Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
It's funny.  Laugh. The Media Australia Government Your Rights Online

Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL 271

thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."
This discussion has been archived. No new comments can be posted.

Newspaper "Hacks Into" Aussie Gov't Website By Guessing URL

Comments Filter:
  • To just Google what they wanted to know? Google even has a "url" specifier!
    • Re: (Score:3, Informative)

      by miggyb ( 1537903 )
      Google is already a dangerous [johnbokma.com] hacker [google.com] tool.
  • Was it... (Score:5, Funny)

    by The Wild Norseman ( 1404891 ) <tw@norseman.gmail@com> on Tuesday February 23, 2010 @11:01AM (#31245196)
  • by eldavojohn ( 898314 ) * <eldavojohnNO@SPAMgmail.com> on Tuesday February 23, 2010 @11:04AM (#31245226) Journal
    NSW Lawyer: You allege that the Sydney Morning Herald sent repeatedly sent liscivious requests to you, is that correct?
    NSW Server: *nods solemnly*
    NSW Lawyer: I see ... and just exactly how many times were you violated?
    NSW Server: *pauses and swallows loudly* Three ... three thousand seven hudred and twenty seven.
    *crowd gasps*
    NSW Lawyer: I see. Now, I know this is hard for you but could you please point to where, exactly, on this anatomically correct server doll the Sydney Morning Herald accessed you from.
    NSW Server: *turns the server doll over and motions to the ports* Here on the back, in my ethernet port.
    *sounds of disgust ripple through the crowd*
    NSW Lawyer: And what did he say to you when this was happening?
    NSW Server: GET.
    NSW Lawyer: 'GET' what?
    NSW Server: He just kept saying GET, GET, GET! GET this document. GET that document.
    NSW Lawyer: And did you get it for him?
    NSW Server: No it didn't exist! They just weren't there!
    NSW Lawyer: And what did you say exactly!
    NSW Server: 404! 404, goddammit, 404 ... *breaks down sobbing* I didn't know what he wanted from me until it was too late!!!
    NSW Lawyer: There there. There there, it's okay. You're safe now. *turns to the judge* Can we let this sort of gross injustice go unpunished in today's society? How long before this happens to your server? Or ... your child's server?! Huh?
    NSW Judge: *nods approvingly*
    NSW Lawyer: I rest my case.
  • by 140Mandak262Jamuna ( 970587 ) on Tuesday February 23, 2010 @11:06AM (#31245246) Journal
    Dear NSW Transportation Dept Employee,

    We have enhanced the security of our secret intranet site with immediate effect. The new enhanced security intranet site is SECRETnswtransportblueprint.com Please update your bookmarks. To allow our braindead minister who can not remember a password and is frightened when confronted with a login dialog to use the site, we have disabled the login requirements for all. So please keep the url confidential.

    Signed

    Assistant to the Minister D Umbi Diot

    • This is modded funny, and it is, but it's also most likely true. Having been in the same situation with a prominent UK gov site I can confirm that it was frequently the practise to put unpublished URLs live without authentication so that the high-ups could access them (we had dev and test environments but their firewalls were locked down and their IT guys wouldn't open them up, they were loathe to open them even for the people who needed them for development and testing!).

      Eventually after the URLs escaped a

  • by Hognoxious ( 631665 ) on Tuesday February 23, 2010 @11:06AM (#31245252) Homepage Journal

    Wasn't there a story like this about ten years ago, but it was something concerning grades or test scores on a college website?

    • by Yvanhoe ( 564877 ) on Tuesday February 23, 2010 @11:17AM (#31245380) Journal
      Yeah, at this time we were supposing governments would be a bit more cautious than schools.
  • Lock, what lock? (Score:4, Insightful)

    by noidentity ( 188756 ) on Tuesday February 23, 2010 @11:06AM (#31245254)

    The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknobof an insecure office and make copies of highly confidential documents.'

    There, fixed that for you, Mr. Minister.

