Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Australia Government Your Rights Online IT

Aussie PM Office Calls For Government Ban On Gmail, Hotmail 178

aesoteric writes "The Australian National Audit Office has called on all Australian government agencies to block free web-based email services like Gmail and Hotmail to mitigate security and information integrity risks. The auditor noted that such public email services 'should be blocked on agency IT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure.' Not surprisingly, the move is seen by some as an attempt to prevent a WikiLeaks-style disclosure from occurring."
This discussion has been archived. No new comments can be posted.

Aussie PM Office Calls For Government Ban On Gmail, Hotmail

Comments Filter:
  • Why not just block uploading/download attachments from those services. That seems like it would solve the problem for the most part, even if you could hand type or copy/paste sensitive informtiation the time to do so would be prohibative.

    • Once this session is in HTTPS how do you determine what's a POST for someone sending text and someone sending data?

      The only way to do it would be in the browser and not anywhere in the rest of the network. Simply from a management perspective, this just isn't possible.

      • by upuv ( 1201447 ) on Thursday March 24, 2011 @03:42AM (#35596140) Journal

        It is 100% possible and it is done ever day.

        The proxy terminates the https request and then creates a new https request going out. So yes you can tell if there is POST event. You can tell if it is a file. You may not be able to read the file as it may have separate encryption.

        • by Nursie ( 632944 )

          This relies on the browser trusting the proxy of course, and the proxy being able to fake being any/all websites.

          What sorts of systems can do this at the moment?

          I'm interested, because I can see it's possible to build it into an HTTP or HTTPS proxy, but there would be quite a lot of certificate futzing needed to get it working properly.

          • I can't completely answer the question, but it's worth noting that the system only works because the same entity has control of both the proxy and the client browser; they can set up their own internal CA if need be. And since the proxy is redirecting everything, trying to bypass it (e.g. running a browser of a usb drive) just means you can't get to anything over ssl.

            • by upuv ( 1201447 )

              You got it in 1. :)

              A large enterprise like the government can most definitely have this level of control over the proxy, internal CA and client standard operating environment.

              This is actually rather trivial to setup. I can assure you it is used in practice.

              Oh you can use your own browser. You just have to add the CA cert and make sure you use the proxy.pac file that a standard install would use. Some of the weirdo auth mechanism that some enterprises use can get in the way however.

              • by sorak ( 246725 ) on Thursday March 24, 2011 @08:01AM (#35597332)

                This is why nerds will never rule the world. We see an article about Governments blocking mail services with the intention of silencing would-be whistle-blowers, and the first thread is about "wouldn't this be a better way to accomplish that?" :)

                • Well, yes and no. One of the first steps in figuring out a fool-proof way to work around damage is to figure out what the damage is, or might be.

                  Gmail over Tor might work... assuming you can find any Tor peers that aren't yet blocked.

          • It is certainly done in certain companies. I'll not mention the company name (though it is no secret really) but I have a friend who works for a defence contractor who work on MoD projects, and they do this to monitor outgoing HTTPS connections. No machine that touches their network does so without running one of their locked-down OS builds, and all their builds include the certificate for their internal CA in the trusted list for the OS and any extra browsers. Once your CA cert is trusted by all your clie
            • Interesting. So this turns their proxy into a Man-In-The-Middle-Attack by faking the SSL certificate of the server you are trying to connect?

              • Exactly. Though it isn't really a MitM "attack" in their case as the behaviour of the proxy is well publicised internally so all staff should know about it.

                This is why self-signed certificates should not be used outside a testing/development environment: anyone who hacks into a proxy at your ISP, anyone running a public internet access service, or anyone on the same wireless network who manages an arp-spoofing attack in order to setup a transparent proxy, or anyone who manages a DNS poisoning attack, can
                • Is the software that does this fancy HTTPS interception and fake SSL cert generation typically off-the-shelf, or is it simple enough that companies write it themselves? If off-the-shelf, what this type of software be called?

          • Any Windows machine on a domain can be tricked instantly.

