The risk of Australian Government services hosted overseas
In this article, we hunt for websites under the .gov.au domain that are hosted outside Australia. We explain why running services associated with the Australian Government overseas is a risk, and how things are changing.
Shodan is a well-known scanner of the internet. Probably everyone is familiar with the search engine notorious for finding IoT cameras and remote desktop services unintentionally left wide open.
Australian Government domain names
The gov.au domain space is reserved for use by government entities in Australia. Since 2018, the allocation of these Second Level Domains (2LD) is delegated to the Digital Transformation Agency (DTA).
In short, *.gov.au domain names are reserved for state and local government bodies in Australia (e.g. ato.gov.au, passports.gov.au).
Missing regulations
At the time of writing, the DTA does not require these government bodies to host their services within Australia. Because of the lack of supervision, random websites, email servers and other services (associated with the Australian Government) ended up running outside of Australia.
Finding .gov.au services hosted overseas
This is where we circle back to the Shodan search engine. To find 2LDs hosted overseas, we need to punch in the query hostname:gov.au -country:AU. The result is about 200 websites, email servers and other internet services, all potentially hosted overseas.
Refining the search results
Before drawing any conclusion, the search results have to be processed manually and any false positives removed. For example, Content Delivery Networks (CDN) and SaaS products (e.g. Salesforce) are known to be running on overseas servers.
To refine the results, we need to change the search query to hostname:gov.au -country:AU -country:"AQ" -country:"HM" -country:"CC". This change excludes search results hosted on the external territories of Australia, such as Antarctica and the Cocos Islands.
Secondly, we need to handpick and remove any Content Delivery Networks (CDN) and SaaS services (e.g. Salesforce) known to operate outside of Australia. Although some of the SaaS products may also raise questions around data sovereignty, the focus of this research is self-hosted services.
Once the search results are hand-processed, the remaining list is small enough to put them under scrutiny.
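The hand-processing described above, written out as code. This is an added example and not part of the original article: the records mimic the shape of Shodan banners (ip_str, hostnames, location.country_code, org), the sample values are constructed (TEST-NET addresses, placeholder hostnames), and the CDN/SaaS organisation names are an assumed, incomplete list.

```python
# Added example (not from the original article): the manual refinement of
# Shodan results as code. Record shape mimics Shodan banners; values constructed.
from collections import defaultdict

# Codes treated as "inside Australia": AU plus its external territories.
AUSTRALIAN_CODES = {"AU", "AQ", "HM", "CC"}

# Organisations whose overseas presence is expected (CDN / SaaS). Assumed,
# incomplete list; these are dropped as false positives, like the hand-picking above.
KNOWN_CDN_SAAS = {"Cloudflare", "Akamai", "Salesforce"}

def is_gov_au(hostname: str) -> bool:
    """True only for hosts under the .gov.au 2LD (suffix match, not substring)."""
    h = hostname.lower().rstrip(".")
    return h == "gov.au" or h.endswith(".gov.au")

def overseas_self_hosted(banners):
    """Return {country_code: [(hostname, ip, org), ...]} for self-hosted
    .gov.au services geolocated outside Australian territory."""
    grouped = defaultdict(list)
    for b in banners:
        cc = b.get("location", {}).get("country_code")
        if cc in AUSTRALIAN_CODES or b.get("org") in KNOWN_CDN_SAAS:
            continue
        for host in b.get("hostnames", []):
            if is_gov_au(host):
                grouped[cc].append((host, b["ip_str"], b.get("org", "")))
    return dict(grouped)

# Constructed sample banners (TEST-NET addresses, placeholder hostnames).
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "hostnames": ["portal.example.gov.au"],
     "location": {"country_code": "US"}, "org": "Some Hosting LLC"},
    {"ip_str": "203.0.113.11", "hostnames": ["cdn.example.gov.au"],
     "location": {"country_code": "US"}, "org": "Cloudflare"},      # CDN, dropped
    {"ip_str": "203.0.113.12", "hostnames": ["mail.example.gov.au"],
     "location": {"country_code": "SG"}, "org": "Cloud VPS Pte"},
    {"ip_str": "203.0.113.13", "hostnames": ["station.example.gov.au"],
     "location": {"country_code": "HM"}, "org": "Territory ISP"},   # external territory
    {"ip_str": "203.0.113.14", "hostnames": ["fakegov.au"],
     "location": {"country_code": "NZ"}, "org": "Unrelated Host"},  # not under .gov.au
]

if __name__ == "__main__":
    for country, hosts in sorted(overseas_self_hosted(SAMPLE_BANNERS).items()):
        print(country)
        for host, ip, org in hosts:
            print(f"  {host} | {ip} | {org}")
```

The suffix check in is_gov_au is stricter than a plain hostname:gov.au match, so unrelated hosts whose name merely contains the string are not carried into the table.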
.gov.au services running outside Australia
The following table attempts to summarise what services are running outside of the Australian jurisdiction and the potential risks associated with these services.
United States
Domain Name | IP Address | IP Geolocation | Description | Potential Risks |
---|---|---|---|---|
emailservice.rba.gov.au | 209.119.0.200 | United States | Reserve Bank of Australia’s newsletter service (running on Listserv mailing list software) | Login page taking passwords, list of newsletter subscribers, contradictions with the Privacy Policy. |
imap.vic.gov.au | 198.58.96.158 | United States | Inner Melbourne Action Plan (IMAP) | |
mystic.ses.nsw.gov.au | 72.14.184.33 | United States | NSW State Emergency Services (SES) member database and mailing lists. | List of volunteers. |
newsroom.abf.gov.au | 208.86.167.230 | United States | Australian Border Force Newsroom | Login page taking passwords. |
ppwcma.vic.gov.au | 104.236.175.36 | United States | Port Phillip and Westernport Catchment Management Authority | Hosts ‘contact us’ form, hosts login page taking passwords. |
Singapore
Domain Name | IP Address | IP Geolocation | Description | Potential Risks |
---|---|---|---|---|
nrmclimate.vic.gov.au | 128.199.219.21 | Singapore | Provides access to climate change information developed by ten different Catchment Management Authorities in Victoria. | |
wgcma.vic.gov.au | 128.199.255.5 | Singapore | West Gippsland Catchment Management Authority | Hosts ‘contact us’ forms. |
www.ccyp.vic.gov.au | 128.199.139.241 | Singapore | Commission for Children and Young People | |
www.joondalup.wa.gov.au | 174.138.16.113 | Singapore | City of Joondalup (WA) Council | Takes online payments, hosts contact forms, hosts application forms taking personal details. |
New Zealand
Domain Name | IP Address | IP Geolocation | Description | Potential Risks |
---|---|---|---|---|
www.lhis.ehp.qld.gov.au | 131.203.91.107 | New Zealand | Queensland Living Heritage Information System (LHIS) | Login page taking passwords. |
Should I be worried?
Hosting services outside Australia is not necessarily a bad thing. For instance, web hosting charges may be lower, saving the taxpayer money. However, there are a few risks associated with the practice that may need to be addressed.
Password reuse
Login pages capture passwords. Compromised passwords (including reused passwords) are the number one reason behind companies being hacked and data breaches. For example, someone may decide to use the same password for:
- logging into a .gov.au website hosted in the United States; and
- the VPN service allowing full access to the internal network of a government agency.
In summary, passwords of users such as public sector employees and contractors appear to be transmitted via services running on the soil of foreign nations.
Contact us pages
Website visitors use ‘contact us’ web pages for submitting sensitive enquiries that would otherwise be sent over email (doh!) or discussed over the phone. For example, a business owner in Joondalup may ask the council about a planning application via the contact us form. Why is it necessary to route potentially sensitive enquiries via Singapore?
Conclusion
In summary, the gist of the issue (with services running from foreign soil) is that:
- websites associated with the Australian Government; and
- hosted in foreign countries like Singapore and the United States;
- transmit, process and store passwords and sensitive data belonging to Australian citizens and public sector employees/contractors.
One concerning issue is data sovereignty. Because overseas hosting providers follow the laws and legislation applicable where they operate, foreign law enforcement agencies and civil/criminal courts have the power to access data held on them with a subpoena.
Secondly, (puts tinfoil hat on) it is not unheard of for foreign intelligence agencies to be interested in people associated with government agencies. For example, the Reserve Bank of Australia seems to store its email list subscriber database in the United States. Similarly, the NSW State Emergency Services (SES) Unit Member Database also appears to be running from a US datacentre.
While both scenarios are unlikely and would probably have a limited impact on state security, Australian government organisations should limit any unnecessary exposure to foreign nations by choosing a domestic hosting provider.
On the plus side, the list of overseas services under the .gov.au 2LD is not that long.
How are things changing?
Encouragingly, the DTA is currently rolling out a Hosting Certification Framework to address the data sovereignty issues outlined above.
In addition, the federal government is also considering changing web hosting requirements when it comes to sensitive data.
These upcoming changes are welcome, as they would not only make the data sovereignty issues vanish but also support local IT businesses – small and large – during these tough times of recession.
In Part 2 of this series, we investigate what Service NSW has to do with a Russian datacentre.