As you may have heard, the Census website has had a bit of a technical issue. The official report from the Australian Bureau of Statistics went from "overseas hackers" to a series of DDoS attacks (with some pinpointed to the US) made possible thanks to a geo-blocking failure and finally an overworked router calling it quits — all leading to the decision to shut down the site on Census night.
This all of course raised questions about the security of the 2.3 million Census forms already completed online, prompting assurances from the ABS that the data is as safe as it would have been if the DDoS events hadn't occurred. But what is happening now? Is the site back up? Should we still be doing our Census online? And what does the PM have to say? (Hint: He's mad).
Update: At 6:03 PM, IBM Australia issued a statement.
We genuinely regret the inconvenience that has occurred. We want to thank the ABS, the Australian Signals Directorate and Alastair MacGibbon for their continued support. IBM's priority over the last two days was to work with the ABS to restore the Census site. We are committed to our role in the delivery of this project.
Continuing to maintain the privacy and security of personal information is paramount. The Australian Signals Directorate has confirmed no data was compromised. Our cyber-security experts are partnering with national intelligence agencies to ensure the ongoing integrity of the site.
When Will The Census Be Back Online?
Update: As of 2:30pm, the site was back up. As of 10:00pm, it's back down again. The latest updates from the ABS still speak of the site being available.
"The secure online Census form was put back up at 2.30 pm, Thursday 11th August, following advice from the Australian Signals Directorate," a statement on the Census website reads.
"The ABS again apologises for the inconvenience and thanks everyone affected for their patience and helping shape Australia's future".
The Census website is now available. Thanks for your patience. We apologise for the inconvenience. https://t.co/j03F1bkPGl
— Census Australia (@ABSCensus) August 11, 2016
Last night's update stated the ABS would continue to work with Australian Signals Directorate "and our providers" to get the online Census form back up "as soon as possible." It took a total of just under 44 hours to get it back up again.
"We'd like to again apologise that the online form is still not available, and reassure the Australian public that their privacy is our highest priority," the statement read.
What Is The ABS Saying Happened?
An update from ABS at 3:15pm yesterday explained a little more as to what actually happened, calling the DDoS "attacks" an "attempt to frustrate", and reiterating that Census security was not compromised and no data was lost.
"The events varied in nature and severity," the ABS says, which led it to adopt a "very cautious approach" in relation to the 2016 Census online form, i.e. shutting the whole thing down.
There were three DDoS "incidents" during the day, which were expected by most security experts and by the ABS itself, it says.
"The ABS was expecting denial of service incidents and the protective measures in place managed the first three attempts with only very minor service disruptions," says the ABS.
Commonwealth intelligence agency the Australian Signals Directorate (ASD) was notified by the ABS of the DDoS "incidents" and use of the site continued, gaining users until it was receiving 150 forms per second by 7:30pm. The site had been load tested to receive almost one million forms an hour. Ironically, we won't know the exact population of Australia until the Census is completed, but best estimates put the number of households at well above this.
Then it all went down. A fourth DDoS attack occurred, as did a large increase in traffic to the website with "thousands of Australians" logging on to complete their Census; the router cracked it and a false alarm in some of the system monitoring information sounded.
"The ABS applied an abundance of caution and took the precaution of closing down the online Census form to safeguard and to protect data already submitted," says the ABS, saying it was to "protect the system from further incidents, and minimise disruption on the Australian public of an unreliable service".
The ABS says "Had these events occurred in isolation, the online system would have been maintained".
After the whole thing is over, the Government's Cyber Security Adviser, Alastair MacGibbon, will hold a review into the events.
What Does The Prime Minister Say?
Prime Minister Malcolm Turnbull is not happy, Jan. He has gone full angry Dad at the ABS, saying the Census has been a failure, we all saw this coming, and the department should have been better prepared.
"I too am very angry about this, I am bitterly disappointed about this," Mr Turnbull said. "This has clearly been a failure on the part of the ABS. Absolutely a failure on the part of the ABS."
Turnbull was also quick to point the finger at IBM, which was responsible for hosting and managing the Census website. The firm was paid $10 million for the gig.
"The denial of service attacks were completely predictable and should have been repelled readily. They weren't because of failures in the system that had been put in place for ABS by IBM," Mr Turnbull said.
"There is no doubt there were failures in the system's preparation for an entirely predictable denial of service attack. Measures that ought to have been in place to prevent these denial of service attacks were not put in place."
