Geekzone: technology news, blogs, forums

freitasm

BDFL - Memuneh
68841 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

#237987 27-Jun-2018 21:55

Interesting story on Stuff: Z Energy security breach, but this is the part that is really bad:

A Z spokesperson initially told Stuff Circuit they did not want to be interviewed, saying "yes, our Z card online system was taken down for a period whilst we made some improvements and changes. But it is now back up and running and we don't really have any more to add on this".

But after being told Stuff Circuit had more information, they eventually agreed for CEO Mike Bennetts to be interviewed, and, confronted with evidence, he admitted the company was not aware of the extent of the problem.

The Z Card Online vulnerability meant any member of the public could access accounts simply by changing the account number in the site's URL.

Bennetts said when initially alerted to the vulnerability the company sought experts to determine whether the system had been compromised.

"To the best of our ability to determine that, it had not been."

But on Wednesday, when shown screenshots obtained by Stuff Circuit of Z's own account details, Bennetts admitted the problem was far greater than Z knew.

The screenshot shows accounts under Z Energy Limited, and includes details of car registration numbers and drivers. It also appears to give access to PIN numbers and the ability to suspend accounts.

"We apologise for not actually responding to this appropriately, given what we knew at the time, and we assure [customers] that the steps that we took were reasonable as we knew at the time. We took advice from outside parties, experts in this matter, as well as government agencies about how to deal with this matter. And each step of the way we were advised we were doing the right thing."

When asked whether it seemed extraordinary that all the experts Z had engaged didn't identify the compromise found by a member of the public, he said, "Yes it's certainly very, very disappointing and I apologise to our customers about that. This is clearly something that was missed and we're very sorry about that".

It's a question of liability. When NZ companies are fined for data and privacy breaches they will pay attention.
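
The flaw the article describes, reading any account by changing the number in the URL, is an insecure direct object reference: the server checks that a user is logged in but never that the account named in the request belongs to that user. The example below is added here and is not Z's code. It models the "URL" as an integer path parameter so it runs without a web server, and every account number, owner, PIN, registration and session in it is made up. It shows the vulnerable lookup, the fixed lookup that scopes the query by the authenticated principal, the same check applied to the suspend action the article mentions, and a walk over adjacent account numbers that reproduces the reported attack against both versions.

```python
"""IDOR on an account lookup, and the fix.

Added example, not Z Energy's code: account numbers, owners, PINs,
registrations and sessions are constructed, and the URL parameter is
modelled as a plain integer argument so the example runs offline.
"""


class Forbidden(Exception):
    """Raised when a request may not touch the account it names."""


# Constructed account store standing in for the database behind the site.
ACCOUNTS = {
    100234: {"owner": "alice", "pin": "4821", "vehicles": ["ABC123"], "suspended": False},
    100235: {"owner": "bob", "pin": "9017", "vehicles": ["XYZ789"], "suspended": False},
    100236: {"owner": "zcorp", "pin": "5555", "vehicles": ["FLT001", "FLT002"], "suspended": False},
}


def lookup_vulnerable(session_user, account_id):
    """The reported bug: checks that someone is logged in, then trusts the
    account number taken from the URL. Any logged-in user reads any account."""
    if not session_user:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]  # no check that session_user owns account_id


def authorize(session_user, account_id):
    """Object-level check shared by every endpoint that names an account.
    The SQL shape is  SELECT ... FROM accounts WHERE id = ? AND owner = ?
    i.e. the query is scoped by the authenticated principal, not only the ID."""
    if not session_user:
        raise Forbidden("login required")
    account = ACCOUNTS.get(account_id)
    # One response for "does not exist" and "not yours", so the error cannot
    # be used to confirm which account numbers are live.
    if account is None or account["owner"] != session_user:
        raise Forbidden("no such account")
    return account


def lookup_fixed(session_user, account_id):
    return authorize(session_user, account_id)


def suspend_fixed(session_user, account_id):
    """State-changing actions need the same check as reads; the article says
    the page also exposed the ability to suspend accounts."""
    account = authorize(session_user, account_id)
    account["suspended"] = True
    return account["suspended"]


def walk_account_numbers(lookup, session_user, start, count):
    """Reproduce the attack as described: request adjacent account numbers
    and record which ones the endpoint hands back."""
    leaked = []
    for account_id in range(start, start + count):
        try:
            lookup(session_user, account_id)
        except (Forbidden, KeyError):
            continue
        leaked.append(account_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", walk_account_numbers(lookup_vulnerable, "alice", 100230, 10))
    print("fixed:     ", walk_account_numbers(lookup_fixed, "alice", 100230, 10))
```

The point of `authorize` is that ownership is part of the lookup itself rather than a check bolted on after the fetch; a framework's login middleware gives you `session_user` but nothing in it knows which account numbers that user may see, so this check has to be written by the application for every route that takes an object ID.
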
amanzi
971 posts

Ultimate Geek

Trusted

#2045059 27-Jun-2018 22:16

Just listened to the interview too - really poorly handled. In summary, his response was: "There was no breach. But even if there was, we fixed it straight away. But even if we didn't fix it, it wasn't that bad." But in the end he had no choice but to apologise.
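
The "there was no breach" claim in the interview, and Bennetts's earlier line that as far as Z could determine the system had not been compromised, is something access logs can answer if the site recorded which session fetched which account. The example below is added here and is not Z's logs or tooling: the log lines and the ownership map are constructed, and the `/zcard/account/<n>` path is assumed for illustration. It pulls out two signals, responses served for accounts the logged-in user does not own (on a server with this bug those are real exposures, not attempts), and sessions that walked many distinct account numbers, especially a run of adjacent ones, which is what editing the number in the URL looks like from the server side.

```python
"""Post-incident check for IDOR exploitation in web access logs.

Added example, not Z's logs or tooling. Log lines and ownership are
constructed; the /zcard/account/<n> path is an assumption.
"""
import re
from collections import defaultdict

# Constructed: which account numbers each login may see.
OWNERSHIP = {
    "alice": {100234},
    "bob": {100235},
    "zcorp": {100236, 100237},
}

# Constructed log, format: timestamp session user method path status.
# Session s3 is logged in as bob and walks the account number in the URL.
LOG = """\
2018-01-05T09:12:01 s1 alice GET /zcard/account/100234 200
2018-01-05T09:12:40 s2 zcorp GET /zcard/account/100236 200
2018-01-05T09:13:02 s2 zcorp GET /zcard/account/100237 200
2018-01-05T09:15:10 s3 bob GET /zcard/account/100235 200
2018-01-05T09:15:14 s3 bob GET /zcard/account/100236 200
2018-01-05T09:15:17 s3 bob GET /zcard/account/100237 200
2018-01-05T09:15:19 s3 bob GET /zcard/account/100238 404
2018-01-05T09:15:22 s3 bob GET /zcard/account/100234 200
2018-01-05T09:16:00 s1 alice GET /zcard/logout 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) /zcard/account/(\d+) (\d{3})$")


def parse_log(text):
    """Keep only requests to the account page; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, session, user, method, account, status = m.groups()
            entries.append({"ts": ts, "session": session, "user": user,
                            "method": method, "account": int(account),
                            "status": int(status)})
    return entries


def unauthorized_reads(entries, ownership):
    """Served (200) responses for accounts the user does not own. On a server
    with the bug these are the actual exposures, in log order."""
    return [(e["session"], e["user"], e["account"]) for e in entries
            if e["status"] == 200
            and e["account"] not in ownership.get(e["user"], set())]


def longest_adjacent_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    best = run = 0
    prev = None
    for i in sorted(set(ids)):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best


def enumerating_sessions(entries, min_distinct=3):
    """Sessions that touched at least min_distinct account numbers. Failed
    requests count too: a 404 on a neighbouring number is still a probe."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["session"]].add(e["account"])
    return {s: {"accounts": sorted(ids), "adjacent_run": longest_adjacent_run(ids)}
            for s, ids in seen.items() if len(ids) >= min_distinct}


if __name__ == "__main__":
    entries = parse_log(LOG)
    print(unauthorized_reads(entries, OWNERSHIP))
    print(enumerating_sessions(entries))
```

The first signal needs the ownership table and tells you exactly whose data left the building; the second needs nothing but the logs and catches enumeration even where the ownership history is incomplete. Neither works if the account number was only ever in a POST body that was not logged, which is the first thing to establish before anyone says "not compromised".
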


UHD
656 posts

Ultimate Geek
Inactive user


#2045102 27-Jun-2018 23:24

"The Z Card Online vulnerability meant any member of the public could access accounts simply by changing the account number in the site's URL."

You have to be joking. I can't think of a single decent web framework where something like this wouldn't require re-implementing auth completely to enable this behaviour.

michaelmurfy
/dev/null
9632 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

#2045105 27-Jun-2018 23:28

UHD:

"The Z Card Online vulnerability meant any member of the public could access accounts simply by changing the account number in the site's URL."

You have to be joking. I can't think of a single decent web framework where something like this wouldn't require re-implementing auth completely to enable this behaviour.

I think the thread may have been removed off here (or my google-fu is weak tonight) given how bad it was but Vodafone had a similar thing happen last year with My Vodafone: https://securitybrief.co.nz/story/vodafone-nz-customer-finds-major-loophone-my-vodafone-system/

But yes, pretty bad this time around also.





Andib
1122 posts

Uber Geek

Trusted

#2045142 28-Jun-2018 08:03

michaelmurfy:

I think the thread may have been removed off here (or my google-fu is weak tonight) given how bad it was but Vodafone had a similar thing happen last year with My Vodafone: https://securitybrief.co.nz/story/vodafone-nz-customer-finds-major-loophone-my-vodafone-system/

But yes, pretty bad this time around also.

Yep, first thing that came to mind after seeing this is that it's the same type of breach as the My Vodafone portal had. I wonder how many other NZ businesses have the same flaw?


Coil
6615 posts

Uber Geek
Inactive user


#2045144 28-Jun-2018 08:05

Vodafone did this a few months ago with Red stack mobile.


OwenWatson
60 posts

Master Geek


#2045295 28-Jun-2018 11:10

At least they are not trying to shoot the messenger a la Keith Ng. It would be great if the source could name the external experts: they must be lying very low at the moment.


stinger
628 posts

Ultimate Geek
Inactive user


#2045346 28-Jun-2018 11:50

OwenWatson:

At least they are not trying to shoot the messenger a la Keith Ng. It would be great if the source could name the external experts: they must be lying very low at the moment.

And now we receive an e-mail from Ticketmaster that there is a security incident https://security.ticketmaster.co.nz

freitasm

BDFL - Memuneh
68841 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

#2045751 28-Jun-2018 19:50

From InternetNZ "InternetNZ weighs in on Z Energy data breach"

InternetNZ believes the Z Energy data breach provides a useful lesson for them, and other organisations.

Ben Creet, Policy Manager at InternetNZ and author of New Zealand's guidelines for security vulnerability disclosure says, "Once the media get involved in a security breach like Z Energy have had, there has been a failure of processes to disclose and fix a vulnerability."

Firstly, this is a data breach. That's why it's important that the Privacy Bill and its mandatory data breach reporting regime is enacted. New Zealand needs to collectively lift its game when data breaches happen. The default position should be to tell your customers when a breach occurs.

If people are finding vulnerabilities and data breaches in New Zealand organisations' websites and services, you should report to CERTNZ. They are the experts and have the mana to get an organisation's attention. You can report a vulnerability to CERT here: https://www.cert.govt.nz/it-specialists/guides/reporting-a-vulnerability/

Additionally, we think that more New Zealand organisations should have their own vulnerability disclosure policies. The New Zealand Internet Task Force released guidelines about how to report, and receive information about security problems in 2013: http://www.nzitf.net.nz/pdf/NZITF_Disclosure_Guidelines_2014.pdf

We run a disclosure policy for the .nz registry (here) and organisations like Sky TV, Vend and even the Office of the Privacy Commissioner have their own policies to encourage reporting directly to their security experts.

InternetNZ will be reaching out to Z Energy on how they can implement a disclosure framework so that vulnerabilities are identified and fixed in a safe, collaborative and timely manner.


Rikkitic
Awrrr
12936 posts

Uber Geek

Lifetime subscriber

#2045754 28-Jun-2018 20:04

This kind of thing, which seems to happen quite a lot, is one reason I prefer to pay cash. Some people may think that is quaint, but at least I don't have to worry about my identity being stolen and passed around the world for every kind of shady dealing imaginable.

 

 







vulcannz
436 posts

Ultimate Geek
Inactive user


#2045986 29-Jun-2018 12:07

freitasm:

Interesting story on Stuff: Z Energy security breach, but this is the part that is really bad:

It's a question of liability. When NZ companies are fined for data and privacy breaches they will pay attention.

Yes, our privacy and data breach laws are a joke.

Makes you wonder what Z's PCI-DSS compliance looks like too.

Was the site development outsourced off shore?


sbiddle
29276 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

#2045989 29-Jun-2018 12:20

Now they seem to be inferring it was the NCSC that told them not to go public. https://www.stuff.co.nz/national/stuff-circuit/105105403/z-energy-data-breach-minister-clare-curran-alerted-last-year

Z has revealed it sought assistance from the Government's National Cyber Security Centre about dealing with the vulnerability.

It says it was the advice of cyber experts which led to it not telling customers what was really going on.

"Cyber security experts strongly advised against talking about this publicly as a data privacy issue due to additional publicity increasing the risk of cyber security threats," says a spokesperson.


amanzi
971 posts

Ultimate Geek

Trusted

#2046010 29-Jun-2018 12:52

sbiddle:

Now they seem to be inferring it was the NCSC that told them not to go public. https://www.stuff.co.nz/national/stuff-circuit/105105403/z-energy-data-breach-minister-clare-curran-alerted-last-year

Z has revealed it sought assistance from the Government's National Cyber Security Centre about dealing with the vulnerability.

It says it was the advice of cyber experts which led to it not telling customers what was really going on.

"Cyber security experts strongly advised against talking about this publicly as a data privacy issue due to additional publicity increasing the risk of cyber security threats," says a spokesperson.

Hmmm.... someone's not telling the whole story...


vulcannz
436 posts

Ultimate Geek
Inactive user


#2046012 29-Jun-2018 12:55

LOL publicity from additional threats? Only if you think your security is so rubbish it can't handle a few kiddies having a poke around.

More likely the question would be "do we have to tell?" - and the answer is "nope".

