Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Government

Hacker Steals Military Docs Because Someone Didn't Change a Default FTP Password (bleepingcomputer.com) 128

New submitter secwatcher shares a report: A hacker is selling sensitive military documents on online hacking forums, a security firm has discovered. Some of the sensitive documents put up for sale include maintenance course books for servicing MQ-9 Reaper drones, and various training manuals describing comment deployment tactics for improvised explosive device (IED), an M1 ABRAMS tank operation manual, a crewman training and survival manual, and a document detailing tank platoon tactics. US-based threat intelligence firm Recorded Future discovered the documents for sale online. They say the hacker was selling the data for a price between $150 and $200, a very low asking price for such data. Recorded Future says it engaged the hacker online and discovered that he used Shodan to hunt down specific types of Netgear routers that use a known default FTP password. The hacker used this FTP password to gain access to some of these routers, some of which were located in military facilities, he said.
This discussion has been archived. No new comments can be posted.

Hacker Steals Military Docs Because Someone Didn't Change a Default FTP Password

Comments Filter:
  • by Anonymous Coward

    Which can easily be explained by stupidity.

    This is one of those times.

    • by MightyMartian ( 840721 ) on Wednesday July 11, 2018 @11:41AM (#56929732) Journal

      The fact that FTP is being used at all is a big red flag for me. Unless it's sitting inside a fully encrypted tunnel, an FTP password is so trivial to steal even if it isn't an obvious password. There may be a few cases where one has to use FTP, but where I have been forced to use it (old hardware), it's ringfenced like nuts, and I'm not going to have an FTP server open on the Internet, unless it's some sort of publicly available archive where I don't care who downloads off of it.

      • by dgatwood ( 11270 )

        The fact that FTP is being used at all is a big red flag for me. Unless it's sitting inside a fully encrypted tunnel, an FTP password is so trivial to steal even if it isn't an obvious password. There may be a few cases where one has to use FTP, but where I have been forced to use it (old hardware), it's ringfenced like nuts, and I'm not going to have an FTP server open on the Internet, unless it's some sort of publicly available archive where I don't care who downloads off of it.

        The fact that a NAS support

        • by Anonymous Coward

          It should be somewhere between difficult and impossible to get an FTP server running on a NAS. A web server is superior in every way:

          Web servers can be secured with TLS.
          Web servers provide encrypted password transport even if the connection isn't encrypted (digest auth).
          Web servers support continuing a download where you left off, rather than fetching the entire resource.

          That doesn't quite add up. An FTP server can do all of the things you have listed too.

          FTPS is to FTP what HTTPS is to HTTP, and mostly works the same.
          FTPS protects the command channel and your password using TLS, just as a webserver does.
          FTPS can protect the data channel with SSL as well.

          Both can use the same signed certificates to defer trust of domain name ownership or use self-signed ones if that's good enough.

          The FTP protocol in whole has supported the REST command to restart transfers since the mid 80

          • +1 informative

          • by dgatwood ( 11270 )

            FTPS is to FTP what HTTPS is to HTTP, and mostly works the same.

            FTPS is not nearly as broadly supported as FTP or HTTP, last I checked. In particular, unless things have changed in the last couple of years, Internet Explorer et al do not support FTPS, which makes the protocol basically DOA in a real-world environment.

            You are technically correct that FTP has a resume command. Unfortunately, last I checked, Apple's URL handling infrastructure didn't support it, which AFAIK means neither does Safari. So bas

            • You are technically correct that FTP has a resume command. Unfortunately, last I checked, Apple's URL handling infrastructure didn't support it, which AFAIK means neither does Safari.

              So just another case where Apple does the wrong thing, so what? Those crop up all the time, they aren't an indictment against the protocol.

              The one and only reason not to use FTP (in the form of FTPS) is that users will have to download a client. You could use an actual FTP server locked down to prevent no transfers to transmit a URL to prospective users where they could get such a client, but it's probably easier overall to just not bother, and use a solution that lets them use their browser — even if

              • by dgatwood ( 11270 )

                So just another case where Apple does the wrong thing, so what? Those crop up all the time, they aren't an indictment against the protocol.

                Apple AND Microsoft, in different ways. This is a strong hint that the industry as a whole abandoned the protocol a long time ago.

      • by AHuxley ( 892839 )
        Its not a problem. The US mil likes its contractors so most work is done in plain text. So every contractor gets a fair and equal bid on any US work offered.
        So the entire US gov is wide open internally so all the contractors can bid for and keep working.
        Start adding encryption to every part of the US gov and mil and then contractors feel locked out.
        The contractors contact political leaders and demand access for their products and services.
        So any good encryption within the US gov is removed and contrac
  • by ole_timer ( 4293573 ) on Wednesday July 11, 2018 @11:13AM (#56929562)
    who has netgear equipment anymore? who allows default passwords anymore? wow
    • by Anonymous Coward

      As bad as both of those things mentioned are, the REAL offence is that they are using the horrific unencrypted plain FTP protocol.

