Slashdot Mirror

← Back to Stories (view on slashdot.org)

No Zombie Uprising, But Problems Persist With Emergency Alert System

Posted by Soulskill on from the can-it-be-aliens-next-time-please dept.

chicksdaddy writes "More than six months after hacked Emergency Alert System (EAS) hardware allowed a phony warning about a zombie uprising to air in several U.S. states, a security consulting company is warning that serious issues persist in software from Monroe Electronics, whose equipment was compromised in the earlier attack. In a blog post, Mike Davis of the firm IOActive said patches issued by Monroe Electronics, the Lyndonville, New York firm that is a leading supplier of EAS hardware, do not adequately address problems raised earlier this year, including the use of 'bad and predictable' login credentials. Further inspection by Davis turned up other problems that were either missed in the initial code review or introduced by the patch. They include the use of “predictable and hard-coded keys and passwords,” as well as web-based backups that were publicly accessible and that contained valid user credentials. Monroe’s R-189 CAP-EAS product was the target of a hack in February during which EAS equipment operated by broadcasters in Montana, Michigan and other states was compromised and used to issue an alert claiming that the 'dead are rising from their graves,' and advising residents not to attempt to apprehend them. CAP refers to the Common Alerting Protocol, a successor to EAS. A recent search using the Shodan search engine by University of Florida graduate student Shawn Merdinger found more than 200 Monroe devices still accessible from the public Internet. 66% of those were running vulnerable versions of the Monroe firmware."

54 comments

  1. Anyone noticed. . . by djupedal · · Score: 3, Insightful

    It's no longer just an uphill battle trying to make things secure - we've lost the war.

    1. Re:Anyone noticed. . . by Anonymous Coward · · Score: 3, Insightful

      We haven't lost the war. Cheap bastards simply don't care about security.

    2. Re:Anyone noticed. . . by Anonymous Coward · · Score: 0

      Or maybe management just want the $ and are incompetent.

    3. Re:Anyone noticed. . . by mirix · · Score: 2

      Nah, it's the typical engineering trilemma... fast, good, cheap; pick two.

      Though if you want good, it won't be cheap, just cheaper than good and fast. That and for certain values of "fast", there's not enough money in the world to make it happen, buggy shit is inevitable.

      There's countless halfass buggy code embedded devices out there, and now more and more they are getting connected to the outside world. So we'll see more and more 'zombie attacks', or plant meltdowns or whatnot, I'm sure.

      Maybe the MBAs will eventually figure out the importance of security, but not likely.

      --
      Sent from my PDP-11
    4. Re:Anyone noticed. . . by alostpacket · · Score: 1

      They really just need to put their best brains together on it.

      --
      PocketPermissions Android Permission Guide
    5. Re:Anyone noticed. . . by peragrin · · Score: 2

      Well it took the NSA the snowden leaks before they implemented a 2 man sysadmin rule. the only way to teach half the population that fire is hot is by sticking their hands in the fire.

      The only way to prove that you need security is by letting them get burned by the lack of it a couple of times.

      --
      i thought once I was found, but it was only a dream.
    6. Re:Anyone noticed. . . by Joce640k · · Score: 2

      "Cheap"?

      Some people have figured out that wining and dining can get you lucrative government contracts (can anybody come up with a single valid reason why Diebold are still in the supply chain?), but "cheap" isn't a suitable adjective.

      --
      No sig today...
    7. Re:Anyone noticed. . . by Joce640k · · Score: 1

      Why does an early warning system need to be 'fast'?

      A latency in minutes won't make much difference to the general population. It just gives them an extra minute of panic.

      --
      No sig today...
    8. Re:Anyone noticed. . . by gl4ss · · Score: 1

      if you contract to the persons who offered you biggest bribes you might very well end up with shitty, expensive and slowly delivered.

      contracting isn't just about cheap, fast or good.

      --
      world was created 5 seconds before this post as it is.
    9. Re:Anyone noticed. . . by Anonymous Coward · · Score: 0

      'Fast' refers to the time it takes to implement the system, not to operate it once running. An emergency alert system isn't much use if it's delivered 10 years after a major disaster.

    10. Re:Anyone noticed. . . by Dereck1701 · · Score: 2

      For a forest fire or flooding situation you'd probably be right, minutes aren't going to matter much. But for something like a poison gas release at a chemical plant or tornado warning seconds can count. Theirs stories from tornado alley where people heard an emergency alert over the radio/TV and as they were making their way to their basement/shelter a minute later the house was being torn apart around them.

