Preparations for an assault on the media: Index and the cyber attack on the BKK site

Back when Magyar Nemzet was the Orbán government’s leading propaganda vehicle, it was practically an everyday occurrence that the prosecutor’s office, the police, and the national security offices leaked information to the paper that the government wanted to use against its political opponents. Now that Magyar Nemzet is a respectable newspaper, it is Magyar Idők’s job to indicate the government’s intentions and perhaps even give guidance to all the other government propaganda outlets as to what the official line is.

After two weeks of embarrassment over the irresponsible management of the Budapest Transit Authorities (BKK) and T-Systems’ shoddy e-ticket software, the decision was made to divert attention from this incompetence to an alleged conspiracy that would conveniently involve Index, one of the few quality news sites left in Hungary. This government ruse has the added benefit of being a frontal attack on an independent media outlet that was recently purchased by Viktor Orbán’s domestic archenemy, Lajos Simicska.

To summarize the sequence of events, here are a few facts that are necessary to understand the story. On July 13 BKK made the announcement that at last e-tickets can be purchased on its website. The procedure will be fast and reliable. The purchaser will have a bright green e-ticket on his smart phone that will allow him to use BKK’s transportation system.

Index has a number of journalists who specialize in internet technology. They test new software and report on its reliability and usefulness. As soon as BKK announced the availability of the e-ticket, one of Index’s “tech experts,” Balázs Tóth, purchased a one-day ticket and traveled all over the city, hoping to encounter a ticket controller to see how well the system was prepared for the change. Without going into the details, it turned out that they are not and the whole experiment was a nightmare. The story was told in an article that appeared on July 14 at 12:01.

A few hours later (16:31) Balázs Tóth wrote another article in which he reported that after the appearance of the first article Index received an incredible number of e-mails from people with similar experiences. Among the many such letters was the one from the 18-year-old high school student who became known later as the “ethical hacker.” All the details of his story can be found in my article titled “Another grain of sand on the pile: The e-ticket fiasco,” but here I will focus on this second Index article, which has turned out to be a critical piece of “evidence” according to Magyar Idők, showing Index’s guilt in the massive cyber attack against BKK, intended to create chaos during the World Aquatic Championships.

From this second article we learn that after receiving the ethical hacker’s e-mail, the Index folks got in touch with BKK, telling the company about glitches in the program that allow users to change the price of the tickets. We also learned here that by the time BKK had a chance to read the ethical hacker’s e-mail, his e-ticket had already been deleted. This piece of information will become important later when we try to cast doubt on Magyar Idők’s accusation.

So, let’s move on to the article Magyar Idők published today, which is supposed to expose “an organized cyber attack planned and executed by the ‘ethical hacker’ and Index.” The proof? The timeline prepared most likely by some national security agency attached to the ministry of the interior.

This timeline is as follows. BKK ascertained that the ethical hacker entered its website at 12:49 on July 14–that is, 48 minutes after Index’s first article appeared about the deficiencies of the system. After looking around and discovering the glitch, he bought a ticket at 13:38, which means that it took him one hour and 17 minutes to find the coding error. A little more than an hour later, at 14:49, he sent an e-mail to the wrong address, but soon enough he realized his mistake and sent another e-mail to the proper address at 15:11. I should add something here that the Magyar Idők article omits. Sometime after his first e-mail to BKK, the young man also fired off a letter to Index. At 15:33 Index sent an e-mail to BKK in which Balázs Tóth told the company about the glitch that allows people to buy tickets for practically pennies and asked them a number of questions.

These questions were passed on to Magyar Idők by, I assume, BKK and published verbatim by Zsolt Bayer in an editorial titled “The BKK affair: A bunch of lies,” which appeared in the same issue. Index wanted to know whether the problem had already been solved, when the system would be secure, whether they would change the method of password use, and other technical questions. They waited an hour. When the paper still hadn’t received an answer, Balázs Tóth published his article in which he revealed the glitch. He added that Index had contacted BKK but had received no answer, and that they would “refresh” the article as soon as they heard. And indeed, when BKK’s meaningless answer arrived, Index updated the article. BKK didn’t answer any of the questions but assured Index that despite extensive internet attacks, the system was working fine and was accessible and usable. BKK claimed from the very beginning that there was an automatic system that precluded any possibility of abuse. BKK also claimed that after the incident further security measures were introduced into the system.

But that was not the end of the story. Once the hackers out there in cyberspace suspected that BKK’s site was vulnerable, they bombarded it with thousands of attacks, the result of which was that the whole site had to be shut down. Magyar Idők considers this to be a criminal act, part of a huge conspiracy between the boy, Index, and who knows who else. The proof is the 22 minutes that elapsed between the ethical hacker’s e-mail to BKK and Index’s e-mail to BKK. First of all, since we know that the e-mail Index passed on to BKK was the one the ethical hacker wrote to the wrong address at 14:49, the time between the boy’s purchase of an e-ticket and Index’s letter to BKK was not 22 minutes as Zsolt Bayer claims but more like an hour. But even 22 minutes is a very long time in our cyber world. Our sophisticated high school student, after discovering the error, immediately fired off an e-mail (sometime after 14:49) to Index. Once the internet-savvy journalists who specialize in information technology checked out the system and found that the information they received was correct, Index immediately wrote to BKK. They waited an hour. No answer came.

