Australia sweeps security breaches under the carpet

Australian Federal Police agent, Nigel Phair, said most Australian organisations sweep security breaches under the carpet to avoid public scrutiny in the courts.

"A lot of this is kept under the radar," Phair said at a Logica CMG conference in Sydney yesterday. "A lot of organisations don't report security breaches to police. For some organisations, it's easier to sweep under the carpet ... and move on."

The problem with reporting security breaches, according to Phair, is that taking the matter to police means the facts and the company name are dragged through the courts -- an outcome most organisations prefer to avoid.

While sweeping security problems under the carpet may protect an organisation's image, the lack of reporting offers Australian organisations a false sense of security.

"For whatever reason, Australian organisations aren't as concerned or aware that their information could be used for bad things. For some countries that are more exposed to [security threats] -- such as the UK where a bomb has gone off -- it's a bit more in their minds," said Ajoy Ghosh, a security executive for Logica CMG.

Australia "a soft touch"
Ghosh said this mentality has contributed to Australian organisations being considered "soft targets". A group of 35 students on a two-week course led by Ghosh, mostly people working in the legal profession with very little IT background, proved the point by hacking into the "certified gateway protected" IT systems of 200 organisations. All of the organisations were either on the Business Review Weekly Top 200 list or large government departments, Ghosh said.

The vulnerability tests resulted in over 50 percent of the systems being compromised within 12 hours, to the extent that content could be altered. Where transactional systems were penetrated, Ghosh said the students could have elected to gain root access, which would have allowed personal financial data to be changed.

A further 18 percent of the systems tested were hacked within 12 to 24 hours, while only 21 percent were deemed "secure", meaning only that the students failed to penetrate them within 24 hours.

"Only 20 percent of the secure systems had any kind of intrusion detection system (IDS) installed and, in fact, half of those were freeware IDS tools, so it's not costly to put in reasonable protection," said Ghosh.

Perhaps more startling is that, across the whole exercise and including the systems equipped with IDS tools, a security team responded to the intrusions only twice.

Ghosh added that the vulnerabilities found were spread evenly across organisations running Microsoft, Apache and Domino servers, which he said dispels claims that some servers are more secure than others.

Ghosh said most organisations still believe a firewall alone provides the necessary level of security, yet a third of security breaches occur where a firewall is in place.

A case in point is Roses Only, whose IT personnel earlier this year told Ghosh their systems were secure because they had a firewall in place. In June it was discovered that Roses Only had suffered a security breach in which as many as 20,000 customer details were stolen.

Sweeping security breaches under the carpet may suit organisations trying to avoid public embarrassment today, but if the Australian Law Reform Commission's recommendations are accepted, organisations will soon be forced to disclose data breaches to the Privacy Commissioner, which might prevent Australia from continuing to be considered a "soft touch".


Talkback 10 comments

    Ajoy Ghosh has confused the GPL with the exceptionally high cost of the initial Christian Heinrich -- 11/10/07

    In addition to the hardware costs, which exponentially increase depending on bandwidth, the initial build of Snort requires a significant level of technical knowledge of Snort and its dependent packages, such as libpcap, MySQL, Barnyard, Sguil, etc.

    Furthermore, the cost of operating Snort is exceptionally high, based on the release cycle of Snort, updating recently released rules with Oinkmaster, writing rules specific to your technical network implementation, responding to alerts, etc. This is exponentially increased with the need to repeat the same procedure for each host dedicated to Snort.

    Based on the above, I would be interested if Ajoy Ghosh would publicly state that LogicaCMG would deliver Snort for free or reveal his hidden agenda (i.e. LogicaCMG charging "Professional Services" to build and operate Snort)?