    11. Re:Anyone noticed. . . by garyoa1 · · Score: 1

      On the other hand, what idiot would think hacking an emergency alert system was funny?

      --
      Wuddooeyeno? IITYWYBMAD? Like nuts? eclecticallyincorrect.com
    12. Re:Anyone noticed. . . by LifesABeach · · Score: 1

      One can only hope that Zombies don't seek legal representation for this Hate Crime?

    13. Re:Anyone noticed. . . by cheater512 · · Score: 1

      Oh lighten up. Zombies are hardly believable and it is quite funny.

      If they wanted to be malicious there are far worse things they could have said.

    14. Re:Anyone noticed. . . by cheater512 · · Score: 1

      They can't. The zombies already ate their brains.

    15. Re:Anyone noticed. . . by Neil+Boekend · · Score: 1

      The "cheap" is their relevant expenses part. Not what they charge.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  2. OT TWC EAS Rant... by glavenoid · · Score: 4, Interesting

    Time warner cable recently "upgraded" several of our analog cable channels to the basic digital tier which now requires a digital adapter. Unfortunately some of these are local stations that I watch regularly, so if I want to watch them I need the adapter, and using the adapter is mutually exclusive with regular analog cable without running a convoluted system of splitters and coax. Now after "upgrading" with the free digital adapter it's been *incessant* EAS tests and bogus alerts, sometimes going off every hour for days at a time, and the people at TWC can't or won't even attempt to fix it. This is annoying enough, but during one of these swarms of false alerts there was a REAL alert of a TORNADO in the area that ended up doing a lot of damage nearby. TWC's stupid mismanagement of the EAS system has completely undermined the use of the system itself. Bastards. Rant over.

    --
    I, for one, am looking forward to the inevitable /. beta rollout fallout.
    1. Re:OT TWC EAS Rant... by Opportunist · · Score: 4, Insightful

      As long as there is no fine for this kind of behaviour, it will not change. The only language corporations understand is one that hits them in their wallet.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:OT TWC EAS Rant... by Anonymous Coward · · Score: 1

      Well, either that or targeted killing of the board members with drones.

    3. Re:OT TWC EAS Rant... by Anonymous Coward · · Score: 0

      Nope, their wallets well padded with ill gotten gains. About the only thing that will grab their attention is having them do the perp-walk with no bail.

    4. Re:OT TWC EAS Rant... by Anonymous Coward · · Score: 0

      I do not know what is more laughable the idiots in the media/press that completely missed this joke/prank or the millions of idiots that are stupid enough to believe in zombies? Does it really surprise anyone the this to could easily be hacked! DOes it surprise anyone that despite this hacking of "infrastructure" for 20+ years there is no standard practice to thoroughly test it before going live , most hardware makers seem to rely on it being hacked, or some security firm that "happen" across something!!

      And worse yet the companies put out half assed patches that band-aid one problem without going over there entire systems/hardware packages to find out what else could be exposed.

    5. Re:OT TWC EAS Rant... by Opportunist · · Score: 1

      Didn't hear the news? These things are woefully inaccurate. Else I'd agree, but you might hit someone who'd actually do some meaningful work, so no go.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:OT TWC EAS Rant... by Opportunist · · Score: 1

      Lined or not does not matter. The only thing that matters is whether at the end of the day playing by the rules or considering the fines some sort of cost of operation is cheaper.

      More and more often, rules and regulations (and the fines associated with them) are handled by risk management rather than legal. As soon as legal decides that there is no loophole, risk management gets to assess the chance to be caught and after that, all that matters is the equation "cost to mitigate vs chance to be caught times fine".

      So if you ever wonder why a corporation doesn't fix something, more likely than not the fine for not fixing it is too low.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:OT TWC EAS Rant... by Anonymous Coward · · Score: 0

      I dunno, convict CEOs for fraud (if the spec called for a secure product and they claimed to meet the requirements) and you would go a long way towards cleaning this up. All companies like money but jail terms look bad on anybody's record. Alternatively you should fine them some multiple of the contract for failing to meet basic requirements specs.
      Simply 'freezing them out of the bidding' has NEVER worked against DoD contractors because they just have to lobby hard enough and their suspension ends. You have to actually punish the decisionmakers somehow, and making them wait longer for more toys is not good enough.