    • by Obyron ( 615547 )
      Even that doesn't work. At least in most of the US, you can still be considered "breaking and entering" even if the door is ajar, and you push it open. It's going into a place where you're not permitted for the purpose of committing a felony. The analogy here is more like being told there's a really juicy part in a book, so you flip through until you find the page. The author tries to sue you for circumventing his copyright protection, which was not putting a number on the page.
      • Exactly, logic says if you don't want it read by the public, don't host it on a public webserver. There are plenty of analogies here, but you're right, there was no lock or even a partially closed door. This doesn't equate well to the physical world unless you want to say they were invited into the room with no door on it, a room filled with artworks, and under a few of the paintings is a small sign with fine print that says 'please don't look at this painting'. Some of us are getting used to standards in w

      • FTA:
        - We got a tip on Friday that you could read the government's transport plan by accessing a website called, unsurprisingly, nswtransportblueprint.com.au.

        - Even we did not need help to type in those letters. No password was requested or offered.

        - Instead we were confronted with a dream menu for any reporter: rail services, cycleways, walking and cycling, bus services, paying and road network.

        So the analogy here is being told there's a really juicy book in a library at this specific location, but the book

    • by RoFLKOPTr ( 1294290 ) on Tuesday February 23, 2010 @11:21AM (#31245430)

      The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and kindly accept the highly confidential documents that the receptionist hands to you.'

      There, fixed that for you, Mr. Minister.

      There, fixed that for you.

      • Re: (Score:3, Insightful)

        by cowbutt ( 21077 )

        The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to a single attempt to turn the doorknob of an insecure office and kindly accept the 3,727 highly confidential documents that the receptionist hands to you.'

        There, fixed that for you, Mr. Minister.

        There, fixed that for you.

        Having RTFA, I fixed that for you. Doesn't look like there was any brute-forcing of the URL involved, just surfing around retrieving pages and images.

        • Re: (Score:3, Informative)

          by Ltap ( 1572175 )
          The summary is actually misleading. They act like the newspaper bruteforced it - in reality, someone else found it first and just gave them the link. The "3,727 requests from different IPs" weren't some kind of botnet, they were just 3,727 people all accessing the blueprints that some guy found. That doesn't say that the newspaper was doing anything nefarious - just that the plans were absurdly, childishly easy to find.
    • by TexasTroy ( 1701144 ) on Tuesday February 23, 2010 @11:25AM (#31245504)
      Incorrect. Burglary can still occur if you do not lock the door to your house. The problem here is that the govt posted material on something akin to an unfinished public street that is not (yet) on any my map and then complaining that someone drove onto it because they (the govt) didn't put up a sign/gate to keep people off of it.
      • No analogy needed (Score:3, Interesting)

        by TWX ( 665546 )
        There's no need for analogies for what the government did. They flatly [i]published[/i] something, didn't bother to tell anyone they published it or where they published it, and got mad when someone found their published work, read it, and presumably reported what they read and helped others to find that publication. I've always looked at posting to a website as publishing in the loosest of senses. It's certainly vanity publishing in the vast, vast majority of cases, but the entire point of putting somet
    • that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and make copies of highly confidential documents.

      Makes you wonder if the reporter had typed in "http://nswtransportblueprint.com.au/project" on the first try instead of the 3,727th try, would the government have been okay with that? If a reporter were outside an unlocked government door, pawing it 3,727 times before successfully opening it, that would be pretty strange, but doesn't change anything.

      • I RTFA, it was the first try. They were tipped off, entered this address: http://nswtransportblueprint.com.au/ [nswtranspo...int.com.au] there was no login or any other user verification, so they then clicked on all the links, downloading each page as it was served to them.

        In other words, (again I RTFA) the site was supposed to go public a few days later - they just got there early and scooped everyone else, being the evil ink-stained wretches that they are :-)

    • Re: (Score:3, Insightful)

      by elrous0 ( 869638 ) *
      Actually, it's more like "I hid the document in what I thought was a secret spot, in a public park. Someone discovered it there and started talking about it with their friends."
    • It's like getting an unlisted telephone number and using your secret plans as your answering machine message.

