OnPoint by Keith Ng

Read Post

OnPoint: MSD's Leaky Servers

629 Responses

First ←Older Page 1 11 12 13 14 15 26 Newer→ Last

  • duke, in reply to rodgerd,

    Of course, this requires you have enough “spare” staff that you have people able to take 2 weeks of leave in one block and do one another’s jobs. If you’ve got hung up over “efficiency” and fired all the “dead wood” to save a bit of money, well…

    Thank goodness the banking sector is making sufficient profits to support these policies. Hope your pay packet is tasty too.

    Since Jul 2009 • 24 posts

  • Russell Clarke, in reply to Matthew Poole,

    This article suggests they're running Curam's system for case management. http://www.msd.govt.nz/about-msd-and-our-work/newsroom/media-releases/2007/pr-2007-02-14.html

    So it's Oracle or DB2 unless they have switched in the past few years.

    -36.76, 174.61 or thereab… • Since Nov 2006 • 164 posts

  • Matthew Poole, in reply to Russell Clarke,

    So it’s Oracle or DB2 unless they have switched in the past few years.

    Curam Software is owned by IBM, which makes it likely that it'll be DB2. It almost certainly won't be MSSQL. So we're back to hoping that database credentials weren't stored in the clear on the network, which does move the odds of that system being compromised back towards betting territory.

    Auckland • Since Mar 2007 • 4097 posts

  • Matthew Poole, in reply to duke,

    Let’s not get carried away. I’ll also bet the core CRM app is not directly affected by this issue (we hope).

    No, it's probably not, but depending how the back-end is accessed...

    Though arguably if Admin passwords were compromised a skilled hacker could go nuts; he’d still need physical access to the network and a machine and a fair bit of quite private nerd time.

    OK, I'll put it like this. I've seen a demonstration of a security tester going from accessing a Citrix application to having full domain administrator rights within 15 minutes. They started off with no credentials for the network that hosted the app they were testing (as part of the test they were just given a networked machine and a local login). I will never, ever rule out someone levering physical access to a networked machine all the way into domain administrator access. And if the firewall was truly a VM, and an attacker could break in, they could take all the time in the world safe in the knowledge they could hide the evidence by changing what was logged.

    Auckland • Since Mar 2007 • 4097 posts

  • Matthew Poole,

    It just gets better. The Herald is reporting:

    The kiosks were introduced in late 2010 and trialled for about a year before a network of 700 was introduced around New Zealand.

    That opens the window of compromise to two years, assuming this flawed implementation was present in the original.

    ETA: And there are 700 possible points of compromise.

    Auckland • Since Mar 2007 • 4097 posts

  • cognitive_hazard,

    a la TracyMac. Nuke it from orbit, it's the only way to be sure

    New Zealand • Since Oct 2012 • 13 posts

  • Sacha,

    Bennett continues the government line that getting into the system was really hard (my highlighting, but it's what you're supposed to read):

    “I’ve demanded answers as to how a journalist managed to gain access to files and I am appalled that it was possible, even with a level of skill.”

    Experts have been working since last night on computer kiosks to find the problem, which they have now done but the kiosks will not reopen until the system can be guaranteed as secure.

    Ak • Since May 2008 • 19745 posts

  • Russell Clarke, in reply to Matthew Poole,

    Given the levels of incompetence demonstrated thus far, what makes you think there's a password? ;)

    I'd also wonder if anyone at MSD had the nous to disable the default account/password, which is easily google-able.

    The problems here are less about technical weakness and more about good old-fashioned human incompetence. The most secure tech in the world is tits on a bull if it's set up and run by muppets.

    -36.76, 174.61 or thereab… • Since Nov 2006 • 164 posts

  • Glenn Pearce, in reply to Sacha,

    and ups the ante further

    Mr Boyle said the ministry was contacted last week by a man who said their systems weren't robust and he would cooperate if there was a reward.

    "While he wouldn't provide any details we asked KPMG to begin penetration testing at this point and this testing has been accelerated and intensified. He did indicate he was working with a journalist," said Mr Boyle.

    Social Development Minister Paula Bennett said there was no evidence the man who contacted the ministry last week was linked to Keith Ng, the blogger and journalist who exposed the breach.

    Auckland • Since Feb 2007 • 504 posts

  • Hebe, in reply to Glenn Pearce,

    Mr Boyle said the ministry was contacted last week by a man who said their systems weren't robust and he would cooperate if there was a reward.

    Did this really happen, or is Mr Boyle relying on the MSD computer phone logs for his evidence?

    Or is it a white knight smear appearing?

    Christchurch • Since May 2011 • 2899 posts

  • Russell Clarke, in reply to Glenn Pearce,

    "While he wouldn't provide any details we asked KPMG to begin penetration testing at this point and this testing has been accelerated and intensified.

    ...KPMG being the firm that failed to unearth this vulnerability before. Fills me with confidence that they'll do a great job.

    KPMG were regularly engaged to conduct tests on the safety of MSD's systems and to attack them in a bid to highlight weak areas.

    They had not found any issues.

    -36.76, 174.61 or thereab… • Since Nov 2006 • 164 posts

  • David Cormack,

    Or is it a white knight smear appearing?

    That's my fear, that they will say "oh there's no evidence of a link to Keith" but we'll all think it anyway.

    Let's not forget the last person who publicly took on Paula Bennett...

    Suburbia, Wellington • Since Nov 2006 • 218 posts

  • rodgerd, in reply to duke,

    Thanks for your valuable, not to mention insightful, contribution.

    Wellington • Since Nov 2006 • 512 posts

  • Hebe, in reply to David Cormack,

    Or is it a white knight smear appearing?

    That's my fear, that they will say "oh there's no evidence of a link to Keith" but we'll all think it anyway.

    It is the saying. The shit machine is cranking into operation, and if this country wants any form of journalistic freedom (read a democracy) everyone who can should get behind Keith Ng and Russell Brown (as the publisher) now.

    Christchurch • Since May 2011 • 2899 posts

  • Hebe,

    On the bright side, this saga proves that National has taken open government to a new level of transparency.

    Christchurch • Since May 2011 • 2899 posts

  • Rich of Observationz, in reply to Matthew Poole,

    *All* mainstream databases (MSSQL, Mysql, Oracle, Postgres) are vulnerable to a user gaining access to the data files or even the backups.

    You can mitigate against this by encrypting at file system or column level, but that is unusual.

    Back in Wellington • Since Nov 2006 • 5550 posts
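    The column-level mitigation Rich mentions, as an added worked example (not code from this thread, nor from MSD or Curam): a SQLite file with one cleartext column and one column encrypted with AES-256-GCM, then a byte-level search of the raw data file, which is exactly what someone holding the data file or a backup would do. Table name, column names and sample rows are constructed for the demo, and the third-party `cryptography` package is assumed to be installed.

```python
# Added example: column-level encryption of one sensitive field in SQLite,
# and what an attacker who copies the raw .db file (or a backup) can and
# cannot read from it.  Not code from the thread or from MSD/Curam; uses the
# third-party `cryptography` package for AES-256-GCM.  Table, columns and
# rows below are constructed sample data.
import os
import sqlite3
import tempfile

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for GCM


def encrypt_field(key: bytes, plaintext: str, row_id: int) -> bytes:
    """Encrypt one column value.  The row id is bound in as associated data,
    so a ciphertext copied into another row fails authentication."""
    nonce = os.urandom(NONCE_LEN)  # fresh random nonce per value; never reuse with the same key
    ct = AESGCM(key).encrypt(nonce, plaintext.encode("utf-8"), str(row_id).encode())
    return nonce + ct  # nonce is not secret; store it alongside the ciphertext


def decrypt_field(key: bytes, blob: bytes, row_id: int) -> str:
    """Reverse of encrypt_field; raises InvalidTag on any tampering or row swap."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ct, str(row_id).encode()).decode("utf-8")


def build_db(path: str, key: bytes, rows) -> None:
    """Write a case table: `name` stored in the clear, `notes` encrypted."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE case_file (id INTEGER PRIMARY KEY, name TEXT, notes BLOB)")
    for row_id, name, notes in rows:
        conn.execute("INSERT INTO case_file VALUES (?, ?, ?)",
                     (row_id, name, encrypt_field(key, notes, row_id)))
    conn.commit()
    conn.close()


def raw_file_contains(path: str, needle: bytes) -> bool:
    """The attacker's view: no database engine, just the bytes on disk."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo() -> dict:
    # Key would come from a KMS/HSM or separate secrets store in practice,
    # never from a config file sitting next to the database.
    key = AESGCM.generate_key(bit_length=256)
    rows = [  # constructed sample data
        (1, "Alice Example", "constructed-sensitive-note-A"),
        (2, "Bob Example", "constructed-sensitive-note-B"),
    ]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cases.db")
        build_db(path, key, rows)

        conn = sqlite3.connect(path)
        blob1, blob2 = [r[0] for r in conn.execute("SELECT notes FROM case_file ORDER BY id")]
        conn.close()

        # Present row 2's ciphertext as if it belonged to row 1: the AAD check fails.
        try:
            decrypt_field(key, blob2, 1)
            swap_rejected = False
        except InvalidTag:
            swap_rejected = True

        return {
            "name_in_raw_file": raw_file_contains(path, b"Alice Example"),
            "notes_in_raw_file": raw_file_contains(path, b"constructed-sensitive-note-A"),
            "notes_decrypt_with_key": decrypt_field(key, blob1, 1),
            "swapped_ciphertext_rejected": swap_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

    The cleartext column turns up in the raw file with a plain byte search; the encrypted one does not, and the key is all that stands between an attacker with the file and the notes. That is the caveat worth keeping in mind alongside Matthew Poole's point about credentials: if the key (or the database password) is sitting on the same network share, column encryption buys nothing. Whole-filesystem encryption protects only against the disk or backup media walking out the door, not against a logged-in user reading the mounted files.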

  • Islander, in reply to Hebe,

    Would you repost the donation site (I know it didn't come from you Hebe!!) Anyone?
    I decided I could do without my miserable pensioner’s bottle of whisky this week- which does show I esteem Keith’s work-
    (have temporary eye-condition which means trawling through pages & pages isn't really an option…)

    Big O, Mahitahi, Te Wahi … • Since Feb 2007 • 5643 posts

  • Hebe,

    It's a serious scandal; Key whips out the Brash/Muldoon crisis handbook. Guess what page he's on: "playing the race card":
    http://www.stuff.co.nz/business/industries/7818021/No-share-plus-scheme-in-asset-sales
    But this MSD scandal will burn long and hot.

    Christchurch • Since May 2011 • 2899 posts

  • Russell Clarke, in reply to Islander,

    -36.76, 174.61 or thereab… • Since Nov 2006 • 164 posts

  • DexterX,

    There should be no excuse - The Minister and the executive team need to be gone.

    Auckland • Since Nov 2006 • 1224 posts

  • Islander,

    Thanks Russell! Miserable pensioner's bottle-of-whisky duly donated-

    Big O, Mahitahi, Te Wahi … • Since Feb 2007 • 5643 posts

  • Terry Baucher,

    It’s a serious scandal; Key whips out the Brash/Muldoon crisis handbook.

    Well at least he won't have to answer any questions about Dotcom. Today.

    I'd say tomorrow's Question Time could get a wee bit testy.

    Devonport • Since Nov 2008 • 91 posts

  • Jonathan King, in reply to Matthew Poole,

    And there are 700 possible points of compromise.

    Then why are they confidently telling (distressed and anxious) people on the phone that their privacy hasn't been breached? They simply have no way of knowing, right?

    Since Sep 2010 • 185 posts

  • Russell Clarke, in reply to Jonathan King,

    Correct.

    Unless they have logged every system access from every entry point (which is deemed unnecessary in most IT environments, so I highly doubt they do it), they can't categorically know.

    So they are saying this because they are:
    a) Bullshitting us
    b) Misinformed
    c) All of the above

    -36.76, 174.61 or thereab… • Since Nov 2006 • 164 posts

  • Ross Mason,

    "Aw Jeez Boss, couldn't we just share our password and access to the kiosk so that when those local jobs come in we can put them onto the kiosk real quick and then get on with that other work we have to do since the last layoffs?"

    You know, like how much easier it is to leave the car door unlocked in the garage so that when we want to use it it is no hassles (guilty). Those remote door openers are good too (guilty). And 1,2,3,4 on my eftpos card is easy to remember (NOT guilty!). Hide my hand while punching in the number (Most certainly!)? What are ya?

    I have to say though, the security on PDFs from the Govt has improved out of sight since we discovered the "blacked out" bits were being made inaccessible by changing the font to white......

    Well done Keith. Bet you the heart was beating more each time you went in just in case the leak had been found and you might get busted. Anyone wanna vote him for Wellingtonian of the Year?

    Upper Hutt • Since Jun 2007 • 1590 posts
