Last night the Census website went down, preventing millions of Australians from submitting online. At the time, messages on the website suggested the outage was due to heavy traffic, which led to a very entertaining night on Twitter watching people point fingers at the cause.
This finger pointing was largely a result of radio silence from the ABS. For any large organisation with a customer service problem, the worst thing you can do is go quiet. If you were hacked, though, that’s a different story.
This morning the ABC is reporting that ABS chief David Kalisch has said the census website was attacked by hackers four times yesterday.
The very brief article, which you can read here, provides no details, something that will undoubtedly be pressed for today.
Now, ‘hacking attempts’ does not automatically mean the attempts were successful. It doesn’t mean that those of us who were able to submit online have had our data compromised. If the systems in place were robust enough to detect an intrusion attempt, the hope is that the response was to cut the site off from the outside world as a protective measure, which would itself explain an outage.
It is very early, but the technical details matter a lot here, and there is no level of technical explanation of last night’s events that would be too deep for the ABS to go into.
They still need to answer the questions about traffic volume, the millions of dollars paid to IBM to build the system and the hundreds of thousands spent on load testing. With this morning’s suggestion of hacking, the self-inflicted DDoS from Australians all logging on at once either played a part in the ongoing outage or had nothing to do with it.
I left Twitter close to midnight last night with the site still offline and checked again first thing this morning. At 5:50AM the site was still offline, which pointed to a much deeper problem than traffic volume, since most people would still have been asleep.
The ABC has just updated their story with more detail, some of it very important.
David Kalisch from the ABS said:
“It was an attack, and we believe from overseas,” he said.
When asked if the hacks were a deliberate attempt to sabotage the census, Mr Kalisch replied: “We believe so.”
“The online census form was subject to four denial of service attacks yesterday,” he explained.
“The first three caused minor disruption, but more than 2 million forms were successfully submitted and safely stored.”
Mr Kalisch said the site was taken down just after 7:30pm after the fourth attack as a precaution to “ensure the integrity of the data”.
“The Australian Signals Directorate are investigating, but they did note that it was very difficult to source the attack.”
“Steps have been taken during the night to remedy these issues and I can certainly reassure Australians that the data they provided is safe.”
So this confirms the site wasn’t offline due to overwhelming traffic alone. Four denial of service attacks occurred, and a flood of traffic can, in rare circumstances, expose a weakness when a server falls over (a crash, or a component failing open rather than closed). But a denial of service attack is an attack on availability, not a hack in the sense that exploiting a known vulnerability is a hack, or social engineering is a hack. It floods the service; it does not by itself read or alter the data behind it. This points to the data being safe, but again, we’ll have to wait for more details.
I was willing to give them the benefit of the doubt, but it does indeed appear that at least one attempt to compromise the system was successful. Serious questions need to be asked about how this happened and, if they truly have shut down that attack vector, then detail how they got in and whether any Australians’ data has been compromised.
Mr Kalisch said ABS aimed to have the website up and running as soon as possible to allow people to complete their census forms.
“We have steps in place to counter attacks, [but] this one, there was one breach that did actually get through via a third party … and believe that we’ve plugged that gap,” he said.
Census (aka the ABS) have just posted on Facebook announcing they’ll turn the servers back on at 9am. At that point we’ll find out whether the overnight outage was spent fixing security on the Census site, and whether their DDoS mitigation holds.
More information at the ABC.