Categories
Security

‘Anti-capitalist’ Verkada hacker charged by US government with attacks on dozens of companies

A Swiss computer hacker named Till Kottmann has been charged by the US government with multiple counts of wire fraud, conspiracy, and identity theft. The indictment accuses Kottmann and co-conspirators of hacking “dozens of companies and government entities,” and posting private data and source code belonging to more than 100 firms online.

The 21-year-old Kottmann, who uses they / them pronouns and is better known as Tillie, was most recently connected to the security breach of US firm Verkada, which exposed footage from more than 150,000 of the company’s surveillance cameras. But the charges filed this week date back to 2019, with Kottmann and associates accused of targeting online code repositories (known as “gits”) belonging to major private and public sector entities, ripping their contents and sharing them to a website they founded and maintained named git.rip.

Git.rip has since been seized by the FBI, but previously shared code and data belonging to numerous companies including Microsoft, Intel, Nissan, Nintendo, Disney, AMD, Qualcomm, Motorola, Adobe, Lenovo, Roblox, and many others (though no firms are explicitly named in the indictment). The exact nature of this data varied in each case. A rip of hundreds of code repositories maintained by German automaker Daimler AG contained the source code for valuable smart car components, for example, while a breach of Nintendo’s systems (which Kottmann said did not originate from them directly but which they reshared through a Telegram channel) offered gamers rare insight into unreleased features from old games.

In interviews about earlier breaches, Kottmann noted repeatedly that the data they found was usually exposed by companies’ own poor security standards. “I often just hunt for interesting GitLab instances, mostly with just simple Google dorks, when I’m bored, and I keep being amazed by how little thought seems to go into the security settings,” Kottmann told ZDNet in May 2020. (“Google dorks” or “Google dorking” refers to the use of advanced search strings to find vulnerabilities on public servers using Google.)

In the case of the Verkada breach, Kottmann and their associates reportedly found “super admin” credentials that were “publicly exposed on the internet” and that gave them unfettered access to the company’s systems. These logins allowed the hackers to look through the live feeds of more than 150,000 internet-connected cameras. These cameras were installed in various facilities including prisons, hospitals, warehouses, and Tesla factories.

Kottmann said they were motivated by a hacktivist spirit: wanting to expose the poor security work of corporations before malicious actors could cause greater damage. Kottmann told BleepingComputer last June that they didn’t always contact companies before exposing their data, but that they attempted to prevent direct harm. “I try to do my best to prevent any major things resulting directly from my releases,” they said.

After the Verkada breach, Kottmann told Bloomberg their reasons for hacking were “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”

The US government, not surprisingly, takes a dimmer view of these activities. “Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech — it is theft and fraud,” Acting U.S. Attorney Tessa M. Gorman said in a press statement. “These actions can increase vulnerabilities for everyone from large corporations to individual consumers. Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud.”

The indictment includes as evidence numerous tweets and messages sent by Kottmann using handles including @deletescape and @antiproprietary. These include a tweet sent on May 17, 2020 saying “i love helping companies open source their code;” messages to an unnamed associate soliciting “access to any confidential info, documents, binaries or source code;” and tweets sent on October 21 in which Kottmann said that “stealing and releasing” corporate data was “the morally correct thing to do.”

Kottmann is currently located in Lucerne, Switzerland, where their premises were recently raided by Swiss authorities and their devices seized. Whether or not they will be extradited to the US is unclear. Bloomberg reports that Kottmann has retained the services of Zurich lawyer Marcel Bosonnet, who previously represented Edward Snowden. The charges against Kottmann carry prison sentences of up to 20 years.

Repost: Original Source and Author Link


Tens of thousands of Verkada cameras were easily accessible to employees as well as hackers

Employees of cloud-based surveillance firm Verkada had widespread access to feeds from customers’ cameras, according to new reports from Bloomberg and The Washington Post.

Verkada’s systems were recently breached by a “hacktivist” collective which gained access to more than 150,000 of the company’s cameras in locations ranging from Tesla factories, to police stations, gyms, schools, jails, and hospitals. The group, who call themselves Advanced Persistent Threat 69420, stumbled across log-in credentials for Verkada’s “Super Admin” accounts online. They publicized their findings, saying they were motivated by “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”

Now, anonymous Verkada employees say the same “Super Admin” accounts that the hackers accessed were also widely shared in the company itself. More than 100 employees had Super Admin privileges, reports Bloomberg, meaning that these individuals could browse the live feeds from tens of thousands of cameras around the world at any time. “We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” one former senior-level employee told the publication.

