OnPoint: MSD's Leaky Servers
-
Bart Janssen, in reply to
Any IT manager right up to the new CIO should have spotted this stuff and fixed it.
Nope.
The CIO probably has no computing experience beyond PowerPoint, but he/she will have an MBA. The priority will have been to meet budgets, their KPIs will be based on reducing salary costs, and they will have met those KPIs and received appropriate bonuses.
The poor schmucks on the ground will have come fresh out of their tech training and may or may not be good. But they will have NO experience, because industry experience would cost more in salaries.
This is the nature of business in NZ: worship the MBA and management experience, dismiss the experience of the workers as irrelevant.
-
Bart Janssen, in reply to
people who are a little more directly responsible for data security.
I'm certain the codemonkeys at the bottom of the pay scale will get fired.
-
Deborah, in reply to
It’s not that incredible that most people don’t know a lot about the internal workings of computers and computer files and how to access them. Computers are a bit like cars: most of us know how to use them, many of us know how to do minor things (check the oil, change a tyre, top up the windscreen water thingie), but when it comes to doing anything more than that, we hand it over to experts. Some people love tinkering with their cars, so they know a bit more about it, and some people can even do most car stuff themselves. But for many of us, a car is just a tool that facilitates other things we do, and we’re not all that interested in the internal workings, so we hand anything other than very basic maintenance over to experts.
Same thing goes for computers. Keith lost me at about, “just using the Open File dialogue in Microsoft Office, you could map any unsecured computer on the network.” And what exactly is a file server?
A computer’s just a tool that I use to do my job and other things that I find interesting. Just like my car, I can do basic things like loading new software, and sorting out a printer connection, and changing my desktop picture, but that’s about it. I don’t want to spend effort understanding the rest or fiddling about with it, so I hand those tasks over to experts.
-
Hear, hear, Bart.
Key’s already heavily downplaying it saying on Breakfast this morning that “accessing the information wasn’t easy”
Illustrates the extent of JK's computing ability. File, open... is there really an easier process in Windows?
-
Great one, Keith!
This is overdue to be exposed, and there will be much, much more to come, I am sure!
WINZ have a year or so started to scan in almost all relevant documents of clients applying for benefits, updating records, reporting changes of circumstances, documents to support reviews on medical and various other grounds - INTO THEIR SYSTEMS!
So ENDLESS documents are on their file, being PDF and other types of documents.
With this leak having been exposed now, and with others due to be exposed soon, of which I am sure, this makes every client and otherwise with WINZ and MSD involved persons TOTALLY EXPOSED and vulnerable.
Surely now, all reforms and major changes announced have to be put on hold, until MSD have got their whole systems checked and fixed.
It is not coming at the best of times for Bennett and this government.
Good work, anyway!
Marc
-
This is pretty gobsmacking and must be a NEW thing.
I worked for WINZ (frontline in various roles) for 24 years, finishing in 2010. All these details that you have been able to access are amazing, considering we, as staff, were NEVER able to access any of them. Even our Service Managers couldn't get into them.
It was so 'locked down' that we couldn't even access the Internet unless we personally had been granted an electronic licence (so no Trade Me, Facebook, Twitter etc).
We did have our own internal "Intranet" and access to our own client's benefit records, but I am appalled that the public has been able to access stuff, even we as staff, could never get to, or would even attempt to get to.
Thank you for exposing this anomaly in their system, but I would appreciate it being reported that it is not WINZ information that you have been able to see, it is other organisations within MSD.
-
Joe Wylie, in reply to
There is no doubt that Bennett is responsible for this farce.
-
Bart Janssen, in reply to
“accessing the information wasn’t easy”
As far as I can tell this is roughly equivalent to a bank leaving the keys under the front door mat attached to a note with the alarm codes.
Now most folks wouldn't think to look under the mat...
and most folks wouldn't know where the alarm keypad was ...
but that is about the level of difficulty we are talking about
-
Craig Ranapia, in reply to
I’m certain the codemonkeys at the bottom of the pay scale will get fired.
Yeah, and Paula Bennett's head on a spike would totally restore my confidence. It really really would.
-
Hamish, in reply to
...roughly equivalent to a bank leaving the keys under the front door mat attached to a note with the alarm codes.
