Patrick Gray is an IT security journalist who runs the website Risky Business, which features regular podcasts on the issues around cyber security.
Since the Australian Census failure on Tuesday night, he’s been busy on Twitter offering insight and insider details on what went wrong, revealing that the Australian Bureau of Statistics (ABS) and IBM, who set up the census website, initially knocked back an offer from a third party provider for geo-blocking, which would have dealt with the Distributed Denial of Service (DDoS) that led ABS officials to shut down the site on Tuesday night.
Gray put together a timeline on what he’s learnt from trusted sources about the issue, which has prime minister Malcolm Turnbull saying he’s “very angry about this” and “bitterly disappointed”, declaring “heads will roll”.
In a post titled “What I’ve been told about #censusfail”, Gray writes “Their plan was to just ask NextGen to geoblock all traffic outside of Australia in the event of an attack”.
He continues: “Unfortunately another attack hit them from inside Australia. This was a straight up DNS [Domain Name System] reflection attack with a bit of ICMP [Internet Control Message Protocol] thrown in for good measure. It filled up their firewall’s state tables. Their solution was to reboot their firewall, which was operating in a pair.”
But the problem was that they hadn’t synced the ruleset, which meant the two firewalls were not operating under the same filters to keep out the bad guys. Gray says it made the second firewall “a very expensive paperweight”, which led to the short in the router.
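The failure Gray describes has two parts a defender can watch for: a flood of DNS responses the network never asked for (the reflection traffic), and a firewall state table filling up under that flood. The following is an added example, not code from the article or from ABS, IBM or NextGen, that runs a simple version of both checks over constructed flow records; the `Flow` record layout, the addresses, the state-table capacity and the alert thresholds are all assumptions chosen for the illustration.

```python
"""
Detect a DNS reflection flood and estimate firewall state-table pressure
from flow records (added example; all data below is constructed).

In a DNS reflection attack, queries are sent to resolvers with the victim's
address forged as the source, so the victim receives large DNS responses it
never asked for. A stateful firewall that tracks every inbound packet can
then run out of state-table entries, which is the failure mode described
in the article.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "udp" or "icmp"
    direction: str   # "in" or "out", relative to the protected network
    nbytes: int


def build_sample_flows():
    """Constructed sample: one legitimate query/response pair, then a burst of
    unsolicited DNS responses aimed at one host, plus some inbound ICMP."""
    flows = [
        # Legitimate lookup: our client asks a resolver and gets an answer back.
        Flow(0.00, "10.0.0.5", 40000, "8.8.8.8", 53, "udp", "out", 70),
        Flow(0.05, "8.8.8.8", 53, "10.0.0.5", 40000, "udp", "in", 120),
    ]
    # Reflection traffic: 300 large DNS responses from many resolvers, each to a
    # different destination port, with no matching outbound query.
    for i in range(300):
        flows.append(Flow(1.0 + i * 0.001, f"198.51.100.{i % 250 + 1}", 53,
                          "203.0.113.10", 1024 + i, "udp", "in", 3000))
    # "A bit of ICMP thrown in": 20 inbound echo requests from distinct sources.
    for i in range(20):
        flows.append(Flow(1.0 + i * 0.01, f"192.0.2.{i + 1}", 0,
                          "203.0.113.10", 0, "icmp", "in", 64))
    return flows


SAMPLE_FLOWS = build_sample_flows()


def unsolicited_dns_responses(flows, window=2.0):
    """Count, per destination host, inbound UDP/53 responses that have no
    matching outbound query (same host pair, same client port) within the
    preceding `window` seconds. Legitimate answers always have one."""
    queries = defaultdict(list)  # (client, resolver, client_port) -> [ts, ...]
    for f in flows:
        if f.direction == "out" and f.proto == "udp" and f.dport == 53:
            queries[(f.src, f.dst, f.sport)].append(f.ts)
    unsolicited = defaultdict(int)
    for f in flows:
        if f.direction == "in" and f.proto == "udp" and f.sport == 53:
            key = (f.dst, f.src, f.dport)
            if not any(f.ts - window <= q <= f.ts for q in queries.get(key, [])):
                unsolicited[f.dst] += 1
    return dict(unsolicited)


def state_table_pressure(flows, capacity):
    """Distinct 5-tuples a stateful firewall would have to track, and the
    fraction of an assumed table capacity they would consume."""
    tuples = {(f.src, f.sport, f.dst, f.dport, f.proto) for f in flows}
    return len(tuples), len(tuples) / capacity


def assess(flows, capacity, reflection_threshold=100, pressure_threshold=0.8):
    """Return a list of alert strings for the given flows."""
    alerts = []
    for dst, count in unsolicited_dns_responses(flows).items():
        if count >= reflection_threshold:
            alerts.append(f"dns-reflection target={dst} unsolicited_responses={count}")
    entries, frac = state_table_pressure(flows, capacity)
    if frac >= pressure_threshold:
        alerts.append(f"state-table-pressure entries={entries} capacity={capacity}")
    return alerts


if __name__ == "__main__":
    for line in assess(SAMPLE_FLOWS, capacity=400):
        print(line)
```

The reflection check keys on the fact that a real DNS answer always follows a query from the same client port; responses with no such query are the amplified traffic a resolver was tricked into sending. The pressure check is the reason a geo-block alone would not have saved the day against an in-country source: whatever its origin, every distinct inbound tuple costs a state entry until the table is full.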
When IBM’s monitoring systems sounded false alarms, the ABS worried that the DDoS was simply a distraction for someone attempting to hack into the system.
And that’s why “they pulled the pin and ASD [Australian Signals Directorate] was called in”.
The website went back online yesterday afternoon, 43 hours after it was taken down, so Australians can complete the census.
Yesterday, ABS chief statistician David Kalisch apologised for what happened, reading from a prepared statement, but refused to take any questions.
And IBM issued the following statement:
We genuinely regret the inconvenience that has occurred. We want to thank the ABS, the Australian Signals Directorate and Alastair MacGibbon for their continued support.
IBM’s priority over the last two days was to work with the ABS to restore the Census site. We are committed to our role in the delivery of this project. Continuing to maintain the privacy and security of personal information is paramount.
The Australian Signals Directorate has confirmed no data was compromised. Our cyber-security experts are partnering with national intelligence agencies to ensure the ongoing integrity of the site.
Here’s Gray’s post in a tweet.
— Patrick Gray (@riskybusiness) August 11, 2016