Auditor to Oz PM&C: Don’t use Webmail for leaks
Security spooks slap sloppy civil servants
Australian cloud computing chauvinists are prepping the “#GovDoesn’tGetIt” hashtag after the Australian National Audit Office (ANAO), with a bit of help from the spooks in the Defence Signals Directorate, identified services like Hotmail and Gmail as key vulnerabilities in government information security.
As noted many years ago in Yes Minister, “the ship of state is the only ship that leaks from the top”, so it’s unsurprising that the Department of Prime Minister and Cabinet is identified in the report as allowing its staff to access Webmail.
The ANAO report stated that while government information security was mostly acceptable – “generally operating in accordance with Government protective security requirements” in agency-speak – public web-based email services provide too many vulnerability vectors.
“Emails using public web‐based email services should be blocked on agency ICT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure. Webmail accounts were accessible in one of the audited agencies, and logs showed that some staff were using these accounts on a regular basis,” the report said.
The review only covered four agencies – the Australian Office of Financial Management, ComSuper, Medicare Australia and the Department of Prime Minister and Cabinet – which perhaps explains why only one agency was found to be allowing access to Webmail services.
The PM’s department outed itself in its response to the report’s recommendations, stating that it will block access to Webmail services from July 1.
The ANAO report recommends that if such access is required in the future, it should be via standalone single-purpose machines like kiosks.
Other vulnerabilities noted in the report include out-of-date policies, and that perennial standby, unpatched third-party software. ®
One of our politicians (I think it was one of ours)...
...several years back, admitted he couldn't watch Yes Minister because it was too disturbingly close to reality.
The NHS Trust my husband works at has provided an MS Exchange/Outlook webmail service in recent years. This does require interaction with his phone to get a session specific code by text message - which was better than the previous system.
Unfortunately they allow him to set up forwarding rules from his system to ANY external address. This means that he can and does receive all sorts of confidential material when he switches on his out of office reply and forwarding.
Inept staff in the NHS, generally female managers above him, seem to delight at copying as many people as possible on trivial matters - without ever trimming material.
Posting anonymously this week as he is being made redundant from the end of next week.
Britain is as bad
The NHS in the UK has done better than that. They have set up their own webmail system!
It has been officially labelled as secure. Staff are being told to use it to send confidential data from one location to another. They are told that as long as they send to another address on this system, it is secure. Presumably, they have ignored the possibility of any reading it from an unsecure computer. Yes, it can be seen on non-NHS computers - public libraries, your own virus ridden one or apparently ones abroad if you ask them.
Lets have a competition to see who can have the biggest official security hole.