24 March 2011

But how do we leak without webmail?

| johnboy
Join the conversation
22

The Register is taking a look at a recent AuditOffice report which has fingered the Department of Prime Minister and Cabinet as allowing access to webmail from departmental computers.

As noted many years ago in Yes Minister, “the ship of state is the only ship that leaks from the top”, so it’s unsurprising that the Department of Prime Minister and Cabinet is identified in the report as allowing its staff to access Webmail.

The ANAO report stated that while government information security was mostly acceptable – “generally operating in accordance with Government protective security requirements” in agency-speak – public Web-based e-mail services provide too many vulnerability vectors

It must, however, be noted that the audit only covered four agencies, there might well be others less sensitive to the machinery of State also allowing webmail access. Although in the era of the smartphone why anyone needs to use a work machine for personal mail is beyond me.

Join the conversation

22
All Comments
  • All Comments
  • Website Comments
LatestOldest

Well this is all very interesting, however I am feeling extremely acronymically challenged.
But I know a TLA when I see one.

thebrownstreak9:21 am 25 Mar 11

JC said :

creative_canberran said :

Fact: You’re confusing the national-security clearance ratings with the non-national-security ratings. Security-in-confidence, department-in-confidence, cabinet-in-confidence and so on, you’ll find those on internet connected terminals.

Fact: Restricted is a national security rating. In some, not all department this can be found on machines connected to the Internet, Defence being a prime example of where it IS allowed. Indeed the rules even allow restricted to be sent over the Internet legally but it is still a national security rating.

You can send higher than Restricted or In-Confidence over the Internet also, you simply need to use the appropriate crypto. The details are in the ISM.

creative_canberran said :

Fact: You’re confusing the national-security clearance ratings with the non-national-security ratings. Security-in-confidence, department-in-confidence, cabinet-in-confidence and so on, you’ll find those on internet connected terminals.

Fact: Restricted is a national security rating. In some, not all department this can be found on machines connected to the Internet, Defence being a prime example of where it IS allowed. Indeed the rules even allow restricted to be sent over the Internet legally but it is still a national security rating.

creative_canberran said :

Best check you’re facts.

Best check your spelling.

creative_canberran said :

Fact: All access through public service computers to the internet is through Government DNS servers, owned by the government and operated under contract; which control traffic, log on and privileges. Same for ACT Government computers. They’re all on their own intranet which then has a facility to go through to the internet.

You’re obviously not an IT guy or you wouldn’t be confusing DNS servers with a Secure Gateway Service. Also, they’re not all operated by outside providers under contract. Some are run in-house.

creative_canberran said :

Fact: Only the log in screen for most webmail services is encrypted. If you log in to Hotmail right now, you’ll see the HTTPS replaced with HTTP once you log in. Further, the actual email once sent wouldn’t be encrypted anyway unless you manually assigned a Digital Certificate to it. Meaning it leaves a record of it on every server before it reaches a destination. A typical email will exist for a time on 7 different servers.

Fact: No, I won’t see HTTP because Hotmail has offered everyone HTTPS-only connections for several months now. Gmail much longer. They’re not the only two webmail providers doing it, and they handle the majority of webmail users, so your statistics are either off or misleading.

If SSL is used, whether the email itself is encrypted is irrelevant as the governernment department (and their gateway provider) are unable to see inside the HTTPS connection. Sure, add PGP or whatever if you’re paranoid.

creative_canberran said :

Fact: a web proxy server is simply a way to route your connection to a website through an intermediary server that masks your IP address from the visited website’s server. It doesn’t prevent your ISP (which on a government computer is the government) from seeing that you visited that proxy. And given operating systems by default transmit little details like the MAC address of a computer and even the O.S. serial number, it’s by no means a complete way to be annon online.

Fact: A proxy doesn’t have to mask an address – it can work transparently. But, you feel free to keep trying to explain stuff to me that I’m way ahead of you on.

I never said it stopped anyone from seeing you visit a website via the proxy – simply that the use of a proxy (or any other network device) cannot allow a third party to looking inside the encrypted HTTPS session, thus removing any conclusive proof that a user sent particular data.

creative_canberran said :

Fact: You’re confusing the national-security clearance ratings with the non-national-security ratings. Security-in-confidence, department-in-confidence, cabinet-in-confidence and so on, you’ll find those on internet connected terminals.

Once you get into C, S, TS and materials beyond TS (yes, there’s stuff beyond TS which one lecturer indicated requires special, limited access rooms) for people with TS-PV rated staff, the measures are different.

I can’t decide – are you confused, or agreeing with me?

Also, you didn’t mention Restricted – at which, funnily enough, there exists Internet connected networks.

