Please create an account to participate in the Slashdot moderation system


Forgot your password?
Communications Security

No Zombie Uprising, But Problems Persist With Emergency Alert System 54

chicksdaddy writes "More than six months after hacked Emergency Alert System (EAS) hardware allowed a phony warning about a zombie uprising to air in several U.S. states, a security consulting company is warning that serious issues persist in software from Monroe Electronics, whose equipment was compromised in the earlier attack. In a blog post, Mike Davis of the firm IOActive said patches issued by Monroe Electronics, the Lyndonville, New York firm that is a leading supplier of EAS hardware, do not adequately address problems raised earlier this year, including the use of 'bad and predictable' login credentials. Further inspection by Davis turned up other problems that were either missed in the initial code review or introduced by the patch. They include the use of “predictable and hard-coded keys and passwords,” as well as web-based backups that were publicly accessible and that contained valid user credentials. Monroe’s R-189 CAP-EAS product was the target of a hack in February during which EAS equipment operated by broadcasters in Montana, Michigan and other states was compromised and used to issue an alert claiming that the 'dead are rising from their graves,' and advising residents not to attempt to apprehend them. CAP refers to the Common Alerting Protocol, a successor to EAS. A recent search using the Shodan search engine by University of Florida graduate student Shawn Merdinger found more than 200 Monroe devices still accessible from the public Internet. 66% of those were running vulnerable versions of the Monroe firmware."
This discussion has been archived. No new comments can be posted.

No Zombie Uprising, But Problems Persist With Emergency Alert System

Comments Filter:
  • by djupedal ( 584558 ) on Saturday October 19, 2013 @11:21PM (#45178677)
    It's no longer just an uphill battle trying to make things secure - we've lost the war.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      We haven't lost the war. Cheap bastards simply don't care about security.

      • "Cheap"?

        Some people have figured out that wining and dining can get you lucrative government contracts (can anybody come up with a single valid reason why Diebold are still in the supply chain?), but "cheap" isn't a suitable adjective.

      • On the other hand, what idiot would think hacking an emergency alert system was funny?

        • Oh lighten up. Zombies are hardly believable and it is quite funny.

          If they wanted to be malicious there are far worse things they could have said.

    • by mirix ( 1649853 )

      Nah, it's the typical engineering trilemma... fast, good, cheap; pick two.

      Though if you want good, it won't be cheap, just cheaper than good and fast. That and for certain values of "fast", there's not enough money in the world to make it happen, buggy shit is inevitable.

      There's countless halfass buggy code embedded devices out there, and now more and more they are getting connected to the outside world. So we'll see more and more 'zombie attacks', or plant meltdowns or whatnot, I'm sure.

      Maybe the MBAs will

      • Well it took the NSA the snowden leaks before they implemented a 2 man sysadmin rule. the only way to teach half the population that fire is hot is by sticking their hands in the fire.

        The only way to prove that you need security is by letting them get burned by the lack of it a couple of times.

      • Why does an early warning system need to be 'fast'?

        A latency in minutes won't make much difference to the general population. It just gives them an extra minute of panic.

        • For a forest fire or flooding situation you'd probably be right, minutes aren't going to matter much. But for something like a poison gas release at a chemical plant or tornado warning seconds can count. Theirs stories from tornado alley where people heard an emergency alert over the radio/TV and as they were making their way to their basement/shelter a minute later the house was being torn apart around them.

      • by gl4ss ( 559668 )

        if you contract to the persons who offered you biggest bribes you might very well end up with shitty, expensive and slowly delivered.

        contracting isn't just about cheap, fast or good.

    • They really just need to put their best brains together on it.

    • One can only hope that Zombies don't seek legal representation for this Hate Crime?
  • OT TWC EAS Rant... (Score:5, Interesting)

    by glavenoid ( 636808 ) on Saturday October 19, 2013 @11:28PM (#45178699) Journal

    Time warner cable recently "upgraded" several of our analog cable channels to the basic digital tier which now requires a digital adapter. Unfortunately some of these are local stations that I watch regularly, so if I want to watch them I need the adapter, and using the adapter is mutually exclusive with regular analog cable without running a convoluted system of splitters and coax. Now after "upgrading" with the free digital adapter it's been *incessant* EAS tests and bogus alerts, sometimes going off every hour for days at a time, and the people at TWC can't or won't even attempt to fix it. This is annoying enough, but during one of these swarms of false alerts there was a REAL alert of a TORNADO in the area that ended up doing a lot of damage nearby. TWC's stupid mismanagement of the EAS system has completely undermined the use of the system itself. Bastards. Rant over.

