The Pacific: General Aviation & Questions The place for students, instructors and charter guys in Oz, NZ and the rest of Oceania.

Stay sharp people...


Old 11th Jul 2018, 21:24
  #1 (permalink)  
Thread Starter
 
Join Date: Sep 2002
Location: Australia
Posts: 758
Stay sharp people...

Airport security card company reveals data hack as AFP investigates - ABC News (Australian Broadcasting Corporation)


Oh dear oh dear.....
currawong
Old 11th Jul 2018, 22:20
  #2 (permalink)  
 
Join Date: Mar 2018
Location: Melbourne
Posts: 104
Some gems from the article:
"Aviation ID Australia … advise that a localised portion of our website has been intentionally accessed by an unauthorised entity," managing director Ian Barker said.
That sentence alone from their MD indicates that he just has no idea how sensitive data should be securely stored. Websites are just a medium for users to access their data, not the data itself. If hacking a website gives the culprits straightforward access to the data, then these people have no idea what they are doing and shouldn't be processing ASIC applications in the first place!

Why are ASIC applications outsourced anyway? Isn't it only obvious that this is mitigating the standards it strives to achieve?

Now from the following two quotes:
This is not the first time Australia's aviation security system has come under scrutiny, with revelations in the past that people have been granted ASICs despite having criminal records or a history of association with radical Islamic groups such as Al Qaeda.
A federal report released last year revealed approximately 20 per cent of airport staff with access to planes have criminal convictions, including for drug trafficking.
I'd like someone (preferably a CASA statistician – hire one if you haven't yet, and give them a C-level role) to explain to me just to what measure they perceive aviation safety to be affected by such preposterously sloppy work by their contractors.

In my humble view, I feel that aviation is undergoing a much greater safety risk by allowing criminals with shoddy beliefs around airports and airliners that carry passengers in the tens or hundreds at a time than by imposing unaffordable maintenance standards on single engine aircraft, lest they all fall out of the skies (simultaneously).

Statistically it would take 100 to 200 single engine aircraft to crash (with fatalities!) to match the human cost of that of a single airliner with 200 souls, a statistical null-event, even within a whole year.

Last remark: security checks on domestic flights in Australia are a laughable joke (I don't think the wording can be strong enough). There's no ID check, scanners let just about anything go through. The only thing they insist on is that you leave your coffee at the gate to increase their onboard sales.
Okihara
Old 11th Jul 2018, 23:07
  #3 (permalink)  
 
Join Date: Feb 2016
Location: Aus
Posts: 56
I recently (as in last 3-4 months) renewed my ASIC with this company. No email correspondence received about the data breach. Should I be worried?
MagnumPI
Old 11th Jul 2018, 23:10
  #4 (permalink)  
 
Join Date: Feb 2016
Location: Aus
Posts: 56
Called them, according to the customer service person on the phone unless you received the email you are not affected. I asked the person if they were certain and she confidently replied yes...
MagnumPI
Old 11th Jul 2018, 23:16
  #5 (permalink)  
 
Join Date: Apr 2008
Location: on the ground
Posts: 131
A federal report released last year revealed approximately 20 per cent of airport staff with access to planes have criminal convictions, including for drug trafficking.
I wonder what proportion of the general adult population have criminal convictions? 2%? 5%? Unless it's 25%+ you'd have to think airports are being actively targeted for the "opportunities" they might provide! And even if these people have no malicious intent, I can't see them being the sorts of people who respect inconvenient rules if they can see a short cut...
nonsense
Old 11th Jul 2018, 23:21
  #6 (permalink)  
 
Join Date: Feb 2016
Location: Aus
Posts: 56
The entire ASIC process is a cancerous growth festering on the dying body of GA, I have written on this forum about it before. Why on earth are we putting up with paying for something that costs almost as much as a passport, yet is valid for only 2 years, and a passport is valid for 10!

