[AusNOG] Hacked site reports boy to police | theage.com.au

Damian Guppy the.damo at gmail.com
Thu Jan 9 10:47:57 EST 2014


It is actually kind of scary how many web development firms' websites are
vulnerable to SQL injections / remote file includes. These are the
people building many businesses' websites, and they themselves can't even
secure their own systems. The worst offenders are those shops that only use
their own 'in house' CMS for whatever silly reason (they always produce
worse websites than a simple WordPress install with a couple of add-ons, so what's
the point then?).

Plus relying on prosecuting the hackers is false security anyway. Even in
the rare circumstances that you do find the perpetrator, if you are a
private business you can prosecute all you want, but it isn't going to save
your business if you just got owned like Distribute.IT did.

--Damian


On Thu, Jan 9, 2014 at 6:51 AM, Robert Hudson <hudrob at gmail.com> wrote:

> I had a similar response ("my tummy feels funny", followed by months of
> inactivity) when I informed Queensland Police of a flaw in their CMS (a
> commonly used one amongst government departments at that time) that allowed
> the injection of data into their website - basically, you could craft a URL
> to reference an externally hosted text file, and the site would build a
> media release based on it. Essentially, the site worked as such: hytps://
> police.qld.gov.au/media-releases/document_source=file.txt - where
> file.txt could be an externally hosted file of your choosing.  Using some
> obfuscation, you could easily make the location of file.txt look legit.
>
> I tried telling them about the problem, they didn't get it. So I sent them
> a crafted URL with a story that I'd been promoted to be the head of police
> in Qld. That at least got their attention.  To their credit, they didn't
> try to pursue any sort of charges against me, just finally said "Right,
> thanks, leave this with us, we'll tell the others who are using it too".
> And within a few months, it was fixed, and about a year later the CMS was
> no longer in use there or at Brisbane City Council.
>  On 08/01/2014 8:20 PM, "Tim March" <march.tim at gmail.com> wrote:
>
>>
>> Anyone know what the actual "hack" was? A couple of links I found
>> implied he "found an old database while browsing," which just sounds
>> like they had +Indexes and Google found it.
>>
>> FWIW I found a directory indexing issue in $GovAUAgency a couple of
>> years back with db dumps, credentials, admin scripts, SSH keys, bash
>> logs (lock, stock, the lot...) and tried to notify their infrastructure
>> provider. It was a nightmare. I ended up talking Ralph
>> Wiggum^H^H^H^H^H^H^H^H^H^H^Ha support punter through it on the phone...
>>
>>         "open your browser... now go to Google... Now search for
>> 'site:$GovAUAgency filetype:sql'"
>>
>>         "What is it?"
>>
>>         "Umm... Show that to your security punters"
>>
>>         "My tummy feels funny *mouth breathing*"
>>
>>
>> ... The site was like it for months afterwards.
>>
>> TL;DR: If the kid was Google hacking, responsibly disclosed and they
>> called the Fuzz, that's pretty poor form.
>>
>>
>>
>> T.
>>
>> On 8/01/14 10:35 PM, Damian Guppy wrote:
>> > Oh Good. Now watch as prosecutors press the courts to enhance the
>> > charges so he can be tried as an adult and sentenced to more time behind
>> > bars than the latest murder.
>> >
>> > --Damian
>> >
>> >
>> > On Wed, Jan 8, 2014 at 7:28 PM, Patrick Webster <patrick at aushack.com
>> > <mailto:patrick at aushack.com>> wrote:
>> >
>> >
>> http://m.theage.com.au/it-pro/security-it/hacked-site-reports-boy-to-police-20140108-hv7tl.html
>> >
>> >
>> >     _______________________________________________
>> >     AusNOG mailing list
>> >     AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>> >     http://lists.ausnog.net/mailman/listinfo/ausnog
>> >
>>
>> --
>> PGP/GNUPG Public Key: http://d3vnu11.com/pub.key
>>
>
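The document_source flaw Robert Hudson describes above comes down to a request parameter being allowed to name a remote resource. The validator below is an added example, not code from this thread or from the CMS in question: it accepts only a bare local .txt file name under an assumed base directory and rejects URLs, scheme-less //host forms, path separators, traversal and NUL bytes, including their percent-encoded variants.

```python
import os
from urllib.parse import unquote, urlsplit

# Assumed directory holding the media-release source files the CMS may read.
BASE_DIR = "/srv/cms/media-releases"


class RejectedSource(ValueError):
    """Raised when a document_source value is not a plain local file name."""


def resolve_document_source(value: str, base_dir: str = BASE_DIR) -> str:
    """Return the absolute local path for a 'document_source' parameter.

    Only the final path component is accepted and it must end in .txt.
    Anything that could point outside base_dir is rejected.
    """
    if not isinstance(value, str) or not value:
        raise RejectedSource("empty source")
    # Decode once so 'file.txt%00.jpg' or '..%2F..%2Fetc' are seen in the clear.
    decoded = unquote(value)
    if "\x00" in decoded:
        raise RejectedSource("NUL byte in source")
    # 'hytps://host/x.txt' has a scheme; '//host/x.txt' is a scheme-relative URL.
    if urlsplit(decoded).scheme or decoded.startswith("//"):
        raise RejectedSource("remote or scheme-qualified source")
    if "/" in decoded or "\\" in decoded:
        raise RejectedSource("path separators not allowed")
    if decoded in (".", "..") or not decoded.lower().endswith(".txt"):
        raise RejectedSource("not a .txt file name")
    # Defence in depth: the resolved path must still sit under base_dir.
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, full]) != base:
        raise RejectedSource("escapes base directory")
    return full


def is_safe_source(value: str) -> bool:
    """True if the parameter would be accepted, False if it is rejected."""
    try:
        resolve_document_source(value)
        return True
    except RejectedSource:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and several hostile ones.
    for sample in ("release-2014-01.txt", "hytps://example.net/file.txt",
                   "//example.net/file.txt", "../../etc/passwd",
                   "..%2F..%2Fetc%2Fpasswd", "file.txt%00.jpg"):
        print(f"{sample!r}: {'accepted' if is_safe_source(sample) else 'rejected'}")
```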