Ministry of Social Development security woes

Check our new Geekzone Price Comparison web site for electronics prices in New Zealand.

Forums › IT Pro › Ministry of Social Development security woes

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9

65 posts

Master Geek

Reply # 701848 16-Oct-2012 00:09
Apparently we have a place where cyber threats can be reported - but not by the general public it seems. They are only interested if you a government instituion or an organisation critical to national infrastructure. I would say that by the time the organisation has detected the problem the horse has already bolted. http://www.ncsc.govt.nz/ Reporting an Incident If you are a New Zealand government institution or a Critical National Infrastructure (CNI) organisation and you have encountered or suspect the presence of a cyber threat, please complete and return an Incident Reporting Form or speak with us directly on (04) 498-7654. All incident reports provided to the NCSC are treated in the strictest of confidence. What are we paying these NCSC (New Zealand National Cyber Security Centre) clowns for? What do they do? How much do they cost us?

freitasm

BDFL
43727 posts

Uber Geek

Administrator

Trusted

Geekzone

Subscriber

Reply # 701881 16-Oct-2012 08:27
Please note that on request some of the posts were removed. Mauricio Freitas (Geekzone Admin, Devil's Advocate, my blog, technology disclosure, my tweets, Web Performance Optimization) Geekzone Price comparison \| Amazon Kindle order page \| How to get the best out of Geekzone \| New Zealand IT Jobs \| Geekzone News \| Jinglebugs

shadybrothers

228 posts

Master Geek

Reply # 701902 16-Oct-2012 09:33
mjb: freitasm: And the company behind the kiosk is... Dimension Data From DiData's NZ regional page: ....Already more than thirty agencies have joined one.govt including Department of Conservation, Ministry of Education, New Zealand Police and Department of Labour. edit: not that that means anything really, just how embedded they are in our government agencies. This is a WAN service. Widely known. this is a slap in the face!

Kyanar

1938 posts

Uber Geek

Trusted

Subscriber

Reply # 701912 16-Oct-2012 09:52
freitasm: Kyanar: Really? freitasm, is KiwiNZ coming from an MSD IP address? You know I cannot say anything about this to you - or anyone else really. Don't worry, it was a rhetorical question, I wasn't actually expecting an answer unless he outed himself first :). The one thing that is of interest to me - the guy who found the issue apparently called MSD and asked if they'd give him money to tell them what the issue was. MSD said "no, we don't do that" but no story indicates whether he then chose to tell them anyway - in fact Keith's blog made it look like when they said "no, we don't pay for reports" he then responded "ok, I'm in talks with a journalist" and ended communication. The story available does NOT make him look like a good guy at all.

1080p

984 posts

Ultimate Geek

Reply # 701922 16-Oct-2012 10:09
Why is he bad for wanting compensation? This is standard practice in many places. Workstation: Intel DH67CL ~ i5-2500 ~ 4GB Corsair RAM (x2) ~ Intel X25-M 80GB SSD Laptop: Dell Inspiron 1564 ~ i5-520M ~ 4.00GB RAM ~ 500GB SATA HDD ~ Win7 Home Premium x64 Common misconceptions.

davidcole

1533 posts

Uber Geek

Trusted

Reply # 701926 16-Oct-2012 10:13
1080p: Why is he bad for wanting compensation? This is standard practice in many places. Seems very typical of the me me me attitude that prevails this country at the moment. I think people don't like that he asked for compensation and upon being told no, didn't communicate the issue with MSD, he then left and told reporters. All very fine and good to ask. Previously knows as psycik NextPVR Based HTPC: 2 x HVR3000 - DVB-S - Freeview, HVR3000 - DVB-T Freeview\|HD, Nova-T 500 - Dual Freeview\|HD, Digital Coax --> Yamaha RX-v540, 8600GT --> Samsung LA46A650D via HDMI Clients: Popcorn Hour A-100, 1xATV2, 1xATV3 Windows 7 Ultimate Host 4x2TB + 1x1.5TB using DriveBender, VMWare Server 2 with 1xW7, 2xW2k3 1xUbuntu 11.10 Desktop, 1xWHS2011, Plex

ajobbins

Awesome
3004 posts

Uber Geek

Trusted

Subscriber

Reply # 701929 16-Oct-2012 10:27
Google and Facebook are known for paying for information on vulnerabilities, for example Twitter: ajobbins

