OnPoint by Keith Ng

Read Post

OnPoint: MSD's Leaky Servers

629 Responses

First ←Older Page 1 16 17 18 19 20 26 Newer→ Last

  • Matthew Poole, in reply to Neil Graham,

    When assessing risk you look at likelihood and consequence. The consequences of someone breaching the security of the WINZ/MSD network are quite serious, so even if the likelihood is low you do more work to implement security than you would if it was, say, NZ Film Commission. If there's a physical separation of networks the utter compromise of one side does not equate to utter compromise of the other side. If the terminals were on their own network segment, isolated from the rest of MSD, they could be virus-ridden mirrors of the worst of the internet and MSD would be safe. Someone could break them from top to bottom and still have no access to MSD. Even if the kiosks had been joined to the MSD domain they attacker would still not have access to the rest of MSD because they would have no connection.

    As Rich says, it's about defence in depth. Every layer that must be penetrated is another chance for detection, it's another hurdle that might cause the attacker to give up. It deters the casual busy-body, and with physical separation even if nothing else is done the casual busy-body can't get anywhere anyway.

    Using wifi to bridge the gap? If someone has access to connect to wifi on the other side then the gap is irrelevant because they're already inside. They don't need to compromise one side and then leap over, they just start on the inside. Certainly MSD shouldn't be attaching access points to their internal network either, or having network ports in public spaces that are live and connected to the internal network such that someone could plug in their own access point and start sniffing.

    Auckland • Since Mar 2007 • 4097 posts Report

  • Neil Graham, in reply to Rich of Observationz,

    Well of course things are going to have bugs and malware etc, that's why people report and fix exploits. You take precautions and action when necessary. You may and should have privilege checks at multiple levels, admin on a wifi router shouldn't get you admin on the database, that's all in the realms of so bloody obvious that I didn't feel the need to mention. None of that has bearing on physical connectivity. Ultimately all of the privilege restrictions need to be explicit and in software (or firmware in the case of some dedicated boxes).

    This notion that the Kiosks shouldn't have been connected to the same network is what strikes me as odd. The property of connection should grant absolutely no advantage. It would be one of the easiest aspect to bypass.

    Christchurch • Since Nov 2006 • 118 posts Report

  • Matthew Poole, in reply to Neil Graham,

    This notion that the Kiosks shouldn’t have been connected to the same network is what strikes me as odd. The property of connection should grant absolutely no advantage. It would be one of the easiest aspect to bypass.

    Actually, no, it's about the hardest when done properly. If it was as easy as you believe, installations dealing in national security wouldn't be required to physically segment networks based on the classification of information stored and retrieved.
    The GSCB's "bible" on securing electronic information might give you some more insight into the best of good practices when setting up computer systems. Keeping systems with different security profiles separate with a firewall between them is as vital as it gets, given the principle that "If you have the hardware, the hardware is insecure". 0wn the box to your heart's content, but if you can't reconfigure the firewall that keeps it apart from the rest of the network you're stuck in your little corner of the world.

    Auckland • Since Mar 2007 • 4097 posts Report

  • Matthew Poole, in reply to Neil Graham,

    Ultimately all of the privilege restrictions need to be explicit and in software (or firmware in the case of some dedicated boxes).

    But see, here’s the thing. I know, and I’m sure you know, that escalating privilege through software bugs or hardware tampering is pretty damned easy. I’ve spoken already of the demo I saw where a tester had a local account on a computer and was able to turn that into domain administrator access within 15 minutes. That was testing a bank’s computers. Software is easily broken. Getting electrons to jump is really, really hard. If I’m sitting in front of a computer I can probably get myself administrator access by rebooting it and performing a password reset. Bang, there’s that security gone. Once that’s done I can take a copy of the local password files and crack it at my leisure. Do that, and I own the network. Or, at least, I own as much of the network as is within my reach. If there’s a firewall in the way and no way for me to connect to it and reconfigure I have to try and break my way through the firewall, probably setting off an alarm in the process, and then make use of my new-found access. Or, more likely, I have to start again at breaking into another system remotely.

    You appear to believe I think the only thing WINZ should have done was segregate these kiosks. It’s not, but if they had done nothing except segregate them this would not have happened. Could not have happened.