      It's a terrible protocol, not just as regard security but even at a functional level it's a completely fucked up protocol that just needs to die.

      I also call bullshit on anyone who claims "major" performance issues using say SSH, which can be highly tuned with the HPN-SSH patches to get wire speed.

    • Re:wow - just wow (Score:4, Interesting)

      by BlueStrat ( 756137 ) on Wednesday July 11, 2018 @11:36AM (#56929704)

      who has netgear equipment anymore? who allows default passwords anymore? wow

      Yes, but let's make this all about the "hacker" and ignore anything to do with holding any US military or politicians responsible for making the breach possible. After all, cases like that of Lauri Love show that the go-to response by the US government for these sorts of situations is "kill the messenger!" whenever government incompetence and corruption are exposed, and this behavior is not limited to Left or Right. It's natural human behavior that's amplified and given power by having a too-powerful central government

      Strat

      • Strat

        -ocaster?

        • Strat

          -ocaster?

          Yes, although I don't own and play *only* Stratocasters they are my usual "go-to" instrument. Also, the "Blue" in "BlueStrat" is not referring to a color, as any guitar I pick up is automatically "blue". ;-)

          You'll also notice, looking at my posting history, that my posts happen at wildly random times, often at oh-dark-thirty local time. The life of a working musician. It doesn't get any easier with age, either!

          Strat

          • I remember those days ..play 'til 3am, get up for work at 7:30am, Wed and Thurs.. by Saturday night, I was a zombie. Fortunately that gig was only once every 4 to 6 weeks. That was years ago, I couldn't do that now, I'm definitely too old. Strats are great, mine is aztec gold, but I have a collection of all types.

            • Well met, fellow string-slinger! I'm older now, too. I play mostly festivals, fairs, casinos, and similar types of gigs where the bookings can be spread out and planned to minimize stress, which helps tremendously. It does often mean medium-long trips and odd times for my comings and goings. It's still a hell of a lot of work and energy expenditure for someone north of 60 and not in the greatest of health. But after all, "players play".

              Play on!

              Strat

      • ... ignore anything to do with holding any US military or politicians responsible for making the breach possible.

        Do the attempts at making everything Trump's fault never end? How is it a politician's fault, ANY politician's fault, if some military IT person forgot to change a password on an unused protocol before attaching a router to the network? How is not not the fault of the person attaching the router to the net, AND the Captain whose computer was broken into using that access?

        There is a later comment about "comment deployment". It's not /. fault for that one, although an editor should have caught that. The en

        • by dgatwood ( 11270 )

          Yes, FTP is an old protocol. It is insecure. BUT, simple tools are often the correct tools. Do you have data you need to share with a lot of people? Anonymous FTP is a good way to do that.

          No, it isn't. Anonymous FTP doesn't provide support for partial retransmission, which makes it an absolutely awful way to share data with a lot of people, unless the data is very small (in which case you should probably just paste it into an email).

          It is far better to turn on directory listings in a web server and drop th

          • Anonymous FTP doesn't provide support for partial retransmission

            What? Since when [stackoverflow.com]? You have to be a schmuck to support resuming anonymous uploads, but you can even do that [proftpd.org]!

            You get the same overall behavior as FTP, but you gain the ability to pause downloads, the ability to secure those downloads if you want to (with TLS), the ability to have passwords that are not sent in the clear, etc.

            You can do all of that with FTP, too. FTP already permits resuming downloads, FTPS [wikipedia.org] is already FTP with TLS, and already protects your password.

            It's probably still smarter to use a web interface, but not because FTP can't be secured. It's only because users will have to download a secure FTP client, and they already have a web browser.

            • by dgatwood ( 11270 )

              To be pedantic, FTPS is not really FTP. If you really want to support an FTPS-only solution, go for it, but since it isn't broadly supported, there's no reason to bother. And the unencrypted protocol is generally a bad idea by its very nature (authentication in the clear).

              • To be pedantic, FTPS is not really FTP.

                To be pedantic, FTPS is exactly FTP with TLS and SSL. It is so much that, that you can actually connect with just FTP and then elevate to FTPS.

          • unless the data is very small (in which case you should probably just paste it into an email).

            You see, you assume you know the problem that FTP is solving, and you really don't. I have no intention of forcing people to send me an email asking for some data, nor do I intend on wasting my time sending them emails with all the data they want. You can come to my FTP site at any time, night or day, and get the data you want immediately, and you don't have to wait for me to see your email and have time to respond. Isn't that a Good Thing?