            Windows on a domain with enterprise certificate services installed trusts the domain certificate authority by default. The admins can then issue certs from that authority for any domain they like, which will be fully validated to anything using the Windows certificate store ... meaning Internet Explorer by default, firefox doesn't, which is freaking annoying and I don't remember what chrome does. Either way, you just simply only allow IE to be used/

          • Have a look at Microsoft Forefront Threat Management Gateway (It's the renamed ISA Server)

            It has full support for a man-in-the-middle HTTPS filtering module, with a wildcard certificate creation done for you as part of the wizard (the certificate is usually distributed in Active Directory to the clients)

            It does however prompt you that there may be legal issues in your company should you enable the HTTPS filtering without notifing your users, and it also will prompt anyone using the client-side component wit

        • OK, fair point.

          I've seen that technology being used as an anti-virus filter, but never seen it to be able to intercept specific streams. Especially pulling everything apart at the application level....

        • by Pieroxy ( 222434 )

          IIRC, the POST keyword in the http request is encrypted as well. EVERYTHING is encrypted. How can you tell if it's a file? I mean, everything is a stream of bits. Encrypted in https how can you tell the difference?

          • by jon3k ( 691256 )
            If the web proxy terminates the tunnel, decrypts the traffic, looks at it, and then recreates a new https connection to the actual destination. That's the argument anyway. As I posted above, I don't know of any forward proxies doing SSL termination, but technically I think it would be possible, so I wouldn't be surprised if there was web proxy software that did it.
            • How does it decrypt the traffic? It can't; only the parties in the SSL handshaking can do that, and that is the user's browser and the end server with its certificate.

              Other posts on this thread detail how this is possible: You work for company X and go to https://bank.com./ [bank.com.] Company X creates a Certificate Authority SSL certificate and installs it on all browsers. When you go to https://bank.com/ [bank.com] the proxy intercepts and pretends to be bank.com by generating a new server certificate for bank.com and talki

              • This is only possible if you are forced to use a browser with that CA cert installed, and the company has a proxy or other software/hardware that can essentially do a Man In The Middle attack.

                And since the subject of TFA is government-internal government-provided IT services and networks, that's not just feasible, it's easy. If you're on the gov.au internal network, you would be using hardware assets provided by the government for performing government duties. These hardware assets would be administrative

        • by jon3k ( 691256 )
          That's called SSL termination, and as far as I know is only done for reverse proxies, not forward proxies. If you're aware of a forward web proxy with this feature I would definitely be interested. I don't believe our current vendor (WebSense) does this, at least on the version we have in place (7.1).
          • (Disclaimer: I resell some Barracuda products to my clients)

            As far as I can tell, Barracuda's Web Filter does this. From the section of the help file associated with HTTPS filtering:

            [snip]

            HTTPS Filtering

            You can expand HTTP filtering to include HTTPS filtering. HTTPS traffic can be detected by content category filters and domain filters, as well as by blocking exceptions for all Web traffic, content category filters, and domain filters. This option is disabled by default.

            Limitations for enabling HTTPS

        • Surely, it will work because it's impossible for someone to encode stuff in Base64 or even Base36 and just paste in the email about 4-8K of characters at a time.
          Or maybe it's too hard to just create a 1x1 pixel PNG file in paint, run copy smallpicture.png+secretdocument.doc fakepicture.png in command line, and use this picture inline in the email...

    • by c0lo ( 1497653 )
      Attachments? Gmail uploads them by HTTP. GMail lets you use HTTPS to access GMail.
      Good luck detecting what is an attachment and when you just "copy/pasted sensitive information in the very body of the email".

      Even when blocking gmail/yahoo, still not addressing leakers using :
      a. a HTTP proxy (e.g. to access gmail).
      b. a private mailserver
      c. a combination of the above (one can arrange for tunneling through HTTP [wikipedia.org] a totally different protocol).

