{"id":12329,"date":"2017-12-11T13:58:42","date_gmt":"2017-12-11T13:58:42","guid":{"rendered":"https:\/\/informnapalm.org\/en\/?p=12329"},"modified":"2017-12-11T13:58:42","modified_gmt":"2017-12-11T13:58:42","slug":"activists-publish-results-fuckresponsibledisclosure-campaign","status":"publish","type":"post","link":"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/","title":{"rendered":"Activists Publish Results of #FuckResponsibleDisclosure Campaign"},"content":{"rendered":"<p><strong><a href=\"https:\/\/www.facebook.com\/ruheight\" target=\"_blank\" rel=\"noopener\">Sean Brian Townsend<\/a> is an independent computer security researcher, a member and the speaker of <a href=\"https:\/\/uk.wikipedia.org\/wiki\/%D0%A3%D0%BA%D1%80%D0%B0%D1%97%D0%BD%D1%81%D1%8C%D0%BA%D0%B8%D0%B9_%D0%BA%D1%96%D0%B1%D0%B5%D1%80%D0%B0%D0%BB%D1%8C%D1%8F%D0%BD%D1%81\">Ukrainian Cyber Alliance<\/a>. His article discusses the results of the #FuckResponsibleDisclosure campaign. Publications in our opinion and civil society sections are not edited by InformNapalm and represent personal views of their authors.<\/strong><\/p>\n<h2>Is it difficult to hack Ukraine? How UCA tested Ukrainian government IT systems<\/h2>\n<p><em>As a fashionable conversation subject in Ukraine, cybersecurity has now become equal to the fight against corruption. Ukrainian Cyber Alliance and independent researchers spent several weeks looking for vulnerable government systems. Is it possible to hack a website using Google? Do Russian hackers exist, or are they just a myth? How do bureaucrats respond when notified about vulnerabilities? How does law enforcement participate in this?<\/em><\/p>\n<p>I have good news and bad news for you. The good news is that the efforts of UCA and volunteers resulted in many of the existing holes, including those in critical infrastructure and military systems, being patched. 
The bad news is not the fact of the existence of vulnerabilities in police, military, or water supply systems itself, but the general absence of defensive capabilities in Ukrainian cyberspace, even after four years of the war and hundreds of targeted and destructive cyberattacks.<\/p>\n<p>We repeatedly encounter Russian hackers and see the lack of preparedness of government institutions against their attacks. For instance, in December 2016, when reading hacked communications of pro-Russia hackers, we discovered that a <a href=\"https:\/\/www.facebook.com\/photo.php?fbid=357282398053458&amp;set=a.130395897408777.1073741828.100013151020465&amp;type=3&amp;theater\">mail server of the Ukrainian Interior Ministry was fully compromised<\/a>. We immediately reported this to the Ministry, Cyberpolice, and SBU (Security Service of Ukraine).<\/p>\n<p>Since we conduct similar activities in Russia and the occupied territories, we were not surprised. We are not \u201cthe cyber-apocalypse witnesses\u201d and understand that with sufficient time, money, and just a bit of luck anything can be hacked. What did surprise us was the complete lack of any response. Apparently, in the Ministry, they decided that it was just a coincidence, and there would be no new attacks.<\/p>\n<p>This kind of reaction was not unique. Later, we would encounter it many more times, even though it\u2019s the worst kind of all. We are often forced to provide copies of internal documents just to demonstrate the vulnerabilities, because bureaucrats deny that their systems have been broken into. 
In the case of the mail server, the confirmation came in <a href=\"http:\/\/internetua.com\/sbu-podtverdila--csto-u-separatistov-bil-dostup-k-pocstovomu-serveru-mvd\">SBU\u2019s response to the reporter of InternetUA<\/a>.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/informnapalm.org\/blog\/wp-content\/uploads\/sites\/24\/2017\/12\/a-mvd-300x239.jpg\" \/><\/p>\n<p>The claim that none of the documents are secret is the most popular excuse. But we have no interest in secrets or even the ability to play with the valves in the water mains of Rivne and Kirovohrad. We just want to know if we can get from the outside to what is stored inside. I already told the story about <a href=\"https:\/\/www.facebook.com\/ruheight\/posts\/368726960242335\">how we hacked Orenburg Oblast<\/a>. It started with a password to the website of a local veterinary hospital, and it ended with the full penetration of the data center of the regional government \u2013 all websites, all email, all document storage, including government communications and even an FSB (Russian security service) rack.<\/p>\n<p>The classification of the documents doesn\u2019t matter. You just need to find a tiny crack, and then you get inside and reach much more important targets.<\/p>\n<p>Still, this idea was very difficult to explain to the officials of State Enterprise Energoatom and Kherson Oblast Rada who left several of their properties wide open on the Internet. There was no need to hack anything, we just had to find systems with public shares. Energoatom had <strong>four<\/strong> such systems. I can understand the concerns of the press office of the Ukrainian nuclear energy company, since even a rumor that nuclear power stations could be penetrated by hackers can cause panic. But this is the reality. 
