Law students being awesome hackers……what is going on?
October 11th, 2007 Drazen Drazic Posted in Bad Stuff, Disclosure Laws, Dumb Security, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime, governance |
The reason for the lack of posts recently is because I am away... it’s harder looking after 2 young girls, 6 and 4, on school holidays in Noosa than it is running a business.
Pete Benson sent me this one yesterday and I have to admit, it blew me away on many levels. WTF:
http://www.computerworld.com.au/index.php/id;1057000875;fp;16;fpid;1
Being out of touch in paradise for the last 10 days, I have no idea where this went or whether there was a follow-up. I’ll add to this when I get back but if anyone has more to add now, please respond. This whole story sounds a bit suspect to me.

October 12th, 2007 at 12:11 pm
Gotta’ be a joke. The paperwork to set something like this up would take ages, the logistics etc and the legality.
Law students should know better… need more info on this… very shoddy reporting. Also the terminology is all wrong.
In short. Ridiculous.
October 12th, 2007 at 2:55 pm
D2: “Ridiculous” and Draz: “WTF”…. ???
Rather blunt sentiments. If Big Galoot were down at the pub having this same discussion, I’d throw in a few more expletives for good measure.
My first thoughts were - how do those blokes find the time to do their real-life jobs, in between nation-wide conference circuit speaking engagements, book signings and regular media interviews? I’m buggered if I know.
Seriously though, there’s something not right about all this.
Either you accept as fact that the top 200 companies knowingly allowed their systems to be hacked by a bunch of uni students, led by Ajoy Ghosh, or you don’t.
As I see it, either way, there are major concerns here;
If you accept that it did happen, with full permission, it is a major worry. As a shareholder in some of the top 200 Australian companies, I’m very annoyed & I will want answers as to why they allowed the exercise to proceed.
If you accept that it did not happen and permission was not sought, but hacking did occur - it is an even bigger worry.
My reality-meter is telling me that no top 200 Australian company and definitely no Government Department would ever permit testing of their systems by a bunch of uni students.
I really hope there’s another, more logical explanation, but for the life of me, I’m struggling to find one.
Yes, it is a truly remarkable story on a number of levels.
October 12th, 2007 at 3:55 pm
I am tracking commentary at http://del.icio.us/cmlh - I just added this Post
I will be providing further comment after http://www.securitycampoz.com this weekend as I am “QA-ing” my presentation for Saturday @ 4:30PM
October 12th, 2007 at 6:22 pm
I am hesitant to say much more at present until some more facts come out on this.
I exchanged a brief email with Darren Pauli, the journo who covered the story that came from Ajoy. I have a feeling given some feedback Darren has been getting that he will do a follow-up story on this.
From information passed to me by Darren; “the hack was given legal clearance through court, although there are questions about that.” Not sure what the last part means but no doubt, we may hear more.
“Only the CEOs were told about the hack, as it was deemed important that IT be kept ignorant so they could judge day to day security.”
“Only one had IT experience, and according to Ghosh, he performed the worst.”
October 15th, 2007 at 3:04 pm
@Drazen
Ajoy Ghosh has previously attempted to present himself as a Subject Matter Expert on “hacking” in an article published in 2001 i.e. “… Research by Mr Ghosh showed 80 per cent of .com.au websites were vulnerable to intrusion and control by hackers. …”
However, another quote from this same article may come back to haunt Ajoy Ghosh, specifically: “… due in part to misleading information from technologists who exploited fears about hacking, Mr Ghosh said. …”
October 15th, 2007 at 3:11 pm
@Drazen,
“But wait there’s more” ?
Again to quote the article from 2001: “Mr Ghosh worked for Westpac and the NSW Police before joining Unisys and he is a member of the National Office of the Information Economy’s e-security co-ordination group”.
I have reproduced the e-mail from NOIE in response to the claim that Ajoy Ghosh “is a member of the National Office of the Information Economy’s e-security co-ordination group” below:
>Date: Wed, 9 May 2001 08:41:08 +1000
>From: “Byrne, Steven”
>To: ‘Grant Bayley’
>Subject: RE: Mr Ghosh again
>
>Hi Grant:
>
>Thanks for your email to info@govonline.gov.au.
>
>I have forwarded your email onto the appropriate area of
>NOIE for their information.
>
>We too have noticed the comments of Mr Ghosh.
>
>Cheers
>
>Steven Byrne
>NOIE web services
October 16th, 2007 at 2:59 pm
I spoke with Darren yesterday and I believe he’s doing a follow-up story to provide further clarification on the initial story. I understand there’s been quite a few people asking questions.
At present, I’m still sitting back to get the full story... it’s an interesting one and hopefully we’ll get the full scope and context of what Ajoy’s experiment entailed.
October 16th, 2007 at 5:47 pm
Some exceptionally big calls made in that article, I’m surprised the internet isn’t falling down around me now if 20 non-computer students can ./hack their way into all those companies.
“The really bad guys pee on their hard drives,” Ghosh says, “They’ve been told by whoever teaches them bad-guy stuff that it’s a good way to get rid of the evidence..”
http://www.misweb.com/magarticle.asp?doc_id=25991&rgid=2&listed_months=0
October 17th, 2007 at 11:21 am
@Anonymous
Wow. There are so many things wrong with this I don’t know where to start…
October 17th, 2007 at 11:26 am
A CEO cannot authorise an illegal act, namely, the unauthorised access to private & confidential customer financial details and confidential customer insurance information.
And I very much doubt any Court in Australia would authorise the access to private & confidential client data, unless it was reasonably satisfied that it was doing so specifically in order to gather evidence for a potential breach of the law - by a law enforcement agency. In these circumstances, one would envisage a type of search warrant being issued.
Clearly, a pen-test by a bunch of uni students does not satisfy any of the above criteria.
Rather alarmingly, the computerworld article states;
“The students - predominately law practitioners - were given 24 hours to breach security infrastructure on each site and were able to access customer financial details, including confidential insurance information, on multiple occasions.”
The questions I have are:
* Exactly what confidential client information was accessed, when, and by whom?
* Was my personal confidential client data that I have entrusted to my insurance company compromised in any way, and if so, who authorised it?
October 17th, 2007 at 8:35 pm
@Drazen
The quotes in relation to the articles that were published in “The Australian” are taken from various threads (dated May 2001) from the 2600 Mailing List hosted at wiretapped.net.
October 18th, 2007 at 2:27 pm
Darren Pauli has just posted a follow-up to the story:
http://www.computerworld.com.au/index.php/id;1282913381;fp;16;fpid;1