ADFA hack a national security failure: expert


This article is by Sunanda Creagh, news editor at The Conversation. It first appeared on The Conversation and is replicated here with permission.

A hacker has accessed personal details on thousands of Australia’s future military leaders, a situation one expert has described as a national security failure.

According to media reports, a single hacker from the Anonymous group, calling himself Darwinare, released online the names, birthdays and passwords of 20,000 staff and students from a university database at the Australian Defence Force Academy. The hacker is reported as saying it took three minutes and that his only motivation was boredom.

The University of New South Wales, which runs the campus, emailed all staff and students after the hack occurred on November 15 to say that identification numbers, birthdays and passwords had been stolen. “We believe that the impact on you will be minimal,” the email said. “Email alias information may be used for targeted SPAM, phishing and other sorts of email attacks on students. You should be especially vigilant in dealing with any suspicious emails. Student name and birthday information may be used for attempts at identity theft and again this requires additional vigilance.”

A spokesperson for the Department of Defence said UNSW had taken “steps to mitigate the impact of the data breach and reduce the possibility of further data breaches.” “The university also worked with Defence to ensure former military students and staff were made aware of the breach,” the spokesperson said in an email.

Mark Gregory, Senior Lecturer in Electrical and Computer Engineering at RMIT University, described the situation as mind-boggling. “This, in my view, is a national security failure and should be treated as such,” he said. Dr Gregory is a retired army captain and it is his own alma mater that has been hacked. “What’s even more frightening is that they now have access to private information on the people who are going to be our future military leaders in years to come,” he said.

“Defence spends vast sums protecting every aspect of the organisation. Defence contractors also spend considerable sums achieving security clearance. Yet here we have a massive security failure by an organisation that receives considerable Defence funding. For Defence not to be checking that adequate security is in place at ADFA is, in my view, something that people should face the sack for,” he said.

Dr Gregory said it was not yet clear how Darwinare accessed the database but said the hacker may have used a brute force attack, where all possibilities are systematically checked until the right password information is found.

Another possibility is that the hacker broke through the university’s firewall to access the administrative system directly or to access a computer that can tap into the administrative system. “The administrative systems should only be able to be accessed on the internal network from secure private subnets and never from the external internet. The administrative systems should be partitioned off so only certain people on certain internal networks have access,” said Dr Gregory, adding that the administrative systems should have required two-step authentication — such as the SMS passcodes or tokens used by online banks — to verify the security clearance of everyone trying to access the system.

“For most universities and other organisations, it’s standard practice that these kinds of administrative systems can’t be accessed from outside even through the use of VPNs or remote control of desktops. It slows things down but it’s absolutely necessary to ensure security is maintained.”

Jason But from the Centre for Advanced Internet Architectures at Swinburne University of Technology said a security system is only as strong as its weakest link. “No reports have emerged as to how the hacker has accessed the ADFA systems, so we can only speculate as to where the weak link is. It is possible that more secure systems were accessed via less secure systems where the hacker has bypassed the stronger levels of security commonly applied to shield secure systems from generic Internet access,” he said.

“While I can understand the political implications, it is disturbing how much this attack is being downplayed. To claim that only historical passwords were stolen is naive in assuming that most people regularly change their passwords in a routine manner. Coupled with the fact that passwords are regularly reused across multiple systems, this list could provide an avenue of attack into unrelated systems where users share common accounts.”

The potential for identity theft was also being downplayed, Dr But said. “The information which has been stolen can now be used to fish for further information, making ADFA users more vulnerable to future attacks. One would expect that organisations such as ADFA would have a higher priority on security of their computer and data systems.” The speed with which the hacker claimed to be able to access the data was also disturbing, he said.

This article was originally published at The Conversation. Image credit: Department of Defence

13 COMMENTS

  1. And to think the federal government wants to keep call/sms etc information from every Australian! What can possibly go wrong?

    • What could possibli go wrong… That was the first thing that has gone wrong! *gulp*
      Will never forget that off The Simpsons :P

      Back to reality, yes stupid idea, it’s like painting a nice big red target on the data for hackers to attack the one area.

  2. “We believe that the impact on you will be minimal,”
    Telling people that is downright irresponsible; at least remind them to change their password if they use it elsewhere!

  3. Another possibility is that the ‘hacker’ was on campus at the time of the data breach. My tip is that it was a simple SQL injection attack on an intranet page requesting a username/password combo that didn’t have appropriate cleaning of the fields in the POST handling

    • Well the hacker did say he was bored at the time, and a uni campus is one of the more common places to be bored :P

      • Might be able to catch the guy by seeing which names are redacted from the list; if it was an attack from inside the network, chances are they may be a student.

    • Even if they used MD5 or SHA1 for their encryption they may have stopped the hacker from accessing the info for a few more days.
      Higher complexity encryption is not usually implemented because it slows the website’s login page, so you also need patient users that are willing to wait a little longer to make sure their details are more secure.
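The two comments above speculate about a login page that pastes POST fields into its SQL and about fast MD5/SHA1 digests versus a deliberately slow hash. As an added example, not code from the article, the university or any commenter, here is such a login check in a weak and a hardened form; the sqlite3 schema, the user names and the passwords are constructed sample data, and the function names are hypothetical.

```python
import hashlib, hmac, os, sqlite3
# PBKDF2 work factor (the deliberate slowness the commenter mentions); modest here, higher in production.
ITERATIONS = 200_000

def weak_hash(password: str) -> str:
    # Unsalted MD5: equal passwords give equal digests, so one precomputed table matches a whole dump.
    return hashlib.md5(password.encode()).hexdigest()

def strong_hash(password: str, salt: bytes = b"") -> str:
    # Random per-user salt plus a slow KDF; stored as "salthex$dkhex".
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()

def strong_verify(password: str, record: str) -> bool:
    salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare

def make_db() -> sqlite3.Connection:
    # Constructed users (not real data); two share a password on purpose.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, weak TEXT, strong TEXT)")
    for name, pw in [("cadet1", "Summer2012"), ("cadet2", "Summer2012"), ("o'brien", "correct horse")]:
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, weak_hash(pw), strong_hash(pw)))
    return db

def login_weak(db, name: str, password: str) -> bool:
    # POST fields pasted into the SQL text: whatever they hold reaches the SQL parser.
    sql = "SELECT 1 FROM users WHERE name = '" + name + "' AND weak = '" + weak_hash(password) + "'"
    return db.execute(sql).fetchone() is not None

def login_strong(db, name: str, password: str) -> bool:
    # Bound parameter: the field is data, never SQL; the hash is checked in code.
    row = db.execute("SELECT strong FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and strong_verify(password, row[0])

def quote_breaks_weak_login(db) -> bool:
    # A legitimate apostrophe is enough to expose the defect: the concatenated statement is malformed.
    try:
        login_weak(db, "o'brien", "correct horse")
        return False
    except sqlite3.OperationalError:
        return True

def duplicates_visible(db) -> bool:
    # A leaked MD5 column shows who shares a password; the salted column does not.
    weak = [r[0] for r in db.execute("SELECT weak FROM users")]
    strong = [r[0] for r in db.execute("SELECT strong FROM users")]
    return len(set(weak)) < len(weak) and len(set(strong)) == len(strong)
```

The weak form fails on an ordinary apostrophe in the name field because that character is parsed as SQL, which is the same defect an injection relies on; the hardened form keeps fields as data and makes each leaked record cost a full KDF run per guess.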

  4. Oh man, just what you want floating around on the internet: the full names and birthdates of students and staff at a military academy.

  5. UNSW has an open wifi network located in dorms and parts around the campus. You could “anonymously connect” then walk off.

  6. Question – as an ex-UNSW@ADFA student – how can I find out if my name was on list of stolen information?

  7. It’s precisely this kind of laughable incompetence that’s the reason Australia is a joke internationally, but particularly in IT. All the best engineers leave to work overseas where their skills are actually appreciated and adequately remunerated, instead of ignored, marginalised, undervalued and dismissed by management who lack the skills, vision (and probably intellect) to recognise the tremendous pool of talent they have wasting away right in front of them. Those that remain here are fighting a losing battle trying to convince managers and directors why they need to spend half as much again on security design, implementation and testing as they did on the new data warehouse they’re planning. Instead of Industry Best Practice, we predominantly have Industry Cheapest Practice, while compliance requirements are merely paid lip service, knowing full well a few large folders of documentation on intentions is all that’s required to satisfy auditors, as the actual implementation is far beyond their skills to perform any meaningful analysis.

    As usual, instead of resulting in a large-scale review of the security practices and implementations of large departments and organisations, we will have the usual hand-wringing by ‘industry experts’, empty posturing by ministers and senior staff directly responsible for the decisions leading to the actual problem, and lots of money thrown at this specific breach (some for patching the holes, but most directed to catching the kid who brought the problem to light). But no one will acknowledge that the problem is widespread, indeed endemic, in both govt and private industry in Australia. No one will take responsibility for the management decisions that are the actual cause of poor security implementations, because no matter how incompetent the initial design may be, penetration testing and security auditing should pick things like this up on the first pass, let alone on subsequent testing performed thoroughly prior to live deployment, or ongoing with every subsequent application update.

Comments are closed.