It doesn\u2019t matter whether it\u2019s a contractor or a small department, secret or public documents, inside the enterprise network or on a careless employee\u2019s flash drive \u2013 <a href=\"https:\/\/www.facebook.com\/ruheight\/posts\/370060293442335?pnref=story\">a leak is a leak<\/a>.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/informnapalm.org\/blog\/wp-content\/uploads\/sites\/24\/2017\/12\/24173149_370363463412018_3024316245763973410_o-212x300.jpg\" \/><\/p>\n<p>We didn\u2019t need to use any proper hacking tools. Only search, sometimes as simple as using Google. With access to the internal network (through a flash drive or directly \u2013 one of the systems allowed direct access into the internal network) sooner or later we would reach all parts of it. This is exactly how we were able to obtain full access to the SCADA system of one of the Russian power stations. This is exactly how Russian hackers were able to briefly take down Prykarpattyaoblenergo (regional energy distribution company) and Severnaya transmission station in Kyiv. But in the case of Rivne and Kirovohrad water supply systems, hacking wasn\u2019t even needed. Everything was publicly accessible, all customer lists, IP addresses, usernames and passwords, VPN keys, and everything else necessary to conduct a small <strong>terror attack<\/strong>.<\/p>\n<p>You can rest easy \u2013 these specific cases immediately drew the attention of SBU. However, Kyivenergoremont (Kyiv city power system repair company) and State Service of Financial Monitoring still believe that they have no problems. And seeing which systems are accessible to the public or have already been visited by other hackers is outright depressing. 
Interior Ministry Academy (passwords for the website and the internal network, traces of repeated hacks, database of police officers), a server of the Kyiv Oblast National Police press service (documents, usernames and passwords, access to the internal network), Kirovohrad water supply (access to critical infrastructure), Energoatom, Kyivenergoremont, Judicial service of Ukraine, National Agency on Corruption Prevention, Interior Ministry reports (including special divisions), Kirovohrad Employment Center, Nikopol Pension Fund, etc.<\/p>\n<p>Many people simply can\u2019t comprehend that all information has its value. Lviv military recruitment office <a href=\"https:\/\/zaxid.net\/lvivskiy_viyskkomat_opublikuvav_povni_spiski_tih_hto_uhilyayetsya_vid_prizovu_n1442216\">published the list of fifteen thousand people believed to be avoiding enlistment<\/a> (in other words, the office just could not find them at their registered addresses). It did so on its own initiative. And not just using a public share or an FTP server, but on Facebook. Which means no one there had any idea that this is personal data protected by the law. And we also found the systems of the regional recruitment office of Zakarpattia Oblast with the database of recruits, orders, communications with the regional government and the Ministry of Defense, plans, lists, unit assignments, basically everything! This is no longer an excusable mistake, but something that should involve military prosecutors, since this is classified information, not just personal data.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/informnapalm.org\/blog\/wp-content\/uploads\/sites\/24\/2017\/12\/ovk-1-300x272.png\" \/><\/p>\n<p>In other words, Russian hackers wouldn\u2019t even need to make an effort. Just come and take it.<\/p>\n<p>The next two examples are Chernihiv and Donetsk regional administrations. In Chernihiv, they made drive shares public. 
After our post, they blocked access to the drives, but one of our volunteers immediately found a vulnerability on their website that allowed full access to the site and the presumably inaccessible drives. Basic rules say that public services must be completely separate from the local network. But bureaucrats can ignore those rules, right?<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/informnapalm.org\/blog\/wp-content\/uploads\/sites\/24\/2017\/12\/23844853_368538460261185_7845738156274452204_n-300x286.jpg\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>And the situation in Donetsk administration was even more interesting. The same volunteer found a remote control package there (WSO2 web shell) installed by other hackers. They didn\u2019t just break into the website, but also obtained administrator rights on the server, stole all passwords of the real administrators and went deeper into the internal network. I want to point out here that this is not a regular regional administration, but a civil-military administration in the ATO zone. And the hackers visited there from Samara, which is a city in Russia, the same Russia we\u2019re at war with. Even after our post about the hack, the site stayed like that for another week. Then either the administrators decided to pretend that nothing ever happened, or the hackers saw our post and cleaned the server, but in the end the server was reinstalled. The administration press service reported \u201ctemporary technical issues\u201d. But when Russian hackers get inside the regional administration\u2019s network in the ATO zone, these are not \u201ctechnical issues\u201d, but espionage activities by an enemy country.<\/p>\n<p>Even if the administration\u2019s IT reinstalled the server, this is absolutely not enough. The Russians could have gained access to other systems on the network. Locking down and reinstalling the compromised system is just the beginning. The next step is to check the whole network. 
