Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




4974 posts

Uber Geek
+1 received by user: 105

Trusted

Topic # 98169 25-Feb-2012 09:48
Send private message

So hackers got into McCully's Xtra email account because of his strong password - NOT. Probably the name of his dog or something.

While apparently nothing major security wise was discovered apart from some emails which might prove embarrassing for him the next time he meets some senior Chinese officials, it raises bigger questions.

First of all, it's a known policy in government departments that one should not forward emails to private accounts That is a major breach of security.  Emails between Govt departments are always encrypted through the SEEMAIL (which is at least 128 or 256 bit encryption) service and forwarding them removes all that security, not to mention the vulneralbilty of ISP based email.

When asked by the PM about this breach Key's comment was just as lacking. He noted that his Minister travels often and needs to keep up with email while out of the country.  This is hardly an excuse for forwarding mail to an Xtra account.

I would imagine that most Govt deparments have the ability for staff to access email remotely, either via a mobile device like a Blackberry, iPhone or Android phone that would work anywhere Internet access is available. If not then something like Outlook Web Access or some sort of SSL based VPN.  If DPMC cannot provide a secure remote email facility for ministers, then one wonders about the IT capability of that department.

As an aside I seem to recall in the last Govt Maurice Williamson was so attached to his iPad that he insisted there was a way for him to get his Parliament email on the device. I presume he did it without having to forward mail to Xtra!

I read somewhere Obama was so attached to his BB that, while it's a convention that the President doesn't do email on a mobile device (apparently Bush gave up his BB for his time in office), he insisted he keep it and the appropriate folks developed an entire secure infrastructure for him to do it.

While I am not suggesting that we would need such high tech security for our MP's, we should at least provide some of remote access facility that most other Govt departments routinely make available to their staff and perhaps if heightened security is important, have the infrastructure audited by GCSB.

BB are approved by GCSB and while not the flavour of the month anymore, it must be better than the alternatives.




System One: Popcorn Hour A200,  PS3 SuperSlim, NPVR and Plex Server running on Gigabyte Brix (Windows 10 Pro), Sony BDP-S390 BD player, Pioneer AVR, Raspberry Pi running Kodi and Plex, Panasonic 60" 3D plasma, Google Chromecast

System Two: Popcorn Hour A200 ,  Oppo BDP-80 BluRay Player with hardware mode to be region free, Vivitek HD1080P 1080P DLP projector with 100" screen. Harman Kardon HK AVR 254 7.1 receiver, Samsung 4K player, Google Chromecast

 


My Google+ page 

 

 

 

https://plus.google.com/+laurencechiu

 

 


Create new topic
BDFL - Memuneh
61777 posts

Uber Geek
+1 received by user: 12432

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 586569 25-Feb-2012 10:09
Send private message

lchiu7: When asked by the PM about this breach Key's comment was just as lacking. He noted that his Minister travels often and needs to keep up with email while out of the country.  This is hardly an excuse for forwarding mail to an Xtra account.


If he needed to read his government email while away he could easily use any mobile device with remote management capabilities, so the IT folks could easily encrypt, erase, lock any device if it is lost.

Using a private email for government business is incredibly dumb and unsafe.

If they used something like Exchange and rights management they could easily set policies to prevent secure messages to be forwarded to anyone outside the server.

Where is our government security communications bureau when it's needed?

A shame. A shame.
 




4717 posts

Uber Geek
+1 received by user: 2201

Trusted
Subscriber

  Reply # 586635 25-Feb-2012 13:05
Send private message

freitasm:

Where is our government security communications bureau when it's needed?
 
 


Helping keep America safe from file sharing, of course. 




iPad Air + iPhone SE + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.


 
 
 
 


BDFL - Memuneh
61777 posts

Uber Geek
+1 received by user: 12432

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 586638 25-Feb-2012 13:19
Send private message


4974 posts

Uber Geek
+1 received by user: 105

Trusted

  Reply # 586923 26-Feb-2012 13:55
Send private message

Getting back on topic I think we agree that GCSB need to focus more on internal security issues with NZ Govt departments than the risk of what some guy who is hosting a file shareing site might pose!