    • by Opportunist ( 166417 ) on Saturday October 19, 2013 @11:41PM (#45178753)

      As long as there is no fine for this kind of behaviour, it will not change. The only language corporations understand is one that hits them in their wallet.

      • by Anonymous Coward

        Well, either that or targeted killing of the board members with drones.

        • Didn't hear the news? These things are woefully inaccurate. Else I'd agree, but you might hit someone who'd actually do some meaningful work, so no go.

      • No need to get the bought off politicians to fine them when you can simply stop doing business with them. Cable television is not a life essential service. One month of your cable bill is likely enough cash to purchase everything that most people would need for solid OTA reception.

        • I live in the country about 35 miles from the nearest city with a TV station. I found long ago that I could use the amplified rabit ear style antennas and pick up about 15 stations. Granted, some of those stations are split channels of another station but I find all the major networks are more then covered. I get OBS, the local Fox, cbs, nbc, abd, CW and some religious channels that believe it or not, have some decent movies that aren't all preachy.

          Anyways, I think the rabbit ears cost about $35 and I neede

          • by muridae ( 966931 )
            Flat land, or hills/mountains? Cause in the Appalachian mountains, 35 miles can be in range of one station in the city, and out of range of another just because of which hill they put their towers on. Can't imagine that the biggest west coast mountains would be any friendlier to TV signals.
            • Reletively flat compared to mountians in north corolina but im in a vally. I don't have good reception without the amplified antenna and the switch to digital made a huge difference.

              All i can suggest is to try and find out on one tv before cutting the cable.

              • by muridae ( 966931 )

                Won't get an argument from me about that point. I do without cable just fine. But, I can only get 2 channels (cbs and ion, PBS if I can ever keep the cat away from the VHF rabbit ears). I'm less than 35 from the broadcast towers for about 6 stations, but my line of sight hits so many hills that I'd need a highly directional antenna with a pre-amp according to the various websites that do that topology map stuff. My omni antenna or the small directional that I can put in the window (rented place, no rooftop

    • It's funny, I was going to say that I hope there isn't a REAL zombie uprising or we'd all be sitting around so complacent; and then you kill my joke with an actual life-threatening account...
    • NOAA Weather Radio [] should be receivable anywhere in CONUS and there are decent radios to be had (that will activate automatically during severe weather events) for less than $50. Something worth considering.

      As far as the asshats at TWC, have you considered going OTA-only or at least OTA for your local channels? If you're lucky you have a local station with a good weather operation that will go above and beyond the EAS reporting -- one of our local stations preempted NBC for the better part of an hour wh

  • by Anonymous Coward

    Last time it was zombies and we kind of know that to be fake when we hear it. Next time it might be something serious like a nuclear reactor meltdown and people will flee. Maybe it will be secure enough to prevent the average hacker from getting in, but what if the hacker turns out to be an expert team of special agents from another country? We don't have to consider if they have a motive for doing so because they might have a motive we will never figure out, at least not in advance.

    When will people in char

  • by betterprimate ( 2679747 ) on Sunday October 20, 2013 @12:50AM (#45178963)

    ... is when your message me and a 6 million others at 4 in the morning because some kid (white) is missing.

    Do your fucking jobs, assholes. Next time you message me, you are agreeing to the updated ToS that you will find in your inbox next week. Each message I receive will cost you a $1000. Is it worth it?

    Scratch that, let's make it $10K.

    Law is fun.

    • Wow. I am glad that Amber Alerts are opt-in in the Netherlands. Granted: I opted in, but to have no choice would suck.
  • They need MyCleanPC!

  • They include the use of âoepredictable and hard-coded keys and passwords,â

    Hey, if it's good enough for the pentagon...

Usage: fortune -P [] -a [xsz] [Q: [file]] [rKe9] -v6[+] dataspec ... inputdir