In case you\u2019ve forgotten, I\u2019ll remind you what ANNA News and \u201c<a href=\"http:\/\/mil-lnr.info\/\">LPR People\u2019s Militia<\/a>\u201d went through. Their IT staff kept updating their server to the latest versions, tried to protect the hacked and now restored server, but we would come back using well-hidden entry points and hack them again. After the fourth hack, \u201cLPR People\u2019s Militia\u201d took down their website and never brought it back again. All useful information was taken by us and handed over to Myrotvorets Center a year ago.<\/p>\n<h2>Where has CERT gone?<\/h2>\n<p>So, how does the government respond to this? It almost never does. Yes, the vulnerabilities get patched, sometimes SBU would conduct an investigation or a training. According to Kyiv Police, Cyberpolice helped them reinstall and protect their computers \u2013 apparently, none of their own people was capable of setting up Windows so that the systems wouldn\u2019t end up wide open on the Internet. But in general law enforcement does what it\u2019s supposed to do: prevent crime and catch criminals. As for the people responsible for computer security, there\u2019s no one there. In principle, each incident has to be reported by the affected organization first, then it should be referred to the State Service of Special Communication and Information Protection, and then the Service would tell you all the stories I\u2019m telling you right now, along with its recommendations. I don\u2019t know what exactly the Service is busy with, but they\u2019ve done nothing and not responded to any of the described incidents or attacks.<\/p>\n<p>Moreover, CERT-UA, a division of the Service, was the primary target of our campaign. And they don\u2019t respond to any incidents, not just the ones we reported. 
Everyone likes to talk about Russian hackers, how scary they are, about the coming cyber-apocalypse, and the need to increase the pace of the development of the improvement of cybersecurity. Or some other such bureaucratese. Still, after dozens of cyberattacks against Ukraine there\u2019s not a single proper incident report. Of course, we can bring professional experts from the United States, and Cisco Talos can read some logs and publish a technical report about NotPetya, and we can translate reports authored by Microsoft and Eset, but who conducted that attack? Why? What should be done to avoid it in the future? How did it become possible? No response.<\/p>\n<p>If you conduct a paper audit (as required by the law about the fundamentals of cybersecurity 2126a), you will have paper security. To create a private-government partnership, a partner is required, but it has been absent. We report a hole you can drive a truck through but only hear the same stories in response: nothing happened, it happened, but with our subsidiary, well, it happened with us, but had no negative effects, and if there were negative effects, we\u2019ll just ignore questions or lie outright in a press release. What kind of consequences are you still waiting for, after Medoc and everything else? <strong>Cybersecurity in Ukraine is the responsibility of everyone and no one.<\/strong><\/p>\n<p>The Ministry of Emergency Situations publishes the plans of the layout of government communication lines. What, no one ever sets fires to manholes in our country? In Kyiv, this happens pretty regularly. Kyivstar publishes the project of a cellular network (here we should tip our hats to their security service: they responded to our Facebook post <strong>in less than two minutes<\/strong> \u2013 government services are very far behind, with average response time of a day or more). The Ministry of Healthcare \u2013 a vulnerability in the website. 
Once, CERT conducted a scan of vulnerabilities of government websites (or maybe some activists got under their skins and forced them to publish the advisory), and their list marked the website of the Expert Criminology Science and Research Center as vulnerable. It remained like that for a year, until we spoke about it in a TV interview. Then a representative of the center contacted me in a direct message and promised that they pay close attention to security. It was a very nice conversation, thank you.<\/p>\n<p>In direct messages, all officials are nice and kind, and sometimes they thank us in comments to our posts. Amazingly, the deputy head of Kherson regional administration even wrote her own Facebook post. What can I tell you about that? Gratitude is of course welcome, but fixed vulnerabilities are not only welcome, but also helpful, and not just to us, but to everyone. In the end, we don\u2019t need your gratitude, we only need you to do your jobs properly. For example, when we <a href=\"http:\/\/www.ntv.ru\/novosti\/1231281\/\">hacked the website of Astrakhan regional council<\/a>, the council speaker screamed into the TV cameras, \u201cwe\u2019re gonna fire everyone!\u201d So, better start correcting your mistakes now, before you have to deal with consequences. And it can\u2019t be done without a public discussion.<\/p>\n<p>Your websites are full of \u201cnews\u201d about your conferences, meetings, legislative initiatives, and other unreadable junk, but there\u2019s nothing about your mistakes and what you did to correct them. Don\u2019t pretend that you\u2019re invincible, anyone can be hacked, but if you work on correcting your mistakes, we\u2019ll see that you care, that you can make progress. And it also serves as a warning to everyone else. <strong>Otherwise, nothing will change.<\/strong><\/p>\n<h2>What should be done? 
