<div dir="ltr">It is actually kind of scary how many web development firms websites are vulnerable to SQL injections / remote function includes. These are the people building many businesses websites, and they themselves cant even secure their own systems. The worst offenders are those shops that only use their own 'in house' CMS for whatever silly reason (they always produce worse websites than a simple WordPress install with a couple addons, whats the point then?). <div>
<br></div><div>Plus relying on prosecuting the hackers is false security anyway, even in the rare circumstances that you do find the perpetrator, if you are a private business you can prosecute all you want but it isn't going to save your business if you just got owned like Distribute.IT did. </div>
<div><br></div><div>--Damian</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jan 9, 2014 at 6:51 AM, Robert Hudson <span dir="ltr"><<a href="mailto:hudrob@gmail.com" target="_blank">hudrob@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">I had a similar response ("my tummy feels funny", followed by months of inactivity) when I informed Queensland Police of a flaw in their CMS (a commonly used one amongst government departments at that time) that allowed the injection of data into their website - basically, you could craft a URL to reference an externally hosted text file, and the site would build a media release based on it. Essentially, the site worked as such: hytps://<a href="http://police.qld.gov.au/media-releases/document_source=file.txt" target="_blank">police.qld.gov.au/media-releases/document_source=file.txt</a> - where file.txt could be an externally hosted file of your choosing. Using some obfuscation, you could easily make the location of file.txt look legit.</p>
<p dir="ltr">I tried telling them about the problem, they didn't get it. So I sent them a crafted URL with a story that I'd been promoted to be the head of police in Qld. That at least got their attention. To their credit, they didn't try to pursue any sort of charges against me, just finally said "Right, thanks, leave this with us, we'll tell the others who are using it too". And within a few months, it was fixed, and about a year later the CMS was no longer in use there or at Brisbane City Council.</p>
<div class="HOEnZb"><div class="h5">
<div class="gmail_quote">On 08/01/2014 8:20 PM, "Tim March" <<a href="mailto:march.tim@gmail.com" target="_blank">march.tim@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Anyone know what the actual "hack" was? A couple of links I found<br>
implied he "found an old database while browsing," which just sounds<br>
like they had +Indexes and Google found it.<br>
<br>
FWIW I found a directory indexing issue in $GovAUAgency a couple of<br>
years back with db dumps, credentials, admin scripts, SSH keys, bash<br>
logs (lock, stock, the lot...) and tried to notify their infrastructure<br>
provider. It was a nightmare. I ended up talking Ralph<br>
Wiggum^H^H^H^H^H^H^H^H^H^H^Ha support punter through it on the phone...<br>
<br>
"open your browser... now go to Google... Now search for<br>
'site:$GovAUAgency filetype:sql'"<br>
<br>
"What is it?"<br>
<br>
"Umm... Show that to your security punters"<br>
<br>
"My tummy feels funny *mouth breathing*"<br>
<br>
<br>
... The site was like it for months afterwards.<br>
<br>
TL;DR; If the kid was Google hacking, responsibly disclosed and they<br>
called the Fuzz that's pretty poor form.<br>
<br>
<br>
<br>
T.<br>
<br>
On 8/01/14 10:35 PM, Damian Guppy wrote:<br>
> Oh Good. Now watch as prosecutors press the courts to enhance the<br>
> charges so he can be tried as an adult and sentenced to more time behind<br>
> bars than the latest murder.<br>
><br>
> --Damian<br>
><br>
><br>
> On Wed, Jan 8, 2014 at 7:28 PM, Patrick Webster <<a href="mailto:patrick@aushack.com" target="_blank">patrick@aushack.com</a><br>
> <mailto:<a href="mailto:patrick@aushack.com" target="_blank">patrick@aushack.com</a>>> wrote:<br>
><br>
> <a href="http://m.theage.com.au/it-pro/security-it/hacked-site-reports-boy-to-police-20140108-hv7tl.html" target="_blank">http://m.theage.com.au/it-pro/security-it/hacked-site-reports-boy-to-police-20140108-hv7tl.html</a><br>
><br>
><br>
> _______________________________________________<br>
> AusNOG mailing list<br>
> <a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a> <mailto:<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>><br>
> <a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
><br>
><br>
><br>
><br>
> _______________________________________________<br>
> AusNOG mailing list<br>
> <a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
> <a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
><br>
<br>
--<br>
PGP/GNUPG Public Key: <a href="http://d3vnu11.com/pub.key" target="_blank">http://d3vnu11.com/pub.key</a><br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div>
</div></div><br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br></div>