Hacking forum takeover backfires

Aug 24, 2009 10:59 GMT  ·  By
Australian Federal Police computer system hacked after sting operation backfires

The Australian Federal Police (AFP) recently took control of an underground hacking forum and started using it to gather evidence of illegal activities. After the AFP boasted about the feat on national television and on the website's front page, a hacker broke into a police computer system associated with the investigation.

On August 19, AFP officers raided the Brighton (Melbourne) home of an individual suspected of being the administrator of r00t-y0u.org, a hacking forum with roughly 5,000 members. Using the evidence gathered during the raid, the federal police took control of the website and began collecting further evidence against the regular visitors who engaged in illegal activities there.

"This underground forum has been monitored by law enforcement - every post, private message and all registration information has been captured. All member IP addresses have been logged and identification processes are now underway. […] Every movement on this forum has been tracked and where there is information to suggest a person has committed a criminal act, referrals will be forwarded to the relevant authority in each jurisdiction," read a warning posted by the authorities on the website's front page.

However, the federal police did not stop at alerting the cybercrooks through the front-page notice; officials also went on ABC's Four Corners TV program to boast about the sting operation. This turned out to be a bad decision, as it angered a hacker who decided to teach them a lesson by compromising the police's own computer system.

According to The Sydney Morning Herald, a security expert explained that the hacker used SQL injection to obtain a local shell and then browsed through the police system used in the investigation. An AFP spokesperson noted that the computer only contained a snapshot of a directory structure and file names, not the actual files.

In a message of his own, posted on pastebin.com as well as on the front page of r00t-y0u.org, the attacker explained that the MySQL password on the police system was blank and that he did it because the police were "making it sound like they can bust 'hackers', when all they have done is busted a COUPLE script kiddies." The hacker also noted that "These [expletive] are using an automatic digital forensics and incident response tool. All of this had been done within 30-40 minutes. Could [have] been faster if I didn't stop to laugh so much."
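The article gives no detail of the injected query, so the following is an added illustration, not code from the incident or from the AFP system: a login check that splices user input into a SQL string, next to the parameterized form that defeats the same input. It uses Python's standard-library sqlite3 so it runs offline; the compromised site ran MySQL, but the injection pattern and the fix are the same. The table, the account and the injection strings are constructed for the example, and the plaintext password column is a simplification.

```python
import sqlite3


def make_db():
    """Constructed sample database: one account, stored for the demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled text is concatenated straight into the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Placeholders send the input as bound data; quotes, OR clauses and
    comment markers in it never reach the SQL parser as syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Two classic payloads (constructed): the first turns the WHERE clause into
# (username='admin' AND password='') OR '1'='1'; the second comments out the
# password check entirely, so no password is needed at all.
INJECT_OR = "' OR '1'='1"
INJECT_COMMENT = "admin'-- "

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "admin", INJECT_OR))        # True: bypassed
    print(login_vulnerable(conn, INJECT_COMMENT, "x"))       # True: bypassed
    print(login_safe(conn, "admin", INJECT_OR))              # False
    print(login_safe(conn, INJECT_COMMENT, "x"))             # False
```

Note that a blank database password, as the attacker claimed to have found here, compounds an injection flaw rather than causing it: the web application already holds a valid connection, so the injected SQL runs with whatever privileges that account has regardless of how weak its credential is.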

Gunter Ollmann, formerly chief security strategist at IBM Internet Security Systems (ISS) and currently vice-president of research at Damballa, pointed out that "It’s odd that the Ozzie police would have decided to alert patrons of the r00t-y0u.org site that they were now being monitored - instead of running with it for longer and perhaps building a case against the sites users/subscribers." This is exactly what the FBI did during its successful sting operation that involved taking over the DarkMarket carding forum.