OnPoint by Keith Ng


OnPoint: MSD's Leaky Servers

629 Responses

First ←Older Page 1 9 10 11 12 13 26 Newer→ Last

  • noizyboy, in reply to Sacha,

    a video of the File Open process

    David's comment here...

    http://publicaddress.net/system/cafe/onpoint-msds-leaky-servers/?p=272401#post272401

    ...visually demonstrates the concept.

    wellington • Since Nov 2006 • 171 posts

  • Tom Beard, in reply to Lea Barker,

    development was moved to low cost centres in Pune, India and Tallinn, Estonia. The 7.2 release of SMP will be delivered by these new teams."
    I'm sorry, Estonia? Isn't that almost the beating heart of cybercrime?

    Are you sure it wasn't Elbonia?

    Wellington • Since Nov 2006 • 1040 posts

  • Terry Baucher, in reply to Matthew Poole,

    F**k. Me. That sounds like a serious amount of work. How long would it take to implement? Would the MSD network remain insecure until it was done (if I understand you right, yes)?

    Devonport • Since Nov 2008 • 91 posts

  • Andrew Elphick, in reply to Matthew Poole,

    I agree with you: given the accessibility of their administrators' domain, the chances are that "software" has been installed and a full system reinstall would be a good idea... what's the bet that this isn't done in a timely manner? The penny will drop!
    I am all in favour of open government, but this is taking things a bit too far!

    Greymouth • Since Oct 2012 • 2 posts

  • James George, in reply to Chris Miller,

    You said "all I'd have to do would be to set up a file with junk personal information and the target bank account number." Even a coupla decades ago such a thing wouldn't have been possible to create "bennies". A second employee (usually a supervisor) is meant to cast their eyes over the hard copies of docs before a payment can be created. It isn't to say such stuff never occurred, just that it would require social hacking of the sort most public servants lack the imagination to successfully pull off. Which is why they get caught, of course.
    As for the claim that the whole system needs to be scrapped and started again, that is over the top and no help at all to those people who are genuinely concerned about the reality of this.
    The odds are great that no such penetration occurred. If someone did get a few virtual machine snapshots or even clone the VDs, password changes along with a system audit should prevent any long-term hack.

    Since Sep 2007 • 96 posts

  • Hebe, in reply to Matthew Poole,

    It means that no data on the network can be trusted, unless it checks out when compared to data from backups that were created and stored off the network before the kiosks were installed.

    Jaysus. It's that bad? Would that compromised security reach outside MSD and its files into other areas of government?

    Christchurch • Since May 2011 • 2899 posts
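The check Matthew Poole describes in the line Hebe quotes (trust only what matches a backup made and kept off the network before the kiosks went in) comes down to comparing a hash manifest built from the offline backup against the live tree. The script below is an added example, not code from the thread or from MSD; every file name and content in it is constructed sample data, and the temp directories stand in for the restored backup and the live share.

```python
"""Added example (not from the thread or from MSD): verify a live file tree
against a hash manifest taken from an offline, pre-incident backup.

Only files whose hash matches the manifest are treated as trusted; anything
modified, added or missing is listed for investigation. File names and
contents below are constructed sample data.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every file under root.

    Run this against the restored offline backup and keep the resulting
    manifest off the suspect network; then run it again against the live tree.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    return manifest


def compare(baseline, current):
    """Classify every path that appears in either manifest."""
    result = {"trusted": [], "modified": [], "missing": [], "added": []}
    for rel, digest in sorted(baseline.items()):
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] == digest:
            result["trusted"].append(rel)
        else:
            result["modified"].append(rel)
    result["added"] = sorted(set(current) - set(baseline))
    return result


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample: a backup tree and a live tree that has drifted from it."""
    backup = tempfile.mkdtemp(prefix="backup_")
    live = tempfile.mkdtemp(prefix="live_")
    try:
        # Identical in both copies: this is the only file that checks out.
        for root in (backup, live):
            _write(root, "policy/procedures.docx", b"original procedures")
        # Present in the backup but gone from the live tree.
        _write(backup, "finance/ledger_2011.xlsx", b"ledger")
        # Same path in both, but the live copy's content differs.
        _write(backup, "bin/kiosk_launcher.exe", b"original launcher")
        _write(live, "bin/kiosk_launcher.exe", b"original launcher, altered")
        # Only on the live tree: nothing in the backup vouches for it.
        _write(live, "temp/collect.vbs", b"unknown script")
        return compare(build_manifest(backup), build_manifest(live))
    finally:
        shutil.rmtree(backup, ignore_errors=True)
        shutil.rmtree(live, ignore_errors=True)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The demo builds both manifests in one process only so it runs stand-alone. In a real clean-up the baseline manifest is produced on an isolated host from the backup media and carried to the live side read-only; a manifest computed on the suspect network is worth no more than the files it describes.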

  • cognitive_hazard, in reply to Hebe,

    Yup

    New Zealand • Since Oct 2012 • 13 posts

  • Neil Graham,

    This is a gif showing an ancient hack on Win95 where you could access the system without a password.

    http://i.imgur.com/fqjnK.gif

    The steps you go through to get a File Open dialog are rather convoluted, but once there the principle is the same. From the File Open window you can right click on items to get plenty of options. This mechanism has been known about for years.

    You can pretty much run anything the system lets you do from this view. What systems are supposed to do is not let you do those things. A properly configured system will let you ask for anything and, if you are not allowed, say no! Instead, MSD have a system where they tried to hide all of the possible ways to ask. If you could find another way (which Keith did, using a technique known for years) the system will happily comply.

    Christchurch • Since Nov 2006 • 118 posts

  • nzlemming, in reply to cognitive_hazard,

    Concur. Hadn't thought it through to that point but, in hindsight, should have picked it up when I saw that screenshot of the VM info.

    Fuck.

    Waikanae • Since Nov 2006 • 2937 posts

  • John Holley,

    The bigger worry for me is if someone who knew of the security holes used the information for a range of purposes - the best intrusion is where you use the data for gain and those you copied it from are unaware of your level of knowledge.

    So this can make things like benefit fraud easier (I can check what the investigators are doing), identity theft becomes real easy as I have a whole lot of personal details (send me a credit card please), and if RFPs were accessible this would give me the inside knowledge I could use to get contracts. The list goes on.

    The problem is we will probably never know what information has been taken for illegal purposes and where it has been used.

    Auckland • Since Nov 2006 • 143 posts

  • Hebe, in reply to cognitive_hazard,

    I thought it might be from the story. Then I thought, "Nope. Once a drama queen, always a drama queen. Can't be that bad." Now I'm flabbergasted, as m'dear ma used to say.

    Christchurch • Since May 2011 • 2899 posts

  • Tim Michie,

    In case I missed it upthread, https://www.givealittle.co.nz/cause/msdleaks will I hope be of interest to everyone who appreciates Keith's work...

    Auckward • Since Nov 2006 • 614 posts

  • John Holley,

    Oh, and I forgot. Intrusion testing 101 is all about capturing IDs/passwords which allows you to cascade through the infrastructure via trusted logins. No need to attack the MSD, just head to a kiosk and browse for usercodes/passwords (users never store them in files do they?).

    I have been involved with an organisation where within an hour the external testers had admin passwords due to a compromise of a network admin password which let them gain access to more secure systems.

    Who knows what passwords were stored and available for inspection and use?

    Yes, I may seem paranoid, but we do not live in a benign cybersphere!

    Auckland • Since Nov 2006 • 143 posts
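The sweep John Holley describes, browsing whatever a kiosk can read for stored usernames and passwords, is the same thing a tester automates on day one of an engagement. The script below is an added example, not code from the thread or from MSD: it walks a file tree, opens text-like files, and flags lines matching common stored-credential shapes (key=value pairs, database connection strings, credentials embedded in URLs, `net use` with an inline password). The pattern set, file suffix list, sample paths and file contents are all constructed for the example.

```python
"""Added example (not from the thread or from MSD): sweep a readable file
tree for plaintext credentials, the kind of harvest John Holley describes.

Over-reporting is deliberate; a sweep like this should flag anything that
looks like a stored secret and leave triage to a human. All sample files
and their contents are constructed, not real data.
"""
import os
import re
import shutil
import tempfile

# Patterns that commonly indicate stored credentials (constructed set).
CREDENTIAL_PATTERNS = {
    "key_value": re.compile(
        r"\b(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*(\S+)",
        re.IGNORECASE,
    ),
    "connection_string": re.compile(
        r"\b(?:User ID|uid)=([^;]+);\s*(?:Password|pwd)=([^;]+)", re.IGNORECASE
    ),
    "basic_auth_url": re.compile(
        r"\b[a-z][a-z0-9+.-]*://([^:/\s]+):([^@/\s]+)@", re.IGNORECASE
    ),
    "net_use": re.compile(r"\bnet use\b.*?/user:(\S+)\s+(\S+)", re.IGNORECASE),
}

# Only text-like files are opened; binaries are skipped to keep the sweep fast.
TEXT_SUFFIXES = {".txt", ".ini", ".cfg", ".config", ".xml", ".bat", ".cmd",
                 ".ps1", ".vbs", ".csv", ".log"}


def scan_text(text, source="<memory>"):
    """Return one (source, line_no, pattern_name, matched_text) tuple per hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((source, line_no, name, m.group(0)))
    return findings


def scan_tree(root):
    """Walk root and scan every readable text-like file; paths are reported
    relative to root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in TEXT_SUFFIXES:
                continue
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), source=rel))
            except OSError:
                continue  # unreadable files are skipped, not fatal
    return findings


def files_flagged(findings):
    """Collapse findings to {path: sorted pattern names} for a quick summary."""
    summary = {}
    for source, _line, name, _text in findings:
        summary.setdefault(source, set()).add(name)
    return {k: sorted(v) for k, v in summary.items()}


SAMPLE_FILES = {  # constructed sample share contents, not real data
    "it/notes.txt": "helpdesk login\nusername: svc_kiosk\npassword: Winter2012!\n",
    "apps/web.config": '<add name="db" connectionString="Server=sql01;User ID=sa;Password=Pa55w0rd;" />\n',
    "scripts/backup.bat": "net use Z: \\\\fs01\\backup /user:CORP\\backup H4rdToGuess\n",
    "deploy/push.ps1": "Invoke-WebRequest ftp://deploy:s3cret@ftp.example.test/app.zip\n",
    "docs/readme.txt": "Nothing to see here.\n",
    "photos/team.jpg": "not text, skipped by suffix",
}


def demo():
    """Build the constructed share in a temp dir, sweep it, and return findings."""
    root = tempfile.mkdtemp(prefix="share_")
    try:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for source, line_no, name, text in demo():
        print(f"{source}:{line_no} [{name}] {text}")
```

Point `scan_tree` at a mounted share instead of the temp directory to use it for real. Note that the same sweep works for the defender: run it over your own shares before someone at a public kiosk does, and treat every hit as a credential to rotate, not just a file to delete.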

  • Chris Miller, in reply to James George,

    They're meant to at my job too. (Most of the actual information is stored hard copy; things like name, address, bank details, action history is in the database file.) The point is more that staff are familiar enough with the back end to know how to get around the checks and balances. Not all of them, but enough of them. External fraud has less knowledge of that sort of thing and often has a higher failure rate - we have a fair few cases that went to the courts as attempted fraud, but only a very few that actually GOT money they shouldn't have.

    Otautahi, Aotearoa • Since Nov 2011 • 17 posts

  • Damian Christie,

    Guys guys guys... I think you're looking at this whole thing from completely the wrong perspective. You say it's a huge breach of privacy pertaining to beneficiaries' personal information, I say "what are those bludgers trying to hide?" (you can have that one Paula)

    Wellington • Since Nov 2006 • 1164 posts

  • Sacha, in reply to noizyboy,

    And that graphic has been most appreciated - as has Matthew's great explanation of the implications, which Computerworld NZ just retweeted.

    Ak • Since May 2008 • 19745 posts

  • Karen Adams, in reply to Tom Beard,

    Hey, it's more than what I get from MSD. The thing is that we definitely know what types of things Kevin was able to access, but when someone is obsessed with you and knows you have a file with current details held by MSD I can't help but wonder, with more time and motivation, how can MSD say conclusively that my file hasn't been accessed? They can't.

    Under your bed • Since Oct 2012 • 16 posts

  • Tony Meyer, in reply to Rich of Observationz,

    Rich: in any OS X open file dialog, type / and you get the "Go to the folder" pane, and from there you can paste.

    Easy as /, ⌘A, ⌘V.

    Ahuroa • Since Jul 2012 • 11 posts

  • Tom Beard, in reply to Karen Adams,

    how can MSD say conclusively that my file hasn't been accessed? They can't.

    The CEO's just said on live TV that they can't guarantee that other people haven't accessed the same info Keith did. Not sure what the 0800 message says, but might there be a contradiction?

    Wellington • Since Nov 2006 • 1040 posts

  • Sacha, in reply to John Holley,

    we will probably never know what information has been taken for illegal purposes and where it has been used

    Which should help reinforce how big this is.

    Ak • Since May 2008 • 19745 posts

  • Morgan Nichol, in reply to snikch,

    Whoa, whoa, whoa, slow down there, Poindexter.

    Auckland CBD • Since Nov 2006 • 314 posts

  • Karen Adams, in reply to Damian Christie,

    Guys guys guys... I think you're looking at this whole thing from completely the wrong perspective. You say it's a huge breach of privacy pertaining to beneficiaries' personal information, I say "what are those bludgers trying to hide?" (you can have that one Paula)

    You mean those CYFS kids?

    Under your bed • Since Oct 2012 • 16 posts

  • Karen Adams, in reply to Tom Beard,

    *groan* Figures. 0800 line is always making stuff up and offering it as advice.

    Under your bed • Since Oct 2012 • 16 posts

  • izogi, in reply to Tom Beard,

    The CEO's just said on live TV that they can't guarantee that other people haven't accessed the same info Keith did.

    If the kiosks have been sitting there like that in public for a year or more, it'd be incredible if other people hadn't accessed the same info. It'd just be luck if it hasn't been bulk-copied or otherwise used maliciously.

    Wellington • Since Jan 2007 • 1142 posts

  • Tom Beard, in reply to Karen Adams,

    Do you know whether the line is still saying that? It would be good to have a transcript to see whether they're giving unsubstantiated reassurances, or whether they have enough weasel words to get them out of it.

    Wellington • Since Nov 2006 • 1040 posts

