Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL
thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."
To just Google what they wanted to know? Google even has a "url" specifier!
This issue is a bit more complicated than you think.
http://www.australia.gov.au/backdoor ?
"A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
NSW Lawyer: You allege that the Sydney Morning Herald repeatedly sent lascivious requests to you, is that correct? ... and just exactly how many times were you violated? ... three thousand seven hundred and twenty seven. ... *breaks down sobbing* I didn't know what he wanted from me until it was too late!!! ... your child's server?! Huh?
NSW Server: *nods solemnly*
NSW Lawyer: I see
NSW Server: *pauses and swallows loudly* Three
*crowd gasps*
NSW Lawyer: I see. Now, I know this is hard for you but could you please point to where, exactly, on this anatomically correct server doll the Sydney Morning Herald accessed you from.
NSW Server: *turns the server doll over and motions to the ports* Here on the back, in my ethernet port.
*sounds of disgust ripple through the crowd*
NSW Lawyer: And what did he say to you when this was happening?
NSW Server: GET.
NSW Lawyer: 'GET' what?
NSW Server: He just kept saying GET, GET, GET! GET this document. GET that document.
NSW Lawyer: And did you get it for him?
NSW Server: No, it didn't exist! They just weren't there!
NSW Lawyer: And what did you say exactly!
NSW Server: 404! 404, goddammit, 404
NSW Lawyer: There there. There there, it's okay. You're safe now. *turns to the judge* Can we let this sort of gross injustice go unpunished in today's society? How long before this happens to your server? Or
NSW Judge: *nods approvingly*
NSW Lawyer: I rest my case.
My work here is dung.
We have enhanced the security of our secret intranet site with immediate effect. The new enhanced security intranet site is SECRETnswtransportblueprint.com. Please update your bookmarks. To allow our braindead minister, who cannot remember a password and is frightened when confronted with a login dialog, to use the site, we have disabled the login requirements for all. So please keep the URL confidential.
Signed
Assistant to the Minister D Umbi Diot
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Wasn't there a story like this about ten years ago, but it was something concerning grades or test scores on a college website?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
There, fixed that for you, Mr. Minister.
This reminds me of a case in Canada, where Passport Canada (the agency responsible for passport emission) was "hacked" by changing some numbers in the URL to get from one passport request details to the other, making very confidential information available to even the most basic hackers.
However, no one was accused here, except the developers of the solution, who were blamed. Now, Passport Canada still processes online passport requests, but applicants are no longer able to view the details and progress of their application online.
Are there no IT Pros that work for the government?
I read stories like this and I think "There's no way they could be monitoring my traffic, they can't even set up basic login authentication for their websites."
"Bang the Table".
Methinks we have found a new tag for articles about politicians who are bitten by their own stupid security practices. Release a Word file with the revision history still in it? Bang the table. Secret government data stolen because of malware you downloaded from a porn site? Bang the table.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Then don't put your UNLOCKED door in my house! This is the internets.
Whenever I get a package of plain M&Ms, I make it my duty to continue the strength and robustness of the candy as a species. To this end, I hold M&M duels. Taking two candies between my thumb and forefinger, I apply pressure, squeezing them together until one of them breaks and splinters. That is the “loser,” and I eat the inferior one immediately. The winner gets to go another round. I have found that, in general, the brown and red M&Ms are tougher, and the newer blue ones are genetically inferior. I have hypothesized that the blue M&Ms as a race cannot survive long in the intense theater of competition that is the modern candy and snack-food world. Occasionally I will get a mutation, a candy that is misshapen, or pointier, or flatter than the rest. Almost invariably this proves to be a weakness, but on very rare occasions it gives the candy extra strength. In this way, the species continues to adapt to its environment. When I reach the end of the pack, I am left with one M&M, the strongest of the herd. Since it would make no sense to eat this one as well, I pack it neatly in an envelope and send it to M&M Mars, A Division of Mars, Inc., Hackettstown, NJ 17840-1503 U.S.A., along with a 3×5 card reading, “Please use this M&M for breeding purposes.” This week they wrote back to thank me, and sent me a coupon for a free 1/2 pound bag of plain M&Ms. I consider this “grant money.” I have set aside the weekend for a grand tournament. From a field of hundreds, we will discover the True Champion. There can be only one.
Is it even legally possible to bring up criminal charges, considering the URL was completely unsecured?
Living With a Nerd
Yup, recently someone on pandasthumb.org quoted someone famous saying, "If the law is on your side, bang on the law. If the facts are on your side, bang on the facts. If neither, bang on the table."
User-agent: *
Disallow: /highly_confidential_documents/
Hack-delay: >9000
These reporters will learn not to meddle in government affairs when they're behind bars for the next 50+ years for computer offenses. Security is for chumps. Real security is sleeping well at night knowing that everyone else cowers in fear of your wrath. Not many reporters are willing to bet their lives on a story, and those that are willing will be made examples to the rest. Either the story dies or you do - Your choice!
There are no changes or password cracking involved. More like "accidentally" viewing a website that is not supposed to be public.
This reminds me of a similar case where an employee was able to look at files that he was not supposed to see with his account, thanks to a mistake by a sysadmin, and the boss accused him of hacking.
New Economic Perspectives
We do a very poor job, globally, of distinguishing between electronic trespass and electronic breaking and entering. In the rush to criminalize computer use deemed anti-social, bedrock concepts such as the above were not well translated to electronic paradigms. As such, bizarrely disproportionate legal sanctions are often applied to those convicted of these acts, and with little reason beyond knee-jerk technophobia.
There is no technical difference between a password in the URL and a password in the rest of the HTTP header. Neither is a particularly good access control, but as long as the URL is not easily derived from another URL or published in any way, they are actual access control methods. We don't use secret URLs because there are many ways a URL can easily leak and become public knowledge (e.g. through the HTTP Referer header). Secret URL components are however used frequently for session control when cookies are unavailable. Would you not consider using a leaked session-URL an attack?
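The comment above makes two claims worth seeing in code: a secret path segment and a secret header are the same kind of bearer credential on the server side, and the path variant leaks through the Referer header whenever the secret page links out. The following is an added example written for this thread, not code from any poster or from the NSW site; the token values, the host names and the `authorize()` / `referer_sent()` helpers are all constructed for the demonstration. `referer_sent()` models three Referrer-Policy values as the Referrer Policy specification defines them.

```python
import hmac
from urllib.parse import urlsplit

# Constructed secrets for the demo. A real deployment would generate them with
# secrets.token_urlsafe() and keep them server-side; they are literals here only
# so the example runs offline.
SECRET_PATH_TOKEN = "k3Qm9vX2a7Lp"   # the "unannounced URL" model
SESSION_TOKEN = "s8Hd0wYq1ZrT"       # the credential-in-a-header model


def authorize(request: dict) -> bool:
    """Accept a request that carries a valid bearer secret in either place.

    Both checks use a constant-time comparison: whether the secret travels in
    the path or in a header, it is 'something the client knows', and a timing
    side channel would weaken either one equally.
    """
    path_parts = [p for p in request.get("path", "").split("/") if p]
    if path_parts and hmac.compare_digest(
        path_parts[0].encode(), SECRET_PATH_TOKEN.encode()
    ):
        return True
    auth = request.get("headers", {}).get("Authorization", "")
    if auth.startswith("Bearer "):
        return hmac.compare_digest(
            auth[len("Bearer "):].encode(), SESSION_TOKEN.encode()
        )
    return False


def referer_sent(page_url: str, link_url: str, policy: str) -> str:
    """Model the Referer value a browser attaches when a user follows link_url
    from page_url under the given Referrer-Policy.

    Modelled policies: 'no-referrer-when-downgrade' (the old browser default:
    full URL unless going HTTPS -> HTTP), 'strict-origin-when-cross-origin'
    (the current default: full URL same-origin, origin only cross-origin,
    nothing on downgrade) and 'no-referrer'. Fragment and userinfo are never
    sent, so they are not part of the modelled 'full' form.
    """
    src, dst = urlsplit(page_url), urlsplit(link_url)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    full = f"{src.scheme}://{src.netloc}{src.path}"
    if src.query:
        full += f"?{src.query}"
    origin = f"{src.scheme}://{src.netloc}/"
    if policy == "no-referrer" or downgrade:
        return ""
    if policy == "no-referrer-when-downgrade":
        return full
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else origin
    raise ValueError(f"policy not modelled: {policy}")


def secret_leaks_via_referer(page_url: str, link_url: str, policy: str) -> bool:
    """True when the secret path token would land in the linked site's logs."""
    return SECRET_PATH_TOKEN in referer_sent(page_url, link_url, policy)


if __name__ == "__main__":
    page = f"https://example.gov.test/{SECRET_PATH_TOKEN}/index.html"
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(pol, "->", secret_leaks_via_referer(page, "https://third-party.test/", pol))
```

The practical consequence for a site owner is the one the comment states: if a secret URL is ever used, the page must at least send `Referrer-Policy: no-referrer` (and `Cache-Control: no-store`), and even then the token still sits in browser history, proxy logs and bookmarks, which is why a header-borne session credential tied to a login is the normal choice.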
'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.'
Much more like checking 3727 shelves in the public library looking for a copy of "internet security for dummies"
The funny part is both sides are fairly non-technical, meaning some "journalist" probably typed in all 3727 URLs.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
At what point does obscurity become security? 3,727 attempts corresponds to 12 bits of entropy. According to NIST, that's the equivalent of a 5-character user-selected password. The same document stipulates a mere 10 bits of entropy for some applications.
Just because a house has windows and they aren't covered by curtains does not mean that by looking through the window and reading an important document left near the window you aren't stealing info. An unlocked door doesn't mean you have the right to open it either. Both are wrong.
Conversely, an unpublished website for a govt. agency... and they really thought that was secure? Buahhahhahhahhahha!
Life takes interesting turns, but the most interest is when you're off the beaten path.
I'd like you to consider that web-address "off-limits," as a favor to me.
I once worked for a 3rd Party Energy Marketer, i.e., they sell you Gas/Electric "supply" and you pay your local utility for "delivery". So in the company's quest to find "good" customers, I took the liberty of writing a small program that started with a base 15 digit number and just incremented the number by one each time and tried to log in to the ConEd NY website with that account number. Once I found an account that I could log in to, I had the account holder's name, address, payment history and usage history and could discover if it was an account worth our enrollment department contacting to try to sign up or if we should flag their account number as a "never sign this person up, ever" account. ConEd tracked down the IP/source of the millions of requests and asked us politely to stop, but the hole still exists ~5 years later and if I had some more free time, I'd continue to use my little program and run a junk mail campaign in my spare time. I don't know what this has to do with the story other than that I bet just changing query string parameters and seeing what happens is probably the easiest, most common "attack", even by people who don't mean to be attacking.
The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn their own head in a busy, public marketplace and look at a billboard.'
Don't want people reading your web site? Put it behind a login. Anything else is just sophistry to cover up incompetence. Web sites are advertisements first and foremost. The whole point is to make it possible for as many people as possible to read your thing. If you want to exclude certain people from being able to view it, then you shouldn't just put a billboard up where you think it's out of the way and hope nobody notices, you should put it behind a door which requires a key to get in.
Can you be Even More Awesome?!
Why, yes, yes it is.
First of all, define "completely unsecured". I'm pretty sure I know your definition, and if I had to vote I'd support it; but I'm also pretty sure I know their definition and it has a frightening amount of support. They will argue, and the courts might accept, that the non-publication of the URL constitutes "security", or an expectation of privacy, or whatever terms they need to feel good about filing charges.
This is a matter of technical knowledge. To a person who only knows how to follow links, limiting circulation of links can seem like "security". You can point out that it's easy to learn the skills to circumvent that, but think how that looks to someone who isn't very computer literate. "Sure, you can learn how to get around it - just like a thief can learn how to bypass a typical 5-pin lock. The skill to bump a lock isn't very hard to learn either."
The point is, as long as the typical level of knowledge doesn't include ways to find a non-published URL, the perceived threat will be in those who have the knowledge - not in those whose idea of "security" allows that knowledge to be used. I've seen Fortune 500 companies ban desktop search tools rather than tell their employees not to "hide" sensitive documents on unlocked directories of shared drives. You really think the courts and laws are so far ahead of that knowledge curve?
Ultimately what's missing is a universal legal standard that presumes information is public if it is deliberately placed on a web-accessible file system without at least a prescribed level of protection. How strong that prescribed level of protection should be is open to debate. I don't need fool-proof security on my house to charge you with trespassing - a closed door is more than enough.
The exact standard isn't important. What's important is, the standard should exist, should be universal, and should be known to all parties.
'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.'
A more correct simile would be like driving around to the addresses of 3,727 public parks until they find the one that contains documents.
No matter what the vendor/contractor/"expert" told you, an unannounced valid URL is NOT a firewall.
No, it's not. It's more like calling 3727 telephone numbers until you find one that is connected.
Considering all the anti-internet, anti-gaming, anti-pron laws and sentiment that seems to have become so pervasive in Australia recently (much to the delight of /. editors, who have had no shortage of great front page stories from there recently) I propose that Australia must, to protect its citizens from the immoral influence of the internet, REMOVE ITSELF FROM THE INTERNET IMMEDIATELY. It's the only way to be sure.
SJW: Someone who has run out of real oppression, and has to fake it.
Our local media is full of news regarding the Gov't Tax office; it has been hacked by just incrementing IDs in the URL (without any authorization), so a total of 7 million declarations have been downloaded. The attacker is publishing the downloaded data on Government-owned institutions, revealing the income of the highest-paid employees. http://latviantelecoms.blogspot.com/2010/02/cyberactivists-obtain-latvian-state.html
If I hide my wristwatch in a crowded shopping mall with the intent of retrieving it after lunch, and someone else finds and takes it, has that person stolen my watch?
If an unemployed blogger had done this he would get many years in prison (perhaps, I'm American so maybe this does not apply in Australia). Not only that, but the "newspaper" involved here would pay no attention to the blogger's rights and report the story the way the government prosecutors wished it to be written. The editor of this paper is laughing about the "controversy" and enjoying the attention as he is part of the club who run the country.
Why do "Al Qaeda" bulletins allegedly authored by Osama Bin Laden sound as if they were authored by Oliver North?
Someone has secured the site, or deleted it. The link no longer works, and here I was going to look for a robots.txt file. Rats! Foiled again!. Not even a login prompt. It may be:[Agent86 voice] "they used the old use the /. effect to bring the server crashing down and thereby securing it from all those pesky hackers" trick.[/Agent86 voice]
Curiously, they specifically make it sound like all 3,727 page hits were from the hacks at the Herald, but clearly state that "some of them" came from the Herald. So, what is the actual number from the Herald hacks? Hmmm... I'd buy that for a dollar!
Daniel Cuthbert, who "hacked" the DEC charity website by using '../' in the URL. Convicted 2005.
http://www.samizdata.net/blog/archives/008118.html
Agrajag: "Oh no, not again!"
...now all you need to do is build a fence and connect it to either end.
I'd almost want to plead guilty if in return the government would plead stupid.
Shh.
"This is akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents..."
Clearly, if an office is making 4k hits trying to guess a single URL, it must be hacking! But wait, there's more...
Mr Campbell says there were about 3,727 unauthorised hits on the website, some of them from a computer belonging to a "Sydney media organisation".
Erm, that is to say, clearly if an undisclosed subset of 4k hits come from a newspaper office, then it must, uh, be a hacking attempt.
Right-o. Carry on then.
A person on a discussion forum was being a general dick, skirting the line where you could say he was definitely being obnoxious but pulling back and acting hurt when anyone would address his dickishness.
So I noticed he posted images through a Photobucket account all the time. I took the URL of one image and simply removed the 'this_image.jpg' part of it.
Photobucket itself changed the URL and showed his contents... and it turned out he liked collecting some racist imagery. I don't just mean historical photos, I mean stuff with text added and stuff Photoshopped to appeal to his fellow racists.
I made sure I took plenty of screenshots first. I then sent personal messages to those he had rubbed the wrong way, supplying them with the screenshots.
The next time he tried playing internet tough guy, out came the screenshots. He made a big song and dance about how HE was being oppressed and how he was going to sue everyone. He accused everyone of hacking him, which is where I stepped in. I told him that I was the one that had seen his Photobucket was wide open for anyone to view (I didn't tell him about passwording it... some people just need to learn the risks). I told him that if I wanted to be nasty, I could have sent him a personal message with an image attached that would reveal his IP address to me when opened... and he left the forum. I guess the fear of even considering the prospect of his face and location emailed to his ideological targets called his bluff.
He turned up some time later as an alt. Someone else recognized the style, and sure enough he was linking to images on Photobucket. The same account. Still not password protected.
Good times followed.
Looking at the actual webpage, it appears there is a login now. Considering the previous gaping security hole I wonder how much fun you could have with the Login URL.
http://nswtransport.com/login?return_to=%2F
I wonder if it would return
http://nswtransport.com/login?return_to=..%2F..%2F..%2Fetc%2Fpasswd
I am Bennett Haselton! I am Bennett Haselton!
Funny really, seeing as they didn't turn off the DNS for http://nswtransport.com which resolved to the same server
These reporters will learn not to meddle in government affairs when they're behind bars for the next 50+ years for computer offenses.
Security is for chumps. Real security is sleeping well at night knowing that everyone else cowers in fear of your wrath.
Not many reporters are willing to bet their lives on a story, and those that are willing will be made examples to the rest.
Either the story dies or you do - Your choice!
"The more you tighten your grip, Tarkin, the more star systems will slip through your fingers."
Sorry, had to slip in a Star Wars quote somewhere. :)
The fact that the DNS server resolved the URL to an IP address is proof that this is or was going to be a public site. Fer cryin' out loud, if you want obscurity don't create DNS records that point to your server. Sheesh!
Meddle thou not in the affairs of Dragons, for thou art crunchy and with most anything.
Numbers can be wonderful fun. They can mean many things, and not qualifying them can be very effective when you want to mislead....
The number of "violations" being bandied about is probably actually the number of individual GET requests by the web-browser(s) against the web server.
On a media-rich web-site (which this probably was, since nobody wants to actually read anymore), one could probably rack up that many GET requests simply by loading a couple dozen logical pages. (Since every href results in yet another GET...)
Also, they used the browser to print the web-pages. Depending on the web-browser and the cache-ability of the documents already viewed, the browser may have had to GET all of the pieces AGAIN just to print the document!
This is not news. Microsoft site managers have always depended on 'unlisted number' type of fake security. They also have always tried to bully or threaten any that point out, accidentally or on purpose, that the Microsoft emperor has no clothes. That's not new either. Look around. Dig a little. You'll find this method of cover up for gross incompetence common at sites with Microsoft infestations.
The self-described "hacks" (newspaper term) claim that they are not really computer savvy. OK, take that at face value. I think that the NSW blokes and their IT provider should be sent to Silicone Pines: http://www.satirewire.com/features/siliconpines/acf.shtml
There's no need for analogies for what the government did. They flatly published something, didn't bother to tell anyone they published it or where they published it, and got mad when someone found their published work, read it, and presumably reported what they read and helped others to find that publication. I've always looked at posting to a website as publishing in the loosest of senses. It's certainly vanity publishing in the vast, vast majority of cases, but the entire point of putting something on to the Internet without any sort of real security is so that people can find it. If a person or organization doesn't want something read potentially by all, they simply have to not upload it to a public server.
Do not look into laser with remaining eye.
You are not supposed to open a box with a combination lock because the owner, by installing that lock, has indicated his intent not to allow unauthorized persons access. It could be a cheapo lock with an easy to guess combo. Or it could be something expensive and pick proof. In the eyes of the law it doesn't matter. Common sense may suggest investing in something better than the cheapest lock, but the law doesn't care.
A URL is not a secret, given its common use. So it doesn't have the same legal standing as a combination or uid/password. Particularly if that URL has any meaning associated with the likely contents of the site. I would expect anyone searching for information on transportation in New South Wales to consider nswtransportblueprint.com.au to be a perfectly reasonable place to look for public information. So a reasonable person could assume that the site's owner had no intention of securing it. Hiding it at Goatse.cx would have been another matter. But then I don't know much about New South Wales government, so perhaps I'm wrong.
Have gnu, will travel.
Contents of aussiegovernmentdomain.com/robots.txt
User-Agent: *
Disallow: /very/secret/catalog123
I noticed a few people reacting to the 3,727, as if it was some sort of brute-force attack to get a URL.
If that was 3,727 requests to the http server, I think that wouldn't be very much. That is, reading a web page with graphical elements would, I would think, involve a dozen or so http requests -- more if there were lots of little icons and what not. Two journalists looking at a dozen such web pages a few times each would run up that number pretty quickly. (Can someone with more networking experience than I have check my thinking?)
And, of course, a decent firewall logs all requests, including legitimate requests.
So, I would guess that this is just the politician grabbing a number that sounds large to him, and ascribing significance it doesn't have.
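The two comments above ("Numbers can be wonderful fun" and this one) both ask what 3,727 hits actually means in terms of pages read, and the second one asks someone to check the thinking. The following is an added example, not code from any poster in this thread: it parses a constructed Common Log Format access log, counts hits per client, splits them into page views versus asset fetches versus 404s, and applies a rough triage rule to tell a person reading a site from a client guessing paths. The IP addresses, timestamps, paths and the `classify()` threshold are all constructed for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common Log Format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed: targets with these extensions (or none) are "logical pages";
# everything else (css, js, images) is an asset fetched on the page's behalf.
PAGE_EXTENSIONS = {"", ".html", ".htm", ".php", ".aspx"}


def parse_line(line: str):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_page(target: str) -> bool:
    segment = urlsplit(target).path.rsplit("/", 1)[-1]
    ext = segment[segment.rfind("."):].lower() if "." in segment else ""
    return ext in PAGE_EXTENSIONS


def summarize(lines):
    """Per-client counts: total hits, page views, asset fetches, 404s, distinct paths."""
    per = defaultdict(lambda: {"hits": 0, "pages": 0, "assets": 0,
                               "not_found": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per[rec["ip"]]
        s["hits"] += 1
        s["paths"].add(urlsplit(rec["target"]).path)
        if rec["status"] == 404:
            s["not_found"] += 1
        elif is_page(rec["target"]):
            s["pages"] += 1
        else:
            s["assets"] += 1
    return dict(per)


def classify(stats: dict) -> str:
    """Rough triage (constructed threshold): mostly-404 traffic over many distinct
    paths looks like URL guessing; pages each followed by their assets looks like
    someone reading the site."""
    if stats["hits"] == 0:
        return "no traffic"
    if stats["not_found"] / stats["hits"] > 0.5 and len(stats["paths"]) > 20:
        return "probable URL enumeration"
    return "ordinary browsing"


def estimated_page_views(hits: int, assets_per_page: int) -> int:
    """How many logical pages a raw hit count represents if each page pulls
    assets_per_page extra requests (the question the comment above asks)."""
    return hits // (assets_per_page + 1)


def build_sample_log():
    """Constructed sample: one reader loads three pages with twelve assets each,
    and one client guesses thirty paths, two of which exist."""
    ts = "10/Feb/2010:09:15:00 +1100"
    lines = []
    reader, guesser = "203.0.113.10", "198.51.100.7"
    for page in ("/", "/plan.html", "/stages/2.html"):
        lines.append(f'{reader} - - [{ts}] "GET {page} HTTP/1.1" 200 8192')
        for i in range(12):
            lines.append(f'{reader} - - [{ts}] "GET /static/asset{i}.css HTTP/1.1" 200 512')
    for i in range(30):
        status = 200 if i >= 28 else 404
        lines.append(f'{guesser} - - [{ts}] "GET /guess{i:03d} HTTP/1.1" {status} 0')
    return lines


if __name__ == "__main__":
    for ip, stats in summarize(build_sample_log()).items():
        print(ip, {k: v for k, v in stats.items() if k != "paths"}, "->", classify(stats))
    print("3727 hits at 12 assets/page ~", estimated_page_views(3727, 12), "page views")
```

With twelve assets per page, 3,727 hits is roughly 286 page views, which is the order of magnitude two journalists browsing a site over two days would produce; the distinguishing signal for a defender is not the raw count but the 404 ratio and the spread of distinct paths.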
The web works differently. One computer asks another for an index of available material. The other computer, by default, complies with the request and hands over a copy of the index. The first computer asks for a copy of the material listed in the index, and the second, again by default, complies with that request. This is not at all the same as walking into a house with an open door and removing actual property. Computers on a network will always do what they are asked to do. They are designed to do exactly that. When they do it, they are working exactly as they are supposed to work. This is not at all analogous with our traditional understanding of the way houses work. It's way past time people understood that.
Athy, athier, athiest.
...who published said highly confidential documents to a public webserver? This story should be about them getting fired, not about "hackers".
All they need do to persecute Sydney Morning Herald is to put this on their main page: http://simpsons-xxx.com/thesimpsonsporn01.jpg
NSFNSW
= Fail
The Sydney Morning Herald, a local newspaper? Well, yes, I guess so, in exactly the same way that the New York Times or Washington Post is.
In nearly every home in the US, let alone the world, the doorways are locked with $5 pieces of tin and maybe a tiny bolt of metal shoved through some wood. There is little challenge to defeat these locks, either through picking or just jostling the door open or breaking the jamb. Furthermore, it's often the case that the doors are not locked at all, or perhaps a window is left open, or unlocked, and it's just assumed that since it's a second story window, that nobody would try it.
So many of these homes are invaded by thieves. And yet, there is no question that those invading were violating a law.
If you enter a public place, rules tend to change. Despite the doors not being locked, I can walk into a grocery store and not feel like I've trespassed because it's a business and that's expected. However, I've often seen unmarked doors in dark corners of large stores, or even doors marked "Employee Only" or maybe an unlabeled staircase leading to who-knows-where. I know I'm not welcome in those areas, and if I entered one and was subsequently accosted for it, should I be shocked?
Now we start talking about computers, and their presence on public networks. To me this is some kind of bizarre combination of the two previous physical scenarios. The computers themselves are viewed as having the privacy rights of the house, whereas their offering and the environment in which they make the offer is more like the store, or even another unmentioned public situation: a public park. So how do we come to the conclusions we make? Why is "security by obscurity" not enough to justify criminal charges to those who would violate it?
Or, if you see things the other way, then I ask why you think that the public accessing a publicly offered machine is somehow unlawful, even if they are walking through those otherwise unmarked doors or looking for out-of-the way staircases?
Just because a person doesn't break a lock to get into a home doesn't mean it's not breaking and entering, and just because a door at a store is unmarked doesn't mean the person's trying to break the law either. In the internet, your computer is knowingly placed in the public arena with open attempts at making it easy for the public to find and access, yet somehow accessing an unadvertised part of that computer is a violation?
I don't think the answers are clear, but I do think some of the associated assumptions on both sides are questionable. It's interesting to think about at least. Who has the responsibility here: is it the site admin's responsibility to batten down every hatch, or is it reasonable to expect people not to snoop around? You tell me...
I read the script, and I think it would help my character's motivation if he was on fire. -Bender
But that will never happen. Let's ignore the fact that the Australian government couldn't intimidate a kitten, let alone an Australian, and think about that statement for a while.
You will not sleep well at all if everyone fears you; you are a threat to them, and people like to remove threats to them so that they can live without fear. Fear, you see, is a very powerful motivator and extremely chaotic (it will never work like you expect it to). In actual fact you will sleep very restlessly out of the fear of an uprising or the fear that your own subordinates will decide to top you and take your place.
Those who rule by fear are also ruled by fear, or if you would prefer, live by the sword, die by the sword.
Calling someone a "hater" only means you can not rationally rebut their argument.
I remember my first hack.
I was relatively young, maybe 13. It was when HOTMAIL was the thing. I had just entered seventh grade and changed into 'high school'. We had IT lessons in school and everybody was taught how to open up a hotmail account (it was the only commonly known free e-mail service back then).
I thought it was fun to change a character at the end of a hash (IIRC, this is years ago) and your account to someone else's account name in the URL when you were logged into your account.
This changed the inbox view to that other person's view. You could use it as if you had logged in as them. It was fun for maybe 10 minutes. Then my attention went elsewhere. I don't think I ever told an adult about it.
Was this a hack or not?
Please elaborate.
anyone who is foolish enough to put important documents in www.mysite.com/secretstuff deserves to have their "secret" stuff discovered.
In my state, if an area is not obviously private land, you have to post a "No Trespassing" sign. (Similarly, a business/gov't agency would have to mark an area "Restricted" or "Employees Only".)
If no sign is posted, and the police are called, the police inform you you're trespassing, give you a little paper to this effect, and if you come back, you're arrested. But if the property owner tells you to leave, and you do, you have committed no trespass.
I see this access of the Australian Government's documents as analogous to a hiker who was exploring public land and wandered into a private field. Without a fence or a posted sign, they had no way to know they were trespassing, and any charges to that effect would be easily overturned.
Without saying who I believe is actually right in this case, I can't help but wonder how it is different to brute force
http(s)://hostname/secret
and
http(s)://username:password@hostname/
since basically secret could equal user:password? In the second case, you know the secret has at least one known character.
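Two comments in this thread reason about guess counts as entropy: the one stating that 3,727 attempts corresponds to 12 bits and matches NIST's estimate for a 5-character user-selected password, and the one above asking how brute-forcing a secret path differs from brute-forcing `username:password`. The following is an added example written for this thread, not code from any poster or from NIST: it implements the base rule from Appendix A of NIST SP 800-63 (the 2006 edition the first comment refers to) for user-chosen passwords, without the composition-rule or dictionary-check bonuses that appendix also describes, and puts it beside the entropy of a uniformly random URL token. The alphabet sizes and the specific secrets compared are constructed for the demo.

```python
import math


def bits_for_guesses(attempts: int) -> float:
    """Entropy that `attempts` guesses would just cover: log2(attempts).
    3,727 guesses -> about 11.9 bits, which is where the '12 bits' comes from."""
    return math.log2(attempts)


def nist_user_password_bits(length: int) -> float:
    """Base estimate from NIST SP 800-63 (2006) Appendix A for a user-chosen
    password of `length` characters: 4 bits for the first character, 2 bits
    each for characters 2-8, 1.5 bits each for 9-20, 1 bit each after that.
    The appendix's bonuses for composition rules and dictionary checks are
    deliberately left out here."""
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits


def random_secret_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret drawn uniformly, e.g. a URL-safe base64 token
    (alphabet 64) of a given length: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def success_probability(attempts: int, bits: float) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly random secret of
    `bits` entropy: attempts / 2**bits, capped at 1."""
    return min(1.0, attempts / 2 ** bits)


def credential_bits(password_length: int, username_known: bool,
                    username_length: int = 0) -> float:
    """Entropy an attacker must overcome for user:password. The ':' is a known
    character and contributes nothing; if the username is already known (or
    enumerable) only the password counts, otherwise the username is treated
    as another user-chosen string and estimated the same way."""
    bits = nist_user_password_bits(password_length)
    if not username_known:
        bits += nist_user_password_bits(username_length)
    return bits


if __name__ == "__main__":
    attempts = 3727
    print(f"{attempts} guesses ~ {bits_for_guesses(attempts):.2f} bits")
    for length in (5, 8, 12):
        b = nist_user_password_bits(length)
        print(f"{length}-char user-chosen password ~ {b} bits, "
              f"P(hit in {attempts}) = {success_probability(attempts, b):.3f}")
    b = random_secret_bits(64, 12)
    print(f"12-char random URL token = {b} bits, "
          f"P(hit in {attempts}) = {success_probability(attempts, b):.2e}")
    print("user:password with known username, 8-char password:",
          credential_bits(8, username_known=True), "bits")
```

The arithmetic answers the comment's question: a secret path and a password are the same kind of secret, and what decides the outcome is how the secret was chosen. A 5-character user-chosen secret is about 12 bits, so 3,727 distinct guesses cover roughly 91% of its space, while a 12-character random token at 72 bits is out of reach of any guess count a web server would survive; the real weakness of the URL form is that it is a secret chosen for readability and copied everywhere a URL goes.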
It is amazing the newspaper was poking around for two days to research a story and the Aussie gov't didn't notice--that is scary. And the newspaper going into their back office to do research is pretty brassy and brash. Would think that would be illegal, as they don't own the website or have permissions. What if there is private information about the private citizens they were accessing? Yet they thought it was okay to keep going back in there... Sickening, no honor, no boundaries.