Posts by nzlemming


  • OnPoint: The Source, in reply to papango,

    The New Zealand National Cyber Security Centre is an actual thing

    Which is here and is hosted inside the GCSB...

    Waikanae • Since Nov 2006 • 2937 posts

  • OnPoint: MSD's Leaky Servers, in reply to Sacha,

    Probably with Insouciance.


  • OnPoint: MSD's Leaky Servers, in reply to SteveH,

    It's not that MSSQL is bad in this case, it's just more integrated.

    Yep. The fact that it's a piece of crap is just icing on the cake! :-p


  • OnPoint: MSD's Leaky Servers, in reply to Lucy Bailey,

    Well, Brendon Boyle was the head of the E-government unit back in 2000 and seems to have done his best to integrate departments when he was CEO of Internal Affairs and was integrating 8 Auckland councils, when he integrated the National Library, Archives etc, when he presided over the creation of LINZ, and in his most recent incarnation as GCIO. He does seem to like IT integration and appears to have been advising the govt on how to do so.

    Yes, he was my boss back then, he's not actually a bad bloke, for all that he's a Southlander. I don't envy him his day today.

    Actually, what he had to do as CE of DIA was absorb two departments (National Library and Archives NZ); LINZ existed before he was CE there (he went there from E-government); much of the Auckland Council activity was handled outside of DIA's workstream with the transition authority; and I think the GCIO role defaulted to the CE at DIA after Laurence Millar was let go. Prior to that, it was a lower level policy position at SSC, until the ICT unit that had grown up around e-government (now ict.govt.nz) was transferred to DIA. They're still working through a number of issues with those mergers.

    Sharing of IT resources makes sense. That's not what this was about. This was about not securing data, which is a whole different kettle of fish. There's a whole lot to get upset about with this cockup without trying to find a conspiracy around Boyle.


  • OnPoint: MSD's Leaky Servers, in reply to Russell Clarke,

    Trying to get the buggers to link up in any way was what the E-government Unit was supposed to do and we were singularly unsuccessful in that.


  • OnPoint: MSD's Leaky Servers, in reply to TracyMac,

    I can't see how it would be anything to do with the kiosk image. I mean, sure, the fact the USB was unlocked is a concern from a workstation security point of view (viruses, anyone?), but may have been a requirement for other reasons.

    If it was an actual built-for-purpose kiosk, you'd be correct. What it is, though, is an instance of Windows which has been customised by having certain options "removed". But you can't actually remove Windows Explorer - it's integral to the operation of the OS and applications rely on it. So they've just removed immediate desktop access to Explorer (not to be confused with Internet Explorer).

    These are not simple terminals from which you can browse an intranet, or the jobs listings. They are workstations that have been installed with a full OS. It will have been set up once by an administrator, copied to a disk image and deployed by sending that image to each of the physical workstations, which will then be rebooted.

    The hole will be related to what account is used to run the kiosk, whether that was baked in at installation time or (mis)configured later.

    If the sysadmin set the original machine up using her own account, her privileges may well have been inherited by the 'kiosk' image.

    ETA: if they used a domain admin-type account or something over-elevated to join the computer to the domain or similar, which wasn't subsequently changed, that's where the kiosk installation could be relevant. Still an account issue.

    It always was an account issue, due to it being about access to machines and files. The question is whether the kiosks are operating off an admin account, or whether all accounts that aren't personally allocated to staff have this sort of access.


  • OnPoint: MSD's Leaky Servers, in reply to duke,

    I'm guessing the former. Someone made a big mistake on the template Kiosk image.

    That's my guess as well. Plus they were probably connected to the network to make bulk updating easier for the admins.


  • OnPoint: MSD's Leaky Servers, in reply to Karen Adams,

    Keith's investigation did not touch case files. What he found was (what should be) mundane administration material, plus the odd security no-no - okay, lots of security no-no's.

    I want to reassure you, but I can't. If invoices contained identifying material for an individual, then there is some risk.


  • OnPoint: MSD's Leaky Servers, in reply to cognitive_hazard,

    Concur. Hadn't thought it through to that point but, in hindsight, should have picked it up when I saw that screenshot of the VM info.

    Fuck.


  • OnPoint: MSD's Leaky Servers,

    Keith, do you know how widespread the knowledge of this is? You said you were alerted to it by someone else, and tomj mentions his friend knew about it. RadioNZ have just mentioned a memo of a risk over a year ago.

