Feeds

Helpful hacker faces Aussie Feds

No good deed goes unpunished

  • alert
  • submit to reddit

Combat fraud and increase customer satisfaction

A young computer enthusiast compromised an Australian Government Web site over night using a simple CGI script, and then notified 17,000 businesses that their banking details were unprotected, the Sydney Morning Herald reports.

The lad accessed the government's GST Assist site with a script which automatically logged in to each account and generated an e-mail message to warn the account owners.

He sent each customer their account information with a message saying: "The website http://www.gstassist.gov.au/ has a serious security flaw which permits access to your private details..."

One of the account holders sent his copy of the message, signed "K 2", to The Register.

Meanwhile, the Australian Federal Police tracked down a suspect and shut down the site. The Feds were still interviewing the suspect, said to be a teenager, late Wednesday afternoon.

Then on Thursday morning, a young lad calling himself Kelly rang up a Sydney radio station and said he had been registering an account for himself on the GST Office Web site when he discovered how easily the login procedure could be manipulated.

"I found it quite shocking [so] I sent e-mails warning people that it could be done," Kelly said.

It "didn't require any hacking. You just plug in some numbers to a CGI script," Kelly explained. The system, he said, was "wide open; anyone could just type in the numbers and get someone's details," using a "normal access procedure."

The entire database could be accessed simply by changing a number in the URL which a customer would use to gain access to his account thus: http://www.abr.business.gov.au/asp/abndetail.asp?ABN=XXXXX. Kelly's script merely substituted numbers, from one to 27,000, for X automatically.

Asked why he sent the e-mail messages to the customers rather than report the defect to the government, Kelly replied, "I was concerned; I didn't want it to be covered up."

Kelly said he wrote a very simple script which, after automatically trying each number, would generate an e-mail warning to the account holder. He said he didn't download, or even view, the information for himself. The script would "grab [the information] off the Web page, put it into an e-mail, and [not] record it. It works totally in memory," he said.

But GST project manager Glenn Carlos claimed that a sophisticated program had been used to crack the database's security.

He said the intruder had cracked the "security fields" that were designed to keep private details from view by the general public.

As for why the details were kept in plain text in an unprotected directory, Carlos said that the ever-present need for speed was to blame.

"The GST office....rapidly moved to the point where people could access the information so we were looking for the most rapid system. If we had more time I probably would have spent three or four more weeks going through security but I'm not even sure that would have been valid," he explained.

GST Office general manager Jim Hagan said that the Web site had been shut down temporarily while an investigation was being carried out. "At the moment we haven't found any evidence of [a security breach] and we are still confident that the security is okay," he told ABC radio.

Only time will tell whether the government's natural compulsion to maintain an illusion of competence and control over the Mysteries of Technology will result in young Kelly being made a scapegoat, or whether he might emerge as the courageous and responsible fellow he is. ®

3 Big data security analytics techniques

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.