The only purpose this serves is lining the pockets of some bottom feeders on the gravy train in Merimbula and elsewhere.
MagnumPI
Old 12th Jul 2018, 02:43
  #7 (permalink)  
Thread Starter
 
Join Date: Sep 2002
Location: Australia
Posts: 758
The ASIC is but one layer of security in Australia. To not have it would be negligent, given the security situation. It is not a magic bullet. It is just one layer.

It would seem to have realistic conditions attached to it under our circumstances.

I would urge those involved (probably all of us) to hope for the best but prepare for the worst.

Your details including certified copies of documents have probably been sold online. You are now in the gun for identity theft.

It is possible that those who may wish to do harm, now know who has access to sensitive areas/ information/ materials. And where you/ your family lives. This could make you a target for coercion or worse.

You figure it out.
currawong
Old 12th Jul 2018, 02:47
  #8 (permalink)  
 
Join Date: Apr 2003
Location: USA
Posts: 1,072
Originally Posted by currawong View Post
The ASIC is but one layer of security in Australia. To not have it would be negligent, given the security situation. It is not a magic bullet. It is just one layer.

It would seem to have realistic conditions attached to it under our circumstances.

I would urge those involved (probably all of us) to hope for the best but prepare for the worst.

Your details including certified copies of documents have probably been sold online. You are now in the gun for identity theft.

It is possible that those who may wish to do harm, now know who has access to sensitive areas/ information/ materials. And where you/ your family lives. This could make you a target for coercion or worse.

You figure it out.
class action? Put them out of business
havick
Old 12th Jul 2018, 05:46
  #9 (permalink)  
 
Join Date: Jul 2001
Location: Australia
Posts: 4,258
Folks,
I would point out that the company mentioned is only one of many companies that issue ASIC cards.
As for cards mentioned in the inquiry that had been issued to people with criminal records or "interesting" backgrounds, I am confident in saying that it was NOT this company, indeed some of the cases involved docks, not even aviation.
For example, most major airports are ASIC issuers, as are larger airlines.
I have no relationship with this company, I just want to see some balance in the comments.
Tootle pip!!
LeadSled
Old 12th Jul 2018, 05:54
  #10 (permalink)  
 
Join Date: Jul 2008
Location: Australia
Posts: 3
ASICS should never have been privatised.
Lookleft
Old 12th Jul 2018, 05:59
  #11 (permalink)  
 
Join Date: Oct 2005
Location: Australia
Posts: 648
CASA steered all the ASICs through one issuing body without giving people a list of options of issuing bodies or putting it out to tender. Now these hackers have your ARN as well. Well done, CASA.
Clare Prop
Old 12th Jul 2018, 06:01
  #12 (permalink)  
 
Join Date: Feb 2016
Location: Aus
Posts: 56
Originally Posted by currawong View Post
The ASIC is but one layer of security in Australia. To not have it would be negligent, given the security situation. It is not a magic bullet. It is just one layer.
Would it though? By all accounts the USA looked into a similar system post 9/11 and didn't go through with it.

Lord knows how many terrorists want to blow up Port Macquarie airport.

I guess the air is different after all in Australia!
MagnumPI
Old 12th Jul 2018, 06:41
  #13 (permalink)  
 
Join Date: Apr 2005
Location: Melbourne
Posts: 1,685
No data is safe. If a decent hacker wants to get in, they will. Government or private, it doesn't matter, it's not safe.
Squawk7700
Old 12th Jul 2018, 07:05
  #14 (permalink)  
 
Join Date: Nov 2001
Location: Australia/India
Posts: 2,385
Yabbut...the ASIC system itself creates the honeypot of concentrated identity data for hackers and the security vulnerability for exploitation by baddies. Only the law-abiding pay, and not just in money.
Lead Balloon
Old 12th Jul 2018, 07:14
  #15 (permalink)  
Thread Starter
 
Join Date: Sep 2002
Location: Australia
Posts: 758
Personally I don't think the AFP is up to this one. It is a national security issue. The threat is likely to have come from offshore.

Magnum, the USA came up with the TSA and Air Marshals. Not sure either suit our scenario.

