
Romanian Hackers Infiltrated 65% of DC Outdoor Surveillance Cameras - QAPereo
http://lite.cnn.io/en/article/h_910710e71e532e73a80deb1294a2db7c
======
3pt14159
When I was an irresponsible high school grey hat (2001) I was part of a small
group of people that shared exploits. We weren't that talented, but one of the
guys in our group was still able to get into the cameras in the parking lot of
the CIA.

This is the problem with cyber security: Even if you're the most knowledgeable
organization on earth you still fuck it up. Any one person can fuck up any one
thing and if it isn't part of your predetermined threat vector analysis then
it gets through and you lose everything.

The guy took steps to hide his identity then reported it to the CIA. They
emailed back with a job offer. Back then we assumed it was trap to get him to
travel to the USA from Canada, but these days, based on what I've seen, I
think it was legitimate.

Sometimes I like to let thoughts simmer:

In 2001 a shitty high school hacker had a reasonably credible offer from the
CIA.

~~~
babuskov
I agree with the rest of your points, but that "shitty" high school hacker
managed to hide his identity from CIA. You're underestimating him. Majority of
wannabe hackers would screw up some detail and get discovered.

~~~
r3bl
Or, since he's taken steps to protect his identity, CIA might have offered a
fake job offer for the purpose of him revealing his identity.

~~~
throwaway5665
I think this what happened.. the government has very formal hiring procedures,
a government employee can’t just send spurious offer letters to foreign
nationals.

~~~
user5994461
An email is not a job offer. It's just an invitation to interview. There are
no procedures against that.

~~~
throwaway5665
He literally said job offer.

~~~
3pt14159
I may have misrembered. It was so long ago.

------
wybiral
DVR devices are insane. I do regular surveys of random IP addresses and find
these devices _everywhere_. They're easily identified by the headers that the
embedded servers respond with.

Typically they're cheap devices from China using the same tech just with
slightly different branding.

They usually have default passwords like admin:admin that users aren't
required to change and often have vulnerabilities that grant access to the
rest of the network. And people expose the ports for these things to the
entire internet. Maybe people just assume nobody will happen upon their IP
address?

The irony, of course, is that people install these for security.

Remember when wifi devices rarely had passwords and you could use your
neighbors internet? What caused the change to the modern practice of unique
strong passwords by default? Was it consumer driven or was there some other
factors? Whatever happened, we need that for IoT devices too.

~~~
johncolanduoni
A big factor might have been ISP-provided routers coming with random passwords
printed on the underside of the router instead of uniform defaults. The same
tactic would work with many IoT devices but the incentive isn't there.

~~~
wybiral
What incentive pushed the manufacturers of those routers in that direction
though?

~~~
TeMPOraL
Torrenting and child porn, I would guess. I remember the slow transition from
people using open networks to securing the shit out of them, and there was
this big fear that someone could use your network to download copyright-
protected and/or illegal material, and it would be tied to your IP.

~~~
userbinator
Indeed, 10-15 years ago in almost any area with a population you could easily
find an open network to get onto the Internet when you wanted to. I could
check email and lookup some quick things even while riding public transit,
without needing mobile data. There was also a grassroots movement of sorts to
"share your WiFi", and even a well-known security professional opened his:
[https://www.schneier.com/blog/archives/2008/01/my_open_wirel...](https://www.schneier.com/blog/archives/2008/01/my_open_wireles.html).

Now there's almost none of those left, and what places _do_ advertise "free
WiFi" are captive/login portals. It was more free and open back then, I
actually quite miss those days...

~~~
TeMPOraL
I miss them too, though less than I did in the period between when people
started locking down Wi-Fi and when mobile data became cheap.

Anyway, this is just yet another example of computing getting worse the more
money there is to be made in it from mainstream use.

------
gumby
Much kudos to submitter for using the text-only cnn.io version. Instead of
loading a megabyte of executable crud, moving images etc for three paragraphs
of text I got...three paragraphs of text!

~~~
QAPereo
Thanks, but all credit goes back to HN for turning me onto cnn.io in the first
place.

~~~
nawtacawp
TIL I needed this. -- do you use any other text based sites?

~~~
IA21
NPR also has a text only version:

[http://text.npr.org](http://text.npr.org)

------
ausjke
Too many cameras exploits in the wild these days indeed.

Need a OSS system for the cameras, just like OSS firmware such as Openwrt to
replace vendor firmwares.

