OnPoint by Keith Ng

Read Post

OnPoint: MSD's Leaky Servers

629 Responses

First ←Older Page 1 12 13 14 15 16 26 Newer→ Last

  • duke, in reply to cognitive_hazard,

    a la TracyMac. Nuke it from orbit, its the only way to be sure

    Add the Beehive to the target list while you're at it

    Since Jul 2009 • 24 posts Report

  • Matthew Poole, in reply to Rich of Observationz,

    *All* mainstream databases (MSSQL, Mysql, Oracle, Postgres) are vulnerable to a user gaining access to the data files or even the backups.

    Of course, hence my comment about someone writing down access credentials and storing them on the network. However, a database that's not backed by MSSQL/Windows doesn't grant instant access if you manage to get yourself domain admin access. It's probably not going to show up in My Network Places, and it's certainly not going to bend over and spread wide just because you're God to the network's Microsoft systems (unless someone's doing something extraordinarily silly with single-sign-on, and I just don't see that kind of cl00 emanating from MSD).

    Auckland • Since Mar 2007 • 4097 posts Report

  • Matthew Poole, in reply to Ross Mason,

    the security on PDFs from the Govt has improved out of sight since we discovered the “blacked out” bits were being made inaccessible by changing the font to white

    ROFL. That's awesome. It's as good as some of the boo-boos from the US where classified material was released to the public with juicy details "redacted" and it turned out the redaction was simply the application of a wide black line as another layer to the document. Remove the line et voila, classified information freely available. They've smartened up since then, and there's a market for software to manage release of sensitive documents to ensure it can't happen, but these things are funny when they do happen.

    Auckland • Since Mar 2007 • 4097 posts Report

  • duke, in reply to rodgerd,

    Thanks for your valuable, not to mention insightful, contribution.

    Cheers; I believe it is moral and correct for such exorbitant excesses to be highlighted. Such greed and profiteering is one of the many ills of the neo-lib quick sand we are floundering in.

    Following the latest interim profit reporting season, Australia's four big banks are on track to deliver combined annual profits of $22 billion

    Bank profits lead world

    Since Jul 2009 • 24 posts Report

  • duke, in reply to duke,

    Good ole RadioNZ just reported that the Kiosk system was previosuly audited by a private contractor (missed the name) whom obviously failed to detect the completely fucked implementation.

    Massive fail on top of massive fail.

    "Ministry chief executive Brendan Boyle says private company **Dimension Data** was hired to test the security of the kiosks prior to Mr Ng's experience and reported no problems." RadNZ

    DiData implicated in massive NZ govt data breach Good, prompt stuff Juha

    Since Jul 2009 • 24 posts Report

  • Matthew Poole, in reply to duke,

    Without breaking a confidence, don't believe everything you read.

    Auckland • Since Mar 2007 • 4097 posts Report

  • James George,

    So far there have been 3 potential sidesteps put out by the paid liars in obs. Bennett's office.
    (i) The 'anonymous defence'. That it was a complex hack requiring highly trained 'scriptkiddies' (yes oxymoron intentional) to get at the meaningless data.
    (ii) The 'ACC smear' That the publication of this is actually payback for a failed blackmail attempt.
    (iii) The 'it was the other fella' or trad def 'duck shoving' ploy. This one most likely came from the MSD secretariat. Blame the consultants, after all that is what they get the big bucks for; carrying the can when you're in more shit than a Mangere duck.

    There will be other worm squirms floated out on the periphery. After a day or so of seeing which one copped the salute after it was 'run up the flag pole', obs Bennett and M.F. Key will select one & reduce it down to a sound bite then spread it out thicker than muck on a cowshed floor.

    Since Sep 2007 • 96 posts Report

  • Joeseph Bloggers,

    4 years ago I was unemployed fresh out of a job and found myself in WINZ. Being bored of having to attend the weekly sessions having nothing better to do tried to see how 'secure' the terminals were. I was able to get an explorer shell and from there text editor and then start a command prompt. Long story short i downloaded 5000 files to my USB pen which contained personal phone numbers email addresses work history's DOB etc. I also copied the entire login script directory and later on reverse engineered the script to get the domain credentials. This means at any computer terminal in NZ WINZ or government department I can logon as admin. Anyway just letting you all know that all the NZ government departments are linked including student job services, NZ justice etc.


    You exposing the weakness finally and there is a very simple reg hack that could have prevented it.

    Bit disappointed that the client files i have now are not worth any glory. heh.

    New Zealand • Since Oct 2012 • 2 posts Report

  • terryg,

    wow. just wow. Keith, $100 sent your way for doing a brilliant job. I'm just waiting to see what a proper journalist like J.R. will do with this!

