Australian Police Database Lacked Root Password
Concerned Citizen writes "The Australian Federal Police database has been hacked, although 'hacked' might be too strong a word for what happens when someone gains access to a MySQL database with no root password. Can you be charged with breaking and entering a house that has the door left wide open? Maybe digital trespassing is a better term for this situation. 'These dipshits are using an automatic digital forensics and incident response tool,' the hacker wrote. 'All of this [hacking] had been done within 30-40 minutes. Could of [sic] been faster if I didn't stop to laugh so much.'"
mmmm........ (Score:5, Funny)
Re:mmmm........ (Score:5, Insightful)
Incompetence? You're right; employees typically aren't fired for that, but causing major embarrassment is always grounds for termination.
Re:mmmm........ (Score:5, Insightful)
It most sure as hell IS NOT the person that should be fired.
Re: (Score:2)
Well, example from Slovakia (part of EU): When (not if, when) the minister causes too much trouble (like say stealing so much that it is impossible to cover it up) he gets kicked out. But hey, his comrades won't let him fall on the street. He gets a new job as a member of parliament - usually position with much less work but better pay.
Now, I just wonder where is the motivation for a minister to do a good work (for the citizens).
Re:mmmm........ (Score:5, Funny)
Here in the UK, they kick them out! ...wait a few years until everybody forgets about them, then put them back at the same level. But if somebody is incompetent enough to get caught repeatedly, we promote them to lord!
Re: (Score:3, Insightful)
I hear the call of he who shall not be named... Lord Mandels... *guurk*
Re:mmmm........ (Score:4, Insightful)
Is president of the United States considered a government employee? Cuz... that totally messes up your comment if so.
Re: (Score:2)
Re:mmmm........ (Score:5, Funny)
1. A government employee may not harm a politician or, through inaction, allow a politician to come to harm, except where such orders would conflict with the Zeroth Law.
2. A government employee must obey any orders given to it by politicians, except where such orders would conflict with the Zeroth or First Law.
3. A government employee must protect its own existence as long as such protection does not conflict with the Zeroth, First or Second Law.
Re: (Score:2)
Woah! Not so fast there Tex. Nobody'll get fired. Not even a reprimand. Incident reports will have to be submitted and if it is considered really, really bad, a 'problem' ticket will be requested. But that's it.
Australian government ... Vogons aren't even in the same class.
Re: (Score:2)
Oh, bureaucrats have been fired for incompetence in the US. Just not the politically connected ones. What I wonder is, if their IT staff is that incompetent, are the police officers as bad? It only takes one idiot to tarnish an entire organization.
Re: (Score:2)
Re:mmmm........ (Score:5, Funny)
Re: (Score:2)
Um, yes, you can. Breaking doesn't mean you broke something physically. It means breaking the plane of entrance into a structure.
Re: (Score:3, Informative)
Wrong. You must physically disable a security system. Otherwise, what is trespassing?
a legit hack (Score:5, Insightful)
They broke out of a honeypot, discovered the available services on a private network, then found and exploited a service that was misconfigured.
Believe it or not, most hacks don't involve writing custom exploit code. They just require some work and the sense to know what you're looking for.
Didn't have a password? (Score:5, Funny)
I hope the crackers were polite enough to give it one....
Re: (Score:2)
reminds me of that old gameshow (dating myself here)
[whispers] and the password is ... dumbass
Re:a legit hack (Score:4, Informative)
Re:a legit hack (Score:4, Insightful)
And? A hack doesn't have to be "hard" to be a hack. As the word is popularly used today, breaking into a computer through nonobvious (to the average person) means is hacking.
Re: (Score:3, Insightful)
By your definition, visiting the FTP server I found running on your PC is hacking. Last month I opened a browser and typed "ftp://ftp.mozilla.org/" to look for an older version of Firefox. I didn't know if such a thing existed, I was just guessing. This is probably hacking, too.
no injection necessary (Score:5, Informative)
The article states they just used SQL injection
The article is wrong. Quoting (again!) from the message left in the discussion by the quoted security dude in response to someone questioning whether this really was SQL injection:
The journalist (Asher Moses) simply got it wrong. It happens.
Re: (Score:2, Insightful)
Re: (Score:3, Informative)
Are you (or he, I haven't read his comment) trying to say that mysql was accessible from the outside to arbitrary connections directly? I find that pretty hard to believe.
It appears to be what he (or someone claiming to be him) is saying, or am I misreading him? For your benefit, I'll quote his comment in its entirety:
@killjoy - you're absolutely correct, it would just be a matter of punching in SQL statements once you've managed to connect to MySQL. This wouldn't be SQL injection, but rather just plain SQL query execution. I guess in explaining that to Asher the definition got skewed. Also, according to what we were presented, the AFP commandeered this server as part of an investigation - so it may not necessarily have been a honeypot per se.
@k@icolo - you'll be surprised, it's just human nature. It could easily have happened to security folks (such as us) as well - especially if we're not vigilant.
@Luke | Melbourne - the point of the 4corners exercise was to demonstrate what would happen in the scenario where a wireless AP was not encrypting traffic - you may be using WPA2 but a lot of people aren't, nor would they know how to enable it.
Posted By: Shaon Diwakar | HackLabs - August 18, 2009, 10:00PM
How do you read that?
Note also that he indicates that this was not an AFP machine, or a machine normally administered by the AFP, but a machine "commandeered" (which on reflection probably m
Re: (Score:2)
How do you inject an include? To do that wouldn't that mean the programmer not only didn't parse his input for SQL, but also chose to blindly execute code coming from the database?
Re: (Score:2, Informative)
Imagine you have a script that just includes a user's profile data (user.php) from a flat file (stupid I know, but it's an example), by entering in a remote file to a field, it might be sanitized, however in a SQL injection you could overwrite "user.php" with http://www.evilsite.com/evilscript.php [evilsite.com]
Myspace ran into this issue
Journalistic Beat-Up? (Score:3, Informative)
Does the idea of a recursive honeypot sound entirely ridiculous?
It was not a honeypot, it was not even an AFP machine. Read down the discussion in TFA. Shaon Diwakar, the security expert quoted in the article, responding to another poster explains that he was misquoted by the journalist (re. SQL injection), and explains the status of the machine under question.
[my emphasis]
Which sounds like the AFP took over a machine belonging to someone who also forgot to set their mysql password. If I'm reading that correctly, and th
Re: (Score:3, Interesting)
If I'm reading that correctly, and they broke into a machine with poor security.
On reflection I'm not reading it correctly. What this probably means is they arrested the owner, took over the physical box, and just left it running to see who was using it. But the point stands. Not their responsibility to fix up the villain's poor security. Indeed, if this is what happened, one might imagine that minimal-to-no interference with how the box was running would be an operational imperative.
Re: (Score:2)
Added to this, from what I understand, all Australian government systems required to be secure for national security reasons are air-gapped and no wireless. I would assume that extends to all systems that need to be really secure. Don't need the internet for that service, then don't connect it to the internet.
As for honey pots, piggy back them onto tasty web IP ranges, develop a well-known reputation for doing so and hopefully doing it successfully and you will cut back on incursions. Not one or two honey pots
Even if unlocked still breaking and entering (Score:5, Informative)
Re:Even if unlocked still breaking and entering (Score:5, Informative)
Re: (Score:3, Funny)
After they started monitoring my internet connection (or rather, the internet connection I happen to use), my reaction was to stop checking my email. Obviously, email is pretty important, so not checking your email can have serious personal consequences. You might miss friends trying to get in touch or business opportunities.
Well, the cops didn't want that, so their reaction was to start
Re: (Score:2, Insightful)
How can I know the felony is worth it if I can't look at his porn stash first!
Re:Even if unlocked still breaking and entering (Score:5, Informative)
1) Breaking (The use of force, however slight, to facilitate entry - may include pushing open a door, opening a window etc.)
2) Entering (Literally entering the physical structure)
3) The home of another (Note that breaking into a commercial building would not constitute burglary. The property must have the primary use as a residence.)
4) At Night (Variously defined - usually from sunset to sunrise, but could be what a "reasonable" person would believe to be night)
5) With the Intent to Commit a Felony (Usually larceny, but can be any felony including violent crimes)
Note that I have quoted the common law elements of burglary. Many state statutes have altered the elements to, for example, remove the requirement that the break-in occur at night.
Jason
Yale Law School, Class of 2010
Re: (Score:2, Funny)
Re:Even if unlocked still breaking and entering (Score:4, Funny)
Re: (Score:3, Funny)
Re: (Score:2, Funny)
Six states of Australians also known as Her Majesty's Penal Colony :-)
Committing offense
Charged with offense
Awaiting trial
Convicted
Doing Time
On Parole
Re: (Score:2)
Wait... Australia has STATES? We must be WAY behind in getting those stars on the flag
Yep, we've earned our stripes too.
By the way, we've bought the rights to the Star Spangled Banner. RIAA agents on their way to your ball games this very moment.
Some Yank owns the rights to Waltzing Matilda, so it's only fair. RIAA might want to come to our barbecues, as we might sing it in a highly public way after a few beers. But they're nothing you can't fix with a backhoe, drunk or sober.
Re:Even if unlocked still breaking and entering (Score:4, Informative)
However, I still don't see the point of these pedantic comments. I thought it was obvious from my post that I was referring to the common-law definition of burglary in the United States. If I was at all unclear, my later post should have removed all doubt as I stated explicitly that the post referred to the law of the United States, not Australia.
Re: (Score:2)
But you are of course replying to a story about Australian Federal Police, so it would be reasonable to assume that you are stating Australian Law.
Re: (Score:2)
Does it make sense?
No, since most crimes require intent. Unless _negligently_ entering someone else's mailbox is also a crime, no crime was committed here.
Re: (Score:2)
What if you are on a generic police site, and just land in there by randomly clicking on five links on the page? It is still "breaking and entering".
What if you walk down the street, and fall into an open sewer, just to find out that it is a secret underground tunnel to a high-security government building, and there is no way to climb out, other than walking down the tunnel into the secret building?
What if you are blind, and walk through the open backdoor of a police headquarters' stolen goods storage room?
O
Re: (Score:2)
The distinction is usually intent. If you accidentally walk into a secret bunker with no intent, then that's not breaking and entering or burglary.
Re: (Score:2)
Re: (Score:2)
Burglary is legally defined in most states as "entering of a premises with the intent to commit a felony"
Re: (Score:2)
NO, but you can be charged with trespassing and if you take anything, burglary. If the door was closed but not locked it would be breaking and entering. IANAL, but I just asked one...
It's still breaking and entering (Score:5, Interesting)
"Can you be charged with breaking and entering a house that has the door left wide open?"
Nothing has to be "broken" during a breaking and entering. Not everything is so literal. As long as the person maliciously entered the system with the knowledge he didn't belong in there, it would be a virtual breaking and entering.
Re: (Score:3, Informative)
Re:It's still breaking and entering (Score:5, Informative)
Actually, that's the entering. Breaking is the act before entering. That's why it's called "breaking and entering". See http://legal-dictionary.thefreedictionary.com/burglary [thefreedictionary.com]
"At common law, entering through a preexisting opening did not constitute breaking. If one gained access through an open door or window, burglary was not committed. The same rule applied when a door or window was partially open even though it was necessary to open it further in order to enter. The rationale underlying this rule was that one who failed to secure his or her dwelling was not entitled to the protection of the law. A majority of states no longer follow this rule and consider breaking to be the slightest application of force to gain entry through a partially accessible opening."
So, my original point was that in modern US law, you don't have to do much "breaking" to commit a break and enter.
Re: (Score:3, Informative)
From lawguru.com [lawguru.com]
Forcible entry is distinguishable from the broader crime of "breaking and entering" which might not include any actual damage from the force used to "break" a way in, such as when one opens an unlocked door to private premises without license to do so, or tampers with a locking mechanism and later takes advantage of the defect. As such, one can assume that the "breaking" refers to breaking the plane of entry; that is, crossing the threshold of a door, window or other entryway into a building.
Re: (Score:2)
Depends on the jurisdiction. For example, in my state of Aus, last time I looked (a while ago, it may have changed),
Hence "breaking and entering", "entering wi
Re: (Score:2)
Re:It's still breaking and entering (Score:5, Insightful)
I should hope that the law is literal. "Don't be so literal" is not the kind of argument you want to hear from the prosecution at any phase of a trial. Especially sentencing. Assault and Battery are sure as damn different things, and separably chargeable.
Re: (Score:3, Informative)
I think the difference is obvious. Would you "break" into someone's house and try to convince the judge you didn't literally break anything when you are being charged with breaking and entering? I hope not.
I meant the name should not be taken literally, but obviously the law itself should.
Re: (Score:2, Funny)
I understand how one can charge a battery, but how does one charge an assault? Let alone why you'd have to charge them separately... ...
Re: (Score:2)
Okay.. So do I go to Virtual Prison? Drop the Virtual Soap? Put on Virtual Lipstick?
Just curious... :)
Re:It's still breaking and entering (Score:5, Funny)
Re: (Score:2, Funny)
Please don't give EA ideas T_T
According to TFA (Score:3, Informative)
It was not the main database which was broken into, but rather just a node which had some of the information from the database stored on it.
TFS is very poorly written... it is not worthy of being a "Summary".
Re: (Score:3, Funny)
They spoke of the Russian DDoS on the Gamboling people in the north, then they jumped around a bit listening to police officers talk a little too quietly (almost mumbling) about IT stuff (which had me cringing the entire time). Then they showed us a 20-year-old who looked like a try hard metalhead who was apparently this 'leet hacker' in control of 56,000
Fina
police blow credibility (Score:2)
NEIL GAUGHAN (national manager hi-tech operations for AFP): G'day gents how we going?
AFP OFFICER: Morning Sir, how you going.
NEIL GAUGHAN: Good thanks.
AFP OFFICER: What we're gonna do is we're just gonna make a telephone call and we're goi
Re: (Score:2)
The officers might not be allowed to post official police notices on the internet, so they get someone else with that job responsibility to do it.
It also shifts responsibility to someone else.
well... (Score:2)
Brag about it and get snapped! (Score:5, Informative)
The way they were talking on the TV show you're led to believe they worked hard and displayed decent technical knowledge and skills. Nice to know my tax dollars pay for a department that doesn't even have a secure server. However according to the article the police stated that it was a separate network with no actual worthwhile data or connection to the real network
Re:Brag about it and get snapped! (Score:5, Insightful)
Well, they would say that, wouldn't they?
Re: (Score:2)
Four Corners is dedicated to cyber crime?
Re: (Score:2)
So yeah, this ain't too bad if this is a starting salary.
Re: (Score:2)
It's probably an entry-level position. Apparently the NSW police pay around $75-80K per year, but I'm not sure what the upper limit is.
Criminal Intent ! (Score:5, Informative)
One thing missing here (and indeed in some statutes) is the concept of "mens rea", the guilty intent. Yes, this could be trespassing or it could be theft. The prosecutors (Crown) have to establish intent in the break-in.
Breaking & entering or burglary does not require any sort of strong measures be overcome -- just walking through a totally unlocked screen door qualifies. But if you aren't taking anything or doing anything else wrong, then it is trespassing.
The problem with some statute is it attempts to be self-proving -- ie, the act establishes intent. For it to reasonably do so, there must be no possible innocent explanation. Anyone could formulate a query to a webserver. If it honors the query, how is that "unauthorized access"? However, someone might argue if it is not in a clickable URL, then the access is not authorized. I would disagree and state that clickable URLs are "encouragement" or ease of use. Exposing a query language is authorization for its use. After all, it could easily have been hidden.
Re: (Score:2, Informative)
Since this all happened in Victoria, the relevant offence is Unauthorised access, modification or impairment with intent to commit serious offence [austlii.edu.au]
and/or Unauthorised modification of data to cause impairment [austlii.edu.au]
According to that, the state of being "unauthorised" [austlii.edu.au] refers to entitlement, ie legal entitlement, rather than any sense of software authorisation (which a few people have rather misguidedly suggested is a valid interpretation).
In seeing this from the dark side... (Score:4, Insightful)
That's a little like saying "Can someone be charged with stealing a bike if it was just sitting up against the front of the store while the owner was inside the store.."
Just because there wasn't a safeguard in place (supreme dumbasses? Why yes!) it isn't a valid legal argument (at least in the states) to plead ignorance to the effect that you still stole the bike, even if there was no lock securing it..
It might be an interesting place to live if everything could be played with/used/stolen as long as it wasn't secured..
As always, I may know nothing about anything, ever - and don't smoke crack.
Presumptions are dangerous... (Score:2)
One of the things which I've always wondered is how hackers know they've broken into the real-deal versus a honeypot.
Re: (Score:2)
Typical bureaucratic concept of network security (Score:4, Funny)
We don't need to secure anything...we've got a...
(Tympanic BOOM-BOOM-BOOM)
A FIREWALL!
Re:Typical bureaucratic concept of network securit (Score:2)
I think I need a timpani recording on my phone, to play on demand.
Re: (Score:2)
Yeah, but then you'd have a percussionist following you around. And percussionists are practically drummers.
TERRIBLE analogy (Score:3, Insightful)
Let's get a better analogy:
"If you broke a window (pun intended), entered the house, saw a safe on the floor, turned the handle and it was unlocked, would you be breaking and entering?"
Re: (Score:2)
Entering someone's property without being invited is trespassing.
Entering someone's house without being invited is usually breaking and entering.
Gaining access to the contents of something like a safe or a drawer would establish intent for theft, since that's pretty much the only reason you'd be entering a safe or drawer anyway, or at least, that's what the expensive lawyers would be paid to prove.
So you have trespassing, and breaking and entering in the least.
Now, this being a computer situation, I don't t
Four Corners (Score:2, Informative)
I'd just like to point out that on Monday night EST, Four Corners [abc.net.au], one of only a small handful of highly respected journalism shows in Australia, ran a piece on "Hackers" and "cyber-crime". I use inverted commas, because although this show is highly respected it "dumbed" down all the interviewees.
1. Essentially it was about hackers who DDOS'd multi-bet and destroyed the company.
2. Essentially it was about a dumb old guy who was a victim of a simple phishing scam.
3. Essentially it was about Australian F
Re: (Score:2)
If there is any justice in the world, you will end up with impaired mental faculties in your old age and some scammer will take you for everything you own.
They don't need to be any more competent (Score:2)
Where the majority of the "Dancing with the Stars," generation are concerned these days, that's about the level of competence that the police need to get the job done. People who know how to access MySQL databases at all probably aren't a large group, relative to the general population.
Re: (Score:2)
I'd be worried if their "is it secure?" test was along the lines of "is it safe from an untrained tween with an internet browser?"
"SQL Injection" (Score:2)
According to the article they also used "SQL injection" except they described it wrong.
The person made a .php file through MySQL calls, but they referred to that as SQL injection.
Interesting (Score:2)
I've got a few systems like that on my networks, except I call them honeypots.
AU judges often don't have passwords on their PCs (Score:4, Interesting)
Re: (Score:2)
Thus, many judges don't even password protect their PCs
I think you may be mis-using the word "judges". Australian judges wear horse-hair wigs and wouldn't know a PC if they tripped over it. They have typists and stenographers to do that newfangled stuff.
No root password - beyond the hyperbole (Score:5, Informative)
I've run databases with no root password as well. It's not as insecure as people are laughing about, and the security problems here stem from sources other than the database. By default, MySQL only allows root access from the local ip of the box. The issue here is that the local security was compromised, hence that protection failed.
So what if they had set the root password for MySQL? Pointless - with local security destroyed it's a trivial operation to reset the password, and it's described directly on the MySQL site here [mysql.com].
The article doesn't state they used a root db password either, it shows an SQL injection exploit using the "password for its database application". Doesn't mention that the db password was the root db password.
It's still a bad breach obviously, but the nature of the breach is not as the summary describes it.
Cheers,
Ian
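The comment above rests on a distinction a defender can check directly: an empty-password account is a different exposure depending on its `Host` value and on whether `mysqld` listens beyond loopback. The following is an added example, not part of the original post and not MySQL's own code; the function names and all sample data are constructed, and the account rows are assumed to come from `SELECT User, Host, authentication_string, plugin FROM mysql.user`.

```python
import configparser

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Plugins that authenticate by OS identity, so an empty hash is not "no password".
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}

# Constructed sample input: a simplified my.cnf fragment and account rows.
SAMPLE_MY_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""
SAMPLE_ACCOUNTS = [
    ("root", "localhost", "", "mysql_native_password"),
    ("root", "%", "", "mysql_native_password"),
    ("forum", "10.0.0.%", "*CONSTRUCTED-HASH-PLACEHOLDER", "mysql_native_password"),
    ("backup", "localhost", "", "auth_socket"),
]


def listener_is_remote(cnf_text):
    """True if mysqld accepts TCP connections on a non-loopback address."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(cnf_text)
    if not cp.has_section("mysqld"):
        return True  # nothing configured: upstream default is all interfaces
    # MySQL accepts both bind-address and bind_address spellings.
    opts = {k.replace("_", "-"): v for k, v in cp.items("mysqld")}
    skip = opts.get("skip-networking", "0")  # a bare flag parses as None
    if skip is None or skip.strip().lower() in {"1", "on", "true"}:
        return False  # TCP disabled, local socket connections only
    bind = (opts.get("bind-address") or "*").strip()
    return bind not in LOCAL_HOSTS


def audit(cnf_text, accounts):
    """Return (user, host, exposure) for every account with no password."""
    remote_listener = listener_is_remote(cnf_text)
    findings = []
    for user, host, auth_string, plugin in accounts:
        if auth_string or plugin in SOCKET_PLUGINS:
            continue  # has a password hash, or is tied to an OS account
        remote = remote_listener and host not in LOCAL_HOSTS
        findings.append((user, host, "remote" if remote else "local-only"))
    return findings


if __name__ == "__main__":
    for user, host, exposure in audit(SAMPLE_MY_CNF, SAMPLE_ACCOUNTS):
        print(f"{user}@{host}: empty password, {exposure}")
```

A `local-only` finding is the situation the comment describes: the account is unreachable from the network, but anyone who gets a shell on the host is database root.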
Breaking and entering? (Score:2)
Can you be charged with breaking and entering a house that has the door left wide open?
Who cares? That has about as much to do with this story as theft does with copyright violations.
Breaking and Entering? (Score:2, Informative)
If a door to a house is left wide open, it is not an invitation. You can be charged with criminal trespass for entering the house - no "breaking and entering" (you watch too much TV, really) required.
If you enter that house with the intent to commit a crime, then you've escalated to Burglary, which in my particular state is a first degree felony carrying a 20 year maximum sentence. It does not matter if you were successful in committing your crime. Simply entering the
Proof again! (Score:2)
Well there ya go, put people in charge that have no backgrounds in IT and let them call the shots, because they NEED to tell people what to do, we call this micromanaging. Just because it is easier to remember your dog's name, or to leave a password blank, does not mean you get to tell the network admin to make it so. His job is to enforce security, if you put blinders on him or limit his power by overruling him, then don't expect for anything to be secure!!!
Re: (Score:2, Funny)
What is it that they could of had?
could of halved. Sheesh.
Re: (Score:2)
Collecting info in real time for later use in court.
The Australians wanted to do a "Special Agent J. Keith Mularski" and run the forum for a few years, but something did not work out.
http://www.wired.com/threatlevel/2008/10/darkmarket-post/ [wired.com]
"... online watering hole for thousands of identity thieves, hackers and credit card swindlers, has been secretly run by an FBI cybercrime agent for the last two years.."
Someth
Re: (Score:2)
It wasn't a major system, it was a confiscated hacking forum running as a honeypot. I don't even think it was running on an AFP network. TFS is pathetic.
Re: (Score:2)
If seen, would just look like any other PC recording a forum in real time been used by ????.
The real trick for the feds to become admins.
What they mirrored off the forum with is really just a cute detail.
Re: (Score:2)
"Police were monitoring the forum by logging into the account of the administrator they had raided, but this aroused suspicion among members who knew the raid had taken place."
Real world meets virtual world...
Best to use the real account while they could vs. to try and hack.
The feds did not show their toolkits and they still got to look around.
Re: (Score:2)