Computers – if you don’t patch, you leave a gap – Edith Cowan University

The leader of a research team that penetrated many of Western Australia’s state government departments has warned that the exercise could be carried out anywhere in the world.

WA Attorney-General's Department, one of the offices penetrated by the report's authors

The investigation, whose conclusions are contained in the Auditor General’s “Information Systems Audit Report (4/2011)”, breached 15 of Western Australia’s state government departments, using hacking tools freely downloadable from the internet together with embarrassing lapses in security to break into the systems.

According to Professor Craig Valli, Head of Edith Cowan University’s highly respected School of Security and Computer Science, the security weaknesses exploited by his team were easily avoidable and all too common across the developed world.

‘I would not be surprised to find similar vulnerabilities in any country in Europe or America,’ said Valli, who said that one of the chief ways his team had been able to breach the departments was through unpatched systems but that they had also been able to find their way in by “losing” USB sticks inside state buildings.

‘We found that there is a set and forget mentality. There were some things that were set very predictably; there was other stuff that was left in the default setting. We also found that much of the patching was non-existent; a lot of the stuff was 2-3 years out of date,’ Professor Valli added, pointing out that the weaknesses were often simply a matter of allocating resources.

More embarrassing for the state government departments, which included the Department of the Attorney General, the Department of Treasury and Finance, Health and Education, was the team’s use of social engineering, in this case dropping USB sticks at random within state buildings.

USB sticks were left in toilets, on office carpets, on stairwells inside the buildings, in lifts, and on the steps at the entrances of the state offices.

According to Valli, the USB sticks were deliberately loaded with a program that alerted the team when a stick had been used; at the same time, that program should have set off alarm bells for the people plugging the sticks into their computers.

One of the programs presented itself as a password-protected encrypted file, but it opened when the person who had plugged the USB drive into their computer entered their own password.
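From the defender’s side, a USB drop of the kind described above is a device-control and detection problem: the question is whether anyone would have noticed an unissued mass-storage device being plugged into a departmental machine. The following Python script is an added example, not code from the report or from the ECU team. It parses Linux kernel (dmesg) messages of the kind the usb core and the usb-storage driver print on plug-in, groups them into one record per device, and flags every mass-storage device whose serial number is not on an allowlist of issued sticks. The log lines, device serials and the allowlist are constructed for the example; the message formats themselves are the kernel’s.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample of Linux kernel (dmesg) lines as printed by the usb core
# and the usb-storage driver. The formats are the kernel's; the devices,
# serial numbers and timestamps are made up for this example.
SAMPLE_KERNEL_LOG = """\
[ 1203.411201] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[ 1203.560412] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 1203.561003] usb 1-1: Manufacturer: SanDisk
[ 1203.561010] usb 1-1: Product: Cruzer Blade
[ 1203.561018] usb 1-1: SerialNumber: 4C530001230312345678
[ 1203.590011] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 1250.102333] usb 1-2: new full-speed USB device number 6 using xhci_hcd
[ 1250.230117] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
[ 1250.231002] usb 1-2: Manufacturer: Logitech
[ 1250.231009] usb 1-2: Product: USB Receiver
[ 1250.240100] input: Logitech USB Receiver as /devices/virtual/input/input12
[ 1301.005120] usb 1-3: new high-speed USB device number 7 using xhci_hcd
[ 1301.150221] usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[ 1301.151004] usb 1-3: Manufacturer: Kingston
[ 1301.151011] usb 1-3: Product: DataTraveler 3.0
[ 1301.151019] usb 1-3: SerialNumber: 0019E06B2C8AE0A0
[ 1301.180415] usb-storage 1-3:1.0: USB Mass Storage device detected
[ 1340.000512] usb 1-1: new high-speed USB device number 8 using xhci_hcd
[ 1340.120004] usb 1-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 1340.121001] usb 1-1: Manufacturer: Generic
[ 1340.121008] usb 1-1: Product: Flash Disk
[ 1340.150002] usb-storage 1-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist: serial numbers of sticks the organisation has issued.
ISSUED_SERIALS: Set[str] = {"4C530001230312345678"}


@dataclass
class UsbDevice:
    port: str              # kernel bus-port path, e.g. "1-1"
    devnum: int            # enumeration number from "device number N"
    timestamp: float       # seconds since boot, from the dmesg prefix
    vendor_id: str = ""
    product_id: str = ""
    manufacturer: str = ""
    product: str = ""
    serial: str = ""
    mass_storage: bool = False


# Matches "[ 1203.411201] usb 1-1: ..." and "[ 1203.590011] usb-storage 1-1:1.0: ..."
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<src>usb-storage|usb)\s+"
    r"(?P<port>\d+-[\d.]+)(?::[\d.]+)?:\s+(?P<msg>.*)$"
)
NEW_RE = re.compile(r"^new .*device number (\d+)")
ID_RE = re.compile(r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
FIELD_PREFIXES = {"Manufacturer: ": "manufacturer",
                  "Product: ": "product",
                  "SerialNumber: ": "serial"}


def parse_usb_events(log: str) -> List[UsbDevice]:
    """Group kernel lines by port into one UsbDevice per plug-in event."""
    records: List[UsbDevice] = []
    current: Dict[str, UsbDevice] = {}   # most recent device seen on each port
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, port, msg = float(m["ts"]), m["src"], m["port"], m["msg"]
        new = NEW_RE.match(msg)
        if new:
            # A fresh enumeration on a port starts a new record, so a stick
            # plugged into a port used earlier is not merged with its predecessor.
            dev = UsbDevice(port=port, devnum=int(new.group(1)), timestamp=ts)
            records.append(dev)
            current[port] = dev
            continue
        dev = current.get(port)
        if dev is None:
            continue
        if src == "usb-storage" and "Mass Storage device detected" in msg:
            dev.mass_storage = True
            continue
        ids = ID_RE.search(msg)
        if ids:
            dev.vendor_id, dev.product_id = ids.groups()
            continue
        for prefix, attr in FIELD_PREFIXES.items():
            if msg.startswith(prefix):
                setattr(dev, attr, msg[len(prefix):])
    return sorted(records, key=lambda d: d.timestamp)


def unapproved_storage(devices: List[UsbDevice], allowlist: Set[str]) -> List[UsbDevice]:
    """Mass-storage devices whose serial is missing or not on the issued list."""
    return [d for d in devices if d.mass_storage and d.serial not in allowlist]


def report(log: str, allowlist: Set[str] = ISSUED_SERIALS) -> List[str]:
    """One alert line per unapproved stick, in a form a SIEM can ingest."""
    return [
        f"ALERT t={d.timestamp:.3f}s port={d.port} {d.vendor_id}:{d.product_id} "
        f"{d.manufacturer} {d.product} serial={d.serial or '<none>'}"
        for d in unapproved_storage(parse_usb_events(log), allowlist)
    ]


if __name__ == "__main__":
    for alert in report(SAMPLE_KERNEL_LOG):
        print(alert)
```

On a real host the input would be the output of `dmesg` or `journalctl -k`; the Logitech receiver is correctly left alone because it never triggers the usb-storage driver, while the Kingston stick (unknown serial) and the generic stick (no serial at all) are both flagged. Detection is the fallback, not the control: where staff have no business reason for removable media, the stick should never mount, which on Linux means preventing the usb-storage module from loading and on Windows means denying removable storage through Group Policy.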

‘We have a long way to go with awareness in cyber-security,’ said Professor Valli, who described the practice of putting unknown USBs into a PC as ‘like picking up a hypodermic from the street and reusing it.’

To get a copy of the report from Edith Cowan University, which is an associate of the CSRI, click on this link.
