OnPoint by Keith Ng


OnPoint: MSD's Leaky Servers

629 Responses


  • Bart Janssen, in reply to Sacha,

    Any IT manager right up to the new CIO should have spotted this stuff and fixed it.

    Nope.

    The CIO probably has no computing experience beyond PowerPoint, but he/she will have an MBA. The priority will have been to meet budgets, their KPIs will be based on reducing salary costs, and they will have met those KPIs and received appropriate bonuses.

    The poor schmucks on the ground will have come fresh out of their tech training and may or may not be good. But they will have NO experience, because industry experience would cost more in salaries.

    This is the nature of business in NZ: worship the MBA and management experience, dismiss the experience of the workers as irrelevant.

    Auckland • Since Nov 2006 • 4461 posts Report

  • Bart Janssen, in reply to Craig Ranapia,

    people who are a little more directly responsible for data security.

    I'm certain the codemonkeys at the bottom of the pay scale will get fired.

    Auckland • Since Nov 2006 • 4461 posts Report

  • Deborah, in reply to Jonathan King,

    It’s not that incredible that most people don’t know a lot about the internal workings of computers and computer files and how to access them. Computers are a bit like cars: most of us know how to use them, many of us know how to do minor things (check the oil, change a tyre, top up the windscreen water thingie), but when it comes to doing anything more than that, we hand it over to experts. Some people love tinkering with their cars, so they know a bit more about it, and some people can even do most car stuff themselves. But for many of us, a car is just a tool that facilitates other things we do, and we’re not all that interested in the internal workings, so we hand anything other than very basic maintenance over to experts.

    Same thing goes for computers. Keith lost me at about, “just using the Open File dialogue in Microsoft Office, you could map any unsecured computer on the network.” And what exactly is a file server?

    A computer’s just a tool that I use to do my job and other things that I find interesting. Just like my car, I can do basic things like loading new software, and sorting out a printer connection, and changing my desktop picture, but that’s about it. I don’t want to spend effort understanding the rest or fiddling about with it, so I hand those tasks over to experts.

    New Lynn • Since Nov 2006 • 1447 posts Report

  • cognitive_hazard,

    Hear, hear, Bart.

    Key’s already heavily downplaying it saying on Breakfast this morning that “accessing the information wasn’t easy”

    Illustrates the extent of JK's computing ability. File, open... is there really an easier process in Windows?

    New Zealand • Since Oct 2012 • 13 posts Report

  • Marc C,

    Great one, Keith!

    This is overdue to be exposed, and there will be much, much more to come, I am sure!

    WINZ have, for a year or so, been scanning in almost all relevant documents of clients applying for benefits, updating records, reporting changes of circumstances, documents to support reviews on medical and various other grounds - INTO THEIR SYSTEMS!

    So ENDLESS documents are on their file, being PDF and other types of documents.

    With this leak having been exposed now, and with others due to be exposed soon, I am sure, this makes every client and every other person involved with WINZ and MSD TOTALLY EXPOSED and vulnerable.

    Surely now, all reforms and major changes announced have to be put on hold, until MSD have got their whole systems checked and fixed.

    It is not coming at the best of times for Bennett and this government.

    Good work, anyway!

    Marc

    Auckland • Since Oct 2012 • 437 posts Report

  • La Maison du Che'z,

    This is pretty gobsmacking and must be a NEW thing.
    I worked for WINZ (frontline in various roles) for 24 years, finishing in 2010. All these details that you have been able to access are amazing, considering we, as staff, were NEVER able to access any of them. Even our Service Managers couldn't get into them.
    It was so "locked down" that we couldn't even access the Internet unless we personally had been granted an electronic licence (so no Trade Me, Facebook, Twitter etc).
    We did have our own internal "Intranet" and access to our own clients' benefit records, but I am appalled that the public has been able to access stuff that even we, as staff, could never get to, or would even attempt to get to.
    Thank you for exposing this anomaly in their system, but I would appreciate it being reported that it is not WINZ information that you have been able to see; it is other organisations within MSD.

    BOP • Since Oct 2012 • 1 posts Report

  • Joe Wylie, in reply to James George,

    There is no doubt that Bennett is responsible for this farce.

    "Paula Rebstock is running Work and Income"

    flat earth • Since Jan 2007 • 4593 posts Report

  • Bart Janssen, in reply to Daniel Webster,

    “accessing the information wasn’t easy”

    As far as I can tell this is roughly equivalent to a bank leaving the keys under the front door mat attached to a note with the alarm codes.

    Now most folks wouldn't think to look under the mat...
    and most folks wouldn't know where the alarm keypad was ...
    but that is about the level of difficulty we are talking about

    Auckland • Since Nov 2006 • 4461 posts Report

  • Craig Ranapia, in reply to Bart Janssen,

    I’m certain the codemonkeys at the bottom of the pay scale will get fired.

    Yeah, and Paula Bennett's head on a spike would totally restore my confidence. It really really would.

    North Shore, Auckland • Since Nov 2006 • 12370 posts Report

  • Hamish, in reply to Bart Janssen,

    ...roughly equivalent to a bank leaving the keys under the front door mat attached to a note with the alarm codes.

    Worse: it’s like the bank leaving a note under the mat saying: "Guess what! There is actually no alarm and the door is left unlocked at night, LOLZ!!!111".

