Slashdot Mirror

← Back to Stories (view on slashdot.org)

Australian Police Database Lacked Root Password

Posted by kdawson on from the kick-me dept.

Concerned Citizen writes "The Australian Federal Police database has been hacked, although 'hacked' might be too strong a word for what happens when someone gains access to a MySQL database with no root password. Can you be charged with breaking and entering a house that has the door left wide open? Maybe digital trespassing is a better term for this situation. 'These dipshits are using an automatic digital forensics and incident response tool,' the hacker wrote. 'All of this [hacking] had been done within 30-40 minutes. Could of [sic] been faster if I didn't stop to laugh so much.'"

12 of 214 comments (clear)

  1. Even if unlocked still breaking and entering by JoshuaZ · · Score: 4, Informative

    In most jurisdictions that formally define "breaking and entering" make it synonymous with burglary(which may itself be broken down in various ways). Generally, it doesn't matter how easy access was or whether a door was unlocked. However, many jurisdictions don't count something as burglary unless one entered with the intention of committing a crime.

    1. Re:Even if unlocked still breaking and entering by conufsed · · Score: 5, Informative

      Australian law has a separate charge for unauthorised access to a computer system under the computer crimes act

    2. Re:Even if unlocked still breaking and entering by jasonwc · · Score: 4, Informative

      To elaborate on the parent post, "breaking and entering" is often referred to as a synonym for burglary, whereas it is in fact merely two of the elements to establish burglary. Under the common law, the following elements must be met to establish burglary:

      1) Breaking (The use of force, however slight, to facilitate entry - may include pushing open a door, opening a window etc.)

      2) Entering (Literally entering the physical structure)

      3) The home of another (Note that breaking into a commercial building would not constitute burglary. The property must have the primary use as a residence.)

      4) At Night (Variously defined - usually from sunset to sunrise, but could be what a "reasonable" person would believe to be night)

      5) With the Intent to Commit a Felony (Usually larceny, but can be any felony including violent crimes)

      Note that I have quoted the common law elements of burglary. Many state statutes have altered the elements to, for example, remove the requirement that the break-in occur at night.

      Jason
      Yale Law School, Class of 2010

    3. Re:Even if unlocked still breaking and entering by Shakrai · · Score: 5, Informative

      Speaking from the experience of being charged with them, New York State also has a few different computer crime laws. The simplest one is a misdemeanor, "Unauthorized use of a computer". All that's required to commit this crime is to bypass a security system (wi-fi encryption, username/password prompt, etc.) without authorization to do so from the owner of said system. Then there's "computer trespass", a felony. The only difference between the two? Unauthorized use of a computer merely requires that you gain access to the system. Computer trespass requires that you use that access to access "computer material" (i.e: data).

      So, breaking your neighbors WEP encryption and logging onto his network is a misdemeanor. Using this access to browse onto his c$ share and download his secret porn stash bumps it up to a felony.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    4. Re:Even if unlocked still breaking and entering by jasonwc · · Score: 3, Informative

      Both the common law of the United States and that of Australia are derived from English common law. In fact, when the United States became an independent nation, we incorporated all of the common law of England up to that point. As burglary is a very old offense, which can be traced back hundreds of years if not more, there is likely to be a great deal of similarity between the common law of Australia, the United States, and the United Kingdom with regard to the definition of burglary.

      However, I still don't see the point of these pedantic comments. I thought it was obvious from my post that I was referring to the common-law definition of burglary in the United States. If I was at all unclear, my later post should have removed all doubt as I stated explicitly that the post referred to the law of the United States, not Australia.

  2. According to TFA by thatkid_2002 · · Score: 3, Informative
    TFA says that the computer was being used as a part of a (somewhat poorly executed) Sting.

    It was not the main database which was broken into, but rather just a node which had some of the information from the database stored on it.

    TFS is very poorly written... it is not worthy of being a "Summary".

  3. Brag about it and get snapped! by Slotty · · Score: 5, Informative
    They had an entire episode on one of the current affairs TV shows here in Australia dedicated to cyber crime. The very next day this article came out.

    The way they were talking on the TV show you're lead to believe they worked hard and displayed decent technical knowledge and skills. Nice to know my tax dollars pay for a department that doesn't even have a secure server. However according to the article the police stated that it was a seperate network with no actual worthwhile data or connection to the real network

  4. Criminal Intent ! by redelm · · Score: 4, Informative

    One thing missing here (and indeed in some statutes) is the concept of "mens rea", the guilty intent. Yes, this could be trespassing or it could be theft. The prosecutors (Crown) has to establish intent in the break-in.

    Breaking & entering or burlary does not require any sort of strong measures be overcome -- just walking through a totally unlocked screen door qualifies. But if you aren't taking anything or doing anything else wrong, then it is trespassing.

    The problem with some statute is it attempts to be self-proving -- ie, the act establishes intent. For it to reasonably do so, there must be no possible innocent explanation. Anyone could formulate a query to a webserver. If it honors the query, how is that "unauthorized access"? However, someone might argue if it is not in a clickable URL, then the access is not authorized. I would disagree and state that clickable URLs are "encouragement" or ease of use. Exposing a query language is authorization for its' use. After all, it could easily have been hidden.

  5. Re:It's still breaking and entering by rm999 · · Score: 5, Informative

    Actually, that's the entering. Breaking is the act before entering. That's why it's called "breaking and entering". See http://legal-dictionary.thefreedictionary.com/burglary

    "At common law, entering through a preexisting opening did not constitute breaking. If one gained access through an open door or window, burglary was not committed. The same rule applied when a door or window was partially open even though it was necessary to open it further in order to enter. The rationale under-lying this rule was that one who failed to secure his or her dwelling was not entitled to the protection of the law. A majority of states no longer follow this rule and consider breaking to be the slightest application of force to gain entry through a partially accessible opening."

    So, my original point was that in modern US law, you don't have to do much "breaking" to commit a break and enter.

  6. Re:a legit hack by rivetgeek · · Score: 4, Informative

    Uh...no. The article states they just used SQL injection to insert an include to a remote php file (the idiots apparently hadnt disabled remote file includes). The included file was basically a dashboard that did directory listings and file transfers. I did a contract cleaning up a similar mess (URL-RFI Injection). The hardest part about the entire hack was probably finding the SQL injection point.

  7. no injection necessary by Capsaicin · · Score: 5, Informative

    The article states they just used SQL injection

    The article is wrong. Quoting from (again!) from the message left in the discussion by the quoted security dude in response to someone questioning whether this really was SQL injection:

    ... you're absolutely correct, it would just be a matter of punching in SQL statements once you've managed to connect to MySQL. This wouldn't be SQL injection, but rather just plain SQL query execution. I guess in explaining that to Asher the definition got skewed.

    The journalist (Asher Moses) simply got it wrong. It happens.

    --
    Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
  8. No root password - beyond the hyerbole by mccalli · · Score: 4, Informative

    OK Slashdot, calm down...

    I've run databases with no root password as well. It's not as insecure as people are laughing about, and the security problems here stem from sources other than the database. By default, MySQL only allows root access from the local ip of the box. The issue here is that the local security was compromised, hence that protection failed.

    So what if they had have set the root password for MySQL? Pointless - with local security destroyed it's a trivial operation to reset the password, and it's described directly on the MySQL site here.

    The article doesn't state they used a root db password either, it shows an SQL injection exploit using the "password for its database application". Doesn't mention that the db password was the root db password.

    It's still a bad breach obviously, but the nature of the breach is not as the summary describes it.

    Cheers,
    Ian