The ABS Census Debacle


Most people in Australia know that the night of August the 9th was census night. What was new about this one is that this was the first one that could be filled out online.

What most people also now know is that the online census was a complete failure. Tens of thousands of people were unable to complete the census, and the ABS website failed. For hours, people were unable to access the site.

This was no surprise to me, and most likely anyone else who has a decent understanding of how to engineer network services to handle heavy loads.

The loads we are talking about are astronomical compared to the normal loads experienced by many systems.

A newspaper report suggested that the ABS had load tested the system (as they should) prior to implementation and it could handle 1,000,000 hits an hour. Yeah that’s great. Unless your system gets a million hits a second. This is the most likely scenario that occurred as virtually every family in Australia said after dinner on Tuesday night, “let’s get this out of the way”.

I used to work for Tabcorp and year after year, their systems crashed on Melbourne Cup day (this was a dozen years ago, so it’s most likely much better engineered now). The problem was that the spike in load for that brief time leading up to the cup is far more than the system’s regular load. We’re not talking double here, we’re talking about 50 times your normal traffic. The point is, it’s very hard to engineer for such peak loads.

The ABS chiefs had an excuse. It wasn’t the load; we’d tested for that. It was a denial of service (DOS) attack. Well, having worked for the public service before (like many Australians) I could see that one for what it most likely was; a bureaucrat’s excuse. I may be cynical, but I wouldn’t be surprised if they had meetings beforehand, planning excuses if the system didn’t work. After all, may as well be prepared.

I call that excuse as most likely bull. Calling on past experience as a computer security professional I find it very hard to believe that the systems implemented by the ABS wouldn’t have DOS protection. Why? Because they have things called firewalls and intrusion prevention systems that detect these and stop them.

But what is a denial of service attack? It’s a fairly basic attack. What the attacker does is send a large number of requests to a site in an attempt to overwhelm it.

One way to do this is to open thousands and thousands of half-open connections. The way a PC connects to a server is by a thing known as a three-way handshake. The PC requests a connection. The server responds by saying I have a connection and the PC responds back saying I’ll take that connection. If the PC doesn’t respond, the server holds the connection open for a time, waiting for the response. Do this thousands of times and the server runs out of connections.

That is the description of a simple attack. To the best of my knowledge, modern systems are completely immune to simple attacks like this, but there are likely to be other types of similar attacks that are more effective.
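The half-open connections described above show up on a server as sockets stuck in the SYN-RECV state, so one check is to compare pending handshakes against completed ones for each listening port. The following is an added example, not part of the original post; the sample text is constructed in the column layout of `ss -tan`, and the function names and thresholds are assumptions.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tan`; documentation-range
# addresses, not captured data.
SAMPLE = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN    0      128    0.0.0.0:443        0.0.0.0:*
ESTAB     0      0      192.0.2.10:443     198.51.100.7:51514
ESTAB     0      0      192.0.2.10:443     198.51.100.8:40022
SYN-RECV  0      0      192.0.2.10:443     203.0.113.5:1025
SYN-RECV  0      0      192.0.2.10:443     203.0.113.6:1026
SYN-RECV  0      0      192.0.2.10:443     203.0.113.7:1027
SYN-RECV  0      0      192.0.2.10:443     203.0.113.8:1028
SYN-RECV  0      0      192.0.2.10:443     203.0.113.9:1029
SYN-RECV  0      0      192.0.2.10:443     203.0.113.5:1030
ESTAB     0      0      192.0.2.10:22      198.51.100.7:50000
SYN-RECV  0      0      192.0.2.10:22      198.51.100.9:50001
"""

def _sockets(ss_text):
    """Yield (state, local_port, peer_ip) for SYN-RECV and ESTAB rows."""
    for line in ss_text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] in ("SYN-RECV", "ESTAB"):
            yield f[0], f[3].rsplit(":", 1)[1], f[4].rsplit(":", 1)[0]

def flooded_ports(ss_text, min_half_open=5, ratio=2.0):
    """Return {port: (half_open, established)} for ports that look flooded.

    Flagged when at least `min_half_open` handshakes are pending and they
    outnumber completed connections by `ratio` (illustrative thresholds).
    """
    half_open, established = Counter(), Counter()
    for state, port, _peer in _sockets(ss_text):
        (half_open if state == "SYN-RECV" else established)[port] += 1
    return {port: (n, established[port]) for port, n in half_open.items()
            if n >= min_half_open and n >= ratio * max(established[port], 1)}

def half_open_peers(ss_text, port):
    """Distinct peer IPs with a pending handshake on `port`.

    Source addresses in a flood are often forged, so many distinct peers is
    expected and a per-source limit alone will not catch it.
    """
    return len({peer for state, p, peer in _sockets(ss_text)
                if state == "SYN-RECV" and p == port})
```

On the constructed sample, port 443 is flagged and port 22, with a single pending handshake, is not.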

Anyway, the bottom line is that a DOS attack either isn’t likely or shows that they weren’t very prepared, as this article in the Sydney Morning Herald says.

Update: What we are seeing now is typical public services shenanigans as those responsible for the debacle duck for cover. All very predictable as public service heads blame IBM. This is why they hire external consultants; so that they can ensure that when heads roll, it’s not theirs. IBM will be doing the same thing; seeking a scapegoat. Most likely a senior contractor. Definitely not management. Either that or looking at the contract and pointing out that they delivered as per the specifications in the contract.

What has also come out in the press is that other computing experts have come out and said exactly what I have said. That a DOS attack is unlikely and that the load experienced was simply beyond the capacity of the system to cope.

The Importance Of A Strong Password


In another life I was a computer security consultant. It’s a funny world, computer security. It revolves around manipulating people’s (people here being non-technical managerial types) fear, uncertainty and doubt, also known as FUD.

What FUD campaigns do in the case of computer security is make managers question whether the security measures they have taken are enough. You have a firewall? Oh that’s great, but it won’t protect you from intrusions. You need an intrusion detection system. You have an intrusion detection system? Yeah but does it save you from zero day attacks? And so on it goes. Always with one intent. To sell more product.

Meanwhile the basics are ignored. How do most viruses get on PCs? From free downloads usually. These days computing operating systems are quite secure. Most people have some kind of personal security on their home PC and their internet router usually also has protection. So the easiest way for those strange people who get off on creating and distributing viruses to get one on your system is for you to invite them onto your system.

The other big basic that is ignored on a regular basis is passwords. You may have encountered it when you try to create a password for some sites where they have password policies in place. You try to put in your basic password (like your cat’s name) and it tells you you need to add uppercase and lowercase characters, special characters and numbers.

Recently the adultery site Ashley Madison was hacked. The most common passwords have been revealed. They are ridiculously simple. The top ones are “123456”, “password” and “qwerty”. These are ridiculously easy for a hacker to crack.

It seems rather strange to me. If you’re on an adultery website, surely you’re going to want to keep your account a secret. I guess it’s a case of “it will never happen to me”. Clearly when it comes to high profile websites these days, that is not a good way to be thinking.

I don’t know the motivation for the hacking attack. Was it a moral crusade by some hackers or was it ego driven? Proving that they could. It doesn’t really matter. The lesson to be taken from the incident is that you need a secure password.

Ideally a passphrase is a better idea than a password. The reason being that most password cracking tools work on brute force dictionary attacks. This is where the program runs through a word list to try to guess your password. Clearly “password” is not going to last long.

A passphrase is something like “ILoveToEatNoodles”. You can add complexity to that by substituting numbers for letters – “1L0veT03atN00dl3s”. If you need to, further complexity can be added by using special characters as well – “1L0veT03@tN()()dl3s”.
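A site can screen a new password against the same kind of word list a dictionary attack uses, undoing character substitutions first so that a substituted form is judged by the words underneath it. The following is an added example, not part of the original post; the common-password set holds the three passwords named above, and the small word list, substitution table and function names are assumptions made for illustration.

```python
# The three passwords named in the post, plus a constructed mini word list.
COMMON = {"123456", "password", "qwerty"}
WORDS = {"i", "love", "to", "eat", "noodles", "cat", "dog", "house"}

# Assumed substitution table covering the swaps used in the post's examples.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalise(candidate):
    """Lower-case the candidate and undo the character substitutions."""
    return candidate.lower().replace("()", "o").translate(LEET)

def word_count(text, words=WORDS):
    """Fewest list words that concatenate to `text`, or 0 if it cannot be split."""
    best = [0] + [None] * len(text)
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                if best[end] is None or best[start] + 1 < best[end]:
                    best[end] = best[start] + 1
    return best[len(text)] or 0

def screen(candidate):
    """Classify a candidate password.

    ("common", 1)            on the common-password list, raw or normalised
    ("dictionary-words", n)  made entirely of n list words after normalising
    ("unlisted", 0)          matched by neither list
    """
    plain = normalise(candidate)
    if candidate.lower() in COMMON or plain in COMMON:
        return ("common", 1)
    n = word_count(plain)
    return ("dictionary-words", n) if n else ("unlisted", 0)
```

With this table, all three forms of the noodles passphrase normalise to the same five words, so the length of the phrase is what the check counts.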

Whatever you do, take away a principle from this. If your data is important to you; if it will be disastrous for your account to be hacked, protect it. As the Ashley Madison hack showed, the “it won’t happen to me” strategy is not a winning strategy.

Top 100 Ashley Madison Passwords Revealed