On punishing the innocent and rewarding the bystanders<\/h2>\n<p>No volunteers, hackers, experts, high wages, or strict penalties will help by themselves. We caught Zaporizhstal, and a supermarket chain, and a Kyiv utility company that published all its accounting and some kind of key in a folder called \u201cBANK\u201d, probably giving access to their current account. For some reason, we learn from a Facebook post that Cyberberkut used documents the Russians stole from the Ministry of Ecology in its attack against Energoatom, and that only because Energoatom wanted to avoid taking responsibility for it. Why is the Ministry silent? Or maybe you think there\u2019s nothing interesting there? I can assure you that the reports of the inventory commission about the state of nuclear facilities made for such an interesting read that the nuclear people\u2019s press service would have jumped out of their skins at my mention of that if that had been possible on Facebook. (By the way, nuclear safety in our country is in pretty good shape. Some small incidents do happen, but they don\u2019t have any consequences.)<\/p>\n<p>In the Ukrainian part of the Internet, useful information can be easily dredged up. We found a notary public with all their keys that give access to registries. In August, something happened to the website of the Foreign Intelligence Service. It ran WordPress (Google remembers everything). A taxi company published logs of all its trips.<\/p>\n<p>Endless boilerplate replies, weak excuses, blame games and apologies on Facebook do not provide any protection. A dozen different cybercenters (we have cybercenters everywhere, they\u2019ll soon start popping up at local housing offices) with their empty rhetoric whose only tangible result is the disappearance of government money. 
Instructions and rules for underwater combat with aliens are being produced by the ton, while Russian hackers are free to run around Ukrainian networks, including civil, military, and critical infrastructure.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/informnapalm.org\/blog\/wp-content\/uploads\/sites\/24\/2017\/12\/certs-300x210.png\" \/><\/p>\n<p>So, what should we do about cybersecurity? We should simplify, not complicate laws and instructions. Eliminate useless organizations. Take down useless websites never visited by anyone. It\u2019s easier to make a reference list of district administrations than support hundreds of junk websites. Fire useless people who not only can\u2019t do their job, but actually sabotage their employers. Start with the basics. Remove public access from SMB shares and FTP servers, disconnect public resources from internal networks, use proper passwords and two-factor authentication, never click on random links. And, most importantly, if something happens, talk about it honestly, notify the Service of Special Communication, try and figure out what happened, how it happened, and who benefited from it. When you try to hide the truth, you hurt both yourselves and your country.<\/p>\n<p>Formal replies and blame games won\u2019t help defend against a large-scale coordinated cyberattack. Of course, we won\u2019t die, but we\u2019ll have to go back to abacuses and candles. And don\u2019t think that you\u2019re surrounded by idiots, while you have the best IT staff, great policies and everything else. 
Anyone can be hacked, it\u2019s just a matter of time, money, and motivation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sean Brian Townsend is an independent computer security researcher, a member and the speaker of Ukrainian Cyber&#8230;<\/p>\n","protected":false},"author":106,"featured_media":12332,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"om_disable_all_campaigns":false,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[528,641,532],"tags":[253,3620,760,219],"class_list":["post-12329","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-uca","category-world","tag-cyber-warfare","tag-fuckresponsibledisclosure","tag-uca","tag-ukraine"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Activists Publish Results of #FuckResponsibleDisclosure Campaign<\/title>\n<meta name=\"description\" content=\"Sean Brian Townsend is independent computer security researcher, member and speaker of UCA discusses the results of the #FuckResponsibleDisclosure campaign.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Activists Publish Results of #FuckResponsibleDisclosure Campaign\" \/>\n<meta property=\"og:description\" content=\"Sean Brian Townsend is independent computer security researcher, member and 
speaker of UCA discusses the results of the #FuckResponsibleDisclosure campaign.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/\" \/>\n<meta property=\"og:site_name\" content=\"InformNapalm.org (English)\" \/>\n<meta property=\"article:published_time\" content=\"2017-12-11T13:58:42+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/informnapalm.org\/en\/wp-content\/uploads\/sites\/14\/2017\/12\/o-CYBER-WAR-facebook-642x336.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"642\" \/>\n\t<meta property=\"og:image:height\" content=\"336\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"vasgri\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"vasgri\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/\"},\"author\":{\"name\":\"vasgri\",\"@id\":\"https:\/\/informnapalm.org\/en\/#\/schema\/person\/d9ac22904157eeb67f0b60921e87d8bf\"},\"headline\":\"Activists Publish Results of #FuckResponsibleDisclosure 
