Australian Police Database Lacked Root Password

Concerned Citizen writes "The Australian Federal Police database has been hacked, although 'hacked' might be too strong a word for what happens when someone gains access to a MySQL database with no root password. Can you be charged with breaking and entering a house that has the door left wide open? Maybe digital trespassing is a better term for this situation. 'These dipshits are using an automatic digital forensics and incident response tool,' the hacker wrote. 'All of this [hacking] had been done within 30-40 minutes. Could of [sic] been faster if I didn't stop to laugh so much.'"

Even if unlocked still breaking and entering

[JoshuaZ]

In most jurisdictions that formally define "breaking and entering" make it synonymous with burglary(which may itself be broken down in various ways). Generally, it doesn't matter how easy access was or whether a door was unlocked. However, many jurisdictions don't count something as burglary unless one entered with the intention of committing a crime.

Re:Even if unlocked still breaking and entering

[conufsed]

Australian law has a separate charge for unauthorised access to a computer system under the computer crimes act

Re:Even if unlocked still breaking and entering

[jasonwc]

To elaborate on the parent post, "breaking and entering" is often referred to as a synonym for burglary, whereas it is in fact merely two of the elements to establish burglary. Under the common law, the following elements must be met to establish burglary:

1) Breaking (The use of force, however slight, to facilitate entry - may include pushing open a door, opening a window etc.)

2) Entering (Literally entering the physical structure)

3) The home of another (Note that breaking into a commercial building would not constitute burglary. The property must have the primary use as a residence.)

4) At Night (Variously defined - usually from sunset to sunrise, but could be what a "reasonable" person would believe to be night)

5) With the Intent to Commit a Felony (Usually larceny, but can be any felony including violent crimes)

Note that I have quoted the common law elements of burglary. Many state statutes have altered the elements to, for example, remove the requirement that the break-in occur at night.

Jason
Yale Law School, Class of 2010

Re:Even if unlocked still breaking and entering

[Shakrai]

Speaking from the experience of being charged with them, New York State also has a few different computer crime laws. The simplest one is a misdemeanor, "Unauthorized use of a computer". All that's required to commit this crime is to bypass a security system (wi-fi encryption, username/password prompt, etc.) without authorization to do so from the owner of said system. Then there's "computer trespass", a felony. The only difference between the two? Unauthorized use of a computer merely requires that you gain access to the system. Computer trespass requires that you use that access to access "computer material" (i.e: data).

So, breaking your neighbors WEP encryption and logging onto his network is a misdemeanor. Using this access to browse onto his c$ share and download his secret porn stash bumps it up to a felony.

Brag about it and get snapped!

[Slotty]

They had an entire episode on one of the current affairs TV shows here in Australia dedicated to cyber crime. The very next day this article came out.

The way they were talking on the TV show you're lead to believe they worked hard and displayed decent technical knowledge and skills. Nice to know my tax dollars pay for a department that doesn't even have a secure server. However according to the article the police stated that it was a seperate network with no actual worthwhile data or connection to the real network

Criminal Intent !

[redelm]

One thing missing here (and indeed in some statutes) is the concept of "mens rea", the guilty intent. Yes, this could be trespassing or it could be theft. The prosecutors (Crown) has to establish intent in the break-in.

Breaking & entering or burlary does not require any sort of strong measures be overcome -- just walking through a totally unlocked screen door qualifies. But if you aren't taking anything or doing anything else wrong, then it is trespassing.

The problem with some statute is it attempts to be self-proving -- ie, the act establishes intent. For it to reasonably do so, there must be no possible innocent explanation. Anyone could formulate a query to a webserver. If it honors the query, how is that "unauthorized access"? However, someone might argue if it is not in a clickable URL, then the access is not authorized. I would disagree and state that clickable URLs are "encouragement" or ease of use. Exposing a query language is authorization for its' use. After all, it could easily have been hidden.

Re:It's still breaking and entering

[rm999]

Actually, that's the entering. Breaking is the act before entering. That's why it's called "breaking and entering". See http://legal-dictionary.thefreedictionary.com/burglary

"At common law, entering through a preexisting opening did not constitute breaking. If one gained access through an open door or window, burglary was not committed. The same rule applied when a door or window was partially open even though it was necessary to open it further in order to enter. The rationale under-lying this rule was that one who failed to secure his or her dwelling was not entitled to the protection of the law. A majority of states no longer follow this rule and consider breaking to be the slightest application of force to gain entry through a partially accessible opening."

So, my original point was that in modern US law, you don't have to do much "breaking" to commit a break and enter.

Re:a legit hack

[rivetgeek]

Uh...no. The article states they just used SQL injection to insert an include to a remote php file (the idiots apparently hadnt disabled remote file includes). The included file was basically a dashboard that did directory listings and file transfers. I did a contract cleaning up a similar mess (URL-RFI Injection). The hardest part about the entire hack was probably finding the SQL injection point.

no injection necessary

[Capsaicin]

The article states they just used SQL injection

The article is wrong. Quoting from (again!) from the message left in the discussion by the quoted security dude in response to someone questioning whether this really was SQL injection:

... you're absolutely correct, it would just be a matter of punching in SQL statements once you've managed to connect to MySQL. This wouldn't be SQL injection, but rather just plain SQL query execution. I guess in explaining that to Asher the definition got skewed.

The journalist (Asher Moses) simply got it wrong. It happens.

No root password - beyond the hyerbole

[mccalli]

OK Slashdot, calm down...

I've run databases with no root password as well. It's not as insecure as people are laughing about, and the security problems here stem from sources other than the database. By default, MySQL only allows root access from the local ip of the box. The issue here is that the local security was compromised, hence that protection failed.

So what if they had have set the root password for MySQL? Pointless - with local security destroyed it's a trivial operation to reset the password, and it's described directly on the MySQL site here.

The article doesn't state they used a root db password either, it shows an SQL injection exploit using the "password for its database application". Doesn't mention that the db password was the root db password.

It's still a bad breach obviously, but the nature of the breach is not as the summary describes it.

Cheers,
Ian