ADFA hack a national security failure, expert finds

Dec 12, 2012 by Sunanda Creagh
Hackers have accessed personal details on thousands of Australia’s future military leaders. Credit: AAP Image/Alan Porritt

A hacker has accessed personal details on thousands of Australia's future military leaders, a situation one expert has described as a national security failure.

According to media reports, a single hacker from the Anonymous group, calling himself Darwinare, released online the names, birthdays and passwords of 20,000 staff and students from a university database at the Australian Defence Force Academy.

The hacker is reported as saying it took three minutes and that his only motivation was boredom.

The University of New South Wales, which runs the campus, emailed all staff and students after the hack occurred on November 15 to say that identification numbers, birthdays, passwords had been stolen.

"We believe that the impact on you will be minimal," the email said.

"Email alias information may be used for targeted SPAM, phishing and other sort of email attacks on students. You should be especially vigilant in dealing with any suspicious emails."

"Student name and birthday information may be used for attempts at identity theft and again this requires additional ."

A spokesperson for the Department of Defence said UNSW had taken "steps to mitigate the impact of the data breach and reduce the possibility of further data breaches."

"The university also worked with Defence to ensure former military students and staff were made aware of the breach," the spokesperson said in an email.

Mark Gregory, Senior Lecturer in Electrical and at RMIT University, described the situation as mind-boggling.

"This, in my view, is a failure and should be treated as such," he said.

Dr Gregory is a retired army captain and it is his own alma mater that has been hacked.

"What's even more frightening is that they have now have access to private information on the people who are going to be our future military leaders in years to come," he said.

"Defence spends vast sums protecting every aspect of the organisation. Defence contractors also spend considerable sums achieving security clearance. Yet here we have a massive security failure by an organisation that receives considerable Defence funding. For Defence not to be checking that adequate security is in place at ADFA is, in my view, something that people should face the sack for," he said.

Dr Gregory said it was not yet clear how Darwinaire accessed the database but said the hacker may have used a brute force attack, where all possibilities are systematically checked until the right password information is found.

Another possibility is that the hacker broke through the university's firewall to access the administrative system directly or access a computer that can tap into the administrative system.

"The administrative systems should only be able to be accessed on the internal network from secure private subnets and never from the external internet. The administrative systems should be partitioned off so only certain people on certain internal networks have access," said Dr Gregory, adding that the administrative systems should have required two-step authentication—such as the sms passcodes or tokens used by online banks—to verify the security clearance of everyone trying to access the system.

"For most universities and other organisations, it's standard practice that these kinds of administrative systems can't be accessed from outside even through the use of VPNs or remote control of desktops. It slows things down but it's absolutely necessary to ensure security is maintained."

Jason But from the Centre for Advanced Internet Architectures at Swinburne University of Technology said a security system is only as strong as its weakest link.

"No reports have emerged as to how the hacker has accessed the ADFA systems, so we can only speculate as to where the weak link is. It is possible that more secure systems were accessed via less secure systems where the hacker has bypassed the stronger levels of security commonly applied to shield secure systems from generic Internet access," he said.

"While I can understand the political implications, it is disturbing how much this attack is being downplayed. To claim that only historical passwords were stolen is naive in assuming that most people regularly change their passwords in a routine manner. Coupled with the fact that passwords are regularly reused across multiple systems, this list could provide an avenue of attack into unrelated systems where users share common accounts."

The potential for identity theft was also being downplayed, Dr But said.

"The information which has been stolen can now be used to fish for further information, making ADFA users more vulnerable to future attacks. One would expect that organisations such as ADFA would have a higher priority on security of their computer and data systems."

The speed with which the hacker claimed to be able to access the data was also disturbing, he said.

Explore further: LinkedIn membership hits 300 million

add to favorites email to friend print save as pdf

Related Stories

Twitter settles with FTC over data security lapses

Jun 24, 2010

(AP) -- Twitter has agreed to settle charges by federal regulators that it put the privacy of its users at risk by failing to protect them from data security lapses last year that let hackers access their accounts.

Hacker claims porn site users compromised

Feb 13, 2012

A hacker claims to have compromised the personal information of more than 350,000 users after breaking into a disused website operated by pornography provider Brazzers.

Password breach spreads beyond LinkedIn

Jun 07, 2012

More websites admitted security breaches Thursday after LinkedIn said some of its members' passwords were stolen, and experts warned of email scams targeting users of the social network. ...

Kosovo group claims hack of US weather service

Oct 19, 2012

The US National Weather Service computer network was hacked this week, with a group from Kosovo claiming credit and posting sensitive data, security experts said Friday.

Hackers turn PlayStation into pay station

May 10, 2011

In late April, a hacker crippled Sony’s PlayStation Network by stealing the names, home addresses and perhaps even the credit card numbers of some 70 million subscribers, who play and download games through ...

Recommended for you

LinkedIn membership hits 300 million

Apr 18, 2014

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Researchers uncover likely creator of Bitcoin

Apr 18, 2014

The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students ...

White House updating online privacy policy

Apr 18, 2014

A new Obama administration privacy policy out Friday explains how the government will gather the user data of online visitors to, mobile apps and social media sites. It also clarifies that ...

User comments : 0

More news stories

Ex-Apple chief plans mobile phone for India

Former Apple chief executive John Sculley, whose marketing skills helped bring the personal computer to desktops worldwide, says he plans to launch a mobile phone in India to exploit its still largely untapped ...

Health care site flagged in Heartbleed review

People with accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the ...

A homemade solar lamp for developing countries

( —The solar lamp developed by the start-up LEDsafari is a more effective, safer, and less expensive form of illumination than the traditional oil lamp currently used by more than one billion people ...

Floating nuclear plants could ride out tsunamis

When an earthquake and tsunami struck the Fukushima Daiichi nuclear plant complex in 2011, neither the quake nor the inundation caused the ensuing contamination. Rather, it was the aftereffects—specifically, ...

NASA's space station Robonaut finally getting legs

Robonaut, the first out-of-this-world humanoid, is finally getting its space legs. For three years, Robonaut has had to manage from the waist up. This new pair of legs means the experimental robot—now stuck ...

Filipino tests negative for Middle East virus

A Filipino nurse who tested positive for the Middle East virus has been found free of infection in a subsequent examination after he returned home, Philippine health officials said Saturday.

Egypt archaeologists find ancient writer's tomb

Egypt's minister of antiquities says a team of Spanish archaeologists has discovered two tombs in the southern part of the country, one of them belonging to a writer and containing a trove of artifacts including reed pens ...