#WTFMSD: "Damning"

11:37 Nov 2, 2012 68

"Damning" was actually the word used in the MSD press release:

MSD Chief Executive Brendan Boyle says the report is damning around MSD's failure to separate public kiosks from a network containing corporate files.

And it is. The Dimension Data security review of the kiosks came out, and as expected, they were crystal bloody clear:

The most pressing security issue discovered is the lack of network separation of segregation within the environment... This introduces an inherent level of risk as it could allow for a member of the public to gain access to MSD network resources and services. Physical network separation is strongly recomended, and the current solution should not be deployed into a production environment before network separation is achieved.

The problem was listed as "Urgent".

So where are we now? Four "employment investigations" are under way. Boyle refused to say anything about these people, so we don't know their seniority or the nature of their roles. But he did make clear that the decisions didn't get escalated properly - i.e. Senior managers weren't involved. He also said that it simply "dropped off the radar" - that it wasn't a matter of cost-cutting, it was a matter of WTF.

So basically, there is no explanation of why they ignored DiData's report. Hopefully we'll find out more once those "employment investigations" are completed and the second phase of the report comes out.

MSD has also ring-fenced the breach: That although 1432 documents contained personal information, they only contained "highly-sensitive" information about 10 people. It's worth noting that many of those documents contained tens of names. I'd estimate that more than 10,000 individuals were identified in those documents.

Many of those would have been MSD contractors, with pay rates, hours etc. It's private, but not terribly sensitive. Reasonable people can disagree about whether that's a big deal or not. But other names, such as individuals being investigated by the Benefit Fraud Unit or the MSD Intelligence Unit, were also deemed not highly sensitive. That's a big call.

Full report here, via NBR.

UPDATE: Some speculation. The email to MSD from Kay Brereton (the beneficary advocate) describes the problem as:

...was able to access info which gave him the "names" of all the computers on the network

By the time the time it got to MSD, this was described as:

...was able to access the IP addresses (you will know better than I what this means) for all the PC's including staff PC's in the office

Printers were also mentioned.

The original description of the problem sounds exactly like being able to map network drives and seeing the names of all the computers on the network. And you can map network resources through the printer dialogue (let me know if I'm wrong about this).

UPDATE 2: My understanding is that there's no audit trail to determine *who* accessed information, but that there *were* network logs. Boyle talked about not finding any "download patterns" - i.e. People leeching large volumes of data, like I did. That seems like a reasonable way to detect intrusion, unless it was someone who covered their own tracks (in which case no audit trail would help).

68 responses to this post

First ←Older Page 1 2 3 Newer→ Last

Sacha, 11:51 Nov 2, 2012

The MSD media release (and another link to the full report at bottom).

Ak • Since May 2008 • 19745 posts Report
Bart Janssen, 11:59 Nov 2, 2012

But he did make clear that the decisions didn’t get escalated properly
It is a failure of management if the staff below do not feel it is possible or appropriate to pass information of this kind upwards.
It is simply poor leadership.

Auckland • Since Nov 2006 • 4461 posts Report
Hebe, 12:09 Nov 2, 2012

Manners! Mr Boyle seems to have forgotten to say thank you to Keith and Ira. he at least owes them a good dinner on the Winz entertainment account: if they hadn’t pursued the story the potential for his own job being threatened would have been huge.As it is, I can see a great big bulge under that carpet - as John Holley says in the post below..

Christchurch • Since May 2011 • 2899 posts Report
John Holley, 12:11 Nov 2, 2012

The report focuses on privacy when the bigger whole of government issue is the potential cascade of security breaches. The analysis of this seems to be entirely missing.
The MSD network was wide open for months and to assume that other people (domestic and foreign) did not gather material or utilises authentication trust relationships is just plain sticking your head into the sand. As Matthew Poole stated, you have to assume the entire MSD network is compromised. Logs won't necessarily show breaches as anyone trying to gain information, if they knew what they were doing, would be utilising trusted access e,g. accounts/passwords/trust relationships.
If the MSD network is assumed to be compromised then so are any other networks with trust relations with the MSD network and so on... the security breach cascade effect. For some, the MSD network could have just been the gateway into other Govt orgs that they were seeking to gain information from.
This is the biggest security breach in NZ Govt history but unfortunately everyone is focusing on the privacy breaches.

Auckland • Since Nov 2006 • 143 posts Report
Sacha, in reply to John Holley, 12:13 Nov 2, 2012

unfortunately everyone is focusing on the privacy breaches
exactly as intended. #spin

Ak • Since May 2008 • 19745 posts Report
Keith Ng, in reply to John Holley, 12:22 Nov 2, 2012

The report focuses on privacy when the bigger whole of government issue is the potential cascade of security breaches. The analysis of this seems to be entirely missing.
It's true. Not a conspiracy though - I just don't know what the story is. With the invoices, I can tell you how many invoices are contained on the servers, what they contained and what significance it has.
But the security context? True, it has the potential to compromise everything everywhere. But there are probably vulnerabilities elsewhere that has the same potential. The consequences are somewhere between nothing and everything, and I don't know what to do with that.

