Australian Police Database Lacked Root Password
Date: 8/20/2009 6:46 am
Hackers break into police computer as sting backfires
Photo caption: Some of the material posted by the hacker who broke into the police computer (photo illustration).
Asher Moses, August 18, 2009
Exclusive: An Australian Federal Police boast on the ABC's Four Corners program about officers breaking up an underground hacker forum has backfired after hackers broke into a federal police computer system.
Security consultants say police appear to have been using the computer as a honeypot to collect information on members of the forum but the scheme came undone after the officers forgot to set a password.
Last Wednesday, federal police officers in co-operation with Victoria Police executed a search warrant on premises in Brighton, Melbourne, connected to the administrator of an underground hacking forum, r00t-y0u.org, which had about 5000 members.
Many details of the investigation were revealed for the first time on Four Corners last night.
After the raid, the federal police covertly assumed control of the forum and began using it to gather evidence about members.
"We can operate in a covert activity here fairly seamlessly with no harm to our members with continual and actual significant penetration," Neil Gaughan, national manager of the federal police's High Tech Crimes Operation, told Four Corners.
However, what the federal police did not know was that hackers had already cottoned on to their plan.
Police were monitoring the forum by logging into the account of the administrator they had raided, but this aroused suspicion among members who knew the raid had taken place.
A hacker broke into the federal police's computer system and, according to a source close to the investigation, accessed both police evidence and intelligence about federal police systems such as its IP addresses.
A spokeswoman for the federal police confirmed that the hacker broke into a computer system used in its investigation but denied that any evidence was compromised, saying the computer was not connected to other federal police systems.
"The AFP has identified a person whom [sic] has attempted to access the stand-alone computer system and we are currently working with our law enforcement partners regarding this matter," the spokeswoman said.
The hacker appears to have been provoked by a message published on the r00t-y0u.org site by the federal police, warning members they were under surveillance and that "all member IP addresses have been logged", with some arrests having already been made.
In two provocative messages published on anonymous document-sharing site pastebin.com, the hacker slammed the federal police for "making it sound like they can bust 'hackers', when all they have done is busted a COUPLE script kiddies". "Script kiddies" is hacker parlance for novice hackers.
The second of these messages contained several links to screenshots allegedly proving that the writer had access to the federal police's server.
These included shots of files containing fake IDs and stolen credit card numbers, as well as the federal police's server information.
The hacker then defaced the r00t-y0u.org website with the same message they had posted on the anonymous document-sharing site.
The federal police spokeswoman said: "The information posted on the http://pastebin.com website is information contained on a stand-alone [federal police] system designed specifically to be used in investigations such as this.
"The information consists of directory file names of previously compromised credentials. No information or files exist that have, or could have, been compromised."
The hacker wrote "I couldn't stop laughing" on seeing that the federal police's server was running Windows, which is known among hacker communities for being insecure. Police had also "left the MYSQL password blank".
"These dipshits are using an automatic digital forensics and incident response tool," the hacker wrote.
"All of this [hacking] had been done within 30-40 minutes. Could of been faster if I didn't stop to laugh so much."
Shaon Diwakar, a security consultant at Hack Labs in Sydney, explained how the hack occurred.
"The attacker has discovered that the server didn't have a password for its database application and he has logged on ... and, using a technique called SQL injection, he created a PHP file on the disk and browsed through that PHP file to get complete control of that particular server," he said.
Diwakar said the hacker would have had access to anything that was stored on the computer.
"When they took this action they should have known that they would have been a big target, so they should have taken more precautions," he said.
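A hardening check a defender could run against the weaknesses Diwakar describes, added here as an example and not part of the article: it audits account rows shaped like MySQL's mysql.user table (the sample rows and hash placeholders are constructed) together with the secure_file_priv setting, and flags the blank-password plus unrestricted-file-write combination that lets a database login turn into a file on the web server's disk.

```python
"""Audit MySQL account rows for a blank password and for unrestricted
file writes from SQL (INTO OUTFILE / LOAD DATA), the two conditions
that together gave the attacker in the article full control."""

# Constructed sample rows, shaped like the result of
# SELECT User, Host, authentication_string, File_priv FROM mysql.user
# The hash-like values are placeholders, not real password hashes.
SAMPLE_ACCOUNTS = [
    {"User": "root", "Host": "localhost", "authentication_string": "", "File_priv": "Y"},
    {"User": "forum", "Host": "%", "authentication_string": "*PLACEHOLDER_HASH_1", "File_priv": "N"},
    {"User": "backup", "Host": "10.0.0.5", "authentication_string": "*PLACEHOLDER_HASH_2", "File_priv": "Y"},
]

BLANK_PASSWORD = "blank password: anyone who can reach the port can log in"
UNRESTRICTED_FILE = "FILE privilege with secure_file_priv empty: SQL can write files anywhere"
ANY_HOST = "account accepts connections from any host"


def audit_accounts(rows, secure_file_priv):
    """Return (account, problem) pairs for every weakness found.

    secure_file_priv mirrors the MySQL system variable of the same name:
    "" (empty) places no restriction on file reads/writes from SQL,
    None stands for SQL NULL, which disables them entirely, and a
    directory path confines them to that directory.
    """
    findings = []
    for row in rows:
        account = f"{row['User']}@{row['Host']}"
        # Older 5.x servers keep the hash in a Password column instead.
        secret = row.get("authentication_string") or row.get("Password")
        if not secret:
            findings.append((account, BLANK_PASSWORD))
        if row.get("File_priv") == "Y" and secure_file_priv == "":
            findings.append((account, UNRESTRICTED_FILE))
        if row["Host"] == "%":
            findings.append((account, ANY_HOST))
    return findings


def worst_case_accounts(rows, secure_file_priv):
    """Accounts combining a blank password with unrestricted file writes,
    i.e. a login that can drop an arbitrary file onto the server."""
    findings = audit_accounts(rows, secure_file_priv)
    blank = {a for a, p in findings if p == BLANK_PASSWORD}
    files = {a for a, p in findings if p == UNRESTRICTED_FILE}
    return sorted(blank & files)


if __name__ == "__main__":
    for account, problem in audit_accounts(SAMPLE_ACCOUNTS, ""):
        print(f"{account}: {problem}")
    print("critical:", worst_case_accounts(SAMPLE_ACCOUNTS, ""))
```

Setting secure_file_priv to NULL or to a dedicated directory removes the file-write finding even where FILE is still granted, which is why the same rows produce no critical account once that variable is set.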
The federal police said it had yet to charge anyone over the r00t-y0u.org forum bust, but "numerous items" were seized and the investigation was ongoing.
It declined to comment further on the case.