OnPoint by Keith Ng

Read Post

OnPoint: MSD's Leaky Servers

629 Responses

First ←Older Page 1 8 9 10 11 12 26 Newer→ Last

  • Hebe, in reply to cognitive_hazard,

    font updates on the WINZ kiosks, Ironic Sans if I'm not mistaken?

    Heh. Sans Security?

    Christchurch • Since May 2011 • 2899 posts Report

  • EggsandChips,

    I had no idea the 'Echelon' network now extended to local Winz offices across NZ!!
    Or perhaps a way for student freelancers to get holiday cash out of the Chinese embassy?
    Would hate to see the state of our other govt depts!
    If ministerial docs are on there as previously mentioned, Bennett should surely resign!!

    Aoteoroa, NZ • Since Oct 2012 • 1 posts Report

  • Rich of Observationz, in reply to James George,

    It's one of my main beefs about MacOS that you can't paste a path into a dialogue box - I work a lot in the shell, but if I want to email a file, I have to navigate right through the tree (often, it's easier to copy it to a suitable folder).

    Applications are (mostly) not intended to be security gates. Word definitely isn't.

    Back in Wellington • Since Nov 2006 • 5550 posts Report

  • Karen Adams,

    SECURE FILES - IT can you help?

    Hi to any other people with Secure Files & friendly IT peeps.

    I've spent the morning going mental. Where the hell is any info on this?
    MSD is saying via the 0800 line that no clients have had their privacy breached. This doesn't mean anything because on Friday they would have assured us that no CYFS clients would have had their privacy breached.

    I would like a hell of a lot more assurance that my file has been untouched than this given the level of risk to my family and myself, and the type of sensitive information in my file.

    MSD secure files can "only" be accessed when they are unsecured by a manager, but essentially they are accessible to any MSD staff member, at any location.

    Question for the IT savvy: if there were passwords on the computer that Kevin accessed, is it possible that some of these passwords could be used to access a secure file? I ask knowing you probably need more info but your guess is more than I have from MSD right now. Can't contact PC either.... arrrrgg.

    Under your bed • Since Oct 2012 • 16 posts Report

  • Martin Lindberg, in reply to Sacha,

    Just drop a file with the same name into the open file dialogue box. Microsoft has effectively turned that dialogue box into a slim file-manager

    True. I recall keyboard shortcuts working there in the past too.

    Still, you would require write-access to the files, which I don't think has been established.

    However, if that's the case it would seriously compromise the integrity of any information stored in those documents. This could be a giant legal loophole for any disputes between MSD and ... well, anyone really.

    Stockholm • Since Jul 2009 • 802 posts Report

  • curra_bJ,

    Hmmm.... i wonder what other sh*t can be found on those machines.... that was my 2nd thought after obligatory WTF??!?

    however i can't help but wonder if you can still access al the data form like 2yrs ago when i was a benifit grabber ??? or even curently with study link????????

    *WTF!!!*
    well thanks for exposeing the naked parts ... look forward to the next blog.

    New Zealand • Since Oct 2012 • 1 posts Report

  • Pete Sime, in reply to David Hood,

    Hey, you use Calibri too? *fistbump*

    Dunedin • Since Apr 2008 • 171 posts Report

  • Tom Beard,

    Has anyone weighed in on whether this was due to kiosks with Admin privileges, or an MSD-wide problem where any employee could look anywhere on the network? It's presumably easy for someone at MSD to check, and I'm sure an anonymous word in Keith's ear wouldn't go amiss

    Wellington • Since Nov 2006 • 1040 posts Report

  • Rich of Observationz,

    You know what I think could have happened here:
    - they planned to do the job properly, with the kiosks on their own network with independent Internet access, not connected to the MSD backbone.
    - the network/change control/management process made that all just too hard (and there wasn't the budget)
    - someone realised you could just plug a PC into the wall of any Winz office with no change control needed

    "Security" thwarting security.

    Back in Wellington • Since Nov 2006 • 5550 posts Report

  • izogi, in reply to cognitive_hazard,

    If this happened at any private enterprise heads would roll top to bottom, why should Govt be any different.

    Are you sure?

    I hear this line from time to time, but then I see private sector businesses seemingly acting with indistinguishable incompetence from some government organisations, just as I've seen government entities that have awesome competence and organisation skills. (We rarely hear about them for good reason.) I'm not convinced this has much to do with differences between the public and private sector.

