Australian Teen Alerts Transit Department To Security Hole On Website… Gets Reported To Police

from the not-this-again dept

For years and years, we’ve been stumped by why website owners try to kill the messenger when someone discovers a hole on their website. It’s happened yet again. Down in Australia, a 16-year-old by the name of Joshua Rogers found a security hole in the Metlink website, which is run by the Transport Department in Victoria. The hole appears to be a fairly large one:

The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne.

Rogers did exactly what a good security researcher should do: he contacted the Transport Department. After waiting two weeks without a response, he went to the press. Upon hearing from a reporter, rather than focusing on closing this massive security hole (and working out how to protect the stored credit card data properly), the Transport Department told the reporter that it was reporting Rogers to the police.

In other words, the officials there would rather malicious hackers have access to all that info, and are trying to throw the guy who told them they should fix their website in jail. Incredible.



Comments on “Australian Teen Alerts Transit Department To Security Hole On Website… Gets Reported To Police”

70 Comments
kenichi tanaka (profile) says:

When will people start learning to stop reporting these hacks to the authorities and the businesses who are affected by these exploits? Simply post these exploits on hacker websites.

If I discovered an exploit, I sure as hell would not report it to the police or to the businesses who are affected by these exploits because I’ve seen how they treat those people who are reporting these exploits.

I’d be more apt to post the exploits on hacker sites before I reported them to the people running these websites.

Anonymous Coward says:

Re: Re:

This.

Nobody actually cares about getting hacked. That happens to everyone and everything, and is seen more as a natural disaster (regardless of how tech people see the post-mortem analysis of the security hole, nobody else cares). Being seen as insecure? That’s not a natural disaster, that’s negligence. Someone’s actually responsible for that. The case is the same if someone had gone to fix the problem – someone would have been called to account.

Being responsible for something negative is poison to government and corporate bureaucrats alike (as well as organizations), which is why this sort of thing happens. It’s why whenever there’s a settlement there’s no admission of responsibility by the losing party. Until that changes, on a societal level, humiliating an organization (or doing something which might be humiliating) is going to draw retaliation.

Hence this widespread problem.

Anonymous Coward says:

Re: not reporting exploits

You’ve seen how “they” treat people who report these exploits ONLY when the treatment comes to your attention by being bad, as it is in this case. How many exploits have been reported and fixed without anyone else knowing about it? Dozens, hundreds, thousands? You have absolutely no idea, because you only hear of the cases that turn out like this.

btr1701 (profile) says:

Re: Re:

> If I discovered an exploit, I sure as hell
> would not report it to the police or to
> the businesses who are affected by these
> exploits because I’ve seen how they treat
> those people who are reporting these exploits.

At this point, at a minimum, someone wanting to do this should probably get an attorney and report it anonymously through the lawyer.

out_of_the_blue says:

"likely he used a SQL injection vulnerability" -- That IS hacking.

Fact: those who don’t attempt to find “vulnerabilities” on web-sites are unlikely to be reported to police. It’s almost as though they’re telling budding “hackers” not to make such attempts but to try to find something useful to do with their time. This level of hacking requires almost zero knowledge or skill, no more than running a simple program. So why do it?

Mike’s notion that the web-site would rather allow malicious hackers is unsupported by any evidence. It’s at least as likely that no other attempts were even made.

The only interest here is meta-view of “teh internets” re-writing trivia: from “TheAge” to “Wired” and now all the way down to bottom-feeder Techdirt. A good question for Mike is why he links to “Wired” and not the original. But think I have the answer:
http://en.wikipedia.org/wiki/Link_farming


Only on Techdirt play Spot The Fan-Bots! Clues: 1) sheer ad-hom yapping like an ankle-biter 2) copy-pasted to either a) paraphrase without new thought b) merely gainsay 3) complaining about prior comments instead of on-topic


Anonymous Coward says:

Re: "likely he used a SQL injection vulnerability" -- That IS hacking.

I’m confused… if Jimmy the neighborhood teenager gives the crazy-town gazette a picture of the contents of your safe deposit box because the bank was leaving a window into the vault open (even after he told the manager) you’d say the bank did everything within their power to protect your stuff and the teenager needed to do something useful with his life?

Sorry for feeding the troll, and the run-on sentence.

Gwiz (profile) says:

Re: Re:

“likely he used a SQL injection vulnerability” — That IS hacking.
Fact: those don’t attempt to find “vulnerabilities” on web-sites are unlikely to be reported to police. It’s almost as though they’re telling budding “hackers” not to make such attempts but try to find something useful to do with their time. This level of hacking requires almost zero knowledge or skill, no more than running a simple program. So why do it?

Why do it? I’ll tell you why Blue. It’s rather simple and I’m surprised you don’t get it.

Hacking in this manner is a modern day version of questioning authority. These hackers are pushing the edge just to determine the limits of these systems. They are simply questioning the authority of those limiting what they can achieve with their knowledge and a computer.

For someone who constantly rails against Government and “The Rich”, this appears to be another of your disconnect areas. You scream and yell that we should be questioning those in authority, but if you’re labeled a “hacker” then you are supposed to shut up and meekly follow all the rules. That doesn’t make much sense. Once again, your consistency is lacking.

John Fenderson (profile) says:

Re: "likely he used a SQL injection vulnerability" -- That IS hacking.

This level of hacking requires almost zero knowledge or skill

Actually, SQL injection does, in fact, take a certain level of knowledge and skill. You have to know SQL, you have to have a fundamental understanding of the way it tends to be used for this type of application, and you have to get the right table names.

It’s not rocket science, but it’s not something you usually see the script kiddies doing, either.
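To make concrete what the two sides above are arguing about, here is an added example; it is not code from the article, from Metlink or from any commenter. It assumes a hypothetical public “service status” lookup backed by SQLite, and the tables, rows and payloads are constructed for the demonstration (the field names only mirror the list quoted in the article). It shows both halves of the disagreement at once: the attacker does need to know SQL and does need table names, but a UNION against the database’s own catalogue removes the guesswork, while the parameterized form of the same query turns the identical payload into a harmless string.

```python
import sqlite3


# Constructed sample data, not Metlink's real schema or rows. The column
# names echo the field list quoted in the article so the leak is recognisable.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer (
            id INTEGER PRIMARY KEY,
            full_name TEXT, email TEXT, dob TEXT, card_extract TEXT
        );
        INSERT INTO customer VALUES
            (1, 'Ann Example', 'ann@example.test', '1980-01-01', '411111111'),
            (2, 'Bob Example', 'bob@example.test', '1975-06-15', '555555555');
        CREATE TABLE outage (id INTEGER PRIMARY KEY, route TEXT, note TEXT);
        INSERT INTO outage VALUES (1, 'Route 86', 'Tram replaced by bus');
    """)
    return conn


# Vulnerable form (hypothetical): the route name typed by the user is pasted
# into the SQL text, so whatever they type is parsed as SQL, not as a value.
def lookup_vulnerable(conn, route):
    sql = f"SELECT route, note FROM outage WHERE route = '{route}'"
    return conn.execute(sql).fetchall()


# Hardened form: same query, but the value travels as a bound parameter.
# The database never parses it, so the payloads below match no route at all.
def lookup_parameterized(conn, route):
    sql = "SELECT route, note FROM outage WHERE route = ?"
    return conn.execute(sql, (route,)).fetchall()


# Injected inputs. The first closes the quoted string, UNIONs in SQLite's own
# catalogue (so no table name has to be guessed) and comments out the trailing
# quote; the second reuses the discovered table name. Both UNIONs must match
# the two-column shape of the original SELECT, which is the kind of SQL
# knowledge the comment above is talking about.
ENUM_TABLES = "' UNION SELECT name, sql FROM sqlite_master WHERE type = 'table' --"
DUMP_CUSTOMER = "' UNION SELECT full_name, card_extract FROM customer --"


def table_names_via_injection(conn):
    """Table names recovered through the vulnerable lookup."""
    rows = lookup_vulnerable(conn, ENUM_TABLES)
    return sorted(name for name, _ in rows)


def customer_rows_via_injection(conn):
    """(full_name, card_extract) pairs recovered through the vulnerable lookup."""
    return sorted(lookup_vulnerable(conn, DUMP_CUSTOMER))


if __name__ == "__main__":
    db = build_db()
    print("legitimate query:", lookup_vulnerable(db, "Route 86"))
    print("tables leaked:", table_names_via_injection(db))
    print("customers leaked:", customer_rows_via_injection(db))
    print("same payload, parameterized:", lookup_parameterized(db, DUMP_CUSTOMER))
```

The fix is the one-line change from string formatting to a bound parameter; nothing about the schema or the data needs to move for the payloads to stop working.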

dante866 (profile) says:

New Game

I’ve started playing a new game…

Step 1: Open random post with comments on Techdirt.
Step 2: Find the ootb comment, revealing all hidden comments if need be.
Step 3: Record distance from First that ootb comment appears, including all comments hidden by moderation programming.
Step 4: Repeat.

The point is to see how far you can get before 5 posts have been opened.
————————————–
Yes, using a SQL Injection Vulnerability can be considered hacking. However, here’s the bigger issue, and it’s not with how this kid spends his time. 5, 10, even 15 years from now, I’d much rather have this kid finding vulnerabilities on websites and reporting them than hearing about how he shanked his roommate for a pack of cigs. I’d much rather live in a world where excellence at computing is celebrated, rather than the world that ootb seems to look forward to. If you want security, fix your damn holes…don’t cover them up. Open holes in one site ruin the rest.

Also, Streisand Effect applies to security vulnerabilities too.

Anonymous Coward says:

I can’t think of which country, apart from the USA, already does this sort of thing. Then they wonder what the hell they can do when no one bothers to help them out of the shit they have caused for themselves. This is exactly the sort of thing that Obama has started, thanks to the way he pisses all over those who have done what he wanted, what he encouraged people to do: report to the authorities things that are wrong! He left out the bit about throwing you in jail for your trouble, as your reward! As two-faced as the rest of politicians!!!

Anonymous Coward says:

These companies are hilarious! They really believe in security through obscurity.
And really, is “one guy found it, maybe others will too, and maybe they won’t be as upfront about it” such a difficult concept to grasp?

At this point, the only recourse for white hat hackers is to anonymously make vulnerabilities public knowledge. It’s a shame that the companies won’t get a grace period to fix their vulnerabilities while few black hats are aware of them, but at this point they’ve made it clear they don’t want one.
At least by publicizing the vulnerabilities they won’t end up being silently exploited for years.

Anonymous Coward says:

Thank you Senator Leahy for your brilliant new bill that makes discussing computer security a crime as if you did it. Instead of reporting this to people who you would think would be grateful for having prevented a major hack, they are now pushing for hacking charges.

I agree with #1 and #14 over the issues. No longer report to those that would benefit from a more secure site. Instead report it to the hackers who will force them to deal with it when their customers start raising hell about shit missing.

Anonymous Coward says:

Isn’t getting on the company’s case just a form of victim blaming though? It’s basically the same as telling women to “cover up” to avoid assault. Is that OK?

~ ~ ~

Alternatively, if you think this kid’s behavior is OK, what’s your home address? I’d like to spend some time trying to break in without your permission in the next week or so. Don’t worry, I probably won’t really break in – break in, I’m just curious as to how secure your house is…see if I can jimmy the locks and such. I will definitely probably maybe tell you about any vulnerabilities I find. I’m pretty good at this. I don’t have like any certification for this and I don’t work for any sort of organization that might legitimize this or anything; it’s just kind of a hobby of mine when I get bored. So, we cool?

If we are going to allow hobbyist pen testers to operate, and maybe that’s a good idea, it needs to be regulated.

That One Guy (profile) says:

Re: Re:

Let me guess, you work at some company that was told about a glaring security issue in your system that you were too lazy to deal with?

‘Victim blaming’? Really? The kid was pointing out that the website had a massive security issue, one that made available a ton of personal data on everyone listed on it, and since contacting the department itself got him nothing, he went to the press to force them to address the issue and fix it.

This (which again only happened because they refused to listen to him when he contacted them directly about the problem) left them with a bunch of work to do and egg on their face, but rather than do the sane thing and thank him for pointing out a security problem they had, one that would have led to a massive problem if someone less ethical had stumbled across it, they blame him for their embarrassment.

@blamer (user link) says:

Re: safe as houses

Analogy Does Not Hold.

My house contains no such database of other peoples’ credit card numbers. If my home is breached, you will sleep soundly.

Metlink’s database for comparison: “full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site”.

Hence, all Australians wake in fright.

Anonymous Coward says:

Re: Re:

A better analogy is leaving the house with your door wide open, and then when your neighbor calls to let you know, you ignore them. So, they call your partner/spouse/kids (anyone affected by the open door) to let them know you left the door open so they will tell you to close it. When they get mad at you, you call the police on your neighbor.

Greg (profile) says:

Re: The 3rd option

Are you saying that he should have told the company about the vulnerability, then if they did not do anything about it, just tell no one else?

If so, I see a major problem with this. When Mr Black hat finds it 6 months later and steals everyone’s credit card info, the first thing they are going to do is report him to the police as being the thief.

If he is getting in trouble for this “hack” when nothing bad happened, imagine how much worse it would be if the police thought he actually did something harmful.

John Fenderson (profile) says:

Re: The 3rd option

The better solution is to do what white-hat hackers used to do routinely: publish the vulnerability widely and publicly.

The only reason that practice stopped is because companies, quite reasonably, asked everyone to please tell them about their security problems first, to give them a chance to fix it, before telling the world.

If the company doesn’t want to be told, then just skip that step.

Liam Neeson says:

DeadDrop

Dear [insert Company]

I know who you are. I know what you have. If you are looking for a security hole, you have one. If you are looking for a scapegoat, I can tell you I’m not him. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you plug your security hole now, that’ll be the end of it. I will not look for you, I will not pursue you. But if you don’t, I will look for you, I will find you, and I will Barbra Streisand you.

This message was brought to you by SecureDrop

Anonymous Coward says:

what is it with website owners?

This isn’t the same thing, but I once discovered that find-a-grave had six famous people as being buried in the wrong cemetery. I had an account with them at that time and occasionally submitted a gravestone pic for the site.

The graves were actually in the old city cemetery, which wasn’t very large, but find-a-grave had them listed in a large commercial cemetery nearby. I knew that people wanting to find those famous graves would waste a lot of time in that huge cemetery and never find the graves, so I went to a lot of trouble to show that they were in the other cemetery. I knew they would be skeptical, so I made it perfectly obvious.

I was never able to log into my account again. All my pics were still in their possession but most no longer showed on the site. I have no idea what happened there. What is it with website owners?

Anonymous Coward says:

Perhaps these people need someone with more skin in the game to report these security flaws to. Who has more skin in the game than the credit card companies who would end up eating the cost of the fraud? The credit card companies are powerful enough to get noticed and too powerful to be ridden roughshod over. Simply promise to cut off companies who fail to repair flaws in a timely manner.

Sunhawk (profile) says:

Re: Re:

Perhaps these people need someone with more skin in the game to report these security flaws to. Who has more skin in the game than the credit card companies who would end up eating the cost of the fraud? The credit card companies are powerful enough to get noticed and too powerful to be ridden roughshod over. Simply promise to cut off companies who fail to repair flaws in a timely manner.

… now this I like. CC companies would be the perfect foil.

G Thompson (profile) says:

Believe me, this teenager is definitely not going to be convicted of anything under the Crimes Act.

Though Metlink might have bitten off more than they can chew under the Federal Privacy Act now, more so since they are government contractors (for the Govt Public Transport sector in Victoria) and can be criminally charged (directors of companies are liable) because they had full foreknowledge and refused to act.

In March this all changes to even more detrimental effect towards companies who knowingly do NOT secure their information that comes under the new Australian Privacy Principles.

Would suck to be a Director of Metlink at the moment 😉
Also on an interesting note, Victoria is the state where the first ever Australian so-called ‘hacking’ cases were done, on the pushing of the US Secret Service and FBI, way back in the late 80’s and early 90’s, with NO major punishments or any other major detriment to the teenage defendants.

G Thompson (profile) says:

Re: Re:

In fact, further to this, if any Victorians are reading this I would advise you, if you are a Metlink customer (and that’s basically anyone who has ridden on a bus, train or tram), to contact your local MP (Federal and State) as well as, specifically, the Victorian Privacy Commissioner.

I would also recommend any organisation within Australia (this covers ALL now, not just government) or wanting to do business with Australia to read, analyse, and implement the new Australian Privacy Principles (APPs) that come into effect in March 2014.

Also you might note that Notification of Data breaches are now mandatory (not just voluntary under the old guide)

G Thompson (profile) says:

Re: Re:

Here is the login/about page

http://ptv.vic.gov.au/tickets/myki

It’s part of Public Transport Victoria

Also, for a nice laughable read now, read their privacy policy http://ptv.vic.gov.au/privacy/#myki [my favourite part is where they state “PTV and its agents will take all reasonable measures to secure personal information.”]

oh and the Contact details at bottom are TO USE!

Tru Blu says:

PTV does not have the most enviable reputation for IT

If you ask the right people, you will find out how screwed up PTV is in their handling of IT (systems and people). One has to remember that it is a government based bureaucracy and has all the failings there-in.

Consider, for example, that they have a serious infrastructure problem with their current ticketing system and their solution is based in enforcement. Basically, if your ticket is not validated, you are considered guilty, unless you can categorically prove that the equipment has not worked. This you can only really do by testing and also seeing the actual transactions sent by the validating devices. Since you can’t test the devices and it can take a month or more to see your own transactions, you are stuck with the “on the spot” fines. The reputation that the ticket inspectors have is probably lower than used car salesmen and lawyers.

I have seen all the validators on a single tram just turn off and it take some time for them to come on line again. If you get on while these machines are off line, and then the inspectors decide to check your tickets, they will generally fine you even if they have observed the problem occurring.

Clownius says:

Doubt he gets charged

Heres the original (updated) source. The Age

http://www.theage.com.au/it-pro/security-it/hacked-site-reports-boy-to-police-20140108-hv7tl.html

I seriously doubt anyone’s going to press charges at the end of the day. It’s not the first time or the last this will happen. Our media (the part not owned by Rupert Murdoch) at least makes sure the people responsible end up with egg on their face and don’t want to risk the embarrassment of more details coming out due to legal action.

haiku says:

In ZA it is standard operating procedure for all governmental / municipal / etc. agencies, i.e. those paying with taxpayers’ money, to:

1. Sub-contract for a website that is built at several times the going rate;
2. When a security hole is found (composite explanation with minor local variances):
(a) Accuse the world of hacking the website;
(b) Report the hack to the police;
(c) Close down the website for ‘maintenance’;
(d) Never re-open the website.

MerkleTree says:

While they Shoot the canary

While they are busy shootin’ the canary, and yelling the word “terr” every 60 seconds.

Someone is probably hammering their site without them knowing about it. (not that they knew before).

What is scary is that this will have a chilling effect on people who might actually help.

Part of me wants to see that whole site collapse, but then they will just blame the kid again.

Bergman (profile) says:

Bureaucrats and Engineers

This whole ‘prosecute the messenger’ thing makes perfect sense when you consider that most companies are run by bureaucrats not engineers.

To an engineer, the objective is to build the best whatever possible. When someone points out a flaw, that person is a hero because then the engineer can fix the problem and make their product better.

To a bureaucrat, the objective is to cover his ass. Problems don’t exist until someone reports them; In effect, the person reporting the problem didn’t discover it, they created it where it did not exist before. And worse, the person it is reported to is now an accomplice to creating the problem unless they bury it so deep it will never be heard from again.

Given that very few engineers are the heads of companies, you get the absurdity playing itself out over and over, where companies go on the attack against anyone who points out a problem in one of their products or systems.
