The post is kind of confusing. Are they suggesting someone called in a bomb threat to clear out their building, giving intruders some time to get in and grab an admin's phpBB database backup without worrying about incident responders?
If so, sounds like some pretty dedicated attackers.
In theory, it sounds like the goal of the SWAT was to clear the building of employees, and break into the target server, while no one would be sitting at an office workstation, and thus rendered incapable of disrupting the attack. It sounds like all that effort actually worked.
So then, after everyone returned to the office, staff discovered the intrusion, and they performed a password reset for anyone who hasn't changed their forum password since 2010.
But! Were the forum credentials valuable? Do people do things like mine bitcoins with their hosting? Is the PHPBB MySQL database isolated from all other user credentials, or is there overlap?
The only credentials that were accessible were hashed forum passwords from the time of the restore (all of which have been revoked), and forum accounts are not linked to any other Linode systems.
"SWATing" is a common "prank" skids pull. Good money says the attacker did it for the same reason they stole the db (they can), you guys are hugely over-thinking this.
See I thought so at first too, but the phrasing of "Not so coincidentally" plus the below phrase is in the future-perfect seems to intimate that the two are related
We will be discussing new security policies to address scenarios like this.
Tangentially, that's the future continuous ("We will be discussing..."), not the future perfect (which would be, e.g., "We will have been discussing...").
I've read the article twice and still don't understand what the story is or what is being implied. Are they saying that whoever hacked into their database had the office SWAT'ted as part of the attack? Can anyone with more knowledge of this describe why having the office vacated would benefit the attacker?
For being a blog post that is supposed to illustrate their new transparency regarding security issues, it sure seems cryptic.
"Not so coincidentally, an old personal server had a database accessed using old forum credentials obtained from the incident last year."
That either means that the attacker used the data on the compromised server to SWAT them, OR that the SWAT team used their physical access to access the server. Anything else would make the SWAT visit and the server compromise a coincidence, and they make it clear that it is not.
....I'm very confused.
Edit: Or the attacker used the SWAT visit to prevent Linode from stopping the server compromise? I guess that makes some sense, although it seems like an awfully large precaution to take for a phpbb forum. I know of attacks on financial networks and banks where one attack (ie, DDoS on public website) was used to distract from the "real" attack on the money wire system or whatever. But to SWAT someone to distract from compromising a FORUM? Doesn't add up to me; the forum hack is basically just a prank, but the SWAT team visit is hugely more serious.
I'm just confused at how having the Linode staff out of the office would have allowed the attack to go forward whereas having them in the office would have prevented the attack? Is there a Linode staff member who would have been watching in real-time for database connections to the server in question?
Perhaps the SWAT had nothing to do with making the attack easier, but was rather just something the attack did coincidentally as some kind of message or prank and has since taken credit for.
> "Not so coincidentally, an old personal server had a database accessed using old forum credentials obtained from the incident last year."
> That either means that the attacker used the data on the compromised server to SWAT them, OR that the SWAT team used their physical access to access the server. Anything else would make the SWAT visit and the server compromise a coincidence, and they make it clear that it is not.
Or that whomever just recently found the old data decided to post it at the same time as SWAT'ing Linode, to make it harder for them to do damage control, hoping everyone would be up in arms, complaining about how Linode doesn't communicate, they have no transparency, etc.
Sometimes the means of remote access do require visibly moving the mouse and opening windows and the like on a target, though. SWATing is easy to do and keeps pesky staff from noticing.
Do you seriously don't know what "swatting" means? Somebody called SWAT on them, while he hacked into that machine. Nowhere was said that a SWAT operative was the hacker.
IIRC, the term swatting stems from the eighties, perhaps even earlier by phreakers and such. It could be that it's more popular now, since there are more hackers/douchebags on the internet now than there were then.
I know what swatting means but they didn't say they were 'swatted' in the post, only that SWAT turned up. Reading it that they were swatted makes more sense but the post was ambiguous and it seemed to make more sense the other way.
As far as I can tell the passwords for phpbb are hashed with md5. Could someone correct me if I'm wrong? And if this is the case, this is a much larger issue, and warrants more of a response than simply reseting the password and burying it in a blog post about something else.
I'm suspecting the attacker infiltrated the server and left a note on the server for the admins to read. The note might have mentioned that an explosive is in the building. Upon reporting the breach (along with the note) to the authorities SWAT was called out as a precautionary measure even though they were all suspecting a hoax.
Tough to brag about how tight a ship you're running immediately after disclosing that server contained forum credentials was accessed. But good on them for the disclosure.
The Special Tactics team of Linode came up with this idea of publishing about a data breach in the most non-obvious manner by embedding it deep inside a totally unrelated post.
The folks at Linode either know or believe that it was the same people behind both the swatting and download of the old server. The server sounds like it belonged to someone on the Linode staff, and had a forgotten backup of some older data. It's lame, but it happens.
This part is nice:
> "We know how important transparency is and how we’ve needed to do a better job with it in the past, and well … this is the story."
It sounds like they might've taken some criticism of their past handling of events to heart. If this post is indicative of how they'll be handling future incidents ... good. It's timely, it gets right to the point of what happened and who was affected and how they responded, and it doesn't seem to be trying to conceal anything.