Worse: it’s like the bank leaving a note under the mat saying: "Guess what! There is actually no alarm and the door is left unlocked at night, LOLZ!!!111".
-
stuartm, in reply to
I'm willing to be proven wrong on this, but I'm highly doubtful that the file shares that Keith accessed are open to all and sundry within MSD. It seems more likely to me that the accounts used by the kiosk computers were incorrectly configured which gave them way more rights than they needed.
If true, it would be ironic that the public had more access to MSD's internal systems than their own staff did.
-
Holy shit! Great work, Keith. Massive story.
-
Sacha, in reply to
Well, he’s not wrong but completely misses the point. I couldn’t do what Keith did
The kiosk is not the main problem in any case. Staff using MSD's network in their day-to-day job seem to have global access. Easily.
-
Holy heck.
Computerworld is now reporting that the breaches might extend to CERA and other agencies, thanks to their shared services agreements with MSD.
Daniel Ayers is speculating that one of the viewable servers in Keith's screenshot is CERA's office server.
-
6784 views in 12 hours - how does that rate in PA's record books, Russell?
-
Sacha, in reply to
It seems more likely to me that the accounts used by the kiosk computers were incorrectly configured which gave them way more rights than they needed.
That's possible too, yes.
-
izogi, in reply to
Any IT manager right up to the new CIO should have spotted this stuff and fixed it.
That's true, although more to the point, when I worked at a small/mid-sized government department up to a couple of years ago, our IT team employed a person whose specific responsibility was to keep track of the IT security implications of virtually everything the department did, be up-to-date with everything relevant, stay in touch with the spooks regarding things like espionage risks and relevant system auditing, and essentially make sure nothing stupid happened, whether it be with something we developed ourselves or auditing the work done by contractors. One of the tougher bits is trying to keep track of different sections of the organisation that've decided to spin off and implement something themselves before you've heard of it, but it's impossible to imagine that could occur here when there are kiosks apparently sitting inside the firewall.
Right now I'm quite flabbergasted that orgs like WINZ and ACC obviously either aren't employing enough people capable of doing this and given a mandate for it, or they're not giving them enough resources, access and control over what's going on to do their job properly.
-
duke,
As usual, quality work Keith. Clearly the in-house IT team will be suffering some lost heads quick snap.
S.W.I.M encountered a very similar situation at Auckland City Libraries public PCs oh, 15 odd years ago. Of course library data is hardly as compromising!
-
Aren’t GCSB* mandated to deal with this stuff?
We could ask the minister in charge...
who said: “accessing the information wasn’t easy”
He should know, as he (and many of his ministers) have a large problem with any kind of memory systems...
* The Mission of the GCSB is to contribute to the national security of New Zealand through:
• providing foreign intelligence to support and inform Government decision making;
• providing a 24/7 intelligence watch and warning service to Government;
• ensuring the integrity, availability and confidentiality of official information through information assurance (IA) services to Government; and
• contributing to the protection of Critical National Infrastructure from cyber threats.
-
I couldn’t do what Keith did
Oh yes you could... that's what Keith shows. It wasn't hard at all, and for Key to say otherwise is just silly.
-
Pete Sime, in reply to
Same thing goes for computers. Keith lost me at about, “just using the Open File dialogue in Microsoft Office, you could map any unsecured computer on the network.”
Fire up Word. Go to File->Open. There's a box with all the folders and drives you can open a file from. On your computer the dialog box would have areas like "My Documents" "Desktop" and "My Computer". There's also "My Network Places". Presumably Keith navigated through that to computers and files he should not have been able to access. This wasn't super 1337 ("leet" or elite) geekery. It was using Word in the way it was designed to be used.
-
stuartm, in reply to
That appears to be pretty wild speculation at this stage, and not at all helpful.
-
Rebecca Denton, in reply to
Exactly Pete. To use the ‘car’ metaphor – it was like opening the boot.
-
An OIA request has been made to follow up on fyi.org.nz: "Development and Testing of Kiosk Solution".
-
Wow. Kay Brereton of the Beneficiaries Advocacy Federation says she told MSD about the flaws in the kiosks a year ago. Stephen Judd has just said on Twitter that MSD was warned again by its own testers several months ago, and again did nothing.
It seems appropriate to declare this a scandal.