
Helpful hacker faces Aussie Feds

No good deed goes unpunished


A young computer enthusiast compromised an Australian Government Web site overnight using a simple CGI script, and then notified 17,000 businesses that their banking details were unprotected, the Sydney Morning Herald reports.

The lad accessed the government's GST Assist site with a script which automatically logged in to each account and generated an e-mail message to warn the account owners.

He sent each customer their account information with a message saying: "The website http://www.gstassist.gov.au/ has a serious security flaw which permits access to your private details..."

One of the account holders sent his copy of the message, signed "K 2", to The Register.

Meanwhile, the Australian Federal Police tracked down a suspect and shut down the site. The Feds were still interviewing the suspect, said to be a teenager, late Wednesday afternoon.

Then on Thursday morning, a young lad calling himself Kelly rang up a Sydney radio station and said he had been registering an account for himself on the GST Office Web site when he discovered how easily the login procedure could be manipulated.

"I found it quite shocking [so] I sent e-mails warning people that it could be done," Kelly said.

It "didn't require any hacking. You just plug in some numbers to a CGI script," Kelly explained. The system, he said, was "wide open; anyone could just type in the numbers and get someone's details," using a "normal access procedure."

The entire database could be accessed simply by changing a number in the URL that a customer would use to reach his own account: http://www.abr.business.gov.au/asp/abndetail.asp?ABN=XXXXX. Kelly's script merely substituted numbers, from one to 27,000, for X automatically.
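A defender-side check for the access pattern described above, where one client requests consecutive values of the `ABN` parameter. This is an added example, not code from the article or the site; the log format, client addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (client, request line, status); not real data.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 "GET /asp/abndetail.asp?ABN={n} HTTP/1.0" 200' for n in range(1, 9)]
    + ['198.51.100.4 "GET /asp/abndetail.asp?ABN=4711 HTTP/1.0" 200'] * 2
    + ['198.51.100.9 "GET /index.asp HTTP/1.0" 200']
)
LINE_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" (\d{3})$')

def ids_by_client(log_text, path="/asp/abndetail.asp", param="ABN"):
    """Map each client to the set of numeric record ids it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        client, target, _status = m.groups()
        url = urlsplit(target)
        if url.path.lower() != path:
            continue  # only the record-detail page is of interest
        for value in parse_qs(url.query).get(param, []):
            if value.isdigit():
                seen[client].add(int(value))
    return seen

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    best = 0
    for n in ids:
        if n - 1 in ids:
            continue  # n is not the start of a run
        length = 1
        while n + length in ids:
            length += 1
        best = max(best, length)
    return best

def flag_enumeration(log_text, min_distinct=5, min_run=5):
    """Clients that fetched many distinct ids forming a consecutive run."""
    flagged = {}
    for client, ids in ids_by_client(log_text).items():
        run = longest_run(ids)
        if len(ids) >= min_distinct and run >= min_run:
            flagged[client] = {"distinct": len(ids), "run": run}
    return flagged
```

A check like this only surfaces the behaviour after the fact; the underlying fix is for the server to verify, on every request, that the authenticated customer owns the record named in the URL.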

Asked why he sent the e-mail messages to the customers rather than report the defect to the government, Kelly replied, "I was concerned; I didn't want it to be covered up."

Kelly said he wrote a very simple script which, after automatically trying each number, would generate an e-mail warning to the account holder. He said he didn't download, or even view, the information for himself. The script would "grab [the information] off the Web page, put it into an e-mail, and [not] record it. It works totally in memory," he said.

But GST project manager Glenn Carlos claimed that a sophisticated program had been used to crack the database's security.

He said the intruder had cracked the "security fields" that were designed to keep private details from view by the general public.

As for why the details were kept in plain text in an unprotected directory, Carlos said that the ever-present need for speed was to blame.

"The GST office....rapidly moved to the point where people could access the information so we were looking for the most rapid system. If we had more time I probably would have spent three or four more weeks going through security but I'm not even sure that would have been valid," he explained.

GST Office general manager Jim Hagan said that the Web site had been shut down temporarily while an investigation was being carried out. "At the moment we haven't found any evidence of [a security breach] and we are still confident that the security is okay," he told ABC radio.

Only time will tell whether the government's natural compulsion to maintain an illusion of competence and control over the Mysteries of Technology will result in young Kelly being made a scapegoat, or whether he might emerge as the courageous and responsible fellow he is. ®
