
Aardvark Daily

New Zealand's longest-running online daily news and commentary publication, now in its 14th year. The opinion pieces presented here are not purported to be fact but reasonable effort is made to ensure accuracy.

Content copyright © 1995 - 2010 to Bruce Simpson (aka Aardvark), the logo was kindly created for Aardvark Daily by the folks at aardvark.co.uk




Who's (ir)responsible for this?

11 September 2007

According to SIS director Warren Tucker, NZ government computer systems have been "hacked into" by foreign governments.

What the?

As a taxpayer who (as someone living in NZ) might well be affected by such security lapses, I'd like a little more information than this vague admission.

What computer systems?

What information was accessed?

Who was (ir)responsible for supposedly ensuring these systems were secure and what has been done to avoid a recurrence?

I don't think it's too much to ask to have these questions answered promptly and honestly by those charged with such responsibilities and paid accordingly.

Now we know that there's no such thing as a 100% secure computer system but I'd really love to know which were the most often or severely compromised systems and what OS/applications they were running.

Anyone care to bet that there's some Microsoft code in there somewhere?

And, if that's the case, then whoever recommended an MS environment for anything that could remotely be considered "important" or worthy of protecting from unauthorised access ought to have their backside kicked all the way to the dole queue.

Although MS's code has gotten a lot better of late (could it have actually gotten any worse?), it's still far from what any informed person would consider "secure".

One only has to look at the number of zero-day exploits that pop up with monotonous regularity and the way that the ELS (evil little sods) out there are now hawking shrink-wrapped hacking systems that will exploit every known weakness of this ubiquitous code.

And where are the security audits that would have detected compromised systems, allowing them to be shut down or "cleansed" straight away?

According to news reports on the matter, "in some cases, departments did not even realise their computer systems had been breached" -- which means any ELS could have popped trojans, spyware or whatever on those machines resulting in goodness knows how much additional data-loss.

According to a story running on Stuff.co.nz, "in one attack, a department had been penetrated and a programme had been inserted to generate bogus but genuine looking e-mails".

Hello... is *anyone* keeping an eye on these systems?

"Sensitive information had been stolen and attempts had been made to gain access to classified information". What? Why on earth is "sensitive information" being placed on publicly accessible computer systems in the first place??

Securing a computer system isn't the easiest task in the world but the basics are pretty fundamental -- hell, even the banking industry have a handle on that.

First up -- don't use a mainstream OS with more holes than your granny's colander.

There are plenty of *very* secure OSes out there such as NetBSD, OpenBSD or (even) FreeBSD that make a hacker's job far more difficult -- so difficult in fact that the "average" ELS will simply take a look and move on to easier pastures.

Secondly, the logs of all systems should be inspected every day to ensure that there are no unauthorised accesses or even potentially dangerous attempts to breach security. Such attempted breaches can represent the prelude to a full-on attack and should trigger a heightened sense of awareness.

Thirdly, if you can't guarantee the strength of your security, don't put "sensitive" or "classified" information on publicly accessible systems -- that's just commonsense!

Now I know there are a lot of very savvy computer security people who read this column, perhaps they'd care to chip in with their 2-cents worth.

And what do you think?

Is our government computing infrastructure being adequately protected?

Are the right OSes, practices and disciplines being used?

Or does the NZ government have a great big "kick me" sign hanging on their computer systems?