    8. Re:OT TWC EAS Rant... by EdIII · · Score: 1

      I agree with the perp-walk. Perhaps even just 50 hours of nothing-but-no-negotiation trash pick up on the highway for 8-10 weekends.

      Executives and board members tend to be douchenozzles. Make the buck stop there and I think we would be pleasantly surprised how employees and contractors would be heavily motivated by management to perform actual quality control.

      Money is a poor motivator when your time is priceless. I've always said that a weekend of community service can be worse than the heftiest fine...

      After all, how can you enjoy hookers & blow on your yacht when you're picking up trash along with the plebes?

    9. Re:OT TWC EAS Rant... by cusco · · Score: 1

      Considering that C-suite executives tend to change employers every few years, often it's also a matter of whether management thinks the problem will come home to roost before they've found another company to destroy.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  3. Crying "Wolf!" by kackle · · Score: 1

    It's funny, I was going to say that I hope there isn't a REAL zombie uprising or we'd all be sitting around so complacent; and then you kill my joke with an actual life-threatening account...

    1. Re:Crying "Wolf!" by jtownatpunk.net · · Score: 2

      That's the plan, son. That's the plan.

  4. Goverment == useless by Anonymous Coward · · Score: 0

    Give that shit to a private contractor if you want it done RIGHT.

  5. Monroe Republic sucks by Anonymous Coward · · Score: 0

    Damn you, Bass Monroe!

  6. Alternate Theory by Anonymous Coward · · Score: 0

    What if it was real zombies, the government testing some sort of containment protocol, and subsequent cover-up?

  7. AIR GAP !!! by Anonymous Coward · · Score: 0

    This is a non-issue that they probably have spent hundreds of thousands of dollars on so far and want more money to fix. More studies, network security, login keys, blah, blah...

  8. Serious fake messages by Anonymous Coward · · Score: 1

    Last time it was zombies and we kind of know that to be fake when we hear it. Next time it might be something serious like a nuclear reactor meltdown and people will flee. Maybe it will be secure enough to prevent the average hacker from getting in, but what if the hacker turns out to be an expert team of special agents from another country? We don't have to consider if they have a motive for doing so because they might have a motive we will never figure out, at least not in advance.

    When will people in charge realize that the only way to keep a system secure is to deny it access to the internet? This includes indirect access like access to computers with access to the internet. Trying to secure the software is a bit like detective series, except the detective have to solve the murder before it happens and then take action to prevent it. He would fail as he might catch 500 out of 501, but he did miss one.

    1. Re:Serious fake messages by Anonymous Coward · · Score: 0

      Why does it have to be from another country? You PSYOP guys need more xenophobia on the homefront to peddle another war?

  9. the mantra by Anonymous Coward · · Score: 0

    1. ``i am not secure, but i want to be.''
    2. ``ignorance will not make me more secure''
    3. ``no product available will make me completely secure''
    4. ``if i cannot understand the entirety of my system, i can make no claims to it's security''
    5. ``just because knowledge is denied, does not mean that knowledge is protected.''
    6. ``i am not secure, but i want to be.''

    1. Re:the mantra by Anonymous Coward · · Score: 0

      0:

      "Security has no ROI."

  10. I have mine 100% disabled by Anonymous Coward · · Score: 0

    If the chinese attacks, I won't know until all mcdonalds are switched with PF Chang and churches are replaced with assembly factories.

    1. Re:I have mine 100% disabled by 93+Escort+Wagon · · Score: 1

      It'll probably be PF McChangs.

      --
      #DeleteChrome
  11. NOAA Weather Radio + OTA TV for the win... by Shakrai · · Score: 2

    NOAA Weather Radio should be receivable anywhere in CONUS and there are decent radios to be had (that will activate automatically during severe weather events) for less than $50. Something worth considering.

    As far as the asshats at TWC, have you considered going OTA-only or at least OTA for your local channels? If you're lucky you have a local station with a good weather operation that will go above and beyond the EAS reporting -- one of our local stations preempted NBC for the better part of an hour when we had a tornado earlier this year -- but even if they don't you'd still be assured of getting the EAS alerts.

