Geekzone: technology news, blogs, forums
65 posts

Master Geek


  Reply # 701848 16-Oct-2012 00:09 Send private message

Apparently we have a place where cyber threats can be reported - but not by the general public it seems. They are only interested if you are a government institution or an organisation critical to national infrastructure. I would say that by the time the organisation has detected the problem the horse has already bolted.

http://www.ncsc.govt.nz/
Reporting an Incident
If you are a New Zealand government institution or a Critical National Infrastructure (CNI) organisation and you have encountered or suspect the presence of a cyber threat, please complete and return an Incident Reporting Form or speak with us directly on (04) 498-7654. All incident reports provided to the NCSC are treated in the strictest of confidence.

What are we paying these NCSC (New Zealand National Cyber Security Centre) clowns for? What do they do? How much do they cost us?

BDFL
49908 posts

Uber Geek
+1 received by user: 4621

Administrator
Trusted
Geekzone
Subscriber

  Reply # 701881 16-Oct-2012 08:27 Send private message

Please note that on request some of the posts were removed.





237 posts

Master Geek


  Reply # 701902 16-Oct-2012 09:33 Send private message

mjb:
freitasm: And the company behind the kiosk is... Dimension Data


From DiData's NZ regional page:

....Already more than thirty agencies have joined one.govt including Department of Conservation, Ministry of Education, New Zealand Police and Department of Labour.

edit: not that that means anything really, just how embedded they are in our government agencies.


This is a WAN service. Widely known.




this is a slap in the face!

2505 posts

Uber Geek
+1 received by user: 243

Trusted
Subscriber

  Reply # 701912 16-Oct-2012 09:52 Send private message

freitasm:
Kyanar: Really?  freitasm, is KiwiNZ coming from an MSD IP address?


You know I cannot say anything about this to you - or anyone else really.



Don't worry, it was a rhetorical question, I wasn't actually expecting an answer unless he outed himself first :).

The one thing that is of interest to me - the guy who found the issue apparently called MSD and asked if they'd give him money to tell them what the issue was.  MSD said "no, we don't do that" but no story indicates whether he then chose to tell them anyway - in fact Keith's blog made it look like when they said "no, we don't pay for reports" he then responded "ok, I'm in talks with a journalist" and ended communication.

The story available does NOT make him look like a good guy at all.

1332 posts

Uber Geek
+1 received by user: 152
Inactive user


  Reply # 701922 16-Oct-2012 10:09 Send private message

Why is he bad for wanting compensation? This is standard practice in many places.

2065 posts

Uber Geek
+1 received by user: 118

Trusted

  Reply # 701926 16-Oct-2012 10:13 Send private message

1080p: Why is he bad for wanting compensation? This is standard practice in many places.


Seems very typical of the me me me attitude that prevails in this country at the moment.

I think people don't like that he asked for compensation and upon being told no, didn't communicate the issue with MSD, he then left and told reporters.  All very fine and good to ask.




Previously known as psycik

NextPVR Based HTPC:

Gigabyte AMD A8 Brix --> Samsung LA46A650D via HDMI, SiliconDust HDHomeRun Dual DVB-T Tuner, NextPVR, Plex Plugin 
Clients:
Popcorn Hour A-100, 1xATV2, 1xATV3, Roku3
Windows 7 Ultimate Host (Plex Server)
3x2TB, 1x3TB, 1x4TB + 1x1.5TB using DriveBender, VMWare Workstation 10 with 1xW7, 2xW2k3 1xUbuntu 11.10 Desktop, 1xWHS2011, Plex, Crashplan, NextPVR channel for Plex

UnblockUS - Unblock your freedom

Awesome
3994 posts

Uber Geek
+1 received by user: 572

Trusted
Subscriber

  Reply # 701929 16-Oct-2012 10:27 Send private message

Google and Facebook are known for paying for information on vulnerabilities, for example




Twitter: ajobbins

2505 posts

Uber Geek
+1 received by user: 243

Trusted
Subscriber

  Reply # 701933 16-Oct-2012 10:33 Send private message

1080p: Why is he bad for wanting compensation? This is standard practice in many places.


So what if it's standard practice in "many" places - what does that have to do with the price of fish?

MSD is not one of those places.  Hence they said, "no we don't have a reward program" (somewhat understandable, considering it's taxpayer money they're disbursing).  Upon doing this, rather than reporting the issue anyway (perhaps ask for a letter of acknowledgement to add to his CV as well - a government department offering thanks for finding a serious issue which put millions of people's information at risk has got to be a real good reference!) he went to a reporter and didn't tell them what the issue was.  That's, to me, pretty scummy behaviour.  And the "journalist" isn't much better - rather than sending MSD the details and warning them that he will release the details by a certain date whether the issue is solved or not (responsible disclosure in the infosec world) he released the details straight away, leaving them scrambling on a weekend to sort the issue.

No, he's not a good guy by any stretch of the term.  Neither is MSD in this case, but that's beside the point.

Awesome
3994 posts

Uber Geek
+1 received by user: 572

Trusted
Subscriber

  Reply # 701940 16-Oct-2012 10:46 Send private message

Nothing wrong with asking for payment either. This practice exists to encourage people to disclose vulnerabilities they discover. It isn't blackmail. The blogger did the right thing by going to the media - It brought appropriate focus to and accountability for the issue.

The risk was that if he didn't write the story, the issue would not have been taken as seriously (And there has already been suggestion in this thread that it was known, and wasn't taken seriously, but rather they were 'trying to fix it' without having to take the kiosks offline.)




