[AusNOG] Hacked site reports boy to police | theage.com.au

Tim March march.tim at gmail.com
Thu Jan 9 10:28:04 EST 2014


Yup...

Not sure if I've mentioned it here before, but "Google Hacking for
Penetration Testers," albeit a little dated, is a great introductory
reference.

Also check out:

https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf

http://www.exploit-db.com/google-dorks/

FWIW - You'd be absolutely amazed at how much useful info we get from
passive recon (Google dorking / DNS enumeration etc.) when doing
vulnerability assessment work. Spending a couple of hours playing with
them against your respective orgs is free money.



T.

On 9/01/14 8:21 AM, Keith Anderson wrote:
> Indexing and .gov.au seem to be all over the place. 
> 
> http://education.qld.gov.au/corporate/hr/ap/
> 
> http://www.climatechangeinaustralia.gov.au/documents/resources/
> 
> the list just went on and on.
> 
> 
> 
> Keith Anderson
> Managing Director | APCS <http://www.apcs.com.au/> / WIP <http://www.wip.net.au/>
> Australia Power Control Systems
> 
> C/o Coffs Harbour Media Centre
> 2 Peterson Road,
> Coffs Harbour NSW 2450
> 
> T: 1300 3000 56 | F: 1300-765-427
> E: keitha at apcs.com.au <mailto:keitha at apcs.com.au>
> 
> On 08/01/2014, at 11:30 PM, Patrick Webster wrote:
> 
>> I hope for his sake it is quickly realised he is just trying to help
>> them and that will be the end of it.
>>
>> There was enough fuss about my FSS incident by changing a bloody
>> number in a URL. Sounds like he went a little further than just
>> changing a number.
>>
>> I read it as SQL injection which is harder to brush off as a simple
>> URL typo. The today tonight (?) video of him appears to show him
>> playing around with a JSON interface. But that could just be for show.
>> I hope it isn't as silly as +Indexes.
>>
>> But regardless, police and Melbourne Transport or whatever they are
>> called should look at intent, and intent alone.
>>
>> All these accidental cracker stories are getting tiring. Why is there
>> never a focus on how stupid of a mistake the corporation made? It is
>> getting to the point where the layman is starting to understand there
>> are good samaritans and they aren't to blame.
>>
>> It is time law enforcement caught up with the Australian community
>> acceptable standards.
>>
>> On 8 Jan 2014 23:20, "Tim March" <march.tim at gmail.com
>> <mailto:march.tim at gmail.com>> wrote:
>>
>>
>>     Anyone know what the actual "hack" was? A couple of links I found
>>     implied he "found an old database while browsing," which just sounds
>>     like they had +Indexes and Google found it.
>>
>>     FWIW I found a directory indexing issue in $GovAUAgency a couple of
>>     years back with db dumps, credentials, admin scripts, SSH keys, bash
>>     logs (lock, stock, the lot...) and tried to notify their infrastructure
>>     provider. It was a nightmare. I ended up talking Ralph
>>     Wiggum^H^H^H^H^H^H^H^H^H^H^Ha support punter through it on the
>>     phone...
>>
>>             "open your browser... now go to Google... Now search for
>>     'site:$GovAUAgency filetype:sql'"
>>
>>             "What is it?"
>>
>>             "Umm... Show that to your security punters"
>>
>>             "My tummy feels funny *mouth breathing*"
>>
>>
>>     ... The site was like it for months afterwards.
>>
>>     TL;DR: If the kid was Google hacking, responsibly disclosed and they
>>     called the Fuzz, that's pretty poor form.
>>
>>
>>
>>     T.
>>
>>     On 8/01/14 10:35 PM, Damian Guppy wrote:
>>     > Oh Good. Now watch as prosecutors press the courts to enhance the
>>     > charges so he can be tried as an adult and sentenced to more time
>>     > behind bars than the latest murder.
>>     >
>>     > --Damian
>>     >
>>     >
>>     > On Wed, Jan 8, 2014 at 7:28 PM, Patrick Webster
>>     > <patrick at aushack.com <mailto:patrick at aushack.com>> wrote:
>>     >
>>     >    
>>     http://m.theage.com.au/it-pro/security-it/hacked-site-reports-boy-to-police-20140108-hv7tl.html
>>     >
>>     >
>>     >     _______________________________________________
>>     >     AusNOG mailing list
>>     >     AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>>     <mailto:AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>>
>>     >     http://lists.ausnog.net/mailman/listinfo/ausnog
>>     >
>>     >
>>     >
>>     >
>>     >
>>
>>     --
>>     PGP/GNUPG Public Key: http://d3vnu11.com/pub.key
>>
> 
> 
> 
> 

-- 
PGP/GNUPG Public Key: http://d3vnu11.com/pub.key
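The "+Indexes" exposure and the "filetype:sql" find that the thread describes, turned into a self-audit check you can run over responses fetched from your own hosts. This is an added example, not code from the thread or from any AusNOG member; it runs offline against constructed responses from a hypothetical host (example.gov.invalid), and the listing and dump-header patterns are assumptions about what Apache, nginx and mysqldump typically emit.

```python
import re
from dataclasses import dataclass
# Markers Apache mod_autoindex and nginx put on generated listings (assumed).
LISTING_PATTERNS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r">\s*Parent Directory\s*<", re.I),
)
# Lines that common database dump tools write near the top of a dump.
DUMP_PATTERNS = (
    re.compile(r"^--\s*(MySQL|MariaDB|PostgreSQL) (dump|database dump)", re.I | re.M),
    re.compile(r"^(CREATE TABLE|INSERT INTO)\s", re.I | re.M),
)
SENSITIVE_EXT = (".sql", ".sql.gz", ".bak", ".dump", ".pem", ".key")

@dataclass
class Finding:
    url: str
    kind: str  # "directory-listing", "database-dump" or "sensitive-extension"

def classify(url, status, content_type, body):
    """Findings for one already-fetched response (empty if nothing suspicious)."""
    findings = []
    if status != 200:  # 403/404 on such a URL is the desired state
        return findings
    if "text/html" in content_type and any(p.search(body) for p in LISTING_PATTERNS):
        findings.append(Finding(url, "directory-listing"))
    if any(p.search(body[:2048]) for p in DUMP_PATTERNS):  # sniff the head only
        findings.append(Finding(url, "database-dump"))
    if url.split("?", 1)[0].lower().endswith(SENSITIVE_EXT):
        findings.append(Finding(url, "sensitive-extension"))
    return findings

def audit(responses):
    """Classify (url, status, content_type, body) tuples; sorted by URL, then kind."""
    out = []
    for url, status, ctype, body in responses:
        out.extend(classify(url, status, ctype, body))
    return sorted(out, key=lambda f: (f.url, f.kind))

# Constructed sample responses from a hypothetical host (not a real site).
SAMPLE = [
    ("https://www.example.gov.invalid/backup/", 200, "text/html",
     "<html><head><title>Index of /backup</title></head><body>"
     '<a href="/">Parent Directory</a> <a href="site.sql">site.sql</a></body></html>'),
    ("https://www.example.gov.invalid/backup/site.sql", 200, "application/octet-stream",
     "-- MySQL dump 10.13\nCREATE TABLE `users` (id int, pw varchar(64));\n"),
    ("https://www.example.gov.invalid/about/", 200, "text/html",
     "<html><head><title>About us</title></head><body>Hello</body></html>"),
    ("https://www.example.gov.invalid/old/", 403, "text/html", "Forbidden"),
]
```

For a live audit, feed `audit()` the URL, status code, Content-Type header and body of each response you fetch from your own servers; anything it flags is what a search engine will index too.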