In this article, we hunt for websites under the .gov.au domain that are hosted outside Australia. We explain why running services associated with the Australian Government overseas is a risk, and how things are changing.

Shodan is a well-known scanner of the internet. Probably everyone is familiar with the search engine, notorious for finding IoT cameras and remote desktop services unintentionally left wide open.

Australian Government domain names

The gov.au domain space is reserved for use by government entities in Australia. Since 2018, the allocation of these Second Level Domains (2LDs) has been delegated to the Digital Transformation Agency (DTA).

In short, *.gov.au domain names are reserved for state and local government bodies in Australia (e.g. ato.gov.au, passports.gov.au).

Missing regulations

At the time of writing, the DTA does not require these government bodies to host their services within Australia. Because of this lack of oversight, assorted websites, email servers and other services associated with the Australian Government have ended up running outside Australia.

Finding .gov.au services hosted overseas

This is where we circle back to the Shodan search engine. To find 2LDs hosted overseas, we enter the query hostname:gov.au -country:AU. The result is about 200 websites, email servers and other internet services, all potentially hosted overseas.

A total of 201 services hosted outside of Australia according to Shodan.

Refining the search results

Before drawing any conclusions, the search results have to be processed manually and false positives removed. For example, Content Delivery Networks (CDNs) and SaaS products (e.g. Salesforce) are known to run on overseas servers.

To refine the results, we change the search query to hostname:gov.au -country:AU -country:"AQ" -country:"HM" -country:"CC". This excludes results hosted in Australia's external territories, such as Antarctica and the Cocos Islands.

Second, we handpick and remove any Content Delivery Networks (CDN) and SaaS services (e.g. Salesforce) known to operate outside Australia. Although some SaaS products may also raise questions around data sovereignty, the focus of this research is self-hosted services.

Once the search results have been hand-processed, the remaining list is small enough to scrutinise entry by entry.
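The two refinement steps above (dropping Australia and its external territories, then dropping CDN/SaaS providers) are easy to get wrong by hand when a host shows up on several ports. The script below is an added example, not code from the original article: it applies the same filtering to records shaped like Shodan banner entries (ip_str, hostnames, org, location.country_code). The sample records and the CDN/SaaS organisation list are constructed for the example and are not real search results; with a real API key the matches would come from shodan.Shodan(api_key).search(query)["matches"].

```python
"""Refine Shodan-style search results for .gov.au hosts located overseas.

Added example. The records below are constructed to mimic the shape of Shodan
banner entries (ip_str, hostnames, org, location.country_code); they are not
real search results. The CDN/SaaS organisation list is an assumed starting
point that would be extended by hand while reviewing results.
"""
from collections import defaultdict

# Australia plus its external territories, which Shodan geolocates under their
# own ISO codes (Antarctica, Heard & McDonald Islands, Cocos (Keeling) Islands).
AUSTRALIAN_JURISDICTION = {"AU", "AQ", "HM", "CC"}

# Organisations whose overseas presence is expected (CDN edges, SaaS platforms).
# Assumed list for this example; in practice it is curated during manual review.
KNOWN_CDN_SAAS = {"Cloudflare", "Akamai Technologies", "Salesforce.com", "Fastly"}

# Constructed sample records (not real Shodan output) in the Shodan banner shape.
SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "hostnames": ["www.example.gov.au"], "org": "Example Hosting",
     "location": {"country_code": "US"}, "port": 443},
    {"ip_str": "192.0.2.11", "hostnames": ["mail.example.gov.au"], "org": "Example Hosting",
     "location": {"country_code": "AU"}, "port": 25},
    {"ip_str": "192.0.2.12", "hostnames": ["station.example.gov.au"], "org": "Example Hosting",
     "location": {"country_code": "AQ"}, "port": 80},
    {"ip_str": "192.0.2.13", "hostnames": ["cdn.example.gov.au"], "org": "Cloudflare",
     "location": {"country_code": "US"}, "port": 443},
    {"ip_str": "192.0.2.14", "hostnames": ["forms.example.gov.au"], "org": "Example Cloud",
     "location": {"country_code": "SG"}, "port": 443},
    {"ip_str": "192.0.2.14", "hostnames": ["forms.example.gov.au"], "org": "Example Cloud",
     "location": {"country_code": "SG"}, "port": 80},
    {"ip_str": "192.0.2.15", "hostnames": ["crm.example.gov.au"], "org": "Salesforce.com",
     "location": {"country_code": "US"}, "port": 443},
    {"ip_str": "198.51.100.7", "hostnames": ["www.example.com"], "org": "Example Hosting",
     "location": {"country_code": "US"}, "port": 443},
]


def is_gov_au(hostname):
    """True for hosts under gov.au (approximates the hostname:gov.au filter)."""
    h = hostname.lower().rstrip(".")
    return h == "gov.au" or h.endswith(".gov.au")


def refine(matches, jurisdiction=AUSTRALIAN_JURISDICTION, known_providers=KNOWN_CDN_SAAS):
    """Return overseas, self-hosted gov.au services, one entry per (hostname, ip).

    Mirrors the manual steps: drop anything geolocated in Australia or its
    external territories, then drop CDN/SaaS providers whose overseas footprint
    is expected. Several ports on the same host collapse into one entry.
    """
    seen = set()
    kept = []
    for m in matches:
        country = (m.get("location") or {}).get("country_code")
        if country in jurisdiction:
            continue
        if m.get("org") in known_providers:
            continue
        for host in m.get("hostnames", []):
            if not is_gov_au(host):
                continue
            key = (host.lower(), m["ip_str"])
            if key in seen:
                continue
            seen.add(key)
            kept.append({"hostname": host, "ip": m["ip_str"],
                         "country": country, "org": m.get("org")})
    return kept


def by_country(entries):
    """Group refined entries by country code, the way the tables below are laid out."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["country"]].append(e)
    return dict(grouped)


if __name__ == "__main__":
    for country, hosts in sorted(by_country(refine(SAMPLE_MATCHES)).items()):
        print(country)
        for h in hosts:
            print(f"  {h['hostname']:<28} {h['ip']:<16} {h['org']}")
```

Excluding by organisation name is deliberately conservative: a CDN edge in front of a gov.au site still means the origin may be hosted anywhere, so entries removed at this step are worth a second look rather than silently discarded.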

The refined search results page on Shodan.

.gov.au services running outside Australia

The following tables summarise which services are running outside the Australian jurisdiction and the potential risks associated with them.

United States

| Domain Name | IP Address | IP Geolocation | Description | Potential Risks |
| --- | --- | --- | --- | --- |
| emailservice.rba.gov.au | 209.119.0.200 | United States | Reserve Bank of Australia’s newsletter service (running on Listserv mailing list software) | Login page taking passwords, list of newsletter subscribers, contradictions with the Privacy Policy. |
| imap.vic.gov.au | 198.58.96.158 | United States | Inner Melbourne Action Plan (IMAP) | |
| mystic.ses.nsw.gov.au | 72.14.184.33 | United States | NSW State Emergency Services (SES) member database and mailing lists. | List of volunteers. |
| newsroom.abf.gov.au | 208.86.167.230 | United States | Australian Border Force Newsroom | Login page taking passwords. |
| ppwcma.vic.gov.au | 104.236.175.36 | United States | Port Phillip and Westernport Catchment Management Authority | Hosts ‘contact us’ form, hosts login page taking passwords. |

The Australian Border Force Newsroom takes passwords on a login page hosted in the US.

Singapore

| Domain Name | IP Address | IP Geolocation | Description | Potential Risks |
| --- | --- | --- | --- | --- |
| nrmclimate.vic.gov.au | 128.199.219.21 | Singapore | Provides access to climate change information developed by ten different Catchment Management Authorities in Victoria. | |
| wgcma.vic.gov.au | 128.199.255.5 | Singapore | West Gippsland Catchment Management Authority | Hosts ‘contact us’ forms. |
| www.ccyp.vic.gov.au | 128.199.139.241 | Singapore | Commission for Children and Young People | |
| www.joondalup.wa.gov.au | 174.138.16.113 | Singapore | City of Joondalup (WA) Council | Takes online payments, hosts contact forms, hosts application forms taking personal details. |

A contact us form routing messages via Singapore.

New Zealand

| Domain Name | IP Address | IP Geolocation | Description | Potential Risks |
| --- | --- | --- | --- | --- |
| www.lhis.ehp.qld.gov.au | 131.203.91.107 | New Zealand | Queensland Living Heritage Information System (LHIS) | Login page taking passwords. |

Queensland LHIS login page taking passwords through New Zealand.

Should I be worried?

Hosting services outside Australia is not necessarily a bad thing. For instance, web hosting charges may be lower, saving taxpayers money. However, there are a few risks associated with the practice that may need to be addressed.

Password reuse

Login pages capture passwords. Compromised passwords (including reused passwords) are the number one cause of companies being hacked and of data breaches. For example, someone may decide to use the same password:

  • for logging into a .gov.au website hosted in the United States; and
  • for the VPN service allowing full access to the internal network of a government agency.

In summary, passwords of users such as public sector employees and contractors appear to be transmitted via services running on the soil of foreign nations.

Contact us pages

Website visitors use ‘contact us’ web pages to submit sensitive enquiries that would normally be sent over email (doh!) or discussed over the phone. For example, a business owner in Joondalup may ask the council about a planning application through the contact us form. Why is it necessary to route potentially sensitive enquiries via Singapore?

Private messages sent through the contact form are routed via Singapore.

Conclusion

In summary, the gist of the issue with services running from foreign soil is that:

  • websites associated with the Australian Government,
  • hosted in foreign countries like Singapore and the United States,
  • transmit, process and store passwords and sensitive data belonging to Australian citizens and public sector employees/contractors.

One concern is data sovereignty. Because overseas hosting providers operate under the laws of the country they run in, foreign law enforcement agencies and civil/criminal courts have the power to access data held on them with a subpoena.

Secondly, (puts tinfoil hat on) it is not unheard of for foreign intelligence agencies to be interested in people associated with government agencies. For example, the Reserve Bank of Australia seems to store its email list subscriber database in the United States. Similarly, the NSW State Emergency Services (SES) Unit Member Database also appears to be running from a US datacentre.

NSW State Emergency Services Unit Member Database hosted in Salt Lake City, UT.

While both scenarios are unlikely and would probably have a limited impact on state security, Australian government organisations should limit any unnecessary exposure to foreign nations by choosing a domestic hosting provider.

On the plus side, the list of overseas services under the .gov.au 2LD is not that long.

How are things changing?

On the regulatory side, the DTA is currently rolling out a Hosting Certification Framework to address the data sovereignty issues outlined above.

In addition, the federal government is also considering changing web hosting requirements for sensitive data.

These upcoming changes are welcome, as they would not only make the data sovereignty issues vanish but also support local IT businesses – small and large – during these tough times of recession.

In Part 2 of this series, we investigate what Service NSW has to do with a Russian datacentre.