Alleged Hacker V& In DOE, HHS Breaches

This son of a Baptist minister was arrested at his home in Suffolk. It is yet to be determined if he will be extradited to the US to face the charges that were unsealed October 28 in Virginia.

From Justice.gov:

According to the criminal complaint filed in Virginia, between approximately October 2012 and August 2013, Love and his conspirators accessed without authorization protected computers belonging to the U.S. Department of Energy (DOE), U.S. Department of Health and Human Services (HHS), U.S. Sentencing Commission, and Regional Computer Forensics Laboratory.  Love and his conspirators gained unauthorized access to the protected computers by exploiting a known vulnerability in Adobe ColdFusion, a software program that is designed to build and administer websites and databases.  The vulnerability, which has since been corrected, allowed Love and his conspirators to access protected areas of the victims’ computer servers without proper login credentials—in other words, to bypass security on the protected computers.

Coldfusion? Seriously?

Kudos to the police for rounding up this wiley hacker type before he could cause real damage…Coldfusion?

OK, let us reflect on this for a moment. He was (allegedly) able to gain access to the aforementioned sites with a vulnerability that, in all likelihood, would be have been well publicized. A quick search on Secunia returned 55 results alone. A further check for exploits in contained in the Metasploit framework returned a gem. Not saying that this was how he got in but, I’d say this would constitute an educated guess. Based simply on the fact that this harkens from 2009 I’d be willing to speculate that it had been some time since patches had been applied (if in fact this was how he got in). 

This begs the question, what was the state of security with these systems that he could have (allegedly) breezed into them with apparent ease?

While he may seem to be the poster child for the hacker meme, it remains to be seen if he is in fact guilty. Due process and all that.

I’m more concerned with the situation that led to him (allegedly) being able to breach these systems and then leverage his privilege and pivot and attack other systems.

Who was minding the store?

Make sure to have a solid security layer in place to deal with these types of attacks before you have to read about it in the papers. 

Remember to patch your systems regularly.

No, really.

(Image used under CC from Abscond)