      Nothing about attempts to turn the doorknobof an insecure office and make copies of highly confidential documents

  • Reminds me of... (Score:5, Interesting)

    by courteaudotbiz ( 1191083 ) on Tuesday February 23, 2010 @11:07AM (#31245270) Homepage
    This reminds me of a case in Canada, where Passport Canada (the agency responsible for passport emission) was "hacked" by changing some numbers in the URL to get from one passport request details to the other, making very confidential information available to even the most basic hackers.

    However, no one was accused here, except the developpers of the solutions who were blamed. Now, Passport Canada still processes online passport requests, but applicants are no more able to view the details and advancement of their application online.
  • Really? (Score:5, Insightful)

    by Monkeedude1212 ( 1560403 ) on Tuesday February 23, 2010 @11:07AM (#31245276) Journal

    Are there no IT Pros that work for the government?

    I read stories like this and I think "Theres no way they could be monitoring my traffic, they can't even set up basic login authentication for their websites"

    • Re:Really? (Score:5, Funny)

      by WrongSizeGlass ( 838941 ) on Tuesday February 23, 2010 @11:29AM (#31245526)

      Are there no IT Pros that work for the government?

      Sadly, no ... they're all working for school districts in southern Pennsylvania.

    • Comment removed (Score:4, Informative)

      by account_deleted ( 4530225 ) on Tuesday February 23, 2010 @11:39AM (#31245666)
      Comment removed based on user account deletion
      • Exactly right, it doesn't matter how much you argue as a peon, if the directors don't like having to remember passwords then you're stuck. Add to that the fact that governments are massive, sprawling entities, where no one department has clear visibility of what others are doing, and you end up in the situation where the highly skilled IT department is bypassed by the clueless manager who gets in a clueless contractor to throw up a website.
    • Someone has secured the site, or deleted it. The link no longer works, and here I was going to look for a robots.txt file. Rats! Foiled again!. Not even a login prompt. It may be:[Agent86 voice] "they used the old use the /. effect to bring the server crashing down and thereby securing it from all those pesky hackers" trick.[/Agent86 voice]

      Curiously, they specifically make it sound like all 3,727 page hits were from the hacks at the Herald, but clearly state the "some of them" came from the Herald. So, w

  • by hey! ( 33014 ) on Tuesday February 23, 2010 @11:08AM (#31245290) Homepage Journal

    "Bang the Table".

    Methinks we have found a new tag for articles about politicians who are bit by their own stupid security practices. Release Word file with revision history still in it? Bang the table. Secret government data stolen because of malware you downloaded from a porn site? Bang the table.

  • Question: (Score:5, Interesting)

    by Pojut ( 1027544 ) on Tuesday February 23, 2010 @11:17AM (#31245376) Homepage

    Is it even legally possible to bring up criminal charges, considering the URL was completely unsecured?

    • by garcia ( 6573 )

      Bring up? Sure. Successfully prosecute? That's up for debate.

    • Re:Question: (Score:4, Insightful)

      by OzPeter ( 195038 ) on Tuesday February 23, 2010 @11:33AM (#31245580)

      Its always possible to bring up charges .. whether they are warranted or provable is a totally different thing

    • Why, yes, yes it is.

      First of all, define "completely unsecured". I'm pretty sure I know your definition, and if I had to vote I'd support it; but I'm also pretty sure I know their definition and it has a frightening amount of support. They will argue, and the courts might accept, that the non-publication of the URL constitutes "security", or an expectation of privacy, or whatever terms they need to feel good about filing charges.

      This is a matter of technical knowledge. To a person who only knows how to f

      • the non-publication of the URL constitutes "security", or an expectation of privacy, or whatever terms they need to feel good about filing charges

        That will be a scary day indeed.

        All I will need to do is make a popular mis-spelling, claim my site was meant to be secured, and any and all visitors are intruders seeking to steal my private data, and then sue everyone listed in the logs.

        slashhdot.org! Why they accessed my secret files!

      • Re: (Score:3, Informative)

        by tomhudson ( 43916 )

        Sorry, but your argument fails almost immediately.

