Beccara
1473 posts

Uber Geek
+1 received by user: 517

ID Verified

  #430086 23-Jan-2011 01:18

NZTA's client you can download off the net. Nothing stopping a user with a login getting a VPN login as well.

You need to remember that this was an attack from within, someone who had access and was meant to be shared the details. An attack vector extremely hard to minimise without compromising usability. Remember wireline is used by all wholesale clients along with retail and retail partners. Running on a secure "red" network would be impossible, as I know of many people who have access to wireline for their jobs using it on clients' sites during meetings etc.



BarTender
3629 posts

Uber Geek
+1 received by user: 2572

ID Verified
Trusted
Lifetime subscriber

  #430109 23-Jan-2011 08:39

Beccara: NZTA's client you can download off the net. Nothing stopping a user with a login getting a VPN login as well.

You need to remember that this was an attack from within, someone who had access and was meant to be shared the details. An attack vector extremely hard to minimise without compromising usability. Remember wireline is used by all wholesale clients along with retail and retail partners. Running on a secure "red" network would be impossible, as I know of many people who have access to wireline for their jobs using it on clients' sites during meetings etc.


And that is the problem: people with privileged access (much like the case of Vodafone AU) should have remembered that they signed a piece of paper saying they were going to be responsible for the use of that username and password. VPNs or SSL certs and suchlike do very little to increase security, since the person was allowed to access the data they looked at. Additional authentication factors such as One Time Password tokens or similar hardware devices (SSL certificate on a smartcard) which are tied to one person are the only real way to improve security, since a password can be handed on, but an OTP token is a physical thing that only one person could have at one time.

freitasm
BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41038

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #430112 23-Jan-2011 08:53

It'd be the same if you gave your bank card and PIN to someone, then complained that there's money missing. It's not a technology problem, it's a people problem.

You can do all the background checks you want, but if there's one bad person with access to some information then the risk is there.

If there are people willing to pay to get that information then the risk increases.

Still, no technology involved in the risk. You can use technology to try and prevent this happening (locking USB ports so people can't copy files, restricting VPN access to certain IP addresses only, etc.) but then either you make it too hard for good people to work, or you just make the bad guy grab a pen and paper and manually copy the information s/he needs or wants.









hamistheman
82 posts

Master Geek
+1 received by user: 7


  #430148 23-Jan-2011 11:30

Completely agree with freitasm. Also keep in mind that no one seems to be disputing that it was a valid account that was used. The blame as I see it lies entirely with the people that used it. The reality is that a lot more of your personal information would be protected by only a username/password; it's just that the problem hasn't arisen, but that data is just as vulnerable. As someone that connects to multiple client networks I especially agree with "....you make it hard for good people to work". It wasn't 'hacked' as most people think of systems being hacked; a valid username and password was used. If hacking was involved, then you would expect that they would be using a multitude of accounts, not just one .....

Cheers,
H


 



Beccara
1473 posts

Uber Geek
+1 received by user: 517

ID Verified

  #430309 23-Jan-2011 20:03

And just to respond to someone earlier, unlisted numbers can't be resolved in any way, shape or form. Unless this has changed since the last time I was trained on it (trainer made this point very clear).

freitasm
BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41038

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #497617 25-Jul-2011 14:12

The SFO (Serious Fraud Office) found no evidence of criminal offending after its investigation in this case. The Privacy Commissioner said its inquiries were also continuing...



