Australian Police Database Lacked Root Password 214
Concerned Citizen writes "The Australian Federal Police database has been hacked, although 'hacked' might be too strong a word for what happens when someone gains access to a MySQL database with no root password. Can you be charged with breaking and entering a house that has the door left wide open? Maybe digital trespassing is a better term for this situation. 'These dipshits are using an automatic digital forensics and incident response tool,' the hacker wrote. 'All of this [hacking] had been done within 30-40 minutes. Could of [sic] been faster if I didn't stop to laugh so much.'"
Even if unlocked still breaking and entering (Score:5, Informative)
According to TFA (Score:3, Informative)
It was not the main database which was broken into, but rather just a node which had some of the information from the database stored on it.
TFS is very poorly written... it is not worthy of being a "Summary".
Re:It's still breaking and entering (Score:3, Informative)
Brag about it and get snapped! (Score:5, Informative)
The way they were talking on the TV show you're lead to believe they worked hard and displayed decent technical knowledge and skills. Nice to know my tax dollars pay for a department that doesn't even have a secure server. However according to the article the police stated that it was a seperate network with no actual worthwhile data or connection to the real network
Criminal Intent ! (Score:5, Informative)
One thing missing here (and indeed in some statutes) is the concept of "mens rea", the guilty intent. Yes, this could be trespassing or it could be theft. The prosecutors (Crown) has to establish intent in the break-in.
Breaking & entering or burlary does not require any sort of strong measures be overcome -- just walking through a totally unlocked screen door qualifies. But if you aren't taking anything or doing anything else wrong, then it is trespassing.
The problem with some statute is it attempts to be self-proving -- ie, the act establishes intent. For it to reasonably do so, there must be no possible innocent explanation. Anyone could formulate a query to a webserver. If it honors the query, how is that "unauthorized access"? However, someone might argue if it is not in a clickable URL, then the access is not authorized. I would disagree and state that clickable URLs are "encouragement" or ease of use. Exposing a query language is authorization for its' use. After all, it could easily have been hidden.
Re:Even if unlocked still breaking and entering (Score:5, Informative)
Re:It's still breaking and entering (Score:3, Informative)
I think the difference is obvious. Would you "break" into someone's house and try to convince the judge you didn't literally break anything when you are being charged with breaking and entering? I hope not.
I meant the name should not be taken literally, but obviously the law itself should.
Re:It's still breaking and entering (Score:5, Informative)
Actually, that's the entering. Breaking is the act before entering. That's why it's called "breaking and entering". See http://legal-dictionary.thefreedictionary.com/burglary [thefreedictionary.com]
"At common law, entering through a preexisting opening did not constitute breaking. If one gained access through an open door or window, burglary was not committed. The same rule applied when a door or window was partially open even though it was necessary to open it further in order to enter. The rationale under-lying this rule was that one who failed to secure his or her dwelling was not entitled to the protection of the law. A majority of states no longer follow this rule and consider breaking to be the slightest application of force to gain entry through a partially accessible opening."
So, my original point was that in modern US law, you don't have to do much "breaking" to commit a break and enter.
Re:Brag about it and get snapped! (Score:1, Informative)
Re:a legit hack (Score:4, Informative)
Re:Even if unlocked still breaking and entering (Score:5, Informative)
1) Breaking (The use of force, however slight, to facilitate entry - may include pushing open a door, opening a window etc.)
2) Entering (Literally entering the physical structure)
3) The home of another (Note that breaking into a commercial building would not constitute burglary. The property must have the primary use as a residence.)
4) At Night (Variously defined - usually from sunset to sunrise, but could be what a "reasonable" person would believe to be night)
5) With the Intent to Commit a Felony (Usually larceny, but can be any felony including violent crimes)
Note that I have quoted the common law elements of burglary. Many state statutes have altered the elements to, for example, remove the requirement that the break-in occur at night.
Jason
Yale Law School, Class of 2010
Re:Grammar nazi alert (Score:0, Informative)
There's also a contraction for "have" that the writer could've used.
