Slashdot Mirror

← Back to Stories (view on slashdot.org)

Australian Police Database Lacked Root Password

Posted by kdawson on from the kick-me dept.

Concerned Citizen writes "The Australian Federal Police database has been hacked, although 'hacked' might be too strong a word for what happens when someone gains access to a MySQL database with no root password. Can you be charged with breaking and entering a house that has the door left wide open? Maybe digital trespassing is a better term for this situation. 'These dipshits are using an automatic digital forensics and incident response tool,' the hacker wrote. 'All of this [hacking] had been done within 30-40 minutes. Could of [sic] been faster if I didn't stop to laugh so much.'"

28 of 214 comments (clear)

  1. Even if unlocked still breaking and entering by JoshuaZ · · Score: 4, Informative

    In most jurisdictions that formally define "breaking and entering" make it synonymous with burglary(which may itself be broken down in various ways). Generally, it doesn't matter how easy access was or whether a door was unlocked. However, many jurisdictions don't count something as burglary unless one entered with the intention of committing a crime.

    1. Re:Even if unlocked still breaking and entering by conufsed · · Score: 5, Informative

      Australian law has a separate charge for unauthorised access to a computer system under the computer crimes act

    2. Re:Even if unlocked still breaking and entering by jasonwc · · Score: 4, Informative

      To elaborate on the parent post, "breaking and entering" is often referred to as a synonym for burglary, whereas it is in fact merely two of the elements to establish burglary. Under the common law, the following elements must be met to establish burglary:

      1) Breaking (The use of force, however slight, to facilitate entry - may include pushing open a door, opening a window etc.)

      2) Entering (Literally entering the physical structure)

      3) The home of another (Note that breaking into a commercial building would not constitute burglary. The property must have the primary use as a residence.)

      4) At Night (Variously defined - usually from sunset to sunrise, but could be what a "reasonable" person would believe to be night)

      5) With the Intent to Commit a Felony (Usually larceny, but can be any felony including violent crimes)

      Note that I have quoted the common law elements of burglary. Many state statutes have altered the elements to, for example, remove the requirement that the break-in occur at night.

      Jason
      Yale Law School, Class of 2010

    3. Re:Even if unlocked still breaking and entering by Shakrai · · Score: 5, Informative

      Speaking from the experience of being charged with them, New York State also has a few different computer crime laws. The simplest one is a misdemeanor, "Unauthorized use of a computer". All that's required to commit this crime is to bypass a security system (wi-fi encryption, username/password prompt, etc.) without authorization to do so from the owner of said system. Then there's "computer trespass", a felony. The only difference between the two? Unauthorized use of a computer merely requires that you gain access to the system. Computer trespass requires that you use that access to access "computer material" (i.e: data).

      So, breaking your neighbors WEP encryption and logging onto his network is a misdemeanor. Using this access to browse onto his c$ share and download his secret porn stash bumps it up to a felony.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    4. Re:Even if unlocked still breaking and entering by jasonwc · · Score: 3, Informative

      Both the common law of the United States and that of Australia are derived from English common law. In fact, when the United States became an independent nation, we incorporated all of the common law of England up to that point. As burglary is a very old offense, which can be traced back hundreds of years if not more, there is likely to be a great deal of similarity between the common law of Australia, the United States, and the United Kingdom with regard to the definition of burglary.

      However, I still don't see the point of these pedantic comments. I thought it was obvious from my post that I was referring to the common-law definition of burglary in the United States. If I was at all unclear, my later post should have removed all doubt as I stated explicitly that the post referred to the law of the United States, not Australia.

  2. According to TFA by thatkid_2002 · · Score: 3, Informative
    TFA says that the computer was being used as a part of a (somewhat poorly executed) Sting.

    It was not the main database which was broken into, but rather just a node which had some of the information from the database stored on it.

    TFS is very poorly written... it is not worthy of being a "Summary".

  3. Re:It's still breaking and entering by gandhi_2 · · Score: 2, Informative

    IIRC, breaking means breaking the plane of entry. Not physically damaging anything.

