RSS

Describe Melbourne IT in one word... Inept

Sat, 28th July 2012, 10:10

A group said to be associated with Anonymous convincingly demonstrated the complete lack of security and the inability of some companies to be trusted with properly protecting the information which would be stored under the Australian Federal Government's data retention draft policies. The group stated that they would not release any user details contained in the stolen data or name the victim telco, divulging only that the telco was "one of Australia's largest" along with a few clues about a 40Gb database backup that was accessed through an unpatched Adobe ColdFusion vulnerability. Soon after telco AAPT announced that that there had been a "security incident" where hackers gained "unauthorised access to some AAPT business customer data" which was being stored on servers at web hosting provider Melbourne IT. The compromised data is suspected to be a 40 GB backup of an Adobe Cold Fusion database, accessed through a well-known vulnerability.

The press and talking heads quickly ramp up the rhetoric.

The CEO of AAPT issued a statement saying: 

It was brought to our attention by our service provider Melbourne IT, at approximately 9:30PM last night that there had been a security incident and unauthorised access to some AAPT business customer data stored on servers at Melbourne IT. 

AAPT immediately instructed Melbourne IT to shut down the servers when we were notified of the incident. 

Preliminary findings suggest it was two files that were compromised and the data is historic, with limited personal customer information. Further, the servers on which the files were stored have not been used or connected to AAPT for at least 12 months. 

We are undertaking a thorough investigation into the incident with Melbourne IT and the relevant authorities to establish exactly the type and extent of data that has been compromised, how the security incident happened and what further measures are required to prevent any future incidents. 

AAPT is extremely concerned about this incident and is treating the matter with the utmost seriousness. AAPT will be contacting any impacted customers as soon as possible. 

IT security experts chimed in claiming the proposed changes to the data retention laws would make ISP storage centres enormous targets for hacktivists, evil state governments, and cyber criminals types.

A spokesperson for Cert, (What ever Cert is ... where I come from, Cert is a type of candy breath mint)...  Australia's national computer emergency response team says: 

The Federal Government takes the issue of cyber security very seriously. Reports such as this highlight the need for all Australian Internet users, businesses and government agencies to protect their data and systems.The Government has invested significantly over a number of years to ensure that we have appropriate arrangements in place to deal with cyber security threats. 

One media outlet quoted someone saying that “it has since confirmed an older version of AAPT's business website ran on Cold Fusion. Newer pages do not appear to be based on the same systems.”

Then there are the statements attributed to Tony Smith, corporate communications general manager at Melbourne IT... 

The company first become aware of the vulnerability after the site defacements late on Tuesday and had patched the issue "within the hour" 

- Smith said the vulnerability was cleared from the "handful of servers" it was found on 

- company's engineers were still investigating the issue and scanning the hosting provider's remaining servers for the potential Cold Fusion vulnerability. 

- Smith would not confirm whether the Australian Federal Police had become involved in the issue 

Abbreviated media quotes may convey only a partial context of the statement attributed to an individual. Whether these individuals “gets it” is open to debate.  “Anonymous” intent was to demonstrate the complete lack of security and the inability of some companies to be trusted with properly protecting the information which would be stored under the Australian Federal Government's data retention draft policies. Whether you agree or not with their tatics, they succeeded in accomplishing the task with unbelievable ease...

With Unbelievable Ease!

Who should worry

Melbourne IT states that its complete portfolio of Internet-based technology services drives more than 350,000 customers around the world. From helping small businesses build an online presence through to managing the complex technology environments of large enterprises and governments - including Internet domain name services, critical web hosting, online brand protection and promotion, video content delivery, managed IT services and more. Melbourne IT features and benefits include:

  • Peace of mind
  • Round-the-clock monitoring and intrusion detection
  • Security
  • Triple data backups for data integrity 

These 350K customers on 28,000 plus websites are the people that need to be concerned right now!
Melbourne IT was running servers (see Tony Smith’s "handful of servers") which had known vulnerabilities for … not four days , nor 4 weeks.. not even 4 months. This vulnerability in Cold Fusion was publicly known and in the wild since 2008.

Tony Smith is quoted as saying Melbourne IT patched the issue "within the hour".. Even if the quote was truncated...it was 4 years late!

Unbelievably Inept

List of alternative Australian web hosting providers

This partial list is provided in no particular order! Use keywords like "Australia" with the HostJury search function for a complete listing of Aussie companies... or if you have a particular favorite just add the company in the comments!

Host Networks

SmartyHost

Netregistry

Relentless Hosting

Layered Networks

Dynomesh

Sliced Tech

SpeedySparrow

HORIZON HOSTING

Ceaser Hosting

TPP Wholesale

 

Shared Hosting - from $2.88/mo