Geekzone: technology news, blogs, forums


lchiu7

6470 posts

Uber Geek

Trusted

#98169 25-Feb-2012 09:48

So hackers got into McCully's Xtra email account because of his strong password - NOT. Probably the name of his dog or something.

While apparently nothing major security wise was discovered apart from some emails which might prove embarrassing for him the next time he meets some senior Chinese officials, it raises bigger questions.

First of all, it's a known policy in government departments that one should not forward emails to private accounts. That is a major breach of security.  Emails between Govt departments are always encrypted through the SEEMAIL (which is at least 128 or 256 bit encryption) service and forwarding them removes all that security, not to mention the vulnerability of ISP based email.

When asked by the PM about this breach Key's comment was just as lacking. He noted that his Minister travels often and needs to keep up with email while out of the country.  This is hardly an excuse for forwarding mail to an Xtra account.

I would imagine that most Govt departments have the ability for staff to access email remotely, either via a mobile device like a Blackberry, iPhone or Android phone that would work anywhere Internet access is available. If not then something like Outlook Web Access or some sort of SSL based VPN.  If DPMC cannot provide a secure remote email facility for ministers, then one wonders about the IT capability of that department.

As an aside I seem to recall in the last Govt Maurice Williamson was so attached to his iPad that he insisted there was a way for him to get his Parliament email on the device. I presume he did it without having to forward mail to Xtra!

I read somewhere Obama was so attached to his BB that, while it's a convention that the President doesn't do email on a mobile device (apparently Bush gave up his BB for his time in office), he insisted he keep it and the appropriate folks developed an entire secure infrastructure for him to do it.

While I am not suggesting that we would need such high tech security for our MPs, we should at least provide some sort of remote access facility that most other Govt departments routinely make available to their staff and perhaps if heightened security is important, have the infrastructure audited by GCSB.

BB are approved by GCSB and while not the flavour of the month anymore, it must be better than the alternatives.




Staying in Wellington. Check out my AirBnB in the Wellington CBD.  https://www.airbnb.co.nz/h/wellycbd  PM me and mention GZ to get a 15% discount and no AirBnB charges.


freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #586569 25-Feb-2012 10:09

lchiu7: When asked by the PM about this breach Key's comment was just as lacking. He noted that his Minister travels often and needs to keep up with email while out of the country.  This is hardly an excuse for forwarding mail to an Xtra account.


If he needed to read his government email while away he could easily use any mobile device with remote management capabilities, so the IT folks could easily encrypt, erase, lock any device if it is lost.

Using a private email for government business is incredibly dumb and unsafe.

If they used something like Exchange and rights management they could easily set policies to prevent secure messages from being forwarded to anyone outside the server.

Where is our government security communications bureau when it's needed?

A shame. A shame.
 








SaltyNZ
8218 posts

Uber Geek

Trusted
2degrees
Lifetime subscriber

  #586635 25-Feb-2012 13:05

freitasm:

Where is our government security communications bureau when it's needed?
 
 


Helping keep America safe from file sharing, of course. 




iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

 

These comments are my own and do not represent the opinions of 2degrees.


freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #586638 25-Feb-2012 13:19

Now, now. This is a conspiracy theory right there, mister. Please wait for the black helicopters to land in your backyard.








lchiu7

6470 posts

Uber Geek

Trusted

  #586923 26-Feb-2012 13:55

Getting back on topic I think we agree that GCSB need to focus more on internal security issues with NZ Govt departments than the risk of what some guy who is hosting a file sharing site might pose!






gzt
17104 posts

Uber Geek

Lifetime subscriber

  #587579 27-Feb-2012 21:18

An utterly inane "Cyber Warfare - Special Report" on One News tonight.

Leading with Murray McCully's email and the Solid Energy hack, then 'the war on terror', 'attacks on computer systems that run our country' - with a list of targets. Favorite quote: (some poor guy forced to answer silly questions) an attack "could render that country temporarily useless".

The report also says GCSB is a "key part of the international echelon working to prevent online attacks and espionage" - with a nice shot of something that looks like Waihopai. And - if you are doing online shopping you can do more to prevent these attacks.

Special report at 26:45 in this stream - http://tvnz.co.nz/one-news/2012-02-27-video-4744355

alienwithin
136 posts

Master Geek
Inactive user


  #588203 29-Feb-2012 10:22

just wondering how one successfully hacks a telecom account, because if you enter the wrong password 8 times the account is locked down for 12 hours.

freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #588205 29-Feb-2012 10:26

Brute force attempts are just one method; there are many others, involving social engineering for example.







 
 
 

alienwithin
136 posts

Master Geek
Inactive user


  #588213 29-Feb-2012 10:40

freitasm: Brute force attempts are just one method; there are many others, involving social engineering for example.



but after 8 attempts the account is locked down, so no matter what method a person uses, telecom system locks an account for 12 hours after 8 password failures.

freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #588216 29-Feb-2012 10:45

That would be true on a brute force attack. But using social engineering, someone could have contacted his PA, with a story like "here is such person and I need the password for..." and it could have happened. Or the password could have been on a blackboard behind the PA as a reminder, or... anything.

That way there would be only one attempt, no more.

 






SaltyNZ
8218 posts

Uber Geek

Trusted
2degrees
Lifetime subscriber

  #588217 29-Feb-2012 10:45

alienwithin:
freitasm: Brute force attempts are just one method; there are many others, involving social engineering for example.



but after 8 attempts the account is locked down, so no matter what method a person uses, telecom system locks an account for 12 hours after 8 password failures.


Mauricio is suggesting that perhaps you might be able to convince someone to just tell you the password, or set it for you, so you never have to guess. This is how most hacks happen in real life.






SaltyNZ
8218 posts

Uber Geek

Trusted
2degrees
Lifetime subscriber

  #588220 29-Feb-2012 10:48

freitasm: That would be true on a brute force attack. But using social engineering, someone could have contacted his PA, with a story like "here is such person and I need the password for..." and it could have happened. Or the password could have been on a blackboard behind the PA as a reminder, or... anything.

That way there would be only one attempt, no more.

 


SNAP! 






alienwithin
136 posts

Master Geek
Inactive user


  #588221 29-Feb-2012 10:48

I don't know but I just get the impression these emails were leaked out of the department and not hacked.

gzt
17104 posts

Uber Geek

Lifetime subscriber

  #588295 29-Feb-2012 13:08

Is there a link to the original emails anywhere?






lchiu7

6470 posts

Uber Geek

Trusted

  #588344 29-Feb-2012 14:23

alienwithin: I don't know but I just get the impression these emails were leaked out of the department and not hacked.


According to the press reports some outside outfit hacked the mail and boasted about it. It was not a leak.





