Category Archives: WEB SITES & LINKS

Some major Australian websites that aren’t secure

RENOWNED cyber security expert Troy Hunt has shamed some of Australia’s most visited websites for not being secure.

Among those that don’t encrypt the data travels between users and the website include Australia’s Bureau of Meteorology website,, and the ABC website.

These websites are among a minority that do not use HTTPS – the secure version of the web’s underlying data transfer protocol. The ‘S’ part of the acronym is the important bit.

It stands for Hyper Text Transfer Protocol Secure and is the protocol over which data is sent between your browser and the website that you are connected to.

Here’s how absurdly easy it is for attackers to destroy your website in just ten minutes

You might be amazed at how accessible hacking tools have become. Your site can be p0wn3d and an entire library of hacking tools downloaded and installed in just a few short minutes. Read this article and be prepared.


Every week, we read about another massive breach due to cyberattack. These breaches can cost organizations millions of dollars, subject them to lawsuits, and ruin thousands of lives.

The key to how an attacker gains a foothold inside an organization’s network is by being able to — somehow — gain access to accounts and computers inside the firewall. This often happens with malware that’s inadvertently brought inside the firewall by unsuspecting employees.

That malware can be delivered in a wide variety of ways, from phishing attacks where an insufficiently trained or careless user accidentally opens and runs an email attachment, to visiting a website that downloads information onto an insider’s computer.

It’s that second mechanism we’re going to talk about today. When most of us think about malware-infested websites, we usually think about users who visit inadvisable websites, sites that, frankly, most of us should know better than to visit. Someone visiting a porn site or a smartphone jailbreaking site is, almost by definition, visiting a site that is likely to be operated for nefarious purposes.

But it turns out that a great many innocent websites can be carriers for malware. All it takes is an insufficiently protected directory, an unpatched exploit, a poorly chosen FTP password, or even installing a free (but corrupted) site theme, and your website can become an entry point for a massive malware infection.

What most people don’t realize is how sophisticated and, frankly, user-friendly the tools used for cyberattacks can be. In this article, I’ve included a 10-minute video by the fine folks at Wordfence (a WordPress security firm) that shows how a typical WordPress site can be infected by just two lines of scripting code.

Once those two lines of code execute, they install a complete hacking toolkit that contains 43 separate hacking tools that the hackers can use to further compromise the server. As the video shows, these tools are often browser-based, and work like any other browser-based app.

According to a blog post by Wordfence, after analyzing a recently hacked site, they found what they called a hacking platform, which contained the following tools:

  • Complete attack shells that let [hackers] manage the filesystem, access the database through a well designed SQL client, view system information, mass infect the system, DoS other systems, find and infect all CMS’s, view and manage user accounts both on CMS’s and the local operating system and much more.
  • An FTP brute force attack tool
  • A Facebook brute force attacker
  • A WordPress brute force attack script
  • Tools to scan for config files or sensitive information
  • Tools to download the entire site or parts thereof
  • The ability to scan for other attackers shells
  • Tools targeting specific CMS’s that let [hackers] change their configuration to host [their] own malicious code

The following video is only ten minutes long, but it shows you just how accessible hacking tools have become. With tools and hacking platforms like these, it might take attackers no more than about ten minutes to gain a complete hold on your site.

This video illustrates why it’s just so important to update your sites, plugins, and themes frequently. Hackers who discover vulnerabilities can use them to get inside your site. Once they do, they can use your site as a malware delivery platform that can help them breach other sites and organizations.

See also



Henry Sapiecha

Ashley Madison hack: Hackers claim cheaters’ details dumped online


Many feel that the 30 million people whose identities could be revealed following a hack into Ashley Madison’s servers deserve everything they get. Photo: Chris Wattie

Australian names have started to trickle out in the huge Ashley Madison data leak.

Users who claim they have access to the data have posted 22 email addresses linked to the University of Western Sydney on an online message board.

Fairfax Media, the publisher of this article, has not been able to confirm the post’s legitimacy but spoke with two people from UWS whose email addresses appeared in the list

Ashley Madison databases enclosed in the 10GB compressed torrent file.CHART IMAGE
The various Ashley Madison databases enclosed in the 10GB compressed torrent file.

One declined to comment and the other said he had never visited the website.

The Ashley Madison leak allegedly reveals the names, addresses and sexual fetishes of more than 30 million Ashley Madison members. Several computer security researchers who have managed to download the file claim it is legitimate.

“This [data] dump appears to be legit. Very, very legit.,” wrote computer security researchers from TrustedSec, an information security consulting service, on their company’s blog.

Ashley Madison boats its ability to privately facilitate affairs between married individuals. Its slogan is “life is short, have an affair” — hence making the release of user accounts and personal details potentially very damaging for individuals involved.

