52 comments

[ 2.5 ms ] story [ 95.1 ms ] thread
The post is kind of confusing. Are they suggesting someone called in a bomb threat to clear out their building, giving intruders some time to get in and grab an admin's phpBB database backup without worrying about incident responders?

If so, sounds like some pretty dedicated attackers.

(comment deleted)
Yeah, it sounds like someone was aware of an old copy (2010-03-03) of a database backup sitting on some "personal" server?

Was it the https://forum.linode.com forum? It looks like it does run on PHPBB...

In theory, it sounds like the goal of the SWAT was to clear the building of employees, and break into the target server, while no one would be sitting at an office workstation, and thus rendered incapable of disrupting the attack. It sounds like all that effort actually worked.

So then, after everyone returned to the office, staff discovered the intrusion, and they performed a password reset for anyone who hasn't changed their forum password since 2010.

But! Were the forum credentials valuable? Do people do things like mine bitcoins with their hosting? Is the PHPBB MySQL database isolated from all other user credentials, or is there overlap?

The only credentials that were accessible were hashed forum passwords from the time of the restore (all of which have been revoked), and forum accounts are not linked to any other Linode systems.
"SWATing" is a common "prank" skids pull. Good money says the attacker did it for the same reason they stole the db (they can), you guys are hugely over-thinking this.
Yeah, I think Brian Krebs was also SWAT'd.
Indeed, it was a clever trick.

But in no way was the attack "serious", just for the lols, I know the attacker and swatting is just another way to get lols.

It was RyanC again, no?
Hello RyanC,

It's Scott Thomas.

I'm gay.

gaygaygay

(comment deleted)
Is this saying someone swatted the Linode offices to steal a phpBB user database? If so, that's a bizarrely dedicated effort
I believe when they refer to "the incident", they don't mean the immediate one with the SWAT members, but the previous year's hacking incident, https://blog.linode.com/2013/04/16/security-incident-update/
See I thought so at first too, but the phrasing of "Not so coincidentally" plus the below phrase is in the future-perfect seems to intimate that the two are related

    We will be discussing new security policies to address scenarios like this.
Tangentially, that's the future continuous ("We will be discussing..."), not the future perfect (which would be, e.g., "We will have been discussing...").
Ah, thanks for the correction. It's been 5 years since I muddled by way through the land of a tenses
I've read the article twice and still don't understand what the story is or what is being implied. Are they saying that whoever hacked into their database had the office SWAT'ted as part of the attack? Can anyone with more knowledge of this describe why having the office vacated would benefit the attacker?

For being a blog post that is supposed to illustrate their new transparency regarding security issues, it sure seems cryptic.

"Not so coincidentally, an old personal server had a database accessed using old forum credentials obtained from the incident last year."

That either means that the attacker used the data on the compromised server to SWAT them, OR that the SWAT team used their physical access to access the server. Anything else would make the SWAT visit and the server compromise a coincidence, and they make it clear that it is not.

....I'm very confused.

Edit: Or the attacker used the SWAT visit to prevent Linode from stopping the server compromise? I guess that makes some sense, although it seems like an awfully large precaution to take for a phpbb forum. I know of attacks on financial networks and banks where one attack (ie, DDoS on public website) was used to distract from the "real" attack on the money wire system or whatever. But to SWAT someone to distract from compromising a FORUM? Doesn't add up to me; the forum hack is basically just a prank, but the SWAT team visit is hugely more serious.

I'm just confused at how having the Linode staff out of the office would have allowed the attack to go forward whereas having them in the office would have prevented the attack? Is there a Linode staff member who would have been watching in real-time for database connections to the server in question?

Perhaps the SWAT had nothing to do with making the attack easier, but was rather just something the attack did coincidentally as some kind of message or prank and has since taken credit for.

> "Not so coincidentally, an old personal server had a database accessed using old forum credentials obtained from the incident last year."

> That either means that the attacker used the data on the compromised server to SWAT them, OR that the SWAT team used their physical access to access the server. Anything else would make the SWAT visit and the server compromise a coincidence, and they make it clear that it is not.

Or that whomever just recently found the old data decided to post it at the same time as SWAT'ing Linode, to make it harder for them to do damage control, hoping everyone would be up in arms, complaining about how Linode doesn't communicate, they have no transparency, etc.

