Pirates Hacked Shipping Firm's CMS To Plan Attacks, Find Valuable Cargo (softpedia.com)
An anonymous reader writes: Verizon's most recent Data Breach Digest includes a curious hacking case. Apparently a group of sea pirates have hired a hacker who uploaded a Web shell to a shipping company's CMS that allowed them to download cargo inventories and ship routes. They then used this information to attack ships, equipped with a barcode reader (and weapons of course), searching specific crates, emptying all the high-value cargo, and making off with the loot within minutes of launching their attacks.
Are they still called pirates? (Score:3)
Now that we are referring to Netflix subscribers by the same name we may need to come up with another name for people who steal at sea. What should we call them? Searates? Picaroons? Thieves?
Re: (Score:1)
It depends if they have good lawyers or not. For safety I would suggest Unlicensed Goods Removals and Relocations Corporations. You never know when somebody might sue.
Re: (Score:3)
Well, the nautical version has been around a long time, and the copyright version has been around since the 17th century or so when copyright was first established.
Though I have to admit, this is one of the few times where the two worlds collide...
Maybe we can do what the Navy does - where "pilot" is an overloaded term
Re: (Score:2)
Politicians?
Comment removed (Score:3, Interesting)
Re: (Score:1)
> If a ship was armed with weapons, that would just make it a bigger target, since it must have something valuable to protect.
No it wouldn't. a) people don't have to know b) under the plan proposed all vessels would have weapons so it wouldn't give anything away.
The problem is different. When you choose to attack something, you study it and its weaknesses. If the thing is armed with Gatling guns then you come along with autocannon. If it's armed with autocannon you come with missiles. Once we start arming ships, carrying arms will no longer be a sign of being a pirate and so it won't be possible to arrest these people becaus
Re: (Score:2)
They are a bit more expensive to buy and operate though, and that makes it rather uneconomical. Your "QED" comes from some fundamental misunderstandings.
Re:Unarmed ships are helpless. (Score:5, Informative)
There are legal issues about having weapons on a ship. That is, when they transit different national waters, they may, or may not, be allowed to have some, or any, weapons on the ship, regardless if it's stored or not.
Simpler. Say your boat leaves a country where you can legally have Gatling guns. You transit inside another nation's waters where you can't legally have one, such as Canada, the US, or Mexico. You could end up in jail over it. Depending on the rules and policies, it could be the responsible party, captain, or crew. Unmounting the Gatling gun, and placing it in a locker isn't usually good enough.
Cargo ships can be transiting the waters of many nations during their cruise.
I wouldn't really focus on the chance of escalating force. The pirates that are committing most of these crimes are working on a real shoestring budget. Like, small boats, where the pirates are armed with knives, rifles, and the (very) occasional RPG. Clicking through the pirate activity map, I couldn't find any reports stating heavier weapons than rifles. Most were unarmed, or armed with knives. If they could afford, or steal, better ships and weapons, they'd be doing it already.
Pirate activity map [icc-ccs.org]
Here is a writeup on the issue [huffingtonpost.com]
Re: (Score:2)
I guess it's good that I haven't gotten into the piracy business. I could do well with "liberating" the ships and cargo from the previous owners. :)
Hostages have to be clothed, fed, and otherwise taken care of. It's easier to just let them go at the first safe port.
A while back, I wrote up a theoretical plan on amassing a flotilla of pirate ships. It looked good on paper, and could probably make a great piece of fiction. In real life, I'm allergic to things like having my flotilla being blown out of the
Re: (Score:2)
Did you just call Somalia 'ungoverned?' Hmm... You've never been to Somalia, have you? Somalia is *over-governed* by any definition. It's not a representative government, it's not a good government, it's not government that is recognized by the UN, but government it is and there sure is a lot of it. They've even got paperwork, treaties, trade agreements and the like. They've got judicial, executive, and legislative powers. No, Somalia's *very* governed. It's kind of strange that people don't think so.
Re: (Score:2)
News outlets keep referring to it as ungoverned. We were all taught to trust the news, so there should be little reason to research a fact that is repeated without being contradicted. Except, news outlets can be wrong.
News outlets have gotten very good at copy & paste. It isn't just within a single story passed around. They'll keep copy & pasting pieces from stories, assuming nothing has changed, and that the fact checkers at the previous publication did their job.
It's trivial to check with res
Re: (Score:2)
That's true too but not really the intent of my response. They have a whole lot of government - it's just not the legitimate government, not recognized, and not one by or for the people. It's not a representative government, not at all. It's not a good government, not even remotely. But they're governed pretty damned hard.
It's strange that people say it. It's like saying North Korea doesn't have a government except Somalia's full of small, regional, Kim Jong Un-esque people. They've got paperwork to go from
Re: (Score:2)
I was agreeing with you. :) I haven't been there, and really don't see a need for it in the near future.
With as much as they've changed, according to the current public information, I can understand someone thinking there was no law. There is always a law. As you said, there is the government, and there are warlords. Any good gang or self-declared local gov't, has some sort of organization and laws. In anarchy and chaos, someone will always strive to have power over others. They have to adopt at le
Re: (Score:2)
> I was agreeing with you.
I kind of figured/knew that you were. I thought I'd elaborate and make it more clear if you weren't really sure what I meant. I haven't re-read my post but if there's any "you" in there, it's the generic you and not you personally. Ah well... Sorry if there was any confusion. I'll make up for it by writing a small novella for you. I'm actually lacking time again today so this cannot be all that lengthy. You don't really *have* to read it, of course, but I'll see if I can think o
Re: (Score:2)
> There are legal issues about having weapons on a ship. That is, when they transit different national waters, they may, or may not, be allowed to have some, or any, weapons on the ship, regardless if it's stored or not.
> Simpler. Say your boat leaves a country where you can legally have Gatling guns. You transit inside another nation's waters where you can't legally have one, such as Canada, the US, or Mexico.
If enough shipping companies got together and said "we can't ship to the US since we can't have guns" that would change overnight.
200 years ago it was a given that a decent ship would be outfitted with cannon and defensive measures. We're back in the age where pirating at sea is a profitable criminal enterprise, so it's time that ships become armed again. Most pirates just come in small fast boats that would be trivial to destroy with any sort of boat-mounted weapon.
The other issue that needs to be addres
Re: (Score:2)
Wouldn't they be protected by safe harbour provisions as long as they are flying a flag of a country that permits carrying weapons and never remove them from the vessel?
Re: (Score:2)
That depends on the country. Most would say no. You could check with DHS. As I understand it, if you brought an armed ship within the US EEZ (200 nautical miles), you would find out that it isn't exactly welcome.
Simple breakdown chart [wikipedia.org]
A NOAA breakdown of distances from shore with brief descriptions of each zone. [noaa.gov]
Re: (Score:2)
Some of the companies after a quick google...
Sea Marshals
ESC Global Security
ESS&SA
McRoberts Protective Agency
Agema-Services
Rokada
Seagull Maritime Security
International Ma
Re: (Score:2)
http://www.hsph.harvard.edu/hi... [harvard.edu]
Real people are more concerned about protecting their ego than their person. But yeah, keep pretending you're just defending yourself and your neighbours.
Re: (Score:3)
The idea has definitely been discussed. It would seem very irresponsible to travel unarmed in pirate-infested waters such as near Somalia. However, it's not clear where this attack took place. It should be relatively safe to ship through the north Pacific or north Atlantic. I'd also expect the Southern Ocean is pretty safe because there isn't too much down there.
There's an article from the Christian Science Monitor [csmonitor.com] that does a really good job of explaining the issues with protecting ships. It says that if c
Re: (Score:2)
> The idea has definitely been discussed. It would seem very irresponsible to travel unarmed in pirate-infested waters such as near Somalia. However, it's not clear where this attack took place. It should be relatively safe to ship through the north Pacific or north Atlantic. I'd also expect the Southern Ocean is pretty safe because there isn't too much down there.
> There's an article from the Christian Science Monitor [csmonitor.com] that does a really good job of explaining the issues with protecting ships. It says that if crews are armed, pirates may retaliate if fired upon, injuring the crew or damaging the ship. Similarly, they believe that having specific armed security on ships will result in pirates getting more powerful weapons and firing from a distance. In short, they don't want to create an arms race with the pirates. There are other measures to protect ships, though they're somewhat expensive. I'd guess that shipping companies don't want to spend the money to protect ships traveling in areas where pirates aren't common.
Well then follow up with a drone strike of the base camps they use and a torpedo for the mother ship.
If that doesn't work, I am sure a B1-B or two can carry a payload to fix the problem. Just one of those can carry enough land mines and sea mines to fuck up their areas of deployment real well.
Sounds like "we don't actually want to solve the problem, just whine about it" to me. Typical pussy generation. Maybe try handing out trophies to all the pirates or something. I am sure that would work.
The decidi
Re:Unarmed ships are helpless. (Score:4, Insightful)
Get Gatling guns on one ship, the next pirate crew will show up with an RPG. If I was a sailor on one of those ships, there would be no chance in frozen hell I would fire back on a pirate to protect some rich dude's shit on board that's probably insured anyway. You can be as gung-ho about this as you want from your armchair, I'm throwing my hands in the air and letting the pirates go with the cargo.
Re: (Score:2)
> Get Gatling guns on one ship, the next pirate crew will show up with an RPG.
Next?
http://i.telegraph.co.uk/multi... [telegraph.co.uk]
They've already been doing that for years.
> You can be as gung-ho about this as you want from your armchair
The crew of the ship where that picture was taken faced off the RPG wielder with molotov cocktails.
Re: (Score:2)
> Get Gatling guns on one ship, the next pirate crew will show up with an RPG. If I was a sailor on one of those ships, there would be no chance in frozen hell I would fire back on a pirate to protect some rich dude's shit on board that's probably insured anyway. You can be as gung-ho about this as you want from your armchair, I'm throwing my hands in the air and letting the pirates go with the cargo.
Except the pirates, the Somali ones, want you. They want to take you hostage and get a ransom for you. If they don't get ransom your ass is toast.
Now do you want to defend yourself?
Re: (Score:2)
Case in point. [icc-ccs.org]
There are tons more like it.
Re: (Score:3)
The inherent right of individual or collective self defense seems to have been totally blocked by the big powerful nations who could have allowed more protections at any time in the past decades but ensured nothing useful was done.
All they did was update the forbidden cargo lists to contain nations doing bad exports
Re: (Score:2)
Well, the BIG problem is firearms and every country has a ton of laws around it. It's been debated, and most shipping companies are averse to it because the permits and paperwork involved would basically halt the industry. Especially if you're transiting waters.
It's why they typically use water canno
Re: (Score:2)
The usual pirate scenario seems to be a fairly small fishing type boat attacking a large ocean going ship. The former is usually wooden and the latter a multi-story sized hunk of steel.
I'm not sure why even a .50 cal semi-auto sniper-style rifle wouldn't be more than a match for pirates in a small wooden boat. The effective range of RPGs is only a few hundred meters and the ability to fire it accurately from a small boat in the ocean seems pretty limited. It's slow to fire repeated rounds and the effect
Re: (Score:2)
> The usual pirate scenario seems to be a fairly small fishing type boat attacking a large ocean going ship. The former is usually wooden and the latter a multi-story sized hunk of steel.
> I'm not sure why even a .50 cal semi-auto sniper-style rifle wouldn't be more than a match for pirates in a small wooden boat. The effective range of RPGs is only a few hundred meters and the ability to fire it accurately from a small boat in the ocean seems pretty limited. It's slow to fire repeated rounds and the effect is likely to be limited against a large, steel ocean going freighter.
> The .50 round is effective at much longer ranges, a large ship would provide a much more stable and accurate firing platform in addition to being able to fire multiple rounds quickly. One guy with a .50 sniper rifle could probably do serious damage to a wooden fishing boat, with nowhere safe to hide for its crew and way outside the effective range of a RPG.
And by "serious damage" you mean "sink it".
Re: (Score:2)
Depending on the nature of the vessel and shot placement, it may just damage it in some non-critical way or it may actually do enough damage to remove propulsion or actually sink it. There's a lot of variables, from pirate vessel materials, construction, shot placement, and the ability of the boat to handle a leak of some kind.
Decent bilge pumps may be able to keep it from sinking long enough to make it back to port if the hull is only punctured once or above the average waterline. A steel hulled vessel m
Throwaway guns (Score:1)
Easy. Get a bunch of guns to defend the ship as it sails thru the pirate waters. When it approaches a country where guns are not legal, throw them overboard (or melt them). The cost, compared to the alternative, is trivial.
Re: (Score:1)
Or just do what they currently do, and have security services aboard the ships in dangerous waters. It may shock you to discover, but the shipping companies have already thought about this a lot more than you have.
Re: (Score:1)
Instead use that money to:
-Add GPS tracking to the valuable cargo
-Improve insurance policies, which they probably already have
-Maybe start by using a more secure CMS
-Lock down the cargo better, so plasma cutter etc would be required to open
-Encrypt cargo labeling, where decryption key is not onboard
These are just some 5 second ideas which may not stop pirates but should at least slo
Re: (Score:2)
Seeing as the ships have to travel internationally and dock in different countries, that is a terrible idea, as it will instantly limit the ports said ship can sail to.
My cousins work protection on cargo ships - they are delivered to the ship (with weapons), and stay with it when at sea. When they approach territorial waters, they leave the ship. This is the only sensible, non-knee-jerky way to deal with the security of cargo vessels. Just sticking guns to everything might seem like quite a sensible solu
Re: (Score:2)
I don't know. Do they take the original loot, or are they making copies of it?
Re: (Score:3)
> I don't know. Do they take the original loot, or are they making copies of it?
Probably the one that carries a smaller penalty.
Hacker uploaded shell to shipping company's CMS (Score:1)
What was the name of this CMS and who originally installed it?
Coldfusion? Joe in 2001? (Score:2)
Although interesting on the surface, that softpedia piece reads like it was written by Verizon PR. No surprise, since the "article" is basically a regurgitation of the Verizon "whitepaper" most likely regurgitated by someone who has none to a basic understanding of pen testing and web security:
"With all this information in hand, Verizon helped the company block the hacker's IP, remove the Web shell, take down its server, reset passwords for all compromised accounts, and upgrade the CMS."
And the world was gr
Re: (Score:2)
How do they know that was their home ip address and not just another compromised host?
And even if it was their ip, were they in a jurisdiction where they don't care about exposing it?
Re: (Score:2)
> What was the name of this CMS and who originally installed it?
Don't expect such info from this article, if you find gems such as the following:
> Fortunately, the hacker wasn't that skilled. Verizon says that the attacker used a Web shell that didn't support SSL, meaning that all executed commands were recorded in the Web server's log.
A newspaper that isn't skilled enough to know the difference between SSL and POST (if that's what they meant...) certainly wouldn't know the difference between Joomla, Drupal or Wordpress either.
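The distinction drawn in the comment above, as an added example that is not part of the thread or of the Verizon report: a web server's access log records the request line after TLS has been terminated, so commands passed in a GET query string are logged with or without SSL, while a POST body is not logged at all. The log lines, the path /uploads/img.php, the parameter name c and the command word list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in "combined" access-log format (not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2016:10:02:11 +0000] "GET /index.php?page=routes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2016:10:02:40 +0000] "GET /uploads/img.php?c=ls+-la+%2Fvar%2Fwww HTTP/1.1" 200 812 "-" "curl/7.47"
203.0.113.7 - - [01/Mar/2016:10:03:05 +0000] "GET /uploads/img.php?c=cat%20..%2Fconfig.php HTTP/1.1" 200 344 "-" "curl/7.47"
203.0.113.7 - - [01/Mar/2016:10:04:19 +0000] "POST /uploads/img.php HTTP/1.1" 200 9377 "-" "curl/7.47"
198.51.100.23 - - [01/Mar/2016:10:05:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Heuristic only: a decoded parameter value that begins with a common
# Unix utility name. A real rule set would be broader and tuned per site.
CMD_RE = re.compile(
    r'^\s*(?:ls|cat|id|whoami|uname|pwd|ps|find|tar|wget|curl|netstat)\b'
)


def parse(log_text):
    """Yield (ip, method, path, raw_query) for each parseable log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            parts = urlsplit(m["target"])
            yield m["ip"], m["method"], parts.path, parts.query


def analyze(log_text):
    """Return commands visible in query strings, plus POSTs to the same
    paths whose bodies (and therefore any commands) were never logged."""
    entries = list(parse(log_text))
    commands = []
    for ip, _method, path, query in entries:
        # parse_qsl percent-decodes values and turns '+' into a space.
        for _name, value in parse_qsl(query):
            if CMD_RE.match(value):
                commands.append((ip, path, value))
    shell_paths = {path for _ip, path, _value in commands}
    blind_posts = [(ip, path) for ip, method, path, _q in entries
                   if method == "POST" and path in shell_paths]
    return {"commands": commands, "blind_posts": blind_posts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, path, cmd in result["commands"]:
        print(f"command in query string  {ip} {path}: {cmd}")
    for ip, path in result["blind_posts"]:
        print(f"POST to same path, body not in log  {ip} {path}")
```

Recovering what a POST-driven shell was told to do needs another source, such as request-body logging, a WAF or proxy capture, or host process auditing.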
Silly pirates (Score:1)
> Apparently a group of sea pirates have hired a hacker who uploaded a Web shell to a shipping company's CMS that allowed them to download cargo inventories and ship routes. They then used this information to attack ships,
That sounds like a lot of work. Haven't these pirates heard of torrents?
Re: (Score:2)
> That sounds like a lot of work. Haven't these pirates heard of torrents?
Have you heard of any big ships with valuable cargo that travel on torrents?
Cyberpunk / Shadowrun at its best (Score:2)
Sounds like something straight from a William Gibson or Neal Stephenson novel. Crafty little beggars, you have to give them that.
the part left out of the summary: (Score:2)
upon boarding the ship, the lead pirate announced, "Me scurvy dogs and me be after yer booty so we're scannin all yer baaarrrcodes."
Pirates of the Caribbean? (Score:2)
Must be the laid off Disney IT workers....
Re:Pirates of the Caribbean? (Score:2)
Must be the laid off Disney IT workers....
Way Too Much Effort (Score:2, Insightful)
If you've got that much access, why not just reassign valuable packages/containers deliveries to addresses or shipping companies you control in, and just drive the goods away. Who looks inside a shipping contain
Re: (Score:1)
The reconsignment process would potentially draw attention to what was happening, as it's a fairly high-profile thing to do to a shipment.
Seen something like this before (Score:2)
I've worked in the Supply Chain / Shipping world for over 10 years now and have seen incidents like this multiple times.
One of the more memorable ones was where someone in the container yard in China was breaking into the containers and skimming product from the cartons inside the containers. In order to try and go undetected they were peeling off the carton labels that were printed out from our tracking system and reprinting the labels from a local device to reflect the new unit counts after they stole se
Piracy (Score:2)
It's not piracy... it's infringement of copyright! Piracy is... oh wait, never mind, yep, it's totally piracy. Sorry about that.
Re: (Score:2)
These people are not being "bashed", they are being condemned for the actions of a few. No-one is claiming all Christians are savage terrorists because the IRA was made up of Christians, yet Muslims have to put up with this endlessly.
I understand why you think "Oh this bashing of one religion is not accepted, but the bashing of another one is - what gives?", but to ignore the precise nature of the "bashing" going on, and the context in which this "bashing" is happening will only lead you to the wrong concl