
We Asked Our Resident Tech Legend To Explain What Was Really Behind The Census “Hack”

What's a DDoS and has it stolen all of my personal info?


Was it a hack, a distributed denial-of-service (DDoS) attack, or basic incompetence? This morning the Australian Bureau of Statistics (ABS) claimed that the Census website crashed after it was targeted by “foreign hackers”. But this afternoon they’d changed their tune, now saying the website was pulled in response to a DDoS attack, and denying any data was lost in a “hack”.

So what’s going on? Is it game over for the Census? Were we actually targeted by unknown foreign hackers or is the ABS covering for its own technical failures?

We asked Junkee’s Chief Information Officer and resident tech legend, Ian Grant, to help break down what happened on Census night.

Junkee: Do you think the Census crash was actually a DDoS attack?

Ian: On paper and by definition yes it was, however it was an unintentional attack. What that means is that each household didn’t know that they were contributing to an overwhelming amount of traffic to the site. If you’re looking at this from a network security perspective, you would look at the evidence and call it a DDoS.

Officially stating that it was an overseas attack is scapegoating and misleading and, in my opinion, cheap. If this was an overseas attack it would have been easier to control and the ABS would have been able to identify that traffic and deny it at the network edge.

What is a DDoS attack and how do they work?

DoS stands for Denial of Service. It’s an attack on an institution or service in an attempt to render the institution unable to process its primary service. A standard, commonly used analogy is where a postbox receives so much mail at once that it can no longer accept mail from your postie. We’ve probably all felt that when we’ve gone away for a few weeks without leaving the postbox key with a trusty neighbour.

That’s the crux of the intention of a DoS attack: render someone or something useless. The extra D at the front of DoS stands for Distributed. This means that all the traffic flooding the victim comes from various locations, geographically speaking.

How common are they?

They happen a lot more than you think. Hacktivism is pretty commonplace nowadays and a DoS attack is the weapon of choice; they can be executed by individuals or small groups of people with a common ideology.

Most, if not all, hosting and networking service providers are adequately able to handle small scale DoS attacks without much hassle. DDoS attacks on the other hand tend to be executed by larger hacktivism groups, or could be state-sponsored. These require a larger number of agents, scripts, services all working in sync to cripple an institution. You generally hear about DDoS attacks in media, depending on the scale and the victim involved.

Should the ABS have anticipated this?

Absolutely.

They basically whipped up a fearful frenzy in the national psyche to make sure they dealt themselves the worst case scenario: almost 100 percent of households all logging on at the same time. You can simulate that all you want and throw as much money at it as you want, but unless your simulations take your theoretical worst case scenario and then multiply it by 1,000 you’re doomed. I know this through experience.

Why should people trust the ABS with their personal details if their systems can fail like this?

It’s important to understand the difference between a DDoS and a hack. What the ABS experienced was a result of underestimated testing and ill preparation, and they were denied providing the service they were required to provide. A hack is an exploitation of a system’s security systems and protocols, and there is absolutely no evidence of this having happened yesterday.

A substantial proportion of the $9 million awarded to IBM for this project would have been dedicated to the secure input and storage of your data. Data storage, protocols, the security layers surrounding it would have been under some pretty intense scrutiny.

Liken yesterday’s events to that of a busy bank branch. A shit tonne of customers all arriving at once has meant that they can no longer serve you, but that doesn’t mean the vault has been broken into. They’re two very separate things.

Should we trust other government websites if such an important one went down like this?

It’s a tough question but as I work through it, I come to the same conclusion: probably. They’ve got your data already, you just hope that whoever is leading the techs, the engineers and the delivery teams respects their voices and educated opinions.

…Cool. Easy.