Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsIT Pro and developersMinistry of Social Development security woes
View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #701583 15-Oct-2012 16:33
Send private message

KiwiNZ: [removed on request]



Really?  freitasm, is KiwiNZ coming from an MSD IP address?  Because he seems to be claiming to have special insight into this case that I can't imagine anyone bar MSD IT having.

KiwiNZ, you claim several things that simply do not ring true.  For a start, that anything was being done to segment these kiosks from the corporate network.  This cannot be true, because it's just not that hard.  Stick the kiosks on a new VLAN.  Connect that VLAN to the internet via a TMG server with multiple NICs (or Squid if that's your thing).  Job done.  They could do this in a day, so unless they'are actually thoroughly incompetent, there's no excuse.  Not that incompetence is an excuse either of course.

You also claim to be fully aware of the seriousness of the situation, while also claiming that this is somehow a bad thing.  This is just absolute madness - the fact that someone, for example an abusive parent, can go rifle through the CYFS case files to find out where a child has been placed in protective custody is not just "serious", it's actually a clear and present danger.  The ONLY course of action acceptable in this case is to take them offline.  The inconvenience to a few beneficiaries absolutely doesn't hold a candle to that.

You also make some pretty in-depth claims about MSD's access and auditing policy that unless you actually work for or with MSD you could not possibly know for certain.

And really, calling the CEO would be a waste of time.  The CEO isn't going to know what you're talking about because it's not their job.  The CIO likely wouldn't give you the time of day, and the lower level staff would be equally useless.  And yes, I do work in government.



RedJungle
Phil Gale
1108 posts

Uber Geek

Trusted
Red Jungle
Subscriber

  #701592 15-Oct-2012 16:38
Send private message

If previously made away of the issue. I also cannot fathom any other response other than shutting down the Kiosks immediately. Anything else is negligent.

ajobbins
5052 posts

Uber Geek

Trusted

  #701596 15-Oct-2012 16:44
Send private message

Kyanar: The ONLY course of action acceptable in this case is to take them offline. 


+1 and at the very least. This level of access could equally be available to others/all users with access to the corporate network, or heck - if things are that open, who is to say a rogue staff member hasn't plugged a wireless router into the network somewhere and parks their car outside at night sucking down data.

MSD needs to go through a full and thorough independent security audit immediately.




Twitter: ajobbins



Talkiet
4792 posts

Uber Geek

Trusted

  #701608 15-Oct-2012 16:59
Send private message

KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that is posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result the clients will be with the service until fixed, all for the sake of someones 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N




Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

jnimmo
1097 posts

Uber Geek


  #701609 15-Oct-2012 16:59
Send private message

It will be very interesting to see what happens here, I think the journalist needs to be charged, obviously the charges could easily be dropped but left without a response it encourages any old Joe Blogger to be poking around at the other thousands of insecure systems in NZ. There was no need for him to go public on his blog with this information as the first course of action, it comes across as a bit of self promotion.
On the other hand, it is a stupid mistake that someone has made and I can understand the desire to expose that and hopefully scare everyone into thinking more about security.

dolsen
1476 posts

Uber Geek

Trusted
Lifetime subscriber

  #701611 15-Oct-2012 17:01
Send private message

KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that is posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result the clients will be with the service until fixed, all for the sake of someones 15 minutes.


Wow.
Public user kiosk has (had) access to Income Support files, CYF files and Benefit Crime units files did they not?

My opinion is that securing this very sensitive information far outweighs ensuring that the public has access to those kiosks. To suggest otherwise (by saying it's a bad thing) brings up a whole new set of questions for me...

Talkiet
4792 posts

Uber Geek

Trusted

  #701613 15-Oct-2012 17:03
Send private message

KiwiNZ:
Talkiet:
KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that is posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result the clients will be with the service until fixed, all for the sake of someones 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said "however what I was saying is that is posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




I know you didn't EXPLICITLY say it, but you've been making darn sure everyone gets the impression you know a lot about the internal runnings... The way you worded your statement makes it seem very plausible that it was what you were suggesting (note I said suggesting, not stating).

Cheers - N




Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

 
 
 
 

Free kids accounts - trade shares and funds (NZ, US) with Sharesies (affiliate link).
amanzi
Amanzi
1292 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #701615 15-Oct-2012 17:06
Send private message

KiwiNZ:
Talkiet:
KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that is posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result the clients will be with the service until fixed, all for the sake of someones 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said "however what I was saying is that is posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




You still don't grasp the seriousness of the matter! If the MSD network staff knew about the issue - their only course of action would be to take them offline immediately and then start fixing the issue. Not leave the vulnerability open while they spend a week or two fixing it. Wow - I'm stunned by your responses, and am now convinced you must work for the MSD IT department.

Talkiet
4792 posts

Uber Geek

Trusted

  #701622 15-Oct-2012 17:08
Send private message

KiwiNZ: [snip]

See how judgement and conclusions can be so wrong when one is only using what is rumour and speculation. And definite downside to forums etc. 


So what then? You don't have any internal knowledge and you were totally just speculating that the IT staff may have been already trying to fix stuff? That totally doesn't gel with your earlier comments where you seem pretty sure you know more about this that anyone else on Geekzone.