    Wellington • Since Jan 2007 • 1142 posts Report

  • Sue, in reply to Rich of Observationz,

    the kiosks are a way of replacing humans
    that was the only plan, less staff & less interation with clients

    So they can focus on important things like making people fill out forms saying they've been out of the country and photocopying passorts with no stamps in them (becuase it's a fancy digital passport) and then having somone enter that info into a computer. even tho all that info automatically got sent to winz the moment a person left and returned to the country and befits are automatically stopped

    Wellington • Since Nov 2006 • 527 posts Report

  • David Hood, in reply to Rich of Observationz,

    It’s one of my main beefs about MacOS that you can’t paste a path into a dialogue box – I work a lot in the shell, but if I want to email a file

    Er, Spotlight search for it (default command + spacebar) and drag it straight into the email body from the spotlight search results. On the Mac some combination of drag and drop is normally more efficient than using the dialog boxes.

    Dunedin • Since May 2007 • 1445 posts Report

  • Sacha, in reply to niceness,

    claim that most of the fraud is committed by MSD staff

    Just as most shop theft is committed by staff, not customers. Next time you're in a store, check which side of the till the security cameras are monitoring.

    Ak • Since May 2008 • 19745 posts Report

  • Rich of Observationz,

    It isn't as easy as people might think to control access to sensitive data in a big organisation, either. When you've got some place like a design shop, where everything's reasonably low-sensitivity apart from the payroll, it's easy. In MSD, nearly everyone needs access to sensitive data of some sort.

    Take accounts payable, for instance. They probably cut cheques centrally, but local offices have contractors sending in invoices for building work and the like. They'll have Joe Builder ringing up see when they're getting paid, and will need to see the invoices. Granting selective access for that could well have been treated as just too hard, so any manager can see any invoice. And then...

    Back in Wellington • Since Nov 2006 • 5550 posts Report

  • Matthew Poole, in reply to Martin Lindberg,

    Still, you would require write-access to the files, which I don’t think has been established.

    If you can edit the file (that is, open it and then save changes), you can probably overwrite it with a file of the same name. Particularly since default permissions are grouped as "read only" or "read/write" and anything else requires work by administrators who don't appear to have cared very much.

    Auckland • Since Mar 2007 • 4097 posts Report

  • Tom Beard, in reply to Karen Adams,

    I've spent the morning going mental. Where the hell is any info on this?
    MSD is saying via the 0800 line that no clients have had their privacy breached. This doesn't mean anything because on Friday they would have assured us that no CYFS clients would have had their privacy breached.

    I'm not an expert, but from Keith's description I don't think they would have any way of knowing for sure. It's possible that they were logging all activity on every kiosk, but given the evident amateurishness of their setup I'd very much doubt that. Maybe they have central logging of every file access, so they'd know if any other files had been accessed from any other kiosks: that seems like the only way they'd be able to update their 0800 lines so quickly to reassure people.

    Otherwise, while they could rely on Keith's word as a responsible journalist and all-around good guy not to have distributed the data the accessed, I doubt they could be sure that someone hadn't been in the day before and done the same thing with less public-spirited purpose.

    Can anyone more qualified comment on how likely it is that they could make this assurance?

    Wellington • Since Nov 2006 • 1040 posts Report

  • Stephen Judd, in reply to izogi,

    Welll.... in my experience, many times when a disaster happens on a senior manager's watch, they get moved to a pointless assignment with no one reporting to them (see the Peter Principle and the "lateral arabesque"). But on a really, truly spectacular public fuckup, resigning so you can spend more time with your family is generally the done thing.

    Wellington • Since Nov 2006 • 3122 posts Report

  • Lea Barker, in reply to dc_red,

    In reply to dc_red:

    Altiris is headquartered in Utah, hence the reference to Mountain Standard Time. Altiris was acquired by Symantec. Maybe what Keith saw was from a training session linked to a non-production database. (One can only hope!!)

    The Wilipedia entry for Altiris includes this information:

    "In December 2011 the original team which developed the Symantec Management Platform (previously known as the Altiris Notification Server), based in Sydney, Australia was sacked in a cost cutting exercise. All future development on the Symantec Management Platform development was moved to low cost centres in Pune, India and Tallin, Estonia. The 7.2 release of SMP will be delivered by these new teams."

    I'm sorry, Estonia? Isn't that almost the beating heart of cybercrime?

    BTW, the Symantec corporate blog is called "Information Unleashed"--how apt is that!
    http://www.symantec.com/social/pr-blog/

    Oakland, CA • Since Nov 2006 • 45 posts Report

  • Russell Clarke, in reply to Tom Beard,

    Auditing every file and folder access across their network is is possible but unlikely. If they do, they can show us the evidence - the terabytes of access logs they have captured over the past couple of years...

    So seeing such a rapid categorical denial that security has been breached is somewhat surprising.

    I'm picking they don't just work using files - they'll have a case management system that has its own database, and probably does have some level of access logging going on. So while they're probably dissembling about security in general, they might be more assured about the case records in the system.

