Census 2016: Online attack was inevitable, say IT experts

Experts say a Census security threat was always on the cards and the ABS dropped the ball with its readiness.

Denial of service attacks are the likely technique used to close down the eCensus site just as Australians went online last night to fill it out.

Bombarding a site with requests from many computers around the world, a distributed denial of service (DDoS) attack, is the standard way for hacktivists to bring down websites and humiliate governments and agencies.

Whatever the case, the question is why didn’t the Bureau of Statistics and the Australian government realise an attack of this venom and nature was likely given the amount of hostility — justified or not — levied against the census in the online community.

At a news conference this morning ABS statistician David Kalisch admitted saying yesterday that there were no issues with the eCensus system even though two of the four DDoS attacks claimed by the government apparently had already taken place.

The ABS also admitted there was a router failure and that geo-blocking of international traffic had stopped working. If, as reported, the bot traffic bombarding the eCensus website was mainly from the US, geo-blocking would have been one way to filter it out. But geo-blocking had failed.
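To make the geo-blocking point concrete, here is an added example (not code from the article, the ABS or IBM) of a geo allow-list combined with a per-source rate limit applied to web access logs. Everything in it is constructed: the log lines are not real eCensus traffic, the prefix-to-country table stands in for a GeoIP database (it uses RFC 5737 documentation ranges), and the thresholds are arbitrary. The second run models the failure described above, with the geo-block switched off so that only the rate limiter stands between a foreign burst and the application.

```python
"""Geo-block plus per-source rate limit over web access logs (added example).

Everything here is constructed for illustration: the log lines are not real
eCensus traffic, the country table stands in for a GeoIP database, and the
thresholds are arbitrary. Real geo-blocking lives at the network edge or CDN.
"""
import ipaddress
from collections import Counter

# Constructed access log: "<timestamp> <client ip> <method> <path>", one request per line.
SAMPLE_LOG = (
    "2016-08-09T19:30:01 203.0.113.10 GET /census/form\n"
    + "2016-08-09T19:30:01 203.0.113.11 GET /census/form\n"
    + "2016-08-09T19:30:02 203.0.113.10 POST /census/submit\n"
    + "2016-08-09T19:30:01 198.51.100.7 GET /census/form\n" * 8   # one-second burst from one bot
    + "2016-08-09T19:30:01 192.0.2.5 GET /census/form\n" * 3
    + "2016-08-09T19:30:02 192.0.2.9 GET /census/form\n"
)

# Hypothetical prefix-to-country table (RFC 5737 documentation ranges, disjoint).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "AU",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}


def country_of(ip):
    """Map a client address to a country code; unknown origins are treated as foreign."""
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "??"


def parse_line(line):
    ts, ip, method, path = line.split()
    return ts, ipaddress.ip_address(ip), method, path


def top_source_countries(log_text):
    """Per-country request counts: the view that would have shown a mostly-US flood."""
    counts = Counter(country_of(parse_line(l)[1]) for l in log_text.splitlines() if l.strip())
    return dict(counts)


def filter_requests(log_text, allowed_countries=frozenset({"AU"}),
                    geo_enabled=True, per_ip_per_second=5):
    """Apply the geo allow-list first, then a per-IP, per-second cap; return counts.

    geo_enabled=False models the failure the ABS reported: with the geo-block
    gone, only the rate limiter stands between the flood and the application.
    """
    result = {"accepted": 0, "dropped_geo": 0, "dropped_rate": 0}
    admitted = Counter()  # (ip, second) -> requests already admitted in that second
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _, _ = parse_line(line)
        if geo_enabled and country_of(ip) not in allowed_countries:
            result["dropped_geo"] += 1
            continue
        key = (ip, ts)  # timestamps carry one-second resolution
        if admitted[key] >= per_ip_per_second:
            result["dropped_rate"] += 1
            continue
        admitted[key] += 1
        result["accepted"] += 1
    return result


if __name__ == "__main__":
    print("requests by country:", top_source_countries(SAMPLE_LOG))
    print("geo-block on: ", filter_requests(SAMPLE_LOG))
    print("geo-block off:", filter_requests(SAMPLE_LOG, geo_enabled=False))
```

With the geo-block on, every foreign request is dropped before the rate limiter sees it; with it off, the single-bot burst is only trimmed to the per-second cap and the rest of the foreign traffic reaches the application, which is why a failed geo-block matters even when rate limiting is in place.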

The government maintains the outage was caused by denial of service attacks, not by the volume of people submitting forms online. The ABS says the system could cope with up to 260 submissions per second, well above the actual peak rate of 150 per second.

Despite the government repeatedly blaming DDoS attacks, some people, including senior IT professionals, believe the problem was predominantly too many people online simultaneously, and that the DDoS line is a smokescreen.

With the ABS planning for 65 per cent of Australians to fill the census out online, it’s a disaster of huge proportions. How long will it now take for the ABS to declare the site safe? Could it be repeatedly attacked again if the eCensus comes back online? Should people revert to paper forms? Are there enough paper forms in existence if they did?

And shouldn’t we be asking these questions of IBM too, to whom the task of developing the online Census was outsourced? IBM won the contract to develop the eCensus operation, worth around $10 million, while another firm, Revolution IT, was reportedly paid $469,000 to load test it, i.e. to determine whether the eCensus would cope with the increased traffic on census day.

But whether that load testing included withstanding a massive bombardment of international traffic designed to bring the site down is another issue.

A senior global IT security expert last week told The Australian that the site’s hacking was “inevitable”.

It’s important to say that a distributed denial of service (DDoS) attack, blasting a website with traffic, is a separate operation from hacking into a website and stealing information. But if a hacktivist organisation is hell bent on closing a site down, it’s likely that somewhere internationally there is also a plan to try to steal data, to further make a point.

At this time, there is nothing to suggest people’s identities and addresses have been stolen, along with their census answers. But sometimes organisations don’t know until later, when hackers dump data caches online, whether they have managed.

Rightly or wrongly, there is venom in the online community over what it sees as the patronising and ill-informed approach taken by the ABS, whose explanations of the eCensus have often been vague.

Steve Wilson, managing director of consultancy firm Lockstep, said that given the toxicity a DDoS attack was always on the cards.

“They (the ABS) said this data is not identifiable, that the site is secure,” he said. “It was a red rag to a bull. A number of hacktivists would say ‘I’m going to show you’.

“But there is very little you can do about a well organised DDoS attack on a finite budget.”

He said the only way to avoid such problems is not to attract hostility in the first place.

“You need to be calm and credible, you need to talk straight and explain, and not patronise people. The government has given a lot of assurances about anonymity and security. It’s a bit of a tragedy.

“It’s really disappointing that they dropped the ball on this.”

Security researcher Troy Hunt said you would have had to expect a DDoS given what had happened. “The question was, were they prepared for a DDoS attack? And if they were, what scale of an attack were they ready for?” Mr Hunt said.

“Could it happen again? There’s no guarantees.”

He said DDoS attacks were sometimes a decoy. “Sometimes DDoS attacks are a misdirection, a decoy to keep everyone busy while another operation to steal data happens in the background.”

Given these attacks, there’s also likely to be an increased focus on whether the ABS made the right call in allowing people to fill in their census from browsers with weak, out-of-date security.

The ABS last week told The Australian that when people submitted their census forms, they would check whether their browser offered sufficient security protection, and would suggest they do a paper return where it doesn’t.

But that didn’t include blocking SHA-1, the older hash algorithm that browsers were by then phasing out in favour of SHA-2, which the majority of browsers support and which the Bureau says it would prefer. Why?

“With the assessments we’ve had, we’ve decided to allow the support of that,” the ABS told The Australian. “SHA1 is still a sufficient technology.” They may live to regret that decision.
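One concrete form of “blocking SHA1” is refusing a certificate whose signature uses the SHA-1 hash. The following added example (not code from the ABS, IBM or The Australian) shows that check with a small DER walker written against the Python standard library only: it reads the outer signatureAlgorithm field of an X.509 certificate, decodes its object identifier and applies a policy that rejects SHA-1, with a permissive switch standing in for the ABS’s choice to keep allowing it. The certificates it inspects are constructed minimal stand-ins assembled by the same script, not real certificates, and the OID table lists the common SHA-1 signature algorithms from the relevant RFCs.

```python
"""Detect SHA-1-signed X.509 certificates (DER) with a minimal ASN.1 walker.

Added example, standard library only. The certificates it inspects are
constructed stand-ins assembled below, not real certificates.
"""

# OIDs of signature algorithms that hash with SHA-1 (values are the RFC names).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"


def der_length(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted form (first arc 0 or 1 assumed)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_stand_in_cert(sig_oid):
    """Constructed minimal Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }.

    The tbsCertificate holds only a serial number and the signature bytes are
    fake: enough structure for the walker, not a certificate a client would accept.
    """
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    sig_alg = der_tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")  # NULL parameters
    sig_value = der_tlv(0x03, b"\x00" + b"\xaa" * 16)           # BIT STRING, 0 unused bits
    return der_tlv(0x30, tbs + sig_alg + sig_value)


def signature_algorithm(cert_der):
    """Return the dotted OID from the certificate's outer signatureAlgorithm field."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, pos = read_tlv(cert, 0)            # skip tbsCertificate
    alg_tag, alg, _ = read_tlv(cert, pos)    # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg, 0)
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid)


def check_signature_policy(cert_der, allow_sha1=False):
    """Return (accepted, reason). allow_sha1=True is the permissive setting."""
    oid = signature_algorithm(cert_der)
    name = SHA1_SIGNATURE_OIDS.get(oid)
    if name and not allow_sha1:
        return False, f"rejected: signed with {name} ({oid})"
    return True, f"accepted: signature algorithm {oid}"


if __name__ == "__main__":
    for label, oid in (("SHA-1", SHA1_RSA), ("SHA-256", SHA256_RSA)):
        cert = build_stand_in_cert(oid)
        print(label, "strict:    ", check_signature_policy(cert))
        print(label, "permissive:", check_signature_policy(cert, allow_sha1=True))
```

In practice the same check is run over the whole chain a server presents, since a SHA-1 signature on any intermediate is as much of a problem as one on the leaf; the walker here only reads the outer signature field of a single certificate, which is the field the policy decision turns on.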


Original URL: https://www.theaustralian.com.au/nation/politics/census-2016-online-hacking-was-inevitable-say-it-experts/news-story/fc5cb8630c0a7dda93601c2fb0da2cb3