Hacker Opens 2,732 PickPoint Package Lockers Across Moscow (zdnet.com)
A mysterious hacker sed a cyber-attack to force-open the doors of 2,732 package delivery lockers across Moscow. ZDNet reports: The attack, which took place on Friday afternoon, December 4, targeted the network of PickPoint, a local delivery service that maintains a network of more than 8,000 package lockers across Moscow and Saint Petersburg. Russians can order products online and choose to have any of their orders delivered to a PickPoint locker instead of their home address. Once the package arrives, users receive an email or mobile notification, and they can show up and pick up their orders using the PickPoint app. However, the same system that allows users to open lockers and retrieve their packages was attacked on Friday.
Using a yet-to-be-identified exploit, a mysterious hacker forced open the doors for a third of PickPoint's lockers, leaving thousands of packages exposed to theft across Moscow. The reason for the attack has yet to be discovered, but in press releases over the weekend, PickPoint said it notified authorities. The Russian company said it is currently working to restore its network, which has been damaged during the attack. It also remains unclear if packages were stolen from lockers. As the company highlighted in a press release on Saturday, this appears to be "the world's first targeted cyberattack against a post-gateway network."
"sed" a cyber-attack? (Score:3)
Wow, sed is even more powerful than I thought! I've only used it for string replacement...
Re:"sed" a cyber-attack? (Score:5, Funny)
Just wait until someone discovers awk!
I've of my most used hacking tools :) (Score:2)
It's funny, people ask me which tools they should get and learn, in order to be a "leet haxor". I use mostly sed, awk, wget ... after using a lot of Google and reading too darn many RFCs and books. Then learn nmap and metasploit - after you have the foundation to know what to do with those tools, how to craft payloads, etc.
I wouldn't be at all surprised if sed were in fact used by the culprit.
Re: I've of my most used hacking tools :) (Score:2)
*sad Perl noises*
(Perl's point was originally to replace sed and awk.)
Re: (Score:2)
Standards [xkcd.com]
I don't know about that - grep doesn't replace sed (Score:2)
Has Larry said Perl was supposed to *replace* sed? That seems very un-Larry. Larry normally likes a little bit of this, a little bit of that. Something old, something new, something borrowed .... You see that in how Perl has objects but not everything is an object, Perl does functional programming with constructs like map(), it's obviously borrowed a lot from sed, and yet you can inline Cobol.
You may know ed was the original editor.
sed is ed for streams (stream ed)
Add doesn't replace ed - ed for static
Re: (Score:2)
There is a utility called 'ped' (for Perl sED), which is a perl implementation of sed. I use it because it handles Unicode characters using the full regex expression set of perl, which is quite powerful. Unfortunately, it's considerably slower than sed.
As a linguist, I work with non-ASCII writing systems a lot, and the standard Linux utilities are IMNSHO sadly lacking when it comes to non-ASCII text. Decades after the acceptance of Unicode, particularly its UTF8 encoding, the grep -P parameter (which is
Yep, sure (Score:1)
Sure it's "unknown." What's the bet it was Broken Access Controls - trusting the web app on end user's devices to unlock only the locker code displayed on the user's screen and not enumerate every possible locker code to open them all. Somebody should send these guys a link to the OWASP Top Ten [owasp.org] vulnerabilities list.
Re: (Score:2)
The problem isn't any particular technical nit, it's the use of computerised "security" anything. If you leave out one single component, the computer, then mass compromise of this kind becomes impossible. Even with a physical 0day in hand you'd need to travel to each location and attack each thing one at a time. It's only the addition of computerisation to "security" systems that makes it possible to compromise all of them all at once with a few mouse clicks.
My house has non-"smart" physical locks, non-"
Re: (Score:2)
It's like post-modern, if you could mail a modern?
I think it's just an infelicitous translation from a Russian thought or phrase, where "post" means "postal" and "gateway" means controlling access to the precedent (postal items). Or maybe it's a neologism intended to make them sound buzzword-compliant and cutting-edge, in which case a better translation would be "Ponzi-compliant".
Re: (Score:2)
yeah could just be Russian for 'locker door network.'
Re: (Score:2)
Sounds like a "delivery network endpoint" or the like.
Heist and covering of tracks? (Score:5, Interesting)
What if the point was not because they wanted to cause problems for the company, but because they wanted one specific package and the easiest way to hide the true crime among the crimes-of-opportunity was to open enough of these lockers to induce a lot of random theft?
Re: (Score:2)
Not really. More like The Italian Job, and I mean the original, and even then, only up until they've gotten the loot. The whole car chase thing after through an entirely congested Turin is a different matter.
Re: (Score:2)
Could have just been crap code. Submit the locker number to the API, but oops you submitted only part of the number and the API matched it to 1/3rd of all the lockers in the system.
Seen that sort of thing happen before, someone used the wrong comparison function.
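An added illustration, not part of the thread and not PickPoint's code (the cause of the real incident is unidentified): the two failure modes commenters speculate about, a partial-match lookup and a missing server-side ownership check, shown beside a corrected handler. All names and the locker table are hypothetical and constructed for this sketch.

```python
# Constructed sample data: locker id -> user with a parcel waiting in it.
ASSIGNMENTS = {
    "1001": "alice",
    "1002": "bob",
    "1017": "carol",
    "2040": "dave",
}


def open_lockers_buggy(requested_id: str, user: str) -> list[str]:
    """Flawed handler: matches on a prefix and never checks ownership.

    A truncated id such as "10" (or an empty string) resolves to many
    lockers, and the caller's identity is ignored entirely.
    """
    return [lid for lid in ASSIGNMENTS if lid.startswith(requested_id)]


def open_lockers_fixed(requested_id: str, user: str) -> list[str]:
    """Corrected handler: exact id lookup plus a server-side owner check.

    The server decides which locker the authenticated user may open;
    it does not trust whatever id the client app chose to send.
    """
    owner = ASSIGNMENTS.get(requested_id)  # exact key match only
    if owner is None or owner != user:
        return []  # unknown locker, or parcel belongs to someone else
    return [requested_id]


if __name__ == "__main__":
    for rid in ("1001", "10", ""):
        print(repr(rid), "buggy:", open_lockers_buggy(rid, "alice"),
              "fixed:", open_lockers_fixed(rid, "alice"))
```

A request that resolves to more than one door is also a useful alerting signal on the server, since a legitimate pickup opens exactly one locker.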
in Soviet Russia we hack you! (Score:2)
in Soviet Russia we hack you!
Several Possibilities (Score:3)
My first thought is that this sounds like someone didn't pay the extortion money, but it could have been several other things. Someone may have been stealing packages, and decided to open a bunch more so that their thefts would get lost in the noise. Someone could have been playing with a vulnerability and not realized they had done as much damage as they did, or someone was playing and knew exactly what they were doing, but thought it was fun. We may never know unless they catch the culprit.
Re: (Score:2)
or it's a test to get into the KGB hacking team.
Please tell me his name is Peter Piper (Score:2)
Hacker Opens 2,732 PickPoint Package Lockers Across Moscow
Peter Piper's PickPoint Package Parkers
Re: Please tell me his name is Peter Piper (Score:2)
Peter Piper lock picks PickPoints' postal package pickup points.
Has the Lock Picking Lawyer been on holiday? (Score:2)
Did this guy recently go on holiday?
https://www.youtube.com/c/lock... [youtube.com]
What's with the English name? (Score:1)
Isn't this a Russian company? Operating in Russia?
wood chucks (Score:3)
How many lockers could a lock picker pick if a lock picker could pick PickPoint lockers?