A Hacker Tells Us How the Government Could Have Prevented the Census Site Crash

The Australian Bureau of Statistics pulled their site after several Denial of Service attacks overloaded the system. This was avoidable.
August 10, 2016, 12:00am

Still from an informative YouTube tutorial titled "How to be a Computer Hacker"

The tinfoil-hat-wearing truthers who warned us all to boycott the online Census are probably feeling pretty smug today. Last night, multiple hackers attacked the supposedly secure Census website and forced it offline before most Australians could complete their forms.

It would appear that the Australian Bureau of Statistics (ABS) pulled the site offline after several attempted Denial of Service attacks completely overloaded the system. The ABS' head statistician David Kalisch has blamed overseas hackers, while Michael McCormack—the Federal MP in charge of the Census—has denied the attacks happened at all, saying that the online Census system was simply overwhelmed by the number of users and forced to shut down.

Whatever actually happened, we can all agree that Census 2016 was a bit of a flop. To get a better idea about where the ABS went wrong, VICE spoke to Gordon Maddern, chief technology officer at Melbourne's Pure Hacking agency.

VICE: Hi Gordon. Let's start with the denial of service attack. What does that mean?
Gordon Maddern: That's where a lot of remote computers form what's called a Botnet and all try to connect at once. Basically [they] try to take a service offline because it can't handle the load and it's too hard to tell legitimate traffic from malicious traffic.

Why would someone use a DDoS to hack the Census website in the first place?
Well, don't think of it as a hack. It's not a hack to try and obtain the data, it's an attack to try and embarrass the government and make them look bad. They boasted a bit about how they weren't vulnerable to attack and kind of put the bull's eye on themselves. That's probably all it was. A handful of people trying to take them offline to basically prove them wrong.

Some people are saying this wasn't a DDoS attack because it didn't show up on the DDoS digital attack map.
I wouldn't actually rely on that map. They say themselves on there that it's impossible to map all of these attacks because of their changing nature. It's an incomplete picture.

Who were these attackers? Is it, as the ABS says, likely they were from overseas?
Interestingly, a lot of people trying to complete the Census online last night who had VPNs were unable to access the site. Which indicates they'd locked the site down so only Australians could use it. Which… for them to say hackers from overseas, that would mean hackers would have had to control a Botnet inside of Australia to coordinate the attack of the network. Which would be difficult, so that's something to take into account.

How common are cyber attacks on government departments?
Very common. A good recent example is the attacks on the Iranian government. DDoS attacks are also a tool that's used by Anonymous quite a lot. Sony has been DDoS'd several times, the entire PlayStation network has been taken offline several times.

There are so many websites that we entrust our personal information—banks, online shops. They seem safe. How preventable are these kinds of attacks?
Oh, they're preventable. Lots of companies offer DDoS protection. Basically you just have to pay for their services.

So all the ABS needed to do was put more money into protecting the website?
Yes, this should have been done in the planning phase. The project manager should have realised DDoS protection was a requirement. What I think may have happened is there was some confusion between load testing and DDoS testing. I've seen that they did conduct load testing via a company called Revolution IT, who probably did load testing but not DDoS testing. The project managers might have had some confusion about what the difference is.

So load testing is testing how many people the website can handle at once?
Yes, and making sure it's still useable. If it's taking users too long to load their answers into the form then that's a problem. So they would need to add more CPU and memory to make sure people's responses were coming back in only a few seconds. Whereas DDoS testing is for pure junk traffic, it's different.

It's bizarre because they justified the switch to online forms from paper forms as a money saving measure, but they should really have been spending as much money on cyber security as they could.
Yeah that's right, they simply have to pay for these services.

Follow Kat on Twitter.