequence to enable all selections to be $0.00.. but no! They disconnected a network cable! BORING! I don't
  • They were fired for Theft. Stealing is such a low level sleazy crime
    they need to go work in a fast food joint to work off the debt!
    "Hacking" is HARDLY what they did - it's just theft

  • > Severing communications to the FreedomPay server by disconnecting the vending machine's network cable allows purchases to be made using unfunded FreedomPay cards.

    Is this really what passes for "hacking" these days?

  • I'm assuming they were hired specifically for this sort of out-of-the-box workarounds. You cannot turn someone into something they are not and telling them to be anything other than what they are impedes them from performing at their best when you need them to. If I was the supervisor that had been made aware of this, I would have found a way to expense payments to the vendor without letting the employees know. 1) it keeps skills from workers you may need solidly in the 'asset' category, 2) it keeps their

  • The CIA probably asked for the option that these vending machines still work if there are network outages, on the basis that its employees and contractors should be trusted enough not to steal shit and they're the only ones with physical access to the machines.

    The other options are: No network, no food. Pay with cash.

    The last thing you want is a hungry IT department trying to fix your broken network.

  • This story ran weeks ago and was already on /. once before. STALE!
