Archive for the ‘Secure Administration’ Category

Computer Criminals Attack Police

August 20th, 2009

The Age reports that computer criminals from an underground hacker forum broke into Australian Federal Police computer systems after the police infiltrated their group. And, according to The Age, it was all because the cops forgot to set a MySQL database password.

We may need to pass around the clue stick to everyone here. If the compromise was real, the police should have known better than to leave a database exposed to the Internet and unprotected by a password. The alleged criminals need to understand that drawing more attention to yourself after you already know you’re under investigation is not the brightest thing to do.

Surely, the system could have been secured. It’s doubtful that it needed to be on the Internet in the first place. Or maybe, as some speculate in the article, it really was a honeypot designed to lure the not-so-bright (alleged) criminal into a trap. Maybe the police are a bit brighter than the bad guys give them credit for.

Let’s assume for the moment that this was an honest security blunder. It’s certainly the type of thing that happens every day. What’s the security lesson here and how could this have been prevented? In this particular case, two things come to mind:

  1. MySQL could listen on localhost or use a socket, by default.
  2. MySQL could require a decent password, or heck, a password at all, to run. No password and the process aborts. For those that really want to live dangerously, they could pass a --stupid flag to run without a password.
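As an added illustration (this is example code written for this post, not anything from the original article or from MySQL itself), here is a small Python audit that checks for both failures above: a [mysqld] section that listens on every interface, and accounts in mysql.user that have an empty password. The my.cnf text, the account rows and the password-hash placeholder are constructed samples, not data from any real server.

```python
"""Audit a MySQL configuration and account list for the two "secure by default"
failures discussed above: a server bound to all interfaces, and accounts that
can log in with no password at all.

Example code added to this post (not from the original). The configuration
text and the mysql.user rows below are constructed samples."""
import configparser
from typing import List, Tuple

# Constructed sample: an exposed configuration of the kind the post describes.
EXPOSED_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
datadir = /var/lib/mysql
"""

# Constructed sample: the same server restricted to local clients only.
HARDENED_CNF = """
[mysqld]
# Only accept TCP connections on the loopback interface ...
bind-address = 127.0.0.1
# ... or refuse TCP entirely and serve local clients over the Unix socket.
skip-networking
socket = /var/run/mysqld/mysqld.sock
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_config(cnf_text: str) -> List[str]:
    """Return findings for the [mysqld] section; an empty list means OK."""
    # my.cnf is INI-like; allow_no_value accepts bare flags such as skip-networking.
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.read_string(cnf_text)
    if not parser.has_section("mysqld"):
        return ["no [mysqld] section found"]
    # MySQL accepts both spellings (bind-address / bind_address); normalise them.
    opts = {k.replace("_", "-"): v for k, v in parser.items("mysqld")}
    if "skip-networking" in opts:
        return []  # no TCP listener at all, so nothing is exposed to the network
    addr = opts.get("bind-address")
    if addr is None:
        return ["bind-address not set: server listens on all interfaces by default"]
    if addr.strip() not in LOOPBACK:
        return [f"bind-address {addr.strip()} is reachable from other hosts"]
    return []


def audit_accounts(rows: List[Tuple[str, str, str]]) -> List[str]:
    """rows are (User, Host, password hash) tuples as read from mysql.user;
    flag every account whose stored hash is empty, i.e. no password required."""
    return [f"'{user}'@'{host}' has an empty password"
            for user, host, pw_hash in rows if pw_hash == ""]


# Constructed sample rows, in the shape a query such as
#   SELECT User, Host, Password FROM mysql.user;               (MySQL 5.6 and earlier)
#   SELECT User, Host, authentication_string FROM mysql.user;  (MySQL 5.7 and later)
# returns. The hash value is a placeholder, not a real credential.
SAMPLE_ACCOUNTS = [
    ("root", "localhost", ""),
    ("root", "%", ""),
    ("app", "localhost", "*PLACEHOLDER_HASH_OF_A_REAL_PASSWORD"),
]

if __name__ == "__main__":
    for label, cnf in (("exposed", EXPOSED_CNF), ("hardened", HARDENED_CNF)):
        print(label, audit_config(cnf) or ["OK"])
    print("accounts", audit_accounts(SAMPLE_ACCOUNTS) or ["OK"])
```

Run it as-is to see the exposed sample flagged and the hardened one pass; to audit a real host, feed audit_config the contents of the server's my.cnf and audit_accounts the rows from one of the two queries in the comment.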

Many security problems are preventable. Whether or not this was a honeypot, this can be used as a lesson for developers. Run secure by default and make the user choose to be insecure.

The Key to Yahoo! Mail: Domain Keys

August 10th, 2009

For some time now I have had problems with Yahoo! accepting mail from the domains I manage and marking the messages as spam. They continued to blackhole me despite having never been an open relay, having a valid PTR record, having a valid SPF record, not sending any spam or mailing list e-mail, sending to and from only a few select people and having nothing in the message body that could possibly be considered spammy. Only Yahoo! has problems with the server. Everyone else seems to think I’m an OK guy.

Several attempts to resolve the situation fell on deaf ears. Several times I dutifully filled out the forms and provided all the details requested. I even requested to not receive a scripted response, hoping a human being worked somewhere at Yahoo!. The experience led me to conclude one of two things: either they really don’t care at all about letting you know how your mail server offends them or the place is so (in)efficient that the machines have risen and killed off all the humans, only to run Yahoo! all by themselves.

It seems that I have now appeased the Yahoo! mail gods. Yesterday, I implemented Domain Keys using the excellent guide over at Brandon Checketts’ site. Yahoo! now considers me worthy of sending mail to their underlings. I can only hope that I continue to please the Yahoo! gods, for they are all powerful.