FBI Breached: “Lazy” Security and an Outdated Operating System
The FBI’s website has apparently been breached recently by a security cracker who goes by the Twitter handle @CyberZeist. CyberZeist claims to have breached and cracked the security of FBI.gov and to have obtained sensitive information. On December 22, 2016, the security cracker also exposed a zero-day exploit in the Plone CMS software used to host the FBI website’s content; the flaw was located in a Python module used by Plone. CyberZeist also dumped 155 stolen credentials on Pastebin.
[Embedded tweet by CyberZeist (@cyberzeist2), December 22, 2016]
According to the security cracker, the National Intellectual Property Rights Coordination Center and the European Union Agency for Network and Information Security can also be breached. As of December 31, the FBI site was indeed down.
[Embedded tweet by CyberZeist (@cyberzeist2), December 31, 2016]
Because the website appeared to be hosted in a virtual machine, he was unable to gain “root” access. CyberZeist did, however, manage to obtain information about the underlying server. The server was running FreeBSD, another free, libre and open-source operating system related to GNU/Linux, since both descend from UNIX. In theory FreeBSD is more secure than GNU/Linux, but the server was running a very old version, FreeBSD 6.3; FreeBSD is now on versions 11 and 10.3. FreeBSD 6.3 officially reached “end-of-life” and became completely unsupported by the FreeBSD community on January 31, 2010. This is the equivalent of still using Windows XP or Windows Server 2003 in 2016.
CyberZeist has also stated that the exploit is up for sale on the dark net, but will not disclose any details until it is available for purchase.
[Embedded tweet by CyberZeist (@cyberzeist2), December 27, 2016]
CyberZeist also stated that the FBI’s webmaster has an extremely lazy attitude: the backup files were stored in the same folder as the site’s document root. This means that anyone who had cracked the server, not even as root but merely as a user with permission to edit the www files, would have had complete access to everything the FBI hosted there, and could potentially have destroyed any chance of restoring from a backup.
This is definitely a tremendous embarrassment for the FBI, which is supposed to be an expert in cyber security, seeing as it broke a few things taught in “IT 101”: 1) keep your software stack up to date by updating at least once a month; 2) store your backups elsewhere; 3) keep up to date on Common Vulnerabilities and Exposures (CVE) as they are released. I know these are lessons we have to take completely to heart at Being Libertarian, seeing as I have to design, maintain, and implement all of the infrastructure we use. The most embarrassing part is that a decent systems administrator should have a migration plan ready when a software stack is about to reach end of life, and security updates can be completely automated.
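Both of the points above, a backup sitting inside the document root and the “store your backups elsewhere” rule, come down to a check that any administrator can script. The following POSIX shell script is an added example, not code from this article or from anyone involved in the incident; the directory layout, file names and backup-name patterns it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or from CyberZeist: audit a web
# document root for backup artefacts (the mistake described above) and
# check that the real backup location sits outside that root.
# All paths and file names used in the demonstration are constructed.

# File-name patterns that hand-made backups commonly leave behind.
# Extend the list to match whatever your own tooling produces.
BACKUP_PATTERNS='*.bak *.old *.orig *.tar *.tar.gz *.tgz *.zip *.sql *.sql.gz *~'

# find_backup_artifacts DOCROOT
# Prints every regular file under DOCROOT whose name matches one of the
# patterns above, one path per line, sorted and de-duplicated.
find_backup_artifacts() {
    docroot=$1
    set -f    # keep the shell from glob-expanding the patterns themselves
    for pat in $BACKUP_PATTERNS; do
        find "$docroot" -type f -name "$pat"
    done | sort -u
    set +f
}

# backup_dir_is_outside DOCROOT BACKUPDIR
# Exit 0 when BACKUPDIR (after resolving symlinks) is neither DOCROOT nor
# below it, 1 when it is, 2 when either directory cannot be entered.
backup_dir_is_outside() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    backup=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$backup/" in
        "$docroot"/*) return 1 ;;   # same directory, or nested inside it
    esac
    return 0
}

# audit_docroot DOCROOT BACKUPDIR
# Prints each finding and returns 0 for a clean layout, 1 otherwise.
audit_docroot() {
    status=0
    artifacts=$(find_backup_artifacts "$1")
    if [ -n "$artifacts" ]; then
        echo "backup artefacts reachable through web root $1:"
        echo "$artifacts" | sed 's/^/  /'
        status=1
    fi
    backup_dir_is_outside "$1" "$2"
    rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "backup directory $2 is inside (or is) web root $1"
        status=1
    elif [ "$rc" -eq 2 ]; then
        echo "cannot resolve $1 or $2"
        status=1
    fi
    return $status
}

# make_sample_tree
# Builds a constructed layout in a temporary directory and prints its path:
#   www/index.html              served content
#   www/site-backup.tar.gz      backup dropped into the document root
#   www/db/dump.sql             database dump, also web-reachable
#   backups/site-backup.tar.gz  a copy in a proper, separate location
make_sample_tree() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/www/db" "$base/backups"
    echo '<html></html>' > "$base/www/index.html"
    : > "$base/www/site-backup.tar.gz"
    : > "$base/www/db/dump.sql"
    : > "$base/backups/site-backup.tar.gz"
    printf '%s\n' "$base"
}

# Demonstration on the constructed tree.
sample=$(make_sample_tree)
if audit_docroot "$sample/www" "$sample/backups"; then
    echo "layout is clean"
else
    echo "findings listed above: move or delete them before the host is exposed"
fi
rm -rf "$sample"
```

Run audit_docroot against the real document root and backup location from a cron job or a deployment step and fail the deploy on a non-zero exit. Anything the script lists is readable by whoever can reach the web server, and a backup that exists only inside the web root is lost together with the site it was meant to restore.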
CyberZeist also released a statement on the incident on Pastebin:
I am being contacted by many media agencies with weird questions related to the recent FBI hack released on 1st January 2017 – http://pastebin.com/5vwz6Wj4
This statement is a justification for all those questions.
Many news outlets are asking me questions like whether my primary goal was to degrade the image of the organization behind Plone CMS development, as it is considered the most secure CMS to date with no vulnerability at all. This question is totally irrelevant, as I have been in the hacking scene since 2011 working under the “Anonymous” umbrella and I hack the targets purely out of my own motivation. So, I am not influenced by any organization that wants to degrade the image of the Plone Organization. I just leaked out the details that I received after using the attack vector. I am not aware of any technical details of how Plone works internally. So please, do not ask me the technical details related to the inner workings of this CMS; you can test and see for yourself once I release the 0day vector.
Also, stating that Plone CMS and its derivatives (currently used by FBI) are 100% hack proof is false as they had a few vulnerabilities in the past –
(these may be old, but the current 0day is closely related to them. The 0day I was given to test out was specifically for Local File Inclusion and Path Traversal exploits)
Regarding Plone 0day validity:
Secondly, I am being asked to release the 0day Plone CMS vulnerability to prove its credibility and validity. First of all, as I have already stated, I am not the one who discovered this 0day myself. I was contacted by a 0day vendor with the handle “lo4fer” over the Tor network who asked me to test out the 0day on active websites using Plone and its DERIVATIVES. The FBI hack was done to test out the vulnerability. So I cannot disclose the 0day vector myself until this exploit is no longer being actively sold or is rendered obsolete. Thus I will release the 0day myself via Twitter and a few selected security news portals once this 0day is not on sale or is rendered obsolete. So please wait a few days; once this 0day is obsolete, I will release the 0day as a proof of validity. I cannot break the negotiation code and release the 0day myself at this point, as the vendor shared the 0day in exchange for my real identity as a token while handing the 0day vector to me.
PS: Please stop blaming the people who are not involved in this hack, I alone have the sole responsibility to prove the validity of this 0day and NOT ANYONE ELSE!!!!
Lastly, I want to add that I could have released this leak only under my name and not under the name of ANONYMOUS. This was done to revive the lost image of Anonymous, which has gone silent for the last few years. And I am grateful that I received a good amount of support from the Anonymous Family, as the mainstream media declined to even publish the hacks in the first place.
Let’s also remember that the FBI, among others, claimed Russia was behind the DNC and Hillary Clinton breaches (both of which are not true). How exactly are we supposed to believe what they say about cyber security when they can’t even abide by common sense in the IT world?