Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL

thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."
  • by miggyb ( 1537903 ) on Tuesday February 23, 2010 @12:05PM (#31245244) Homepage
    Google is already a dangerous [johnbokma.com] hacker [google.com] tool.
  • Bang the Table???? (Score:3, Informative)

    by 140Mandak262Jamuna ( 970587 ) on Tuesday February 23, 2010 @12:20PM (#31245408) Journal
    The article mentions the hosting company is called Bang the table. Where have I heard that before?

    Yup, recently someone in pandasthumb.org quoted someone famous saying, "If the law is on your side, bang on the law, If facts are on your side, bang on the facts, if neither, bang on the table".

  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Tuesday February 23, 2010 @12:39PM (#31245666)
    Comment removed based on user account deletion
  • Re:Library analogy (Score:4, Informative)

    by nedlohs ( 1335013 ) on Tuesday February 23, 2010 @12:53PM (#31245944)

    Nothing like that at all.

    They were told the url by someone.

    They entered it into their browser and got an everyday normal web page.

    They clicked on the menu items and printed out the pages.

    No guessing involved. No typing (other than the initial url) involved.

    The 3727 is probably the number of request logs on the web server from them, counting all the images/css/js/etc files to make it look larger.

    If they were slightly technical they might have done:

    wget -m http://nswtransportblueprint.com.au/

    but that would be *more* typing...

  • Re:Was it... (Score:4, Informative)

    by tomhudson ( 43916 ) on Tuesday February 23, 2010 @12:58PM (#31246072) Journal
    It was: http://nswtransportblueprint.com.au/project

    And it's not open any more - nswtransportblueprint.com.au is now completely off-line.

    So they went from Security through Obscurity to Streisand Effect to Slashdot Effect ... but now that their server has melted, at least nobody can "hack" it, so I guess they're happy campers.

  • Re:Answer: (Score:3, Informative)

    by tomhudson ( 43916 ) on Tuesday February 23, 2010 @01:15PM (#31246310) Journal

    Sorry, but your argument fails almost immediately.

    The url had already been "published" in the legal sense - as soon as someone leaked it to the reporters. There was no guesswork here. The reporters are part of the general public, and the disclosing of the url, without a prior agreement to keep it confidential, meets the legal definition of "to publish", same as a defamation suit only needs the words to be "published" to any 3rd party, not the entire population.

  • by schon ( 31600 ) on Tuesday February 23, 2010 @01:24PM (#31246466)

    Sorry, but the submitter got it wrong.

    No, you did.

    A secret URL is essentially a password

    Wrong. There is no such thing as a 'secret' URL. This was an unpublished URL, which is not the same thing as a secret.

    A secret is something that everybody involved knows not to divulge. An HTTP URL is transmitted in plaintext, URLs are stored in plaintext in your browser's history, they are sent as a referrer when you click on a link in a page or when you load an external element, they are stored in plaintext in your server's logs - they are the exact opposite of secret.

  • Re:Entropy (Score:4, Informative)

    by tomhudson ( 43916 ) on Tuesday February 23, 2010 @01:25PM (#31246478) Journal
    RTFA.

    They were given this url http://nswtransportblueprint.com.au/

    They went there.

    They hit Print

    They followed the pretty linkies

    They hit Print some more

    They wrote a story about it.

    No password dialog. No secret subdomain. No secret subdirectory. No login required. No user session or password. No .hosts entry. How is that "hacking"?

    There was no guesswork involved, so there were zero bits of entropy in this example, unless they were drunk at the time and had to retype it, in which case it's their own entropy pool, not the server's /dev/urandom, that is being probed.

  • by Anonymous Coward on Tuesday February 23, 2010 @01:31PM (#31246588)

    A string anybody can guess with enough persistence? Why even bother with the "correction"? Passwords have the same weakness as "unlisted numbers" and "secret URLs". They mitigate it by using enormous key spaces. URL key spaces are of comparable size to password key spaces. The problem is using a crap secret, not merely keeping a secret.

  • Re:Lock, what lock? (Score:3, Informative)

    by Ltap ( 1572175 ) on Tuesday February 23, 2010 @02:00PM (#31247118) Homepage
    The summary is actually misleading. They act like the newspaper brute-forced it - in reality, someone else found it first and just gave them the link. The "3,727 requests from different IPs" weren't some kind of botnet, they were just 3,727 people all accessing the blueprints that some guy found. That doesn't say that the newspaper was doing anything nefarious - just that the plans were absurdly, childishly easy to find.
  • Re:Answer: (Score:3, Informative)

    by tomhudson ( 43916 ) on Tuesday February 23, 2010 @04:26PM (#31249736) Journal

    Sorry, but your argument fails immediately.

    RTFA. Nobody leaked the URL to reporters. Reporters guessed URLs until they hit on one.

    But I guess the moderators are in wishful thinking mode today, so you got an up-mod for a non sequitur.

    Also, you should probably learn to do a better job identifying who the enemy is. Jumping down my throat for pointing out unfortunate realities of the current legal landscape isn't helping you.

    You are sooo full of crap. Instead of reading the comments and telling me to RTFA, go RTFA yourself, like I did. They didn't have to guess a url. They were given the base url, and that was ALL that anyone needed to get access to every other page, same as http://slashdot.org/ gives you access to this site's contents. Don't you know how the web works yet?

  • Re:Entropy (Score:3, Informative)

    by canajin56 ( 660655 ) on Tuesday February 23, 2010 @07:25PM (#31252460)
    You're making the mistake of believing the Slashdot summary, instead of reading TFA. There was no trial and error involved. They were given a tip that a public government website had information they might find useful. The 3,727 "attempts" that Slashdot reports are 3,727 "hits on the firewall" according to TFA. All of those "hits" were allowed through. They didn't do a dictionary attack on an existing website hoping to find secret subdirectories that weren't linked to. They just followed links inside the main page, to various subpages. The government asserts that typing in a URL was a hack attempt, and each time they clicked a link it was also a hack attempt, some of which led to "classified" information. To repeat, it wasn't 3,726 404 errors followed by "YES, VALID URL!"; it was 3,727 total scripts, HTML pages, images and CSS files as they browsed through a link somebody emailed them.
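Both nedlohs and canajin56 above argue that a "hit count" of 3,727 says nothing about guessing: ordinary browsing of a few pages generates many requests for images, CSS and scripts, all answered with 200, whereas URL enumeration shows up in a server log as a run of 404s. The script below is an added example, not from the original thread or from the newspaper or government, that makes this distinction from a web server's own access log; the log lines are constructed samples (the 203.0.113.0/24 and 198.51.100.0/24 addresses and the sub-paths other than /project are invented).

```python
import re
from collections import Counter

# Constructed combined-format access log (sample data, not the real server's log).
SAMPLE_LOG = """\
203.0.113.10 - - [22/Feb/2010:10:01:02 +1100] "GET /project HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Feb/2010:10:01:02 +1100] "GET /css/site.css HTTP/1.1" 200 812 "http://nswtransportblueprint.com.au/project" "Mozilla/5.0"
203.0.113.10 - - [22/Feb/2010:10:01:03 +1100] "GET /js/menu.js HTTP/1.1" 200 2300 "http://nswtransportblueprint.com.au/project" "Mozilla/5.0"
203.0.113.10 - - [22/Feb/2010:10:01:03 +1100] "GET /img/logo.png HTTP/1.1" 200 9000 "http://nswtransportblueprint.com.au/project" "Mozilla/5.0"
203.0.113.10 - - [22/Feb/2010:10:01:20 +1100] "GET /project/rail HTTP/1.1" 200 7000 "http://nswtransportblueprint.com.au/project" "Mozilla/5.0"
203.0.113.10 - - [22/Feb/2010:10:01:21 +1100] "GET /img/logo.png HTTP/1.1" 304 0 "http://nswtransportblueprint.com.au/project/rail" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2010:10:05:00 +1100] "GET /admin HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2010:10:05:01 +1100] "GET /secret HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
ASSET_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".ico")


def parse(log_text):
    """Return one dict per parseable log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]


def classify_by_ip(rows):
    """Per client IP, count page views, embedded asset loads and 404s."""
    per_ip = {}
    for r in rows:
        c = per_ip.setdefault(r["ip"], Counter())
        if r["status"] == "404":
            c["not_found"] += 1          # a miss: the only thing guessing produces
        elif r["path"].lower().endswith(ASSET_EXT):
            c["asset"] += 1              # browser fetching what the page told it to
        else:
            c["page"] += 1               # a page the client actually viewed
    return per_ip


def looks_like_enumeration(counts):
    """Heuristic: more misses than successful page and asset loads means URL guessing."""
    return counts["not_found"] > counts["page"] + counts["asset"]


def guessing_ratio(rows):
    """Share of all requests that were 404s; near zero for ordinary browsing."""
    return sum(r["status"] == "404" for r in rows) / len(rows) if rows else 0.0
```

On the sample, the first client's six hits are two page views plus four asset loads (a normal browse of one linked page), while the second client's two hits are both 404s.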
