Tag Archives: ethical hacker

Preparations for an assault on the media: Index and the cyber attack on the BKK site

Back when Magyar Nemzet was the Orbán government’s leading propaganda vehicle, it was practically an everyday occurrence that the prosecutor’s office, the police, and the national security offices leaked information to the paper that the government wanted to use against its political opponents. Now that Magyar Nemzet is a respectable newspaper, it is Magyar Idők’s job to indicate the government’s intentions and perhaps even give guidance to all the other government propaganda outlets as to what the official line is.

After two weeks of embarrassment over the irresponsible management of the Budapest Transit Authorities (BKK) and T-Systems’ shoddy e-ticket software, the decision was made to divert attention from this incompetence to an alleged conspiracy that would conveniently involve Index, one of the few quality news sites left in Hungary. This government ruse has the added benefit of being a frontal attack on an independent media outlet that was recently purchased by Viktor Orbán’s domestic archenemy, Lajos Simicska.

To summarize the sequence of events, here are a few facts that are necessary to understand the story. On July 13 BKK made the announcement that at last e-tickets can be purchased on its website. The procedure will be fast and reliable. The purchaser will have a bright green e-ticket on his smart phone that will allow him to use BKK’s transportation system.

Index has a number of journalists who specialize in internet technology. They test new software and report on its reliability and usefulness. As soon as BKK announced the availability of the e-ticket, one of Index’s “tech experts,” Balázs Tóth, purchased a one-day ticket and traveled all over the city, hoping to encounter a ticket controller to see how well the system was prepared for the change. Without going into the details, it turned out that they are not and the whole experiment was a nightmare. The story was told in an article that appeared on July 14 at 12:01.

A few hours later (16:31) Balázs Tóth wrote another article in which he reported that after the appearance of the first article Index received an incredible number of e-mails from people with similar experiences. Among the many such letters was the one from the 18-year-old high school student who became known later as the “ethical hacker.” All the details of his story can be found in my article titled “Another grain of sand on the pile: The e-ticket fiasco,” but here I will focus on this second Index article, which has turned out to be a critical piece of “evidence” according to Magyar Idők, showing Index’s guilt in the massive cyber attack against BKK, intended to create chaos during the World Aquatic Championships.

From this second article we learn that after receiving the ethical hacker’s e-mail, the Index folks got in touch with BKK, telling the company about glitches in the program that allows users to change the price of the tickets. We also learned here that by that time BKK had a chance to read the ethical hacker’s e-mail, his e-ticket had already been deleted. This piece of information will become important later when we try to cast doubt on Magyar Idők’s accusation.

So, let’s move on to the article Magyar Idők published today, which is supposed to expose “an organized cyber attack planned and executed by the ‘ethical hacker’ and Index.” The proof? The timeline prepared most likely by some national security agency attached to the ministry of the interior.

This timeline is as follows. BKK ascertained that the ethical hacker entered its website at 12:49 on July 14–that is, 48 minutes after Index’s first article appeared about the deficiencies of the system. After looking around and discovering the glitch, he bought a ticket at 13:38, which means that it took him one hour and 17 minutes to find the coding error. A little more than an hour later, at 14:49, he sent an e-mail to the wrong address, but soon enough he realized his mistake and sent another e-mail to the proper address at 15:11. I should add something here that the Magyar Idők article omits. Sometime after his first e-mail to BKK, the young man also fired off a letter to Index. At 15:33 Index sent an e-mail to BKK in which Balázs Tóth told the company about the glitch that allows people to buy tickets for practically pennies and asked them a number of questions.

These questions were passed on to Magyar Idők by, I assume, BKK and published verbatim by Zsolt Bayer in an editorial titled “The BKK affair: A bunch of lies,” which appeared in the same issue. Index wanted to know whether the problem was already solved or not, when will the system be secure, will they change the method of password use, and other technical questions. They waited an hour. When the paper still hadn’t received an answer, Balázs Tóth published his article in which he revealed the glitch. He added that Index had contacted BKK but no answer came, but they will “refresh” the article as soon as they hear. And indeed, when the BKK’s meaningless answer arrived, Index updated the article. BKK didn’t answer any of the questions but assured Index that despite extensive internet attacks, the system was working fine and was accessible and usable. BKK claimed from the very beginning that there was an automatic system that precluded any possibility of abuse. BKK also claimed that after the incident further security measures were introduced into the system.

