Ministry of Social Development security woes

Forums › IT Pro and developers › Ministry of Social Development security woes

1 | ... | 3 | 4 | 5 | 6 | 7 | 8 | 9

BDFL - Memuneh
80658 posts

Uber Geek
+1 received by user: 41072

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#702059 16-Oct-2012 13:58

Perhaps because neither have experience of knowledge of how security vulnerabilities should be reported to the interested parties, since they are not in the security scene?

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

ajobbins

5053 posts

Uber Geek
+1 received by user: 1279

Trusted

#702062 16-Oct-2012 14:00

Kyanar: Immediate disclosure on a high traffic blog without warning is NOT responsible, ethical, or professional. And before you ask, no I'm not defending MSD either. I'm probably the most likely person you'll meet to criticize every move they make (more so under a National government), but that doesn't excuse the fact that neither Bailey nor Ng acted with any sense of ethics or professionalism in this case.

How is it not responsible, ethical or professional?

Twitter: ajobbins

Kyanar

4089 posts

Uber Geek
+1 received by user: 1684

ID Verified

Trusted

#702063 16-Oct-2012 14:01

freitasm: Perhaps because neither have experience of knowledge of how security vulnerabilities should be reported to the interested parties, since they are not in the security scene?

Ng put Bailey in touch with an "experienced hacker", so he has access to someone who is, and therefore should have known better.

freitasm

BDFL - Memuneh
80658 posts

Uber Geek
+1 received by user: 41072

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#702065 16-Oct-2012 14:02

Good point.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Kyanar

4089 posts

Uber Geek
+1 received by user: 1684

ID Verified

Trusted

#702067 16-Oct-2012 14:04

ajobbins:

How is it not responsible, ethical or professional?

Are you really asking that? It's obvious - there's a vulnerability with a pretty high chance of being of a severe nature, and rather than disclosing it to the affected party with a deadline for public disclosure, they disclosed it to them at the same time as disclosing it to the general public - malicious individuals included. Great way to get hits to your site, but it's a serious breach of ethics. It's also highly unprofessional and incredibly irresponsible.

gzt

18689 posts

Uber Geek
+1 received by user: 7827

Lifetime subscriber

#702070 16-Oct-2012 14:12

Kyanar: Immediate disclosure on a high traffic blog without warning is NOT responsible, ethical, or professional.

To cut a long story short and removing conditionals - I completely agree.

But even so - you are confusing the long history of ethics in professional journalism with Responsible Disclosure.

Dell

Shop now for Dell laptops and other devices (affiliate link).

ajobbins

5053 posts

Uber Geek
+1 received by user: 1279

Trusted

#702072 16-Oct-2012 14:15

Kyanar: Are you really asking that? It's obvious - there's a vulnerability with a pretty high chance of being of a severe nature, and rather than disclosing it to the affected party with a deadline for public disclosure, they disclosed it to them at the same time as disclosing it to the general public - malicious individuals included. Great way to get hits to your site, but it's a serious breach of ethics. It's also highly unprofessional and incredibly irresponsible.

You keep saying it's 'a breach of ethics', 'highly unprofessional', 'irresponsible' etc, but you don't actually quantify why.

They disclosed it at a time when the public couldn't access the kiosks - mitigating any risk that disclosure would cause people to use the exploit, they consulted with a lawyer and the privacy commissioner before releasing the information and have been fully co-operative ever since.

It's pretty clear to me that MSD were not going to take this issue with the seriousness this deserves until it was in the public domain.

If full disclosure was made to MSD prior to release, what I suspect would have happened would be they would have gone straight to a judge for a a gag order - and the journalist involved probably knows this.

Twitter: ajobbins

ajobbins

5053 posts

Uber Geek
+1 received by user: 1279

Trusted

#702074 16-Oct-2012 14:21

gzt: But even so - you are confusing the long history of ethics in professional journalism with Responsible Disclosure.

The biggest issue with Responsible Disclosure, and the reason I don't think it is an appropriate response in this instance, is that it exists to allow time for the problem to be fixed, without putting the details into the public domain (Where the exploit could then be used).

In this instance the data available was so incredibly sensitive that the ONLY response was to immediately and shut the kiosks down.

Adding a time delay should not have changed the response to this incident. Effectively, the time needed for them response is zero. Someone making the order 'shut them down', so a time delay for would just be for the sake of a time delay.

Twitter: ajobbins

gzt

18689 posts

Uber Geek
+1 received by user: 7827

Lifetime subscriber

#702075 16-Oct-2012 14:24

By the way - I'm still not sure of all the circumstances of publication.

I have read that Ng published the story on his blog at 10pm at night. Fron what I have read these kiosks are not available to the public until Winz opens.

Ng may have considered this period adequate notice of the issue and adequate time to take these kiosks offline.

