Posts by Matthew Poole
Last ←Newer Page 1 2 3 4 5 Older→ First
-
OnPoint: MSD's Leaky Servers, in reply to merc,
I wonder if when they took the kiosks offline they bumped up staff numbers to cope?
Herald article I saw yesterday said that wasn't going to be happening.
-
Breaking news, from Mr Boyle:.
Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data’s recommendations on security.
IOW, the testers found things and were ignored.
-
OnPoint: MSD's Leaky Servers, in reply to lynne walker,
can you be a bit more explicit, I need it spelt out, don’t believe what exactly
The blame-shifting in those two articles. Don't believe everything you read. More will come out.
-
OnPoint: MSD's Leaky Servers, in reply to SteveH,
I think Matthew’s point here is simply that MSSQL tends to be configured to use Windows authentication so if you have access to a sufficiently privileged Windows account (as seems to be the case here), then you have access to the database. Most other database systems are configured to use with their own authentication schemes.
Exactly. Thank you. If you have access to a domain admin account you can gain full access to MSSQL on a server that is a member of (or trusts the admins of) the domain. Other databases, largely, don't have that integration. MSSQL is quite capable as a DB server, but it's awfully vulnerable if your domain access gets compromised.
-
OnPoint: MSD's Leaky Servers, in reply to Hebe,
Boyle on TV was adamant no spillover into other government departments/ministries
I'm not inclined to disbelieve that, TBH. Mr Blogger's anonymous allegations above don't really mesh with how government agencies are structured.
-
OnPoint: MSD's Leaky Servers, in reply to duke,
Without breaking a confidence, don't believe everything you read.
-
OnPoint: MSD's Leaky Servers, in reply to Ross Mason,
the security on PDFs from the Govt has improved out of sight since we discovered the “blacked out” bits were being made inaccessible by changing the font to white
ROFL. That's awesome. It's as good as some of the boo-boos from the US where classified material was released to the public with juicy details "redacted" and it turned out the redaction was simply the application of a wide black line as another layer to the document. Remove the line et voila, classified information freely available. They've smartened up since then, and there's a market for software to manage release of sensitive documents to ensure it can't happen, but these things are funny when they do happen.
-
OnPoint: MSD's Leaky Servers, in reply to Rich of Observationz,
*All* mainstream databases (MSSQL, Mysql, Oracle, Postgres) are vulnerable to a user gaining access to the data files or even the backups.
Of course, hence my comment about someone writing down access credentials and storing them on the network. However, a database that's not backed by MSSQL/Windows doesn't grant instant access if you manage to get yourself domain admin access. It's probably not going to show up in My Network Places, and it's certainly not going to bend over and spread wide just because you're God to the network's Microsoft systems (unless someone's doing something extraordinarily silly with single-sign-on, and I just don't see that kind of cl00 emanating from MSD).
-
It just gets better. The Herald is reporting:
The kiosks were introduced in late 2010 and trialled for about a year before a network of 700 was introduced around New Zealand.
That opens the window of compromise to two years, assuming this flawed implementation was present in the original.
ETA: And there are 700 possible points of compromise.
-
OnPoint: MSD's Leaky Servers, in reply to duke,
Let’s not get carried away. I’ll also bet the core CRM app is not directly affected by this issue (we hope).
No, it's probably not, but depending how the back-end is accessed...
Though arguably if Admin passwords were compromised a skilled hacker could go nutts; he’d still need physical access to the network and a machine and a fair bit of quite private nerd time.
OK, I'll put it like this. I've seen a demonstration of a security tester going from accessing a Citrix application to having full domain administrator rights within 15 minutes. They started off with no credentials for the network that hosted the app they were testing (as part of the test they were just given a networked machine and a local login). I will never, ever rule out someone levering physical access to a networked machine all the way into domain administrator access. And if the firewall was truly a VM, and an attacker could break in, they could take all the time in the world safe in the knowledge they could hide the evidence by changing what was logged.