Twitter: ajobbins

790 posts

Ultimate Geek
+1 received by user: 152


  Reply # 701990 16-Oct-2012 11:39 Send private message


The Ministry of Social Development has appointed Deloittes to review its computer network security, the Ministry's Chief Executive, Brendan Boyle, said today.  
 
The review will happen in two phases. The first will deal with the immediate issue regarding the security of our public kiosks. Deloittes will look at what happened, how secure information was able to be accessed, and will determine why it happened and what steps we need to take to ensure it can't happen again. 

The second phase will involve a broader look at security across all the Ministry's IT systems, including policies, governance and culture. This second phase will take longer and more work needs to be done on the scope of this part of the review. 

We received a report from Dimension Data in April 2011, which identified flaws in our system. We will be asking Deloittes to determine what we did to follow up this report's recommendations and whether our response was adequate. Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data's recommendations on security. I will look to the review to provide me with the answers.

I can confirm that KPMG was not engaged to penetration test our public kiosks. They have, however, been engaged in doing testing on other parts of our system. 

Our immediate aim is to resolve any security problems and restore public confidence in our systems, Mr Boyle said.


ETA: My bolding, but the whole thing is revealing. Press release from MSD: http://www.msd.govt.nz/about-msd-and-our-work/newsroom/media-releases/2012/deloittes-appointed-to-review-network-security.html
See also: http://www.stuff.co.nz/national/politics/7821061/MSD-concedes-Winz-security-failure

BDFL
49908 posts

Uber Geek
+1 received by user: 4621

Administrator
Trusted
Geekzone
Subscriber

  Reply # 701996 16-Oct-2012 11:51 Send private message

Holy cow, Batman. "We received a report from Dimension Data in April 2011, which identified flaws in our system."

April 2011 - October 2012 and nothing done.

Great work there. First because a report was generated, obviously costing money. Second because no action based on that report seems to have been taken.

I also like "The second phase will involve a broader look at security across all the Ministry's IT systems, including policies, governance and culture."

If there's one thing they need to change, it's the internal culture. We already know they don't give a damn about some important issues...






gzt

4595 posts

Uber Geek
+1 received by user: 244

Subscriber

  Reply # 701998 16-Oct-2012 11:54 Send private message

Kyanar: The one thing that is of interest to me - the guy who found the issue apparently called MSD and asked if they'd give him money to tell them what the issue was.  MSD said "no, we don't do that"

If he (Bailey) had called and asked "Do you have a bug bounty?" and left it at that - there would still be questions but the situation would be a lot clearer.

By the way do we know exactly what he asked? Probably not.

Kyanar: but no story indicates whether he then chose to tell them anyway - in fact Keith's blog made it look like when they said "no, we don't pay for reports" he then responded "ok, I'm in talks with a journalist" and ended communication.

If his (Bailey) intention was malicious he could have let many people know and it would have been a free for all or he could have published the information to the web anonymously to be picked up by people who would misuse it before anyone knew.

Instead he contacted a journalist to tell the story. That is a responsible move. A journalist (in the trained sense) is a professional with a code of ethics. Either way - Ng appears to have acted professionally. The journalist obtained legal advice and contacted the privacy commission before publishing. It is unclear so far if the journalist notified MSD directly or indirectly or did not give thought to this at all but no doubt it was consistent with his legal advice. He published at 10pm and the kiosks were not available until Winz opened the following morning.

gzt

4595 posts

Uber Geek
+1 received by user: 244

Subscriber

  Reply # 702008 16-Oct-2012 12:04 Send private message

Our immediate aim is to resolve any security problems and restore public confidence in our systems, Mr Boyle said.

This press release should have included mention of releasing the report in full. Without that the public will not gain confidence.

The full review mentioned should also be released when it is complete.

Both will be released anyway because someone will request them under the Official Information Act. In the meantime the MSD is not doing anything much to increase public confidence.

790 posts

Ultimate Geek
+1 received by user: 152


  Reply # 702013 16-Oct-2012 12:09 Send private message

ajobbins: Nothing wrong with asking for payment either. This practice exists to encourage people to disclose vulnerabilities they discover. It isn't blackmail. The blogger did the right thing by going to the media - It brought appropriate focus to and accountability for the issue.

The risk was that if he didn't write the story, the issue would not have been taken as seriously (And there has already been suggestion in this thread that it was known, and wasn't taken seriously, but rather they were 'trying to fix it' without having to take the kiosks offline.)


According to the MSD themselves, they were made aware of the problem long ago and chose to ignore it.
I think that more than vindicates the original leaker and Keith Ng's decision to go public.

2505 posts

Uber Geek
+1 received by user: 243

Trusted
Subscriber

  Reply # 702057 16-Oct-2012 13:48 Send private message

gzt:

Instead he contacted a journalist to tell the story. That is a responsible move. A journalist (in the trained sense) is a professional with a code of ethics. Either way - Ng appears to have acted professionally. The journalist obtained legal advice and contacted the privacy commission before publishing. It is unclear so far if the journalist notified MSD directly or indirectly or did not give thought to this at all but no doubt it was consistent with his legal advice. He published at 10pm and the kiosks were not available until Winz opened the following morning.


No, not at all.  The professional method of dealing with knowledge of a vulnerability is to provide complete details of the method to the responsible party (MSD in this case) and a deadline by which details will be released, regardless of whether the issue is fixed.  In the majority of cases, this deadline is actually very short (sometimes a matter of only days) in order to force the issue.

Immediate disclosure on a high traffic blog without warning is NOT responsible, ethical, or professional.  And before you ask, no I'm not defending MSD either.  I'm probably the most likely person you'll meet to criticize every move they make (more so under a National government), but that doesn't excuse the fact that neither Bailey nor Ng acted with any sense of ethics or professionalism in this case.
