OnPoint by Keith Ng


OnPoint: MSD's Leaky Servers

629 Responses


  • BenWilson,

    Yeah, nah. The story is well known (in banking circles anyway) which is why deposits don't clear the moment you put them into the machine.

    Sure, and they didn't then either. The plot thickens, eh?

    Auckland • Since Nov 2006 • 10657 posts

  • nzlemming, in reply to BenWilson,

    Which is why I call bullshit on your mate's story.

    Waikanae • Since Nov 2006 • 2937 posts

  • BenWilson, in reply to nzlemming,

    Which is why I call bullshit on your mate's story.

    Well, there were quite a few people who saw the money, myself included. I also saw the deposits being made. I predicted that it would not work. But truth is stranger than fiction.

    Auckland • Since Nov 2006 • 10657 posts

  • nzlemming, in reply to BenWilson,

    Well, that's the first time I've heard someone actually claim to have been there, I'll admit. It's usually "this guy down the pub".

    Waikanae • Since Nov 2006 • 2937 posts

  • Rich of Observationz, in reply to nzlemming,

    I guess, but that's usually just done at the equipment level. I'm told there are various rules depending on how near the site boundary you are, as well.

    NZ is a trifle slacker. I've seen cordless phones being used in defence establishments.

    Back in Wellington • Since Nov 2006 • 5550 posts

  • nzlemming, in reply to Rich of Observationz,

    I was the IT Manager (hell, I was pretty much the department!) at a small entity that used to be in #2 The Terrace, a few floors away from the DPMC. We didn't have Tempest machines, but they did and were very proud of them, until I sent them a link to a report about monitoring the pulses in the *cables* to decode data processing. ;-)

    Waikanae • Since Nov 2006 • 2937 posts

  • BenWilson, in reply to nzlemming,

    Well, that's the first time I've heard someone actually claim to have been there, I'll admit.

    Yeah, you're right, it's a foolish thing to talk about on the internet, even 26 years after the fact, with the bank no longer in existence.

    Auckland • Since Nov 2006 • 10657 posts

  • Ds, in reply to cognitive_hazard,

    Yes BUT those numbers are for 2010 to 2014, pre the problem.

    wellington • Since Sep 2012 • 8 posts

  • Neil Graham, in reply to nzlemming,

    Which is why I call bullshit on your mate's story.

    The thing that gives it some credibility for me is the fact it was reported on the news when it happened, with interviews and all the silly staged shots that Keith is being subjected to now.

    If I remember correctly the appropriate protocol had not been triggered when the machine was cleared but the bank said they were confident that they would have noticed it soon. The money had cleared and could be withdrawn.

    Christchurch • Since Nov 2006 • 118 posts

  • BenWilson, in reply to Neil Graham,

    If I remember correctly the appropriate protocol had not been triggered when the machine was cleared but the bank said they were confident that they would have noticed it soon. The money had cleared and could be withdrawn.

    Classic. So the protocol wasn't "someone opened the envelope to see if it contains money"?

    I'm sure it would have been noticed soon, because you can't have money not balancing up on a periodic basis. But the window of opportunity was at least a day wide, during which multiple withdrawals on the same machine were possible (that is what he did). He could have cleaned out every ATM in the city. He had opened the account in a false name, too. In fact, that was the joke that gave him the confidence to try it - the teller hadn't even batted an eyelid at a kid calling himself "Arizona Sunset"? I'm still amazed he didn't get any punishment at all, other than his parents yelling at him. I guess the fact that he turned himself in before they even knew it had happened, coupled with how embarrassing for them the facts actually were, was why.

    Which is what makes me think no charges will find our intrepid whistleblowers this time. I highly doubt MSD really wants a blow by blow account in court of just how poor their security really was.

    Auckland • Since Nov 2006 • 10657 posts

  • duke, in reply to Rich of Observationz,

    NZ is a trifle slacker. I’ve seen cordless phones being used in defence establishments.

    Listening in on analogue was/is literally child's play ("let's keep pressing the 'Channel' button until we hear the neighbours")

    DECT (compromised but very specialist) and DSS (secure if implemented correctly)

    Since Jul 2009 • 24 posts

  • duke,

    Keith, in the final screenshot with the open file dialogue showing hyper-v-firewall.bat, it appears you're editing said file.

    Did you add the text "I can edit this file.." and save successfully?

    Since Jul 2009 • 24 posts

  • Neil Graham, in reply to BenWilson,

    Classic. So the protocol wasn't "someone opened the envelope to see if it contains money"?

    I think the problem was what happened after that. The condition where someone says a Jaffa packet is a million dollars was sufficiently wtf that the next step was unclear. My guess is several people were told about it and they all figured someone else was dealing with it.

    Christchurch • Since Nov 2006 • 118 posts

  • BenWilson, in reply to Neil Graham,

    The condition where someone says a Jaffa packet is a million dollars was sufficiently wtf that the next step was unclear. My guess is several people were told about it and they all figured someone else was dealing with it.