As for crims on airports? GA is a vital part of the local infrastructure.
currawong
Old 12th Jul 2018, 08:39
  #16 (permalink)  
 
Join Date: Feb 2006
Location: Melbourne
Posts: 1,591
class action? Put them out of business
Why? It will make our lives harder.

CASA steered all the ASICs through one issuing body without giving people a list of options of issuing bodies or putting it out to tender. Now these hackers have your ARN as well. Well done, CASA.
Ummm - No.
1. Aviation ID exists because CASA made a complete dog's breakfast of its initial attempt to issue ASIC Cards. By complete dog's breakfast, I mean unmitigated disaster taking months to issue cards and losing applications, etc.
2. There are many other issuing bodies. But the system is centered around the airlines who issue their own ASIC cards. GA was left out in the cold by CASA and Aviation ID filled the vacuum.

Would it though? By all accounts the USA looked into a similar system post 9/11 and didn't go through with it.
100% correct.

After 9/11 both the FAA & CASA looked at aviation security. CASA wrote about a 2 page report and concluded we needed fences at airports, locks on GA aircraft and Aviation ID cards. The FAA wrote about a 50 page document that looked in depth at the risks associated with each of the different segments of GA (private, corporate, charter, training, sport, airshows, aerial agriculture) and concluded that the low risk of GA didn't warrant additional measures except for aerial ag which had some biosecurity concerns.

I read both documents in detail. Unfortunately, they are both long gone from the public websites.

We have ASIC cards because of lack of competence by CASA and the arrogant attitude it has to GA.

Who cares if Aviation ID are making money? The alternative will be more expensive with worse service via CASA. What we really need is a review of the whole security arrangements. It's time to ditch the aircraft locks, security gates and ASIC cards.
Old Akro
Old 12th Jul 2018, 10:10
  #17 (permalink)  
 
Join Date: Oct 2005
Location: Australia
Posts: 648
Old Akro,

Aviation ID Australia are a private company that were set up, according to their website, "as a service provided to Merimbula Airport in 2005".
Yes CASA made a complete hash of it at first and then outsourced it to this private company that was already doing it, via a direct link from their website. AFAIK without any tender process and certainly without any reference to other issuing bodies, so that most people think this is the only way to get an ASIC. Now this system has been hacked. Not all issuing bodies use online application forms which are vulnerable to hacking.
Clare Prop
Old 12th Jul 2018, 10:25
  #18 (permalink)  
 
Join Date: Aug 2000
Location: WA
Posts: 1,132
It is not correct to refer to CASA and aviation security in the same context. CASA has no input whatsoever into the enforcement of the ATSA and ATSR.
As for their relationship with Merimbula. When the ASIC debacle started back in about 2005 most, if not all, security controlled airports were automatically directed to become issuing bodies. That was culled back a few years ago to the relatively modest list that exists today. Merimbula from the outset through Aviation ID Australia set themselves up as a provider to GA. As Old Akro correctly said above, CASA made a complete dog's breakfast of it and although still required by legislation to be an issuing body, the day to day functions of receiving applications and issuing cards is done by AIDA.
I have been told that as a result of this breach the requirements that the Department has put on issuing bodies with regard to auditing of IT systems and gaining accreditation is going to be quite onerous - which is another word for expensive. The hacking appears to have been with the online submission of an applicant's data. Many issuing bodies continue to use a manual paper-based application process and the only online activity is the submission of the background check through the Department's secure website so unless you applied through AIDA or the other issuing body that was compromised, your information should remain safe.
YPJT
Old 12th Jul 2018, 12:06
  #19 (permalink)  
 
Join Date: Sep 2009
Location: space
Posts: 187
ASIC is a total waste of our money and a useless document. I am done re-proving myself as a non-terrorist every two years. Bin the whole system as it protects NO ONE!
The 9/11 culprits were PASSENGERS who had no requirement for ASIC.
zanthrus
Old 12th Jul 2018, 12:24
  #20 (permalink)  
 
Join Date: Aug 2000
Location: WA
Posts: 1,132
I for one don't dispute a lot of the misgivings about ASICs but sadly they are here to stay.
YPJT
