Geekzone: technology news, blogs, forums
Reply # 701583 15-Oct-2012 16:33

KiwiNZ: [removed on request]



Really?  freitasm, is KiwiNZ coming from an MSD IP address?  Because he seems to be claiming to have special insight into this case that I can't imagine anyone bar MSD IT having.

KiwiNZ, you claim several things that simply do not ring true.  For a start, that anything was being done to segment these kiosks from the corporate network.  This cannot be true, because it's just not that hard.  Stick the kiosks on a new VLAN.  Connect that VLAN to the internet via a TMG server with multiple NICs (or Squid if that's your thing).  Job done.  They could do this in a day, so unless they're actually thoroughly incompetent, there's no excuse.  Not that incompetence is an excuse either of course.

You also claim to be fully aware of the seriousness of the situation, while also claiming that this is somehow a bad thing.  This is just absolute madness - the fact that someone, for example an abusive parent, can go rifle through the CYFS case files to find out where a child has been placed in protective custody is not just "serious", it's actually a clear and present danger.  The ONLY course of action acceptable in this case is to take them offline.  The inconvenience to a few beneficiaries absolutely doesn't hold a candle to that.

You also make some pretty in-depth claims about MSD's access and auditing policy that unless you actually work for or with MSD you could not possibly know for certain.

And really, calling the CEO would be a waste of time.  The CEO isn't going to know what you're talking about because it's not their job.  The CIO likely wouldn't give you the time of day, and the lower level staff would be equally useless.  And yes, I do work in government.
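The segmentation sketched in the post above (kiosks on their own VLAN, reaching the internet only through a multi-homed proxy), written out as an added example that is not the poster's own configuration and is not MSD's: a script for the kiosk gateway host that emits an nftables ruleset and a Squid policy, checks that the ruleset never forwards kiosk traffic, and applies both only when asked to. It substitutes nftables and Squid for the TMG server the post mentions; the interface name vlan50, the kiosk range 10.50.0.0/24, the proxy address 10.50.0.1:3128 and the allow-list path /etc/squid/kiosk-allowed-domains.txt are assumed values, not anything reported about MSD.

```shell
#!/bin/sh
# Added example: isolate a public-kiosk VLAN from the corporate LAN.
# Assumed values (not from the thread): kiosk VLAN 10.50.0.0/24 arrives on
# interface vlan50 of the gateway host, which runs Squid on 10.50.0.1:3128.
KIOSK_IF="vlan50"
KIOSK_NET="10.50.0.0/24"
PROXY_IP="10.50.0.1"
PROXY_PORT="3128"

# nftables ruleset for the gateway: kiosks may talk only to the proxy (plus DNS
# and DHCP) on this host. Nothing arriving on the kiosk VLAN is ever forwarded,
# so the corporate RFC1918 ranges stay unreachable even if someone re-addresses
# a kiosk or plugs their own device into a kiosk port.
kiosk_nft_ruleset() {
  cat <<EOF
table inet kiosk {
  chain forward {
    type filter hook forward priority 0; policy accept;
    # explicit first: kiosk VLAN never reaches corporate address space
    iifname "$KIOSK_IF" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
    # then the general rule: kiosks are not routed anywhere, the proxy fetches for them
    iifname "$KIOSK_IF" drop
  }
  chain input {
    type filter hook input priority 0; policy accept;
    ct state established,related accept
    iifname "$KIOSK_IF" ip saddr $KIOSK_NET tcp dport $PROXY_PORT accept
    iifname "$KIOSK_IF" ip saddr $KIOSK_NET udp dport { 53, 67 } accept
    iifname "$KIOSK_IF" drop
  }
}
EOF
}

# Squid policy for the kiosk VLAN: only allow-listed sites over 80/443, and never
# a destination inside the corporate ranges, whatever hostname the kiosk asks for.
# The allow-list file (assumed path) holds one domain per line, e.g. .govt.nz.
kiosk_squid_conf() {
  cat <<EOF
http_port $PROXY_IP:$PROXY_PORT
acl kiosks src $KIOSK_NET
acl corp_nets dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl web_ports port 80 443
acl allowed_sites dstdomain "/etc/squid/kiosk-allowed-domains.txt"
http_access deny !web_ports
http_access deny corp_nets
http_access allow kiosks allowed_sites
http_access deny all
EOF
}

# Sanity check before applying: the forward chain must contain no accept rule
# for the kiosk interface. Returns 0 when the kiosk VLAN is isolated, 1 otherwise.
kiosk_forward_isolated() {
  if kiosk_nft_ruleset | sed -n '/chain forward/,/^  }$/p' \
      | grep -q "iifname \"$KIOSK_IF\".*accept"; then
    return 1
  fi
  return 0
}

# Only install the policy when run as "kiosk-segment.sh apply" (as root).
# Without arguments the script just defines the functions so the output can be reviewed.
if [ "${1:-}" = "apply" ]; then
  kiosk_forward_isolated || { echo "refusing: kiosk VLAN would be forwarded" >&2; exit 1; }
  kiosk_nft_ruleset | nft -f -
  kiosk_squid_conf > /etc/squid/squid.conf
  squid -k parse && squid -k reconfigure
fi
```

Review the generated text with `kiosk_nft_ruleset` and `kiosk_squid_conf` before running with `apply`. Two things the script cannot do for you: the switches carrying VLAN 50 must not bridge it onto any corporate VLAN, and the kiosk VLAN's only router should be this gateway, otherwise the drop rules here are simply bypassed.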

Phil Gale (Red Jungle)
Reply # 701592 15-Oct-2012 16:38

If previously made aware of the issue, I also cannot fathom any response other than shutting down the kiosks immediately. Anything else is negligent.




Red Jungle: we make fantastic software


Awesome
Reply # 701596 15-Oct-2012 16:44

Kyanar: The ONLY course of action acceptable in this case is to take them offline. 


+1 and at the very least. This level of access could equally be available to others/all users with access to the corporate network, or heck - if things are that open, who is to say a rogue staff member hasn't plugged a wireless router into the network somewhere and parks their car outside at night sucking down data.

MSD needs to go through a full and thorough independent security audit immediately.




Twitter: ajobbins

Telecom NZ
Reply # 701608 15-Oct-2012 16:59

KiwiNZ: OK, you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result: the clients will be with the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N


Reply # 701609 15-Oct-2012 16:59

It will be very interesting to see what happens here. I think the journalist needs to be charged; obviously the charges could easily be dropped, but left without a response it encourages any old Joe Blogger to be poking around at the other thousands of insecure systems in NZ. There was no need for him to go public on his blog with this information as the first course of action; it comes across as a bit of self promotion.
On the other hand, it is a stupid mistake that someone has made and I can understand the desire to expose that and hopefully scare everyone into thinking more about security.

Reply # 701611 15-Oct-2012 17:01

KiwiNZ: OK, you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result: the clients will be with the service until fixed, all for the sake of someone's 15 minutes.


Wow.
Public user kiosk has (had) access to Income Support files, CYF files and Benefit Crime units files did they not?

My opinion is that securing this very sensitive information far outweighs ensuring that the public has access to those kiosks. To suggest otherwise (by saying it's a bad thing) brings up a whole new set of questions for me...



Telecom NZ
Reply # 701613 15-Oct-2012 17:03

KiwiNZ:
Talkiet:
KiwiNZ: OK, you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result: the clients will be with the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said "however what I was saying is that is posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




I know you didn't EXPLICITLY say it, but you've been making darn sure everyone gets the impression you know a lot about the internal runnings... The way you worded your statement makes it seem very plausible that it was what you were suggesting (note I said suggesting, not stating).

Cheers - N


Choice!
Reply # 701615 15-Oct-2012 17:06

KiwiNZ:
Talkiet:
KiwiNZ: OK, you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result: the clients will be with the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said "however what I was saying is that is posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




You still don't grasp the seriousness of the matter! If the MSD network staff knew about the issue - their only course of action would be to take them offline immediately and then start fixing the issue. Not leave the vulnerability open while they spend a week or two fixing it. Wow - I'm stunned by your responses, and am now convinced you must work for the MSD IT department.




Stuart Maxwell
Choice Technology (Managed IT Services)


Telecom NZ
Reply # 701622 15-Oct-2012 17:08

KiwiNZ: [snip]

See how judgement and conclusions can be so wrong when one is only using what is rumour and speculation. A definite downside to forums etc.


So what then? You don't have any internal knowledge and you were totally just speculating that the IT staff may have been already trying to fix stuff? That totally doesn't gel with your earlier comments where you seem pretty sure you know more about this than anyone else on Geekzone.

Cheers - N


Telecom NZ
Reply # 701635 15-Oct-2012 17:19

KiwiNZ: [snip]

Yes I was speculating to prove a point, sheesh think laterally. Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


Sorry, I assumed you had some sort of inside knowledge when you have been saying things like

KiwiNZ:I can assure you I am fully aware of the seriousness and consequences of what is happening probably more so than anyone currently involved with this thread.


Mind you, I shouldn't really have believed that as anyone that actually had inside knowledge of this would have to be UNBELIEVABLY secure in their professional capacity to comment on it in this forum unless officially authorised.

Cheers - N


Awesome
Reply # 701636 15-Oct-2012 17:19

KiwiNZ: Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


We do know enough about the situation to categorically say that if anyone inside of MSD knew about this, or even suspected it, the ONLY acceptable course of action would be to IMMEDIATELY take all kiosks offline until an investigation was done and any security flaws identified and fixed.

If your suggestion (whether speculation or not) that MSD might have been 'fixing this in the background' was true, then all involved should be sacked. Again, if they even suspected this issue the ONLY reasonable action is to take those clients offline immediately.




Twitter: ajobbins

Reply # 701637 15-Oct-2012 17:24

KiwiNZ:
Talkiet:
KiwiNZ: OK, you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result: the clients will be with the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said "however what I was saying is that is posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




My reply to that is that the network staff likely had no idea that someone who wasn't from the media wasn't accessing the network and downloading files they should not have access to. What MSD got was a news story, it could have been so much worse. Think Anonymous leaking entire databases and server configurations.

Telecom NZ
Reply # 701639 15-Oct-2012 17:25

KiwiNZ: [snip]

Waiting until the reviews have been done is the correct process.


All that's been said notwithstanding, this is correct.

It's bad enough that this level of privacy breach was trivially available*. I would really hope that, as has also been suggested, the MOMENT someone internal became aware of it they moved heaven and earth to have access removed immediately.

Cheers - N

* - Assuming what the media has reported is even approximately accurate.

Choice!
Reply # 701641 15-Oct-2012 17:28

KiwiNZ: it's possible to hack a Bank terminal or intercept an Eftpos terminal so those should all be immediately taken off line.


Nice trolling...




Stuart Maxwell
Choice Technology (Managed IT Services)


Telecom NZ
Reply # 701645 15-Oct-2012 17:31

KiwiNZ:
ajobbins:
KiwiNZ: Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


We do know enough about the situation to categorically say that if anyone inside of MSD knew about this, or even suspected it, the ONLY acceptable course of action would be to IMMEDIATELY take all kiosks offline until an investigation was done and any security flaws identified and fixed.

If your suggestion (whether speculation or not) that MSD might have been 'fixing this in the background' was true, then all involved should be sacked. Again, if they even suspected this issue the ONLY reasonable action is to take those clients offline immediately.


it's possible to hack a Bank terminal or intercept an Eftpos terminal so those should all be immediately taken off line.


If anyone could walk up to them, and without any form of authorisation or proper audit trail, get access to detailed bank records of thousands of other customers, then yes.

Oh, they can't? Nah, leave them on then.

Cheers - N

