The policy that helped Anonymous hack AAPT

Anonymous' theft of data from a dormant AAPT server might not have been possible had the telco used a different host. AAPT has said the ColdFusion server Anonymous accessed was, essentially, forgotten. In its unpatched state it was easy meat. One question the Anonymous incident therefore raises is just why the …

COMMENTS

  1. Aaron Em
    Thumb Down

    Can't speak for anyone else, but as long as someone's paying for it, we'll keep hosting it. Why not? We've got better ways to spend our time, for which our clients pay, than bothering our paying clients to find out whether or not they want us to keep doing what they're still paying us to do. Clients who'd like us to consult with them on the subject of information security generally go to the trouble of asking our rates for doing so; the rest, in my experience, won't listen, no matter what we suggest.

    1. Matt Bryant Silver badge
      Boffin

      Re: Aaron Em

      Not just hosted VMs, to be honest. Several of the companies we've borged have been unable to tell us how many physical servers and storage devices they have on their own LANs, let alone what they have in outsourced or hosted environments. The worst was a company that had built a new DR datacenter but forgot to stop the payments for the old hosted DR facility for almost a year. It's also quite common to run support contract reviews and find some numpty PM is still forking out for vendor support on test and dev boxes that were decommissioned and returned to the respective vendor or scrapped earlier in the year. Support contracts in the name of some bod in Purchasing seem to be the commonest way for this to happen.

      1. Aaron Em

        Re: Aaron Em

        One thing I'll note, it must be bloody lovely to work for a company that can let that kind of money fall out of its pockets and never even bother to notice it's gone. Here's me, who has only just got a new workstation after using the same receptionist-grade Dell desktop for six bloody years, and then only thanks to an out-of-state client going into receivership with two months' unpaid colocation bills and three shit-hot boxes* still in our racks, and who in God's name are these people, and where do they get their money from?

        ...of course, on reflection, I suppose this may go some way to explaining why your company bought theirs --

        * HP xw8200s, each with dual 3GHz Xeons, 4G RAM of 16G max, and three terabytes of disk on 3ware 9650SE SATA RAID controllers, and I tossed in a spare 250G Maxtor to boot off of. Mine has a Quadro FX 1400, too, which is not bad for free; the other two have got crap video, which fussed the air-conditioning load no end, but too bad for him; if he wanted it that badly, he should've made sure he got hold of it before I did, and it's not like he really needs it to render Twitter and Facebook, anyway.

        1. Matt Bryant Silver badge
          Meh

          Re: Aaron Em

          ".....a company that can let that kind of money fall out of its pockets and never even bother to notice it's gone....." You'd be surprised at how tight they are at the same time on stuff they find easier to track, such as printer paper, coffee in the kitchens and payrises/bonuses.

          1. Aaron Em

            Re: Aaron Em

            I suppose I would be surprised, having had the good fortune of working for an actual, honest-to-God human being for the last decade or so.

            He's probably going to retire soon, though, assuming he can find a buyer for the business, and I don't know what the hell I'm going to do then -- the experience, however valuable, has most likely left me entirely unsuited for putting up with the nonsense I gather inheres in a corporate environment.

            1. Destroy All Monsters Silver badge
              Devil

              When antimatter and dark matter collide!

              Streetwise kids Aaron Em and Matty in the same thread?

              I expected more fireworks.

              1. Aaron Em
                Happy

                Oh, goody! I've got an admirer!

                Always nice to be appreciated.

            2. Tom 13
              Happy

              Re: He's probably going to retire soon

              Simple solution: work with him and a financier to buy the company from him. If it works, you'll never have to worry about your boss again.

  2. Christoph
    Boffin

    It could go the other way

    That policy of removing unused servers is fine until the message to the customer goes astray and doesn't reach the right person in time, and a vital server gets removed and deleted.

    Both policies have problems. Something more detailed and resilient is needed.

    1. Tom 13

      Re: It could go the other way

      Both policies are fine, it's just that punters need to read them and understand their risks.

      If punters can't be arsed to do that, I don't see that vendors with either policy should care what happens to their data.

  3. Nate Amsden

    This is the worst in EC2

    Orphaned VMs are way too common. At one company I was at, I terminated more than 200 EC2 instances that were orphaned (high turnover, lack of documentation and no sense of direction were the main drivers). I think that was around $80k/mo in costs. It was like pulling teeth to get anything more than the most trivial stuff approved to purchase, but they didn't bat an eye when we said we needed more VMs that would add another $5k/mo to the EC2 bill (actually we never asked, we just did it; they never complained, well, until they started across-the-board cost cutting). They just didn't pay attention. I'm sure this is an edge case (as to the scale) rather than the norm.

    There were probably half a dozen VMs that I terminated at the time that were dead, and had been dead for months most likely (can't ping etc.), but still listed in a RUNNING state, so I imagine they were still being billed for.

    Despite the high level of certainty, it was still scary to hit the magic button and turn 200 systems off. I still feared there was something out there that was using one or more of them, but in the end nobody noticed.

    The worst part though for EC2 is, unlike your own hosted stuff, for the most part you can't just turn a VM off and wait for someone to bitch to you and then turn it back on (BOFH). Once you turn them off, with very rare exceptions they are gone for good (at the very least the IP addresses etc.). I was shutting down a pair of Zeus load balancers in EC2 a few days ago that use Elastic IP to keep high availability (migrated the last of our shit out a month ago). Zeus has the ability to self-terminate, but apparently when that happened it released the Elastic IP back to the cloud and the backup Zeus couldn't get access to it anymore, so we had to go kill it manually. Stupid thing...

    At least with internal virtualization you can easily shut stuff off, wait for complaints, or dramatically bring down the CPU/memory resources of VMs that seem to have gone idle with little effort. My VMs for the most part have maybe 5-15GB of written disk space/VM, so disk space isn't much of a concern, not a lot of waste.
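A practical check for the orphan problem described in the post above, added here as an example and not part of the thread or of any cloud provider's tooling. It scores an inventory of instances against three signals a practitioner would actually use before hitting the "magic button": the instance is old enough to judge, it lacks an owner tag, and nothing has been able to reach it for weeks (the "RUNNING but can't ping" case). The instance records, IDs, tag names, hourly prices and the fixed clock are all constructed for illustration; the `last_reachable` field is not something a cloud API returns, it has to come from your own monitoring or ping data, and the functions are meant to be fed a real inventory export rather than the sample list.

```python
"""Flag candidate orphaned cloud instances from inventory data.

Added example, not code from the original thread. The records below are a
constructed, trimmed-down stand-in for a describe-instances export joined
with reachability data; no API is called.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the results are reproducible (constructed value).
NOW = datetime(2012, 8, 20, tzinfo=timezone.utc)

HOURS_PER_MONTH = 730  # common billing approximation for a month

# Constructed sample inventory: hypothetical IDs, tags and hourly prices.
INSTANCES = [
    {"id": "i-0a1", "state": "running", "type": "m1.large",
     "launched": NOW - timedelta(days=400), "tags": {},
     "last_reachable": None, "hourly_usd": 0.32},
    {"id": "i-0a2", "state": "running", "type": "m1.small",
     "launched": NOW - timedelta(days=30), "tags": {"Owner": "web-team", "Service": "api"},
     "last_reachable": NOW - timedelta(hours=1), "hourly_usd": 0.08},
    {"id": "i-0a3", "state": "running", "type": "c1.xlarge",
     "launched": NOW - timedelta(days=200), "tags": {"Owner": "alice@example.com"},
     "last_reachable": NOW - timedelta(days=95), "hourly_usd": 0.66},
    {"id": "i-0a4", "state": "stopped", "type": "m1.large",
     "launched": NOW - timedelta(days=500), "tags": {},
     "last_reachable": None, "hourly_usd": 0.32},
    {"id": "i-0a5", "state": "running", "type": "m1.medium",
     "launched": NOW - timedelta(days=10), "tags": {},
     "last_reachable": NOW - timedelta(hours=2), "hourly_usd": 0.16},
]


def orphan_reasons(inst, now=NOW, min_age_days=14, dead_days=30, required_tags=("Owner",)):
    """Return the reasons an instance looks orphaned; an empty list means it looks fine."""
    reasons = []
    if inst["state"] != "running":
        return reasons  # not consuming compute hours; review stopped instances separately
    if now - inst["launched"] < timedelta(days=min_age_days):
        return reasons  # grace period: fresh launches are often untagged and unmonitored
    missing = [t for t in required_tags if t not in inst["tags"]]
    if missing:
        reasons.append("missing tags: " + ", ".join(missing))
    last = inst["last_reachable"]
    if last is None:
        reasons.append("never reachable since launch")  # "RUNNING" in the console, dead on the wire
    elif now - last > timedelta(days=dead_days):
        reasons.append(f"unreachable for {(now - last).days} days")
    return reasons


def find_orphan_candidates(instances, now=NOW, **policy):
    """Return (candidates, estimated monthly waste in USD), costliest candidates first."""
    candidates = []
    for inst in instances:
        reasons = orphan_reasons(inst, now, **policy)
        if reasons:
            candidates.append({
                "id": inst["id"],
                "monthly_usd": round(inst["hourly_usd"] * HOURS_PER_MONTH, 2),
                "reasons": reasons,
            })
    candidates.sort(key=lambda c: c["monthly_usd"], reverse=True)
    total = round(sum(c["monthly_usd"] for c in candidates), 2)
    return candidates, total


if __name__ == "__main__":
    cands, total = find_orphan_candidates(INSTANCES)
    for c in cands:
        print(f"{c['id']}: ${c['monthly_usd']}/mo  - " + "; ".join(c["reasons"]))
    print(f"estimated waste: ${total}/mo")
```

The output is a review list, not a kill list: the point of the grace period and the separate reasons is to give someone a chance to claim an instance before it goes. Where the instance is EBS-backed it can be stopped rather than terminated as a first step, which preserves the root volume and gives the "wait for someone to complain" window the post says EC2 otherwise denies you; instance-store instances cannot be stopped, so for those the only safe precaution is to snapshot or image them before termination.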

  4. Anonymous Coward

    Lost servers on a LAN ARE a big deal. One still gets credentials from them, and they're also great for passive attacks like traffic-sniffing, not to mention persistent access to the LAN.

    Also, more likely to be vulnerable to priv esc.

  5. Anonymous Coward

    "in the end nobody noticed."

    Have you done quarter end processing? Year end processing?

    You'll probably be OK anyway, but...

  6. Anonymous Coward

    I think this is a silly complaint that misses the point.

    It doesn't matter whether your provider decommissions servers automatically for you after a certain number of months, or leaves them running indefinitely; what really matters is whether it's your responsibility or theirs to keep the security patches up to date. As far as I know, with pretty much all hosting in the world, it's yours, not theirs; some SaaS services (e.g. blog hosting platforms) take responsibility for upgrading the platform software, but if you're running your own servers with whatever-choice-of-software-you-want-to-install, it's up to you to make sure it gets patched. Three months running unpatched software is just as deadly as N years given the prevalence of 1-day attacks, so I don't think automatic decommissioning is any real security improvement.

  7. joe 4

    melbourneit=fucking clownshoes

    As a "customer" of these clownshoes motherfuckers for over 5 years, 9 domains, well and truly 20 serious cockups attributable directly to their "e-specialists", and particularly over the last fortnight where a CNAME entry took everything, our domain, all our email, and everything else, for over 4 days, I have no conclusion but that these guys have no fucking idea what they are doing despite claiming to be Australia's largest hosting site. The only barrier to us moving to another provider is the inconvenience and inevitable incompatibility of whatever the fuck email format they are using with a provider that knows what they're doing. Any tips on moving from melbit to anywhere else would be appreciated.

  8. Wombling_Free
    Facepalm

    They've been like that forever

    Something to do with having a monopoly on .au eh?

    Ever wondered why more and more Australian businesses are .com?

    Dealing with those fucktards actually made me think godaddy looked professional. At least they are cheap, and haven't ever gone snafu on me.

    1. Anonymous Coward

      Re: They've been like that forever

      "Dealing with those fucktards actually made me think godaddy looked professional. At least they are cheap, and haven't ever gone snafu on me."

      Heresy! Godaddy is the antichrist.

  9. dhcp pump
    Mushroom

    El Reg a bit slow

    El Reg, no mention of the fact that these hosting servers were also hosting, cough, SIO and Police Records.

    Security 542 (& 101) for the feds is required.

    Although self-righteous, those Anon crowd are making a point with the pathetic security of the public's information.

    Most of the public service don't understand how the cloud works...

    Sack 'em.

    1. Matt Bryant Silver badge
      Boffin

      Re: El Reg a bit slow

      ".....no mention of the fact that these hosting servers were also hosting cough SIO and Police Records...." And there is no proof that those public services were compromised. For all you know they could have had completely different networks, systems and security rules for the public services that made hacking into them from the other customers' systems unlikely. Indeed, it is more likely they weren't because we know from previous Anon activity that they love screaming about any "success" to stroke their egos, and actually being able to hack the public services would have been too much for them to resist crowing about.

      1. dhcp pump
        Flame

        Re: El Reg a bit slow

        http://www.theregister.co.uk/2012/08/12/anonymous_data_digging_downunder/

        Must have the dirt first and then the tools before you dig.

        And what disclosure policy do you think they have? It's not like the public domain, and it's all after the fact by a lead time of 30 days at a minimum, if at all.

        Much like the LTPT and the private keys previously lifted from the company that generated and protected the keys: how many sites and secure areas do you think that affected? And the question again is, what was the disclosure period?
