OnPoint: #WTFMSD: "Damning"
68 Responses
-
The MSD media release (and another link to the full report at bottom).
-
But he did make clear that the decisions didn’t get escalated properly
It is a failure of management if the staff below do not feel it is possible or appropriate to pass information of this kind upwards.
It is simply poor leadership.
-
Hebe,
Manners! Mr Boyle seems to have forgotten to say thank you to Keith and Ira. He at least owes them a good dinner on the Winz entertainment account: if they hadn't pursued the story the potential for his own job being threatened would have been huge. As it is, I can see a great big bulge under that carpet - as John Holley says in the post below.
-
The report focuses on privacy when the bigger whole of government issue is the potential cascade of security breaches. The analysis of this seems to be entirely missing.
The MSD network was wide open for months and to assume that other people (domestic and foreign) did not gather material or utilise authentication trust relationships is just plain sticking your head in the sand. As Matthew Poole stated, you have to assume the entire MSD network is compromised. Logs won't necessarily show breaches as anyone trying to gain information, if they knew what they were doing, would be utilising trusted access, e.g. accounts/passwords/trust relationships.
If the MSD network is assumed to be compromised then so are any other networks with trust relations with the MSD network and so on... the security breach cascade effect. For some, the MSD network could have just been the gateway into other Govt orgs that they were seeking to gain information from.
This is the biggest security breach in NZ Govt history but unfortunately everyone is focusing on the privacy breaches.
-
Sacha, in reply to
unfortunately everyone is focusing on the privacy breaches
exactly as intended. #spin
-
Keith Ng, in reply to
The report focuses on privacy when the bigger whole of government issue is the potential cascade of security breaches. The analysis of this seems to be entirely missing.
It's true. Not a conspiracy though - I just don't know what the story is. With the invoices, I can tell you how many invoices are contained on the servers, what they contained and what significance it has.
But the security context? True, it has the potential to compromise everything everywhere. But there are probably vulnerabilities elsewhere that have the same potential. The consequences are somewhere between nothing and everything, and I don't know what to do with that.
-
Rich of Observationz, in reply to
I'm not sure where the root of this idea lies, but wonder that Deloittes might have picked up if there was actually any compromise of production Active Directory files and the like. I'm suspecting it's a bit of a red herring.
-
From MSD behind that NBR link and on Scoop: "Investigations have determined that there is no evidence that the Kiosk breach went beyond that of Keith Ng and his associate Ira Bailey."
Am I correct in assuming that this statement only addresses the specific breach by Keith and Ira, and not the potential for earlier undiscovered breaches by the same technique, or other data that was available but not accessed by either of them?
Without MSD categorically stating otherwise I'd totally believe there's no reliable auditing of potential security breaches given how the rest of the thing was set up, hence a "lack of evidence", but there have been plenty of scattered forum posts here and elsewhere from people claiming they saw it ages ago but steered clear of reporting it. It still seems very plausible to me that others may have accessed and made their own bulk copies of everything available on the network with malicious intent and we'd be none the wiser.
-
Easy solution Mr Ng, be like winz and play it down. See Deloittes only recommend kicking a few junior IT staff out of their expensive to obtain (if as yet unpaid for) careers.
The poor fuckers who will cop the shellacking will have chosen to ignore the security warnings not from negligence, but for the simple reason that was the only option available to them in circumstances where they were under orders to deliver n kiosks for x dollars.
This report can hardly be described as independent given that a big chunk of Deloitte's revenue comes from Wellington senior public servants' desire for 'outside inquiries' which reliably report that said senior public servants were innocent of all allegations of incompetency and mendacity, further any bad apples were well down the pecking order.
-
Idiot Savant, in reply to
The Deloittes report makes it clear that there's no auditing or logging. So their claim that there were no other breaches is pulled from their arse. I wonder how much they got paid for that?
-
“In the meantime I can confirm that at this stage four employment investigations are being undertaken by an independent barrister.”
Are they going to fire the whole IT department?
-
@izogi Yeah even the herald report pretty much admitted that the only breaches the report considered were those of Bailey & Ng, with a passing reference to the 'consumer advocate' who warned them last year.
Every Winz regional office (do they still call them that?) would have had their own local area network which was compromised to varying extents depending on what that regional office chose to make available on its LAN. Some may have been more secure than those Bailey and Ng visited and some may have been a whole lot less and opened a door to the 'crown jewels', the national benefits database, even the national identity card database, aka NZ driver's license.
-
Anyways, I'm of the view that this kind of issue could happen in just about every organisation* I've ever dealt with or heard of, especially, but not exclusively, in New Zealand.
The financiers (whether government or private owners) don't want to spend money. The management don't want to understand "techy stuff". The techs can't communicate upward or outward.
The result is that every project either comes to a dead stop (which can create its own scandal, if high profile enough) or gets dragged into service with a burden of compromise and expedient. That compromise might be that it crashes under load, makes life difficult for the users, or has some kind of security hole.
(Example: I was in the bank the other day. To calculate mortgage repayments, they use CICS. That's not just software from the first half of the history of computing, it's from the first third. It's like AirNZ still operating Zeppelins. Obviously there have been many, many projects to improve the calculation of compound interest, but all have failed to achieve the importance/return/profile to surmount the bureaucracy).
* with the possible exception of military organisations where the systems/data are identified as of security importance. And their approach was often around stuff like putting the hard disk back in a locked safe after you finished with it.
-
The original description of the problem sounds exactly like being able to map network drives and seeing the names of all the computers on the network. And you can map network resources through the printer dialogue (let me know if I'm wrong about this).
I think your take is correct.
Did the Terms of Reference get published? Because Ira and Keith didn't "breach" anything. They walked in through an open door. The "breach" was in the design. As I/S says, Deloittes are making this stuff up, because they can't know about any breaches if no logging exists.
-
Lucy Stewart, in reply to
It is a failure of management if the staff below do not feel it is possible or appropriate to pass information of this kind upwards.
It is simply poor leadership.
It's also a failure of procedure. Good security protocols should not allow urgent security breaches to not be passed up immediately. Whether they are acted on is still probably going to be subject to somewhat arbitrary decision-making, but it shouldn't be possible for them to just not be reported (at least, without someone actively choosing to not do their job.)
-
Sorry to 'daisy chain' but all sorts of ideas are flicking up, not least of which is that we thought at first this was an Active Directory issue. An Active Directory is the method of setting tasks, access and privileges in networks that feature Windows server technology, but it may be that Winz offices are just conglomerations of independent free-standing PCs with no real control over who accesses what. In other words privacy breaches are the default as every worker can access every other worker's product through shared directories.
-
Martin Lindberg, in reply to
or has some kind of security hole.
(Example: I was in the bank the other day. To calculate mortgage repayments, they use CICS.
I dare you to find a security hole in CICS ;-)
-
Sacha, in reply to
It's like AirNZ still operating Zeppelins.
you clearly haven't met their reservations mainframe. :)
-
BTW, good on you, Keith, for trying to find out how Bailey was outed to Sleazy Slater. And good luck.
I love how "no evidence of other breaches" can be used in this context to actually appear as a positive. There's no evidence because there is no possible way to collect evidence, other than people coming forward and reporting that they committed an act that could possibly be a crime. If Keith and Ira hadn't come forward, there would be "no evidence of any breach at all", but it would obviously still have happened.
-
And you can map network resources through the printer dialogue (let me know if I’m wrong about this).
No, you're right, at least in Windows 7. Go to print, click find printer, up pops an explorer window, right click on your computer and map away. Not very intuitive, however; if someone told most people that, you wouldn't think having access to printers gave you access to the entire network.
The poor fuckers who will cop the shellacking will have chosen to ignore the security warnings not from negligence, but for the simple reason that was the only option available to them in circumstances where they were under orders to deliver n kiosks for x dollars.
I think some people are making a big jump here. Problem was identified by DD and given to MSD. Problem wasn't escalated to senior management, so some grunts on the ground and/or lower level managers have chosen not to push it up the line.
There may be cultural/structural reasons for that, which indicate that some blame needs to flow up, but the answer may actually be that some people close to the ground fucked up. Difficult to tell but at the face of it, if they were made aware of this problem, and didn't inform their superiors or fix it, they haven't done very well.
-
BenWilson, in reply to
I wonder how much they got paid for that?
My bet is that it's a lot more than Keith or Ira did, and they actually found and reported the bloody problem.
-
Keith Ng, in reply to
The Deloittes report makes it clear that there's no auditing or logging. So their claim that there were no other breaches is pulled from their arse. I wonder how much they got paid for that?
My understanding is that there's no audit trail to determine *who* accessed information, but that there *were* network logs. Boyle talked about not finding any "download patterns" - i.e. people leeching large volumes of data, like I did. That seems like a reasonable way to detect intrusion, unless it was someone who covered their own tracks (in which case no audit trail would help).
-
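The "download patterns" check Keith describes is the one thing network or file-server logs can still give you when there is no per-user audit trail. The block below is an added example of that check, not code from the page, from MSD or from the Deloitte report. It parses a constructed file-access log in an assumed format (ISO timestamp, client IP, path, bytes), finds each client's busiest one-hour window, and flags clients that pulled more bytes or more distinct files in that window than a kiosk session plausibly would. The log format, the sample lines, the thresholds and the window length are all assumptions.

```python
"""Added example (not from the page): flag bulk-download patterns in a
file-access log when there is no per-user audit trail.

Assumed log format (constructed for this example):
    <ISO timestamp> <client IP> <path> <bytes>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 10.1.2.30 is an ordinary kiosk session,
# 10.1.2.77 walks a whole invoice share in a few minutes, and
# 10.1.2.90 pulls a single large file once.
_LINES = [
    "2011-10-03T09:00:12 10.1.2.30 fileserv/forms/application.pdf 120000",
    "2011-10-03T09:03:40 10.1.2.30 fileserv/forms/leaflet.pdf 90000",
    "2011-10-03T15:41:02 10.1.2.30 fileserv/forms/application.pdf 120000",
    "2011-10-03T11:20:00 10.1.2.90 fileserv/software/office-update.msi 48000000",
]
# Twelve 1.5 MB invoice files from one client inside twelve minutes.
_LINES += [
    f"2011-10-03T10:{m:02d}:{5 * m % 60:02d} 10.1.2.77 "
    f"fileserv/finance/invoices/2011-{m + 1:02d}.xls 1500000"
    for m in range(12)
]
SAMPLE_LOG = "\n".join(_LINES)


def parse_log(text):
    """Group lines by client: {client: [(timestamp, path, bytes), ...]}, time-sorted."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, path, nbytes = line.split()
        per_client[client].append((datetime.fromisoformat(ts), path, int(nbytes)))
    for events in per_client.values():
        events.sort()
    return per_client


def peak_window(events, window):
    """Largest byte total and largest distinct-file count seen in any
    span of length `window` within one client's time-sorted events."""
    best_bytes = best_files = 0
    cur_bytes, cur_files, start = 0, Counter(), 0
    for ts, path, nbytes in events:
        cur_bytes += nbytes
        cur_files[path] += 1
        # Drop events that have fallen out of the window ending at `ts`.
        while events[start][0] < ts - window:
            _, old_path, old_bytes = events[start]
            cur_bytes -= old_bytes
            cur_files[old_path] -= 1
            if cur_files[old_path] == 0:
                del cur_files[old_path]
            start += 1
        best_bytes = max(best_bytes, cur_bytes)
        best_files = max(best_files, len(cur_files))
    return best_bytes, best_files


def find_bulk_downloaders(text, window=timedelta(hours=1),
                          max_bytes=20_000_000, max_files=10):
    """Return {client: {"bytes": peak, "files": peak, "reasons": [...]}} for
    clients whose busiest window exceeds either (assumed) threshold."""
    flagged = {}
    for client, events in parse_log(text).items():
        peak_b, peak_f = peak_window(events, window)
        reasons = []
        if peak_b > max_bytes:
            reasons.append("bytes")
        if peak_f > max_files:
            reasons.append("files")
        if reasons:
            flagged[client] = {"bytes": peak_b, "files": peak_f, "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for client, info in sorted(find_bulk_downloaders(SAMPLE_LOG).items()):
        print(client, info)
```

On the sample above this flags 10.1.2.77 for the number of distinct files and 10.1.2.90 for volume, and leaves the ordinary kiosk session alone. The limit is the one Keith names: someone who spreads the same twelve invoices over twelve hours stays under both thresholds and is invisible to this check, so a clean run says nothing about careful access, only about greedy access.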
Keith Ng, in reply to
Every Winz regional office (do they still call them that?) would have had their own local area network which was compromised to varying extents depending on what that regional office chose to make available on its LAN.
My understanding is that all the computers were connected on a single, national, corporate network.
-
Rich of Observationz, in reply to
I would imagine that they reported it, or were aware it had been reported, by making an entry in the project risk register, on the meeting minutes, or, if using Agile, in crayon on a piece of brightly coloured paper stuck to the wall of the meeting room, which will subsequently have fallen on the floor and been hoovered up by the cleaner*
Either way it was reported. Management would have then failed to understand it and ignored it.
* those outside the IT industry may not be aware of this, but this is actually the current fashionable way to manage things. The risk of data loss is usually mitigated by not employing cleaners.
-
Sacha, in reply to
Management would have then failed to understand it and ignored it.
I'd expect any review to have looked at the paper trail about this. Some person or group has made a decision about the cost/benefit of acting on concerns raised.