Feeds

Helpful hacker faces Aussie Feds

No good deed goes unpunished

  • alert
  • submit to reddit

Remote control for virtualized desktops

A young computer enthusiast compromised an Australian Government Web site over night using a simple CGI script, and then notified 17,000 businesses that their banking details were unprotected, the Sydney Morning Herald reports.

The lad accessed the government's GST Assist site with a script which automatically logged in to each account and generated an e-mail message to warn the account owners.

He sent each customer their account information with a message saying: "The website http://www.gstassist.gov.au/ has a serious security flaw which permits access to your private details..."

One of the account holders sent his copy of the message, signed "K 2", to The Register.

Meanwhile, the Australian Federal Police tracked down a suspect and shut down the site. The Feds were still interviewing the suspect, said to be a teenager, late Wednesday afternoon.

Then on Thursday morning, a young lad calling himself Kelly rang up a Sydney radio station and said he had been registering an account for himself on the GST Office Web site when he discovered how easily the login procedure could be manipulated.

"I found it quite shocking [so] I sent e-mails warning people that it could be done," Kelly said.

It "didn't require any hacking. You just plug in some numbers to a CGI script," Kelly explained. The system, he said, was "wide open; anyone could just type in the numbers and get someone's details," using a "normal access procedure."

The entire database could be accessed simply by changing a number in the URL which a customer would use to gain access to his account thus: http://www.abr.business.gov.au/asp/abndetail.asp?ABN=XXXXX. Kelly's script merely substituted numbers, from one to 27,000, for X automatically.

Asked why he sent the e-mail messages to the customers rather than report the defect to the government, Kelly replied, "I was concerned; I didn't want it to be covered up."

Kelly said he wrote a very simple script which, after automatically trying each number, would generate an e-mail warning to the account holder. He said he didn't download, or even view, the information for himself. The script would "grab [the information] off the Web page, put it into an e-mail, and [not] record it. It works totally in memory," he said.

But GST project manager Glenn Carlos claimed that a sophisticated program had been used to crack the database's security.

He said the intruder had cracked the "security fields" that were designed to keep private details from view by the general public.

As for why the details were kept in plain text in an unprotected directory, Carlos said that the ever-present need for speed was to blame.

"The GST office....rapidly moved to the point where people could access the information so we were looking for the most rapid system. If we had more time I probably would have spent three or four more weeks going through security but I'm not even sure that would have been valid," he explained.

GST Office general manager Jim Hagan said that the Web site had been shut down temporarily while an investigation was being carried out. "At the moment we haven't found any evidence of [a security breach] and we are still confident that the security is okay," he told ABC radio.

Only time will tell whether the government's natural compulsion to maintain an illusion of competence and control over the Mysteries of Technology will result in young Kelly being made a scapegoat, or whether he might emerge as the courageous and responsible fellow he is. ®

Remote control for virtualized desktops

More from The Register

next story
BIG FAT Lies: Porky Pies about obesity
What really shortens lives? Reading this sort of crap in the papers
Be real, Apple: In-app goodie grab games AREN'T FREE – EU
Cupertino stands down after Euro legal threats
Assange™ slumps back on Ecuador's sofa after detention appeal binned
Swedish court rules there's 'great risk' WikiLeaker will dodge prosecution
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.