[AusNOG] Hacked site reports boy to police | theage.com.au

Patrick Webster patrick at aushack.com
Wed Jan 8 23:30:37 EST 2014


I hope for his sake it is quickly realised he is just trying to help them
and that will be the end of it.

There was enough fuss about my FSS incident by changing a bloody number in
a URL. Sounds like he went a little further than just changing a number.

I read it as SQL injection, which is harder to brush off as a simple URL
typo. The Today Tonight (?) video of him appears to show him playing around
with a JSON interface. But that could just be for show. I hope it isn't as
silly as +Indexes.

But regardless, police and Melbourne Transport or whatever they are called
should look at intent, and intent alone.

All these accidental cracker stories are getting tiring. Why is there never
a focus on how stupid of a mistake the corporation made? It is getting to
the point where the layman is starting to understand there are good
Samaritans and they aren't to blame.

It is time law enforcement caught up with the Australian community
acceptable standards.

On 8 Jan 2014 23:20, "Tim March" <march.tim at gmail.com> wrote:

>
> Anyone know what the actual "hack" was? A couple of links I found
> implied he "found an old database while browsing," which just sounds
> like they had +Indexes and Google found it.
>
> FWIW I found a directory indexing issue in $GovAUAgency a couple of
> years back with db dumps, credentials, admin scripts, SSH keys, bash
> logs (lock, stock, the lot...) and tried to notify their infrastructure
> provider. It was a nightmare. I ended up talking Ralph
> Wiggum^H^H^H^H^H^H^H^H^H^H^Ha support punter through it on the phone...
>
>         "open your browser... now go to Google... Now search for
> 'site:$GovAUAgency filetype:sql'"
>
>         "What is it?"
>
>         "Umm... Show that to your security punters"
>
>         "My tummy feels funny *mouth breathing*"
>
>
> ... The site was like it for months afterwards.
>
> TL;DR; If the kid was Google hacking, responsibly disclosed and they
> called the Fuzz that's pretty poor form.
>
>
>
> T.
>
> On 8/01/14 10:35 PM, Damian Guppy wrote:
> > Oh Good. Now watch as prosecutors press the courts to enhance the
> > charges so he can be tried as an adult and sentenced to more time behind
> > bars than the latest murder.
> >
> > --Damian
> >
> >
> > On Wed, Jan 8, 2014 at 7:28 PM, Patrick Webster <patrick at aushack.com
> > <mailto:patrick at aushack.com>> wrote:
> >
> >
> http://m.theage.com.au/it-pro/security-it/hacked-site-reports-boy-to-police-20140108-hv7tl.html
> >
> >
> >     _______________________________________________
> >     AusNOG mailing list
> >     AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
> >     http://lists.ausnog.net/mailman/listinfo/ausnog
> >
> >
>
> --
> PGP/GNUPG Public Key: http://d3vnu11.com/pub.key