Qld Govt hacked Brisbane’s traffic systems



You would hope, you would really hope, that a major city such as Brisbane, which is about to host the G20 group of twenty global finance ministers and central bank governors, would be in the practice of ensuring that the traffic management systems which govern the operation of equipment such as stoplights are secure from attack. But not so, according to a new report produced by the Queensland Audit Office, which apparently found it relatively easy to break into the systems. A few paragraphs from the report (available online in PDF format):

“Traffic systems had not been adequately secured to withstand targeted physical and software-based attacks. We breached physical security without being detected and gathered information about key staff and technologies used to manage ITS, to plan our penetration tests.

We were able to penetrate some parts of the ITS where sufficient security measures to counteract information technology security attacks had not been deployed. Neither entity had performed a comprehensive security risk assessment of the ITS environment and did not fully appreciate the risks to ITS, nor the controls required to prevent exploitation of security weaknesses.

The general lack of security awareness by staff was a significant factor in why we were able to breach security controls. Staff members did not respond appropriately when exposed to techniques which were aimed at gaining unauthorised access to the systems.”

This report reminds me of a similar report by Western Australia’s auditor-general published in mid-2011, which detailed how the auditor’s office had breached security at a number of departments and agencies by … leaving USB keys with malware lying around the reception areas of those departments. Staff then took the USB keys and plugged them into their PCs … voila! Open access. It’s hard to believe just how easy breaching state government IT security can be.