No Zombie Uprising, But Problems Persist With Emergency Alert System
chicksdaddy writes "More than six months after hacked Emergency Alert System (EAS) hardware allowed a phony warning about a zombie uprising to air in several U.S. states, a security consulting company is warning that serious issues persist in software from Monroe Electronics, whose equipment was compromised in the earlier attack. In a blog post, Mike Davis of the firm IOActive said patches issued by Monroe Electronics, the Lyndonville, New York firm that is a leading supplier of EAS hardware, do not adequately address problems raised earlier this year, including the use of 'bad and predictable' login credentials. Further inspection by Davis turned up other problems that were either missed in the initial code review or introduced by the patch. They include the use of “predictable and hard-coded keys and passwords,” as well as web-based backups that were publicly accessible and that contained valid user credentials. Monroe’s R-189 CAP-EAS product was the target of a hack in February during which EAS equipment operated by broadcasters in Montana, Michigan and other states was compromised and used to issue an alert claiming that the 'dead are rising from their graves,' and advising residents not to attempt to apprehend them. CAP refers to the Common Alerting Protocol, a successor to EAS. A recent search using the Shodan search engine by University of Florida graduate student Shawn Merdinger found more than 200 Monroe devices still accessible from the public Internet. 66% of those were running vulnerable versions of the Monroe firmware."
Anyone noticed. . . (Score:4, Insightful)
Re: (Score:3, Insightful)
We haven't lost the war. Cheap bastards simply don't care about security.
Re: (Score:3)
"Cheap"?
Some people have figured out that wining and dining can get you lucrative government contracts (can anybody come up with a single valid reason why Diebold are still in the supply chain?), but "cheap" isn't a suitable adjective.
Re: (Score:1)
On the other hand, what idiot would think hacking an emergency alert system was funny?
Re: (Score:2)
Oh lighten up. Zombies are hardly believable and it is quite funny.
If they wanted to be malicious there are far worse things they could have said.
Re: (Score:3)
Nah, it's the typical engineering trilemma... fast, good, cheap; pick two.
Though if you want good, it won't be cheap, just cheaper than good and fast. That and for certain values of "fast", there's not enough money in the world to make it happen, buggy shit is inevitable.
There's countless halfass buggy code embedded devices out there, and now more and more they are getting connected to the outside world. So we'll see more and more 'zombie attacks', or plant meltdowns or whatnot, I'm sure.
Maybe the MBAs will
Re: (Score:3)
Well, it took the NSA the Snowden leaks before they implemented a 2-man sysadmin rule. The only way to teach half the population that fire is hot is by sticking their hands in the fire.
The only way to prove that you need security is by letting them get burned by the lack of it a couple of times.
Re: (Score:2)
Why does an early warning system need to be 'fast'?
A latency in minutes won't make much difference to the general population. It just gives them an extra minute of panic.
Re: (Score:3)
For a forest fire or flooding situation you'd probably be right, minutes aren't going to matter much. But for something like a poison gas release at a chemical plant or tornado warning, seconds can count. There are stories from tornado alley where people heard an emergency alert over the radio/TV and as they were making their way to their basement/shelter a minute later the house was being torn apart around them.
Re: (Score:2)
If you contract to the persons who offered you the biggest bribes, you might very well end up with shitty, expensive and slowly delivered.
Contracting isn't just about cheap, fast or good.
Re: (Score:2)
They really just need to put their best brains together on it.
Re: (Score:2)
They can't. The zombies already ate their brains.
OT TWC EAS Rant... (Score:5, Interesting)
Time Warner Cable recently "upgraded" several of our analog cable channels to the basic digital tier which now requires a digital adapter. Unfortunately some of these are local stations that I watch regularly, so if I want to watch them I need the adapter, and using the adapter is mutually exclusive with regular analog cable without running a convoluted system of splitters and coax. Now after "upgrading" with the free digital adapter it's been *incessant* EAS tests and bogus alerts, sometimes going off every hour for days at a time, and the people at TWC can't or won't even attempt to fix it. This is annoying enough, but during one of these swarms of false alerts there was a REAL alert of a TORNADO in the area that ended up doing a lot of damage nearby. TWC's stupid mismanagement of the EAS system has completely undermined the use of the system itself. Bastards. Rant over.
