Very unsophisticated hacking, requiring little skill

A hacking attack on an online GST database at the Australian Tax Office last week exposed how security was neglected in the federal government's rush to get the systems up and running in time for new tax deadlines.
While security specialists told Computerworld the attack demonstrates a fundamental security flaw in the design of the GST Start-up Web site, an ATO spokesman defended the project, claiming Treasury was forced to build the system with whatever resources were available at the time.
Project manager for the GST Start-up Assistance Office Glenn Carlos said it was a case of building a system "with the best available advice and the skills you've got".
Security analysts described the attack as very unsophisticated hacking that required little skill. The breach involved a database that processes online applications for the $200 cash rebate on GST-compliant software purchases and holds a list of registered computer suppliers.
Carlos said suppliers provided contact details, products and prices that were publicly accessible online. Banking details they also submitted, however, were supposed to be secure. "The banking details go to a closed, internal system which is not linked to the front-end site, but the hacker accessed the holding file which had bank account numbers; the hacker then contacted the computer outlets advising them of the breach," he said.
"Front-end applications are outside the firewall and the information in the database was pretty simple by definition, not highly sensitive."
Carlos described the banking details as "not sensitive" because BSB and account details are written on cheques.
"The only thing the hacker could do [with the information] is put money in their accounts," he said.
He added that, because rebates end in October, the database is only temporary.
Carlos said security design was outsourced, adding that it was a new system which went live in March this year, with parts of it still in development.
Although the hacker showed little malicious intent, notifying the suppliers listed in the database and providing his own e-mail address, the attack put the GST Start-up site out of action for three days.
"The hacker didn't cover his tracks and the logs told us where to go, so we plugged the hole quickly; he began broadcasting on Wednesday night and we had the site pulled down Thursday morning," Carlos said.
"We ran tests Thursday night to be up again lunch-time Friday, but had to pull it down anyway to post the new GST prices; it was a long weekend."
Internet security consultant Andrew Haussegger of eSec said it is amazing such a high-profile government site could be hacked by a novice.
"In the rush to get up and running Treasury overlooked security, but it makes you wonder what's underneath and if this is the tip of the iceberg," Haussegger said. "It is an indicator that government lags behind the private sector in security, but defence agencies certainly invest a lot; the government struggles to attract security specialists who know how to address the new wave of cybercrime."
This is the third serious privacy breach involving the ATO in recent months, following the sale of ABN details and the sending of GST information to people listed on the electoral roll.