On 9 November Dutch tech journalist and author Daniël Verlaan hacked the online lighting system of the Erasmus Bridge in Rotterdam. Although he went for the colour pink, most people said it looked more like purple, but that’s beside the point.
In a tweet he claims that the lighting system had been accessible to everyone for a year, and there wasn’t even a password protecting it. That fact is very interesting since his very first book just came out and is aptly called ‘Ik weet je wachtwoord’ (‘I Know Your Password’). Verlaan got the tip from a white hat hacker who pointed the wide open bridge system out to him. A search for the keyword ‘Rotterdam’ on Shodan.io, a search engine for internet-connected devices, turned up the open system among the first results. The system was reachable online by IP address and protected only by an easily circumvented login.
The city of Rotterdam has now taken the system offline. And the lights are only for special occasions.
(Link: rtlnieuws.nl, Photo of Erasmus Bridge by Joop van Houdt – Beeldbank.rws.nl, some rights reserved)
Tags: Erasmus Bridge, hackers, hacking, Rotterdam
Just before Christmas, the University of Maastricht fell victim to a cyberattack: its IT system was held hostage and shut down for weeks. The university saw no other way out than to pay a whopping 197,000 euro to regain control of its computers.
According to a computer security company, the hackers got into the system after someone on a laptop clicked on a link in a phishing email. In October and November 2019, the hackers were getting ready to hold six servers hostage that were missing security updates. On 21 November they controlled the entire system, and on 23 December they deactivated the antivirus software and froze the entire IT system.
The hackers were probably Grace-RAT (TA505), a group of Eastern European, Russian-speaking cybercriminals who have been around since 2014, and by the looks of it business is going well: 197,000 euro is a whole lot of ‘dengi’ (‘money’).
Tags: cyberattack, hackers, Maastricht, ransomware, University of Maastricht
Need some cash? As of today, if you find a proper security leak in the online systems of the city of Apeldoorn, Gelderland, they’ll give you 300 euro for it. However, there are some rules to follow to get your hands on the cash.
– You can’t expose or mess around with employee data
– You can’t damage the system and make it inaccessible
– You can’t post any information you find online
If you’re up for the challenge, hit up Apeldoorn with your security leak by mailing it to firstname.lastname@example.org, I’m guessing preferably in Dutch. You’ll be asked to encrypt your findings and if all goes well, 300 euro and more could be yours. Let the hacking begin!
Tags: Apeldoorn, hackers, hacking
A British judge has imposed a ban in favour of car manufacturer Volkswagen, which claims that the publication of research on car-starting codes for luxury cars would be detrimental to its business. Roel Verdult and Baris Ege of the Radboud Universiteit Nijmegen, together with Flavio Garcia of the University of Birmingham, wrote the publication ‘Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser’. Since Volkswagen and other car manufacturers don’t want all those codes out in the open, they went to court in the UK and won. Oddly enough, much of the information has apparently already been floating around the Internet since 2009, but nobody really noticed until now.
The Radboud Universiteit Nijmegen is not taking it lying down and is going to court to fight the ban. The university claims that the researchers’ aim was to improve security for everyone, not to give criminals a helping hand at hacking into high-end cars. They argued that “the public have a right to see weaknesses in security on which they rely exposed”. Otherwise, the “industry and criminals know security is weak but the public do not”.
It seems to me that basing a security algorithm on secrecy rather than complexity is asking for problems once someone cracks the code, and assuming that that will never happen is not smart. The researchers didn’t do anything illegal, yet they got a gag order. Why not compromise with a ban for like 6 months to let the car manufacturers get their act together? And do the researchers really need to publish damaging details to make their point that the security is weak? Stay tuned.
(Links: www.theguardian.com, www.bright.nl, Photo: guusterbeek.nl)
Tags: hackers, hacking, Radboud Universiteit Nijmegen
In 2011, Dutch web certificate company DigiNotar was completely compromised by an Iranian hacker, and a report released this week details how it was done.
The report, written by security auditors Fox-IT and published by the state last Monday, shows that the hacker managed to get access to DigiNotar’s public website, which had already been hacked in 2009. In fact, the defacements from that year were still online when the hack was discovered in August 2011, security.nl reported at the time.
According to Webwereld, Fox-IT’s report reads like a how-to for pwning a badly secured system. The hacker installed a shell on the web server, which must have been easy, as the defacements still online showed the way. DigiNotar had a firewall between its public network (which it called the Demilitarised Zone) and its segmented internal network, but that firewall also carried a long list of exceptions. The certificate servers were also attached to DigiNotar’s office network, so that the hacker could use the standard MS Windows Remote Desktop tool to create false certificates.
Just another day at the office for an experienced black hat hacker.
Techworld reports that the DigiNotar hack was mainly used to attack Gmail users in Iran. DigiNotar declared bankruptcy in September 2011. The company’s certificates were heavily relied upon by the Dutch government, but also by Google.
Web certificates are a means of assuring your browser that the website you are visiting really is the website it claims to be. This is useful for online banking and so on.
Tags: certificates, DigiNotar, Dutch government, hackers, hacking, security, web sites
If students and pizza (and probably beer) are not already the perfect combination, then imagine students getting pizza for next to no money and keeping the money to buy beer.
For months, hundreds of students from cities such as Groningen, Breukelen and Utrecht had been getting pizza from Dutch website Justeat.nl for EUR 0.01 or 0.05 after hacking into the payment system. Just before the pizza was paid for through an online banking system, a page was added somewhere that made it possible to change the final price to a few cents. In other words, the payment system wasn’t set up properly and certainly wasn’t secure.
The manager of the website is going to try and get the students to pay for the pizzas after all, as he’s out EUR 30,000. I think he should kick the IT incompetents he hired to install the payment system on his site really hard and claim damages (we don’t run out and sue here). It’s not like he’s the first ever online restaurant using the highly praised and easy-to-use iDEAL payment system. Going after the smart students is easier, but lame, and they have no money.
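The bug described above is a checkout that lets the browser dictate the price. The following is an added example, not Justeat’s code: a handler that trusts the client-supplied amount beside one that recomputes the total from a server-side menu and verifies the amount the payment provider reports before marking the order paid. The menu, order format and payment-request shape are constructed for illustration.

```python
# Added example (not Justeat's code): a checkout that trusts the browser's
# price beside one that recomputes it server-side. Menu, orders and the
# payment request format are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass

# Server-side price list in euro cents (constructed sample data).
MENU = {"margherita": 895, "quattro_formaggi": 1150, "cola": 250}

@dataclass
class Order:
    order_id: str
    items: dict[str, int]        # menu item -> quantity
    total_cents: int = 0         # authoritative total, set by the server
    paid: bool = False

def vulnerable_checkout(order: Order, form: dict) -> dict:
    """Builds the payment request from the 'amount' field the browser sent.
    Whoever controls that field (an edited page, a proxy) sets the price."""
    return {"order_id": order.order_id, "amount_cents": int(form["amount"])}

def server_total(items: dict[str, int]) -> int:
    """Recompute the total from the server's own menu; unknown items and
    non-positive quantities are rejected instead of silently priced at zero."""
    total = 0
    for name, qty in items.items():
        if name not in MENU or qty <= 0:
            raise ValueError(f"invalid order line: {name!r} x {qty}")
        total += MENU[name] * qty
    return total

def hardened_checkout(order: Order, form: dict) -> dict:
    """Ignores any client-supplied amount and stores the server-computed total
    so the payment callback can later check what was actually paid."""
    order.total_cents = server_total(order.items)
    return {"order_id": order.order_id, "amount_cents": order.total_cents}

def payment_callback(order: Order, paid_cents: int) -> bool:
    """Marks the order paid only if the provider-reported amount matches the
    stored total; a 5-cent payment against a 20-euro order is refused."""
    if paid_cents != order.total_cents:
        return False
    order.paid = True
    return True
```

The second check matters even with the hardened checkout: if the provider lets the payer alter the amount in transit, the callback still refuses to release the order.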
(Link: nu.nl, Photo of Pizza pie by Adam Kuban, some rights reserved)
Tags: hackers, hacking, pizza, students
Last December, Paul Wiegmans from Alkmaar discovered an ATM skimming device (Dutch) attached to an NS ticket vending machine (Nederlandse Spoorwegen, i.e. Dutch railways). Being a hacker, he pulled the device loose and photographed it extensively before turning it in to the police. Marvel at the diminutive size of these things!
De Nederlandsche Bank estimates that skimming at train stations and banks results in ten million euro in damages per year, reports Algemeen Dagblad (Dutch). The NS told the same daily that approximately two skimming incidents occur per day at its train stations. That’s a rather small number compared to the 200,000 ATM transactions taking place there per day.
Update: Meanwhile, Salima Douhou and Jan Magnus of the University of Tilburg claim that skimming would become almost impossible if banks incorporated code that verified the way people type their PIN codes, reports De Telegraaf (Dutch). Apparently, nobody does that quite the same way, making your punch as distinct as your signature. The article unfortunately doesn’t mention the false positive rate of this method, and calls the method “almost unhackable”, which in this reality means the same as positively hackable.
(Photo: Paul Wiegmans.)
Tags: banking, crime, Dutch railways, hackers, hacking, money, skimming