PBS hack: the HOWTO?

@LulzSec just posted what it claims were the methods used to hack PBS.org.

"PBS.org was not owned by SQL," they write, "PBS.org was owned via a 0day we discovered in mt4 aka MoveableType 4."

Kevin Mitnick, who knows a little about this stuff, responds: "Yeah, they claim it's a bug in mt4... but I doubt they would reveal the vector until much later."

I'd imagine this will become clear soon, after the holiday passes. Background on the incident in this BB post; the mess continued throughout the day today and appears to be ongoing at the time of this blog post.

Boing Boing editor/partner and tech culture journalist Xeni Jardin hosts and produces Boing Boing's in-flight TV channel on Virgin America airlines (#10 on the dial), and writes about living with breast cancer. Diagnosed in 2011. @xeni on Twitter. email: xeni@boingboing.net.

MORE: News • security • Technology

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

manuel piÃ±eiro

sounds like lulzsec is either revealing a member of their group or stealing credit. and kevin is making stuff up so he doesn’t look clueless about what’s going on.

how it all happened was openly disclosed from the moment the first vulnerability was discovered; anyone can read it.
Anonymous

I’m not sure you know who Kevin Mitnick is. Luckily BoingBoing was nice enough to provide a link to his Wiki. Feel free to read it, you know… so you don’t look clueless about what’s going on.
Spinkter

Linux kernels 2.4.21 and 2.6.18. I’m thinking RHEL4, maybe.

Which begs the questions: No upgrade in three years? SELinux not turned on? Not locked down with Bastille? What were they thinking?

Even if there was a zero-day in mt4, they could have taken better measures (hell, *any* measures) to prevent their machines from being rooted so easily.

Negligence enables crime.
- damiro
  
  Negligence enables crime.
  
  It does indeed. It does not necessarily justify it. “Don’t forget to lock your door on the way out. Someone might walk in and splatter paint on your walls, but then, you DID forget to lock your door tonight…You could have invested in the spendy new Super-Bolt Door Security Lock System…” That would suck. But it wouldn’t make it right. Maybe the IT staff could have prevented this breach, but I bet that right now they are answering some tough questions and fearing for their jobs. Poor sons of bitches. Sometimes you have to work with what you have, and sometimes you make mistakes. Maybe they deserve to be fired–I don’t know–but it still doesn’t excuse bad behavior on the part of the paint-splatterers.
  
  Which begs the questions: No upgrade in three years? SELinux not turned on? Not locked down with Bastille? What were they thinking?
  
  I’m about as clueless as “they” are, honestly. I just secure my home network and hope for the best; the Interwebs are an integral part of my life, but I can’t afford to spend much time learning the extremely complicated nuts-and-bolts.
  
  I imagine that “they” were NOT thinking; that their underfunded and most likely ignored IT staff (as SeattlePete described them) was more worried about where to go for drinks tonight than in defending a (to them) out-of-the-blue electronic security breach. They who run the place are most likely older media professionals whose idea of security is to make sure their phone lines are untapped. They need someone like you as Webmaster; unfortunately, they probably can’t afford you.
  
  PBS has never claimed to be on the cutting edge of IT technology. But perhaps now they’ll have to be.
  - Spinkter
    
    Discussions of PBS’s inadequate security do not automatically imply that the break-ins were justified. Better to keep the question of justification in the realm of the theoretical by preventing the break-ins in the first place.
    
    Also, there’s a big difference between securing a home network (most consumer firewall products are good enough), and securing a high-traffic corporate website supposedly run by professionals. These guys should know this stuff; they’re being paid to know all about the extremely complicated nuts-and-bolts.
    
    As for the poor IT guys: Sorry, but I don’t have much sympathy for them. I understand all about how IT is chronically a low priority thing. But, if I were in their position, and I couldn’t get the higher-ups to prioritize and adequately fund the infrastructure, then I’d go get a better job. And, if this sort of thing kept on happening, job after job, then I’d go get a better career. To do otherwise would demonstrate a lack of self-respect.
    - Anonymous
      
      “But, if I were in their position, and I couldn’t get the higher-ups to prioritize and adequately fund the infrastructure, then I’d go get a better job. And, if this sort of thing kept on happening, job after job, then I’d go get a better career. To do otherwise would demonstrate a lack of self-respect.”
      
