People of NSW – don’t believe the spin about the SMH hacking a website

Background

On Friday 19th Feb 2010, Sydney Morning Herald reporters Matthew Moore and Andrew West were advised by a contact to go to the website nswtransportblueprint.com.au, where material on the transport blueprint was available.

The reporters did not require a password to view the documents, which were available to anyone with the URL address.

The reporters immediately printed out as much material as possible.

*The Premier’s chief of staff, Walt Secord, that evening told West: "This was a website in progress." *

– paraphrased from this article on the SMH

Link to original article [smh.com.au] revealing the leaked plans on 20th Feb 2010.

Link to hansard transcript for Feb 23 2009 – see ‘Transport Plan Confidential Documents’ on page 19. Quoting the Minister for Transport:

An internal investigation by Bang the Table found a total of 3,727 unauthorised hits on the website’s firewall security over a two-day period—18 and 19 February. That is akin to 3,727 attempts to pick the lock of a secure office to take highly confidential documents.

Here is my explanation of the wrongness of the statement.

• A hit does not equal a page load. A web page might be made up of many different resources (images, stylesheets, scripts), each of them has to be requested from the server and counts as a hit. It might take 50 hits to load all the things required for one web page. So don’t imply that this was 3,727 attempts to load a document that was supposed to be secure.
• Port scanners and probes generate ‘hits’ all the time. These scanners make requests for well known documents and configuration information in an attempt to find vulnerabilities left by inept system administrators who do not properly secure their systems.
• Governments don’t collaborate on small web sites set up for a limited purpose. Why would ‘working documents’ be stored on a public website?
• The Premier’s Chief of Staff apparently confirmed it was a website in progress on Friday evening (according to the SMH)
• As if the journalists involved would hack the website themselves – surely a third party would be used if they were really trying to be nefarious

Additional info

WHOIS information for the domain nswtransportblueprint.com.au reveals the following details:

Crikey article about Bang the Table – with appropriate counter-response from the company directors mentioned in the article in the comments below.

Slashdot Article about this saga [slashdot.org] for the technically minded.

The original website doesn’t appear to be available anymore – suggesting they scrapped the whole thing after this embarrassment.

Luckily Google has a cache of some of the pages and it appears that there was some attempt at security (at least for the GoogleBot).

A good description of this debacle here at Luddites hacked my website [Techeye.net].

Conclusion

• Either someone did hack the web site to make it available to the public and tipped off the journos; or
• Some mistake made the web site content available to anyone who knew the address (either temporarily or permanently)

Either way it’s not a good look for Bang the Table [bangthetable.com] and its customers. They should be concerned that their platform is either easily hacked or that there are not appropriate procedures in place to ensure that content is secured.

Update – 25 Feb 2010 10:20am

Apparently Bang the Table have owned up to a problem with the security and now the Transport Minister has apologised in Parliament. See SMH for more.

A director of Bang the Table, Matthew Crozier, said areas of the site were temporarily accessible on Friday.

”This is a matter of significant embarrassment to us,” Mr Crozier said in a statement. ”While security was in place on the front page of the site, clearly it was not sufficient to prevent the internal content being accessed.”