Ministry of Social Development security woes

Forums › IT Pro and developers › Ministry of Social Development security woes

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9

67 posts

Master Geek

#701848 16-Oct-2012 00:09

Apparently we have a place where cyber threats can be reported - but not by the general public it seems. They are only interested if you a government instituion or an organisation critical to national infrastructure. I would say that by the time the organisation has detected the problem the horse has already bolted.

http://www.ncsc.govt.nz/
Reporting an Incident
If you are a New Zealand government institution or a Critical National Infrastructure (CNI) organisation and you have encountered or suspect the presence of a cyber threat, please complete and return an Incident Reporting Form or speak with us directly on (04) 498-7654. All incident reports provided to the NCSC are treated in the strictest of confidence.

What are we paying these NCSC (New Zealand National Cyber Security Centre) clowns for? What do they do? How much do they cost us?

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#701881 16-Oct-2012 08:27

Please note that on request some of the posts were removed.

shadybrothers

236 posts

Master Geek

#701902 16-Oct-2012 09:33

mjb:
freitasm: And the company behind the kiosk is... Dimension Data

From DiData's NZ regional page:

....Already more than thirty agencies have joined one.govt including Department of Conservation, Ministry of Education, New Zealand Police and Department of Labour.

edit: not that that means anything really, just how embedded they are in our government agencies.

This is a WAN service. Widely known.

this is a slap in the face!

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#701912 16-Oct-2012 09:52

freitasm:
Kyanar: Really? freitasm, is KiwiNZ coming from an MSD IP address?

You know I cannot say anything about this to you - or anyone else really.

Don't worry, it was a rhetorical question, I wasn't actually expecting an answer unless he outed himself first :).

The one thing that is of interest to me - the guy who found the issue apparently called MSD and asked if they'd give him money to tell them what the issue was. MSD said "no, we don't do that" but no story indicates whether he then chose to tell them anyway - in fact Keith's blog made it look like when they said "no, we don't pay for reports" he then responded "ok, I'm in talks with a journalist" and ended communication.

The story available does NOT make him look like a good guy at all.

1080p

1332 posts

Uber Geek
Inactive user

#701922 16-Oct-2012 10:09

Why is he bad for wanting compensation? This is standard practice in many places.

davidcole

6029 posts

Uber Geek

Trusted

#701926 16-Oct-2012 10:13

1080p: Why is he bad for wanting compensation? This is standard practice in many places.

Seems very typical of the me me me attitude that prevails this country at the moment.

I think people don't like that he asked for compensation and upon being told no, didn't communicate the issue with MSD, he then left and told reporters. All very fine and good to ask.

Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight

ajobbins

5052 posts

Uber Geek

Trusted

#701929 16-Oct-2012 10:27

Google and Facebook are known for paying for information on vulnerabilities, for example

Twitter: ajobbins

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#701933 16-Oct-2012 10:33

1080p: Why is he bad for wanting compensation? This is standard practice in many places.

So what if it's standard practice in "many" places - what does that have to do with the price of fish?

MSD is not one of those places. Hence they said, "no we don't have a reward program" (somewhat understandable, considering it's taxpayer money they're disbursing). Upon doing this, rather than reporting the issue anyway (perhaps ask for a letter of acknowledgement to add to his CV as well - a government department offering thanks for finding a serious issue which put millions of people's information at risk has got to be a real good reference!) he went to a reporter and didn't tell them what the issue was. That's, to me, pretty scummy behaviour. And the "journalist" isn't much better - rather than sending MSD the details and warning them that he will release the details by a certain date whether the issue is solved or not (responsible disclosure in the infosec world) he released the details straight away, leaving them scrambling on a weekend to sort the issue.

No, he's not a good guy by any stretch of the term. Neither is MSD in this case, but that's besides the point.

ajobbins

5052 posts

Uber Geek

Trusted

#701940 16-Oct-2012 10:46

Nothing wrong with asking for payment either. This practise exists to encourage people to disclose vulnerabilities they discover. It isn't blackmail. The blogger did the right thing by going to the media - It brought appropriate focus to and accountability for the issue.

The risk was that if he didn't write the story, the issue would not have been taken as seriously (And there has already been suggestion in this thread that it was known, and wasn't taken seriously, but rather they were 'trying to fix it' without having to take the kiosks offline.)

Twitter: ajobbins

BlueShift

1692 posts

Uber Geek

#701990 16-Oct-2012 11:39

The Ministry of Social Development has appointed Deloittes to review its computer network security, the Ministry's Chief Executive, Brendan Boyle, said today.

The review will happen in two phases. The first will deal with the immediate issue regarding the security of our public kiosks. Deloittes will look at what happened, how secure information was able to be accessed, and will determine why it happened and what steps we need to take to ensure it can't happen again.

