Thought this would have some meaning to Linkers as well. Thanks, Roger.

>ABS forced to defend Census website security
>By Allie Coyne on Aug 1, 2016 2:43PM
>Insecure encryption raises eyebrows.
>http://www.itnews.com.au/news/abs-forced-to-defend-census-website-security-432176
>
>The Australian Bureau of Statistics has been forced to answer questions about
>the security of its online Census website after it was revealed to be using an
>insecure and deprecated form of encryption to protect the sensitive personal
>details of the nation's citizens.
>
>Tests of the strength of encryption used on the main Census website, first
>highlighted by security consultant and software engineer Ben Dechrai, reveal
>the website supports the SHA-1 hashing algorithm long considered to be
>insecure.
>
>SHA is a component of a Secure Sockets Layer (SSL) certificate that is used to
>prevent the modification of data.
>
>[Not the way to say it, but we know what you mean.]
>
>All major web browser operators have said they will stop accepting SHA-1-based
>signatures by next January. Internet Explorer owner Microsoft recently said it
>would bring that date forward to September 2016 after research showed
>real-world 'collision attacks' could open the door to digital signature
>forgeries even before 2017.
>
>The Australian Signals Directorate deprecated SHA-1 from its list of approved
>cryptographic algorithms in December 2011 after finding the risk of a
>successful attack on the platform was "higher than acceptable". The US
>National Institute of Standards and Technology (NIST) has said SHA-1 should
>"not be trusted" past January 2014.
>
>Despite this, the ABS is still supporting SHA-1 to ensure those using older
>versions of web browsers are able to fill out the online form on Census night.
>
>"As the overwhelming majority of browsers and operating systems are SHA-2
>compliant, most people completing the Census will be secured using SHA-2," a
>spokesperson said.
>
>"However there are some older browsers and operating systems that only support
>SHA-1. To enable users with these older systems to complete their Census
>online, the online Census also supports older SHA-1."
>
>But users will still face the risk of a man-in-the-middle downgrade attack,
>which uses available backwards compatibility to force a computer to a lower
>and more vulnerable version of encryption, Dechrai said.
>
>"[It] increases the likelihood of a user's data being intercepted," he said.
>
>The security expert suggested a better approach was either to stick with the
>current paper forms or introduce a tiered model of online security.
>
>"[They should make] the page where people click to start the Census less
>secure, so it works on older browsers, [then] do browser detection, and if the
>browser is too old, prompt them to upgrade, or order the paper form," he said.
>
>"Only supported browsers show the "Start" button [which loads the submission
>form from a properly secured server]."
>
>The ABS was also criticised for choosing not to implement perfect forward
>security, which would protect past communications and sessions from compromise
>should attackers be able to access long-term secret keys.
>
>The agency argued that perfect forward security would disrupt its other
>security protections.
>
>"As part of our total platform security for the online Census, we need to be
>able to detect and respond to any malicious traffic," the spokesperson said.
>
>"Implementing perfect forward secrecy would reduce the effectiveness of other
>security layers, and as such may compromise overall security."
>
>However, Dechrai said that while perfect forward security could disrupt web
>application firewalls and intrusion detection systems, it was a "solvable
>problem".
>
>"Better architecture is a bit more complex, but doable," he said.
>
>"Given the sensitivity, I would hope the [government] would spend on security
>and scalability, not scrimp on security and avoid scalability."
>
>#Censusfail?
>
>The security issues carry even greater weight this year given it's the first
>time the ABS will keep and use all names and addresses collected under the
>Census for data linkage purposes.
>
>Public concerns have been growing in the lead-up to the August 9 national
>survey over the potential risks to individual privacy generated by the policy
>change.
>
>Former ABS chief statistician Bill McLennan called it the "most significant
>invasion of privacy" ever perpetrated by the ABS. Privacy lobby group
>Electronic Frontiers Australia labelled it a "serious breach of trust", and
>NSW Privacy Commissioner Elizabeth Coombs this week said she was "concerned"
>about the risks.
>
>Concerned citizens have taken to Twitter in increasing numbers under the
>#censusfail hashtag to rail against the changes to Census data collection and
>implore the ABS to reverse its decision, with many promising to boycott this
>year's survey.
>
>"Several experts with great knowledge on this topic have expressed concerns.
>Why won't the ABS listen?" Queensland University of Technology criminologist
>Dr Cassandra Cross said.
>
>"I want to emphasise how saddened I am, as a researcher and someone concerned
>about the public good, to feel compelled to protest census," philosopher and
>author Dr Leslie Cannold said.
>
>The ABS has said it is not concerned about a civil disobedience campaign and
>is persevering with its change in policy.
>
>IBRS security advisor James Turner said he was "horrified" by the "naivety" of
>the ABS' response to public concerns.
>
>"ABS executives had to know that privacy would be a huge issue raised around
>this change of protocol," Turner said.
>
>"I think most people are looking at the ABS responses as "we think this is
>cool, so we're doing it and we don't care about your privacy".
>
>"[It] doesn't seem to understand that it gets one shot at this. If there is a
>breach, then the horse has well and truly bolted. It won't even matter if they
>promise not to do it again, because the data has already gone."
>
>
>--
>Roger Clarke http://www.rogerclarke.com/
>
>Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
>Tel: +61 2 6288 6916 http://about.me/roger.clarke
>mailto:roger.cla...@xamax.com.au http://www.xamax.com.au/
>

I write books. http://janwhitaker.com/?page_id=8
Melbourne, Victoria, Australia
jw...@janwhitaker.com
Twitter: <https://twitter.com/JL_Whitaker>JL_Whitaker
Blog: www.janwhitaker.com

Some psychopaths become serial killers, and other psychopaths become
prosecutors. - Bob Ruff, Truth and Justice, June 2016

Sooner or later, I hate to break it to you, you're gonna die, so how do you
fill in the space between here and there? It's yours. Seize your space.
~Margaret Atwood, writer

_______________________________________________
Link mailing list
Link@mailman.anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/link
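As an added example (not code from the list post, the itnews article, or the ABS), here is a small Python check for the forward-secrecy point that Dechrai and the ABS spokesperson argue over in the quoted article. It classifies a server's offered cipher suites by key-exchange method, using OpenSSL's cipher description format (the one `openssl ciphers -v` and Python's `SSLContext.get_ciphers()` report), and builds a hardened server context that only negotiates ephemeral (EC)DHE. The `LEGACY_SERVER_CIPHERS` list is constructed for illustration and is not the Census site's real configuration; the function names are my own.

```python
"""Audit a TLS server's key-exchange choices for forward secrecy.

Added example: works on OpenSSL cipher description strings, so it runs
offline on a constructed list and also on a live SSLContext."""
import re
import ssl

# Key-exchange methods that give forward secrecy. "ECDH" and "DH" are
# ephemeral in OpenSSL's naming (static variants print as "ECDH/RSA" etc.):
# the session key comes from one-time values discarded after the handshake,
# so a later theft of the server's long-term private key does not unlock
# recorded sessions. "any" is what OpenSSL prints for TLS 1.3 suites, which
# are (EC)DHE-only by definition.
FORWARD_SECRET_KX = {"ECDH", "DH", "any"}

_KX_RE = re.compile(r"\bKx=([A-Za-z0-9/]+)")

# Constructed sample of what a "keep every old browser working" server might
# advertise (not the Census site's real list). The last two suites use RSA
# key transport: the client encrypts the premaster secret to the certificate
# key, so whoever later obtains that key, or decrypts passively with it the
# way a WAF/IDS tap does, can recover every recorded session.
LEGACY_SERVER_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD",
    "ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256",
    "AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD",
    "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1",
]


def audit_cipher(description):
    """Classify one OpenSSL cipher description line by its key exchange."""
    name = description.split()[0]
    match = _KX_RE.search(description)
    kx = match.group(1) if match else "unknown"
    return {"name": name, "kx": kx, "forward_secret": kx in FORWARD_SECRET_KX}


def audit(descriptions):
    """Summarise a cipher list: which suites would let a long-term key
    compromise expose past traffic."""
    rows = [audit_cipher(d) for d in descriptions]
    weak = [r["name"] for r in rows if not r["forward_secret"]]
    return {"no_forward_secrecy": weak, "all_forward_secret": not weak}


def hardened_context():
    """Server-side SSLContext that negotiates only ephemeral key exchange:
    TLS 1.2 or later, ECDHE suites with AEAD ciphers (TLS 1.3 suites are
    forward secret by construction and stay enabled)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # No RSA key-transport entries at all; aNULL/eNULL excluded defensively.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def audit_context(ctx):
    """Run the same audit over what a live SSLContext would actually offer."""
    return audit(c["description"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("constructed legacy list:", audit(LEGACY_SERVER_CIPHERS))
    print("hardened context:       ", audit_context(hardened_context()))
```

Two caveats when reading the output. The "SHA1"/"SHA256" suffix in a suite name is the record MAC or PRF, not the hash in the certificate's signature; the SHA-1 certificate the article describes is fixed by reissuing the certificate under SHA-2, not by changing the cipher list. And the ABS's concern is real as far as it goes: a monitoring tap that decrypts traffic with the server's RSA key stops working once key exchange is ephemeral, which is why the usual answer to Dechrai's "better architecture" is to inspect traffic after TLS termination rather than to weaken the key exchange.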