So, more of the same corporate media reporting of cybersecurity from Four Corners last night. Journalists misunderstanding “hacking”? Check. Wildly overstating the incidence and impact of “hacking”? Check. Treating consultants from the cybersecurity industry and national security apologists as independent experts? Check. Terms like “cyber war” being thrown around? Check. China being blamed? Check.
In short, a cybersecurity executive’s dream.
The only solid material to emerge from the report was what anyone who works in IT already knew: some companies and government departments fail to do the basics of IT security, from using decent passwords (or at least changing them from the factory default) to keeping up to date with software patches and not leaving confidential material on publicly available servers. This is less “cyberwar” than the equivalent of leaving your front door unlocked so opportunist thieves rob you instead of going somewhere a little easier.
Much was made of the purported “theft” (actually, copying) of plans for ASIO’s headquarters from a building contractor by, seemingly, Chinese hackers.
Espionage for commercial, political or military purposes of course never happened before the internet; in the analog world, no country ever spied on another; no companies devoted resources to stealing ideas or technology from other companies. Only since we could go online have spies been busy trying to steal each other’s secrets.
But who actually copied the plans?
According to former US security officials, the National Security Agency — which hoovers up 2 petabytes of information from around the world every hour — disguises its data theft as … hackers from China, in case it’s detected. You see, on the internet, no one knows you’re an NSA employee.
Obsessed, like the rest of the corporate media, with Chinese hacking, Four Corners’ Andrew Fowler didn’t understand enough about cybersecurity to question the narrative being fed to us by governments and companies.
Another question: why is the ASIO building plan so secret? When the Howard government first considered the construction of what would eventually become a grossly over-budget and long-delayed monstrosity, Phillip Ruddock as attorney-general moved the project out of the normal Public Works Committee process, ensuring no public oversight of the inflated project (the $460 million budget has become a $630 million cost). The only oversight has come via Senate Estimates, where getting information from ASIO on the building has been like pulling teeth.
As it turns out, poor IT security on a contractor’s laptop has meant the Americans, or the Chinese, or some joyriding hacker doing the equivalent of trying doors to see which were unlocked, knew more about the project than the taxpayers paying for it.
All that on a night when the really interesting cybersecurity revelation came when the Department of the Prime Minister and Cabinet attended Senate Estimates. Officials from the Cyber Policy and Homeland Security Division — the area charged with oversight of cybersecurity issues — were asked by Greens Senator Scott Ludlam if they’d heard of Tor, the routing system that enables users to communicate online anonymously, which is probably the single most widely used anonymisation mechanism in the world. No, never heard of it, officials replied.
So the officials advising the Prime Minister on cybersecurity aren’t even aware of one of the most commonly used mechanisms for avoiding government internet surveillance.
Perhaps that’s a good thing.
I didn’t watch 4C. Did they interview Bruce Schneier or anyone competent in the field? AFAIK one of the first rules of competent security these days is to assume the bad person knows the scheme you are using. So, like you, I am struggling to understand what threats we’re exposed to here, which ASIO in their role, had not already discounted as a strong likelihood.
Knowledge of the cable ducts is a risk? Yep. And, on that basis, it was built in as a given. They are presumably running some form of security ring which identifies which cable segments lie on paths which can be interfered with, and act accordingly.
Knowledge of the tea-room is a threat? Yep. And, on that basis, they probably have a sign up saying “don’t talk about secret stuff here” or something super clever.
Or alternatively, not. I mean who knows? Does it matter? Does it seriously matter if the Chinese know our floor bid-price on sheep exports to Shenzhen?
Seriously?
It is no surprise the government has IT difficulties. I purportedly cannot get FOI access to a document outlining an overspend because it is housed in an older version of Finance One. Apparently our top agencies cannot access older files once the technology is outdated and it appears that no paper files are being kept on use of public revenue.
As for national security I doubt that the Chinese are alone in extracting information given that the DSD website advertises as follows: “reveal their secrets protect our own”.
Nothing to see here.
Another great piece of writing from Mr Keane.
It only takes one poorly-configured server in China and any foreign power can exploit it in a “false flag” to fit up China. Use of outdated pirated Windows installation disks is common in China so there are many servers to choose from. What motive does China have to put itself in the frame?
Finding the true origins of the attack requires a forensic analysis of the attack. For example, did the attackers (unintentionally) betray a less-than-perfect use of English, say in crafting a fake email used to phish for passwords, or whatever. The book “The Cuckoo’s Egg” describes this kind of detective work in the early days of the internet.
The key would be ultimately to trace an attack as it happens in real-time using the full resources of the UKUSA Echelon system. Very hard to do, it would be a kind of “honeypot” entrapment operation, and the NSA would have to agree. Asking for use of Echelon and getting a “no” might tell DSD more about the origins of the attack than anything else.
Also worth noting that Microsoft Windows is back-doored with the infamous NSAKEY so it is quite easy for the NSA to get into any Windows PC with a public IP address, and probably cover their tracks to make it look as if the attack was done another more conventional way.
Yep more rubbish reporting. Like the time at Sydney airport, someone stole a few computers, so this was trumped up as a ‘major cyber theft with security implications’ in the idiot press. In other words someone just flogged a few computers to sell.
Sheesh, talk about extremes. The truth is probably somewhere in the middle, which is a long way from this article or its source.