Parliamentary website hacked
ABOVE: How the Parliament TV On Demand website looked this morning. BELOW: Its regular appearance (courtesy Google cache).
The government-funded Parliament TV on Demand (inthehouse.co.nz) website was defaced over the weekend by Turkish hacker Iskorpitx - or possibly a copycat.
The cyber-vandal has a long history of compromising a website's server, then replacing its contents with his own "graffiti" - sometime political, but usually just showing off his own talents. But software is also readily available that automates the process of finding a website then exploiting a vulnerability, and it's equally likely the attack was initiated by a no-name "script kiddie".
In Parliament TV's case, the site has been madeover with an animated flag, and the cheery, Borat-ish message: "best regards to all world".
At least one observer was not amused.
"This is serious. Where is our cyber-protection?" asked a Beehive insider who tipped off NBR at 10.30pm last night. "Where's the certification?"
The site came back online late Monday morning.
According to a message on the regular version of inthehouse.co.nz, the site "is funded by the Clerk of the House of Representatives. [Christchurch-based] Tandem Studios designed, developed, and maintains the website for the Clerk of the House of Representatives."
The main Parliament website links to inthehouse.co.nz.
A spokesperson from the Clerk's office said it will review its contract with Tandem Studios, and wants to know if the company's security is sufficient.
Girlfriend knocked out
Mid-morning, NBR spoke to Tandem Studios' sales and marketing manager Dave Dunlay - who said the hack was, in a roundabout way, a product of the Canterbury quake.
The staff member who built and manages inthehouse.co.nz was on the sixth floor of his Christchurch apartment when the quake hit.
Flying debris knocked out his girlfriend and, traumatised, the employee has yet to return to work.
Tandem had a fall-back - a second Christchurch company called Egressive.
But Egressive was also hit by the quake, and has only just started moving back into its office.
The bizarre series of events, which Mr Dunlay describes as a "perfect storm situation" helps to explain why nobody was keeping an immediate eye on the site over the weekend.
Egressive is currently trying to ascertain if the Iskorpitx attack can be pinned on a vulnerability with the site itself, or an issue with the company that hosts it.
"But the initial impression is that it's a very basic hack," Mr Dunlay said.
Buy New Zealand? Not for web hosting
An IT expert consulted by NBR this morning said it was possible the web hosting service being used by Tandem had an insecure web server setup.
"My question would be why inthehouse.co.nz is hosted in Ann Arbor, Michigan, and not in New Zealand".
Offshore hosting can be cheaper, especially for bandwidth intensive content like video.
Mr Dunlay said he could not immediately recall why the decision was made to host the site offshore, but said it was not do do with cost. In terms of the video content, all of the videos were embedded YouTube, so the Google site did all the heavy lifting.
Pulling site back to NZ, boosting security
Egressive's Dave Lane told NBR: "We're working with Tandem Studios to move the site to NZ hosting and provide more robust site security maintenance."
Mr Lane aid his company had been in talks with Tandem about such a solution for the past week, but only officially engaged today.
His initial analysis indicated that the problem was with Inthehouse.co.nz's existing, North American web hosting company.
It was unlikely that the attack was actually initiated by Iskorpitx, Mr Lane said. Rather, it was more likely a copy-cat or no-name "script kiddie" who had downloaded software that automates the process of locating a site with a vulnerability, then defacing its front page.
Inthehouse.co.nz launched last September, and its 4000 videos had attracted more than 100,000 views, Mr Dunlay said.
Tandem approached the government with the idea for the on-demand site, and successfully secured funding.
Inthehouse.co.nz features the same video content as the government's main site, but parcels it into more user-friendly, searchable snippets - such as individual clips of each Q&A during Question Time, and feeds into Twitter, YouTube and Facebook accounts.