        The url had already been "published" in the legal sense - as soon as someone leaked it to the reporters. There was no guesswork here. The reporters are part of the general public, and the disclosing of the url, without a prior agreement to keep it confidential, meets the legal definition of "to publish", same as a defamation suit only needs the words to be "published" to any 3rd party, not the entire population.

    • A couple years ago I was searching for the name of an old friend from college. I got a few Google hits for his full name and followed one of them. It led to a page on a radio station website that had lots of confidential information including birth date, email address, home address, business phone/address, salary, *and* password information. I alerted the radio station immediately. The first response from them was accusatory, asking what I was doing hacking their site. I sent back an email to the person w

    • Daniel Cuthbert, who "hacked" the DEC charity website by using '../' in the URL. Convicted 2005.

      http://www.samizdata.net/blog/archives/008118.html

    • by Hatta ( 162192 )

      It's Australia. They sent a man to prison for having a few naked drawing of Simpsons characters. I think they can find a way to charge anyone for just about anything they don't like.

  • Bang the Table???? (Score:3, Informative)

    by 140Mandak262Jamuna ( 970587 ) on Tuesday February 23, 2010 @11:20AM (#31245408) Journal
    The article mentions the hosting company is called Bang the table. Where have I heard that before?

    Yup, recently someone in pandasthumb.org quoted someone famous saying, "If the law is on your side, bang on the law, If facts are on your side, bang on the facts, if neither, bang on the table".

  • These reporters will learn not to meddle in government affairs when they're behind bars for the next 50+ years for computer offenses. Security is for chumps. Real security is sleeping well at night knowing that everyone else cowers in fear of your wrath. Not many reporters are willing to bet their lives on a story, and those that are willing will be made examples to the rest. Either the story dies or you do - Your choice!
  • by vlm ( 69642 ) on Tuesday February 23, 2010 @11:24AM (#31245490)

    'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.'

    Much more like checking 3727 shelves in the public library looking for a copy of "internet security for dummies"

    The funny part is both sides are fairly non-technical, meaning some "journalist" probably typed in all 3727 URLs.

    • Re:Library analogy (Score:4, Informative)

      by nedlohs ( 1335013 ) on Tuesday February 23, 2010 @11:53AM (#31245944)

      Nothing like that at all.

      They were told the url by someone.

      They entered it into their browser and got a everyday normal web page.

      They clicked on the menu items and printed out the pages.

      No guessing involved. No typing (other than the initial url) involved.

      The 3727 is probably the number of request logs on the web server from them, counting all the images/css/js/etc files to make it look larger.

      If they were slightly technical they might have done:

      wget -m http://nswtransportblueprint.com.au/ [nswtranspo...int.com.au]

      but that would be *more* typing...

    • Re: (Score:3, Interesting)

      by tomhudson ( 43916 )

      No, the url was "published" in the legal sense - they were given it by someone.

      No hacking involved.

      They weren't the only ones to whom the url was "published", since several others also were grabbing the files at the same time. And the way they grabbed the files? Clicked on the menu and followed the links, then "Print".

      The url in question? http://nswtransportblueprint.com.au/ [nswtranspo...int.com.au]

      No secret directories, no login required, no hidden subdomain, no .hosts file to exclude them, nothing. It was supposed to b

    • by Ltap ( 1572175 )
      They didn't - not every request was from the Herald, and I'm guessing only half a dozen were.
  • Entropy (Score:4, Interesting)

    by michaelmalak ( 91262 ) <michael@michaelmalak.com> on Tuesday February 23, 2010 @11:34AM (#31245588) Homepage
    Security by obscurity at its finest.

    At what point does obscurity become security? 3,727 attempts corresponds to 12 bits of entropy. According to NIST [nist.gov], that's the equivalent of a 5-character user-selected password. The same document stipulates a mere 10 bits of entropy for some applications.

    • by samkass ( 174571 )

      That's an interesting point. The same point could be made about other "mathematically" obscure things such as an IPv6 address. If all information was available online but some of it was password protected, what's the difference between guessing URLs and guessing passwords?

      To answer my own question: the expectation of privacy. A password implies the expectation of privacy, while posting something that anyone can access with the right URL does not have the same implication to me.

