Helpful hacker faces Aussie Feds

No good deed goes unpunished

A young computer enthusiast compromised an Australian Government Web site over night using a simple CGI script, and then notified 17,000 businesses that their banking details were unprotected, the Sydney Morning Herald reports.

The lad accessed the government's GST Assist site with a script which automatically logged in to each account and generated an e-mail message to warn the account owners.

He sent each customer their account information with a message saying: "The website http://www.gstassist.gov.au/ has a serious security flaw which permits access to your private details..."

One of the account holders sent his copy of the message, signed "K 2", to The Register.

Meanwhile, the Australian Federal Police tracked down a suspect and shut down the site. The Feds were still interviewing the suspect, said to be a teenager, late Wednesday afternoon.

Then on Thursday morning, a young lad calling himself Kelly rang up a Sydney radio station and said he had been registering an account for himself on the GST Office Web site when he discovered how easily the login procedure could be manipulated.

"I found it quite shocking [so] I sent e-mails warning people that it could be done," Kelly said.

It "didn't require any hacking. You just plug in some numbers to a CGI script," Kelly explained. The system, he said, was "wide open; anyone could just type in the numbers and get someone's details," using a "normal access procedure."

The entire database could be accessed simply by changing a number in the URL which a customer would use to gain access to his account thus: http://www.abr.business.gov.au/asp/abndetail.asp?ABN=XXXXX. Kelly's script merely substituted numbers, from one to 27,000, for X automatically.

Asked why he sent the e-mail messages to the customers rather than report the defect to the government, Kelly replied, "I was concerned; I didn't want it to be covered up."

Kelly said he wrote a very simple script which, after automatically trying each number, would generate an e-mail warning to the account holder. He said he didn't download, or even view, the information for himself. The script would "grab [the information] off the Web page, put it into an e-mail, and [not] record it. It works totally in memory," he said.

But GST project manager Glenn Carlos claimed that a sophisticated program had been used to crack the database's security.

He said the intruder had cracked the "security fields" that were designed to keep private details from view by the general public.

As for why the details were kept in plain text in an unprotected directory, Carlos said that the ever-present need for speed was to blame.

"The GST office....rapidly moved to the point where people could access the information so we were looking for the most rapid system. If we had more time I probably would have spent three or four more weeks going through security but I'm not even sure that would have been valid," he explained.

GST Office general manager Jim Hagan said that the Web site had been shut down temporarily while an investigation was being carried out. "At the moment we haven't found any evidence of [a security breach] and we are still confident that the security is okay," he told ABC radio.

Only time will tell whether the government's natural compulsion to maintain an illusion of competence and control over the Mysteries of Technology will result in young Kelly being made a scapegoat, or whether he might emerge as the courageous and responsible fellow he is. ®

Sponsored: Designing and building an open ITOA architecture