Dutch intelligence agency AIVD hacks internet forums (nrc.nl)
The Dutch intelligence service - AIVD - hacks internet web fora to collect the data of all users. The majority of these people are unknown to the intelligence services and are not specified as targets when the hacking and data-collection process starts.
Apparently what they do is get direct access to the mysql databases backing fora and then just download the entire thing.
38 comments
[ 0.23 ms ] story [ 90.4 ms ] threadaka forums
Although, only the title of this thread is 'internetfora', while the article has separated it into two words.
I'm Dutch myself and I knew that the AIVD tapped a lot, but mining data from forums?!
I wouldn't be surprised to learn that it has become more a sport than a national security measure by these agencies. They have gone cocky, so to speak, thinking that because they are government agencies they are above the law that regular hackers supposedly are not.
Does this really worth the cost, compared to something like making friending bots on social networks and weight analyzing content for keywords ?
I suppose their definition of forum should be considered, here. Do we speak of the canonical form of a forum, like a punBB powered website, or is any website aiming to allow people to chat a forum ?
An example would be the British National Front and BNP (both right wing extremist groups) setting up an animal rights group which mostly campaigns about slaughter methods, especially ritual slaughter.
Some animal rights groups are also extremist. (Digging up corpses; setting incendiary[1] devices which burnt down several large departments stores; setting fires to trucks and truck depots; etc.)
Monitoring these groups makes some kind of sense. So long as police keep that data secure, and it's only used for legitimate law enforcement and isn't used to tarnish reputations or stifle lawful campaigning.
[1] The intent was to cause water damage by triggering sprinkler systems. The fact the sprinkler systems didn't work, allowing the stores to burn down is worrying. This, and IRA bombing campaigns, is one reason that pockets come stitched shut now. The well dressed man / woman will have a stitch ripper to remove these closings, but it's surprising to see how many people have never heard of stitch rippers.
According to the document the Dutch “are looking at marrying the forum data with other social network info, and trying to figure out good ways to mine the data that they have.”
The posts for one individual on one forum are maybe not that interesting. But by connecting this data to the data of his/her other internet activities, you get the total information awareness idea. E.g. Facebook, Gmail, other forums accounts, Whatsapp messages, websites visited etc.
I would assume the same for forcing passwords out of people, something which is still supposed to be illegal in the Netherlands but isn't. The AIVD and MIVD have the right to do this.
I've got one question though: does anyone know what they mean with "They acquire mySQL databases via CNE access." What is CNE?
I think that gathering such large amounts of data, allows you to do very specific sentiment analysis on specific groups of the population, in addition to twitter and facebook having fora access is a big deal.
All these are speculations of course. Our agencies are guided by people and more often than not inadequate people. They might be collecting data just because the NSA does it, with no specific purpose. Data just waiting to be abused by someone in a position of power.
Governments are to serve the people and we cannot blindly trust them with power regardless of how they're formed. As long as people continue to subscribe to scaremongering for terrorism, the terrorists have already won anyway. The surveillance states of late have powers blown way out of proportion. They ought to save lives in face of threats, not save lives for retrieval by automated data systems. I have no problems with the former, but I do very much have problems with the latter.
A lot of forums like phpBB are installed via cPanel and may have default passwords and not be secured fully.
If you have a machine in the ISP, which just means renting 1 machine per ISP, then scan the local IP ranges for open MySQL ports... or more nefariously scan for Memcached as that is hardly ever secured.
Then use the default credentials or the credentials stolen from Memcached to access MySQL.
You're dealing with a known set of forum software, probably phpBB, Vanilla, vBulletin and Invision. So you only need to map out a few schema to be able to make sense of hundreds if not thousands of sites.
Forums are slow moving, even the big ones only have a few thousand to low tens of thousand of posts per day... and your rented machine could easily poll for differences and send it back to HQ.
This is all just speculation of course, but it wouldn't surprise me that this is how it was done.
From the original article:
> “They use sweeps to collect data from all users of web forums. The use of these techniques could easily lead to mass surveillance by the government.”
Which implies that they are not scanning traffic constantly but are instead performing a sweep across the fora and gathering all data. Which implies querying the databases on a schedule and pulling info as the full dataset nevers exists in the ephemeral traffic.
> “They acquire MySQL databases via CNE access”
Which states that they exploit something on the network to "acquire" the data from MySQL databases.
Those two things together suggest periodic access to the databases.
And given the previous behaviour from accessing networks and hardware without permission of the companies operating on those networks (the Google dark fibre intercept) it isn't too much of a stretch to imagine a similar scenario that could give them access to these databases without asking first.
And the easiest way to get access to a large volume of forums would be to use a common platform as the attack point: A common deployment (cPanel, Plesk, etc) or a common technology that could give up credentials (memcached).
Of course they could use a vulnerability in MySQL, but I bet that's harder work than just trying default passwords or pulling credentials from the unsecured memory cache.
I believe the Dutch are not being screwed by their government, but simply by inadequate control on its intelligence agencies. The government can fix this.
It is basically to subvert the effective functioning of the democratic system in a subtle but perfectly legal manner, by manipulating the information fed to the public and actively shaping the public mood in the desired manner
PS. A lot of it happens on HN and Reddit.
That's one reason I post under my own name; anonymity wouldn't buy me much anyway. Even in forums where I'm technically anonymous, I don't try hard to preserve any secrecy about my identity. It's more a matter of "There's a culture here of intemperate posts protected by anonymity, so if you notice me posting there, please also understand that I might be responding in kind."
(i) correlating social graphs (ii) correlating likes/dislikes/reviews etc. across different networks. (iii) Lots of data to do (i) and (ii)
And it's still difficult to do for random people on the internet (as opposed to the NSA or serious attackers such as those willing to put in the effort to crawl and analyze the entire linkedin graph.) I believe deanonymization based on just textual analysis is still a little bit of an academic effort.
Anonymity does buy quite a bit - especially on a forum like HN - where there isn't a social graph and the like/dislike information is private.