Auckland • Since Nov 2006 • 543 posts Report
Rich of Observationz, in reply to John Holley, 12:28 Nov 2, 2012

I'm not sure where the root of this idea lies, but wonder that Deloittes might have picked up if there was actually any compromise of production Active Directory files and the like. I'm suspecting it's a bit of a red herring.

Back in Wellington • Since Nov 2006 • 5550 posts Report
izogi, 12:33 Nov 2, 2012

From MSD behind that NBR link and on Scoop: "Investigations have determined that there is no evidence that the Kiosk breach went beyond that of Keith Ng and his associate Ira Bailey."
Am I correct in assuming that this statement only addresses the specific breach by Keith and Ira, and not the potential for earlier undiscovered breaches by the same technique, or other data that was available but not accessed by either of them?
Without MSD categorically stating otherwise I'd totally believe there's no reliable auditing of potential security breaches given how the rest of the thing was set up, hence a "lack of evidence", but there have been plenty of scattered forum posts here and elsewhere from people claiming they saw it ages ago but steered clear of reporting it. It still seems very plausible to me that others may have accessed and made their own bulk copies of everything available on the network with malicious intent and we'd be none-the-wiser.

Wellington • Since Jan 2007 • 1142 posts Report
James George, 12:36 Nov 2, 2012

Easy solution Mr Ng, be like winz and play it down. See Deloittes only recommend kicking a few junior IT staff out of their expensive to obtain (if as yet unpaid for) careers.
The poor fuckers who will cop the shellacking will have chosen to ignore the security warnings not from negligence, but for the simple reason that was the only option available to them in circumstances where they were under orders to deliver n kiosks for x dollars.
This report can hardly be described as independant given that a big chunk of Deloitte's revenue comes from Wellington senior public servants' desire for 'outside inquiries' which reliably report that said senior public servants were innocent of all allegations of incompetency and mendacity, further any bad apples were well down the pecking order.

Since Sep 2007 • 96 posts Report
Idiot Savant, in reply to izogi, 12:37 Nov 2, 2012

The Deloittes report makes it clear that there's no auditing or logging. So their claim that there were no other breaches is pulled from their arse. I wonder how much they got paid for that?

Palmerston North • Since Nov 2006 • 1717 posts Report
Roger Lacey, 12:44 Nov 2, 2012

“In the meantime I can confirm that at this stage four employment investigations are being undertaken by an independent barrister."
Are they going to fire the whole IT department?

Whatakataka Bay Surf Club… • Since Apr 2008 • 148 posts Report
James George, 12:45 Nov 2, 2012

@izogi Yeah even the herald report pretty much admitted that the only breaches the report considered were those of Bailey & Ng, with a passing reference to the 'consumer advocate' who warned them last year.
Every Winz regional office (do they still call them that?) would have had their own local area network which was compromised to varying extents depending on what that regional office chose to make available on its LAN. Some may have been more secure than those Bailey and Ng visited and some may have been a whole lot less and opened a door to the 'crown jewels', the national benefits database, even the national identity card database, aka NZ driver's license.

Since Sep 2007 • 96 posts Report
Rich of Observationz, 12:50 Nov 2, 2012

Anyways, I'm of the view that this kind of issue could happen in just about every organisation* I've ever dealt with or heard of, especially, but not exclusively, in New Zealand.
The financiers (whether government or private owners) don't want to spend money. The management don't want to understand "techy stuff". The techs can't communicate upward or outward.
The result is that every project either comes to a dead stop (which can create its own scandal, if high profile enough) or gets dragged into service with a burden of compromise and expedient. That compromise might be that it crashes under load, makes life difficult for the users, or has some kind of security hole.
(Example: I was in the bank the other day. To calculate mortgage repayments, they use CICS. That's not just software from the first half of the history of computing, it's from the first third. It's like AirNZ still operating Zeppelins. Obviously there have been many, many projects to improve the calculation of compound interest, but all have failed to achieve the importance/return/profile to surmount the bureaucracy).
* with the possible exception of military organisations where the systems/data are identified as of security importance. And their approach was often around stuff like putting the hard disk back in a locked safe after you finished with it.

Back in Wellington • Since Nov 2006 • 5550 posts Report
nzlemming, 12:54 Nov 2, 2012

The original description of the problem sounds exactly like being able to map network drives and seeing the names of all the computers on the network. And you can map network resources through the printer dialogue (let me know if I'm wrong about this).
I think your take is correct.
Did the Terms of Reference get published? Because Ira and Keith didn't "breach" anything. They walked in through an open door. The "breach" was in the design. As I/S says, Deloittes are making this stuff up, because they can't know about any breaches if no logging exists.

Waikanae • Since Nov 2006 • 2937 posts Report
Lucy Stewart, in reply to Bart Janssen, 12:54 Nov 2, 2012

It is a failure of management if the staff below do not feel it is possible or appropriate to pass information of this kind upwards.
It is simply poor leadership.
It's also a failure of procedure. Good security protocols should not allow urgent security breaches to not be passed up immediately. Whether they are acted on is still probably going to be subject to somewhat arbitrary decision-making, but it shouldn't be possible for them to just not be reported (at least, without someone actively choosing to not do their job.)

