Hacker Steals Military Docs Because Someone Didn't Change a Default FTP Password (bleepingcomputer.com)
New submitter secwatcher shares a report: A hacker is selling sensitive military documents on online hacking forums, a security firm has discovered. Some of the sensitive documents put up for sale include maintenance course books for servicing MQ-9 Reaper drones, and various training manuals describing comment deployment tactics for improvised explosive devices (IEDs), an M1 ABRAMS tank operation manual, a crewman training and survival manual, and a document detailing tank platoon tactics. US-based threat intelligence firm Recorded Future discovered the documents for sale online. They say the hacker was selling the data for a price between $150 and $200, a very low asking price for such data. Recorded Future says it engaged the hacker online and discovered that he used Shodan to hunt down specific types of Netgear routers that use a known default FTP password. The hacker used this FTP password to gain access to some of these routers, some of which were located in military facilities, he said.
* Sold separately. Tank not included.
Which can easily be explained by stupidity.
This is one of those times.
who has netgear equipment anymore? who allows default passwords anymore? wow
nothing to see here - move along
Yeah!
They were using Netgear routers with USB-attached drives as FTP servers instead of ... real server hardware? Something seems missing here.
It was stupid to host it with a default FTP password, but the data itself doesn't actually appear all that sensitive. Survival, repair, and operation manuals are officially classified, but a lot of the info is in the public domain as well.
Just because something is officially classified doesn't mean it isn't also an open secret.
A Netgear consumer router is being used as a firewall for networks containing military secrets? Not what I would have expected; I usually use more robust firewalls on networks I maintain.
A default password was left in place for a router on a secure network... FTP configuration from outside was left enabled on the router... against most acceptable security practices for any network.
The USAF didn't do regular nmap scans and pentests of their networks from various points around the world that would have found this opening... They didn't regularly check sites like Shodan to see what shows for their networks... I do these regularly for networks I maintain...
they should have used the military-industrial complex to acquire routers. now there's a bunch of american workers unemployed. blame the government.
Someone(s) need to be fired. ftp has been on the TURN IT OFF LAST YEAR list for something like 10 years. (And I'm speaking as a sr. Linux sysadmin).
... the information is so WWII.
Tanks?
The predator thing is intriguing, though.
More importantly, the military dropped the ball by being negligent.
It little behooves the best of us to comment on the rest of us.
NOT!
I worked at a company where the CFO insisted on having his own wireless access point in his office and refused to allow any kind of network encryption. He didn't even change the default SSID, just plugged the router into the wall, no keys, no passwords, nothing. His office was on the 5th floor and we were less than a block away from a MAJOR technical college's dorms, so you can bet the students were more than able to connect any time.
The router was found by the network security folks and the port turned off at the switch, but the CFO pitched a fit when it stopped working and moving it to another drop didn't fix it. He had the network guys in his office being called on the carpet. Even after the risks were explained, he didn't care and demanded it be turned back on. So he got it back and the rest of us enjoyed free WiFi on our smart devices, as it worked great from the coffee machine.
Stupid stuff happens everywhere.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Dang. I sure hope no one figures out how to implement such comment deployments here at slashdot!
I have no special gift, I am only passionately curious. --Albert Einstein
Hacker Steals Military Docs Because Someone Didn't Change a Default FTP Password
Should read Hacker Steals military docs because she's a sleazeball
The lack of a proper password helped her commit the crime; it didn't compel it. She could have instead just told the authorities about the screwup.
Nullius in verba
Well, Trump said he'd run the government like a business. He just didn't mention that the business was Equifax.
You are welcome on my lawn.
In reality, every evil person ever went "Whoops! Stoopid me! So clumsy! .... (3 seconds later) ... Whoops, I did it again!".
And people like you gobble it up *every single time*.
Which is why you still believe you "vote" when picking one of the same two evil parties again, every four years, just because it was the other one's turn to "Whoops!" do it again.
You talk yourself into it just being stupidity. All because you just can't handle the malice of reality. And you never will.
Too bad I still have a conscience, and so can't (ab)use it to my advantage.
they used a default ftp password to pivot to a workstation that they then used to get the manuals...
nothing to see here - move along
You are correct sir. Still lots of stupid admins out there.
Plain FTP should have died with telnet around 1997.
Plain FTP isn't firewall friendly. sftp is.
I can't believe that plain FTP setup is still being taught without stressing that it shouldn't be used outside lab environments. Redhat is part of this problem, but there are lots of others, cough, microsoft, is one.
Redhat does so many things really well.
https://mywiki.wooledge.org/Ft...
Seriously, who uses FTP still?
Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
dale gribble aka Rusty Shackleford did it
pyle! why did you just get what the guy at best buy said was the best?
Taxation is theft, and so are your FTP accounts.
... I was hoping to find the password here, so I can fix my Abraham tank myself :(
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
He/She is probably anti-Trump. Go antifa!! /s
then msmash doesn't get to claim "IT WUZ HAXX0RZ!" and that'd fail to bring teh 1337, so "haxx0rz!" it is.
And so we learn typing a default password == haxx0rin!
So it is not like leaving the default pass in place was much less secure.
Really, once it was an FTP server not an sFTP server, you may as well have printed the stuff out and left it in a duffel bag on the sidewalk in front of the local shopping mall.
Security getting into the base? Good stuff.
But once you're in, I could've walked around with a thumb drive, easily copying files. There are rules to mitigate this, but the personnel don't follow them too strictly.
Whenever I hear about military files getting stolen, I think about this.
It's amazing mgmt isn't held accountable.
millions in damages for having to change all the passwords again ?
Those files were probably pulled by the "hacker" from some government employee's home setup or, more likely, from some government contractor company who was doing something they shouldn't have been with those files in the first place (i.e. making them available to employees via FTP).
I doubt these were pulled from an actual military site as the D.O.D networks have been blocking FTP for quite some time now.
Sadly, it only takes one stupid person to "F" things up for a whole lot of people.
Consumer grade gear and poor admin skills are common, especially at smaller companies.
IT is overhead, and overhead eats profits. Execs and boards will never spend what's needed for the latest gear or the best trained or experienced staff.
At least they haven't done so in the last 20 years of my IT career.
Why would this service even have a default password? Just disable the service until a password is set via the admin page.
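The fail-closed policy this comment suggests, as an added example that is not code from Netgear or from the article: the router's file-sharing service is only allowed to start once the operator has replaced the factory password, and the same gate also flags the two exposures an earlier comment lists (FTP reachable from outside, plaintext FTP instead of SFTP). The config fields, hostnames and the factory-password list are constructed placeholders, not real vendor defaults.

```python
"""Fail-closed gate for a consumer router's FTP/USB file-sharing service.

Hypothetical model: field names and FACTORY_PASSWORDS are constructed
placeholders, not Netgear's actual configuration or defaults.
"""
from dataclasses import dataclass

# Constructed placeholder list of factory credentials a device might ship with.
FACTORY_PASSWORDS = frozenset({"", "password", "admin", "1234"})
MIN_PASSWORD_LEN = 12


@dataclass
class FtpServiceConfig:
    host: str
    enabled: bool          # operator asked for the service to run
    password: str          # credential currently configured for the share
    wan_access: bool       # share reachable from the Internet-facing interface
    plaintext: bool = True  # classic FTP (True) versus SFTP/FTPS (False)


def service_gate(cfg: FtpServiceConfig):
    """Return (allowed, reasons): the service may start only if reasons is empty."""
    if not cfg.enabled:
        return False, ["service disabled by operator"]
    reasons = []
    # Core rule from the comment: never run while the factory credential is in place.
    if cfg.password in FACTORY_PASSWORDS:
        reasons.append("password is still the factory default")
    elif len(cfg.password) < MIN_PASSWORD_LEN:
        reasons.append("password shorter than %d characters" % MIN_PASSWORD_LEN)
    # Exposure checks: outside reachability and unencrypted transport.
    if cfg.wan_access:
        reasons.append("file sharing exposed on the WAN interface")
    if cfg.plaintext:
        reasons.append("plaintext FTP: credentials and files cross the wire unencrypted")
    return (not reasons), reasons


def audit_fleet(configs):
    """Map each host to the list of findings; hosts with an empty list pass."""
    return {c.host: service_gate(c)[1] for c in configs if c.enabled}


if __name__ == "__main__":
    # Constructed sample fleet: one router left at factory settings, one hardened.
    fleet = [
        FtpServiceConfig("router-lobby", True, "password", wan_access=True),
        FtpServiceConfig("router-lab", True, "correct-horse-battery-staple",
                         wan_access=False, plaintext=False),
    ]
    for host, findings in audit_fleet(fleet).items():
        print(host, "OK" if not findings else "; ".join(findings))
```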
who some 17 years ago cracked USA military computers. He wrote a Perl script and looked for blank and default passwords. Not resetting passwords once is stupid; twice is criminal and the penalty should be a dishonourable discharge and loss of pension -- for those at the top of the military; but I expect that, as usual, they will blame a few lowly techies.
Considering those drones are only used to murder people in countries that never attacked us, the blood-drenched Pentagon must hate it when karma bites them back.
>>They say
then this...
>>the hacker was selling the data for a price between $150 and $200
torrent that shit or it didn't happen newfags
Copying isn't stealing.
Wonder what the public key field is for?
I bet you never even read the spec.
Not even skimmed it.
I bet you believe WebSockets and other inner-platform effect idiocies like modern "browsers" (aka shitty OSes on top of OSes) are the shit, and don't understand ports or protocols.
The hacker was able to steal the documents because of the password.
The hacker stole the documents because the hacker is a piece of shit.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
DOD get with the program! Migrate to Linux ASAP! GNU Linux/Open Source has Security Standards that would keep the DOD up to date in I.T.
There are new standards in the world of Open Source for advanced FTP.
Even better, you can get nice, neat pages that organize the data in interesting ways, charts and graphs that support the data, and links to other websites that provide corroborating info.
I know what you can get through web pages. I have web pages that do that. I ALSO have FTP for users who don't need ANY of that, they just want the data. You're stuck on form over substance. "Look how pretty my web page is. Isn't my data organized in an interesting way? You can click on a table column and it will sort it for you. And look, I'll plot it for you the way I want to plot it." I'm talking about substance. "Here's a data file ... you can do with it what you want. You want to sort it, go ahead. You want to plot it? Be my guest."
I'm fighting this problem with an outfit that has gone whole hog into fancy THREDDS servers for their data. I need to get their data for production use here. That means "automated", in case you don't understand what that is. You can't do that using wget, because the link for the data is hidden under three levels of other web links. I had to get the top level HTML, parse the links for the next level, get that HTML, parse the links, wash, rinse, repeat. And THEN they changed the structure. Oh, the web pages were beautiful. Drop down menus to select the date range, a map to draw a bounding box to pick which sensor you wanted, plots of summary data. All great -- for interactive, transient users. I could spend ten minutes drilling down to finally reach the raw data I needed, but automating it was impossible.
This fancy server replaced a simple FTP server that allowed one call to ncftp in a cron script to download exactly what was wanted. I didn't need to log in, it was anonymous FTP. I didn't care if I couldn't restart a transfer mid-file. If it failed, I just did it again. No, I mean the script did it again for me. I didn't even care if someone could packet sniff and copy the data in transit. Yes, because it wasn't TLS or SSL protected, a MITM could try injecting bogus data or malware, but over the decades of doing this that never once happened. Injecting malware would be useless -- if the data wasn't in the format that my software expected it would whine about it to me, not try to execute it to see what it was.
For THIS USE, to solve THIS PROBLEM, FTP is the CLEAR winner for "better".
I guess you also missed the fact that I also run web servers to access the same, and different, data. I know all about the wonderful things you are lecturing me about, and I know when it is correct to do that and when it is correct to have just a simple interface for simple things.
That's because your user ID is about 40,000 too high to remember it.
Oh, now it's a personal attack based on /. UID. Here's a free clue for the moron: UID is based on when someone joins slashdot, not when someone started using computers.
You want a history? My first Linux was slackware 0.9 on 35 (I think it was) 3.5" floppies, and I was doing VMS/Ultrix/SunOS for a very long time before that. I used to install network nodes using vampire taps for the MAU, and thought it was great when 10base2 came out. My first web server was a CERN server, back when Mosaic was new. I also had gopher and WAIS servers in operation when they were new, and had to deal with the idiots running veronica before I had to deal with the ones doing unrestricted web crawling. In all that time, I have never used FTP to install an OS, because FTP isn't about installing an OS, it's a FILE TRANSFER PROTOCOL. When I needed to install an OS, it was from a tape, or more recently from a DVD. When it's a net install image on the DVD, it's from a web server, not FTP.
Tell me again how my UID is too high to know the past.
If showing the directory listing via HTTP is insecure, then it is just as insecure to show it over FTP.
You really don't understand the difference between how an FTP server wo
I kept running into problematic non-secured systems in the 1990s which turned out to be on military or other sensitive sites
In one case script kiddies had taken up residence on a NASA computer which was being used for command/control of the original Mars Pathfinder/Sojourner rover.
Back then, DISA was pretty good about getting them fixed when notified, but they didn't scan for them.
NASA learned from the Sojourner (and a couple of other) experiences and now has pretty good security practices, including preemptive scanning for vulnerabilities inside their networks.
Fast forward 20+ years and the same problems keep cropping up with minor variations in the US Military network - and DISA _STILL_ isn't scanning for anything; on top of that, they stopped being approachable by 3rd parties about problems not long after 9/11 (which has made reporting detected infestations nearly impossible).