COMMENT by Juha Saarinen
National has owned up to obtaining some Budget 2019 information, which it released early, and it wasn't done unlawfully, police say.
Although Treasury doesn't use the term "site misconfiguration", this is what appears to have happened.
The sensitive data on a staging site was indexed by the search engine on the Treasury site, which should not have happened.
National staffers, keen to get the inside running on what the Government intends to spend money on, modified queries containing text from last year's budget documents by substituting 2018 with 2019 and struck paydirt.
This is very similar to a technique called Google Dorking. Few people understand just how much information can be gleaned from "reading the matrix" but it can be heaps.
By observing how sites are coded, the information that they leak in weblinks, and how they're configured, you can ferret out all sorts of information using Google's advanced search operators.
Google finds and indexes just about everything, including sensitive data and unprotected Internet of Things devices and vulnerable computers, if it's allowed to. Eagle-eyed geeks spotted leaked 2019 budget data in Google's cache, suggesting Treasury's site was indexed by outside search engines.
That's how search engines work, and Treasury was lucky not to have had more data exposed.
From there, things turn murky though. Techies know how easy it can be to make non-obvious configuration mistakes that have disastrous consequences.
They will point to similar flubs that expose confidential data, and say that exploiting these is tantamount to hacking.
One of the most popular such hacks involves sites being configured to accept commands to display, modify or even delete information stored in their databases via the URL box in browsers.
Yes, that's how easy it can be to perform malicious actions on servers with little or no prior knowledge required (you just look for the database commands to use via Google when you find a vulnerable site).
Issuing database commands remotely, however, is a very deliberate and malicious action that is different from using a site's search engine as intended to surface information.
This will be debated for a while to come, including the legal nuances of what National did, with tech lawyer Rick Shera opining that it fell foul of the law, but wasn't worth pursuing.
I can accept Police not wanting to test s252 un/authorised access, but this still looks like s249 access for a dishonest purpose given the nature of the material and well known confidentiality protocols. Issue then becomes benefit/loss https://t.co/Ovf2Xx0WFl https://t.co/Vi9o9KHjve — Rick Shera (@lawgeeknz) May 29, 2019
If a more serious vulnerability at Treasury's site had been exploited - for example, one that crashed the server and provided access to the inner sanctum of the department's computer systems - then it would've been a clear-cut case of National staffers wearing hacker hoodies.
As it stands, we're in shades-of-grey land on the matter.
Treasury and other government departments might want to take a look at how their search engines work and test them with unusual queries to get a better idea of what they can unintentionally reveal.
Another baffling factoid is Treasury saying that the "dorker" was able to issue around 2000 very specific search engine queries over 48 hours.
That's a big number of unusual queries over a long period of time, targeting sensitive information that wasn't meant to be disclosed until Budget Day.
How come Treasury staffers didn't notice them before the Budget information leaked out?
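One way to surface the pattern described above, a single client issuing many searches for not-yet-published material inside 48 hours, from a site-search access log. This is an added example, not Treasury's tooling or code from this column; the log layout, the `/search` path, the `q` parameter, the watchlist phrases and the small demo threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs
# Assumptions (not from the article): time-ordered combined-log-style lines,
# a /search endpoint with a "q" parameter, a watchlist of embargoed phrases.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+"')
WATCHLIST = ("budget 2019", "2019 budget")
WINDOW = timedelta(hours=48)
STAMP = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (client, time, query) for a search request, else None."""
    m = LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group(3))
    if url.path != "/search":
        return None
    query = parse_qs(url.query).get("q", [""])[0].lower()
    return m.group(1), datetime.strptime(m.group(2), STAMP), query

def flag_clients(lines, threshold):
    """Map client -> peak count of watchlist searches in any 48h window."""
    recent, flagged = defaultdict(deque), {}
    for client, ts, query in filter(None, map(parse, lines)):
        if any(term in query for term in WATCHLIST):
            hits = recent[client]
            hits.append(ts)
            while ts - hits[0] > WINDOW:      # drop hits older than the window
                hits.popleft()
            if len(hits) >= threshold:
                flagged[client] = max(flagged.get(client, 0), len(hits))
    return flagged

def sample_log():
    """Constructed log: one persistent client and one ordinary visitor."""
    base = datetime.strptime("27/May/2019:09:00:00 +1200", STAMP)
    fmt = '{ip} - - [{t}] "GET /search?q={q} HTTP/1.1" 200 512'
    lines = []
    for i in range(40):
        t = (base + timedelta(minutes=30 * i)).strftime(STAMP)
        lines.append(fmt.format(ip="203.0.113.7", t=t, q=f"budget+2019+vote+{i}"))
    lines.append(fmt.format(ip="198.51.100.9", t=t, q="budget+2018+summary"))
    lines.append(fmt.format(ip="198.51.100.9", t=t, q="budget+2019+date"))
    return lines

if __name__ == "__main__":
    print(flag_clients(sample_log(), threshold=25))
```

The threshold of 25 only suits the short constructed log; a real deployment would tune it against normal search traffic and alert while the window is still open rather than after the fact.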