Hacker Steals Military Docs Because Someone Didn't Change a Default FTP Password (bleepingcomputer.com)
New submitter secwatcher shares a report: A hacker is selling sensitive military documents on online hacking forums, a security firm has discovered. Some of the sensitive documents put up for sale include maintenance course books for servicing MQ-9 Reaper drones, and various training manuals describing comment deployment tactics for improvised explosive devices (IEDs), an M1 ABRAMS tank operation manual, a crewman training and survival manual, and a document detailing tank platoon tactics. US-based threat intelligence firm Recorded Future discovered the documents for sale online. They say the hacker was selling the data for a price between $150 and $200, a very low asking price for such data. Recorded Future says it engaged the hacker online and discovered that he used Shodan to hunt down specific types of Netgear routers that use a known default FTP password. The hacker used this FTP password to gain access to some of these routers, some of which were located in military facilities, he said.
Never attribute to malice (Score:1)
Which can easily be explained by stupidity.
This is one of those times.
Re: (Score:3)
Re:Never attribute to malice (Score:4, Insightful)
Re: (Score:3)
No offence to the military.. But they are not generally staffed with the cream of the crop down where things are getting fixed.
The standard joke for military aircraft goes like this.. They are designed by PhDs, flown by college graduates, and maintained by high school dropouts.
I can tell you that the intelligence of your average flight line maintainer isn't going to be anything to write home about. Some of them can think, but most just blindly follow the diagnostic trees provided by the PhDs who built t
Re: (Score:2)
Re: (Score:2, Interesting)
I'm insulted.
Unlike you, I was a high school graduate who joined the Navy in 1965.
I went to 10 months, 8 hour days of school at NAS Memphis studying electronics.
After being in the field a year, I went back to NAS Memphis for another 10 months, 8 hour days of advanced training.
From NAS Jax, I went to schools at NAS Key West on radars, altimeters, magnetometers, airborne anti-submarine computers, radios, sonobuoys, sonar transponders, and a bunch of other shit.
I did 9 years, serving alongside some very smart,
Re: (Score:3, Funny)
They didn't have NAS back in 1965. It was the early 1980s before any such concept was even developed. Don't be lying to us.
Re: (Score:2)
I will sing you the Navy Hymn: "Him, him, fuck him."
NAS Jax [wikipedia.org] (for instance):
On October 15, 1940, Naval Air Station Jacksonville was officially commissioned, and became the first part of the Jacksonville Navy complex that would eventually include NAS Cecil Field and Naval Station Mayport, as well as numerous naval auxiliary air stations and outlying fields in northeast Florida.
Re: (Score:2)
Thanks.
Re: (Score:2)
I appreciate your civility.
My use of jargon without explanation contributed.
Re: (Score:3)
You obviously are one of the ones who can think... I've run into flight line personnel who went through all the same schools you claim and came out not knowing how to measure current coming from a DC power supply on the test bench. I'm talking about folks who did the schools and completed their enlistments fixing airplanes. I've also been responsible for producing automated test equipment for squadrons to test avionics with. I can attest with assurance that if something requires a bit of thought and unde
Re: (Score:2)
I can only speak of the world I lived in.
Incompetent people washed out of school. Only 10% of us made it all the way through, both times.
Those were the only personnel on the flight deck or on the tarmac.
I never met anyone of any skill who was not fully qualified, whether they were loading ordnance, fixing engines or avionics, electrical systems, or dragging aircraft around or fighting fires or serving chow or keeping the fucking ship clean.
The only goofballs I ever met were rookie ensigns and they were gre
Re: (Score:2)
"Incompetent people washed out of school. Only 10% of us made it all the way through, both times."
That was then, this is now.
Re: (Score:2)
Re: (Score:2)
Re: Never attribute to malice (Score:2)
Some of them can think, but most just blindly follow the diagnostic trees provided by the PhDs who built the system they are maintaining.
That's got nothing to do with the military; it's the aerospace industry in general. Maintenance has to be done as per approved manufacturer defined procedures, otherwise you're in violation of all sorts of airworthiness policies. The days when you could slap together a temporary fix with duct tape and bubblegum are long gone.
There's still some thought involved in actually knowing the systems and being able to figure out which parts of the "diagnostics trees" are worth following in any given circumstance (
Re: (Score:2)
I said "blindly" following the diagnostic tree. Such trees MUST assume single faults or they would be impossible to write. Multiple faults can send the fault isolation down the wrong path and lead to ineffective repairs. In such cases I've seen multiple attempts to "fix" the issue multiple times using exactly the same repair as if doing the same thing twice in a row will fix it the second time. Forget looking at that connector you just removed, twice now...
Sometimes, the source of the issue is blatantly
Re: (Score:2)
Because they don't want it to cost nearly 2 Trillion a year, which it might if they contracted for custom routers that were not available commercially.
Re:Never attribute to malice (Score:5, Informative)
The fact that FTP is being used at all is a big red flag for me. Unless it's sitting inside a fully encrypted tunnel, an FTP password is so trivial to steal even if it isn't an obvious password. There may be a few cases where one has to use FTP, but where I have been forced to use it (old hardware), it's ringfenced like nuts, and I'm not going to have an FTP server open on the Internet, unless it's some sort of publicly available archive where I don't care who downloads off of it.
Re: (Score:2)
The fact that a NAS support
Re: (Score:1)
It should be somewhere between difficult and impossible to get an FTP server running on a NAS. A web server is superior in every way:
Web servers can be secured with TLS.
Web servers provide encrypted password transport even if the connection isn't encrypted (digest auth).
Web servers support continuing a download where you left off, rather than fetching the entire resource.
That doesn't quite add up. An FTP server can do all of the things you have listed too.
FTPS is to FTP what HTTPS is to HTTP, and mostly works the same.
FTPS protects the command channel and your password using TLS, just as a webserver does.
FTPS can protect the data channel with SSL as well.
Both can use the same signed certificates to defer trust of domain name ownership or use self-signed ones if that's good enough.
The FTP protocol in whole has supported the REST command to restart transfers since the mid 80
Re: (Score:2)
+1 informative
Re: (Score:3)
FTPS is not nearly as broadly supported as FTP or HTTP, last I checked. In particular, unless things have changed in the last couple of years, Internet Explorer et al do not support FTPS, which makes the protocol basically DOA in a real-world environment.
You are technically correct that FTP has a resume command. Unfortunately, last I checked, Apple's URL handling infrastructure didn't support it, which AFAIK means neither does Safari. So bas
Re: (Score:2)
You are technically correct that FTP has a resume command. Unfortunately, last I checked, Apple's URL handling infrastructure didn't support it, which AFAIK means neither does Safari.
So just another case where Apple does the wrong thing, so what? Those crop up all the time, they aren't an indictment against the protocol.
The one and only reason not to use FTP (in the form of FTPS) is that users will have to download a client. You could use an actual FTP server locked down to prevent any transfers to transmit a URL to prospective users where they could get such a client, but it's probably easier overall to just not bother, and use a solution that lets them use their browser — even if
Re: (Score:2)
Apple AND Microsoft, in different ways. This is a strong hint that the industry as a whole abandoned the protocol a long time ago.
Re: (Score:2)
So the entire US gov is wide open internally so all the contractors can bid for and keep working.
Start adding encryption to every part of the US gov and mil and then contractors feel locked out.
The contractors contact political leaders and demand access for their products and services.
So any good encryption within the US gov is removed and contrac
wow - just wow (Score:3)
Re: wow - just wow (Score:1)
As bad as both of those things mentioned are, the REAL offence is that they are using the horrific unencrypted plain FTP protocol.
It's a terrible protocol, not just as regards security but even at a functional level it's a completely fucked up protocol that just needs to die.
I also call bullshit on anyone who claims "major" performance issues using say SSH, which can be highly tuned with the HPN-SSH patches to get wire speed.
Re:wow - just wow (Score:4, Interesting)
who has netgear equipment anymore? who allows default passwords anymore? wow
Yes, but let's make this all about the "hacker" and ignore anything to do with holding any US military or politicians responsible for making the breach possible. After all, cases like that of Lauri Love show that the go-to response by the US government for these sorts of situations is "kill the messenger!" whenever government incompetence and corruption are exposed, and this behavior is not limited to Left or Right. It's natural human behavior that's amplified and given power by having a too-powerful central government
Strat
Re: (Score:2)
Strat
-ocaster?
Re: (Score:2)
Yes, although I don't own and play *only* Stratocasters they are my usual "go-to" instrument. Also, the "Blue" in "BlueStrat" is not referring to a color, as any guitar I pick up is automatically "blue". ;-)
You'll also notice, looking at my posting history, that my posts happen at wildly random times, often at oh-dark-thirty local time. The life of a working musician. It doesn't get any easier with age, either!
Strat
Re: (Score:2)
I remember those days ..play 'til 3am, get up for work at 7:30am, Wed and Thurs.. by Saturday night, I was a zombie. Fortunately that gig was only once every 4 to 6 weeks. That was years ago, I couldn't do that now, I'm definitely too old. Strats are great, mine is aztec gold, but I have a collection of all types.
Re: (Score:2)
Well met, fellow string-slinger! I'm older now, too. I play mostly festivals, fairs, casinos, and similar types of gigs where the bookings can be spread out and planned to minimize stress, which helps tremendously. It does often mean medium-long trips and odd times for my comings and goings. It's still a hell of a lot of work and energy expenditure for someone north of 60 and not in the greatest of health. But after all, "players play".
Play on!
Strat
Re: (Score:2)
... ignore anything to do with holding any US military or politicians responsible for making the breach possible.
Do the attempts at making everything Trump's fault never end? How is it a politician's fault, ANY politician's fault, if some military IT person forgot to change a password on an unused protocol before attaching a router to the network? How is it not the fault of the person attaching the router to the net, AND the Captain whose computer was broken into using that access?
There is a later comment about "comment deployment". It's not /.'s fault for that one, although an editor should have caught that. The en
Re: (Score:1)
No, it isn't. Anonymous FTP doesn't provide support for partial retransmission, which makes it an absolutely awful way to share data with a lot of people, unless the data is very small (in which case you should probably just paste it into an email).
It is far better to turn on directory listings in a web server and drop th
Re: (Score:3)
Anonymous FTP doesn't provide support for partial retransmission
What? Since when [stackoverflow.com]? You have to be a schmuck to support resuming anonymous uploads, but you can even do that [proftpd.org]!
You get the same overall behavior as FTP, but you gain the ability to pause downloads, the ability to secure those downloads if you want to (with TLS), the ability to have passwords that are not sent in the clear, etc.
You can do all of that with FTP, too. FTP already permits resuming downloads, FTPS [wikipedia.org] is already FTP with TLS, and already protects your password.
It's probably still smarter to use a web interface, but not because FTP can't be secured. It's only because users will have to download a secure FTP client, and they already have a web browser.
Re: (Score:2)
To be pedantic, FTPS is not really FTP. If you really want to support an FTPS-only solution, go for it, but since it isn't broadly supported, there's no reason to bother. And the unencrypted protocol is generally a bad idea by its very nature (authentication in the clear).
Re: (Score:2)
To be pedantic, FTPS is not really FTP.
To be pedantic, FTPS is exactly FTP with TLS and SSL. It is so much that, that you can actually connect with just FTP and then elevate to FTPS.
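The points made in this thread about FTP passwords crossing the wire in the clear, and about FTPS being plain FTP elevated with AUTH TLS (with REST for resuming transfers), as an added example; this is my code, not anything posted by a commenter. It audits constructed FTP control-channel transcripts and reports whether PASS was sent before a TLS upgrade, whether PROT P protected the data channel, and whether REST was used; the "C: / S:" transcript format is an assumption.

```python
"""Audit FTP control-channel transcripts: was the password sent in the clear,
or did the client elevate to FTPS (AUTH TLS, RFC 4217) before USER/PASS?
Assumes "C: <command>" / "S: <reply>" lines, as a verbose client shows them."""
from dataclasses import dataclass


@dataclass
class Finding:
    user: str = ""
    control_tls: bool = False      # AUTH TLS/SSL accepted before login
    password_in_clear: bool = False
    data_protected: bool = False   # PROT P accepted: data channel under TLS
    resume_used: bool = False      # REST issued: transfer resumed mid-file


def audit(transcript):
    """Walk one session and record what crossed the wire unprotected."""
    f = Finding()
    pending = None                 # last client command awaiting its reply
    for line in transcript:
        side, _, text = line.partition(": ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb == "USER":
                f.user = arg
            elif verb == "PASS" and not f.control_tls:
                f.password_in_clear = True   # sent before any TLS upgrade
            elif verb == "REST":
                f.resume_used = True
            pending = (verb, arg.upper())
        elif side == "S" and pending is not None:
            accepted = text[:1] == "2"       # 2xx reply: command succeeded
            if pending[0] == "AUTH" and pending[1] in ("TLS", "SSL") and accepted:
                f.control_tls = True         # 234: channel is TLS from here on
            elif pending == ("PROT", "P") and accepted:
                f.data_protected = True
            pending = None
    return f


# Constructed sample transcripts (not real captures).
PLAIN_SESSION = [                  # classic FTP: credentials in the clear
    "S: 220 Welcome",
    "C: USER admin",
    "S: 331 Password required",
    "C: PASS password",            # readable by anyone on the path
    "S: 230 Login successful",
]
EXPLICIT_FTPS_SESSION = [          # plain connect, then AUTH TLS upgrade
    "S: 220 Welcome",
    "C: AUTH TLS",
    "S: 234 Proceed with negotiation",
    "C: USER alice",
    "S: 331 Password required",
    "C: PASS hunter2",             # already inside TLS
    "S: 230 Login successful",
    "C: PBSZ 0",
    "S: 200 PBSZ=0",
    "C: PROT P",
    "S: 200 Protection set to Private",
    "C: REST 1048576",             # resume the download from 1 MiB
    "S: 350 Restarting at 1048576",
]
TLS_REFUSED_SESSION = [            # server lacks TLS, client logs in anyway
    "S: 220 Welcome",
    "C: AUTH TLS",
    "S: 500 Unknown command",
    "C: USER admin",
    "S: 331 Password required",
    "C: PASS password",            # fell back to the clear: flagged
    "S: 230 Login successful",
]
```

The third transcript is the failure mode worth watching for: a client that offers AUTH TLS but logs in anyway when the server refuses it still leaks the password.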
Re: (Score:2)
unless the data is very small (in which case you should probably just paste it into an email).
You see, you assume you know the problem that FTP is solving, and you really don't. I have no intention of forcing people to send me an email asking for some data, nor do I intend on wasting my time sending them emails with all the data they want. You can come to my FTP site at any time, night or day, and get the data you want immediately, and you don't have to wait for me to see your email and have time to respond. Isn't that a Good Thing?
I don't really care whether or not FTP supports "partial retransmis
Re: (Score:2)
You can come to my website and get the same thing, and it is secured
Re: (Score:2)
but good job pointing out how stupid his post is to anyone who doesn't catch that red flag.
Re: (Score:2)
You're responding to someone who thinks a network installation of an OS is esoteric.
What yanked your chain to make this idiotic statement? I install over the network ALL THE TIME, unless I've got a DVD. I just have never used FTP to do it. Not once.
I just installed OpenSUSE 15.0 via a pxe boot and http server, could have used an ftp site,
PXE and HTTP is not FTP, and I'm glad what you can do.
but good job pointing out how stupid his post is to anyone who doesn't catch that red flag.
You created a convenient red flag out of your straw man misinterpretation of what I said, and decided to make this personal. Thanks for the gumball, Popeye.
Re: (Score:2)
Note, this page [opensuse.org] has mirrors using both http and ftp.
Re: (Score:2)
As evinced above, http and ftp serve the same purpose. Although, http is a clearly better choice.
As evinced above, they often serve different purposes, and when that happens FTP can be the better choice. Is it really so far beyond comprehension that different protocols might have different uses that you cannot begin to imagine it even when differences are pointed out?
Note, this page has mirrors using both http and ftp.
This corrects your ridiculous claim that I find network installs to be "esoteric" exactly how? It proves that FTP has no use at all exactly how?
Re: (Score:2)
Wow yourself (Score:2)
Even better, you can get nice, neat pages that organize the data in interesting ways, charts and graphs that support the data, and links to other websites that provide corroborating info.
I know what you can get through web pages. I have web pages that do that. I ALSO have FTP for users who don't need ANY of that, they just want the data. You're stuck on form over substance. "Look how pretty my web page is. Isn't my data organized in an interesting way? You can click on a table column and it will sort it for you. And look, I'll plot it for you the way I want to plot it." I'm talking about substance. "Here's a data file ... you can do with it what you want. You want to sort it, go ahead. You
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
US investigators seem fixated on watching what "bad" people want to do when in US mil/gov/contractor networks.
Like a search term used could be total bait, real, a fake project, a term a spy had seen.
So US investigators wait and see what happens as n
Re: (Score:2)
Re: (Score:2)
The US networks are so fast, so open, not encrypted.
The only way to get caught is to stop and type in a set of terms, questions, project names.
The massive movement of data from and to a contractor is not seen as something that's not "normal" as the entire network is thought to be secure by design.
That only cleared people and projects could ever be on an internet connected mil/gov network with no encryption.
Entering strange names and ter
Netgear router as FTP server? (Score:2)
Re: (Score:2)
Yea, they went with the lowest bidder..
Actually, this is likely just ignorance coupled with "get the mission done" motives that had some PFC showing up with his home router and a USB drive to put the documents in a conveniently available place so they are easy to find so they could get the work done.
Re: (Score:3)
I sure hope they didn't pay much, because that's so far below the lowest common denominator of modern IT services that the only thing I can think of is that some amateur BBS operator from the mid-90s accidentally fell into an icy lake, his frozen body was found a few years ago, was resuscitated and went into the business of responding to Federal government procurements, with all the knowledge and ability an amateur BBS operator from the mid-90s could bring to 21st century IT.
Re: (Score:2)
I sure hope they didn't pay much, because that's so far below the lowest common denominator of modern IT services that the only thing I can think of is that some amateur BBS operator from the mid-90s accidentally fell into an icy lake, his frozen body was found a few years ago, was resuscitated and went into the business of responding to Federal government procurements, with all the knowledge and ability an amateur BBS operator from the mid-90s could bring to 21st century IT.
Please begin your xmodem transfer now.
CCC...C...C...
On an unrelated side note, is it cold in here for anyone else? and where did all the Blind Melon CDs go?
pyle! why did you just get what the guy at best bu (Score:2)
pyle! why did you just get what the guy at best buy said was the best?
The data itself... (Score:2)
It was stupid to host it with a default FTP password, but the data itself doesn't actually appear all that sensitive. Survival, repair, and operation manuals are officially classified, but a lot of the info is in the public domain as well.
Just because something is officially classified doesn't mean it isn't also an open secret.
Re: (Score:3)
Exactly.
My point is that "classified" makes for good headlines, but there was likely little to no real damage done.
Re:The data itself... (Score:5, Funny)
A few issues... (Score:5, Insightful)
Re: (Score:2)
I'm going to guess that calling them 'military secrets' or 'sensitive military documents' is simply wrong. These are probably really old, outdated or just not that interesting.
FTP? Not SFTP? (Score:2)
Someone(s) need to be fired. ftp has been on the TURN IT OFF LAST YEAR list for something like 10 years. (And I'm speaking as a sr. Linux sysadmin).
The low cost is because ... (Score:2)
... the information is so WWII.
Tanks?
The predator thing is intriguing, though.
More importantly, the military dropped the ball by being negligent.
Re: (Score:2)
This breach has nothing to do with the crappiness or non-crappiness of the router.
It's about enabling a protocol without changing the default password.
This NEVER happens in industry.... (Score:2)
NOT!
I worked at a company where the CFO insisted on having his own wireless access point in his office and refused to allow any kind of network encryption. He didn't even change the default SSID, just plugged the router into the wall, no keys, no passwords, nothing. His office was on the 5th floor and we were less than a block away from a MAJOR technical college's dorms so you can bet the students were more than able to connect any time.
The router was found by the network security folks and the port tu
comment deployment tactics (Score:2)
Dang. I sure hope no one figures out how to implement such comment deployments here at slashdot!
compulsion (Score:5, Insightful)
Hacker Steals Military Docs Because Someone Didn't Change a Default FTP Password
Should read Hacker Steals military docs because she's a sleazeball
The lack of a proper password helped her commit the crime, it didn't compel it; she could have instead just told the authorities about the screwup.
Into the Breach (Score:2, Insightful)
Well, Trump said he'd run the government like a business. He just didn't mention that the business was Equifax.
read the story before commenting (Score:2)
Just the fact it was FTP says it all (Score:2)
Re: (Score:2)
ftp://ftp.hp.com [hp.com]
Re: (Score:2)
Seriously, who uses FTP still?
Anyone who realizes that a simple protocol to do a simple task that doesn't require much security at all is the right protocol. I've had an FTP server for such use in place for more than two decades. Yes, for some things there are better ways, but for this job FTP is perfect.
dale gribble aka Rusty Shackleford did it (Score:2)
dale gribble aka Rusty Shackleford did it
Re: (Score:2)
Who is this Dale Gribble you speak of?
I'm disappointed ... (Score:2)
... I was hoping to find the password here, so I can fix my Abraham tank myself :(
Why even have a default password? (Score:2)
They did not learn from Gary McKinnon (Score:2)
who some 17 years ago cracked USA military computers. He wrote a Perl script and looked for blank and default passwords [wikipedia.org]. Not resetting passwords once is stupid; twice is criminal and the penalty should be a dishonourable discharge and loss of pension -- for those at the top of the military; but I expect that, as usual, they will blame a few lowly techies.
"Steals" (Score:2)
Copying isn't stealing.
Re: (Score:2)
Re: (Score:2)
Copying car keys to steal the car would be theft.
Copying the title to try to take ownership would be fraud.
Copying a work of art to sell it as your own is called infringement.
These are already illegal without needing to criminalize copying per se.
Noooo (Score:2)
The hacker stole the documents because the hacker is a piece of shit.
FFS, 20+ years of Insecure setups (Score:2)
I kept running into problematic non-secured systems in the 1990s which turned out to be on military or other sensitive sites
In one case script kiddies had taken up residence on a NASA computer which was being used for command/control of the original Mars Pathfinder/Sojourner rover.
Back then, DISA was pretty good about getting them fixed when notified, but they didn't scan for them.
NASA learned from the Sojourner (and a couple of other) experiences and now has pretty good security practices, including preem