Hmm, I'm from Europe and when I read SWAT I think of highly trained and fit special forces.
Now the guys on the photo look like your "off the shelf" cops that couldn't sprint 100 meters without coughing heavily.
Is this a consequence of every small town police now having a SWAT team? Or were SWAT teams always composed of "average joes" and the highly trained special forces just a product of Hollywood?
As a result, it's not at all uncommon to send a team of local policemen in assault gear to arrest a drug dealer or other minor criminal, or anyone accused anonymously of something horrid -- that's the basis of swatting. Hopefully they get the right house, and don't shoot anyone else or their pets, but it typically isn't a big deal even when the cops screw up.
So... Lots of funny, if misinformed comments. To lead off, I am no pig. I have lots and lots of experience with them, I am related to a couple, and I have been very intensely monitoring them for quite some time. I am confident in my assessments and assertions, but they remain only that. What's more, I consider the majority of pigs undertrained, weak minded sheep. I also use the term "pig", instead of the harsher terms they tend to deserve. All of this adds up to a massive bias on my part, so do not forget that when you are typing your pro-pig hell rant.
Most US police forces lack the discipline and capability to field a Special Weapons And Tactics team. Instead, they have Volunteers. These are regular beat cops who sat through a few training courses and maybe ran a few smash and grab walk troughs at some point. They keep a flack vest, helmet and carbine AR in their trunk. Most SWAT calls are just beat pigs dealing with something over there head, which can be anything from a person who knows their rights to an actuall increased threat scenario. Real SWAT teams are the picture of tactical efficiency and reserve. Most footage [i completely discount all cinematic SWAT silliness] you will see has yelling and gun pointing and one cute video of a fat, crazy drunk getting zipped up by a SWAT bro with an MP5 [never take a breech loader to an automatic fight]. This discounts all of the rigorous training, both physical and mental, that these operators go through in the short window they are allowed to be in an actual SWAT team. I cannot vouchsafe the conduct of all SWAT, but my anecdotal experience was awesome.
I will leave off most the detail, but here is my short story. This was the first time I interacted with SWAT. It will not be the last, I fear. I was in a place I probably should have avoided, when I decided to step out for a jack. I was laughing at a lame joke my friends girlfriend had made [i was/am that guy] as I opened the front door. When I swung my head forward, I was greeted by 6 or 7 homeboys in black tac gear. They were setting to take the door. The point man [guy in front] leveled his hellasweet HK USP .45 at my face and politely asked me to, "please hold the door". I remember being able to see down the barrel of his shooter. He had one in the chamber. I graciously swung the door wide and bowed fairly low, like some drug addled varlet. Point guys swept by as number 2 gently spun me and zip tied my wrists. He kind of whispered "don't be stupid". I do not know what he meant, but I had been a military sycophant for a long time so I knew the drill and sank to my knees. They were done in seconds. 2 of them helped me up gently and ushered me to the couch. They left quietly and broke nothing. I cannot say the same for the overweight, callous detectives that spent 4+ hours figuring out that they had taken a house with no evidence and only one of their targeted suspects [he was released because he had no ID on him]?
I have had many experiences with many levels of LEO and none has ever instilled the respect and admiration I have for a true SWAT team.
No constables. No kings. Self police is self rule.
52 comments
[ 2.5 ms ] story [ 95.1 ms ] threadIf so, sounds like some pretty dedicated attackers.
Was it the https://forum.linode.com forum? It looks like it does run on PHPBB...
In theory, it sounds like the goal of the SWAT was to clear the building of employees, and break into the target server, while no one would be sitting at an office workstation, and thus rendered incapable of disrupting the attack. It sounds like all that effort actually worked.
So then, after everyone returned to the office, staff discovered the intrusion, and they performed a password reset for anyone who hasn't changed their forum password since 2010.
But! Were the forum credentials valuable? Do people do things like mine bitcoins with their hosting? Is the PHPBB MySQL database isolated from all other user credentials, or is there overlap?
But in no way was the attack "serious", just for the lols, I know the attacker and swatting is just another way to get lols.
It's Scott Thomas.
I'm gay.
gaygaygay
For being a blog post that is supposed to illustrate their new transparency regarding security issues, it sure seems cryptic.
That either means that the attacker used the data on the compromised server to SWAT them, OR that the SWAT team used their physical access to access the server. Anything else would make the SWAT visit and the server compromise a coincidence, and they make it clear that it is not.
....I'm very confused.
Edit: Or the attacker used the SWAT visit to prevent Linode from stopping the server compromise? I guess that makes some sense, although it seems like an awfully large precaution to take for a phpbb forum. I know of attacks on financial networks and banks where one attack (ie, DDoS on public website) was used to distract from the "real" attack on the money wire system or whatever. But to SWAT someone to distract from compromising a FORUM? Doesn't add up to me; the forum hack is basically just a prank, but the SWAT team visit is hugely more serious.
Perhaps the SWAT had nothing to do with making the attack easier, but was rather just something the attack did coincidentally as some kind of message or prank and has since taken credit for.
