Lax Password Security Highlighted at Hearing Into Australian Parliament House Hack
Spear-phishing was behind the February hack of Australia's Parliament House that saw attackers remain in the parliamentary network for eight days.
But how did the hackers remain in the system for this length of time - the breach was discovered on January 31 and the attackers were removed on February 8 - and what happened during those eight days?
"At this point I have to say that ... I am unable to go into any further detail," said the President of the Senate, Senator Scott Ryan, who tabled a report on the incident and was giving evidence to the Senate Finance and Public Administration Committee.
Ryan, however, did admit that: "a small number of users visited a legitimate external website that had been compromised. This caused malware to be injected into the parliamentary computing network."
As soon as the breach was discovered, the network was shut down. The problem is, the "several thousand people who access the network" were sent a message telling them to reset their passwords ... via the network they couldn't access.
This caught the attention of those on the committee, prompting the question: "If the department knew that the system was down, why send out an email to a system that wasn't accessible? That's a little problematic."
Ryan's response - "No, we were fully aware" - was met with: "That would not make sense."
One of the committee members also noted that, at the time, "there was a suggestion made to DPS (Department of Parliamentary Services) that DPS might acquire our mobile numbers and contact people that way."
"That's currently ... still under discussion," said Ryan.
One document presented to the committee was titled "Authority to reset parliamentarians' passwords". However, this wasn't issued until two weeks after the breach was discovered and was introduced to "enable parliamentarians to provide formal authority for passwords to be changed on parliamentarians' behalf by their staff." Up until then, this was done by email or phone.
"If we see a phone call come from that office," said Ian McKenzie, the DPS chief information security officer, "then it verifies at least that that is the extension and the call is coming from the verified senator or member's office. And the same with electorate offices."
While a phone call or email might appear to come via official channels, caller ID and sender addresses are easy to spoof, so treating the apparent source of a request as proof of identity leaves the door open for attackers.
No one has been caught - or named - for the Parliament House hack and, while many are pointing the finger at the Chinese, this hearing is highlighting the lax nature of cyber security that existed within what is meant to be one of Australia's most secure buildings.