[LINK] SMH: 'Open slather for hackers on official databases'

Roger Clarke Roger.Clarke at xamax.com.au
Thu Oct 21 13:15:51 AEDT 2010


[Comments at end]

Open slather for hackers on official databases
Date: October 21 2010
The Sydney Morning Herald
Brian Robins
http://www.smh.com.au/technology/technology-news/open-slather-for-hackers-on-official-databases-20101020-16ucw.html?skin=text-only

Computer hackers could gain access to personal information held in 
government databases as state departments routinely ignore government 
edicts that tighter security be imposed.

The government rarely discloses when its computer security systems 
have been breached, although in a report yesterday, the NSW 
Auditor-General, Peter Achterstraat, confirmed the Jobs NSW website 
was hacked last year, with email addresses of job applicants stolen 
and the applicants spammed by the hackers.

Similarly, RailCorp's computer networks were infected with the 
Conficker virus last year. This disabled security services in its 
network, with data vulnerable to theft or modification by hackers.

''There could be more such breaches,'' the report said, noting that 
in some cases organisations may never know security has been breached.

''I'm calling on the government to set minimum standards departments 
must follow, to ensure that departments understand how important 
information security is and to hold people to account,'' Mr 
Achterstraat said yesterday.

''The latest edict was promulgated in 2007 and ... not a lot has been 
done in relation to that. In fact, the fact that over two-thirds of 
government departments have not complied with the ... standard sets off 
alarm bells.''

Mr Achterstraat said that of the remaining third, it is not clear 
what their level of compliance has been.

''It's a bit like for 10 years asking someone to build a shark net 
around the beach, and not checking for 10 years whether it's been 
built, or not. It may well have been built but I've got no 
information to suggest it has been.''

The Auditor-General blamed the lack of a deadline being set for 
compliance with the government's policies for tighter computer 
security, coupled with little monitoring to ensure the policy is 
implemented.

Citizens had a ''fundamental right'' to expect their personal 
information to be kept private, and governments had a fundamental 
obligation to ensure this happened, Mr Achterstraat said. ''At the 
moment, I've not been able to establish that this is occurring.''

The opposition spokesman on legal affairs, Greg Smith, said a 
Coalition government would address the issues raised by the 
Auditor-General if elected.

''The community has the right to be angry at the Keneally Labor 
government's failure to take security of people's personal 
information seriously,'' he said.

''This is a damning report and shows the complete incompetence and 
failure of the Labor government to address the issue of security of 
personal information over its entire term.''

The head of the Department of Premiers and Cabinet, Brendan O'Reilly, 
conceded the need to ''properly manage security risks''.

''The existing government policy on the security of electronic 
information ... is now being reconsidered,'' he wrote in a response to 
the Auditor-General's report released yesterday, without indicating 
any timing for any fuller response.

Private information held by the government:
*   Details of relationships and family members.
*   Bank accounts, credit card details, salary and financial details.
*   Professional memberships and associations.
*   Driver's licence and other identification details.
*   Medical information.
*   Police records, criminal convictions.


[A quick impression is:  great work, that's what auditors should do.

[Report:
http://www.audit.nsw.gov.au/publications/reports/performance/2010/info_security/info_security_contents.htm
[Exec Summary in HTML:
http://www.audit.nsw.gov.au/publications/reports/performance/2010/info_security/execsum.htm


[It's been going on all too long.  Greybeards will remember the ICAC 
enquiry 20 years ago.  It recommended (inter alia):
"1.   Security of all information storage and retrieval systems 
should be constantly monitored, and where necessary updated and 
improved.
2.   Access to protected information should be strictly limited, and 
an efficient system maintained to enable the persons responsible for 
all accesses to be identified.
3.   Unauthorised dealing in protected government information should 
be made a criminal offence."

[And we knew all of the basics in 1992:
http://www.rogerclarke.com/DV/PaperICAC.html


-- 
Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