Sometimes the means of remote access do require visibly moving the mouse and opening windows and the like on a target, though. SWATing is easy to do and keeps pesky staff from noticing.
(comment deleted)
This article implies that the access of the old server was linked to the SWAT raid.

"Not so coincidentally, an old personal server had a database accessed using old forum credentials obtained from the incident last year."

It is a little odd how they praise the SWAT team in the first paragraph, then imply they hacked into a server in the second paragraph.

Do you seriously don't know what "swatting" means? Somebody called SWAT on them, while he hacked into that machine. Nowhere was said that a SWAT operative was the hacker.
I don't think "swatting" is a common enough term to assume that everyone knows what it means. I certainly didn't.
exactly. How of often does it actually happen?
I don't have stats for you, but it's been written about before:

http://www.theverge.com/2013/4/23/4253014/swatting-911-prank...

also:

http://www.fbi.gov/news/stories/2013/september/the-crime-of-...

Seem's to be a relatively new thing in the ever-escalating war for the "lulz"...

IIRC, the term swatting stems from the eighties, perhaps even earlier by phreakers and such. It could be that it's more popular now, since there are more hackers/douchebags on the internet now than there were then.
I know what swatting means but they didn't say they were 'swatted' in the post, only that SWAT turned up. Reading it that they were swatted makes more sense but the post was ambiguous and it seemed to make more sense the other way.
That was nice of the SWAT team to search their building for them, good thing they didn't put in an NSA backdoor or anything.
As far as I can tell the passwords for phpbb are hashed with md5. Could someone correct me if I'm wrong? And if this is the case, this is a much larger issue, and warrants more of a response than simply reseting the password and burying it in a blog post about something else.

http://sources.debian.net/src/phpbb3/3.0.12-1/includes/funct...

World's most confusing article. SWAT effect I might say.
I was amazed at how many people think that 'SWAT evacuated the building to get the access to the PHPBB dump'. Seriously, people, it's not Hollywood.
I'm suspecting the attacker infiltrated the server and left a note on the server for the admins to read. The note might have mentioned that an explosive is in the building. Upon reporting the breach (along with the note) to the authorities SWAT was called out as a precautionary measure even though they were all suspecting a hoax.
Tough to brag about how tight a ship you're running immediately after disclosing that server contained forum credentials was accessed. But good on them for the disclosure.
The Special Tactics team of Linode came up with this idea of publishing about a data breach in the most non-obvious manner by embedding it deep inside a totally unrelated post.
There's no "deep" part of a 3-paragraph post that fits on less than one screen.
Guys, c'mon, it's not that complicated.

The folks at Linode either know or believe that it was the same people behind both the swatting and download of the old server. The server sounds like it belonged to someone on the Linode staff, and had a forgotten backup of some older data. It's lame, but it happens.

This part is nice:

> "We know how important transparency is and how we’ve needed to do a better job with it in the past, and well … this is the story."

It sounds like they might've taken some criticism of their past handling of events to heart. If this post is indicative of how they'll be handling future incidents ... good. It's timely, it gets right to the point of what happened and who was affected and how they responded, and it doesn't seem to be trying to conceal anything.

Why do you need a SWAT team when there's a bomb-threat? Are they going to shoot at the bomb with their guns?
Consider this scenario: Perpetrator calls in a bomb threat. People evacuate. Perp goes inside to do [something illegal].

At that point, a bomb sniffing dog is not going to be terribly useful, but firearms will be.

Hmm, I'm from Europe and when I read SWAT I think of highly trained and fit special forces.

Now the guys on the photo look like your "off the shelf" cops that couldn't sprint 100 meters without coughing heavily.

Is this a consequence of every small town police now having a SWAT team? Or were SWAT teams always composed of "average joes" and the highly trained special forces just a product of Hollywood?

Genuinely curious.

Me too. The picture looks like a publicity shot for a SWAT based sitcom. I mean, it doesn't 'arf bolster the fat american stereotype.
You've reminded me of a funny quote from Immediate Action or Brazo Two Zero by Andy McNab, autobiographies of a famous British special forces soldier.

"No one runs faster than Mr Heckler and Koch."

