Thieves Hacking Security Cameras?

The FBI is investigating fifteen store robberies in eleven states, committed via phone and internet. The perpetrators hack the store's security system so they can observe their victims. They then make customers take their clothes off and get the store to wire money. From the article, "A telephone caller making a bomb threat to a Hutchinson, Kan., grocery store kept more than 100 people hostage, demanding they disrobe and that the store wire money to his bank account. ... officials were investigating whether the caller was out of state and may have hacked into the store's security system. "If they can access the Internet, they can get to anything," Hutchinson Police Chief Dick Heitschmidt said. "Anyone in the whole world could have access, if that's what really happened.""

"wire money to his bank account"?

[TheLink]

Can't they follow the money trail from there?

Strange.

CCTV

[Recovering Hater]

Why are the security cameras on anything other than a closed circuit? It makes no sense for their cameras to be connected to the internet.

Re:CCTV

[Skapare]

Why are the security cameras on anything other than a closed circuit? It makes no sense for their cameras to be connected to the internet.

Many companies are cutting back on security staff by eliminating in-store people that watch the TV screens. The stores still have some roving security people, but the TV screen watching is now more automated, more centralized, and in some cases even pushed out to homes where people with broadband can be paid even less than the in-store people to sit and watch a bunch of TV camera images for hours, looking for suspect people.

It might be interesting if someone developed a way to fool those systems into thinking someone is watching (frequently clicking to see the next camera).

Re:CCTV

[Egonis]

I run a security consulting business, and one of the things we do is CCTV Camera Systems.

Most of our clients are hell-bent on having internet access so that they can remotely view and control their cameras, card access systems, and PA systems.

Although it is possible to hack these systems, it is a remote chance if configured properly like anything else.

My guess is that these incidents are with default usernames and passwords on the DVR and other equipment.

However, my question is: how did they find the IP of a target store?
It's one thing to want to rob a store, but it's another to know this type of sensitive information.
And in many cases, even large stores are using DSL or Cable where they get a dynamic IP.

Sounds like an inside job to me.

Re:CCTV

[canUbeleiveIT]

Last year we put a security camera system into a auto recycling yard using IP cameras. They had been suffering a rash of after-hours breakins to steal the platinum that is in old catalytic converters. The system recorded to a DVR, but also was hooked to motion sensors that, when activated, would call the manager's cell phone, as well as start pitching still shots across the internet to a remote ftp server.

Two weeks after installation, the thieves broke in. When they saw the cameras and the DVR, they set fire to the place to destroy the evidence, but the still photos were enough to identify and convict them. They haven't had a problem since.

Re:Dumber than dumb

[KudyardRipling]

This is called a JURY POOL TAINTING STATEMENT. It is designed to predispose those eligible for jury service in the jurisdictions involved to convict by using the element of fear and terror. Whenever a statement made by law enforcement officials about an alleged criminal act is broadcast, it should be quoted in the voir dire process to screen out the rubberstampers. These are defined as those who (are carefully instructed to) worry about wives, kids, homes, SUV's entertainment systems, 401k's vacations, etc. Since the media as an institution is presumed diligent in publishing such statements, there is a presumption of contamination on the part of the jury pool. That is why one of the boilerplate questions asked by the parties in court deals with this issue of media contaminating his/her worldview or view of the defendant.

Those who have a place in the system have no place in a jury.

Re:"wire money to his bank account"?

[Anonymous Coward]

That depends on what country the bank account is in. In some countries, bank accounts can't necessarily be tracked back to the owner, they are secured only by a really, really fscking long account number.

In civilized countries, bank accounts are always tracked back to the owner. Even in Switzerland, Luxembourg, Liechtenstein, etc. They are required to do so by the FATF and the OECD.

Whether the bank will cooperate is another story. Swiss banks will cooperate in cases of serious crime, if the offense is a crime in Switzerland. This case sounds like it would be a crime in Switzerland.

However, tax evasion is not a serious crime in Switzerland, so a Swiss bank will not cooperate when investigating tax evasion. This is one reason Swiss banks are so popular with foreigners.

Wireless

[Anonymous Coward]

However, my question is: how did they find the IP of a target store?
It's one thing to want to rob a store, but it's another to know this type of sensitive information.

In my WarDriving travels, I've come apon many SSID-hidden wireless networks around stores. Sometimes they aren't even encrypted. My recent curiosity with these nets reveals a few wifi networked cameras in some locations, and sometimes if you log into these networks, you can find a nat. From there it's simply accessing a site that gives you a IP.

But why bother when you already have access to there cameras via a unsecured access point?

Anonymous for obvious reasons.

YOU FUCKING LOVE IT

[Anonymous Coward]

inurl:/view/index.shtml
inurl:"ViewerFrame?Mode="
inurl:netw_tcp.shtml
intitle:"supervisioncam protocol"
inurl:CgiStart?page=Single
inurl:index Frame.shtml?newstyle=Quad
intitle:liveapplet inurl:LvAppl
inurl:/showcam.php?camid
inurl:vide o.cgi?resolution=
inurl:image?cachebust=
intitle :"Live View / - AXIS"
inurl:view/view.shtml
intext:"MOBOTIX M1"
intext:"Open Menu"
intitle:snc-rz30
inurl:home/
inurl:"Multi CameraFrame?Mode="
intitle:"EvoCam" inurl:"webcam.html"
intitle:"Live NetSnap Cam-Server feed"
intitle:"Live View / - AXIS 206M"
intitle:"Live View / - AXIS 206W"
intitle:"Live View / - AXIS 210"
inurl:indexFrame.shtml Axis
inurl:"ViewerFrame?Mode="
inurl:"MultiCamer aFrame?Mode=Motion"
intitle:start inurl:cgistart
intitle:"WJ-NT104 Main Page"
intext:"MOBOTIX M1" intext:"Open Menu"
intext:"MOBOTIX M10" intext:"Open Menu"
intext:"MOBOTIX D10" intext:"Open Menu"
intitle:snc-z20 inurl:home/
intitle:snc-cs3 inurl:home/
intitle:snc-rz30 inurl:home/
intitle:"sony network camera snc-p1"
intitle:"sony network camera snc-m1"
site:.viewnetcam.com -www.viewnetcam.com
intitle:"Toshiba Network Camera" user login
intitle:"netcam live image"
intitle:"i-Catcher Console - Web Monitor"
inurl:/home/home

Re:Dumber than dumb

[CellBlock]

You're right, but this isn't about "any forward-looking organization," it's about Wal-Mart, a company that has decided that prosecuting shoplifters isn't worth their time unless they're stealing a lot.

They'd probably harbor a sleeper cell in the loading dock as long as their supply chain of cheap Chinese crap doesn't slow down.