            I don't really care whether or not FTP supports "partial retransmis

            • by dgatwood ( 11270 )

              You see, you assume you know the problem that FTP is solving, and you really don't. I have no intention of forcing people to send me an email asking for some data, nor do I intend on wasting my time sending them emails with all the data they want. You can come to my FTP site at any time, night or day, and get the data you want immediately, and you don't have to wait for me to see your email and have time to respond. Isn't that a Good Thing?

              You can come to my website and get the same thing, and it is secured

              • by pnutjam ( 523990 )
                Your responding to someone who thinks a network installation of an OS is esoteric. I just installed OpenSUSE 15.0 via a pxe boot and http server, could have used an ftp site, but ugh... I install Windows similarly all the time also.

                but good job pointing out how stupid his post is to anyone who doesn't catch that red flag.
                • Your responding to someone who thinks a network installation of an OS is esoteric.

                  What yanked your chain to make this idiotic statement? I install over the network ALL THE TIME, unless I've got a DVD. I just have never used FTP to do it. Not once.

                  I just installed OpenSUSE 15.0 via a pxe boot and http server, could have used an ftp site,

                  PXE and HTTP is not FTP, and I'm glad what you can do.

                  but good job pointing out how stupid his post is to anyone who doesn't catch that red flag.

                  You created a convenient red flag out of your straw man misinterpretation of what I said, and decided to make this personal. Thanks for the gumball, Popeye.

                  • by pnutjam ( 523990 )
                    As evinced above, http and ftp serve the same purpose. Although, http is a clearly better choice.

                    Note, this page [opensuse.org] has mirrors using both http and ftp.
                    • As evinced above, http and ftp serve the same purpose. Although, http is a clearly better choice.

                      As evinced above, they often serve different purposes, and when that happens FTP can be the better choice. Is it really so far beyond comprehension that different protocols might have different uses that you cannot begin to imagine it even when differences are pointed out?

                      Note, this page has mirrors using both http and ftp.

                      This corrects your ridiculous claim that I find network installs to be "esoteric" exactly how? It proves that FTP has no use at all exactly how?

                    • by pnutjam ( 523990 )
                      Well, if your FTP site has been around for 20 or 30 years, like most of these, I can understand why you keep it around. Otherwise, it's a protocol that should be discouraged.
              • Even better, you can get nice, neat pages that organize the data in interesting ways, charts and graphs that support the data, and links to other websites that provide corroborating info.

                I know what you can get through web pages. I have web pages that do that. I ALSO have FTP for users who don't need ANY of that, they just want the data. You're stuck on form over substance. "Look how pretty my web page is. Isn't my data organized in an interesting way? You can click on a table column and it will sort it for you. And look, I'll plot it for you the way I want to plot it." I'm talking about substance. "Here's a data file ... you can do with it what you want. You want to sort it, go ahead. You

    • by AHuxley ( 892839 )
      The US mil and its contractors.
      • are you guessing or do you know? someone is "not so smart"
        • by AHuxley ( 892839 )
          Large amounts of data has walked before. No encryption, plain text, internet connected. The people interested don't even try to search for projects when they get deep into "secure" US networks. They have the internal network freedom to copy it all out.
          US investigators seem fixated on watching what "bad" people want to do when in US mil/gov/contractor networks.
          Like a search term used could be total bait, real, a fake project, a term a spy had seen.
          So US investigators wait and see what happens as n
          • information can be gained from seeing what they are looking for. there used to be a joke that the Chinese are so persistent looking for our five year plan and the Russians are trying to disrupt it.
            • by AHuxley ( 892839 )
              Re "information can be gained from seeing what they are looking for."
              The US networks are so fast, so open, not encrypted.
              The only way to get caught is to stop and type in a set of terms, questions, project names.
              The massive movement of data from and to a contractor is not see as something thats not "normal" as the entire network is thought to be secure by design.
              That only cleared people and projects could ever be on an internet connected mil/gov network with no encryption.
              Entering strange names and ter
  • They were using Netgear routers with USB-attached drives as FTP servers instead of ... real server hardware? Something seems missing here.
    • Yea, they went with the lowest bidder..

      Actually, this is likely just ignorance coupled with "get the mission done" motives that had some PFC showing up with his home router and a USB drive to put the documents in a conveniently available place so they are easy to find so they could get the work done.

      • I sure hope they didn't pay much, because that's so far below the lowest common denominator of modern IT services that the only thing I can think of is that some amateur BBS operator from the mid-90s accidentally fell into an icy lake, his frozen body was found a few years ago, was resuscitated and went into the business of responding to Federal government procurements, with all the knowledge and ability an amateur BBS operator from the mid-90s could bring to 21st century IT.

        • by dissy ( 172727 )

          I sure hope they didn't pay much, because that's so far below the lowest common denominator of modern IT services that the only thing I can think of is that some amateur BBS operator from the mid-90s accidentally fell into an icy lake, his frozen body was found a few years ago, was resuscitated and went into the business of responding to Federal government procurements, with all the knowledge and ability an amateur BBS operator from the mid-90s could bring to 21st century IT.