Kyanar

1938 posts

Uber Geek

Trusted

Subscriber

Reply # 701933 16-Oct-2012 10:33
1080p: Why is he bad for wanting compensation? This is standard practice in many places. So what if it's standard practice in "many" places - what does that have to do with the price of fish? MSD is not one of those places. Hence they said, "no we don't have a reward program" (somewhat understandable, considering it's taxpayer money they're disbursing). Upon doing this, rather than reporting the issue anyway (perhaps ask for a letter of acknowledgement to add to his CV as well - a government department offering thanks for finding a serious issue which put millions of people's information at risk has got to be a real good reference!) he went to a reporter and didn't tell them what the issue was. That's, to me, pretty scummy behaviour. And the "journalist" isn't much better - rather than sending MSD the details and warning them that he will release the details by a certain date whether the issue is solved or not (responsible disclosure in the infosec world) he released the details straight away, leaving them scrambling on a weekend to sort the issue. No, he's not a good guy by any stretch of the term. Neither is MSD in this case, but that's besides the point.

ajobbins

Awesome
3004 posts

Uber Geek

Trusted

Subscriber

Reply # 701940 16-Oct-2012 10:46
Nothing wrong with asking for payment either. This practise exists to encourage people to disclose vulnerabilities they discover. It isn't blackmail. The blogger did the right thing by going to the media - It brought appropriate focus to and accountability for the issue. The risk was that if he didn't write the story, the issue would not have been taken as seriously (And there has already been suggestion in this thread that it was known, and wasn't taken seriously, but rather they were 'trying to fix it' without having to take the kiosks offline.) Twitter: ajobbins

BlueShift

571 posts

Ultimate Geek

Reply # 701990 16-Oct-2012 11:39
The Ministry of Social Development has appointed Deloittes to review its computer network security, the Ministry's Chief Executive, Brendan Boyle, said today. The review will happen in two phases. The first will deal with the immediate issue regarding the security of our public kiosks. Deloittes will look at what happened, how secure information was able to be accessed, and will determine why it happened and what steps we need to take to ensure it can't happen again. The second phase will involve a broader look at security across all the Ministry's IT systems, including policies, governance and culture. This second phase will take longer and more work needs to be done on the scope of this part of the review. We received a report from Dimension Data in April 2011, which identified flaws in our system. We will be asking Deloittes to determine what we did to follow up this report?s recommendations and whether our response was adequate. Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data?s recommendations on security. I will look to the review to provide me with the answers. I can confirm that KPMG was not engaged to penetration test our public kiosks. They have, however, been engaged in doing testing on other parts of our system. Our immediate aim is to resolve any security problems and restore public confidence in our systems,? Mr Boyle said. ETA: My bolding, but the whole thing is revealing. Press release from MSD: http://www.msd.govt.nz/about-msd-and-our-work/newsroom/media-releases/2012/deloittes-appointed-to-review-network-security.html See also: http://www.stuff.co.nz/national/politics/7821061/MSD-concedes-Winz-security-failure

freitasm

BDFL
43727 posts

Uber Geek

Administrator

Trusted

Geekzone

Subscriber

Reply # 701996 16-Oct-2012 11:51
Holy cow, Batman. "We received a report from Dimension Data in April 2011, which identified flaws in our system." April 2011 - October 2012 and nothing done. Great work there. First because a report was generated, obviously costing money. Second because no action based on that report seems to have been taken. I also like "The second phase will involve a broader look at security across all the Ministry's IT systems, including policies, governance and culture." If there's one thing they need to change is the internal culture. We already know they don't give a damn to some important issues... Mauricio Freitas (Geekzone Admin, Devil's Advocate, my blog, technology disclosure, my tweets, Web Performance Optimization) Geekzone Price comparison \| Amazon Kindle order page \| How to get the best out of Geekzone \| New Zealand IT Jobs \| Geekzone News \| Jinglebugs

