Dutch intelligence agency AIVD hacks internet forums - waps
http://www.nrc.nl/nieuws/2013/11/30/dutch-intelligence-agency-aivd-hacks-internet-fora/
The Dutch intelligence service - AIVD - hacks internet web fora to collect the data of all users. The majority of these people are unknown to the intelligence services and are not specified as targets when the hacking and data-collection process starts.

Apparently what they do is get direct access to the mysql databases backing fora and then just download the entire thing.
======
brokenparser
What upsets me most is that NRC is withholding information in the name of "US
national security". Having a crooked government is bad, but when journalists
rather side with the man than stand up to him (as they're supposed to in a
democratic society), all hope is lost. They don't admit doing this in the
English version of this article, which reads:

    A spokesperson for the American government stated that
    the publication of classified information is a threat to
    US national security.

But the Dutch version does:

    De Amerikaanse overheid laat in een reactie weten dat
    publicatie van staatsgeheimen de nationale veiligheid
    schaadt. Om die reden publiceert deze krant belangrijke
    technische details niet.

Translation:

    A spokesperson for the American government stated that
    the publication of classified information is a threat to
    US national security. For this reason, the paper won't
    publish important technical details.

The Dutch government is conducting illegal activities and its citizens deserve
to know exactly how their government is screwing them.

~~~
buro9
We can guess at the details.

A lot of forums like phpBB are installed via cPanel and may have default
passwords and not be secured fully.

If you have a machine in the ISP, which just means renting 1 machine per ISP,
then scan the local IP ranges for open MySQL ports... or more nefariously scan
for Memcached as that is hardly ever secured.

Then use the default credentials or the credentials stolen from Memcached to
access MySQL.

You're dealing with a known set of forum software, probably phpBB, Vanilla,
vBulletin and Invision. So you only need to map out a few schema to be able to
make sense of hundreds if not thousands of sites.

Forums are slow moving, even the big ones only have a few thousand to low tens
of thousands of posts per day... and your rented machine could easily poll for
differences and send it back to HQ.

This is all just speculation of course, but it wouldn't surprise me that this
is how it was done.

~~~
DangerousPie
You're making some pretty big assumptions there. I don't think there is any
evidence that MySQL databases set up via cPanel (or any other control panel)
have default passwords or are inherently insecure. If this was the case, we
would be seeing websites being hacked left and right, and not just by
intelligence services.

~~~
buro9
I didn't feel like my assumptions were that big.

From the original article:

> “They use sweeps to collect data from all users of web forums. The use of
> these techniques could easily lead to mass surveillance by the government.”

Which implies that they are not scanning traffic constantly but are instead
performing a sweep across the fora and gathering all data. Which implies
querying the databases on a schedule and pulling info as the full dataset
never exists in the ephemeral traffic.

> “They acquire MySQL databases via CNE access”

Which states that they exploit something on the network to "acquire" the data
from MySQL databases.

Those two things together suggest periodic access to the databases.

And given the previous behaviour from accessing networks and hardware without
permission of the companies operating on those networks (the Google dark fibre
intercept) it isn't too much of a stretch to imagine a similar scenario that
could give them access to these databases without asking first.

And the easiest way to get access to a large volume of forums would be to use
a common platform as the attack point: A common deployment (cPanel, Plesk,
etc) or a common technology that could give up credentials (memcached).

Of course they could use a vulnerability in MySQL, but I bet that's harder
work than just trying default passwords or pulling credentials from the
unsecured memory cache.

------
lucb1e
If you all remember the fuss about the "terughackwet", a law that would allow
the police to hack people, this is what I meant when I said that the AIVD
(general intelligence agency) and MIVD (military intelligence agency) have had
this power since the beginning of time. This merely proves that they're
actively using their capabilities and that the police don't really need it;
they can just ask another agency.

I would assume the same for forcing passwords out of people, something which
is still supposed to be illegal in the Netherlands but isn't. The AIVD and
MIVD have the right to do this.

I've got one question though: does anyone know what they mean with _"They
acquire mySQL databases via CNE access."_ What is CNE?

~~~
ordinary
Computer network exploitation.

~~~
lucb1e
So sniffing traffic?

~~~
roel_v
As I understood it, it's insider-speak for 'hacking'. While theoretically
possible, it's non-trivial to sniff a complete db dump.

~~~
lucb1e
Okay, thanks for the reply!

------
spectrum
This is the most important sentence I think:

According to the document the Dutch “are looking at marrying the forum data
with other social network info, and trying to figure out good ways to mine the
data that they have.”

The posts for one individual on one forum are maybe not that interesting. But
by connecting this data to the data of his/her other internet activities, you
get the total information awareness idea. E.g. Facebook, Gmail, other forums
accounts, Whatsapp messages, websites visited etc.

