TSA's Security Equipment Is Controlled By Hackers
Two devices that may be used at airport and other security checkpoints have “backdoors”—usernames and passwords hard-coded into the equipment that a hacker could use to get into the machines.
A hacker, could log into and control these machines using the technician credentials and from there get into whatever networks the devices connect to.
TSA Checkpoints Vulnerable To Hacks Through Backdoors
Why would a manufacturer create that kind of risk? It’s actually quite common—usually for ease of maintenance, so technicians can get in and service the machine.
Rios, director of threat intelligence at Qualys (QLYS), which provides cybersecurity services, bought the two different devices on eBay: a time-clock system used to track TSA employees’ work for about $200, and and a narcotics and explosives detection system called an Itemiser for about $800.
The time-tracking system, made by Kronos, had two back doors via hardcoded usernames and passwords. Worse, Rios found about 6,000 of the devices connected to the Internet, including one at San Francisco International Airport—which Rios says he worked with the Department of Homeland Security to get taken offline.
He, or a hacker, could have logged into and controlled those machines using the technician credentials and from there get into whatever networks the devices connect to. If the Kronos was being used for access control, for example, you’d also able to subvert or manipulate that, says Rios.
“The most important thing for people to take away is if the device is connected to the Internet and to another network, which is extremely common, you basically have a bridge,” he says. “For non-airports, the risk is still the same.
If you have a Kronos connected to the Internet and also to your corporate network, well, now you’ve given someone access to your corporate network.”
Rios was quoted by Bloomberg Business week as saying: “The most important thing for people to take away is if the device is connected to the Internet and to another network, which is extremely common, you basically have a bridge.
“For non-airports, the risk is still the same. If you have a Kronos connected to the Internet and also to your corporate network, well, now you’ve given someone access to your corporate network.”
In addition to the Itemiser, there are several devices, when left online, would turn out to be a bridge to the internal TSA web network, further potentially allowing hackers to compromise the system from anywhere in the world.
Urging the TSA to make proper software reviews prior to acquiring any security systems, Rios noted: "What's more likely is, they have an acquisition process but they don't know how to do a software assessment of these devices."
Recently, the Department of Homeland Security's (DHS) ICS-CERT issued an advisory noting that Morpho Itemiser 3 v 8.17’s trace detection scanner ‘could be exploited remotely.’
The second piece of equipment, Morpho Detection’s Itemiser 3, is a machine that can find traces of narcotics or explosives after a security officer has wiped a swab on your hands or bag. Rios bought one online that had a tag from a Federal prison, he says.
(Buy/Rent/Layaway)
Rios wasn’t able to buy the version that TSA uses—a newer model called Itemiser DX—or to see how many of those devices are connected to the Internet.
Morpho Detection discontinued production of the Itemiser 3 in 2010, and the TSA doesn’t own or operate any, according to an e-mailed statement from Karen Bomba, the company’s president and chief executive officer, and it is planning to remove the vulnerability in the Itemiser 3 before the end of the year.
Rios, meanwhile, submitted his analysis to the Department of Homeland Security, which issued an advisory in July that assigned the Itemiser vulnerability the highest possible severity rating.
The point, says Rios, is that TSA may not have a good understanding of the cybersecurity risks in the devices it’s buying.
(Buy/Rent/Layaway)
“I hope they start upping their cybersecurity standards,” he says, pushing vendors to get rid of flaws such as hardcoded credentials. “TSA does have enough clout to start moving the ball in the right direction, and they have a responsibility to do so, as well.”
(Buy/Rent/Layaway)
Ross Feinstein, a spokesman for TSA, says the agency has a rigorous certification and accreditation process for technology:
(Buy/Rent/Layaway)
“This process ensures information technology security risks are identified and mitigation plans put in place, as necessary. A majority of the equipment we utilize is not available for sale commercially or to any other entity.”
Monty Henry, Owner
Additional Resources:
* The Future Outlook For Hand-Held, Desktop Explosives And Narcotics (Drug) Detection
* How To Prevent The Theft of Intellectual Property
* How Do I Know If I’ve Been Bugged?
* Operating The Brain By Remote Control
What is BitCoin and How Does It Work?
* The Creature From Jekyll Island: This Blog And Video Playlist Explains Why The U.S. Financial System is Corrupt and How It Came To Be That Way
* Number of Americans Renouncing Citizenship Surges To Escape Oppressive Tax Rules
* Dropping Off The Grid: A Growing Movement In America: Part I
* Online Privacy Tools and Tips
Next-Generation Bug / Microwave / ELF / Spy Phone / GSM And Camera Detectors (Buy, Rent, Layaway) tinyurl.com/2eo8mlz Open...
— Spy Store Rentals (@MontyHenry1)
Nanny IP (Internet) Cameras, GPS Trackers, Bug Detectors and Listening Devices, etc, (Buy / Rent / Layaway): tinyurl.com/396jlw6...