Fairfax Media has was unable to independently verify the file, which was initially posted as an almost-10-gigabyte torrent file on a web page accessible only on the anonymous Tor network, which requires a special web browser to access.

Hack appears real

Internet message boards Reddit and 8chan lit up with news of the hack on Wednesday, as users frantically tried to download the file — but because of its large size and the number of people trying to download it, few people were able to look at the data quickly.

One Reddit user did appear to confirm that their data had been exposed in the leak.

“Going back through my credit card statements online, I found the days I signed up and opened the portions of the leaked file … associated with those days,” the user said.

“Each time my credit card was hit, all of my information shows up in the leaked credit card file.

“I do not know yet if the [credit card] info can be associated with the information that was contained in profiles, but it’s bad guys.”

Shortly after the users’ message was posted, Reddit banned the thread where users were discussing the alleged hack.

Australian security researcher Troy Hunt said he was uploading anonymised data to his popular website, Have I Been Pwned, so users could check if their log-in details had been exposed. He said that the leak appeared legitimate.

However Raja Bhatia, Ashley Madison’s former chief technology officer, who is currently working to hunt down the hackers, said immediately after the leak that it was too early to tell whether the data was legitimate.

Despite this, high-profile security writer Brian Krebs said he had spoken with sources who “all have reported finding their information and last four digits of their credit card numbers in the leaked database”.

“I’m sure there are millions of Ashley Madison users who wish it weren’t so, but there is every indication this dump is the real deal,” Krebs said on Twitter.

Security researcher Per Thorsheim posted in his blog on Tuesday that the dumped data contained an account that he was using on Ashley Madison for research purposes, and that he’d verified several of the accounts contained in the dump were real.

Credit card data included in the dump and attached to user accounts also appeared to be real. Thorsheim claimed to have verified at least one credit card number.

Emails may not reveal identities

Ashley Madison allows account sign ups without verifying email addresses. That means, theoretically, users could sign up without using their real email address — meaning the email addresses in the database could be fake.

According to the logs of email addresses posted online so far, that appears to be the case, with several obviously fake email addresses — including former UK Prime Minister Tony Blair’s — in use

However, the data dump also contains other information, including names, addresses, biographies, and credit card information that may directly identify users.

In a statement to WIRED magazine, the company behind Ashley Madison, Avid Life Media, condemned the reported leak.

“This event is not an act of hacktivism, it is an act of criminality,” it said.

“It is an illegal action against the individual members of, as well as any freethinking people who choose to engage in fully lawful online activities.”

Hacking originally came to light in July

The hacking originally came to light in July when the hackers behind it posted a small amount of data online and demanded Avid Life Media pull AshleyMadison off the internet.

The hackers claim their actions were motivated by AshleyMadison’s $19 “full delete” feature, which purports to fully scrub account details and personal information from the site’s database. The hackers claim that feature did not work as promised and actually left user information in the site’s database.

Fairfax Media has confirmed a mission statement — supposedly by Impact Team, the hackers behind the leak — was posted to a website on the Tor network.

Hacking group Impact Team posted this message on the Tor network. times up notice image

Hacking group Impact Team posted this message on the Tor network.

“Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data,” it said.

“Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95 per cent of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.

“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”

Know more? Email us

Henry Sapiecha

Online cheating date site AshleyMadison hacked

ashley maddison date site finger on lips woman image

Ashley Madison: up to 1 million Australians could be exposed.

Large caches of data stolen from online cheating site have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hook-up service, whose slogan is “Life is short. Have an affair.”

It is unclear whether the accounts of Australian clients have been compromised.

The data released by the hacker or hackers – which go by the name The Impact Team – includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hook-up sites Cougar Life and Established Men.

Reached late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s web links were no longer responding.

“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”

Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.

The compromise comes less than two months after intruders stole and leaked online user data on millions of accounts from hook-up site AdultFriendFinder.

In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

Their demands continue:

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.

“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”

ALM CEO Biderman declined to discuss specifics of the company’s investigation, which he characterised as ongoing and fast-moving. But he did suggest that the incident may have been the work of someone who at least at one time had legitimate, inside access to the company’s networks – perhaps a former employee or contractor.

“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

As if to support this theory, the message left behind by the attackers gives something of a shout out to ALM’s director of security.

“Our one apology is to Mark Steele (Director of Security),” the manifesto reads. “You did everything you could, but nothing you could have done could have stopped this.”

Several of the leaked internal documents indicate ALM was hyper aware of the risks of a data breach. In a Microsoft Excel document that apparently served as a questionnaire for employees about challenges and risks facing the company, employees were asked “In what area would you hate to see something go wrong?”

