OnPoint by Keith Ng


OnPoint: MSD's Leaky Servers

629 Responses

First ←Older Page 1 21 22 23 24 25 26 Newer→ Last

  • andin, in reply to Russell Brown,

    I'm struggling to see the logic of that story. So there is a guy who lives OS, is a hacker and is employed by DD, who set up the kiosks.
    So the inference is a hacker broke into the kiosks?
    OH TVNZ did you just flush your moral compass down the toilet!

    raglan • Since Mar 2007 • 1890 posts

  • Jimmy Southgate, in reply to Russell Brown,

    If that story is the result of a tip from the ministry side, things are getting very shabby indeed.

    Ugh, beginning to feel all conspiracy theorist or something, but again I'm wondering if a big part of the story is where it came from, just like who leaked Ira's name.

    Wellingtown • Since Nov 2006 • 103 posts

  • Jimmy Southgate, in reply to andin,

    So there is a guy who lives OS is a hacker and is employed by DD, who set up the kiosks.

    I thought DD just did a security audit of the kiosks, and they'd been set up internally. That's stretching my memory of things through this & other comment threads & articles a bit, though.

    Also, wouldn't you want to know that the people you are hiring to assess your security are capable of breaking stuff like what you're trying to deploy?

    Wellingtown • Since Nov 2006 • 103 posts

  • andin, in reply to Jimmy Southgate,

    Yeah, there were a lot of holes in that story. And I'm not a journalist, so I'm not looking to do an article or anything on it, so not researching all the facts. That TVNZ news story tho? Shit!
    Breathless reporter says "We have heard of this guy who is in a roundabout way connected, may or may not be involved, and he has some YouTube videos you can look at. But WOW those MSD kiosks... any 'hacker' could do it!"

    raglan • Since Mar 2007 • 1890 posts

  • Lucy Stewart, in reply to Jimmy Southgate,

    Also, wouldn’t you want to know that the people you are hiring to assess your security are capable of breaking stuff like what you’re trying to deploy?

    That would be why security companies spend rather a lot of money to send their employees to hacking conferences, yes. That article is the equivalent of "IRD employees know how tax returns can be falsified".

    Wellington • Since Nov 2006 • 2105 posts

  • Matthew Poole, in reply to Jimmy Southgate,

    wouldn’t you want to know that the people you are hiring to assess your security are capable of breaking stuff like what you’re trying to deploy?

    I know a couple of the security testers who work for DiData, and they enjoy breaking into computers. They're some of the luckiest people I know, because they get to do something that's a hobby and get paid for it. They're not so thrilled on the paperwork side of things, but when you're getting paid six figures a year to break stuff you have to take the shit with the smooth. And because they enjoy it, they're strongly inclined to keep figuring out new ways to do things. Some of them even have esoteric hobbies, like Paul Craig's fascination with cracking kiosks, and those hobbies have direct application to their testing.

    Auckland • Since Mar 2007 • 4097 posts

  • Matthew Poole, in reply to Russell Clarke,

    The vulnerability may have existed for 2 years but that doesn't mean that people have been taking advantage of it since then. Or ever.

    Not taking drastic action to assure security would be adopting a very hopeful attitude towards reality. Examining 700 kiosks (and that's assuming that none have been replaced) for confirmation that nothing untoward has happened is a huge job, and they only have to find one kiosk that's been used to leap all the way into the network to shatter that hopeful attitude. Once someone's got in, the kiosk won't necessarily have the evidence of what's been done, so the examination will have to continue on the other kiosks as well as going deeper into the network to look for what else has been done.

    Auckland • Since Mar 2007 • 4097 posts

  • BenWilson, in reply to Kumara Republic,

    The sound of an organisation trying to save both its arse and its face at once.

    And ending up with people finding the two indistinguishable?

    Auckland • Since Nov 2006 • 10650 posts

  • cognitive_hazard, in reply to Russell Clarke,

    Do you work on the MSD kiosk team, Russell, or are you hopelessly naive? The fact there has been a gaping security hole for two years leaves no other option than to assume the whole system is totally compromised. The only way to ensure MSD has a secure system is to rebuild it from scratch. New Active Directory, new domain, new VMs, new PC builds, lock, stock, the f*&king lot.

    New Zealand • Since Oct 2012 • 13 posts

  • DexterX,

    The MSD leaks, the KDC GCSB saga, the Banks sagas, the education debacles all have an overarching factor: unfathomable incompetence. Should Bennett or Key have been Ministers in the Clark government, they would now be back benchers.

    That Bennett still retains the confidence of the Prime Minister is a reflection on a Prime Minister who should really sack himself, if only he could remember what it is he is doing in the job in the first place.

    On talkback radio, one of the default positions offered is that "they" are very hard working and that the job is thankless and frustrating. That is the lot of work for most working people.

    The lack of accountability is extremely wearisome, as is the way the issues are getting skewed and the "incompetence" keeps repeating on itself.

    They are really really really bad at what they do.

    Auckland • Since Nov 2006 • 1224 posts

  • Rich of Observationz, in reply to cognitive_hazard,

    Probably throw out all the hardware as well, in case the BIOS or firmware has been affected. And tear out all the network cabling, probably the power as well.

