[AusNOG] Hacked site reports boy to police | theage.com.au
Keith Anderson
keitha at apcs.com.au
Thu Jan 9 08:21:49 EST 2014
Indexing and .gov.au seem to be all over the place.
http://education.qld.gov.au/corporate/hr/ap/
http://www.climatechangeinaustralia.gov.au/documents/resources/
the list just went on and on.
Keith Anderson
Managing Director | APCS / WIP
Australia Power Control Systems
C/o Coffs Harbour Media Centre
2 Peterson Road,
Coffs Harbour NSW 2450
T: 1300 3000 56 | F: 1300-765-427
E: keitha at apcs.com.au
On 08/01/2014, at 11:30 PM, Patrick Webster wrote:
> I hope for his sake it is quickly realised he is just trying to help them and that will be the end of it.
>
> There was enough fuss about my FSS incident by changing a bloody number in a URL. Sounds like he went a little further than just changing a number.
>
> I read it as SQL injection which is harder to brush off as a simple URL typo. The Today Tonight (?) video of him appears to show him playing around with a JSON interface. But that could just be for show. I hope it isn't as silly as +Indexes.
>
> But regardless, police and Melbourne Transport or whatever they are called should look at intent, and intent alone.
>
> All these accidental cracker stories are getting tiring. Why is there never a focus on how stupid of a mistake the corporation made? It is getting to the point where the layman is starting to understand there are good samaritans and they aren't to blame.
>
> It is time law enforcement caught up with the Australian community acceptable standards.
> On 8 Jan 2014 23:20, "Tim March" <march.tim at gmail.com> wrote:
>
> Anyone know what the actual "hack" was? A couple of links I found
> implied he "found an old database while browsing," which just sounds
> like they had +Indexes and Google found it.
>
> FWIW I found a directory indexing issue in $GovAUAgency a couple of
> years back with db dumps, credentials, admin scripts, SSH keys, bash
> logs (lock, stock, the lot...) and tried to notify their infrastructure
> provider. It was a nightmare. I ended up talking Ralph
> Wiggum^H^H^H^H^H^H^H^H^H^H^Ha support punter through it on the phone...
>
> "open your browser... now go to Google... Now search for
> 'site:$GovAUAgency filetype:sql'"
>
> "What is it?"
>
> "Umm... Show that to your security punters"
>
> "My tummy feels funny *mouth breathing*"
>
>
> ... The site was like it for months afterwards.
>
> TL;DR; If the kid was Google hacking, responsibly disclosed and they
> called the Fuzz that's pretty poor form.
>
>
>
> T.
>
> On 8/01/14 10:35 PM, Damian Guppy wrote:
> > Oh Good. Now watch as prosecutors press the courts to enhance the
> > charges so he can be tried as an adult and sentenced to more time behind
> > bars than the latest murder.
> >
> > --Damian
> >
> >
> > On Wed, Jan 8, 2014 at 7:28 PM, Patrick Webster <patrick at aushack.com> wrote:
> >
> > http://m.theage.com.au/it-pro/security-it/hacked-site-reports-boy-to-police-20140108-hv7tl.html
> >
> >
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
> >
>
> --
> PGP/GNUPG Public Key: http://d3vnu11.com/pub.key