Camera itself does not have enough resource to deal with DDOS or brutal-force
attach or updating-with-CVE-quickly if they'are exposed to the public internet
_directly_, they should sit behind some firewall. I hope those important
cameras, or privacy-concerned cameras, are at least not installed with a
public IP, not sure if that is true though, otherwise more exploits will keep
coming.

~~~
paulie_a
Doesn't open wrt have a pretty shoddy security track record

~~~
ausjke
any source? openwrt can't fix kernel security bugs, or OpenSSL issues, but it
can provide a fast fix after those exploits are announced at least.

i have not hearded wide spread problem with openwrt yet.

~~~
fencepost
That may be based on vendor implementations - I think there are a bunch of
consumer routers or there that are based on reskinned old versions of OpenWRT.

~~~
ausjke
yes the key is OSS openwrt instead of vendor-specific openwrt, which is
normally lagging behind still, probably slightly better than closed vendor
firmware, but not that much better.

true OSS openwrt has the fastest updates and security fixes, and it's solid.

------
amigoingtodie
It is 65% of outdoor cameras operated by the DC city police, not 65% of all
outdoor cameras in DC.

That would have been impressive, Person of Interest style.

~~~
juiyout
Yes 65% is a soundbite.

Cameras are notoriously easy to break into. I would venture to say those 123
cameras has the same manufacturer and share the same reset instruction.

~~~
bhk
A _false_ soundbite.

The first sentence of the article has more detail but is _still_ false. Then
the second sentence of the article contradicts the first sentence, adding the
phrase "of the DC city police". Shall we believe that version?

------
DarronWyke
I'd like to take this time to remind everyone of the Internet of Shit project:

[https://twitter.com/internetofshit](https://twitter.com/internetofshit)

Welcome to the IoT age. It's not going to get better, only get worse.

------
nottorp
Are there any actually secure ip cameras? Somehow I don't think this is a
badge of honor for the "romanian hackers". They probably just scanned for
default passwords and known vulnerabilities.

~~~
CaptSpify
How is that not hacking? Many hackers use known exploits to break into
systems.

~~~
nottorp
Who said it's not hacking? However, it's on the "unskilled labor" side of
hacking.

------
brk
Cyber security issues are only recently becoming a point of awareness in the
surveillance industry.

Some manufacturers have hard-coded backdoors/authentication bypasses, any
vulnerable devices spread across the US, and the rest of the world.

Here is an example of one vulnerability from one larger manufacturer
(Hikvision): [https://ipvm.com/reports/hik-hack-
map](https://ipvm.com/reports/hik-hack-map)

------
pavel_lishin
> They were traced through their registered email addresses, one of which
> roughly translates into "selling souls" in Romanian, according to the
> affidavit.

I wonder if it's a reference to Dead Souls
([https://en.wikipedia.org/wiki/Dead_Souls](https://en.wikipedia.org/wiki/Dead_Souls)).

------
sorinn
Hacking aside, it's great to see the perfect diversity score: 50% male/female.
Silicon Valley should take note.

~~~
announcerman
This is what makes me skeptical of the diversity movements in America. In
Romania and even Russia it seems women are very well represented in tech and
there are no movements there. It seems to me that these movements are mostly
used for political maneuvering and are not helpful at all.

~~~
virgilp
I'm from Romania. The general balance is pretty far from 50/50, and there are
some not-so-nice jokes about women in CS (e.g. "mamma had 2 girls; one was
smart & beautiful, the other one went on to study computer science"). Still,
from what I saw (I work in a US company) - I suspect it's far better than US,
and maybe even western europe[1]. There's no expectation that if you're a girl
you must suck at math (or science/engineering in general), and in general I'd
say programmers want/ like to have girls around. But it's still a fairly
masculine environment, with some fair level of "bro" culture, so it must be
somewhat tougher for a girl. It's double-edged though... the US "positive
discrimination" culture is making inroads here, so on some aspects it's easier
to be a girl in tech (I suspect it's actually easier to get a job compared to
an equally-qualified guy).

The thing is - positive discrimination doesn't solve the problem, because it
comes from school. You need to encourage girls to take science classes - it
has to be expected of them that they do so (rather than go towards, e.g.,
humanities). That, I don't think is actively happening in the US or even some
parts of western europe.... by the time you're dealing with graduates, it's
already too late to fix the gender-imbalance problem.

[1] My little daughter's godfathers are German (she grew up in Romania, but he
didn't). She told me that among german women, it's a thing of pride to be bad
at math. And that her daughter was praised in school that "you're pretty good,
for a girl". With that sort of attitudes during childhood... it's bound to be
hard to get gender balance later (that "praise" would be perceived as insult
here)

~~~
rdtsc
> There's no expectation that if you're a girl you must suck at math (or
> science/engineering in general),

When I was going to school girls were usually better at math. I remember
getting help from them with some calculus problems.

My CS teacher in high school was a woman as well and before teaching she
worked as a programmer. She was a great role model for girls I'd imagine. Well
she was a great role model for me too because she was a great teacher.

