Geekzone: technology news, blogs, forums




2148 posts

Uber Geek

Trusted

#255729 26-Aug-2019 14:30
2 people support this post

I'm surprised that I can't find an existing GZ thread on this given it made TVNZ One's headlines last night.

Now the following comments are my own and in no way reflect my current employer.

A couple of concerns:

  • The Ministry isn't being transparent about the issue
    • For example, where was the data being hosted and who was the external company responsible for operating the service
  • The lack of governance for this project
    • There appears to have been no security audit of a service that contains fairly critical confidential information
  • No one is being held accountable
    • and yet they've known about the issue for some time before deciding to go public.

What I'd personally like to see:

  • Security review of all NZ Govt services with a focus on data security
  • Immediate on-shoring of all NZ Govt data
  • Disclosure portal so that NZ nationals/residents can request a list of any external parties your data is being shared with
    • broken down by agency
    • for example passport data being shared for immigration purposes
    • options to opt out of data sharing

I'm personally unhappy to see my personal data being hosted offshore by Government departments, but it appears to be an increasing trend as departments move to cloud based platforms.




Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Product Manager. Still playing with MythTV and digital media on the side.


Cloud Guru
4060 posts

Uber Geek

Trusted
Snowflake
Subscriber

  #2306206 26-Aug-2019 14:39
5 people support this post

"Immediate onshoring of all NZ govt data" isn't a solution. Security can be better monitored/managed in many offshore hosted services/solutions than in many onshore options.




1243 posts

Uber Geek


  #2306210 26-Aug-2019 14:50

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under the Privacy Act.





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

 
 
 
 


655 posts

Ultimate Geek


  #2306252 26-Aug-2019 15:41

Big cloud providers are certain to have significantly better security available than small local providers who haven’t invested in specialists. This breach illustrates this perfectly.




BlinkyBill


1243 posts

Uber Geek


  #2306261 26-Aug-2019 15:52
One person supports this post

Yeah, the only guys I'd trust in NZ for cloud like this would be Catalyst.

edit:// Govt Depts also have the ISM, which is a pretty good framework for this under the PSR. I doubt the root cause of this issue is lacking policy but lacking implementation. https://www.nzism.gcsb.govt.nz/





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

Will not stab you
238 posts

Master Geek

Subscriber

  #2306280 26-Aug-2019 16:16

Beccara:

 

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under privacy act

 

 

Can't the AU govt now demand the encryption keys and/or backdoors to all data stored in the AU?

 

I recall some chatter about how no data stored in the AU can be GDPR compliant.

 

https://iapp.org/news/a/australias-anti-encryption-collision-with-gdpr-sub-processing/





Recursion: See recursion.
--
“It is important not to let the perfect become the enemy of the good, even when you can agree on what perfect is. Doubly so when you can't. As unpleasant as it is to be trapped by past mistakes, you can't make any progress by being afraid of your own shadow during design.”

     --Greg Hudson, Subversion developer

7262 posts

Uber Geek

Trusted
Subscriber

  #2306282 26-Aug-2019 16:18

Not sure if I heard right, but was not the web site that gathered the info in the first place a WordPress one [rolls eyes]? If so, then not very clever.

 

Cyril


21958 posts

Uber Geek

Trusted
Lifetime subscriber

  #2306283 26-Aug-2019 16:19
2 people support this post

As a result of having no culture or heritage, thankfully I am unaffected by this :)

 

 


 
 
 
 


195 posts

Master Geek

Subscriber

  #2306308 26-Aug-2019 17:17

BuffyNZ:

 

Beccara:

 

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under privacy act

 

 

Can't the AU govt now demand the encryption keys and/or backdoors to all data stored in the AU?

 

I recall some chatter about how no data stored in the AU can be GDPR compliant.

 

https://iapp.org/news/a/australias-anti-encryption-collision-with-gdpr-sub-processing/

 

 

 

 

Yes they can, law changed Dec 2018.


Lock him up!
11397 posts

Uber Geek

Lifetime subscriber

  #2306356 26-Aug-2019 17:39

openmedia:

 

I'm surprised that I can't find an existing GZ thread on this given it made TVNZ One's headlines last night

 

 

Actually, I did start one in Politics yesterday afternoon but no-one responded.

 

 





I don't think there is ever a bad time to talk about how absurd war is, how old men make decisions and young people die. - George Clooney
 




2148 posts

Uber Geek

Trusted

  #2306406 26-Aug-2019 19:14

Regs: "Immediate onshoring of all NZ govt data" isn't a solution. Security can be better monitored/managed in many offshore hosted services/solutions than in many onshore options.

 

 

 

Except I don't want my data to be requested by the AU or US Governments without my knowledge or permission.





Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Product Manager. Still playing with MythTV and digital media on the side.


Cloud Guru
4060 posts

Uber Geek

Trusted
Snowflake
Subscriber

  #2306425 26-Aug-2019 20:01
2 people support this post

openmedia:

Regs: "Immediate onshoring of all NZ govt data" isn't a solution. Security can be better monitored/managed in many offshore hosted services/solutions than in many onshore options.


 


Except I don't want my data to be requested by the AU or US Governments without my knowledge or permission.



A lot of cloud solutions can be configured so that the keys to decrypt are only in the control of the company who buys the service. Not much AU/US can do in that situation except come at the company asking for the keys.

Your data most likely will be easier for a 3rd party to "take" in a local provider's infrastructure - where they have less money to spend on threat protections, and information protection.




1243 posts

Uber Geek


  #2306474 26-Aug-2019 21:21

If a state wants your data it will get your data no matter where it is. There's a reason security levels jump in terms of cost and manpower when your threat model is a state level actor.





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

21 posts

Geek


  #2306481 26-Aug-2019 21:31

cyril7:

 

Not sure if I heard right, but was not the web site that gathered the info in the first place a WordPress one [rolls eyes]? If so, then not very clever.

 

Cyril

 

 

I looked up the Google cache, and yes, it is (or was) a WordPress site, using the Divi drag and drop page builder, so likely built by a designer, not a developer from the look of things.

 

Even worse, looking at the source code, it looks as though it requires Flash!

 

I've seen some pretty dodgy stuff at times, probably more so from designers, but also sometimes from developers.

 

  • Using the same easily guessable password for multiple websites for the admin admin login.
  • Using WordPress with a stack of plugins, with no idea of whether they're secure or not.
  • Using libraries with known XSS vulnerabilities.
  • Sites running on HTTP instead of HTTPS even though offerings like Let's Encrypt make HTTPS trivial to implement.

I'm a bit disappointed though that the government response is now that only a limited range of suppliers will be considered in future, as this is likely to lock out small providers who do make an effort to take more care with security.

 

It can be hard enough competing with the WordPress crowd, without them giving the industry a bad name.


133 posts

Master Geek


  #2306628 27-Aug-2019 10:13
One person supports this post

https://www.reseller.co.nz/article/665671/government-mandates-use-approved-ict-providers-after-security-failure/

 

Govt Mandate on ICT providers sounds like a reasonable response. The issue isn't the hosting location, it is the people rolling it out without being competent. I think what Microsoft and Amazon are investing in their hosting is not able to be reproduced onshore in terms of the infrastructure and levels of security. But if you use Admin/Admin as the credentials to access, there's no helping you.


655 posts

Ultimate Geek


  #2306635 27-Aug-2019 10:35

The same sort of people who established the approved providers list selected the provider for this Culture and Heritage website. That is, Public Servants.




BlinkyBill

