OnPoint: MSD's Leaky Servers
629 Responses
-
For those unfamiliar with the departmental acronyms mentioned,
MSD = Ministry of Social Development http://www.msd.govt.nz/
WINZ = Work and Income New Zealand http://www.workandincome.govt.nz/
CYFS = Child, Youth and Family Services http://www.cyf.govt.nz/
Apart from not expanding these acronyms even once in the post, excellent work! I will now give you money.
-
Graeme Edgeler, in reply to
Thomas - why not include subsection (2):
To avoid doubt, subsection (1) [i.e. offence Thomas mentions] does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.
Although, as Keith isn't a WINZ client...
-
Hebe,
Well done Keith for outing this. Absolutely fucking appalling mismanagement. Bennett must resign.
-
My mind is boggling at the incompetence from MSD IT in this.
Firstly, public access (web and kiosks) should be completely sandboxed from internal sensitive data. Ideally this should be an "air gap" (no physical connection), but that's not reasonable these days, and firewalls are usually adequate.
Secondly, assuming someone *is* inside your network, how the fuck does a regular, unprivileged account enumerate all these files and servers? Even "system" files like the virtual machine configs?
Either the kiosk login account has system admin privileges (Domain Admin in Microsoft-speak), or EVERY unprivileged account inside MSD has the same access.
I'm not sure which scenario is scarier.
-
Keith, thank you for exposing this. MSD's attitude to data security is appalling. This goes to show that the MSD's internal systems are completely unfirewalled. If there were admin passwords available in plain text to a kiosk user, you have to assume that every MSD employee has access to every piece of data on every person. This is truly horrifying.
It's going to take a lot more than just turning off the kiosks to fix this.
-
As Paul O'Reilly mentioned on Facebook, this is the agency that Paula Bennett wants to manage an inter-agency database of at risk kids. I don't think so...
-
Hebe, in reply to
It's going to take a lot more than just turning off the kiosks to fix this
Yes. This could bring down the government. I cannot recall a bigger case of neglectful administration and betrayal of the "clients" in New Zealand politics.
The more I think about it, the bigger the implications are: would the Justice Ministry, Police, Courts and IRD systems be compromised by this?
-
nzlemming, in reply to
Their systems are independent, although they do share data on certain matters. I used to work for IRD IT and the security was pretty tight then ('90s). I don't imagine that's changed. From memory, even the data exchange was done on tape, when required - it wasn't on demand, though that may have changed.
-
Hebe, in reply to
Good.
What a story; Keith is courageous; everyone must support him because the shit machine will get to work. I will be donating tomorrow.
-
Keith Ng, in reply to
Thomas/Graeme: Yeah, what Graeme said. That's pretty much my defence. Except that those were self-service kiosks - not restricted to WINZ clients in any way.
-
Yes. This could bring down the government. I cannot recall a bigger case of neglectful administration and betrayal of the "clients" in New Zealand politics.
The more I think about it, the bigger the implications are: would the Justice Ministry, Police, Courts and IRD systems be compromised by this?
I suspect this whole thing gives the Public Service Association even more reason to say, 'we told you so!'
-
This reminds me of my old high school in which personal and internal data was exposed like this - the "open file" in Office.
-
mjb, in reply to
Be realistic - it's more likely that IT staff heads will roll, not Bennett or the guvmint.
-
Hang on.
My jeans were torn, my hoodie was pretty ragged, and I hadn’t shaved for a week. It turned out that bloggers are remarkably good at disguising themselves as unemployed, without even trying.
Bloody hell. That's a shitty stereotype to perpetuate in the service of an opening gag. Everyone I saw down at the Willis Street office was usually nicely dressed!
-
There are a lot of useful files there, especially the virtual machine & firewall rules. Could come in handy for later compromises. This is a classic example of security through obscurity. Experience tells me though that instead of doing an audit on the overall security of their information systems and taking further responsibility, they will just sort out the kiosk computers and do some PR about how naughty it was of you to access this information. Could have been worse if someone malicious was to get in there...
-
John Marshall, in reply to
Could have been worse if someone malicious was to get in there…
It's entirely likely that they have. It may well be that Keith and his informant are not the only people to have experimented with these kiosks.
-
Keith Ng, in reply to
Bloody hell. That's a shitty stereotype to perpetuate in the service of an opening gag. Everyone I saw down at the Willis Street office was usually nicely dressed!
I was in Newtown. Also: Ain't nothing wrong with dressing down. I do my best work terribly dressed.
-
tomj,
I was at my friend's place when I read this. I said to her cripes, listen to this, and she said "oh yeah, when I was on one of those kiosks a few months ago I did the same thing and read some internal memos by Paula Bennett about her plans for WINZ". She thought about printing some out but didn't in case someone noticed.
-
A year ago a Dutch IT news website ran a month-long campaign exposing privacy leaks like this from numerous Dutch companies and government organisations. They reported about one leak a day for the month. In the fallout questions were asked in parliament, new guidelines devised, IT systems overhauled, and the journalist behind the campaign got a journalist of the year award.
So there is some hope for Keith Ng.
-
I wonder if they contracted someone to set up the terminals or did it in house.
-
Amazingly terrible IT work, leading to excellent journalism. So at least there is symmetry.
-
There's always the Ecuadorean Embassy, dude.
-
Just out of interest this PowerPoint presentation gives you some idea of the IT infrastructure of MSD and WINZ (scroll to the bottom). It's two years old, dunno how much has changed but at least it shows how the agencies are connected.
http://archives.govt.nz/advice/training-and-events/previous-forum-papers-html/making-difference
-
Scary stuff, certainly worth a donation. I'll even sign a petition if Keith gets locked up on Soames Island
-
Let’s be clear here that this is not simply an IT issue – this is a governance failure that goes right to the top, implicating the CEO of MSD at the very least, if not ministers as well.
There are two possible scenarios here. Either the terminals are running as some administrative account with special privileges to access the entire network. Or there simply are no access controls. I think we can assume the latter.
So crucial sensitive data had no access controls. We’re not talking about shoddy access controls, which would be an IT issue. We are talking no access controls, meaning that at a policy level controls have never been instituted. Meaning that, even if by omission, a decision has been made that it’s okay for all MSD staff (and anyone else with access to MSD's network) to have access to all MSD information.
This is huge.
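Two comments above ask the same technical question from different angles: the earlier one, how an unprivileged kiosk account could enumerate internal files and VM configs at all, and this one, whether the cause was a privileged kiosk account or simply no access controls. The following is an added example, not code from the thread, MSD or any commenter, that models a file-share ACL with default-deny evaluation and an audit that flags shares readable by untrusted identities. The share names, group names, the "kiosk-public" principal and the "Everyone" identity are constructed for illustration; the weak layout beside the hardened one shows the difference between "no access controls" and controls scoped to the groups that actually need each share.

```python
"""Default-deny share access check plus an audit for overly broad ACLs.

Added example (not from the thread). The shares, groups and principals are
constructed to illustrate the failure mode discussed above: a public kiosk
account that can read internal shares because nothing restricts it.
"""
from dataclasses import dataclass, field

EVERYONE = "Everyone"  # implicit identity every authenticated user carries


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()


@dataclass
class Share:
    name: str
    # ACL: identity (user or group name) -> set of allowed operations.
    acl: dict = field(default_factory=dict)


def effective_identities(principal):
    """All identities an access check must consider for this principal."""
    return {principal.name, EVERYONE} | set(principal.groups)


def is_allowed(share, principal, op):
    """Default deny: access exists only if some identity grants the operation."""
    for ident in effective_identities(principal):
        if op in share.acl.get(ident, ()):
            return True
    return False


def audit_broad_access(shares, untrusted_identities):
    """List (share, identity, op) grants made to identities that should not
    reach internal data (e.g. Everyone or the kiosk group). Each finding is
    either a misconfiguration or a deliberately public share to be reviewed."""
    findings = []
    for share in shares:
        for ident, ops in share.acl.items():
            if ident in untrusted_identities:
                for op in sorted(ops):
                    findings.append((share.name, ident, op))
    return findings


# Constructed sample principals (hypothetical names).
KIOSK = Principal("kiosk-public", frozenset({"Kiosk Users"}))
CASE_WORKER = Principal("j.bloggs", frozenset({"Case Workers"}))

# Weak layout: every share is granted to Everyone, so the kiosk account
# (or any staff account) reads case files and infrastructure configs.
WEAK_SHARES = [
    Share("case-files", {EVERYONE: {"read", "write"}}),
    Share("vm-configs", {EVERYONE: {"read"}}),
    Share("public-forms", {EVERYONE: {"read"}}),
]

# Hardened layout: each share is scoped to the group that needs it; the
# kiosk group is granted only the share that is meant to be public.
HARDENED_SHARES = [
    Share("case-files", {"Case Workers": {"read", "write"}}),
    Share("vm-configs", {"Infrastructure Admins": {"read", "write"}}),
    Share("public-forms", {"Kiosk Users": {"read"}, "Case Workers": {"read"}}),
]

# Identities that must never appear on an internal share's ACL.
UNTRUSTED = {EVERYONE, "Kiosk Users", "kiosk-public"}


if __name__ == "__main__":
    for label, shares in (("weak", WEAK_SHARES), ("hardened", HARDENED_SHARES)):
        print(f"[{label}] kiosk can read case-files:",
              is_allowed(shares[0], KIOSK, "read"))
        for finding in audit_broad_access(shares, UNTRUSTED):
            print(f"[{label}] broad grant:", finding)
```

Running the block shows the kiosk principal reading case files and VM configs under the weak layout and being denied under the hardened one, while the audit narrows from four broad grants to the single intended one (the public forms share). The audit output is the point for a defender: on the hardened layout every remaining finding is a share someone consciously decided to make public, and any other entry is a misconfiguration to fix.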