OnPoint: MSD's Leaky Servers
629 Responses
-
duke, in reply to
a la TracyMac. Nuke it from orbit, it's the only way to be sure
Add the Beehive to the target list while you're at it
-
Matthew Poole, in reply to
*All* mainstream databases (MSSQL, Mysql, Oracle, Postgres) are vulnerable to a user gaining access to the data files or even the backups.
Of course, hence my comment about someone writing down access credentials and storing them on the network. However, a database that's not backed by MSSQL/Windows doesn't grant instant access if you manage to get yourself domain admin access. It's probably not going to show up in My Network Places, and it's certainly not going to bend over and spread wide just because you're God to the network's Microsoft systems (unless someone's doing something extraordinarily silly with single-sign-on, and I just don't see that kind of cl00 emanating from MSD).
-
Matthew Poole, in reply to
the security on PDFs from the Govt has improved out of sight since we discovered the “blacked out” bits were being made inaccessible by changing the font to white
ROFL. That's awesome. It's as good as some of the boo-boos from the US where classified material was released to the public with juicy details "redacted" and it turned out the redaction was simply the application of a wide black line as another layer to the document. Remove the line et voila, classified information freely available. They've smartened up since then, and there's a market for software to manage release of sensitive documents to ensure it can't happen, but these things are funny when they do happen.
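A defender-side check for the two redaction failures described in this post (text recoloured to match the page background, and text left in place under an overlay shape), as an added example in Python. It is not code from the thread or from any government document tool, and it assumes the text spans and drawn rectangles have already been extracted from the PDF into the simple dataclasses below; the sample page content is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TextSpan:
    text: str
    fill_rgb: tuple   # fill colour of the glyphs, components in 0.0..1.0
    bbox: tuple       # (x0, y0, x1, y1) in page units


@dataclass(frozen=True)
class DrawnRect:
    fill_rgb: tuple
    bbox: tuple


WHITE = (1.0, 1.0, 1.0)


def _area(box):
    x0, y0, x1, y1 = box
    return max(0.0, x1 - x0) * max(0.0, y1 - y0)


def covered_fraction(span_bbox, rect_bbox):
    """Fraction of the span's box that lies inside the rectangle (0.0..1.0)."""
    ax0, ay0, ax1, ay1 = span_bbox
    bx0, by0, bx1, by1 = rect_bbox
    inter = (max(ax0, bx0), max(ay0, by0), min(ax1, bx1), min(ay1, by1))
    span_area = _area(span_bbox)
    return _area(inter) / span_area if span_area else 0.0


def find_fake_redactions(spans, rects, background=WHITE, min_cover=0.9):
    """Return (text, reason) for every span that is still in the file even
    though it would be invisible when the page is rendered."""
    findings = []
    for span in spans:
        # Failure 1: the "blacked out" text was simply set to the background colour.
        if span.fill_rgb == background:
            findings.append((span.text, "text drawn in the page background colour"))
            continue
        # Failure 2: an opaque shape was drawn over the text, but the text remains.
        for rect in rects:
            if covered_fraction(span.bbox, rect.bbox) >= min_cover:
                findings.append((span.text, "text still present under a drawn rectangle"))
                break
    return findings


# Constructed page content (hypothetical): a normal label, a value "redacted"
# by switching its font colour to white, and a line "redacted" by a black box.
SAMPLE_SPANS = [
    TextSpan("Name of applicant:", (0.0, 0.0, 0.0), (50, 700, 180, 712)),
    TextSpan("J. Citizen", (1.0, 1.0, 1.0), (190, 700, 260, 712)),
    TextSpan("Case number 12345", (0.0, 0.0, 0.0), (50, 680, 200, 692)),
]
SAMPLE_RECTS = [DrawnRect((0.0, 0.0, 0.0), (48, 678, 202, 694))]


def check_sample():
    return find_fake_redactions(SAMPLE_SPANS, SAMPLE_RECTS)


if __name__ == "__main__":
    for text, reason in check_sample():
        print(f"{reason}: {text!r}")
```

The only redaction that survives this check is one that removes the text object from the file; a real pre-release tool would also have to look at image layers, annotations and document metadata, which this example does not cover.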
-
duke, in reply to
Thanks for your valuable, not to mention insightful, contribution.
Cheers; I believe it is moral and correct for such exorbitant excesses to be highlighted. Such greed and profiteering is one of the many ills of the neo-lib quicksand we are floundering in.
Following the latest interim profit reporting season, Australia's four big banks are on track to deliver combined annual profits of $22 billion
-
duke, in reply to
Good ole RadioNZ just reported that the Kiosk system was previously audited by a private contractor (missed the name) who obviously failed to detect the completely fucked implementation.
Massive fail on top of massive fail.
"Ministry chief executive Brendan Boyle says private company **Dimension Data** was hired to test the security of the kiosks prior to Mr Ng's experience and reported no problems." RadNZ
DiData implicated in massive NZ govt data breach
Good, prompt stuff Juha
-
Matthew Poole, in reply to
Without breaking a confidence, don't believe everything you read.
-
So far there have been 3 potential sidesteps put out by the paid liars in obs. Bennett's office.
(i) The 'anonymous defence'. That it was a complex hack requiring highly trained 'scriptkiddies' (yes oxymoron intentional) to get at the meaningless data.
(ii) The 'ACC smear' That the publication of this is actually payback for a failed blackmail attempt.
(iii) The 'it was the other fella' or trad def 'duck shoving' ploy. This one most likely came from the MSD secretariat. Blame the consultants, after all that is what they get the big bucks for; carrying the can when you're in more shit than a Mangere duck. There will be other worm squirms floated out on the periphery. After a day or so of seeing which one copped the salute after it was 'run up the flag pole', obs Bennett and M.F. Key will select one & reduce it down to a sound bite then spread it out thicker than muck on a cowshed floor.
-
4 years ago I was unemployed fresh out of a job and found myself in WINZ. Being bored of having to attend the weekly sessions and having nothing better to do, I tried to see how 'secure' the terminals were. I was able to get an explorer shell and from there a text editor and then start a command prompt. Long story short, I downloaded 5000 files to my USB pen which contained personal phone numbers, email addresses, work histories, DOB etc. I also copied the entire login script directory and later on reverse engineered the script to get the domain credentials. This means at any computer terminal in NZ WINZ or government department I can log on as admin. Anyway just letting you all know that all the NZ government departments are linked including student job services, NZ justice etc.
You exposed the weakness finally and there is a very simple reg hack that could have prevented it. Bit disappointed that the client files I have now are not worth any glory. heh.
-
wow. just wow. Keith, $100 sent your way for doing a brilliant job. I'm just waiting to see what a proper journalist like J.R. will do with this!
Oh, and if I were you, I'd be giving away all of my hardware to friends, in anticipation of having my door kicked in by Blue Power.....
-
Leading both tv news shows, and TV1 saying something like, "It's easy, once you know how."
-
Hebe, in reply to
Proof?
-
Sacha, in reply to
Haven't seen that one yet, but it may have been quoting MSD's CEO who told Radio NZ's Checkpoint show that it was only easy "if you know where to look" - continuing the misdirection.
-
Hebe,
Boyle on TV was adamant no spillover into other government departments/ministries, bar a few rats and mice at Cera and somewhere else inconsequential. Would you like a side of damage control with that humble pie Sir?
-
Rich of Observationz, in reply to
You're touching on a complex area here, and one that doesn't have easy answers of the "my fave DB good, M$ bad" type.
It's possible to configure MSSQL, along with most other databases, to run on a standalone server with password (or often public key) access. But then you've got a vulnerability to anyone who can access a client machine and find the config files.
Using a trust relationship avoids that, but introduces a vulnerability if a trusted machine (or the authentication server) gets compromised.
As with most other things, you need multiple layers of protection so that a failure at one level (which will *always* be possible) doesn't open the whole system up. That's what MSD failed to do.
-
James George, in reply to
Umm 5000 files eh. Ahhh. . . what format did these files use and how much space did 5000 of 'em take up?
-
Matthew Poole, in reply to
Boyle on TV was adamant no spillover into other government departments/ministries
I'm not inclined to disbelieve that, TBH. Mr Blogger's anonymous allegations above don't really mesh with how government agencies are structured.
-
It occurs to me that MSD's main failing, however, was in PR. They could have issued a short statement:
"Well done Mr Ng. Welcome to our honeypot network. You win a pot of honey"
-
Hebe, in reply to
I'm not inclined to disbelieve that, TBH. Mr Blogger's anonymous allegations above don't really mesh with how government agencies are structured
I don't know much about government IT so I have no idea. However, Mr Blogger activates my bs sensor. Until I see proof...
-
Russell Clarke, in reply to
Indeed. Having been around numerous government IT departments, linked infrastructure is wishful thinking.
-
nzlemming, in reply to
Trying to get the buggers to link up in any way was what the E-government Unit was supposed to do and we were singularly unsuccessful in that.
-
Sacha, in reply to
Open-slather kiosks were your missing ingredient. :)
-
Russell Clarke, in reply to
I feel your pain.
-
Lucy Bailey, in reply to
Well, Brendan Boyle was the head of the E-government unit back in 2000 and seems to have done his best to integrate departments when he was CEO of Internal Affairs and was integrating 8 Auckland councils, when he integrated the National Library, Archives etc, when he presided over the creation of LINZ, and in his most recent incarnation as GCIO. He does seem to like IT integration and appears to have been advising the govt on how to do so.
-
Eric Dutton, in reply to
Their professional liability insurance will cover MSD's costs.
I have a bridge for sale.
-
SteveH, in reply to
You’re touching on a complex area here, and one that doesn’t have easy answers of the “my fave DB good, M$ bad” type.
I think Matthew's point here is simply that MSSQL tends to be configured to use Windows authentication so if you have access to a sufficiently privileged Windows account (as seems to be the case here), then you have access to the database. Most other database systems are configured to use their own authentication schemes.
It's not that MSSQL is bad in this case, it's just more integrated.
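The two failure points contrasted in Rich's post (a password readable from a client-side config file versus a trust relationship that follows a compromised Windows account) and in SteveH's (MSSQL on Windows authentication versus databases with their own credentials) can be surfaced with a small audit of connection strings. The following is an added example in Python, not code from the thread or from MSD; the configuration text is constructed, and the classification rules and the "mode" labels are this example's own assumptions about what to look for.

```python
import re

# Constructed sample of a client-side config file (hypothetical), mixing the
# styles the posts contrast: Windows-integrated auth, a password embedded in
# the file, and a connection that relies on a client certificate instead.
SAMPLE_CONFIG = """
[legacy-reports]
conn = Server=db01;Database=Clients;Integrated Security=SSPI

[nightly-batch]
conn = Server=db01;Database=Clients;User Id=batch;Password=Winter2012!

[pg-archive]
dsn = postgresql://archive:s3cret@pg01:5432/archive

[pg-keyauth]
dsn = postgresql://archive@pg01:5432/archive?sslmode=verify-full&sslcert=client.crt
"""

# Key=value style password (SQL Server / ODBC style connection strings).
_PASSWORD_KEY = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;\s]+)")
# Windows-integrated authentication markers.
_INTEGRATED = re.compile(
    r"(?i)\b(integrated security\s*=\s*(sspi|true|yes)|trusted_connection\s*=\s*(yes|true))"
)
# user:password@host in a URI-style DSN.
_URI_PASSWORD = re.compile(r"://[^/\s:@]+:([^@\s]+)@")
# Anything that looks like it names a database server at all.
_LOOKS_LIKE_DSN = re.compile(r"(?i)\b(server|data source|host)\s*=|://")

NOTES = {
    "windows-integrated": "no secret in the file, but any Windows account with rights on the "
                          "server reaches the data: a compromised client or domain is the weak point",
    "embedded-credential": "password readable by anyone who can read this file",
    "external-credential": "no password in the file; relies on a key, certificate, prompt or vault",
}


def classify_connection(line):
    """Return the auth mode of one connection string, or None if the line is not one."""
    if _INTEGRATED.search(line):
        return "windows-integrated"
    if _PASSWORD_KEY.search(line) or _URI_PASSWORD.search(line):
        return "embedded-credential"
    if _LOOKS_LIKE_DSN.search(line):
        return "external-credential"
    return None


def redact(line):
    """Mask any password so the audit output itself does not leak it."""
    line = _PASSWORD_KEY.sub(lambda m: f"{m.group(1)}=***", line)
    return _URI_PASSWORD.sub(lambda m: m.group(0).replace(m.group(1), "***"), line)


def scan_config(text):
    """Return (line number, mode, redacted line) for every connection string found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        mode = classify_connection(line)
        if mode:
            findings.append((lineno, mode, redact(line.strip())))
    return findings


def modes_present(text):
    """Distinct auth modes in a config, in order of first appearance."""
    seen = []
    for _, mode, _ in scan_config(text):
        if mode not in seen:
            seen.append(mode)
    return seen


if __name__ == "__main__":
    for lineno, mode, line in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {mode}: {line}\n    {NOTES[mode]}")
```

Neither mode is safe on its own, which is the layered-protection point: a file full of `embedded-credential` findings says the database falls with any client that can read the file, while `windows-integrated` says it falls with the domain account, so the report is a prompt to check what else (network segmentation, least-privilege database roles, separate service accounts) stands between a kiosk user and the data.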