Bayer finds Index’s handling of this particular case unethical because in his opinion it was unfair to give BKK “less than an hour to check the information provided by Index to compile the required information.” But Bayer is mistaken. As I pointed out earlier, BKK, by the time it had received Index’s questions, knew about the illegal purchase of an e-ticket and had already deleted the boy’s transaction. BKK didn’t have to spend hours discovering something it already knew. BKK’s eventual answer clearly indicates that the company had no intention of admitting any security problems and wanted to maintain that all was just fine. In brief, they didn’t want any help from anyone because, as far as they were concerned, there was no problem in the first place.

Magyar Nemzet pointed out that today’s world of rapid fire publication of news items online doesn’t allow the luxury of waiting for hours on end or even days with an article that one considers important and newsworthy. Index did what it was supposed to do and what all other internet news sites do. Bayer’s whole conspiracy theory rests on very shaky grounds.

But what is really worrisome is that the Magyar Idők article, based most likely on leaked information from the authority that is working on the case, maintains that the ethical hacker’s individual action was the “introductory act” of the coordinated denial-of-service cyber attack that came a few hours later. Normally there are 300-400 hits per second on that particular site, but that afternoon they numbered 13,000. Within an hour almost 47 million hits were received. As a result the whole system collapsed.

All this indicates to me that both the ethical hacker and Index should look for good lawyers because the cyber security cops will do their best to make them responsible for the subsequent collapse of the system.

July 29, 2017
Guest

Typical Hungarian reaction:
It’s always someone else’s fault …
I wonder what will come out of it. If BKK really takes Index to court it might get drawn out until in the end again the European courts have to decide.

PS and not too much OT:
Seems that the EU is going forward in the fight against the Polish “Illiberals” – the German press at least is full of it, describing the crazy actions of the Polish government and speculating on what will happen. Even Poland leaving the EU is being discussed …

ambator
Member

I am inclined to put some blame on the social mores of Hungary too.
It is my observation that even amongst friendly parties the answering of an email is not customary. No matter how well-intentioned an announcement may be, the addressee gives no sign of having received it, even less to thank the sender. (Not very long ago I submitted a manuscript to a publisher. After some six weeks of waiting for an answer and several repeated phone calls, it turned out that the publisher was delighted for the submission and was intent on publishing it. All that was not enough to compel him to answer the initial email. Hungary! Oh!)
BKK could have sent an acknowledgement of receiving the letter and ask for time to investigate. This would have put the whole affair on a reasonable footing. Yet, The Office is supercilious before all else.

exTor
Guest

Math used to be my best subject in high school, hopefully I’m still good at it at my still-tender age. Your “one hour and 17 minutes” in the paragraph below the photo (which I have reproduced) makes no sense to me, Éva. As a perfectionist and as a semigeek, I tried to follow your timeline. Ultimately that 77-minute time difference is irrelevant to the import of your article.

Given the rightward drift of the Orbán regime, I am increasingly hesitant about emailing in Hungary [imélés Magyarországon]. I’m not paranoid, just wary. I don’t have any probs communicating with contacts in Magyarland, however I would be hesitant to send a complaining email to a government address. The fact that that supposed hacker [hekker] was grabbed shortly after having contacted BKK is proof-in-point of what can happen.

I am in the process of researching the whies and wherefores of securing fake IP addresses to mask the origin of my emails. As Éva full-well knows, all emails show (in their hidden headers) the countries-of-origin, real or phony. Nobody higher-up –Éva excepted– need know my location.

MAGYARKOZÓ

bimbi
Guest

Zsolt Bayer – the government’s Useful Idiot.

If you don’t believe that, what about this pearl:
“Bayer finds Index’s handling of this particular case unethical…”
Bayer doesn’t know anything about ethics! He wouldn’t recognize one if it was pushed down his throat.

Zsolt Bayer – the government’s Useful Idiot.

exTor
Guest

… … … ORBÁN VIKTOR HASZNOS IDIÓTÁJA … … …

MAGYARKOZÓ

Guest

That term “useful idiot” is not appropriate imho – it is used to describe different situations, more harmless people.
I’d call Bayer the government’s attack dog or?

The guy says those things which O and his henchmen are really thinking and would also like to say but they know that their friends in EPP wouldn’t be happy with that …

exTor
Guest

Good point, wolfi. I sent my earlier comment just to get under the skin of any Orbán troll who might have come across this article. I was going to accompany this comment with a pic of an attack dog, but the pictures I found grossed me out.

A useful idiot is probably, by definition, any person who [un]wittingly is used (by someone known or unknown) in a manner that would ordinarily be antithetical to that used person.

Zsolt Bayer is a witting propagandist, a front person who spews the Fidesz line as it intersects daily issues, such as what happened to Andrea Ladó and its aftermath. Zsolt Bayer is no dummy, he’s just a scumbag, one who knows that Fidesz lies, that it’s corrupt, but he’s okay with it because he’s on the inside and he benefits from it, bigly or not.

BAYER ZSOLT CSUPA CSÚNYA

MAGYARKOZÓ

wrfree
Guest

Re: ‘witting propagandist’

From ‘Papa’ Hemingway who knew a thing or two…. ‘The writer’s job is to tell the truth’. So Zsolt off the bat kinda has some major issues. Maybe it could be worse. Just think if he was Magyarorszag’s Doktor Seuss. Oh, The Words They’d Know!…from ‘ the Grinch Who Stole Christmas’.😎

bimbi
Guest

In recent days we have been regaled by headlines announcing that:

“The sperm count of western men has fallen by half in 40 years.”

Fear not! That is over there – over here, in the lands of the Carpathian Basin (where Brussels’ day begins) geci is not in short supply, as demonstrated by the current group of political leaders.
