One login, one password, one huge data breach


[Blog post] Transparency for myGov security, please.

The Australian Government must urgently address security holes in myGov if it is to consider making it the central hub by which citizens lodge their financial data.

To recap, SMH journalist and former iTnewshound Ben Grubb recently reported that myGov is vulnerable to cross-site scripting.

This is not just a hypothetical issue, but one that security researcher Nik Cubrilovic demonstrated could be used to snag the account details of any myGov user.

Cross-site scripting, or XSS, is not new, it is not magic, and the ways to prevent it (encoding untrusted data wherever it is written into a page) are well understood.

That said, it can catch out even seasoned operators. eBay, if a German security researcher is to be believed, remains vulnerable to persistent XSS because it allows JavaScript in auction listings.
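Both cases come down to the same defect: user-supplied text written into a page without encoding. The following is an added example, not code from myGov, DHS, eBay or the researchers named in this post. It shows a reflected search-results page in its vulnerable form beside the hardened form, with two constructed payloads; the template, its `q` parameter and the payloads are assumptions made for illustration.

```javascript
// Added example: a reflected-XSS sink beside its hardened form.
// Not code from myGov, DHS, eBay or the researchers named in the post;
// the "search results" template, its q parameter and the payloads are
// assumptions made for illustration.

// Encode the characters that carry meaning in HTML text and in
// double-quoted attribute values. '&' is handled first so the entities
// produced by the later replacements are not themselves re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: the user-supplied term is concatenated straight into markup,
// once as element text and once inside a quoted attribute value.
function renderSearchVulnerable(term) {
  return '<p>Results for: ' + term + '</p>\n' +
         '<input name="q" value="' + term + '">';
}

// Hardened: the same template, but the untrusted value is encoded before it
// reaches either context. Encoding at the sink is the fix; stripping
// "<script>" from the input is not, because an attribute breakout needs no tag.
function renderSearchHardened(term) {
  const safe = escapeHtml(term);
  return '<p>Results for: ' + safe + '</p>\n' +
         '<input name="q" value="' + safe + '">';
}

// Two small helpers that approximate what a browser's parser would see, so
// the example can check itself without a DOM.

// Count start and end tags, ignoring a '<' that sits inside a quoted
// attribute value (a browser does not open a tag there either).
function countTags(html) {
  let count = 0, inTag = false, quote = null;
  for (let i = 0; i < html.length; i++) {
    const c = html[i];
    if (inTag) {
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') inTag = false;
    } else if (c === '<' && /[a-zA-Z\/]/.test(html[i + 1] || '')) {
      inTag = true;
      count++;
    }
  }
  return count;
}

// List the attribute names on the <input> element, boolean ones included.
function inputAttributeNames(html) {
  const tag = html.match(/<input\b[^>]*>/);
  if (!tag) return [];
  const body = tag[0].slice('<input'.length);
  const names = [];
  const attr = /([a-zA-Z-]+)(?:=("[^"]*"|[^\s>]+))?/g;
  let m;
  while ((m = attr.exec(body)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed payloads: the first injects a new element; the second breaks
// out of value="" and adds an event handler without writing a single tag.
const TAG_PAYLOAD = '<img src=x onerror=alert(1)>';
const ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(1)';

function demo() {
  return {
    vulnerableTagCount: countTags(renderSearchVulnerable(TAG_PAYLOAD)),  // 4: p, img, /p, input
    hardenedTagCount: countTags(renderSearchHardened(TAG_PAYLOAD)),      // 3: the template's own
    vulnerableAttrs: inputAttributeNames(renderSearchVulnerable(ATTRIBUTE_PAYLOAD)), // name, value, autofocus, onfocus
    hardenedAttrs: inputAttributeNames(renderSearchHardened(ATTRIBUTE_PAYLOAD)),     // name, value
  };
}

console.log(demo());
```

The attribute-breakout payload contains no `<` at all, so a filter that strips script tags would let it through; encoding at the sink stops both payloads because the characters that end a text node or an attribute value are turned into entities. For a stored (persistent) case like the one alleged against eBay, the same encoding applies at the moment the stored listing is rendered.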

In the case of myGov, the attack was a simple one. You would expect the Department of Human Services (DHS) to appreciate the free, public-minded penetration testing Cubrilovic provided, along with his detailed instructions on how to plug the hole quickly.

Not so. Rather than being grateful that a serious issue had been brought to its attention, the department's response was more of a “yawn, whatever”. The Government places data security well behind cost savings and convenience.

The myGov story gets better; that is, if you enjoy tales of one hand not knowing what the other is doing.

From this year, Australians wanting to file their tax returns online must use myGov accounts to do so.

In other words, not only can an increasing amount of sensitive personal information on millions of Australians be reached by hijacking a single login, but the government wants to widen that opportunity without first shoring up security.

This isn’t just any old worthless data, either. Damian Harvey, Australia-NZ country manager of encryption vendor Vormetric, reminded me that individual profiles containing official data sell for big dollars.

Last year, Dell SecureWorks dug up prices for packages with personal data such as bank accounts, social welfare registration numbers, credit cards and more, and found they go for as much as US$1200 to US$1300 each.

These packages of an individual's information are called “kitz”. Adding further credentials, such as health insurance information, turns the package into “fullz” and adds about US$500 to the price tag.

If it isn’t secure, myGov risks becoming a kitz bazaar for identity thieves, with millions of Australians’ sensitive information at risk.

Is the site secure, then? DHS say that myGov users “can be confident that their personal information and records are in very safe hands”.

In support of that claim, third-party security consultants audit myGov regularly. How, then, did they miss such a simple XSS flaw? Or, if they didn't miss it (and possibly others we don't know about), why wasn't it fixed?

The DHS assurance that the site is thoroughly tested and safe rings hollow. MyGov is not a new site; it has been available for several years. The flaws Cubrilovic found are basic and should not exist on a site built to hold citizen information securely. I wonder whether data has been leaked already.

As part of my research I searched the site for information on myGov's data security policy and testing practices. I experienced my own ghost in the machine when the site's JavaScript timed out and logged off yours truly. The trouble was that I had not logged in beforehand.

A B grade for the myGov site on the Qualys SSL Labs test does not inspire confidence either.

Furthermore, it’s inexplicable that two-factor authentication isn’t offered, at least as an option.

Sure, it’s a hassle for users, but it’s also a necessary backstop to catch the inevitable security design misses.

DHS needs to back up and start again with greater transparency on security if it is serious about its digital-by-default strategy.

MyGov is taxpayer funded and the public should know how it is secured. It really isn’t too much to ask.

Juha Saarinen
Juha Saarinen has been covering the technology sector since the mid-1990s for publications around the world. He has been writing for iTnews since 2010 and also contributes to the New Zealand Herald, the Guardian and Wired's Threat Level section. He is based in Auckland, New Zealand.