When government aspires to be one big API, surely this needs to change
While Australia’s federal government scrambles to hose down a hacking incident, it’s important to ask why a defence contractor of any size could run a network so insecure it exposed default administrative interfaces to the Internet.
An Australian Signals Directorate (ASD) presentation to the Australian Information Security Association (AISA) conference yesterday detailed the hack.
I’m happy for credit for the story to remain with ZDNet’s Stilgherrian, since he was at the conference and I wasn’t (the full horror is here).
Suffice to say that a medium-sized defence contractor was breached, and the breach delivered gigabytes of aerospace data and commercial arrangements for military aircraft and naval vessels into the hands of the attackers. The ASD used it as a case study for the AISA conference yesterday.
The government has since said the information was commercial-in-confidence, but not classified.
This is not an isolated incident: in Australia as elsewhere, attackers thwarted by a network’s defences then seek out third-party contractors as an easier mark.