OnPoint by Keith Ng

Read Post

OnPoint: MSD's Leaky Servers

629 Responses

First ←Older Page 1 2 3 4 5 26 Newer→ Last

  • BarnabyHM,

    For those unfamiliar with the departmental acronyms mentioned,

    MSD = Ministry of Social Development http://www.msd.govt.nz/
    WINZ = Work and Income New Zealand http://www.workandincome.govt.nz/
    CYFS = Child, Youth and Family Services http://www.cyf.govt.nz/

    Apart from not expanding these acronyms even once in the post, excellent work! I will now give you money.

    New Zealand • Since Oct 2012 • 1 posts Report Reply

  • Graeme Edgeler, in reply to Thomas Beagle,

    Thomas - why not include subsection (2):

    To avoid doubt, subsection (1) [i.e. offence Thomas mentions] does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.

    Although, as Keith isn't a WINZ client...

    Wellington, New Zealand • Since Nov 2006 • 3215 posts Report Reply

  • Hebe,

    Well done Keith for outing this. Absolutely fucking appalling mismanagement. Bennett must resign.

    Christchurch • Since May 2011 • 2899 posts Report Reply

  • Ben Gracewood,

    My mind is boggling at the incompetence from MSD IT in this.

    Firstly, public access (web and kiosks) should be completely sandboxed from internal sensitive data. Ideally this should be an "air gap" (no physical connection), but that's not reasonable these days, and firewalls are usually adequate.

    Secondly, assuming someone *is* inside you network, how the fuck does a regular, unprivileged account enumerate all these files and servers? Even "system" files like the virtual machine configs?

    Either the kiosk login account has system admin privileges (Domain Admin in Microsoft-speak), or EVERY unprivileged account inside MSD has the same access.

    I'm not sure which scenario is scarier.

    Orkland • Since Nov 2006 • 168 posts Report Reply

  • Mark Hansen,

    Keith, thank you for exposing this. MSD's attitude to data security is appalling. This goes to show that the MSD's internal systems are completely unfirewalled. If there were admin passwords available in plain text to a kiosk user, you have to assume that every MSD employee has access to every piece of data on every person. This is truly horrifying.

    It's going to take a lot more than just turning off the kiosks to fix this.

    Hamilton • Since May 2011 • 3 posts Report Reply

  • nzlemming,

    As Paul O'Reilly mentioned on Facebook, this is the agency that Paula Bennett wants to manage an inter-agency database of at risk kids. I don't think so...

    Waikanae • Since Nov 2006 • 2937 posts Report Reply

  • Hebe, in reply to Mark Hansen,

    It's going to take a lot more than just turning off the kiosks to fix this

    Yes. This could bring down the government. I cannot recall a bigger case of neglectful administration and betrayal of the "clients" in New Zealand politics.

    The more I think about it, the bigger the implications are: would the Justice Ministry, Police, Courts and IRD systems be compromised by this?

    Christchurch • Since May 2011 • 2899 posts Report Reply

  • nzlemming, in reply to Hebe,

    Their systems are independent, although they do share data on certain matters. I sued to work for IRD IT and the security was pretty tight then (90's). I don't imaging that's changed. From memory, even the data exchange was done on tape, when required - it wasn't on demand, though that may have changed.

    Waikanae • Since Nov 2006 • 2937 posts Report Reply

  • Hebe, in reply to nzlemming,

    Good.

    What a story; Keith is courageous; everyone must support him because the shit machine will get to work. I will be donating tomorrow.

    Christchurch • Since May 2011 • 2899 posts Report Reply

  • Keith Ng, in reply to Graeme Edgeler,

    Thomas/Graeme: Yeah, what Graeme said. That's pretty much my defence. Except that those were self-service kiosks - not restricted to WINZ clients in any way.

    Auckland • Since Nov 2006 • 543 posts Report Reply

  • Kumara Republic,

    Yes. This could bring down the government. I cannot recall a bigger case of neglectful administration and betrayal of the "clients" in New Zealand politics.

    The more I think about it, the bigger the implications are: would the Justice Ministry, Police, Courts and IRD systems be compromised by this?

    I suspect this whole thing gives the Public Service Association even more reason to say, 'we told you so!'

    The southernmost capital … • Since Nov 2006 • 5446 posts Report Reply

  • Tony Siu,

    This reminds me of my old high school in which personal and intern data was exposed like this - the "open file" in Office.

