Anonymous' AAPT plunder

Hackers may have made another ISP look foolish but the hit could actually increase demand for the draconian laws they want to prevent.

The Anonymous-branded hack of AAPT proves the point. Internet service providers (ISPs) can't be trusted to keep telecommunications data safe for use in criminal investigations. But we knew this already, and random hacks don't help.

AAPT chief executive David Yuile is working hard to downplay the seriousness of this data breach. His short, all-caps press statement spun the predictable spin. Sure, we lost some data, but it was old and there wasn't really that much of it. We'll contact those affected, but the rest of you can move along now.

There was even some bizarre Yuile paralogic claiming that the servers weren't being "used" by AAPT even though they held AAPT data. Uhuh.

As I've said before, this isn't good enough.

All companies have an obligation to protect this kind of data. All of it. All the time. Given the endless stories of data protection failures by everyone from Sony to Stratfor, Telstra to The Sun, we shouldn't be letting them get away with it with a bit of misdirection from the PR department.

For an ISP, though, data protection is meant to be a core competency. If major players like AAPT and Telstra can't get it right now, they certainly won't be able to get it right once they're given even more data protection responsibilities under the mooted cybercrime data retention regime.

It's almost inevitable that police and other investigators will be given access to ISP customers' email, web browsing and perhaps even social network activity logs in some form or other.

The current most likely outcome is embodied in the Cybercrime Legislation Amendment Bill 2011, just one Senate reading away from being law. Law enforcement agencies could, without warrant, require an ISP to start logging data about a customer's internet use. Later, they'd be able to access that data with a warrant.

From one angle this looks roughly like the way telephone communications are handled. Police can request your phone call records -- who, when, where -- without a warrant but do need a warrant to conduct an intercept and listen in.

However there are far more comprehensive proposals being floated, including a requirement for all ISPs to log all customer comms data for two years.

We're talking a huge amount of data here. We already see 250,000 warrantless requests for communications data each year, just for phone calls. Now add in every email, every website visit, every Facebook post, every Tweet, every Angry Birds game... it'll add up big time.

The challenge for ISPs will be keeping all this data safe from hackers, and even from their own staff.

They'll also have to keep it compartmentalised. Any ISP data retention regime will presumably mirror the existing system for telephone logs, so access to any individual's internet logs can only be granted to the specific individual investigators and lawyers working on that specific case -- with serious criminal penalties for any other access.

Small ISPs don't have the skill or budget to set up such a secure data repository. It'll spell their doom -- though they're already doomed by the looming costs of migrating their wholesale arrangements to the National Broadband Network.

Even big ISPs will fail to meet this challenge.

If you talk to penetration testers, the "white hat" hackers who evaluate the security of computer systems and networks, you'll soon learn that no matter what the target they can always find a way to break in.


Whether the bad guys actually do break in is simply a matter of risk versus return on investment. Whether they're sufficiently motivated by the potential gains, given the time and effort needed to plan and execute an attack that successfully avoids detection.

A warehouse containing detailed information on the personal communications of tens of thousands of people? That's an attractive, motivating target.

An attack doesn't even have to avoid detection. A noisy penetration, even leaving a "Kilroy was here" message, would cast reasonable doubt on the integrity of the data logs, potentially ruining their use in any criminal prosecution. That's even more motivating.

This latest Anonymous attack has, as the culprits intended, illustrated how the data of a major ISP (AAPT) held on servers at an established service provider (Melbourne IT) can be breached. But ISPs have already delivered this message to the government in less public forums, where it's more likely to influence policy.

The message delivered to the public by this Anonymous attack, when combined with all the scattergun attacks by the more numerous, less-focused wearers of the Guy Fawkes mask, is that the internet is under threat by unknown criminals who must be stopped.

The tactics of Anonymous will actually increase demand for the draconian laws they want to prevent. Time for a rethink, guys.

