Auditor calls for Government ban on Gmail, Hotmail


Vector for attack or accidental leaks.

The Australian National Audit Office has called on all government agencies to block free web-based email services like Gmail and Hotmail to mitigate security and information integrity risks.

An audit of electronic security at four Federal departments and agencies found one department - Prime Minister and Cabinet - allowed staff to access the free unsecured email services for business reasons.

Log files obtained by the auditor showed some department staff were using the free accounts regularly.

However, the auditor noted that such public email services "should be blocked on agency ICT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure."

Prime Minister and Cabinet told the auditor that it would cease allowing staff access to free email services from July 1.

Other agencies included in the electronic security audit also agreed to the recommendation to stop using public email.

They were Medicare, ComSuper and the Australian Office of Financial Management.

Password security

The auditor also called on agencies to review log-in credentials after administrator or service account passwords were compromised at three of the four agencies examined in the report.

A ‘brute force’ test resulted in around 20 percent of passwords being compromised, according to the audit.

As a percentage, the results "compared reasonably favourably with some private sector and state government agencies", the auditor noted.

However, the compromise of administrator and/or service account passwords was a concern.

To reduce the risk of attackers gaining access to privileged accounts, the audit recommended that agencies review the passwords and policies for administrator and service accounts and, where required, set password complexity requirements suited to that level of system privilege.
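The privilege-tiered password requirements the audit recommends, as an added example that is not from the report: a policy gate that applies stricter rules to administrator and service accounts than to ordinary user accounts and rejects choices that are guessable from the agency's own context. The tiers, word lists and sample accounts are constructed for the illustration.

```python
import re

# Per-tier requirements: an assumed illustration of "complexity requirements
# suited to that level of system privilege". The thresholds are constructed.
POLICY = {
    "user":    {"min_len": 10, "classes": 3},
    "admin":   {"min_len": 16, "classes": 4},
    "service": {"min_len": 24, "classes": 4},
}
# Constructed word lists: agency and work-area terms that a guessing attack
# tries early, plus a tiny stand-in for a common-password list.
CONTEXT_WORDS = {"cabinet", "medicare", "comsuper", "treasury", "canberra"}
COMMON_PASSWORDS = {"password", "welcome1", "changeme", "admin123"}
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def check_password(pw, tier, account=""):
    """Return the list of policy failures for pw; an empty list means it passes."""
    rules = POLICY[tier]
    low = pw.lower()
    failures = []
    if len(pw) < rules["min_len"]:
        failures.append(f"length {len(pw)} < {rules['min_len']} for tier {tier}")
    if sum(1 for p in CLASS_PATTERNS if re.search(p, pw)) < rules["classes"]:
        failures.append(f"fewer than {rules['classes']} character classes")
    if low in COMMON_PASSWORDS:
        failures.append("in common-password list")
    if account and account.lower() in low:
        failures.append("contains account name")
    failures += [f"contains work-area word '{w}'" for w in sorted(CONTEXT_WORDS) if w in low]
    return failures


def audit(accounts):
    """accounts: (name, tier, password) triples -> (percent failing, failures by name)."""
    report = {name: check_password(pw, tier, name) for name, tier, pw in accounts}
    failed = {name: why for name, why in report.items() if why}
    pct = round(100 * len(failed) / len(accounts)) if accounts else 0
    return pct, failed


# Constructed sample accounts for the demonstration.
SAMPLE = [
    ("jsmith", "user", "Cabinet2011!"),
    ("asmith", "user", "Tq7#vx!pLm2r"),
    ("svc_backup", "service", "Welcome1"),
    ("dba_admin", "admin", "x9$Lq2!mRv7#Kp4&Wn"),
    ("helpdesk", "admin", "helpdesk-Pass-2011"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The same 12-character password that passes the user tier fails the admin tier on length alone, which is the point of tiering by privilege.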

Other results

The audit highlighted other areas in which network security could be improved, including:

  • Ensuring content filtering software blocks access to Internet sites that are inappropriate for work use or carry a high risk of malicious content, such as those with adult content, gambling, chatrooms, dating sites, criminal or terrorist information, music downloads and spam.
  • A documented patching process for the network operating system and third-party applications, and monitoring that the process is correctly implemented.
  • The use of email filtering software that blocks delivery of suspicious emails and prevents transmission of unmarked or inappropriately marked emails.

Copyright © iTnews.com.au . All rights reserved.

Comments: 15
DJ
Mar 24, 2011 6:59 AM
This is the right move.
Anyone using freemail as a primary business communication method deserves the risk of being junked or non-delivery of messages.
BigAussie
Mar 24, 2011 7:41 AM
@DJ -- you missed the point of this article.

They (ANAO) are blocking the public servants from accessing any of the public email services; hotmail and the like; because the IT Department (Security) are unable to read what is being sent and received.

This is more a case of stopping any future wiki"Leaks" than trying to fix security issues -- although some seem to feel they are one and the same.

Losing freedom by stealth. We are following closely in the footsteps of BamBam and the boys in the big white house.

teresa
Mar 24, 2011 9:08 AM
DJ - agree completely.

We blocked access to all web mail in the private sector company I work for many, many years ago as it was deemed a security risk. Stop being put out at your perceived lack of freedom and smell the reality.
leakage
Mar 24, 2011 9:21 AM
We use DeviceLock for web based mail and it works well.
martyvis
Mar 24, 2011 10:24 AM
@teresa I bet you don't ;-) Unless you have blocked the web completely, or have a very comprehensive whitelist, I am sure your job isn't finished. For instance, if you can browse to https://mail.sunriseroad.net/ and see the login page you can see my "webmail" server and so could any of your employees (you will likely get a cert error because of CAcert signed certificate, but that is immaterial to my point). While you may have blocked the low-hanging fruit of Google, MSN and Facebook, don't feel comfortable that you have somehow circumvented the inventiveness of your employees.

Of course if you also need to be worried about USB keys and pieces of paper that can leak from your organisation. ;-)
rodzilla666
Mar 24, 2011 10:49 AM
@BigAussie:

Blocking idiotmail won't stop future leaks, but it will reduce the likelihood of malware attack.
teresa
Mar 24, 2011 11:39 AM
@martyvis, you assume a lot for someone who knows nothing about what I do ;-)
OlgieD
Mar 24, 2011 2:33 PM
@teresa, Did you block downloading of binaries? From any site? Even those that had extensions other than .exe? Did you disable all CDROMs? USB ports? NAC control on all switch ports? If not, anyone in the company can download or bring a portable version of Tor (which includes Firefox) and run it from either USB, CDROM or desktop, not requiring the software to be installed, and access gmail through the Tor network across a https channel. If you blocked 443 (which I find unlikely), it would still be able to use port 80, in an encrypted form. You wouldn't have blocked port 80 as that would render any website unusable. Tor works very nicely through a proxy too btw, so even that won't stop anyone.
If accessing webmail is a problem, then don't provide internet access. It's the only certain way to prevent people from leaking information. Through webmail that is. Because people can still use copiers, printers, USB sticks, to transport information out of the company. And how many companies check outgoing mail? I mean the old fashioned snail mail? Do you really know what's going out the doors? What about rubbish bins? Are they checked?
And if I really wanted to get information out, I could simply hold papers up against the windows and have a buddy photograph it with a good zoom lens.
We don't need to know what you do to know that it's not feasible.
OlgieD
Mar 24, 2011 2:39 PM
@rodzilla666, Gmail's spam filtering is better than most reasonably sized companies'. Good spam/malware filtering is not cheap and requires constant maintenance and updating. You're more likely to get malware in your company email than gmail. Gmail errs slightly on the conservative side so you'll have to get into the spam folder every now and then and retrieve incorrectly marked emails, but I'd rather have that than a mailbox full of unidentified spam.
goodwin.owen@googlemail.com
Mar 25, 2011 4:40 AM
What a short sighted myopic audit.

If we're going to go down this route of supreme paranoia and block everything - then a *big* trick has been missed....

Take this example (which the audit apparently missed...).

We live in 2011. An era in which we have the ubiquitous Smartphone. With a camera included. With web access. Many people have such smartphones. If access to 'normal' internet services like free email is unavailable from a work computer - then how hard is it not going to be - using any one of a number of Apps/Smartphones+Camera - to photograph/scan (with this device) anything deemed to be confidential, or in the national interest in a government department and then sharing it in a multitude of different ways using the inherent connectivity in the smartphone.

My example - I have a sony Xperia X10 running Android. I could, if so motivated, using the CamScan App I downloaded (for Free) - scan basically whatever I felt like and then share it with my googlemail account (via Googlemail App) or my hotmail account, or uploading to Picasa....

Short of either shrouding all government buildings with a Faraday shield, or forcing mandatory submission of workers' smartphones on entry to government buildings... are we starting to see how ridiculous this audit actually was. And the subsequent reaction.

Come on guys and Grow up Australia - it's the 21st century. Join the rest of the world.

(BTW. To address some of the other comments - there's some big Government Departments in other countries that *are* using commercial cloud based email hosting providers (such as google - there is a paid-for solution from them specifically for business.).

(I'm actually an expat Australian, by the way. It's articles and reactions like this that make me cringe.)
pameacs
Mar 25, 2011 7:53 AM
Other funny one, that will have been completely overlooked and they pretty much don't care except for low hanging fruit like child porn but student email from all the unis, I wonder if they blocked that. Yes a phone and twitter and facebook access would make a right mess of this block.
Johnny
Mar 26, 2011 11:06 PM
Gotta love a brute force attack.

especially when the password is something to do with their area of work.

The amount of passwords and accounts I've 'hacked' due to other people's stupidity in choosing passwords is beyond belief.

It's just too easy to "hack" this day and age because the computer systems themselves are secure, it's the idiots who use the computers that are the issue in almost every IT system in the world. You don't need computer skills any more, it's such a shame.
Ezy2Confuze
Mar 28, 2011 2:46 PM
All we've done is use the IronPorts to block webmail and our AV solution to block USB key access. Managers etc can still access their data from home via Citrix. If anyone gets around either of the locks in place, they answer to the CEO. Everyone in our small IT department knows that if someone wants to get around things, given enough time, they can. So we try to the best of our ability and technology to stop them, which is all we can really do. We only block webmail and USB because we are a home loan institution, as it's a known fact that most data theft is via internal means, we concentrate a little more on internal security than normal. Hell, if the US military with all their IT people and resources still gets hacked, it's not like we can stop people hacking us if they tried.
panto
Mar 28, 2011 3:47 PM
I think this is the right decision. A lot of vulnerabilities are exploited unwittingly by employees through email, who don't fully understand the consequences of opening unsolicited mail. It happens in much the same way as what happened to Google when an employee was socially engineered on MSN - they are just as susceptible on email. While it can still happen on internal mail, it is less likely because the company has control over their own servers and can enforce their own security policies. I struggle to think of any good reasons why employees need to use public web mail at work. Probably the leaking of information they are referring to in this article is the kind that was just mentioned, where the threat is external and stolen unknowingly through exploits. In fact most of the measures mentioned address external threats - the insider threat is unfortunately much more common and much harder to police. But this is a right move to minimize the attack surface to outsiders.
Ezy2Confuze
Mar 28, 2011 7:41 PM
@panto: "I struggle to think of any good reasons why employees need to use public web mail at work"

Although I would usually agree with this comment, I am also realistic enough to realise that people cannot do a full 8 hours a day without some downtime or may not easily be able to do banking etc during their 30 minute or 1 hour lunch break.

What we have done is provide some net connected PCs that are VLANed off from our corporate network yet still checked by our IronPorts and have AV etc installed.

This way, we don't have to deal with unhappy staff because they can still do Net banking, webmail, Facebook etc during break time on these PCs.

Unfortunately from past experience, boredom can be more of a security risk than anything else. That's usually when people start to Google how to get around things such as anonymous email etc.