          Please begin your xmodem transfer now.
          CCC...C...C...

          On an unrelated side note, is it cold in here for anyone else? and where did all the Blind Melon CDs go?

      • pyle! why did you just get what the guy at best buy said was the best?

  • It was stupid to host it with a default FTP password, but the data itself doesn't actually appear all that sensitive. Survival, repair, and operation manuals are officially classified, but a lot of the info is in the public domain as well.

    Just because something is officially classified doesn't mean it isn't also an open secret.

  • A few issues... (Score:5, Insightful)

    by chipperdog ( 169552 ) on Wednesday July 11, 2018 @11:20AM (#56929606) Homepage
    A Netgear consumer router is being used as a firewall for networks containing military secrets? Not what I would have expected, I usually use more robust firewalls on network I maintain. A default password was left in place for a router on a secure network....FTP configuration from outside was left enabled on router...Against most acceptable security practices for any network The USAF didn't do regular nmap scans and pentests of their networks from various points around the world that would have found this opening...They didn't regularly check sites like Shodan to see what shows for their networks... I do these regularly for networks I maintain...
    • I'm going to guess that calling them 'military secrets' or 'sensitive military documents' is simply wrong. These are probably really old, outdated or just not that interesting.

  • Someone(s) need to be fired. ftp has been on the TURN IT OFF LAST YEAR list for something like 10 years. (And I'm speaking as a sr. Linux sysadmin).

  • ... the information is so WWII.

    Tanks?

    The predator thing is intriguing, though.

    More importantly, the military dropped the ball by being negligent.

  • NOT!

    I worked at a company where the CFO insisted on having his own wireless access point in his office and refused to allow any kind of network encryption. He didn't even change the default SSID, just plugged the router into the wall, no keys, no passwords, nothing. His office was on the 5th floor and we where less than a block away from a MAJOR technical college's dorms so you can bet the students where more than able to connect any time.

    The router was found by the network security folks and the port tu

  • ...describing comment deployment tactics for improvised explosive device (IED)...

    Dang. I sure hope no one figures out how to implement such comment deployments here at slashdot!

  • compulsion (Score:5, Insightful)

    by bugs2squash ( 1132591 ) on Wednesday July 11, 2018 @11:48AM (#56929788)

    Hacker Steals Military Docs Because Someone Didn't Change a Default FTP Password

    Should read Hacker Steals military docs because she's a sleazeball

    The lack of a proper password helped her commit the crime, it didn't compel it, she could of instead just told the authorities about the screwup

  • Into the Breach (Score:2, Insightful)

    by PopeRatzo ( 965947 )

    Well, Trump said he'd run the government like a business. He just didn't mention that the business was Equifax.

  • they used a default ftp password to pivot to a workstation that they then used to get the manuals...
  • Seriously, who use's FTP still?
    • HP corporation still uses it for downloading patches, drivers, documentation, etc

      ftp://ftp.hp.com [hp.com]
    • Seriously, who use's FTP still?

      Anyone who realizes that a simple protocol to do a simple task that doesn't require much security at all is the right protocol. I've had an FTP server for such use in place for more than two decades. Yes, for some things there are better ways, but for this job FTP is perfect.

  • dale gribble aka Rusty Shackleford did it

  • ... I was hoping to find the password here, so I can fix my Abraham tank myself :(

  • Why would this service even have a default password? Just disable the service until a password is set via the admin page.
  • who some 17 years ago cracked USA military computers. He wrote a Perl script and looked for blank and default passwords [wikipedia.org]. Not resetting passwords once is stupid; twice is criminal and the penalty should be a dishonourable discharge and loss of pension -- for those at the top of the military; but I expect that, as usual, they will blame a few lowly techies.

  • steals

    Copying isn't stealing.

    • Then you wouldn't mind if I copied all your personal information and used it, yes? Copied your car keys and title and then sold them to the highest bidder?
      • Copying car keys to steal the car would be theft.

        Copying the title to try to take ownership would be fraud.

        Copying a work of art to sell it as your own would is called infringement.

        These are already illegal without needing to criminalize copying per se.

  • The hacker was able to steal the documents because of the password.
    The hacker stole the documents because the hacker is a piece of shit.
  • I kept running into problematic non-secured systems in the 1990s which turned out to be on military or other sensitive sites

    In one case script kiddies had taken up residence on a NASA computer which was being used for command/control of the original Mars pathfinder/soujurner rover.

    Back then, DISA was pretty good about getting them fixed when notified, but they didn't scan for them.

    NASA learned from the soujourner (and a couple of other) experiences and now has pretty good security practices, including preem

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...