Skip to content Skip to main navigation

Business

Australia's tier 4 data centre. Micron21 mission critical hosting services.

But how do we leak without webmail?

By johnboy - 24 March 2011 22

The Register is taking a look at a recent AuditOffice report which has fingered the Department of Prime Minister and Cabinet as allowing access to webmail from departmental computers.

As noted many years ago in Yes Minister, “the ship of state is the only ship that leaks from the top”, so it’s unsurprising that the Department of Prime Minister and Cabinet is identified in the report as allowing its staff to access Webmail.

The ANAO report stated that while government information security was mostly acceptable – “generally operating in accordance with Government protective security requirements” in agency-speak – public Web-based e-mail services provide too many vulnerability vectors

It must, however, be noted that the audit only covered four agencies, there might well be others less sensitive to the machinery of State also allowing webmail access. Although in the era of the smartphone why anyone needs to use a work machine for personal mail is beyond me.

What’s Your opinion?


Post a comment
Please login to post your comments, or connect with
22 Responses to
But how do we leak without webmail?
vg 8:25 pm 24 Mar 11

“If documents are classified, they’re on a separate system that doesn’t have internet.”

Rubbish

sexynotsmart 7:30 pm 24 Mar 11

I think it may depend on the job you’re doing, the network you’re on and if you have access to any classified material.

The last two government projects I’ve worked on have been ‘open source’ and with a corresponding agency in another country. Day 1 tasks for new starters include ‘get a google account’, because all the project material is on google code and google docs.

So for codecutters on a dev network without access to secrets of the realm, the risk of inappropriate disclosure are nil. And obviously that’s been accepted by someone.

creative_canberran 6:19 pm 24 Mar 11

Grrrr said :

creative_canberran said :

Conversely, with the resources DSD would have, one has to wonder why they wouldn’t want webmail on computers given the opportunity it would provide to identify leakers. Put digital watermarks in sensitive documents, track the traffic through the departmental servers and surely they could turn it into a counter-leaking system.

No – webmail means the documents don’t go through the department’s servers. Unless perhaps you count a web proxy server – and even then, webmail is encryped (HTTPS) so the administrators wouldn’t be able to see what was sent. I know the headline is rhetorical – perhaps even facetious – but there’s a million ways to leak, and no way to stop a determined leaker.

Some people here don’t seem to understand Classification of documents. More or less every document is classified – at one of a number of levels. A network classified at Security-In-Confidence (and containing documents at that level) may well be allowed access the Internet. Perhaps as a matter of policy webmail is not allowed in some departments, but it is impossible to block every webmail site on the Internet without using whitelisting.

Best check you’re facts.

Fact: All access through public service computers to the internet is through Government DNS servers, owned by the government and operated under contract; which control traffic, log on and privileges. Same for ACT Government computers. They’re all on their own intranet which then has a facility to go through to the internet.

Fact: Only the log in screen for most webmail services is encrypted. If you log in to Hotmail right now, you’ll see the HTTPS replaced with HTTP once you log in. Further, the actual email once sent wouldn’t be encrypted anyway unless you manually assigned a Digital Certificate to it. Meaning it leaves a record of it on every server before it reaches a destination. A typical email will exist for a time on 7 different servers.

Fact: a web proxy server is simply a way to route your connection to a website through an intermediary server that masks your IP address from the visited website’s server. It doesn’t prevent your ISP (which on a government computer is the government) from seeing that you visited that proxy. And given operating systems by default transmit little details like the MAC address of a computer and even the O.S. serial number, it’s by no means a complete way to be annon online.

Fact: You’re confusing the national-security clearance ratings with the non-national-security ratings. Security-in-confidence, department-in-confidence, cabinet-in-confidence and so on, you’ll find those on internet connected terminals.

Once you get into C, S, TS and materials beyond TS (yes, there’s stuff beyond TS which one lecturer indicated requires special, limited access rooms) for people with TS-PV rated staff, the measures are different.

Grrrr 4:21 pm 24 Mar 11

creative_canberran said :

Conversely, with the resources DSD would have, one has to wonder why they wouldn’t want webmail on computers given the opportunity it would provide to identify leakers. Put digital watermarks in sensitive documents, track the traffic through the departmental servers and surely they could turn it into a counter-leaking system.

No – webmail means the documents don’t go through the department’s servers. Unless perhaps you count a web proxy server – and even then, webmail is encryped (HTTPS) so the administrators wouldn’t be able to see what was sent. I know the headline is rhetorical – perhaps even facetious – but there’s a million ways to leak, and no way to stop a determined leaker.

