Geekzone: technology news, blogs, forums
2915 posts

Uber Geek
+1 received by user: 414

Trusted
Subscriber

  Reply # 701583 15-Oct-2012 16:33

KiwiNZ: [removed on request]



Really?  freitasm, is KiwiNZ coming from an MSD IP address?  Because he seems to be claiming to have special insight into this case that I can't imagine anyone bar MSD IT having.

KiwiNZ, you claim several things that simply do not ring true.  For a start, that anything was being done to segment these kiosks from the corporate network.  This cannot be true, because it's just not that hard.  Stick the kiosks on a new VLAN.  Connect that VLAN to the internet via a TMG server with multiple NICs (or Squid if that's your thing).  Job done.  They could do this in a day, so unless they're actually thoroughly incompetent, there's no excuse.  Not that incompetence is an excuse either of course.

You also claim to be fully aware of the seriousness of the situation, while also claiming that this is somehow a bad thing.  This is just absolute madness - the fact that someone, for example an abusive parent, can go rifle through the CYFS case files to find out where a child has been placed in protective custody is not just "serious", it's actually a clear and present danger.  The ONLY course of action acceptable in this case is to take them offline.  The inconvenience to a few beneficiaries absolutely doesn't hold a candle to that.

You also make some pretty in-depth claims about MSD's access and auditing policy that unless you actually work for or with MSD you could not possibly know for certain.

And really, calling the CEO would be a waste of time.  The CEO isn't going to know what you're talking about because it's not their job.  The CIO likely wouldn't give you the time of day, and the lower level staff would be equally useless.  And yes, I do work in government.




I finally have fibre!  Had to leave the country to get it though.
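The segmentation the post above sketches (kiosks on their own VLAN, reaching the internet only through a proxy), as an added example that is not from this thread or from MSD: a minimal squid.conf for the egress proxy. It assumes the kiosk VLAN is 10.50.0.0/24, the proxy's address on that VLAN is 10.50.0.1, and the permitted browsing list lives in /etc/squid/kiosk-allowed-domains.txt (all constructed placeholders).

```conf
# Added example, not the thread's or MSD's configuration.
# Squid listens only on its kiosk-VLAN interface (constructed address).
http_port 10.50.0.1:3128

# Source: the kiosk VLAN (constructed range).
acl kiosks src 10.50.0.0/24

# Only plain web ports; CONNECT tunnels only to 443.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Corporate / private address space the kiosks must never reach through the proxy.
acl corp_net dst 10.0.0.0/8
acl corp_net dst 172.16.0.0/12
acl corp_net dst 192.168.0.0/16
acl corp_net dst 127.0.0.0/8

# Allow-list of public sites kiosk users may browse (placeholder file, one domain per line).
acl allowed_sites dstdomain "/etc/squid/kiosk-allowed-domains.txt"

# Evaluation order matters: deny rules first, then the single allow, then default deny.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny corp_net
http_access allow kiosks allowed_sites
http_access deny all

# Every kiosk request is logged, which gives the audit trail the thread says was missing.
access_log /var/log/squid/kiosk-access.log squid
```

These ACLs only hold if the VLAN's router or firewall also drops everything from 10.50.0.0/24 except TCP 3128 to the proxy; a proxy cannot restrain a kiosk that can still route directly to the corporate network.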


Phil Gale
1107 posts

Uber Geek
+1 received by user: 44

Trusted
Red Jungle
Subscriber

  Reply # 701592 15-Oct-2012 16:38

If previously made aware of the issue, I also cannot fathom any other response other than shutting down the Kiosks immediately. Anything else is negligent.




Red Jungle: we make fantastic software



Awesome
4760 posts

Uber Geek
+1 received by user: 1040

Trusted
Subscriber

  Reply # 701596 15-Oct-2012 16:44

Kyanar: The ONLY course of action acceptable in this case is to take them offline. 


+1 and at the very least. This level of access could equally be available to others/all users with access to the corporate network, or heck - if things are that open, who is to say a rogue staff member hasn't plugged a wireless router into the network somewhere and parks their car outside at night sucking down data.

MSD needs to go through a full and thorough independent security audit immediately.




Twitter: ajobbins


3287 posts

Uber Geek
+1 received by user: 1735

Trusted
Spark NZ

  Reply # 701608 15-Oct-2012 16:59

KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N


What does this tag do
841 posts

Ultimate Geek
+1 received by user: 154

Subscriber

  Reply # 701609 15-Oct-2012 16:59

It will be very interesting to see what happens here. I think the journalist needs to be charged; obviously the charges could easily be dropped, but left without a response it encourages any old Joe Blogger to be poking around at the other thousands of insecure systems in NZ. There was no need for him to go public on his blog with this information as the first course of action; it comes across as a bit of self promotion.
On the other hand, it is a stupid mistake that someone has made and I can understand the desire to expose that and hopefully scare everyone into thinking more about security.

1092 posts

Uber Geek
+1 received by user: 112

Trusted
Subscriber

  Reply # 701611 15-Oct-2012 17:01

KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Wow.
Public user kiosk has (had) access to Income Support files, CYF files and Benefit Crime units files did they not?

My opinion is that securing this very sensitive information far outweighs ensuring that the public has access to those kiosks. To suggest otherwise (by saying it's a bad thing) brings up a whole new set of questions for me...



3287 posts

Uber Geek
+1 received by user: 1735

Trusted
Spark NZ

  Reply # 701613 15-Oct-2012 17:03

KiwiNZ:
Talkiet:
KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said: "however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




I know you didn't EXPLICITLY say it, but you've been making darn sure everyone gets the impression you know a lot about the internal runnings... The way you worded your statement makes it seem very plausible that it was what you were suggesting (note I said suggesting, not stating).

Cheers - N


Amanzi
784 posts

Ultimate Geek
+1 received by user: 46

Trusted
Subscriber

  Reply # 701615 15-Oct-2012 17:06

KiwiNZ:
Talkiet:
KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said: "however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




You still don't grasp the seriousness of the matter! If the MSD network staff knew about the issue, their only course of action would be to take them offline immediately and then start fixing the issue. Not leave the vulnerability open while they spend a week or two fixing it. Wow, I'm stunned by your responses, and am now convinced you must work for the MSD IT department.

3287 posts

Uber Geek
+1 received by user: 1735

Trusted
Spark NZ

  Reply # 701622 15-Oct-2012 17:08

KiwiNZ: [snip]

See how judgement and conclusions can be so wrong when one is only using what is rumour and speculation. A definite downside to forums etc.


So what then? You don't have any internal knowledge and you were totally just speculating that the IT staff may have been already trying to fix stuff? That totally doesn't gel with your earlier comments where you seem pretty sure you know more about this than anyone else on Geekzone.

Cheers - N


3287 posts

Uber Geek
+1 received by user: 1735

Trusted
Spark NZ

  Reply # 701635 15-Oct-2012 17:19

KiwiNZ: [snip]

Yes I was speculating to prove a point, sheesh, think laterally. Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


Sorry, I assumed you had some sort of inside knowledge when you have been saying things like

KiwiNZ:I can assure you I am fully aware of the seriousness and consequences of what is happening probably more so than anyone currently involved with this thread.


Mind you, I shouldn't really have believed that as anyone that actually had inside knowledge of this would have to be UNBELIEVABLY secure in their professional capacity to comment on it in this forum unless officially authorised.

Cheers - N


Awesome
4760 posts

Uber Geek
+1 received by user: 1040

Trusted
Subscriber

  Reply # 701636 15-Oct-2012 17:19

KiwiNZ: Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


We do know enough about the situation to categorically say that if anyone inside of MSD knew about this, or even suspected it, the ONLY acceptable course of action would be to IMMEDIATELY take all kiosks offline until an investigation was done and any security flaws identified and fixed.

If your suggestion (whether speculation or not) that MSD might have been 'fixing this in the background' was true, then all involved should be sacked. Again, if they even suspected this issue the ONLY reasonable action is to take those clients offline immediately.




Twitter: ajobbins


1332 posts

Uber Geek
+1 received by user: 152
Inactive user


  Reply # 701637 15-Oct-2012 17:24

KiwiNZ:
Talkiet:
KiwiNZ: OK you all seemed to misunderstand what I was saying about the switch off of the Kiosks. Of course turning them off now is the prudent action to take, however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients, something the attacker has now made impossible. The result is the clients will be without the service until fixed, all for the sake of someone's 15 minutes.


Are you really suggesting that IT staff were aware of this massive security and privacy risk, and KNOWINGLY allowed it to carry on for at least WEEKS!?!?

That's almost as good a story as the original one.

Cheers - N



Not what I said: "however what I was saying is that posters here had no idea if MSD Network staff were trying to fix the issue in the last weeks without disrupting the service to clients,"

In other words what was going on in the background is not in the public arena.




My reply to that is that the network staff likely had no idea that someone who wasn't from the media wasn't accessing the network and downloading files they should not have access to. What MSD got was a news story, it could have been so much worse. Think Anonymous leaking entire databases and server configurations.

3287 posts

Uber Geek
+1 received by user: 1735

Trusted
Spark NZ

  Reply # 701639 15-Oct-2012 17:25

KiwiNZ: [snip]

Waiting until the reviews have been done is the correct process.


All that's been said notwithstanding, this is correct.

It's bad enough that this level of privacy breach was trivially available*. I would really hope that, as has also been suggested, the MOMENT someone internal became aware of it they moved heaven and earth to have access removed immediately.

Cheers - N

* - Assuming what the media has reported is even approximately accurate.

Amanzi
784 posts

Ultimate Geek
+1 received by user: 46

Trusted
Subscriber

  Reply # 701641 15-Oct-2012 17:28

KiwiNZ: it's possible to hack a Bank terminal or intercept an Eftpos terminal so those should all be immediately taken offline.


Nice trolling...

3287 posts

Uber Geek
+1 received by user: 1735

Trusted
Spark NZ

  Reply # 701645 15-Oct-2012 17:31

KiwiNZ:
ajobbins:
KiwiNZ: Again what I was saying is NO one in this conversation will know what was happening in the background but are certainly prepared to judge without the knowledge.

Waiting until the reviews have been done is the correct process.


We do know enough about the situation to categorically say that if anyone inside of MSD knew about this, or even suspected it, the ONLY acceptable course of action would be to IMMEDIATELY take all kiosks offline until an investigation was done and any security flaws identified and fixed.

If your suggestion (whether speculation or not) that MSD might have been 'fixing this in the background' was true, then all involved should be sacked. Again, if they even suspected this issue the ONLY reasonable action is to take those clients offline immediately.


it's possible to hack a Bank terminal or intercept an Eftpos terminal so those should all be immediately taken offline.


If anyone could walk up to them, and without any form of authorisation or proper audit trail, get access to detailed bank records of thousands of other customers, then yes.

Oh, they can't? Nah, leave them on then.

Cheers - N