Trevor Stokes, ALM’s chief technology officer, put his worst fears on the table: “Security,” he wrote. “I would hate to see our systems hacked and/or the leak of personal information.”

In the wake of the AdultFriendFinder breach, many wondered whether AshleyMadison would be next. As the Wall Street Journal noted in a May 2015 brief titled “Risky Business for,” the company had voiced plans for an initial public offering in London later this year with the hope of raising as much as $200 million.

“Given the breach at AdultFriendFinder, investors will have to think of hack attacks as a risk factor,” the WSJ wrote. “And given its business’s reliance on confidentiality, prospective AshleyMadison investors should hope it has sufficiently, er, girded its loins.”

Henry Sapiecha

Inside The Dark Web – Documentary Video Report


Published on 8 Nov 2014

Twenty-five years after the World Wide Web was created, the issue of surveillance has become the greatest controversy of its existence. With many concerned that governments and corporations can monitor people’s every move, this programme meets hackers and scientists who are using technology to fight back, as well as the law enforcement officers who believe it’s leading to opportunities for risk-free crimes.

With contributors including World Wide Web inventor Tim Berners-Lee and WikiLeaks co-founder Julian Assange.


Henry Sapiecha


STOP SIGN AFP has defended its use of a controversial power that it uses to block websites image

The AFP has defended its use of a controversial power that it uses to block websites. Photo: Andrew Quilty

Australia’s top law-enforcement agency has defended its use of a controversial law that requires internet service providers to block websites government agencies deem illegal, without judicial oversight.

Speaking before a parliamentary inquiry, Australian Federal Police’s officials explained  they need section 313 of the Telecommunications Act, which requires telcos such as Telstra and Optus to assist government agencies to enforce criminal laws, protect public revenue and safeguard national security.

The AFP, financial regulator ASIC and an unidentified national security agency have interpreted the law to mean they have the power to order telcos to block websites hosting illegal material.

But internet providers such as  iiNet and industry bodies such as  the Australian Mobile Telecommunications Association (AMTA) and the Communications Alliance have called for restrictions. They argue there is not enough oversight and that some providers had even received blocking requests from animal protection agency the RSPCA.

Section 313  allows an “almost unlimited range of government and law-enforcement agencies that can rely on the powers set out in section 313”, iiNet’s submission to the inquiry says.

That interpretation of the Act came to light last year after ASIC inadvertently blocked more than 250,000 websites by requesting a block on an internet protocol (IP) address as opposed to a domain name like As many IP addresses host multiple websites, the request resulted in many  legal sites being blocked.

ASIC has used the power to block websites being employed for investment fraud. It’s unknown what the RSPCA wanted to block.

AFP officials said they couldn’t comment on the ASIC incident but thought their use of the power was uncontroversial.

The AFP said it had used the power to block malicious software, child exploitation material and sites such as  online marketplace Silk Road, which are used by criminals to sell drugs and other illegal items. As the judicial process “takes time”, it said it preferred section 313 blocks over court orders.

To justify its position, the AFP used the analogy of blocking access to a building in the real world that was unsafe to access.

“We’re not asking for information, we’re simply saying this needs to stop,” said Commissioner Kevin Zuccato, acting Deputy Commissioner of Close Operations Support.

“An example for me would be the ability to go outside and identify that there’s a threat coming up the road and ask my people to erect bollards so that folks can’t get to this building. It’s simply saying ‘stop, you can’t enter’ and allows us to do what we need … ”

Department of Communications officials  attending the hearing admitted the blocks could be circumvented by the use of virtual private networks (VPNs), which allow web users to camouflage their location.

Between 2011 and 2013 the department estimated 32 requests to block websites had been made.

As far as it was aware, only three government agencies had used the power.

As a form of oversight, the department recommended agencies making use of the power report their requests to the Australian Communications and Media Authority (ACMA).

AFP officials said on Wednesday they would not have a problem with this. It added thatthe auditing of its use of the powers was already “robust” and that blocking of sites was only “used as a last resort”.

Getting websites taken down first was usually the preferred method, they said.

Australian Greens Senator Scott Ludlam has previously said the interpretation of the law opened the door “to wide-scale banning of sites” on the internet.

“It also means no one is effectively in charge; other government agencies could demand sites be blocked with no co-ordination or accountability in place.”

Henry Sapiecha


austrac-website-logo image

Review of the AML/CTF Act, Rules and regulations
Submissions for the issues paper on the review of the AML/CTF Act, regulations and AML/CTF Rules closed on 28 March 2014. Information on further stakeholder engagement will be issued after submissions have been considered by the Attorney-General’s Department (AGD) and AUSTRAC.

More here…

Henry Sapiecha