DefDog: FBI Hacked Again… UPDATE Neal Rauhauser

0Shares

FBI Hacked, Again! Hacker Leaks Data After Agency Failed to Patch Its Site

It seems like the FBI has been hacked, once again! A hacker, using Twitter handle CyberZeist, has claimed to have hacked the FBI's website (fbi.gov) and leaked personal account information of several FBI agents publically.

CyberZeist had initially exposed the flaw on 22 December, giving the FBI time to patch the vulnerability in its website's code before making the data public. The hacker exploited a zero-day vulnerability in the Plone CMS, an Open Source Content Management software used by FBI to host its website, and leaked personal data of 155 FBI officials to Pastebin, including their names, passwords, and email accounts.

UPDATE

The FBI site intrusion involving the Plone CMS is both funny and alarming in equal measure. Such sites contain the public facing information of the agency and a few hundred accounts of the people involved in its updating. I'm former Infragard, from what I know of the FBI they are very strict about password discipline, and the intruder got nothing more than a roster of agency employees who do PR.

The hit on fbi.gov is the equivalent of the scene in Eight Mile where Eminem's character tags a police cruiser with a paintball gun. If you're old enough to dislike rap and haven't seen it, think of Joe Medicine Crow singing his honor song while riding away with the Schutzstaffel battalion's horses.

The bigger issue is the effect this has on those using Plone to power their web sites. Plone and industry leader WordPress were both created in 2003. During that time WordPress had 934 entries in the Common Vulnerabilities and Exposures (CVE) database. Plone had just 62. The tool corporations trust as the foundation for providing customer health care and financial data has a deadly flaw, and the Plone team has not yet identified it, much less repaired it.