Hacking 101 by Phineas Fisher

Updated May 25, 2016
I located another copy of the video on the Internet: https://tune.pk/video/6528544/hack

Updated May 22, 2016
I noticed YouTube removed Phineas Fisher's video. The reason listed was "This video has been removed for violating YouTube's policy on spam, deceptive practices, and scams". I watched the video. There was no spam, deceptive practices, or scams. The material was somewhat embarrassing for the Catalan Police Union. Even so, there's no short supply of inflammatory and embarrassing videos on YouTube, especially ones involving government officials. It's difficult to understand why this particular video received extraordinary attention.

Instructional video by Phineas Fisher demonstrating his hack of the Catalan Police Union in 39 minutes. Anything that could go wrong for the Police did go wrong, but here's the short list.

1) Police using WordPress. WordPress is amazing blog software, but it has a long history of security problems. WordPress provides a very rich extensibility framework of plugins written by almost anyone. These plugins add many desirable features to WordPress, but there is little to no quality control over them, and it's vulnerability Disneyland for bad guys. WordPress is great for running your personal blog, but probably not the best choice if you're a big target like a government agency (or security professional).

2) Application's DB Account Running with MySQL Administrative Privileges. Best practice is that the DB account used by the application runs with the lowest privileges possible while still meeting the needs of the application. In this case, the application designers were unaware or lazy and used an account with administrative privileges.

3) Twitter Password for Police Same as WordPress Account. Once the attacker had the WordPress password, he was able to sign into Twitter and deface the Police department's Twitter account. Best practice is not to use the same password across different web applications. If you are going to bend this rule, then at least don't use your shared password on sites you think could be hacked, sites that place less emphasis on security, etc. For example, don't reuse your Facebook or Google password on smaller, less well-known sites that may invest less in security. At least you're cutting your risk with this approach.
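Item 2 is the one that is fixed at the database rather than by user behaviour. The MySQL statements below are added here as an illustration; they are not from the post or the video, and they show the weak configuration the post describes beside a least-privilege one. The schema name `wordpress`, the account names, the `localhost` host and the passwords are placeholders I have assumed for the example.

```sql
-- Added example (not from the original post or the video): the weak setting
-- beside the least-privilege alternative. Schema, account names, host and
-- passwords are placeholders.

-- WEAK: the web application logs in with an account that holds every
-- privilege on every schema. A flaw in any plugin then exposes the whole
-- MySQL server, not just the blog's own tables.
CREATE USER 'wp_admin'@'localhost' IDENTIFIED BY 'CHANGE_ME';
GRANT ALL PRIVILEGES ON *.* TO 'wp_admin'@'localhost' WITH GRANT OPTION;

-- BETTER: a dedicated account that can only read and write rows in the one
-- schema the application owns. No DDL, no FILE, no SUPER, no GRANT OPTION,
-- nothing on mysql.* or any other schema.
CREATE DATABASE IF NOT EXISTS wordpress CHARACTER SET utf8mb4;
CREATE USER 'wp_app'@'localhost' IDENTIFIED BY 'CHANGE_ME_TOO';
GRANT SELECT, INSERT, UPDATE, DELETE ON wordpress.* TO 'wp_app'@'localhost';

-- Schema changes (installation, upgrades, plugins creating tables) run under
-- a separate maintenance account that the web application never uses.
CREATE USER 'wp_migrate'@'localhost' IDENTIFIED BY 'CHANGE_ME_THREE';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
  ON wordpress.* TO 'wp_migrate'@'localhost';

-- Check: what does the application account actually hold?
-- Expected: "GRANT USAGE ON *.*" plus the single wordpress.* grant above.
SHOW GRANTS FOR 'wp_app'@'localhost';

-- Audit: which accounts hold global administrative privileges? Anything in
-- this list that is not a real DBA account is a finding.
SELECT user, host
  FROM mysql.user
 WHERE Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y';
```

WordPress's installer and many plugins create or alter tables, so the application account cannot be locked down to row-level privileges during installation and upgrades. The usual compromise is the split shown above: run installs and upgrades as the maintenance account (or grant CREATE and ALTER to the application account only for the duration of the upgrade and revoke afterwards), and let the application run day to day with read/write access to its own schema only. The audit query at the end is a quick way to find an application account that was created with administrative rights.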

Author: milton

For bio see, https://www.securitycurmudgeon.com/about/