OnPoint by Keith Ng

Read Post

OnPoint: MSD's Leaky Servers

629 Responses

First ←Older Page 1 2 3 4 5 26 Newer→ Last

  • Jackson James Wood,

    Ninja.

    New Zealand • Since May 2011 • 21 posts Report Reply

  • Mellopuffy,

    Holy crapola. Word.

    Dunedin, NZ • Since Feb 2007 • 63 posts Report Reply

  • ange wither,

    I'm really shocked to read this, its appalling that information about vulnerable people is so freely available. Good on you Keith for drawing attention to this situation. Happy to support independent journalism.

    Wellington • Since Nov 2006 • 54 posts Report Reply

  • Scott A,

    Holy shit.

    I'm also aghast at the implication that any WINZ / MSD staff member can see sensitive information held by another unit. Have they no concept of information security? Do they not care that there have been prosecutions of their staff for committing fraud based on the internal information, and still done nothing to do basic folder / directory security?

    The wilds of Kingston, We… • Since May 2009 • 133 posts Report Reply

  • Thomas Beagle,

    Crimes Act s252 (1) "Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system."

    Did you get any legal advice before a) breaching the security of the MSD systems, b) putting up this post?

    New Zealand • Since Nov 2007 • 50 posts Report Reply

  • Yamis,

    Astonishing.

    Since Nov 2006 • 903 posts Report Reply

  • Ben Curran,

    You got a response from WINZ on a Sunday?

    That was the 2nd thought that occurred, after the obligatory wtf?

    Since May 2011 • 47 posts Report Reply

  • Indy Griffiths,

    I'm worried about how short the administrator passwords are. It almost looks like they're the same as the registered owner, altiris.

    New Zealand • Since Oct 2012 • 1 posts Report Reply

  • Chris Miller,

    Thomas, I would love to see them go after him for this. LOVE TO. He may well have technically broken the law but public opinion if they tried to charge him for it could get very messy.

    And yeah, I've seen statistics that suggest a significant amount if not the majority of benefit fraud is committed by MSD staff, so the fact that the staff can access this stuff is pretty horrifying in and of itself.

    Otautahi, Aotearoa • Since Nov 2011 • 17 posts Report Reply

  • Tristan,

    I'm pretty sure I know why this happened... Some bright spark decided because people had to print this CVs they had to be on the network.

    Now why that data wasn't locked down tighter than the safe at the nakatomi plaza is anyones guess. I expect this will be big news thanks to ACC

    ...yippie kaiay mother fucker

    Auckland • Since Nov 2006 • 221 posts Report Reply

  • Ben Gracewood,

    A) What Thomas said. My immediate reaction is "wow Keith you could end up in a lot of trouble". Bravo!

    B) I'm sadly not very surprised. I'm surprised the kiosks can see the data, but I'm not surprised by the shitty internal security. These departments spend hours and millions making sure their users can't access Twitter, but couldn't give a crap if a file server is one click away from unauthorized access.

    Orkland • Since Nov 2006 • 168 posts Report Reply

  • nzlemming,

    Fucking. Hell.

    I cannot believe this. This is sysadmin 101. What the fuck were they thinking?

    My experience with VMs is limited but I think the data you show is significant, especially the clear text password. Without command line or explorer access, I think you'd have had difficulty launching them but you could possibly have copied them to a large enough USB key for off-site study. But FFS their firewall is a virtual server on the corporate network??? Surely not!

    Mind blown.

    Well done you.

    Waikanae • Since Nov 2006 • 2937 posts Report Reply

  • Nigel McNie, in reply to Thomas Beagle,

    Thomas, don't be silly. He asked the servers if they would give him the information and they said 'OK!'

    New Zealand • Since Oct 2012 • 15 posts Report Reply

  • Chris Miller, in reply to Nigel McNie,

    Agree Nigel, I don't know that you can really call it breaching the servers! He went to the File menu of a public computer and clicked Open File. Mega hax there. If he wasn't supposed to have it, surely they wouldn't have put it there, as I'm sure plenty of lawyers would argue.

    Otautahi, Aotearoa • Since Nov 2011 • 17 posts Report Reply

  • Robyn Gallagher,

    They contained sound recordings which I couldn't open, but which I suspect (for various reasons) are NOT complete recording of calls.

    When you phone the W&I call centre, there's always a message that says calls may be recorded "for our purposes". I assume those sound files are the result of such a recording. I'm still very intrigued to know what these 'purposes' are.

    BTW, you know what's almost as scandalous as this network sharing issue? The W&I kiosks block access to Google Docs/Drive, which surely is an extremely valuable tool for a job seeker with no home computer.

    Since Nov 2006 • 1946 posts Report Reply

  • Ben McNicoll,

    I just hope someone somewhere has still got the cover your ass email/memo where they pointed this lack of security out years ago but were told the solutions were too expensive.

    Grey Lynn • Since May 2007 • 115 posts Report Reply

  • Andre Alessi,

    I don't think there are enough /facepalm gifs in the world to express my feelings right now.

    I mean, I've worked in some sloppy/cack-handed corporate IT environments in my time, but this...

    Devonport, New Zealand • Since Nov 2006 • 864 posts Report Reply

  • Ben McNicoll,

    And also, someone ask Bradley Ambrose if he thinks the govt would need a cut and dry case before sicking the cops onto Keith out of embarrasment and the need to shoot the messenger.

    I think it would be a PR disaster, so I hope you don't mind that I'm kind of rooting for them to give it a shot, Keith.

    I'll donate a little bit more to your legal fund if they do though.

    Grey Lynn • Since May 2007 • 115 posts Report Reply

  • danielpresling,

    Wow! In theory you could have copied the hyper-v folders and stood them up with very little effort on any other machine. I'd like to assume they have some form of encryption on the network/virtual disks to stop that happening but it appears that's not the case.

    This is IT security 101. You can have them all connected to the corporate network (although why you wouldn't have them in their own workgroup/domain is beyond me) you just make sure the user account associated to the kiosk machines can't see anything other than itself and a printer. The fact that the network and it's shares are open internally is extremely poor work on the sys admins behalf.

    If I'm not mistaken the kiosk machines have full access to the internet too which could be exploited pretty easily. As I'm typing I realise that this is probably how the files were copied off the machine.

    Auckland • Since Nov 2006 • 6 posts Report Reply

  • mark taslov,

    牛逼

    Te Ika-a-Māui • Since Mar 2008 • 2281 posts Report Reply

  • nzlemming, in reply to mark taslov,

    Really?

    Waikanae • Since Nov 2006 • 2937 posts Report Reply

  • James Harden, in reply to Robyn Gallagher,

    Phone recordings are used for quality assurance, training and in investigations of complaints or fraud. It's pretty much as you'd expect from any call centre. Remember, you are entitled to request a copy of a recording of you via the Privacy Act.

    Since Oct 2012 • 1 posts Report Reply

  • mark taslov, in reply to nzlemming,

    For sure.

    Te Ika-a-Māui • Since Mar 2008 • 2281 posts Report Reply

  • Chris Miller, in reply to James Harden,

    Or from the WINZ kiosk, apparently.

    Otautahi, Aotearoa • Since Nov 2011 • 17 posts Report Reply

  • danielpresling,

    From the NBR article this evening it states - "A security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after. " - so in theory someone has looked at these kiosks twice (at least) and thought they were all good.

    Auckland • Since Nov 2006 • 6 posts Report Reply

First ←Older Page 1 2 3 4 5 26 Newer→ Last

Post your response…

Please sign in using your Public Address credentials…

Login

You may also create an account or retrieve your password.