    Auckland • Since Mar 2008 • 82 posts Report Reply

  • mjb, in reply to Hebe,

    Be realistic - it's more likely that IT staff heads will roll, not Bennett or the guvmint.

    Since Oct 2012 • 1 posts Report Reply

  • Robyn Gallagher,

    Hang on.

    My jeans were torn, my hoodie was pretty ragged, and I hadn’t shaved for a week. It turned out that bloggers are remarkably good at disguising themselves as unemployed, without even trying.

    Bloody hell. That's a shitty stereotype to perpetuate in the service of an opening gag. Everyone I saw down at the Willis Street office was usually nicely dressed!

    Since Nov 2006 • 1946 posts Report Reply

  • Gerald Stevenson,

    There's a lot of useful files there, especially the virtual machine & firewall rules. Could come in handy for later compromises. This is a classic example of security through obscurity. Experience tells me though that instead of doing an audit on the overall security of their information systems and taking further responsibility, they will just sort out the kiosk computers and do some PR about how naughty it was of you to access this information. Could have been worse if someone malicious was to get in there...

    Since Oct 2012 • 1 posts Report Reply

  • John Marshall, in reply to Gerald Stevenson,

    Could have been worse if someone malicious was to get in there…

    It's entirely likely that they have. It may well be that Keith and his informant are not the only people to have experimented with these kiosks.

    Cambridge, UK • Since Nov 2006 • 3 posts Report Reply

  • Keith Ng, in reply to Robyn Gallagher,

    Bloody hell. That's a shitty stereotype to perpetuate in the service of an opening gag. Everyone I saw down at the Willis Street office was usually nicely dressed!

    I was in Newtown. Also: Ain't nothing wrong with dressing down. I do my best work terribly dressed.

    Auckland • Since Nov 2006 • 543 posts Report Reply

  • tomj,

    I was at my friend's place when I read this. I said to her cripes, listen to this, and she said "oh yeah, when I was on one of those kiosks a few months ago I did the same thing and read some internal memos by Paula Bennett about her plans for WINZ". She thought about printing some out but didn't in case someone noticed.

    Since Oct 2012 • 1 posts Report Reply

  • Jarno van der Linden,

    A year ago a Dutch IT news website ran a month-long campaign exposing privacy leaks like this from numerous Dutch companies and government organisations. They reported about one leak a day for the month. In the fallout questions were asked in parliament, new guidelines devised, IT systems overhauled, and the journalist behind the campaign got a journalist of the year award.

    So there is some hope for Keith Ng.

    Nelson • Since Oct 2007 • 82 posts Report Reply

  • Pete Sime,

    I wonder if they contracted someone to set up the terminals or did it in house.

    Dunedin • Since Apr 2008 • 171 posts Report Reply

  • John Russell,

    Amazingly terrible IT work, leading to excellent journalism. So at least there is symmetry.

    Auckland • Since Aug 2008 • 17 posts Report Reply

  • Tze Ming Mok,

    There's always the Ecuadorean Embassy, dude.

    SarfBank, Lunnin' • Since Nov 2006 • 154 posts Report Reply

  • Jerome Kerviel,

    Just out of interest this PowerPoint presentation gives you some idea of the IT infrastructure of MSD and WINZ (scroll to the bottom). It's two years old, dunno ho much has changed but at least it shows how the agencies are connected.

    http://archives.govt.nz/advice/training-and-events/previous-forum-papers-html/making-difference

    Wellington • Since Nov 2008 • 10 posts Report Reply

  • Ben Austin,

    Scary stuff, certainly worth a donation. I'll even sign a petition if Keith gets locked up on Soames Island

    London • Since Nov 2006 • 1027 posts Report Reply

  • Sam Stephens,

    Let’s be clear here that this is not simply an IT issue – this is a governance failure that goes right to the top, implicating the CEO of MSD at the very least, if not ministers as well.

    There are two possible scenarios here. Either the terminals are running as some administrative account with special privileges to access the entire network. Or there simple are no access controls. I think we can assume the latter.

    So crucial sensitive data had no access controls. We’re not talking about shoddy access controls, which would be an IT issue. We are talking no access controls, meaning that at a policy level controls have never been instituted. Meaning that, even if by omission, a decision has been made that it’s okay for all MSD staff (and anyone else with access to MSDs network) to have access to all MSD information.

    This is huge.

    United States • Since Oct 2012 • 2 posts Report Reply

First ←Older Page 1 2 3 4 5 26 Newer→ Last

Post your response…

Please sign in using your Public Address credentials…

Login

You may also create an account or retrieve your password.