Turnbull has promised that "heads will roll" for the debacle. "My prediction is that there will be some very serious consequences for this," he stated, which may have ABS head David Kalisch, on his $700,000 salary, a little concerned.
What Does The Australian Privacy Commissioner Say?
Yesterday Acting Australian Privacy Commissioner Timothy Pilgrim initiated an investigation into the Census website, and today at 2:44pm he released a statement with an update.
"My priority in doing so was to ensure that no personal information had been compromised," Pilgrim says. "My staff and I have been in regular contact with the Australian Bureau of Statistics (ABS), and I have received a briefing directly from the Australian Signals Directorate (ASD) — the Commonwealth's pre-eminent cyber-security analysts".
"ASD advised me that the incident was a denial of service attack and did not result in any unauthorised access to, or extraction of, any personal information and, on the information provided to me by ASD, I am satisfied that personal information was not inappropriately accessed, lost or mishandled," says Pilgrim.
He calls the ABS's decision to shut down the website — to avoid any prospect that the DDoS attack could include or otherwise facilitate a data breach — "a pro-privacy precaution" given the circumstances.
Pilgrim says he has discussed with Mr MacGibbon how to work together as part of the PM's review.
"My Office will also continue to work with the ABS to ensure they are continuing to take appropriate steps to protect the personal information collected through the Census," he concludes.
Any Other Theories?
Well, there's this from infosec expert Patrick Gray:
So here's a screengrab of my #CensusFail post that you barbarians are all trying to download. pic.twitter.com/XU04S91oyE
— Patrick Gray (@riskybusiness) August 11, 2016
So What Do We Do Now?
You do have to complete the Census, or you'll risk fines of up to $180 per day. That being said, there's plenty of time to get it done.
"We ask Australians to complete their forms as soon as possible," the ABS says. "Fines will not be imposed for completing the Census after Census night".
You've actually got until 23 September.
If you haven't completed your Census form you will start receiving reminders from next week. Census Field Officers will start visiting homes that haven't participated in the Census from this weekend to ensure everyone can take part.
If you haven't received your Census materials, the ABS says to wait until the end of the week and then contact the Census Inquiry Service on 1300 214 531 (the line is expected to be pretty busy, so make yourself a cuppa before you call). You can also order a paper form by calling 1300 820 275.
Comments
No claim of responsibility on the DDoS after 40 hours makes it less likely it was organised hacktivists.
Why was the Chief Minister for the ABS, as representative of the dept, the cabinet and the Australian people at home on the biggest night for the ABS? 1 night in 5 years event of critical importance to the whole of government, mandated compulsory participation for all citizens and no Federal representative was at ABS headquarters... instead they were playing phone tag and leaving voice mails 2 hours after the #$/^ hit the fan.
Since QLD has already banned IBM from state gov contracts after the health payroll fiasco... will IBM ever work for any fed/state government dept again?
Well, that's gonna work well for them. Utter chumps. To have a system that's clearly unable to cope with anticipated load and then continue to self-promote their own DDoS is unbelievable.
Stagger it for your own sake!
I'm sure someone here will know but why is it taking 2 days to get the site back up after a DDoS? I assumed this kind of thing could be fixed in a matter of hours for something with a high priority.
Most likely it's still down for the investigation by the ASD. They would likely have to comb through system logs to find what they need, and having the system up would likely make that more difficult than it needs to be as logs continue to be written. Also, they could be covering up a much more serious deficit in their systems that they can't risk exposing to the internet again, so keep the system offline.
Thanks for the explanation. I thought it might have been more along the lines of them actually being hacked and that taking more time to deal with.
It might have been a 'real hack' to retrieve data but it just doesn't make sense... if a group wanted to get maximum bang for their buck wouldn't they wait until everyone completed the census and get up to ten times more? DDoS makes a lot of sense and I'm not the least bit surprised it happened... but maybe that's what they want you to think *tinfoil hat time*
There was zero DDoS protection there. They need to add that in.
Well since it was inconceivable it was going to fail and run smoothly on the night... there was no need for a restoration plan. That's just govt efficiency.
Yeah, that point is already addressed in the article... I'd suggest reading it.
I think we all know that one or more of several outcomes is the most likely.
- Either big blue provisioned with the bare minimum of resources despite being paid megabucks, and was overwhelmed when the system came under use. I'd expect they have an iron-clad contract, so no blow-back for them.
