Hacker Steals Military Docs Because Someone Didn't Change a Default FTP Password (bleepingcomputer.com)
New submitter secwatcher shares a report: A hacker is selling sensitive military documents on online hacking forums, a security firm has discovered. Some of the sensitive documents put up for sale include maintenance course books for servicing MQ-9 Reaper drones, and various training manuals describing comment deployment tactics for improvised explosive device (IED), an M1 ABRAMS tank operation manual, a crewman training and survival manual, and a document detailing tank platoon tactics. US-based threat intelligence firm Recorded Future discovered the documents for sale online. They say the hacker was selling the data for a price between $150 and $200, a very low asking price for such data. Recorded Future says it engaged the hacker online and discovered that he used Shodan to hunt down specific types of Netgear routers that use a known default FTP password. The hacker used this FTP password to gain access to some of these routers, some of which were located in military facilities, he said.
who has netgear equipment anymore? who allows default passwords anymore? wow
nothing to see here - move along
Lowest bidder perhaps?
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Netgear routers is one thing - using them as NAS servers for sensitive data is a whole other special kind of stupid.
A Netgear consumer router is being used as a firewall for networks containing military secrets? Not what I would have expected, I usually use more robust firewalls on networks I maintain. A default password was left in place for a router on a secure network... FTP configuration from outside was left enabled on the router... Against most acceptable security practices for any network. The USAF didn't do regular nmap scans and pentests of their networks from various points around the world that would have found this opening... They didn't regularly check sites like Shodan to see what shows for their networks... I do these regularly for networks I maintain...
Exactly.
My point is that "classified" makes for good headlines, but there was likely little to no real damage done.
The fact that FTP is being used at all is a big red flag for me. Unless it's sitting inside a fully encrypted tunnel, an FTP password is so trivial to steal even if it isn't an obvious password. There may be a few cases where one has to use FTP, but where I have been forced to use it (old hardware), it's ringfenced like nuts, and I'm not going to have an FTP server open on the Internet, unless it's some sort of publicly available archive where I don't care who downloads off of it.
The world's burning. Moped Jesus spotted on I50. Details at 11.
No offence to the military... But they are not generally staffed with the cream of the crop down where things are getting fixed.
The standard joke for Military Aircraft goes like this... They are designed by PhDs, flown by college graduates, and maintained by high school dropouts.
I can tell you that the intelligence of your average flight line maintainer isn't going to be anything to write home about. Some of them can think, but most just blindly follow the diagnostic trees provided by the PhDs who built the system they are maintaining. And yes, I've dealt with this personally.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
I sure hope they didn't pay much, because that's so far below the lowest common denominator of modern IT services that the only thing I can think of is that some amateur BBS operator from the mid-90s accidentally fell into an icy lake, his frozen body was found a few years ago, was resuscitated and went into the business of responding to Federal government procurements, with all the knowledge and ability an amateur BBS operator from the mid-90s could bring to 21st century IT.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Hacker Steals Military Docs Because Someone Didn't Change a Default FTP Password
Should read Hacker Steals military docs because she's a sleazeball
The lack of a proper password helped her commit the crime, it didn't compel it, she could have instead just told the authorities about the screwup
Nullius in verba
They have a manual that describes tactics for the deployment of COMMENTS? Slashdot could really use that...
They didn't have NAS back in 1965. It was the early 1980s before any such concept was even developed. Don't be lying to us.
You obviously are one of the ones who can think... I've run into flight line personnel who went through all the same schools you claim and came out not knowing how to measure current coming from a DC power supply on the test bench. I'm talking about folks who did the schools and completed their enlistments fixing airplanes. I've also been responsible for producing automated test equipment for squadrons to test avionics with. I can attest with assurance that if something requires a bit of thought and understanding by the flight line, they are unlikely to figure it out.
I've seen many cases where the fault trees clearly would have worked if followed and times where lacking understanding of what the callout was actually saying (say a short to ground fault) caused a pile of unnecessary stuff to get done when a bit of looking at the blackened traces and bent pins would have been in order. There truly are some idiots on the flight line who don't engage the brain and don't have enough experience to fix much of anything, though they've had all the necessary training to be qualified to throw black boxes at the aircraft until it happened to work.
I've also seen the good folks who actually understood what they were working on who could just about diagnose the problem by just standing next to the aircraft and watching the BIT run. I've seen these types tell me exactly what two connectors to pull off and which pins to check when specific failures happened... Loved working with and training these guys/gals who had a clue and engaged their brains, but they were the exceptions.
Face it, military pay isn't all that competitive and the good technical folks out there are unlikely to accept the working conditions and risks that come with the job if industry is paying more for only 40 hours/week and little risk of not being home in your bed at night. It's not surprising that military maintenance people are not always top in their fields.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
FTPS is not nearly as broadly supported as FTP or HTTP, last I checked. In particular, unless things have changed in the last couple of years, Internet Explorer et al do not support FTPS, which makes the protocol basically DOA in a real-world environment.
You are technically correct that FTP has a resume command. Unfortunately, last I checked, Apple's URL handling infrastructure didn't support it, which AFAIK means neither does Safari. So basically, between that and the lack of FTPS in Internet Explorer, FTP is an absolute train wreck of half-supported functionality. By contrast, both TLS and download continuation work out-of-the-box with HTTP/HTTPS in all major browsers.
Web servers also support digest authentication, which keeps the password secure against all but an exact replay of the request, even over unencrypted channels. AFAIK, there's nothing equivalent in FTP, unless you count Kerberos (shudder), which is even less broadly supported than FTPS.
Another big difference is that people naturally assume that anything you put on a web server can be seen by anybody. The password authentication inherent in FTP creates a false sense of security, which makes the non-TLS version even more problematic than it otherwise might be.
Check out my sci-fi/humor trilogy at PatriotsBooks.
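The digest-authentication comparison made in the comment above, as an added example that is not part of the thread: it contrasts what plain FTP login puts on the wire with an HTTP Digest response, and shows that a captured response only verifies for the exact same request. The credentials and nonces are the sample values from RFC 2617 section 3.5; the function names and the "constructed-fresh-nonce" value are made up for this sketch.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def ftp_login_bytes(user: str, password: str) -> bytes:
    """What a plain FTP client sends: the password itself, in cleartext."""
    return f"USER {user}\r\nPASS {password}\r\n".encode()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth: a hash bound to nonce, method and URI."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def server_accepts(ha1, method, uri, nonce, nc, cnonce, response):
    """Server side: recompute from the stored HA1, compare in constant time."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return hmac.compare_digest(expected, response)

# Sample values from RFC 2617 section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
URI = "/dir/index.html"

def demo():
    captured = digest_response(USER, REALM, PASSWORD, "GET", URI, NONCE, NC, CNONCE)
    ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")  # what the server stores
    return {
        # FTP: anyone observing the session reads the password directly.
        "ftp_leaks_password": PASSWORD.encode() in ftp_login_bytes(USER, PASSWORD),
        "digest_response": captured,
        # Digest: the captured value verifies only for the identical request.
        "exact_replay": server_accepts(ha1, "GET", URI, NONCE, NC, CNONCE, captured),
        "other_uri": server_accepts(ha1, "GET", "/dir/secret.html", NONCE, NC, CNONCE, captured),
        # Constructed value standing in for a new server challenge.
        "fresh_nonce": server_accepts(ha1, "GET", URI, "constructed-fresh-nonce", NC, CNONCE, captured),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A server that also tracks which nonce and nc values it has already seen rejects the exact replay as well; this sketch does not model that state.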