Thugs'r'Us
"Stephens could not be reached for comment in response to LookC's threats at the time of going to press on Friday afternoon (19 September)."
Probably best all round whenever Golightly loses the plot and turns heavy.
A row has broken out between a supplier of secure CCTV products and a whistle blower who discovered a vulnerability with the company's products that allowed world+dog to view static images from any camera connected to its servers. The flaw affects The LookC 4x4 server and Pro IX server, some of which are installed in primary …
Turn off your LookC camera, because they apparently have a security hole in them and you are exposing yourself to legal liability by using it now that you've been told they have the vulnerability.
You don't know if they're secure now, or if LookC are just threatening researchers to conceal the insecurities. All you know is they *had* or *have* a security hole and tried to cover it up with threats and false accusations made to the police.
Their statement to the police is clearly false; publishing info on a vulnerability on a website clearly does NOT show criminal intent. Ergo if they lie to the police, they can lie to you.
Also since they don't let you know what that security hole is, you have no way of testing to see if it's been closed yourself. You can neither trust their word, nor test it yourself.
So I'd turn off your LookC camera and avoid buying LookC products until their products can stand up to independent public security testing.
can only be the result of criminal intent. The CEO MUST be a paedo and wanted "plausible deniability" for his perversions if caught.
After all, why would someone put cameras in all the private places of a school if not to view the antics of innocent children at play?!?
If you find something rotten in your company, you can 'go through channels' and lose your job, be sidelined, be fobbed off and strangely find yourself redundant in six months, or be bought off.
If you want something to change, you have to put it out there in enough places that the sun will shine on it.
Not 'criminal intent' but serious intent.
I strongly believe that in the cases where exploits are in the wild, or vendors refuse to cooperate, that public disclosure of vulnerabilities is in the best interests of users. There's no evidence of either of these here. It's very possible that the company wouldn't have given a toss without public disclosure, but we'll never know, will we? This guy has given this company enough rope to hang HIM by, all for want of a bit of patience and probably the desire for kudos. Posting an exploit is a lot sexier than pointing to a patch and saying "I found that issue"
How is this a hack? The cameras, if not configured with security details, publish themselves on the public internet, saying "Cooo-ee boys! Look at me!" This guy merely said "Hey - here's how you can find them with a simple Google search."
It's like, say I had this car, and the..... Oh buggerit - no bad analogies needed - it's just simply not a hack.
The informer shouldn't have made the precise "hack" public. It's one thing to warn people about an insecurity but it's a different matter when you tell people how to take advantage of it.
If the CCTV company had failed to act quickly then perhaps upping the ante by posting screenshots (with mosaic fuzz where necessary) of the hack in action would be justified to cause the panic and bad PR necessary to get it fixed.
The post explains it.
Here is the (short) part about the flaw (that's a criminally obvious security hole, too):
"The vulnerability is so simple, I bet LookC kicked themselves when they found out they missed something as obvious as this.
Find a LookC server. This can be accomplished very easily by typing in either of the following into Google.com “LookC 4x4” or “LookC Pro IX”.
In this example, we will use a made up server with the IP address of 123.456.789.10
Using your web browser navigate to this address.
http://123.456.789.10/
Simply by adding the following after the last slash, we can open a backdoor and view a static image of the requested camera. Note the two queries in the URL: "&card" and "&camera". As it would suggest, "&card" is which card in the server we are accessing, and "&camera" is the CCTV camera we are accessing. There are 4 cameras to each card, so once we have reached camera 4 we would change the card value to “2” and the camera value back to “1”. This would display the 5th camera on the server.
media/getimage_sid.php?card=1&camera=1
The URL should read,
http://123.456.789.10/media/getimage...ard=1&camera=1
If you hit Refresh on your browser you can easily produce an almost streaming image of the CCTV Camera."
I seem to remember that you can find tens of similar "google hacks" where they belong, but in that case the cams are marketed as secure (!).
Thanks to google cache and a quick web search I can confirm that this "exploit" is so easy as to be labeled stupid. I really couldn't call this an exploit or hack as you simply have to put the correct URL into your browser and you have images. There is no security whatsoever, as far as I could tell.
where is the ROFLMAO icon.
He has no duty to them, if he didn't report it to them, so what, their tough luck for releasing a buggy product. Even if it's -4 days, or NEVER.
They do have a duty to make their products secure, perhaps they would consider that, rather than silence researchers?
If they don't make crap products then people will not discover they are crap. The fix here is for LookC to make less crap products.
So that's how El Reg gets their hands on all that wonderful CCTV footage of major stories. Is this the end of the quality insider reporting on such important issues? And I was really hoping to see some of that famous CCTV footage of pirates today on International Talk Like a Pirate day, with Optimus Prime making an appearance of course.
Please, Please, Please dedicate your top Hacker-Reporter-Boffins to finding us a new source for these quality images.
Seems CCTV needs pulling out of schools. If anybody puts a CCTV camera that's filming a school on the public networks, they should be taken out back and shot.
I personally never liked the fact that I am watched without my consent almost everywhere these days. CCTV in public should require a licence!!
There will be a nice audit trail - e.g. telephone bills showing he phoned the company, emails being sent, a late lamentable reply, etc.
However, the threat of a company with finance to hire the best lawyers against one individual is enough to make the individual want to back off and go into hiding.
I personally would have emailed the Information Commissioner via this form:
http://www.ico.gov.uk/ESDWebPages/GenEnq.asp
Now, if he didn't respond to this risk to children within a week then I'd be forced to do exactly what this chap has done and include my correspondence in the posting.
I wonder if anyone has told the Information Commissioner that many educational institutions are in breach because of a lack of due-diligence on their part ?
Unbelievable - the supplier appears oblivious to similar recent disclosures (xref transport system payment cards) and how not to respond:
http://www.wired.com/politics/security/commentary/securitymatters/2008/08/securitymatters_0821
Let alone how to stop digging when in a hole:
http://en.wikipedia.org/wiki/Streisand_effect
Idiots.
The internet gets what the internet wants...
I wondered what LookC had to say themselves, in the name of impartiality...
Not seeing anything on this <surely> critical update I thought I'd try News and Support. Nope nothing there...
Then I tried myLookC link... ha ha ha (For impartiality I tried it on Chrome, Firefox, and Exploder)
http://www.grayzone.co.uk/lookc.jpg
Nothing much I can add to that, a security firm who doesn't know their security...
Paris, cos she possibly has better security from CCTV.
Nk
Now that's a name some security "professionals" should know better.
AC, of course Stephens had a duty -- not to LookC, perhaps, but to their customers. It's not a duty born of law or contract, but of ethics. He was right to disclose the fact that there was a flaw, and he was right to disclose the existence of that flaw to both LookC and the general public. Where he failed is in publishing not just the flaw, but (a) how to exploit the flaw, and (b) further information on how to use Google to find flawed systems to exploit. If you wish, you may be able to justify (a) as giving customers the info needed to test their systems, but (b) does nothing but ensure that anyone can exploit any of the flawed systems. It doesn't help fix the problem in any way, and by releasing that information without giving LookC or its customers time to respond to the discovery of the flaw, he did nothing but make the problem worse.
What the fuck are schools doing connecting their CCTV system to the internet? Just a small detail I know, but how did anyone with even a minimum of intelligence not see a slight flaw in that plan?
Whatever next? Banks trusting estate agents to sell mortgages....oh yeah right the whole crunch thing.....mine's the one with a pair of wire snips in the pocket.
criminal intent meaning....................looking at the CCTV images and killing them with your death ray vision from 5000 miles away (through a monitor too. Impressive.) ?
Who cares if they supposedly 'exploited' it by giving the information out. Why should that be a crime? Oh, we must sweep this under the rug and try to stop this kind of information getting out. Umm.. why??? The last time I heard, it was not illegal to refuse to cover someone else's ass.
The problem should've been fixed or MAYBE...you know.. not insecure in the first place.
Have a look at: http://www.wiretrip.net/rfp/policy.html
As you can see, the vendor has 5 days to reply to the first email (5 days is a reasonable time to avoid problems with holidays, time zone and so on...). Even if I don't like the vendor's reply, this is not ethical full disclosure indeed.
Maybe. It's dumb to put backdoors in like this, but.... if you put a video camera on the internet instead of behind a firewall, it's a little like leaving the keys in your car and the doors wide open. Sure it's illegal to steal it, but who would be surprised if it went?
If it's sophisticated enough to have a built in webserver, doesn't it have IP address connection filters to protect it at the network layer?
Skull icon - he's rolled his eyes back so far they fell out.
Here is a company in the security business that prefers to threaten the person that told the world about a hole in their product that threatens the security of their customers instead of fixing the problem and keeping their customers safe. "It's OK. If they don't know about it then it doesn't matter."
I'm not sure which is more frightening from a security company; That they might think it's OK for a flaw to exist as long as the customer doesn't find out or that they might be living in fairyland and believe that there aren't people on the net that would exploit it. The other possibility is that their understanding of computer security is so poor they've made such a mess and made this exploitable code so essential to their software that they can't fix it without having to throw the whole thing away and start again.
Continued selling a product that they knew had a flaw of this severity *strike 1*
Didn't fix it as a matter of urgency *strike 2*
Tried to muzzle the messenger to stop customers finding out *strike 3*
Clearly not a company I could ever trust. They've been added to my mental Rolodex of companies that will never find their way through the door at any of my customers if I have anything to do with it.
I beg to differ. By publishing the details, the company was forced to fix its buggy product.
A software company who, no doubt, hides behind a EULA that states something to the effect of "we are not liable if this software screws up your PC or your life".
Even companies like Microsoft can take an age to fix security bugs if they are not under pressure.
Even naughtier is to put cameras in schools without putting some form of security in place. This "hack" is no such thing, any more than I can "hack" your computer by sitting next to you and watching what you type...
This exploit should have been absolutely impossible. It should never have been IN the product. Releasing this information on how there IS NO SECURITY is the only thing that can be done.
Google camera surfing is ooooold news.
There's loads of cameras out there with this "vulnerability" and quite a few owners who know about it.
Kinda hard to miss when some of the cameras are controllable via the web. This was news in 2005 :(
Points for anyone that can find a link to the German(?) guy that offers you cake when you play with the camera.
For those who have been complaining that 3-4 days isn't enough to close the hole, let me put on my imagination cap and help you (and LookC) find a quick solution. 1) The leak was shown to be via a URL. 2) Either the URL was to a static page, in which case 3a) you lock down that directory and all is well, or it was to a dynamic script, in which case 3b) you remove that script from the web site. Since the primary function of the web side of the system seems to be to provide a live feed rather than static (albeit "live") snapshots, notwithstanding the suggestion of hitting refresh repeatedly to get a "live feed", this "feature" seems to be surplus to requirements and shutting it down should hardly cause any knock-on effects to the core functionality of the system. Of course, all of this assumes a certain degree of care in designing and coding the system in the first place. Oh, right... Sorry, I just seem to have shot my argument in the foot there...
https://82.144.238.157/media/getimage_sid.php?card=2&camera=3
Seems like a bar. This is the front of house.
https://82.144.238.157/media/getimage_sid.php?card=3&camera=3
This is the kitchen.
Just had fun watching the two waitresses having fun...
https://82.144.238.157/media/getimage_sid.php?card=4&camera=3
Behind the bar...
Very interesting...
"Stephens said he informed LookC about the flaw on 9 September and went public with the vulnerability on 12 September, via a security advisory on his website"
...
"A problem concerning the live image acquisition by unauthorised internet users was reported to us on 12 September 2008"
So either:
a) Stephens lied about when he informed LookC,
b) LookC lied about when Stephens informed them, or
c) LookC didn't care, ignored the email and hoped Stephens would leave it at that.
And as for:
"The person who highlighted the vulnerability to us also saw fit to publicise the means of hacking the LookC servers on the internet and then to log on to other blogs to point other internet users and hackers to the article. We can only guess at the motivation behind this action but have not ruled out criminal intent"
Assuming (a) above is not true, did LookC immediately check their servers, and warn their customers? Not so far as I know. So Stephens did it for them. Now admins can implement some form of temporary fix to protect themselves (most likely for legal reasons), while LookC play the blame game and try to have Stephens arrested.
Thing is, especially with such a simple "hack", if an honest person has found an exploit and reported it, it is likely that a DISHONEST person has already discovered it and started using it to their advantage. So Stephens has done you a favour guys, stop bitching and fix your damned product!!
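For admins who want to know whether their own server has already been browsed this way, the following is an added example, not part of the thread or of LookC's software: it scans a web access log for unauthenticated, successful requests to the image script quoted in the advisory and flags clients that stepped through several card/camera pairs. The log format (Common Log Format with the authenticated user in the third field), the sample lines and the threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format (assumed; not from a real device).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Sep/2008:10:01:02 +0100] "GET /media/getimage_sid.php?card=1&camera=1 HTTP/1.1" 200 18231
198.51.100.7 - - [19/Sep/2008:10:01:03 +0100] "GET /media/getimage_sid.php?card=1&camera=2 HTTP/1.1" 200 18002
198.51.100.7 - - [19/Sep/2008:10:01:04 +0100] "GET /media/getimage_sid.php?card=1&camera=3 HTTP/1.1" 200 17544
198.51.100.7 - - [19/Sep/2008:10:01:05 +0100] "GET /media/getimage_sid.php?card=2&camera=1 HTTP/1.1" 200 17990
192.0.2.10 - operator [19/Sep/2008:10:02:00 +0100] "GET /media/getimage_sid.php?card=1&camera=1 HTTP/1.1" 200 18231
192.0.2.10 - operator [19/Sep/2008:10:02:05 +0100] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [19/Sep/2008:10:03:00 +0100] "GET /media/getimage_sid.php?card=1&camera=1 HTTP/1.1" 401 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
IMAGE_PATH = "/media/getimage_sid.php"  # path quoted in the advisory


def anonymous_image_hits(log_text):
    """Map client IP -> set of (card, camera) pairs served (HTTP 200) with no user."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Keep only successful responses where no authenticated user was logged.
        if not m or m["status"] != "200" or m["user"] != "-":
            continue
        url = urlsplit(m["target"])
        if url.path != IMAGE_PATH:
            continue
        q = parse_qs(url.query)
        pair = (q.get("card", ["?"])[0], q.get("camera", ["?"])[0])
        hits[m["ip"]].add(pair)
    return dict(hits)


def enumerating_clients(log_text, min_pairs=3):
    """Clients that pulled at least min_pairs distinct cameras anonymously (assumed threshold)."""
    return sorted(ip for ip, pairs in anonymous_image_hits(log_text).items()
                  if len(pairs) >= min_pairs)
```

Any address returned by `enumerating_clients` received images from several cameras without logging in, which is the access pattern the advisory describes.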