[AusNOG] Fwd: LulzSec Leader Arrested in Sydney - One of our own

Tim March march.tim at gmail.com
Thu Apr 25 14:27:16 EST 2013


On 25/04/13 2:18 AM, Michael Kahl wrote:
> It's interesting that a "commonly known exploit" was used to "hack" a
> government website.
>
> If it was actually exploited remotely and assuming it is a government
> website it's safe to assume it was compliant with all of the various
> security standards, so what does that say for all of the standards and
> certification testing that's required these days?
>
> Businesses spend huge amounts of money complying with those requirements
> just to be allowed to stay in business but when Government sites get
> hacked through "commonly known exploits", and assuming they're the
> champions of those rules seeing as they created them, it has to be
> questioned the value of those rules and certifications in the first place.

Couple of thoughts in no particular order...

1. It's not interesting or particularly different from any other network 
or system. Most of these systems are operated by external managed 
services type entities, many of whom are garbage. I'll give you an 
example...

Some months ago I stumbled upon a .gov.au host with directory indexing 
enabled where Google had indexed a load (thousands) of system and 
database administration scripts. I spent some time sussing it out and it 
was more than enough to compromise the wider org.

I emailed the agency a couple of times and was unable to generate a 
response so I called them. They had absolutely no idea what to do with 
the request and eventually I found out who the outsourcing org 
responsible for their systems was. I called them and they basically 
didn't want to know about what I was telling them, I even walked one of 
their techos through finding the files via Google in a browser. 
Ultimately it took them nearly 6 months to append 'Options -Indexes' to 
their Apache configuration. A load of the files are still in Google's cache.

2. Many of the compliance requirements .gov.au clients place around 
security staff are garbage, eg. "You must be a CISSP. That's all." as 
well. To put this in a networking context - How many absolute garbage 
CCIE's do you guys come across all the time?

3. Many individual departments really don't have a lot to lose from 
security breaches the same way corporates do, eg. if a corporate loses a 
bunch of PII they cop an immediate reputational and ongoing profit hit. 
Government organisations aren't spending their own money and can change 
laws to protect themselves where required.

4. Government organisations generally don't pay anywhere near as well as 
the private sector and therefore can't attract the same level of talent. 
Comparing the competence level in an average political party with that 
of a company board of similar size. It works the same way in infosec.

5. The only reason government sites don't get hit more than they do is 
because they're incorrectly considered to be hard targets. This is for a 
couple of reasons;

5.1. General misperceptions such as the ones you mention - "they're 'DA 
MAN', so they should have l33t hax0r security"

5.2. The fact that where a corporate may be unwilling to report to or 
work with LEA a .gov entity ABSOLUTELY WILL achieve high level LEA 
engagement on any and all intrusions.

... Just thinkin' out loud...




T.
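An added self-audit check for the exposure Tim describes (example code, not from the original post or from AusNOG): it fingerprints Apache mod_autoindex directory listings in fetched responses and evaluates whether the Options lines of a single <Directory> block leave Indexes on. The sample listing and config fragments are constructed; the merge logic assumes no Options inherited from an enclosing block.

```python
#!/usr/bin/env python3
"""Constructed helpers for auditing your own hosts for Apache directory
listings, and for checking that 'Options -Indexes' actually took effect."""
import re

# mod_autoindex fingerprints: "<title>Index of /path</title>" plus either the
# sortable column links it emits (href="?C=N;O=D" ...) or a Parent Directory
# link. Requiring two signals avoids flagging an ordinary page titled "Index".
TITLE_RE = re.compile(r"<title>\s*Index of\s+(/[^<\s]*)\s*</title>", re.I)
SORT_RE = re.compile(r'href="\?C=[NMSD];O=[AD]"', re.I)
PARENT_RE = re.compile(r">\s*Parent Directory\s*</a>", re.I)
ENTRY_RE = re.compile(r'<a href="([^"?][^"]*)">[^<]*</a>', re.I)
OPTIONS_RE = re.compile(r"^\s*Options\b(.*)$", re.I | re.M)

def autoindex_path(status, body):
    """Return the listed path if (status, body) is an Apache directory
    listing, else None. A 403 is what 'Options -Indexes' yields when no
    index file exists, so it is not flagged."""
    if status != 200:
        return None
    m = TITLE_RE.search(body)
    if m and (SORT_RE.search(body) or PARENT_RE.search(body)):
        return m.group(1)
    return None

def listed_entries(body):
    """Names exposed by a listing. autoindex entries are relative hrefs;
    the Parent Directory link is absolute and the sort links start with '?'."""
    return [h for h in ENTRY_RE.findall(body) if not h.startswith("/")]

def indexes_enabled(conf):
    """Merge the Options lines of one block the way Apache does: an absolute
    list replaces the set, +/- forms adjust it. True means listings stay on."""
    opts = set()
    for line in OPTIONS_RE.findall(conf):
        toks = line.split()
        if all(t[0] in "+-" for t in toks):
            for t in toks:
                (opts.add if t[0] == "+" else opts.discard)(t[1:].lower())
        else:
            opts = {t.lower() for t in toks}
            if "all" in opts:  # 'All' includes Indexes
                opts |= {"indexes", "includes", "followsymlinks", "execcgi"}
            if "none" in opts:
                opts = set()
    return "indexes" in opts

# Constructed sample: the shape of a mod_autoindex response for /scripts.
SAMPLE_LISTING = """<html><head><title>Index of /scripts</title></head><body>
<h1>Index of /scripts</h1><pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="/">Parent Directory</a>
<a href="backup_db.sh">backup_db.sh</a> 2013-01-10 09:12 1.2K
<a href="cron/">cron/</a> 2013-01-10 09:12 -
<hr></pre></body></html>"""
WEAK_CONF = "<Directory /var/www/scripts>\n  Options Indexes FollowSymLinks\n</Directory>"
FIXED_CONF = WEAK_CONF.replace("</Directory>", "  Options -Indexes\n</Directory>")

if __name__ == "__main__":
    print(autoindex_path(200, SAMPLE_LISTING), listed_entries(SAMPLE_LISTING))
    print(indexes_enabled(WEAK_CONF), indexes_enabled(FIXED_CONF))
```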