But that was not the end of the story. Once the hackers out there in cyberspace suspected that BKK’s site was vulnerable, they bombarded it with thousands of attacks, the result of which was that the whole site had to be shut down. Magyar Idők considers this to be a criminal act, part of a huge conspiracy between the boy, Index, and who knows who else. The proof is the 22 minutes that elapsed between the ethical hacker’s e-mail to BKK and Index’s e-mail to BKK. First of all, since we know that the e-mail Index passed on to BKK was the one ethical hacker wrote to the wrong address at 14:49, the time between the boy’s purchase of an e-ticket and Index’s letter to BKK was not 22 minutes as Zsolt Bayer claims but more like an hour. But even 22 minutes is a very long time in our cyber world. Our sophisticated high school student, after discovering the error, immediately fired off an e-mail (sometime after 14:49) to Index. Once the internet savvy journalists who specialize in information technology checked out the system and found that the information they received was correct, Index immediately wrote to BKK. They waited an hour. No answer came.

Bayer finds Index’s handling of this particular case unethical because in his opinion it was unfair to give BKK “less than an hour to check the information provided by Index to compile the required information.” But Bayer is mistaken. As I pointed out earlier, BKK, by the time it had received Index’s questions, knew about the illegal purchase of an e-ticket and had already deleted the boy’s transaction. BKK didn’t have to spend hours discovering something it already knew. BKK’s eventual answer clearly indicates that the company had no intention of admitting any security problems and wanted to maintain that all was just fine. In brief, they didn’t want any help from anyone because, as far as they were concerned, there was no problem in the first place.

Magyar Nemzet pointed out that today’s world of rapid fire publication of news items online doesn’t allow the luxury of waiting for hours on end or even days with an article that one considers important and newsworthy. Index did what it was supposed to do and what all other internet news sites do. Bayer’s whole conspiracy theory rests on very shaky grounds.

But what is really worrisome is that the Magyar Idők article, based most likely on leaked information from the authority that is working on the case, maintains that the ethical hacker’s individual action was the “introductory act” of the coordinated denial-of-service cyber attack that came a few hours later. Normally there are 300-400 hits per second on that particular site, but that afternoon they numbered 13,000. Within an hour almost 47 million hits were received. As a result the whole system collapsed.

All this indicates to me that both the ethical hacker and Index should look for good lawyers because the cyber security cops will do their best to make them responsible for the subsequent collapse of the system.

July 29, 2017

Another grain of sand on the pile: The e-ticket fiasco

There is a Hungarian word “nagypolitika” (literally “large politics”) that is used when talking about a piece of news or an event that has national or international significance. Today’s topic is anything but “nagypolitika.” On the contrary, on the surface at least, it seems like an insignificant affair that luckily hasn’t caused major problems, only annoyance. Yet, judging from the public’s reaction to the faulty software of the newly introduced e-tickets of the Budapest Transit Center (Budapest Közlekedési Központ/BKK), the case has become the focal point of all the frustration Hungarians are experiencing over the incompetence and the arrogance of the Orbán regime in general.

Itcafé, an internet site serving those interested in information technology, claims that the present public mood can be compared only to the impromptu mass demonstrations against the government’s plans to introduce a heavy tax on internet use during the fall of 2015. Just like then, thousands are planning to march in defense of the 18-year-old boy who discovered the software glitch in the first place. Our young hero handled the situation pretty much the way most white hat hackers would have. After he discovered that by changing something in the “POST request” he could set his own price for a ticket, he purchased a monthly ticket for 50 forints (20 cents) instead of 10,000 ($38.00). He then fired off an e-mail to BKK pointing out the security risk, assuring them that his intentions were good. He also perhaps foolishly announced that at the age of 13 he wouldn’t have made such a gross error as the one he found in the brand new e-ticket software. The software company responsible for this shoddy piece of work was I T Systems Magyarország, an affiliate of the German I T Systems Group.

