Australian Police Database Lacked Root Password
Concerned Citizen writes "The Australian Federal Police database has been hacked, although 'hacked' might be too strong a word for what happens when someone gains access to a MySQL database with no root password. Can you be charged with breaking and entering a house that has the door left wide open? Maybe digital trespassing is a better term for this situation. 'These dipshits are using an automatic digital forensics and incident response tool,' the hacker wrote. 'All of this [hacking] had been done within 30-40 minutes. Could of [sic] been faster if I didn't stop to laugh so much.'"
They broke out of a honeypot, discovered the available services on a private network, then found and exploited a service that was misconfigured.
Believe it or not, most hacks don't involve writing custom exploit code. They just require some work and the sense to know what you're looking for.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
A bureaucrat fired for incompetence?
If that happens, then Australia is more different from the USA than I can possibly imagine.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
The way they were talking on the TV show you're led to believe they worked hard and displayed decent technical knowledge and skills. Nice to know my tax dollars pay for a department that doesn't even have a secure server. However, according to the article the police stated that it was a separate network with no actual worthwhile data or connection to the real network.
Australian law has a separate charge for unauthorised access to a computer system under the computer crimes act.
Actually, that's the entering. Breaking is the act before entering. That's why it's called "breaking and entering". See http://legal-dictionary.thefreedictionary.com/burglary
"At common law, entering through a preexisting opening did not constitute breaking. If one gained access through an open door or window, burglary was not committed. The same rule applied when a door or window was partially open even though it was necessary to open it further in order to enter. The rationale underlying this rule was that one who failed to secure his or her dwelling was not entitled to the protection of the law. A majority of states no longer follow this rule and consider breaking to be the slightest application of force to gain entry through a partially accessible opening."
So, my original point was that in modern US law, you don't have to do much "breaking" to commit a break and enter.
No, but this sounds like an idea for the next Sims expansion pack.
I hope the crackers were polite enough to give it one....
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Speaking from the experience of being charged with them, New York State also has a few different computer crime laws. The simplest one is a misdemeanor, "Unauthorized use of a computer". All that's required to commit this crime is to bypass a security system (wi-fi encryption, username/password prompt, etc.) without authorization to do so from the owner of said system. Then there's "computer trespass", a felony. The only difference between the two? Unauthorized use of a computer merely requires that you gain access to the system. Computer trespass requires that you use that access to access "computer material" (i.e., data).
So, breaking your neighbor's WEP encryption and logging onto his network is a misdemeanor. Using this access to browse onto his c$ share and download his secret porn stash bumps it up to a felony.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
The article states they just used SQL injection.
The article is wrong. Quoting (again!) from the message left in the discussion by the quoted security dude in response to someone questioning whether this really was SQL injection:
The journalist (Asher Moses) simply got it wrong. It happens.
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
No, SOMEONE is always fired when their action causes embarrassment to the nation/their boss/etc.
It most sure as hell IS NOT the person that should be fired.
-1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
Here in the UK, they kick them out! ...wait a few years until everybody forgets about them, then put them back at the same level. But if somebody is incompetent enough to get caught repeatedly, we promote them to lord!
IranAir Flight 655 never forget!
0. A government employee may not harm the government, or, through inaction, allow the government to come to harm.
1. A government employee may not harm a politician or, through inaction, allow a politician to come to harm, except where such orders would conflict with the Zeroth Law.
2. A government employee must obey any orders given to it by politicians, except where such orders would conflict with the Zeroth or First Law.
3. A government employee must protect its own existence as long as such protection does not conflict with the Zeroth, First or Second Law.