- The system was completely 0wned, and the reason why it's not back up again is because they're trying to work out how badly 0wned they were. Again - probably an iron-clad contract, so no blow-back for big blue.
There's a reason why the data breach legislation has been delayed, and it's not good.
As someone who has worked with federal government, I can almost guarantee it was a public servant who made the call against the recommendation of IBM.
That's the thing about the public service, they know they have no accountability so any corner they can cut, they will. You hire contractors so that they can agree with you, not provide actual industry expertise.
When you put the whole country under (a perceived) threat of a $180 fine per day for not filling out the census (most didn't know you had until the end of September), and in 2006 there were a total of 7.8 million households and the system was designed to handle 1 million requests per hour, it doesn't take a rocket scientist to work out this was a DDOS that the ABS initiated themselves...
Update: As of 2:55pm, the site is back up.
An hour later, it is down again.
It seems the much used google DNS server 8.8.8.8 now doesn't point to the correct IP...
Yeah, like I'm going to trust them with my details!
I'll be waiting until the absolute last minute, so every possible crack has been ironed out. Then filling in what I think is appropriate based on the way they handle the aftermath of this. (If they can't admit and show they've rectified their issues, and further prove the information is safe, they'll get no identifying information from me)
Bollocks Mr Turnbull.
This is a protest attack.
I think the Census site crash/DDOS attack is due to someone in Australia doing, as has been pointed out elsewhere, denial of service attacks through foreign servers, probably motivated with regard to the contentious data-linking issue that the ABS/Govt is carrying out.
http://www.salingerprivacy.com.au/2016/03/17/census-no-longer-anonymous/
Government is blaming the ABS of course.
Turnbulls noise is just a distraction.
I bet data has been leaked and they are now in damage control.
But it's probably just AUS GOV "efficiency"
No foreign DDoS traffic was recorded coming in to Australia so it was simply not enough capacity for the service to handle solely Australian traffic. If the service was actually 0wned then it's mind-bogglingly pathetic.
What I am more astonished about is how the head of the ABS has a 700k salary...
I bet most of the "overseas" IPs they recorded are just Aussies with VPNs.
I just did mine, it was v easy.
nyah nyah...
I reckon we should all wait for the last possible minute on the 23rd and cause another DoS. Now that would be funny.
Request a paper form and fill it out on the last day.
They stuff us around we can stuff them around too.
ecensus supposed to save millions, I wonder how many millions would have been saved if they just stuck with the paper census?
sadly, who really expects any better performance from government departments.
Here's the series of events gathered by infosec journalist Patrick Gray.
https://twitter.com/riskybusiness/status/763605906047107073
We also included this in our story from when the site went down again: http://www.gizmodo.com.au/2016/08/the-australian-census-website-is-down-again/
http://www.news.com.au/technology/online/hacking/what-does-this-digital-attack-map-tell-us-about-the-alleged-census-attack/news-story/2c06914dec07beca6079801634b99a58
What does this digital attack map tell us about the alleged Census attack?
However, a tool devised by Google Ideas and cyber security company Arbor Networks to track DDoS attacks around the world, the Digital Attack Map, failed to detect any unusual activity in Australia at the time the alleged attacks took place.
If accurate, it gives credence to accusations widely circulating on social media and beyond that mysterious overseas hacker story is a cover for the real culprit — incompetence.
Yep, we covered that also, here: http://www.gizmodo.com.au/2016/08/the-australian-census-website-didnt-just-crash-it-was-hacked/
probably already been mentioned, but if you are using an international DNS provider, this may be the source of your problems (google dns, open dns, etc)
I'm all for an online Census system, but they screwed up majorly in more ways than one. Even more alarming is the fact that you are able to go through everyone else's information in your household... This is definitely not cool for renters. We have 4 people living at our place and I realised that anyone can login and go through each other's information about their housemates, especially the sections about needing help, religion, and income etc…. WHY IS NO ONE TALKING ABOUT THIS?!
Slight moment of amusement with this. One of the problems here was that the geoblocking didn't work, or wasn't put in place, or something like that. With a PM that's promoted geododging in the past, who's now mad that geoblocking failed.
Little ironic, ain't it?
Everyone is upset over the census failure...I'm more concerned that a government official is on a 700K Salary.
NO government official is worth 700K.
The folly of the sheeple never ceases to amaze me. When a tool of oppression is temporarily broken, they complain and demand it to be restored ASAP. LOL. It's as if sheep were lining up outside an abattoir, baaing and waiting impatiently for the door to open...