WA government still hopeless at infosec
Colin Murphy, can we talk about SHA-1?
Western Australia's Auditor General has panned the state's consistently-awful IT security, delivering its report from a site that Chrome warns isn't doing HTTPS right.
The agency has been telling the state government its security is subpar for years. When it ran hostile scans of agency networks in 2011, 14 out of 15 failed to notice; in 2012, it was displeased with their payment systems.
And this year? From the report:
We have been reporting the capability assessments for a number of years and for the first time have included a trend line for each of the categories. Disappointingly, 2 of the categories have shown no improvement in the last 8 years. These continue to be affected by easy to address issues such as poor password management and ensuring processes to recover data and operations in the event of an incident are kept updated.
The Auditor-General, Colin Murphy, is so sick of reading from the same sheet each year that he notes the office is considering adopting a name-and-shame approach to agencies that don't deal with their security.
Ever helpful, Vulture South will name at least one agency whose card can be marked “must try harder”. As the image below shows, the Auditor-General's website is marked as insecure by Chrome.
[Image: Chrome's security warning for the Auditor-General's site. Caption: We need to talk about SHA-1 ...]
The reason? It still uses SHA-1 certificates, which are on practically everybody's kill list.
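How you would confirm a finding like this yourself, as an added example that is not from The Register or the WA Auditor General's office: a small pure-Python DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and flags the SHA-1 ones. The two sample certificates are constructed shells (not valid certificates) built only to exercise the parser; check_host is an assumed helper that fetches a real site's leaf certificate and therefore needs network access.

```python
import ssl
# Signature-algorithm OID -> (name, is_sha1). Unknown OIDs are returned dotted, flagged False.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _tlv(buf: bytes, pos: int) -> tuple:
    """Decode one DER tag and length; return (tag, value start, value end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw: bytes) -> str:
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der: bytes) -> tuple:
    """Read the outer signatureAlgorithm of a DER Certificate; return (name, uses_sha1)."""
    tag, pos, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE { ... }
    _, _, tbs_end = _tlv(der, pos)      # tbsCertificate: skipped as a whole
    tag2, pos, _ = _tlv(der, tbs_end)   # signatureAlgorithm ::= SEQUENCE { OID, params }
    tag3, start, end = _tlv(der, pos)   # algorithm OBJECT IDENTIFIER
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER X.509 Certificate")
    oid = _decode_oid(der[start:end])
    return SIG_OIDS.get(oid, (oid, False))

def check_host(host: str, port: int = 443) -> tuple:
    """Fetch a live server's leaf certificate and classify it (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))

def build_sample(oid_der_hex: str) -> bytes:
    """Constructed stand-in, not a valid certificate: empty tbsCertificate + given OID + dummy sig."""
    alg = bytes.fromhex(oid_der_hex)
    body = b"\x30\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x02\x00\xab"
    return b"\x30" + bytes([len(body)]) + body
SHA1_SAMPLE = build_sample("06092a864886f70d010105")    # sha1WithRSAEncryption
SHA256_SAMPLE = build_sample("06092a864886f70d01010b")  # sha256WithRSAEncryption
```

The same function works on a real DER certificate, since the long-form lengths real certificates use are handled by _tlv; only the leaf certificate's own signature is examined, not the rest of the chain.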
Update: A reader suggested we also run the site through SSL Labs, which we did. The result is very discouraging, as you will see below. ®