February 10 was a bad day for the Dutch police force. A hack of its Website (www.politie.nl), while easily enough accomplished from the technical point of view, was the cyber equivalent of joyriders pinching a squad car.
The site is used by the police to post information about crimes and missing persons. But the hackers got hold of the form required to make a posting. Filling in the form lets you publish a missing persons report on the Web server as if you were a police officer.
You don't need a password
Proud hacker 'Grote Neus' (Dutch for 'Big Nose') published his hack on an IRC (Internet Relay Chat) channel. Soon after, the police site was bombarded by rogue messages and even porn, which stayed posted for about three hours until the authorities realised what was happening and shut the server down.
The hack has stirred up more than one nest of hornets. First, and most obviously, the Dutch force has to redefine its network security policy. It is clear the server should always be protected by a password where content can be changed. The network connection needs to be encrypted. Each application should be reviewed by a security expert before being placed on the Web, and then be kept up to date. And as the Dutch police outsources its missing persons application to its ISP, it needs to get reports not just about the server's availability and network traffic, but about the server's security patches as well.
Then there's the law. A Dutch anti-hacking law makes it an offence to abuse a computer system by posing as someone else. But as the Dutch force's Website required no authentication or password, Big Nose hacked it without having to pose as somebody else - and so presumably can't be prosecuted under the Dutch anti-hacking law.
Finally, there's the hacker community, which is pretty mad at Big Nose. The following reaction from one hacker is not untypical: "1 Your attempt has been logged. 2 The police will be out to prosecute you. 3 You mentioned this Website [Tweakers.net], which is stupid since the police can force Tweakers' ISP to reveal your profile. 4 You made fools of the Dutch police's IT taskforce - not a smart move at all. 5 You will get a police record... and FOR WHAT!? My advice is to take on a new identity ASAP. Don't feel that great now, do you?"
In this particular case I think the police will get the hacker. The attack was logged, and combining that information with the computer's IP address will reveal the hacker's telephone number. On the other hand, I doubt whether the hacker can be prosecuted under Dutch law, although I'm not a judge.
Loss of face is something the Dutch police will have to deal with for quite a time now. Although www.attrition.org (a site which reports on hacks) doesn't mention Big Nose's, it reports on a daily basis how Web servers are being defaced. Take a look - and then hire the right people to make sure your company Website never appears there.
Sten 's10' Kalenda is security manager at security specialist PinkRoccade
This was first published in February 2001