System One: Popcorn Hour A200,  PS3 SuperSlim, NPVR and Plex Server running on Gigabyte Brix (Windows 10 Pro), Sony BDP-S390 BD player, Pioneer AVR, Raspberry Pi running Kodi and Plex, Panasonic 60" 3D plasma, Google Chromecast

System Two: Popcorn Hour A200 ,  Oppo BDP-80 BluRay Player with hardware mode to be region free, Vivitek HD1080P 1080P DLP projector with 100" screen. Harman Kardon HK AVR 254 7.1 receiver, Samsung 4K player, Google Chromecast

 


My Google+ page 

 

 

 

https://plus.google.com/+laurencechiu

 

 


gzt

10310 posts

Uber Geek
+1 received by user: 1582


  Reply # 587579 27-Feb-2012 21:18
Send private message

An utterly inane "Cyber Warfare - Special Report" on One News tonight.

Leading with Murray McCully's email and the Solid Energy hack, then 'the war on terror', 'attacks on computer systems that run our country' - with a list of targets. Favorite quote: (some poor guy forced to answer silly questions) an attack "could render that country temporarily useless".

The report also says GCSB is a "key part of the international echelon working to prevent online attacks and espionage" - with a nice shot of something that looks like Waihopi. And - if you are doing online shopping you can do more to prevent these attacks.

Special report at 26:45 in this stream - http://tvnz.co.nz/one-news/2012-02-27-video-4744355

136 posts

Master Geek
+1 received by user: 15
Inactive user


  Reply # 588203 29-Feb-2012 10:22
Send private message

just wondering how one successfully hacks a telecom account, because if you enter the wrong password 8 times the account is locked down for 12 hours.

BDFL - Memuneh
61777 posts

Uber Geek
+1 received by user: 12432

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 588205 29-Feb-2012 10:26
Send private message
136 posts

Master Geek
+1 received by user: 15
Inactive user


  Reply # 588213 29-Feb-2012 10:40
Send private message

freitasm: Brute force attempts is just one method, there are many others involving social engineering for example.



but after 8 attempts the account is locked down, so no matter what method a person uses, telecom system locks an account for 12 hours after 8 password failures.

BDFL - Memuneh
61777 posts

Uber Geek
+1 received by user: 12432

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 588216 29-Feb-2012 10:45
Send private message

That would be true on a brute force attack. But using social engineering, someone could have contacted his PA, with a story like "here is such person and I need the password for..." and it could have happened. Or the password could have been on a blackboard behind the PA as a reminder, or... anything.

That way there would be only one attempt, no more.

 




4717 posts

Uber Geek
+1 received by user: 2201

Trusted
Subscriber

  Reply # 588217 29-Feb-2012 10:45
Send private message

alienwithin:
freitasm: Brute force attempts is just one method, there are many others involving social engineering for example.



but after 8 attempts the account is locked down, so no matter what method a person uses, telecom system locks an account for 12 hours after 8 password failures.


Mauricio is suggesting that perhaps you might be able to convince someone to just tell you the password, or set it for you, so you never have to guess. This is how most hacks happen in real life.




iPad Air + iPhone SE + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.


4717 posts

Uber Geek
+1 received by user: 2201

Trusted
Subscriber

  Reply # 588220 29-Feb-2012 10:48
Send private message

freitasm: That would be true on a brute force attack. But using social engineering, someone could have contacted his PA, with a story like "here is such person and I need the password for..." and it could have happened. Or the password could have been on a blackboard behind the PA as a reminder, or... anything.

That way there would be only one attempt, no more.

 


SNAP! 




iPad Air + iPhone SE + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.


136 posts

Master Geek
+1 received by user: 15
Inactive user


  Reply # 588221 29-Feb-2012 10:48
Send private message

i dont know but i just get the impression these emails were leaked out of the department and not hacked.

gzt

10310 posts

Uber Geek
+1 received by user: 1582


  Reply # 588295 29-Feb-2012 13:08
Send private message

Is there a link to the original emails anywhere ?








4974 posts

Uber Geek
+1 received by user: 105

Trusted

  Reply # 588344 29-Feb-2012 14:23
Send private message

alienwithin: i dont know but i just get the impression these emails were leaked out of the department and not hacked.
]


According to the press reports some outside outfit hacked the mail and boasted about it. It was no a leak.




System One: Popcorn Hour A200,  PS3 SuperSlim, NPVR and Plex Server running on Gigabyte Brix (Windows 10 Pro), Sony BDP-S390 BD player, Pioneer AVR, Raspberry Pi running Kodi and Plex, Panasonic 60" 3D plasma, Google Chromecast

System Two: Popcorn Hour A200 ,  Oppo BDP-80 BluRay Player with hardware mode to be region free, Vivitek HD1080P 1080P DLP projector with 100" screen. Harman Kardon HK AVR 254 7.1 receiver, Samsung 4K player, Google Chromecast

 


My Google+ page 

 

 

 

https://plus.google.com/+laurencechiu

 

 


Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.