    He attempted it multiple times, something that may not have been made clear at the time. For several weeks, he'd do it, and then a few days later he'd tell me that it hadn't cleared, that his balance had gone back down, and I'd say "told you so". Which suggests that the obvious process of simply cancelling rather than confirming the amount in the package was working most of the time. The one time it didn't, however...

    Auckland • Since Nov 2006 • 10657 posts

  • BenWilson, in reply to duke,

    DECT (compromised but very specialist) and DSS (secure if implemented correctly)

    Copper cable running out of property that carries the call to the provider...not very secure. I'd be glad I've finally got fiber, if I had anything to hide. Then again, breaking in through a window and looking at the WPA key is hardly rocket science. While there, absolutely everything I've got could be compromised. Cracks me up to be super concerned about how many bits of security one has, and how expensive it would be to crack. A crowbar just doesn't cost very much.

    Auckland • Since Nov 2006 • 10657 posts

  • Martin Lindberg, in reply to BenWilson,

    A crowbar just doesn't cost very much.

    ... or a wrench

    Stockholm • Since Jul 2009 • 802 posts

  • duke, in reply to BenWilson,

    A crowbar just doesn’t cost very much.

    A rock even less ;p

    Come now surely you've changed the default password on your router Ben!

    p.s. lucky living in UFB zone bastard

    Since Jul 2009 • 24 posts

  • nzlemming, in reply to duke,

    hem. Been on cable since 2000 (Lucky living-in-Saturn-TelstraClear zone bastard)

    Waikanae • Since Nov 2006 • 2937 posts

  • BenWilson,

    Even luckier! The installation and gear was free, as is the first three months usage! Orcon rockz!

    Auckland • Since Nov 2006 • 10657 posts

  • duke, in reply to BenWilson,

    Even luckier! The installation and gear was free, as is the first three months usage! Orcon rockz!

    Yeah, those are some sharp plans they've just pushed out. However, did you read the T&Cs!?:

    "If, in Orcon's sole opinion, your usage is so heavy that it materially exceeds estimated use patterns over any month or Orcon believes that your usage of our services will adversely affect the quality of the service received by other customers, then Orcon may (in its sole discretion):

    - de-prioritise your access to the network;

    - apply charges to your account for the excessive and/or unreasonable element of your usage;

    - suspend or restrict access to your service; or

    - terminate your service.

    Where reasonable, Orcon will provide you with notice before suspension, restriction or termination. If we terminate your services and you have agreed to a fixed contract term you may have to pay the applicable early termination fee."

    Apologies for the off topic.

    Since Jul 2009 • 24 posts

  • Katita, in reply to Russell Clarke,

    I cringe when I hear of people blaming the business for the requirements. As a technology consultant who does a lot of requirements work, I'm working with the business to add value, not just to scribe ill-thought out blue sky wish lists

    Please let me clarify - I wasn't blaming the business. I go on to state that undoubtedly security requirements were understood and addressed. However (given my 13+ years of consulting experience) I find it plausible to believe that these items were de-scoped or given lower priority. In some cases you can scream and shout all you like, but if the governance stakeholders have a different set of priorities, then ... you can lead a horse to water.
    The real point being that a security breach of this nature is

    systemic, cultural and pervasive

    Ergo my point that even if MSD had received good advice, they may not have seen the need to follow it.

    Auckland • Since Nov 2006 • 67 posts

  • Sacha, in reply to Katita,

    governance stakeholders

    exactly

    Ak • Since May 2008 • 19745 posts

  • Matthew Poole, in reply to Sacha,

    governance stakeholders

    exactly

    And, worse, political stakeholders. This is an organisation that is very, very politically-influenced, and is being expected to do more with less. Cutting spending on IT is a first-reaction move in the public and private sectors, because it's easy to do and doesn't really hurt in visible ways. When told that the pet IT system that's going to free up thousands and thousands of person-hours is fundamentally insecure, the immediate reaction will be to examine the IT budget (because the project's budget is well and truly spent) to look for the money to make it secure. If that money ain't there, it's not going to sit well politically to go begging for more money.

    Auckland • Since Mar 2007 • 4097 posts

  • Sacha, in reply to Matthew Poole,

    it's not going to sit well politically to go begging for more money

    That's where Keith may have done us all a huge favour - more likely now that Cabinet will approve extra money before all the other cross-agency systems are in place, especially Health ones.

    Ak • Since May 2008 • 19745 posts

  • Tim Michie,

    Being expected to do more with less. Cutting spending on IT is a first-reaction move

    and that the government is using e-government mechanisms as a counterpoint to the public servants removed for the same goals. The Prime Minister's opinion that many government IT systems are clunky is a generalisation of course and clearly not aimed at those with IT knowledge but hardly recommends their approach.

    Auckward • Since Nov 2006 • 614 posts
