back to article Oz military megahack: When crappy defence contractor cybersecurity 'isn't uncommon', surely alarm bells ring?

While Australia's federal government scrambles to hose down a hacking incident, it's important to ask why a defence contractor of any size could run a network so insecure it exposed default administrative interfaces to the Internet. An Australian Signals Directorate (ASD) presentation to the Australian Information Security …

  1. Winkypop Silver badge
    Facepalm

    Time for some Pyne-o-clean

    Christopher Pyne must be accountable, otherwise why is he a Minister?

  2. Anonymous Coward
    Anonymous Coward

    third party assurance

    "the government can't be held responsible for a contractor's lax security."

    I'm guessing you can do the bare minimum audit before onboarding them though?

    1. frank ly Silver badge

      Re: third party assurance

      Also, have a third party pen-test organisation try to break in with no warning and let you know how they get on. Give a bonus for breaching security. It's not rocket science!

      1. jmch Silver badge

        Re: third party assurance

        "have a third party pen-test organisation try to break in with no warning"

        The (potential) contractor would have to know about the test, so they would have to have SOME warning even if not knowing the exact date. It's illegal to commission a pen-test on a network you do not own, even for a government ministry. For all the horrorshows of government overreach, Australia is still not North Korea.

        1. Charles 9 Silver badge

          Re: third party assurance

          What if it's an official term of the contract? Wouldn't that count as express consent?

        2. Alan Brown Silver badge

          Re: third party assurance

          "It's illegal to commission a pen-test on a network you do not own, even for a government ministry. "

          Pass a law allowing it for national security purposes. Problem solved.

          1. Charles 9 Silver badge

            Re: third party assurance

            No need for additional laws. Simply require it in the terms of any government contract. Since agreeing to the contract would mean expressed consent, they'll gain legal permission to do the testing.

  3. Amos1

    "Vendor Management" in most companies is just a paperwork exercise

    "What do you mean, I have to assure the vendor is doing their job? That's why we hired them!" is a common push-back from "The Business". "An on-site visit? I'm not paying for that! We outsourced to save money!"

    So they request audit paperwork which comes back as an SSAE 16 SOC 1 Type 1, which can only be used for financial reviews and not technical operations and had no testing done. It covers the vendor's "cloud" provider's infrastructure and nothing else, not even the web apps the vendor wrote themselves. The security group writes them up for numerous problems marked in the vendor's own docs as "Requires management attention" where the vendor's response was "Accepted the risk".

    The paper-pushers in the customer's Vendor Management program look it all over and say "We can't tell the vendor how to run their business and they accepted the risk. So did our business unit."

    And then the vendor loses a butt-load of the company's customer data *cough* Equifax *cough* and "The Business" squawks "What do you mean, we have to notify our customers that the vendor we hired got breached? We're not the ones who lost it!"

    That's my Monday. Want to know what the rest of the week looks like? You guessed it, the same.

    Safe for work video on the subject: https://www.youtube.com/watch?v=9IG3zqvUqJY

  4. Robert Carnegie Silver badge

    "Isn't uncommon"

    The hypothetical Star Trek fan web site I run from my bedroom may have lax security like that (so does Starship Enterprise evidently, see "takeover of the week", at least it means that Kirk, Spock, Uhura and Chekov can break in themselves and take it back).

    A real-world security industry resource should be held to a higher standard. So I hope this incompetence is, so, uncommon in this sector. Unless we declare war on Australia - then I hope they're all idiots of "Three Stooges" level.

  5. Andytug
    Flame

    First rule of management

    You can delegate actions, but not responsibility. Responsibility is (allegedly) what managers get paid more for. Although seems quite a few have managed to avoid it via various trickery........

    1. Mark 85 Silver badge

      Re: First rule of management

      Once upon a time, it was that way. Managers and execs took responsibility. Now they by-pass it for bonuses due to "cost savings". Guess who's cost is "saved"? Not theirs but usually IT and other workers.

    2. Charles 9 Silver badge

      Re: First rule of management

      You sure as he'll can deflect risks. That's why corporations exist in the first place. Otherwise, investors would be unwilling.

      1. Alan Brown Silver badge

        Re: First rule of management

        Corporations exist to shield investors from financial risk

        There is _nothing_ protecting irresponsible management from personal liablity for negligence or recklessness.

        Adam Smith (The one who's regarded as a titan economic theory) felt that the concept of corporate managers was fatally flawed because such people had temptation to steal and/or play fast&loose with other people's money. He's been proven right many times since he raised his misgivings about corporate structures.

        1. Charles 9 Silver badge

          Re: First rule of management

          "There is _nothing_ protecting irresponsible management from personal liablity for negligence or recklessness."

          No, you use corporate bureaucracy to deal with that.

          As for Adam Smith, did anyone ever ask him what the alternative was if no one was willing to invest due to the liabilities involved? That's the main reason we have corporations in the first place: to encourage investment in an environment where investors were reluctant enough to make the money flow too slow for economic viability.

  6. Alistair Silver badge
    Windows

    "One individual is responsible"

    Per certain large corporate leaky entities.

    Hmmmm. Somethings not right......

  7. Potemkine! Silver badge

    It's easy to explain

    50 people in the company, 1 IT guy.

    When companies CFO will stop seeing IT as a cost , when companies will understand that they have to invest in sufficient human resources to have a good service, when principals will stop pressuring subcontracting companies to get the lower price, then things will change (and pigs will probably fly too). Till then, we'll hear this story again and again.

