29 May 2019

Budget leak: When is a hack not a hack?

8:46 pm on 29 May 2019

IT and tech experts say National's early access to Budget documents was probably not the work of a sophisticated hacker, but could have been an amateur computer sleuth who got lucky.

Gabriel Makhlouf, Secretary of the Treasury. Half Year Economic and Fiscal Update 2017. Photo: RNZ / Rebekah Parsons-King

Hours after National released Budget 2019 information, Treasury said it had evidence its systems were "deliberately and systematically hacked".

But Simon Bridges said the information was not the result of a hack - despite refusing to confirm where it had come from.

It remains unclear what information was accessed via Treasury's hack and whether this was the same information that National had.

Technology commentator Paul Brislen said hacking was hard to define.

"We don't really ever nail it down as to what actually it is. In law they talk about unlawful use of a computer system or an IT network and that's as good a phrase as any - it's the unauthorised access of information stored on a computer."

"A lot of hacking that we've seen in the past has really been not hacking at all. It has been people finding out that they can see information that the people who put the information online... didn't realise would be visible."

Information security consultant Joerg Buss, whose company Darkscope investigates sources of cyber attacks, said he did not think a hack had taken place.

"Hacking would be something like bypassing a security measure, like a username and a password. I don't think that's what happened here. I think it was just a lucky guess."

Mr Buss said based on what was known, there were two possibilities for how the information became public.

"One possibility is the web page of Treasury wasn't protected in the right way and it was too easy, which I don't believe.

"The other one is, it wasn't hacked in the matter of the word hacking, it was basically someone tried and found the information which was stored on the web servers in a place which was probably not protected enough."

He said it was likely the documents were uploaded to the Treasury website, hidden, but the folder they were in was not locked down.

He said spider-crawl software, which was free and legal to download, would find such documents.

It works by searching through the hidden folders on a website and trying different URLs to see if any exist.

"The 2000 attempts, in my opinion, would have been something like a spider crawl so someone is investigating the content of a webpage. So he's trying different paths and different URLs and maybe he got lucky and found this in an upload folder or something like that."

"The spider tries different paths which are not visible normally and tries them out [to see] if there is some feedback. In most cases the source is not available, but in some cases someone gets lucky and there is a path or a URL which is then available and which may be posting the information."

He said using such a programme did not require a high level of skill.

"The level of skill is you need to be able to use Google. So you can download a piece of software and run it against any target.

"We see web services being approached by this type of technology millions of times around the world every day. So it's not uncommon."
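The trace that the "spider crawl" Mr Buss describes leaves behind is the part a site owner can act on: one client requesting a large number of URLs that do not exist, and occasionally one that does. The Python below is an added example and is not part of the RNZ article; it reads constructed web server access-log lines in the common "combined" format, groups requests by client address, and reports clients whose pattern looks like path guessing, together with any URL that answered 200 in the middle of the burst. The thresholds, addresses, paths and timestamps are all assumptions made for illustration.

```python
"""Flag path-enumeration ("spider crawl") activity in web server access logs.

Added example, not from the RNZ article. The log lines are constructed
inline so the script runs offline; thresholds are assumptions to tune.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Detection thresholds (assumed values for the example; tune to the site's normal traffic).
MIN_DISTINCT_PATHS = 20     # enumeration touches many different URLs...
MIN_NOT_FOUND_RATIO = 0.8   # ...and most of them do not exist
WINDOW_HOURS = 48           # the article's "2000 attempts over 48 hours" framing


def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"),
            datetime.strptime(m.group("ts"), TS_FMT),
            m.group("path"),
            int(m.group("status")))


def find_enumerators(lines, min_paths=MIN_DISTINCT_PATHS,
                     min_ratio=MIN_NOT_FOUND_RATIO, window_hours=WINDOW_HOURS):
    """Group requests by client and flag clients that guess paths.

    Each client's requests are split into consecutive segments no longer than
    window_hours. A segment qualifies when it touches at least min_paths distinct
    URLs and at least min_ratio of its requests answered 404. Returns
    {ip: {"attempts": n, "not_found": m, "found": [paths that answered 200]}};
    "found" is the list a defender should check was meant to be public.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])        # (timestamp, path, status)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort()
        segments, seg = [], []
        for rec in recs:
            if seg and (rec[0] - seg[0][0]).total_seconds() > window_hours * 3600:
                segments.append(seg)
                seg = []
            seg.append(rec)
        segments.append(seg)

        for window in segments:
            distinct = {p for _, p, _ in window}
            not_found = sum(1 for _, _, s in window if s == 404)
            if len(distinct) >= min_paths and not_found / len(window) >= min_ratio:
                entry = flagged.setdefault(ip, {"attempts": 0, "not_found": 0, "found": set()})
                entry["attempts"] += len(window)
                entry["not_found"] += not_found
                entry["found"].update(p for _, p, s in window if s == 200)

    for entry in flagged.values():
        entry["found"] = sorted(entry["found"])
    return flagged


# Constructed sample: 203.0.113.5 guesses 24 paths (one of which exists);
# 198.51.100.7 browses normally. Addresses are from the documentation ranges.
GUESSED_PATHS = ["/admin", "/backup", "/old", "/test", "/dev", "/staging", "/tmp",
                 "/data", "/files", "/private", "/secret", "/archive", "/docs",
                 "/upload", "/uploads", "/uploads/draft.pdf", "/uploads/final.pdf",
                 "/internal", "/hidden", "/beta", "/v2", "/export", "/dump", "/logs"]


def _constructed_log():
    base = datetime(2019, 5, 27, 9, 0, 0, tzinfo=timezone(timedelta(hours=12)))

    def line(ip, minutes, path, status):
        ts = (base + timedelta(minutes=minutes)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "curl/7.64.1"'

    lines = [line("203.0.113.5", 15 * i, p, 200 if p == "/uploads/final.pdf" else 404)
             for i, p in enumerate(GUESSED_PATHS)]
    lines += [line("198.51.100.7", 3 * i, p, 200)
              for i, p in enumerate(["/", "/about", "/news"])]
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} requests, {info['not_found']} x 404, "
              f"answered 200: {info['found']}")
```

The `found` list is the useful output: a URL that answered 200 in the middle of a run of 404s from one client is a URL the site owner should confirm was meant to be reachable without authentication, which is exactly the "upload folder that was not locked down" scenario the article raises. The article's figure of 2000 attempts in 48 hours would sit far above the thresholds used here, but the right values depend on what a particular site's ordinary traffic looks like.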

Treasury secretary Gabriel Makhlouf said no documents were accidentally loaded to the website, and that the information Treasury had suggested a targeted, persistent attack.

It was unclear whether this was an attack on the website or Treasury's internal server.

Criminal Bar Association president Len Andersen said hacked or not, unauthorised access was covered under the Crimes Act, and the test was pretty simple.

"Documents that are put on the internet that are there publicly, there's a general invitation to view them because they are public. But if they're not - if they're put behind some kind of firewall - then the issue of authorisation to access applies.

"It's just like if you think of a locked car, people try millions of keys and eventually find one that fits, that doesn't entitle them to open the car door."

"The issue, in terms of [section 252 Crimes Act], is not how easy it is to get to it - it's whether the access is authorised."

Mr Andersen said the consequences of retrieving documents you were unauthorised to access could be wide reaching.

"It has other implications too, because just as if you buy a TV set in a pub for $50 and you know it must be stolen, you can be convicted of receiving. Similarly if you get access to documents that you know must have been hacked then that raises the prospect that you can be found guilty of receiving."

Mr Brislen said it was unusual that 2000 attempts over 48 hours was treated as a cause for concern, given that this is not a large number of probes for a website to receive.

The GCSB declined to comment as the matter was now under police investigation.
