Australian Teen Alerts Transit Department To Security Hole On Website... Gets Reported To Police
from the not-this-again dept
For years and years, we've been stumped by why website owners try to kill the messenger when someone discovers a hole on their website. It's happened yet again. Down in Australia, a 16-year-old by the name of Joshua Rogers found a security hole in the Metlink website, which is run by the Transport Department in Victoria. The hole appears to be a fairly large one:
"The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site," according to The Age newspaper in Melbourne.
Rogers did exactly what a good security researcher should do: he contacted the Transport Department. After waiting two weeks without a response, he went to the press. Upon hearing from a reporter, rather than focusing on closing this massive security hole (and figuring out how to properly encrypt credit card numbers), the Transportation Department told the reporter that it was reporting Rogers to the police.
In other words, the officials there would rather malicious hackers have access to all that info, and are trying to throw the guy who told them they should fix their website in jail. Incredible.
Filed Under: australia, hacking, joshua rogers, security, security holes
Reader Comments
If I discovered an exploit, I sure as hell would not report it to the police or to the businesses who are affected by these exploits because I've seen how they treat those people who are reporting these exploits.
I'd be more apt to post the exploits on hacker sites before I reported them to the people running these websites.
Re:
Nobody actually cares about getting hacked. That happens to everyone and everything, and is seen more as a natural disaster (regardless of how tech people see the post-mortem analysis of the security hole, nobody else cares). Being seen as insecure? That's not a natural disaster, that's negligence. Someone's actually responsible for that. The case is the same if someone had gone to fix the problem - someone would have been called to account.
Being responsible for something negative is poison to government and corporate bureaucrats alike (as well as organizations), which is why this sort of thing happens. It's why whenever there's a settlement there's no admission of responsibility by the losing party. Until that changes, on a societal level, humiliating an organization (or doing something which might be humiliating) is going to draw retaliation.
Hence this widespread problem.
"likely he used a SQL injection vulnerability" -- That IS hacking.
Mike's notion that the web-site would rather allow malicious hackers is unsupported by any evidence. It's at least as likely that no other attempts were even made.
The only interest here is the meta-view of "teh internets" re-writing trivia: from "TheAge" to "Wired" and now all the way down to bottom-feeder Techdirt. A good question for Mike is why he links to "Wired" and not the original. But I think I have the answer:
http://en.wikipedia.org/wiki/Link_farming
Only on Techdirt play Spot The Fan-Bots! Clues: 1) sheer ad-hom yapping like an ankle-biter 2) copy-pasted to either a) paraphrase without new thought b) merely gainsay 3) complaining about prior comments instead of on-topic
Re: "likely he used a SQL injection vulnerability" -- That IS hacking.
Sorry for feeding the troll, and the run-on sentence.
Funny he gets all touchy about someone getting their ass handed to them by a kid though. It's quite telling.
High School is clearly rough for that dude.
Sorry to make fun of this, but...
Really?
New Game
Step 1: Open random post with comments on Techdirt.
Step 2: Find the ootb comment, revealing all hidden comments if need be.
Step 3: Record distance from First that ootb comment appears, including all comments hidden by moderation programming.
Step 4: Repeat.
The point is to see how far you can get before 5 posts have been opened.
--------------------------------------
Yes, using a SQL Injection Vulnerability can be considered hacking. However, here's the bigger issue, and it's not with how this kid spends his time. 5, 10, even 15 years from now, I'd much rather have this kid finding vulnerabilities on websites and reporting them than hearing about how he shanked his roommate for a pack of cigs. I'd much rather live in a world where excellence at computing is celebrated, rather than the world that ootb seems to look forward to. If you want security, fix your damn holes...don't cover them up. Open holes in one site ruin the rest.
Also, Streisand Effect applies to security vulnerabilities too.
I said it on reddit and I'll say it here:
DO NOT HELP THEM....
And really, is "one guy found it, maybe others will too, and maybe they won't be as upfront about it" such a difficult concept to grasp?
At this point, the only recourse for white hat hackers is to anonymously make vulnerabilities public knowledge. It's a shame that the companies won't get a grace period to fix their vulnerabilities while few black hats are aware of them, but at this point they've made it clear they don't want one.
At least by publicizing the vulnerabilities they won't end up being silently exploited for years.
I agree with #1 and #14 over the issues. No longer report to those that would benefit from a more secure site. Instead report it to the hackers who will force them to deal with it when their customers start raising hell about shit missing.