Campaign\",\"datePublished\":\"2017-12-11T13:58:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/\"},\"wordCount\":2780,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/informnapalm.org\/en\/wp-content\/uploads\/sites\/14\/2017\/12\/o-CYBER-WAR-facebook-642x336.jpg\",\"keywords\":[\"cyber warfare\",\"FuckResponsibleDisclosure\",\"UCA\",\"Ukraine\"],\"articleSection\":[\"News\",\"UCA\",\"World\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/\",\"url\":\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/\",\"name\":\"Activists Publish Results of #FuckResponsibleDisclosure Campaign\",\"isPartOf\":{\"@id\":\"https:\/\/informnapalm.org\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/informnapalm.org\/en\/wp-content\/uploads\/sites\/14\/2017\/12\/o-CYBER-WAR-facebook-642x336.jpg\",\"datePublished\":\"2017-12-11T13:58:42+00:00\",\"author\":{\"@id\":\"https:\/\/informnapalm.org\/en\/#\/schema\/person\/d9ac22904157eeb67f0b60921e87d8bf\"},\"description\":\"Sean Brian Townsend is independent computer security researcher, member and speaker of UCA discusses the results of the #FuckResponsibleDisclosure 
campaign.\",\"breadcrumb\":{\"@id\":\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/#primaryimage\",\"url\":\"https:\/\/informnapalm.org\/en\/wp-content\/uploads\/sites\/14\/2017\/12\/o-CYBER-WAR-facebook-642x336.jpg\",\"contentUrl\":\"https:\/\/informnapalm.org\/en\/wp-content\/uploads\/sites\/14\/2017\/12\/o-CYBER-WAR-facebook-642x336.jpg\",\"width\":642,\"height\":336,\"caption\":\"Workplace violence concept\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/informnapalm.org\/en\/activists-publish-results-fuckresponsibledisclosure-campaign\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/informnapalm.org\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Activists Publish Results of #FuckResponsibleDisclosure Campaign\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/informnapalm.org\/en\/#website\",\"url\":\"https:\/\/informnapalm.org\/en\/\",\"name\":\"InformNapalm.org (English)\",\"description\":\"Latest News from 
Ukraine\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/informnapalm.org\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/informnapalm.org\/en\/#\/schema\/person\/d9ac22904157eeb67f0b60921e87d8bf\",\"name\":\"vasgri\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/informnapalm.org\/en\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5851afa9a0b73acb616f1433ce0c88213f283b6c8f0d65289e0763ccd1703343?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5851afa9a0b73acb616f1433ce0c88213f283b6c8f0d65289e0763ccd1703343?s=96&d=mm&r=g\",\"caption\":\"vasgri\"},\"url\":\"https:\/\/informnapalm.org\/en\/author\/vasgri\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","post_src":"<strong><a href=\"https:\/\/www.facebook.com\/ruheight\" target=\"_blank\" rel=\"noopener\">Sean Brian Townsend<\/a> is an independent computer security researcher, a member and the speaker of <a href=\"https:\/\/uk.wikipedia.org\/wiki\/%D0%A3%D0%BA%D1%80%D0%B0%D1%97%D0%BD%D1%81%D1%8C%D0%BA%D0%B8%D0%B9_%D0%BA%D1%96%D0%B1%D0%B5%D1%80%D0%B0%D0%BB%D1%8C%D1%8F%D0%BD%D1%81\">Ukrainian Cyber Alliance<\/a>. His article discusses the results of the #FuckResponsibleDisclosure campaign. Publications in our opinion and civil society sections are not edited by InformNapalm and represent personal views of their authors.<\/strong>\r\n<h2>Is it difficult to hack Ukraine? How UCA tested Ukrainian government IT systems<\/h2>\r\n<em>As a fashionable conversation subject in Ukraine, cybersecurity has now become equal to the fight against corruption. 
Ukrainian Cyber Alliance and independent researchers spent several weeks looking for vulnerable government systems. Is it possible to hack a website using Google? Do Russian hackers exist, or are they just a myth? How do bureaucrats respond when notified about vulnerabilities? How does the law enforcement participate in this?<\/em>\r\n\r\nI have good news and bad news for you. The good news is that the efforts of UCA and volunteers resulted in many of the existing holes, including those in critical infrastructure and military systems, being patched. The bad news is not the fact of the existence of vulnerabilities in police, military, or water supply systems itself, but the general absence of defensive capabilities in Ukrainian cyberspace, even after four years of the war and hundreds of targeted and destructive cyberattacks.\r\n\r\nWe repeatedly encounter Russian hackers and see the lack of preparedness of government institutions against their attacks. For instance, in December 2016, when reading hacked communications of pro-Russia hackers, we discovered that a <a href=\"https:\/\/www.facebook.com\/photo.php?fbid=357282398053458&amp;set=a.130395897408777.1073741828.100013151020465&amp;type=3&amp;theater\">mail server of the Ukrainian Interior Ministry was fully compromised<\/a>. We immediately reported this to the Ministry, Cyberpolice, and SBU (Security Service of Ukraine).\r\n\r\nSince we conduct similar activities in Russia and the occupied territories, we were not surprised. We are not \u201cthe cyber-apocalypse witnesses\u201d and understand that with sufficient time, money, and just a bit of luck anything can be hacked. What did surprise us was the complete lack of any response. Apparently, in the Ministry, they decided that it was just a coincidence, and there would be no new attacks.\r\n\r\nThis kind of reaction was not unique. Later, we would encounter it many more times, even though it\u2019s the worst kind of all. 
