This is an HTML version of an attachment to the Freedom of Information request 'Security Audit of www.passports.gov.au'.

Hi Peter and Brendan,

We received the answers to the internet security questions today. They are attached for your reference.

Cheers,

Megan

Megan Jolly
Office Manager
Office of Senator Peter Whish-Wilson
Australian Greens Senator for Tasmania
PO Box 5194
Launceston TAS 7250
Ph: 03 6331 0033
Fax: 03 6331 2044
Web: http://peter-whish-wilson.greensmps.org.au/

-----Original Message-----
From: Peter Lawler [mailto:xxxxxxxxxxx@xxxxx.xxx]
Sent: Thursday, 22 May 2014 2:21 PM
To: Jolly, Megan (Sen P. Whish-Wilson)
Cc: xxxxxxx@xxxxxx.xxx
Subject: RE: Encryption and Cipher of Australian Gov't Passport website

Yes.

SSL was the "original" method of encrypting. When a different standards group took over managing the standard, it became known as TLS. Thus SSL 3.0 is the final version of SSL. TLS 1.0 is colloquially known as SSL 3.1.

Rule of thumb is these days anything TLS 1.1 or below is considered a bit of a joke (the older, the funnier the punch line).

On 22 May 2014 2:15:27 PM AEST, "Jolly, Megan (Sen P. Whish-Wilson)" <xxxxx.xxxxx@xxx.xxx.xx> wrote:
>Hi Peter,
>
>The questions have been submitted and they came back with a query in
>relation to the following question:
>
>What is the minimum SSL or TLS certificate version used by DFAT managed
>websites?
>
>Does;
>
>SSL refer to Secure Sockets Layer
>And
>TLS to Transport Layer Security
>
>Please advise if these are the correct terms for the acronyms used.
>
>Thanks,
>
>Megan
>
>Megan Jolly
>Office Manager
>Office of Senator Peter Whish-Wilson
>Australian Greens Senator for Tasmania
>PO Box 5194
>Launceston Tasmania 7250
>Ph: 03 6331 0033
>Fax: 03 6331 2044
>www.peter-whish-wilson.greensmps.org.au
>
>-----Original Message-----
>From: Peter Lawler [mailto:xxxxxxxxxxx@xxxxx.xxx]
>Sent: Monday, 19 May 2014 5:26 PM
>To: Jolly, Megan (Sen P. Whish-Wilson)
>Cc: xxxxxxx@xxxxxx.xxx
>Subject: Re: Encryption and Cipher of Australian Gov't Passport website
>
>Hi Megan,
>Apologies for the lengthy delay in getting back to you.
>
>
>1. How often is penetration testing of the websites managed by the
>Department of Foreign Affairs and Trade (DFAT) websites conducted?
>a. Are they regular, random or a mixture of both?
>b. Are they undertaken by internal (DFAT) officers or by external
>consultants
>c. What (if any) professional qualifications are used by DFAT to
>determine those performing the required tasks are capable and knowledgeable
>
>
>2. How often is security auditing of the websites managed by the
>Department of Foreign Affairs and Trade (DFAT) websites conducted?
>a. Are they regular, random or a mixture of both?
>b. Are they undertaken by internal (DFAT) officers or by external
>consultants
>c. What (if any) professional qualifications are used by DFAT to
>determine those performing the tasks are capable and knowledgeable
>
>3. When was the last
>a. penetration test conducted and did it meet Government standards as
>outlined in Australian Government Information Security Manual (ISM)?
>b. audit test conducted and did it meet Government standards as
>outlined
>in Australian Government Information Security Manual (ISM)?
>
>4. Over the past 5 years have any penetration tests or security audits
>on DFAT managed websites failed to meet Government standards as
>outlined
>in the ISM?
>a. Was the Minister at the time informed?
>b. Was client/customer data compromised in any way, both theoretically
>or practically?
>
>5. If a penetration test or security audit is found to have compromised
>DFAT data what is the process for
>a. Rectifying the situation; and
>b. Notifying affected people?
>
>6. What is the minimum SSL or TLS certificate version used by DFAT
>managed websites?
>
>7. Has the Minister requested a briefing on the security of the data
>and
>information on DFAT managed websites?
>a. Have any previous Ministers over the past 5 years requested a
>briefing on data and information security?
>
>
>Reasoning for suggested edit:
>Q1 & 2 Pentesting and audit are, although usually related, different
>matters. Some level of automated auditing (eg, intrusion detection) is
>ongoing whereas pentesting and specific auditing are not.
>Q3 Modified to reflect the slight differences in pentest and audit thus
>may have different answers
>Q4 I've added a 'both theoretically and practically' because my
>understanding of the known certificate vulnerability DFAT were running
>with on their website, someone sitting in between their website and the
>client computer could have compromised data transmitted between the
>two.
>It does not require knowledge that the data on DFAT has been breached,
>just knowledge that there was insufficient encryption between DFAT and
>client computers.
>Q6. 'SSL/TLS' changed to 'SSL or TLS' to be a little more clear. TLS is
>the later version of SSL. In fact, since Windows XP has been
>de-supported, no consumer grade commercial operating system one can buy
>off the shelf in Australia is capable of talking non-TLS level SSL any
>more.
>
>I guess there'd be follow up questions depending on the response/s.
>
>Hope this helps,
>
>Pete.
>
>
>On 09/04/14 11:33, Jolly, Megan (Sen P. Whish-Wilson) wrote:
>> Hi Peter and Brendan,
>>
>> Attached please find our first stab at the questions for the Foreign
>Minister regarding the security of the DFAT website in regards to
>passport applications by Australian citizens.
>>
>> Can you please add any technical questions you think are necessary to
>explain the sequence of events and what measures have been taken to fix
>the issue?
>>
>> We can't ask for specific documents but can ask members of the
>department to explain what happened via the minister.
>>
>> Thanks,
>>
>> Megan
>>
>> Megan Jolly
>> Office Manager
>> Office of Senator Peter Whish-Wilson
>> Australian Greens Senator for Tasmania
>> PO Box 5194
>> Launceston Tasmania 7250
>> Ph: 03 6331 0033
>> Fax: 03 6331 2044
>> www.peter-whish-wilson.greensmps.org.au
>>
>> -----Original Message-----
>> From: Peter Lawler [mailto:xxxxxxxxxxx@xxxxx.xxx]
>> Sent: Tuesday, 8 April 2014 1:45 PM
>> To: Jolly, Megan (Sen P. Whish-Wilson); xxxxxxx@xxxxxx.xxx
>> Subject: Re: Encryption and Cipher of Australian Gov't Passport
>website
>>
>> Dear Megan,
>> Thanks for getting back to me. I've cc'd Brendan on this reply so
>it'll
>> be easier for you to send the questions to both him and myself when
>> you're ready for us to look over them. I appreciate that they can be
>a
>> little technical in nature, happy to help out where needs be, etc.
>>
>> Cheers,
>>
>> Pete.
>>
>> On 08/04/14 13:39, Jolly, Megan (Sen P. Whish-Wilson) wrote:
>>> Dear Peter,
>>>
>>> Sorry for the delay in getting back to you.
>>>
>>> Thank you for getting in touch with Senator Whish-Wilson regarding
>the encryption technologies being used on the Australian government's
>passport website. I have reviewed the correspondence on the link you
>included and see that Brendan chose to withdraw his FOI request due to
>the costs involved. Unfortunately we are subject to the same charges if
>we request documents from DFAT.
>>>
>>> We are drafting questions to the Minister for Foreign Affairs based
>on Brendan's questions. I will send them through to you for input to
>make sure we are covering the key questions you would like answers to.
>>>
>>> I will be in touch again soon.
>>>
>>> Kind regards,
>>>
>>> Megan
>>>
>>> Megan Jolly
>>> Office Manager
>>> Office of Senator Peter Whish-Wilson
>>> Australian Greens Senator for Tasmania
>>> PO Box 5194
>>> Launceston Tasmania 7250
>>> Ph: 03 6331 0033
>>> Fax: 03 6331 2044
>>> www.peter-whish-wilson.greensmps.org.au
>>>
>>> -----Original Message-----
>>> From: Peter Lawler [mailto:xxxxxxxxxxx@xxxxx.xxx]
>>> Sent: Thursday, 20 March 2014 8:23 PM
>>> To: Whish-Wilson, Peter (Senator)
>>> Cc: Brendan Molloy
>>> Subject: Encryption and Cipher of Australian Gov't Passport website
>>>
>>> Resend as per request:
>>> https://twitter.com/SenatorSurfer/status/446569010058903553
>>>
>>> ----
>>>
>>> (as per https://twitter.com/Tim_Beshara/status/433698337166860288)
>>>
>>> Dear Mr Whish-Wilson,
>>> Earlier this year, I noticed that http://www.passports.gov.au was
>>> running a selection of encryption technologies that had been
>abandoned
>>> last century as insecure.
>>>
>>> https://twitter.com/PeteLawler/status/422582395460526080
>>> https://twitter.com/PeteLawler/status/422585014769840130
>>>
>>> Before continuing, I'd ask you to get a screendump of the output of
>the
>>> following website, which gives a breakdown of the encryption/cipher
>>> quality as of the moment you make the website request.
>>>
>https://www.ssllabs.com/ssltest/analyze.html?d=www.passports.gov.au&s=203.39.89.146
>>>
>>> Most people just assume that if their web browser shows a 'lock'
>icon,
>>> and/or it's an 'https' connection, everything is OK. However these
>>> indicators merely indicate that SOME form of encryption is taking
>place.
>>> It does not give any indication of the QUALITY of the encryption.
>>>
>>> Unfortunately I have not been able to locate any screenshots or
>dumps I
>>> got of the site at that time, so all I can do for the moment is
>>> reference the tweets. However I do recall that the site was running
>a
>>> cipher that was abandoned back in the early days of Windows 95, when
>>> someone wrote a screensaver to break the encryption of the lock the
>>> screensaver ran with (thus, by letting the saver run it'd unlock the
>>> account). If we consider this was possible on machines nearly 20
>years
>>> ago without much trouble, one can imagine how 'simple' it would've
>been
>>> for anyone to decrypt the data being passed between citizens and
>DFAT's
>>> passport site.
>>>
>>> Please note that since then, the encryption and ciphers have been
>>> 'worked on' and are different from what I saw back then. At the
>time,
>>> SSLLabs.com rated passports.gov.au an 'F', the worst possible. Kind
>of
>>> ironic that SSLLabs.com still only rate the site as a 'C'
>>>
>https://www.ssllabs.com/ssltest/analyze.html?d=www.passports.gov.au&s=203.39.89.146
>>> (arguably, the three 'non-weak' ciphers that the site is currently
>using
>>> are in fact weak, but that's a debate for another day)
>>>
>>> Brendan Molloy noticed my comments and composed an FoI request, with
>>> some input from me.
>>>
>>>
>https://www.righttoknow.org.au/request/security_audit_of_wwwpassportsgo
>>>
>>> This request is very much 'on the money' as to the curious questions
>>> regarding the situation.
>>> ---
>>> a) Documents relating to security auditing policy used for
>>> determining the security of DFAT websites. This may for example
>>> include (but certainly are not limited to):
>>> i) Documents pertaining to minimum standards for SSL/TLS
>>> certificates, and
>>> ii) Documents pertaining to penetration testing that has been
>>> undertaken by the department to determine security standards have
>>> been met;
>>> b) Reports from any security audits conducted on the
>>> www.passports.gov.au website in the last 5 years; and
>>> c) Documents regarding changes made to the www.passports.gov.au
>>> website since January 2009.
>>> ---
>>>
>>> My point of view is that the Passports site was susceptible to 'Man
>In
>>> The Middle' attacks and decryption of any/all encrypted data. Thus
>there
>>> is a possibility that private information between citizens and the
>>> government in what must be considered one of the most sensitive ID
>areas
>>> possible,
>>>
>>> It would appear that DFAT are asking for over $600 from Mr Molloy so
>the
>>> public can find out how such a situation occurred and thus whether
>their
>>> own applications may have been vulnerable. I find this totally
>unacceptable.
>>>
>>> As both a Senator for my state of Tasmania, I request that you and
>your
>>> office place the same request to DFAT (or as similar as possible) as
>per
>>> what was originally submitted by Mr Molloy (again,
>>>
>https://www.righttoknow.org.au/request/security_audit_of_wwwpassportsgo
>>> ) on my behalf.
>>>
>>> Regards,
>>>
>>>
>>> Peter Lawler.
>>> PO Box 195
>>> Lindisfarne 7015
>>> AUSTRALIA
>>>
>>
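Two points made in the thread above, that SSL 3.0 is the last SSL and TLS 1.0 is colloquially "SSL 3.1", and that a lock icon only tells you that some encryption is in use rather than how good it is, both come down to two fields a client sends in its very first handshake message: the protocol version and the list of cipher suites it offers. The Python script below is an added example written for this page and is not code from anyone in the thread. It parses a TLS/SSL ClientHello, names the version and suites it finds, and flags anything that falls below a minimum policy. The policy (TLS 1.2 as the floor, the substrings used to mark a suite weak) and the two sample hellos are this example's own assumptions; the cipher suite codes are the real IANA values.

```python
import struct

# Wire-format protocol versions (major, minor). SSL 3.0 is 3.0 on the wire and
# TLS 1.0 is 3.1, which is where the colloquial name "SSL 3.1" comes from.
VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}

# Policy assumed for this example: anything below TLS 1.2 is flagged.
MIN_ACCEPTABLE_VERSION = (3, 3)

# A few real IANA cipher suite codes, enough to name the constructed samples.
CIPHER_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Substrings that mark a suite as weak under this example's policy.
WEAK_MARKERS = ("EXPORT", "RC4", "3DES", "DES_", "NULL", "MD5", "anon")


def suite_name(code):
    return CIPHER_NAMES.get(code, "unknown_0x%04x" % code)


def is_weak(name):
    return any(marker in name for marker in WEAK_MARKERS)


def parse_client_hello(data):
    """Decode the record header, handshake header and fixed-layout ClientHello
    fields (client_version, random, session_id, cipher_suites, compression).
    Extensions, if present, are left unparsed."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])
    record_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + record_len]
    if len(body) != record_len:
        raise ValueError("truncated record")
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")

    pos = 0

    def take(n):
        # Bounds-checked cursor over the handshake body.
        nonlocal pos
        if pos + n > len(hs):
            raise ValueError("ClientHello shorter than its declared fields")
        chunk = hs[pos:pos + n]
        pos += n
        return chunk

    client_version = tuple(take(2))
    take(32)                                   # client random
    session_id = take(take(1)[0])
    suites_len = struct.unpack("!H", take(2))[0]
    if suites_len % 2:
        raise ValueError("odd cipher_suites length")
    raw_suites = take(suites_len)
    suites = [struct.unpack("!H", raw_suites[i:i + 2])[0]
              for i in range(0, suites_len, 2)]
    compression = list(take(take(1)[0]))
    return {
        "record_version": record_version,
        "client_version": client_version,
        "session_id": session_id,
        "cipher_suites": suites,
        "compression": compression,
    }


def assess(data):
    """Apply the example policy to a ClientHello and report findings."""
    hello = parse_client_hello(data)
    version = hello["client_version"]
    names = [suite_name(c) for c in hello["cipher_suites"]]
    return {
        "version_name": VERSION_NAMES.get(version, "unknown %d.%d" % version),
        "version_ok": version >= MIN_ACCEPTABLE_VERSION,
        "weak_suites": [n for n in names if is_weak(n)],
        "strong_suites": [n for n in names if not is_weak(n)],
        # Only the null method (0) is acceptable; TLS compression is deprecated.
        "compression_ok": hello["compression"] == [0],
    }


def build_client_hello(version, suites, compression=(0,)):
    """Construct a minimal ClientHello (no extensions) for testing; the random
    field is a fixed byte pattern, not a real nonce."""
    body = bytes(version) + bytes(range(32)) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compression)]) + bytes(compression)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: an SSL 3.0 hello offering export/RC4/3DES suites, and a
# TLS 1.2 hello offering AEAD suites.
LEGACY_HELLO = build_client_hello((3, 0), [0x0003, 0x0004, 0x000A])
MODERN_HELLO = build_client_hello((3, 3), [0xC02F, 0xC030, 0x002F])

if __name__ == "__main__":
    for label, sample in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        print(label, assess(sample))
```

Run directly, the script prints the assessment of both samples: the legacy hello is reported as SSL 3.0 with every offered suite weak, the modern one as TLS 1.2 with none. The same `assess` function can be pointed at a ClientHello captured from a client of your own when checking what a server is being offered; what a server actually selects is in its ServerHello, which this example does not parse.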