Based on "And so it will come down ... or how the data of 14 million Russians ended up in my hands" ...
The article you are reading is not a reply to the post mentioned above. It is rather an attempt to show what is already being done, and what can be done in information security in general, if we deviate slightly from the accepted canons of protecting systems.
And to dot the i's: I am not trying to judge or somehow whitewash the "responsible" persons on either side.
I will rather just try to explain another (perhaps new to some readers) conceptual approach, with examples, including ones related to that article.
By the way, that not everything in it is true, or most likely not entirely true, is visible to the naked eye to a "real hacker".
For example, after reading "Pulled a database weighing 5 GB ... it took a long time to download. Do you think anyone noticed?" I just grinned and kept reading (IMHO some exaggeration is allowed in such articles).
Although the author himself admitted, in an update at the end of the article, that he was fibbing a little:
Of course, I have no database; for 3 days I emulated the download ...
Now, why is this obvious, or at least likely (even without taking other typical constraints into account): fastcgi_read_timeout (60s by default, and it is changed only for special locations / cases), preread_timeout and others like it, and also max_execution_time (30s by default), request_terminate_timeout, etc., etc. If you pull it incrementally (aka in chunks), you can estimate how much time is really needed to drag a five-gigabyte database off a server that, by the way, is not designed for such operations, in chunks wrapped in the HTML of the site's front page.
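As an added illustration (not code from the original post), the following Python script shows what such an incremental pull looks like in an ordinary nginx access log and why it is hard to miss: one client hitting the same path over and over with large responses, spaced out by the per-request timeouts, until one request trips the gateway timeout. The log lines are constructed, the thresholds and the endpoint name are assumptions, and the time estimate uses only the per-request limits mentioned above.

```python
"""Spot a 'chunked' bulk pull in nginx-style access logs.

Added example for this article, not code from the original post. The log lines
are constructed, the thresholds are assumptions, and the time estimate only
uses the per-request limits the text mentions (e.g. a 30 s execution cap)."""
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" format: ip - user [time] "METHOD target PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: one ordinary visitor, and one client walking the same
# endpoint page after page with ~1 MiB responses, once every 30 seconds, until
# one request finally hits the gateway timeout (504).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2018:10:00:01 +0300] "GET /index.html HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2018:10:00:02 +0300] "GET /search?offset=0 HTTP/1.1" 200 1048576 "-" "curl/7.58"
203.0.113.7 - - [10/Jan/2018:10:00:09 +0300] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2018:10:00:32 +0300] "GET /search?offset=1000 HTTP/1.1" 200 1048576 "-" "curl/7.58"
198.51.100.9 - - [10/Jan/2018:10:01:02 +0300] "GET /search?offset=2000 HTTP/1.1" 200 1048576 "-" "curl/7.58"
198.51.100.9 - - [10/Jan/2018:10:01:32 +0300] "GET /search?offset=3000 HTTP/1.1" 200 1048576 "-" "curl/7.58"
198.51.100.9 - - [10/Jan/2018:10:02:02 +0300] "GET /search?offset=4000 HTTP/1.1" 200 1048576 "-" "curl/7.58"
198.51.100.9 - - [10/Jan/2018:10:02:32 +0300] "GET /search?offset=5000 HTTP/1.1" 200 1048576 "-" "curl/7.58"
198.51.100.9 - - [10/Jan/2018:10:03:05 +0300] "GET /search?offset=6000 HTTP/1.1" 504 0 "-" "curl/7.58"
"""


def parse_line(line):
    """One access-log line -> dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
        "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
    }


def find_chunked_pulls(lines, min_requests=5, min_bytes=4 * 1024 * 1024):
    """Group successful responses by (client, path) and flag clients that fetched
    the same path many times with a large total, i.e. a database leaving in pieces."""
    per_client = defaultdict(lambda: {"n": 0, "bytes": 0, "first": None, "last": None, "queries": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue  # 504s mark where the timeout bit; they carry no payload
        s = per_client[(rec["ip"], rec["path"])]
        s["n"] += 1
        s["bytes"] += rec["bytes"]
        s["queries"].add(rec["query"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    findings = []
    for (ip, path), s in per_client.items():
        if s["n"] >= min_requests and s["bytes"] >= min_bytes:
            findings.append({
                "ip": ip,
                "path": path,
                "requests": s["n"],
                "bytes": s["bytes"],
                "span_seconds": (s["last"] - s["first"]).total_seconds(),
                "distinct_queries": len(s["queries"]),
            })
    return findings


def estimate_pull_seconds(total_bytes, chunk_bytes, seconds_per_request):
    """Lower bound on wall-clock time to move total_bytes when each request can
    carry at most chunk_bytes and costs seconds_per_request (timeout-bounded)."""
    requests = -(-total_bytes // chunk_bytes)  # ceiling division
    return requests * seconds_per_request


if __name__ == "__main__":
    for f in find_chunked_pulls(SAMPLE_LOG.splitlines()):
        print(f)
    hours = estimate_pull_seconds(5 * 1024 ** 3, 1024 ** 2, 30) / 3600
    print(f"5 GiB in 1 MiB chunks at 30 s each: about {hours:.1f} hours")
```

Run against a real log, the grouping key and thresholds are the knobs: a site that legitimately serves large paged exports will need a higher `min_bytes` or a whitelist of paths, but a front page or search handler returning megabytes, hundreds of times in a row, to one address is exactly the pattern the question "did anyone notice?" is about.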
Remember that our hacker is no fool and must be hiding behind a proxy / VPN / whatever substitute he prefers, and the whole affair becomes even more doubtful.
Not a certainty, but still very doubtful. Although ... let it serve as a "hint", an excuse for NoraQ in case they come with a soldering iron over some unforeseen issue.
Well, yes, the article is not about that, so let's say ...
So we come to the most important thing.
To answering the question "Do you think anyone noticed?".
I'll answer with another question: why did you immediately decide that no one noticed?
How did you decide that the "data" you were given came from the real data bank?
And finally, could it be that someone, somewhere, left something "ajar" on purpose?
Note, I'm not saying that this is the case. I'm just thinking out loud.
However, in the world of information security there really are techniques for deliberately setting traps for uninvited guests, and they are often used in practice.
There are many names for them, depending on the application in a particular case, but English-speaking colleagues often use the generalized abbreviations IPF (from intentional pseudo flaws) and ITD (from intentional trap doors), which mean the same thing: deliberately left pseudo-flaws, or special holes in the defense, that serve as a trap for the attacker.
In addition to a few obvious drawbacks, a security system that allows such "pranks" has many advantages:
You just need to remember that opening access to the attacker raises the risk level. However, given the above, the benefits obtained more than outweigh the possible risks.
Once an acquaintance, a CIO, told me, folding his fingers like in the picture: "You can't just up and become a good guy without ever having been in the intruder's shoes." The context of the conversation and the tone in which it was said made it clear to me that he had been a "hacker" in his youth ...
Well, that may be fine (in moderation), only he was not quite right: there is in fact such a method. Nothing sharpens skills like an interactive ITD with dozens of good pentesters and other attackers of all stripes (home-grown and otherwise). Very instructive, I tell you ...
Then again, it is simply an indescribable feeling when you feed an intruder a hint of a terrible "vulnerability" with a theoretical possibility of escalating privileges to root (and you can see his "I am cool!"), making him abandon the search for XSS and similar boring vulnerabilities, forget everything and plunge headlong into the trap prepared for him.
Let's return to the article about the "holes" in the FRDO ...
The ITD is really not limited to "games" with the attacker. For example, if you read the objectives here, "Formation and maintenance of the FRDO on education and (or) on qualifications, documents on training", you can find the following:
Elimination of the turnover of forged state documents on education
What other way is there to deal so effectively with the circulation of forged documents than, using IPF / ITD, to collect a database of likely candidates for sawing firewood in some cold and especially remote corner of Russia?
Not pentesters, not at all ... but, for example, people trying in vain to exploit the injection to insert new documents.
If I were the "implementer" (or organizer) of the project, I would probably use the opportunity and do just that.
Is it not a suitable tool for such purposes? And with some experience, it can be implemented quite easily and, most importantly, imperceptibly.
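The trap described in the ITD passage above and the "collect the candidates" idea in the FRDO passage come down to the same mechanism: a decoy that no legitimate path leads to, that serves only synthetic data, and that logs everyone who touches it. Below is an added Python sketch of such an ITD/IPF decoy; it is not code from the original post and has nothing to do with the real FRDO. The decoy path, the secret, the record fields and the page size are all assumptions. It generates a per-client, deterministic fake "database" (so an intruder paging through it sees consistent data, which is why "how did you decide the data was real?" is a fair question), tags every record with an HMAC canary so a leaked dump can later be recognized as the decoy's output, accepts "inserts" without writing them anywhere but the event log, and summarizes which clients paged through it in chunks or tried to insert documents.

```python
"""A minimal ITD/IPF-style decoy: a never-linked "export" page that serves only
synthetic records, accepts "inserts" without touching any real table, and logs
every visitor. Added example for this article, not the original post's code or
the FRDO's; the path, secret, field names and page size are assumptions."""
import hashlib
import hmac
import json
import random
from datetime import datetime, timezone

DECOY_SECRET = b"per-deployment-secret-replace-me"  # assumption: stored outside the web root
DECOY_PATH = "/old/export.php"                       # assumption: nothing legitimate links here
PAGE_SIZE = 100
SURNAMES = ["Ivanov", "Petrov", "Sidorov", "Smirnov", "Kuznetsov", "Popov"]


def canary_tag(fields):
    """Short HMAC over a record's visible fields: a dump carrying these tags
    is provably the decoy's output, not a real database."""
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(DECOY_SECRET, msg, hashlib.sha256).hexdigest()[:8].upper()


def synthetic_record(seed, row_id):
    """Deterministic fake row, so a client paging through the decoy sees one
    consistent 'database' rather than data that changes between chunks."""
    rng = random.Random(f"{seed}:{row_id}")
    fields = {
        "id": row_id,
        "surname": rng.choice(SURNAMES),
        "doc_no": f"{rng.randint(100000, 999999)}",
        "year": rng.randint(2000, 2017),
    }
    return {**fields, "series": canary_tag(fields)}


def verify_canary(record):
    """True if the record (with its 'series' tag) was produced by this decoy."""
    fields = {k: v for k, v in record.items() if k != "series"}
    return hmac.compare_digest(canary_tag(fields), str(record.get("series", "")))


def page_for(client_ip, offset):
    """One page of synthetic rows; the seed is per client, so two intruders
    comparing notes will not even get the same fake data."""
    seed = hashlib.sha256(DECOY_SECRET + client_ip.encode()).hexdigest()[:16]
    return [synthetic_record(seed, i) for i in range(offset, offset + PAGE_SIZE)]


def handle_request(client_ip, method, path, params, now=None):
    """Returns (status, body, event). Only the decoy path is handled here; the
    event is what the defender keeps (who, when, what they asked for)."""
    if path != DECOY_PATH:
        return 404, None, None
    ts = (now or datetime.now(timezone.utc)).isoformat()
    event = {"ip": client_ip, "path": path, "params": dict(params), "ts": ts}
    if method == "POST":
        # A forged 'insert' is acknowledged but written nowhere except the
        # event log: the submitted fields themselves are the evidence.
        event["kind"] = "decoy_submit"
        return 200, {"result": "ok"}, event
    try:
        offset = max(0, int(params.get("offset", "0")))
    except ValueError:
        offset = 0
    event["kind"] = "decoy_read"
    event["offset"] = offset
    return 200, page_for(client_ip, offset), event


def summarize(events, min_pages=3):
    """Per client: distinct pages pulled and 'inserts' attempted. Paging through
    >= min_pages means the 'database' was being pulled in chunks; any submit at
    all is worth a look."""
    pages, submits = {}, {}
    for e in events:
        if not e:
            continue
        if e["kind"] == "decoy_read":
            pages.setdefault(e["ip"], set()).add(e["offset"])
        elif e["kind"] == "decoy_submit":
            submits[e["ip"]] = submits.get(e["ip"], 0) + 1
    return {
        ip: {"pages": len(pages.get(ip, ())), "submits": submits.get(ip, 0)}
        for ip in set(pages) | set(submits)
        if len(pages.get(ip, ())) >= min_pages or submits.get(ip, 0) > 0
    }


if __name__ == "__main__":
    # Constructed traffic: one crawler walking the decoy page by page and then
    # trying to 'insert' a document; one ordinary visitor who never sees it.
    log = []
    for off in (0, 100, 200):
        log.append(handle_request("198.51.100.9", "GET", DECOY_PATH, {"offset": str(off)})[2])
    log.append(handle_request("198.51.100.9", "POST", DECOY_PATH,
                              {"surname": "Test", "doc_no": "123456"})[2])
    log.append(handle_request("203.0.113.7", "GET", "/index.html", {})[2])
    print(json.dumps(summarize(log), indent=1))
```

Two design points matter more than the code. First, the decoy never reads or writes the real store, so the extra risk the text warns about is limited to the decoy's own surface. Second, the per-client seed plus the canary tag means a dump that later surfaces can be matched back to the client that pulled it, which is what turns a "hole" into evidence rather than a loss.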
But enough conspiracy theorizing here; the rest, the Habr folk with their characteristic rich imagination, will surely "think out" in the comments. We may even get to see a ready PoC or something else that your humble servant lacks the wits for.
As examples of the "implementation" of ITD, I wanted to tell here about my own experience, both as a pentester who once fell for such bait (or maybe more than once, who knows), and as a defender who has already organized such systems (for interest's sake, and at enterprise level), with all the trimmings: attack logs, monitoring records and the rest.
But ... the article has already grown long. And I think this will be enough as an introduction for now.
I'll try to write that up later, if the article gathers enough upvotes and interest.
Time, always time ... damn it ...
Well, once again: when you find a "security hole", consider that the joke may have its share of truth, and that it (your hole) may suddenly turn out to be perfectly safe in fact. Just a subtle thought to keep in the back of your mind ...
Well, once again returning to the topic of the FRDO ...
[UPD] For those who haven't got it yet ...
The article is not about what was actually there. It is about the fact that in theory it is possible (in an ideal world, if you like) ...
That is, all of the above is lyrical, but with reference to the specific incident, for instance, I cannot rule out such a scenario.
And please, no need to tell me that it is so difficult and expensive (and that no one needs it anyway), okay? ...
Here is a specific cheap working version (the simplest, knocked together on the knee):
The question was not whether it was true or not, but that in theory it could be, and that did not even occur to our home-grown hacker. He simply hung it on the wall.
I myself am far from white and certainly not fluffy, but this is not how it is done, not at all!
[/UPD]
And please, there is no need here for "They are all stupid / lazy / clumsy". Really, don't ... Firstly, that is not the point at all.
And secondly, there are also many wonderful, intelligent and committed people there. Fortunately, they are found not only in fashionable start-ups and in highly paid positions in large concerns, enterprises, etc. I've talked with them; I know.
Well, and there are plenty of similar professionals around who do not belong to those specific structures but are sometimes willing to help (for interest, for an idea, etc.).
The answer to the question "Why did they eventually get patched up?" may be: well, the hype. And ... are you sure that everything is closed? And that it is forever? ...
Source: https://habr.com/ru/post/348016/