On the 31st of July 2011, the system administrator of Brooks-Jeffrey Marketing (BJM) was working on his newly upgraded servers. At exactly the same time a hacker was slowly sniffing his way through the same systems and picking up everything in his tracks. The hacker had rooted the system so deeply that he was able to report to the system administrator that everything was normal.
BJM was not randomly attacked. The hackers chose their target because the servers contained the databases of 78 different law enforcement agencies scattered across America.
BJM is one of many victims of the ongoing AntiSec cyber security operation headed by the two notorious hacking groups Anonymous and LulzSec, who teamed up to attack large organizations and major governments all over the world.
The armies of Operation AntiSec have a good track record. They recently smashed the cyber fortress of the US Department of Defence. Now they have humiliated local law enforcement agencies across all of America. In the past they brought PayPal to its knees and have recently infiltrated NATO and the UN Security Forces.
Their hit list, and their army, just keep getting bigger, with no end in sight. In this last hack they announced:
“GIVE UP. You are losing the cyberwar, and the attacks against the governments, militaries, and corporations of the world will continue to escalate. Hackers, join us to make 2011 the year of leaks and revolutions.”
What was stolen
In all, 10GB of sensitive information was stolen from approximately 78 different law enforcement agencies.
This is a quick breakdown of the information they released:
- Private emails from 300 accounts
- Over 7000 passwords, addresses, phones and social security numbers
- Other server passwords for ftp/ssh, email, cpanel and protected directories
- Source code and backups from the core servers
The Missouri Sheriff's Association, which was worst hit, tried, as usual, to downplay the hack. Their director Mick Covington said:
“the most the hackers got from their organization were email addresses and there were no critical details like names, social security numbers or other personal information details on their server.”
Whilst this was being said, Anonymous were using the stolen credit cards to make donations to the ACLU and the Bradley Manning Support Network.
How they did it
The hacker got in by cleverly exploiting several classic vulnerabilities in the PHP-driven website of the core server. The sections below outline the most prominent of these vulnerabilities, one of which I suspect is a backdoor planted by the hackers themselves. This backdoor is significant because it allowed the hackers to keep coming back for more even though the servers were upgraded multiple times in an effort to ward them off.
In the code below we see a classic ' OR 'a'='a injection. The user-supplied data taken from $_GET['username'] is not validated against SQL injection. This allows the hacker to use $username and $password to manipulate the SQL query.
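The pattern described above, as an added example rather than BJM's own code: the vulnerable login query beside a hardened version using a prepared statement and password hashing. The table and column names are assumptions.

```php
<?php
// Added example, not the BJM code: the vulnerable pattern beside a hardened
// one. Table and column names are assumptions.

// VULNERABLE: user input is concatenated straight into the query, so a
// username such as  admin' OR 'a'='a  rewrites the WHERE clause and the
// password check becomes irrelevant.
function loginVulnerable(mysqli $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM users "
         . "WHERE username = '$username' AND password = '$password'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// HARDENED: a prepared statement keeps data and SQL separate, so quote
// characters in the input never reach the parser as syntax. The password is
// verified against a stored hash instead of being compared inside the query.
function loginSafe(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;   // same answer for "no such user" and "wrong password"
    }
    unset($row['password_hash']);
    return $row;
}

// The BJM code took the credentials from $_GET; a login form should POST
// them so they do not end up in access logs and browser history.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Real prepared statements, not client-side emulation, and exceptions on error.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', getenv('DB_PASS') ?: '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$user = loginSafe($pdo, $username, $password);
```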
Shell injection attacks were discovered eons ago, long before SQL injection existed, yet they remain scattered around bad source code like old land mines. When trampled upon they cause much damage.
In the screenshot above, the variable $query, which may contain unvalidated user input, could also be used to inject shell commands directly into the server, with dramatic effects.
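The same flaw and its fix, as an added example that is not BJM's code. The page does not show what $query was passed to, so this assumes it is a hostname handed to ping; it shows validation, quoting, and finally bypassing the shell altogether.

```php
<?php
// Added example, not the BJM code. The page does not show what $query was
// passed to; here it is assumed to be a hostname handed to `ping`.

// VULNERABLE: $query is interpolated into a command line, so shell
// metacharacters such as ; | ` $( ) are interpreted by /bin/sh.
function pingVulnerable(string $query): string
{
    $out = shell_exec("ping -c 1 $query");
    return is_string($out) ? $out : '';
}

// HARDENED, step 1: validate against a strict allowlist of what the value
// is supposed to be (a hostname), rejecting everything else.
function isHostname(string $s): bool
{
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($s) <= 253
        && preg_match("/^{$label}(\\.{$label})*\$/", $s) === 1;
}

// HARDENED, step 2: even after validation, quote the argument so the shell
// sees exactly one word; never build the command from raw input.
function pingSafe(string $query): string
{
    if (!isHostname($query)) {
        throw new InvalidArgumentException('invalid hostname');
    }
    $out = shell_exec('ping -c 1 ' . escapeshellarg($query));
    return is_string($out) ? $out : '';
}

// Better still: avoid the shell entirely. proc_open() with an argument
// array (PHP 7.4+) executes the program directly, so nothing is parsed
// by a shell and there is no command line to inject into.
function pingNoShell(string $query): string
{
    if (!isHostname($query)) {
        throw new InvalidArgumentException('invalid hostname');
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '1', $query], $spec, $pipes);
    if ($proc === false) {
        throw new RuntimeException('cannot start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out === false ? '' : $out;
}
```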
Source Code Injection
This source code injection is one of a kind. I have never seen anything like it before. These lines of code actually allow a hacker to append his own files to the server script. A security flaw this unlikely could actually be the backdoor that AntiSec were boasting about in their press release.
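The page does not reproduce the lines in question, so the following added example (not BJM's code) assumes the flaw is the usual way user input ends up pulling foreign files into a PHP script: a user-controlled include(). It shows that pattern beside an allowlist-based replacement and the php.ini settings that limit the damage.

```php
<?php
// Added example, not the BJM code. Assumes the flaw is a user-controlled
// include(); the template directory and page names are assumptions.

// VULNERABLE: the "page" parameter selects the file to include. With
// allow_url_include=On a remote URL is fetched and executed; even with it
// Off, a traversal path or a previously uploaded file (an avatar, a log)
// is executed as PHP.
function renderVulnerable(): void
{
    $page = $_GET['page'] ?? 'home';
    include $page . '.php';
}

// HARDENED: never derive a path from input. Map a validated key to a fixed
// filename inside a directory that holds nothing but templates.
const TEMPLATE_DIR = __DIR__ . '/templates';
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function renderSafe(string $requested): void
{
    if (!array_key_exists($requested, PAGES)) {
        http_response_code(404);
        return;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . PAGES[$requested]);
    // Defence in depth: the resolved path must still be inside the template dir.
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        http_response_code(500);
        return;
    }
    include $path;
}

renderSafe($_GET['page'] ?? 'home');

/* Matching php.ini settings (assumed hardening, not BJM's configuration):
 *   allow_url_include = Off          ; no include() of http:// or ftp:// sources
 *   allow_url_fopen   = Off          ; unless a feature genuinely needs it
 *   open_basedir      = /var/www/app ; confine PHP's filesystem access
 */
```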
The server was heavily fortified with industry standard encryption, and long passwords and secret keys, yet the hacker managed to decrypt every password and unlock every vault. They did this by scavenging the code for lost keys.
They found plenty.
The code above holds the key to SQL database administration privileges, and in the one below the password is shown just beneath a warning about hardcoding passwords.
A chain is only as strong as its weakest link. RSA encryption is said to be uncrackable unless you own the private keys. Private keys should ideally never be placed on a public server, and if they are, they should be encrypted with another key that is stored on another server. In this case, the RSA keys were stolen with a simple shell command.
Now that the hacker had all the keys, he could take a quick dump, of the MySQL server of course.
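One way to keep credentials and private keys out of the code and off the web root, as an added example rather than anything from BJM's servers. It loads secrets from a directory outside the document root, refuses to start if a secret file is readable by other users, and unlocks the RSA key with a passphrase that lives elsewhere. Paths and environment variable names are assumptions.

```php
<?php
// Added example, not the BJM code. Secrets live outside the document root,
// owned by the service account with mode 0400. Paths are assumptions.

const SECRETS_DIR = '/etc/app/secrets';

function readSecret(string $name): string
{
    $path = SECRETS_DIR . '/' . $name;
    $st = @stat($path);
    if ($st === false) {
        throw new RuntimeException("missing secret: $name");
    }
    // Fail closed if group or world can read the file, as ssh does for keys.
    if (($st['mode'] & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            '%s is readable by other users (mode %04o)', $name, $st['mode'] & 0777
        ));
    }
    $value = file_get_contents($path);
    if ($value === false || trim($value) === '') {
        throw new RuntimeException("empty secret: $name");
    }
    return trim($value);
}

// Database password: read at startup, never written into the source tree.
$dbPassword = readSecret('db_password');

// RSA private key: kept encrypted on disk and unlocked with a passphrase
// supplied by the service manager (e.g. systemd) as an environment
// variable, so a copied key file alone is useless to an intruder.
$passphrase = getenv('APP_KEY_PASSPHRASE');
if ($passphrase === false || $passphrase === '') {
    throw new RuntimeException('APP_KEY_PASSPHRASE not set');
}
$key = openssl_pkey_get_private('file://' . SECRETS_DIR . '/app.key', $passphrase);
if ($key === false) {
    throw new RuntimeException('cannot unlock private key: ' . openssl_error_string());
}
```

A code review for this class of problem is simple to automate: a search of the repository for string literals assigned to names such as password, secret or key finds exactly what the hacker found.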
The hacker now has the entire database and hordes of usernames and passwords. This might seem like the end, but there is much more to come. In his logs, the hacker reveals how he reads the IP addresses of the servers of the different jails across America that were connected to this rooted server.
What starts out as a website defacement quickly becomes a security breach of terrifying proportions. The hacker now knows the IP addresses of the other jails, and he also uncovers source code that works with the jail database. The code below, for example, sets the release date for an inmate.
The hacker now moves to the next server in line and methodically repeats the whole process again.
First Dump, then Wipe
Once the hacker has slurped every bit of information off the servers, he proceeds to do some cleanup. He destroys all the data on all of the servers using the rm -rf command. With this command he is literally deleting all 78 law enforcement websites.
BJM's servers were plagued with the worst security issues. A "script kiddie" could have managed to break in if he was determined enough. In this case the hacker was certainly very skilled. He executed every command with precision and for maximum damage. He did not linger too long, ransacked the servers completely and wiped all evidence before he left. This is the work of a specialist.
Operation AntiSec is starting to show just how vulnerable the web really is. Simple programming errors that are hard to detect can lead to a complete system compromise. In this particular case the hacker enjoyed picking at the so-called "low hanging fruit". A web vulnerability scan and a good code review of the troubled areas could easily have avoided such a devastating, high-profile breach.