OnPoint by Keith Ng

10:14PM Oct 14, 2012 • Read Post

OnPoint: MSD's Leaky Servers

Subscribe by Email RSS

629 Responses

First ←Older Page 1 … 7 8 9 10 11 … 26 Newer→ Last

• David Hood, 11:46 Oct 15, 2012

  

  Since I am making screenshots today anyway.

  Dunedin • Since May 2007 • 1445 posts Report

• Sacha, in reply to Hebe, 11:47 Oct 15, 2012

  They will push Paula Bennett if it is required to keep National in government

  Won't happen. CEO on the other hand..

  May actually be used to beef up powers of Work and Income's new Rebstock-headed oversight 'Board' if the opposition don't follow this up carefully.

  Ak • Since May 2008 • 19745 posts Report

• Andrew Elphick, in reply to Terry Baucher, 11:49 Oct 15, 2012

  Yes indeed I am also weary that Data matching from IRD could have been accessible during this time

  Greymouth • Since Oct 2012 • 2 posts Report

• Rich of Observationz, in reply to rodgerd, 11:53 Oct 15, 2012

  Or they pay market rates for new hires (because otherwise they get zero qualified candidates and wind up reliant on contractors) and then never give rises because "times are tough". So the only way to get a pay rise is to leave. That's fairly endemic.

  Also, the public sector has always paid a bit lower, but with the advantage of job security and feeling one benefits society. When the job securities gone and the purpose of the Minister in charge is basically to damage people's lives, that kind of goes away.

  Back in Wellington • Since Nov 2006 • 5550 posts Report

• Craig Ranapia, in reply to Hebe, 11:53 Oct 15, 2012

  Craig, I understand this is a hideous start to the week for you, and I wouldn’t contribute to PA if I wasn’t thought-provoked and disagreed with. How about about we call a truce and discuss rather than snark?

  Fair call - but you know what? There's going to be plenty of political fall out for the Minister. There should be, and it goes with the ministerial warrant, so Paula Bennett is going to have to suck it up and deal.

  But I'm a damn sight more angry at the people who directly failed in what should be an absolutely fundamental duty of care to people in the same position today as Emma and her Mum. To people like my foster brother and his wife, who are currently in the middle of adopting -- an incredibly tough process on all parties without wondering if some cyber-perv had their details on a USB stick.

  Plenty of lashing to go around, but I've got to admit calling for Paula Bennett's resignation? Not top of my to-do list at the moment.

  North Shore, Auckland • Since Nov 2006 • 12370 posts Report

• Hebe, in reply to Sacha, 11:55 Oct 15, 2012

  A public-sector CEO suit doesn't have the same public opinion value as a Minister approaching their Best Before date when one must be seen to be dealing to a problem.

  Christchurch • Since May 2011 • 2899 posts Report

• Stephen Judd, in reply to Craig Ranapia, 11:58 Oct 15, 2012

  calling for Paula Bennett’s resignation? Not top of my to-do list at the moment.

  Will you rewrite your list if it turns out she was warned?

  Wellington • Since Nov 2006 • 3122 posts Report

• Craig Ranapia, in reply to Stephen Judd, 12:01 Oct 15, 2012

  Stranger things have happened.

  North Shore, Auckland • Since Nov 2006 • 12370 posts Report

• Hebe, in reply to Craig Ranapia, 12:02 Oct 15, 2012

  I'm a damn sight more angry at the people who directly failed in what should be an absolutely fundamental duty of care to people in the same position today as Emma and her Mum.

  Totally agree, and that is where attention must be focused. And the possibility of information being edited by third parties: astounding.

  Cera access worries me a whole lot less: we have been wanting open government in Christchurch for some time.

  Christchurch • Since May 2011 • 2899 posts Report

• Kyle Matthews, 12:07 Oct 15, 2012

  Keith mentions he could “map any unsecured computer on the network”. Which seems (slightly) more than just going to File Open and navigating to network drives?

  Yes. But mapping is just a way of taking a server that you access frequently on the local network (any one of the computers on that list), and making a virtual link to it. So instead of going to Network Places > ServerName >FolderName > SubFolder you can just access it like it's your local hard drive on your computer. So it's a matter of convenience for future access, not required to have access at all - anyone can navigate through the network places folder.

  Also, hearing that the files were writeable (editable).

  Yes. Though they're pdf files so probably not editable on the machine as that requires specialist software. Whether you can overwrite a file with a pdf that you've brought in...? I'd struggle to think how you could do that from within the microsoft office open file dialogue box.

  Since Nov 2006 • 6243 posts Report

• Sue, 12:08 Oct 15, 2012

  thank you keith

  from a personal perspective i'm shocked my info is possibly that accessible.

  But i'm not one of the countries most vunerable people who needs all the protection and secruity and a place they cant live without fear.

  I also wonder how much info there is about the Benfit fraud investigation teams.
  Fact of life there are some people who do intentionally engage in bennfit fraud and some of those people are not nice and you wouldn't want them knowing where you live. And people in the investigation teams go to very long lenths to keep thei identities out of the public to protect their homes and families. Is their info out there?

  Wellington • Since Nov 2006 • 527 posts Report

• izogi, in reply to TracyMac, 12:10 Oct 15, 2012

  Basically, not very difficult for someone with slightly extended knowledge of computers on enterprise networks. Possibly even less, because someone could inadvertently bring up that dialogue in Word and start clicking around from curiosity.

