Security Related ArticlesOne of the biggest headaches for Centrelink and the Government is trying to keep all of the information that they gather up to date and secure from prying eyes.
This includes hackers and (unfortunately) staff members. After all, without security no-one would trust the government with any information they give it.
One of the recent "security updates" is the use of "biometric data" (fingerprints). These are supposed to be much more secure. Unfortunately, these can be hacked (Digital Persona and on Mythbusters) just like most security
To view or hide an article just click on the title.
To find out exactly where each article came from click in the link imbedded in the pop-up title . This will open up a window and show the original article.
It Managers Support Keylogs To Monitor Staff
MICHAEL CRAWFORD, COMPUTERWORLD
Australian IT managers last week came out in support of the use of keylogging software to monitor staff access to customer records after Centrelink admitted it had been undertaking employee surveillance for the past year.
Centrelink revealed it had been tracking staff in the year-long project to identify inappropriate access to customer records which led to the sacking of 19 staff and the resignation of some other staff.
During this time there were 580 incidents of inappropriate browsing of the agency's records.
Centrelink CEO Jeff Whalan said a further five cases have been referred to the Australian Federal Police or the Department of Public Prosecutions.
General searches by Centrelink staff included unauthorized searches for welfare cheats and as a result of the surveillance, 19 staff have been sacked, 92 resigned when accused of privacy breaches, more than 300 faced salary deductions and fines, a further 46 staff were reprimanded with some others demoted or issued with a warning.
Whalan did not apologize for the tough stance taken last week, but pointed out that the agency has 25,000 staff so only 2 percent behaved inappropriately.
IT managers said the use of keyloggers or spyware has a relevant use in the enterprise.
Russell Close, head of IT within financial services firm Portfolio Partners said ethics isn't an issue if monitoring is conducted lawfully.
"It really depends on the situation; for monitoring of public records such as the police and government departments, keylogging could be very useful," Close said.
"There wouldn't be ethical issues if it is conducted lawfully and the data being monitored is a matter of public concern."
Another IT manager, who requested anonymity, said where employees are in breach of their contracts, the use of monitoring software cannot be considered unethical, especially when employees are forewarned.
"Personally I would not have a problem with using surveillance software to monitor staff."
Hank Jongen, Centrelink general manager, said the agency isn't using one particular type of keylogging software, but an enhanced monitoring system developed over the last two years that includes data matching processes.
"Our monitoring system logs all access to customer records; for example, it logs the time, date and details of the staff member who searched and accessed the record and our improved analysis techniques then establish whether the access to the customer record was inappropriate," Jongen said.
"Inappropriate access exists when a staff member accesses a customer record without a genuine business need. For example, it is inappropriate for staff to access the records of relatives or friends, even if it's at their request.
"Centrelink staff are well aware access to customer records is monitored and of their responsibilities when it comes to dealing with sensitive customer information. Centrelink also conducts training for staff to provide them with an awareness of ethics, privacy and fraud."
Jongen confirmed that Centrelink's security policy, available on the staff intranet, directly explains staff responsibilities under the Australian Public Service Code of Conduct relating to unauthorized access of customer records.
Dermot Browne, communications officer for the Community and Public Sector Union (CPSU) represents more than half the Centrelink workers affected.
Browne said Centrelink management has been upfront about the issue of unauthorized access to data.
He said the issue has been covered for the past three years and there was a comprehensive staff education process before the tracking software's adoption.
"I think most Centrelink workers accept that the rules are pretty clear; as a union we have tried to make sure the guidelines are widely understood," Browne said.
"In terms of representation, we will provide advice for investigations and if the investigations go off on the wrong tangent we will take it up and challenge Centrelink to get natural justice."
Novell scores Centrelink deal
By Sam Varghese
March 16, 2005
Novell has scored a deal with Centrelink to supply a security access system that will replace the existing one.
The company's government manager, Costa Kapantais, said the deal involved the replacement of Centrelink's existing Security Access Management System with a new system based on Novell's eDirectory, Nsure Identity Manager, Nsure Audit, and exteNd products.
He said the company would be using a combination of Linux and Solaris operating systems to implement the project.
The web-based architecture which will be provided is based on Novell's exteNd suite for the user interface and workflow layer of SAMS. The Nsure Identity Manager would will automate and integrate identity information.
Nsure Audit will provide the trail needed to track staff transactions while exteNd would be used to provide access to areas beyond what a staff member normally does - something similar to what is achieved by an access control list or ACL.
