Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL
thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."
This reminds me of a case in Canada, where Passport Canada (the agency responsible for passport issuance) was "hacked" by changing some numbers in the URL to get from one passport request's details to another's, making very confidential information available to even the most basic hackers.
However, no one was accused here, except the developers of the solutions, who were blamed. Now, Passport Canada still processes online passport requests, but applicants are no longer able to view the details and advancement of their application online.
Is it even legally possible to bring up criminal charges, considering the URL was completely unsecured?
Living With a Nerd
At what point does obscurity become security? 3,727 attempts correspond to 12 bits of entropy. According to NIST, that's the equivalent of a 5-character user-selected password. The same document stipulates a mere 10 bits of entropy for some applications.
Just because a house has windows and they aren't covered by curtains does not mean that by looking through the window and reading an important document left near the window you aren't stealing info. An unlocked door also doesn't mean you have the right to open it either. Both are wrong.
Conversely, an unpublished website for a govt. agency... and they really thought that was secure? Buahhahhahhahhahha!
Life takes interesting turns, but the most interest is when you're off the beaten path.