We are often forced to provide copies of internal documents just to demonstrate the vulnerabilities, because bureaucrats deny that their systems have been broken into. In the case of the mail server, the confirmation came in <a href=\"http:\/\/internetua.com\/sbu-podtverdila--csto-u-separatistov-bil-dostup-k-pocstovomu-serveru-mvd\">SBU\u2019s response to the reporter of InternetUA<\/a>.\r\n\r\n<img src=\"https:\/\/informnapalm.org\/blog\/wp-content\/uploads\/sites\/24\/2017\/12\/a-mvd-300x239.jpg\" \/>\r\n\r\nThe claim that none of the documents are secret is the most popular excuse. But we have no interest in secrets or even the ability to play with the valves in the water mains of Rivne and Kirovohrad. We just want to know if we can get from the outside to what is stored inside. I already told the story about <a href=\"https:\/\/www.facebook.com\/ruheight\/posts\/368726960242335\">how we hacked Orenburg Oblast<\/a>. It started with a password to the website of a local veterinary hospital, and it ended with the full penetration of the data center of the regional government \u2013 all websites, all email, all document storage, including government communications and even an FSB (Russian security service) rack.\r\n\r\nThe classification of the documents doesn\u2019t matter. You just need to find a tiny crack, and then you get inside and reach much more important targets.\r\n\r\nStill, this idea was very difficult to explain to the officials of State Enterprise Energoatom and Kherson Oblast Rada who left several of their properties wide open on the Internet. There was no need to hack anything, we just had to find systems with public shares. Energoatom had <strong>four<\/strong> such systems. I can understand the concerns of the press office of the Ukrainian nuclear energy company, since even a rumor that nuclear power stations could be penetrated by hackers can cause panic. But this is the reality. 
It doesn\u2019t matter whether it\u2019s a contractor or a small department, secret or public documents, inside the enterprise network or on a careless employee\u2019s flash drive \u2013 <a href=\"https:\/\/www.facebook.com\/ruheight\/posts\/370060293442335?pnref=story\">a leak is a leak<\/a>.\r\n\r\n<img src=\"https:\/\/informnapalm.org\/blog\/wp-content\/uploads\/sites\/24\/2017\/12\/24173149_370363463412018_3024316245763973410_o-212x300.jpg\" \/>\r\n\r\nWe didn\u2019t need to use any proper hacking tools. Only search, sometimes as simple as using Google. With access to the internal network (through a flash drive or directly \u2013 one of the systems allowed direct access into the internal network) sooner or later we would reach all parts of it. This is exactly how we were able to obtain full access to the SCADA system of one of Russia\u2019s power stations. This is exactly how Russian hackers were able to briefly take down Prykarpattyaoblenergo (regional energy distribution company) and the Severnaya transmission station in Kyiv. But in the case of the Rivne and Kirovohrad water supply systems, hacking wasn\u2019t even needed. Everything was publicly accessible: all customer lists, IP addresses, usernames and passwords, VPN keys, and everything else necessary to conduct a small <strong>terror attack<\/strong>.\r\n\r\nYou can rest easy \u2013 these specific cases immediately drew the attention of SBU. However, Kyivenergoremont (Kyiv city power system repair company) and the State Service of Financial Monitoring still believe that they have no problems. And seeing which systems are accessible to the public or have already been visited by other hackers is outright depressing. 
Interior Ministry Academy (passwords for the website and the internal network, traces of repeated hacks, database of police officers), a server of the Kyiv Oblast National Police press service (documents, usernames and passwords, access to the internal network), Kirovohrad water supply (access to critical infrastructure), Energoatom, Kyivenergoremont, Judicial service of Ukraine, National Agency on Corruption Prevention, Interior Ministry reports (including special divisions), Kirovohrad Employment Center, Nikopol Pension Fund, etc.\r\n\r\nMany people simply can\u2019t comprehend that all information has its value. Lviv military recruitment office <a href=\"https:\/\/zaxid.net\/lvivskiy_viyskkomat_opublikuvav_povni_spiski_tih_hto_uhilyayetsya_vid_prizovu_n1442216\">published the list of fifteen thousand people believed to be avoiding enlistment<\/a> (in other words, the office just could not find them at their registered addresses). It did so on its own initiative. And not just using a public share or an FTP server, but on Facebook. Which means no one there had any idea that this is personal data protected by the law. And we also found the systems of the regional recruitment office of Zakarpattia Oblast with the database of recruits, orders, communications with the regional government and the Ministry of Defense, plans, lists, unit assignments, basically everything! This is no longer an excusable mistake, but something that should involve military prosecutors, since this is classified information, not just personal data.\r\n\r\n<img src=\"https:\/\/informnapalm.org\/blog\/wp-content\/uploads\/sites\/24\/2017\/12\/ovk-1-300x272.png\" \/>\r\n\r\nIn other words, Russian hackers wouldn\u2019t even need to make an effort. Just come and take it.\r\n\r\nThe next two examples are Chernihiv and Donetsk regional administrations. In Chernihiv, they made drive shares public. 