      • Re: (Score:2, Interesting)

        by SatanClauz ( 741416 )
        You answered michaelmalak's question at the same time!

        Obscurity becomes security when you have no reason for expectation of privacy :)

    • Re:Entropy (Score:4, Informative)

      by tomhudson ( 43916 ) <barbara DOT huds ... a-hudson DOT com> on Tuesday February 23, 2010 @12:25PM (#31246478) Journal
      RTFA.

      They were given this url http://nswtransportblueprint.com.au/ [nswtranspo...int.com.au]

      They went there.

      They hit Print

      They followed the pretty linkies

      They hit Print some more

      They wrote a story about it.

      No password dialog. No secret subdomain. No secret subdirectory. No login required. No user session or password. No .hosts entry. How is that "hacking"?

      There was no guesswork involved, so there was zero bits of entropy in this example, unless they were drunk at the time and had to retype it, in which case it's their own entropy pool, not the servers' /dev/urandom, that is being probed.

    • by eth1 ( 94901 )

      3000 "accesses" probably just means they looked at 30 pages with 100 images, scripts, and other elements that were all downloaded via separate requests/connections. But 3,727 is a better number to use when you're trying spin the journalists into villains.

    • Re: (Score:3, Informative)

      by canajin56 ( 660655 )
      You're making the mistake of believing the Slashdot summary, instead of reading TFA. There was no trial and error involved. They were given a tip that a public government website had information they might find useful. The 3,727 "attempts" that Slashdot reports are 3,727 "hits on the firewall" according to TFA. All of those "hits" were allowed through. They didn't do a dictionary attack on an existing website hoping to find secret subdirectories that weren't linked to. They just followed links inside
  • Window analogy (Score:4, Interesting)

    by realsilly ( 186931 ) on Tuesday February 23, 2010 @11:36AM (#31245620)

    Just because a house has windows and they aren't covered by curtains does not mean that by looking through the window and reading an important document left near the window that you're aren't stealing info. An unlocked door also doesn't mean you have the right to open it either. Both are wrong.

    Conversely, an unpublished website for a govt. agency... and they really thought that was secure? Buahhahhahhahhahha!

    • Re:Window analogy (Score:4, Interesting)

      by Dunbal ( 464142 ) * on Tuesday February 23, 2010 @11:50AM (#31245868)

      An unlocked door also doesn't mean you have the right to open it either.

            However, leaving your "secret info" in a public place, like say, the MIDDLE OF THE STREET, does not entitle you to any form of protection.

            No door was opened. The internet by definition is PUBLIC. That is the PURPOSE of the internet. If you create a website and put information on it that requires no authentication or other sort of credentials to access it, you have placed said information in the PUBLIC. Otherwise all search engines are repeatedly "hacking" every single site on the web. You know that there's a file called robots.txt that you can use to limit access from spiders. And you know there's something called a "password" to protect sensitive information.

            Not only is it inexcusable that a public office would commit such an act of negligence as putting (presumably) sensitive information in a place where it can be accessed by anyone, they compound their ignorance by trying to go after people who stumble across it. There have been a lot of ridiculous things happening in Australia lately, but this one takes the cake.

      • "The internet by definition is PUBLIC. That is the PURPOSE of the internet."

        That being said, then all websites on the web should be deemed public by default, but as we know that is not true. A city is road is public, but the car you drive on it is yours and is private. The poorly secured website that is a private webpage on that public internet highway. The information was not put out there for the public, there was an effort made by the entrant to purposefully look for info. Therefore, no matter how il

        • by Dunbal ( 464142 ) *

          That being said, then all websites on the web should be deemed public by default,

          What are you, a lawyer? Your view opens the door to endless litigation. Websites on the web ARE public, just as are IP addresses. You can't prevent someone from going to a web-site. However you CAN secure your website from unauthorized access. In the case you propose, it would be a "crime" to commit a typo and end up on the "wrong" page. In my case, just visiting the page won't get you the information I d

    • by Ltap ( 1572175 )
      Better than a "Windows" analogy - just because a computer has ports and they are open does not mean that by sending a few trojans its way and looking at some porn on another guy's computer means that you aren't totally exploiting user stupidity.
  • I'd like you to consider that web-address "off-limits," as a favor to me.

