
Pirates hack into shipping company’s servers to identify booty - pavornyoh
http://arstechnica.com/security/2016/03/pirates-hack-into-shipping-companys-servers-to-identify-booty/
======
bkor
This story is pretty sensationalized.

1\. A container shipping company does not store the bar code of
crates/packages. I've easily read 100s of booking details and never seen this.
At most you maybe find one booking where the customer gave too much info and
the customer service person copy/pasted too much. Anyway, either the article
is talking about the container number or the hacked company is a logistics
company.

2\. If it is a logistics company, they wouldn't know exactly where the
container is on the vessel. You can ask "above/below deck", but exact details
aren't normally shared. You'd need to hack two companies if the pirates
behaved like the article suggests.

3\. Boarding a container ship isn't that easy as a lot of them are huge.

4\. A container might just be reachable. Hint: For some commodities special
care is taken to ensure that the vessel crew can still reach it. It's much
easier to target a container after it has left a terminal and is e.g. on a
truck. Note that even with full access it is better to somehow take over a
truck than to pick it up yourself; they check your identification
(passport/driver's license) when you pick up.

At most this might be about some logistics company that uses small vessels.
E.g. intra Asia trade. Any big company I would be surprised if the hackers
would make sense of all the systems :-P

That said, every so often you do see news articles whereby someone within
either customs or a shipping company sells the details to others. Those others
then steal the goods. But not by boarding vessels though, they take over the
truck.

~~~
chockablock
So, you're claiming the story is fabricated?

Quoting: "They’d board a vessel, locate by bar code specific sought-after
crates containing valuables, steal the contents of that crate—and that crate
only—and then depart the vessel without further incident."

You can download the Verizon report (that is the source for this article)
here:
[http://www.verizonenterprise.com/resources/reports/rp_data-b...](http://www.verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf)

~~~
bkor
No, I'm saying the details aren't correct. I never implied fabricated, so
unsure why you're suggesting this.

From reading the report it seems they confused container numbers with crate
bar codes.

This bit: "They’d board a vessel, locate by bar code specific sought-after
crates containing valuables, steal the contents of that crate—and that crate
only—and then depart the vessel without further incident."

When you board a vessel with container numbers, you don't see crates. However,
you can find the container then search through the container and determine the
crate. But the crate bar code? That's incorrect. A bill of lading will show
the crate contents as well as its container number. It does NOT contain a bar
code.

The PDF is obviously a marketing piece; it is not surprising some details are
incorrect.

If you ignore the bar code part, then yeah, if the target was a shipping
company then you could determine the contents of containers within reach and
what is in them. Still need to go through the container though.

------
BWStearns
Hacker pirates: finally, we live in the future!

Aside from that though, I wonder if we'll be seeing increasing criminal
activity like this or if it'll stay as an occasional source of funny
headlines.

On the one hand the resources and knowledge of how to compromise a server are
more accessible all the time.

On the other, exploited vulnerabilities are patched and the walls stay a bit
higher than the cheap ladders. This will pretty much ensure that there is
almost always at least a non-trivial amount of learning that needs to be done
in order to profitably compromise equipment for practical purposes.

I'm thinking that the prevalence of basic technical savvy (roughly "has strong
google-fu in the service of troubleshooting" or better) is going to be the
largest influence on whether hacking-augmented crime increases or not.

My logic here is that it would happen more if more criminals knew how to go
about learning how to hack since that gap between pre-built tools and
practical application is always going to be there, but it's certainly
bridgeable with some curiosity.

More technically savvy population, more cybercrime. It makes sense, but it can
also be used as a kind of fluency metric. I thereby propose the frequency of
computer-aided criminal activity as a fraction of all criminal activity to be
a target metric for US technology education, higher is better.

~~~
nxzero
All depends on who you define as a pirate, hacker, etc. If you consider social
engineering hacking and stealing goods in transit, then using the two together
is as good as written history.

~~~
BWStearns
Especially if you consider national flag swapping and the like to be breaking
an information system (or at least abusing a weak auth system).

------
yeukhon
What is a booty? The urban slang "booty" or something else like bootleg?

~~~
ConroyBumpus
It's another term for pirate's treasure.

~~~
yeukhon
Thank you.

BTW, the pirates out there, keep downvoting :-) I don't speak your pirate
language.

------
rwmj
The next step is to reprogramme the delivery address and have the booty sent
to the pirates.

~~~
dredmorbius
Precisely the point I made elsewhere.

Or: start a shipping services company and "lose" the odd lot.

~~~
gregw134
À la season 2 of The Wire.

------
germerconsult
Reminds me of the hack that happened in Antwerp. Basically the mob obtained
access to data through extortion of IT consultants and was able to present the
correct documents at the gates and drive away with the containers before the
correct truck arrived.
[http://www.bloomberg.com/graphics/2015-mob-technology-consul...](http://www.bloomberg.com/graphics/2015-mob-technology-consultants-help-drug-traffickers/)
[http://motherboard.vice.com/blog/how-traffickers-hack-shippi...](http://motherboard.vice.com/blog/how-traffickers-hack-shipping-containers-to-move-drugs)

------
dates
The Da Vinci virus is a cover up for something even more sinister...

------
SixSigma
Sounds like it could have been a lot more devastating if the attackers had more
(mad) skill(z). I am curious, though, why law enforcement didn't become more
involved and track them down rather than just block them.

~~~
xigency
What kind of solution is it to block one IP address?

~~~
rossdavidh
My thinking exactly. It seems like it would have been a much better solution
to get law enforcement involved, since there was a decent chance of getting
the pirates to attack whatever ship you wanted by planting (bogus) info about
valuable cargo on it. The "solution" they used instead seems like it will last
about as long as it takes to get a new IP address.

------
gadders
Funnily enough, I just finished reading a short story by Brad Taylor on this
very topic:

[http://www.goodreads.com/book/show/18849590-black-flag](http://www.goodreads.com/book/show/18849590-black-flag)

Entertaining if you like reading modern special forces fiction.

------
codeisawesome
> "These threat actors, while given points for creativity, were clearly not
> highly skilled..."

Wait so a few script kiddies were able to pwn a sophisticated company's "in
house CMS" (as if that was ever a good idea), and these guys are smug about
the fact that the Pirates made a few typos?!

~~~
jkot
And they ended future attacks by blocking IP address.. :-)

~~~
codeisawesome
Hahaha

------
bitwize
To paraphrase Grace Hopper -- first actual case of software pirates being
found.

------
bsder
I was going to make a comment about international waters and privateers ...

And then realized that simply closing the security hole gains them the same
amount of profit.

------
Joof
I like the part where they point out how unskilled they are, but still managed
to get the job done.

------
kartika-
If they're looking for booty why don't they use a porn site?