Kapantais said the project was likely to be completed by the end of the year. He said while existing hardware would be used, new components would be sourced by Centrelink.
"The Centrelink system is a mature one as they have been having it for a decade. This means that the new system we put in place will be about our most advanced," he said.
Centrelink employs 25,000 staff, in over 450 locations. The Centrelink IT group supports the fourth largest IT environment in Australia.
A media release from Novell quoted Centrelink's security and privacy national manager Pat Fegan as saying that the introduction of new technologies into Centrelink had created demands for integration of SAMS with new software products.
These did not easily interface with the existing SAMS architecture, but would integrate well with the planned Novell solution.
Centrelink backs up fingerprint scanners with Novell
Renai LeMay, ZDNet Australia
16 March 2005 03:27 PM
Tags: nsure, edirectory, extranet, extend, centrelink, identity management, ato, fingerprint
Centrelink has contracted Novell to provide identity management software to support its recently-outlined plans to roll out at least 31,000 fingerprint scanners across its nationwide network.
Under the deal, Novell will replace Centrelink's existing Security Access Management System (SAMS) with its own solution. The old solution, which Novell government manager Costa Kapantais told ZDNet Australia was developed in the mid-1990s on Sybase and SQL technology, will be replaced by the end of 2005 with a new system based on Novell's eDirectory, Nsure Identity Manager, Nsure Audit and exteNd products.
Kapantais confirmed that Novell's software would provide the back-end infrastructure to support the fingerprint scanners. "The SAMS system using our technology has the ability to manage that kind of technology," he said. "Currently the SAMS system manages their authentication tokens, which they use in their environment today. The new SAMS system will manage the biometric devices in the same sort of way. It's the back-end part of it."
The Novell government manager went on to say of the old SAMS solution "because it's based on old technology it's become more difficult to integrate new platforms and systems". Centrelink security and privacy national manager Pat Fegan confirmed this in a statement, saying: "The introduction of new technologies into Centrelink's IT infrastructure had imposed increasing demands for the integration of SAMS with new software product sets which did not readily interface with the existing SAMS architecture."
Centrelink's existing authentication scheme uses single use passwords generated after users enter a PIN code into a stand-alone device usually worn by staff around the neck.
Despite the fact that Centrelink is moving away from the single-use password scheme, Kapantais said the fact that the organisation even used such a scheme indicates that it was "a good five years ahead of most organisations" in the area of identity management. "Centrelink was one of the first organisations to deploy a stronger authentication system in the mid-to-late 90s," said Kapantais. "In our view, they're probably a generation ahead of any other client we've come across."
Kapantais also said the original system was based on a client/server model, which had technical issues "because a lot of the application logic was built into the client." However Novell was able to "build it [the application logic] into the network and into the directory," making the whole system a lot more flexible.
Government agencies who work closely with Centrelink will also be able to access Centrelink data through the new system. Kapantais mentioned the fact that "Centrelink provides applications for the Australian Tax Office (ATO) and the Health Insurance Commission (HIC) to access the delivery of integrated services."
However external agencies will need to use a Web interface: "Because it's a different kind of access, they're actually browser-based applications," said Kapantais. "There's a separate enrolment process for them versus the Centrelink employees."
Kapantais believes that Web access for at least several external agencies will be facilitated through a private extranet belonging to Centrelink's Family Assistance Office. "The users can be loaded into the directory and managed like they would any other user," he said. "You could say that people like HIC and ATO using the Family Assistance Office applications will be integrated somewhere through the system, but it's a small part of the system."
Kapantais said the Novell rollout will "happen this year. There will be components that will be deployed in the next month even, but it will probably happen by the end of this year. One of the reasons that we were able to win this [contract] was that we were able to simply add the system in and not muck around with existing systems." He added: "By the end of this year we hope to have it in production and running."
Centrelink ditches single password for fingerprints
Iain Ferguson, ZDNet Australia
15 March 2005 11:38 AM
Tags: fingerprint, iain, ferguson, centrelink, scanners, password, tender
Centrelink plans to dump its single-password user verification scheme for fingerprint scanners.
In a request for tender released today, Centrelink -- the Australian government's nationwide human services agency -- said the scanners would encompass its entire network, including the national support office, area support offices, call centres and customer centres.
The initial purchase is to be for 31,000 scanners. They are to be attached by Centrelink to all personal computers and laptops and will be used by staff in office environments and for remote access by mobile users for conection to Centrelink's computing environment, the agency said in the tender documents.