(Heckler and Koch are a German gun manufacturer. If you are heavily armed and armoured, you don't really need to run after or away from your enemies.)

Well there are two of three possibilities:

1) All Swat teams look like that, Hollywood lied to us

2) This is a bomb defusal unit, they don't need to move fast

3) It's a small town police unit

The usual jokes suggest that a bomb defuser might want to run really fast sometimes.
I assume bomb disposal unit needs to: A) find bomb B) go away from bomb really far C) send robot to defuse the bomb

Unless bomb operates on Holywoodium, they can't outrun the explosion or use it to propel themselves.

It turns out that out-of-shape cops are make fairly effective killing machines when you outfit them with automatic rifles and body armor.

And, since the US Defense Department can donate excess hardware to police forces, most of the gear comes at a very heavy discount (because it's already been paid for by tax dollars). http://www.theguardian.com/commentisfree/2013/oct/07/militar...

As a result, it's not at all uncommon to send a team of local policemen in assault gear to arrest a drug dealer or other minor criminal, or anyone accused anonymously of something horrid -- that's the basis of swatting. Hopefully they get the right house, and don't shoot anyone else or their pets, but it typically isn't a big deal even when the cops screw up.

The idea of putting regular policemen in special attack forces seems like a disaster waiting to happen to me.
So... Lots of funny, if misinformed comments. To lead off, I am no pig. I have lots and lots of experience with them, I am related to a couple, and I have been very intensely monitoring them for quite some time. I am confident in my assessments and assertions, but they remain only that. What's more, I consider the majority of pigs undertrained, weak minded sheep. I also use the term "pig", instead of the harsher terms they tend to deserve. All of this adds up to a massive bias on my part, so do not forget that when you are typing your pro-pig hell rant.

Most US police forces lack the discipline and capability to field a Special Weapons And Tactics team. Instead, they have Volunteers. These are regular beat cops who sat through a few training courses and maybe ran a few smash and grab walk troughs at some point. They keep a flack vest, helmet and carbine AR in their trunk. Most SWAT calls are just beat pigs dealing with something over there head, which can be anything from a person who knows their rights to an actuall increased threat scenario. Real SWAT teams are the picture of tactical efficiency and reserve. Most footage [i completely discount all cinematic SWAT silliness] you will see has yelling and gun pointing and one cute video of a fat, crazy drunk getting zipped up by a SWAT bro with an MP5 [never take a breech loader to an automatic fight]. This discounts all of the rigorous training, both physical and mental, that these operators go through in the short window they are allowed to be in an actual SWAT team. I cannot vouchsafe the conduct of all SWAT, but my anecdotal experience was awesome.

I will leave off most the detail, but here is my short story. This was the first time I interacted with SWAT. It will not be the last, I fear. I was in a place I probably should have avoided, when I decided to step out for a jack. I was laughing at a lame joke my friends girlfriend had made [i was/am that guy] as I opened the front door. When I swung my head forward, I was greeted by 6 or 7 homeboys in black tac gear. They were setting to take the door. The point man [guy in front] leveled his hellasweet HK USP .45 at my face and politely asked me to, "please hold the door". I remember being able to see down the barrel of his shooter. He had one in the chamber. I graciously swung the door wide and bowed fairly low, like some drug addled varlet. Point guys swept by as number 2 gently spun me and zip tied my wrists. He kind of whispered "don't be stupid". I do not know what he meant, but I had been a military sycophant for a long time so I knew the drill and sank to my knees. They were done in seconds. 2 of them helped me up gently and ushered me to the couch. They left quietly and broke nothing. I cannot say the same for the overweight, callous detectives that spent 4+ hours figuring out that they had taken a house with no evidence and only one of their targeted suspects [he was released because he had no ID on him]?

I have had many experiences with many levels of LEO and none has ever instilled the respect and admiration I have for a true SWAT team.

No constables. No kings. Self police is self rule.

>All of this adds up to a massive bias on my part

And yet it's so subtle, I wouldn't have noticed had you not pointed it out.

How dare you shit on my needless disclaimer. I'll have you know I am specially trained in gorilla warfare...
So how do you recover from the security breach of having a group of strangers have unsupervised physical access to your computers for an hour?