The BBC reports that several Target stores in the US have had their public address systems hacked, resulting in explicit pornographic audio being broadcast across the stores, in some cases for more than 15 minutes at a time.
An email obtained by the BBC, sent by company bosses to Target store managers across the US on Friday afternoon, outlines a weakness in the store's PA system being used to carry out the prank. I've removed a key detail for obvious reasons.
"Non-Target team members are attempting to access the intercom system by calling stores and requesting to be connected to line [xxxx]," it reads. "If connected, callers have control of the intercom until they hang up. We are actively working to limit intercom access to the Guest Services phone only. In the meantime, inform all operators to not connect any calls to line [xxxx]."
So in other words, if you ring up Target and ask to be put through to a certain extension, you're suddenly live on the PA system for as long as you like. Hardly the hack of the century, granted, but a reminder that there are people out there who will find even the most obscure vulnerabilities and exploit them.
I don't condone breaching computer systems but I guess that's one way to draw attention to vulnerabilities. Too bad they didn't pick something more kid-friendly. Like broadcasting that for the next 60 minutes there would be an 80% discount on everything in the store.
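The email's fix ("limit intercom access to the Guest Services phone only") comes down to call routing: the paging extension must not be reachable by an outside caller who has been transferred. The Asterisk dialplan below is an added illustration, not Target's configuration or anything from the BBC report; the extension number 7777, the context names, and the SIP peer names (pa-amp, guest-services, trunk) are all assumptions.

```ini
; Weak: the page extension lives in the same context every staff phone uses,
; so an operator transferring an outside caller to 7777 puts that caller on the PA.
[internal]
exten => 7777,1,Page(SIP/pa-amp)          ; one-way page to the overhead amplifier

[from-trunk]
exten => _X.,1,Dial(SIP/guest-services)   ; outside calls ring Guest Services

; Hardened: 7777 only answers when the channel that dialled it IS the Guest Services
; set (hypothetical peer name), and transferred trunk calls are steered into a context
; that does not contain the extension at all.
[paging]
exten => 7777,1,GotoIf($["${CHANNEL(peername)}" = "guest-services"]?page:deny)
 same => n(page),Page(SIP/pa-amp)
 same => n,Hangup()
 same => n(deny),NoOp(PA access refused: peer ${CHANNEL(peername)} caller ${CALLERID(num)})
 same => n,Playtones(congestion)          ; refused attempts show up in the full log
 same => n,Hangup()

[no-paging]
include => internal                       ; staff extensions only; 7777 is not here

[from-trunk]
exten => _X.,1,Set(TRANSFER_CONTEXT=no-paging)  ; any transfer of this call stays out of [paging]
 same => n,Dial(SIP/guest-services)
```

The Guest Services set's own context includes [paging]; ordinary staff phones include only [internal], which no longer carries 7777, so the "don't connect calls to that line" instruction in the email becomes enforced rather than advisory.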
(Score: 2) by ledow on Monday October 19 2015, @01:33PM
That's not a hack.
That's just social engineering. Without the co-operation of the guy on the phone with a (should be) suspicious action, nothing can happen.
That said, it's stupid, and why their phones aren't already in this mode I can't fathom. When would you EVER need to dial into a store and talk directly to the public address? It seems that this should have been limited to internal calls only from the start. And even then, do they have a staff phone visible anywhere in the store where kids could pick it up and dial this extension? Same problem.
What's worse is that this is an indication that NOBODY has thought of this kind of thing. Likely their voicemail PINs are all the same, etc. too and that's more dangerous.
(Score: 2) by dyingtolive on Monday October 19 2015, @03:10PM
I recall social engineering counting when Mitnick did it.
Don't blame me, I voted for moose wang!
(Score: 2, Interesting) by Ethanol-fueled on Monday October 19 2015, @07:24PM
People still get away with it.
Suppose you want to pen-test your theme park or whatever. Have the pen-tester show up with a spouse and kids and, whoops, he forgot to print his tickets but he has them stored on a thumb-drive. One of the staff sticks the thumb drive into their terminal, opens a compromised pdf or whatever, and they're owned.
Because somebody going to a theme park with a spouse and kids couldn't possibly be a crook, right?
They'd be more likely than you to fall for something like that, because they're not very I.T. savvy and probably just trying to move customers so they can sneak off to give the guy in the Goofy suit a handjob behind the enchanted castle during their next lunch break.
(Score: 0) by Anonymous Coward on Tuesday October 20 2015, @03:35AM
And what's the impact of most of these hacks really? Who cares if you pwn a theme park anyway? They get embarrassed but months or even weeks later hardly anyone cares or remembers.
You regularly see reports that millions of credit card numbers get stolen. The card holders get their cards cancelled, life goes on. How many USD millions of costs are passed to the consumers? Insignificant compared to how much the Investment Bankers have cost us.
Thus if you talk about social engineering hacks most of these wannabe hackers are amateurs compared to the bankers who have really exploited our systems in genuinely harmful and significant ways.
(Score: 2) by Hyperturtle on Monday October 19 2015, @04:41PM
I agree with you, it's not a computer security hack, but I disagree in that I still think social engineering is a hack. Convincing someone to do something can be a lot harder than running a script... but then again, I hear that some people can be replaced by scripts, so it's a wash.
You bring up an excellent point of the poor security, though, and these have been issues for years and really have become worse. The people in charge of those systems are not looking at it from a security perspective and only vaguely have, if only to prevent pranks like this...
I think they should have played old "blue-light special in aisle 20" sorts of announcements, but I think everyone recognizes porn as a sort of universal cultural disruptive technology.
(Score: 0) by Anonymous Coward on Monday October 19 2015, @05:11PM
These are not the droids you're looking for.
(Score: 2) by Hyperturtle on Monday October 19 2015, @07:53PM
I have to wonder when all of those laid off IT people start running NMAP.