OnPoint: MSD's Leaky Servers
629 Responses
-
Ninja.
-
Holy crapola. Word.
-
I'm really shocked to read this, it's appalling that information about vulnerable people is so freely available. Good on you Keith for drawing attention to this situation. Happy to support independent journalism.
-
Holy shit.
I'm also aghast at the implication that any WINZ / MSD staff member can see sensitive information held by another unit. Have they no concept of information security? Do they not care that there have been prosecutions of their staff for committing fraud based on the internal information, and still have done nothing to do basic folder / directory security?
-
Crimes Act s252 (1) "Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system."
Did you get any legal advice before a) breaching the security of the MSD systems, b) putting up this post?
-
Astonishing.
-
You got a response from WINZ on a Sunday?
That was the 2nd thought that occurred, after the obligatory wtf?
-
I'm worried about how short the administrator passwords are. It almost looks like they're the same as the registered owner, altiris.
-
Thomas, I would love to see them go after him for this. LOVE TO. He may well have technically broken the law but public opinion if they tried to charge him for it could get very messy.
And yeah, I've seen statistics that suggest a significant amount if not the majority of benefit fraud is committed by MSD staff, so the fact that the staff can access this stuff is pretty horrifying in and of itself.
-
I'm pretty sure I know why this happened... Some bright spark decided because people had to print these CVs they had to be on the network.
Now why that data wasn't locked down tighter than the safe at Nakatomi Plaza is anyone's guess. I expect this will be big news thanks to ACC
...yippee ki-yay mother fucker
-
A) What Thomas said. My immediate reaction is "wow Keith you could end up in a lot of trouble". Bravo!
B) I'm sadly not very surprised. I'm surprised the kiosks can see the data, but I'm not surprised by the shitty internal security. These departments spend hours and millions making sure their users can't access Twitter, but couldn't give a crap if a file server is one click away from unauthorized access.
-
Fucking. Hell.
I cannot believe this. This is sysadmin 101. What the fuck were they thinking?
My experience with VMs is limited but I think the data you show is significant, especially the clear text password. Without command line or explorer access, I think you'd have had difficulty launching them but you could possibly have copied them to a large enough USB key for off-site study. But FFS their firewall is a virtual server on the corporate network??? Surely not!
Mind blown.
Well done you.
-
Nigel McNie, in reply to
Thomas, don't be silly. He asked the servers if they would give him the information and they said 'OK!'
-
Chris Miller, in reply to
Agree Nigel, I don't know that you can really call it breaching the servers! He went to the File menu of a public computer and clicked Open File. Mega hax there. If he wasn't supposed to have it, surely they wouldn't have put it there, as I'm sure plenty of lawyers would argue.
-
They contained sound recordings which I couldn't open, but which I suspect (for various reasons) are NOT complete recordings of calls.
When you phone the W&I call centre, there's always a message that says calls may be recorded "for our purposes". I assume those sound files are the result of such a recording. I'm still very intrigued to know what these 'purposes' are.
BTW, you know what's almost as scandalous as this network sharing issue? The W&I kiosks block access to Google Docs/Drive, which surely is an extremely valuable tool for a job seeker with no home computer.
-
I just hope someone somewhere has still got the cover your ass email/memo where they pointed this lack of security out years ago but were told the solutions were too expensive.
-
I don't think there are enough /facepalm gifs in the world to express my feelings right now.
I mean, I've worked in some sloppy/cack-handed corporate IT environments in my time, but this...
-
And also, someone ask Bradley Ambrose if he thinks the govt would need a cut and dried case before sicking the cops onto Keith out of embarrassment and the need to shoot the messenger.
I think it would be a PR disaster, so I hope you don't mind that I'm kind of rooting for them to give it a shot, Keith.
I'll donate a little bit more to your legal fund if they do though.
-
Wow! In theory you could have copied the hyper-v folders and stood them up with very little effort on any other machine. I'd like to assume they have some form of encryption on the network/virtual disks to stop that happening but it appears that's not the case.
This is IT security 101. You can have them all connected to the corporate network (although why you wouldn't have them in their own workgroup/domain is beyond me), you just make sure the user account associated with the kiosk machines can't see anything other than itself and a printer. The fact that the network and its shares are open internally is extremely poor work on the sysadmin's behalf.
If I'm not mistaken the kiosk machines have full access to the internet too which could be exploited pretty easily. As I'm typing I realise that this is probably how the files were copied off the machine.
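One check a defender could run on the file server behind those shares, as an added example that is not from the thread: list which share-level grants would be readable by broad groups or by the kiosk logon account. It assumes the SmbShare PowerShell module (Windows Server 2012 or later), runs on the file server itself, and uses a placeholder kiosk account name.

```powershell
# Added example (not from the thread): audit SMB shares on a file server for
# grants that would let a low-privilege kiosk account read them.
# Assumes the SmbShare module (Windows Server 2012 or later) and that the
# script runs on the file server itself. Account names below are placeholders.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users')
$KioskAccount    = 'CORP\kiosk-svc'   # placeholder: the account the kiosks log on as

# Skip administrative shares (C$, IPC$ ...); they are flagged as Special
$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # One entry per access control entry on the share-level ACL
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        $principal = $ace.AccountName
        # AccountName carries a prefix such as "NT AUTHORITY\" or "CORP\", so match on the suffix
        $isBroad   = $BroadPrincipals | Where-Object { $principal -like "*$_" }
        $isKiosk   = $principal -eq $KioskAccount
        if ($ace.AccessControlType -eq 'Allow' -and ($isBroad -or $isKiosk)) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $principal
                Right     = $ace.AccessRight
                Reason    = if ($isKiosk) { 'kiosk account granted directly' } else { 'broad group grant' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No share grants reachable by broad groups or the kiosk account.'
}
```

This only inspects the share-level ACL; the NTFS permissions on each share path (Get-Acl on $share.Path) must be reviewed as well, since the effective access is the more restrictive of the two.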
-
Badass.
-
nzlemming, in reply to
Really?
-
James Harden, in reply to
Phone recordings are used for quality assurance, training and in investigations of complaints or fraud. It's pretty much as you'd expect from any call centre. Remember, you are entitled to request a copy of a recording of you via the Privacy Act.
-
mark taslov, in reply to
For sure.
-
Chris Miller, in reply to
Or from the WINZ kiosk, apparently.
-
From the NBR article this evening it states - "A security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after." - so in theory someone has looked at these kiosks twice (at least) and thought they were all good.