    Check out TV Fool and AntennaWeb as starting resources for determining if OTA reception is feasible from your location and what kind of antenna system you would need to make it happen. As an added bonus, you'll get a far better HD picture than anything Time Warner is sending down their pipe, they compress the hell out of their digital channels.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  12. Vote with your wallet by Shakrai · · Score: 1

    No need to get the bought off politicians to fine them when you can simply stop doing business with them. Cable television is not a life essential service. One month of your cable bill is likely enough cash to purchase everything that most people would need for solid OTA reception.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
    1. Re:Vote with your wallet by sumdumass · · Score: 1

      I live in the country about 35 miles from the nearest city with a TV station. I found long ago that I could use the amplified rabit ear style antennas and pick up about 15 stations. Granted, some of those stations are split channels of another station but I find all the major networks are more then covered. I get OBS, the local Fox, cbs, nbc, abd, CW and some religious channels that believe it or not, have some decent movies that aren't all preachy.

      Anyways, I think the rabbit ears cost about $35 and I needed 2 of them. I also needed a converter box for one of the TVs but decided to upgrade the VCR/DVD player and got one that can burn dvds and also has the digital tuner. But I hear you can get a converter box for around $50. I place the rabbit ear behind the TV and they are barely noticeable.

      So all told, it cost me about $120 to get rid of a $60 per month cable bill and I didn't miss anything that I cared about. That was 5 or 6 years ago.

    2. Re:Vote with your wallet by muridae · · Score: 1

      Flat land, or hills/mountains? Cause in the Appalachian mountains, 35 miles can be in range of one station in the city, and out of range of another just because of which hill they put their towers on. Can't imagine that the biggest west coast mountains would be any friendlier to TV signals.

    3. Re:Vote with your wallet by sumdumass · · Score: 1

      Reletively flat compared to mountians in north corolina but im in a vally. I don't have good reception without the amplified antenna and the switch to digital made a huge difference.

      All i can suggest is to try and find out on one tv before cutting the cable.

    4. Re:Vote with your wallet by muridae · · Score: 1

      Won't get an argument from me about that point. I do without cable just fine. But, I can only get 2 channels (cbs and ion, PBS if I can ever keep the cat away from the VHF rabbit ears). I'm less than 35 from the broadcast towers for about 6 stations, but my line of sight hits so many hills that I'd need a highly directional antenna with a pre-amp according to the various websites that do that topology map stuff. My omni antenna or the small directional that I can put in the window (rented place, no rooftop stuff) just won't get a SNR that the amp can do anything with.

      Funny thing was, here anyways, before the digital switch I could get the channels from VHF's tendency to bounce better. The channels were still noisy, but my eye's SNR tolerance is better than the one that digital decoders need; I could pick out the figures and listen to channels that now don't come in at all.

  13. The real problem... by betterprimate · · Score: 2

    ... is when your message me and a 6 million others at 4 in the morning because some kid (white) is missing.

    Do your fucking jobs, assholes. Next time you message me, you are agreeing to the updated ToS that you will find in your inbox next week. Each message I receive will cost you a $1000. Is it worth it?

    Scratch that, let's make it $10K.

    Law is fun.

    1. Re:The real problem... by Anonymous Coward · · Score: 0

      Why don't you just disable it? Without hacking your phone, you can disable everything but presidential messages. Get cyanogenmod or aokp and stop bitching. And your understanding in law is laughable.

    2. Re:The real problem... by Anonymous Coward · · Score: 0

      How does this crap even work? Is it SMS, or an IP-based messaging protocoll with a client on the end-user-device?

    3. Re:The real problem... by Anonymous Coward · · Score: 0

      Its called Cell Broadcast. Unlike SMS, its a one-to-many protocol, instead of one-to-one. If they did the same thing with SMS, it would clog up the network to send out that many messages.

    4. Re:The real problem... by Neil+Boekend · · Score: 1

      Wow. I am glad that Amber Alerts are opt-in in the Netherlands. Granted: I opted in, but to have no choice would suck.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  14. Waking me up 3 times a night for the weekly by Anonymous Coward · · Score: 0

    test made me turn on the radio not the TV at night.

  15. The Zombie Warning Was Legit by Anonymous Coward · · Score: 0

    The Zombie Warning Was Legit, they've just decided that they want to cover it up now. Nuke the site from orbit..... its the only way to be sure.

  16. ob by Hognoxious · · Score: 1

    They need MyCleanPC!

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  17. time to extradite an aspie ... by Hognoxious · · Score: 1

    They include the use of âoepredictable and hard-coded keys and passwords,â

    Hey, if it's good enough for the pentagon...

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."