They All Fall Down

A server was penetrated recently, and the intruders took control of dozens of websites and e-mail accounts along with SSNs and some credit card numbers. The server was running GNU/Linux and it was compromised in multiple ways:

  • no filtering of user input in web forms submitted to PHP,
  • using that unfiltered input in shell commands,
  • passwords kept in a database in clear text,
  • allowing root to log in from the web,
  • careless upload script, and
  • everything on one server.
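As an added example (not code from the original post), here are the first three bullets and the upload script in PHP, each shown as the weak pattern beside a hardened one. The form field names, the `ping` command, the `users` table and the `$store_dir` location are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Field names ("host", "password"),
// the "ping" command and the "users" table are assumed for illustration.

// --- Weak: unfiltered form input dropped straight into a shell command ---
function lookup_weak(array $form): string
{
    // Whatever is in $form['host'] reaches /bin/sh unchanged, so shell
    // metacharacters in the field change which command actually runs.
    return (string) shell_exec('ping -c 1 ' . $form['host']);
}

// --- Hardened: validate against an allowlist, then quote what is passed ---
function lookup_hardened(array $form): string
{
    $host = $form['host'] ?? '';
    // Reject anything that is not a plausible hostname before it goes anywhere.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    // escapeshellarg() single-quotes the value so it is exactly one argument.
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// --- Passwords: never store the clear text, store a salted hash ---
function store_password(PDO $db, string $user, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt by default
    // Prepared statement: no SQL built by string concatenation with user input.
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
    $stmt->execute([$user, $hash]);
}

function check_password(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // A dump of this table yields hashes, not passwords.
    return $row !== false && password_verify($password, $row['pw_hash']);
}

// --- Uploads: trust neither the client's filename nor its type ---
function save_upload(array $file, string $store_dir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Server-chosen random name: the client picks neither a path nor an
    // executable extension. $store_dir is assumed to sit outside the web root.
    $dest = $store_dir . '/' . bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}
```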

The sheriffs claimed nothing was taken, but everything was moved to another server, the attack was repeated and the data was published. The new server was just a copy of all the vulnerabilities of the first server.

This was a textbook case of how not to secure a server. Putting 58 sites on that server may have been more efficient for the operators, but it also made the intrusion more efficient: the intruders could type a single command and do anything, as root. I have put a few servers on the web and I know one should pay attention to dozens of details to prevent things like this from happening. Last year, I put a machine up and I made sure there was nothing on it I could not afford to lose, and I backed it up. I made sure there was nothing on it that was not needed for the task. Was it invulnerable? Probably not, but there were many layers of defence between it and the things I cared about. These guys used this insecure paper bag to manage prisoners, confidential informants, an e-store and other sensitive documents.

See: Anonymous hacks sheriffs’ offices across the U.S.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

16 Responses to They All Fall Down

  1. Contrarian says:

    “The outstanding charges were dropped in fact before filing in the USA legal system”

    You make no sense at all, #oiaohm. Charges are not charges until they are filed and there is nothing that has been filed, so there were no charges. Nothing has been dropped at all and the DoJ efforts with the grand jury hardly show that there is no intent to eventually file charges against Wikileaks.

    The Australian government has no input to this process as far as I know and is not a player.

    “No I am no different to an insurance company that will not pay you for your stolen car because you left the keys in the ignition and the doors unlocked. So now that your car is a write-off it’s your stiff problem.”

    That is another example of your complete misunderstanding of laws and general facts, #oiaohm. Certainly theft of an auto is a crime regardless of whether the keys were obtained or not. It is against the law to take possession of an auto if it is running at the curb just as it is against the law to take it if it is not. Perhaps if you collude with the thief and hand him the keys and say “Take my car!”, there would be some issue. Also if your child took the car to joy ride with friends against your will, the insurance might balk at paying a comprehensive claim. But none of that is analogous to the vandalism exhibited by the hackers who just trash things for the thrill of it all.

  2. oiaohm says:

    “There never has been any charges filed and hence no dropping of any charges.”

    Did I say that the charges were filed for court. No I did not.

    The outstanding charges were dropped in fact before filing in the USA legal system. USA prosecutors ask the Australian government to investigate a stack of possible USA charges with Mirrors in Australian law against Wikileaks. Yes the charges were filed just in Australia first also dropped here with responses from the USA DOJ that they would not be going further and dropping investigation into those charges.

    Yet those possible charges were used to void Wikileaks DNS and Hosting before they had been approved for filing.

    Do you not agree with me that acting before investigation is complete and at least charges are filed is breach of due process and should not happen ever.

    “Wikileaks has threatened to sue PayPal and some credit card companies for shutting off his credit collection access, but that is just talk at this stage. Are you that confused?”
    No I am not confused the case against Visa and Mastercard is currently filed and under way in the EU courts was filed 14 of July 2011. It has gone well past threatened. There is talk about also taking this up in Australian and USA courts as well.

    And the defamation cases were filed after that. So you are not up to date on what is going on Contrarian.

    “Incredible, #oiaohm! A successful thief is not to blame if he was not thwarted by the locks? It must be a real frontier down under! Do you tolerate vandalism because the vandal was successful?”

    No I am no different to an insurance company that will not pay you for your stolen car because you left the keys in the ignition and the doors unlocked. So now that your car is a write-off it’s your stiff problem.

    Please be aware of something someone typing a URL wrong could have killed the servers as well. They were that bad. Vandal required no skill or effort really to take control of those servers because there were no locks at all really.

    Contrarian now I have to place a line in sand somewhere. If you visited one of those sites and it crashed just because you visited should I now charge you and send you to jail? Due to you just by mistake running into one of those defects. Server that defective its very hard to draw line to make sure you don’t hit a non guilty person. I am happier letting a few guilty go than put one non guilty behind bars because a system admin was not doing their job.

    Reason you know the few guilty will try again in future but against competent system admins so at some point they will be caught. The ones I don’t catch today I will catch later basically. Hunters like me are very much fishermen.

    The Grand Jury in the USA has turned into a complete laughing stock case. http://www.marinecorpstimes.com/news/2011/06/ap-wikileaks-grand-jury-man-wont-testify-061511/ Yes the day later than the one you had Robert Pogson.

    Basically nobody is testifying everyone is going the 5th. There is no evidence. It’s complete Legal Joke.

    DoJ was and is 100 percent determined to charge Wikileaks with something that they have gone to a grand jury with no evidence of any wrongdoing.

    Reason if they fail to be able to charge Wikileaks without something could be a complete disaster. Just think of the list of parties that have done things wrong in breach of due process that are guilty of crimes now because of over heavy response they should have never done.

    Yes the grand jury is DoJ last hope to save many peoples tails out the fire. So far odds of the grand jury finding something are slim to none.

    You are not meant to go before a grand jury without some evidence of wrongdoing. Yes USA law is being broken.

  3. There is a grand jury calling witnesses about Wikileaks so charges may be imminent.

  4. Contrarian says:

    “The problem there all outstanding charges against Wikileaks has been dropped in the USA due to no evidence to support the charges”

    Not a bit of truth there, #oiaohm. There never has been any charges filed and hence no dropping of any charges. Prosecution is going forward on the treason charges against the Army private. If any sort of collusion is uncovered in that case, you can bet that Julian Assange will be in the box, too.

    “In fact Wikileaks is suing many USA papers and tv companies for defamation”

    That is a complete fabrication on your part, #oiaohm. How long are you going to abuse the truth? Wikileaks has threatened to sue PayPal and some credit card companies for shutting off his credit collection access, but that is just talk at this stage. Are you that confused?

    “we don’t blame the crackers when system is this weak. We blame the admins for setting up something that weak.”

    Incredible, #oiaohm! A successful thief is not to blame if he was not thwarted by the locks? It must be a real frontier down under! Do you tolerate vandalism because the vandal was successful?

  5. oiaohm says:

    Contrarian
    “Well we all know how poorly you interpret US law, #oiaohm. Just give it up.”

    The problem there all outstanding charges against Wikileaks has been dropped in the USA due to no evidence to support the charges. Not by me by the USA prosecutors. Of course this has got no TV air time.

    In fact Wikileaks is suing many USA papers and tv companies for defamation. Simple fact here shut up. Unless you like the idea of being in court charged with defamation. For the simple fact by USA law Wikileaks has done nothing wrong. Already many of those cases have been settled out of court.

    Also it don’t stop there. Mastercard and others are also finding themselves in trouble. Basically they believed Wikileaks was guilty and acted without charges being done. A true kangaroo court.

    What Wikileaks proved is you do nothing legally wrong yet you can have all your bank account suspended just because someone suspects that you might have. Have your domain name and hosting taken as well.

    So we had a complete outbreak of cyber attacks triggered by false charges. Massive increase in attacks disruptions and everything else. Because people forget innocent until proven guilty and acted before the guilty charge was given.

    This was complete media and bank incompetence that makes my reading of USA documents wrong look like a joke. Forgot a key point of the law is something that should not happen.

    Have you not noticed the wikileaks.org is back online from a USA DNS registrar. Yes this happened straight after the USA cases were dropped.

    Contrarian incompetence is incompetence. Most of us from the Linux world want to see those Linux admins taken to court and held to account for setting up something so weak. This is the difference we don’t blame the crackers when system is this weak. We blame the admins for setting up something that weak. Heck it made windows default install look secure. Yes it’s that bad.

    Sadly neglected means someone has not done their job and should be punished. Same with a windows server being infected that was not setup right as well. Same PHP files on a windows server we would also want the person who put them there hide as well.

    These are not core OS faults but incompetence in setup. We will treat that exactly the same no matter the OS.

  6. Contrarian says:

    “This was a case of a GNU/Linux server sadly neglected”

    Well, I am nothing if not fair, #pogson. I think hackers who despoil Unix and Linux servers are vermin just as those who prey on Windows servers. All should be tortured until they become senseless and then they can be disposed of as efficiently as necessary.

  7. Richard Chapman says:

    “This was a case of a GNU/Linux server sadly neglected.”

    Unfortunately the element of neglect will always be with us in all systems (all systems, not just OSs) to one degree or another. Some systems are better designed than others and discourage neglect.

  8. This was a case of a GNU/Linux server sadly neglected. The same thing could have happened with that other OS, and in more ways, thanks to the needless feature-bloat.

  9. Richard Chapman says:

    “Hackers who set out to deliberately spoil someone’s data or worse are vermin who do not deserve humane treatment.”

    Yeah, not to mention savagely ripping holes in Microsoft’s security… Oh wait, no one makes holes in Microsoft’s security, they simply waltz through the gaping ones put there by Microsoft themselves.

  10. Contrarian says:

    “Even by USA law he is not guilty of anything”

    Well we all know how poorly you interpret US law, #oiaohm. Just give it up.

  11. oiaohm says:

    “Well, he published information that the USofA considered confidential”

    Contrarian since Wikileaks was not an active party in the leak. Even by USA law he is not guilty of anything. USA presumed he was an active party. That was the only way he could be guilty.

    Since documents lose their confidential status once they leak to a person who is not authorized. 100 percent sure the USA docs lost confidential status once in non usa cit hands that has not signed a contract to keep them confidential. Yes legally he never published confidential documents because they ceased to be that status once they were in his hands.

    This is a clear point people keep on forgetting. The law is mean. Once the information is leaked whoever gets it after that is not guilty of anything if they did not directly go after that information. This is why data security has to be proactive.

    Yes the big thing where the USA case against Wikileaks went splat is not once did Wikileaks ask for particular documents or particular information or even information from particular areas. Wikileaks was simply willing to take whatever.

    The senders directly chose what to send without any pressure to send particular stuff.

    Most documents published by Wikileaks are in fact censored. Where operational key data has been attempted to be deleted. Responsibility to remove that information is in fact not wikileaks. Again it’s the sender’s responsibility to censor. If wikileaks does censor it is legally just a public service. There is no legal requirement in any country to censor leaked documents. So the USA should be thankful for small mercies.

    What Wikileaks provided was no different to a mail box to send the leaks to. The sender is the legally guilty party.

    The person who was authorized is guilty of a felony. Only way wikileaks can be guilty is proven direct involvement in the crime. Aiding the crime. No evidence of direct assistance exists.

    The bad part is what Wikileaks did is protected under the USA right to free speech. So in a USA court the case is stuffed.

    Issue here same assessment was done under Australian law as well. Any active assistance in the data theft would have seen the head of wikileaks back here in Australia and he would be serving out a 15 year jail sentence. Wikileaks has no case to answer in Australia or USA. This is legal fact. Head of Wikileaks no longer has any outstanding charges in the USA by the way. The USA has wised up to the fact he cannot be prosecuted.

    Only reason why Wikileaks is avoiding the USA is how long they can hold people without officially charging them and processing them.

    “spectator sport” Yes nice spectator sport until a day comes that you lose your job because your network admin did not secure the network so the company you were working for is now out of business.

    Simple fact Contrarian this time you are using out of date information and incorrect understanding of law.

    Yes I made a mistake reading documents in the wrong country interp. You are simply making up stuff because you don’t understand the law at play at all.

    White hackers normally do law degrees at some point. Just so we are sure what we are doing is legal.

  12. Contrarian says:

    “Relying on government …”

    I wouldn’t rely on them for IT security either. That is easy enough to achieve with care and adherence to principles if enhanced security is necessary. What I am relying on government for is an elevated viciousness in prosecuting those who are detected performing this sort of vandalism or criminal act, i.e. revenge. Hackers who set out to deliberately spoil someone’s data or worse are vermin who do not deserve humane treatment. If they successfully irritate the police and military with their actions, they will doubtless get some payback.

  13. bilbophile says:

    Relying on government for your own IT security is like relying on police to avoid car accidents. Worse actually since most accidents occur without intent.

  14. Contrarian says:

    “Really people like you annoy me”

    Well, you annoy me, #oiaohm. Your clumsy posts and fictitious references continually detract from the forum here. That doesn’t make us even, though, you are still far more of a negative than your annoyance can correct.

    “I am technically a White Hacker.”

    Sure you are.

    “WikiLeak guy technically did nothing wrong.”

    Well, he published information that the USofA considered confidential and that is probably a felony in the US if they get him into court. I think the various governments involved are marking time right now. If he can be extradited to the US, he will be after the others are through with him.

    “Just going after the Black and Grey hackers is a waste of time”

    Well, it is a spectator sport after all and if the cops get a little chafed over their antics, the action might be more interesting to watch.

  15. oiaohm says:

    Contrarian Really people like you annoy me. I am technically a White Hacker. I know all the methods to hack a server but I don’t use it without formal contract to test servers.

    There exist many test suites that would have found the flaws these servers were suffering from.

    Being hacked because you either have not paid a White Hacker like me to audit your system or your system admin has not run basic checks is incompetence.

    WikiLeak guy technically did nothing wrong. Reason the Private should not have been able to leak the information in the first place. Once it’s out in the open how was WikiLeaks to know if he was the only party to receive it. For operational safety you are better to know the information has leaked than not to know. Going after the head of WikiLeaks is a waste of money and resources that should be better spent fixing up security and other issues.

    The problem here we White hackers exist to hunt down the other and prevent the others from causing problems. Just going after the Black and Grey hackers is a waste of time. Since people running crappy setups will not be held to account.

    The worst I found when auditing before deployment was that I could download the full database from the external facing side straight from the database and the database had a blank master password. Mistakes happen auditing before deployment is about finding and fixing those.

    Basically the ones who lose the information should be charged if they have not done the reasonable level of steps to make sure their data is secure.

    “no filtering of user input in web forms submitted to PHP” Items like this are basics.

    “passwords kept in a database in clear text” Another basic never to do.

    Admins and auditors of those should be taken for aiding and abetting the breach. If there were no paid Auditors the bosses should be held to account.

    Let’s at least make it tricky to break in with some odds they will be caught fairly quickly.

  16. Contrarian says:

    I would like to see more of this group’s focus on civil and military authorities. I suspect that, in the long run, such twisting of the tiger’s tail will lead to their undoing. Hacking is mostly just vandalism. It may be cloaked in some guise of social justice, as WikiLeaks pretends to do, and presented as some sort of quirky genius being expressed by the introverted nerds of the world who seek revenge for being scorned. But it is still a largely antisocial activity that seeks to ruin the quiet enjoyment of one’s surroundings.

    If the hackers can, as a group, get the law enforcement community irritated enough, behind the scenes punishments will be levied on anyone caught in the act, and plenty of people are caught every day.

    The WikiLeak guy is on the spot for anything that the US and European governments want to throw at him and the private who leaked the cables has been in solitary at Leavenworth ever since. The members of this hacking community may find themselves in Guantanamo Bay one of these days being encouraged to rat out their friends. No one will shed a tear.