Wellington • Since Nov 2006 • 2105 posts Report
James George, 12:55 Nov 2, 2012

Sorry to 'daisy chain' but all sorts of ideas are flicking up, not least of which is that we thought at first this was an Active Directory issue. An Active Directory is the method of setting tasks, access and privileges in networks that feature windows server technology, but it may be that winz offices are just conglomerations of independant free-standing PCs with no real control over who acesses what. In other words privacy breaches are the default as every worker can access every other worker's product through shared directories.

Since Sep 2007 • 96 posts Report
Martin Lindberg, in reply to Rich of Observationz, 12:58 Nov 2, 2012

or has some kind of security hole.
(Example: I was in the bank the other day. To calculate mortgage repayments, they use CICS.
I dare you to find a security hole in CICS ;-)

Stockholm • Since Jul 2009 • 802 posts Report
Sacha, in reply to Rich of Observationz, 13:09 Nov 2, 2012

It's like AirNZ still operating Zeppelins.
you clearly haven't met their reservations mainframe. :)

Ak • Since May 2008 • 19745 posts Report
BenWilson, 13:10 Nov 2, 2012

BTW, good on you, Keith, for trying to find out how Bailey was outed to Sleazy Slater. And good luck.
I love how "no evidence of other breaches" can be used in this context to actually appear as a positive. There's no evidence because there is no possible way to collect evidence, other than people coming forward and reporting that they committed an act that could possibly be a crime. If Keith and Ira hadn't come forward, there would be "no evidence of any breach at all", but it would obviously still have happened.

Auckland • Since Nov 2006 • 10657 posts Report
Kyle Matthews, 13:12 Nov 2, 2012

And you can map network resources through the printer dialogue (let me know if I’m wrong about this).
No you're right, at least in Windows 7. Go to print, click find printer, up pops an explorer window, right click on your computer and map away. Not very intuitive however, if someone told most people that you wouldn't think having access to printers gave you access to the entire network.
The poor fuckers who will cop the shellacking will have chosen to ignore the security warnings not from negligence, but for the simple reason that was the only option available to them in circumstances where they were under orders to deliver n kiosks for x dollars.
I think some people are making a big jump here. Problem was identified by DD and given to MSD. Problem wasn't escalated to senior management, so some grunts on the ground and/or lower level managers have chosen not to push it up the line.
There may be cultural/structural reasons for that, which indicate that some blame needs to flow up, but the answer may actually be that some people close to the ground fucked up. Difficult to tell but at the face of it, if they were made aware of this problem, and didn't inform their superiors or fix it, they haven't done very well.

Since Nov 2006 • 6243 posts Report
BenWilson, in reply to Idiot Savant, 13:12 Nov 2, 2012

I wonder how much they got paid for that?
My bet is that it's a lot more than Keith or Ira did, and they actually found and reported the bloody problem.

Auckland • Since Nov 2006 • 10657 posts Report
Keith Ng, in reply to Idiot Savant, 13:15 Nov 2, 2012

The Deloittes report makes it clear that there's no auditing or logging. So their claim that there were no other breaches is pulled from their arse. I wonder how much they got paid for that?
My understanding is that there's no audit trail to determine *who* accessed information, but that there *were* network logs. Boyle talked about not finding any "download patterns" - i.e. People leeching large volumes of data, like I did. That seems like a reasonable way to detect intrusion, unless it was someone who covered their own tracks (in which case no audit trail would help).

Auckland • Since Nov 2006 • 543 posts Report
Keith Ng, in reply to James George, 13:16 Nov 2, 2012

Every Winz regional office (do they still call them that?) would have had their own local area network which was compromised to varying extents depending on what that regional office chose to make available on its LAN.
My understanding is that all the computers were connected on a single, national, corporate network.

Auckland • Since Nov 2006 • 543 posts Report
Rich of Observationz, in reply to Kyle Matthews, 13:22 Nov 2, 2012

I would imagine that they reported it, or were aware it had been reported, by making an entry in the project risk register, on the meeting minutes, or, if using Agile, in crayon on a piece of brightly coloured paper stuck to the wall of the meeting room, which will subsequently have fallen on the floor and been hoovered up by the cleaner*
Either way it was reported. Management would have then failed to understand it and ignored it.
* those outside the IT industry may not be aware of this, but this is actually the current fashionable way to manage things. The risk of data loss is usually mitigated by not employing cleaners.

Back in Wellington • Since Nov 2006 • 5550 posts Report
Sacha, in reply to Rich of Observationz, 13:25 Nov 2, 2012

Management would have then failed to understand it and ignored it.
I'd expect any review to have looked at the paper trail about this. Some person or group has made a decision about the cost/benefit of acting on concerns raised.

Ak • Since May 2008 • 19745 posts Report