The one year deal may be extended for an additional two one-year extension options. Delivery of the scanners is due to start on 30 June after the RFT closes, the tenderer selection is completed and the contract signed -- due by 10 June.
Centrelink said tendered devices had to be "easy for all staff to use, acceptable to and useable by a large number of people from a number of diverse backgrounds.
"The Centrelink staff base comes from a diverse multicultural background and any device should not be difficult to use by any particular group of people".
The organisation said its staff in a particular location "can currently be required to enter their one-time password anywhere between 50 and 80 times per day for logon or screen unlock.
"It is highly desirable that the tendered device be robust enough to remain effective with a useage pattern of approximately 50 fingerprint scans per working day -- plus five percent for possible retries -- for a minimum period of three years".
A Centrelink spokesperson declined to comment on the tender.
Centrelink Privacy and Security Statement
Centrelink places great emphasis on maintaining and enhancing the privacy and security of your personal information. With a number of strong security measures in place and the continued development of our internet services, our main focus is on improving existing measures as well as keeping you informed about the latest developments.
- Collection of information
- When you send a message to Centrelink
- When using online services
- Access to information
- Use and disclosure of information
Collection of information
Centrelink collects a range of information about visits to the Centrelink website. The following information is stored for twelve months:
- entry and exit pages
- how often the site was used
- the time of day the site was accessed
- the length of time spent on the site
- how much information was downloaded
- if the visit is from a company or an individual
- if you are browsing from Australia or outside Australia
- the general area you visited from
- what browser types are being used.
When you send a message to Centrelink
You may provide personally identifiable information such as your name, physical address and email address, when you send us a message. Personal information collected by Centrelink is protected by the Privacy Act 1988 and the relevant confidentiality provisions contained in legislation administered by Centrelink.
When using online services
Please refer to the Privacy Notice for each online service for details.
Access to information
In the unlikely event of an investigation, a law enforcement agency or other government agency may exercise its legal authority to inspect our Internet Service Provider's logs.
Use and disclosure of information
Personal information provided to Centrelink when you send us a message will only be used for the purpose for which you have provided it. Your details will not be added to a general mailing list. Unless required by law, Centrelink will not disclose this information without your consent.
Cookies are pieces of information a website can transfer to an individual's computer hard drive.
Most internet browsers are preset to accept cookies, but you can choose if and how a cookie will be accepted by configuring the preferences and options in your browser.
While Centrelink does track some demographic information about website usage, we make no attempt to personally identify you in any way when you are in the public section of the Centrelink website. The type of demographic information generated when browsing the public site can include:
- Area Code
- Domain Name
- Geographic Region
- Time Zone
- determine whether your computer has support for cookies turned on (this allows us to advise that you need to enable cookies to use a particular service)
- help identify you during your secure session
- time your session so you will be logged off if you are not using the service for a specified time period
- maintain an audit trail of your secure session.
For more detailed information about privacy in general please refer to Privacy & Your Personal Information or ask Centrelink for a copy of the factsheet "Your Right to Privacy".
Your personal information is protected by law. These laws prohibit any person from accessing, using or disclosing any personal information in the possession of Centrelink unless it is in the performance of their duties or is in accordance with these laws. Penalties apply to those who fail to observe these provisions.
Centrelink encrypts all messages between the browser running on your PC and Centrelink's computers when these messages are sent from the Secure Messages section of the website.
The encryption process used by Centrelink is Secure Socket Layer (SSL). For SSL encryption to work, your browser must support SSL. Freely available browsers that support SSL include Netscape version 6.0 or later, Firefox version 1.0 or later and Microsoft Internet Explorer Version 4.0 or later. Go to our Downloads section of the site to get the latest version of these browsers.
While Centrelink endeavours to provide a secure internet environment, users should note that there are inherent risks associated with transmission of information via the internet. Centrelink provides alternative ways to obtain and provide information for those who do not wish to use public networks such as the internet. These include direct contact at a Customer Service Centre, telephone, facsimile or post. In some circumstances, the Centrelink security guidelines may also require us to send particular information by non-electronic means.
Note: Any link to an external site is provided for your information and convenience only. Centrelink does not endorse, monitor or control such sites (or any associated organisation, product or service) and is not responsible for their content, or your access or use of them. Without limiting the forgoing, you are advised to review their privacy and security statements and take precautions to ensure any content is accurate and downloaded software is safe.
If you have any privacy or security concerns please visit your nearest Centrelink Customer Service Centre for advice.