Slashdot Mirror

← Back to Stories (view on slashdot.org)

Australian Police Database Lacked Root Password

Posted by kdawson on from the kick-me dept.

Concerned Citizen writes "The Australian Federal Police database has been hacked, although 'hacked' might be too strong a word for what happens when someone gains access to a MySQL database with no root password. Can you be charged with breaking and entering a house that has the door left wide open? Maybe digital trespassing is a better term for this situation. 'These dipshits are using an automatic digital forensics and incident response tool,' the hacker wrote. 'All of this [hacking] had been done within 30-40 minutes. Could of [sic] been faster if I didn't stop to laugh so much.'"

26 of 214 comments (clear)

  1. mmmm........ by gcnaddict · · Score: 4, Funny

    That's the smell of someone being fired.

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    1. Re:mmmm........ by jcr · · Score: 5, Insightful

      A bureaucrat fired for incompetence?

      If that happens, then Australia is more different than the USA than I can possibly imagine.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    2. Re:mmmm........ by gcnaddict · · Score: 4, Insightful

      Government employees are always fired when their actions (or inaction) embarrass the nation.

      Incompetence? You're right; employees typically aren't fired for that, but causing major embarrassment is always grounds for termination.

      --
      Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    3. Re:mmmm........ by Shakrai · · Score: 4, Insightful

      Government employees are always fired when their actions (or inaction) embarrass their political masters

      Fixed that for you :)

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    4. Re:mmmm........ by actionbastard · · Score: 4, Funny

      That's some really fine police work there Lou.

      --
      Sig this!
    5. Re:mmmm........ by Mr.+Freeman · · Score: 5, Insightful

      No, SOMEONE is always fired when their action causes embarrassment to the nation/their boss/etc.

      It most sure as hell IS NOT the person that should be fired.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
    6. Re:mmmm........ by RiotingPacifist · · Score: 5, Funny

      Here in the UK, they kick them out! ...wait a few years until everybody forgets about them, then but them back at the same level. But if somebody is incompetent enough to get caught repeatedly, we promote them to lord!

      --
      IranAir Flight 655 never forget!
    7. Re:mmmm........ by Mat'nik · · Score: 5, Funny

      0. A government employee may not harm the government, or, through inaction, allow the government to come to harm.
      1. A government employee may not harm a politician or, through inaction, allow a politician to come to harm, except where such orders would conflict with the Zeroth Law.
      2. A government employee must obey any orders given to it by politicians, except where such orders would conflict with the Zeroth or First Law.
      3. A government employee must protect its own existence as long as such protection does not conflict with the Zeroth, First or Second Law.

  2. a legit hack by Lord+Ender · · Score: 5, Insightful

    They broke out of a honeypot, discovered the available services on a private network, then found and exploited s service that was misconfigured.

    Believe it or not, most hacks don't involve writing custom exploit code. They just require some work and the sense to know what you're looking for.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:a legit hack by rivetgeek · · Score: 4, Informative

      Uh...no. The article states they just used SQL injection to insert an include to a remote php file (the idiots apparently hadnt disabled remote file includes). The included file was basically a dashboard that did directory listings and file transfers. I did a contract cleaning up a similar mess (URL-RFI Injection). The hardest part about the entire hack was probably finding the SQL injection point.

  3. Even if unlocked still breaking and entering by JoshuaZ · · Score: 4, Informative

    In most jurisdictions that formally define "breaking and entering" make it synonymous with burglary(which may itself be broken down in various ways). Generally, it doesn't matter how easy access was or whether a door was unlocked. However, many jurisdictions don't count something as burglary unless one entered with the intention of committing a crime.

    1. Re:Even if unlocked still breaking and entering by conufsed · · Score: 5, Informative

      Australian law has a separate charge for unauthorised access to a computer system under the computer crimes act

    2. Re:Even if unlocked still breaking and entering by jasonwc · · Score: 4, Informative

      To elaborate on the parent post, "breaking and entering" is often referred to as a synonym for burglary, whereas it is in fact merely two of the elements to establish burglary. Under the common law, the following elements must be met to establish burglary:

      1) Breaking (The use of force, however slight, to facilitate entry - may include pushing open a door, opening a window etc.)

      2) Entering (Literally entering the physical structure)

      3) The home of another (Note that breaking into a commercial building would not constitute burglary. The property must have the primary use as a residence.)

      4) At Night (Variously defined - usually from sunset to sunrise, but could be what a "reasonable" person would believe to be night)

      5) With the Intent to Commit a Felony (Usually larceny, but can be any felony including violent crimes)

      Note that I have quoted the common law elements of burglary. Many state statutes have altered the elements to, for example, remove the requirement that the break-in occur at night.

      Jason
      Yale Law School, Class of 2010

    3. Re:Even if unlocked still breaking and entering by Shakrai · · Score: 5, Informative

      Speaking from the experience of being charged with them, New York State also has a few different computer crime laws. The simplest one is a misdemeanor, "Unauthorized use of a computer". All that's required to commit this crime is to bypass a security system (wi-fi encryption, username/password prompt, etc.) without authorization to do so from the owner of said system. Then there's "computer trespass", a felony. The only difference between the two? Unauthorized use of a computer merely requires that you gain access to the system. Computer trespass requires that you use that access to access "computer material" (i.e: data).