~ ~ ~
Alternatively, if you think this kid's behavior is OK, what's your home address? I'd like to spend some time trying to break in without your permission in the next week or so. Don't worry, I probably won't really break in - break in, I'm just curious as to how secure your house is...see if I can jimmy the locks and such. I will definitely probably maybe tell you about any vulnerabilities I find. I'm pretty good at this. I don't have like any certification for this and I don't work for any sort of organization that might legitimize this or anything; it's just kind of a hobby of mine when I get bored. So, we cool?
If we are going to allow hobbyist pen testers to operate, and maybe that's a good idea, it needs to be regulated.
The 3rd option
According to Mike Rogers, if no one knows about it, it doesn't exist. Besides, it may be a good thing to have a back door.
Re:
'Victim blaming'? Really? The kid was pointing out that the website had a massive security issue, one that made available a ton of personal data on everyone listed on it, and since contacting the department itself got him nothing, he went to the press to force them to address the issue and fix it.
This (which again only happened because they refused to listen to him when he contacted them directly about the problem) left them with a bunch of work to do and egg on their face, but rather than do the sane thing and thank him for pointing out a security problem they had, one that would have led to a massive problem if someone less ethical stumbled across it, they blame him for their embarrassment.
Re: safe as houses
My house contains no such database of other peoples' credit card numbers. If my home is breached, you will sleep soundly.
Metlink's database for comparison: "full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site".
Hence, all Australians wake in fright.
Re: Re:
The thing about metlink is... locals can either catch *their* trains, or no trains.
Re:
Rogers: Excuse me sir, but I noticed a security flaw on your website that I thought you might want to be aware of...
Webmaster: WHAT??!!! You little shit, how dare you call my baby ugly! I'm calling the cops.
DeadDrop
I know who you are. I know what you have. If you are looking for a security hole, you have one. If you are looking for a scapegoat, I can tell you I'm not him. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you plug your security hole now, that'll be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you, I will find you, and I will Barbra Streisand you.
This message was brought to you by SecureDrop
Bobby Tables
This way I have protected the data from crackers and the site operators would have no clue I did it. Seems like a better alternative than being prosecuted for being a nice guy.
http://xkcd.com/327/
This isn't the same thing, but I once discovered that Find-a-Grave had six famous people listed as being buried in the wrong cemetery. I had an account with them at that time and occasionally submitted a gravestone pic for the site.
The graves were actually in the old city cemetery, which wasn't very large, but Find-a-Grave had them listed in a large commercial cemetery nearby. I knew that people wanting to find those famous graves would waste a lot of time in that huge cemetery and never find the graves, so I went to a lot of trouble to show that they were in the other cemetery. I knew they would be skeptical, so I made it perfectly obvious.
I was never able to log into my account again. All my pics were still in their possession but most no longer showed on the site. I have no idea what happened there. What is it with website owners?
Re: "likely he used a SQL injection vulnerability" -- That IS hacking.
Wear it with pride
Wash ya mouth out boyo
Though Metlink might have bitten off more than they can chew under the Federal Privacy Act now.. More so since they are government contractors (for the Govt Public Transport sector in Victoria) and can be criminally charged (directors of companies are liable) because they had full foreknowledge and refused to act.
In March this all changes to even more detrimental effect towards companies who knowingly do NOT secure their information that comes under the new Australian Privacy Principles.
Would suck to be a Director of Metlink at the moment ;)
Also on an interesting note, Victoria is the state where the first ever Australian so-called 'hacking' cases were done on the pushing by the US Secret Service and FBI way back in the late 80's and early 90's, with NO major punishments or any other major detriment to the teenage defendants.
PTV does not have the most enviable reputation for IT
Consider for example, they have a serious infrastructure problem with their current ticketing system and their solution is based on enforcement. Basically, if your ticket is not validated, you are considered guilty, unless you can categorically prove that the equipment has not worked. This you can only really do by testing and also seeing the actual transactions sent by the validating devices. Since you can't test the devices and it can take a month or more to see your own transactions, you are stuck with the "on the spot" fines. The reputation that the ticket inspectors have is probably lower than used car salesmen and lawyers.
I have seen all the validators on a single tram just turn off, and it took some time for them to come online again. If you get on while these machines are offline, and then the inspectors decide to check your tickets, they will generally fine you even if they have observed the problem occurring.