— Spy Store Rentals (@MontyHenry1)
NOW, look in on your home, second home, lake house or office anytime, anywhere from any internet connected PC/Lap-top or Internet active cell phone, including iphone or PDA.
Watch your child's caregiver while sitting at a traffic light or lunch meeting, or check on your business security from the other side of the world. Our built-in hidden video features all digital transmissions providing a crystal clear image with zero interference. With the IP receiver stream your video over the internet through your router, and view on either a PC or smart phone. Designed exclusively for DPL-Surveillance-Equipment, these IP hidden wireless cameras come with multiple features to make the user's experience hassle-free.
NOW, look in on your home, second home, lake house or office anytime, anywhere from any internet connected PC/Lap-top or Internet active cell phone, including iphone or PDA: http://www.dpl-surveillance-equipment.com/wireless_hidden_cameras.html
Watch your child's caregiver while sitting at a traffic light or lunch meeting, or check on your business security from the other side of the world. Our built-in hidden video features all digital transmissions providing a crystal clear image with zero interference. With the IP receiver stream your video over the internet through your router, and view on either a PC or smart phone. Designed exclusively for DPL-Surveillance-Equipment, these IP hidden wireless cameras come with multiple features to make the user's experience hassle-free.
• Remote Video Access
• Video is Recorded Locally To An Installed SD Card (2GB SD Card included)
• Email Notifications (Motion Alerts, Camera Failure, IP Address Change, SD Card Full)
• Live Monitoring, Recording And Event Playback Via Internet
• Back-up SD Storage Up To 32GB (SD Not Included)
• Digital Wireless Transmission (No Camera Interference)
• View LIVE On Your SmartPhone!
Includes:
* Nanny Cameras w/ Remote View
* Wireless IP Receiver
* Remote Control
* A/C Adaptor
* 2GB SD Card
* USB Receiver
FACT SHEET: HIDDEN NANNY-SPY (VIEW VIA THE INTERNET) CAMERAS
Specifications:
Receiver Specs:
* Transmission Range of 500 ft Line Of Sight
* Uses 53 Channels Resulting In No Interference
* 12V Power Consumption
* RCA Output
* Supports up to 32gig SD
Camera Specs:
* 640x480 / 320x240 up to 30fps
* Image Sensor: 1/4" Micron Sensor
* Resolution: 720x480 Pixels
* S/N Ratio: 45 db
* Sensitivity: 11.5V/lux-s @ 550nm
* Video System: NTSC
* White Balance: Auto Tracking
• Video is Recorded Locally To An Installed SD Card (2GB SD Card included)
• Email Notifications (Motion Alerts, Camera Failure, IP Address Change, SD Card Full)
• Live Monitoring, Recording And Event Playback Via Internet
• Back-up SD Storage Up To 32GB (SD Not Included)
• Digital Wireless Transmission (No Camera Interference)
• View LIVE On Your SmartPhone!
Includes:
* Nanny Cameras w/ Remote View
* Wireless IP Receiver
* Remote Control
* A/C Adaptor
* 2GB SD Card
* USB Receiver
FACT SHEET: HIDDEN NANNY-SPY (VIEW VIA THE INTERNET) CAMERAS
Specifications:
Receiver Specs:
* Transmission Range of 500 ft Line Of Sight
* Uses 53 Channels Resulting In No Interference
* 12V Power Consumption
* RCA Output
* Supports up to 32gig SD
Camera Specs:
* 640x480 / 320x240 up to 30fps
* Image Sensor: 1/4" Micron Sensor
* Resolution: 720x480 Pixels
* S/N Ratio: 45 db
* Sensitivity: 11.5V/lux-s @ 550nm
* Video System: NTSC
* White Balance: Auto Tracking
Make Your Own Nanny Cameras: Make Tons Of Money In A Booming, Nearly Recession-Proof Industry!
Your Primary Customers Include But Are Not Limited To Anyone In The Private Investigator, Government, Law Enforcement And/Or Intelligence Agencies Fields!
* You Buy Our DVR Boards And We'll Build Your Products! (Optional)
* You Buy Our DVR Boards And We'll Build Your Products! (Optional)
Our New Layaway Plan Adds Convenience For Online Shoppers
DPL-Surveillance-Equipment's
layaway plan makes it easy for you to buy the products and services
that you want by paying for them through manageable monthly payments
that you set. Our intuitive calculator allows you to break down your
order's purchase price into smaller payment amounts. Payments can be
automatically deducted from your bank account or made in cash using
MoneyGram® ExpressPayment® Services and you will receive your order once
it's paid in full. Use it to plan and budget for holiday purchases,
anniversaries, birthdays, vacations and more!
DPL-Surveillance-Equipment's
Customers can now use the convenience of layaway online to help them
get through these tough economic times.
