[HD Moore] recently posted an article on Rapid 7’s blog about an interesting security problem. They’ve been doing some research into the security of automated tank gauges (ATGs). These devices are used at gas stations and perform various functions including monitoring fuel levels, tracking deliveries, and raising alarms. [Moore] says that ATGs are used at nearly every fueling station in the United States, and they are used internationally as well. It turns out these things are often not secured properly.
Many ATGs have a built-in serial port for programming and monitoring. Some systems also have a TCP/IP card, or even a serial-to-TCP/IP adapter, which lets technicians monitor the system remotely. The most common TCP port for this interface is 10001. Some of these systems can be password protected, but Rapid 7’s findings indicate that many of them are left wide open.
The vulnerability was initially reported to Rapid 7 by [Jack Chadowitz]. He discovered the problem through his work within the industry and developed his own web portal to help people test their own systems. [Jack] approached Rapid 7 for assistance in investigating the issue on a much larger scale.
Rapid 7 then scanned the entire IPv4 address space for hosts with TCP port 10001 open. Each live system discovered was sent a “Get In-Tank Inventory Report” request. Any system vulnerable to attack would respond with the station name, address, number of tanks, and fuel types. The scan found approximately 5,800 systems online with no password set. Over 5,300 of these stations are in the United States.
Rapid 7 believes that attackers may be able to reconfigure alarm thresholds, reset the system, or otherwise disrupt operation of the fuel tank. An attacker might be able to simulate false conditions that would shut down the fuel tank, making it unavailable for use. Rapid 7 does not believe this vulnerability is actively being exploited in the wild, but they caution that it would be difficult to tell the difference between an attack and a system failure. They recommend companies put their systems behind a VPN for an additional layer of security.
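If you run a station and want to check your own gauge the way the scan above did, the request is a short one. The following is an added example written for this post, not Rapid 7’s scanner or [Jack]’s portal. The article does not spell out the wire protocol, so the details here are assumptions about a Veeder-Root TLS-350 style gauge: each command starts with an SOH byte (0x01), the all-tanks In-Tank Inventory report is function code I20100, the reply ends with ETX (0x03), and an unavailable or password-protected command comes back as a 9999 error code. The sample replies in the block are constructed, not captured from a real station. The inventory report is read-only; point this only at equipment you own.

```python
"""Probe and parse the In-Tank Inventory report an exposed automated tank
gauge (ATG) hands out on TCP/10001.

Added example, not Rapid 7's code. Assumptions (not in the article): the
gauge speaks the Veeder-Root TLS-350 serial protocol with SOH/ETX framing,
I20100 is the all-tanks inventory report, and a 9999 code means the
command was refused. Sample replies below are constructed.
"""
import socket

SOH = b"\x01"   # every TLS command begins with start-of-header
ETX = b"\x03"   # the gauge terminates its reply with end-of-text
ATG_PORT = 10001

# Function code 201, tank 00: In-Tank Inventory report for all tanks (read-only).
INVENTORY_REQUEST = SOH + b"I20100\n"


def build_inventory_request() -> bytes:
    return INVENTORY_REQUEST


def parse_inventory_report(raw: bytes) -> dict:
    """Classify a reply and pull out the station header and per-tank rows.

    status: "open" when the gauge answered without a security code,
    "rejected" when it returned a 9999 error (password protected or command
    unavailable), "unrecognized" when the port is not an ATG at all.
    """
    text = raw.replace(SOH, b"").replace(ETX, b"").decode("ascii", "replace")
    lines = [ln.rstrip() for ln in text.splitlines()]
    marker = next((i for i, ln in enumerate(lines)
                   if ln.strip() == "IN-TANK INVENTORY"), None)
    if marker is None:
        rejected = any(ln.strip().startswith("9999") for ln in lines)
        return {"status": "rejected" if rejected else "unrecognized",
                "header": [], "tanks": []}

    # Line 0 echoes the command, line 1 is the gauge's date/time; the free-text
    # lines before the marker are the site header (station name, address).
    header = [ln.strip() for ln in lines[2:marker] if ln.strip()]

    tanks = []
    for ln in lines[marker + 1:]:
        fields = ln.split()
        # Tank row: tank number, product name (may contain spaces), then
        # VOLUME, TC VOLUME, ULLAGE, HEIGHT, WATER, TEMP.
        if len(fields) < 8 or not fields[0].isdigit():
            continue  # skips blank lines and the column-header line
        try:
            nums = [float(f) for f in fields[-6:]]
        except ValueError:
            continue
        tanks.append({"tank": int(fields[0]), "product": " ".join(fields[1:-6]),
                      "volume": nums[0], "tc_volume": nums[1], "ullage": nums[2],
                      "height": nums[3], "water": nums[4], "temp": nums[5]})
    return {"status": "open", "header": header, "tanks": tanks}


def probe(host: str, port: int = ATG_PORT, timeout: float = 5.0) -> dict:
    """Send the inventory request to one of your own gauges and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_inventory_request())
        chunks = []
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            if ETX in chunk:
                break
    return parse_inventory_report(b"".join(chunks))


# Constructed sample replies (not from a real station) to exercise the parser.
SAMPLE_OPEN_REPLY = (
    b"\x01I20100\n"
    b"JAN 15, 2015  9:41 AM\n"
    b"\n"
    b"EXAMPLE FUEL STOP #12\n"
    b"100 MAIN ST\n"
    b"ANYTOWN, XX 00000\n"
    b"\n"
    b"IN-TANK INVENTORY\n"
    b"\n"
    b"TANK PRODUCT             VOLUME TC VOLUME   ULLAGE   HEIGHT    WATER     TEMP\n"
    b"  1  REGULAR UNLEADED      6492      6389     3542    42.91     0.00    57.61\n"
    b"  2  PREMIUM               4101      4040     5933    31.22     0.00    58.05\n"
    b"  3  DIESEL                7820      7699     2180    49.10     0.35    56.90\n"
    b"\x03"
)
SAMPLE_REJECTED_REPLY = b"\x019999FF1B\x03"

if __name__ == "__main__":
    for reply in (SAMPLE_OPEN_REPLY, SAMPLE_REJECTED_REPLY):
        r = parse_inventory_report(reply)
        print(r["status"], r["header"], len(r["tanks"]), "tanks")
```

An “open” result means anyone who can reach port 10001 gets the same station name, address and tank listing Rapid 7 collected, and a gauge that answers the read-only report without a security code will generally take the configuration commands too. A “rejected” result only tells you the command was refused, not that the device is safe to leave on the public Internet; the VPN recommendation still applies.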
The Science Channel has a new show premiering tomorrow night that we think you won’t want to miss.
JUNKies takes a look at a group of junkyard engineers led by [Jimmy “The Junk Genius” Ruocco], who also happens to be the junkyard’s owner. Judging from the trailer, the show looks like it will be pretty entertaining, combining the best parts of Junkyard Wars, Mythbusters, and even Jackass – with hilarious and interesting results.
The show includes crazy stuff that [Jimmy] and his crew piece together, as well as the creations of individuals that come by the shop looking for parts. When the crew is not busy concocting crazy machines, they seem more than happy to help random inventors and makers dig out just the right parts for their projects.
The show airs tomorrow night, 8/18, at 10 PM Eastern, so be sure to check it out and let us know what you think!
[Phillip Torrone] recently wrote an article over at Make regarding Sony and their “War on Makers, Hackers, and Innovators”. In the article, he traces Sony’s history from a well-liked hardware company that once produced innovative products to its current state as an enemy of all who would dare wield a screwdriver and soldering iron. He took quite a bit of time scouring the Internet to dig up very specific examples of Sony’s perceived assault on the hacking community. That’s not to say he simply lambasts the company and leaves it at that. Rather, he reflects on their past as a staple in nearly every American home, how they have changed since venturing into the content business, as well as what we might be able to do as hackers to change the way Sony treats its customers.
One specific example he mentions is the lawsuits that plagued the Sony Aibo modding scene, a case very near and dear to his heart. This is a scenario in which the voice of the people was eventually heard, though too late to make a difference. He laments the modding community’s loss of interest in the platform as a clear-cut example of how damaging Sony’s litigiousness has been.
You should definitely take a moment to read the article if you have the time. [Phillip] brings up some very good points, giving you plenty to consider the next time you make an electronics purchase, large or small.
We’d love to hear your take on the matter as well.
[Dale Dougherty] interviews [Steven Levy] about the history of hacking. [Levy]’s book Hackers has been released in a 25th anniversary edition. The interview alone is fascinating and the book is a must read for any hacker. If they offered a course in hacker culture somewhere, we’re positive that this book would be the textbook. The 25th anniversary edition has been updated to include major figures from the last 25 years including [Bill Gates], [Steve Wozniak] and others that have impacted our lives drastically.
Yahoo has issued a public apology for an event that occurred at their recent Hack Day in Taiwan. Apparently they hired strippers for the event, two years in a row. The girls did their usual bump and grind all over some poor hackers. Poor guys. While there is a part of us that says, “what about the little girls getting into hacking?” the other part of us says, well, you know what it says. Wow, we’re suddenly feeling the urge to use Yahoo for all of our services. How peculiar.
MySpace users are very familiar with the visage of their first “friend” and MySpace cofounder [Tom Anderson], but did you ever wonder what he used to do before he became everyone’s friend? TechCrunch’s investigative reporting revealed that [Tom] was a hacker in the eighties who hacked into the Chase Manhattan Bank computer system, which attracted the attention of the FBI. Under the handle “Lord Flathead”, he became the leader of a black hat hacker group by the time he was fourteen. His activities (along with those of other hackers) led to one of the largest FBI raids in California history. Because he was a minor at the time, he was not arrested, but put on probation in exchange for an agreement to stop committing computer crimes. This definitely makes having [Tom Anderson] on your friends list just a bit more interesting, doesn’t it?
It looks like it’s time to update our event list. Here are some hacking related events happening through the rest of the year.
- ToorCon September 26-28 San Diego, CA – In its tenth year, ToorCon has always been one of our favorites. The conference is fairly small, but features great content like last year’s fuzzing talk.
- Arse Elektronika (NSFW) September 25-28 San Francisco, CA – Happening the same time as ToorCon, this conference covers the sexual side of human and machine interaction. The device list has gems like The Seismic Dildo, which only turns on if there is seismic activity in the world.
- Maker Faire October 18-19 Austin, TX – It’s Maker Faire! In Texas!
- Roboexotica December 4-7 Vienna, Austria – The premier festival for cocktail robotics is also back for the tenth time. They’re always looking for more exhibitors. Check out our Hackit for ideas.
- 25C3 December 27-30 Berlin, Germany I think we pretty much covered all the bases on this incredible conference yesterday.
Did we miss anything?