Thieves Hacking Security Cameras?

Journal written by Erris (531066) and posted by samzenpus on Thu Aug 30, 2007 07:04 AM
from the steal-from-home dept.
The FBI is investigating fifteen store robberies in eleven states, committed via phone and internet. The perpetrators hack the store's security system so they can observe their victims. They then make customers take their clothes off and get the store to wire money. From the article, "A telephone caller making a bomb threat to a Hutchinson, Kan., grocery store kept more than 100 people hostage, demanding they disrobe and that the store wire money to his bank account. ... officials were investigating whether the caller was out of state and may have hacked into the store's security system. "If they can access the Internet, they can get to anything," Hutchinson Police Chief Dick Heitschmidt said. "Anyone in the whole world could have access, if that's what really happened.""

  • Dumber than dumb (Score:5, Insightful)

    by BobTheLawyer (692026) on Thursday August 30, @07:06AM (#20409759)
    Has there ever been a more stupid quote than:

    "If they can access the Internet, they can get to anything," Hutchinson Police Chief Dick Heitschmidt said. "Anyone in the whole world could have access, if that's what really happened."
    • Re: (Score:3, Insightful)

      by Anonymous Coward
      Not TOO far from the truth. Often the security cameras are accessible to anyone with a browser and without password protection or with a password that's ridiculously easy to guess.
    • Re: (Score:2)

      We need to get that on T-shirts. Black T-shirts. Just to scare non-techs.
    • Re:Dumber than dumb (Score:5, Interesting)

      by KudyardRipling (1063612) on Thursday August 30, @07:36AM (#20409961)
      This is called a JURY POOL TAINTING STATEMENT. It is designed to predispose those eligible for jury service in the jurisdictions involved to convict by using the element of fear and terror. Whenever a statement made by law enforcement officials about an alleged criminal act is broadcast, it should be quoted in the voir dire process to screen out the rubberstampers. These are defined as those who (are carefully instructed to) worry about wives, kids, homes, SUVs, entertainment systems, 401ks, vacations, etc. Since the media as an institution is presumed diligent in publishing such statements, there is a presumption of contamination on the part of the jury pool. That is why one of the boilerplate questions asked by the parties in court deals with this issue of media contaminating his/her worldview or view of the defendant.

      Those who have a place in the system have no place in a jury.
      [ Parent ]
              • Re:Dumber than dumb (Score:4, Insightful)

                by 5KVGhost (208137) on Thursday August 30, @10:37AM (#20412089)
                I don't see anything controversial about that case. If you actively participate in a violent crime and someone dies then you're just as responsible as the person who pulls the trigger. Don't want to be responsible for a murder? Then don't be a getaway driver for a gang of doped up armed robbers. It's not difficult.
                [ Parent ]
    • Re:Dumber than dumb (Score:5, Funny)

      by LarsWestergren (9033) on Thursday August 30, @07:53AM (#20410117) Homepage Journal
      Has there ever been a more stupid quote than:
      "If they can access the Internet, they can get to anything," Hutchinson Police Chief Dick Heitschmidt said. "Anyone in the whole world could have access, if that's what really happened."


      Yes. I think "No, it's not loaded! Here, I'll prove it to you!" beats it.
      [ Parent ]
      • Re: (Score:3, Informative)

        "No, it's not loaded! Here, I'll prove it to you!"


        If only we could get Police Chief Dick Heitschmidt to say that as well ;)
    • Re:Dumber than dumb (Score:4, Funny)

      by WhatAmIDoingHere (742870) * <sexwithanimals@gmail.com> on Thursday August 30, @07:55AM (#20410151) Homepage
      "hackers on steroids"
      "internet hate machine"
      Wait until these stores get dogs and curtains, then we'll be REALLY fucked.
      [ Parent ]
      • Re:Dumber than dumb (Score:5, Funny)

        by lordofthechia (598872) on Thursday August 30, @09:25AM (#20411169)
        From the article (Piro is the manager)....

        "He then demanded that one of Piros' fingers be cut off for every hour his demands were not met, and another employee got a butcher knife on his orders"

        Anybody wanna take bets on who was the first person fired after this incident?
        [ Parent ]
          • Re:Dumber than dumb (Score:4, Interesting)

            by CellBlock (856082) on Thursday August 30, @10:38AM (#20412097)
            You're right, but this isn't about "any forward-looking organization," it's about Wal-Mart, a company that has decided that prosecuting shoplifters isn't worth their time unless they're stealing a lot.

            They'd probably harbor a sleeper cell in the loading dock as long as their supply chain of cheap Chinese crap doesn't slow down.
            [ Parent ]
  • by EveryNickIsTaken (1054794) on Thursday August 30, @07:10AM (#20409777)
    I'm sure Jack Thompson will blame this on BioShock.
  • "wire money to his bank account"? (Score:5, Interesting)

    by TheLink (130905) on Thursday August 30, @07:13AM (#20409799) Journal
    Can't they follow the money trail from there?

    Strange.
  • Get the RIAA in on the case! (Score:5, Funny)

    by threaded (89367) on Thursday August 30, @07:14AM (#20409807) Homepage
    Why don't these stores copyright their video feed and then let loose the RIAA on the perps. That'll stop 'em!
    • Re: (Score:3, Funny)

      That would be the MPAA. RIAA would be if the store's music that is constantly interrupted by screaming cashiers showed up on the Internet.
  • Is the footage on YouTube? (Score:5, Funny)

    by 140Mandak262Jamuna (970587) on Thursday August 30, @07:14AM (#20409815) Journal
    He did not record the security camera footage and upload it to YouTube? Dumb idiot. This is what dumbing down of America has done to the respectable profession of robbery.
  • CCTV (Score:5, Interesting)

    by Recovering Hater (833107) on Thursday August 30, @07:18AM (#20409833)
    Why are the security cameras on anything other than a closed circuit? It makes no sense for their cameras to be connected to the internet.
    • Re:CCTV (Score:5, Funny)

      by MyLongNickName (822545) on Thursday August 30, @07:28AM (#20409895) Journal
      How else do you outsource your security work to India?
      [ Parent ]
    • Re:CCTV (Score:5, Interesting)

      by Skapare (16644) on Thursday August 30, @07:28AM (#20409899) Homepage

      Why are the security cameras on anything other than a closed circuit? It makes no sense for their cameras to be connected to the internet.

      Many companies are cutting back on security staff by eliminating in-store people that watch the TV screens. The stores still have some roving security people, but the TV screen watching is now more automated, more centralized, and in some cases even pushed out to homes where people with broadband can be paid even less than the in-store people to sit and watch a bunch of TV camera images for hours, looking for suspect people.

      It might be interesting if someone developed a way to fool those systems into thinking someone is watching (frequently clicking to see the next camera).

      [ Parent ]
    • Re:CCTV (Score:5, Interesting)

      by Egonis (155154) on Thursday August 30, @07:29AM (#20409905)
      I run a security consulting business, and one of the things we do is CCTV Camera Systems.

      Most of our clients are hell-bent on having internet access so that they can remotely view and control their cameras, card access systems, and PA systems.

      Although it is possible to hack these systems, it is a remote chance if configured properly like anything else.

      My guess is that these incidents are with default usernames and passwords on the DVR and other equipment.

      However, my question is: how did they find the IP of a target store?
      It's one thing to want to rob a store, but it's another to know this type of sensitive information.
      And in many cases, even large stores are using DSL or Cable where they get a dynamic IP.

      Sounds like an inside job to me.
      [ Parent ]
      • It's easy - most of the cameras have a default control page. You just Google for that keyword and it will often return lots of hits of cameras with webservers that are exposed to the internet - say that $CAMERAMAKER has a default webpage of http://camerasi [camerasite]
      • Re: (Score:2)

        However, my question is: how did they find the IP of a target store?

        In the olden days of modem-connected monitoring equipment, we called it "war dialing". What do the kids call it now, "war surfing"? Start at 0.0.0.0 and increment through FF.FF.FF.FF,

      • However, my question is: how did they find the IP of a target store? It's one thing to want to rob a store, but it's another to know this type of sensitive information.
        IPs are about as sensitive as a street address. Send an email to the store's staff about any stupid thing that would warrant a reply, get an IP back in the headers. Or just give them a web link to click, or an email that takes advantage of crappy Outloo
      • Wireless (Score:5, Interesting)

        by Anonymous Coward on Thursday August 30, @08:10AM (#20410309)

        However, my question is: how did they find the IP of a target store?
        It's one thing to want to rob a store, but it's another to know this type of sensitive information.


        In my WarDriving travels, I've come upon many SSID-hidden wireless networks around stores. Sometimes they aren't even encrypted. My recent curiosity with these nets reveals a few wifi networked cameras in some locations, and sometimes if you log into these networks, you can find a NAT. From there it's simply accessing a site that gives you an IP.

        But why bother when you already have access to their cameras via an unsecured access point?

        Anonymous for obvious reasons.
        [ Parent ]
      • Re: (Score:3, Insightful)

        Although it is possible to hack these systems, it is a remote chance if configured properly like anything else.

        They rarely are. As a Technology specialist company that also does cameras, we find that 9 times out of ten the default passwords are set for t
        • Re:CCTV (Score:4, Informative)

          by Fox_1 (128616) on Thursday August 30, @10:44AM (#20412191)
          Mod Parent up - this was actually withdrawn yesterday - the cops spread a little FUD with their Internet Hackers working the Security Camera Comments - but now they have backed off on this statement, particularly since the Hutchinson Incident was caused by locals who have been taken into custody.
          see here [kansas.com]
          Oh and no bombs have ever been found, there are a lot of embarrassed people out there who have really overreacted to these 'menacing & scary' phone calls.
          [ Parent ]
    • Why CCTV is on the internet (Score:5, Informative)

      by G4from128k (686170) on Thursday August 30, @07:30AM (#20409907)
      It's a valid question. Companies put security cameras on the internet to enable remote recording and control. It lets the central office or outsourced security firm handle all the digital video and dispatch police/fire services from a cost-efficient central location. If you owned 100 convenience stores in 10 states, where would you put the security office and how would you link them?

      Rather than build a dedicated hardwired telecom network, companies are using the internet to connect everything together (security systems, financial systems, medical records, industrial control, etc.) As we can see from this example, they think they've created their own virtual network (of some degree of privacy), but in practice, the system is extremely vulnerable. I'd bet that more than a few internet-connected security cameras run with factory-default passwords.
      [ Parent ]
      • Re: (Score:2)

        I'd bet that more than a few internet-connected security cameras run with factory-default passwords.

        And even if they change it, there's still the "Joshua" back door.

    • Re: (Score:2)

      Why are the security cameras on anything other than a closed circuit? It makes no sense for their cameras to be connected to the internet.

      I don't know that they actually are interwebbed, but if they were, it would be to save money over having a dedicated

    • Re:CCTV (Score:5, Interesting)

      by canUbeleiveIT (787307) on Thursday August 30, @07:36AM (#20409959)
      Last year we put a security camera system into an auto recycling yard using IP cameras. They had been suffering a rash of after-hours break-ins to steal the platinum that is in old catalytic converters. The system recorded to a DVR, but also was hooked to motion sensors that, when activated, would call the manager's cell phone, as well as start pitching still shots across the internet to a remote ftp server.

      Two weeks after installation, the thieves broke in. When they saw the cameras and the DVR, they set fire to the place to destroy the evidence, but the still photos were enough to identify and convict them. They haven't had a problem since.
      [ Parent ]
    • Re:CCTV (Score:4, Informative)

      by ptbarnett (159784) on Thursday August 30, @07:56AM (#20410169)
      Why are the security cameras on anything other than a closed circuit? It makes no sense for their cameras to be connected to the internet.

      Read further in TFA:

      Initially, the caller led employees to believe he was observing them.

      "After a while, it sounded like he was just taking a shot in the dark at what they might be doing, or what they looked like or how they were reacting to his call," Prescott police Lt. Ken Morley said.

      [ Parent ]
  • I was fooled too (Score:5, Funny)

    by clovis (4684) * on Thursday August 30, @07:29AM (#20409903)
    My wife came in and found me sitting on the floor in my underwear. I had only skimmed the slashdot article and thought that it was a disrobe-or-get-bombed threat against me. It seems that the Slashdot is only _reporting_ a bomb threat and isn't actually going to blow us up.
    Also, would CowboyNeal please send back my $3,000?
  • Sparks (Score:2)

    This could be one of the first, and certainly not the last, case of people using security devices against the people whom they were designed to protect.

    How are those net-enabled security cameras working out for you?
  • Internet security system .. (Score:3, Insightful)

    by rs232 (849320) <emacsuser@ l i n u x m a i l .org> on Thursday August 30, @07:32AM (#20409927)
    "officials were investigating whether the caller was out of state and may have hacked [kpho.com] into the store's security system"

    "If they can access the Internet, they can get to anything"

    "Anyone in the whole world could have access, if that's what really happened"

    What kind of idiot would connect the security system to the Internet so that 'they' could get to anything. Didn't they put it on a private VPN or use a password even?

    "The FBI was looking into whether the calls to the banks and stores were being placed from overseas"

    I thought DCSNet [slashdot.org] was designed to provide instant access to such information. Provides absolutely no evidence of any such hacking. Sounds to me like a low level extortion plot apart from the mention of the (scary) Internet and hackers (even more scary). Since when do sophisticated thieves use Western Union and wire themselves $3,000 with a $150 service charge. Who paid the charge I wonder.

    We get bomb threats here all the time, so don't take any notice ...
  • "hacked" by simply using Google? (Score:3, Insightful)

    by Speare (84249) on Thursday August 30, @07:47AM (#20410041) Homepage

    There are many store monitor camera systems that are installed with poor defaults and wide open access. Several makers' web interfaces have easy formulaic URLs to select different store views, and these commonly can be searched with plain old web search engines. This was a fun thing to do a few years back, with whole sites dedicated to lists of web cams that were likely not intended for global viewership. Without any real evidence that the web cameras were "hacked" I think it's a big stretch to assume any skill was involved here.

  • Another law broken? (Score:5, Funny)

    by Ukab the Great (87152) on Thursday August 30, @07:51AM (#20410091)
    I'm sure that in some states, 100 naked people in a store legally counts as an orgy.
  • In other news... (Score:4, Informative)

    by dark-br (473115) on Thursday August 30, @08:10AM (#20410307) Homepage
    People are stupid. Google for: inurl:"ViewerFrame?Mode="

    And have fun...
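
Added example, not part of the original thread: the comments above describe camera web interfaces that are reachable from the internet and turn up in search engines through formulaic URLs; an operator can see from the web access log whether that is happening to their own camera. The combined-format log lines, the trusted network and the `Mode=` values are constructed assumptions; the `/ViewerFrame` path comes from the search string quoted in the thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: combined-format access log in front of a camera's web
# interface. Addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
10.20.0.15 - - [30/Aug/2007:06:58:11 -0500] "GET /ViewerFrame?Mode=Motion HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [30/Aug/2007:07:01:42 -0500] "GET /ViewerFrame?Mode=Motion HTTP/1.1" 200 5120 "http://www.google.com/search?q=viewerframe" "Mozilla/5.0"
198.51.100.9 - - [30/Aug/2007:07:03:05 -0500] "GET /ViewerFrame?Mode=Refresh HTTP/1.1" 401 312 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Aug/2007:07:03:09 -0500] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

# Assumptions: networks allowed to view the cameras, and the viewer paths to watch.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
VIEWER_PATHS = ("/ViewerFrame",)
SEARCH_LABELS = {"google", "bing", "yahoo"}


def is_trusted(ip):
    """True if the client address belongs to a trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in TRUSTED_NETS)


def referred_by_search(referer):
    """True if the Referer host looks like a search engine result page."""
    host = urlsplit(referer).hostname or ""
    return bool(SEARCH_LABELS.intersection(host.split(".")))


def audit(log_text):
    """Return (ip, target, tags) for every external hit on a viewer page."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        if not path.startswith(VIEWER_PATHS) or is_trusted(m["ip"]):
            continue
        tags = []
        status = int(m["status"])
        if status == 200 and m["user"] == "-":
            tags.append("served-without-auth")  # live view with no login at all
        elif status in (401, 403):
            tags.append("auth-enforced")  # exposed, but a login was demanded
        if referred_by_search(m["referer"]):
            tags.append("indexed-by-search-engine")
        findings.append((m["ip"], m["target"], tags))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Any `served-without-auth` finding means the viewer page answers strangers; one that also carries `indexed-by-search-engine` means the page is already listed in a search index.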

  • by Master of Transhuman (597628) on Thursday August 30, @01:06PM (#20414289)
    Yeah, wire me the money - I'll get it someday when the police aren't looking...

    This was a hoax, a prank. Somebody was just having fun jerking people around.

    And see how easy it was. Anybody remember the Chinese Fire Drill in the book "Illuminatus?" Act authoritative - or threatening in this case - and spew out some orders, and everybody falls right into line like lemmings.

    The first response to the bomb threat should have been, "Fine - set it off. We'll settle up later, asshole."

    • You mean like this one ...

    • Re:Duh (Score:5, Informative)

      by Lumpy (12016) on Thursday August 30, @08:15AM (#20410361) Homepage
      Mostly it's incompetent IT and store managers that have installed Panasonic IP cameras and left them not only wide open but on the internet because the store managers are retarded and want to spend their life watching the employees.

      ALL of this stuff goes right back to raging incompetence. It's incredible how little these stores pay for IT, I had to teach the IT specialists for Walmart how to do basic networking when we were helping a client set up their network for their restaurant inside a new Walmart store. The Walmart head of networking, or so he claimed to be, told me it was impossible to tunnel IP traffic safely through a network, no, he did not understand what a VPN was and then told me that VPN is not allowed as it's insecure and unencrypted!.... and then I had to hold their hands and show them how easy it really is to patch a phone line to a cat 5 jack in the phone room. Their network engineer told me flat out that DSL will not work over cat-5e cable. "The phone company uses Cat6 to your house!" is what he said. I was amazed at how undereducated these IT and networking people were.

      With that kind of incompetence due to very low pay, it does not surprise me that security cameras are put on the net directly.
      [ Parent ]
      • Re: (Score:3, Insightful)

        That's no wonder. What happens here is the combination of some unhealthy factors.

        1. The cheapest guy gets the job. Now, the cheapest is never the best, and rarely even good enough to actually do it good.
        2. As soon as it "works", stop working on it. As soon
    • YOU FUCKING LOVE IT (Score:5, Interesting)

      by Anonymous Coward on Thursday August 30, @08:30AM (#20410487)

      [ Parent ]
      • Re:Duh (Score:5, Funny)

        by CmdrGravy (645153) on Thursday August 30, @08:19AM (#20410383) Homepage
        Have you tried

        "Hi, I am ze plumber. I haf com to examine ze pipework, ver can I place my tooool ? It is ver huge and I can't keep it in here much longer"
        [ Parent ]
    • Re: (Score:3, Insightful)

      Probably testing the waters (i.e. make sure they're intimidated into doing whatever the thieves say) before giving them bank account information to do the wire transfers.
    • Re: (Score:3, Funny)

      1. Open store
      2. Receive bomb threat
      3. Ignore demands, find bomb
      4. Sell bomb on black market
      5. Profit!!!
      6. Goto Step2