Oz military megahack: When crappy defence contractor cybersecurity 'isn't uncommon', surely alarm bells ring?

30GB of data nicked in 'Alf's Mystery Happy Fun Time' attack

While Australia's federal government scrambles to hose down a hacking incident, it's important to ask why a defence contractor of any size could run a network so insecure it exposed default administrative interfaces to the Internet.

An Australian Signals Directorate (ASD) presentation to the Australian Information Security Association (AISA) conference yesterday detailed the hack.

I'm happy for the credit to remain with ZDNet's Stilgherrian for the story, since he was at the conference and I wasn't (the full horror is here).

Suffice to say that a medium-sized defence contractor was breached and gigabytes of aerospace data and commercial arrangements for military aircraft and naval vessels were delivered into the hands of the attackers. The ASD used it as a case study for the AISA conference yesterday.

The government has since said the information was commercial-in-confidence, but not classified.

This is not an isolated incident: in Australia, as elsewhere, attackers thwarted by a network's defences then seek out third-party contractors as an easier mark.

Horror movie in a PowerPoint slide

This slide from the presentation should frighten you:

[Slide image: "What the spooks saw in the hack" – the ASD's timeline of the intrusion, annotated "This isn't uncommon". Image credit: Stilgherrian]

What struck Vulture South was the long exposure window. The ASD slide sets it at a minimum four months – and adds "this isn't uncommon".

This suggests a problem in sub-contractor oversight – you can win a government contract without proving you have adequate network security.

Minister for Defence Industry Christopher Pyne seems to agree. This morning, he told Radio National's Breakfast programme that the government can't be held responsible for a contractor's lax security.

He added that the "upwards of 4,000" defence industry businesses in Australia need to take their cybersecurity seriously, and we agree.

The Register asked Nigel Phair, of the Centre for Internet Safety, about the policy or contractual requirements that apply to defence contractors.

"There's no stipulation [about required infosec measures], no ticklist of the essential eight [the ASD's don't-be-stupid list of protective measures – ed], or anything remotely sensible. That is a major issue," he said.

Things get worse the further you get from the master contract: a sub-contractor can be so far removed from the master tender that oversight becomes very murky.

Phair said the government "needs to go through all these defence sub-contractors and sub-sub-contractors and audit them".

Yes, documents like the Defence Procurement Policy Manual (PDF) and the government's Protective Security Policy Manual exist. But try finding a suggested computer/network security framework in them.

Enforcement is also a gap. For example, there's no body randomly auditing contractors' internet-facing networks. Contractors have to promise to abide by non-disclosure agreements, but that's nothing more than a self-certification.

"It's like speeding: if you're not getting pulled over, you're free to claim you always drive within the speed limit," Phair said.

Defence isn't the only sector where very sensitive information is handled by sub-contractors of sub-contractors. The "Alf's Mystery Happy Fun Time" incident (an ASD wag named the attack after a television soap opera character from Home and Away) has to be seen in this context.

Australia's government has already made it clear that its vaunted facial recognition database will be accessible to the private sector. Yesterday it announced its intention to outsource Centrelink phone services to Serco, and one mission of its Digital Transformation Office is to present government as an API for others to use.

Governments hoping to reap financial, efficiency and national security dividends from outsourcing can no longer wash their hands of contractors' security. ®
