Labour Leaks – The Password Issue

Labour have gone all in on their attacks on me and my alleged puppet masters in National. They forgot, though, that Trevor Mallard mounted a month's worth of attacks on me for being in the pocket of Don Brash and ACT. So it is clear they are not “on message”, as they say in the beltway.

After I posted my video that showed how easy it was to obtain data from their wide-open site, the IT community unanimously delivered its verdict that Labour, and no one else, was to blame for their woeful breach of people’s privacy.

Commenters at Kiwiblog and other sites quickly realised what I did long ago: that Google and other bots had archived Labour’s open site extensively. All their data is still in the cache and will be for quite some time.

Doing a simple cache search of the root domain with the word “password” added shows just how bad their security was.

DB passwords in the open with Labour

The problem however was much worse than that. Way worse. Remember that Chris Flatt the Labour General Secretary sent out a letter and email to their donors assuring them that their credit card details were safe. He shouldn’t have been too hasty with that assurance.

In the MySQL database files there were also plain-text strings containing other database passwords, along with the username and password details for their credit card provider.

$db_url = 'mysqli://labour_admin:[password]@[host]/labour_production'; (the password and host are not preserved in this copy of the post)

which equates to $db_url = 'mysqli://username:password@hostname/databasename';

Their credit card provider admin details were:

"Flo2Cash_Donate";s:9:"user_name";s:8:"nzlabour";s:8:"password";N;s:9:"signature";N;s:8:"url_site";s:63:"https://secure.flo2cash.co.nz/donations/labourparty/donate.aspx";s:7:"url_api";N;s:9:"url_recur";s:63:"https://secure.flo2cash.co.nz/donations/labourparty/donate.aspx"

This shows the appalling lack of security not only for the donor and membership details but also with regard to usernames and passwords for other secure areas.
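The two artefacts quoted above are a mysqli:// connection URL and a fragment of PHP serialize() output, and a defender triaging a dump like this wants to know, field by field, which credentials are actually populated. The following is an added example, not code from the original post: it parses both formats and reports each credential-bearing field. The connection URL is constructed with a placeholder password and host (the originals are not on the page); the serialize() fragment is the quoted one with its escaping removed and lines joined. Note that in the quoted fragment the Flo2Cash password and signature fields are N, PHP's null, so only the merchant username and URLs are present in that record.

```python
# Added example (not from the original post): extract the credential fields from
# the two artefact types quoted above and report which secrets are actually set.
from urllib.parse import urlsplit, unquote

# Constructed: same shape as the quoted $db_url; password and host are placeholders.
SAMPLE_DB_URL = "mysqli://labour_admin:EXAMPLE_PASSWORD@db.example.invalid/labour_production"

# The serialize() fragment quoted in the post, unescaped and joined. It is cut
# mid-stream: "Flo2Cash_Donate" is the key of an enclosing array whose a:N:{
# header is not in the dump, and the final string has no closing semicolon.
SAMPLE_PHP_FRAGMENT = (
    '"Flo2Cash_Donate";s:9:"user_name";s:8:"nzlabour";s:8:"password";N;'
    's:9:"signature";N;s:8:"url_site";s:63:'
    '"https://secure.flo2cash.co.nz/donations/labourparty/donate.aspx";'
    's:7:"url_api";N;s:9:"url_recur";s:63:'
    '"https://secure.flo2cash.co.nz/donations/labourparty/donate.aspx"'
)

USERNAME_KEYS = {"user_name", "username", "user", "login"}
SECRET_KEYS = {"password", "passwd", "pass", "secret", "signature", "api_key", "token"}


def parse_db_url(url):
    """Split scheme://user:password@host/database into its parts."""
    parts = urlsplit(url)
    return {
        "username": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "host": parts.hostname or "",
        "database": parts.path.lstrip("/"),
    }


def php_tokens(fragment):
    """Yield the scalar tokens of a possibly truncated PHP serialize() string.

    Handles s:N:"..."; N; i:N; and steps into a:N:{...} arrays. A bare "...";
    token is accepted where the dump starts mid-string. String lengths are
    checked against the N prefix so a mangled string raises instead of misreading.
    """
    pos, n = 0, len(fragment)
    while pos < n:
        ch = fragment[pos]
        if ch in " \t\r\n}":
            pos += 1
        elif fragment.startswith("s:", pos):
            colon = fragment.index(":", pos + 2)
            length = int(fragment[pos + 2:colon])
            start = colon + 2                       # skip the :" opening the value
            tail = fragment[start + length:start + length + 2]
            if tail not in ('";', '"'):             # lone '"' means the fragment ends here
                raise ValueError("length prefix mismatch at offset %d" % pos)
            yield fragment[start:start + length]
            pos = start + length + 2
        elif fragment.startswith("N;", pos):
            yield None
            pos += 2
        elif fragment.startswith("i:", pos):
            end = fragment.index(";", pos)
            yield int(fragment[pos + 2:end])
            pos = end + 1
        elif fragment.startswith("a:", pos):
            pos = fragment.index("{", pos) + 1      # enter the array; its entries follow
        elif ch == '"':
            end = fragment.index('";', pos + 1)
            yield fragment[pos + 1:end]
            pos = end + 2
        else:
            raise ValueError("unexpected input at offset %d: %r" % (pos, fragment[pos:pos + 12]))


def php_fields(fragment):
    """Pair key;value;... tokens into a dict; an odd leading token (the enclosing
    array's key in a truncated fragment) is returned separately as the label."""
    toks = list(php_tokens(fragment))
    label = None
    if len(toks) % 2 == 1:
        label, toks = toks[0], toks[1:]
    return label, dict(zip(toks[0::2], toks[1::2]))


def audit_credentials(db_url, php_fragment):
    """List (section, field, populated) for every credential-bearing field found."""
    db = parse_db_url(db_url)
    findings = [("db_url", "username", bool(db["username"])),
                ("db_url", "password", bool(db["password"]))]
    label, fields = php_fields(php_fragment)
    for key, value in fields.items():
        if key.lower() in USERNAME_KEYS | SECRET_KEYS:
            findings.append((label, key, value not in (None, "")))
    return findings


if __name__ == "__main__":
    for section, field, populated in audit_credentials(SAMPLE_DB_URL, SAMPLE_PHP_FRAGMENT):
        print("%-16s %-10s %s" % (section, field, "SET" if populated else "empty/null"))
```

The length-prefix check in php_tokens is what makes this safe to run over a mangled dump: PHP's serialize() stores byte lengths ahead of every string, so a copy that has lost or gained characters (as quoted material often has) fails loudly instead of being misread as a different set of fields.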

I never accessed those areas, as doing so would have been illegal. But given that their systems were open and exposed long enough for Google and 9 other bots to cache the entire directory system, there is a good chance that Russian or Nigerian scamsters were also able to obtain access to the database and credit card processing passwords that Labour left exposed. Chris Flatt cannot give any assurances that their donor details, including credit cards, were safe and secure.

I know that Labour have been warned about the details of this post so presumably their IT muppets have now changed these details.

On a final note regarding Labour’s woeful use of technology, I note that John Pagani and the muppets at The Standard have been relying on IP address information. I am assuming that this information was provided by the same IT muppets that secured their site so well. Probably not really that useful then, is it?

Heads really do have to roll. Pity Labour will, as usual, pick on some low-level worker and rinse them instead of taking out the ones really responsible, like Phil Goff, or Andrew Little, or Chris Flatt, or Moira Coatsworth. Their lacklustre leadership is what has led to this balls-up, not some poor IT worker doing his best with the pitiful resources their leadership have procured through their lack of donations. A properly performing political party can fund things like this appropriately; Labour are clearly broken-arsed and getting poorer.

 



  • becn

    Looks like Google have purged their cache. Just as well you took screenshots. And that how-i-did-it video is priceless (for lols as well as discrediting hacking accusations).

    • berend

      Other search engines still have it: http://nz.search.yahoo.com/search;_ylt=A0oGkmTl8PdNGyQApKbzZgx.;_ylc=X1MDMjExNDc0MjAwMwRfcgMyBGFvAzEEZnIDc2l0ZWV4cGxvcmVyBGhvc3RwdmlkA29yWkVTRW9Ha3lsOGV1ZVhTeUZaUEE2WHkxbWw0MDMzOE9VQUNqUk8Ebl9ncHMDMARuX3ZwcwMwBG9yaWdpbgNzcnAEcXVlcnkDc2l0ZTouaGVhbHRoeWhvbWVzaGVhbHRoeWtpd2lzLm9yZy5uegRzYW8DMQR2dGVzdGlkAw–?p=site%3A.healthyhomeshealthykiwis.org.nz&fr2=sb-top&fr=siteexplorer&rd=r1

  • monty

    Ouch

    Goff needs to explain Labour’s incompetence.

  • lulu

    Here is the email that Chris Flatt should send out. For him to send it and for it to be effective he and the party faithful would have to take responsibility and we know the left don’t take responsibility so it is not going to happen. This is roughly what he should say:
    We fucked up. We don’t know who has your credit card details but as a result of our incompetence your credit card details could be in the hands of any number of organisations around the world set up to exploit this sort of security breach. WO is the least of your problems.
    Cancel your credit card.
    Regards Chris

  • abjv

    “This is considered so undesirable and such an egregious breach of security that the web server software Labour uses (Apache) disables directory listing by default. You have to go into a configuration file and switch it on manually. So I guess that’s what they did.”

    I don’t recall Apache configuration settings being available to everyone. I recall (years back now) having to be logged onto a server (via telnet) to get at the settings, and it had to be done via “su root”. I recall the settings were in a config file and I had to work through the wonders of ‘vi’ to make the change. Technology should have moved on, but still probably not something one does accidentally by random keyhits.

    The next question the boffins at Labour (is that an oxymoron?) have to work out: who turned the flag on, and who decided the internet was a good place to put the donor list and the credit card backups? It was probably an ‘inside’ job. Was it incompetence, lack of training/supervision, vandalism or sabotage?

    • berend

      abjv, the actual details are slightly more complex: Labour is using the Ubuntu distribution, Ubuntu 8.04 Hardy Heron to be precise. If you install Apache, it creates a default web site for you in /var/www. Out of the box you can browse this site.

      You can enable or disable this site. From The Standard, which banned me in the space of a few hours, I extracted the confession of lprent that this was not disabled. He calls this default site 000-default, but that is actually a symlink, i.e. /etc/apache2/sites-enabled/000-default links to /etc/apache2/sites-available/default.

      Side note: according to lprent: “But it looks to me from the video that a virtual web server(s) got removed and exposed the 000-defaults.” That is actually irrelevant, anyone adding this server’s ip to a random name in their /etc/hosts/ could access this directory.

      The presence of this browsing allowed flag is not a security hole in itself, who cares if you can browse open source files?

      But it is in the next step where they failed. What Labour did was to add websites under /var/www, but not disable this default web site. This is starting to become sloppy.

      And next they put backups here. That is malpractice.

      So we had a cascade of failures to understand the technology that was being used. Given the vehemence at The Standard I actually suspect it wasn’t a low-level flunky who screwed up here, but a techie who has been doing their stuff for years, such as lprent. Someone who has some grasp of what he is doing, but isn’t completely in control.
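The cascade described in the comment above (the default vhost left enabled through the 000-default symlink into sites-available/default, directory listing granted on its DocumentRoot, further sites and then backups dropped beneath it) is something an administrator can check for mechanically rather than discover from a search engine cache. The following is an added example, not code from anyone in this thread: it audits a Debian/Ubuntu-style Apache 2 layout for those three conditions. It runs here against a throwaway fixture tree, so the vhost text, the membersite and backups directories and the dump file are constructed for the demonstration; only the path conventions (sites-available, sites-enabled, 000-default, /var/www) come from the comment.

```python
# Added example (not part of the thread): audit an Apache 2 layout for the three
# conditions described above (default site still enabled, Options Indexes on its
# DocumentRoot, other sites and backups placed under that DocumentRoot), run here
# against a constructed fixture tree rather than a live /etc/apache2 and /var/www.
import os
import tempfile

BACKUP_SUFFIXES = (".sql", ".sql.gz", ".tar", ".tar.gz", ".tgz", ".zip", ".bak", ".dump")


def listing_enabled(conf_text):
    """True if the Options directives in conf_text leave Indexes (directory
    listing) granted. Later directives override earlier ones; <Directory>
    scoping is deliberately ignored, which errs on the side of flagging."""
    enabled = False
    for line in conf_text.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].lower() != "options":
            continue
        for tok in tokens[1:]:
            if tok.lower() in ("indexes", "+indexes"):
                enabled = True
            elif tok.lower() == "-indexes":
                enabled = False
    return enabled


def backup_files(docroot):
    """Paths (relative to docroot) of anything that looks like a dump or archive."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower().endswith(BACKUP_SUFFIXES):
                hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(hits)


def audit_apache(conf_root, docroot):
    """Return (severity, message) findings for a Debian-style conf_root and the
    DocumentRoot of its default site."""
    findings = []
    default_link = os.path.join(conf_root, "sites-enabled", "000-default")
    if os.path.lexists(default_link):
        findings.append(("info", "default site enabled: 000-default -> %s"
                         % os.path.realpath(default_link)))
        if os.path.isfile(default_link):            # follows the symlink
            with open(default_link) as fh:
                if listing_enabled(fh.read()):
                    findings.append(("medium", "default site grants Options Indexes: "
                                               "its DocumentRoot is browsable"))
        if os.path.isdir(docroot):
            subdirs = [d for d in sorted(os.listdir(docroot))
                       if os.path.isdir(os.path.join(docroot, d))]
            if subdirs:
                findings.append(("medium", "directories served by the still-enabled "
                                           "default site: %s" % ", ".join(subdirs)))
    for rel in backup_files(docroot):
        findings.append(("high", "backup/dump reachable under DocumentRoot: %s" % rel))
    return findings


def build_fixture():
    """Constructed tree reproducing the cascade: default vhost enabled via the
    000-default symlink, Indexes on var/www, other sites and a dump beneath it."""
    root = tempfile.mkdtemp(prefix="apache-audit-")
    conf = os.path.join(root, "etc", "apache2")
    www = os.path.join(root, "var", "www")
    for d in ("sites-available", "sites-enabled"):
        os.makedirs(os.path.join(conf, d))
    for d in ("membersite", "backups"):
        os.makedirs(os.path.join(www, d))
    default_conf = os.path.join(conf, "sites-available", "default")
    with open(default_conf, "w") as fh:
        fh.write("<VirtualHost *:80>\n    DocumentRoot %s\n    <Directory %s/>\n"
                 "        Options Indexes FollowSymLinks MultiViews\n    </Directory>\n"
                 "</VirtualHost>\n" % (www, www))
    os.symlink(default_conf, os.path.join(conf, "sites-enabled", "000-default"))
    with open(os.path.join(www, "backups", "site-db.sql.gz"), "w") as fh:
        fh.write("-- constructed placeholder, not a real dump\n")
    return conf, www


if __name__ == "__main__":
    for severity, message in audit_apache(*build_fixture()):
        print("[%s] %s" % (severity.upper(), message))
```

Run against a real host, the two arguments would be /etc/apache2 and the default site's DocumentRoot; the point of the severities is that none of the three findings is fatal alone, which is exactly why they accumulate unnoticed, and only the last one (a dump inside a browsable, still-served tree) is the breach.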

      • adolffiinkensein

        Skewered in one.

      • abjv

        Fair call. I haven’t been near unix/apache for years. Regardless, it is still a stuffup; not understanding the technology? It still comes back to ‘inside job’ yes, but incompetence? junior not supervised? vandalism? or sabotage?

        If I had to guess, I’d agree with your self-trained techie who has been floating around this space for years without any great career advance, who didn’t really understand what they were doing, and possibly a volunteer.

  • cadwallader

    Labour only has about $11,000 in the kitty. That would hardly pay for a week’s worth of chardonnay for Pagani and mates. Sad aren’t they?

    • thor42

      That’s true at the moment, but I imagine that closer to the election, their union and teacher bedmates will chip in a fair bit of dosh. Unfortunately……

  • Pingback: Labour’s passwords | Kiwiblog

  • peterwn

    Phil’s responsibility is only ensuring that butts are kicked. Party leaders should not interfere in the daily running of the party machine. The one ultimately responsible is Chris Flatt, and he is probably too well politically dug in to be easily ‘touched’.

  • kisekiman

    Best comment over at the Standard so far:

    Jeremy Harris 21
    14 June 2011 at 12:56 pm
    I’m loving this, Labour couldn’t run a piss up in a brewery and the LWNJs are still defending them.

    Publishing your donor’s personal info online? It’s as stupid as talking about your new girlfriend on your facebook status….. when your wife is on your friend list.

  • Pingback: 452 records leak in NZ Labour hack | Credit Wise Info

  • Pingback: Scaremongering on credit cards « The Standard

  • Pingback: Who else has got the number? « Homepaddock