We all shop now
and then just to face a hard reality -- big credit card bills. However,
our latest financing innovation can help you avoid that. Find out why
more and more shoppers are checking out DPL-Surveillance-Equipment's
e-layaway plan.
If you're drooling over a new nanny
camera, longing for a GPS tracker, or wishing for that spy watch, but
you're strapped for cash and can't afford to do credit, do what Jennie
Kheen did. She bought her iPod docking station (hidden camera
w/motion-activated DVR) online using our convenient lay-away plan.
Our
online layaway plan works like the old-fashioned service stores used to
offer. But, in Kheen's case, she went to
DPL-Surveillance-Equipment.com, found the iPod docking station (hidden
camera w/motion-activated DVR), then set up a payment plan.
"It's automatically drawn from my account," she said. "I have a budget, $208.00 a month.
In
three months, Kheen had paid off the $650.00 iPod docking station. She
paid another 3.9 percent service fee, which amounted to about $25.35
(plus $12.00 for shipping) for a total of $687.35.
"You
pay a little bit each month," Kheen said. "It's paid off when you get
it and you don't have it lingering over your head. It's great."
Flexible
payment terms and automated payments make our layaway plan an
affordable and fiscally responsible alternative to credit cards.
1. Register:
It's quick, easy and FREE! No credit check required!
2. Shop:
Select
the items or service you want and choose "e-layaway" as your payment
option. Our payment calculator makes it easy for you to set up your
payment terms.
3. Make Payments:
Payments are made on the schedule YOU set. Check your order status or adjust your payments online in a secure environment.
4. Receive Products:
Receive the product shortly after your last payment. The best part, it's paid in full... NO DEBT.
More Buying Power:
*
Our lay-away plan offers a safe and affordable payment alternative
without tying up your credit or subjecting the purchase to high-interest
credit card fees.
No Credit Checks or Special Qualifications:
* Anyone 18 years old or older can join. All you need is an active bank account.
Freedom From Credit Cards:
*
If you are near or beyond your credit limit or simply want to avoid
high interest credit card fees, our e-layaway is the smart choice for
you.
Flexible Payment Schedules:
*
Similar to traditional layaway, e-layaway lets you make regular payments
towards merchandise, with delivery upon payment in full. Payments are
automatically deducted from your bank account or made in cash using
MoneyGram® ExpressPayment®
A Tool for Planning Ahead:
*
Our e-layaway makes it easy for smart shoppers like you to plan ahead
and buy items such as bug detectors, nanny cameras, audio bugs, gps
trackers, and more!
No Hidden Charges or Mounting Interest:
Our
e-layaway makes shopping painless by eliminating hidden charges and
monthly interest fees. Our customers pay a flat transaction fee on the
initial purchase price.
NO RISK:
* You have the right to cancel any purchase and will receive a refund less a cancellation fee. See website for details.
Security and Identity Protection:
DPL-Surveillance-Equipment
has partnered with trusted experts like McAfee and IDology to ensure
the security and integrity of every transaction. Identity verification
measures are integrated into our e-layaway system to prevent fraudulent
purchases.
Note: Simply Choose e-Lay-Away as a "Payment Option" in The Shopping Cart
DPL-Surveillance-Equipment.com
is a world leader in providing surveillance and security products and
services to Government, Law Enforcement, Private Investigators, small
and large companies worldwide. We have one of the largest varieties of
state-of-the-art surveillance and counter-surveillance equipment
including Personal Protection
and Bug Detection Products.
Buy, rent or lease the same
state-of-the-art surveillance and security equipment Detectives, PI's,
the CIA and FBI use. Take back control!
DPL-Surveillance-Equipment.com
Phone: (1888) 344-3742 Toll Free USA
Local: (818) 344-3742
Fax (775) 249-9320
Monty@DPL-Surveillance-Equipment.com
Google+ and Gmail
DPLSURVE
Twitter
DPLSURVE
MSN
Monty@DPL-Surveillance-Equipment.com
AOL Instant Messenger
DPLSURVE32
Skype
Montyl32
Yahoo Instant Messenger
Montyi32
Alternate Email Address
montyi32@yahoo.com
Join my Yahoo Group!
My RSS Feed
Phone: (1888) 344-3742 Toll Free USA
Local: (818) 344-3742
Fax (775) 249-9320
Monty@DPL-Surveillance-Equipment.com
Google+ and Gmail
DPLSURVE
DPLSURVE
MSN
Monty@DPL-Surveillance-Equipment.com
AOL Instant Messenger
DPLSURVE32
Skype
Montyl32
Yahoo Instant Messenger
Montyi32
Alternate Email Address
montyi32@yahoo.com
Join my Yahoo Group!
My RSS Feed
posted by DPL-Surveillance-Equipment | 9:02 AM
0 Comments:
Post a Comment
Note: Only a member of this blog may post a comment.
<< Home