Australian Police Database Lacked Root Password
Concerned Citizen writes "The Australian Federal Police database has been hacked, although 'hacked' might be too strong a word for what happens when someone gains access to a MySQL database with no root password. Can you be charged with breaking and entering a house that has the door left wide open? Maybe digital trespassing is a better term for this situation. 'These dipshits are using an automatic digital forensics and incident response tool,' the hacker wrote. 'All of this [hacking] had been done within 30-40 minutes. Could of [sic] been faster if I didn't stop to laugh so much.'"
That's the smell of someone being fired.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
They broke out of a honeypot, discovered the available services on a private network, then found and exploited a service that was misconfigured.
Believe it or not, most hacks don't involve writing custom exploit code. They just require some work and the sense to know what you're looking for.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Most jurisdictions that formally define "breaking and entering" make it synonymous with burglary (which may itself be broken down in various ways). Generally, it doesn't matter how easy access was or whether a door was unlocked. However, many jurisdictions don't count something as burglary unless one entered with the intention of committing a crime.
"Can you be charged with breaking and entering a house that has the door left wide open?"
Nothing has to be "broken" during a breaking and entering. Not everything is so literal. As long as the person maliciously entered the system with the knowledge he didn't belong in there, it would be a virtual breaking and entering.
It was not the main database which was broken into, but rather just a node which had some of the information from the database stored on it.
TFS is very poorly written... it is not worthy of being a "Summary".
...nothing a few more laws won't fix.
THL phish sticks
could have
The way they were talking on the TV show you're led to believe they worked hard and displayed decent technical knowledge and skills. Nice to know my tax dollars pay for a department that doesn't even have a secure server. However, according to the article the police stated that it was a separate network with no actual worthwhile data or connection to the real network.
could HAVE
One thing missing here (and indeed in some statutes) is the concept of "mens rea", the guilty intent. Yes, this could be trespassing or it could be theft. The prosecutors (Crown) have to establish intent in the break-in.
Breaking & entering or burglary does not require any sort of strong measures be overcome -- just walking through a totally unlocked screen door qualifies. But if you aren't taking anything or doing anything else wrong, then it is trespassing.
The problem with some statutes is that they attempt to be self-proving -- i.e., the act establishes intent. For it to reasonably do so, there must be no possible innocent explanation. Anyone could formulate a query to a webserver. If it honors the query, how is that "unauthorized access"? However, someone might argue if it is not in a clickable URL, then the access is not authorized. I would disagree and state that clickable URLs are "encouragement" or ease of use. Exposing a query language is authorization for its use. After all, it could easily have been hidden.
The OP is asking about being charged with anything just because the "door" wasn't on the "house" to keep them out...
That's a little like saying "Can someone be charged with stealing a bike if it was just sitting up against the front of the store while the owner was inside the store.."
Just because there wasn't a safeguard in place (supreme dumbasses? Why yes!) it isn't a valid legal argument (at least in the states) to plead ignorance to the effect that you still stole the bike, even if there was no lock securing it.
It might be an interesting place to live if everything could be played with/used/stolen as long as it wasn't secured.
As always, I may know nothing about anything, ever - and don't smoke crack.
"It could of [course have] been faster if I hadn't stopped to laugh so much."
How did they possibly have this major system running without even the most basic security protocols? This really makes you wonder where your tax dollars are going...
We don't need to secure anything...we've got a...
(Tympanic BOOM-BOOM-BOOM)
A FIREWALL!
I hope the crackers were polite enough to give it one....
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Bragging about hacking into a database that is not password protected is only something an impotent prick would do.
I could rob any of my neighbors easily, it doesn't mean I should or will.
Let's get a better analogy:
"If you broke a window (pun intended), entered the house, saw safe on the floor, turned the handle and it was unlocked, would you be breaking and entering?"
Oh, did they leave it open not to be blamed to intrude because it was already wide open, but it was them who left it open in anticipation of the crime, but it is somebody else's fault? There's an ulterior motive to make the analogy with an open house because a password is not the same as a key. If the owner of the root password goes missing nobody else can ever take admin rights, right? So it is like giving ownership to a possibly missing gov employee, or the equivalent of a small dictatorship... (cat got your tongue, does it mean a cat-looking guy is cutting tongues?)
I'd just like to point out that on Monday night EST, Four Corners, one of only a small handful of highly respected journalism shows in Australia, ran a piece on "Hackers" and "cyber-crime". I use inverted commas because, although this show is highly respected, it "dumbed" down all the interviewees.
1. Essentially it was about hackers who DDOS'd multi-bet and destroyed the company.
2. Essentially it was about a dumb old guy who was a victim of a simple phishing scam.
3. Essentially it was about Australian Federal Police (AFP) who were on the TV show, quite literally laughing at the hackers.
Now, I agree with the first point. I do not have time or appreciation for hackers blackmailing then botnetting a company to bankruptcy.
But I do want to make the point: dumb people get what they deserve (point 2), and dumb organizations who instigate other organizations that are much smarter than themselves also get what they deserve. I think "pie in the face" is an understatement in this instance.
I think the only good news in this Article was that the database didn't contain the Tax numbers or Criminal Records of every Australian. I have the highest respect for AFP and the Australia Police Service.
Where the majority of the "Dancing with the Stars," generation are concerned these days, that's about the level of competence that the police need to get the job done. People who know how to access MySQL databases at all probably aren't a large group, relative to the general population.
none of the people on the forums communicated via other methods? That the word wouldn't get out, and that the members/mods/admins didn't notice a change in IP addresses on the account the police assumed? Between this and using an unsecured MySQL db on a windoze box, the cops sound like the noobs here.
I think I need a timpani recording on my phone, to play on demand.
Does the idea of a recursive honeypot sound entirely ridiculous?
It was not a honeypot, it was not even an AFP machine. Read down the discussion in TFA. Shaon Diwakar, the security expert quoted in the article, responding to another poster explains that he was misquoted by the journalist (re. SQL injection), and explains the status of the machine under question.
[my emphasis]
Which sounds like the AFP took over a machine belonging to someone who also forgot to set their mysql password. If I'm reading that correctly, and they broke into a machine with poor security, it's probably not in their job description to fix up the victim's mysql password. So no, I doubt if anyone (in the AFP) will be sacked here.
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
The article states they just used SQL injection
The article is wrong. Quoting (again!) from the message left in the discussion by the quoted security dude in response to someone questioning whether this really was SQL injection:
The journalist (Asher Moses) simply got it wrong. It happens.
One of the things which I've always wondered is how hackers know they've broken into the real-deal versus a honeypot.
I wonder if it even occurs to most hacker/cracker types that the logon banner and machine name are completely arbitrary. I recently set up servers on a private section of the network with a banner which states, "You are not authorized to access this server; this incident will be reported..." (Now, granted, there's nothing of great importance on that particular machine, and it has not been "properly" secured.) But I could just as easily have used, "Bank of America Federal Clearing House". Had I done so (and if this machine was internet-accessible), I would not at all be surprised to hear of a hacker group claiming to have compromised Bank of America.
How does a hacker know the machine to which he's gained access is doing anything more than merely logging his actions? How does he know if the data he's got is any good?
The society for a thought-free internet welcomes you.
I had the po' try to charge me like 15 years ago (I was a minor then). I pointed out the phone # I dialed, the system did not identify itself and it did not ask for a username or password. I asked what law I was being charged under, the Computer Crime Act of 1986 required $1000 minimum damages which seemed very dubious. They tried to have me sign away my Miranda rights too, which I refused to do, although I spoke frankly with them. They blustered about $1000s in fines and ended up finding some excuse to fine $50, which was basically not worth contesting.
I'm sure Australian law is different, but indeed, if there's no password it seems unlikely a crime was committed. This won't stop them from trying to find one anyway.
According to the article they also used "SQL injection" except they described it wrong.
The person made a .php file through MySQL calls, but they referred to that as SQL injection.
Pancakes. Oh I blew it.
I've got a few of systems like that on my networks, except I call them honeypots.
POKE 36879,8
...but this reminds me of this, in a way.
http://bash.org/?117002 [bash.org]
The judges in AU are on a network that does not have a requirement that all users have passwords. Thus, many judges don't even password protect their PCs that are net-connected. It is no surprise that their db got hacked with the abysmal lack of security on the judicial network.
In general, I'm certainly of the opinion that Americans (being one myself) are a rather pompous lot of ignoramuses ... but, when it comes to security, I think we're ahead of most of the world.
I worked for multiple years on an IT project for a branch of the Australian military (in the US and Oz), and I have to say that their idea of security is a total joke. Sorry, Aussies. You guys rock in almost every other area, but security (especially computing) is just not taken seriously.
So, this really doesn't come as much of a surprise to me.
Dear Neo, I am amazed over the fact that it took you only 40 minutes to figure out an empty password. Now, can you please give me the password to the Matrix while you're at it? Been looking for it for a while but haven't tried logging in using an empty password yet.
NEIL GAUGHAN (national manager hi-tech operations for AFP): G'day gents how we going?
AFP OFFICER: Morning Sir, how you going.
NEIL GAUGHAN: Good thanks.
AFP OFFICER: What we're gonna do is we're just gonna make a telephone call and we're going to post a message on this forum just letting these people know who are partaking that law enforcement has been watching them and that action will be taken.
NEIL GAUGHAN: Excellent, great let's go.
ANDREW FOWLER (ABC reporter): In the case of root-you.org, the Federal Police decided the best result was to effectively blow up the site by posting a notice that it was under law enforcement control.
TIM DAVIS, FEDERAL AGENT: Mate are you right to post that message on the forum.
MAN (on phone): Yep.
TIM DAVIS, FEDERAL AGENT: Well if you can do that now that'd be great.
In theory, there's no difference between theory and practice; in practice there is.
OK Slashdot, calm down...
I've run databases with no root password as well. It's not as insecure as people are laughing about, and the security problems here stem from sources other than the database. By default, MySQL only allows root access from the local ip of the box. The issue here is that the local security was compromised, hence that protection failed.
So what if they had set the root password for MySQL? Pointless - with local security destroyed it's a trivial operation to reset the password, and it's described directly on the MySQL site here.
The article doesn't state they used a root db password either, it shows an SQL injection exploit using the "password for its database application". Doesn't mention that the db password was the root db password.
It's still a bad breach obviously, but the nature of the breach is not as the summary describes it.
Cheers,
Ian
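One way a defender can audit for the misconfiguration this thread is about (an account with an empty password, or a superuser account reachable from any host) and then fix it. This is an added example, not code from the article or from anyone in the thread; it assumes MySQL 5.7 or later, where the credential column is `mysql.user.authentication_string`, and the passphrase shown is a placeholder.

```sql
-- Added example (not from the article): audit and remediate MySQL accounts
-- that have no password, or that hold SUPER but are not restricted to the
-- local host. Assumes MySQL 5.7+/8.0 column names in mysql.user.

-- 1. Find accounts with an empty credential (the "no root password" case)
--    and any superuser account that is reachable from a non-local host.
--    Rows whose plugin is auth_socket / unix_socket authenticate via the OS
--    user and legitimately have an empty authentication_string.
SELECT User,
       Host,
       plugin,
       (authentication_string = '') AS empty_password,
       Super_priv
FROM   mysql.user
WHERE  (authentication_string = '' AND plugin NOT IN ('auth_socket', 'unix_socket'))
   OR  (Super_priv = 'Y' AND Host NOT IN ('localhost', '127.0.0.1', '::1'));

-- 2. Show what a flagged account can actually do. FILE is the privilege that
--    lets a client write files on the server, which is the route the thread
--    describes for creating a .php file through MySQL calls.
SHOW GRANTS FOR 'root'@'localhost';

-- 3. Remediate: give root a real password and drop any root account that
--    accepts connections from arbitrary hosts. (Also keep bind-address in
--    my.cnf pointed at 127.0.0.1 so the listener is local-only, as the
--    comment above notes is the default.)
ALTER USER 'root'@'localhost' IDENTIFIED BY 'CHANGE-ME-placeholder-passphrase';
DROP USER IF EXISTS 'root'@'%';
FLUSH PRIVILEGES;

-- 4. Re-run the audit; after remediation this should return no rows.
SELECT User, Host
FROM   mysql.user
WHERE  (authentication_string = '' AND plugin NOT IN ('auth_socket', 'unix_socket'))
   OR  (Super_priv = 'Y' AND Host NOT IN ('localhost', '127.0.0.1', '::1'));
```

On a fresh install the same outcome is reached interactively with `mysql_secure_installation`, which sets the root password and removes the anonymous and remote-root accounts.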
Thus, many judges don't even password protect their PCs
I think you may be mis-using the word "judges". Australian judges wear horse-hair wigs and wouldn't know a PC if they tripped over it. They have typists and stenographers to do that newfangled stuff.
My experience from working in Police IT in a Police Force in Australia revealed... interesting practices. (I won't relate the story of one squad having a roof BBQ in front of mWave antennas.)
The various departments in the Crime dept. maintained their own databases of varying kinds, mostly Access and Excel. Members tended to do two things: dump stuff for analysis and manipulation, or keep personal/CI/close-hold or squad-specific data and share it with other squad members. I'm sure some bright spark has installed MySQL to do precisely this; squads and members guard their own data jealously and regard it as assets and leverage it accordingly.
Mainframe DBs (DB2/CICS/IMS) had assigned DBAs, access to this data was audited, and access to PI on the mainframe systems (and connections to RTA/power and gas utility DBs police used to cross-check addresses) was beginning to be policed and improper access sanctioned. I know that a seven-year audit trail of access to one mainframe DB was kept, and that traffic analysis on access patterns/logins would likely have been an obvious tool in tracing leaks.
As there have been recent convictions for access to mainframe-hosted PI by police members/civilian staff and also by Federal public servants in tax and social services, this probably accelerated the drawing in and establishment of myriad data islands in an unmanaged or oversighted environment.
Facebook is a woodpecker tapping on the skull of Humanity, Forever.
There is now a severe legal cloud hanging over whatever they purported to collect.
The spokeswoman is an idiot - standalone systems, especially honeypots, are isolated with an airgap and designed to be accessed. A more correct comment would be "We are cross that evidential logs have been compromised".
"The AFP has identified a person whom [sic] has attempted to access the stand-alone computer system and we are currently working with our law enforcement partners regarding this matter," the spokeswoman said.
Any rational juror should question that oxymoron. Good luck proving the chain of evidence, after competency and professionalism is all in tatters.
Can you be charged with breaking and entering a house that has the door left wide open?
Who cares? That has about as much to do with this story as theft does with copyright violations.
No, they set up and "provided a service" for anyone.
If "reasonable" effort hasn't been taken to secure the service, then how can that be illegal access? Someone else compared this to walking into an open door of a home. That's incorrect. It is more like walking inside a shopping mall and walking into an open store - aren't police buildings public?
I have to wonder just how clever these small-time fraudsters and crooks actually are.
Most of them are young men with little life experience, big egos and something to prove. Thus the puerile bragging and bravado coming out of the little scumbags in the media. If they're not script kiddies, they're not that much better; they're just greedy, arrogant, loud-mouthed little thieves, and the police will nail them as low-hanging fruit.
The Feds on the other hand, are people you DON'T want to needlessly antagonise. It'll be interesting to see if our little piece-of-shit fraudster friends are actually as smart as they think they are.
No. You should hire a timpanist to follow you around and play when you want the sound. Don't be using technology to put a starving musician out of work :-)
Your "fair share" is NOT in my wallet.
it is no walls, roof or indication that this is actually a private property.
Your house, even with no doors is still your private area.
That patch of land over there may be common land, public owned or private land.
If it is private land it must have fencing or some form of solid demarcation, and to make it stick, a "No trespassing" sign.
This is like there is no fence, no demarcation and no "no trespassing" sign. Would playing football with your friends (something you do on grass) on that bit of private land, with no indication you shouldn't be playing footie there, be considered breaking and entering?
If a door to a house is left wide open, it is not an invitation. You can be charged with criminal trespass for entering the house - no "breaking and entering" (you watch too much TV, really) required.
If you enter that house with the intent to commit a crime, then you've escalated to Burglary, which in my particular state is a first degree felony carrying a 20 year maximum sentence. It does not matter if you were successful in committing your crime. Simply entering the property with the intent to commit a crime (any crime) is burglary.
If you enter that property with the intent to commit a crime, say, theft, and you succeed, you have not only committed the felony of burglary, but you have also committed theft by taking and possession of stolen property, which are completely independent charges, carrying their own sentences.
How these are analogues to the computer world, well, I don't know. I am sure it depends on the jurisdiction. There are laws on the books in some places regarding unauthorized access, regardless of intent.
Bottom line is, kids, you cannot assume a lack of security equals an invitation to snoop around.
Yeah, but then you'd have a percussionist following you around. And percussionists are practically drummers.
Well there ya go, put people in charge that have no backgrounds in IT and let them call the shots, because they NEED to tell people what to do; we call this micromanaging. Just because it is easier to remember your dog's name, or to leave a password blank, does not mean you get to tell the network admin to make it so. His job is to enforce security; if you put blinders on him or limit his power by overruling him, then don't expect anything to be secure!!!
In most jurisdictions that formally define "breaking and entering" make it synonymous with burglary
Breaking is the act of forcing open a way onto secured property, and entering is the act of actually going onto it / inside.
Apology accepted, Captain....
Information wants to be beer.
'No root password' actually sounds like a good thing. In a default Ubuntu installation, there is no root password. You have to login to a normal a/c, and then use sudo for administrative tasks. SSH is usually configured not to allow direct root logins; you have to login as a normal user, and then su into root.
What the OP probably meant was that the root a/c had password-less login enabled, which of course is an unthinkable configuration for an important server connected to the internet.
First they ignore you. Then they laugh at you. Then they fight you. Then you win. -Gandhi
As a polite person I initially edited the /etc/motd file on one of my early servers to say, "Welcome to blah blah blah..." A friend pointed out that if you wish to protect a system, it is best to have the motd say, "For authorized use only...go away" so that if someone gains access, they have been informed they are not welcome. Now in this case, they just weren't paying attention. I have read a number of books about mysql, all of which tell you IN UPPER CASE to set the root password on mysql right away after installation. The developer who put that system together must have been pretty new to mysql. The hackers show no mercy.
Lovely speech, hereby resumed for the sake of any incautious reader: impossible to reason with you unless there's a gun on your head (and even that is not guaranteed).
Since I don't have any intention of doing that to anyone, go skin another cat in peace. With some luck you'll get to your senses before being arrested.
Now back to the topic: the technician who installed a database for police records and did not set something as basic as a root password may have to accept his destiny as a fair stock clerk, or he could provide itinerant speeches on how important it is to be more careful.
The person responsible for choosing that technician should at least lose his bonus.
Not punishing such lack of responsibility only favors more sloppiness.
Michael Vick paid for his crime and is about to get back to his life. I hope he learned the lesson and I wish him welcome back in that case. I'd love to see him advocating against cruelty to animals.
http://dilbert.com/2010-12-13