Geekzone: technology news, blogs, forums


freitasm
#237987 27-Jun-2018 21:55

Interesting story on Stuff: Z Energy security breach, but this is the part that is really bad:

A Z spokesperson initially told Stuff Circuit they did not want to be interviewed, saying "yes, our Z card online system was taken down for a period whilst we made some improvements and changes. But it is now back up and running and we don't really have any more to add on this".

But after being told Stuff Circuit had more information, they eventually agreed for CEO Mike Bennetts to be interviewed, and, confronted with evidence, he admitted the company was not aware of the extent of the problem.

The Z Card Online vulnerability meant any member of the public could access accounts simply by changing the account number in the site's URL.

Bennetts said when initially alerted to the vulnerability the company sought experts to determine whether the system had been compromised.

"To the best of our ability to determine that, it had not been."

But on Wednesday, when shown screenshots obtained by Stuff Circuit of Z's own account details, Bennetts admitted the problem was far greater than Z knew.

The screenshot shows accounts under Z Energy Limited, and includes details of car registration numbers and drivers. It also appears to give access to PIN numbers and the ability to suspend accounts.

"We apologise for not actually responding to this appropriately, given what we knew at the time, and we assure [customers] that the steps that we took were reasonable as we knew at the time. We took advice from outside parties, experts in this matter, as well as government agencies about how to deal with this matter. And each step of the way we were advised we were doing the right thing."

When asked whether it seemed extraordinary that all the experts Z had engaged didn't identify the compromise found by a member of the public, he said, "Yes it's certainly very, very disappointing and I apologise to our customers about that. This is clearly something that was missed and we're very sorry about that".

It's a question of liability. When NZ companies are fined for data and privacy breaches they will pay attention.
amanzi
#2045059 27-Jun-2018 22:16
Just listened to the interview too - really poorly handled. In summary, his response was: "There was no breach. But even if there was, we fixed it straight away. But even if we didn't fix it, it wasn't that bad." But in the end he had no choice but to apologise.
UHD
#2045102 27-Jun-2018 23:24
"The Z Card Online vulnerability meant any member of the public could access accounts simply by changing the account number in the site's URL."
You have to be joking. I can't think of a single decent web framework where something like this wouldn't require re-implementing auth completely to enable this behaviour.
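The flaw the quoted sentence describes is an insecure direct object reference: the server takes the account number from the URL and never checks that the logged-in user owns it. As an added illustration (not Z's code; the account records, user names and handler names are constructed), a minimal handler in the vulnerable shape beside one that enforces object-level authorization and records denied attempts for detection:

```python
# Added illustration of the flaw described above, not Z Energy's code.
# Account records and session users below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Account:
    number: str          # the identifier that appeared in the URL
    owner: str           # login that legitimately owns this account
    vehicles: list = field(default_factory=list)
    pin: str = ""

ACCOUNTS = {
    "1001": Account("1001", "alice", ["ABC123"], pin="4321"),
    "1002": Account("1002", "bob", ["XYZ789"], pin="8765"),
}

DENIED_ACCESS_LOG = []   # what a defender wants to see in the audit trail

class Forbidden(Exception):
    pass

class NotFound(Exception):
    pass

def vulnerable_view(session_user, account_number):
    """Checks only that *someone* is logged in, then trusts the URL parameter.
    Any authenticated user can read any account by changing account_number."""
    if session_user is None:
        raise Forbidden("login required")
    acct = ACCOUNTS.get(account_number)
    if acct is None:
        raise NotFound(account_number)
    return {"number": acct.number, "vehicles": acct.vehicles, "pin": acct.pin}

def hardened_view(session_user, account_number):
    """Authenticates the caller and verifies the referenced account is theirs."""
    if session_user is None:
        raise Forbidden("login required")
    acct = ACCOUNTS.get(account_number)
    # Same response for "no such account" and "not your account", so the
    # endpoint cannot be used to enumerate which account numbers exist.
    if acct is None or acct.owner != session_user:
        # Record the attempt: a burst of these from one session is the
        # signal that someone is walking the account-number space.
        DENIED_ACCESS_LOG.append((session_user, account_number))
        raise NotFound(account_number)
    # The PIN is a credential, not profile data; never echo it in a read.
    return {"number": acct.number, "vehicles": acct.vehicles}
```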


michaelmurfy
#2045105 27-Jun-2018 23:28
UHD:

"The Z Card Online vulnerability meant any member of the public could access accounts simply by changing the account number in the site's URL."

You have to be joking. I can't think of a single decent web framework where something like this wouldn't require re-implementing auth completely to enable this behaviour.

I think the thread may have been removed off here (or my google-fu is weak tonight) given how bad it was but Vodafone had a similar thing happen last year with My Vodafone: https://securitybrief.co.nz/story/vodafone-nz-customer-finds-major-loophone-my-vodafone-system/

But yes, pretty bad this time around also.
Andib
#2045142 28-Jun-2018 08:03
michaelmurfy:

I think the thread may have been removed off here (or my google-fu is weak tonight) given how bad it was but Vodafone had a similar thing happen last year with My Vodafone: https://securitybrief.co.nz/story/vodafone-nz-customer-finds-major-loophone-my-vodafone-system/

But yes, pretty bad this time around also.

Yep, first thing that came to mind after seeing this is that it's the same type of breach as the My Vodafone portal had. I wonder how many other NZ businesses have the same flaw?
Coil
#2045144 28-Jun-2018 08:05
Vodafone did this a few months ago with Red stack mobile. 


OwenWatson
#2045295 28-Jun-2018 11:10
At least they are not trying to shoot the messenger a la Keith Ng. It would be great if the source could name the external experts: they must be lying very low at the moment.


stinger
#2045346 28-Jun-2018 11:50
OwenWatson:

At least they are not trying to shoot the messenger a la Keith Ng. It would be great if the source could name the external experts: they must be lying very low at the moment.

And now we receive an e-mail from Ticketmaster that there is a security incident: https://security.ticketmaster.co.nz




freitasm
#2045751 28-Jun-2018 19:50
From InternetNZ, "InternetNZ weighs in on Z Energy data breach":

InternetNZ believes the Z Energy data breach provides a useful lesson for them, and other organisations.

Ben Creet, Policy Manager at InternetNZ and author of New Zealand's guidelines for security vulnerability disclosure says, "Once the media get involved in a security breach like Z Energy have had, there has been a failure of processes to disclose and fix a vulnerability."

Firstly, this is a data breach. That's why it's important that the Privacy Bill and its mandatory data breach reporting regime is enacted. New Zealand needs to collectively lift its game when data breaches happen. The default position should be to tell your customers when a breach occurs.

If people are finding vulnerabilities and data breaches in New Zealand organisations' websites and services, you should report to CERT NZ. They are the experts and have the mana to get an organisation's attention. You can report a vulnerability to CERT here: https://www.cert.govt.nz/it-specialists/guides/reporting-a-vulnerability/

Additionally, we think that more New Zealand organisations should have their own vulnerability disclosure policies. The New Zealand Internet Task Force released guidelines about how to report, and receive information about, security problems in 2013: http://www.nzitf.net.nz/pdf/NZITF_Disclosure_Guidelines_2014.pdf

We run a disclosure policy for the .nz registry (here) and organisations like SkyTVVend and even the Office of the Privacy Commissioner have their own policies to encourage reporting directly to their security experts.

InternetNZ will be reaching out to Z Energy on how they can implement a disclosure framework so that vulnerabilities are identified and fixed in a safe, collaborative, timely manner.
Rikkitic
#2045754 28-Jun-2018 20:04
This kind of thing, which seems to happen quite a lot, is one reason I prefer to pay cash. Some people may think that is quaint, but at least I don't have to worry about my identity being stolen and passed around the world for every kind of shady dealing imaginable.
vulcannz
#2045986 29-Jun-2018 12:07
freitasm:

Interesting story on Stuff: Z Energy security breach, but this is the part that is really bad:

It's a question of liability. When NZ companies are fined for data and privacy breaches they will pay attention.

Yes, our privacy and data breach laws are a joke.

Makes you wonder what Z's PCI-DSS compliance looks like too.

Was the site development outsourced offshore?


sbiddle
#2045989 29-Jun-2018 12:20
Now they seem to be inferring it was the NCSC that told them not to go public. https://www.stuff.co.nz/national/stuff-circuit/105105403/z-energy-data-breach-minister-clare-curran-alerted-last-year

Z has revealed it sought assistance from the Government's National Cyber Security Centre about dealing with the vulnerability.

It says it was the advice of cyber experts which led to it not telling customers what was really going on.

"Cyber security experts strongly advised against talking about this publicly as a data privacy issue due to additional publicity increasing the risk of cyber security threats," says a spokesperson.

amanzi
#2046010 29-Jun-2018 12:52
sbiddle:

Now they seem to be inferring it was the NCSC that told them not to go public. https://www.stuff.co.nz/national/stuff-circuit/105105403/z-energy-data-breach-minister-clare-curran-alerted-last-year

Z has revealed it sought assistance from the Government's National Cyber Security Centre about dealing with the vulnerability.

It says it was the advice of cyber experts which led to it not telling customers what was really going on.

"Cyber security experts strongly advised against talking about this publicly as a data privacy issue due to additional publicity increasing the risk of cyber security threats," says a spokesperson.

Hmmm.... someone's not telling the whole story...


vulcannz
#2046012 29-Jun-2018 12:55
LOL publicity from additional threats? Only if you think your security is so rubbish it can't handle a few kiddies handling a poke around.
More likely the question would be "do we have to tell?" - and the answer is "nope".