~~~
Cthulhu_
It definitely is a dragnet kinda approach; let's just collect all the data,
chuck it into a big database and see if we find any connections with _insert
random justification here_.

~~~
disgruntledphd2
Also known as the "Big Data" approach. Hopefully, they at least understand
that there should be differential costs to false positives and negatives.

------
atmosx
Everyone likes to think that the forums targeted are by _terrorists_ related to
the Middle East, Syria, etc.

I think that gathering such large amounts of data allows you to do very
specific sentiment analysis on specific groups of the population; in addition
to Twitter and Facebook, having _fora_ access is a big deal.

All these are speculations of course. Our agencies are guided by people and
more often than not inadequate people. They might be collecting data just
because the NSA does it, with no specific purpose. Data just waiting to be
abused by someone in a position of power.

------
mattgibson
I just read that as 'regularly hacks Interflora' and was momentarily amazed at
how seriously they take their tulips.

------
oelmekki
To make a comment not regarding moral and civilizational impact, I'm wondering
what kind of value targeting forums can have.

Is this really worth the cost, compared to something like making friending
bots on social networks and analyzing content for keywords?

I suppose their definition of forum should be considered, here. Do we speak of
the canonical form of a forum, like a punBB powered website, or is any website
aiming to allow people to chat a forum?

~~~
DanBC
Some extremist groups set up separate single issue groups to introduce people
to extremist ideas.

An example would be the British National Front and BNP (both right wing
extremist groups) setting up an animal rights group which mostly campaigns
about slaughter methods, especially ritual slaughter.

Some animal rights groups are also extremist. (Digging up corpses; setting
incendiary[1] devices which burnt down several large department stores;
setting fire to trucks and truck depots; etc.)

Monitoring these groups makes some kind of sense. So long as police keep that
data secure, and it's only used for legitimate law enforcement and isn't used
to tarnish reputations or stifle lawful campaigning.

[1] The intent was to cause water damage by triggering sprinkler systems. The
fact the sprinkler systems didn't work, allowing the stores to burn down is
worrying. This, and IRA bombing campaigns, is one reason that pockets come
stitched shut now. The well dressed man / woman will have a stitch ripper to
remove these closings, but it's surprising to see how many people have never
heard of stitch rippers.

~~~
berkes
Do you have a source to back up the claim that pockets come stitched because of
bombing threats? My wife is a certified seamstress and swears that pockets on
higher-range clothing have always been stitched closed, because that keeps their
shape better. But there might be more to it, so I am curious what
makes you say this.

------
joelhaasnoot
Not surprised - part of a university project for a class I took a few years
back built a scraper for forums/Facebook/Twitter. The assumption there was
that agencies would get access tokens from Twitter - but this is much
easier...

------
CurtMonash
Recall that de-anonymization analysis is pretty effective these days. Even if
you post under a made-up user name, there's a pretty good chance they can
figure out who you are.

That's one reason I post under my own name; anonymity wouldn't buy me much
anyway. Even in forums where I'm technically anonymous, I don't try hard to
preserve any secrecy about my identity. It's more a matter of "There's a
culture here of intemperate posts protected by anonymity, so if you notice me
posting there, please also understand that I might be responding in kind."

~~~
wsxcde
Deanonymization that works well relies on:

(i) correlating social graphs

(ii) correlating likes/dislikes/reviews etc. across different networks.

(iii) Lots of data to do (i) and (ii)

And it's still difficult to do for random people on the internet (as opposed
to the NSA or serious attackers such as those willing to put in the effort to
crawl and analyze the entire linkedin graph.) I believe deanonymization based
on just textual analysis is still a little bit of an academic effort.

Anonymity does buy quite a bit - especially on a forum like HN - where there
isn't a social graph and the like/dislike information is private.

------
vfclists
The main purpose of monitoring communications is to monitor public sentiment
and guide it or sway it. It is not for security purposes, being able to
manipulate the populace is the primary goal.

It is basically to subvert the effective functioning of the democratic system
in a subtle but perfectly legal manner, by manipulating the information fed to
the public and actively shaping the public mood in the desired manner.

PS. A lot of it happens on HN and Reddit.

------
snitko
Keep paying them to do that. Taxes are a good thing, after all: governments
also build roads and help the poor - which no one else can do.

------
woutervdb
...wow. That's pretty creepy.

I'm Dutch myself and I knew that the AIVD tapped a lot, but mining data from
forums?!

~~~
Svip
And yet strangely, I'm not surprised. There seems to be a race by intelligence
agencies to collect as much data as possible in recent years (well, the past
decade). And while in the West, the Americans are leading the pack, the others
aren't shying away without a fight.

I wouldn't be surprised to learn that it has become more a sport than a
national security measure by these agencies. They have gone cocky, so to
speak, thinking that because they are government agencies they are above the
law that regular hackers supposedly are not.

~~~
pekk
How do we quantify who is "leading the pack"? This would assume we have
representative coverage of different countries' activities and that is
certainly not true.

------
coldcode
[XXX] intelligence agency routinely hacks [YYY]; generally to make good with
the NSA. From now on we can just report what XXX and YYY are and dispense with
the details.

------
dzhiurgis
fora is a plural form of forum

aka forums

~~~
Svip
True, in English it would be 'forums'. In fact it would be 'internet forums'
in two words, but this is clearly written as it is in Dutch, where it would be
«internetfora».

Although, only the title of this thread is 'internetfora', while the article
has separated it into two words.

~~~
rgj
The article heading now says 'internet forums'.

------
timbro
Are we talking about "internet fora" like HN?
