"Hacking" is STILL Just User Negligence
FOREWORD: In the immortal words of Hank Green, "Hnnnghmmmmurrrgggggghh... Let's do this." Yesterday I published an article with an erroneous fact. This is not usually a big deal, because you can retract, edit, amend, etc. The problem was that I had presumed some of the donor documents I'd uncovered on the BC Liberals' website were private donor data (a really big deal), when in fact, they were actually just public disclosure. I also made an effort to distribute the article quite widely, meaning that lots of important people got to see me make my error. Good times.
Today however, I have come out from under my security blanket (a blanket design which I have just now conceived of as being covered in acronyms like "TLS", "SSH", and "PGP", and which I plan on marketing to ThinkGeek immediately), to write the article I originally intended to write.
Let's recap: On Monday, Province journalist Mike Smyth reported that a seemingly private document was freely available on the BC Liberals' public website; a document containing the e-mail addresses and postal codes of about 100 people who took part in a Liberal public-outreach effort.
What makes this story so engaging (and enraging) for me, as an IT pro, is the subsequent accusation by the BC Liberals that they had been the victims of a "targeted hack" by the BC NDP. Web servers, by their very nature, are predominantly public-facing systems which serve documents to everyone indiscriminately. It's the job of a website's administrator to leverage the features of web server software, and make certain that the public doesn't see documents or information that they're not supposed to.
The story developed a step further today, when Smyth divulged the identity of his source (with her consent, of course) as independent MLA Vicki Huntington. Once again, the infamous WordPress uploads directory was referenced, with Smyth and Huntington saying that when they went to the directory, the file was just sitting there.
The 403 error message that we see at the directory now tells us that the web server software is Apache. As someone who has worked with this server software for more than a decade, I have a pretty clear suspicion of what originally happened.
As I stated yesterday, the uploads directory of (blogging software) WordPress is a pretty common permissions headache for many admins. Instead of setting ownership and permissions properly, many impatient admins just set the directory to "777" – UNIX speak for "anyone can read, write, or execute this".
This would have been bad enough on its own, but it wouldn't have been enough to cause what Huntington and Smyth described. Unless you also consider Apache's indexing directives.
Apache indexing is another one of those things that should be turned off for security, but which is usually left on for user convenience. With this directive turned on, when a user requests a directory with no default document (eg: index.htm, default.aspx) Apache very helpfully generates a list of the files therein. It looks like this:
If an admin were to disable the indexing directive, or if they set the permissions to something other than 777 (depending on the directory ownership), you would see the same 403 error we see on the BC Liberals website now:
So why would anyone leave a directory on a webserver with weak permissions and indexing turned on? It could be that the administrator wasn't well-versed in basic Apache security. It's also possible that users demanded to be able to us the directory as a file-sharing dump, and be able see a listing of files, for their convenience. IT admins often feel compelled to oblige user requests over their better judgement (particularly when that user is your boss).
It is by far the simplest explanation, and almost certainly exactly how this went down. This also means that the Premier openly accused the opposition party of a crime, when in fact the leak was due to a misconfiguration of her party's own website.
Let me end on a bit of a tangent, one which I've extolled before: "hacking" is a layterm. It doesn't really mean anything. Ripping a DVD is hacking. Unlocking a cellphone at a mall kiosk is hacking. Wearing a t-shirt with "Security" printed on it, in the hopes that people will let you come and go as you please, is hacking. All of these are terribly inelegant forms of "hacking".
Going to a public website and clicking a hyperlink to access a document is NOT hacking. That's just how the web works.
Best of luck with the spin on this one, Christy.
"Computer hacker" image by Joe Prachatree via Shutterstock