A read of the ISM would fill out your simplified view of the physical and logical requirements of the various security levels.

creative_canberran11:47 pm 24 Mar 11

LSWCHP said :

creative_canberran said :

Once you get into C, S, TS and materials beyond TS (yes, there’s stuff beyond TS which one lecturer indicated requires special, limited access rooms) for people with TS-PV rated staff, the measures are different.

That would be AUSTEO material and a SCIF (http://en.wikipedia.org/wiki/Sensitive_Compartmented_Information_Facility)

Indeed, the measures are different.

You would right about SCIF, or whatever they call it in Australia. I don’t know specifics.

AUSTEO on the other hand and the other “eyes” labels on documents can be a very high rating, but curiously, it can be used on documents of lower classifications. Like this DFAT document to then foreign Minister Downer which was marked AUSTEO but only classified as SECRET. http://www.ag.gov.au/www/inquiry/offi.nsf/indexes/images/DFT.0007.0220.pdf

(Don’t worry, JB, this document won’t turn you into the next Jullian Assange. It’s evidence from the Attorney General’s Dept. inquiry into AWB made public on their website.)

Indeed AUSTEO materials are even shared on occasion: http://www.abc.net.au/7.30/stories/s219320.htm

And it’s a little known fact in the foreign affairs community that at times, when discussions or info needs communicating between countries… sometimes it’s not diplomats sent to do it, given those in the intelligence community tend to be better at talking with one another than actual diplomats.

And while I’m dredging up academic trivia on Australia’s intelligence community. Here’s a great one: The original document establishing DSD, it’s role and charter essentially, has only ever been viewed by a handful of people. Most of the time, the minister for that portfolio will never see it, nor the AG. Makes you wonder just how much autonomy they have?

creative_canberran said :

Once you get into C, S, TS and materials beyond TS (yes, there’s stuff beyond TS which one lecturer indicated requires special, limited access rooms) for people with TS-PV rated staff, the measures are different.

That would be AUSTEO material and a SCIF (http://en.wikipedia.org/wiki/Sensitive_Compartmented_Information_Facility)

Indeed, the measures are different.

georgesgenitals8:56 pm 24 Mar 11

vg said :

“If documents are classified, they’re on a separate system that doesn’t have internet.”

Rubbish

Agreed. The ISM even describes the measures needed in order to allow this to happen.

“If documents are classified, they’re on a separate system that doesn’t have internet.”

Rubbish

sexynotsmart7:30 pm 24 Mar 11

I think it may depend on the job you’re doing, the network you’re on and if you have access to any classified material.

The last two government projects I’ve worked on have been ‘open source’ and with a corresponding agency in another country. Day 1 tasks for new starters include ‘get a google account’, because all the project material is on google code and google docs.

So for codecutters on a dev network without access to secrets of the realm, the risk of inappropriate disclosure are nil. And obviously that’s been accepted by someone.

creative_canberran6:19 pm 24 Mar 11

Grrrr said :

creative_canberran said :

Conversely, with the resources DSD would have, one has to wonder why they wouldn’t want webmail on computers given the opportunity it would provide to identify leakers. Put digital watermarks in sensitive documents, track the traffic through the departmental servers and surely they could turn it into a counter-leaking system.

No – webmail means the documents don’t go through the department’s servers. Unless perhaps you count a web proxy server – and even then, webmail is encryped (HTTPS) so the administrators wouldn’t be able to see what was sent. I know the headline is rhetorical – perhaps even facetious – but there’s a million ways to leak, and no way to stop a determined leaker.

Some people here don’t seem to understand Classification of documents. More or less every document is classified – at one of a number of levels. A network classified at Security-In-Confidence (and containing documents at that level) may well be allowed access the Internet. Perhaps as a matter of policy webmail is not allowed in some departments, but it is impossible to block every webmail site on the Internet without using whitelisting.

Best check you’re facts.

Fact: All access through public service computers to the internet is through Government DNS servers, owned by the government and operated under contract; which control traffic, log on and privileges. Same for ACT Government computers. They’re all on their own intranet which then has a facility to go through to the internet.

Fact: Only the log in screen for most webmail services is encrypted. If you log in to Hotmail right now, you’ll see the HTTPS replaced with HTTP once you log in. Further, the actual email once sent wouldn’t be encrypted anyway unless you manually assigned a Digital Certificate to it. Meaning it leaves a record of it on every server before it reaches a destination. A typical email will exist for a time on 7 different servers.

Fact: a web proxy server is simply a way to route your connection to a website through an intermediary server that masks your IP address from the visited website’s server. It doesn’t prevent your ISP (which on a government computer is the government) from seeing that you visited that proxy. And given operating systems by default transmit little details like the MAC address of a computer and even the O.S. serial number, it’s by no means a complete way to be annon online.

Fact: You’re confusing the national-security clearance ratings with the non-national-security ratings. Security-in-confidence, department-in-confidence, cabinet-in-confidence and so on, you’ll find those on internet connected terminals.