    Auckland • Since Mar 2007 • 4097 posts Report

  • Neil Graham, in reply to Matthew Poole,

    If there's a physical separation of networks the utter compromise of one side does not equate to utter compromise of the other side.

    I don't see how that can possibly be an issue. Presuming a connection between the two. Either the compromised side is trusted or it isn't. If the compromised side is untrusted, no amount of activity on it should be a problem (short of DOSing). Yes, being connected to a trusted site that is compromised means that you are screwed, but there is no way around that, you grant that trust very sparingly.

    Using wifi to bridge the gap? If someone has access to connect to wifi on the other side then the gap is irrelevant because they're already inside.

    I think this might show we are talking about different things when we mean physical network. I was assuming a physically attached network was a network that was physically attached (even if the physics involved are a wifi signal). Two machines with ad-hoc paired USB wifi connections are physically connected. Indeed any two machines that can reach Google are on the same physical network.

    So by physical network, I'm guessing you mean logical network? In which case, nevermind. Forget I said anything :-).

    Christchurch • Since Nov 2006 • 118 posts Report

  • Russell Clarke,

    If you'd started with an OSI Layer Number it could have saved a lot of typing :)

    -36.76, 174.61 or thereab… • Since Nov 2006 • 164 posts Report

  • Neil Graham, in reply to Matthew Poole,

    Actually, no, it's about the hardest when done properly. If it was as easy as you believe, installations dealing in national security wouldn't be required to physically segment networks based on the classification of information stored and retrieved.

    I can see how that would be the case where physical access security was extremely tight, but I can't imagine many instances where what would apply. It would very much be an environment were you were aware of security at every moment. I wouldn't expect many businesses to do that for the bulk of their day-to-day staff.


    As an aside.
    I remember reading a piece a while back on how to install an exploit on the inside of a computer system. The easiest way was to put your software on a thumb-drive and drop it on the ground outside the front door. Wait and let human nature take it's course.

    Christchurch • Since Nov 2006 • 118 posts Report

  • Neil Graham, in reply to Russell Clarke,

    If you'd started with an OSI Layer Number it could have saved a lot of typing :)

    Maybe that's a Programmer / SysAdmin perspective.

    Like "how many syllables in coax?"

    Christchurch • Since Nov 2006 • 118 posts Report

  • Russell Clarke, in reply to Neil Graham,

    I'll give my favourite consulting answer: It depends.

    -36.76, 174.61 or thereab… • Since Nov 2006 • 164 posts Report

  • Ds,

    Here is another interesting fact in the mix

    The MSD are spending >$1billion on IT between 2010 and 2014


    http://www.msd.govt.nz/about-msd-and-our-work/publications-resources/corporate/statement-of-intent/2011/our-capital-intentions.html

    wellington • Since Sep 2012 • 8 posts Report

  • cognitive_hazard, in reply to Ds,

    Sounds about right to rebuild a Microsoft Active Directory of that size from scratch, the only way to ensure a non compromised network at MSD

    New Zealand • Since Oct 2012 • 13 posts Report

  • Matthew Poole, in reply to Neil Graham,

    Clearly talking to cross purposes. To a network engineer, physical separation means distinct cables that, if they talk at all, talk through a firewall. Logical separation would be VLANs with a shared switch and shared cable and a firewall (ETA: or router) in between the VLANs. Using wifi to create a bridge just gives you a dual-homed host rather than building a single network, just like you’d be dual-homed with two network connections (be they physical or logical) coming into the back of your computer over UTP.

    And we don’t see the internet as one big, physical network because there are hand-offs of control over the physical infrastructure. The demarcations between owners of physical networks are the borders. I can see how you’d get confused if you see the world as a single physical network.

    Auckland • Since Mar 2007 • 4097 posts Report

  • BenWilson,

    Classic, a discussion about setting up the perfectly secure network in the context of the problem being no security at all. Even if there was just a weak password on the network access, that would have been a million times more secure, and most likely this news story would never have happened.

    The easiest way was to put your software on a thumb-drive and drop it on the ground outside the front door. Wait and let human nature take it's course.

    Pfft, that's way hi-tech. A friend of mine stole a million dollars from a bank just by lying on a deposit slip at an ATM and padding it with a Jaffa packet. I'd tell the whole story if I thought anyone would actually believe it. It's quite indicative about computer systems, security, and what hackers are actually like.

