Feeds

Helpful hacker faces Aussie Feds

No good deed goes unpunished

  • alert
  • submit to reddit

New hybrid storage solutions

A young computer enthusiast compromised an Australian Government Web site over night using a simple CGI script, and then notified 17,000 businesses that their banking details were unprotected, the Sydney Morning Herald reports.

The lad accessed the government's GST Assist site with a script which automatically logged in to each account and generated an e-mail message to warn the account owners.

He sent each customer their account information with a message saying: "The website http://www.gstassist.gov.au/ has a serious security flaw which permits access to your private details..."

One of the account holders sent his copy of the message, signed "K 2", to The Register.

Meanwhile, the Australian Federal Police tracked down a suspect and shut down the site. The Feds were still interviewing the suspect, said to be a teenager, late Wednesday afternoon.

Then on Thursday morning, a young lad calling himself Kelly rang up a Sydney radio station and said he had been registering an account for himself on the GST Office Web site when he discovered how easily the login procedure could be manipulated.

"I found it quite shocking [so] I sent e-mails warning people that it could be done," Kelly said.

It "didn't require any hacking. You just plug in some numbers to a CGI script," Kelly explained. The system, he said, was "wide open; anyone could just type in the numbers and get someone's details," using a "normal access procedure."

The entire database could be accessed simply by changing a number in the URL which a customer would use to gain access to his account thus: http://www.abr.business.gov.au/asp/abndetail.asp?ABN=XXXXX. Kelly's script merely substituted numbers, from one to 27,000, for X automatically.

Asked why he sent the e-mail messages to the customers rather than report the defect to the government, Kelly replied, "I was concerned; I didn't want it to be covered up."

Kelly said he wrote a very simple script which, after automatically trying each number, would generate an e-mail warning to the account holder. He said he didn't download, or even view, the information for himself. The script would "grab [the information] off the Web page, put it into an e-mail, and [not] record it. It works totally in memory," he said.

But GST project manager Glenn Carlos claimed that a sophisticated program had been used to crack the database's security.

He said the intruder had cracked the "security fields" that were designed to keep private details from view by the general public.

As for why the details were kept in plain text in an unprotected directory, Carlos said that the ever-present need for speed was to blame.

"The GST office....rapidly moved to the point where people could access the information so we were looking for the most rapid system. If we had more time I probably would have spent three or four more weeks going through security but I'm not even sure that would have been valid," he explained.

GST Office general manager Jim Hagan said that the Web site had been shut down temporarily while an investigation was being carried out. "At the moment we haven't found any evidence of [a security breach] and we are still confident that the security is okay," he told ABC radio.

Only time will tell whether the government's natural compulsion to maintain an illusion of competence and control over the Mysteries of Technology will result in young Kelly being made a scapegoat, or whether he might emerge as the courageous and responsible fellow he is. ®

Security for virtualized datacentres

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Why Oracle CEO Larry Ellison had to go ... Except he hasn't
Silicon Valley's veteran seadog in piratical Putin impression
Big Content Australia just blew a big hole in its credibility
AHEDA's research on average content prices did not expose methodology, so appears less than rigourous
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.