Slashdot Mirror
Australian Police Database Lacked Root Password
Concerned Citizen writes "The Australian Federal Police database has been hacked, although 'hacked' might be too strong a word for what happens when someone gains access to a MySQL database with no root password. Can you be charged with breaking and entering a house that has the door left wide open? Maybe digital trespassing is a better term for this situation. 'These dipshits are using an automatic digital forensics and incident response tool,' the hacker wrote. 'All of this [hacking] had been done within 30-40 minutes. Could of [sic] been faster if I didn't stop to laugh so much.'"
That's the smell of someone being fired.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
They broke out of a honeypot, discovered the available services on a private network, then found and exploited s service that was misconfigured.
Believe it or not, most hacks don't involve writing custom exploit code. They just require some work and the sense to know what you're looking for.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
In most jurisdictions that formally define "breaking and entering" make it synonymous with burglary(which may itself be broken down in various ways). Generally, it doesn't matter how easy access was or whether a door was unlocked. However, many jurisdictions don't count something as burglary unless one entered with the intention of committing a crime.
"Can you be charged with breaking and entering a house that has the door left wide open?"
Nothing has to be "broken" during a breaking and entering. Not everything is so literal. As long as the person maliciously entered the system with the knowledge he didn't belong in there, it would be a virtual breaking and entering.
It was not the main database which was broken into, but rather just a node which had some of the information from the database stored on it.
TFS is very poorly written... it is not worthy of being a "Summary".
The way they were talking on the TV show you're lead to believe they worked hard and displayed decent technical knowledge and skills. Nice to know my tax dollars pay for a department that doesn't even have a secure server. However according to the article the police stated that it was a seperate network with no actual worthwhile data or connection to the real network
One thing missing here (and indeed in some statutes) is the concept of "mens rea", the guilty intent. Yes, this could be trespassing or it could be theft. The prosecutors (Crown) has to establish intent in the break-in.
Breaking & entering or burlary does not require any sort of strong measures be overcome -- just walking through a totally unlocked screen door qualifies. But if you aren't taking anything or doing anything else wrong, then it is trespassing.
The problem with some statute is it attempts to be self-proving -- ie, the act establishes intent. For it to reasonably do so, there must be no possible innocent explanation. Anyone could formulate a query to a webserver. If it honors the query, how is that "unauthorized access"? However, someone might argue if it is not in a clickable URL, then the access is not authorized. I would disagree and state that clickable URLs are "encouragement" or ease of use. Exposing a query language is authorization for its' use. After all, it could easily have been hidden.
The OP is asking about being charged with anything just because the "door" wasn't on the "house" to keep them out...
That's a little like saying "Can someone be charged with stealing a bike if it was just sitting up against the front of the store while the owner was inside the store.."
Just because there wasn't a safeguard in place (supreme dumbasses? Why yes!) it isn't a valid legal argument (at least in the states) to plead ignorance to the
effect that you still stole the bike, even if there was no lock securing it..
It might be an interesting place to live if everything could be played with/used/stolen
as long as it wasn't secured..
As always, I may know nothing about anything, ever - and don't smoke crack.
We don't need to secure anything...we've got a...
(Tympanic BOOM-BOOM-BOOM)
A FIREWALL!
I hope the crackers were polite enough to give it one....
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Let's get a better analogy:
"If you broke a window (pun intended), entered the house, saw safe on the floor, turned the handle and it was unlocked, would you be breaking and entering?"
I'd just like to point out that on Monday night EST, Four Corners one of only a small handful of highly respected journalism shows in Australia, ran a piece on "Hackers" and "cyber-crime". I use inverted commas, because although this show is highly respected it "dumbed" down all the interviewees.
1. Essentially it was about hackers who DDOS'd multi-bet and destroyed the company.
2. Essentially it was about a dumb old guy who was a victim of a simple phishing scam.
3. Essentially it was about Australian Federal Police (AFP) who were on the TV show, quite literally laughing at the hackers.
Now, I agree with the first point. I do not have time or appreciation for hackers black mailing then botnet'ting a company to Bankruptcy.
But I do want to make the point: Dumb people get what they deserve (point 2), and dumb organizations who instigate other organization that are much smarter than themselves also get what they deserve. I think "pie in the face" in an understatement in this instance.
I think the only good news in this Article was that the database didn't contain the Tax numbers or Criminal Records of every Australian. I have the highest respect for AFP and the Australia Police Service.
Does the idea of a recursive honeypot sound entirely ridiculous?
It was not a honeypot, it was not even an AFP machine. Read down the discussion in TFA. Shaon Diwakar, the security expert quoted in the article, responding to another poster explains that he was misquoted by the journalist (re. SQL injection), and explains the status of the machine under question.
[my emphasis]
Which sounds the AFP took over a machine belonging to someone who also forgot to set their mysql password. If I'm reading that correctly, and they broke into a machine with poor security, it's probably not in their job description to fix up the victim's mysql password. So no, I doubt if anyone (in the AFP) will be sacked here.
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
The article states they just used SQL injection
The article is wrong. Quoting from (again!) from the message left in the discussion by the quoted security dude in response to someone questioning whether this really was SQL injection:
The journalist (Asher Moses) simply got it wrong. It happens.
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
The judges in AU are on a network that does not have a requirement that all users have passwords. Thus, many judges don't even password protect their PCs that are net-connected. It is no surprise that their db got hacked with the abysmal lack of security on the judicial network.
OK Slashdot, calm down...
I've run databases with no root password as well. It's not as insecure as people are laughing about, and the security problems here stem from sources other than the database. By default, MySQL only allows root access from the local ip of the box. The issue here is that the local security was compromised, hence that protection failed.
So what if they had have set the root password for MySQL? Pointless - with local security destroyed it's a trivial operation to reset the password, and it's described directly on the MySQL site here.
The article doesn't state they used a root db password either, it shows an SQL injection exploit using the "password for its database application". Doesn't mention that the db password was the root db password.
It's still a bad breach obviously, but the nature of the breach is not as the summary describes it.
Cheers,
Ian
If a door to a house is left wide open, it is not an invitation. You can be charged with criminal trespass for entering the house - no "breaking and entering" (you watch too much TV, really) required.
If you enter that house with the intent to commit a crime, then you've escalated to Burglary, which in my particular state is a first degree felony carrying a 20 year maximum sentence. It does not matter if you were successful in committing your crime. Simply entering the property with the intent to commit a crime (any crime) is burglary.
If you enter that property with the intent to commit a crime, say, theft, and you succeed, you have not only committed the felony of burglary, but you have also committed theft by taking and possession of stolen property, which are completely independent charges, carrying their own sentences.
How these are analogues to the computer world, well, I don't know. I am sure it depends on the jurisdiction. There are laws on the books in some places regarding unauthorized access, regardless of intent.
Bottom line is, kids, you cannot assume a lack of security equals an invitation to snoop around.