Ministry of Social Development security woes

Check our new Geekzone Price Comparison web site for electronics prices in New Zealand.

Forums › IT Pro › Ministry of Social Development security woes

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9

29 posts

Geek

Reply # 701649 15-Oct-2012 17:34
amanzi: KiwiNZ: it's possible to hack a Bank terminal or intercept a Eftpos terminal so those should all be immediately taken off line. Nice trolling... Not really, it was actually a kinda lame attempt at trolling. I hope someone has screenshot his statements regarding the MSD knowing about this problem for at least a couple of weeks. Along with his numerous statements saying that he had inside knowledge. They may become useful to Mr Ng in court :-)

Talkiet

1431 posts

Uber Geek

Trusted

Telecom NZ

Reply # 701653 15-Oct-2012 17:37
KiwiNZ: [snip] my point was nearly every device, server etc has vulnerabilities taking systems offline because of risks is just not always feasible. This statement of yours is absolutely correct. A vulnerability would need to be serious, easy to exploit, involve sensitive data and have no real audit trail before someone should consider immediately taking a system offline - and the systems would need to be not critical to the core business functions of the company. Now, do you think the public access terminals being discussed here fit that description? Cheers - N

Talkiet

1431 posts

Uber Geek

Trusted

Telecom NZ

Reply # 701656 15-Oct-2012 17:43
KiwiNZ: Talkiet: KiwiNZ: [snip] my point was nearly every device, server etc has vulnerabilities taking systems offline because of risks is just not always feasible. This statement of yours is absolutely correct. A vulnerability would need to be serious, easy to exploit, involve sensitive data and have no real audit trail before someone should consider immediately taking a system offline - and the systems would need to be not critical to the core business functions of the company. Now, do you think the public access terminals being discussed here fit that description? Cheers - N I agree, however iam prepared to wait until the FULL facts are known, even the the thread title is wrong and alarmist. How much security did the intruder have to break in order to get in, was he using a third parties access to get in, etc etc etc I advise you to read the original post by Mr Ng to answer those questions. Cheers - N

ajobbins

Awesome
3090 posts

Uber Geek

Trusted

Subscriber

Reply # 701657 15-Oct-2012 17:45
Talkiet: KiwiNZ: [snip] my point was nearly every device, server etc has vulnerabilities taking systems offline because of risks is just not always feasible. This statement of yours is absolutely correct. A vulnerability would need to be serious, easy to exploit, involve sensitive data and have no real audit trail before someone should consider immediately taking a system offline - and the systems would need to be not critical to the core business functions of the company. Now, do you think the public access terminals being discussed here fit that description? Cheers - N ^ THIS. KiwiNZ - I really don't think that you are grasping the seriousness of this situation, at least your posts demonstrate you do not. Twitter: ajobbins

tigercorp

415 posts

Ultimate Geek

Subscriber

Reply # 701675 15-Oct-2012 18:17
I wonder how many other departments with public facing terminals have quietly launched their own security audits today? :D

gjm

500 posts

Ultimate Geek

Reply # 701679 15-Oct-2012 18:27
The guy that decided hooking up public facing terminals to the corporate LAN was a good idea should get fired, end of. Any even semi competent tech would never even consider such a thing. As mentioned previously this is trivial to do with vlans if it wasn't feasible to have two physically disparate networks. So much face palm :8

freitasm

BDFL
44238 posts

Uber Geek

Administrator

Trusted

Geekzone

Subscriber

Reply # 701695 15-Oct-2012 18:50
Here, changed the subject to reflect reality then. Mauricio Freitas (Geekzone Admin, Devil's Advocate, my blog, technology disclosure, my tweets, Web Performance Optimization) Geekzone Price comparison \| Amazon Kindle order page \| How to get the best out of Geekzone \| New Zealand IT Jobs \| Geekzone News \| Jinglebugs

gzt

3244 posts

Uber Geek

Subscriber

Reply # 701715 15-Oct-2012 19:15
Kyanar: Really? freitasm, is KiwiNZ coming from an MSD IP address? Because he seems to be claiming to have special insight into this case that I can't imagine anyone bar MSD IT having. No, MSD IT cannot have those insights yet. MSD IT staff are waiting on a service request trying to get half the permissions those kiosks have...

mjb

904 posts

Ultimate Geek

Trusted

Subscriber

Reply # 701720 15-Oct-2012 19:21
Given KiwiNZ's apparent lack of understanding of the seriousness of this breach, and their comments implying they may have worked on MSD systems, speaks volumes about why this sort of thing happens. contentsofsignaturemaysettleduringshipping

freitasm

BDFL
44238 posts

Uber Geek

Administrator

Trusted

Geekzone

Subscriber

Reply # 701731 15-Oct-2012 19:34
Kyanar: Really? freitasm, is KiwiNZ coming from an MSD IP address? You know I cannot say anything about this to you - or anyone else really. Mauricio Freitas (Geekzone Admin, Devil's Advocate, my blog, technology disclosure, my tweets, Web Performance Optimization) Geekzone Price comparison \| Amazon Kindle order page \| How to get the best out of Geekzone \| New Zealand IT Jobs \| Geekzone News \| Jinglebugs

freitasm

BDFL
44238 posts

Uber Geek

Administrator

Trusted

Geekzone

Subscriber

Reply # 701747 15-Oct-2012 20:18
And the story goes deeper now. MSD decided that an ad hominen attack would be a good move and ratted out the source. Mauricio Freitas (Geekzone Admin, Devil's Advocate, my blog, technology disclosure, my tweets, Web Performance Optimization) Geekzone Price comparison \| Amazon Kindle order page \| How to get the best out of Geekzone \| New Zealand IT Jobs \| Geekzone News \| Jinglebugs

freitasm

BDFL
44238 posts

Uber Geek

Administrator

Trusted

Geekzone

Subscriber

Reply # 701765 15-Oct-2012 20:47
And the company behind the kiosk is... Dimension Data: "Dimension Data was responsible for the security testing of the system, having conducted an audit on the kiosks earlier this year, but found no hole. Dimension Data did not respond to request for comment by the time of publication. The kiosks, which run an old version of Windows, 2000 or XP, had some protections in place to prevent unauthorised access." Mauricio Freitas (Geekzone Admin, Devil's Advocate, my blog, technology disclosure, my tweets, Web Performance Optimization) Geekzone Price comparison \| Amazon Kindle order page \| How to get the best out of Geekzone \| New Zealand IT Jobs \| Geekzone News \| Jinglebugs

mjb

904 posts

Ultimate Geek

Trusted

Subscriber

Reply # 701784 15-Oct-2012 20:56
freitasm: And the company behind the kiosk is... Dimension Data From DiData's NZ regional page: ....Already more than thirty agencies have joined one.govt including Department of Conservation, Ministry of Education, New Zealand Police and Department of Labour. edit: not that that means anything really, just how embedded they are in our government agencies. contentsofsignaturemaysettleduringshipping

rubygirl

65 posts

Master Geek

Reply # 701795 15-Oct-2012 21:24
gzt: Kyanar: ... he seems to be claiming to have special insight into this case that I can't imagine anyone bar MSD IT having. No, MSD IT cannot have those insights yet. MSD IT staff are waiting on a service request trying to get half the permissions those kiosks have... Sooooo funny! love it gzt

tigercorp

415 posts

Ultimate Geek

Subscriber

Reply # 701838 15-Oct-2012 23:31
freitasm: And the story goes deeper now. MSD decided that an ad hominen attack would be a good move and ratted out the source. I guess I shouldn't be surprised that the MSD don't seem have any regard for privacy. /bitterness

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9