    --
    THL phish sticks
  4. Brag about it and get snapped! by Slotty · · Score: 5, Informative
    They had an entire episode on one of the current affairs TV shows here in Australia dedicated to cyber crime. The very next day this article came out.

    The way they were talking on the TV show you're lead to believe they worked hard and displayed decent technical knowledge and skills. Nice to know my tax dollars pay for a department that doesn't even have a secure server. However according to the article the police stated that it was a seperate network with no actual worthwhile data or connection to the real network

    1. Re:Brag about it and get snapped! by Anonymous Coward · · Score: 1, Informative

      From the local news, it reads as if the crack was in response to the police boasting that they had the crackers under control.

  5. Criminal Intent ! by redelm · · Score: 4, Informative

    One thing missing here (and indeed in some statutes) is the concept of "mens rea", the guilty intent. Yes, this could be trespassing or it could be theft. The prosecutors (Crown) has to establish intent in the break-in.

    Breaking & entering or burlary does not require any sort of strong measures be overcome -- just walking through a totally unlocked screen door qualifies. But if you aren't taking anything or doing anything else wrong, then it is trespassing.

    The problem with some statute is it attempts to be self-proving -- ie, the act establishes intent. For it to reasonably do so, there must be no possible innocent explanation. Anyone could formulate a query to a webserver. If it honors the query, how is that "unauthorized access"? However, someone might argue if it is not in a clickable URL, then the access is not authorized. I would disagree and state that clickable URLs are "encouragement" or ease of use. Exposing a query language is authorization for its' use. After all, it could easily have been hidden.

    1. Re:Criminal Intent ! by Caity · · Score: 2, Informative

      Since this all happened in Victoria, the relevant offence is Unauthorised access, modification or impairment with intent to commit serious offence
      and/or Unauthorised modification of data to cause impairment

      According to that, the state of being "unauthorised" refers to entitlement, ie legal entitlement, rather than any sense of software authorisation (which a few people have rather misguidedly suggested is a valid interpretation).

  6. Re:It's still breaking and entering by rm999 · · Score: 2, Informative

    I think the difference is obvious. Would you "break" into someone's house and try to convince the judge you didn't literally break anything when you are being charged with breaking and entering? I hope not.

    I meant the name should not be taken literally, but obviously the law itself should.

  7. Re:It's still breaking and entering by rm999 · · Score: 5, Informative

    Actually, that's the entering. Breaking is the act before entering. That's why it's called "breaking and entering". See http://legal-dictionary.thefreedictionary.com/burglary

    "At common law, entering through a preexisting opening did not constitute breaking. If one gained access through an open door or window, burglary was not committed. The same rule applied when a door or window was partially open even though it was necessary to open it further in order to enter. The rationale under-lying this rule was that one who failed to secure his or her dwelling was not entitled to the protection of the law. A majority of states no longer follow this rule and consider breaking to be the slightest application of force to gain entry through a partially accessible opening."

    So, my original point was that in modern US law, you don't have to do much "breaking" to commit a break and enter.

  8. Re:a legit hack by rivetgeek · · Score: 4, Informative

    Uh...no. The article states they just used SQL injection to insert an include to a remote php file (the idiots apparently hadnt disabled remote file includes). The included file was basically a dashboard that did directory listings and file transfers. I did a contract cleaning up a similar mess (URL-RFI Injection). The hardest part about the entire hack was probably finding the SQL injection point.

  9. Re:Grammar nazi alert by Anonymous Coward · · Score: 0, Informative

    There's also a contraction for "have" that the writer could've used.

  10. Re:It's still breaking and entering by Anonymous Coward · · Score: 1, Informative

    Security guard here. At least in Canada, it's breaking and entering if you trespass with intent to commit a crime or commit a crime in the process of entering. Smash a window to get in? B+E. Walk in the unlocked door to steal something? B+E. Walk in to stand around for a while and leave? Trespassing. Not sure how that relates to computer-related legalities, but there you go.