      • by deniable ( 76198 )
        That's assuming a browser, a connection and sensitive information on the same machine. If so, you've already lost. This idea is probably to stop the leaks of things that aren't secret but are embarrassing.
        • That's what I thought. There's no reason you couldn't just send the information out on another email service. Or set up a dropbox account, and post the files to that. There's a million different ways to get the data out there. Like you said, once you have confidential documents, a browser, and an internet connection, all bets are off. Unless you are running with a small white-list of sites, and you are really sure of what is on those web sites.
        • by rtb61 ( 674572 )

          More accurately the whole concept is that all email leaving or entering government departments adhere to similar principles of snail mail. That it adhere to the standards set forth by each department, with regards to record keeping and content.

          Bit of a miss of private email but then that is the quirk of employer supplied email versus employer supplied snail mail. With snail mail, you wrote in on company time, pilfered a stamp but you used non letter head paper and a blank envelope, nobody really cared di

      • by mirix ( 1649853 )

        Gmail forces HTTPS these days. Maybe there is an option to turn it off, but it is default. (it used to be the other way around, not too long ago).

      • by mwvdlee ( 775178 )

        d. a USB stick
        e. a printout

        • Physical theft scares most people more than electronic since you can easily be caught holding the evidence. A USB stick is relatively easy to conceal ... unless they do searches in and out.

          A print out? Anything of a size to be worth while is going to be big enough to be obvious that you're taking it out of the building.

          In the end however, its mostly the mental component that makes people do an electronic transfer rather than sneaker net. Since they can't see the data flowing out, they have less fear of

        • by jon3k ( 691256 )
          Depends on the environment, but both of those can be stopped relatively easy assuming you have control over the endpoint. Something as simple as the Microsoft Group Policy to disable USB mass storage devices and not having any printers, or restricting access to the printer network/VLAN from systems that contain sensitive information.
    • by deniable ( 76198 )
      Easier to just implement the evil bit.
    • by Dan541 ( 1032000 )

      I would think this is also to stop people from using their personal email accounts on the taxpayers time.

      • So people shouldn't have breaks? I thought you wanted productive employees.

        • by Dan541 ( 1032000 )

          Nice strawman. I never said anything about denying people breaks.

          • So people should have breaks, but be blocked from using personal email accounts during them, why?

            • by Dan541 ( 1032000 )

              No they shouldn't at all be blocked from using their own email. I send and receive emails all the time when on break, however I use my own equipment for that.
              Why should your employer allow you to use their system for anything other than the work they pay you for?

              • Why should your employer allow you to use their system for anything other than the work they pay you for?

                Because they are paying you to be in the office, not renting your fucking brain and soul for every second you're there.

                • by Dan541 ( 1032000 )

                  No they are paying you to do a job. What they are not paying you for is to use their equipment for your own personal activities. If you want to check personal email do it from your own system or not at all. Next you'll be wanting to borrow a company vehicle to help you move house.

              • I certainly hope you are not in management. Strict authoritarian for no good reason rule tends to alienate your employees. And let's be honest, preventing employees from checking their email is a dick move. Instead of going the extra mile for you, they will be thinking, "How long until I can quit this job?" I check personal email from work. In fact, I have all my accounts forward to a single account. I also bring in my own personal equipment to do my job at times. I have a large piece in there right
    • no, please let this be. This cracks me up. This is like closing a pinhole leak in a door but leaving the door open. The site suggests filtering of inbound and outbound emails, even though anyone leaking things who knows what they are doing will get around that incredibly easy.

      Steganography, easily done without using steganography. Rename a file to a different file type, and send it to someone. Done.

      • I don't know what software you use for virus scanning and such, but nothing they would use to filter files is going to give a flying fuck what the extension is. Content scanners realized in the 90s that file extensions don't mean jack shit.

        • bahahahahaha seriously? Go look around.

          You know what content scanners depend on? Knowing the type of content. You don't even need an extension to mask that.

    • Exactly, shows how little the PM knows about computers and what he is suggesting is going to affect such a broad spectrum of things, although here at work, we block gmail and hotmail, but this is only to avoid too much time spent on those sites, not for blocking uploading and downloading, as we still need to be able to do that for our daily activities.

