Joshua Rogers successfully hacked into the website of Public Transport Victoria (PTV), exposing the site's vulnerability. Photo: Simon Schluter
NetEase Education reports, citing The Sydney Morning Herald, that a 16-year-old in Victoria, Australia, recently broke with ease into the website of Public Transport Victoria (PTV) and obtained confidential personal data belonging to the site's users, exposing the inadequate security of Victorian government websites.
The Public Transport Victoria website provides fare and timetable information for trains, buses and trams, including transport options for the upcoming Australian Open in Melbourne, and offers an online myki top-up service.
Joshua Rogers, who is still at school, describes himself as a cyber security researcher and says his motive for breaking into the site was to improve its security. Using a simple hacking technique, he found the site's database, which contained users' names, dates of birth, addresses, home and mobile phone numbers, email addresses and partial credit card numbers, amounting to roughly 600,000 records.
Cyber security expert Phil Kernick noted that the technique Rogers used was very simple, that Rogers may not have been the first to break into the site, and that the data may already have been obtained by others. Kernick said he was deeply disappointed that a government body had developed a website with so many flaws.
Ty Miller, who heads a cyber security firm, worried that the personal data could be obtained by bad actors and misused, for example to pass a bank's identity verification, reset account passwords, or make transfers directly.
Rogers contacted the Public Transport Victoria website by email on December 26 last year to report the security flaw he had found, and had received no response a week later. The case has now been handed to Victoria Police.
Public Transport Victoria said the personal data can no longer be obtained through its online systems, and that the database was not linked to myki online top-up accounts, so credit card numbers and related information were not held in the database.
Personal information about public transport users in Victoria has been exposed to potential identity theft because government authority Public Transport Victoria failed to secure its website.
The security flaw in the PTV website was discovered by schoolboy Joshua Rogers, 16, who used a simple hacking technique to unearth a database containing the personal records of customers of the former Metlink online store.
The database includes full names, addresses, home and mobile phone numbers, email addresses, dates of birth, seniors card ID numbers, and nine-digit extracts of credit card numbers.
Joshua contacted PTV last month to warn it of the site's vulnerabilities. On Tuesday it referred the matter to the police.
Joshua, a self-described "white hat" security researcher, said he was motivated by a desire to improve online security. He first contacted PTV by email on Boxing Day, but received no response. He later contacted Fairfax Media.
More than a week after Joshua made contact with PTV, it still had not responded, but this week it referred the matter to Victoria Police and Privacy Victoria following inquiries by Fairfax Media.
The method Joshua used to enter PTV's site has been described by cyber security experts as one that is easy to guard against.
It is not known if others have previously hacked the website, which is the primary online source for information about train, tram and bus timetables, myki, and current and planned public transport projects. Metlink was the Transport Department's "shop front" for public transport users before Public Transport Victoria's formation in 2012. An estimated 600,000 entries were found in the database.
Phil Kernick, of cyber security consultancy CQR, said PTV had failed to take proper care to secure its site from potential hacking.
"It's truly disappointing that a government agency has developed a website which has these sorts of flaws," Mr Kernick said.
"So if this kid found it, he was probably not the first one. Someone else was probably able to find it too, which means that this information may already be out there."
Ty Miller, director of Threat Intelligence, which locates security flaws in websites so they can be fixed, said the type of personal information hidden on PTV's site was sought by criminal hackers.
"Most of the stuff is personally identifiable information that is often used for things like identity theft, for example, ringing up your bank, and then answering their basic questions - like, 'what's your birthday, what's your address'," Mr Miller said. "That then allows you to maybe reset a password for internet banking and then make fraudulent transactions."
Fairfax Media gave PTV time to secure its site before publishing.
A spokesman said the personal data was no longer accessible or available via any online system. He added that the database was not linked to myki online accounts and that no usable credit card details were stored in the database.