[AusNOG] census issues tonight
Andy Taylor
andy at coastalaudio.com.au
Wed Aug 10 09:38:35 EST 2016
So what we are seeing here is a Census that reassures us that our data is
"safe"...
Yet doesn't take adequate steps to properly encrypt it, or protect the
network...
Incidentally, I used "not" and "applicable" for name and surname and a
number for age (without DOB) on my online submission...
It was lodged at about 1830 with no issues at all - before the network and
servers become busy after dinner...
Given that the IT industry is becoming more security-centric every day, why
was this so poorly mitigated?
Does anyone know whether a PenTest was actually commissioned, or whether it
was just load balancing?
Was a proper black box test commissioned in conjunction with the load
balancing...?
I have a sneaking suspicion that it was just poor infrastructure planning, as
this DDoS map from last night shows...
https://twitter.com/GordyPls/status/763145953415090176/photo/1
http://www.gizmodo.com.au/2016/08/the-australian-census-website-didnt-just-crash-it-was-hacked/
Matt and Mark have both hit the nail on the head...
Andy Taylor
Technical Director
0424 656 973
www.coastalaudio.com.au
-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Mark
Andrews
Sent: Wednesday, 10 August 2016 9:26 AM
To: Matt Perkins <matt at spectrum.com.au>
Cc: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] census issues tonight
In message <c7617127-36a9-f5dc-894e-727a6700e016 at spectrum.com.au>, Matt
Perkins writes:
> If you ask me the dataset is now terminally compromised. This is
> essentially market research, and people's ability to answer that sort of
> stuff truthfully goes to how much the person doing the survey is
> trusted. With the ABS spouting stuff like "attack from overseas", people
> are very unlikely to tell the truth on this census.
>
> Fellas, you blew it. Cancel the census, reschedule for next year and
> send out paper forms. Your collective uselessness just put us back 5
> years.
>
> Matt
A DoS attack does not make the dataset compromised.
Having too small a key space does. 1/100000 is not a big space for computers
to search through. It's only ~20 bits of security. An extra 4 digits would
have raised it to ~30 bits. An extra 8 digits would have raised it to ~43
bits. Entering 5 x 4 digit sequences is not hard. We do 4 x 4 + 3 for
every Visa / Mastercard transaction we do online today.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
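The key-space arithmetic in Mark's reply, worked through as an added example (this is not code from the thread or from the ABS): a uniformly random decimal code of n digits carries n * log2(10) bits, and the time an online guesser needs depends on how many codes are live at once and how fast the server answers. The guess rate and the number of live codes used below are assumed, illustrative parameters, not figures from the thread.

```python
import math

LOG2_10 = math.log2(10)  # bits contributed by each decimal digit (~3.32)


def bits_of_security(digits: int) -> float:
    """Effective key length in bits of a uniformly random decimal code."""
    if digits < 1:
        raise ValueError("a code needs at least one digit")
    return digits * LOG2_10


def digits_needed(target_bits: float) -> int:
    """Smallest number of decimal digits that reaches the target bit strength."""
    return math.ceil(target_bits / LOG2_10)


def expected_guesses(digits: int, valid_codes: int = 1) -> float:
    """Expected random guesses (with replacement) until ANY live code is hit.

    With one live code the attacker needs about 10**digits tries; when many
    codes are live at the same time (one per respondent, say) the space the
    attacker must cover shrinks by that factor. Geometric model: space / valid.
    """
    space = 10 ** digits
    if not 1 <= valid_codes <= space:
        raise ValueError("valid_codes must be between 1 and the code-space size")
    return space / valid_codes


def seconds_to_expected_hit(digits: int, valid_codes: int, guesses_per_second: float) -> float:
    """Wall-clock seconds until the expected first hit at a fixed online guess rate."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return expected_guesses(digits, valid_codes) / guesses_per_second


def comparison_table(digit_counts, valid_codes: int, guesses_per_second: float):
    """Rows of (digits, bits, expected guesses, hours to expected hit) for each code length."""
    rows = []
    for d in digit_counts:
        rows.append((
            d,
            round(bits_of_security(d), 1),
            int(expected_guesses(d, valid_codes)),
            round(seconds_to_expected_hit(d, valid_codes, guesses_per_second) / 3600, 2),
        ))
    return rows


if __name__ == "__main__":
    # Assumed parameters for illustration only: 10 million live codes and an
    # unthrottled endpoint answering 1000 guesses per second.
    LIVE_CODES = 10_000_000
    RATE = 1000.0
    print(f"{'digits':>6} {'bits':>6} {'guesses':>16} {'hours':>10}")
    for digits, bits, guesses, hours in comparison_table([5, 9, 12, 13], LIVE_CODES, RATE):
        print(f"{digits:>6} {bits:>6} {guesses:>16} {hours:>10}")
    print("digits for 30 bits:", digits_needed(30), "| for 43 bits:", digits_needed(43))
```

The "live codes" factor is the one that matters for an online brute force: the bit length of a single code is only the defence if the attacker has to hit one specific code, not any of millions that happen to be valid on census night, and neither figure helps without server-side rate limiting.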