      So, breaking your neighbors WEP encryption and logging onto his network is a misdemeanor. Using this access to browse onto his c$ share and download his secret porn stash bumps it up to a felony.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
  4. It's still breaking and entering by rm999 · · Score: 4, Interesting

    "Can you be charged with breaking and entering a house that has the door left wide open?"

    Nothing has to be "broken" during a breaking and entering. Not everything is so literal. As long as the person maliciously entered the system with the knowledge he didn't belong in there, it would be a virtual breaking and entering.

    1. Re:It's still breaking and entering by zippthorne · · Score: 4, Insightful

      I should hope that the law is literal. "Don't be so literal" is not the kind of argument you want to hear from the prosecution at any phase of a trial. Especially sentencing. Assault and Battery are sure as damn different things, and separably chargeable.

      --
      Can you be Even More Awesome?!
    2. Re:It's still breaking and entering by rm999 · · Score: 5, Informative

      Actually, that's the entering. Breaking is the act before entering. That's why it's called "breaking and entering". See http://legal-dictionary.thefreedictionary.com/burglary

      "At common law, entering through a preexisting opening did not constitute breaking. If one gained access through an open door or window, burglary was not committed. The same rule applied when a door or window was partially open even though it was necessary to open it further in order to enter. The rationale under-lying this rule was that one who failed to secure his or her dwelling was not entitled to the protection of the law. A majority of states no longer follow this rule and consider breaking to be the slightest application of force to gain entry through a partially accessible opening."

      So, my original point was that in modern US law, you don't have to do much "breaking" to commit a break and enter.

    3. Re:It's still breaking and entering by Metasquares · · Score: 5, Funny

      No, but this sounds like an idea for the next Sims expansion pack.

  5. Brag about it and get snapped! by Slotty · · Score: 5, Informative
    They had an entire episode on one of the current affairs TV shows here in Australia dedicated to cyber crime. The very next day this article came out.

    The way they were talking on the TV show you're lead to believe they worked hard and displayed decent technical knowledge and skills. Nice to know my tax dollars pay for a department that doesn't even have a secure server. However according to the article the police stated that it was a seperate network with no actual worthwhile data or connection to the real network

    1. Re:Brag about it and get snapped! by Beardo+the+Bearded · · Score: 4, Insightful

      Well, they would say that, wouldn't they?

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  6. Criminal Intent ! by redelm · · Score: 4, Informative

    One thing missing here (and indeed in some statutes) is the concept of "mens rea", the guilty intent. Yes, this could be trespassing or it could be theft. The prosecutors (Crown) has to establish intent in the break-in.

    Breaking & entering or burlary does not require any sort of strong measures be overcome -- just walking through a totally unlocked screen door qualifies. But if you aren't taking anything or doing anything else wrong, then it is trespassing.

    The problem with some statute is it attempts to be self-proving -- ie, the act establishes intent. For it to reasonably do so, there must be no possible innocent explanation. Anyone could formulate a query to a webserver. If it honors the query, how is that "unauthorized access"? However, someone might argue if it is not in a clickable URL, then the access is not authorized. I would disagree and state that clickable URLs are "encouragement" or ease of use. Exposing a query language is authorization for its' use. After all, it could easily have been hidden.

  7. In seeing this from the dark side... by shacky003 · · Score: 4, Insightful

    The OP is asking about being charged with anything just because the "door" wasn't on the "house" to keep them out...

    That's a little like saying "Can someone be charged with stealing a bike if it was just sitting up against the front of the store while the owner was inside the store.."
    Just because there wasn't a safeguard in place (supreme dumbasses? Why yes!) it isn't a valid legal argument (at least in the states) to plead ignorance to the
    effect that you still stole the bike, even if there was no lock securing it..

    It might be an interesting place to live if everything could be played with/used/stolen
    as long as it wasn't secured..

    As always, I may know nothing about anything, ever - and don't smoke crack.

  8. Didn't have a password? by billstewart · · Score: 5, Funny

    I hope the crackers were polite enough to give it one....

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  9. no injection necessary by Capsaicin · · Score: 5, Informative

    The article states they just used SQL injection

    The article is wrong. Quoting from (again!) from the message left in the discussion by the quoted security dude in response to someone questioning whether this really was SQL injection:

    ... you're absolutely correct, it would just be a matter of punching in SQL statements once you've managed to connect to MySQL. This wouldn't be SQL injection, but rather just plain SQL query execution. I guess in explaining that to Asher the definition got skewed.

    The journalist (Asher Moses) simply got it wrong. It happens.

    --
    Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
  10. AU judges often don't have passwords on their PCs by wheels4me · · Score: 4, Interesting

    The judges in AU are on a network that does not have a requirement that all users have passwords. Thus, many judges don't even password protect their PCs that are net-connected. It is no surprise that their db got hacked with the abysmal lack of security on the judicial network.

  11. No root password - beyond the hyerbole by mccalli · · Score: 4, Informative

    OK Slashdot, calm down...

    I've run databases with no root password as well. It's not as insecure as people are laughing about, and the security problems here stem from sources other than the database. By default, MySQL only allows root access from the local ip of the box. The issue here is that the local security was compromised, hence that protection failed.

    So what if they had have set the root password for MySQL? Pointless - with local security destroyed it's a trivial operation to reset the password, and it's described directly on the MySQL site here.

    The article doesn't state they used a root db password either, it shows an SQL injection exploit using the "password for its database application". Doesn't mention that the db password was the root db password.

    It's still a bad breach obviously, but the nature of the breach is not as the summary describes it.

    Cheers,
    Ian