gzt

3202 posts

Uber Geek

Subscriber

Reply # 701998 16-Oct-2012 11:54
Kyanar: The one thing that is of interest to me - the guy who found the issue apparently called MSD and asked if they'd give him money to tell them what the issue was. MSD said "no, we don't do that" If he (Bailey) had called and asked "Do you have a bug bounty?" and left it at that - there would still be questions but the situation would be a lot clearer. By the way do we know exactly what he asked? Probably not. Kyanar: but no story indicates whether he then chose to tell them anyway - in fact Keith's blog made it look like when they said "no, we don't pay for reports" he then responded "ok, I'm in talks with a journalist" and ended communication. If his (Bailey) intention was malicious he could have let many people know and it would have been a free for all or he could have published the information to the web anonymously to be picked up by people who would misuse it before anyone knew. Instead he contacted a journalist to tell the story. That is a responsible move. A journalist (in the trained sense) is a professional with a code of ethics. Either way - Ng appears to have acted professionally. The journalist obtained legal advice and contacted the privacy commission before publishing. It is unclear so far if the journalist notified MSD directly or indirectly or did not give thought to this at all but no doubt it was consistent with his legal advice. He published at 10pm and the kiosks were not available until Winz opened the following morning.

gzt

3202 posts

Uber Geek

Subscriber

Reply # 702008 16-Oct-2012 12:04
Our immediate aim is to resolve any security problems and restore public confidence in our systems, Mr Boyle said. This press release should have included mention of releasing the report in full. Without that the public will not gain confidence. The full review mentioned should also be released when it is complete. Both will be released anyway because someone will request them under the Official Information Act. In the meantime the MSD is not doing anything much to increase public confidence.

BlueShift

571 posts

Ultimate Geek

Reply # 702013 16-Oct-2012 12:09
ajobbins: Nothing wrong with asking for payment either. This practise exists to encourage people to disclose vulnerabilities they discover. It isn't blackmail. The blogger did the right thing by going to the media - It brought appropriate focus to and accountability for the issue. The risk was that if he didn't write the story, the issue would not have been taken as seriously (And there has already been suggestion in this thread that it was known, and wasn't taken seriously, but rather they were 'trying to fix it' without having to take the kiosks offline.) According to the MSD themselves, they were made aware of the problem long ago and chose to ignore it. I think that more than vidicates the original leaker and Keith Ng's decision to go public.

Kyanar

1938 posts

Uber Geek

Trusted

Subscriber

Reply # 702057 16-Oct-2012 13:48
gzt: Instead he contacted a journalist to tell the story. That is a responsible move. A journalist (in the trained sense) is a professional with a code of ethics. Either way - Ng appears to have acted professionally. The journalist obtained legal advice and contacted the privacy commission before publishing. It is unclear so far if the journalist notified MSD directly or indirectly or did not give thought to this at all but no doubt it was consistent with his legal advice. He published at 10pm and the kiosks were not available until Winz opened the following morning. No, not at all. The professional method of dealing with knowledge of a vulnerability is to provide complete details of the method to the responsible party (MSD in this case) and a deadline by which details will be released, regardless of whether the issue is fixed. In the majority of cases, this deadline is actually very short (sometimes a matter of only days) in order to force the issue. Immediate disclosure on a high traffic blog without warning is *NOT* responsible, ethical, or professional. And before you ask, no I'm not defending MSD either. I'm probably the most likely person you'll meet to criticize every move they make (more so under a National government), but that doesn't excuse the fact that neither Bailey nor Ng acted with any sense of ethics or professionalism in this case.

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9