  11. Re:It's still breaking and entering by gandhi_2 · · Score: 2, Informative
    This, I'm sure depends on what jurisdiction you are in. But...I guess we can all quote websites, right?
    From lawguru.com

    Forcible entry is distinguishable from the broader crime of "breaking and entering" which might not include any actual damage from the force used to "break" a way in, such as when one opens an unlocked door to private premises without license to do so, or tampers with a locking mechanism and later takes advantage of the defect. As such, one can assume that the "breaking" refers to breaking the plane of entry; that is, crossing the threshold of a door, window or other entryway into a building.

    --
    THL phish sticks
  12. Four Corners by Mr_Plattz · · Score: 2, Informative

    I'd just like to point out that on Monday night EST, Four Corners one of only a small handful of highly respected journalism shows in Australia, ran a piece on "Hackers" and "cyber-crime". I use inverted commas, because although this show is highly respected it "dumbed" down all the interviewees.

    1. Essentially it was about hackers who DDOS'd multi-bet and destroyed the company.
    2. Essentially it was about a dumb old guy who was a victim of a simple phishing scam.
    3. Essentially it was about Australian Federal Police (AFP) who were on the TV show, quite literally laughing at the hackers.

    Now, I agree with the first point. I do not have time or appreciation for hackers black mailing then botnet'ting a company to Bankruptcy.

    But I do want to make the point: Dumb people get what they deserve (point 2), and dumb organizations who instigate other organization that are much smarter than themselves also get what they deserve. I think "pie in the face" in an understatement in this instance.

    I think the only good news in this Article was that the database didn't contain the Tax numbers or Criminal Records of every Australian. I have the highest respect for AFP and the Australia Police Service.

  13. Journalistic Beat-Up? by Capsaicin · · Score: 2, Informative

    Does the idea of a recursive honeypot sound entirely ridiculous?

    It was not a honeypot, it was not even an AFP machine. Read down the discussion in TFA. Shaon Diwakar, the security expert quoted in the article, responding to another poster explains that he was misquoted by the journalist (re. SQL injection), and explains the status of the machine under question.

    ... according to what we were presented, the AFP commandeered this server as part of an investigation - so it may not necessarily have been a honeypot per se

    [my emphasis]

    Which sounds the AFP took over a machine belonging to someone who also forgot to set their mysql password. If I'm reading that correctly, and they broke into a machine with poor security, it's probably not in their job description to fix up the victim's mysql password. So no, I doubt if anyone (in the AFP) will be sacked here.

    --
    Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
  14. no injection necessary by Capsaicin · · Score: 5, Informative

    The article states they just used SQL injection

    The article is wrong. Quoting from (again!) from the message left in the discussion by the quoted security dude in response to someone questioning whether this really was SQL injection:

    ... you're absolutely correct, it would just be a matter of punching in SQL statements once you've managed to connect to MySQL. This wouldn't be SQL injection, but rather just plain SQL query execution. I guess in explaining that to Asher the definition got skewed.

    The journalist (Asher Moses) simply got it wrong. It happens.

    --
    Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    1. Re:no injection necessary by Capsaicin · · Score: 2, Informative

      Are you (or he, i haven't read his comment) trying to say that mysql was accessible from the outside to arbitrary connections directly? I find that pretty hard to believe.

      It appears to be what he (or someone claiming to be him) is saying, or am I misreading him. For your benefit, I'll quote his comment in its entirety:

      @killjoy - you're absolutely correct, it would just be a matter of punching in SQL statements once you've managed to connect to MySQL. This wouldn't be SQL injection, but rather just plain SQL query execution. I guess in explaining that to Asher the definition got skewed. Also, according to what we were presented, the AFP commandeered this server as part of an investigation - so it may not necessarily have been a honeypot per se.
      @k@icolo - you'll be surprised, its just human nature. It could easily have happened to security folks (such as us) as well - especially if we're not vigilant.
      @Luke | Melbourne - the point of the 4corners exercise was to demonstrate what would happen in the scenario where a wireless AP was not encrypting traffic - you may be using WPA2 but a lot of people aren't, nor would they know how to enable it.
      Posted By: Shaon Diwakar | HackLabs - August 18, 2009, 10:00PM

      How do you read that?

