Feeds

Want to know how RIAA.org was hacked?

Elementary, Watson! Mystery solved

  • alert
  • submit to reddit

Security for virtualized datacentres

Two weeks ago the Recording Industry Association of America website was defaced.Twice. Even more embarrassing, the crackers installed pirate music files on the site for download. But how? zone-h.org, a security site-based in Estonia, has uncovered the elementary mistake in RIAA's robot.txt files which gave the crackers their back door. This is our first exposure to Estonian humour. And we like it. The Register is publishing zone-h's entertaining treatment by permission.

Elementary, Watson! American recording industry’s mystery is solved

It was a cold night and thick lay of fog was covering Connecticut Avenue of DC. Streets around were empty as all the pawns rushed into the only pub that was still opened at the time: the Romeo India Alpha Alpha.
Holmes and Watson had been sitting there for a couple of hours discussing all the latest mysteries reported by newspapers.

"There is still one mystery that keeps torturing my mind" Dr. Watson told Mr. Holmes while finishing the third pint of beer. A funny foam ripple was hanging from his chin.

"Which one, my dear Watson? The number of beers that you can drink before you forget your own name?" asked Sherlock Holmes with an ironic grin.

"No, Mr. Holmes. It's something that hit the news a couple of weeks ago. All the IT security world was surprised and laughed about it."

"Interesting, Dr. Watson, please go ahead and ... no, we are not going to order the fourth pint!" said Holmes, grabbing Watson's hand that rose once more to call the waitress.

"Well Mr. Holmes, do you remember that famous recording industry association website that was recently hacked? I guess their office is just a couple of blocks away from here..."

"Sure I remember! Isn't it that website that was defaced twice in a short period of time and was providing illegal mp3 files just because they forgot to remove them after the defacement? Isn't it ironic to fight against piracy, jet not to care for the elementary security of your own website?" said Holmes. "I guess that is one of the most intriguing cases I have ever solved."

"Wait a minute!" Watson stood off his chair with such a big emphasis that the table shook and all the empty mugs fell to the floor. "Did you solve THAT mystery as well? I know you are good Mr. Holmes and I am your greatest admirer, but you can’t be that good!"

"Relax, my reckless friend and sit down," Mr. Holmes gently put his arm around Watson’s shoulders helping him to sit back on the chair. "I am THAT good, I know exactly how it happened and believe me Dr Watson, you'll be amazed to hear the solution to that mystery."

"For the Queen's sake, Holmes! Don't keep me hanging in the darkness any longer. Tell me please, how it happened? Some hi-tech hackers paid by the underground music pirates that used some ultra-sophisticated exploits?"

"No," said Sherlock Holmes, shaking his head. "The answer is far simpler, Dr. Watson. You should have already learned it by now, all the biggest mysteries always have the simplest solutions."

"Please enlighten me, Mr. Holmes, how it happened?"

"Elementary, Watson! Spiders," said Holmes with an evil grin.

"Spiders? Do you mean that an alien music-hating spider came to Earth and took control of that website?" asked amazed Watson.

"Oh no Dr. Watson! There was no sci-fi involved. Let me explain you. Do you know what robots.txt file is used for on websites?"

"Sure I know," proudly declared Watson "it is meant to keep web crawlers and spiders away from certain folders on the server."

"Yes indeed,” Holmes continued ,"but ID does not prevent the hackers from taking the peek at folders that the webmaster wanted to hide from spiders, folders like admin on that very website."

"And?" asked an even more curious Watson.

"This organization must be employing a blind webmaster if he did not figure out that this very passwordless admin module at www.thatsite.org/admin was used to deface the website. There was also no filtering to prevent uploading mp3 files through the PDF upload section. That would also explain how illegal mp3 music files appeared on this anti-piracy site,” explained Holmes smugly.

Watson's chin was hanging low. "I c... ca… can… can’t believe it."

"Believe it or not, but it's the truth. Well, Dr. Watson, it’s late now and my bones are politely suggesting me that it’s bedtime so I’m going home. Have a good night Dr. Watson!"

"Good night Mr. Holmes, after tonight I'll be even more fervent admirer of yours, if that is humanly possible."

"Thank-you my dear old friend," said Holmes. "Oh, and Watson ... two last things..."

"Yes?" said Watson.

"First, tonight when you're home, check your website for a similar mistake and fix it!"

"Sure," said Watson. "...and the second thing?"

"Pay for the beer."

*** told as it is by zone-h crew ***

NOTE ADDED 7 HOURS AFTER THIS NEWS RELEASE

By 06.30 PM CET www.riaa.org patched its problem. Probably zone-h shout was useful?!? We hope that this example will be of good use for everybody. Check your robots.txt file if any, and the permissions you are giving to browse those "hidden sections" of your website.

Mr. Fibbles and SyS64738 www.zone-h.org

© zone-h.org.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.