HTTPS vulnerability
Sources say Australia's online census was hacked due to a whole series of mistakes made by ABS and IBM that could have been prevented iStock

The cyberattacks that caused Australia's online census to fail were possible due to multiple blunders made by the Australian Bureau of Statistics (ABS) and IBM which enabled the attackers to hack into the census from within the country.

On 9 August, the website for Australia's first ever digital census was taken offline by hackers for 43 hours using distributed denial of service (DDoS) attacks to overload the site's servers, and ABS blamed the cyberattacks on overseas hackers.

Every five years it is mandatory for citizens to complete national census forms so the government can gauge population demographics, with many people looking forward to filling it out online.

Citizens who were able to complete the online census before the attacks occurred were worried that their personal details had been stolen by the hackers.

However, Australian information security journalist and podcaster Patrick Gray says his confidential sources are telling him a different story.

Refusing DDoS prevention services

According to Gray's news site Risky.Biz, ABS and its lead contractor IBM made multiple mistakes that contributed to the cyberattacks being possible – first, IBM and ABS turned down the opportunity to get DDoS prevention services from their upstream provider NextGen Networks, saying they didn't need it.

Instead, ABS and IBM asked NextGen to simply just geoblock all traffic if it came from outside Australia, even if the traffic was only equivalent to that of a small scale attack. Unfortunately, the hackers must have somehow found out, as they sent the traffic from within the country using a DNS Amplication Attack and a Smurf Attack.

A DNS Amplification attack is a type of DDoS "reflection" attack whereby publicly-accessible domain name systems are manipulated into flooding a target with a large number of UDP packets, which can be inflated in size to bring down even the most robust server. At the same time, the attack is also reflected off a third party so that the origin of the attack is concealed from the victim.

And at the same time, a Smurf Attack was also carried out, whereby large numbers of Internet Control Message Protocol (ICMP) packets with the source IP address of the victim were sent out to huge networks. When devices on these networks responded to ABS, it flooded its network with traffic.

Firewalls not properly configured

Gray says that ABS and IBM had also not configured its firewalls properly, so when the attacks hit, ABS' two firewalls had to be rebooted. The firewalls worked as a pair though, and unfortunately they had not been properly synced so only one firewall began working again, and this led to a short outage.

ABS had IBM traffic monitoring equipment in place that did issue some alerts but ABS staff thought the alerts meant that attackers had already gotten past firewalls and were now attacking the system, and that the DDoS attacks were being used as a distraction. Eventually they took the website down completely and called the Australian Signals Directorate (ASD), which is the government's intelligence agency.

IBM's traffic monitors reported false positives

It also turned out that the IBM alerts were in fact false positives that were characterising systems logs going out of Australia as attempts by hackers to transfer stolen data out of the online census to their own servers.

"ASD still needs to roll incident response before they can send the website live again. Even though it was false positives that triggered the investigation, there still needs to be an investigation," wrote Gray in a blog post.

"At least IBM got to bump their margins up a bit by not paying for the DDoS prevention though... amirite?!"