  I totally agree. I know countless people, IT-background and not, who'd be able to pull this off easily, and many of whom would stumble on it accidentally because they like poking things, especially when a locked-down machine also prevents them from doing something they consider trivial and completely normal. (When computers give you 10 ways to do something, it's natural for some to try method B when method A doesn't work.)

  The discussion here about some people's technical ability to figure this out is beside the point. It's the people who can do it who should worry everyone, and whatever one's ability to understand Keith's descriptions, it's definitely not tricky or obscure stuff. Most people wouldn't abuse it, but it only takes one, and there are some really basic chain screwups here on WINZ's part which have allowed it. (Firewall in the wrong place, account permissions, lack of effective testing, failure to respond to reports a year ago of the problems, etc etc.)

  Wellington • Since Jan 2007 • 1142 posts Report

• snikch, in reply to Kyle Matthews, 12:12 Oct 15, 2012

  Yea, you'd probably have to crack out the 'Save as' file dialogue box for that one.

  Since Oct 2012 • 1 posts Report

• Sacha, in reply to Hebe, 12:12 Oct 15, 2012

  Cera access worries me a whole lot less: we have been wanting open government in Christchurch for some time.

  Heh

  Ak • Since May 2008 • 19745 posts Report

• David Hood, in reply to Kyle Matthews, 12:14 Oct 15, 2012

  I’d struggle to think how you could do that from within the microsoft office open file dialogue box.

  Trivia point, but a big selling point of Word 2013 is that they can open and edit PDFs (not that I am suggesting the Kiosks were using this version). More generally, I can think of a couple of ways, but we are getting into pretty technical "depends on the kind of PDF and how far you want to edit it" might or might not work uncertainties.

  Dunedin • Since May 2007 • 1445 posts Report

• James George, in reply to David Hood, 12:21 Oct 15, 2012

  Altho I am amazed at what you can do in windows browse boxes. Unless someone has been all UAC or AD, pasting into em frequently works.

  Since Sep 2007 • 96 posts Report

• Kyle Matthews, 12:22 Oct 15, 2012

  

  I’m still appalled that these kiosks weren’t set up as “kiosk-style” machines, of which there are copious examples around the place, with accounts that are basically “guest” accounts (assuming they need to be in the Windows security domain for other reasons).

  Yeah. Presumably they have access to the MSD network for printing, you'd struggle to think of another reason why they'd need access beyond internet access - plenty of stuff on the various web sites with forms, jobs etc.

  Yea, you’d probably have to crack out the ‘Save as’ file dialogue box for that one.

  Probably not from word, which wouldn't do that for pdfs yet. If they have adobe on the machines that could be possible.

  Also note this screen shot of the WINZ site taken a couple of minutes ago:

  Current News [...]
  Don't give too much away
  09 October 2012
  Find out how to keep your information safe so you don't become a victim of identity theft

  Since Nov 2006 • 6243 posts Report

• Keir Leslie, in reply to Kyle Matthews, 12:26 Oct 15, 2012

  I am just presuming here, but my money would be on privilege escalation being pretty much trivial on these machines. The worrying thing is that it seems like you pretty much wouldn't need to...

  Since Jul 2008 • 1452 posts Report

• Kyle Matthews, 12:28 Oct 15, 2012

  Yes. If the admin passwords and VM information then there's a whole heap more damage that could be done for anyone with decent IT admin knowledge.

  Since Nov 2006 • 6243 posts Report

• Martin Lindberg, in reply to Kyle Matthews, 12:28 Oct 15, 2012

  I'd struggle to think how you could do that from within the microsoft office open file dialogue box.

  No problem. Just drop a file with the same name into the open file dialogue box. Microsoft has effectively turned that dialogue box into a slim file-manager.

  Stockholm • Since Jul 2009 • 802 posts Report

• James George, in reply to Kyle Matthews, 12:30 Oct 15, 2012

  I just tested out pasting a pdf into Word open file browse box on my domestic lan (pretty much just windows default settings) and managed to drop a PDF on another machine. It appeared to be invisible until I changed the file type from docx to *.*.

  Since Sep 2007 • 96 posts Report

• Sacha, in reply to Martin Lindberg, 12:37 Oct 15, 2012

  Just drop a file with the same name into the open file dialogue box. Microsoft has effectively turned that dialogue box into a slim file-manager

  True. I recall keyboard shortcuts working there in the past too.

  Ak • Since May 2008 • 19745 posts Report

• Andre Alessi, in reply to Terry Baucher, 12:40 Oct 15, 2012

  Leaving aside the appalling security issue, are we all happy that MSD is contracting out a core function of Government?

  Given that a private contractor with a less than stellar track record internationally (G4S) is responsible for monitoring people on home detention, I think the Veda link is small potatoes in comparison.

  Devonport, New Zealand • Since Nov 2006 • 864 posts Report

• cognitive_hazard, in reply to Kyle Matthews, 12:44 Oct 15, 2012

  At least they installed font updates on the WINZ kiosks, Ironic Sans if I'm not mistaken?

  New Zealand • Since Oct 2012 • 13 posts Report

• niceness, in reply to Chris Miller, 12:44 Oct 15, 2012

  Hi Chris, I am intrested in your claim that most of the fraud is committed by MSD staff. Thats a biggie and if i'ts true it needs to be publicised for the sake of all genuinely stuggling beneficiaries out there.

  Auckland • Since Oct 2012 • 1 posts Report

First ←Older Page 1 … 7 8 9 10 11 … 26 Newer→ Last