Tuesday, March 3, 2009
On exposing vulnerabilities on .gov.my websites
Comments
Well, like I said, I do support this kind of initiative, but to avoid any entanglement with law enforcement it is better to obtain consent or authorization. It would be a waste for our own local community if that guy behind that website (I know who he is) got into trouble. He can publish his findings provided he applies some anonymity to the findings. Like HD Moore said, "The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks." That requires evaluating the risks not only on the owner's (target's) side but from his side as well. Consent? Authorization? NDA? What else have they done to make things not vulnerable or not get rog0n'd by some "hello world" out there? Is all that going to resolve the stupidity of the gov system admins, or the authorized gov IT security agency, or the appointed l33t? Recently the "Arab guys" have been actively defacing our Malaysian websites, especially gov sites. What happened? What's next? All this just because they depend on and believe in those stupid elements installed on their network (la la la la, when will the next one be installed for gov), rubbish or bla bla bla event reports sent to them. WTF?
Any suggestions to mitigate this kind of risk? It is easier to stand outside and criticize without offering any solutions, y'know.
Hahaha... No problem, maa. But I think at least we can brainstorm on how to buck up our government.
The information needed to fix this is out there, and has been pointed out in various postings on this blog. The real question is: will the relevant authorities do anything about it? Or are they going to shoot the messenger?
"You can lead a horse to water, but you can’t make him drink."
This is the real problem. You can advise them till your mouth foams to patch, but if they still don't do it, it's tough, isn't it?
Ayoi, I don't think I am guilty of criticizing the security of .gov.my; if I am, please point to the evidence. As far as I am concerned, the best way to raise awareness is through publicity. I've been in the security business for 8 years, and while there have been general improvements in the security of government websites over the years, the rate has been marginal, if not slow. I don't have data to back this up, as I am speaking merely from experience.
When .gov.my (Ayoi, you and your employer included) starts to view these disclosures seriously, I think I will already have given my contribution to making .gov.my more secure. That, however, depends purely on which side you're on.
To be honest, I am more worried about the owner of hackingexpose. The possibility of him being charged is high, and I believe the affected parties are more interested in shifting the blame onto him instead of their own lack of awareness of their apps. Yeah, they will shoot the messenger, and trust me, they have the reason to do so.
However, I also believe that the government should engage these websites and try to sort out any possible collaboration (training/seminars/workshops/talks) instead of confronting them. I believe that they must make use of that disclosure information for countermeasures instead of harping on different things like the web owner etc. One thing I do notice is that the "bad guys" always share their techniques, methods, tools, flaws and findings, whereas these so-called "white hats" tend to share the information only among their peers or people within their community or whatnot. Like I said before, use anonymity when publishing the info. Just don't give them any avenue to turn things back on you. But then, finding sensitive information via a search engine is different from exploiting a database.
It feels hot in here... and the topic too...
Disclaimer: I am not a lawyer.
I think it would be good if all of you read the laws that exist. COMPUTER CRIMES ACT 1997 [REPRINT 2002], http://www.msc.com.my/cyberlaws/act_computer.asp. Under Part II, read Sections 3 to 6. Whether we like it or not, unauthorized access to a computer is punishable by law. You must also read Section 7: Abetments and attempts punishable as offences. Definition of abetment: 1: to actively second and encourage (as an activity or plan); 2: to assist or support in the achievement of a purpose. According to Section 7, whoever "encourages" this type of activity can get caught too. Also read PART III - ANCILLARY AND GENERAL PROVISIONS: "(3) Any police officer may arrest without a warrant any person whom he reasonably believes to have committed or to be committing an offence against this Act, and every offence against this Act shall be deemed to be seizable offence for the purposes of the law for the time being in force relating to criminal procedure." You can get nabbed at any time, bro. The intention is good, but The End Does Not Justify The Means (if we go by the law). So, as gmie said in the comment below, "You'd better think about it yourself." Thank you.
DISCLAIMER: don't post any politics or political bashing... try it... you'll end up on TV and in the newspaper... that's the only thing they can use against you... what was that act again, Karpal Singh??
COMPUTER CRIMES ACT 1997 [REPRINT 2002], so... shoutouts to everyone here... you know who you are... "just take it easy (relax)".
Do you guys dare to challenge the hacker kids to hack your online servers? Publish them here if you dare...
Law, supposedly... pfft... if we go by the law, MCMC should have blocked this website too... why hasn't anyone taken action???? Still want to talk about the law? They even want to sue the Sultan... what kind of people... so, what else... list your server addresses... give the username & password too... then you'll know whether the sky is high or low...
Dude, I think you're a little off topic. By the way, you can always find the IP address yourself, and only an idiot would give his identification and authentication information to others.
Hahaha... I don't know what to say... it's either stupid or illogical to list the username and password. And there's no thrill in getting/owning a server if that information is already listed. The real thrill is when you do the information gathering, find vulnerabilities, inject code and bla... bla... bla... until you own root... The longer it takes, the higher the thrill, and the better the result you'll get. Key >>> patience... patience... patience...
No prob. I just hate to see another precious talent in this industry gone.
Anyone know who chose "No" in the vote at Hacking Expose??
http://hackingexpose.blogspot.com/ And why?? Personally I chose yes, because it is a step to improve... take comments from people and learn sincerely!
Guys, maybe we can have a TT session and share our knowledge/experience/skills etc. Just an idea.
If we get caught, we can ask bro Mel to bail us all out, OK. Don't worry. Keep up the effort.
Whatever it is... "think about it yourself" - Nabil layan... zass! toyok: do you even have any teeth?
That's normal for kids... once they're experienced/older/smarter, they'll go quiet...
Going by history, everyone was like that too...
Yeah... I totally agree with you, Latif... If not them, who else is going to give this fucking free pentest???
taiko,
Don't associate us with a term like "free pentest"; later the other old-timers will also overreact and the "business people" will condemn us. Just bear in mind we do this for the community. We don't want to be a threat to anybody. I wonder, if there is a "free pentest", then there probably must be something similar to the GPL for this... lulz ;-p We're just another bunch of street kiddies who want to be somebody while at the same time contributing to the community.
This is just not the way to contribute...
I'm OK if you guys find some bugs, publish advisories, create exploits, present security research, create security tools etc. This is something we can be proud of. Don't blame others if you didn't understand their problem. This is not one person's problem, it's the whole system. R*****r & Z****f, I know you are better than this. Good luck... -cakapmacambest-
Ahh... we need to change our tagline then...
"malaysian sites hacker safe and public awareness"
I think most of the people who commented here know who are the people behind this. After all, they are not that "anonymous"...
Why not, instead of the so-called "serving the community", do something like taking part in the HITB Conference CTF? At least that is legal and will keep you out of trouble. There are many ways you can shine without risking sleeping behind bars. But why choose to do it this way? Public disclosure of what you did is good, but I am afraid that soon enough you guys will have to pay the price instead of getting paid, and as Ayoi said earlier, that would be a waste of talent. Anyway, I am not supposed to jump to a conclusion. But if the work was done for the sake of getting recognition, I can only say that you guys are on the wrong side of the road. Many people have gone through all this and made the same mistakes, but how soon you grow up and realize your mistakes will make a difference if you're planning to be in this field as a professional for good. I am nobody to stop you guys; the best I can do is to warn you. Just my 2 cents.