    Oh, and if I were you, I'd be giving away all of my hardware to friends, in anticipation of having my door kicked in by Blue Power.....

    home • Since Oct 2012 • 1 posts Report

  • Deborah,

    Leading both tv news shows, and TV1 saying something like, "It's easy, once you know how."

    New Lynn • Since Nov 2006 • 1447 posts Report

  • Hebe, in reply to Joeseph Bloggers,

    Proof?

    Christchurch • Since May 2011 • 2899 posts Report

  • Sacha, in reply to Deborah,

    Haven't seen that one yet, but it may have been quoting MSD's CEO who told Radio NZ's Checkpoint show that it was only easy "if you know where to look" - continuing the misdirection.

    Ak • Since May 2008 • 19745 posts Report

  • Hebe,

    Boyle on TV was adamant no spillover into other government departments/ministries, bar a few rats and mice at Cera and somewhere else inconsequential. Would you like a side of damage control with that humble pie Sir?

    Christchurch • Since May 2011 • 2899 posts Report

  • Rich of Observationz, in reply to Matthew Poole,

    You're touching on a complex area here, and one that doesn't have easy answers of the "my fave DB good, M$ bad" type.

    It's possible to configure MSSQL, along with most other databases, to run on a standalone server with password (or often public key) access. But then you've got a vulnerability to anyone who can access a client machine and find the config files.

    Using a trust relationship avoids that, but introduces a vulnerability if a trusted machine (or the authentication server) gets compromised.

    As with most other things, you need multiple layers of protection so that a failure at one level (which will *always* be possible) doesn't open the whole system up. That's what MSD failed to do.

    Back in Wellington • Since Nov 2006 • 5550 posts Report

  • James George, in reply to Joeseph Bloggers,

    Umm 5000 files eh. Ahhh. . . what format did these files use and how much space did 5000 of 'em take up?

    Since Sep 2007 • 96 posts Report

  • Matthew Poole, in reply to Hebe,

    Boyle on TV was adamant no spillover into other government departments/ministries

    I'm not inclined to disbelieve that, TBH. Mr Blogger's anonymous allegations above don't really mesh with how government agencies are structured.

    Auckland • Since Mar 2007 • 4097 posts Report

  • Rich of Observationz,

    Attachment

    It occurs to me that MSD's main failing, however, was in PR. They could have issued a short statement:
    "Well done Mr Ng. Welcome to our honeypot network. You win a pot of honey"

    Back in Wellington • Since Nov 2006 • 5550 posts Report

  • Hebe, in reply to Matthew Poole,

    I'm not inclined to disbelieve that, TBH. Mr Blogger's anonymous allegations above don't really mesh with how government agencies are structured

    I don't know much about government IT so I have no idea. However, Mr Blogger activates my bs sensor. Until I see proof...

    Christchurch • Since May 2011 • 2899 posts Report

  • Russell Clarke, in reply to Matthew Poole,

    Indeed. Having been around numerous government IT departments, linked infrastructure is wishful thinking.

    -36.76, 174.61 or thereab… • Since Nov 2006 • 164 posts Report

  • nzlemming, in reply to Russell Clarke,

    Trying to get the buggers to link up in any way was what the E-government Unit was supposed to do and we were singularly unsuccessful in that.

    Waikanae • Since Nov 2006 • 2937 posts Report

  • Sacha, in reply to nzlemming,

    Open-slather kiosks were your missing ingredient. :)

    Ak • Since May 2008 • 19745 posts Report

  • Russell Clarke, in reply to nzlemming,

    I feel your pain.

    -36.76, 174.61 or thereab… • Since Nov 2006 • 164 posts Report

  • Lucy Bailey, in reply to nzlemming,

    Well, Brendon Boyle was the head of the E-government unit back in 2000 and seems to have done his best to integrate departments when he was CEO of Internal Affairs and was integrating 8 Auckland councils, when he integrated the National Library, Archives etc, when he presided over the creation of LINZ, and in his most recent incarnation as GCIO. He does seem to like IT integration and appears to have been advising the govt on how to do so.

    Since Oct 2012 • 6 posts Report

  • Eric Dutton, in reply to Russell Clarke,

    Their professional liability insurance will cover MSD's costs.
    I have a bridge for sale.

    Whangarei • Since Nov 2006 • 13 posts Report

  • SteveH, in reply to Rich of Observationz,

    You’re touching on a complex area here, and one that doesn’t have easy answers of the “my fave DB good, M$ bad” type.

    I think Matthew’s point here is simply that MSSQL tends to be configured to use Windows authentication so if you have access to a sufficiently privileged Windows account (as seems to be the case here), then you have access to the database. Most other database systems are configured to use with their own authentication schemes.

    It's not that MSSQL is bad in this case, it's just more integrated.

    Since Sep 2009 • 444 posts Report

First ←Older Page 1 12 13 14 15 16 26 Newer→ Last

Post your response…

This topic is closed.