Slashdot Mirror


Australian Census Website Shut Down On Census Night After 4 DDoS Attacks (smh.com.au)

Heart44 writes: News sites are reporting that the Australian census website has been shut down until further notice. This happened on census night, Tuesday (Australian time), August 9th, 2016. This is the first attempt at an online census where [the internet] is the default data collection method. You had to call an often busy number to get a paper form. This is on top of a long running controversy that the Australian Bureau of Statistics will keep the names and addresses of everyone for five years. I presume more useful links will appear over time. "The site was targeted by four denial of service (DoS) attacks," chief statistician David Kalisch told ABC radio. The Sydney Morning Herald reports: "The first three caused minor disruptions and did not stop more than two million census forms from being 'successfully submitted and safely stored,' he said. But the site was shut down after a 'gap' in the system's security measures was found during a fourth attack (AEST), Mr Kalisch said. 'After the fourth attack, which took place just after 7:30pm [on Tuesday AEST], the ABS took the precaution of closing down the system to ensure the integrity of the data,' Mr Kalisch said. 'I can certainly reassure Australians the data they provided is safe,' he said."

UPDATE 8/09/16: Many reports are contradicting Kalisch's claim that the website was shut down from DDoS attacks. User @mhackling on Twitter tweeted a screenshot of Digital Attack Map showing "nothing unusual DDoS wise for Australia and yesterday."


  1. Yeaaaaaaa by Anonymous Coward · · Score: 5, Funny

    'I can certainly reassure Australians the data they provided is safe'

    If you believe that I have some ocean front property in Alice Springs I will sell you...

    1. Re:Yeaaaaaaa by donaldm · · Score: 3, Insightful

      A DDOS attack does nothing to attack the integrity or security of the data. The success of a DDOS attack only indirectly calls data safety into question - if they were not able to defend against DDOS, perhaps they're also not good enough to maintain security.

      As an aside, I'm currently living in Australia, and the site worked fine for me at about 6pm.

      What you said is certainly true. I tried at about 7:45 PM and from then on every 30 minutes and eventually I just gave up since the site was so busy or under DDOS attacks.

      What would be interesting (ABS take note) is how many of those DDOS slave machines were running a version of Microsoft Windows and which version was the most compromised. I am sure we could think of a few more statistics to highlight but unfortunately, most people won't learn.

      As for security: if people have installed (err! updated) or purchased a PC with Windows 10, and by default Windows 10 has telemetry including a keystroke logger, then those people have effectively given Microsoft all their information. What about Google Chrome? Well, it does like to collect information if you let it (it's pretty easy to turn off); however it does not log your keystrokes, and if you are worried about it then use a web browser that is reasonably secure.

      For those people who used the Edge browser to fill out the Census. Sigh!

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
  2. Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 5, Insightful

    Never assume malice when stupidity will suffice.

    At this stage all reports indicate that the ABS cocked things up big time. The DDoS angle seems to be furious spin doctoring.

    1. Re:Never assume malice when stupidity will suffice by Heart44 · · Score: 4, Informative

      Yes, this link does not show any large DDoS attacks on Australia or in Australia. Interesting to look at what China is doing to Saudi Arabia at the moment.

    2. Re:Never assume malice when stupidity will suffice by bloodhawk · · Score: 3, Insightful

      It is pretty bad spin doctoring. They have just been ranting for the last week on how good the security measures implemented for the census are, either they were too stupid to put in mitigations for the most obvious and likely attack vector (DDoS) or their countermeasures were inadequate or they are lying to cover up for other security flaws or incompetence. None of those options inspire confidence, especially given the previous week of boasting that those that did not want to trust the site with information were just conspiracy nuts. Personally I took the risk of putting in fake names and DOB and dodgy address, I know that in theory makes me potentially liable for a large fine, but a fine can easily be fought or paid, identity theft because the morons at the ABS can't do security is much harder and more expensive to rectify.

    3. Re:Never assume malice when stupidity will suffice by donaldm · · Score: 2

      Personally I took the risk of putting in fake names and DOB and dodgy address, I know that in theory makes me potentially liable for a large fine, but a fine can easily be fought or paid, identity theft because the morons at the ABS can't do security is much harder and more expensive to rectify.

      Oh! Really clever, aren't you.

      When you get the ABS letter for your address it has a unique number on it which makes it incredibly easy to know which address that number is from. So putting in a bogus address is sure to raise a huge red flag and a please explain from the Government.

      If you think all the people in the ABS are morons then think again. Some have Master's degrees and PhDs in Mathematics and Statistics as well as computer science, so it would be very easy to track you down. Let's put it this way: "Did you fill out the census from your home or mobile?" You did? Well, say hello to a fine.

      Personally, I am still trying to get onto the census website since it is so busy, and when I do I will be doing the census from a Linux operating system using a more trusted web browser such as QupZilla (comes standard with Fedora 24). If you have done the Census from Windows 10 using the Edge browser, congratulations, you have just given a foreign country your information even though some of it may be fraudulent.

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    4. Re:Never assume malice when stupidity will suffice by Capsaicin · · Score: 2

      The link you provided also states that the AGS and Bureau disagree with his conclusion; I would not put faith in what a statistician says on legal matters over what the lawyers are saying.

      I agree. That is why I wrote "there is an argument." Moreover the argument, to wit, that a name is not 'statistical information' for the purposes of ss8,9 & 12 of the Act (if I understand Mr McLennan) is not hopeless IMO. Which is far from saying it would prevail.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
  3. credit card by Smiddi · · Score: 2

    I got stuck at the "Please enter your credit card details" question.

  4. Re:How can you tell? by Smiddi · · Score: 4, Insightful

    It's better politically to blame "overseas hackers" than admit they screwed up.

  5. Re:How can you tell? by PPH · · Score: 3, Funny

    Four million people?!! Crikey! We didn't know there were that many. I guess we should have counted them or something.

    --
    Have gnu, will travel.
  6. IBM wins $9.6m to host eCensus in 2016 by Lefty2446 · · Score: 5, Informative

    http://www.itnews.com.au/news/...

    ABS ditches in-house plans in favour of outsourcing.
    The Australian Bureau of Statistics has opted not to build its own private cloud to host the 2016 eCensus, instead awarding a $9.6 million outsourcing contract to existing partner IBM.

    Australia’s national statistics agency first offered Australians the option to avoid completing the Census via its traditional paper-based form with a web-based eCensus in 2006.

    It partnered with IBM in a $9 million deal in 2005 to develop and support the web-based eCensus application - which is hosted on IBM’s AIX operating system and a WebSphere application server, out of the company's Baulkham Hills, Sydney data centre.

    But the agency later virtualised its server infrastructure (with VMware’s vSphere) to create its own private cloud with the intention of hosting the 2016 eCensus.

    Running the Census in-house would help address security perceptions arising from the data being handled from a third-party, the ABS said at the time. It said it also made sense to outsource the project to a third-party rather than deal with the one-off high traffic spike internally.

    The agency became 95 percent virtualised after cutting 300 physical servers to 70, which hosted 1500 virtual machines.

    But the Bureau of Statistics today confirmed it had decided to once again partner with IBM for hosting of the 2016 eCensus in order to ensure the expected high volumes would be properly managed.

    The ABS expects the percentage of Australians completing the census online to double in 2016, forecasting a 65 percent take-up compared to 33 percent in 2011. For the first year of the eCensus, 10 percent of Australians submitted their form online.

    “The ABS virtualisation project was successfully completed providing a very efficient platform for ongoing ABS operations, including supporting a number of components of the digital Census in 2016,” a spokesperson said.

    “However, due to the peak volume of the online form during Census 2016 it was decided that contracting IBM would provide the best value for money and management of operational risk.”

    Duncan Young, head of the 2016 Census within the ABS, said IBM had been contracted through a limited tender after proving it could offer the best value for money.

    “This contract capitalises on the investment in the existing online Census system,” Young said in a statement to iTnews.

    “Our existing solution has shown itself to be robust, and can be expanded to manage increased volumes. Using a known platform will reduce the risk of costly development and integration issues.”

    The IBM contract will expire in October 2016.

  7. Re:Canada Australia by c-A-d · · Score: 4, Funny

    I got to do the damned thing twice this year. Once because they thought my PO Box was an apartment. Another because they sent one directly to my home. I filled out both truthfully and marked "0" as the number of residents at my PO Box. The other, I filled out with less than clear answers.

    --
    some karma... and kinda lukewarm about it.
  8. Re:The DDOS attack was conducted by... by xxxJonBoyxxx · · Score: 2

    Whad'ya expect from an island of criminals and reprobates?

  9. Re:Lie down with pigs..... by dwywit · · Score: 2

    To be fair to IBM, Qld Health signed off every stage of the project, and:

    http://www.abc.net.au/news/201...

    It was mostly the fault of the senior public servants involved.

    My involvement with IBM in Queensland in the mid-to-late 1980s and early 90s taught me a few things:

    1. IBM solutions cost a lot more than other peoples' solutions
    2. IBM at its best was a thoroughly professional and competent group of people
    3. IBM at its worst is still expensive

    --
    They sentenced me to twenty years of boredom
  10. Not hacked. Just bad capacity planning by Neo-Rio-101 · · Score: 4, Insightful

    http://www.abc.net.au/news/201...

    Now they are saying it's not been attacked from overseas.

    How hard would it have been to "do a Netflix" and block IP addresses based on location anyway? That would at least stem the number of foreign intelligence services trying to hack the website, which contains information on Australian citizens.

    I read that they tested the system to 150% capacity, where 100% capacity was estimated to be 1 million forms processed per hour.

    http://www.abc.net.au/news/201...

    That estimate was a gross underestimation of the number of sessions needed to handle an estimated 16 million households, all of whom most likely would have logged in during a 4-6 hour period in the evening. You don't have to be a rocket scientist to calculate that the system didn't have the capacity to deal with this spike in traffic.

    The capacity should have been somewhere in the ballpark of 5-10 million forms processed per hour, or more.
    Couldn't have been cheap to have load balancers maxed out trying to maintain that many accelerated SSL sessions.... but there you go.

    --
    READY.
    PRINT ""+-0
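The capacity argument in the comment above, worked through as an added example (not from the article or any commenter): it takes the figures quoted in the thread (16 million households, a 4-6 hour evening window, a load test at 150% of 1 million forms/hour) and compares required throughput with tested throughput, then applies Little's law to estimate how many sessions the front end must hold open at once. The 20-minute session length, the 100% peak share and all function names are assumptions.

```python
# Added example: capacity sanity check for a one-night submission spike.
# Inputs are the figures quoted in the thread; session length and peak
# share are assumptions made for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class SpikeModel:
    households: int               # forms expected in total
    window_hours: float           # length of the evening rush
    peak_share: float             # fraction of all forms arriving in the window
    tested_forms_per_hour: float  # throughput the load test demonstrated

    def required_forms_per_hour(self) -> float:
        """Average throughput needed to absorb the rush without queueing."""
        return self.households * self.peak_share / self.window_hours

    def headroom(self) -> float:
        """Tested capacity over required capacity; below 1.0 the test was too small."""
        return self.tested_forms_per_hour / self.required_forms_per_hour()

    def shortfall_forms(self) -> float:
        """Forms arriving in the window that tested capacity cannot serve in time."""
        served = self.tested_forms_per_hour * self.window_hours
        return max(0.0, self.households * self.peak_share - served)


def concurrent_sessions(forms_per_hour: float, session_minutes: float) -> float:
    """Little's law (L = lambda * W): sessions open at once, which is what
    sizes load balancers and TLS session state rather than raw forms/hour."""
    return forms_per_hour * session_minutes / 60.0


def census_night_check(window_hours: float) -> dict:
    """Evaluate the quoted census-night figures for one window length."""
    model = SpikeModel(households=16_000_000, window_hours=window_hours,
                       peak_share=1.0,  # assumed: everyone submits in the window
                       tested_forms_per_hour=1_500_000)  # 150% of 1M/hour
    need = model.required_forms_per_hour()
    return {
        "required_per_hour": need,
        "headroom": model.headroom(),
        "shortfall_forms": model.shortfall_forms(),
        # assumed: a household takes about 20 minutes to complete the form
        "concurrent_sessions": concurrent_sessions(need, session_minutes=20),
    }


if __name__ == "__main__":
    for hours in (4, 6):
        print(f"{hours}h window:", census_night_check(hours))
```

With a 4-hour window the tested 1.5 million forms/hour covers only 37.5% of the required rate and leaves roughly 10 million forms unserved in the window; the Little's-law estimate of over a million simultaneous sessions is the figure that matters for the load balancers the commenter mentions.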
  11. Re:How can you tell? by Neo-Rio-101 · · Score: 3, Insightful

    It's better politically to blame "overseas hackers" than admit they screwed up.

    but even that is a crappy excuse.

    There's no reason at all for the rest of the internet outside of Australia to even have access to the Census website.
    They could have at least geo-blocked any IP address originating from outside Australia.
    Such a simple solution to that problem, that *not* doing it makes them look incompetent.

    --
    READY.
    PRINT ""+-0
  12. Re: Never assume malice when stupidity will suffic by sexconker · · Score: 2

    For those who don't know the rest: IBM farmed out all labor to the 3rd world and the product was delivered in a busted, useless state.

  13. Re:How can you tell? by Barny · · Score: 2

    "Black Friday Online"?

    You want to burn half of Victoria, virtually?

    --
    ...
    /me sighs
  14. Basic Electoral Fraud by rsborg · · Score: 2

    Never assume malice when stupidity will suffice.

    At this stage all reports indicate that the ABS cocked things up big time. The DDoS angle seems to be furious spin doctoring.

    Basic Electoral fraud starts with gerrymandering - an input of which requires census data to be amenable to the district hacking.

    --
    Make sure everyone's vote counts: Verified Voting