Local Emergency Alert System Hacked, Warns Dead Rising From Graves
First time accepted submitter Rawlsian writes "Great Falls, Montana, television station KRTV issued a denial of an Emergency Alert System report that 'dead bodies are rising from their graves.' The denial surmises that 'someone apparently hacked into the Emergency Alert System...This message did not originate from KRTV, and there is no emergency.'"
Hurry (Score:5, Funny)
Re:Hurry (Score:4, Insightful)
forget that 30 day urban legend. it's whether or not the Tall Man is still around. and give priority to shooting down flying chrome balls over zombies.
"You think when you die, you go to heaven.......... You come to us! " -- the Tall Man
Re: (Score:3)
Re:Hurry (Score:5, Informative)
And they said I was crazy preparing my zombie apocalypse survival kit.
Hardly. Even the top levels of the US government recommend being prepared for a Zombie Apocalypse [cdc.gov]. I mean, this is the same group of folks that wants you to get a flu shot.
Re:Hurry (Score:5, Funny)
Even the top levels of the US government recommend being prepared for a Zombie Apocalypse [cdc.gov]. I mean, this is the same group of folks that wants you to get a flu shot.
And just where do you think zombies come from, hmm? You don't really think it's from hell being full now, do you?
Re:Hurry (Score:4, Funny)
Even the top levels of the US government recommend being prepared for a Zombie Apocalypse [cdc.gov]. I mean, this is the same group of folks that wants you to get a flu shot.
And just where do you think zombies come from, hmm? You don't really think it's from hell being full now, do you?
Cadavers Destroying Civilization ?
Re: (Score:2)
And just where do you think zombies come from, hmm? You don't really think it's from hell being full now, do you?
Vaccine-laced pot? Wait until they run out of munchies food...
Re: (Score:3)
1. Someone at the CDC has a sense of humor
2. Many of your zombie preparations are actually useful for other disasters.
Re: (Score:3)
Re:Hurry (Score:5, Funny)
Re: (Score:3)
Hail to the king, baby.
Re: (Score:3)
Fleeing upwards (Score:3, Funny)
And remember not to run up stairs to escape them, leaving you stranded on the roof like EVERY FUCKING MOVIE IN EXISTENCE.
Re: (Score:2)
But if you can get them up stairs with you, you can outrun them downstairs... Oh wait that's bears and cows. Zombies you just walk away from.
I wanna do a movie where the survivors wear ripstop nylon (or something similar) to stop bites while they sleep and just outwalk the zombies.
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2, Interesting)
yup. Last time I looked, I could only get 300 win mag. And I don't have any guns that take that.
22LR and 5.56 are IMPOSSIBLE to find, and my personal stockpile is only 300 rounds for each of my rifles and barely over a hundred total for my pistols.
It doesn't help any I don't like spending time around the conservatives who usually frequent gun shops.
typical. (Score:5, Funny)
Re:typical. (Score:5, Funny)
> First the undead rise from their graves. Then the establishment covers it
> up. And it's not a coincidence that there are shortages and limits on ammo.
Chinese infiltrators in the US government want zombies to survive, so that they can be enslaved into preparing food at Chinese restaurants... the project codename is "Dead Men Wokking".
Re:Hurry (Score:4, Insightful)
Have you BEEN to a gun store lately? There's few firearms available and damn near zero ammo, especially in common sizes like 9mm. All you will find are bare shelves - and if you do find some ammo, you better buy it. Don't even stop to look at the prices.
About the only ammo easily in stock is shotgun shells and slugs. Everything else is gone the moment it hits the shelves. It's been this way since 2008, had gotten better but went to hell in a handbasket after Sandy Hook.
Re: (Score:2)
Guns are available if you are willing to pay a premium (retardedly so for AR or AK pattern rifles). Ammo though is horrifically hard to find unless you happen to have a gun in every conceivable caliber.
Re: (Score:2)
Not sure where you live, but even in MD, ammo has been trivially available from at least 2010 until shortly after Sandy Hook. And having just come back from South Carolina I can say, while the shelves aren't brimming, a bit of shopping around got my gf and I more than a bit of ammo.
Yeah, still hardly any 5.56 though :(
Re: (Score:2)
1. Cardio
2. The Double Tap
3. Beware of Bathrooms
4. Seatbelts
And find a kick-ass partner ASAP.
Good night and good luck, Godspeed to you all...
Re: (Score:3)
While this is just a joke, one thing is dead wrong:
In any case of big emergency, you should not head to common stores or malls, but to big warehouses that are usually outside towns/cities.
Shopping malls have low supplies and require to be restocked fairly frequently. Most of food is low duration or requires refrigeration and you will run out of anything that can be reliably stored in few weeks (depending on amount of people who get same idea - and that amount is going to be very high).
Big warehouses will h
Let me guess... (Score:4, Insightful)
Re:Let me guess... (Score:5, Informative)
If it was a Common Alerting Protocol-enabled system, it was entirely designed to be on the internet.
Re:Let me guess... (Score:4, Insightful)
You want to air-gap this system??!
so that when an emergency makes it impossible to travel by road, then someone has to travel by road to key in an alert about it?
Re: (Score:3)
so that when an emergency makes it impossible to travel by road, then someone has to travel by road to key in an alert about it?
I dunno about other states, but I assume they are the same as here. We have a statewide network of stations who listen (via radio) to other stations to get their alert notifications. There are portal stations that get out-of-state alerts.
I think it was done this way to avoid issues of network (internet) outages preventing notices from going out. Of course, the last major test was an utter fail -- except in the eyes of those who think that finding out that the system was a failure at actually notifying any
Re:Let me guess... (Score:5, Interesting)
Maybe that's what happened here. It's by no means difficult (though highly, highly illegal) to point a few-dozen watt transmitter at the receiving antenna with a highly directional antenna and spoof the EAS message from whatever station it listens to for alerts.
Re:Let me guess... (Score:4, Interesting)
It's by no means difficult (though highly, highly illegal) to point a few-dozen watt transmitter at the receiving antenna with a highly directional antenna
It's a hell of a lot simpler just to get really close and use a "low" power omni. If "they've" got 1e4 times the power but you're 1e6 times closer, you do the math for who wins the FM capture effect battle. Rather like a cheap mp3 transmitter can override a 50 kilowatt broadcast transmitter, well, for 10 feet or so. You can imagine the range a 50 watt mobile has vs a 1000 watt NOAA/NWS transmitter. This is in the news fairly often. Most commonly someone transmits over the NOAA weather radio freqs this way using some old VHF-hiband mobiles (now there's a well that's running dry...) reprogrammed.
Anybody who's ever written a SAME code decoder for weather radios or a SDR, or ever seriously considered it anyway, would not be very challenged by writing a SAME code encoder, in fact probably had to write one first, to test their decoder.
I enjoy the comedic stories I read in the newspaper about this. Those are real hacks. Like announcing a blizzard in Florida in the summer, heat warning in the frozen north during the winter. If I were still an impulsive teen I'd probably be doing that kind of thing.
However, the people who transmit sorta-plausible stuff intended to scare people are just jackasses. There's a fox news "joke" in there somewhere, or maybe not really a joke.
Re: (Score:2)
Re:Let me guess... (Score:5, Informative)
You don't need to be on the internet to have a "hack".
i.e. The road sign hack was actually funny the first time. :-)
https://www.google.com/search?q=l4d+road+sign+zombie+hack&tbm=isch [google.com]
Re: (Score:2)
Ha! Priceless!
See, this is further proof, if there's an input of any sort, it needs be secured. Either by lock and key or through proper admin filtering (that's not taking into account social engineering, but I don't think they've come up with filtering for human thought yet... unless TV counts).
Re: (Score:3)
IIRC, there was a story about a "Zombie Apocalypse" test message that was to be used on that net. I think the idea was supposed to be that it was so clearly a test message, that nobody would think it anything else.
This sounds like through some kind of glitch that message actually got released. There was probably no hacking involved.
Already air gapped. (Score:3, Funny)
Most local TV stations are already air gapped.
Not the equipment. The air gap is usually between the ears of the anchor
Capture of the broadcast (Score:5, Informative)
Supposedly this is the capture of the hacked broadcast: http://www.youtube.com/watch?v=nc60XPCXrh8 [youtube.com]
Re:Capture of the broadcast (Score:4, Informative)
I've found several videos of the alert during 2-3 different shows at YouTube (today's uploads: 'emergency zombie alert system' [youtube.com]) but haven't seen any that actually mention the zombies in the on-screen alert yet...they all just say that there's a civil emergency without mentioning what it is.
Primitive Tech (Score:5, Informative)
I'm entirely unsurprised that it's easy to hack in to EAS.
Re: (Score:2)
It's all in-band signalling, right? What could possibly go wrong.
Re: (Score:2)
I recently built a decoder for EAS/SAME messages. You can read about the protocol it uses at the National Weather Service [noaa.gov]. Forget about cryptographic signatures; SAME has absolutely no concept of message integrity. There is no CRC or checksum—not even a lowly parity bit.
Of course, it's difficult to use a checksum when you can't figure out when the message ends. Most systems use some kind of flag byte to tell the decoder where the end of the frame is, but SAME doesn't even have that. The decoder has to
yeah right (Score:5, Funny)
This message did not originate from KRTV, and there is no emergency
those are some wily zombies
Great... (Score:5, Funny)
Now when the REAL zombie apocalypse arrives, everyone will assume it's just another prank...
Re: (Score:2)
too late.. all those zombie movies have already desensitized us.. we should ban all zombie movies! ...just in case.. you know, for the children?
Full Recording of the Alert on KRTV (Score:5, Informative)
Re: (Score:2)
Gentle reminder about security (Score:5, Insightful)
I think these gentle reminders about security are great and are part of the spirit of hacking.
Which would the USA rather have: (a) goofball hackers create a zombie panic, or (b) our next enemy uses a coordinated attack to create actual panic?
Reminds me of the infamous "War of the Worlds" broadcast by Orson Welles. [wikipedia.org]
Michigan and Massachusetts as well (Score:2)
http://www.facebook.com/uppermichiganssource [facebook.com]
It's just another sign of the Zombie Apocalypse. (Score:2)
Well done (Score:2)
And tsk, tsk. What can I say, it's a battle between the young and the old internal geeks.
I also note sadly to myself that my old geek would scold, while the current enforcement mindset would encourage terrorist charges. And also noting that the fact that I would even _think about that_ is fucking sad.
Re: (Score:2)
Guess my inner geek is still young, as I thought it was quite amusing, as was one comment to a YouTube video of the alert begging "please someone hack into Fox News to do this on Easter!"
Astonishing news! (Score:5, Funny)
Amazing that this got through to the front page of /. in the same week that it happened!
Re: (Score:2)
Amazing that this got through to the front page of /. THE FIRST TIME in the same week that it happened!
Fixed that for you.
You're Early (Score:3)
Sounds like a test of the voting system the Republicans are planning to have in place for 2014. ;-)
Re: (Score:2)
Don't be silly. By 2014, there won't be any Republicans... only survivors.
Re: (Score:2)
It's times like this I wish Slashdot had a slightly different thread setup. That remark deserves to be rated "ROFL", or something like that.
Re: (Score:2)
No, it's definitely Republican. Like trying to do a riff on somebody else's joke and falling flat on your face.
It's just a simulation (Score:2)
Likely attack vector: NOAA weather radio (Score:5, Interesting)
This hack is clearly an invocation of the Emergency Alert System [wikipedia.org]. The EAS is a hierarchically-organized digital message propagation system that has no authentication scheme for the vast majority of the nodes that participate in the network. Since every moderately-sized licensed broadcast radio and TV station in the United States is required to participate in the network, that is a lot of attackable nodes.
The hierarchy is easy to exploit if you wish to spoof an alert on a specific station. All you need to know is the specific list of stations that your target listens to for alerts and a mobile radio transmitter that you can position relatively closely to your target's EAS receiving equipment. The list of "source" stations for your target is often public information, or can be deduced very easily. (Search for "<city> eas plan" in your favorite search engine.) The radio transmitter required is nothing more than a VHF two-way radio, which can often be a "modded" Amateur Radio which can transmit outside of the legal Amateur bands.
Step 4 (transmission) is extremely easy, even with low-powered equipment (250mW). Because of your proximity and the FM Capture Effect [wikipedia.org] you will have no problem overpowering the real source station without adversely affecting or alerting anyone outside a 1/2 mile radius.
My guess is the attackers here did precisely this. They probably exploited this TV station by spoofing a local NOAA weather radio channel that the TV station was listening to for alerts.
Hmm ... there may be an upside to this (Score:3)
They also don't take bathroom breaks, don't need time off. Health and safety laws don't apply to them, they're genuinely American (don't forget to bring geo-coded picture of your personal grave), if one or two get caught up in machinery or drop from scaffolding no-one will ask inconvenient questions, and they will work for a few pounds of squishy matter a day that should be easy enough to obtain.
Am I the only one who sees an opportunity here?
Re: (Score:3)
After all, most of them were born here, right? How exactly does their legal title to be in the US change on death?
After all, they wouldn't be deported while they rested quietly in their designated resting place, so why would that change now that they've suddenly decided to change their err ... unlife-style ... and become more active? There could be significant savings on legal risks here.
Re:find him, prosecute him (Score:5, Funny)
Re:find him, prosecute him (Score:5, Funny)
Obviously someone with half a brain should have believed it. Who else ate the missing half?
Re:find him, prosecute him (Score:5, Funny)
Re: (Score:3)
Re: (Score:2)
But what's to be done when the man from Mars stops eating cars and eating bars and now he only eats guitars (get up)? He already shot you dead and ate your head after all.
Re:find him, prosecute him (Score:5, Insightful)
On the contrary.
This is an obvious prank, and is unlikely to cause any harm, except to embarrass those who ought to be embarrassed. It would have been much more harmful to send an alert about a more believable disaster. Can you imagine the panic if the hoax had been about rising floodwater, or an incoming storm or hurricane?
This hack has the benefit of exposing a weakness before it could be maliciously exploited, in probably the only way that guarantees action will be taken. As we've seen, being a good white-hat and reporting the potential security is likely to result in you being prosecuted, and the fault being swept under the carpet.
Re: (Score:2)
It didn't end in disaster, but it really could have been worse. Some people rely on warning systems like this...think of, for example, tornado warning systems.
I'll admit, I laughed, and I do agree; it pointed out a weakness in the system that shouldn't have been there. Still, the right thing to do is to stop the culture of encouraging grey hat behavior by rewarding people who find weaknesses...rather than simply condoning them.
Re: (Score:2)
well what we do now is imprison them/ruin their careers, thus when they get out of jail after 20 years, the only thing left is to become a paid black hat for hire. ex-con murderers have an easier time of it..
gotta love laws written by ivy league lawyers who were ex popular-jocks in highschool.
Re:find him, prosecute him (Score:5, Funny)
He should have reported that Dihydrogen Monoxide has been detected in the city's water system. :-D
For the uninitiated (see http://dhmo.org/ [dhmo.org])
Dihydrogen monoxide:
is called "hydroxyl acid", the substance is the major component of acid rain.
contributes to the "greenhouse effect".
may cause severe burns.
is fatal if inhaled.
contributes to the erosion of our natural landscape.
accelerates corrosion and rusting of many metals.
may cause electrical failures and decreased effectiveness of automobile brakes.
has been found in excised tumors of terminal cancer patients.
Despite the danger, dihydrogen monoxide is often used:
as an industrial solvent and coolant.
in nuclear power plants.
in the production of Styrofoam.
as a fire retardant.
in many forms of cruel animal research.
in the distribution of pesticides. Even after washing, produce remains contaminated by this chemical.
as an additive in certain "junk-foods" and other food products.
Re:find him, prosecute him (Score:5, Funny)
Comment removed (Score:4, Informative)
Re: (Score:2)
No, of course it won't be funny when the dead start rising from their graves.
Now, about a week or two in, when there are shamblers and the general panic will be replaced with 'most of us are undead or eaten'? The zombie victim-bating and misc. mutilation games will be INSANELY funny.
Re:find him, prosecute him (Score:5, Insightful)
This is an obvious prank, and is unlikely to cause any harm, except to embarrass those who ought to be embarrassed.
I doubt that. If you are referring to the local officials who implemented the system or maintain it, then no, they have nothing to be embarrassed about. They didn't design the system, they just installed what was compatible with everyone else. Those who designed the system will probably not be overly embarrassed, either.
I doubt you're referring to the prankster, who certainly won't be embarrassed at all, even though such public displays should be embarrassing to him. It's like finding a mailing list and sending a bunch of spam to it to prove how insecure it is; annoying everyone on the list who can do nothing about it and really changing nothing.
The only likely result of this will be a confirmation in the minds of the public that hackers are nutcases who need to be put in jail for doing stupid things, not a sudden realization that hackers are here to save us from our mistakes.
Re: (Score:2)
>This is an obvious prank, and is unlikely to cause any harm...
Isn't that just what CBS executives said before airing War of the Worlds?
http://en.wikipedia.org/wiki/War_of_the_Worlds_(radio) [wikipedia.org]
Re:find him, prosecute him (Score:5, Insightful)
Later studies suggested the panic was less widespread than newspapers had indicated at the time. During this period, many newspaper publishers were concerned that radio, a new medium, would render them obsolete. In that time of yellow journalism, print journalists took the opportunity to suggest that radio was dangerous by embellishing the story of the panic that ensued
The parallels almost write themselves...
Re: (Score:2, Interesting)
As we've seen, being a good white-hat and reporting the potential security is likely to result in you being prosecuted, and the fault being swept under the carpet.
I tried that. I reported to a school that they put social security number together with full name, address etc on a html page, made it accessible without logging in and they transferred it without any encryption. It looked like they made a page for each student and then emailed the student in question the URL to their "personal page". I ended up talking to some lady, who went "only criminals would detect such flaws. You must be a hacker. I'm calling the police right away". They didn't dare to keep the page up
Re: (Score:2, Insightful)
Nobody would be able to guess a hash value and get info on a stranger, right?
Actually, yeah. That's pretty much the exact function of a properly constructed cryptographic hash function.
Re: (Score:2)
Somehow I doubt the person who implemented it knows what 'cryptographic' means.
Re: (Score:2)
This is an obvious prank, and is unlikely to cause any harm, except to embarrass those who ought to be embarrassed.
No one is cutting the hacker any slack anymore,
Prankster. White Hat, Black Hat, No one gives a damn about his motives, No one shares his sense of humor
Break into a system meant for emergency use only and the hammer will come down.
Re:find him, prosecute him (Score:5, Insightful)
Break into a system meant for emergency use only and the hammer will come down.
Fine. But it should come down equally as hard, if not more so, on those who accepted public money to build a secure system and failed to do so. Anything else is scapegoating.
Re: (Score:2)
But it should come down equally as hard, if not more so, on those who accepted public money to build a secure system
First you need to know if that is what they were paid to do or not. What was the intended level of security and did they meet that requirement? "Oh noes, a hacker broke in and made a fake announcement!" Was preventing that part of the original requirements? Easy to see in 20/20 hindsight.
And second, the people who accepted the money to build the system locally didn't design it or generate the requirements. They got money to buy something that worked with everything else being used. They could have refused
Re: (Score:2)
First you need to know if that is what they were paid to do or not. What was the intended level of security and did they meet that requirement? "Oh noes, a hacker broke in and made a fake announcement!" Was preventing that part of the original requirements?
Then the person who wrote the requirements should get hit with the hammer. An attacker compromised your system - sometime, somewhere, someone dropped the ball.
Re: (Score:2)
This is an obvious prank, and is unlikely to cause any harm, except to embarrass those who ought to be embarrassed. It would have been much more harmful to send an alert about a more believable disaster.
Such as an invasion from Mars?
Re: (Score:3)
Being a good guy white-hat doesn't get you arrested. Not realizing the difference between telling someone "Hey your door is open" from the outside of their house and saying "Hey your door is open from in someone's bedroom" is what gets you arrested. Well that and the kind of self righteous attitude that makes "white hats" believe that if a vulnerability isn't fixed within a day of them having reported it they have the right to take down the system or reveal said vulnerability to the world. In other words, t
Re: (Score:2)
cry more you bitch.. There are too many wannabe insecure tyrants like yourself in this society who are cheering on the big ones.. It was a harmless prank that deserves a slap on the wrist at best. It doesn't even sound like it was a denial of service, nor was the context of the message believable by any stretch.
Get a grip.
Re: (Score:2)
Our government must maintain their monopoly on frightening the public and driving them into a mindless panic.
Re: (Score:2)
Agreed. The zombies thing is so obvious as to be wallowing in complete and utter lameness. I recommend caning, BTW.
OTOH, if he'd come up with something a bit more original and suited to the season... say, an invasion of Frost Giants...
Re: (Score:2)
This is no different than joyriding the fire trucks. The system is there for emergencies, and crap like this devalues its emergency status.
I actually agree with you, but unfortunately my inner Responsible Adult who deplores this act for exactly the reasons you cite is having a loud argument right now with my inner child who is laughing his head off. I'm still not sure who is winning.
Re: (Score:2)
Even if it was wrong it was at least pretty obvious that it wasn't a real emergency. No need to bust people like that hard, it was highlighting a problem in the system that could have been abused in a lot worse manner.
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2, Offtopic)
Who the hell on this site supported Adam Lanza?
Or Chris Dorner for that matter? You know if I didn't know better I'd suspect that AC was trying the cheap propaganda trick of linking the names Aaron Swartz, Julian Assange and Bradley Manning, (who, whether we agree with of their actions or not, we ought to recognise as men of high ideals), with those of crazy mass murderers?! But no, my friend AC would never do that kind of thing.
Re: (Score:2)
Well, one out of three, anyway.
Lemme guess ... Bradley?
Re: (Score:2)
http://en.wikipedia.org/wiki/Assange_v_Swedish_Prosecution_Authority [wikipedia.org]
Assange fled Sweden rather than defend himself against the charges.
Re:find him, prosecute him (Score:5, Informative)
I find nothing in that citation to indicate that Assange has been charged with any offence. On the contrary and to quote directly: "Assange has not yet been formally charged with any offence."
Re:find him, prosecute him (Score:5, Informative)
http://en.wikipedia.org/wiki/Assange_v_Swedish_Prosecution_Authority [wikipedia.org]
Assange fled Sweden rather than defend himself against the charges.
Hmmm
Except that is not correct, he did not flee, he left Sweden legally. It was only after he had left Sweden that the new prosecutor issued a new arrest warrant.
Re: (Score:2)
Except that is not correct, he did not flee
Nor is he charged; Nor if he were to be charged would definitely be with 'rape' (sexual misconduct seems more likely); nor were he charged would we be entitled to presume anything other than his innocence; nor were we to examine the publicly known facts that led to the warrant being issued would I (here YMMV) be led to doubt that innocence; nor was that expose (if I have the same book in mind) written by his "best friend"; nor is the accusation that he is "motiv
Re: (Score:2)
Here it is folks, proof positive that methamphetamine is bad for you.
Re:Helena too (Score:5, Informative)
All stations share their EAS infrastructure. The largest stations get their data direct; smaller stations get it from larger ones. All stations need to have at least two different data sources set up. It is actually a reasonably well set up topology, and it is tested on a very regular basis.
The FCC also imposes strict fines on anyone who fails a test; the base fine for a violation is $8,000 and is scaled up for repeat or blatant violations.
How the FCC handles fines in this case will be interesting. The EAS system is designed for speed and reliability, not for security; there is message validation built in to prevent unintentional activation, but a correctly-formatted bogus message inserted into the system will propagate as designed.
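Added example, not part of the thread or any poster's code: a receiver-side sketch of the point made in the comment above and in the earlier SAME decoder comment. It shows the validation a decoder can do on a SAME header (two-of-three burst match and a format check, following the header layout in 47 CFR 11.31) plus a local plausibility policy, and that none of it identifies who transmitted the message. The station IDs, location code and `POLICY` values are constructed, and `policy_reasons` and `evaluate` are hypothetical names.

```python
import re
from collections import Counter

# SAME header text as laid out in 47 CFR 11.31:
#   ZCZC-ORG-EEE-PSSCCC[-PSSCCC...]+TTTT-JJJHHMM-LLLLLLLL-
HEADER_RE = re.compile(
    r"ZCZC-(?P<org>[A-Z]{3})-(?P<event>[A-Z]{3})"
    r"(?P<locs>(?:-\d{6}){1,31})\+(?P<purge>\d{4})"
    r"-(?P<issued>\d{7})-(?P<station>[^-]{8})-"
)


def vote(bursts):
    """The header is sent three times; accept it only if two copies match exactly."""
    if not bursts:
        return None
    header, count = Counter(bursts).most_common(1)[0]
    return header if count >= 2 else None


def parse_header(text):
    """Return the header fields, or None if the text is not a well-formed header."""
    m = HEADER_RE.fullmatch(text)
    if not m:
        return None
    issued = m["issued"]
    day, hour, minute = int(issued[:3]), int(issued[3:5]), int(issued[5:])
    if not (1 <= day <= 366 and hour < 24 and minute < 60):
        return None
    return {
        "org": m["org"],
        "event": m["event"],
        "locations": m["locs"].strip("-").split("-"),
        "purge": m["purge"],
        "issued": issued,
        "station": m["station"],
    }


def policy_reasons(msg, policy):
    """Local plausibility filter (hypothetical). This is filtering, not authentication."""
    reasons = []
    if msg["station"] not in policy["stations"]:
        reasons.append(f"station {msg['station']!r} is not a monitored source")
    if not set(msg["locations"]) & policy["locations"]:
        reasons.append("no location code in our service area")
    if msg["event"] in policy["hold_events"]:
        reasons.append(f"event {msg['event']} needs operator confirmation")
    return reasons


def evaluate(bursts, policy):
    """Decide what to do with three received header bursts."""
    header = vote(bursts)
    if header is None:
        return "rejected", ["no two bursts match"]
    msg = parse_header(header)
    if msg is None:
        return "rejected", ["malformed header"]
    reasons = policy_reasons(msg, policy)
    return ("held", reasons) if reasons else ("relay", [])


# Constructed sample data, not taken from any real alert or station plan.
POLICY = {
    "stations": {"KXXX/NWS"},   # sources this receiver is assigned to monitor
    "locations": {"030013"},    # location codes in its service area
    "hold_events": {"CEM"},     # event codes an operator must confirm first
}
NWS_TOR = "ZCZC-WXR-TOR-030013+0030-0421830-KXXX/NWS-"
CIV_CEM = "ZCZC-CIV-CEM-030013+0100-0422230-KXXX/NWS-"
UNKNOWN = "ZCZC-WXR-TOR-030013+0030-0421830-KQQQ/NWS-"

if __name__ == "__main__":
    # One damaged burst is outvoted, so the message is still accepted.
    print(evaluate([NWS_TOR, NWS_TOR.replace("TOR", "T?R"), NWS_TOR], POLICY))
    print(evaluate([NWS_TOR, "ZCZC-garbled", "noise"], POLICY))
    print(evaluate([UNKNOWN] * 3, POLICY))
    print(evaluate([CIV_CEM] * 3, POLICY))
```

Every field the checks look at travels in the clear inside the message, so a header carrying the same text as a monitored source's would get the same "relay" result; the policy only narrows what is accepted automatically.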
Re: (Score:2)
"Mine is the last voice you will ever hear. Don't be alarmed."