  • Hyperbole much? (Score:5, Insightful)

    by Leafheart ( 1120885 ) on Thursday March 24, 2011 @02:43AM (#35595914)

    Now seriously guys, there are bad titles, and there are pathetic ones. This takes the cake as the prime of the prime on the latter camp. You make it sound like they want to ban it on Australia as a whole, while the truth is much more simple and in fact, valid. They simply urged the agencies to not use those services. The puzzlement should come from why are they using it anyway?

    This was an audit performed on the security of Government data and not an exercise on quashing free speech. FFS aesoteric and samzepous, this was so pathetic that it wasn't even funny.

    • Agreed and public servants should have better things to do than ping around personal e-mails all day. While with a proper security model the attachment aspect shouldn't matter for security, in practice it will. Also if you know what the Australian public sector is like I'd be concerned about my tax being used to pay for $50K for "counselling" and "support" to someone after being exposed to a naked pair of breasts in the workplace.

      • It seems that many if not most of the american politicians use gmail/yahoo from their offices to conduct state business on in order to hide from public discovery/freedom of information act... Perhaps the U.S. needs policies like this too!

        • by metlin ( 258108 )

          This is true in the US, as well.

          When I was at Los Alamos, you could not access public email sites -- although, you could (back then) access social media sites (Orkut, MySpace etc). Plus, they had blocked off access to all USB ports as well (that was around the time when they had the whole hard-drive missing and found thing going on).

    • by c0lo ( 1497653 )

      aesoteric and ..., this was so pathetic that it wasn't even funny.

      aesoteric [slashdot.org] a user that doesn't post comments, but only stories. And which's web page leads to...itnews.com.au.
      It is bound to lead to a double dose of advertising... with luck, the TFA may fall into "stuff that matters" category but... how muck luck can one have on /. these days?

      • by baegucb ( 18706 )

        ummm...you read TFA? You must be new here ;)

        • by jdgeorge ( 18767 )

          Dude, I know you oldtimers had the decency not to read the article, but please don't worry. Most of us newcomers didn't read it either. Besides, there's no specific evidence that the GP actually read the article, only that he or she followed the link. And checked the profile of the other user.

          Wait, seriously? Slashdot has a user profile section? Whoah, look... all my old comments are there.... ;-)

    • Re:Hyperbole much? (Score:5, Interesting)

      by aesoteric ( 1344297 ) on Thursday March 24, 2011 @03:58AM (#35596204)
      I actually agree. The title is inaccurate. It's also not the one that was submitted.
      • How about a new hyperbole? Slashdot editors are trying to control what we see and think. I was getting bored with the usual terrorist and government boogeymen anyway.

    • What's more the majority of Australian government sites already block hotmail and gmail as well as most other ISP and internet mail providers and have done so for a long time.
    • Re:Hyperbole much? (Score:5, Informative)

      by Cimexus ( 1355033 ) on Thursday March 24, 2011 @05:54AM (#35596702)

      I've worked in quite a few Australian Govt. Departments (Commonwealth and State). In at least three-quarters of them, webmail such as Gmail and Yahoo and Hotmail were ~already blocked~. So this recommendation I suppose is just to pull the few departments that haven't already blocked them, into line.

      • It is the same in US Gov already. Most (if not all) US government agencies block all of these sites. Some people I know ( >.> ) just use an SSH proxy with SOCKS support to use their home computers to access their gmail-based webmail accounts.
    • Hey, now. How are we supposed to get our daily dose of Nerd Rage if people like you keep using common sense and critical thinking? You're supposed to froth at the mouth about Australia's evil government censorship, not actually read the article!
    • by pz ( 113803 )

      Agreed.

      In the US, where governmental records are required by law to be kept, using a non-governmental privately-owned system for email that is (a) insecure, and (b) likely not compliant with the necessary auditing and archiving requirements, (c) likely not subject to FOIA, when the email is for official business is against the law in many states in addition to being just outright stupid. As in ex-Gov. Palin stupid, remember?

      There is no reason for the government employees to be using GMail or Hotmail for th

  • by Elimental ( 2013582 ) on Thursday March 24, 2011 @02:54AM (#35595954)

    In the private sector I have been doing this for years, because of security. If a user want to access his Gmail/private mail he can use his mobile not via my network and if management agrees I would place a shared system in areas that is on a separate network for such uses.