    -36.76, 174.61 or thereab… • Since Nov 2006 • 164 posts Report

  • Karen Adams, in reply to Tom Beard,

    Thanks, I feel better and more assured anyway.

    Under your bed • Since Oct 2012 • 16 posts Report

  • Allan Moyle, in reply to Deborah,

    I think a video of the File Open process and of the the looking at other computers would provide a significant "aha" moment for many users who, while not recognising the terms being used will immediately see the familiarity and simplicity of the actions they themselves will have used many times.

    Auckland • Since Nov 2006 • 104 posts Report

  • Matthew Poole, in reply to rodgerd,

    Mark, if you can access the VM images, then you have the Windows SAM files within those images, which mean you will be able to get domain admin logins as quickly as you can crack them.

    Bingo bango bongo, we have ourselves a winner. I believe that the entire WINZ network, and probably the entire MSD network, should be considered to be fully compromised.
    What do I mean? I mean that every server and workstation should be considered to be accessible and controllable by people who are not employees of the WINZ/MSD system administration team. For the uninitiated, a domain administrator is God within the boundaries of their network. Potentially they are God within the boundaries of networks that have special relationships with the primary network.

    How serious is this? Unless there is fine-grained auditing of the use of access privileges – meaning a written record of every time a privileged account logs in or does something that’s beyond the capabilities of an ordinary user – there is no way to know what has been done. And a person who’s conducting a full attack can always erase the audit logs, which shows up but it still removes the evidence. As God, someone could install software on servers to track password changes, watch particular files or directories, or any number of other things. It looks like the firewall may have been easily accessible – a virtual computer, rather than a dedicated piece of hardware – which would let an attacker configure the firewall to allow them to upload anything they wanted, to anywhere they wanted, and leave no record. And even if that wasn’t possible, there’s always the old fall-back of plugging in an external hard drive and doing what Keith did: copying things off.

    And what does that all mean? It means that every backup all the way to when the kiosks were installed is an unknown quantity. Recovering from this isn’t just a matter of fishing out the last backup tapes and reinstalling the computers. It means installing all the computers. From scratch. Using media that hasn’t been stored on the network. It means that no data on the network can be trusted, unless it checks out when compared to data from backups that were created and stored off the network before the kiosks were installed.

    Am I being paranoid? I don’t think so, to be quite honest. I was an IT security auditor in a recent past life, and a network and system administrator before that. Were I a WINZ IT administrator I would be saying exactly the same things. I know how easy it is to escalate from being a local user to being a domain admin, without the benefit of stored passwords, and I know what can be done once one is a domain admin.

    ETA: Also, given that Keith was able to drag out data from computers that were across the network it's possible that the kiosk's local SAM file (a local cache of network credentials) could have been copied off to a USB key. It's only necessary to be a local administrator to achieve that, and making that happen would've been straightforward, I'm sure.

    Auckland • Since Mar 2007 • 4097 posts Report

  • Chris Miller, in reply to niceness,

    When I say most, I would probably be talking more like 60% than 90%. It's a conclusion reached from a combination of several studies so unfortunately I can't link you to any one document, but certainly there's plenty to show that fraud by people applying for benefits is far lower than most people seem to think and a large number of confirmed frauds consist of things like staff members using the system to set up payments to people who have not been vetted (it would be extremely easy to do this at my job, incidentally, all I'd have to do would be to set up a file with junk personal information and the target bank account number, not sure what the WINZ systems are like for similar schemes). Simply put staff have far more opportunity to commit fraud while also having a higher level of trust.

    Otautahi, Aotearoa • Since Nov 2011 • 17 posts Report

  • Sacha, in reply to Allan Moyle,

    a video of the File Open process

    I thought the same. Couldn't find one after about 10 minutes searching.

    Ak • Since May 2008 • 19745 posts Report

  • Tom Beard, in reply to Russell Clarke,

    I'm picking they don't just work using files - they'll have a case management system that has its own database, and probably does have some level of access logging going on. So while they're probably dissembling about security in general, they might be more assured about the case records in the system.

    That seems to be the case, and if there's one thing that's reassuring, it's that the really sensitive information seems to have only been visible in a fairly ad hoc and incidental way, through things like invoices rather than a case database. If someone went to a kiosk with the intent of maliciously accessing a specific person's information, it wouldn't have been as easy as typing a name into a search box (I think). However, someone with a more generic grudge could have released it out of spite or found someone to blackmail, or even sold the data. Not that anyone would do that.

    Karen, I'm not sure if that really helps :-(

    Wellington • Since Nov 2006 • 1040 posts Report

First ←Older Page 1 8 9 10 11 12 26 Newer→ Last

Post your response…

This topic is closed.