Slashdot Mirror

← Back to Stories (view on slashdot.org)

Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL

Posted by Soulskill on from the security-through-hurf-durf dept.

thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."

33 of 271 comments (clear)

  1. Was it... by The+Wild+Norseman · · Score: 5, Funny

    http://www.australia.gov.au/backdoor ?

    --
    "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
    1. Re:Was it... by tomhudson · · Score: 3, Informative
      It was : http://nswtransportblueprint.com.au/project

      And it's not open any more - nswtransportblueprint.com.au is now completely off-line.

      So they went from Security through Obscurity to Streisand Effect to Slashdot Effect ... but now that their server has melted, at least nobody can "hack" it, so I guess they're happy campers.

    2. Re:Was it... by Anonymous Coward · · Score: 5, Funny

      reminds me of the time i hacked my friend's fridge for a can of beer when he was out of the room for a moment

  2. Two Robots in Front of a Judge by eldavojohn · · Score: 5, Funny

    NSW Lawyer: You allege that the Sydney Morning Herald sent repeatedly sent liscivious requests to you, is that correct?
    NSW Server: *nods solemnly*
    NSW Lawyer: I see ... and just exactly how many times were you violated?
    NSW Server: *pauses and swallows loudly* Three ... three thousand seven hudred and twenty seven.
    *crowd gasps*
    NSW Lawyer: I see. Now, I know this is hard for you but could you please point to where, exactly, on this anatomically correct server doll the Sydney Morning Herald accessed you from.
    NSW Server: *turns the server doll over and motions to the ports* Here on the back, in my ethernet port.
    *sounds of disgust ripple through the crowd*
    NSW Lawyer: And what did he say to you when this was happening?
    NSW Server: GET.
    NSW Lawyer: 'GET' what?
    NSW Server: He just kept saying GET, GET, GET! GET this document. GET that document.
    NSW Lawyer: And did you get it for him?
    NSW Server: No it didn't exist! They just weren't there!
    NSW Lawyer: And what did you say exactly!
    NSW Server: 404! 404, goddammit, 404 ... *breaks down sobbing* I didn't know what he wanted from me until it was too late!!!
    NSW Lawyer: There there. There there, it's okay. You're safe now. *turns to the judge* Can we let this sort of gross injustice go unpunished in today's society? How long before this happens to your server? Or ... your child's server?! Huh?
    NSW Judge: *nods approvingly*
    NSW Lawyer: I rest my case.

    --
    My work here is dung.
    1. Re:Two Robots in Front of a Judge by kalirion · · Score: 3, Insightful

      If you put a billboard in a back alley, is it "private look only" just because you don't advertise its existence with a billboard on a major highway?

    2. Re:Two Robots in Front of a Judge by HungryHobo · · Score: 5, Insightful

      It's like getting an unlisted telephone number and using your secret plans as your answering machine message.
      Nothing like entering without permission.

  3. Re:Wouldn't it have been easier by miggyb · · Score: 3, Informative

    Google is already a dangerous hacker tool.

    --
    This signature serves no purpose other than to help you see which posts were made by me.
  4. Urgent notification to all: by 140Mandak262Jamuna · · Score: 5, Funny
    Dear NSW Transportation Dept Employee,

    We have enhanced the security of our secret intranet site with immediate effect. The new enhanced security intranet site is SECRETnswtransportblueprint.com Please update your bookmarks. To allow our braindead minister who can not remember a password and is frightened when confronted with a login dialog to use the site, we have disabled the login requirements for all. So please keep the url confidential.

    Signed

    Assistant to the Minister D Umbi Diot

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  5. Lock, what lock? by noidentity · · Score: 4, Insightful

    The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknobof an insecure office and make copies of highly confidential documents.'

    There, fixed that for you, Mr. Minister.

    1. Re:Lock, what lock? by RoFLKOPTr · · Score: 5, Insightful

      The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and kindly accept the highly confidential documents that the receptionist hands to you.'

      There, fixed that for you, Mr. Minister.

      There, fixed that for you.

    2. Re:Lock, what lock? by TexasTroy · · Score: 4, Insightful

      Incorrect. Burglary can still occur if you do not lock the door to your house. The problem here is that the govt posted material on something akin to an unfinished public street that is not (yet) on any my map and then complaining that someone drove onto it because they (the govt) didn't put up a sign/gate to keep people off of it.

  6. Reminds me of... by courteaudotbiz · · Score: 4, Interesting

    This reminds me of a case in Canada, where Passport Canada (the agency responsible for passport emission) was "hacked" by changing some numbers in the URL to get from one passport request details to the other, making very confidential information available to even the most basic hackers.

