OnPoint: MSD's Leaky Servers
629 Responses
First ←Older Page 1 … 15 16 17 18 19 … 26 Newer→ Last
-
Matthew Poole, in reply to
the security hole has been there for two years
FTFY
-
merc, in reply to
The mind boggles on the potential level of exposure we face.
As with leaky buildings Council failure, the physical cost to the taxpayer will be huge, far outweighing any gains made in kiosks (Air NZ model right?).
We need to know how much Govt. has exposed us to liabilities for non-transparent spending decisions. -
For the curious, I spent 10 minutes being interviewed on Nine to Noon this morning and also contributed to this piece on Morning Report.
It's been interesting becoming an "expert" overnight.
-
Sacha, in reply to
it's why I pimped your excellent comment yesterday, hoping it could spread further
-
Sacha, in reply to
interviewed on Nine to Noon this morning
other listening options.
-
Hacking a network is a crime. Leaving it open, exposing thousands of people's data, is a statistic.
-
Russell Clarke, in reply to
Has that been confirmed? Looks like this could have happened as part of an IT ops balls-up, not helped by poor change management.
-
Matthew Poole, in reply to
Well, your wish was granted :) I also got republished on itnews.com.au. Thanks for the initial push.
-
Matthew Poole, in reply to
It was uncovered a year ago by Dimension Data’s testers. That suggests the vulnerability has been there since day dot.
ETA: That’d be uncovered in April 2011, and the kiosks only went into testing late in 2010.
-
quist, in reply to
Mountain Standard Time has no relevance except that it is a setting in what is known as the "answer file". When setting up a lot of computers "en-masse", let's say an administrator has to set up 100 computers. Instead of going through the set up wizard 100 times, you submit an answer file instead. This file has all the answers to the setup wizard questions. One of the questions you get asked when setting up a computer (installing Windows) is what the timezone is... and another one is what you want your admin password to be. The screenshot shown is once such answer file. It seems they've set the time zone to Mountain Standard Time, for whatever reason, my best guess is that's the default and they didn't bother to change it to the correct time zone!
Altiris is a tool used to deploy multiple computers using this method, so presumably they use it when setting up computers in the organisation. It's a perfectly good tool for the job and made by Symantec.
-
Ian Dalziel, in reply to
Databus que...
‘data-busker’ has a certain ring to it...
a roving True-badour even
or black-and-white minstrel...
(no shades of gray here)
Thesaurus Rex...Their basic duty of care…
I think they think that the 'duty' bit means a tax of some sort...
-
Matthew Poole, in reply to
We need to know how much Govt. has exposed us to liabilities for non-transparent spending decisions.
What makes this one so infuriating is that it could've been mitigated if the recommendations had been followed through. The cost to mitigate this risk properly might've run up to $100-ish-k if scaled out across all WINZ offices with the kiosks (assuming additional costs for physical segregation devices), but that's guesstimating at the very high end and compared to the costs of cleaning up properly after this debacle it's a complete bargain. Doing the damage control properly on this one is millions of dollars.
-
merc, in reply to
I think they think that the 'duty' bit means a tax of some sort...
Heh. I think it is timely we ask the real simple questions of our Govt. as to what they consider adequate duty of care for our most vulnerable, don't you?
-
Sacha, in reply to
nice work. we all do what we can :)
-
merc, in reply to
This Govt. has proven time and time again that they feel no need to assess costs. This time it is so glaringly obvious that no one is thinking about the very people they are supposed to be helping that no review of costs is going to change the simple fact that the problem is demonstrably Govt. unbounded, unchecked and un-checkable.
-
Aside from the obvious privacy implications, the screenshots at the end of your post are rather worrying.
The first one is the file structure for the Hyper-V server. The Hyper-V server is a server that hosts virtual machines running in an organisation. If you know what you’re doing, you could quite conceivably alter the configuration of any one of those virtual machines to do your bidding. You could infact insert your own code into the machine configuration to say, log keystrokes. The possibilities are endless. You’d need some special software tools but it’s not beyond the realms of possibility if you have access to the server.
The screenshot that mentions “Altiris” is known as an “answer file”. An answer file is like a template for setting up multiple computers. If you want to set up 100 computers, instead of setting up the computers one by one, which would take a long time – you use an imaging tool like Symantec Altiris. An imaging tool lets you take a snapshot of a single computer and then deploy it to multiple new computers, a bit like cloning. The answer file is a way to customise the configuration and your screenshot shows the admin passwords and other configurations such as time zone that will be applied to the cloned computers.
These configurations could be altered to anything you wanted. If you had access to the disk images (these are the snapshots of the cloned computers) you could alter them (insert your own software) and then the administrator who subsequently used those disk images would be creating computers containing your software and probably not be aware of it.
Symantec Altiris is an industry standard tool to do this kind of work and someone with knowledge of it could do that easily.
The last screenshot on your article is a batch script file for setting the firewall settings in Windows on individual computers. You could alter this with any firewall rules you liked – including switching the firewall off completely.