Re:It's still breaking and entering (Score:1, Informative)
Security guard here. At least in Canada, it's breaking and entering if you trespass with intent to commit a crime or commit a crime in the process of entering. Smash a window to get in? B+E. Walk in the unlocked door to steal something? B+E. Walk in to stand around for a while and leave? Trespassing. Not sure how that relates to computer-related legalities, but there you go.
Re:It's still breaking and entering (Score:3, Informative)
From lawguru.com [lawguru.com]
Forcible entry is distinguishable from the broader crime of "breaking and entering" which might not include any actual damage from the force used to "break" a way in, such as when one opens an unlocked door to private premises without license to do so, or tampers with a locking mechanism and later takes advantage of the defect. As such, one can assume that the "breaking" refers to breaking the plane of entry; that is, crossing the threshold of a door, window or other entryway into a building.
Four Corners (Score:2, Informative)
I'd just like to point out that on Monday night EST, Four Corners [abc.net.au] one of only a small handful of highly respected journalism shows in Australia, ran a piece on "Hackers" and "cyber-crime". I use inverted commas, because although this show is highly respected it "dumbed" down all the interviewees.
1. Essentially it was about hackers who DDOS'd multi-bet and destroyed the company.
2. Essentially it was about a dumb old guy who was a victim of a simple phishing scam.
3. Essentially it was about Australian Federal Police (AFP) who were on the TV show, quite literally laughing at the hackers.
Now, I agree with the first point. I do not have time or appreciation for hackers black mailing then botnet'ting a company to Bankruptcy.
But I do want to make the point: Dumb people get what they deserve (point 2), and dumb organizations who instigate other organization that are much smarter than themselves also get what they deserve. I think "pie in the face" in an understatement in this instance.
I think the only good news in this Article was that the database didn't contain the Tax numbers or Criminal Records of every Australian. I have the highest respect for AFP and the Australia Police Service.
Re:Even if unlocked still breaking and entering (Score:5, Informative)
Speaking from the experience of being charged with them, New York State also has a few different computer crime laws. The simplest one is a misdemeanor, "Unauthorized use of a computer". All that's required to commit this crime is to bypass a security system (wi-fi encryption, username/password prompt, etc.) without authorization to do so from the owner of said system. Then there's "computer trespass", a felony. The only difference between the two? Unauthorized use of a computer merely requires that you gain access to the system. Computer trespass requires that you use that access to access "computer material" (i.e: data).
So, breaking your neighbors WEP encryption and logging onto his network is a misdemeanor. Using this access to browse onto his c$ share and download his secret porn stash bumps it up to a felony.
Re:Even if unlocked still breaking and entering (Score:4, Informative)
However, I still don't see the point of these pedantic comments. I thought it was obvious from my post that I was referring to the common-law definition of burglary in the United States. If I was at all unclear, my later post should have removed all doubt as I stated explicitly that the post referred to the law of the United States, not Australia.
Journalistic Beat-Up? (Score:3, Informative)
Does the idea of a recursive honeypot sound entirely ridiculous?
It was not a honeypot, it was not even an AFP machine. Read down the discussion in TFA. Shaon Diwakar, the security expert quoted in the article, responding to another poster explains that he was misquoted by the journalist (re. SQL injection), and explains the status of the machine under question.
[my emphasis]
Which sounds the AFP took over a machine belonging to someone who also forgot to set their mysql password. If I'm reading that correctly, and they broke into a machine with poor security, it's probably not in their job description to fix up the victim's mysql password. So no, I doubt if anyone (in the AFP) will be sacked here.
no injection necessary (Score:5, Informative)
The article states they just used SQL injection
The article is wrong. Quoting from (again!) from the message left in the discussion by the quoted security dude in response to someone questioning whether this really was SQL injection:
The journalist (Asher Moses) simply got it wrong. It happens.
Re:no injection necessary (Score:3, Informative)
Are you (or he, i haven't read his comment) trying to say that mysql was accessible from the outside to arbitrary connections directly? I find that pretty hard to believe.
It appears to be what he (or someone claiming to be him) is saying, or am I misreading him. For your benefit, I'll quote his comment in its entirety:
@killjoy - you're absolutely correct, it would just be a matter of punching in SQL statements once you've managed to connect to MySQL. This wouldn't be SQL injection, but rather just plain SQL query execution. I guess in explaining that to Asher the definition got skewed. Also, according to what we were presented, the AFP commandeered this server as part of an investigation - so it may not necessarily have been a honeypot per se.
