gfxgfx
 
Please login or register.

Login with username, password and session length
 
gfx gfx
gfx
75247 Posts in 13180 Topics by 2633 Members - Latest Member: SammyR. July 26, 2017, 06:50:48 am
*
gfx*gfx
gfx
WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Popular Wiretapping Tool Used By Law Enforcement Includes Backdoor With Hardcode
gfx
gfxgfx
 

Author Topic: Popular Wiretapping Tool Used By Law Enforcement Includes Backdoor With Hardcode  (Read 286 times)

0 Members and 1 Guest are viewing this topic.

http://www.techdirt.com/articles/20140529/06423527389/popular-wiretapping-tool-used-law-enforcement-includes-backdoor-with-hardcoded-password.shtml

Quote
One of the major concerns that people have raised about the increasing pervasiveness of surveillance tools from not just the NSA, but various law enforcement agencies, is that all of this is making us significantly less safe. That's because if law enforcement and intelligence employees can use these tools, so can those with malicious intent. Driving home that point is the news from some security researchers that a popular tool used by law enforcement to wiretap communications has "a litany of critical weaknesses, including an undocumented backdoor secured with a hardcoded password." Because, surely, no "bad guys" would ever figure that out. The details are fairly damning.

    Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication.

    Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup.

As for the root backdoor, it's like the whole thing was created by security amateurs:

    The MySQL database table "usr" contains a "root" user with USRKEY / user id 1 with administrative access rights. This user account does NOT show up within the "user administration" menu when logged in as administrator user account in the web interface. Hence the password can't be changed there.

    As a side note: Password hashes are shown in the user administration menu for each user within HTML source code.

The people who make these things often seem to assume that they can get away with security by obscurity, since they never consider that non-law enforcement types will get access to their systems. That seems hopelessly naive.

WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Popular Wiretapping Tool Used By Law Enforcement Includes Backdoor With Hardcode
 

gfxgfx
gfx
©2005-2017 WinMXWorld.com. All rights reserved.
SMF 2.0.14 | SMF © 2017, Simple Machines
Page created in 0.026 seconds with 21 queries.
Helios Multi © Bloc
gfx
Powered by MySQL Powered by PHP Valid XHTML 1.0! Valid CSS!