Geekzone: technology news, blogs, forums

gzt

Reply # 704263 21-Oct-2012 11:19

StevieT: Just sent this email to Paula Bennett: Hi Paula, In light of the MSD security breach, which I assume includes a review of StudyLink IT systems, I request that no information pertaining to me is on the MSD and Studylink servers but the continuation of StudyLink payments (loan and allowance), and disability allowance, to still take place, as well as the ability to update my profile on StudyLinks website until an absolute guarantee is given to me that my information is safeguarded in accordance with principle five of the Privacy Act.


Did you get a response to that? It would be surprising if they acted based on email.

I see other people are taking a similar approach asking for data to be removed from MSD systems:

Surprisingly it looks like WINZ staff agreed to remove that person from the system.

In all seriousness maybe they are planning to keep a special filing cabinet in Wellington for the purpose.

Reply # 704316 21-Oct-2012 14:31

This MAY be part of a very cunning plan. If all beneficiaries ask for their data to be removed, we solve the govt spending problems in one hit! Nice :)

PS Please leave my Super records on.

Reply # 704980 23-Oct-2012 11:01

IMO, lots of heads should roll for this balls-up.

It cannot be that hard to provide secure kiosks - banks and other private companies manage it. Hell, *I* did it back in the 90s when I worked at one firm.

The more worrying concern though is that we don't know where else the info has gone. Sure, the blogger and hacker have been vocal about it, but who's to say others haven't been pilfering the info for ages and keeping quiet about it?

gzt

Reply # 704997 23-Oct-2012 11:28

Ministry of Justice kiosks shut down for 'similar issue'.

http://tvnz.co.nz/national-news/ministry-justice-shuts-down-kiosks-5142119

Not good. Raises more and more questions. The public deserve to know a lot more about how central government IT is being managed.

BDFL

Reply # 710885 2-Nov-2012 10:48

First report just released. PDF download here.


MSD releases independent report into IT security breach and confirms no widespread privacy breach

The Ministry of Social Development today released the independent report by Deloitte into the security breach of Work and Income kiosks.

Ministry of Social Development Chief Executive Brendan Boyle says the report is damning around MSD’s failure to separate public kiosks from a network containing corporate files.

“However I am very pleased to report that there has not been a widespread privacy breach. Investigations have determined that there is no evidence that the Kiosk breach went beyond that of Keith Ng and his associate Ira Bailey.

“Both men have cooperated with the Deloitte investigation and with the Privacy Commissioner. They have handed the information over and promised they have not shared that information with anyone else.

“I’m sorry that this matter has created concern amongst people who have information stored with us. However, it is good that we are able to reassure people today,” said Brendan Boyle.

“The report found insufficient work was done by the Ministry to ensure appropriate security was placed around the protection of information at the time the kiosk infrastructure and services were designed and built.

“While independent testing done on the kiosks was sound, the Ministry’s response to the security issues identified was inadequate.

“The review found the Ministry’s response to the issues raised by Keith Ng and Ira Bailey was sound, prompt and considered.

“In terms of people’s privacy we are extremely fortunate that the risk of harm from this is extremely low because there were only two people who looked at a limited number of the invoices. Both men have returned all the information and assured us and the Privacy Commissioner that they have not distributed it to anyone else.

“Around 1,432 of the 7,300 odd items did contain some personal information such as a person’s name and/or date of birth and some description of the medical and legal services that were purchased.

“Of all the items downloaded the invoices relating to 10 individuals contained highly sensitive information.

“In the case of the eight children and two adults whose invoices contained highly sensitive information – we will be working on how best to respond to these individuals. This approach is in accordance with the Privacy Commissioner’s guidelines.

“In announcing the independent review I said that what had occurred was completely unacceptable and I continue to hold that view.

“The review finds security issues were identified and raised on a number of occasions, including by Dimension Data, but staff woefully under-estimated the risk of a malicious attack.

“In doing so they appear to have failed to take the necessary steps to ensure the Ministry safeguarded people’s personal information.

“I’m gutted and disappointed that we’ve let people down.

“Of particular concern is that risks and concerns which were identified do not appear to have been escalated to the right people.

“The Deloitte report confirms that staff members in leadership positions were not alerted to these issues and therefore had no opportunities to exercise appropriate judgement.

“The report makes it clear there were risk and governance processes in place, however these were not appropriately used.

“Questions must now be asked about the adequacy of these processes and whether this was an extraordinary series of events, or whether it raises broader issues about the appropriateness and effectiveness of the Ministry’s wider information systems security.

“This will all be considered in the second phase of the Deloitte independent review, which will include consideration of our policies, governance, capability and culture.

“This second phase review will be completed later this month.

“In the meantime I can confirm that at this stage four employment investigations are being undertaken by an independent barrister.

“These investigations need to run their course before I determine the next steps.

“I can assure people that the employment investigations will be thorough and people will be held to account for their conduct,” concluded Brendan Boyle.

gzt

Reply # 710912 2-Nov-2012 11:40

Ministry of Social Development Chief Executive Brendan Boyle says the report is damning around MSD's failure to separate public kiosks from a network containing corporate files.

The report isn't damning at all - but the report does make very clear Dimension Data reported the exact issues to the ministry and the ministry did nothing.

However I am very pleased to report that there has not been a widespread privacy breach. Investigations have determined that there is no evidence that the Kiosk breach went beyond that of Keith Ng and his associate Ira Bailey.

There is absolutely nothing in the report to substantiate this claim that there was no widespread privacy breach. The report itself states:

Based on the risk exposure of the kiosk deployment as a result of not using network separation, and the trust privileges the kiosks had to the Ministry's network, a higher level of audit trail visibility and retention required to moderate the risk would be expected. This was not found to be in place.

It looks to me like MSD simply does not have the audit trail in place they need to make this blanket assurance in that first sentence.

There are also a couple of completely irrelevant bang-head-on-table lines in the report about not being able to retain logs because the kiosk image or whatever is refreshed every day.

How is that a reason not to retain logs or an audit trail? It is completely and utterly irrelevant. How did that get into the report?

Unrelated: In any case there is a good case for refreshing machines after every user to mitigate security risk for users where machines are used to access personal information. If they are refreshing every day they are likely doing nothing like this to maintain user security and privacy at all.

Edit: The root of the problem is the organisation appears to have no CISO and no independent security function to report issues to. There is no indication there was any kind of security sign off function on the kiosk projects.

No one reviewing these kiosk plans from a security perspective would ever have signed off in a million years. No one reviewing the vulnerability reports MSD received from Dimension Data (and then after that members of the public) from a security perspective would ever have let those issues go unaddressed.

No doubt there are many internal issues which are not being correctly dealt with as well.

Vulnerability reports and security reviews often reveal systemic issues which cannot be fully addressed by a simple patch/fix approach and require a far longer attention span and a strategic approach over a long period of time.
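As an added illustration of the audit-trail point made in the post above (this is example code written for this page, not anything from the Deloitte report, MSD, or any poster), the Python sketch below shows why a daily image refresh is no obstacle to retention: the kiosk holds no durable state at all, every session event is shipped straight to an off-box collector, and the collector keeps a hash-chained append-only record so that a deleted or edited entry is detectable. It also shows the separation point in miniature: the kiosk serves only an allowlisted public path prefix and records any attempt to reach anything else. The `Collector`, `Kiosk`, `ALLOWED_PREFIXES` and the file paths are all constructed for the example.

```python
import hashlib
import json

# Constructed for this example: the only paths a public kiosk is meant to serve.
# Anything outside these prefixes is refused and the refusal is recorded.
ALLOWED_PREFIXES = ("/public/",)
GENESIS = "0" * 64


class Collector:
    """Stand-in for a central log server on the corporate side of the network boundary.
    Entries are append-only; each carries the SHA-256 of the previous entry, so a
    deleted or edited record breaks the chain and verify() reports it."""

    def __init__(self):
        self.entries = []
        self.last_hash = GENESIS

    def append(self, kiosk_id, session_id, event):
        record = {"kiosk": kiosk_id, "session": session_id,
                  "event": event, "prev": self.last_hash}
        record["hash"] = self._digest(record)
        self.entries.append(record)
        self.last_hash = record["hash"]
        return record["hash"]

    @staticmethod
    def _digest(record):
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """True if every entry links to its predecessor and hashes to its stored value."""
        prev = GENESIS
        for rec in self.entries:
            if rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class Kiosk:
    """Public kiosk holding no durable state: events are shipped to the collector
    as they happen, never spooled to the local image."""

    def __init__(self, kiosk_id, collector):
        self.kiosk_id = kiosk_id
        self.collector = collector
        self.session_counter = 0
        self.local_state = {}

    def start_session(self):
        self.session_counter += 1
        sid = f"{self.kiosk_id}-s{self.session_counter}"
        self.local_state = {"session": sid, "opened": []}
        self.collector.append(self.kiosk_id, sid, "session_start")
        return sid

    def open_resource(self, path):
        sid = self.local_state["session"]
        if path.startswith(ALLOWED_PREFIXES):
            self.local_state["opened"].append(path)
            self.collector.append(self.kiosk_id, sid, f"open:{path}")
            return True
        # Refused, and the refusal itself is part of the trail.
        self.collector.append(self.kiosk_id, sid, f"denied:{path}")
        return False

    def end_session(self):
        self.collector.append(self.kiosk_id, self.local_state["session"], "session_end")
        self.reset()

    def reset(self):
        """Per-session (or daily) wipe of the kiosk. The audit trail is unaffected
        because it never lived only on this machine."""
        self.local_state = {}


def run_demo():
    """One session with a refused corporate-file access, then a full kiosk wipe."""
    collector = Collector()
    kiosk = Kiosk("kiosk-01", collector)
    kiosk.start_session()
    kiosk.open_resource("/public/forms/application.pdf")
    kiosk.open_resource("/corp/invoices/2012-10.xlsx")  # constructed: a file the kiosk should never reach
    kiosk.end_session()
    kiosk.reset()  # the daily image refresh
    denied = [e for e in collector.entries if e["event"].startswith("denied:")]
    return {"retained": len(collector.entries), "intact": collector.verify(),
            "denied": len(denied), "kiosk_state": kiosk.local_state}


def tamper_demo():
    """Deleting the inconvenient record from the collector is caught by the chain."""
    collector = Collector()
    kiosk = Kiosk("kiosk-02", collector)
    kiosk.start_session()
    kiosk.open_resource("/corp/invoices/2012-10.xlsx")
    kiosk.end_session()
    del collector.entries[1]
    return collector.verify()


if __name__ == "__main__":
    print(run_demo())
    print("chain intact after tampering:", tamper_demo())
```

Running `run_demo()` leaves the kiosk with empty local state while the collector still holds all four events, including the refused corporate-path access; `tamper_demo()` returns `False` because removing the middle record breaks the chain. The hash chain is a design choice added here to make the retained trail tamper-evident; the page's own point is only that retention has to live off the kiosk.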

gjm

Reply # 710917 2-Nov-2012 11:50

I get a page not found when I click on the link for the PDF. Wonder if they pulled it for some reason.

BDFL

Reply # 710918 2-Nov-2012 11:51

The link works just fine for me.

gzt

Reply # 710920 2-Nov-2012 11:54

gjm: I get a page not found when I click on the link for the PDF. Wonder if they pulled it for some reason.


Still up for me. Here's a link to the phase 1 report in the Google Docs online viewer for those without PDF browser capability.

gjm

Reply # 710935 2-Nov-2012 12:09

Yup, works now... random?

BDFL

Reply # 726680 4-Dec-2012 11:23

This is beyond a joke now:


The security fault labelled “critical” in Security-Assessment.com’s May 2011 report on the Ministry of Social Development’s kiosk systems was promptly fixed, but MSD still declines to provide detailed information on the reasons for suppressing details of the fault under the Official Information Act.

MSD says despite fixing the fault, a continuing security risk attaches to fuller disclosure. 

Even to discuss why information on the critical vulnerability was withheld would risk “disclosing information about how to hack into the system” and potentially other similar systems, says a spokeswoman passing on comment from the ministry’s “OIA team”.


Security by obscurity - no security at all actually.

gzt

Reply # 726781 4-Dec-2012 12:59

The only possible valid reason I can think they withheld disclosure is because the issues with information security in MSD continue, because everything may be set up to work that way, and everything will stop working if normal reasonable security practices are implemented immediately. If that is the case they just explained it to everyone anyway.
