Wednesday, July 25, 2007

T1me 0ut for Fox News

An IT administrator neglected to turn off directory browsing on a portion of the Fox News web site, and this was all one curious hacker needed to penetrate a server. On Monday a blog post disclosed that the author had looked through files on the Fox News web server until they found a readable shell script. This script happened to contain a username and password ("T1me 0ut") used for FTP access to a server.

After the hacker successfully used the credentials to log in, he shared the news with anyone who happened to read his blog. When the blog entry was discussed on Slashdot, his audience grew substantially and the incident gained national attention.

Besides the obvious security oversight, Fox News may also be guilty of lying to the public. In this article posted by Fox News, they claim "this password, however, was long disabled." Unless the screenshots of FTP directory listings from their server (originally appearing along with the blog entry) were faked, the password was obviously still active.

Fox News goes on to state that no "user information [...] or other personal data were ever compromised." This claim has also been contested by hackers who report they were able to download files containing names, email addresses, and telephone numbers of over 1.5 million users.

Why Fox News would choose to make false claims about the incident is uncertain, especially if no truly sensitive personal information was disclosed. What is certain is that a few people in their organization do deserve a time out for bad behavior.

1 comment:

Bryan Fish said...

One of my favorite lies often told by organizations after a security breach goes something like "we have taken steps to recover the compromised data." I suppose to the general public that sounds good, but how exactly does one "recover" bits?