Geekzone: technology news, blogs, forums
Reply # 701583 15-Oct-2012 16:33

KiwiNZ: [removed on request]



Really?  freitasm, is KiwiNZ coming from an MSD IP address?  Because he seems to be claiming to have special insight into this case that I can't imagine anyone bar MSD IT having.

KiwiNZ, you claim several things that simply do not ring true.  For a start, that anything was being done to segment these kiosks from the corporate network.  This cannot be true, because it's just not that hard.  Stick the kiosks on a new VLAN.  Connect that VLAN to the internet via a TMG server with multiple NICs (or Squid if that's your thing).  Job done.  They could do this in a day, so unless they're actually thoroughly incompetent, there's no excuse.  Not that incompetence is an excuse either of course.

You also claim to be fully aware of the seriousness of the situation, while also claiming that this is somehow a bad thing.  This is just absolute madness - the fact that someone, for example an abusive parent, can go rifle through the CYFS case files to find out where a child has been placed in protective custody is not just "serious", it's actually a clear and present danger.  The ONLY course of action acceptable in this case is to take them offline.  The inconvenience to a few beneficiaries absolutely doesn't hold a candle to that.

You also make some pretty in-depth claims about MSD's access and auditing policy that unless you actually work for or with MSD you could not possibly know for certain.

And really, calling the CEO would be a waste of time.  The CEO isn't going to know what you're talking about because it's not their job.  The CIO likely wouldn't give you the time of day, and the lower level staff would be equally useless.  And yes, I do work in government.




I finally have fibre!  Had to leave the country to get it though.
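One concrete realisation of the segmentation Kyanar describes above, as an added example that is not part of the original thread and not a description of anything MSD actually ran: a dual-homed Linux host sits between a dedicated kiosk VLAN and the corporate network, nftables forwards nothing between the two sides, and Squid on that host is the only way out, with its own ACL refusing RFC 1918 destinations. The interface names (eth1 on the kiosk side, eth0 on the corporate side), the kiosk subnet 192.0.2.0/24, the Squid service account "proxy", and the allowlisted domain example.org are placeholders chosen for the example, not details from the page.

```shell
#!/bin/sh
# Added example: render an nftables ruleset and a Squid ACL block for a
# dual-homed proxy host that isolates a kiosk VLAN from the corporate LAN.
# Interface names, subnet, service account and allowlist domain are placeholders.

# Emit the nftables ruleset for the proxy host.
#   $1 = kiosk-side interface, $2 = corporate-side interface, $3 = kiosk subnet
render_nft_ruleset() {
    kiosk_if="$1"; corp_if="$2"; kiosk_net="$3"
    cat <<EOF
table inet kiosk_edge {
    # RFC 1918 space: everything the kiosks must never be able to reach
    set corp_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # kiosks may talk to the proxy listener and nothing else on this host;
        # no DNS is needed, an explicit proxy receives the hostname from the browser
        iifname "$kiosk_if" ip saddr $kiosk_net tcp dport 3128 accept
        # administration only from the corporate side
        iifname "$corp_if" tcp dport 22 accept
        iifname "$corp_if" icmp type echo-request accept
    }
    chain forward {
        # nothing is routed between the two sides; Squid is the only path
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # belt and braces: even a misconfigured Squid (running as user "proxy",
        # an assumed service account) cannot open connections into corporate space
        meta skuid "proxy" ip daddr @corp_nets drop
    }
}
EOF
}

# Emit the Squid access rules for the kiosk subnet ($1).
render_squid_acl() {
    kiosk_net="$1"
    cat <<EOF
# Place ahead of any other http_access line in squid.conf.
acl kiosks src $kiosk_net
acl internal dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl kiosk_sites dstdomain .example.org
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Refuse internal destinations first, then allow only the named sites.
http_access deny kiosks internal
http_access deny kiosks !Safe_ports
http_access deny kiosks CONNECT !SSL_ports
http_access allow kiosks kiosk_sites
http_access deny all
EOF
}

# Sanity-check a rendered ruleset read from stdin: both filter chains must
# default to drop and the forward chain must contain no accept rule.
# Returns 0 when the isolation invariants hold, 1 otherwise.
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q 'hook input priority 0; policy drop;' || return 1
    printf '%s\n' "$rules" | grep -q 'hook forward priority 0; policy drop;' || return 1
    if printf '%s\n' "$rules" | sed -n '/chain forward {/,/}/p' | grep -q accept; then
        return 1
    fi
    return 0
}

# Usage: sh kiosk_edge.sh eth1 eth0 192.0.2.0/24
# Writes the nftables ruleset followed by the Squid block to stdout.
if [ "$#" -eq 3 ]; then
    render_nft_ruleset "$1" "$2" "$3" | check_ruleset || { echo "ruleset fails isolation check" >&2; exit 1; }
    render_nft_ruleset "$1" "$2" "$3"
    echo
    render_squid_acl "$3"
fi
```

The two layers deliberately overlap: the forward chain is what stops a kiosk reaching a corporate file share directly, and the Squid `internal` ACL plus the `skuid` output rule is what stops a kiosk doing the same thing through the proxy. Load the rendered ruleset with `nft -f` and keep `check_ruleset` in whatever change process touches it, so that a later "temporary" forward rule fails the check before it reaches the box.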


Phil Gale
Reply # 701592 15-Oct-2012 16:38

If previously made aware of the issue, I also cannot fathom any other response than shutting down the kiosks immediately. Anything else is negligent.




Red Jungle: we make fantastic software


Reply # 701596 15-Oct-2012 16:44

Kyanar: The ONLY course of action acceptable in this case is to take them offline. 


+1 and at the very least. This level of access could equally be available to others/all users with access to the corporate network, or heck - if things are that open, who is to say a rogue staff member hasn't plugged a wireless router into the network somewhere and parks their car outside at night sucking down data.

MSD needs to go through a full and thorough independent security audit immediately.




Twitter: ajobbins

Reply # 701608 15-Oct-2012 16:59

KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N


Reply # 701609 15-Oct-2012 16:59

It will be very interesting to see what happens here, I think the journalist needs to be charged, obviously the charges could easily be dropped but left without a response it encourages any old Joe Blogger to be poking around at the other thousands of insecure systems in NZ. There was no need for him to go public on his blog with this information as the first course of action, it comes across as a bit of self promotion.
On the other hand, it is a stupid mistake that someone has made and I can understand the desire to expose that and hopefully scare everyone into thinking more about security.

Reply # 701611 15-Oct-2012 17:01

KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Wow.
Public user kiosk has (had) access to Income Support files, CYF files and Benefit Crime units files did they not?

My opinion is that securing this very sensitive information far outweighs ensuring that the public has access to those kiosks. To suggest otherwise (by saying it's a bad thing) brings up a whole new set of questions for me...



Reply # 701613 15-Oct-2012 17:03

KiwiNZ:
Talkiet:
KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said: "however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




I know you didn't EXPLICITLY say it, but you've been making darn sure everyone gets the impression you know a lot about the internal runnings... The way you worded your statement makes it seem very plausible that it was what you were suggesting (note I said suggesting, not stating).

Cheers - N


Reply # 701615 15-Oct-2012 17:06

KiwiNZ:
Talkiet:
KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said: "however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




You still don't grasp the seriousness of the matter! If the MSD network staff knew about the issue - their only course of action would be to take them offline immediately and then start fixing the issue. Not leave the vulnerability open while they spend a week or two fixing it. Wow - I'm stunned by your responses, and am now convinced you must work for the MSD IT department.

Reply # 701622 15-Oct-2012 17:08

KiwiNZ: [snip]

See how judgement and conclusions can be so wrong when one is only using what is rumour and speculation. And a definite downside to forums etc.


So what then? You don't have any internal knowledge and you were totally just speculating that the IT staff may have been already trying to fix stuff? That totally doesn't gel with your earlier comments where you seem pretty sure you know more about this than anyone else on Geekzone.

Cheers - N


Reply # 701635 15-Oct-2012 17:19

KiwiNZ: [snip]

Yes I was speculating to prove a point, sheesh, think laterally. Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


Sorry, I assumed you had some sort of inside knowledge when you have been saying things like

KiwiNZ:I can assure you I am fully aware of the seriousness and consequences of what is happening probably more so than anyone currently involved with this thread.


Mind you, I shouldn't really have believed that as anyone that actually had inside knowledge of this would have to be UNBELIEVABLY secure in their professional capacity to comment on it in this forum unless officially authorised.

Cheers - N


Reply # 701636 15-Oct-2012 17:19

KiwiNZ: Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


We do know enough about the situation to categorically say that if anyone inside of MSD knew about this, or even suspected it, the ONLY acceptable course of action would be to IMMEDIATELY take all kiosks offline until an investigation was done and any security flaws identified and fixed.

If your suggestion (whether speculation or not) that MSD might have been 'fixing this in the background' was true, then all involved should be sacked. Again, if they even suspected this issue the ONLY reasonable action is to take those clients offline immediately.




Twitter: ajobbins

Reply # 701637 15-Oct-2012 17:24

KiwiNZ:
Talkiet:
KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said: "however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




My reply to that is that the network staff likely had no idea that someone who wasn't from the media was accessing the network and downloading files they should not have access to. What MSD got was a news story; it could have been so much worse. Think Anonymous leaking entire databases and server configurations.

Reply # 701639 15-Oct-2012 17:25

KiwiNZ: [snip]

Waiting until the reviews have been done is the correct process.


All that's been said notwithstanding, this is correct.

It's bad enough that this level of privacy breach was trivially available*, I would really hope that, as has also been suggested, the MOMENT someone internal became aware of it they moved heaven and earth to have access removed immediately.

Cheers - N

* - Assuming what the media has reported is even approximately accurate.

Reply # 701641 15-Oct-2012 17:28

KiwiNZ: it's possible to hack a Bank terminal or intercept an Eftpos terminal so those should all be immediately taken off line.


Nice trolling...

Reply # 701645 15-Oct-2012 17:31

KiwiNZ:
ajobbins:
KiwiNZ: Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


We do know enough about the situation to categorically say that if anyone inside of MSD knew about this, or even suspected it, the ONLY acceptable course of action would be to IMMEDIATELY take all kiosks offline until an investigation was done and any security flaws identified and fixed.

If your suggestion (whether speculation or not) that MSD might have been 'fixing this in the background' was true, then all involved should be sacked. Again, if they even suspected this issue the ONLY reasonable action is to take those clients offline immediately.


it's possible to hack a Bank terminal or intercept an Eftpos terminal so those should all be immediately taken off line.


If anyone could walk up to them, and without any form of authorisation or proper audit trail, get access to detailed bank records of thousands of other customers, then yes.

Oh, they can't? Nah, leave them on then.

Cheers - N