Some people here don’t seem to understand Classification of documents. More or less every document is classified – at one of a number of levels. A network classified at Security-In-Confidence (and containing documents at that level) may well be allowed access the Internet. Perhaps as a matter of policy webmail is not allowed in some departments, but it is impossible to block every webmail site on the Internet without using whitelisting.

Bosworth 2:50 pm 24 Mar 11

p1 said :

banjo said :

DSD are pretty clear on this, no external email providers are allowed to be used on a government network or any applications that has email like capability.

Ahhh, so no google.com for anyone in defence then?

That’s a sneaky hyperlink.

no access to “MAIL.google.com”

“google.com” is ok.

creative_canberran 2:46 pm 24 Mar 11

banjo said :

p1 said :

banjo said :

DSD are pretty clear on this, no external email providers are allowed to be used on a government network or any applications that has email like capability.

Ahhh, so no google.com for anyone in defence then?

Not sure what you mean by that? google.com and gmail are two separate things if that is what your implying?

Mind you I have never worked in defence and have no desire to because I think not having personal email there would be the least of your complaints on that network 🙂

They might not give you webmail access but at least you get a free laptop working for federal departments: http://m.zdnet.com.au/fed-s-lame-lost-laptop-excuses-rouse-labor-anger-120262999.htm

EvanJames 2:43 pm 24 Mar 11

You’d rather hope that APS departments would be happy to have people leaking from their webmails at work, as then they could catch them. Sadly, the abilities of most IT departments are being impugned by this ANAO report, they clearly don’t think they’re much chop.

banjo 2:25 pm 24 Mar 11

p1 said :

banjo said :

DSD are pretty clear on this, no external email providers are allowed to be used on a government network or any applications that has email like capability.

Ahhh, so no google.com for anyone in defence then?

Not sure what you mean by that? google.com and gmail are two separate things if that is what your implying?

Mind you I have never worked in defence and have no desire to because I think not having personal email there would be the least of your complaints on that network 🙂

p1 2:03 pm 24 Mar 11

banjo said :

DSD are pretty clear on this, no external email providers are allowed to be used on a government network or any applications that has email like capability.

Ahhh, so no google.com for anyone in defence then?

johnboy 2:00 pm 24 Mar 11

As noted the most common leaks are deliberate, wouldn’t want to deprive themselves of that tool CC.

creative_canberran 1:57 pm 24 Mar 11

Google search “shortwave numbers station” and “cherry ripe”.
It’s kind of ironic that some of the most secure communications are in the open for all to hear.
Conversely, with the resources DSD would have, one has to wonder why they wouldn’t want webmail on computers given the opportunity it would provide to identify leakers. Put digital watermarks in sensitive documents, track the traffic through the departmental servers and surely they could turn it into a counter-leaking system.

banjo 1:43 pm 24 Mar 11

DSD are pretty clear on this, no external email providers are allowed to be used on a government network or any applications that has email like capability. Facebook for example has email like capability. It’s got nothing to do with productivity and everything to do with separating official work correspondence channels from unofficial means. Perhaps it is somewhat heavy handed and it’s obvious some agencies allow certain things where others don’t as it can be a gray area, but most err on the side of caution. It is also becoming increasingly difficult to draw the line on this as “social networking”, for some agency, is becoming another means of connecting with the public, especially the younger demographic.

georgesgenitals 1:36 pm 24 Mar 11

dtc said :

why is it that virtually all private sector companies trust their employees sufficiently to allow access to web mail, facebook etc etc; but apparently public servants are just too risky?

Because public companies are far less accountable than government.

dtc 12:27 pm 24 Mar 11

why is it that virtually all private sector companies trust their employees sufficiently to allow access to web mail, facebook etc etc; but apparently public servants are just too risky? I appreciate that some Departments do have access to genuine ‘national security’ documentation; but most dont have access to anything more confidential than what is held by a private corporation.

And does anyone, nowdays, use emails from their work computer to leak? Arent most people smarter than that?

EvanJames 12:16 pm 24 Mar 11

national security document wouldn’t be on the computers that could access webmail. If documents are classified, they’re on a separate system that doesn’t have internet. And if they’re going to go that route, they need to re-visit the issue of smart phones, i phones, camera phones et al

Related Articles

CBR Tweets

Sign up to our newsletter

Top
Copyright © 2017 Riot ACT Holdings Pty Ltd. All rights reserved.
www.the-riotact.com | www.b2bmagazine.com.au | www.thisiscanberra.com

Search across the site