    In fact, the very fabric of the buildings is probably tainted, they need to rip out the carpets, lino and wallpaper and burn them. Probably each and every WINZ office really needs to be razed and the ground sown with salt.

    Wait, am I channelling Paula Bennett?

    Back in Wellington • Since Nov 2006 • 5550 posts

  • duke, in reply to Sacha,

    Please don’t bring her here

    +5 (squizillion)

    Replicant mitosis spawn of that pinnacle of Granny Herald journalism Shelley Bridgeman?

    Since Jul 2009 • 24 posts

  • BenWilson, in reply to Rich of Observationz,

    Probably each and every WINZ office really needs to be razed and the ground sown with salt.

    Even nuking from space doesn't work - the damn taint will cling to the underside as you lift off. You have to actually become the taint, and then kill yourself.

    ETA: Oops, correct quote put in.

    Auckland • Since Nov 2006 • 10650 posts

  • Joe Wylie, in reply to duke,

    Replicant mitosis spawn of that pinnacle of Granny Herald journalism Shelley Bridgeman?

    Now that you mention it, it's probably only the bogan fashion sense that prevents her from being the toast of the media. Give her a dishwasher blonde makeover and she'd be Bridgeman's clone.

    flat earth • Since Jan 2007 • 4593 posts

  • Sacha, in reply to andin,

    Breathless reporter says "We have heard of this guy who is in a roundabout way connected"

    Google. Not so good for context - or technical knowledge.

    Network security is not intuitive, which is why what Matthew and others have posted here is so useful. But most of the public will take whatever we're fed, and this is highly spun like most other political disasters.

    Check the difference in a story written by someone who knows his stuff - from beyond our shores, even.

    The data breach, already a scandal in NZ and attracting global attention, saw a catalogue of sensitive information about welfare clients publicly accessible via up to 700 self-service kiosks located in Work and Income (WINZ) offices across the nation.

    The Australian equivalent would be walking into a Centrelink office and casually looking up the names of children in state care and what medications they are prescribed, or who was under investigation for welfare fraud.

    ...

    Not only accessible, but transferable on to a USB disk for anyone to remove.

    Ak • Since May 2008 • 19707 posts

  • Sacha,

    An equivalent of the Science Media Centre might be useful to raise journalists' understanding of IT matters, though, like information security, that also requires ongoing governance buy-in by their editors, publishers and industry.

    Ak • Since May 2008 • 19707 posts

  • cognitive_hazard, in reply to Rich of Observationz,

    Was thinking of replacing all the hardware as well, but giving Dell all that money makes me unhappy. As you say, the place could be awash with rootkits, so best to send it all off to Remarkit (assuming MSD are competent enough to get rid of all the data first...)

    New Zealand • Since Oct 2012 • 13 posts

  • Sacha, in reply to cognitive_hazard,

    the place could be awash with rootkits

    Classic example where translation would help journos and others. :)

    Ak • Since May 2008 • 19707 posts

  • cognitive_hazard, in reply to Sacha,

    New Zealand • Since Oct 2012 • 13 posts

  • Lucy Stewart, in reply to Matthew Poole,

    And because they enjoy it, they're strongly inclined to keep figuring out new ways to do things. Some of them even have esoteric hobbies, like Paul Craig's fascination with cracking kiosks, and those hobbies have direct application to their testing.

    From what I can tell, the basic qualification for being an IT security expert is being the kind of person whose default first question about any new thing is "how would I break that?". The difference between them and hackers is basically the self-control to not follow through unless they've been asked to.

    Wellington • Since Nov 2006 • 2105 posts

  • Rich of Observationz, in reply to Lucy Stewart,

    You haven't met any IT security people? Their default first question about any new thing is "no, you can't".

    Back in Wellington • Since Nov 2006 • 5550 posts

  • Matthew Poole, in reply to Lucy Stewart,

    The difference between them and hackers is basically the self-control to not follow through unless they’ve been asked to.

    Not even that much. The phrase "grey hat" exists for a reason: they skirt the boundaries of being a black hat while being ostensibly a white hat. I know more grey-hat testers than I do white-hat ones, TBH, though they're largely not malicious in their law-breaking. It's more that to really test their skills or prove their theories they cannot just rely on clients presenting the appropriate opportunities, so they have to edge across into the illegal realms.

    Auckland • Since Mar 2007 • 4097 posts

  • Sacha, in reply to Lucy Stewart,

    the kind of person whose default first question about any new thing is "how would I break that?"

    that's a software tester. :)

    Ak • Since May 2008 • 19707 posts

  • Matthew Poole, in reply to Sacha,

    the kind of person whose default first question about any new thing is “how would I break that?”

    that’s a software tester. :)

    Or a small child who has just been given a hammer. I'm seeing some similarities :P

    Auckland • Since Mar 2007 • 4097 posts

  • Sacha, in reply to Matthew Poole,

    That accurately describes the impish gleam I've seen in some.

    Ak • Since May 2008 • 19707 posts