Verkada, meanwhile, says access was limited to employees who needed to fix technical problems or address user complaints. “Verkada’s training program and policies for employees are both clear that support staff members were and are required to secure a customer’s explicit permission before accessing that customer’s video feed,” said the Silicon Valley firm in a statement given to Bloomberg.

The Washington Post, though, cites the testimony of surveillance researcher Charles Rollet, who says individuals with close knowledge of the company told him that Verkada employees could access feeds without customers’ knowledge. “People don’t realize what happens on the back-end, and they assume that there are always these super-formal processes when it comes to accessing footage, and that the company will always need to give explicit consent,” said Rollet. “But clearly that’s not always the case.”

Another former employee told Bloomberg that although Verkada’s internal systems asked workers to explain why they were accessing a customer’s camera, this documentation was not taken seriously. “Nobody cared about checking the logs,” said the employee. “You could put whatever you wanted in that note; you could even just enter a single space.”

Verkada’s cameras offer AI-powered analytics, including facial recognition and the ability to search footage for specific individuals.

Verkada’s cloud-based cameras were sold to customers in part on the strength of their analytical software. One feature called “People Analytics” let customers “search and filter based on many different attributes, including gender traits, clothing color, and even a person’s face,” said Verkada in a blog post. The same cloud-based systems that gave customers easy access to their cameras’ feeds also enabled the breach.

The hacker collective Advanced Persistent Threat 69420 (the name is a nod to the taxonomy used by cybersecurity companies to catalog state-sponsored hackers combined with the meme numbers 69 and 420) say they wanted to inform the public of the dangers of such ubiquitous surveillance. The breach “exposes just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit,” one member of the group told Bloomberg. “It’s just wild how I can just see the things we always knew are happening, but we never got to see.”



Security startup Verkada hack exposes 150,000 security cameras in Tesla factories, jails, and more

Verkada, a Silicon Valley security startup that provides cloud-based security camera services, has suffered a major security breach. Hackers gained access to over 150,000 of the company’s cameras, including cameras in Tesla factories and warehouses, Cloudflare offices, Equinox gyms, hospitals, jails, schools, police stations, and Verkada’s own offices, Bloomberg reports.

According to Tillie Kottmann, one of the members of the international hacker collective that breached the system, the hack was meant to show how commonplace the company’s security cameras are and how easily they can be hacked. In addition to the live feeds, the group also claimed to have had access to the full video archive of all of Verkada’s customers.

In a statement to Bloomberg, a Verkada representative commented: “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this potential issue.” Following Bloomberg’s request to Verkada, the group lost access to both the company’s live feeds and archives.

The hack was apparently relatively simple: the group managed to gain “Super Admin”-level access to Verkada’s system using a username and password they found publicly on the internet. From there, they were able to access the entire company’s network, including root access to the cameras themselves, which, in turn, allowed the group to access the internal networks of some of Verkada’s customers.

Verkada prides itself on offering internet-connected security cameras, promising a Silicon Valley “software-first approach” to make security “as seamless and modern as the organizations we protect.” The cloud-connected cameras include a slick, web-based interface for companies to monitor their feeds and offer (optional) facial recognition software, too.

The company has also come under fire in the past for accusations of sexism and discrimination after an incident in 2019 where a sales director used Verkada’s office security cameras to harass female co-workers by secretly photographing and posting pictures of them in a company Slack channel. In response, Verkada’s CEO offered members of the Slack channel a choice between leaving the company or having their stock options cut.

The list of clients that use Verkada is broad: in addition to companies like Tesla and Cloudflare, the group gained access to Verkada cameras inside Halifax Health, a Florida hospital; Sandy Hook Elementary School in Newtown, Connecticut; Madison County Jail in Huntsville, Alabama; and Wadley Regional Medical Center, a hospital in Texarkana, Texas. In addition to the camera footage, the group also says that it was able to access the full list of Verkada’s thousands of customers and its private financial information.
