Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Network

Hacker Opens 2,732 PickPoint Package Lockers Across Moscow (zdnet.com) 31

A mysterious hacker sed a cyber-attack to force-open the doors of 2,732 package delivery lockers across Moscow. ZDNet reports: The attack, which took place on Friday afternoon, December 4, targeted the network of PickPoint, a local delivery service that maintains a network of more than 8,000 package lockers across Moscow and Saint Petersburg. Russians can order products online and choose to have any of their orders delivered to a PickPoint locker instead of their home address. Once the package arrives, users receive an email or mobile notification, and they can show up and pick up their orders using the PickPoint app. However, the same system that allows users to open lockers and retrieve their packages was attacked on Friday.

Using a yet-to-be-identified exploit, a mysterious hacker forced open the doors for a third of PickPoint's lockers, leaving thousands of packages exposed to theft across Moscow. The reason for the attack has yet to be discovered, but in press releases over the weekend, PickPoint said it notified authorities. The Russian company said it is currently working to restore its network, which has been damaged during the attack. It also remains unclear if packages were stolen from lockers. As the company highlighted in a press release on Saturday, this appears to be "the world's first targeted cyberattack against a post-gateway network."

This discussion has been archived. No new comments can be posted.

Hacker Opens 2,732 PickPoint Package Lockers Across Moscow

Comments Filter:
  • by 93 Escort Wagon ( 326346 ) on Monday December 07, 2020 @07:16PM (#60805084)

    Wow, sed is even more powerful than I thought! I've only used it for string replacement...

    • by Entrope ( 68843 ) on Monday December 07, 2020 @07:37PM (#60805154) Homepage

      Just wait until someone discovers awk!

    • It's funny, people ask me which tools try should get and learn, in order to be a "leet haxor". I use mostly sed, awk, wget ... after using a lot of Google and reading too darn many RFCs and books. Then learn nmap and metasploit - after you have the foundation to know what to do with those tools, how to craft payloads, etc.

      I wouldn't be at all surprised if sed were in fact used by the culprit.

      • *sad Perl noises*

        (Perl's point was originally to replace sed and awk.)

        • Apropriate XKCD:
          Standards [xkcd.com]
        • Has Larry said Perl was supposed to *replace* sed? That seems very un-Larry. Larry normally likes a little bit of this, a little but of that. Something old, something new, something borrowed .... You see that in how Perl has a objects but not everything is an object, Perl does functional programming with constructs like map(), it's obviously borrowed a lot from sed, and yet you can inline Cobol.

          You may know ed was the original editor.
          sed is ed for streams (stream ed)
          Add doesn't replace ed - ed for static

        • There is a utility called 'ped' (for Perl sED), which is a perl implementation of sed. I use it because it handles Unicode characters using the full regex expression set of perl, which is quite powerful. Unfortunately, it's considerably slower than sed.

          As a linguist, I work with non-ASCII writing systems a lot, and the standard Linux utilities are IMNSHO sadly lacking when it comes to non-ASCII text. Decades after the acceptance of Unicode, particularly its UTF8 encoding, the grep -P parameter (which is

  • Really its massive attack in Russia, which is one of the most IT security Country and Kaspersky Birthplace Country
  • by Anonymous Coward

    The reason for the attack has yet to be discovered, but in press releases over the weekend, PickPoint said it notified authorities.

    Sure it's "unknown." What's the bet it was Broken Access Controls - trusting the web app on end user's devices to unlock only the locker code displayed on the user's screen and not enumerate every possible locker code to open them all. Somebody should send these guys a link to the OWASP Top Ten [owasp.org] vulnerabilities list.

    • The problem isn't any particular technical nit, it's the use of computerised "security" anything. If you leave out one single component, the computer, then mass compromise of this kind becomes impossible. Even with a physical 0day in hand you'd need to travel to each location and attack each thing one at a time. It's only the addition of computerisation to "security" systems that makes it possible to compromise all of them all at once with a few mouse clicks.

      My house has non-"smart" physical locks, non-"

  • Comment removed based on user account deletion
    • by Entrope ( 68843 )

      It's like post-modern, if you could mail a modern?

      I think it's just an infelicitous translation from a Russian thought or phrase, where "post" means "postal" and "gateway" means controlling access to the precedent (postal items). Or maybe it's a neologism intended to make them sound buzzword-compliant and cutting-edge, in which case a better translation would be "Ponzi-compliant".

    • yeah could just be Russian for 'locker door network.'

    • by gweihir ( 88907 )

      Sounds like a "delivery network endpoint" or the like.

  • by TWX ( 665546 ) on Monday December 07, 2020 @07:42PM (#60805180)

    What if the point was not because they wanted to cause problems for the company, but because they wanted one specific package and the easiest way to hide the true crime among the crimes-of-opportunity was to open enough of these lockers to induce a lot of random theft?

    • That's some fucking Ocean's Eleven or Borne shit right there.
      • by TWX ( 665546 )

        Not really. More like The Italian Job, and I mean the original, and even then, only up until they've gotten the loot. The whole car chase thing after through an entirely congested Turin is a different matter.

    • by AmiMoJo ( 196126 )

      Could have just been crap code. Submit the locker number to the API, but oops you submitted only part of the number and the API matched it to 1/3rd of all the lockers in the system.

      Seen that sort of thing happen before, someone used the wrong comparison function.

  • in Soviet Russia we hack you!

  • by crow ( 16139 ) on Monday December 07, 2020 @07:43PM (#60805188) Homepage Journal

    My first thought is that this sounds like someone didn't pay the extortion money, but it could have been several other things. Someone may have been stealing packages, and decided to open a bunch more so that their thefts would get lost in the noise. Someone could have been playing with a vulnerability and not realized they had done as much damage as they did, or someone was playing and knew exactly what they were doing, but thought it was fun. We may never know unless they catch the culprit.

  • Hacker Opens 2,732 PickPoint Package Lockers Across Moscow

    Peter Piper's PickPoint Package Parkers

  • Isn't this a Russian company? Operating in Russia?

    • Easy. When the Soviet Union's borders weakened in the mid-80s, a flood of consumer goods (well, not exactly the flood until 1991, but enough) went in. And Russians got a notion that if a product is named in English, it must be good (because foreign consumer goods were better than what was produced inside). This tactic successfully worked in the 90s and still works to some degree (i.e., many consumer electronics brands here have English names but are owned by Russians, made specifically for Russia, made in
  • by mcswell ( 1102107 ) on Tuesday December 08, 2020 @10:37PM (#60810378)

    How many lockers could a lock picker pick if a lock picker could pick PickPoint lockers?

He who steps on others to reach the top has good balance.

Working...