ADFA hack a national security failure, expert finds

Dec 12, 2012 by Sunanda Creagh
Hackers have accessed personal details on thousands of Australia’s future military leaders. Credit: AAP Image/Alan Porritt

A hacker has accessed personal details on thousands of Australia's future military leaders, a situation one expert has described as a national security failure.

According to media reports, a single hacker from the Anonymous group, calling himself Darwinare, released online the names, birthdays and passwords of 20,000 staff and students from a university database at the Australian Defence Force Academy.

The hacker is reported as saying it took three minutes and that his only motivation was boredom.

The University of New South Wales, which runs the campus, emailed all staff and students after the hack occurred on November 15 to say that identification numbers, birthdays, passwords had been stolen.

"We believe that the impact on you will be minimal," the email said.

"Email alias information may be used for targeted SPAM, phishing and other sort of email attacks on students. You should be especially vigilant in dealing with any suspicious emails."

"Student name and birthday information may be used for attempts at identity theft and again this requires additional ."

A spokesperson for the Department of Defence said UNSW had taken "steps to mitigate the impact of the data breach and reduce the possibility of further data breaches."

"The university also worked with Defence to ensure former military students and staff were made aware of the breach," the spokesperson said in an email.

Mark Gregory, Senior Lecturer in Electrical and at RMIT University, described the situation as mind-boggling.

"This, in my view, is a failure and should be treated as such," he said.

Dr Gregory is a retired army captain and it is his own alma mater that has been hacked.

"What's even more frightening is that they have now have access to private information on the people who are going to be our future military leaders in years to come," he said.

"Defence spends vast sums protecting every aspect of the organisation. Defence contractors also spend considerable sums achieving security clearance. Yet here we have a massive security failure by an organisation that receives considerable Defence funding. For Defence not to be checking that adequate security is in place at ADFA is, in my view, something that people should face the sack for," he said.

Dr Gregory said it was not yet clear how Darwinaire accessed the database but said the hacker may have used a brute force attack, where all possibilities are systematically checked until the right password information is found.

Another possibility is that the hacker broke through the university's firewall to access the administrative system directly or access a computer that can tap into the administrative system.

"The administrative systems should only be able to be accessed on the internal network from secure private subnets and never from the external internet. The administrative systems should be partitioned off so only certain people on certain internal networks have access," said Dr Gregory, adding that the administrative systems should have required two-step authentication—such as the sms passcodes or tokens used by online banks—to verify the security clearance of everyone trying to access the system.

"For most universities and other organisations, it's standard practice that these kinds of administrative systems can't be accessed from outside even through the use of VPNs or remote control of desktops. It slows things down but it's absolutely necessary to ensure security is maintained."

Jason But from the Centre for Advanced Internet Architectures at Swinburne University of Technology said a security system is only as strong as its weakest link.

"No reports have emerged as to how the hacker has accessed the ADFA systems, so we can only speculate as to where the weak link is. It is possible that more secure systems were accessed via less secure systems where the hacker has bypassed the stronger levels of security commonly applied to shield secure systems from generic Internet access," he said.

"While I can understand the political implications, it is disturbing how much this attack is being downplayed. To claim that only historical passwords were stolen is naive in assuming that most people regularly change their passwords in a routine manner. Coupled with the fact that passwords are regularly reused across multiple systems, this list could provide an avenue of attack into unrelated systems where users share common accounts."

The potential for identity theft was also being downplayed, Dr But said.

"The information which has been stolen can now be used to fish for further information, making ADFA users more vulnerable to future attacks. One would expect that organisations such as ADFA would have a higher priority on security of their computer and data systems."

The speed with which the hacker claimed to be able to access the data was also disturbing, he said.

Explore further: Study: Social media users shy away from opinions

add to favorites email to friend print save as pdf

Related Stories

Twitter settles with FTC over data security lapses

Jun 24, 2010

(AP) -- Twitter has agreed to settle charges by federal regulators that it put the privacy of its users at risk by failing to protect them from data security lapses last year that let hackers access their accounts.

Hacker claims porn site users compromised

Feb 13, 2012

A hacker claims to have compromised the personal information of more than 350,000 users after breaking into a disused website operated by pornography provider Brazzers.

Password breach spreads beyond LinkedIn

Jun 07, 2012

More websites admitted security breaches Thursday after LinkedIn said some of its members' passwords were stolen, and experts warned of email scams targeting users of the social network. ...

Kosovo group claims hack of US weather service

Oct 19, 2012

The US National Weather Service computer network was hacked this week, with a group from Kosovo claiming credit and posting sensitive data, security experts said Friday.

Hackers turn PlayStation into pay station

May 10, 2011

In late April, a hacker crippled Sony’s PlayStation Network by stealing the names, home addresses and perhaps even the credit card numbers of some 70 million subscribers, who play and download games through ...

Recommended for you

Study: Social media users shy away from opinions

16 hours ago

People on Facebook and Twitter say they are less likely to share their opinions on hot-button issues, even when they are offline, according to a surprising new survey by the Pew Research Center.

US warns shops to watch for customer data hacking

Aug 23, 2014

The US Department of Homeland Security on Friday warned businesses to watch for hackers targeting customer data with malicious computer code like that used against retail giant Target.

Fitbit to Schumer: We don't sell personal data

Aug 22, 2014

The maker of a popular line of wearable fitness-tracking devices says it has never sold personal data to advertisers, contrary to concerns raised by U.S. Sen. Charles Schumer.

Should you be worried about paid editors on Wikipedia?

Aug 22, 2014

Whether you trust it or ignore it, Wikipedia is one of the most popular websites in the world and accessed by millions of people every day. So would you trust it any more (or even less) if you knew people ...

How much do we really know about privacy on Facebook?

Aug 22, 2014

The recent furore about the Facebook Messenger app has unearthed an interesting question: how far are we willing to allow our privacy to be pushed for our social connections? In the case of the Facebook ...

Philippines makes arrests in online extortion ring

Aug 22, 2014

Philippine police have arrested eight suspected members of an online syndicate accused of blackmailing more than 1,000 Hong Kong and Singapore residents after luring them into exposing themselves in front of webcam, an official ...

User comments : 0