Cheers - N




Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

Talkiet
4792 posts

Uber Geek

Trusted

  #701635 15-Oct-2012 17:19
Send private message

KiwiNZ: [snip]

Yes I was speculating to prove a point, sheesh think laterally. Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


Sorry, I assumed you had some sort of inside knowledge when you have been saying things like

KiwiNZ:I can assure you I am fully aware of the seriousness and consequences of what is happening probably more so than anyone currently involved with this thread.


Mind you, I shouldn't really have believed that as anyone that actually had inside knowledge of this would have to be UNBELIEVABLY secure in their professional capacity to comment on it in this forum unless officially authorised.

Cheers - N




Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

ajobbins
5052 posts

Uber Geek

Trusted

  #701636 15-Oct-2012 17:19
Send private message

KiwiNZ: Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


We do know enough about the situation to categorically say that if anyone inside of MSD knew about this, or even suspected it, the ONLY acceptable course of action would be to IMMEDIATELY take all kiosks offline until an investigation was done and any security flaws identified and fixed.

If your suggestion (whether speculation or not) that MSD might have been 'fixing this in the background' was true, then all involved should be sacked. Again, if they even suspected this issue the ONLY reasonable action is to take those clients offline immediately.




Twitter: ajobbins

1080p
1332 posts

Uber Geek
Inactive user


  #701637 15-Oct-2012 17:24
Send private message

KiwiNZ:
Talkiet:
KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of?the?Kiosks. Of course turning them off now is?the?prudent action to take, however what I was saying is that is posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result the clients will be with the service until fixed, all for?the?sake of someones 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said "however what I was saying is that is posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




My reply to that is that the network staff likely had no idea that someone who wasn't from the media wasn't accessing the network and downloading files they should not have access to. What MSD got was a news story, it could have been so much worse. Think Anonymous leaking entire databases and server configurations.

Talkiet
4792 posts

Uber Geek

Trusted

  #701639 15-Oct-2012 17:25
Send private message

KiwiNZ: [snip]

Waiting until the reviews have been done is the correct process.


All that's been said notwithstanding, this is correct.

It's bad enough that this level of privacy breach was trivially available*, I would really hope that as as also been suggested, the MOMENT someone internal became aware of it they moved heaven and earth to have access removed immediately.

Cheers - N

* - Assuming what the media has reported is even approximately accurate.




Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

amanzi
Amanzi
1292 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #701641 15-Oct-2012 17:28
Send private message

KiwiNZ: it's possible to hack a Bank terminal or intercept a Eftpos terminal so those should all be immediately taken off line.


Nice trolling...

Talkiet
4792 posts

Uber Geek

Trusted

  #701645 15-Oct-2012 17:31
Send private message

KiwiNZ:
ajobbins:
KiwiNZ: Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


We do know enough about the situation to categorically say that if anyone inside of MSD knew about this, or even suspected it, the ONLY acceptable course of action would be to IMMEDIATELY take all kiosks offline until an investigation was done and any security flaws identified and fixed.

If your suggestion (whether speculation or not) that MSD might have been 'fixing this in the background' was true, then all involved should be sacked. Again, if they even suspected this issue the ONLY reasonable action is to take those clients offline immediately.


it's possible to hack a Bank terminal or intercept a Eftpos terminal so those should all be immediately taken off line.


If anyone could walk up to them, and without any form of authorisation or proper audit trail, get access to detailed bank records of thousands of other customers, then yes.

Oh, they can't? Nah, leave them on then.

Cheers - N




Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
View this topic in a long page with up to 500 replies per page Create new topic





News and reviews »

Air New Zealand Starts AI adoption with OpenAI
Posted 24-Jul-2025 16:00

eero Pro 7 Review
Posted 23-Jul-2025 12:07

BeeStation Plus Review
Posted 21-Jul-2025 14:21

eero Unveils New Wi-Fi 7 Products in New Zealand
Posted 21-Jul-2025 00:01

WiZ Introduces HDMI Sync Box and other Light Devices
Posted 20-Jul-2025 17:32

RedShield Enhances DDoS and Bot Attack Protection
Posted 20-Jul-2025 17:26

Seagate Ships 30TB Drives
Posted 17-Jul-2025 11:24

Oclean AirPump A10 Water Flosser Review
Posted 13-Jul-2025 11:05

Samsung Galaxy Z Fold7: Raising the Bar for Smartphones
Posted 10-Jul-2025 02:01

Samsung Galaxy Z Flip7 Brings New Edge-To-Edge FlexWindow
Posted 10-Jul-2025 02:01

Epson Launches New AM-C550Z WorkForce Enterprise printer
Posted 9-Jul-2025 18:22

Samsung Releases Smart Monitor M9
Posted 9-Jul-2025 17:46

Nearly Half of Older Kiwis Still Write their Passwords on Paper
Posted 9-Jul-2025 08:42

D-Link 4G+ Cat6 Wi-Fi 6 DWR-933M Mobile Hotspot Review
Posted 1-Jul-2025 11:34

Oppo A5 Series Launches With New Levels of Durability
Posted 30-Jun-2025 10:15








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.







RSS feeds
Main feed
Forums feed
Copyright
©2002-2025 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Affiliate links
Samsung
AliExpress
Wise
Sharesies
GoodSync
Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright