
We can guess at the details.

A lot of forums like phpBB are installed via cPanel and may have default passwords and not be secured fully.

If you have a machine in the ISP, which just means renting 1 machine per ISP, then scan the local IP ranges for open MySQL ports... or more nefariously scan for Memcached as that is hardly ever secured.

Then use the default credentials or the credentials stolen from Memcached to access MySQL.

You're dealing with a known set of forum software, probably phpBB, Vanilla, vBulletin and Invision. So you only need to map out a few schemas to be able to make sense of hundreds if not thousands of sites.

Forums are slow moving, even the big ones only have a few thousand to low tens of thousands of posts per day... and your rented machine could easily poll for differences and send it back to HQ.

This is all just speculation of course, but it wouldn't surprise me that this is how it was done.



You're making some pretty big assumptions there. I don't think there is any evidence that MySQL databases set up via cPanel (or any other control panel) have default passwords or are inherently insecure. If this was the case, we would be seeing websites being hacked left and right, and not just by intelligence services.


I didn't feel like my assumptions were that big.

From the original article:

> “They use sweeps to collect data from all users of web forums. The use of these techniques could easily lead to mass surveillance by the government.”

Which implies that they are not scanning traffic constantly but are instead performing a sweep across the fora and gathering all data. Which implies querying the databases on a schedule and pulling info, as the full dataset never exists in the ephemeral traffic.

> “They acquire MySQL databases via CNE access”

Which states that they exploit something on the network to "acquire" the data from MySQL databases.

Those two things together suggest periodic access to the databases.

And given the previous behaviour from accessing networks and hardware without permission of the companies operating on those networks (the Google dark fibre intercept) it isn't too much of a stretch to imagine a similar scenario that could give them access to these databases without asking first.

And the easiest way to get access to a large volume of forums would be to use a common platform as the attack point: A common deployment (cPanel, Plesk, etc) or a common technology that could give up credentials (memcached).

Of course they could use a vulnerability in MySQL, but I bet that's harder work than just trying default passwords or pulling credentials from the unsecured memory cache.
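The thread's recurring point is that a shared hosting box is exposed through services (memcached, MySQL) that were never restricted to the loopback interface. The script below is an added example, not code from the thread or from any of the products named in it, of the check a forum operator could run against their own config files before a sweep finds the gap. It assumes a Debian-style memcached.conf that passes the listen address as a `-l` line and a my.cnf with a `[mysqld]` section; the two config snippets in it are constructed samples.

```python
"""Audit memcached and MySQL config fragments for network exposure.

Added hardening example: flags a memcached or MySQL daemon that is
listening on something other than loopback. Config samples below are
constructed for the demo, not taken from any real host.
"""
import ipaddress
import re

LOOPBACK_NAMES = {"localhost"}


def _is_local(addr: str) -> bool:
    """True when addr is a loopback address (or the name 'localhost')."""
    if addr in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostnames other than localhost: treat as reachable


def audit_memcached(conf: str) -> list:
    """Findings for a Debian-style memcached.conf (options one per line)."""
    findings = []
    listen = None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"-l\s+(\S+)", line)
        if m:
            listen = m.group(1)
    if listen is None:
        # memcached binds every interface when -l is not given
        findings.append("memcached: no -l option, listens on all interfaces by default")
    elif not _is_local(listen):
        findings.append(f"memcached: bound to non-loopback address {listen}")
    return findings


def audit_mysql(conf: str) -> list:
    """Findings for the [mysqld] section of a my.cnf."""
    findings = []
    section = None
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        # normalise bind-address / bind_address to one spelling
        opts[key.strip().replace("-", "_")] = value.strip()
    if "skip_networking" in opts:
        return findings  # TCP listener disabled entirely, nothing to expose
    bind = opts.get("bind_address")
    if bind is None:
        # MySQL's built-in default accepts connections on all interfaces
        findings.append("mysql: no bind-address set; default accepts connections on all interfaces")
    elif not _is_local(bind):
        findings.append(f"mysql: bind-address {bind} is reachable from the network")
    return findings


# Constructed sample configs: one hardened host, one exposed host.
HARDENED_MEMCACHED = "-m 64\n-p 11211\n-l 127.0.0.1\n"
EXPOSED_MEMCACHED = "-m 64\n-p 11211\n"
HARDENED_MYSQL = "[mysqld]\nbind-address = 127.0.0.1\n"
EXPOSED_MYSQL = "[mysqld]\nbind-address = 0.0.0.0\n"


def run_samples() -> dict:
    """Audit both sample hosts; returns findings keyed by host label."""
    return {
        "hardened": audit_memcached(HARDENED_MEMCACHED) + audit_mysql(HARDENED_MYSQL),
        "exposed": audit_memcached(EXPOSED_MEMCACHED) + audit_mysql(EXPOSED_MYSQL),
    }


if __name__ == "__main__":
    for host, findings in run_samples().items():
        print(host, "->", findings or ["no exposure found"])
```

Run it against the real files (`/etc/memcached.conf`, `/etc/mysql/my.cnf` and any `conf.d` fragments) by reading them into the two audit functions; an empty findings list means the daemon is only reachable from the box itself, which removes the credential-harvesting path the comments above describe regardless of how strong the database passwords are.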