> That either means that the attacker used the data on the compromised server to SWAT them, OR that the SWAT team used their physical access to access the server. Anything else would make the SWAT visit and the server compromise a coincidence, and they make it clear that it is not.
Or that whomever just recently found the old data decided to post it at the same time as SWAT'ing Linode, to make it harder for them to do damage control, hoping everyone would be up in arms, complaining about how Linode doesn't communicate, they have no transparency, etc.
"Not so coincidentally, an old personal server had a database accessed using old forum credentials obtained from the incident last year."
It is a little odd how they praise the SWAT team in the first paragraph, then imply they hacked into a server in the second paragraph.
http://www.theverge.com/2013/4/23/4253014/swatting-911-prank...
also:
http://www.fbi.gov/news/stories/2013/september/the-crime-of-...
Seem's to be a relatively new thing in the ever-escalating war for the "lulz"...
http://sources.debian.net/src/phpbb3/3.0.12-1/includes/funct...
[0] https://www.phpbb.com/community/viewtopic.php?f=46&t=1813965 [1] http://www.openwall.com/phpass/
The folks at Linode either know or believe that it was the same people behind both the swatting and download of the old server. The server sounds like it belonged to someone on the Linode staff, and had a forgotten backup of some older data. It's lame, but it happens.
This part is nice:
> "We know how important transparency is and how we’ve needed to do a better job with it in the past, and well … this is the story."
It sounds like they might've taken some criticism of their past handling of events to heart. If this post is indicative of how they'll be handling future incidents ... good. It's timely, it gets right to the point of what happened and who was affected and how they responded, and it doesn't seem to be trying to conceal anything.
At that point, a bomb sniffing dog is not going to be terribly useful, but firearms will be.
Now the guys on the photo look like your "off the shelf" cops that couldn't sprint 100 meters without coughing heavily.
Is this a consequence of every small town police now having a SWAT team? Or were SWAT teams always composed of "average joes" and the highly trained special forces just a product of Hollywood?
Genuinely curious.
"No one runs faster than Mr Heckler and Koch."
(Heckler and Koch are a German gun manufacturer. If you are heavily armed and armoured, you don't really need to run after or away from your enemies.)
1) All Swat teams look like that, Hollywood lied to us
2) This is a bomb defusal unit, they don't need to move fast
3) It's a small town police unit
Unless bomb operates on Holywoodium, they can't outrun the explosion or use it to propel themselves.
And, since the US Defense Department can donate excess hardware to police forces, most of the gear comes at a very heavy discount (because it's already been paid for by tax dollars). http://www.theguardian.com/commentisfree/2013/oct/07/militar...
As a result, it's not at all uncommon to send a team of local policemen in assault gear to arrest a drug dealer or other minor criminal, or anyone accused anonymously of something horrid -- that's the basis of swatting. Hopefully they get the right house, and don't shoot anyone else or their pets, but it typically isn't a big deal even when the cops screw up.
Most US police forces lack the discipline and capability to field a Special Weapons And Tactics team. Instead, they have Volunteers. These are regular beat cops who sat through a few training courses and maybe ran a few smash and grab walk troughs at some point. They keep a flack vest, helmet and carbine AR in their trunk. Most SWAT calls are just beat pigs dealing with something over there head, which can be anything from a person who knows their rights to an actuall increased threat scenario. Real SWAT teams are the picture of tactical efficiency and reserve. Most footage [i completely discount all cinematic SWAT silliness] you will see has yelling and gun pointing and one cute video of a fat, crazy drunk getting zipped up by a SWAT bro with an MP5 [never take a breech loader to an automatic fight]. This discounts all of the rigorous training, both physical and mental, that these operators go through in the short window they are allowed to be in an actual SWAT team. I cannot vouchsafe the conduct of all SWAT, but my anecdotal experience was awesome.
I will leave off most the detail, but here is my short story. This was the first time I interacted with SWAT. It will not be the last, I fear. I was in a place I probably should have avoided, when I decided to step out for a jack. I was laughing at a lame joke my friends girlfriend had made [i was/am that guy] as I opened the front door. When I swung my head forward, I was greeted by 6 or 7 homeboys in black tac gear. They were setting to take the door. The point man [guy in front] leveled his hellasweet HK USP .45 at my face and politely asked me to, "please hold the door". I remember being able to see down the barrel of his shooter. He had one in the chamber. I graciously swung the door wide and bowed fairly low, like some drug addled varlet. Point guys swept by as number 2 gently spun me and zip tied my wrists. He kind of whispered "don't be stupid". I do not know what he meant, but I had been a military sycophant for a long time so I knew the drill and sank to my knees. They were done in seconds. 2 of them helped me up gently and ushered me to the couch. They left quietly and broke nothing. I cannot say the same for the overweight, callous detectives that spent 4+ hours figuring out that they had taken a house with no evidence and only one of their targeted suspects [he was released because he had no ID on him]?
I have had many experiences with many levels of LEO and none has ever instilled the respect and admiration I have for a true SWAT team.
No constables. No kings. Self police is self rule.
And yet it's so subtle, I wouldn't have noticed had you not pointed it out.