      Life must be good in the land of make-believe.
- Chloramphenicol
  
  More like RHEL3. IIRC, even RHEL4 is on the 2.6 line, so if they’re still running a 2.4 build it has to predate the release of 4. I don’t think that SELinux is an option on RHEL3 (though I could be wrong).
  
  Now, personally, I have issues with SELinux in that people tend to think of it as a be-all-end-all and, well, to be honest, it’s a royal PitA to keep all of the necessary bols straight system to system. Then again, if you build correctly and document properly, that’s not a problem. At least it’s not one that can’t be corrected…
  
  I’m not entirely sure that it would have helped in this case. It really depends on exactly what sort of exploit they found. SELinux will help prevent someone from owning the system as a whole, but if there’s a vulnerability in the CMS itself, well, simply defacing the website or pulling up the back-end databases is fairly trivial. After all, even with SELinux enabled you have to be sure to allow HTTPD to communicate across the network if your database isn’t on the same server.
Anonymous

PBS uses Movable Type?! I just lost a lot of respect for them.
- Mike K
  
  They’ve used it for about 8 years. It’s a good platform if you’re publishing. Much better as a CMS than WordPress. Blog software, that’s questionable, but it’s a good CMS without spending tens of thousands on a good system.
  - Antinous / Moderator
    
    Blog software, that’s questionable
    
    We use Movable Type. For not much longer. And I assure you that it’s composed of infected smegma scraped from underneath Satan’s foreskin. There are actions that I do dozens or hundreds of times per day that take five steps instead of hitting one button. It’s structured like a web spun by a spider on acid.
    - mistersquid
      
      What softwares is BoingBoing considering to replace MT?
      - Antinous / Moderator
        
        You’d have to ask Rob or Dean. I’ll just wake up one morning and discover a whole new interface.
  - kstop
    
    My guess is one of two scenarios. Either the admins wanted MT4 on a private network but were overruled by mgmt (in which case their mgmt should be held accountable), or they just stuck it on a public-facing server because it was easier to set up (in which case it is absolutely the admins’ fault).
    
    I work in a comparable organization, also using MT4 for blogging and light CMS duties, and PHP for some applications. Most of the attack attempts we’ve seen over the years have been similar shell upload exploits thanks to 3rd-party code. While you can never be 100% safe, you can do a lot to lock down your systems without expenses beyond admin time.
- SeattlePete
  
  “I just lost a lot of respect for them.”
  
  For PBS or for their underfunded and most-likely ignored IT staff?
  
  I really wonder how Frontline will respond to this. Will they have the balls to say that they run a workplace where IT is 3rd or 4th banana when it comes to editorial or managerial input? On what is essentially an IT story?
  
  “Hey everyone…lets run a story where we call out /b/tards as lame-os living in their moms basement…nothing bad will happen! And if it does, we’ll just page Bob at 2am to restore from back-up.”
  
  http://www.thewebsiteisdown.com/
  
  seriously. for reals. my life. kill me.
bardfinn

What’s ridiculous is that they’re not using webserver appliances that can be physically (or via dedicated commline) rebooted from read-only physical media, sneakernetted from non-internet-connected machines by cartridge systems or pimply-faced youth. Seriously, all it freaking takes is USB sticks with read-write switches.

Webmasters of production systems: have a plan in place that boots every machine with the same or a similar OS with entirely different SSL certificates and passwords. It’s not bloody hard, and takes three man-hours to bring into play for even medium-large nets (150-200 blades).
- Anonymous
  
  Maybe we all should’ve donated more during those telethons. Obviously with the government cuts for public broadcasting they couldn’t afford a good Tech/Admin.
voiceinthedistance

“it’s composed of infected smegma scraped from underneath Satan’s foreskin”

Yes, but do you like it or not, Antinous?