Multiple FTP servers owned by U.S. government hacked by teenager
A teen hacker using the alias “Fear” managed to gain access to hundreds of FTP servers owned by the U.S. government. The hacker initially gained access to one server, but then discovered that it listed the access credentials to all FTP servers residing on the .us and .gov domains. The .us servers include public data, private data, program source code, and more sensitive data, while the hacker wouldn’t say what’s loaded on the .gov sites.
The FTP servers, which various United States government departments use to upload and download files over the internet, have apparently been attacked by a hacker known as “Fear,” who uses the Twitter handle @hackinyolife.
“I gained access to an ftp server, that listed access to all the ftp’s on .us domains, and those .us domains were hosted along with .gov , so I was able to access everything they hosted, such as, public data, private data, source codes etc.,” Fear told DataBreaches.net in an exclusive interview.
Fear said he took advantage of careless security at the company Neustar to gain access to a large number of FTP servers. However, Neustar has pushed back, claiming the supposed breach does not match files the hacker claims to have taken.
“We can’t state unequivocally that he did not hack something, but only because it’s impossible to prove something didn’t happen,” said Neustar Senior Vice President Rodney Joffe.
“We have been looking for evidence since the story came out, and haven’t found anything. And we’re good at this, because we take security seriously.”
FTP stands for File Transfer Protocol, and servers using this protocol are set up to host files on local networks or over the internet. Users typically need a login name and password to gain access to content stored on these servers, which can be made public or set as private. File transfer servers are often used to upload data to a website and run on the same types of domain names as websites.
Neustar is in charge of the “.us” top-level domain, an alternative to “.com,” “.edu” and “.org.” By hacking Neustar, Fear gained access to the FTP accounts for every site with an address ending in .us.
“I hacked into the Neustar FTP, and I dumped their files, and in the files, there were a list of each and every FTP server on a .us, and it had their passwords, users, ftp ip, hostname, and domain,” said Fear in an online chat. Giving more insight into the claim, he went on to say that it was an attack known as SQL injection, in which a poorly coded web application lets an attacker make its database leak information.
“It was very simple to gain access to the 1st box that listed all the .us domains, and their ftp server logins,” Fear claims. “I went through each and every one, it was legit. I am pretty sure about every person who does security researching can do this, yes, it may have taken me about 3 hours or 4 hours of looking around, but it is still possible.”
Boasting further, Fear claims that “It only takes 13 hours and 23 minutes and 12 seconds for somebody to finish gathering data on every US citizen.”
He said that many states used poor security practices, using passwords of no more than five characters and failing to encrypt sensitive information.
Fear said that the files he has collected include credit card information, bank transactions, prescription information, Social Security data and more. He has plans to sell the downloaded information for “thousands of dollars in cryptocurrency.”
Apparently, the teen hacker has not left any backdoors to the FTP servers save for Florida, and that backdoor was removed Sunday night. What is surprising and scary is that a single teenager was able to access and grab sensitive data from servers that are run by the U.S. government.