    However, no one was accused here, except the developpers of the solutions who were blamed. Now, Passport Canada still processes online passport requests, but applicants are no more able to view the details and advancement of their application online.

  7. Really? by Monkeedude1212 · · Score: 4, Insightful

    Are there no IT Pros that work for the government?

    I read stories like this and I think "Theres no way they could be monitoring my traffic, they can't even set up basic login authentication for their websites"

    1. Re:Really? by WrongSizeGlass · · Score: 4, Funny

      Are there no IT Pros that work for the government?

      Sadly, no ... they're all working for school districts in southern Pennsylvania.

    2. Re:Really? by digitalchinky · · Score: 3, Informative

      There are some terribly bright and technically minded people in government, particularly in the intelligence gathering fields (secret 3 letter agencies) - unfortunately they are not usually in positions of power or within ear shot of anyone that might easily comprehend what they are actually saying. I guess it's the same old problem everywhere - if 'Government' knew what they actually had behind their own closed doors, they'd be shocked, maybe even outraged :-)

      I spent a lot of years working for the defence signals directorate (Same as the NSA's, different acronym) - safe to say that those up at the top take about 5 to 10 years to actually understand what their underlings have been saying for the aforementioned 5 to 10 years. Ops Normal.

      The main problem is, as others have more eloquently said, right up at the top you get the boss saying "Just make it f'ing happen already" Be damned if they care about security. Thus the stunningly illogical knee jerk reaction to shut the barn door after the quadrupeds have already legged it, oh, and death sentences to the idiots that forged the door hinges, because we need to punish the wrong people in spectacular fashion to prove a point that nobody will ever understand.

  8. I love the name of the web hosting outfit: by hey! · · Score: 5, Insightful

    "Bang the Table".

    Methinks we have found a new tag for articles about politicians who are bit by their own stupid security practices. Release Word file with revision history still in it? Bang the table. Secret government data stolen because of malware you downloaded from a porn site? Bang the table.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  9. Question: by Pojut · · Score: 4, Interesting

    Is it even legally possible to bring up criminal charges, considering the URL was completely unsecured?

    --
    Living With a Nerd
    1. Re:Question: by OzPeter · · Score: 3, Insightful

      Its always possible to bring up charges .. whether they are warranted or provable is a totally different thing

      --
      I am Slashdot. Are you Slashdot as well?
  10. Re:Deja vu again once more by Yvanhoe · · Score: 3, Funny

    Yeah, at this time we were supposing governments would be a bit more cautious than schools.

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  11. Library analogy by vlm · · Score: 4, Funny

    'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.'

    Much more like checking 3727 shelves in the public library looking for a copy of "internet security for dummies"

    The funny part is both sides are fairly non-technical, meaning some "journalist" probably typed in all 3727 URLs.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Library analogy by nedlohs · · Score: 3, Informative

      Nothing like that at all.

      They were told the url by someone.

      They entered it into their browser and got a everyday normal web page.

      They clicked on the menu items and printed out the pages.

      No guessing involved. No typing (other than the initial url) involved.

      The 3727 is probably the number of request logs on the web server from them, counting all the images/css/js/etc files to make it look larger.

      If they were slightly technical they might have done:

      wget -m http://nswtransportblueprint.com.au/

      but that would be *more* typing...

  12. Entropy by michaelmalak · · Score: 3, Interesting
    Security by obscurity at its finest.

    At what point does obscurity become security? 3,727 attempts corresponds to 12 bits of entropy. According to NIST, that's the equivalent of a 5-character user-selected password. The same document stipulates a mere 10 bits of entropy for some applications.

    1. Re:Entropy by tomhudson · · Score: 3, Informative
      RTFA.

      They were given this url http://nswtransportblueprint.com.au/

      They went there.

      They hit Print

      They followed the pretty linkies

      They hit Print some more

      They wrote a story about it.

      No password dialog. No secret subdomain. No secret subdirectory. No login required. No user session or password. No .hosts entry. How is that "hacking"?

      There was no guesswork involved, so there was zero bits of entropy in this example, unless they were drunk at the time and had to retype it, in which case it's their own entropy pool, not the servers' /dev/urandom, that is being probed.

  13. Window analogy by realsilly · · Score: 3, Interesting

    Just because a house has windows and they aren't covered by curtains does not mean that by looking through the window and reading an important document left near the window that you're aren't stealing info. An unlocked door also doesn't mean you have the right to open it either. Both are wrong.

    Conversely, an unpublished website for a govt. agency... and they really thought that was secure? Buahhahhahhahhahha!

    --
    Life takes interesting turns, but the most interest is when you're off the beaten path.
    1. Re:Window analogy by Dunbal · · Score: 3, Interesting

      An unlocked door also doesn't mean you have the right to open it either.