Re:OT TWC EAS Rant... (Score:5, Insightful)
As long as there is no fine for this kind of behaviour, it will not change. The only language corporations understand is one that hits them in their wallet.
Re: (Score:1)
Well, either that or targeted killing of the board members with drones.
Re: (Score:2)
Didn't hear the news? These things are woefully inaccurate. Else I'd agree, but you might hit someone who'd actually do some meaningful work, so no go.
Re: (Score:2)
I live in the country about 35 miles from the nearest city with a TV station. I found long ago that I could use the amplified rabbit-ear style antennas and pick up about 15 stations. Granted, some of those stations are split channels of another station, but I find all the major networks are more than covered. I get OBS, the local Fox, CBS, NBC, ABC, CW and some religious channels that, believe it or not, have some decent movies that aren't all preachy.
Anyways, I think the rabbit ears cost about $35 and I neede
Re: (Score:2)
Relatively flat compared to mountains in North Carolina, but I'm in a valley. I don't have good reception without the amplified antenna and the switch to digital made a huge difference.
All I can suggest is to try and find out on one TV before cutting the cable.
Re: (Score:2)
Won't get an argument from me about that point. I do without cable just fine. But, I can only get 2 channels (cbs and ion, PBS if I can ever keep the cat away from the VHF rabbit ears). I'm less than 35 from the broadcast towers for about 6 stations, but my line of sight hits so many hills that I'd need a highly directional antenna with a pre-amp according to the various websites that do that topology map stuff. My omni antenna or the small directional that I can put in the window (rented place, no rooftop
Re: (Score:2)
Lined or not does not matter. The only thing that matters is whether at the end of the day playing by the rules or considering the fines some sort of cost of operation is cheaper.
More and more often, rules and regulations (and the fines associated with them) are handled by risk management rather than legal. As soon as legal decides that there is no loophole, risk management gets to assess the chance to be caught and after that, all that matters is the equation "cost to mitigate vs chance to be caught times
Re: (Score:2)
I agree with the perp-walk. Perhaps even just 50 hours of nothing-but-no-negotiation trash pick up on the highway for 8-10 weekends.
Executives and board members tend to be douchenozzles. Make the buck stop there and I think we would be pleasantly surprised how employees and contractors would be heavily motivated by management to perform actual quality control.
Money is a poor motivator when your time is priceless. I've always said that a weekend of community service can be worse than the heftiest fine...
Afte
Re: (Score:2)
Considering that C-suite executives tend to change employers every few years, often it's also a matter of whether management thinks the problem will come home to roost before they've found another company to destroy.
Crying "Wolf!" (Score:1)
Re: (Score:3)
That's the plan, son. That's the plan.
Serious fake messages (Score:1)
Last time it was zombies and we kind of know that to be fake when we hear it. Next time it might be something serious like a nuclear reactor meltdown and people will flee. Maybe it will be secure enough to prevent the average hacker from getting in, but what if the hacker turns out to be an expert team of special agents from another country? We don't have to consider if they have a motive for doing so because they might have a motive we will never figure out, at least not in advance.
When will people in char
Re: (Score:2)
It'll probably be PF McChangs.
The real problem... (Score:3)
... is when you message me and 6 million others at 4 in the morning because some kid (white) is missing.
Do your fucking jobs, assholes. Next time you message me, you are agreeing to the updated ToS that you will find in your inbox next week. Each message I receive will cost you $1000. Is it worth it?
Scratch that, let's make it $10K.
Law is fun.
ob (Score:2)
They need MyCleanPC!
time to extradite an aspie ... (Score:2)
Hey, if it's good enough for the Pentagon...