Is accessing a public website 'hacking'?


  • streaker69
    replied
    Re: Is accessing a public website 'hacking'?

    Originally posted by Fallenour View Post
    If your site is so insecure that you don't need at least one tool, or you can type in admin admin and log in, you're not secure, and that's not hacking, a small child could do that, it's not the fact that routed around security if there was none to begin with.
    Technically you're not correct with that theory. While it is incredibly weak security, it is security all the same. Unauthorized trespass is still unauthorized trespass no matter how weak the security is. The current laws in the US do not clarify whether or not 'strong' security was bypassed or 'weak' security was, just that security was bypassed. Actually it defines it as "exceeding authority on a protected system", meaning if you were not granted authority to be there, you shouldn't be there.



  • Fallenour
    replied
    Re: Is accessing a public website 'hacking'?

    If your site is so insecure that you don't need at least one tool, or you can type in admin admin and log in, you're not secure, and that's not hacking, a small child could do that, it's not the fact that routed around security if there was none to begin with.



  • cronek
    replied
    Re: Is accessing a public website 'hacking'?

    Originally posted by Deviant Ollam View Post
    interesting... so this was an HTML page that hotlinked some content via that method? thus, making it not clear to the people viewing the page that they were using credentials, etc.

    pretty sneaky, heh. that in itself is a spiffy little hack, i'd have to say.
    to be honest I wasn't even aware that a browser would allow this to be used for linking images, yet then again it makes perfect sense.
    I'm still quite amazed that a person with a severe lack of technical skills came up with this method for fixing the "why doesn't my website work" issue. I'm thinking that it was made using some WYSIWYG webpage-o-tronic software and that he filled this in as the website URL instead of the HTTP link, thus having everything autocreated in this manner.

    Originally posted by Deviant Ollam View Post
    nod. however, that same evidence (if the system logs on the FTP server were being generated in a way that makes sense) would also likely have indicated that the accessing was done with client software that wasn't all that typical... a web browser instead of an FTP client.
    well if you isolate a login entry there's really no difference to be seen, and they kept refusing to show him the full log, only the logs from his IP address. It showed a lot of consecutive logins, so "he must have been hacking really hard" ;)

    connecting to an ftpd with a browser just results in this being logged, so no real visible difference: (just tested it, vsftpd by the way)
    Tue Mar 16 08:54:59 2010 [pid 15609] CONNECT: Client "xxx.xxx.xxx.xxx"
    Tue Mar 16 08:55:03 2010 [pid 15608] [username] OK LOGIN: Client "xxx.xxx.xxx.xxx"

    Originally posted by Deviant Ollam View Post
    it sounds like this is one of those situations where properly fighting it in court could have had the matter thrown out. i don't know Belgian law, but possibly if a lawyer were to demonstrate:

    1. there was this joke page that existed (if someone saved a copy)

    2. viewing that page automatically causes the FTP logins

    3. the FTP logs show it was a web browser logging in

    4. the FTP logs show multiple logins within less than a second (something no human would want to do or even could do manually) and data was only read, not modified

    5. the FTP logs showed scores of other such logins all at the same time, then never happening again

    6. someone, somewhere was irresponsible with keeping their login credentials secret

    ... there's a chance the case would have been dismissed. chances are, however, that it would have cost more than 250 Euro in legal fees. it's all a matter of how much a lack of a criminal record is worth to someone.
    possibly, however by then the page was gone and nobody saved a copy (which probably wouldn't really hold up in court anyway). This also happened in a time where most people didn't even know what the Internet was. The police officers involved in this would be acting like expert witnesses (they were with the FCCU, federal computer crime unit, and therefore were supposed to know everything about this, only they probably still got lost in minesweeper) saying that the logs certainly indicated an evil super hacker "because he logged in so many times"... and people would probably believe this.

    Yet if it was me in that situation I'd have fought it to the bitter end, I'd never take risks resulting in losing my clearance.

    Basically it can all be attributed to the sheer stupidity of the officials involved (I've since met some other people from the FCCU and they knew their stuff, and when I told them about this incident they replied that they have a lot of really dumb people there as well) and of course of the guy who created the website and basically put his credentials online for everyone to use. They should've given him a good taste of the LART.

    Originally posted by Deviant Ollam View Post
    hopefully, this person won't click random links on IRC or will at least have the good sense to enable Tor before doing so.

    i'm glad that they weren't hit with other fines or any incarceration or confiscation of equipment. it's a shame it got that far, but technically someone else's login was "used" even if it could be proven to have been accidental/unintentional.
    I also hope for him that having this on his record won't harm him in the future. However in that time this was only a minor mischief (therefore the low fine and no court involvement) so it could be OK.


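Added example, not part of any post in this thread: a sketch of the log review that points 4 and 5 in the quoted list call for, run over `OK LOGIN` lines in the vsftpd format cronek pasted. The account names, addresses and sample lines are constructed, and because the log only has one-second resolution, "less than a second" is approximated as a one-second window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "OK LOGIN" line format quoted in the post above.
LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<ip>[^"]+)"'
)

def parse_logins(lines):
    """Yield (timestamp, user, client_ip) for each successful login line."""
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["user"], m["ip"]

def summarize(lines, window=timedelta(seconds=1)):
    """Per account: logins, distinct client IPs, largest per-client burst in `window`."""
    by_user = defaultdict(lambda: defaultdict(list))
    for ts, user, ip in parse_logins(lines):
        by_user[user][ip].append(ts)
    report = {}
    for user, per_ip in by_user.items():
        max_burst = 0
        for stamps in per_ip.values():
            stamps.sort()
            start = 0
            for end, t in enumerate(stamps):
                # Slide the window start forward until it spans <= `window`.
                while t - stamps[start] > window:
                    start += 1
                max_burst = max(max_burst, end - start + 1)
        logins = sum(len(s) for s in per_ip.values())
        report[user] = {"logins": logins, "distinct_ips": len(per_ip), "max_burst": max_burst}
    return report

# Constructed sample in vsftpd's format; addresses are documentation ranges.
SAMPLE = """\
Tue Mar 16 08:54:59 2010 [pid 15609] CONNECT: Client "192.0.2.10"
Tue Mar 16 08:55:03 2010 [pid 15608] [petpage] OK LOGIN: Client "192.0.2.10"
Tue Mar 16 08:55:03 2010 [pid 15611] [petpage] OK LOGIN: Client "192.0.2.10"
Tue Mar 16 08:55:04 2010 [pid 15613] [petpage] OK LOGIN: Client "192.0.2.10"
Tue Mar 16 08:55:20 2010 [pid 15620] [petpage] OK LOGIN: Client "198.51.100.7"
Tue Mar 16 08:55:20 2010 [pid 15622] [petpage] OK LOGIN: Client "198.51.100.7"
Tue Mar 16 08:56:02 2010 [pid 15630] [petpage] OK LOGIN: Client "203.0.113.44"
Tue Mar 16 09:10:45 2010 [pid 15702] [alice] OK LOGIN: Client "192.0.2.200"
""".splitlines()

if __name__ == "__main__":
    for user, stats in summarize(SAMPLE).items():
        print(user, stats)
```

One account logged in from several unrelated addresses in machine-speed bursts reads as a published credential, which a log filtered down to a single IP cannot show.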

  • Deviant Ollam
    replied
    Re: Is accessing a public website 'hacking'?

    Originally posted by cronek View Post
    Is accessing a public website 'hacking'?
    heh, only in the movies... when the geeky yet smooth-skinned protagonist goes to changemygrades.com and impresses the sexy, iconoclastic girl who will later kiss or sleep with him depending on the movie's MPAA rating.

    what i think we're really asking here is "is doing basic HTTP stuff with a web browser an act of prosecutable computer trespass?"

    Originally posted by cronek View Post
    this person had linked all pages and images in the following fashion: ftp://username:password@users.isp.tld/file. So naturally if you visit this page you'll log in a couple times with this guy's credentials.
    interesting... so this was an HTML page that hotlinked some content via that method? thus, making it not clear to the people viewing the page that they were using credentials, etc.

    pretty sneaky, heh. that in itself is a spiffy little hack, i'd have to say.


    Originally posted by cronek View Post
    the only evidence they had was a log of his IP address successfully logging in with the victim's credentials.
    nod. however, that same evidence (if the system logs on the FTP server were being generated in a way that makes sense) would also likely have indicated that the accessing was done with client software that wasn't all that typical... a web browser instead of an FTP client.


    Originally posted by cronek View Post
    the case went through and in the end he had to pay a 250 euro fine, for clicking a link.
    it sounds like this is one of those situations where properly fighting it in court could have had the matter thrown out. i don't know Belgian law, but possibly if a lawyer were to demonstrate:

    1. there was this joke page that existed (if someone saved a copy)

    2. viewing that page automatically causes the FTP logins

    3. the FTP logs show it was a web browser logging in

    4. the FTP logs show multiple logins within less than a second (something no human would want to do or even could do manually) and data was only read, not modified

    5. the FTP logs showed scores of other such logins all at the same time, then never happening again

    6. someone, somewhere was irresponsible with keeping their login credentials secret

    ... there's a chance the case would have been dismissed. chances are, however, that it would have cost more than 250 Euro in legal fees. it's all a matter of how much a lack of a criminal record is worth to someone.

    hopefully, this person won't click random links on IRC or will at least have the good sense to enable Tor before doing so.

    i'm glad that they weren't hit with other fines or any incarceration or confiscation of equipment. it's a shame it got that far, but technically someone else's login was "used" even if it could be proven to have been accidental/unintentional.



  • streaker69
    replied
    Re: Is accessing a public website 'hacking'?

    Originally posted by bluerules View Post
    Long ago a local ISP had a policy of setting every user's default FTP password to "Changeit". Of course, most people didn't (or didn't know how to) change it, so a bunch of web sites got defaced before they changed their policy.

    Really you have to wonder about the people in charge who come up with these ideas...
    Allowing world+dog to have FTP access is generally a bad idea to begin with.



  • bluerules
    replied
    Re: Is accessing a public website 'hacking'?

    Long ago a local ISP had a policy of setting every user's default FTP password to "Changeit". Of course, most people didn't (or didn't know how to) change it, so a bunch of web sites got defaced before they changed their policy.

    Really you have to wonder about the people in charge who come up with these ideas...



  • cronek
    replied
    Re: Is accessing a public website 'hacking'?

    A similar story happened to a friend of mine:

    On a rainy day, quite a few years ago, we were idling on IRC. Some guy comes in, posts a link to some ISP customer's webpage (like users.isp.tld/username). Everyone clicks it, another boring personal homepage with pictures of pets, however, something was off. It then came to us that this person had linked all pages and images in the following fashion: ftp://username:password@users.isp.tld/file. So naturally if you visit this page you'll log in a couple times with this guy's credentials. Everyone had a laugh at the sheer stupidity and life continued.

    A few days later, this friend, who was also on that channel that day, received a visit from the rozzers. They claimed that he "hacked" some poor innocent guy's ISP account and read his email/changed his subscription, defaced his webpage, raped his dog, ... which by the way he didn't.

    So the only evidence they had was a log of his IP address successfully logging in with the victim's credentials. It apparently didn't matter that there were about a gazillion more logins all from different IP addresses, they just seemed to have randomly chosen him. As no LEO involved in the case had even the slightest idea of what it all meant, the case went through and in the end he had to pay a 250 euro fine, for clicking a link.


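Added example, not part of any post in this thread: a pre-publish check a site owner could run over their own HTML to catch links of the `ftp://username:password@users.isp.tld/file` form described above. The attribute list, file names and sample page are constructed, and findings are reported with the password redacted.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that commonly hold a URL the browser will fetch or follow.
URL_ATTRS = {"href", "src", "action", "background", "data", "poster"}

class CredentialLinkFinder(HTMLParser):
    """Collects URLs in link-bearing attributes that embed a password."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                parts = urlsplit(value.strip())
                password = parts.password
            except ValueError:
                continue  # malformed URL, nothing to report here
            if password:
                host = parts.hostname or ""
                redacted = f"{parts.scheme}://{parts.username}:***@{host}{parts.path}"
                self.findings.append((self.getpos()[0], tag, name, redacted))

def find_credential_links(html_text):
    """Return (line, tag, attribute, redacted_url) for each credentialed URL."""
    finder = CredentialLinkFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed page in the style the post describes.
SAMPLE_PAGE = """<html><body>
<h1>My pets</h1>
<img src="ftp://username:password@users.isp.tld/cat.jpg">
<a href="ftp://username:password@users.isp.tld/dogs.html">Dogs</a>
<a href="http://users.isp.tld/username/guestbook.html">Guestbook</a>
<a href="mailto:someone@users.isp.tld">Mail me</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_credential_links(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}> {url}")
```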

  • TheCotMan
    replied
    Re: Is accessing a public website 'hacking'?

    Originally posted by renderman View Post
    Nearly identical thing happened just a short time ago back home.

    http://blog.mastermaq.ca/2010/02/09/...ugh-obscurity/
    Something similar happened in 2005 College Admissions Sites Breached. Really, what the applicants did was to alter form variables posted to a page (after logging in) to get access to information on being accepted before official notice of acceptance was sent to them by email or snail-mail. (There is an advantage in knowing early if you are accepted at a college, so you can begin to plan for housing, and more.)

    Originally posted by article
    Applicants accessed admissions sites ... after a hacker posted instructions ...

    The instructions told applicants to log in to their admissions Web page and find their identification numbers in the source code, or raw Web programming instructions, available on the site. By plugging those numbers into another Web page address, they were directed to a page where their admissions decision would be found.
    The result? Harvard decided to reject 119 applicants that used this technique to get an early glimpse of their acceptance and MIT did the same for 32 would-be students.



  • renderman
    replied
    Re: Is accessing a public website 'hacking'?

    Nearly identical thing happened just a short time ago back home.

    http://blog.mastermaq.ca/2010/02/09/...ugh-obscurity/

    Local blogger guessed a URL for upcoming budget docs, faces got red, but no one called it a hack. Guess some people are not as worried as others.



  • sintax_error
    replied
    Re: Is accessing a public website 'hacking'?

    Well, that plot certainly revealed itself in a manner befitting a script. I suppose all you can really do in this sort of situation is hope that lessons have been learned on all parties' accounts. I'm sure that heads are in the process of rolling over at Bang The Table.



  • streaker69
    replied
    Re: Is accessing a public website 'hacking'?

    http://www.computerworld.com.au/arti...4194304&fpid=1

    "On the basis of this statement, the Government has lost confidence in Bang the Table and will terminate arrangements with the company," Campbell said. "It is because questions were raised about the Government's ability to protect information that I spoke in the House yesterday.

    "It is now clear that Bang the Table not only did not protect the security of the Government's information, it also provided wrong advice to the Government about its security measures. This is completely unacceptable to the Government. I made yesterday's statement in good faith and based on information provided to me by Bang the Table. That information was wrong and, accordingly, I apologise. Now it is time for Bang the Table to apologise."
    I guess the most important part here is, the government official should have never made such statements to begin with until all the facts were known. Glad to see that they owned up to their failures and are dealing with it accordingly.



  • streaker69
    replied
    Re: Is accessing a public website 'hacking'?

    Originally posted by TwinVega View Post

    Who names their company Bang the Table anyway?
    Bang the Hoe was already taken?



  • TwinVega
    replied
    Re: Is accessing a public website 'hacking'?

    http://www.abc.net.au/news/stories/2...24/2829344.htm
    In a statement, Bang the Table says while the front page of the blueprint site was password protected, other pages were temporarily accessible. ... "That information was wrong and accordingly I apologise. Now it is time for Bang the Table to apologise."
    Sounds like they've gotten around to figuring out it was the hosting company's fault so they figure they're in the clear blame wise. The buck has been passed.

    Who names their company Bang the Table anyway?



  • sintax_error
    replied
    Re: Is accessing a public website 'hacking'?

    Originally posted by streaker69 View Post
    Ooooh, the plot thickens.

    http://www.computerworld.com.au/arti..._goes_offline/



    So now the ISP is failing to stand up to their fsckup and claiming it was hacking. I surely hope they have some real logs showing the 'hacking' and not just site access logs. Otherwise they could be looking at the wrong end of a defamation suit.
    I suppose that only time and logs will tell. Honestly it sounds to me that Bang the Table may have had a bit of a whoops moment. The site being taken offline tells me that they may be trying to figure out what actually happened, and are using the standard disaster recovery procedure of "It was hacked." Then again, they may be closing security holes that made all or parts of the site accessible in the first place. Like I said, time and logs will tell.



  • streaker69
    replied
    Re: Is accessing a public website 'hacking'?

    Ooooh, the plot thickens.

    http://www.computerworld.com.au/arti..._goes_offline/

    In a speech to Parliament Transport Minister David Campbell said the company which was responsible for the website, Bang the Table, had claimed it was secured and had experienced 3727 unauthorised hits on the website's firewall over a two-day period.

    “I am advised by Bang the Table that at no time was the website available to casual viewers,” Campbell said.

    “On the advice provided by Bang the Table, it seems that the only way to enter the site was to hack into it. And allegedly someone did. It was not a one-off but a concerted effort.”
    So now the ISP is failing to stand up to their fsckup and claiming it was hacking. I surely hope they have some real logs showing the 'hacking' and not just site access logs. Otherwise they could be looking at the wrong end of a defamation suit.

