OnPoint: MSD's Leaky Servers
629 Responses
-
noizyboy, in reply to
a video of the File Open process
David's comment here...
http://publicaddress.net/system/cafe/onpoint-msds-leaky-servers/?p=272401#post272401
...visually demonstrates the concept.
-
Tom Beard, in reply to
development was moved to low cost centres in Pune, India and Tallin, Estonia. The 7.2 release of SMP will be delivered by these new teams."
I'm sorry, Estonia? Isn't that almost the beating heart of cybercrime? Are you sure it wasn't Elbonia?
-
Terry Baucher, in reply to
F**k. Me. That sounds like a serious amount of work. How long would it take to implement? Would the MSD network remain unsecure until it was done (if I understand you right, yes)?
-
Andrew Elphick, in reply to
I agree with you. Given the accessibility of their administrators' domain, the chances are that "software" has been installed and a full system reinstall would be a good idea... What's the bet that this isn't done in a timely manner? The penny will drop!
I am all in favour of open government, but this is taking things a bit too far!
-
James George, in reply to
You said "all I'd have to do would be to set up a file with junk personal information and the target bank account number." Even a coupla decades ago such a thing wouldn't have been possible to create "bennies". A second employee (usually a supervisor) is meant to cast their eyes over the hard copies of docs before a payment can be created. It isn't to say such stuff never occurred, just that it would require social hacking of the sort most public servants lack the imagination to successfully pull off. Which is why they get caught, of course.
As for the claim that the whole system needs to be scrapped and started again that is over the top and no help at all to those people who are genuinely concerned about the reality of this.
The odds are great that no such penetration occurred. If someone did get a few virtual machine snapshots or even clone the VD's, password changes along with a system audit should prevent any long-term hack.
-
Hebe, in reply to
It means that no data on the network can be trusted, unless it checks out when compared to data from backups that were created and stored off the network before the kiosks were installed.
Jaysus. It's that bad? Would that compromised security reach outside MSD and its files into other areas of government?
-
cognitive_hazard, in reply to
Yup
-
This is a gif showing an ancient hack on win95 where you could access the system without a password.
The steps you go through to get a File Open dialog are rather convoluted, but once there the principle is the same. From the File Open window you can right click on items to get plenty of options. This mechanism has been known about for years.
You can pretty much run anything the system lets you do from this view. What systems are supposed to do is not let you do those things. A properly configured system will let you ask for anything and, if you are not allowed, say no! Instead, MSD have a system where they tried to hide all of the possible ways to ask. If you could find another way (which Keith did, using a technique known for years) the system will happily comply.
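Added example, not from the thread or from any MSD system: a small Python model of the distinction cognitive_hazard draws above, a kiosk that only hides the entry points versus one that answers every request with an explicit allow-or-deny check. The class names, paths and file contents are constructed for illustration.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Constructed sample "filesystem" for the demonstration; a kiosk user is only
# meant to reach files under /kiosk/public.
KIOSK_ROOT = PurePosixPath("/kiosk/public")
SAMPLE_FILES: Dict[str, str] = {
    "/kiosk/public/jobs.txt": "job listings",
    "/kiosk/public/forms/application.pdf": "application form",
    "/shares/internal/notes.txt": "internal staff notes",  # must never be reachable
}


def normalise(path: str) -> str:
    """Collapse '.' and '..' so a path is compared in its canonical form.
    A policy check on the raw string would be bypassable with traversal."""
    parts: List[str] = []
    for part in PurePosixPath(path).parts:
        if part == "..":
            if parts:
                parts.pop()
        elif part not in (".", "/"):
            parts.append(part)
    return str(PurePosixPath("/", *parts))


@dataclass
class HiddenMenuKiosk:
    """Lockdown by concealment: the menu is the only 'control'. open() trusts
    whatever path it is handed, which is what a File Open dialog reached by a
    side door amounts to."""
    menu: List[str] = field(default_factory=lambda: ["/kiosk/public/jobs.txt"])

    def open(self, path: str) -> Optional[str]:
        return SAMPLE_FILES.get(normalise(path))  # no authorisation step at all


@dataclass
class CheckedKiosk:
    """Deny by default: every open() is checked against the policy, however
    the caller found the path. Anything outside the root is refused."""
    allowed_root: PurePosixPath = KIOSK_ROOT

    def is_allowed(self, path: str) -> bool:
        canonical = PurePosixPath(normalise(path))
        return canonical == self.allowed_root or self.allowed_root in canonical.parents

    def open(self, path: str) -> Optional[str]:
        if not self.is_allowed(path):
            return None  # the request is answered with "no", not merely hidden
        return SAMPLE_FILES.get(normalise(path))


def compare(path: str):
    """Return (hidden_menu_result, checked_result) for the same request."""
    return HiddenMenuKiosk().open(path), CheckedKiosk().open(path)


if __name__ == "__main__":
    for request in list(SAMPLE_FILES) + ["/kiosk/public/../../shares/internal/notes.txt"]:
        hidden, checked = compare(request)
        print(f"{request:50} hidden-menu={hidden!r:25} checked={checked!r}")
```

The point of the model is the position of the check: the hidden-menu kiosk has none, so any path the caller manages to name is served, while the checked kiosk evaluates the canonical path on every call, so it does not matter which dialog or side door produced the request.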
-
nzlemming, in reply to
Concur. Hadn't thought it through to that point but, in hindsight, should have picked it up when I saw that screenshot of the VM info.
Fuck.
-
What is the bigger worry for me is if someone who knew of the security holes used the information for a range of purposes - the best intrusion is where you use the data for gain and those you copied it from are unaware of your level of knowledge.
So this can make things like benefit fraud easier (I can check what the investigators are doing), identity theft becomes real easy as I have a whole lot of personal details (send me a credit card please), and if RFPs were accessible this would give me the inside knowledge I could use to get contracts. The list goes on.
The problem is we will probably never know what information has been taken for illegal purposes and where it has been used.
-
Hebe, in reply to
I thought it might be from the story. Then I thought, "Nope. Once a drama queen, always a drama queen. Can't be that bad." Now I'm flabbergasted, as m'dear ma used to say.
-
In case I missed it upthread, https://www.givealittle.co.nz/cause/msdleaks will I hope be of interest to everyone who appreciates Keith's work...
-
Oh, and I forgot. Intrusion testing 101 is all about capturing IDs/passwords which allows you to cascade through the infrastructure via trusted logins. No need to attack the MSD, just head to a kiosk and browse for usercodes/passwords (users never store them in files do they?).
I have been involved with an organisation where within an hour the external testers had admin passwords due to a compromise of a network admin password which let them gain access to more secure systems.
Who knows what passwords were stored and available for inspection and use?
Yes, I may seem paranoid, but we do not live in a benign cybersphere!
-
Chris Miller, in reply to
They're meant to at my job too. (Most of the actual information is stored hard copy; things like name, address, bank details and action history are in the database file.) The point is more that staff are familiar enough with the back end to know how to get around the checks and balances. Not all of them, but enough of them. External fraud has less knowledge of that sort of thing and often has a higher failure rate - we have a fair few cases that went to the courts as attempted fraud, but only a very few that actually GOT money they shouldn't have.
-
Guys guys guys... I think you're looking at this whole thing from completely the wrong perspective. You say it's a huge breach of privacy pertaining to beneficiaries' personal information, I say "what are those bludgers trying to hide?" (you can have that one Paula)
-
Sacha, in reply to
And that graphic has been most appreciated - as has Matthew's great explanation of the implications, which Computerworld NZ just retweeted.
-
Karen Adams, in reply to
Hey, it's more than what I get from MSD. The thing is that we definitely know what types of things Kevin was able to access, but when someone is obsessed with you and knows you have a file with current details held by MSD, I can't help but wonder, with more time and motivation, how can MSD say conclusively that my file hasn't been accessed? They can't.
-
Tony Meyer, in reply to
Rich: in any OS X open file dialog, type / and you get the "Go to the folder" pane, and from there you can paste.
Easy as /, ⌘A, ⌘V.
-
Tom Beard, in reply to
how can MSD say conclusively that my file hasn't been accessed? They can't.
The CEO's just said on live TV that they can't guarantee that other people haven't accessed the same info Keith did. Not sure what the 0800 message says, but might there be a contradiction?
-
Sacha, in reply to
we will probably never know what information has been taken for illegal purposes and where it has been used
Which should help reinforce how big this is.
-
Morgan Nichol, in reply to
Whoa, whoa, whoa, slow down there, Poindexter.
-
Karen Adams, in reply to
Guys guys guys... I think you're looking at this whole thing from completely the wrong perspective. You say it's a huge breach of privacy pertaining to beneficiaries' personal information, I say "what are those bludgers trying to hide?" (you can have that one Paula)
You mean those CYFS kids?
-
Karen Adams, in reply to
*groan* Figures. 0800 line is always making stuff up and offering it as advice.
-
izogi, in reply to
The CEO's just said on live TV that they can't guarantee that other people haven't accessed the same info Keith did.
If the kiosks have been sitting there like that in public for a year or more, it'd be incredible if other people hadn't accessed the same info. It'd just be luck if it hasn't been bulk-copied or otherwise used maliciously.
-
Tom Beard, in reply to
Do you know whether the line is still saying that? It would be good to have a transcript to see whether they're giving unsubstantiated reassurances, or whether they have enough weasel words to get them out of it.