-
cognitive_hazard, in reply to
Hence the semi humorous 'nuke it from orbit' comments. The whole network is utterly comprised, it's more than conceivable that MSD are now guests in there own systems...
-
Ah, now I understand why the Govt isn't that concerned about Huawei.
ICT Minister Amy Adams has previously said the government is monitoring the situation, but has no security concerns about any of the equipment suppliers...
-
Hebe, in reply to
I know everyone is pretty much focusing on the privacy breach - and it is huge. But the more I think about this the more I agree with Matthew Poole (good piece on RNZ btw).
The bigger story here is the biggest security breach in NZ Govt history. Quite frankly we should be assuming that any of the information that was accessible from the kiosk (and Keith only took a small fraction), is 100% compromised and quite possibly in the hands of a foreign interests. (the security hole has been there for months)
The cascade effect from WINZ->MSD->the rest of Govt e.g. CERA, DIA etc., is something we need to highlight. It might all come to nothing but, as Matthew said, we have to assume the entire WINZ network (and networks with trust relationships) could have been/was compromised.
The mind boggles on the potential level of exposure we face.Agree totally. The implications are enoromous and until the extent of the exposure is mapped in detail, we will not know. Chances are we will never know. I'm happy to hear Matthew has been elevated to expert!
Leading on from that, I note that the govt's minimising tactics for the potential of this security failure are being given some creedence by the TV and newspapers' distaste that the story was broken by "a blogger" -- I can almost hear the sniffy nose-holding. Don't you guys on PA wash or something? Or is it the Lynx that makes them splutter? I hadn't clearly seen the MSM's distate of the internet media until this story.
If I was the Herald management or the Stufferati (Sinead, are you reading?), I would be drawing up a hefty no strings, hands-off, complete editorial freedom, annual retainer to be allowed to link to Public Address from their news site. That would give the dinosaur media entree to the net for their ad base (while not advertising directly on PA); give PA and its people a decent living; and it would raise the quality of journalism in NZ much more cheaply than having a horde of Senior Specials (if they still exist) on the payroll.
That idea would only work with total editorial silo-ing, of course.
-
I don't understand the reasoning behind physical segregation for security. Could you enlighten me Matthew? It seems to me you take the position that networks must be separate because privilege escalation is easy.
I'm not a sysadmin so I don't get to see the pragmatic view from the field. I am a programmer of the fairly low level variety so I think of things in terms of architecture and theory. My view, from that theoretical position is that you should assume that everything is connected to your network and untrusted connections have low privileges. Any system where you can easily escalate your privileges has effectively no security.
That doesn't appear to be the way systems are set up. Surely it would be easy to make a bridge across any barrier if you can escalate privileges anyway (even with just a couple of usb wifi sticks)
-
Steve Barnes, in reply to
private company Dimension Data was hired to test the security of the kiosks prior to Mr Ng’s experience and reported no problems.
But according to te Herald
The Ministry of Social Development revealed this morning that IT company Dimension Data had tested the self-serve kiosks in April last year and identified issues of concern.
Which I read as “They told us there was a problem but we didn’t do nuffink” Why nothing was done is a matter of total incompetence on the part of the Ministry as a whole, you would not leave decisions as to what to do up to private company, surely?.
eta
Thinking this through a little more I started to wonder whether the people responsible for day to day management of the system were "Let go" as they were considered as surplus to requirements now that the general public can access the system and do all that confusing configuration stuff themselves. -
Hebe, in reply to
The implications get worse then...
-
Rich of Observationz, in reply to
Because of bugs, errors and omissions. Contrary to the cookie-cutter beliefs of many "hey I'm using an open source product so I won't have the problems of those clueless n00bs with M$" , anything can and will have bugs.
So you provide multiple layers of protection. You use a firewall that limits access by "outsiders", you secure access to machines, you run virus scanners and keep upgraded, you partition the system so one set of credentials doesn't unlock everything. Also, you consider appropriate security for the data/function being protected.
That way, the consequences of a fault anywhere in the system are limited.
-
Jeremy Andrew, in reply to
What makes this one so infuriating is that it could've been mitigated if the recommendations had been followed through. The cost to mitigate this risk properly might've run up to $100-ish-k if scaled out across all WINZ offices with the kiosks (assuming additional costs for physical segregation devices), but that's guesstimating at the very high end and compared to the costs of cleaning up properly after this debacle it's a complete bargain. Doing the damage control properly on this one is millions of dollars.
Sure, <$100K would have prevented this from blowing up into a million-dollar cock-up, but you need to look at the big picture. This is just one instance, there are probably dozens of similar problems, not just IT system issues, but general systemic problems (for example, allowing rich foreigners with iffy backgrounds to buy residency). Finding and fixing all of them would be very, very expensive.
So they amortise the risk of one or two of the problems blowing up over the whole portfolio and bingo, its waaay cheaper to just sweep 'em under the carpet and fix the few that turn up in the papers. -
Jeremy Andrew, in reply to
Cynical? Me?
Post your response…
This topic is closed.