    Subject Truncated :) Christian Heinrich -- 11/10/07 (in reply to #320087620)

    Without Truncating, the Subject is:

    Ajoy Ghosh has confused the GPL with the exceptionally high cost of the initial build and operation of Snort

    Legality ! Anonymous -- 11/10/07

    I can't see many circumstances where, if what Mr Ghosh said is accurately quoted, it could have possibly been legal. I can't imagine 200 major organisations agreeing to have their systems hacked by a group of students. It raises other questions, such as whether the organisations were informed of what had been done to them by these students. It would be interesting to hear how having an intrusion "detection" system such as Snort in place could have prevented these extensive-sounding hacks, unless he is suggesting that such systems be placed in-line to drop such traffic or modify firewall rules. All I can see a standard implementation of an IDS (as opposed to an IPS) doing is alerting the victims to the hack after the event.

    The information about these hacks on its own really does not sound very believable and seems like it is missing some essential background context.

    No Quote from Ajoy Ghosh Christian Heinrich -- 11/10/07 (in reply to #320087635)

    There is no reference to a quote made by Ajoy Ghosh regarding Network Intrusion Prevention or more specifically the snort_inline project at [http://snortinline.com/]

    Groundhog day for security 'experts' ?? Hugh Jorgan -- 11/10/07

    Here we go again.

    It's the same ol' self-appointed 'security experts' trotting out their publicity (read - news) & cheesy mug shots, all in the name of IT security news.

    Here's a news flash, Mr Ghosh - it ain't news that systems are insecure.

    And it ain't news that a mob of pimply-faced uni students can hack into them.

    Big deal.

    Publicity stunts might persuade some people to buy your services, but most people aren't that gullible.

    Prior Quote from Ajoy Ghosh Christian Heinrich -- 15/10/07 (in reply to #320087650)

    Ajoy Ghosh has previously attempted to present himself as a Subject Matter Expert on “hacking” in an article published in 2001 i.e. “… Research by Mr Ghosh showed 80 per cent of .com.au websites were vulnerable to intrusion and control by hackers. …”

    However, another quote from this same article may come back to haunt Ajoy Ghosh, specifically: “… due in part to misleading information from technologists who exploited fears about hacking, Mr Ghosh said. …”

    â� Christian Heinrich -- 15/10/07 (in reply to #320088063)

    Odd, the quotation marks in my comment above are published as â� or â��â�¦

    To Live By the Sword Christian Heinrich -- 15/10/07 (in reply to #320087650)

    Is To Die By the Sword :)

    Again to quote the article from 2001: "Mr Ghosh worked for Westpac and the NSW Police before joining Unisys and he is a member of the National Office of the Information Economy's e-security co-ordination group".

    I have reproduced the e-mail from NOIE in response to the claim that Ajoy Ghosh "is a member of the National Office of the Information Economy's e-security co-ordination group" below:

    >Date: Wed, 9 May 2001 08:41:08 +1000
    >From: "Byrne, Steven"
    >To: "Grant Bayley"
    >Subject: RE: Mr Ghosh again
    >
    >Hi Grant:
    >
    >Thanks for your email to info@govonline.gov.au.
    >
    >I have forwarded your email onto the appropriate area of
    >NOIE for their information.
    >
    >We too have noticed the comments of Mr Ghosh.
    >
    >Cheers
    >
    >Steven Byrne
    >NOIE web services

    Shameless self-promotion ? Anonymous -- 12/10/07

    What with the seemingly endless professional conference circuit speaking commitments, the self-promoting media releases and personal book launches, how do these 'cops' find the time for actual police work ?

    Correct me if I'm wrong, but I thought my govt taxes were intended for catching cyber-crooks, not for gallivanting about the country on the speaker circuit & self-promotion.

    How silly of me.

    Agenda Christian Heinrich -- 17/10/07 (in reply to #320087721)

    I actually suspect that Nigel’s ultimate agenda in appearing in public is to sell out to the private sector.

    Similarly to when Alistair MacGibbon went to eBay for 300K under the guise of moving from Canberra for "family" reasons, even though the AFP has an office in Sydney.
