Geekzone: technology news, blogs, forums
BDFL
47995 posts

Uber Geek
+1 received by user: 3559

Administrator
Trusted
Geekzone
Subscriber

  Reply # 701248 15-Oct-2012 09:17

I don't know that, but my guess would be each Ministry has its own IT group instead of a consolidated one across the government. Does anyone know how it works?





1472 posts

Uber Geek
+1 received by user: 106


  Reply # 701250 15-Oct-2012 09:20

I remember going into the WINZ office to wait for my wife about 8 months ago and trying out the kiosks, and found that if you clicked on the Herald job page you could then access the full Herald and from there the full internet by clicking on links, so even then they were not secure.

gjm

619 posts

Ultimate Geek
+1 received by user: 40

Subscriber

  Reply # 701251 15-Oct-2012 09:20

I know there is definitely not just one across the govt, so I suspect they would have their own internal IT dept. Maybe the work experience guy set it up?




[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]

BDFL
47995 posts

Uber Geek
+1 received by user: 3559

Administrator
Trusted
Geekzone
Subscriber

  Reply # 701252 15-Oct-2012 09:22

I'm asking because I know a couple of folks working for the MBIE and I know they'd be terrified if that happened under their guardianship.





720 posts

Ultimate Geek
+1 received by user: 95


  Reply # 701254 15-Oct-2012 09:28

Why has the blogger not been arrested yet? It's not like he did it accidentally, he deliberately went and accessed the confidential files after being told how to do it.

The shoddy setup on the kiosks is a separate issue.






3402 posts

Uber Geek
+1 received by user: 800

Trusted

  Reply # 701262 15-Oct-2012 09:33

Because of the likely public outcry against someone who has exposed a serious problem, it would only make it worse for them.

1846 posts

Uber Geek
+1 received by user: 97

Trusted

  Reply # 701263 15-Oct-2012 09:37

For all the facepalms, headdesks etc. brought up here, what NZBen says here: http://www.ben.geek.nz/2012/10/how-it-works/ is probably so close to the truth it's not funny.

There's always a correct way, and a fast and cheap way. And even with risks attached, the bean counters and deadline-based project managers (as opposed to technically trained ones) will go for the quick and dirty.





Previously known as psycik

NextPVR Based HTPC:

2 x HVR3000 - DVB-S - Freeview, HVR3000 - DVB-T Freeview|HD, Nova-T 500 - Dual Freeview|HD, Digital Coax --> Yamaha RX-v540, 8600GT --> Samsung LA46A650D via HDMI
Clients:
Popcorn Hour A-100, 1xATV2, 1xATV3, Roku3
Windows 7 Ultimate Host
3x2TB, 1x3TB + 1x1.5TB using DriveBender, VMWare Workstation 10 with 1xW7, 2xW2k3 1xUbuntu 11.10 Desktop, 1xWHS2011, Plex

UnblockUS - Unblock your freedom

Choice!
693 posts

Ultimate Geek
+1 received by user: 6

Trusted
Subscriber

  Reply # 701271 15-Oct-2012 09:52

Here are my initial thoughts copied and pasted from my blog...

If I get time later today, I'd love to write more on this topic, especially since I've spent the last 10 years working in various government IT departments, and have also spent a considerable amount of time securing and testing various kiosk computers.

But for now I'll just say that this is a failure on so many levels it's difficult to know where to start. And while some are keen to jump to conclusions about the MSD security, we don't yet know the exact cause of the apparent open permissions - perhaps all file shares were readable to all users (I doubt it), or perhaps the account the kiosk computer logged in with was a member of a group that gave it way too many rights.

I'm still picking that Keith Ng was tipped off by either a current or ex-employee that had worked in or with the MSD IT department. In Keith's article, he confidently says that this exploit was available from any WINZ branch around NZ - he wouldn't know that for sure unless he had been told by someone knowledgeable.

Regardless, I believe he's done the right thing by publishing the details - this ensures that he'll get maximum effect.




Stuart Maxwell
Choice Technology (Managed IT Services)


gzt

3767 posts

Uber Geek
+1 received by user: 110

Subscriber

  Reply # 701279 15-Oct-2012 10:15

It is unclear exactly how the exposure occurred. In the one case imaginable the kiosk user is running as some kind of network admin user. In others the kiosk user may have network backup permissions for some obscure and bad reason. There are many possibilities in that area. Sometimes a user (or all users) are granted something during troubleshooting or to get a 'misbehaving' application or service to work then it accidentally gets left that way forever or worse it is then written into the standard configuration.

The case where the 'user' group has read and write access to a lot including call logs is just horrible and hard to imagine. A public kiosk user should never be a member of the 'user' group at all, but see above.

In combination, another common case is a culture where many users and network staff have been putting files and service outputs in 'user' accessible locations for network convenience reasons - like because staff could not find an admin to create a proper service user, or some other self-defeating network policy reason, so a culture develops where this is accepted (it should never be) just to get anything done.

I have seen comment that the journalist could be exposed to charges under the Crimes Act Amendment 2003. IMHO this is incorrect in this particular case. Ng is clearly acting as a journalist in the public interest and did not use his access to the system for personal gain. Add to this - it is likely he stayed close to responsible disclosure and communicated the issue to the party concerned a reasonable time before publication and/or before the issue could be exploited by a member of the public.

A full audit is required to determine how much information was accessed by members of the public during this time.

A wider and separate audit of ministry AD security and AD maintenance policy is also required.

http://www.nbr.co.nz/article/msd-opens-investigation-after-ng-exposes-massive-security-hole-ck-130658
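The audit gzt calls for above, and the over-privileged kiosk account Stuart Maxwell speculates about a few posts earlier, can both be checked with a script along these lines. This is an added example, not code from the thread, from MSD, or from any of the posters. It assumes a Windows file server with the SmbShare module (Windows Server 2012 or later) and the RSAT ActiveDirectory module; the kiosk account name 'kiosk-svc' is a placeholder, and the lists of "broad" and "privileged" groups are assumptions to adjust for the domain being audited. It reports share-level and NTFS-level entries that grant broad groups access to any non-administrative share, rates entries carrying write rights higher (the 'user' group with read *and* write access to call logs is the case gzt calls horrible), and resolves nested group membership so an account that is an admin only via a group-of-a-group is still caught.

```powershell
# Added example (not from the Geekzone thread or from MSD): audit shares for access
# granted to broad principals, and check a kiosk account for privileged group membership.
# Assumes: SmbShare module (file server), RSAT ActiveDirectory module (for the group check).
# $BroadPrincipals, $PrivilegedGroups and the account name 'kiosk-svc' are assumptions.

# Principals that should never hold rights on shares carrying case files or call logs.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Domain Users',
    'Domain Computers'
)

# Groups a public kiosk account should never belong to, directly or via nesting.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Administrators',
    'Backup Operators', 'Server Operators', 'Account Operators'
)

function Test-BroadPrincipal {
    param([string]$Identity)
    # Identities arrive as 'CONTOSO\Domain Users' or plain 'Everyone'; match either form.
    $name = ($Identity -split '\\')[-1]
    return (($BroadPrincipals -contains $Identity) -or ($BroadPrincipals -contains $name))
}

function Get-BroadShareAccess {
    # Every Allow entry, at share level and at NTFS level on the share root, that grants
    # a broad principal access. Entries that include write rights are rated High.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        # Layer 1: the share permissions themselves.
        foreach ($entry in (Get-SmbShareAccess -Name $share.Name)) {
            if ($entry.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $entry.AccountName)) {
                $findings.Add([pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Layer     = 'Share'
                    Principal = $entry.AccountName
                    Rights    = "$($entry.AccessRight)"
                    Severity  = $(if ("$($entry.AccessRight)" -in @('Change', 'Full')) { 'High' } else { 'Medium' })
                })
            }
        }
        # Layer 2: the NTFS ACL on the share root. Effective access is the intersection
        # of both layers, so a broad grant at either layer is worth knowing about.
        $acl = Get-Acl -Path $share.Path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $ace.IdentityReference.Value)) {
                $grantsWrite = (($ace.FileSystemRights -band $writeMask) -ne 0)
                $findings.Add([pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Layer     = 'NTFS'
                    Principal = $ace.IdentityReference.Value
                    Rights    = "$($ace.FileSystemRights)"
                    Severity  = $(if ($grantsWrite) { 'High' } else { 'Medium' })
                })
            }
        }
    }
    return $findings
}

function Get-PrivilegedGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) expands nested membership
    # server-side, so membership inherited through intermediate groups is reported too.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Where-Object { $PrivilegedGroups -contains $_.Name } |
        Select-Object Name, DistinguishedName
}

# Usage: run both checks and review anything rated High first.
Get-BroadShareAccess | Sort-Object Severity, Share | Format-Table -AutoSize
Get-PrivilegedGroupMembership -SamAccountName 'kiosk-svc'   # 'kiosk-svc' is a placeholder
```

Two design notes. The share check deliberately inspects both layers: a share exposed as Full to Everyone with tight NTFS permissions is not immediately readable, but it is one inheritance change away from being so, and a kiosk logged on as a domain account will satisfy 'Authenticated Users' and 'Domain Users' just as well as a staff member does. The group check uses the matching-rule-in-chain filter rather than Get-ADPrincipalGroupMembership because the latter reports only direct membership, and the "granted during troubleshooting and never removed" scenario gzt describes very often lives one level down in a nested group.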

339 posts

Ultimate Geek
+1 received by user: 102

Subscriber

  Reply # 701281 15-Oct-2012 10:17

Does anyone know what they have done to "close the kiosks" while they investigate this? Hopefully more than just power them down, or unplug the network cable...

Awesome
3703 posts

Uber Geek
+1 received by user: 311

Trusted
Subscriber

  Reply # 701294 15-Oct-2012 10:23

Don't MSD outsource at least some of their IT to Datacom?




Twitter: ajobbins

720 posts

Ultimate Geek
+1 received by user: 95


  Reply # 701308 15-Oct-2012 10:34

eXDee: Because of the likely public outcry against someone who has exposed a serious problem, it would only make it worse for them.


It's still an illegal access of a computer system .. doesn't matter if it was a piece of cake to achieve or really hard. Say for example it was not a simple thing to achieve and he had to "hack" his way into the files and then he bragged about it on his blog ... they'd arrest him straight away, how can this be different?

To my mind it is two different things:

1) He got told how to access files, he made the decision to go off and access those files ... that is where he went wrong, he should never ever ever ever have gone and done it. (I can tell you how to get into my neighbour's house without the key ... would you go do it? And then go through the undies drawer?)

2) Security for the kiosks at MSD is crap and someone needs dragging over the coals to explain why they were not fully tested out.

Sorry ... people doing stupid things and then getting praised for it irks me ... then I get more irked when stupider (I'm sure that is a word :-) people get all scared about enforcing the law.




657 posts

Ultimate Geek
+1 received by user: 5

Subscriber

  Reply # 701317 15-Oct-2012 10:38

It's still an illegal access of a computer system .. doesn't matter if it was a piece of cake to achieve or really hard. Say for example it was not a simple thing to achieve and he had to "hack" his way into the files and then he bragged about it on his blog ... they'd arrest him straight away, how can this be different?

To my mind it is two different things:

1) He got told how to access files, he made the decision to go off and access those files ... that is where he went wrong, he should never ever ever ever have gone and done it. (I can tell you how to get into my neighbour's house without the key ... would you go do it? And then go through the undies drawer?)

2) Security for the kiosks at MSD is crap and someone needs dragging over the coals to explain why they were not fully tested out.

Sorry ... people doing stupid things and then getting praised for it irks me ... then I get more irked when stupider (I'm sure that is a word :-) people get all scared about enforcing the law.


And this issue would have been addressed how exactly without this sort of exposure?



3402 posts

Uber Geek
+1 received by user: 800

Trusted

  Reply # 701322 15-Oct-2012 10:41

From December 2011:
A national review of Work and Income security has been triggered after the ''appalling'' breaches of privacy, which could result in prosecutions.


Right, so we know one of two things:
a) This system was set up since then
b) This claim they did a review of security is a pile of BS.

http://www.stuff.co.nz/national/6187390/WINZ-staff-under-fire

Choice!
693 posts

Ultimate Geek
+1 received by user: 6

Trusted
Subscriber

  Reply # 701325 15-Oct-2012 10:43





Stuart Maxwell
Choice Technology (Managed IT Services)