  • by elrous0 ( 869638 ) * on Tuesday February 23, 2010 @11:54AM (#31245980)
    Considering all the anti-internet, anti-gaming, anti-pron laws and sentiment that seems to have become so pervasive in Australia recently (much to the delight of /. editors, who have had no shortage of great front page stories from there recently) I propose that Australia must, to protect its citizens from the immoral influence of the internet, REMOVE ITSELF FROM THE INTERNET IMMEDIATELY. It's the only way to be sure.
  • If an unemployed blogger had done this he would get many years in prison (perhaps, I'm American so maybe this does not apply in Australia). Not only that, but the "newspaper" involved here would pay no attention to the blogger's rights and report the story the way the government prosecutors wished it to be written. The editor of this paper is laughing about the "controversy" and enjoying the attention as he is part of the club who run the country.
  • I'd almost want to plead guilty if in return the government would plead stupid.
  • "This is akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents..."

    Clearly, if an office is making 4k hits trying to guess a single URL, it must be hacking! But wait, there's more...

    Mr Campbell says there were about 3,727 unauthorised hits on the website, some of them from a computer belonging to a "Sydney media organisation".

    Erm, that is to say, clearly if an undisclosed subset of 4k hits come from a newspaper office, then it must, uh, be a hacking attempt.

    Right-o. Carry on then.

  • Looking at the actual webpage, it appears there is a login now. Considering the previous gaping security hole I wonder how much fun you could have with the Login URL.

    http://nswtransport.com/login?return_to=%2F [nswtransport.com]

    I wonder if it would return

    http://nswtransport.com/login?return_to=..%2F..%2F..%2Fetc%2Fpasswd [nswtransport.com]
  • by cybereal ( 621599 ) on Tuesday February 23, 2010 @08:46PM (#31254144) Homepage

    In nearly every home in the US, let alone the world, the doorways are locked with $5 pieces of tin and maybe a tiny bolt of metal shoved through some wood. There is little challenge to defeat these locks, either through picking or just jostling the door open or breaking the jamb. Furthermore, it's often the case that the doors are not locked at all, or perhaps a window is left open, or unlocked, and it's just assumed that since it's a second story window, that nobody would try it.

    So many of these homes are invade by thieves. And yet, there is no question that those invading were violating a law.

    If you enter a public place, rules tend to change. Despite the doors not being locked, I can walk into a grocery store and not feel like I've trespassed because it's a business and that's expected. However, I've often seen unmarked doors in dark corners of large stores, or even doors marked "Employee Only" or maybe an unlabeled staircase leading to who-knows-where. I know I'm not welcome in those areas, and if I entered one and was subsequently accosted for it, should I be shocked?

    Now we start talking about computers, and their presence on public networks. To me this is some kind of bizarre combination of the two previous physical scenarios. The computers themselves are viewed as having the privacy rights of the house, where-as their offering and the environment in which they make the offer is more like the store, or even another unmentioned public situation: A public park. So how do we come to the conclusions we make? Why is "security by obscurity" not enough to justify criminal charges to those who would violate it?

    Or, if you see things the other way, then I ask why you think that the public accessing a publicly offered machine is somehow unlawful, even if they are walking through those otherwise unmarked doors or looking for out-of-the way staircases?

    Just because a person doesn't break a lock to get into a home doesn't mean it's not breaking and entering, and just because a door at a store is unmarked doesn't mean the person's trying to break the law either. In the internet, your computer is knowingly placed in the public arena with open attempts at making it easy for the public to find and access, yet somehow accessing an unadvertised part of that computer is a violation?

    I don't think the answers are clear but I do think some of the associated assumptions on both sides are questionable. It's interesting to thing about at least. Who has the responsibility here, is it the site admin's responsibility to batten down every hatch or is it reasonable to expect people not to snoop around? You tell me...

"It's like deja vu all over again." -- Yogi Berra

Working...