Computer Criminals Attack Police
The Age reports that computer criminals from an underground hacker forum broke into Australian Federal Police computer systems after the police infiltrated their group. And, according to The Age, it was all because the cops forgot to set a MySQL database password.
We may need to pass around the clue stick to everyone here. If the compromise was real, the police should have known better than to leave a database exposed to the Internet and unprotected by a password. The alleged criminals need to understand that drawing more attention to yourself after you already know you're under investigation is not the brightest thing to do.
Surely, the system could have been secured. It’s doubtful that it needed to be on the Internet in the first place. Or maybe, as some speculate in the article, it really was a honeypot designed to lure the not-so-bright (alleged) criminal into a trap. Maybe the police are a bit brighter than the bad guys give them credit for.
Let’s assume for the moment that this was an honest security blunder. It’s certainly the type of thing that happens every day. What’s the security lesson here and how could this have been prevented? In this particular case, two things come to mind:
- MySQL could listen on localhost or use a socket, by default.
- MySQL could require a decent password or heck, a password at all, to run. No password and the process aborts. For those that really want to live dangerously, they could pass a --stupid flag to run without a password.
Many security problems are preventable. Whether or not this was a honeypot, this can be used as a lesson for developers. Run secure by default and make the user choose to be insecure.
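Until the defaults change, the same check can be run from the outside. The following is an added example, not code from the article or from MySQL: a small auditor that reads a my.cnf-style file and reports a listener that is not confined to loopback, or authentication that has been switched off. The sample configs are constructed, and the function names are hypothetical.

```python
import configparser
import ipaddress

# Constructed sample configs for illustration (not from the article).
EXPOSED_CNF = "[mysqld]\nbind-address = 0.0.0.0\nskip-grant-tables\n"
LOCAL_ONLY_CNF = "[mysqld]\nbind-address = 127.0.0.1\nsocket = /var/run/mysqld/mysqld.sock\n"


def is_loopback(addr):
    """True only for addresses that cannot be reached from another host."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # '*', hostnames, etc. are treated as exposed


def audit_mysqld(cnf_text):
    """Return findings for the [mysqld] section of a my.cnf-style file.

    Include directives (!include, !includedir) are not supported here.
    """
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",))
    cp.read_string(cnf_text)
    opts = {}
    if cp.has_section("mysqld"):
        # MySQL accepts '-' and '_' interchangeably in option names.
        opts = {k.replace("_", "-"): v for k, v in cp.items("mysqld")}

    findings = []
    if "skip-networking" not in opts:  # TCP listener is enabled
        bind = opts.get("bind-address")
        if not bind:
            findings.append("bind-address unset: MySQL's built-in default listens on all interfaces")
        else:
            for addr in (a.strip() for a in bind.split(",")):
                if not is_loopback(addr):
                    findings.append(f"bind-address {addr} is reachable from other hosts")
    if "skip-grant-tables" in opts:
        findings.append("skip-grant-tables disables authentication entirely")
    return findings


if __name__ == "__main__":
    for name, cnf in (("exposed", EXPOSED_CNF), ("local-only", LOCAL_ONLY_CNF)):
        print(name, audit_mysqld(cnf) or "ok")
```

A config file cannot show whether individual accounts have empty passwords; that has to be checked against the running server's account table.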
Nice interesting post, a good read, thanks.