Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL

thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."

12 of 271 comments

  1. Re:Wouldn't it have been easier by miggyb · · Score: 3, Informative

    Google is already a dangerous hacker tool.

    --
    This signature serves no purpose other than to help you see which posts were made by me.
  2. Bang the Table???? by 140Mandak262Jamuna · · Score: 2, Informative
    The article mentions the hosting company is called Bang the table. Where have I heard that before?

    Yup, recently someone on pandasthumb.org quoted someone famous saying, "If the law is on your side, bang on the law; if the facts are on your side, bang on the facts; if neither, bang on the table."

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  3. Re:Really? by digitalchinky · · Score: 3, Informative

    There are some terribly bright and technically minded people in government, particularly in the intelligence-gathering fields (secret three-letter agencies) - unfortunately they are not usually in positions of power or within earshot of anyone who might easily comprehend what they are actually saying. I guess it's the same old problem everywhere - if 'Government' knew what they actually had behind their own closed doors, they'd be shocked, maybe even outraged :-)

    I spent a lot of years working for the Defence Signals Directorate (same as the NSA, different acronym) - safe to say that those up at the top take about 5 to 10 years to actually understand what their underlings have been saying for the aforementioned 5 to 10 years. Ops normal.

    The main problem is, as others have more eloquently said, right up at the top you get the boss saying "Just make it f'ing happen already" Be damned if they care about security. Thus the stunningly illogical knee jerk reaction to shut the barn door after the quadrupeds have already legged it, oh, and death sentences to the idiots that forged the door hinges, because we need to punish the wrong people in spectacular fashion to prove a point that nobody will ever understand.

  4. Re:Library analogy by nedlohs · · Score: 3, Informative

    Nothing like that at all.

    They were told the url by someone.

    They entered it into their browser and got an everyday normal web page.

    They clicked on the menu items and printed out the pages.

    No guessing involved. No typing (other than the initial url) involved.

    The 3727 is probably the number of request logs on the web server from them, counting all the images/css/js/etc files to make it look larger.

    If they were slightly technical they might have done:

    wget -m http://nswtransportblueprint.com.au/

    but that would be *more* typing...

  5. Re:Was it... by tomhudson · · Score: 3, Informative
    It was : http://nswtransportblueprint.com.au/project

    And it's not open any more - nswtransportblueprint.com.au is now completely off-line.

    So they went from Security through Obscurity to Streisand Effect to Slashdot Effect ... but now that their server has melted, at least nobody can "hack" it, so I guess they're happy campers.

  6. Re:Answer: by tomhudson · · Score: 2, Informative

    Sorry, but your argument fails almost immediately.

    The url had already been "published" in the legal sense - as soon as someone leaked it to the reporters. There was no guesswork here. The reporters are part of the general public, and the disclosing of the url, without a prior agreement to keep it confidential, meets the legal definition of "to publish", same as a defamation suit only needs the words to be "published" to any 3rd party, not the entire population.

  7. Re:Wouldn't it have been easier by schon · · Score: 5, Informative

    Sorry, but the submitter got it wrong.

    No, you did.

    A secret URL is essentially a password

    Wrong. There is no such thing as a 'secret' URL. This was an unpublished URL, which is not the same thing as a secret.

    A secret is something that everybody involved knows not to divulge. An HTTP URL is transmitted in plaintext, URLs are stored in plaintext in your browser's history, they are sent as a referrer when you click on a link in a page or when you load an external element, they are stored in plaintext in your server's logs - they are the exact opposite of secret.

  8. Re:Entropy by tomhudson · · Score: 3, Informative
    RTFA.

    They were given this url http://nswtransportblueprint.com.au/

    They went there.

    They hit Print

    They followed the pretty linkies

    They hit Print some more

    They wrote a story about it.

    No password dialog. No secret subdomain. No secret subdirectory. No login required. No user session or password. No .hosts entry. How is that "hacking"?

    There was no guesswork involved, so there were zero bits of entropy in this example, unless they were drunk at the time and had to retype it, in which case it's their own entropy pool, not the server's /dev/urandom, that is being probed.

  9. Re:Wouldn't it have been easier by Anonymous Coward · · Score: 1, Informative

    A string anybody can guess with enough persistence? Why even bother with the "correction"? Passwords have the same weakness as "unlisted numbers" and "secret URLs". They mitigate it by using enormous key spaces. URL key spaces are of comparable size to password key spaces. The problem is using a crap secret, not merely keeping a secret.
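
    The key-space argument above, worked through in numbers. This is an added example, not code from the thread or from the site involved: it compares a path that an attacker can enumerate from a directory wordlist (the assumed wordlist size of 10,000 names and the assumed guessing rate of 1,000 requests per second are illustrative, not figures from the story) against a URL whose last segment is 16 bytes from a CSPRNG, and shows what an unpublished URL has to look like before "unpublished" means anything. The caveat from the earlier comment still applies: even a 128-bit token in a URL leaks via Referer headers, browser history and server logs, so it needs a Referrer-Policy and the same handling as any other bearer token.

```python
import math
import secrets


def guess_space_bits(candidates):
    """Bits of entropy in a secret drawn from a space an attacker can enumerate
    (e.g. a path picked from a directory wordlist of `candidates` names)."""
    return math.log2(candidates)


def token_bits(nbytes):
    """Bits of entropy in `nbytes` of CSPRNG output placed in the URL path."""
    return 8 * nbytes


def expected_guesses(bits):
    """Average number of attempts to hit a uniformly random secret: half the space."""
    return 2.0 ** (bits - 1)


def expected_seconds(bits, requests_per_second):
    """Wall-clock time to succeed on average at a given guessing rate."""
    return expected_guesses(bits) / requests_per_second


def compare(wordlist_size, token_nbytes, requests_per_second):
    """Side by side: a wordlist-guessable path versus a random-token path.
    All three inputs are assumptions chosen by the caller, not measured values."""
    weak = guess_space_bits(wordlist_size)
    strong = token_bits(token_nbytes)
    return {
        "weak_bits": weak,
        "weak_seconds": expected_seconds(weak, requests_per_second),
        "strong_bits": strong,
        "strong_years": expected_seconds(strong, requests_per_second) / (365.25 * 86400),
    }


def capability_url(base, nbytes=16):
    """An unpublished URL that is an actual secret: 16 random bytes (128 bits),
    URL-safe base64 encoded, as the last path segment.
    It still leaks through Referer headers, history and logs (see the thread),
    so serve it with a Referrer-Policy and treat it like a bearer token.
    `base` is whatever prefix the caller chooses; example.test below is a placeholder."""
    return base.rstrip("/") + "/" + secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # ~13.3 bits -> about 5 seconds at 1,000 req/s; 128 bits -> ~5e27 years.
    print(compare(10_000, 16, 1_000))
    print(capability_url("https://example.test/project"))
```

Run it as-is; the first line printed shows why a guessable name like /project is not a secret at any request rate, and the second shows the shape of a path that is.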

  10. Re:Lock, what lock? by Ltap · · Score: 2, Informative

    The summary is actually misleading. They act like the newspaper bruteforced it - in reality, someone else found it first and just gave them the link. The "3,727 requests from different IPs" weren't some kind of botnet, they were just 3,727 people all accessing the blueprints that some guy found. That doesn't say that the newspaper was doing anything nefarious - just that the plans were absurdly, childishly easy to find.

    --
    Yet Another Tech Blog
    (but so much more, including game and movie reviews)
    http://yanteb.peasantoid.org
  11. Re:Answer: by tomhudson · · Score: 2, Informative

    Sorry, but your argument fails immediately.

    RTFA. Nobody leaked the URL to reporters. Reporters guessed URLs until they hit on one.

    But I guess the moderators are in wishful thinking mode today, so you got an up-mod for a non sequitur.

    Also, you should probably learn to do a better job identifying who the enemy is. Jumping down my throat for pointing out unfortunate realities of the current legal landscape isn't helping you.

    You are sooo full of crap. Instead of reading the comments and telling me to RTFA, go RTFA yourself, like I did. They didn't have to guess a URL. They were given the base URL, and that was ALL that anyone needed to get access to every other page, same as http://slashdot.org/ gives you access to this site's contents. Don't you know how the web works yet?

  12. Re:Entropy by canajin56 · · Score: 2, Informative

    You're making the mistake of believing the Slashdot summary, instead of reading TFA. There was no trial and error involved. They were given a tip that a public government website had information they might find useful. The 3,727 "attempts" that Slashdot reports are 3,727 "hits on the firewall" according to TFA. All of those "hits" were allowed through. They didn't do a dictionary attack on an existing website hoping to find secret subdirectories that weren't linked to. They just followed links inside the main page, to various subpages. The government asserts that typing in a URL was a hack attempt, and each time they clicked a link it was also a hack attempt, some of which led to "classified" information. To repeat, it wasn't 3,726 404 errors, followed by "YES, VALID URL!" It was 3,727 total scripts, HTML pages, images and CSS files as they browsed through a link somebody emailed them.

    --
    ASCII stupid question, get a stupid ANSI
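
    The distinction the last few comments keep making (3,727 hits as a browser fetching linked pages and their assets, versus 3,727 guesses at unlinked names) is something a web server log settles directly. Below is an added example, not code from the thread or from the site involved: a small triage pass over combined-format access log lines that groups requests by client and labels a session "enumeration" when it is mostly 404s with no page-asset pattern, and "browsing" when it is mostly successful fetches of pages and their CSS/images with Referer headers. The log lines are constructed for the example (the addresses, timestamps and paths are made up); the hostname example.test in the Referer fields is a placeholder, and the thresholds are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; fields we don't need are matched but ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sub-resources a browser fetches on its own while rendering a page.
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg", ".woff", ".woff2")

# Constructed sample traffic (not real logs): one client following links from the
# front page, one client guessing directory names until one answers 200.
SAMPLE_LOG = """\
198.51.100.10 - - [12/Nov/2010:10:00:01 +1100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.10 - - [12/Nov/2010:10:00:01 +1100] "GET /style.css HTTP/1.1" 200 800 "http://example.test/" "Mozilla/5.0"
198.51.100.10 - - [12/Nov/2010:10:00:02 +1100] "GET /logo.png HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"
198.51.100.10 - - [12/Nov/2010:10:00:09 +1100] "GET /project HTTP/1.1" 200 7000 "http://example.test/" "Mozilla/5.0"
198.51.100.10 - - [12/Nov/2010:10:00:10 +1100] "GET /project/page1 HTTP/1.1" 200 6000 "http://example.test/project" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2010:11:00:00 +1100] "GET /admin HTTP/1.1" 404 300 "-" "python-requests/2.0"
203.0.113.7 - - [12/Nov/2010:11:00:00 +1100] "GET /backup HTTP/1.1" 404 300 "-" "python-requests/2.0"
203.0.113.7 - - [12/Nov/2010:11:00:00 +1100] "GET /secret HTTP/1.1" 404 300 "-" "python-requests/2.0"
203.0.113.7 - - [12/Nov/2010:11:00:01 +1100] "GET /test HTTP/1.1" 404 300 "-" "python-requests/2.0"
203.0.113.7 - - [12/Nov/2010:11:00:01 +1100] "GET /project HTTP/1.1" 200 7000 "-" "python-requests/2.0"
"""


def parse_log(text):
    """Yield a dict per line that matches the combined format; skip malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(records):
    """Per-client counters: total hits, 404s, asset fetches, distinct paths, hits with a Referer."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "assets": 0,
                                 "paths": set(), "referred": 0})
    for r in records:
        s = stats[r["ip"]]
        s["total"] += 1
        s["paths"].add(r["path"])
        if r["status"] == "404":
            s["not_found"] += 1
        if r["path"].lower().endswith(ASSET_EXT):
            s["assets"] += 1
        if r["referer"] != "-":
            s["referred"] += 1
    return stats


def classify(s, miss_threshold=0.5, min_requests=4):
    """
    'enumeration': mostly 404s and no asset fetches -> someone is guessing names.
    'browsing':    mostly 200s, assets and/or Referer headers -> following links.
    'unknown':     too few requests to say; a handful of 404s is normal anywhere.
    Thresholds are assumptions for the example, not tuned values.
    """
    if s["total"] < min_requests:
        return "unknown"
    miss_rate = s["not_found"] / s["total"]
    if miss_rate >= miss_threshold and s["assets"] == 0:
        return "enumeration"
    return "browsing"


def triage(text):
    """Map each client address in the log text to its session label."""
    return {ip: classify(s) for ip, s in summarize(parse_log(text)).items()}


if __name__ == "__main__":
    for ip, s in summarize(parse_log(SAMPLE_LOG)).items():
        print(ip, s["total"], "requests,", s["not_found"], "x 404,",
              len(s["paths"]), "paths,", classify(s))
```

A hit count on its own says nothing; the 404 ratio, the presence of CSS and image fetches, and whether requests carry a Referer from a page on the same site are what separate "printed the linked pages" from "tried names until one worked". On a real log the thresholds and the asset list need adjusting, and a guessing client that also loads assets would need a distinct-path-to-404 measure rather than the simple rule here.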