Additionally - publishing at 10pm would have been enough time to get the story in the national morning papers as well. I'm curious to hear if that happened.

freitasm

BDFL - Memuneh
80658 posts

Uber Geek
+1 received by user: 41072

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#702168 16-Oct-2012 17:18

Quite true:

"That such sensitive data was available is incredibly serious, but in my opinion the more-serious implication is that - based on what Keith could do - I believe the entire WINZ network should be treated as compromised.

What do I mean by 'fully compromised'? I mean that every server and workstation should be considered to be accessible and controllable by people who are not employees of the WINZ/MSD system administration team.

And what does that all mean? It means that every backup, all the way to when the kiosks were installed is an unknown quantity. Recovering from this isn't just a matter of fishing out the last backup tapes and reinstalling the computers.

It means reinstalling all the computers."

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

gjm

810 posts

Ultimate Geek
+1 received by user: 122

#702190 16-Oct-2012 17:47

surely all this talk of responsible disclosure is a moot point if they already knew about the issues (if that is indeed what the DiData audit found). They have had a year and a half to fix this stuff!

Do surveys for Beer money (referral link) - Octopus Group

Link for buying beer (not affiliated, just like beer) - Good George

Geekzone

Want to support Geekzone and browse the site without the ads? Subscribe to Geekzone now (monthly, annual and lifetime options).

Tockly

353 posts

Ultimate Geek
+1 received by user: 88

#702709 17-Oct-2012 22:55

"We have no reason to believe other people have separately accessed private information through our kiosks.

If however anyone has done so, I would strongly urge them to do the right thing and hand it over."

From here http://www.msd.govt.nz/about-msd-and-our-work/newsroom/media-releases/2012/kiosk-security-breach.html

So in other words... We don't know, but please give us our data back....

This is so incredibly bad that it just defies words. And the fact they knew about it for months and months and did nothing is just staggering.

StevieT

706 posts

Ultimate Geek
+1 received by user: 34

#702932 18-Oct-2012 13:50

The blogger did the right thing. Get the files and hand them over to MSD to say 'look, you have a problem'. He made them aware of it, and the public. I don't think any legal action should be taken against him. He had legitimite access to the files, and if they happened to be there, he could only assume that he was allowed to view them. Whether they were made public and WE NOT INTENDED FOR THE PUBLIC, then thats on the Ministry, not the blogger.

I should also mention that last year when I applied for the sickness benefit, the guy at his desk opened up a PDF, and the Adobe program used was rather outdated. It makes me wonder what software, and what version of the software, they use.

StevieT

706 posts

Ultimate Geek
+1 received by user: 34

#703343 19-Oct-2012 07:43

Just sent this email to Paula Bennett:

"Hi Paula,

In light of the MSD security breach, which I assume includes a review of StudyLink IT systems, I request that no information pertaining to me is on the MSD and Studylink servers ? but the continuation of StudyLink payments (loan and allowance), and disability allowance, to still take place, as well as the ability to update my profile on StudyLink?s website ? until an absolute guarantee is given to me that my information is safeguarded in accordance with principal five of the Privacy Act (http://privacy.org.nz/storage-and-security-of-personal-information-principle-five/).

Best,
Stevie"

Satire

27 posts

Geek
+1 received by user: 19

#703636 19-Oct-2012 17:00

StevieT: Just sent this email to Paula Bennett:

"Hi Paula,

In light of the MSD security breach, which I assume includes a review of StudyLink IT systems, I request that no information pertaining to me is on the MSD and Studylink servers ? but the continuation of StudyLink payments (loan and allowance), and disability allowance, to still take place, as well as the ability to update my profile on StudyLink?s website ? until an absolute guarantee is given to me that my information is safeguarded in accordance with principal five of the Privacy Act (http://privacy.org.nz/storage-and-security-of-personal-information-principle-five/).

Best,
Stevie"

Your e-mail makes little sense.

Firstly, why are you asking questions when you are apparently trying to (very poorly) issue a statement (

I request

is not how you start a question it is how you start a statement unless you are some how trying to get Paula to guess if you are actually requesting something or not)

Then what you request is utter nonsense.

You request (although, you TRIED to request as you didn't really)
* That no information about you is on studylink or MSD servers
* That the continuation of loan and allowance payments still take place (seriously, you expect this if they have no information about you?)
* That they continue to allow you to update your 'profile' (when you asked they keep no information on you ? seriously, do you even know what you are saying?)
* You want all of this to continue until they can guarantee that they comply with the law with respect to privacy and instead of quoting the legislation you quote a third party website.

And this doesn't go into the legalities of whether by putting the kiosk there and allowing anyone opening a file/open dialogue to access the information WINZ were not expressly giving permission for the general public to access your info they had stored.

Your e-mail is complete nonsense and has probably been printed out, stuck to a wall somewhere and used as an example on how NOT to write an e-mail to someone.

GG.

1 | ... | 3 | 4 | 5 | 6 | 7 | 8 | 9