            However, leaving your "secret info" in a public place, like say, the MIDDLE OF THE STREET, does not entitle you to any form of protection.

            No door was opened. The internet by definition is PUBLIC. That is the PURPOSE of the internet. If you create a website and put information on it that requires no authentication or other sort of credentials to access it, you have placed said information in the PUBLIC. Otherwise all search engines are repeatedly "hacking" every single site on the web. You know that there's a file called robots.txt that you can use to limit access from spiders. And you know there's something called a "password" to protect sensitive information.

            Not only is it inexcusable that a public office would commit such an act of negligence as putting (presumably) sensitive information in a place where it can be accessed by anyone, they compound their ignorance by trying to go after people who stumble across it. There have been a lot of ridiculous things happening in Australia lately, but this one takes the cake.

      --
      Seven puppies were harmed during the making of this post.
  14. Re:fuckfuck by Gerzel · · Score: 4, Insightful

    But your method doesn't take into account the time it takes an M&M to rest and get into full fighting form between bouts. Thus if the first M&M you come across is the strongest it is still likely to lose simply because it has to face fresh competitor after competitor. Even your fingers raise the core temperature of the competitor high enough after a few bouts to induce softening leaving the M&M weaker against its rested cooler-cored foe.

    Solution: Set up a randomized tournament system where you take two M&Ms at random from the rested pack, test them, and put the winner in a separate pile to rest until the pack is empty. Then repeat tournament again between the now rested victors of the first round. Repeat until there is only one.

  15. Still not far enough. by zippthorne · · Score: 5, Insightful
    More like,

    The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn their own head in a busy, public marketplace and look at a billboard.'

    Don't want people reading your web site? Put it behind a login. Anything else is just sophistry to cover up incompetence. Web sites are advertisements first and foremost. The whole point is to make it possible for as many people as possible to read your thing. If you want to exclude certain people from being able to view it, then you shouldn't just put a billboard up where you think it's out of the way and hope nobody notices, you should put it behind a door which requires a key to get in.

    --
    Can you be Even More Awesome?!
  16. Re:tubes from their door to my keyboard by Nadaka · · Score: 4, Insightful

    How about a car analogy?

    This isn't like breaking the window on a Civic and tearing out the stereo system that cost more than the car.

    This isn't like opening the unlocked door on a Prius and and taking someones cd collection they left on the passenger seat.

    This isn't like reaching through the open window of a hummer and snatching a stick of gum.

    This is like getting on a public bus, and using your cell phone to snap pictures of the graffiti on the wall.

  17. Re:Wouldn't it have been easier by SatanicPuppy · · Score: 5, Insightful

    The problem with that analogy is that passwords are by default 2 factor authentication: you need a username and a password.

    That's not really the case with a url. A better analogy would be walking around a building on a public street, and looking in windows. It's legal, but morally suspect.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  18. Proposal for Australia by elrous0 · · Score: 5, Funny

    Considering all the anti-internet, anti-gaming, anti-pron laws and sentiment that seems to have become so pervasive in Australia recently (much to the delight of /. editors, who have had no shortage of great front page stories from there recently) I propose that Australia must, to protect its citizens from the immoral influence of the internet, REMOVE ITSELF FROM THE INTERNET IMMEDIATELY. It's the only way to be sure.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  19. Re:Wouldn't it have been easier by GizmoToy · · Score: 5, Insightful

    I wouldn't call putting something up on the internet, completely out in the open with no protection whatsoever, and then simply hoping no one will find it because you didn't announce its presence, "essentially a password".

    If the internet is a forest and I protect my valuables by sitting them underneath a tree far from civilization and tell no one they're there, should I be mad if someone looking around the forest for valuables takes them all? No. Either you don't put your valuables in the forest or you put them in a big honking safe that no one can break into or walk off with.

  20. Re:Wouldn't it have been easier by paiute · · Score: 4, Insightful

    A secret URL is essentially a password

    More like an unlisted phone number.

    --
    If Slashdot were chemistry it would look like this:Cadaverine
  21. Re:Wouldn't it have been easier by schon · · Score: 5, Informative

    Sorry, but the submitter got at wrong.

    No, you did.

    A secret URL is essentially a password

    Wrong. There is no such thing as a 'secret' URL. This was an unpublished URL, which is not the same thing as a secret.

    A secret is something that everybody involved knows not to divulge. A HTTP URL is transmitted in plaintext, URLs are stored in plaintext in your browser's history, they are sent as a referrer when you click on a link in a page or when you load an external element, they are stored in plaintext in your server's logs - they are the exact opposite of secret.