      Note also that he indicates that this was not an AFP machine, or a machine normally administered by the AFP, but a machine "comandeered" (which on reflection probably means confiscated rather than cracked) by the AFP.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
  15. Re:a legit hack by Anonymous Coward · · Score: 1, Informative

    ...breaking into a computer through nonobvious (to the average person) means is cracking.

  16. Re:a legit hack by rivetgeek · · Score: 2, Informative

    Most coders don't sanitize code coming from a trusted source. They sanitize input from users, but something like a SQL injection is generally an effect of improper user-san anyway.

    Imagine you have a script that just includes a user's profile data (user.php) from a flat file (stupid i know but its an example), by entering in a remote file to a field, it might be sanitized, however in a sql injection you could over right "user.php" with http://www.evilsite.com/evilscript.php

    Myspace ran into this issue when they launched their mobile service. The mobile service wasn't properly stripping out javascript and the main site didn't sanitize already input data, under the assumption that sanitization had already happened. As a result, you could enter javascript into the mobile client and it would be executed on any web browser.

  17. No root password - beyond the hyerbole by mccalli · · Score: 4, Informative

    OK Slashdot, calm down...

    I've run databases with no root password as well. It's not as insecure as people are laughing about, and the security problems here stem from sources other than the database. By default, MySQL only allows root access from the local ip of the box. The issue here is that the local security was compromised, hence that protection failed.

    So what if they had have set the root password for MySQL? Pointless - with local security destroyed it's a trivial operation to reset the password, and it's described directly on the MySQL site here.

    The article doesn't state they used a root db password either, it shows an SQL injection exploit using the "password for its database application". Doesn't mention that the db password was the root db password.

    It's still a bad breach obviously, but the nature of the breach is not as the summary describes it.

    Cheers,
    Ian

    1. Re:No root password - beyond the hyerbole by Dr.Syshalt · · Score: 2, Informative

      So what if they had have set the root password for MySQL? Pointless - with local security destroyed it's a trivial operation to reset the password, and it's described directly on the MySQL site here.

      MySQL root password reset requires you to have an OS root access. With MySQL having no root password you can access the DB from any local user. There is a difference between having a, let's say, PHP shell on the server and having a root shell. Depending on OS and your skills you can escalate from wwwuser to root, but it's mostly a far from a trivial task.

  18. Re:mmmm........ by PRMan · · Score: 2, Informative

    Breaking and entering is the crime of entering a residence or other enclosed property without authorization and some element of force.

    Wrong. You must physically disable a security system. Otherwise,what is trespassing?

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
  19. Breaking and Entering? by EmagGeek · · Score: 2, Informative
    Okay, let's get something straight..

    If a door to a house is left wide open, it is not an invitation. You can be charged with criminal trespass for entering the house - no "breaking and entering" (you watch too much TV, really) required.

    If you enter that house with the intent to commit a crime, then you've escalated to Burglary, which in my particular state is a first degree felony carrying a 20 year maximum sentence. It does not matter if you were successful in committing your crime. Simply entering the property with the intent to commit a crime (any crime) is burglary.

    If you enter that property with the intent to commit a crime, say, theft, and you succeed, you have not only committed the felony of burglary, but you have also committed theft by taking and possession of stolen property, which are completely independent charges, carrying their own sentences.

    How these are analogues to the computer world, well, I don't know. I am sure it depends on the jurisdiction. There are laws on the books in some places regarding unauthorized access, regardless of intent.

    Bottom line is, kids, you cannot assume a lack of security equals an invitation to snoop around.

  20. Re:mmmm........ by quotationspage · · Score: 2, Informative

    "If you want to tell people the truth, make them laugh, otherwise they'll kill you." --Oscar Wilde

    --
    check nagaiah portfolio to buy or sell financial assets in bombay stock exchange