Australia's Department of Foreign Affairs and Trade has upgraded end-of-life infrastructure supporting the nation’s Passports website in response to scrutiny of the agency's exposure to IT security risks.
DFAT upgraded its Passports web server from Windows 2003 to the open source Nginx web server within months of a freedom of information request made by the Pirate Party earlier in the year, and shortly after questions from Tasmanian Greens Senator Peter Whish-Wilson in the Senate late last month.
The server had previously been awarded an ‘F’ rating on Qualys’ on-demand SSL Labs service, owing to its use of the weak SSLv2 protocol and the ageing Microsoft Internet Information Services 6.0 web server, both of which came standard with Windows Server 2003 upon its release.
As of the start of 2014, DFAT was consequently failing to meet one of the security controls in the Australian Signals Directorate’s Information Security Manual, which requires government agencies to use SSLv3 or higher.
Windows 2003 reached end of mainstream support in April this year, after which time those organisations stuck on the server could choose to pay hefty prices for extended support from Microsoft or leave it unsupported. The department declined to comment on whether it took up the paid option.
DFAT had upgraded to a more modern version of SSL (SSLv3) in January 2014, but continued to run the old Transport Layer Security (TLS) 1.0 protocol, which had since been superseded twice, by TLS 1.1 in 2006 and TLS 1.2 in 2008, on the end-of-support server.
The department chose to mitigate these concerns by upgrading to the open source Nginx web server earlier this year, only to run into fresh issues - it quickly encountered the new OpenSSL CCS vulnerability once the server went live.
The flaw - revealed earlier this month - opens the door for man-in-the-middle attacks against encrypted connections.
The department patched the vulnerability on Monday this week, according to the Qualys SSL web application auditing tool.
DFAT said in a statement it follows the standards set by the Australian Government Information Security Manual, but declined to comment further.
No routine security checks
The agency was also taken to task in parliament over its approach to penetration testing and security auditing.
Attorney-General George Brandis revealed during questions on notice last week that these activities were only performed when launching a new website or migrating to a new platform.
Brandis claimed that no DFAT-managed websites had failed to meet ASD standards in the last five years, nor had any been compromised.
“DFAT websites are protected by Australian Signals Directorate evaluated products, continuously monitored, patched regularly to remediate vulnerabilities and strictly controlled by the change process,” he said.
“The last penetration test conducted was for the Ministers’ websites. This occurred in February 2014. Departmental web site penetration testing was conducted in late 2013. Government standards were met.”
Brandis said website monitoring was conducted continually through intrusion protection systems, and that DFAT had processes in place that include notifying stakeholders and rebuilding websites from the ground up in cases of compromise.