@k@icolo - you'll be surprised, its just human nature. It could easily have happened to security folks (such as us) as well - especially if we're not vigilant.
@Luke | Melbourne - the point of the 4corners exercise was to demonstrate what would happen in the scenario where a wireless AP was not encrypting traffic - you may be using WPA2 but a lot of people aren't, nor would they know how to enable it.
Posted By: Shaon Diwakar | HackLabs - August 18, 2009, 10:00PM
How do you read that?
Note also that he indicates that this was not an AFP machine, or a machine normally administered by the AFP, but a machine "comandeered" (which on reflection probably means confiscated rather than cracked) by the AFP.
Re:a legit hack (Score:1, Informative)
...breaking into a computer through nonobvious (to the average person) means is cracking.
Re:a legit hack (Score:2, Informative)
Imagine you have a script that just includes a user's profile data (user.php) from a flat file (stupid i know but its an example), by entering in a remote file to a field, it might be sanitized, however in a sql injection you could over right "user.php" with http://www.evilsite.com/evilscript.php [evilsite.com]
Myspace ran into this issue when they launched their mobile service. The mobile service wasn't properly stripping out javascript and the main site didn't sanitize already input data, under the assumption that sanitization had already happened. As a result, you could enter javascript into the mobile client and it would be executed on any web browser.
Re:Criminal Intent ! (Score:2, Informative)
Since this all happened in Victoria, the relevant offence is Unauthorised access, modification or impairment with intent to commit serious offence [austlii.edu.au]
and/or Unauthorised modification of data to cause impairment [austlii.edu.au]
According to that, the state of being "unauthorised" [austlii.edu.au] refers to entitlement, ie legal entitlement, rather than any sense of software authorisation (which a few people have rather misguidedly suggested is a valid interpretation).
No root password - beyond the hyerbole (Score:5, Informative)
I've run databases with no root password as well. It's not as insecure as people are laughing about, and the security problems here stem from sources other than the database. By default, MySQL only allows root access from the local ip of the box. The issue here is that the local security was compromised, hence that protection failed.
So what if they had have set the root password for MySQL? Pointless - with local security destroyed it's a trivial operation to reset the password, and it's described directly on the MySQL site here [mysql.com].
The article doesn't state they used a root db password either, it shows an SQL injection exploit using the "password for its database application". Doesn't mention that the db password was the root db password.
It's still a bad breach obviously, but the nature of the breach is not as the summary describes it.
Cheers,
Ian
Re:mmmm........ (Score:3, Informative)
Wrong. You must physically disable a security system. Otherwise,what is trespassing?
Breaking and Entering? (Score:2, Informative)
If a door to a house is left wide open, it is not an invitation. You can be charged with criminal trespass for entering the house - no "breaking and entering" (you watch too much TV, really) required.
If you enter that house with the intent to commit a crime, then you've escalated to Burglary, which in my particular state is a first degree felony carrying a 20 year maximum sentence. It does not matter if you were successful in committing your crime. Simply entering the property with the intent to commit a crime (any crime) is burglary.
If you enter that property with the intent to commit a crime, say, theft, and you succeed, you have not only committed the felony of burglary, but you have also committed theft by taking and possession of stolen property, which are completely independent charges, carrying their own sentences.
How these are analogues to the computer world, well, I don't know. I am sure it depends on the jurisdiction. There are laws on the books in some places regarding unauthorized access, regardless of intent.
Bottom line is, kids, you cannot assume a lack of security equals an invitation to snoop around.
Re:No root password - beyond the hyerbole (Score:2, Informative)
So what if they had have set the root password for MySQL? Pointless - with local security destroyed it's a trivial operation to reset the password, and it's described directly on the MySQL site here [mysql.com].
MySQL root password reset requires you to have an OS root access. With MySQL having no root password you can access the DB from any local user. There is a difference between having a, let's say, PHP shell on the server and having a root shell. Depending on OS and your skills you can escalate from wwwuser to root, but it's mostly a far from a trivial task.
Re:mmmm........ (Score:2, Informative)