I T Systems Magyarország reported the hacking “crime,” and the police appeared at the boy’s house some 300 km from Budapest and arrested him. The very fact of the arrest upset the internet crowd, but the fact that the arrest took place at 7 a.m. really infuriated them. Media critics of the government interpreted the timing as intimidation, especially since this was not the first time that the Hungarian police have visited people for some minor offenses as, for example, not appearing in court as a witness, in the early hours. Soon enough everybody began calling our hero “the ethical hacker,” although, as I T System countered, “an ethical hacker” is someone who is hired by the company to catch glitches of the kind Szilárd found. The fact is, of course, that no one had found the glitch before our hacker reported it. I T Systems claimed that they had no choice but to move against the boy, regardless of his intentions.

Soon enough other security problems came to light, one of which at least was quite serious. Index warned those who had already signed up on BKK’s website for an e-ticket to change their passwords immediately because hackers can get to their passwords and their e-mail addresses. At a joint press conference given by BKK and I T Systems, the journalists gained the impression that the companies were blaming the customers instead of admitting that there is something wrong with the whole system. As days went by, anger grew. First, BKK’s Facebook page was bombarded with less than polite comments about what people thought of BKK and the decision to bring charges against the boy. On one afternoon 35,000 comments appeared on the site. Two days ago BKK’s website stopped functioning, and it is still unreachable. It is hard to tell whether it became the victim of not so ethical hackers or was just overloaded with users who wanted to vent their frustration. The two companies remained silent until late Friday night when they released a terse statement about the illegal hacking of their system, adding that they were sorry that the accused is a young student whose intentions were well-meaning, but otherwise they expressed no remorse. People demanded an apology.

BKK released statements about all the improvements they are working on, which only revealed the ignorance of the company about the technical aspects of the software the company purchased. The CEO of BKK kept talking about installing a “stronger firewall” as a solution, which of course is nonsense given the problems of the software. At last on Saturday the two companies “issued a half-hearted apology,” as 24.hu put it. Most likely Mayor István Tarlós put pressure on Kálmán Dabóczi, CEO of BKK, to make a statement. A day earlier Tarlós had disclaimed any responsibility for the situation created by the joint incompetence of BKK and I T Systems. Tarlós also promised an investigation of the whole debacle. The CEO of I T Systems by the end was also forced to engage the “ethical hacker” in professional dialogue, which almost sounded like a job offer.

All’s well that ends well, one could say. The boy was a bit shaken by the few hours he had to spend in jail; the software will be fixed; and the two CEOs have been humbled. It is possible that the head of BKK will lose his job as opposition parties demand. Why then the demonstration? The answer, I think, is simple. This public outburst is not just against the shabby treatment of the “ethical hacker.” It is against the whole system which is riddled with incompetence and graft. Vasárnapi Hírek pointed out that the Budapest Transit Authority has been promising an e-ticket system for ten solid years. According to them, this useless software cost 250 million forints. However, according to another source, “BKK received a 550 million forint subsidy” for a project that “is not worth more than 1 or 2 million.” Where did the money go, asks Z. V. in a letter to the editor. Actually, I’m afraid these figures greatly underestimate the real cost of the e-ticket project. I found an item on BKK’s official website—which unfortunately I can’t access at the moment, and which may no longer be there when the website comes back online—from 2012, according to which the city council voted to launch the e-ticket service and for that purpose the City of Budapest gave 6 billion forints to BKK. Six billion. Five years ago, and that’s what came of it.

Finally, here is an interpretation of this BKK affair that I wish were mine. The Hungarian “Szilárd” reminded Szabolcs Bogdán, a writer, of Mathias Rust, the 17-year-old West German youngster who in 1987 landed his plane on Red Square, escaping recognition by the Soviet Air Force. The self-confident Soviet leaders with seemingly limitless powers ruled the empire, but then came this small plane from West Germany. Heads rolled in the Soviet Air Force and the bigwigs thought all was well, merely a fleeting embarrassment. It turned out, however, that the weakness of the whole political system was laid bare by this plane’s landing. The regime was not omnipotent.

I don’t think the comparison is far-fetched. I don’t know how long it will take, but Orbán’s seeming self-confidence is unwarranted. Political life in Hungary right now is like the pile of sand made famous by the Danish physicist Per Bak: once the pile reaches the critical point, adding another grain of sand to it may cause an avalanche. There are times when one small thing can inexorably change the course of history.

July 23, 2017