Geekzone: technology news, blogs, forums
994 posts

Ultimate Geek
+1 received by user: 160

UberGroup

  Reply # 430086 23-Jan-2011 01:18

NZTA's client you can download off the net. Nothing stopping a user with a login from getting a VPN login as well.

You need to remember that this was an attack from within, someone who had access and was meant to be shared the details, an attack vector extremely hard to minimise without compromising usability. Remember wireline is used by all wholesale clients along with retail and retail partners. Running on a secure "red" network would be impossible as I know of many people who have access to wireline for their jobs using it on clients' sites during meetings etc.

2446 posts

Uber Geek
+1 received by user: 841

Trusted
Lifetime subscriber

  Reply # 430109 23-Jan-2011 08:39

Beccara: NZTA's client you can download off the net. Nothing stopping a user with a login from getting a VPN login as well.

You need to remember that this was an attack from within, someone who had access and was meant to be shared the details, an attack vector extremely hard to minimise without compromising usability. Remember wireline is used by all wholesale clients along with retail and retail partners. Running on a secure "red" network would be impossible as I know of many people who have access to wireline for their jobs using it on clients' sites during meetings etc.


And that is the problem: people with privileged access (much like the case of Vodafone AU) should have remembered that they signed a piece of paper saying they were going to be responsible for the use of that username and password. VPNs or SSL certs and suchlike do very little to increase security since the person was allowed to access the data they looked at. Additional authentication factors such as One Time Password tokens or similar hardware devices (SSL certificate on a smartcard) which are tied to one person are the only real way to improve security, since a password can be handed on, but an OTP token is a physical thing that only one person could have at one time.





BDFL - Memuneh
61509 posts

Uber Geek
+1 received by user: 12234

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 430112 23-Jan-2011 08:53

It'd be the same if you gave your bank card and PIN to someone, then complained that there's money missing. It's not a technology problem, it's a people problem.

You can do all the background checks you want, but if there's one bad person with access to some information then the risk is there.

If there are people willing to pay to get that information then the risk increases.

Still, no technology involved in the risk. You can use technology to try and prevent this happening (locking USB ports so people can't copy files, restricting VPN access to certain IP addresses only, etc.) but then either you make it too hard for good people to work, or you just make the bad guy grab a pen and paper and manually copy the information s/he needs or wants.





60 posts

Master Geek


  Reply # 430148 23-Jan-2011 11:30

Completely agree with freitasm. Also keep in mind that no one seems to be disputing that it was a valid account that was used. The blame as I see it lies entirely with the people that used it. The reality is that a lot more of your personal information would be protected by only a username/password; it's just that the problem hasn't arisen, but that data is just as vulnerable. As someone that connects to multiple client networks I especially agree with "....you make it hard for good people to work". It wasn't 'hacked' as most people think of systems being hacked; a valid user name and password was used. If hacking was involved, then you would expect that they would be using a multitude of accounts, not just one .....

Cheers,
H


 



994 posts

Ultimate Geek
+1 received by user: 160

UberGroup

  Reply # 430309 23-Jan-2011 20:03

And just to respond to someone earlier, unlisted numbers can't be resolved in any way, shape or form. Unless this has changed since the last time I was trained on it (trainer made this point very clear).

BDFL - Memuneh
61509 posts

Uber Geek
+1 received by user: 12234

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 497617 25-Jul-2011 14:12

The SFO (Serious Fraud Office) found no evidence of criminal offending after its investigation in this case. The Privacy Commissioner said its inquiries were also continuing...



