AusCERT loses passwords to Govt service

Powered by SC Magazine
 

Security hash unknown.

The Australian Computer Emergency Response Team (AusCERT) has conceded losing a DVD containing the usernames and passwords of subscribers to the Federal Government's Stay Smart Online Alert Service in the mail.

AusCERT sent the disc — containing usernames, email addresses, passwords and memorable phrases — through Australia Post on April 11 but it was never received as intended by the Department of Broadband, Communications and the Digital Economy.

The department alerted affected subscribers late last week but assured the passwords were "unreadable" due to a cryptographic hash.

However, neither AusCERT or the department were able to say what encryption hash was used to secure the records.

Weak encryption algorithms, such as MD5, can be easily defeated, placing subscriber details at risk.

This was recently demonstrated after users on the forum insiderpro cracked thousands of SHA-1 -protected passwords relating to LinkedIn and eHarmony accounts.

The passwords were cracked within a day in part because LinkedIn did not use salting, which would have added more complexity.

The Government has urged users to change their passwords but said it had "no reason to believe that this information has been found and misused by any third party".

It added that it did "not believe that there is a privacy risk".

The DVD was sent prior to the expiry of AusCERT's contract to run the service on behalf of the department. The Government is re-developing the alert service under two new contractors.

The number of subscribers affected could not be confirmed at time of writing.

Copyright © SC Magazine, Australia


AusCERT loses passwords to Govt service
 
 
 
Top Stories
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  4%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  19%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1841

Vote
Do you support the abolition of the Office of the Information Commissioner?