OnPoint: MSD's Leaky Servers
629 Responses
-
duke, in reply to
Of course, this requires you have enough “spare” staff that you have people able to take 2 weeks of leave in one block and do one another’s jobs. If you’ve got hung up over “efficiency” and fired all the “dead wood” to save a bit of money, well…
Thank goodness the banking sector is making sufficient profits to support these policies. Hope your pay packet is tasty too.
-
Russell Clarke, in reply to
This article suggests they're running Curam's system for case management. http://www.msd.govt.nz/about-msd-and-our-work/newsroom/media-releases/2007/pr-2007-02-14.html
So it's Oracle or DB2 unless they have switched in the past few years.
-
Matthew Poole, in reply to
So it’s Oracle or DB2 unless they have switched in the past few years.
Curam Software is owned by IBM, which makes it likely that it'll be DB2. It almost certainly won't be MSSQL. So we're back to hoping that database credentials weren't stored in the clear on the network, which does move the odds of that system being compromised back towards betting territory.
-
Matthew Poole, in reply to
Let’s not get carried away. I’ll also bet the core CRM app is not directly affected by this issue (we hope).
No, it's probably not, but depending how the back-end is accessed...
Though arguably if Admin passwords were compromised a skilled hacker could go nuts; he’d still need physical access to the network and a machine and a fair bit of quite private nerd time.
OK, I'll put it like this. I've seen a demonstration of a security tester going from accessing a Citrix application to having full domain administrator rights within 15 minutes. They started off with no credentials for the network that hosted the app they were testing (as part of the test they were just given a networked machine and a local login). I will never, ever rule out someone levering physical access to a networked machine all the way into domain administrator access. And if the firewall was truly a VM, and an attacker could break in, they could take all the time in the world safe in the knowledge they could hide the evidence by changing what was logged.
-
It just gets better. The Herald is reporting:
The kiosks were introduced in late 2010 and trialled for about a year before a network of 700 was introduced around New Zealand.
That opens the window of compromise to two years, assuming this flawed implementation was present in the original.
ETA: And there are 700 possible points of compromise.
-
à la TracyMac. Nuke it from orbit, it's the only way to be sure.
-
Bennett continues the government line that getting into the system was really hard (my highlighting, but it's what you're supposed to read):
“I’ve demanded answers as to how a journalist managed to gain access to files and I am appalled that it was possible, even with a level of skill.”
Experts have been working since last night on computer kiosks to find the problem, which they have now done but the kiosks will not reopen until the system can be guaranteed as secure.
-
Russell Clarke, in reply to
Given the levels of incompetence demonstrated thus far, what makes you think there's a password? ;)
I'd also wonder if anyone at MSD had the nous to disable the default account/password, which is easily google-able.
The problems here are less about technical weakness and more about good old-fashioned human incompetence. The most secure tech in the world is tits on a bull if it's set up and run by muppets.
-
Glenn Pearce, in reply to
and ups the ante further
Mr Boyle said the ministry was contacted last week by a man who said their systems weren't robust and he would cooperate if there was a reward.
"While he wouldn't provide any details we asked KPMG to begin penetration testing at this point and this testing has been accelerated and intensified. He did indicate he was working with a journalist," said Mr Boyle.
Social Development Minister Paula Bennett said there was no evidence the man who contacted the ministry last week was linked to Keith Ng, the blogger and journalist who exposed the breach.
-
Hebe, in reply to
Mr Boyle said the ministry was contacted last week by a man who said their systems weren't robust and he would cooperate if there was a reward.
Did this really happen, or is Mr Boyle relying on the MSD computer phone logs for his evidence?
Or is it a white knight smear appearing?
-
Russell Clarke, in reply to
"While he wouldn't provide any details we asked KPMG to begin penetration testing at this point and this testing has been accelerated and intensified.
...KPMG being the firm that failed to unearth this vulnerability before. Fills me with confidence that they'll do a great job.
KPMG were regularly engaged to conduct tests on the safety of MSD's systems and to attack them in a bid to highlight weak areas.
They had not found any issues.
-
Or is it a white knight smear appearing?
That's my fear, that they will say "oh there's no evidence of a link to Keith" but we'll all think it anyway.
Let's not forget the last person who publicly took on Paula Bennett...
-
rodgerd, in reply to
Thanks for your valuable, not to mention insightful, contribution.
-
Hebe, in reply to
Or is it a white knight smear appearing?
That's my fear, that they will say "oh there's no evidence of a link to Keith" but we'll all think it anyway.
It is the saying. The shit machine is cranking into operation, and if this country wants any form of journalistic freedom (read a democracy) everyone who can should get behind Keith Ng and Russell Brown (as the publisher) now.
-
Hebe,
On the bright side, this saga proves that National has taken open government to a new level of transparency.
-
Rich of Observationz, in reply to
*All* mainstream databases (MSSQL, Mysql, Oracle, Postgres) are vulnerable to a user gaining access to the data files or even the backups.
You can mitigate against this by encrypting at file system or column level, but that is unusual.
-
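Rich's point above is that every mainstream database is only as private as its data files and backups, and that encrypting at the file-system or column level is the mitigation. The following is an added example in Go, not code from this thread or from MSD's systems: it writes a hypothetical case-notes table (assumed columns `case_id` and `notes`, with a constructed sample row) once in the clear and once with the sensitive column sealed under AES-256-GCM, and then runs the check a reviewer of a file share or backup would run, a plain text search of the raw file. The fixed key is a placeholder for demonstration; in a real deployment it would live in a KMS or HSM, never on the host or share that holds the data files.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/csv"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Record is one row of a hypothetical case-management table (the real
// schema is not on the page). Only Notes is treated as sensitive, so
// case_id stays usable for lookups and joins.
type Record struct {
	CaseID int
	Notes  string
}

// ColumnCipher holds the AES-GCM key for one sensitive column.
type ColumnCipher struct{ aead cipher.AEAD }

// NewColumnCipher takes a 16, 24 or 32 byte AES key.
func NewColumnCipher(key []byte) (*ColumnCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ColumnCipher{aead: aead}, nil
}

// aad binds a ciphertext to its row, so a sealed value copied into
// another row does not decrypt there.
func aad(caseID int) []byte { return []byte("case_id=" + strconv.Itoa(caseID)) }

// Encrypt seals one cell under a fresh random nonce; nonce||ciphertext||tag
// is base64 encoded so it fits a text column or a CSV export.
func (c *ColumnCipher) Encrypt(caseID int, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nonce, nonce, []byte(plaintext), aad(caseID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt and fails on tampering or on a row mismatch.
func (c *ColumnCipher) Decrypt(caseID int, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := c.aead.Open(nil, raw[:ns], raw[ns:], aad(caseID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// WriteTable renders rows as the bytes a data file or backup would hold.
// cc == nil is the weak setting (notes in the clear); a non-nil cipher is
// the column-level mitigation.
func WriteTable(rows []Record, cc *ColumnCipher) ([]byte, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	if err := w.Write([]string{"case_id", "notes"}); err != nil {
		return nil, err
	}
	for _, r := range rows {
		notes := r.Notes
		if cc != nil {
			enc, err := cc.Encrypt(r.CaseID, r.Notes)
			if err != nil {
				return nil, err
			}
			notes = enc
		}
		if err := w.Write([]string{strconv.Itoa(r.CaseID), notes}); err != nil {
			return nil, err
		}
	}
	w.Flush()
	return buf.Bytes(), w.Error()
}

// Leaked is the reviewer's check: does the raw file contain the secret text?
func Leaked(datafile []byte, secret string) bool {
	return strings.Contains(string(datafile), secret)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // placeholder key, demo only
	cc, err := NewColumnCipher(key)
	if err != nil {
		panic(err)
	}
	rows := []Record{{CaseID: 1001, Notes: "constructed sample: medical note"}}
	clear, _ := WriteTable(rows, nil)
	sealed, _ := WriteTable(rows, cc)
	fmt.Printf("plain file leaks notes: %v\n", Leaked(clear, "medical note"))
	fmt.Printf("sealed file leaks notes: %v\n", Leaked(sealed, "medical note"))
}
```

The row id is passed as GCM additional data, so a cell moved between rows in a stolen backup fails to open; that is the cheap extra an application-level column cipher gives over whole-file encryption, at the cost that the column can no longer be searched or indexed by the database.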
Islander, in reply to
Would you repost the donation site (I know it didn't come from you Hebe!!) Anyone?
I decided I could do without my miserable pensioner’s bottle of whisky this week - which does show I esteem Keith’s work -
(have temporary eye-condition which means trawling through pages & pages isn't really an option…)
-
Hebe,
It's a serious scandal; Key whips out the Brash/Muldoon crisis handbook. Guess what page he's on: "playing the race card":
http://www.stuff.co.nz/business/industries/7818021/No-share-plus-scheme-in-asset-sales
But this MSD scandal will burn long and hot.
-
Russell Clarke, in reply to
-
There should be no excuse - The Minister and the executive team need to be gone.
-
Thanks Russell! Miserable pensioner's bottle-of-whisky duly donated-
-
It’s a serious scandal; Key whips out the Brash/Muldoon crisis handbook.
Well at least he won't have to answer any questions about Dotcom. Today.
I'd say tomorrow's Question Time could get a wee bit testy.
-
Jonathan King, in reply to
And there are 700 possible points of compromise.
Then why are they confidently telling (distressed and anxious) people on the phone that their privacy hasn't been breached? They simply have no way of knowing, right?
-
Russell Clarke, in reply to
Correct.
Unless they have logged every system access from every entry point (which is deemed unnecessary in most IT environments, so I highly doubt they do it), they can't categorically know.
So they are saying this because they are:
a) Bullshitting us
b) Misinformed
c) All of the above
-
"Aw Jeez Boss, couldn't we just share our password and access to the kiosk so that when those local jobs come in we can put them onto the kiosk real quick and then get on with that other work we have to do since the last layoffs?"
You know, like how much easier it is to leave the car door unlocked in the garage so that when we want to use it it is no hassles (guilty). Those remote door openers are good too (guilty). And 1,2,3,4 on my eftpos card is easy to remember (NOT guilty!). Hide my hand while punching in the number (Most certainly!)? What are ya?
I have to say though, the security on PDFs from the Govt has improved out of sight since we discovered the "blacked out" bits were being made inaccessible by changing the font to white......
Well done Keith. Bet you the heart was beating more each time you went in just in case the leak had been found and you might get busted. Anyone wanna vote him for Wellingtonian of the Year?