Once you get into C, S, TS and materials beyond TS (yes, there’s stuff beyond TS which one lecturer indicated requires special, limited access rooms) for people with TS-PV rated staff, the measures are different.

creative_canberran said :

Conversely, with the resources DSD would have, one has to wonder why they wouldn’t want webmail on computers given the opportunity it would provide to identify leakers. Put digital watermarks in sensitive documents, track the traffic through the departmental servers and surely they could turn it into a counter-leaking system.

No – webmail means the documents don’t go through the department’s servers. Unless perhaps you count a web proxy server – and even then, webmail is encryped (HTTPS) so the administrators wouldn’t be able to see what was sent. I know the headline is rhetorical – perhaps even facetious – but there’s a million ways to leak, and no way to stop a determined leaker.

Some people here don’t seem to understand Classification of documents. More or less every document is classified – at one of a number of levels. A network classified at Security-In-Confidence (and containing documents at that level) may well be allowed access the Internet. Perhaps as a matter of policy webmail is not allowed in some departments, but it is impossible to block every webmail site on the Internet without using whitelisting.

p1 said :

banjo said :

DSD are pretty clear on this, no external email providers are allowed to be used on a government network or any applications that has email like capability.

Ahhh, so no google.com for anyone in defence then?

That’s a sneaky hyperlink.

no access to “MAIL.google.com”

“google.com” is ok.

creative_canberran2:46 pm 24 Mar 11

banjo said :

p1 said :

banjo said :

DSD are pretty clear on this, no external email providers are allowed to be used on a government network or any applications that has email like capability.

Ahhh, so no google.com for anyone in defence then?

Not sure what you mean by that? google.com and gmail are two separate things if that is what your implying?

Mind you I have never worked in defence and have no desire to because I think not having personal email there would be the least of your complaints on that network 🙂

They might not give you webmail access but at least you get a free laptop working for federal departments: http://m.zdnet.com.au/fed-s-lame-lost-laptop-excuses-rouse-labor-anger-120262999.htm

You’d rather hope that APS departments would be happy to have people leaking from their webmails at work, as then they could catch them. Sadly, the abilities of most IT departments are being impugned by this ANAO report, they clearly don’t think they’re much chop.

p1 said :

banjo said :

DSD are pretty clear on this, no external email providers are allowed to be used on a government network or any applications that has email like capability.

Ahhh, so no google.com for anyone in defence then?

Not sure what you mean by that? google.com and gmail are two separate things if that is what your implying?

Mind you I have never worked in defence and have no desire to because I think not having personal email there would be the least of your complaints on that network 🙂

banjo said :

DSD are pretty clear on this, no external email providers are allowed to be used on a government network or any applications that has email like capability.

Ahhh, so no google.com for anyone in defence then?

As noted the most common leaks are deliberate, wouldn’t want to deprive themselves of that tool CC.

creative_canberran1:57 pm 24 Mar 11

Google search “shortwave numbers station” and “cherry ripe”.
It’s kind of ironic that some of the most secure communications are in the open for all to hear.
Conversely, with the resources DSD would have, one has to wonder why they wouldn’t want webmail on computers given the opportunity it would provide to identify leakers. Put digital watermarks in sensitive documents, track the traffic through the departmental servers and surely they could turn it into a counter-leaking system.

DSD are pretty clear on this, no external email providers are allowed to be used on a government network or any applications that has email like capability. Facebook for example has email like capability. It’s got nothing to do with productivity and everything to do with separating official work correspondence channels from unofficial means. Perhaps it is somewhat heavy handed and it’s obvious some agencies allow certain things where others don’t as it can be a gray area, but most err on the side of caution. It is also becoming increasingly difficult to draw the line on this as “social networking”, for some agency, is becoming another means of connecting with the public, especially the younger demographic.

georgesgenitals1:36 pm 24 Mar 11

dtc said :

why is it that virtually all private sector companies trust their employees sufficiently to allow access to web mail, facebook etc etc; but apparently public servants are just too risky?

Because public companies are far less accountable than government.

why is it that virtually all private sector companies trust their employees sufficiently to allow access to web mail, facebook etc etc; but apparently public servants are just too risky? I appreciate that some Departments do have access to genuine ‘national security’ documentation; but most dont have access to anything more confidential than what is held by a private corporation.

And does anyone, nowdays, use emails from their work computer to leak? Arent most people smarter than that?

national security document wouldn’t be on the computers that could access webmail. If documents are classified, they’re on a separate system that doesn’t have internet. And if they’re going to go that route, they need to re-visit the issue of smart phones, i phones, camera phones et al

Daily Digest

Want the best Canberra news delivered daily? Every day we package the most popular Riotact stories and send them straight to your inbox. Sign-up now for trusted local news that will never be behind a paywall.

By submitting your email address you are agreeing to Region Group's terms and conditions and privacy policy.