Showing posts with label Baltimore. Show all posts

Friday, July 31, 2015

Leaked Zerofox documents outline Baltimore network infrastructure vulnerabilities

Several days ago a document from the corporation Zerofox was leaked on the internet. Zerofox is a domestic spying organization; there is no other word for them. They are paid obscene amounts of money to monitor people's Twitter and Facebook accounts, and provide the results of their stalking to police departments and other people who are in theory bound to respect the autonomy of free political speech. In the document that was leaked, Zerofox claimed to have "mitigated" 19 "threats" and "monitored" hundreds of others. The document is available here.

What constitutes a threat? Political speech that is critical of the police. At the top of the list of "physical threats" are #blacklivesmatter activists DeRay Mckesson and Johnetta Elzie, neither of whom has ever been convicted of a violent crime AFAICT. The report recommends that police engage in "continuous monitoring" of the pair and justifies this absurd response because they have "coordinated protests". The two were not alone on the list, which includes several other protesters and bloggers. Several times Zerofox recommended police perform a social media "profile takedown"; one of these recommendations was justified by Zerofox because an individual "slandered" a police officer. The slander consisted of taking screenshots of the police officer's Facebook posts - posts that included long, rambling racist screeds.

Most of this is well known, or will be over the next couple of days. This is a tech website! So what is my angle?

After the first few pages of creepy Stasi-style investigation, the report began to list what Zerofox believed were vulnerabilities in City of Baltimore networks. The "vulnerability reports" are laughably amateurish and consist almost entirely of information available from WHOIS, from googling lists of applications combined with the word "exploit", and maybe from nmap scans.

[Image: Baltimore servers. Caption: 2 kilos of WHOIS; street value $250,000]

There are two things about this report that are interesting. First of all, it includes a list of Baltimore city online resources that would not immediately be publicly available - servers like email backups and an Exchange server that is either entirely for internal use or horrifically misconfigured (it lacks an rDNS entry, so it won't be doing a lot of sending to email servers set up by grown-ups).

And secondly, I really can't stress enough how bottom of the barrel this is. Let's just set aside the first part of this product that the people of Baltimore were forced to purchase. If this is what municipal governments believe infosec looks like, we are in for quite a few more repeats of Office of Personnel Management "cyber-warfare Pearl Harbors".

(Did you just vomit a little? I always vomit a little when I hear anything that begins with the prefix "cyber-")
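
The rDNS remark above refers to a check that many receiving mail servers apply to the connecting IP: a PTR record must exist, and its name must resolve back to the same address. The following Python code is an added example (not from the leaked report or the original post) that runs this forward-confirmed reverse DNS check; the function names are illustrative, and the sample addresses and hostnames are constructed from documentation ranges.

```python
import socket

def system_reverse(ip):
    """PTR lookup via the system resolver; returns a list of hostnames."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []

def system_forward(name):
    """A/AAAA lookup via the system resolver; returns a set of addresses."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def fcrdns(ip, reverse=system_reverse, forward=system_forward):
    """Classify an outbound mail IP the way a strict receiving server would.

    Returns "no_ptr" (no reverse entry at all), "mismatch" (a PTR exists but
    none of its names resolves back to the IP) or "pass".
    """
    names = reverse(ip)
    if not names:
        return "no_ptr"
    for name in names:
        if ip in forward(name.rstrip(".")):
            return "pass"
    return "mismatch"

def audit(ips, reverse=system_reverse, forward=system_forward):
    """Map each IP to its FCrDNS verdict."""
    return {ip: fcrdns(ip, reverse, forward) for ip in ips}

# Constructed sample data (documentation address space, not real hosts).
SAMPLE_PTR = {"192.0.2.10": ["mail.example.org."],
              "192.0.2.20": ["host-20.isp.example."]}
SAMPLE_A = {"mail.example.org": {"192.0.2.10"},
            "host-20.isp.example": {"198.51.100.7"}}

if __name__ == "__main__":
    offline = audit(
        ["192.0.2.10", "192.0.2.20", "192.0.2.30"],
        reverse=lambda ip: SAMPLE_PTR.get(ip, []),
        forward=lambda n: SAMPLE_A.get(n, set()),
    )
    for ip, verdict in offline.items():
        print(ip, verdict)
```

Called without the `reverse` and `forward` arguments, `audit` uses the system resolver, so it can be pointed at the public addresses of your own mail servers.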

Tuesday, December 11, 2012

Best to Hush on the Bus - Cities Across the US Install Surveillance Equipment on Public Transit

This IP camera with microphone, the Safety Vision SVC2200, is being installed on buses in San Francisco, California; Eugene, Oregon; Traverse City, Michigan; Columbus, Ohio; Baltimore, Maryland; Hartford, Connecticut; and Athens, Georgia. The microphones are sensitive enough to record conversations audibly. This leads one to wonder what such technology could possibly be used for. Cameras can be used for evidence in cases of violent crime. Recordings are not nearly as important in establishing proof of violence as they are in assisting with more subversive forms of surveillance. No doubt this information is headed in a roundabout way to your local DHS "Fusion Center", where it will be shuffled, cataloged and shuffled again.

The IP cameras are listed as supporting the following protocols: IPv4/v6, TCP/IP, UDP, RTP, RTSP, HTTP, HTTPS, ICMP, FTP, SMTP, DHCP, PPPoE, UPnP, IGMP, SNMP, QoS & ONVIF, although one wonders in what capacity they 'support' QoS ... a few of these are likely the efforts of marketeers gone wild with acronym copy-pasting. What's important is that they talk TCP/IP, and VPN compatibility is not on that list. They have an RJ-45 input and use PoE, but also have a microSD port. Finally, with a field of vision of 78° horizontal, 45° vertical, these devices provide a very tempting opportunity to the on-site hacker.

The cameras are supposed to connect to and be managed by a central web server, and, remembering the lack of VPN above, it looks like just a straightforward wireless or 3G-based network connection will be established to that server. While the video on that web server may not be so exciting to attackers, an opportunity to establish an "in" with a local network maintained by a city transportation administration or law enforcement agency would be an incredibly enticing target. Of even greater value would be the possibility of infecting video files with malicious software to be uploaded to whatever federal spy agency is its final destination.

Finally, security cameras rely on motion detection in order to limit storage to relevant data. As the traffic on buses is continuous, there will be constant motion and noise. This will lead to huge data sets of worthless audio and video that will increase storage costs to absurd heights in short order (the alternative of a regular deletion schedule would defeat the purpose of collecting the data).

As such, this project is a foolish one. There is little advantage to be gained in the data from these devices, and the system architecture as currently stated will lead to significant security failures. At best the devices would have a slight freezing effect on violent crimes that occur on the bus, which are few and far between to begin with. At worst these devices will turn into a black hole for taxpayer money funneled into storage and maintenance costs that is somehow simultaneously worthless to law enforcement and reviled as a degradation of the 4th Amendment of the United States Bill of Rights for targeting a service provided almost exclusively to the poor and in many cases to populations that are predominately black and latino (the 4th is the amendment that was intended to protect citizens from unreasonable searches and seizures).

***A Bit of Conjecture

There is one feature to this infrastructure that would be worth the trouble. Facial recognition capability is a hot topic for discussion amongst law enforcement officials of every jurisdiction. Imagine, if you will, a closely knit hodgepodge of surveillance video data that includes E-Pass toll cameras, red light cameras, intersection surveillance cameras, these new public transportation cameras and drone-based surveillance. With immediate license plate identification and federal warrant checks based on video surveillance already in place in many US cities, facial recognition for off-the-roads automated identity checks is what is missing. This would provide a *huge* advantage for law enforcement. Manhunts would be a thing of the past. For fugitives, enemies of the state, and normal folks like you and me, there would be nowhere remotely resembling civilization to run. Even in this paranoid scenario, however, there is no need for audio recording.

[Hat Tip to Wired magazine for the scoop]
