Labour’s passwords
June 15th, 2011 at 11:00 am by David Farrar
Labour’s security issues go beyond the fact they left their entire server contents available for anyone to see if they went to one of their campaign websites. Their passwords are now in Google.
Whale blogs:
Commenters at Kiwiblog and other sites quickly realised what I did long ago and that was that Google and other bots had archived Labour’s open site extensively. All their data is still in the cache and will be for quite some time.
Doing a simple cache search of the root domain with the word “password” added shows just how bad their security was.
The problem however was much worse than that. Way worse. Remember that Chris Flatt the Labour General Secretary sent out a letter and email to their donors assuring them that their credit card details were safe. He shouldn’t have been too hasty with that assurance.
In the MySQL database files there were also plain text strings that contained other database passwords along with the user name and passwords of their credit card provider.
Oh dear.
This shows the appalling lack of security not only for the donor and membership details but also with regard to usernames and passwords for other secure areas.
I never accessed those areas; to do so would have been illegal. But given that their systems were open and exposed long enough that Google and 9 other bots were able to cache the entire directory system there is a good chance that Russian or Nigerian scamsters also were able to obtain access to the database and credit card processing passwords that Labour left exposed. Chris Flatt cannot give any assurances that their donor details including credit cards were safe and secure.
Their credit card passwords have been sitting in Google for several months. Need more be said?
Tags: Labour, websites, Whale Oil
June 15th, 2011 at 11:04 am
Labour has an open door policy then?
June 15th, 2011 at 11:07 am
Maybe when the inevitable happens and dishonest types who have picked the card details up from google and other bot sites start using them, assuming they haven’t already over the months the info has been lying bare on the web, the banks could look to the Labour party for compensation?
June 15th, 2011 at 11:09 am
But remember, it is National’s fault for not alerting Labour to security issues with their site!
June 15th, 2011 at 11:13 am
What on Earth is a “credit card password”?
June 15th, 2011 at 11:15 am
Could mean their CSC numbers on the backs of the cards.
With those and the credit-card numbers themselves, you could buy all KINDS of porn online.
June 15th, 2011 at 11:16 am
A password for their credit card processing facility.
June 15th, 2011 at 11:16 am
A password to, and connection details for, the database that holds the credit card details. I suspect it’s not quite that easy, but hard to say.
June 15th, 2011 at 11:17 am
Whaleoil also highlights a letter he received about this issue from douche master general, Micky Savage. Does anyone know if invoices for legal aid specify the time that the work took place?
If so it would be interesting to see if any of the $158k that Micky billed this year took place whilst engaged in his ridiculous bum fuckery on the Standard.
Of course that would be stealing.
June 15th, 2011 at 11:24 am
LGF.
No they don’t.
Invoices to the LSA simply specify the time spent on a job not when the time was spent.
June 15th, 2011 at 11:25 am
Reading Whale’s post, I reckon there’s a chance it’s not as bad as he thinks. Typically a mysql database isn’t accessible from the internet, only from a local server. So I doubt you could log on. But anything’s possible.
June 15th, 2011 at 11:26 am
The Mickey, he’s a character alright, cheesy.
June 15th, 2011 at 11:27 am
Doesn’t seem possible to get the cached version from Google anymore; has Labour talked them into censoring it?
June 15th, 2011 at 11:35 am
You know this is all National’s fault as well, don’t you.
June 15th, 2011 at 11:41 am
That Mickey is a hoot, that’s what he is.
Poor Labour .. what a disaster, no wonder Fullmoon King looks so tired .. when is Phil back?
Who needs Coro for their gratuitous drama?
June 15th, 2011 at 11:42 am
Paull – did he need to log on to the database? I thought he just downloaded the unencrypted database file and read it as text
June 15th, 2011 at 11:47 am
An open window is no excuse for burgling someone’s home; a crime is a crime regardless of the circumstances. If you truly believe that hacking a database for pecuniary purposes is legitimate then you are an exponent of moron’s logic.
June 15th, 2011 at 11:48 am
Alex,
more like a back door policy.
(Sorry everyone, just couldn’t resist some base silliness today)
June 15th, 2011 at 11:49 am
I used to feel sorry for Labour about this. Then I remembered Hollow Men.
June 15th, 2011 at 11:51 am
Oh jeez KevinH. If you are standing on the street holding some sort of document up in front of you, and I come along and take a photo of your document, can you complain that I stole it? That’s the analogy, you still have the document and I have a copy of it.
June 15th, 2011 at 11:55 am
I have been looking on at this whole sorry saga, and am quite aghast at the sheer sloppiness and absence of security. I work in an IT related area, and this is the IT equivalent of walking around in public with your fly down, no underwear and half a roll of dunny paper trailing out the back of your pants.
If I did something like this with the Trust site I’d expect to be fired, and I am not even paid for that. I am very glad I have not been a Labour Party donor, at least not in the last few years.
Regards
Peter J
see http://www.sensiblesentencing.org.nz
June 15th, 2011 at 12:03 pm
When I set up a credit card facility on my web site, the payments provider needed to know if I intended to store credit card information. If I did, then I needed to give the payments provider a written undertaking that the data would be stored securely, which from memory meant the data must be at minimum encrypted, before they would grant me access to their service.
I would imagine Labour would have made the same undertaking at some point, and we now know that it was, or at least became, false. This might cost them their merchant status, which would surely be significant for funds raising.
June 15th, 2011 at 12:05 pm
KevinH
If you truly believe that hacking a database for pecuniary purposes is legitimate then you are an exponent of moron’s logic.
What does this have to do with what has happened here, Kev? About nothing. No hacking occurred, no pecuniary advantage has been derived to anyone’s knowledge, and actually what has happened does appear to be legal.
0 for 3, KevinH.
June 15th, 2011 at 12:06 pm
Kevinh – hacking? Are you serious? All he did was browse publicly available web content, which is what you are doing right now. Are you “hacking” kiwiblog?
June 15th, 2011 at 12:08 pm
There’s not a lot that can be done with the Flo2Cash (credit card processor) username/password – the online merchant facility doesn’t allow you to view cards; the worst you could do is issue refunds.
June 15th, 2011 at 12:12 pm
All this is fantastic, you just couldn’t make this shit up if you tried.
June 15th, 2011 at 12:29 pm
That Labour expects National to inform them of vulnerabilities that could damage them takes the cake.
I don’t recall Trevor Mallard pulling Don Brash aside quietly in 2006 and saying “listen Don, there are some awful rumours going around about your private life. I suggest you be prudent and wise here because I don’t want to see this blow up in your face”
June 15th, 2011 at 12:30 pm
It’s starting to feel like watching a totally outclassed sports team being thrashed 100-0 with full time rapidly approaching.
Even though you support the stronger team, you start to feel really bad for the losers and hope they at least get a penalty just for some points on the board.
June 15th, 2011 at 12:31 pm
nate – one would wonder if they left any dirs world writeable, that is the ability to upload files to their site. If they did well one could have some fun with SQL.
June 15th, 2011 at 12:33 pm
That search linked to seems to have been cleared…
And yeah, I take it it’s not the *users* card details, but what you might call Labour’s card processing authority. Also a problem for Labour, but it would make their statement as quoted not untrue.
Not wishing to defend, etc etc.
June 15th, 2011 at 12:35 pm
It’s starting to feel like watching a totally outclassed sports team being thrashed 100-0 with full time rapidly approaching. Even though you support the stronger team, you start to feel really bad for the losers and hope they at least get a penalty just for some points on the board.
Yes. But then recall Labour brought in the EFA. Nothing that organisation ever does again will allow me to forgive them for that. When you use the levers of power to tilt democracy itself in your favour and against your opponents for the sake of another 3 years, then you forfeit any right to sympathy.
June 15th, 2011 at 12:36 pm
@ ben 12:03 I think you have something that Whale should follow up on. I can’t believe the initial setup was that sloppy (surely not). Which implies a change in setup, and that opens up liability issues?
June 15th, 2011 at 12:47 pm
The only sensible response to all of this, from an IT security point of view, is basically “nuke the site from orbit”.
- Identify every machine that’s ever been on the same network as the insecure server
- Image the hard disks of those machines
- Format the hard drives of all machines and reinstall from known trusted sources
- Perform forensic analysis on the hard-disk images to try and identify the absolute worst-case scenario (e.g. “the bad guys have the passwords to everything and know every credit card number we’ve ever had”) for ass-covering
Given that this is the only sensible option it is of course never going to happen.
June 15th, 2011 at 12:47 pm
At the very minimum, Labour need to contact all their donors and admit that their credit card details may have been compromised. There is enough uncertainty and incompetence to suggest that their credit card database might well be in the hands of organised crime (who trawl the internet specifically looking for credit card information) that they need to take this action. They must advise their donors to contact their banks, replace their cards, and examine their statements for evidence of mis-use. If Labour don’t do this then they are acting criminally with their own supporters.
In an ideal world, Labour wouldn’t just issue the above advice, but would offer to compensate their donors for all expenses involved in replacing their cards.
June 15th, 2011 at 12:50 pm
This is serious. The Labour Party will have to contact Google and have this dealt with. It is a pity that this security breach got publicity. Slater should have told the Labour Party privately about this.
June 15th, 2011 at 12:51 pm
PauL – “Typically a mysql database isn’t accessible from the internet, only from a local server. So I doubt you could log on. But anything’s possible.”
But this is not typical. Labour had all sorts of things on a server visible to the internet which should just not have been there.
Presumably Labour’s IT people, the company operating the credit card server and the credit card companies have now conducted an urgent review to determine whether any card numbers could have actually escaped.
June 15th, 2011 at 12:56 pm
An open window is no excuse for burgling someone’s home; a crime is a crime regardless of the circumstances. If you truly believe that hacking a database for pecuniary purposes is legitimate then you are an exponent of moron’s logic.
So what you are saying is that whenever someone reads anything published on the Internet – they are stealing. So in your mind, if I read an article at the NZ Herald web site, then talk about it – I’ve stolen too.
This is not a case of stealing, this is a case of complete dumbfuckery on the behalf of the Labour party. They effectively published this data for the world to see.
June 15th, 2011 at 1:08 pm
nate (5) Says:
June 15th, 2011 at 12:08 pm
There’s not a lot that can be done with the Flo2Cash (credit card processor) username/password – the online merchant facility doesn’t allow you to view cards; the worst you could do is issue refunds
If Nate is correct it would have been hilarious if someone had used the info to process credits and given back all of Labour’s donations to the donors!!!!
June 15th, 2011 at 1:09 pm
SHG
Given that this is the only sensible option it is of course never going to happen.
More to the point, it would cost money, and I imagine Labour really doesn’t have any of that now.
June 15th, 2011 at 1:09 pm
tvb..rubbish!
The Labour party is getting its comeuppance and overdue it is too.
9 years of lying, rorting and perverting the course of justice, not to mention passing laws to tilt the playing field in your favour, is bound to come home and bite you on the arse sooner or later.
I for one am glad to see it.
My only regret is that the democracy suffers when there is no strong opposition.
Hopefully a true Labour party with actual standards and morals will arise from the ashes. (I am not holding my breath)
June 15th, 2011 at 1:14 pm
Ok, so it appears to me Labour is permanently finished as an opposition party in New Zealand. A new party will have to arise in its place. What’s a good name?
Progressive.
Democratic.
“Labor”.
Liberal. Or New Liberal.
I suppose Conservative or Republican is out, even though read literally both labels would be apt.
New Labour is old news.
The Secure Party? “We love encryption!”
June 15th, 2011 at 1:14 pm
I would imagine that the same people who are now having their credit cards replaced by their banks at their own expense will be slightly less than forthcoming next time the hat gets passed around. The sheer inconvenience of using new cards will be a constant reminder of the incompetence of their political party of choice.
Labour: short on ideas, talent, vision & now funding….roll on November.
June 15th, 2011 at 1:20 pm
KevinH 11:47am. Except of course that the contents were left on the footpath, where anyone could copy them. Ain’t schadenfreude a bitch?
cheers
David Prosser
June 15th, 2011 at 1:21 pm
Guys, I wouldn’t be so quick to say Labour is finished.
Remember all those National Party supporters supposedly in favour of private enterprise, lower tax burden and less government?
What happened?
1. John Key misled the electorate, and made us an ETS follower. This at a huge cost to our industry and our tax payers, and a windfall for a few foresters.
2. Family values? Correcting your kid with a light smack to avoid bigger problems down the track is still an offence.
3. Lower tax? All National did was shift the money, it was budget NEUTRAL.
4. It’s bailing out finance companies and insurance companies left right and center.
5. Less government? Let’s not even get started. Government is bigger than ever.
6. Overseas borrowing? $1 billion a month or more.
This country is led to the brink by an excellent salesman. Does that lead the National Party supporters to abandon the party?
June 15th, 2011 at 1:21 pm
tvb said
You think so tvb? Did anyone from Labour tell Don Brash that they had his e-mails before they started quoting from them in the House? Did Kees Keizer tell Bill English he was going to secretly record him at a party?
June 15th, 2011 at 1:25 pm
Berend, I’m sure political opposition in New Zealand is not finished. But I’m pretty sure there is an opportunity for a party other than Labour to step up to fill the vacuum Labour has created.
June 15th, 2011 at 1:41 pm
Guys, I wouldn’t be so quick to say Labour is finished.
Remember all those National Party supporters supposedly in favour of private enterprise, lower tax burden and less government?
….
This country is led to the brink by an excellent salesman. Does that lead the National Party supporters to abandon the party?
What makes you think those ones are going to vote Labour?
If anything they will trend to a party on the right (although that doesn’t seem to be happening….).
June 15th, 2011 at 1:44 pm
If you want the appropriate analogy – go to Whale’s blog where he has a sign in full view saying something like “PRIVATE SIGN — DO NOT READ” . That sums it up perfectly. And it highlights the sheer bloody stupidity of Labour’s moaning and bitching that someone “invaded” their space. If names and credit card numbers are shown then Labour needs to replace every single card and meet the total cost.
June 15th, 2011 at 1:54 pm
Best comment over at the Standard:
Jeremy Harris 21
14 June 2011 at 12:56 pm
I’m loving this, Labour couldn’t run a piss up in a brewery and the LWNJs are still defending them.
Publishing your donor’s personal info online? It’s as stupid as talking about your new girlfriend on your facebook status….. when your wife is on your friend list.
June 15th, 2011 at 2:00 pm
New campaign slogan?
“Let’s put our supporters credit card numbers on the web.
Let’s not”.
June 15th, 2011 at 2:00 pm
“Stop I.T. Incompetence”
June 15th, 2011 at 2:11 pm
Telling the Labour Party privately refers to potential victims about credit card details. The reason for doing it privately is so the information about these details being compromised, is not made public. Well that has happened, including on how to get the information and an “open” invitation for Nigerian fraudsters to get the information. That is bad. This is not about the Labour Party it is about the potential victims having their credit card details compromised.
June 15th, 2011 at 2:25 pm
tvb>The labour Party will have to contact google and have this dealt with.
The issue isn’t just Google. I dealt with a vaguely similar case years ago when my Aussie government employer happened to have been logging electronic job applications in to a publicly accessible file on the web server before passing them to the secure back end. The first we knew about it was when a member of the public rang up to complain that they’d Googled their name and found their job application and CV. Looking at the logs and resolving IP addresses, we found something over 100 search engines crawling the site. All of these will have cached the details of Labour’s donors.
Labour are going to have to attempt to contact all sorts of odd foreign search engines and persuade them to flush their cache. Actually, they probably won’t. They’ll just pretend that there is one search engine called Google and the rest don’t matter.
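Editor’s added example (not from the post or any commenter): davidp’s point that the exposure is measured by every crawler that fetched the directory, not just Google, is something you can establish from the web server’s own access log. The script below parses Apache/nginx “combined” log lines, keeps only successful (2xx) requests under a sensitive path, and groups them by self-identified crawler versus everyone else. The log lines, the `/backup/` path and the RFC 5737 addresses are constructed for the example; the crawler-detection regex is a heuristic, so agents that do not name themselves land in `non_crawler_hosts`.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format:
# host ident authuser [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Crawlers usually name themselves ("Googlebot/2.1", "bingbot/2.0", "YandexBot/3.0").
# Heuristic only: an unnamed scraper will not match.
BOT_RE = re.compile(r'([A-Za-z][A-Za-z0-9_.-]*(?:bot|spider|crawler|slurp))', re.IGNORECASE)

# Constructed sample access log (RFC 5737 addresses, made-up path); not from the incident.
SAMPLE_LOG = """\
198.51.100.1 - - [10/Mar/2011:03:14:07 +1200] "GET /backup/ HTTP/1.1" 200 4123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.1 - - [10/Mar/2011:03:14:09 +1200] "GET /backup/config.sql HTTP/1.1" 200 89122 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.2 - - [11/Mar/2011:22:01:44 +1200] "GET /backup/config.sql HTTP/1.1" 200 89122 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
198.51.100.3 - - [12/Mar/2011:08:45:12 +1200] "GET /backup/config.sql HTTP/1.1" 200 89122 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
203.0.113.7 - - [12/Mar/2011:09:10:00 +1200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
203.0.113.9 - - [13/Mar/2011:10:00:00 +1200] "GET /backup/config.sql HTTP/1.1" 200 89122 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
198.51.100.1 - - [14/Mar/2011:03:14:07 +1200] "GET /backup/config.sql HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def exposure_report(log_text, sensitive_prefix):
    """Who successfully fetched anything under sensitive_prefix?

    Returns {"crawlers": {bot_name: [paths...]}, "non_crawler_hosts": [ips...]}.
    Only 2xx responses count: a 403/404 means the request was made but nothing
    was served, which is exactly the distinction you need when assessing a leak.
    """
    crawlers = defaultdict(set)
    other_hosts = set()
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None or not rec["path"].startswith(sensitive_prefix):
            continue
        if not rec["status"].startswith("2"):
            continue
        m = BOT_RE.search(rec["agent"])
        if m:
            crawlers[m.group(1)].add(rec["path"])
        else:
            other_hosts.add(rec["host"])
    return {
        "crawlers": {name: sorted(paths) for name, paths in crawlers.items()},
        "non_crawler_hosts": sorted(other_hosts),
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_LOG, "/backup/")
    for bot, paths in sorted(report["crawlers"].items()):
        print(f"crawler {bot} fetched: {', '.join(paths)}")
    print("other hosts that fetched:", ", ".join(report["non_crawler_hosts"]))
```

Each named crawler in the report is a cache that may need a removal request; each address in `non_crawler_hosts` is a download you cannot recall at all, which is the honest input to the “assume it is out there” decision several commenters argue for.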
June 15th, 2011 at 2:44 pm
Just checked. Still cached in many search engines.
June 15th, 2011 at 2:50 pm
So, I think people are over reacting.
They had a backup of all their configuration information publicly available. That backup included the username, password and uri for the sql database of their credit card provider. What isn’t clear is:
a) could you actually use that info to log on, or was there some other security (based on IP or otherwise) that would prevent Joe average from logging on
b) if you actually did log on, what would you see? Does it have a list of credit card numbers that it will give you, or does it just let you create new transactions.
In short, I don’t think this is quite the smoking gun that some here think.
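Editor’s added example (not from the post or any commenter): PaulL describes the exposed file as a configuration backup holding a username, password and URI for the card provider’s database. Whatever a connection string turns out to grant, the defender’s check is to make sure such strings never sit in a web-served backup in the first place. The scanner below walks a config dump and reports keys that look like credentials (password/secret/api key/token, in ini, PHP `define()`, YAML and JSON spellings) and any URI carrying `user:password@`, printing a redacted value so the report itself does not re-leak the secret. `SAMPLE_DUMP` and every value in it are constructed for the example; the key-name heuristics are the editor’s and will need tuning for a real code base.

```python
import re
from urllib.parse import urlsplit

# key = value / key: value / "key": "value" / define('KEY', 'value') where the key
# name suggests a credential. Heuristic; tune the keyword list for your own config.
SECRET_KEY_RE = re.compile(
    r"""^\s*(?:define\s*\(\s*)?\$?['"]?"""
    r"""(?P<key>[A-Za-z0-9_.-]*(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token|auth)[A-Za-z0-9_.-]*)"""
    r"""['"]?\s*(?:=>|=|:|,)\s*['"]?(?P<value>[^'";,\s]+)""",
    re.IGNORECASE,
)

# Any scheme://... token; credentials are detected by parsing it, not by regex.
URI_RE = re.compile(r"""\b[a-z][a-z0-9+.-]*://[^\s'";,]+""", re.IGNORECASE)

# Constructed sample of a leaked configuration backup; none of these values are real.
SAMPLE_DUMP = """\
; constructed sample of a leaked configuration backup (not the real file)
[database]
db_host = localhost
db_user = webapp
db_password = hunter2
[processor]
merchant_id = 12345
api_key = ""
processor_url = https://gateway.example.invalid/api
processor_dsn = mysql://app_user:hunter2@db.example.invalid:3306/donors
define('SMTP_PASS', 'mailpass');
"password": "s3cret",
"""


def redact(value):
    """Keep two characters so a finding can be matched to the file, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 1)


def find_secrets(text):
    """Return a list of findings: {"line", "kind", "name", "redacted"}.

    kind "key": a credential-looking key with a non-empty value.
    kind "uri": a URI with an embedded user:password (a DSN/connection string).
    Empty values (api_key = "") are not reported.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SECRET_KEY_RE.match(line)
        if m:
            findings.append({"line": lineno, "kind": "key", "name": m.group("key"),
                             "redacted": redact(m.group("value"))})
        for u in URI_RE.finditer(line):
            parts = urlsplit(u.group(0))
            if parts.username and parts.password:
                findings.append({"line": lineno, "kind": "uri",
                                 "name": f"{parts.username}@{parts.hostname}",
                                 "redacted": redact(parts.password)})
    return findings


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_DUMP):
        print(f"line {f['line']:>3}  {f['kind']:<3}  {f['name']:<32} {f['redacted']}")
```

Run it over backup archives and deployment directories before they are ever placed under a document root; the same function doubles as a quick triage tool after an exposure, because the line numbers tell you which credentials must be rotated.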
June 15th, 2011 at 3:21 pm
PaulL, you raise a fair point. FWIW I think one reason nobody is disclosing the actual cc numbers, or admitted trying to use the sql login, is that such use would be a breach of the Crimes Act. Slater said this, I think, in his video.
June 15th, 2011 at 4:36 pm
ben
…..”such use would be a breach of the Crimes Act.”……
I doubt that any prospective Nigerian fraudster is going to be greatly concerned about what our legislation forbids.
June 15th, 2011 at 5:50 pm
Nasska, right, exactly, but the point is that even if 100 kiwis got the login and gave it a go and got access to the database, or even if they didn’t, they have a very good reason not to tell anyone. So absence of evidence here isn’t evidence of absence, as PaulL may be thinking.
June 15th, 2011 at 6:17 pm
ben >FWIW I think one reason nobody is disclosing the actual cc numbers, or admitted trying to use the sql login, is that such use would be a breach of the Crimes Act.
A valid concern. AusCert is an Australia New Zealand computer organisation based in the University of Queensland and sponsored by the government as a center of excellence in IT security. They run an annual conference which I’ve been to a couple of times. It is corporate rather than hacker.
At this year’s conference an attendee demonstrated a vulnerability in FaceBook that allowed people to access photographs without authorisation. A journalist was at the session, reported the vulnerability, and had copies of a couple of “hacked” photos. The Queensland Police actually arrested the journalist. Incredible! Apparently the way to deal with security vulnerabilities is make talking about them illegal. That way everyone will be safe.
http://www.smh.com.au/technology/technology-news/grubbs-story-privacy-news-and-the-strong-arm-of-the-law-20110518-1esn9.html
June 15th, 2011 at 6:18 pm
djg (64) Says:
June 15th, 2011 at 1:08 pm
nate (5) Says:
June 15th, 2011 at 12:08 pm
There’s not a lot that can be done with the Flo2Cash (credit card processor) username/password – the online merchant facility doesn’t allow you to view cards; the worst you could do is issue refunds
If Nate is correct it would have been hilarious if someone had used the info to process credits and given back all of Labour’s donations to the donors!!!!
Yep well there’s some $850,000 that Clark stole and when that’s done perhaps someone should visit NZ First and get our $158k back into the public purse.
June 15th, 2011 at 6:25 pm
davidp – that is extraordinary. Still I suppose the trick is to know that what you’re presenting is illegal and so present it in a way that does not result in breach, like by saying a friend did the hacking and sent you the screenshots, or by not showing the hacked photos, or whatever the hooks in the law are. I suppose the police will arrest you anyway, and you’ll have to go to the trouble of explaining this to a judge, but it will at least keep you out of jail.
June 15th, 2011 at 7:22 pm
Will Labour have enough money left to contest the Election?
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10732419
June 15th, 2011 at 8:11 pm
Doug, it is somewhat ironic that according to the whale, the total amount received by the labour party in donations, is the same amount you see in the Fred Hollows donation ad on Kiwiblogs sidebar.
June 15th, 2011 at 9:17 pm
My argument wasn’t that nobody has said they have credit cards, therefore it didn’t happen. My argument was more that it’s unlikely that you could access credit card numbers using these details. The whole point of using an external credit card processing agency is that you never hold the credit card details, and I’m pretty sure that they won’t give you those details – if they did so, they’d be creating a hole in their own security and their business model. I don’t know that for sure, I haven’t tried. But my experience tells me it’s unlikely.
Having said that, I would perhaps have also said it was unlikely that someone would change their web site such that the URL name returned a directory listing, and it could stay like that for 3 months without anyone noticing. My web site gets about 2 hits a day (if that), and I think someone would tell me within 3 months. I’d hope I’d notice myself.
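Editor’s added example (not from the post or any commenter): PaulL’s second point is that a change to the site turned a URL into a directory listing and nobody noticed for months. On Apache httpd that behaviour is the `Indexes` option, and it is easy to get wrong because options merge from shorter to longer `<Directory>` paths, a bare `Options` line replaces while `+`/`-` adjust, and on httpd 2.2 the default was `All` (every option except MultiViews, so listing was on unless switched off). The lint below reads a config fragment, models that merging in simplified form (no nested sections, no `.htaccess`, no `<Location>`), and names every directory whose effective options still include `Indexes`. `SAMPLE_CONF` is constructed for the example; the `default` argument lets you mirror the 2.2 default.

```python
import re

# httpd's "All" keyword expands to every option except MultiViews.
ALL_OPTIONS = frozenset({"execcgi", "followsymlinks", "includes",
                         "includesnoexec", "indexes", "symlinksifownermatch"})

DIR_OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)
DIR_CLOSE = re.compile(r'^</Directory>$', re.IGNORECASE)
OPTIONS_LINE = re.compile(r'^Options\s+(.+)$', re.IGNORECASE)

# Constructed httpd.conf fragment for the example (not Labour's configuration).
SAMPLE_CONF = """\
<Directory "/var/www/html">
    # listing switched on for the whole tree
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html/backup">
    # relative token: adjusts the inherited set
    Options -Indexes
</Directory>
<Directory "/var/www/html/old">
    # no Options line at all: inherits Indexes from /var/www/html
    AllowOverride None
</Directory>
<Directory "/var/www/html/uploads">
    # adds ExecCGI but leaves the inherited Indexes in place
    Options +ExecCGI
</Directory>
<Directory "/var/www/secure">
    Options None
</Directory>
"""


def _apply(current, tokens):
    """Apply one Options line: if every token is +/- it adjusts, otherwise it replaces."""
    toks = [t.lower() for t in tokens]
    if all(t[0] in "+-" for t in toks):
        new = set(current)
        for t in toks:
            names = ALL_OPTIONS if t[1:] == "all" else {t[1:]}
            if t[0] == "+":
                new |= names
            else:
                new -= names
        return new
    new = set()
    for t in toks:
        if t == "none":
            continue
        if t == "all":
            new |= ALL_OPTIONS
        else:
            new.add(t.lstrip("+-"))
    return new


def parse_option_lines(conf_text):
    """Collect the Options token lists per <Directory> path ("" = server scope), in order."""
    blocks = {"": []}
    current = ""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment lines and surrounding whitespace
        if not line:
            continue
        m = DIR_OPEN.match(line)
        if m:
            current = m.group(1).rstrip("/") or "/"
            blocks.setdefault(current, [])
            continue
        if DIR_CLOSE.match(line):
            current = ""
            continue
        m = OPTIONS_LINE.match(line)
        if m:
            blocks[current].append(m.group(1).split())
    return blocks


def effective_options(conf_text, default=frozenset()):
    """Effective Options per directory, merging from the shortest path to the longest."""
    blocks = parse_option_lines(conf_text)
    server = set(default)
    for toks in blocks[""]:
        server = _apply(server, toks)
    effective = {}
    for path in sorted((p for p in blocks if p), key=len):
        ancestors = [a for a in effective if path.startswith(a.rstrip("/") + "/")]
        base = effective[max(ancestors, key=len)] if ancestors else server
        opts = set(base)
        for toks in blocks[path]:
            opts = _apply(opts, toks)
        effective[path] = opts
    return effective


def listing_enabled(conf_text, default=frozenset()):
    """Directories whose effective Options include Indexes, i.e. that will serve listings."""
    return sorted(p for p, o in effective_options(conf_text, default).items() if "indexes" in o)


if __name__ == "__main__":
    for d in listing_enabled(SAMPLE_CONF):
        print("directory listing enabled:", d)
```

Run it against the live configuration as part of deployment checks rather than once; the failure mode in the thread was not the original setup but a later change, and a `/var/www/html/old` style block that never mentions `Options` is exactly the one a manual review skips.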
June 16th, 2011 at 9:46 am
Wow, don’t let the facts get in the way of your agenda there DPF. That’s Labour’s auth token for their credit card provider. They have NO access to any numbers, they’re all processed remotely. That’s actually part of PCS compliance, which you should know about given your affiliation with INNZ and various other internet groups. Those tokens will now have been changed. Wow, you and Slater are just pathetic over this.
The amount of people pretending to know what the fuck they’re talking about when they know NOTHING about web security, how sites are built, CC processing, authentication is just staggering.
Worst part is this is the sort of thing you’re normally good at pulling other people up on….