    1. herman Silver badge

      Re: It's easy to explain

      Support personnel numbers:

      50:1 for Windows

      250:1 for Linux

      10,000:1 for Linux cloud servers

    2. Alan Brown Silver badge

      Re: It's easy to explain

      "when principals will stop pressuring subcontracting companies to get the lower price,"

      One of the bigger problems is subcontractors farming things out when their contract prohibits this from happening. Because it's a breach of contract it's covered up and the effort that goes into the coverup far exceeds any effort checking compliance at the sub-subcontractor.

  8. John Smith 19 Gold badge
    FAIL

    Still none of that matters if the data being protected is not that valuable.

    Only this presentation is from the "Australian Signals Directorate "

    Which (I'm taking a wild stab here) is the Aus miltary version of the US NSA (which people forget is also a military operation, despite all the suits being worn).

    So I'm guessing they (and their sub-contractors, and their sub-sub-contractors) have something a little bit more important to guard than last weeks Fosters consumption figures. *

    *Which is only important if you're another lager mfg (IMHO lager is mfg'd, not brewed).

    1. Hans 1 Silver badge
      Joke

      Re: Still none of that matters if the data being protected is not that valuable.

      Which is only important if you're another lager mfg (IMHO lager is mfg'd, not brewed).

      I think there are only two other brands of lager in the world that would be interested in Fosters consumption figures, that would be Millers and Bud (the USian company), any other purveyor is in a different league , like, which Premier League team would care about the performance of Purbrook FC (Hampshire, England, UK) ?

    2. Winkypop Silver badge

      Re: Still none of that matters if the data being protected is not that valuable.

      "(IMHO lager is mfg'd, not brewed)."

      Perhaps.

      But IMHO Fosters is NOT beer.

      Exactly what it is, who knows.

      Australians rarely drink the shit.

    3. Anonymous Coward
      Anonymous Coward

      Re: Still none of that matters if the data being protected is not that valuable.

      "Which is only important if you're another lager mfg (IMHO lager is mfg'd, not brewed)."

      By what do you mean? Ale brewing and lager brewing are very similar. They only diverge really in the maturation process since ales age warm and lagers age cold.

  9. Eclectic Man
    FAIL

    Relax ..

    ... it is not as if Australia was a major military ally and NATO member we have deep defence relations with.

    Oh, err, hang on a minute.

    S H I T

    1. Anonymous Coward
      Anonymous Coward

      Re: Relax ..

      Correct, Australia is not a NATO member. So only half in the shit.

    2. WolfFan Silver badge

      Re: Relax ..

      it is not as if Australia was a major military ally and NATO member

      SEATO and ANZUS, not NATO. SEATO's dead and has been for 40 years, but ANZUS lives on, despite New Zealand's best efforts.

      It should be remembered that Australia and South Korea sent troops to Vietnam to support the US. Indeed, the RoK Marines in Vietnam established a reputation somewhat similar to that enjoyed by the Waffen-SS in Russia and the Australian SAS weren't exactly namby-pamby either. https://www.quora.com/Were-ROK-troops-scary-in-the-Vietnam-war http://theaustraliansas.com/

      1. Kernel

        Re: Relax ..

        "It should be remembered that Australia and South Korea sent troops to Vietnam to support the US."

        As did New Zealand - and both ourselves and the Australians (and probably the South Koreans as well) had to dodge bullets not only from the Vietcong, whom at least were expected to be firing at our troops, but from our US allies as well on occasion - presumably as a result of general incompetence and crappy map reading skills..

        1. Robert Carnegie Silver badge

          Re: Relax ..

          One civilian newswatcher's impression from a series of wars where the U.S. had allies is that U.S. forces early on test the commitment of said allies by shooting some of them dead. If that is put up with, and it usually is, then so will a lot more be, e.g. Abu Ghraib (until the photos get out).

  10. Triggerfish

    Automation at it's finest.

    I mean years ago you'd have to go a bit Smiley, or Palmer. Infiltrate the country, set up an asset, use a dead drop, and exfil.

    Nowadays you just find a defence contractor whose security team is run by bean counters, send a "joke" attachment and wait for some fool to open it.

  11. Uffish

    The buck stops somewhere

    The sub-contractor got the commercially sensitive information from somewhere. If the somewhere was a bundle of papers casually handed across at a meeting with no real warnings about the security to be provided for the data (or the email equivalent of that scenario) then any data loss is both the sub-contractor's and the main contractor's fault. If the main contractor gave specific and sufficient security instructions and got specific and sufficient assurances from the sub-contractor then it is the sub-contractor's fault. Even if it is the fault of some poor sod in purchasing who didn't read the Ts&Cs properly, someone didn't do his job properly.

    Maybe in Australia a terse comment from the ASD is enough to get standards raised but they will still have to prove it.

  12. Lotaresco Silver badge

    Australia also needs to look at accountability

    "A contractor did a bad thing" didn't save anyone at MoD from the consequences of the EDS data leak when an unencrypted laptop containing 600,000 records of military personnel was stolen, leading to the revelation that this had happened three times before. The Burton report of 30 April 2008 resulted in shortened career paths.

  13. Hazmoid

    Sounds like a case of using a local for IT support

    reading the article on PCauthority, https://www.pcauthority.com.au/news/australian-contractors-only-it-technician-steals-30gb-of-defence-secrets-475238

    It sounds like a local in the Middle East was used for the IT support and was not particularly careful with password or account security.

    Suspect this contractor no longer has a contract.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019