An old system and a SWAT team - TheSwordsman
https://blog.linode.com/2014/01/19/an-old-system-and-a-swat-team/

======
thaumaturgy
Guys, c'mon, it's not that complicated.

The folks at Linode either know or believe that it was the same people behind
both the swatting and download of the old server. The server sounds like it
belonged to someone on the Linode staff, and had a forgotten backup of some
older data. It's lame, but it happens.

This part is nice:

> "We know how important transparency is and how we’ve needed to do a better
> job with it in the past, and well … this is the story."

It sounds like they might've taken some criticism of their past handling of
events to heart. If this post is indicative of how they'll be handling future
incidents ... good. It's timely, it gets right to the point of what happened
and who was affected and how they responded, and it doesn't seem to be trying
to conceal anything.

------
brandon272
I've read the article twice and still don't understand what the story is or
what is being implied. Are they saying that whoever hacked into their database
had the office SWAT'ted as part of the attack? Can anyone with more knowledge
of this describe why having the office vacated would benefit the attacker?

For being a blog post that is supposed to illustrate their new transparency
regarding security issues, it sure seems cryptic.

~~~
Lazare
"Not so coincidentally, an old personal server had a database accessed using
old forum credentials obtained from the incident last year."

That either means that the attacker used the data on the compromised server to
SWAT them, _OR_ that the SWAT team used their physical access to access the
server. Anything else would make the SWAT visit and the server compromise a
coincidence, and they make it clear that it is _not_.

....I'm very confused.

Edit: Or the attacker used the SWAT visit to prevent Linode from stopping the
server compromise? I guess that makes _some_ sense, although it seems like an
awfully large precaution to take for a phpbb forum. I know of attacks on
financial networks and banks where one attack (ie, DDoS on public website) was
used to distract from the "real" attack on the money wire system or whatever.
But to SWAT someone to distract from compromising a _FORUM_? Doesn't add up to
me; the forum hack is basically just a prank, but the SWAT team visit is
hugely more serious.

~~~
Brian-Puccio
> "Not so coincidentally, an old personal server had a database accessed using
> old forum credentials obtained from the incident last year."

> That either means that the attacker used the data on the compromised server
> to SWAT them, OR that the SWAT team used their physical access to access the
> server. Anything else would make the SWAT visit and the server compromise a
> coincidence, and they make it clear that it is not.

Or that whomever just recently found the old data decided to post it at the
same time as SWAT'ing Linode, to make it harder for them to do damage control,
hoping everyone would be up in arms, complaining about how Linode doesn't
communicate, they have no transparency, etc.

~~~
lnanek2
Sometimes the means of remote access do require visibly moving the mouse and
opening windows and the like on a target, though. SWATing is easy to do and
keeps pesky staff from noticing.

------
meowface
The post is kind of confusing. Are they suggesting someone called in a bomb
threat to clear out their building, giving intruders some time to get in and
grab an admin's phpBB database backup without worrying about incident
responders?

If so, sounds like some pretty dedicated attackers.

~~~
downer85
Yeah, it sounds like someone was aware of an old copy (2010-03-03) of a
database backup sitting on some "personal" server?

Was it the [https://forum.linode.com](https://forum.linode.com) forum? It
looks like it does run on PHPBB...

In theory, it sounds like the goal of the SWAT was to clear the building of
employees, and break into the target server, while no one would be sitting at
an office workstation, and thus rendered incapable of disrupting the attack.
It sounds like all that effort actually worked.

So then, after everyone returned to the office, staff discovered the
intrusion, and they performed a password reset for anyone who hasn't changed
their forum password since 2010.

But! Were the forum credentials valuable? Do people do things like mine
bitcoins with their hosting? Is the PHPBB MySQL database isolated from all
other user credentials, or is there overlap?

~~~
wcummings
"SWATing" is a common "prank" skids pull. Good money says the attacker did it
for the same reason they stole the db (they can), you guys are hugely
overthinking this.

~~~
shitlord
Yeah, I think Brian Krebs was also SWAT'd.

------
kybernetyk
Hmm, I'm from Europe and when I read SWAT I think of highly trained and fit
special forces.

Now the guys on the photo look like your "off the shelf" cops that couldn't
sprint 100 meters without coughing heavily.

Is this a consequence of every small town police now having a SWAT team? Or
were SWAT teams always composed of "average joes" and the highly trained
special forces just a product of Hollywood?

Genuinely curious.

~~~
gamache
It turns out that out-of-shape cops make fairly effective killing machines
when you outfit them with automatic rifles and body armor.

And, since the US Defense Department can donate excess hardware to police
forces, most of the gear comes at a very heavy discount (because it's already
been paid for by tax dollars).
[http://www.theguardian.com/commentisfree/2013/oct/07/militar...](http://www.theguardian.com/commentisfree/2013/oct/07/militarization-local-police-america)

As a result, it's not at all uncommon to send a team of local policemen in
assault gear to arrest a drug dealer or other minor criminal, or anyone
accused anonymously of something horrid -- that's the basis of swatting.
Hopefully they get the right house, and don't shoot anyone else or their pets,
but it typically isn't a big deal even when the cops screw up.

~~~
blumkvist
The idea of putting regular policemen in special attack forces seems like a
disaster waiting to happen to me.

------
gedrap
I was amazed at how many people think that 'SWAT evacuated the building to get
the access to the PHPBB dump'. Seriously, people, it's not Hollywood.

------
aroch
Is this saying someone swatted the Linode offices to steal a phpBB user
database? If so, that's a bizarrely dedicated effort

~~~
mcpherrinm
I believe when they refer to "the incident", they don't mean the immediate one
with the SWAT members, but the previous year's hacking incident,
[https://blog.linode.com/2013/04/16/security-incident-update/](https://blog.linode.com/2013/04/16/security-incident-update/)

~~~
aroch
See, I thought so at first too, but the phrasing of "Not so coincidentally"
plus the fact that the phrase below is in the future perfect seems to intimate
that the two are related:

    We will be discussing new security policies to address scenarios like this.

~~~
dragonwriter
Tangentially, that's the future continuous ("We will be discussing..."), not
the future perfect (which would be, e.g., "We will have been discussing...").

~~~
aroch
Ah, thanks for the correction. It's been 5 years since I muddled my way
through the land of tenses.

------
zakelfassi
World's most confusing article. SWAT effect I might say.

------
tangoalpha
The Special Tactics team of Linode came up with this idea of publishing about
a data breach in the most non-obvious manner by embedding it deep inside a
totally unrelated post.

~~~
dangrossman
There's no "deep" part of a 3-paragraph post that fits on less than one
screen.

------
dantiberian
This article implies that the access of the old server was linked to the SWAT
raid.

"Not so coincidentally, an old personal server had a database accessed using
old forum credentials obtained from the incident last year."

It is a little odd how they praise the SWAT team in the first paragraph, then
imply they hacked into a server in the second paragraph.

~~~
superpatosainz
Do you seriously not know what "swatting" means? Somebody called SWAT on
them while he hacked into that machine. Nowhere was it said that a SWAT
operative was the hacker.

~~~
gregory144
I don't think "swatting" is a common enough term to assume that everyone knows
what it means. I certainly didn't.

~~~
paulhauggis
Exactly. How often does it actually happen?

~~~
lbotos
I don't have stats for you, but it's been written about before:

[http://www.theverge.com/2013/4/23/4253014/swatting-911-prank...](http://www.theverge.com/2013/4/23/4253014/swatting-911-prank-wont-stop-hackers-celebrities)

also:

[http://www.fbi.gov/news/stories/2013/september/the-crime-of-...](http://www.fbi.gov/news/stories/2013/september/the-crime-of-swatting-fake-9-1-1-calls-have-real-consequences/the-crime-of-swatting-fake-9-1-1-calls-have-real-consequences)

Seems to be a relatively new thing in the ever-escalating war for the
"lulz"...

~~~
tinco
IIRC, the term swatting stems from the eighties, perhaps even earlier by
phreakers and such. It could be that it's more popular now, since there are
more hackers/douchebags on the internet now than there were then.

------
14th
That was nice of the SWAT team to search their building for them, good thing
they didn't put in an NSA backdoor or anything.

------
BCM43
As far as I can tell the passwords for phpbb are hashed with md5. Could
someone correct me if I'm wrong? And if this is the case, this is a much
larger issue, and warrants more of a response than simply resetting the
password and burying it in a blog post about something else.

[http://sources.debian.net/src/phpbb3/3.0.12-1/includes/funct...](http://sources.debian.net/src/phpbb3/3.0.12-1/includes/functions.php?hl=459#L459)

~~~
zevyoura
According to this[0] they're hashed using the "Portable PHP Password Hashing
Framework"[1].

[0]
[https://www.phpbb.com/community/viewtopic.php?f=46&t=1813965](https://www.phpbb.com/community/viewtopic.php?f=46&t=1813965)
[1] [http://www.openwall.com/phpass/](http://www.openwall.com/phpass/)
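The distinction the two comments above are circling matters for how bad a 2010 forum dump is: an unsalted MD5 hex digest (the phpBB 2 format) can be looked up in precomputed tables, while a phpass "portable" hash is salted and iterated (2^N rounds of MD5), so each password has to be attacked separately. The following is an added example, not code from Linode, phpBB or the phpass project: it reimplements the portable phpass algorithm (the `$P$`/`$H$` scheme linked above; phpBB 3 stores its hashes with the `$H$` prefix) in Python and uses it to triage a constructed sample of a user table, flagging which rows are in the weak legacy format. The sample rows and user names are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# phpass' own 6-bit alphabet (this is NOT RFC 4648 base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """phpass encode64: pack `count` bytes into 6-bit groups, least significant bits first."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: bytes, setting: str) -> str:
    """Portable phpass hash: md5(salt+pw), then 2^count_log2 rounds of md5(prev+pw).

    `setting` is the first 12 characters of a stored hash: '$P$' or '$H$',
    one alphabet character giving log2 of the round count, and an 8-char salt.
    """
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass setting")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password: bytes, count_log2: int = 11, prefix: str = "$H$") -> str:
    """Create a fresh hash with a random 6-byte salt (encodes to 8 characters)."""
    salt = _encode64(os.urandom(6), 6)
    return phpass_crypt(password, prefix + ITOA64[count_log2] + salt)


def phpass_check(password: bytes, stored: str) -> bool:
    """Constant-time verification; malformed stored values never verify."""
    try:
        return hmac.compare_digest(phpass_crypt(password, stored), stored)
    except (ValueError, IndexError):
        return False


def classify_hash(stored: str) -> str:
    """Label a stored password field by scheme, for breach-impact triage."""
    if stored.startswith(("$P$", "$H$")) and len(stored) == 34:
        return "phpass-portable"   # salted, iterated: per-password cracking effort
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "unsalted-md5"      # legacy phpBB 2 style: table lookup is enough
    return "unknown"


def triage(rows):
    """Return the usernames whose hashes are in the weak unsalted format.

    `rows` is an iterable of (username, stored_hash) pairs, e.g. from a dump.
    """
    return [user for user, h in rows if classify_hash(h) == "unsalted-md5"]


if __name__ == "__main__":
    # Constructed sample rows: one legacy md5 user, one phpass user.
    sample = [
        ("legacy_user", hashlib.md5(b"hunter2").hexdigest()),
        ("newer_user", phpass_hash(b"correct horse battery staple")),
    ]
    for user, h in sample:
        print(f"{user:12s} {classify_hash(h)}")
    print("force reset for:", triage(sample))
```

The `$H$9...` prefix on the second sample row encodes 2^11 rounds; raising `count_log2` is how an operator makes future hashes slower to attack, while rows that `triage` flags cannot be strengthened in place and need a forced reset, which is what the blog post says was done for accounts untouched since 2010.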

------
eli
Tough to brag about how tight a ship you're running immediately after
disclosing that a server containing forum credentials was accessed. But good
on them for the disclosure.

------
adaml_623
So how do you recover from the security breach of having a group of strangers
have unsupervised physical access to your computers for an hour?

------
jjoe
I'm suspecting the attacker infiltrated the server and left a note on the
server for the admins to read. The note might have mentioned that an ex _plo_
sive is in the building. Upon reporting the breach (along with the note) to
the authorities SWAT was called out as a precautionary measure even though
they were all suspecting a hoax.

------
_sabe_
Why do you need a SWAT team when there's a bomb-threat? Are they going to
shoot at the bomb with their guns?

~~~
btgeekboy
Consider this scenario: Perpetrator calls in a bomb threat. People evacuate.
Perp goes inside to do [something illegal].

At that point, a bomb sniffing dog is not going to be terribly useful, but
firearms will be.