After our post, they blocked access to the drives, but one of our volunteers immediately found a vulnerability on their website that allowed full access to the site and the presumably inaccessible drives. Basic rules say that public services must be completely separate from the local network. But bureaucrats can ignore those rules, right?\r\n\r\n<img src=\"https:\/\/informnapalm.org\/blog\/wp-content\/uploads\/sites\/24\/2017\/12\/23844853_368538460261185_7845738156274452204_n-300x286.jpg\" \/>\r\n\r\n&nbsp;\r\n\r\nAnd the situation in Donetsk administration was even more interesting. The same volunteer found a remote control package there (WSO2 web shell) installed by other hackers. They didn\u2019t just break into the website, but also obtained administrator rights on the server, stole all passwords of the real administrators and went deeper into the internal network. I want to point out here that this is not a regular regional administration, but a civil-military administration in the ATO zone. And the hackers visited there from Samara, which is a city in Russia, the same Russia we\u2019re at war with. Even after our post about the hack, the site stayed like that for another week. Then either the administrators decided to pretend that nothing ever happened, or the hackers saw our post and cleaned the server, but in the end the server was reinstalled. The administration press service reported \u201ctemporary technical issues\u201d. But when Russian hackers get inside the regional administration\u2019s network in the ATO zone, these are not \u201ctechnical issues\u201d, but espionage activities by an enemy country.\r\n\r\nEven if the administration\u2019s IT reinstalled the server, this is absolutely not enough. The Russians could have gained access to other systems on the network. Locking down and reinstalling the compromised system is just the beginning. The next step is to check the whole network. 
In case you\u2019ve forgotten, I\u2019ll remind you what ANNA News and \u201c<a href=\"http:\/\/mil-lnr.info\/\">LPR People\u2019s Militia<\/a>\u201d went through. Their IT staff kept updating their server to the latest versions, tried to protect the hacked and now restored server, but we would come back using well-hidden entry points and hack them again. After the fourth hack, \u201cLPR People\u2019s Militia\u201d took down their website and never brought it back again. All useful information was taken by us and handed over to Myrotvorets Center a year ago.\r\n<h2>Where has CERT gone?<\/h2>\r\nSo, how does the government respond to this? It almost never does. Yes, the vulnerabilities get patched, sometimes SBU would conduct an investigation or a training. According to Kyiv Police, Cyberpolice helped them reinstall and protect their computers \u2013 apparently, none of their own people was capable of setting up Windows so that the systems wouldn\u2019t end up wide open on the Internet. But in general law enforcement does what it\u2019s supposed to do: prevent crime and catch criminals. As for the people responsible for computer security, there\u2019s no one there. In principle, each incident has to be reported by the affected organization first, then it should be referred to the State Service of Special Communication and Information Protection, and then the Service would tell you all the stories I\u2019m telling you right now, along with its recommendations. I don\u2019t know what exactly the Service is busy with, but they\u2019ve done nothing and not responded to any of the described incidents or attacks.\r\n\r\nMoreover, CERT-UA, a division of the Service, was the primary target of our campaign. And they don\u2019t respond to any incidents, not just the ones we reported. Everyone likes to talk about Russian hackers, how scary they are, about the coming cyber-apocalypse, and the need to increase the pace of the development of the improvement of cybersecurity. 
Or some other such bureaucratese. Still, after dozens of cyberattacks against Ukraine there\u2019s not a single proper incident report. Of course, we can bring professional experts from the United States, and Cisco Talos can read some logs and publish a technical report about NotPetya, and we can translate reports authored by Microsoft and Eset, but who conducted that attack? Why? What should be done to avoid it in the future? How did it become possible? No response.\r\n\r\nIf you conduct a paper audit (as required by the law about the fundamentals of cybersecurity 2126a), you will have paper security. To create a private-government partnership, a partner is required, but it has been absent. We report a hole you can drive a truck through but only hear the same stories in response: nothing happened, it happened, but with our subsidiary, well, it happened with us, but had no negative effects, and if there were negative effects, we\u2019ll just ignore questions or lie outright in a press release. What kind of consequences are you still waiting for, after Medoc and everything else? <strong>Cybersecurity in Ukraine is the responsibility of everyone and no one.<\/strong>\r\n\r\nThe Ministry of Emergency Situations publishes the plans of the layout of government communication lines. What, no one ever sets fires to manholes in our country? In Kyiv, this happens pretty regularly. Kyivstar publishes the project of a cellular network (here we should tip our hats to their security service: they responded to our Facebook post <strong>in less than two minutes<\/strong> \u2013 government services are very far behind, with average response time of a day or more). The Ministry of Healthcare \u2013 a vulnerability in the website. 
