Geekzone: technology news, blogs, forums
Reply # 701583 15-Oct-2012 16:33

KiwiNZ: [removed on request]



Really? freitasm, is KiwiNZ coming from an MSD IP address? Because he seems to be claiming to have special insight into this case that I can't imagine anyone bar MSD IT having.

KiwiNZ, you claim several things that simply do not ring true. For a start, that anything was being done to segment these kiosks from the corporate network. This cannot be true, because it's just not that hard. Stick the kiosks on a new VLAN. Connect that VLAN to the internet via a TMG server with multiple NICs (or Squid if that's your thing). Job done. They could do this in a day, so unless they're actually thoroughly incompetent, there's no excuse. Not that incompetence is an excuse either, of course.

You also claim to be fully aware of the seriousness of the situation, while also claiming that this is somehow a bad thing. This is just absolute madness - the fact that someone, for example an abusive parent, can go rifle through the CYFS case files to find out where a child has been placed in protective custody is not just "serious", it's actually a clear and present danger. The ONLY course of action acceptable in this case is to take them offline. The inconvenience to a few beneficiaries absolutely doesn't hold a candle to that.

You also make some pretty in-depth claims about MSD's access and auditing policy that, unless you actually work for or with MSD, you could not possibly know for certain.

And really, calling the CEO would be a waste of time. The CEO isn't going to know what you're talking about because it's not their job. The CIO likely wouldn't give you the time of day, and the lower-level staff would be equally useless. And yes, I do work in government.
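As an added example, not code from this thread, from MSD or from any of the posters, here is one concrete shape of the segmentation Kyanar describes: a proxy host with one NIC on the kiosk VLAN and one on the outside, carrying an nftables ruleset for the host itself and the matching Squid access list. Everything specific in it is an assumption: the interface name, the kiosk VLAN and proxy address, the listening port, the use of Squid, and that Squid runs as the local user "squid". The script only prints both configurations unless invoked with "apply".

```shell
#!/bin/sh
# Added example, not code from the thread or from MSD: the segmentation
# Kyanar describes, done on a proxy host with two NICs (one on the kiosk
# VLAN, one on the outside). Everything below is an assumption:
#   KIOSK_IF   NIC facing the kiosk VLAN
#   KIOSK_NET  the kiosk VLAN
#   PROXY_IP   the proxy host's address on that VLAN
#   CORP_NETS  ranges the kiosks must never reach (here, all of RFC 1918)
#   the proxy is Squid and runs as the local user "squid"
KIOSK_IF=${KIOSK_IF:-eth1}
KIOSK_NET=${KIOSK_NET:-10.50.0.0/24}
PROXY_IP=${PROXY_IP:-10.50.0.1}
PROXY_PORT=${PROXY_PORT:-3128}
CORP_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# nftables ruleset for the proxy host. Three properties:
#  1. nothing is routed at all (forward policy drop), so a kiosk that sets
#     this host as its gateway still cannot reach the corporate VLANs;
#  2. from the kiosk NIC only TCP to the proxy listener is accepted
#     (plus DHCP, if this host hands out kiosk addresses);
#  3. the proxy process itself is refused any connection into private
#     address space, so a mistaken Squid ACL cannot leak corporate reachability.
kiosk_nft_ruleset() {
    corp_set=$(printf '%s' "$CORP_NETS" | sed 's/ /, /g')
    cat <<EOF
table inet kiosk_guard {
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "$KIOSK_IF" udp dport 67 accept
        iifname "$KIOSK_IF" ip saddr $KIOSK_NET ip daddr $PROXY_IP tcp dport $PROXY_PORT accept
        iifname "$KIOSK_IF" drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        meta skuid "squid" ip daddr { $corp_set } drop
    }
}
EOF
}

# Squid access list for the same host. Denials come before the single
# allow; "dst" matches the resolved destination address, so a corporate
# hostname is refused as surely as a raw corporate IP.
kiosk_squid_conf() {
    cat <<EOF
http_port $PROXY_IP:$PROXY_PORT
acl kiosks src $KIOSK_NET
acl corp_nets dst $CORP_NETS
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny corp_nets
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow kiosks
http_access deny all
EOF
}

# Sanity check on the generated Squid policy: the corporate denial must
# precede the kiosk allow, otherwise Squid's first-match semantics let
# the kiosks through. Returns 0 when the order is right.
squid_order_ok() {
    kiosk_squid_conf | awk '
        /^http_access deny corp_nets/ { deny = NR }
        /^http_access allow kiosks/   { allow = NR }
        END { exit !(deny && allow && deny < allow) }'
}

case "${1:-show}" in
    show)  kiosk_nft_ruleset; echo; kiosk_squid_conf ;;
    apply) squid_order_ok || exit 1
           kiosk_nft_ruleset | nft -f -            # needs root
           kiosk_squid_conf > /etc/squid/kiosk_access.conf ;;
esac
```

Two checks worth doing once this is in place: from a kiosk, try a direct connection to a corporate file server on TCP 445 and a proxied request to a corporate hostname, and confirm both fail while an ordinary proxied web request succeeds; and if IPv6 is enabled on the kiosk VLAN, add the equivalent ip6 rules (fc00::/7 at minimum), since the rules above only cover IPv4. This is the network half only; the kiosk operating system still needs locking down separately.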

Phil Gale
Reply # 701592 15-Oct-2012 16:38

If previously made aware of the issue, I also cannot fathom any response other than shutting down the kiosks immediately. Anything else is negligent.




Red Jungle: we make fantastic software
Reply # 701596 15-Oct-2012 16:44

Kyanar: The ONLY course of action acceptable in this case is to take them offline. 


+1, and at the very least, this level of access could equally be available to others/all users with access to the corporate network, or heck - if things are that open, who is to say a rogue staff member hasn't plugged a wireless router into the network somewhere and parks their car outside at night sucking down data.

MSD needs to go through a full and thorough independent security audit immediately.




Twitter: ajobbins

Reply # 701608 15-Oct-2012 16:59

KiwiNZ: OK, you all seemed to misunderstand what I was saying about the switch-off of the kiosks. Of course turning them off now is the prudent action to take; however, what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N


Reply # 701609 15-Oct-2012 16:59

It will be very interesting to see what happens here. I think the journalist needs to be charged; obviously the charges could easily be dropped, but left without a response it encourages any old Joe Blogger to go poking around at the other thousands of insecure systems in NZ. There was no need for him to go public on his blog with this information as the first course of action; it comes across as a bit of self-promotion.
On the other hand, it is a stupid mistake that someone has made, and I can understand the desire to expose that and hopefully scare everyone into thinking more about security.

Reply # 701611 15-Oct-2012 17:01

KiwiNZ: OK, you all seemed to misunderstand what I was saying about the switch-off of the kiosks. Of course turning them off now is the prudent action to take; however, what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Wow.
Public user kiosks have (had) access to Income Support files, CYF files and Benefit Crime unit files, did they not?

My opinion is that securing this very sensitive information far outweighs ensuring that the public has access to those kiosks. To suggest otherwise (by saying it's a bad thing) brings up a whole new set of questions for me...



Reply # 701613 15-Oct-2012 17:03

KiwiNZ:
Talkiet:
KiwiNZ: OK, you all seemed to misunderstand what I was saying about the switch-off of the kiosks. Of course turning them off now is the prudent action to take; however, what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said: "however, what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




I know you didn't EXPLICITLY say it, but you've been making darn sure everyone gets the impression you know a lot about the internal runnings... The way you worded your statement makes it seem very plausible that it was what you were suggesting (note I said suggesting, not stating).

Cheers - N


Reply # 701615 15-Oct-2012 17:06

KiwiNZ:
Talkiet:
KiwiNZ: OK, you all seemed to misunderstand what I was saying about the switch-off of the kiosks. Of course turning them off now is the prudent action to take; however, what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said: "however, what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




You still don't grasp the seriousness of the matter! If the MSD network staff knew about the issue - their only course of action would be to take them offline immediately and then start fixing the issue. Not leave the vulnerability open while they spend a week or two fixing it. Wow - I'm stunned by your responses, and am now convinced you must work for the MSD IT department.

Reply # 701622 15-Oct-2012 17:08

KiwiNZ: [snip]

See how judgement and conclusions can be so wrong when one is only using what is rumour and speculation. And a definite downside to forums etc.


So what then? You don't have any internal knowledge and you were totally just speculating that the IT staff may have been already trying to fix stuff? That totally doesn't gel with your earlier comments, where you seem pretty sure you know more about this than anyone else on Geekzone.

Cheers - N


Reply # 701635 15-Oct-2012 17:19

KiwiNZ: [snip]

Yes, I was speculating to prove a point; sheesh, think laterally. Again, what I was saying is NO one in this conversation will know what was happening in the background, but they are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


Sorry, I assumed you had some sort of inside knowledge when you have been saying things like

KiwiNZ: I can assure you I am fully aware of the seriousness and consequences of what is happening, probably more so than anyone currently involved with this thread.


Mind you, I shouldn't really have believed that as anyone that actually had inside knowledge of this would have to be UNBELIEVABLY secure in their professional capacity to comment on it in this forum unless officially authorised.

Cheers - N


Reply # 701636 15-Oct-2012 17:19

KiwiNZ: Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


We do know enough about the situation to categorically say that if anyone inside of MSD knew about this, or even suspected it, the ONLY acceptable course of action would be to IMMEDIATELY take all kiosks offline until an investigation was done and any security flaws identified and fixed.

If your suggestion (whether speculation or not) that MSD might have been 'fixing this in the background' was true, then all involved should be sacked. Again, if they even suspected this issue the ONLY reasonable action is to take those clients offline immediately.




Twitter: ajobbins

Reply # 701637 15-Oct-2012 17:24

KiwiNZ:
Talkiet:
KiwiNZ: OK, you all seemed to misunderstand what I was saying about the switch-off of the kiosks. Of course turning them off now is the prudent action to take; however, what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said: "however, what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




My reply to that is that the network staff likely had no idea whether someone who wasn't from the media was accessing the network and downloading files they should not have access to. What MSD got was a news story; it could have been so much worse. Think Anonymous leaking entire databases and server configurations.

Reply # 701639 15-Oct-2012 17:25

KiwiNZ: [snip]

Waiting until the reviews have been done is the correct process.


All that's been said notwithstanding, this is correct.

It's bad enough that this level of privacy breach was trivially available*; I would really hope that, as has also been suggested, the MOMENT someone internal became aware of it they moved heaven and earth to have access removed immediately.

Cheers - N

* - Assuming what the media has reported is even approximately accurate.

Reply # 701641 15-Oct-2012 17:28

KiwiNZ: It's possible to hack a bank terminal or intercept an Eftpos terminal, so those should all be immediately taken offline.


Nice trolling...

Reply # 701645 15-Oct-2012 17:31

KiwiNZ:
ajobbins:
KiwiNZ: Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


We do know enough about the situation to categorically say that if anyone inside of MSD knew about this, or even suspected it, the ONLY acceptable course of action would be to IMMEDIATELY take all kiosks offline until an investigation was done and any security flaws identified and fixed.

If your suggestion (whether speculation or not) that MSD might have been 'fixing this in the background' was true, then all involved should be sacked. Again, if they even suspected this issue the ONLY reasonable action is to take those clients offline immediately.


It's possible to hack a bank terminal or intercept an Eftpos terminal, so those should all be immediately taken offline.


If anyone could walk up to them, and without any form of authorisation or proper audit trail, get access to detailed bank records of thousands of other customers, then yes.

Oh, they can't? Nah, leave them on then.

Cheers - N

