At least seven Western Australian government agencies holding sensitive information have been found to have sorely inadequate database security measures, with easily guessed three letter passwords like ‘DBA’ still in use for some accounts with powerful system administrator privileges.
That’s the frightening conclusion of the Western Australian Auditor General after a security probe and penetration testing of 13 systems that found multiple instances of lax password security and unacceptable levels of potential exposures to hacking and data theft.
“We found many instances of database administrator accounts where the default usernames and passwords were still in use. These default user settings are widely known and often the first accounts someone would try to exploit,” the report issued by Auditor General Colin Murphy said.
“We also identified accounts with exceptionally easy to guess passwords. Examples include passwords that were the same as the username, passwords that were the same name as the application and passwords such as ‘test’, ‘password1’, ‘sqladmin’.”
While the Auditor General has not individually named and shamed specific lapses back to agencies – that would just create another security risk – the watchdog has named those probed; the list makes for sobering reading in terms of data that could potentially be compromised.
Those tested include the Department of Health, Department of the Attorney General (DotAG), Drug and Alcohol Office (now incorporated into the Mental Health Commission), Department of Local Government and Communities (DLGC), Legal Aid, Curtain University and Murdoch University.
The findings are certain to ring alarm bells in both the WA state government and Canberra as concern over the increasing number and sophistication of hacking raids escalates, particularly those suspected to come from nation states.
And it’s not just the sloppy selection of passwords that has the WA Auditor General worried.
Another serious problem appears to be the retention of passwords for years at a time when they should be periodically changed to mitigate risk.
“We found several agencies had not changed administrator account passwords anywhere from three to over 10 years. In one database, we found 17 highly privileged accounts that had never had their passwords changed,” the Audit report said.
“We also identified a large number of inactive user accounts, which had weak passwords or not had their passwords changed.”
There were also a swag of configuration issues, particularly around products from US database and applications giant Oracle, that created vulnerabilities. Western Australia remains a heavy user of Oracle’s products after the state government controversially signed-up many agencies several years ago.
“While many accounts we identified on Oracle Databases were ‘locked’, flaws in the configuration of the database may allow attackers to unlock them,” the Audit report said.
“An attacker that has access to an existing account can exploit these flaws to unlock other accounts. These additional accounts might have higher levels of access than the attacker’s account, or allow the attacker to go undetected by occupying an unused account.”
In terms of recommendations, at the top of the list is a strong call for agencies to implement the “the principle of least privilege and grant only those privileges needed to perform the business requirements of a role” as well as using strong passwords that have set expiry dates.
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at firstname.lastname@example.org.
Sign up to the Government News newsletter