Once, CERT conducted a scan of vulnerabilities of government websites (or maybe some activists got under their skins and forced them to publish the advisory), and their list marked the website of the Expert Criminology Science and Research Center as vulnerable. It remained like that for a year, until we spoke about it in a TV interview. Then a representative of the center contacted me in a direct message and promised that they pay close attention to security. It was a very nice conversation, thank you.\r\n\r\nIn direct messages, all officials are nice and kind, and sometimes they thank us in comments to our posts. Amazingly, the deputy head of Kherson regional administration even wrote her own Facebook post. What can I tell you about that? Gratitude is of course welcome, but fixed vulnerabilities are not only welcome, but also helpful, and not just to us, but to everyone. In the end, we don\u2019t need your gratitude, we only need you to do your jobs properly. For example, when we <a href=\"http:\/\/www.ntv.ru\/novosti\/1231281\/\">hacked the website of Astrakhan regional council<\/a>, the council speaker screamed into the TV cameras, \u201cwe\u2019re gonna fire everyone!\u201d So, better start correcting your mistakes now, before you have to deal with consequences. And it can\u2019t be done without a public discussion.\r\n\r\nYour websites are full of \u201cnews\u201d about your conferences, meetings, legislative initiatives, and other unreadable junk, but there\u2019s nothing about your mistakes and what you did to correct them. Don\u2019t pretend that you\u2019re invincible, anyone can be hacked, but if you work on correcting your mistakes, we\u2019ll see that you care, that you can make progress. And it also serves as a warning to everyone else. <strong>Otherwise, nothing will change.<\/strong>\r\n<h2>What should be done? 
On punishing the innocent and rewarding the bystanders<\/h2>\r\nNo volunteers, hackers, experts, high wages, or strict penalties will help by themselves. We caught Zaporizhstal, and a supermarket chain, and a Kyiv utility company that published all its accounting and some kind of key in a folder called \u201cBANK\u201d, probably giving access to their current account. For some reason, we learn from a Facebook post that Cyberberkut used documents the Russians stole from the Ministry of Ecology in its attack against Energoatom, and that only because Energoatom wanted to avoid taking responsibility for it. Why is the Ministry silent? Or maybe you think there\u2019s nothing interesting there? I can assure you that the reports of the inventory commission about the state of nuclear facilities made for such an interesting read that the nuclear people\u2019s press service would have jumped out of their skins at my mention of that if that had been possible on Facebook. (By the way, nuclear safety in our country is in pretty good shape. Some small incidents do happen, but they don\u2019t have any consequences.)\r\n\r\nIn the Ukrainian part of the Internet, useful information can be easily dredged up. We found a notary public with all their keys that give access to registries. In August, something happened to the website of the Foreign Intelligence Service. It ran WordPress (Google remembers everything). A taxi company published logs of all its trips.\r\n\r\nEndless boilerplate replies, weak excuses, blame games and apologies on Facebook do not provide any protection. A dozen different cybercenters (we have cybercenters everywhere, they\u2019ll soon start popping up at local housing offices) with their empty rhetoric whose only tangible result is the disappearance of government money. 
Instructions and rules for underwater combat with aliens are being produced by the ton, while Russian hackers are free to run around Ukrainian networks, including civil, military, and critical infrastructure.\r\n\r\n<img src=\"https:\/\/informnapalm.org\/blog\/wp-content\/uploads\/sites\/24\/2017\/12\/certs-300x210.png\" \/>\r\n\r\nSo, what should we do about cybersecurity? We should simplify, not complicate, laws and instructions. Eliminate useless organizations. Take down useless websites never visited by anyone. It\u2019s easier to make a reference list of district administrations than to support hundreds of junk websites. Fire useless people who not only can\u2019t do their job, but actually sabotage their employers. Start with the basics. Remove public access from SMB shares and FTP servers, disconnect public resources from internal networks, use proper passwords and two-factor authentication, never click on random links. And, most importantly, if something happens, talk about it honestly, notify the Service of Special Communication, try and figure out what happened, how it happened, and who benefited from it. When you try to hide the truth, you hurt both yourselves and your country.\r\n\r\nFormal replies and blame games won\u2019t help defend against a large-scale coordinated cyberattack. Of course, we won\u2019t die, but we\u2019ll have to go back to abacuses and candles. And don\u2019t think that you\u2019re surrounded by idiots, while you have the best IT staff, great policies and everything else. 
Anyone can be hacked, it\u2019s just a matter of time, money, and motivation.","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/informnapalm.org\/en\/wp-json\/wp\/v2\/posts\/12329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/informnapalm.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/informnapalm.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/informnapalm.org\/en\/wp-json\/wp\/v2\/users\/106"}],"replies":[{"embeddable":true,"href":"https:\/\/informnapalm.org\/en\/wp-json\/wp\/v2\/comments?post=12329"}],"version-history":[{"count":6,"href":"https:\/\/informnapalm.org\/en\/wp-json\/wp\/v2\/posts\/12329\/revisions"}],"predecessor-version":[{"id":12337,"href":"https:\/\/informnapalm.org\/en\/wp-json\/wp\/v2\/posts\/12329\/revisions\/12337"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/informnapalm.org\/en\/wp-json\/wp\/v2\/media\/12332"}],"wp:attachment":[{"href":"https:\/\/informnapalm.org\/en\/wp-json\/wp\/v2\/media?parent=12329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/informnapalm.org\/en\/wp-json\/wp\/v2\/categories?post=12329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/informnapalm.org\/en\/wp-json\/wp\/v2\/tags?post=12329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}