Re:
I would also recommend any organisation within Australia (this covers ALL now, not just government) or wanting to do business with Australia to read, analyse, and implement the new Australian Privacy Principles (APPs) that come into effect in March 2014.
Also you might note that notification of data breaches is now mandatory (not just voluntary under the old guide).
Re:
http://ptv.vic.gov.au/tickets/myki
It's part of Public Transport Victoria
Also for a nice laughable read now.. read their privacy policy http://ptv.vic.gov.au/privacy/#myki [my favourite part is where they state "PTV and its agents will take all reasonable measures to secure personal information."]
Oh, and the contact details at the bottom are TO USE!
Doubt he gets charged
http://www.theage.com.au/it-pro/security-it/hacked-site-reports-boy-to-police-20140108-hv7tl.html
I seriously doubt anyone's going to press charges at the end of the day. It's not the first time or the last this will happen. Our media (the part not owned by Rupert Murdoch) at least makes sure the people responsible end up with egg on their face and don't want to risk the embarrassment of more details coming out due to legal action.
1. Sub-contract for a website that is built at several times the going rate;
2. When a security hole is found (composite explanation with minor local variances):
(a) Accuse the world of hacking the website;
(b) Report the hack to the police;
(c) Close down the website for 'maintenance';
(d) Never re-open the website.
While they Shoot the canary
Someone is probably hammering their site without them knowing about it. (not that they knew before).
What is scary is that this will have a chilling effect on people who might actually help.
Part of me wants to see that whole site collapse, but then they will just blame the kid again.
Re:
... now this I like. CC companies would be the perfect foil.
Bureaucrats and Engineers
To an engineer, the objective is to build the best whatever possible. When someone points out a flaw, that person is a hero because then the engineer can fix the problem and make their product better.
To a bureaucrat, the objective is to cover his ass. Problems don't exist until someone reports them; In effect, the person reporting the problem didn't discover it, they created it where it did not exist before. And worse, the person it is reported to is now an accomplice to creating the problem unless they bury it so deep it will never be heard from again.
Given that very few engineers are the heads of companies, you get the absurdity playing itself out over and over, where companies go on the attack against anyone who points out a problem in one of their products or systems.
Re:
Why wouldn't the Stick your fingers in your ears and go 'la la la' approach work?
Re:
Fact: those who don't attempt to find "vulnerabilities" on web-sites are unlikely to be reported to police. It's almost as though they're telling budding "hackers" not to make such attempts but try to find something useful to do with their time. This level of hacking requires almost zero knowledge or skill, no more than running a simple program. So why do it?
Why do it? I'll tell you why Blue. It's rather simple and I'm surprised you don't get it.
Hacking in this manner is a modern day version of questioning authority. These hackers are pushing the edge just to determine the limits of these systems. They are simply questioning the authority of those limiting what they can achieve with their knowledge and a computer.
For someone who constantly rails against Government and "The Rich", this appears to be another of your disconnect areas. You scream and yell that we should be questioning those in authority, but if you're labeled a "hacker" then you are supposed to shut up and meekly follow all the rules. That doesn't make much sense. Once again, your consistency is lacking.
Re:
> would not report it to the police or to
> the businesses who are affected by these
> exploits because I've seen how they treat
> those people who are reporting these exploits.
At this point, at a minimum, someone wanting to do this should probably get an attorney and report it anonymously through the lawyer.
Re: The 3rd option
If so, I see a major problem with this. When Mr Black hat finds it 6 months later and steals everyone's credit card info, the first thing they are going to do is report him to the police as being the thief.
If he is getting in trouble for this "hack" when nothing bad happened, imagine how much worse it would be if the police thought he actually did something harmful.
Re: Re:
The existence of a security hole is not, by itself, evidence that there was anything like gross negligence or fraud. I guarantee that every device you (or anybody else) owns that can communicate has more than one security hole.
Re: Re: Re:
(The reason to use an attorney for this is that the attorney can't be compelled to tell anyone who you are.)
Re: "likely he used a SQL injection vulnerability" -- That IS hacking.
Actually, SQL injection does, in fact, take a certain level of knowledge and skill. You have to know SQL, you have to have a fundamental understanding of the way it tends to be used for this type of application, and you have to get the right table names.
It's not rocket science, but it's not something you usually see the script kiddies doing, either.
Re: The 3rd option
The only reason that practice stopped is because companies, quite reasonably, asked everyone to please tell them about their security problems first, to give them a chance to fix it, before telling the world.
If the company doesn't want to be told, then just skip that step.