    The A.K. • Since Nov 2006 • 155 posts Report

  • stuartm, in reply to La Maison du Che'z,

    I'm willing to be proven wrong on this, but I'm highly doubtful that the file shares that Keith accessed are open to all and sundry within MSD. It seems more likely to me that the accounts used by the kiosk computers were incorrectly configured which gave them way more rights than they needed.

    If true, it would be ironic that the public had more access to MSD's internal systems than their own staff did.

    Wellington • Since Jun 2008 • 4 posts Report

  • BenWilson,

    Holy shit! Great work, Keith. Massive story.

    Auckland • Since Nov 2006 • 10657 posts Report

  • Sacha, in reply to Craig Ranapia,

    Well, he’s not wrong but completely misses the point. I couldn’t do what Keith did

    The kiosk is not the main problem in any case. Staff using MSD's network in their day-to-day job seem to have global access. Easily.

    Ak • Since May 2008 • 19745 posts Report

  • Russell Brown,

    Holy heck.

    Computerworld is now reporting that the breaches might extend to CERA and other agencies, thanks to their shared services agreements with MSD.

    Daniel Ayers is speculating that one of the viewable servers in Keith's screenshot is CERA's office server.

    Auckland • Since Nov 2006 • 22850 posts Report

  • Hilary Stace,

    6784 views in 12 hours - how does that rate in PA's record books, Russell?

    Wgtn • Since Jun 2008 • 3229 posts Report

  • Sacha, in reply to stuartm,

    It seems more likely to me that the accounts used by the kiosk computers were incorrectly configured which gave them way more rights than they needed.

    That's possible too, yes.

    Ak • Since May 2008 • 19745 posts Report

  • izogi, in reply to Sacha,

    Any IT manager right up to the new CIO should have spotted this stuff and fixed it.

    That's true, although more to the point, when I worked at a small/mid-sized government department up to a couple of years ago, our IT team employed a person whose specific responsibility was to keep track of the IT security implications of virtually everything the department did, be up-to-date with everything relevant, stay in touch with the spooks regarding things like espionage risks and relevant system auditing, and essentially make sure nothing stupid happened, whether it be with something we developed ourselves or auditing the work done by contractors. One of the tougher bits is trying to keep track of different sections of the organisation that've decided to spin off and implement something themselves before you've heard of it, but it's impossible to imagine that could occur here when there are kiosks apparently sitting inside the firewall.

    Right now I'm quite flabbergasted that orgs like WINZ and ACC obviously either aren't employing enough people capable of doing this and given a mandate for it, or they're not giving them enough resources, access and control over what's going on to do their job properly.

    Wellington • Since Jan 2007 • 1142 posts Report

  • duke,

    As usual, quality work, Keith. Clearly the in-house IT team will be suffering some lost heads quick snap.

    S.W.I.M encountered a very similar situation at Auckland City Libraries public PCs oh, 15 odd years ago. Of course library data is hardly as compromising!

    Since Jul 2009 • 24 posts Report

  • Ian Dalziel,

    Aren’t GCSB* mandated to deal with this stuff?

    We could ask the minister in charge...
    who said:

    “accessing the information wasn’t easy”

    He should know, as he (and many of his ministers) have a large problem with any kind of memory systems...

    * The Mission of the GCSB is to contribute to the national security of New Zealand through:
    • providing foreign intelligence to support and inform Government decision making;
    • providing a 24/7 intelligence watch and warning service to Government;
    • ensuring the integrity, availability and confidentiality of official information through information assurance (IA) services to Government; and
    • contributing to the protection of Critical National Infrastructure from cyber threats.

    Christchurch • Since Dec 2006 • 7953 posts Report

  • Juha Saarinen,

    I couldn’t do what Keith did

    Oh yes you could... that's what Keith shows. It wasn't hard at all, and for Key to say otherwise is just silly.

    Since Nov 2006 • 529 posts Report

  • Pete Sime, in reply to Deborah,

    Same thing goes for computers. Keith lost me at about, “just using the Open File dialogue in Microsoft Office, you could map any unsecured computer on the network.”

    Fire up Word. Go to File->Open. There's a box with all the folders and drives you can open a file from. On your computer the dialog box would have areas like "My Documents" "Desktop" and "My Computer". There's also "My Network Places". Presumably Keith navigated through that to computers and files he should not have been able to access. This wasn't super 1337 ("leet" or elite) geekery. It was using Word in the way it was designed to be used.

    Dunedin • Since Apr 2008 • 171 posts Report

  • stuartm, in reply to Russell Brown,

    That appears to be pretty wild speculation at this stage, and not at all helpful.

    Wellington • Since Jun 2008 • 4 posts Report

  • Rebecca Denton, in reply to Pete Sime,

    Exactly Pete. To use the ‘car’ metaphor – it was like opening the boot.

    United Kingdom • Since Oct 2012 • 5 posts Report

  • Rowan Crawford,

    An OIA request has been made to follow up on fyi.org.nz: "Development and Testing of Kiosk Solution".

    Auckland • Since Oct 2008 • 27 posts Report

  • Russell Brown,

    Wow. Kay Brereton of the Beneficiaries Advocacy Federation says she told MSD about the flaws in the kiosks a year ago. Stephen Judd has just said on Twitter that MSD was warned again by its own testers several months ago, and again did nothing.

    It seems appropriate to declare this a scandal.

    Auckland • Since Nov 2006 • 22850 posts Report