    Auckland • Since Nov 2006 • 10657 posts Report

  • Matthew Poole, in reply to BenWilson,

    Even if there was just a weak password on the network access, that would have been a million times more secure, and most likely this news story would never have happened.

    In many ways that would have been worse. The illusion of security would have been preserved, Keith would never have been tipped off, and any ne'er-do-well who was inclined to spend the limited time required to break the password might never be discovered.

    Auckland • Since Mar 2007 • 4097 posts Report

  • tussock,

    Sort of explains how Bennet got that "confidential" client data out to the press so easily, doesn't it. Attach File -> Search on network -> Send. No wonder she doesn't think she broke anyone's privacy, it was all right there on her office (and home) computer!

    Since Nov 2006 • 611 posts Report

  • Rich of Observationz,

    I did a job once where the server (and all terminals) were in a copper lined room with an airlock like arrangement on the door to ensure that no bits could ever escape. Military, needless to say. No bloody rentacops guarding the place either - actual Royal Marines with the smarts to remember you as well as checking id.

    Back in Wellington • Since Nov 2006 • 5550 posts Report

  • Matthew Poole, in reply to Rich of Observationz,

    The black helicopters will be with you shortly.

    Auckland • Since Mar 2007 • 4097 posts Report

  • BenWilson, in reply to Matthew Poole,

    In many ways that would have been worse.

    This thing has been hanging wide open to all comers for a couple of years. It doesn't really get much worse. You can't rule out that "ne'er do wells" could have done a whole lot already.

    Auckland • Since Nov 2006 • 10657 posts Report

  • Matthew Poole, in reply to BenWilson,

    You can’t rule out that “ne’er do wells” could have done a whole lot already.

    Given that I've been broadcast on radio as saying I believe the entire network should be treated as though the ne'er-do-wells have been running rampant since the kiosks were installed, I'm hardly ruling it out. However, because there was no security we now know about this. If there had been a fig leaf this situation might have continued, potentially with the vulnerable children database being installed into the same network or with a degree of trust that would have made it accessible. So, yes, I do think it could've been worse.

    Auckland • Since Mar 2007 • 4097 posts Report

  • BenWilson, in reply to Matthew Poole,

    So, yes, I do think it could've been worse.

    Whilst at the same time not knowing how bad it is.

    Auckland • Since Nov 2006 • 10657 posts Report

  • Trevor Nicholls, in reply to BenWilson,

    Fixing it now is better than never fixing it at all, regardless of how bad it is now.

    Wellington, NZ • Since Nov 2006 • 325 posts Report

  • Matthew Poole, in reply to BenWilson,

    Whilst at the same time not knowing how bad it is.

    We’ll never, ever know how bad (or otherwise) it is currently, but the vulnerable children database being attached to such an insecure system would have made it more bad. I don’t need to be able to quantify “bad” to know that there is a completely foreseeable way in which it could be worse.

    Auckland • Since Mar 2007 • 4097 posts Report

  • nzlemming, in reply to BenWilson,

    A friend of mine stole a million dollars from a bank just by lying on a deposit slip at an ATM and padding it with a Jaffa packet. I'd tell the whole story if I thought anyone would actually believe it.

    Yeah, nah. The story is well known (in banking circles anyway) which is why deposits don't clear the moment you put them into the machine. It's the equivalent of the old "night deposit" slot some banks used to have. As soon as the machine was cleared in the morning, the deposit was reversed.

    Waikanae • Since Nov 2006 • 2937 posts Report

  • nzlemming, in reply to Rich of Observationz,

    I did a job once where the server (and all terminals) were in a copper lined room with an airlock like arrangement on the door to ensure that no bits could ever escape.

    Tempest specced?

    Waikanae • Since Nov 2006 • 2937 posts Report

  • BenWilson, in reply to Matthew Poole,

    I don't need to be able to quantify "bad" to know that there is a completely foreseeable way in which it could be worse.

    It could always be worse. I'm just not sure you can show that it would be likely to be worse. Currently, thousands of people could have compromised the system. If it had even weak security, that number would reduce by several orders of magnitude.

    Which is not to say that we shouldn't be using strong security.

    Auckland • Since Nov 2006 • 10657 posts Report

First ←Older Page 1 16 17 18 19 20 26 Newer→ Last

Post your response…

This topic is closed.