  • If I want to get a file off a computer with Internet access, it WILL happen.

    • If I want to get a file off a computer with Internet access, it WILL happen.

      Perhaps. But if your employee handbook forbids it, the vast majority of file sharing sites and email sites are locked down, your USB port is disabled, and you can't burn CDs or DVDs, your machine is locked down and can't join an unauthorized WiFi network, your Bluetooth is disabled, and there's an application firewall that proxies (and inspects) your SSL packets, a DLP engine scanning your outbound mail through company servers, and 20 other things that can be done... guess what, your IT security team has do

  • Obviously they can't come out and say directly that Google doesn't protect your from CIA BS, nor from the CIA's Wikileaks media outlet. They would be considered conspiracy nuts (as you consider me after reading this).

  • There are literally more than 290.000.000 of ways to upload data to the internet. Blocking 2 gets you a list of 289.999.999 ways. On top of that, people can use his phones, usb drives, etc.

    Proper safety stuff is *nothing* like that.
    Anyway could be a first step in a "defense in deep" protection, to achieve a 2% or 5% more protection.

  • by Chrisq ( 894406 ) on Thursday March 24, 2011 @03:11AM (#35596032)
    it is not unusual for companies to block webmail. I don't see why government departments shouldn't do it either. As others have pointed out anyone who is determined will get information out anyway, but it does prevent the "casual" release, either accidental "There's a lot of hassle in the office, I haver heard people say the merger might be off" deliberate but non-malicious "I'll email this document home and I can finish it this evening" or malicious "I'll email this home then if I don't get my pay rise.....".
  • by upuv ( 1201447 ) on Thursday March 24, 2011 @03:21AM (#35596062) Journal

    I don't have to mention how much of nothing this solves.

    The real issue is non-IT people making IT decisions.

    • by dbIII ( 701233 ) on Thursday March 24, 2011 @03:43AM (#35596146)
      Remember Sarah Palin and her webmail that somebody got into by just answering some incredibly easy "security" questions? If I was in government IT security I'd be recommending that nothing remotely important was sent to or from hotmail etc.
      There's also the archiving problem. An important email sent to or from hotmail may disappear into a black hole never to be seen again within a year so you are out of luck if you want the information in it after that date.
      Then there's the "paper trail". We wouldn't have had so much on Poindexter and North selling weapons to terrorists (Hezbolla via Iran after Hezbolla killed all those US Marines) if their emails hadn't been on the backup tapes. That's one reason why places have rules about not using hotmail etc.
      Finally, gmail may be stable but if you are a University that has outsourced your students mail to hotmail and a stupid internal Microsoft DNS error prevents them getting email your trouble ticket gets put in a queue for a week before it gets fixed. That's for paying customers. Lost mail and no access for over a week. Now consider how those on free accounts are going to get treated when things go wrong.
      It really is quite stupid to rely on it for anything work related if you want to pretend to be any sort of professional organisation.
    • Where did you come up with this? Many corporations in the US block external mail sites - in fact, the one I work at does. Its quite simple - to keep proprietary and classified information from inadvertantly leaving the company. Its amazing what people think is information that can be publicly shared. Restricting webmail, and forcing everyone to use the company e-mail, cuts down on the number of leaks. Of course, you can still use your iPhone or Blackberry or Android in the office for personal stuff, the ide

  • And scan all email for viruses and malware? I've never so much as had a peep from anything I've gotten in GMail in 5 years.

  • I can definitely say, as an Australian Federal Public Service employee that web-based email is completely blocked. It is actually cause for immediate dismissal if you try to access them.
  • by The Fanta Menace ( 607612 ) on Thursday March 24, 2011 @06:11AM (#35596788) Homepage
    Blocking webmail services is like whack-a-mole. There's likely to be one somewhere that you'll miss, and when the potential leakers (henceforth known as patriots) find it, you're back to square one.

Keep up the good work! But please don't ask me to help.

Working...