The FOP Breach: Reading Between the Lines

As details emerge, there are lessons for us all to heed

By Elijah Woodward  |   Feb 4, 2016

Thomas White has recently been posting more information about the FOP breach, mainly quoting FOP President Chuck Canterbury and turning those quotes against Mr. Canterbury.

Mr. White has posted some of these quotes, along with responses, and these are leading us to some early clues as to how the breach may have happened. I’ve pulled a number of them from his site, and he refers to them as “myths.”

“Myth 4: A 0-day was used”

A “0-day” is the term for a bug or vulnerability that has not previously been seen in public. The software company that needs to fix it, or the antivirus product that needs to catch it, has therefore had exactly zero days to work on it. The scary part about computer viruses and bugs today is that it still takes a significant amount of time to fix them once they’re identified.

But no worries, there’s a market for these as well.

Some security researchers spend all day looking for these sorts of flaws in omnipresent products like Flash and Java. Once these are discovered, there are a number of options you can take next:

  1. Disclose it to the vendor so they can fix it
  2. Use it for your purposes
  3. Sell it for big bucks to various governments, antivirus companies, underground websites, or known traffickers in such things

In essence, what Mr. White is saying here is that no, this was not some previously unknown, ultra secret attack. This one was well known.

“Myth 3: The attack was sophisticated.”

Mr. White goes on to explain that this was not a sophisticated attack, and references something known as the OWASP Top 10. OWASP (Open Web Application Security Project) is a well-known security project that focuses on making the web safer. They maintain a top 10 list of things you should be checking in your organization.

Yes, it’s getting really geeky right now, but I want to draw your attention to item A1 – Injection.

Any time you log in to a website, it has to check what you’re telling it against the information already piled up inside its database. This involves a variety of languages, but the neat (and scary) part is that instead of entering your username, you can type in strings of code that will cause the database to do funny things, like cough up an entire list of all known usernames and passwords.

Warning: The following is an example. DO NOT use this on a website not your own. It’s the equivalent of jiggling keys in doors to see if you can break in to a house. It just might work, and that would be illegal.

For example, typing in “SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1” in the “username” field would tell the website, “Please give me all Usernames, Names, and Passwords from your list of Users. Thank you!”

This is a commonly known vulnerability (it’s #1 on the OWASP list), and you can even find lists of common SQL commands that you can use to see if your site is vulnerable.
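To make the injection point concrete, here is an added example (mine, not code from the article or from the FOP’s site) in Python with SQLite: the same `Users` lookup written the vulnerable way, with the visitor’s username pasted straight into the SQL text, beside the fixed, parameterised version. The table, the two sample users and the probe string are constructed for the demo. In practice the attacker types only the fragment (`' OR 1=1 --`) into the username field; it is the website’s own code that assembles it into the full SELECT statement the database then runs, which is why keeping the platform patched helps only for bugs in the platform itself, while custom login code needs parameterised queries.

```python
import sqlite3

# Constructed sample users for the demo (not real FOP data). Real systems store
# password hashes, never the password itself; plaintext here only keeps the demo short.
SAMPLE_USERS = [
    (105, "canterbury", "hunter2"),
    (106, "O'Brien", "s3cret"),
]


def build_db():
    """Create an in-memory Users table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The broken pattern: the username field is concatenated into the SQL text.

    Whatever the visitor types becomes part of the statement the database runs,
    so quotes and keywords in the input change the query's meaning.
    """
    sql = "SELECT UserId, Name, Password FROM Users WHERE Name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fixed pattern: a parameterised query.

    The SQL text is fixed; the driver passes the username separately as a value,
    so it is never interpreted as SQL, whatever characters it contains.
    """
    sql = "SELECT UserId, Name, Password FROM Users WHERE Name = ?"
    return conn.execute(sql, (username,)).fetchall()


def vulnerable_error(conn, username):
    """Return the database error the vulnerable lookup raises for this input, or None.

    A legitimate name containing an apostrophe (O'Brien) is enough to break the
    concatenated statement, which is also why such bugs show up in error logs.
    """
    try:
        lookup_vulnerable(conn, username)
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = build_db()
    # The "or 1=1" trick from the article, typed into the username field.
    # The "--" turns the rest of the statement (the closing quote) into a comment.
    probe = "x' OR 1=1 --"
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row comes back
    print("safe:      ", lookup_safe(db, probe))         # []: no user is literally named that
    print("O'Brien, vulnerable:", vulnerable_error(db, "O'Brien"))  # syntax error
    print("O'Brien, safe:      ", lookup_safe(db, "O'Brien"))       # the one matching row
```

Run it and the vulnerable lookup returns both users for the probe, while the parameterised lookup returns nothing, because the database compared the whole typed string against the Name column as plain text. The O’Brien case shows the second benefit of parameters: legitimate input with quotes in it works instead of crashing the query.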

Jeremy Hammond, who was involved in a previous FOP breach in Arizona, was also known for using SQL Injection attacks.

“Myth 6: A Pseudo-encryption key is used”

This comes from a quote last week when Mr. Canterbury said, “They were able to feed our system a pseudo-encryption key that the system should not have accepted but did because of software errors.”

Mr. White starts off his response with the statement, “What the actual fuck is a pseudo-encryption key?”

I hate to say it, but we lost credibility with this statement. This is one of those times when it would have been better for the FOP to say nothing, because when we demonstrate this level of ignorance, the sharks smell blood in the water.

Furthermore, Mr. Canterbury’s statement also sounds like an SQL Injection attack. If that’s true, it would mean the FOP site was felled by a well-known, well-documented vulnerability that’s easily avoidable through proper patching and maintenance of a website.

So How do I Avoid This?

The best way to avoid this sort of thing is to use the most up-to-date version of the software that’s running your databases and website. Talk to your IT guy and ask them the following questions:

  1. What do we use to run our website?
    a. Their response will sound like made-up gibberish; that’s okay. Drupal is a real word, trust me.
  2. What version are we running?
  3. What’s the most recent version available?

If their answers to 2 and 3 aren’t the same, ask why. If they try to use more gibberish and make you feel stupid, shame on them. Demand a better explanation. If the answer is that updating would break things and stop them working, you need to seriously consider doing something anyway, because out-of-date systems are a huuuuge vulnerability. Yes, that’s expensive. But it’s not nearly as expensive as a breach and a headline.

Elijah Woodward
Elijah Woodward is the owner of SavageCyberSpace.com, a security consulting company focusing on information and cyber security as well as physical security. He has 10 years of law enforcement experience working in patrol, motors, and community resources. He is a member of the FBI’s InfraGard program, and the High Technology Crime Investigator’s Association. Elijah believes that law enforcement is in a prime position to address the issues of cyber crime and fraud, and it will be cops at the local level who will have the greatest impact on these new crimes as they continue to plague our communities. Reach him at [email protected]