I didn’t get around to posting on the MyHealthRecord mess before the government retreated on the issue, but I just ran across this piece from 2017 which reminded me how insecure the system would have been.
Looking at the broader issue, it’s clear that the push from both governments and corporations to collect and sell our data is going to keep producing disasters unless things change. We need to address the issue comprehensively, starting from the premise that any transfer of individual information without explicit consent is, prima facie, unlawful, then adding in exceptions based on a clear public benefit test.
I have a piece in Crikey under the title ‘Our spy agencies know less about cybersecurity than the Daily Mail’.
The central point is that our leading cybersecurity agency, the Australian Signals Directorate, has just rolled out a policy requiring users of government agency websites to change their passwords every 90 days and to use composition rules based on a mix of alphanumeric and special characters. As even the Daily Mail has pointed out, these practices are thoroughly discredited, to the point where the expert responsible for them has publicly recanted.
Our spy agencies know less about cybersecurity than the Daily Mail
I recently had to log in to the website of an Australian government agency with which I deal from time to time. To my surprise, I was presented with a message saying that my password had expired and that, under a new security policy, passwords expire every 90 days and must contain a mixture of alphanumeric and special characters (this is called a composition rule).
You don’t need to be a cybersecurity expert to know that this is nonsense. Cartoons like xkcd have been mocking special-character passwords for years. As is well known, a long but easily memorable string of dictionary words like “thisgovernmenthasnochanceofwinning” is much harder to crack than a shorter p@ssw0rd123456 with obvious substitutions like @ for a (this password would meet the conditions I was asked to satisfy).
The problems of regularly changing passwords have regularly been discussed in the computer press. Back in April 2016, the US National Institute of Standards and Technology (NIST) came up with new guidelines responding to studies of how people actually use passwords. Among the most important guidelines were “No composition rules” and “No more expiration without reason.” To quote the Sophos security site: “The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.”
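As an added illustration (not part of the original article), the following Python script contrasts the legacy composition rule described above with a dictionary-aware estimate of guessing cost, and with a NIST 800-63B-style check that uses a minimum length plus a breached-password blocklist in place of composition rules or expiry. The toy wordlist, the assumed 20,000-word attacker dictionary, the leet-substitution table and the breached-password set are all constructed assumptions, and the attacker model is deliberately simplified: it treats a leet-substituted dictionary word with a numeric suffix as one dictionary choice, a handful of substitution flips and a few digits, which is roughly how cracking rule sets handle such passwords.

```python
import math
import re

# Constructed toy wordlist standing in for an attacker's dictionary. Only
# membership is checked against it; the assumed dictionary *size* drives the maths.
WORDLIST = {"this", "government", "has", "no", "chance", "of", "winning",
            "password", "correct", "horse", "battery", "staple"}
ASSUMED_DICT_SIZE = 20_000  # assumption: a realistic cracking wordlist

# Common "leet" substitutions a cracking rule set would try (constructed table).
LEET = {"@": "a", "0": "o", "3": "e", "1": "i", "$": "s", "7": "t", "!": "i"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")  # 32 printable ASCII specials

# Constructed stand-in for a breached-password list (NIST 800-63B recommends such a check).
BREACHED = {"password", "p@ssw0rd123456", "qwerty123", "letmein"}


def meets_composition_rule(pw: str) -> bool:
    """Legacy rule like the one in the article: letters, digits and a special character."""
    return (any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def nist_style_accept(pw: str) -> bool:
    """NIST 800-63B style: minimum length and not on a breached list; no composition rule."""
    return len(pw) >= 8 and pw.lower() not in BREACHED


def segment_words(s: str):
    """Split a lowercase string into dictionary words (fewest words), or None if impossible."""
    best = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in WORDLIST:
                cand = best[j] + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(s)]


def brute_force_bits(pw: str) -> float:
    """Naive estimate log2(alphabet^length): the figure composition rules try to inflate."""
    if not pw:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in SPECIALS for c in pw):
        alphabet += len(SPECIALS)
    return len(pw) * math.log2(alphabet)


def guess_bits(pw: str) -> float:
    """log2(expected guesses) under the simplified dictionary-aware attacker model (assumption)."""
    lower = pw.lower()
    words = segment_words(lower)
    if words:
        # Passphrase: each word is one independent choice from the dictionary.
        return len(words) * math.log2(ASSUMED_DICT_SIZE)
    base, digits = re.fullmatch(r"(.*?)(\d*)", lower).groups()
    deleet = "".join(LEET.get(c, c) for c in base)
    if deleet in WORDLIST:
        # One dictionary word, one flip per substitutable letter, and a numeric suffix.
        flips = sum(1 for c in deleet if c in LEET.values())
        return math.log2(ASSUMED_DICT_SIZE) + flips + len(digits) * math.log2(10)
    return brute_force_bits(pw)


if __name__ == "__main__":
    for pw in ("p@ssw0rd123456", "thisgovernmenthasnochanceofwinning"):
        print(f"{pw!r}: composition rule={meets_composition_rule(pw)}, "
              f"nist-style={nist_style_accept(pw)}, "
              f"naive={brute_force_bits(pw):.1f} bits, realistic={guess_bits(pw):.1f} bits")
```

Under this model the substituted password passes the composition rule while the passphrase fails it, yet the passphrase costs roughly 100 bits of guessing against about 38 for p@ssw0rd123456 (whose naive charset estimate of 85 bits is what the rule is implicitly rewarding). The NIST-style check gives the opposite, and correct, verdict.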
Anyone who paid attention knew all this years ago. But the coup de grâce came with the widely published admission, a week ago, by Bill Burr, the person who invented these rules, that they were wrong and made computers less secure. By this point even the readers of the Daily Mail are in on the joke.
I could deal with my own password problem easily enough. There are lots of apps on the market that manage passwords and generate them so as to satisfy even the silliest composition rules (I use 1Password). But lots of users don’t have these apps and will adopt insecure practices like writing down the password on a sticky label.
So, in the spirit of “if you see something, say something”, I wrote to the agency in question, advising that their security practices were out of date. I assumed that the policy had been imposed by a technologically illiterate senior manager and that a client complaint might lead to some action.
Imagine my surprise when the agency wrote back to inform me that they had no choice in the matter. The new (in)security policy had been imposed across the entire Australian government by our chief cyberintelligence agency, the Australian Signals Directorate (snappy slogan ‘Reveal their secrets, protect our own’).
In May 2016, shortly after the NIST repudiated password expiry and composition rules, the ASD came up with a 300-page Information Security Manual, including (on p. 193, for those interested) the requirements for 90-day expiry and a complex composition rule.
Given that ASD is our representative in the ‘Five Eyes’ Anglospheric intelligence agreement, I would have expected them to have access to the best available advice from the US. But apparently, they don’t even read the trade press.
I haven’t read the rest of the manual, and wouldn’t be qualified to assess it in any case. But if the agency responsible for our national cybersecurity is mandating policies that are too silly for the Daily Mail, it seems unlikely that we can place much faith in the advice our government is receiving on more significant issues like data retention and the exploitation of security vulnerabilities by intelligence agencies seeking to ‘reveal their secrets’.