The second phase will involve a broader look at security across all the Ministry's IT systems, including policies, governance and culture. This second phase will take longer and more work needs to be done on the scope of this part of the review.

We received a report from Dimension Data in April 2011, which identified flaws in our system. We will be asking Deloittes to determine what we did to follow up this report?s recommendations and whether our response was adequate. Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data?s recommendations on security. I will look to the review to provide me with the answers.

I can confirm that KPMG was not engaged to penetration test our public kiosks. They have, however, been engaged in doing testing on other parts of our system.

Our immediate aim is to resolve any security problems and restore public confidence in our systems,? Mr Boyle said.

ETA: My bolding, but the whole thing is revealing. Press release from MSD: http://www.msd.govt.nz/about-msd-and-our-work/newsroom/media-releases/2012/deloittes-appointed-to-review-network-security.html
See also: http://www.stuff.co.nz/national/politics/7821061/MSD-concedes-Winz-security-failure

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#701996 16-Oct-2012 11:51

Holy cow, Batman. "We received a report from Dimension Data in April 2011, which identified flaws in our system."

April 2011 - October 2012 and nothing done.

Great work there. First because a report was generated, obviously costing money. Second because no action based on that report seems to have been taken.

I also like "The second phase will involve a broader look at security across all the Ministry's IT systems, including policies, governance and culture."

If there's one thing they need to change is the internal culture. We already know they don't give a damn to some important issues...

gzt

17104 posts

Uber Geek

Lifetime subscriber

#701998 16-Oct-2012 11:54

Kyanar: The one thing that is of interest to me - the guy who found the issue apparently called MSD and asked if they'd give him money to tell them what the issue was. MSD said "no, we don't do that"

If he (Bailey) had called and asked "Do you have a bug bounty?" and left it at that - there would still be questions but the situation would be a lot clearer.

By the way do we know exactly what he asked? Probably not.

Kyanar: but no story indicates whether he then chose to tell them anyway - in fact Keith's blog made it look like when they said "no, we don't pay for reports" he then responded "ok, I'm in talks with a journalist" and ended communication.

If his (Bailey) intention was malicious he could have let many people know and it would have been a free for all or he could have published the information to the web anonymously to be picked up by people who would misuse it before anyone knew.

Instead he contacted a journalist to tell the story. That is a responsible move. A journalist (in the trained sense) is a professional with a code of ethics. Either way - Ng appears to have acted professionally. The journalist obtained legal advice and contacted the privacy commission before publishing. It is unclear so far if the journalist notified MSD directly or indirectly or did not give thought to this at all but no doubt it was consistent with his legal advice. He published at 10pm and the kiosks were not available until Winz opened the following morning.

gzt

17104 posts

Uber Geek

Lifetime subscriber

#702008 16-Oct-2012 12:04

Our immediate aim is to resolve any security problems and restore public confidence in our systems, Mr Boyle said.

This press release should have included mention of releasing the report in full. Without that the public will not gain confidence.

The full review mentioned should also be released when it is complete.

Both will be released anyway because someone will request them under the Official Information Act. In the meantime the MSD is not doing anything much to increase public confidence.

BlueShift

1692 posts

Uber Geek

#702013 16-Oct-2012 12:09

ajobbins: Nothing wrong with asking for payment either. This practise exists to encourage people to disclose vulnerabilities they discover. It isn't blackmail. The blogger did the right thing by going to the media - It brought appropriate focus to and accountability for the issue.

The risk was that if he didn't write the story, the issue would not have been taken as seriously (And there has already been suggestion in this thread that it was known, and wasn't taken seriously, but rather they were 'trying to fix it' without having to take the kiosks offline.)

According to the MSD themselves, they were made aware of the problem long ago and chose to ignore it.
I think that more than vidicates the original leaker and Keith Ng's decision to go public.

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#702057 16-Oct-2012 13:48

gzt:

Instead he contacted a journalist to tell the story. That is a responsible move. A journalist (in the trained sense) is a professional with a code of ethics. Either way - Ng appears to have acted professionally. The journalist obtained legal advice and contacted the privacy commission before publishing. It is unclear so far if the journalist notified MSD directly or indirectly or did not give thought to this at all but no doubt it was consistent with his legal advice. He published at 10pm and the kiosks were not available until Winz opened the following morning.

No, not at all. The professional method of dealing with knowledge of a vulnerability is to provide complete details of the method to the responsible party (MSD in this case) and a deadline by which details will be released, regardless of whether the issue is fixed. In the majority of cases, this deadline is actually very short (sometimes a matter of only days) in order to force the issue.

Immediate disclosure on a high traffic blog without warning is NOT responsible, ethical, or professional. And before you ask, no I'm not defending MSD either. I'm probably the most likely person you'll meet to criticize every move they make (more so under a National government), but that doesn't excuse the fact that neither Bailey nor Ng acted with any sense of ethics or professionalism in this case.

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9