I'm struggling to see the logic of that story. So there is a guy who lives OS, is a hacker and is employed by DD, who set up the kiosks.
So the inference is a hacker broke into the kiosks?
OH TVNZ did you just flush your moral compass down the toilet!
If that story is the result of a tip from the ministry side, things are getting very shabby indeed.
Ugh, beginning to feel all conspiracy theorist or something, but again I'm wondering if a big part of the story is where it came from, just like who leaked Ira's name.
So there is a guy who lives OS, is a hacker and is employed by DD, who set up the kiosks.
I thought DD just did a security audit of the kiosks, and they'd been set up internally. That's stretching my memory of things through this and other comment threads and articles a bit, though.
Also, wouldn't you want to know that the people you are hiring to assess your security are capable of breaking stuff like what you're trying to deploy?
Yeah, there were a lot of holes in that story. And I'm not a journalist, so I'm not looking to do an article or anything on it, so I'm not researching all the facts. That TVNZ news story, tho? Shit!
Breathless reporter says "We have heard of this guy who is in a roundabout way connected, may or may not be involved, and he has some YouTube videos you can look at. But WOW, those MSD kiosks... any 'hacker' could do it!"
Also, wouldn’t you want to know that the people you are hiring to assess your security are capable of breaking stuff like what you’re trying to deploy?
That would be why security companies spend rather a lot of money to send their employees to hacking conferences, yes. That article is the equivalent of "IRD employees know how tax returns can be falsified".
wouldn’t you want to know that the people you are hiring to assess your security are capable of breaking stuff like what you’re trying to deploy?
I know a couple of the security testers who work for DiData, and they enjoy breaking into computers. They're some of the luckiest people I know, because they get to do something that's a hobby and get paid for it. They're not so thrilled on the paperwork side of things, but when you're getting paid six figures a year to break stuff you have to take the shit with the smooth. And because they enjoy it, they're strongly inclined to keep figuring out new ways to do things. Some of them even have esoteric hobbies, like Paul Craig's fascination with cracking kiosks, and those hobbies have direct application to their testing.
The vulnerability may have existed for 2 years, but that doesn't mean that people have been taking advantage of it since then. Or ever.
Not taking drastic action to assure security would be adopting a very hopeful attitude towards reality. Examining 700 kiosks (and that's assuming that none have been replaced) for confirmation that nothing untoward has happened is a huge job, and they only have to find one kiosk that's been used to leap all the way into the network to shatter that hopeful attitude. Once someone's got in, the kiosk won't necessarily have the evidence of what's been done, so the examination will have to continue on the other kiosks as well as going deeper into the network to look for what else has been done.
The sound of an organisation trying to save both its arse and its face at once.
And ending up with people finding the two indistinguishable?
Do you work on the MSD kiosk team, Russell, or are you hopelessly naive? The fact there has been a gaping security hole for two years leaves no other option than to assume the whole system is totally compromised. The only way to ensure MSD has a secure system is to rebuild it from scratch. New Active Directory, new domain, new VMs, new PC builds, lock stock the f*&king lot.
The MSD leaks, the KDC GCSB saga, the Banks sagas, the education debacles all have an overarching factor: unfathomable incompetence – should Bennett or Key have been Ministers in the Clark government they would now be back benchers.
That Bennett still retains the confidence of the Prime Minister is a reflection on a Prime Minister who should really sack himself, if only he could remember what it is he is doing in the job in the first place.
On talkback radio one of the default positions offered is that "they" are very hard working and that the job is thankless and frustrating – that is the lot of work for most working people.
The lack of account is extremely wearisome as is the way the issues are getting skewed and the "incompetence" keeps repeating on itself.
They are really really really bad at what they do.
Probably throw out all the hardware as well, in case the BIOS or firmware has been affected. And tear out all the network cabling, and probably the power as well.
In fact, the very fabric of the buildings is probably tainted, they need to rip out the carpets, lino and wallpaper and burn them. Probably each and every WINZ office really needs to be razed and the ground sown with salt.
Wait, am I channelling Paula Bennett?
Please don't bring her here.
Replicant mitosis spawn of that pinnacle of Granny Herald journalism Shelley Bridgeman?
Probably each and every WINZ office really needs to be razed and the ground sown with salt.
Even nuking from space doesn't work - the damn taint will cling to the underside as you lift off. You have to actually become the taint, and then kill yourself.
ETA: Oops, correct quote put in.
Replicant mitosis spawn of that pinnacle of Granny Herald journalism Shelley Bridgeman?
Now that you mention it, it's probably only the bogan fashion sense that prevents her from being the toast of the media. Give her a dishwasher blonde makeover and she'd be Bridgeman's clone.
Breathless reporter says " We have heard of this guy who is in a roundabout way connected
Google. Not so good for context - or technical knowledge.
Network security is not intuitive, which is why what Matthew and others have posted here is so useful. But most of the public will take whatever we're fed, and this is highly spun like most other political disasters.
Check the difference in a story written by someone who knows his stuff - from beyond our shores, even.
The data breach, already a scandal in NZ and attracting global attention, saw a catalogue of sensitive information about welfare clients publicly accessible via up to 700 self-service kiosks located in Work and Income (WINZ) offices across the nation.
The Australian equivalent would be walking into a Centrelink office and casually looking up the names of children in state care and what medications they are prescribed, or who was under investigation for welfare fraud.
Not only accessible, but transferable on to a USB disk for anyone to remove.
An equivalent of the Science Media Centre might be useful to raise journalists' understanding about IT matters - though, like information security, that also requires ongoing governance buy-in by their editors, publishers and industry.
Was thinking of replacing all the hardware as well, but giving Dell all that money makes me unhappy. As you say, the place could be awash with rootkits, so best to send it all off to Remarkit (assuming MSD are competent enough to get rid of all the data first...).
the place could be awash with rootkits
Classic example where translation would help journos and others. :)
LOL, point taken http://en.wikipedia.org/wiki/Rootkit
And because they enjoy it, they're strongly inclined to keep figuring out new ways to do things. Some of them even have esoteric hobbies, like Paul Craig's fascination with cracking kiosks, and those hobbies have direct application to their testing.
From what I can tell, the basic qualification for being an IT security expert is being the kind of person whose default first question about any new thing is "how would I break that?". The difference between them and hackers is basically the self-control to not follow through unless they've been asked to.
You haven't met any IT security people? Their default first question about any new thing is "no, you can't".
The difference between them and hackers is basically the self-control to not follow through unless they’ve been asked to.
Not even that much. The phrase "grey hat" exists for a reason: they skirt the boundaries of being a black hat while being ostensibly a white hat. I know more grey-hat testers than I do white-hat ones, TBH, though they're largely not malicious in their law-breaking. It's more that to really test their skills or prove their theories they cannot just rely on clients presenting the appropriate opportunities, so they have to edge across into the illegal realms.
the kind of person whose default first question about any new thing is "how would I break that?"
that's a software tester. :)
the kind of person whose default first question about any new thing is “how would I break that?”
that’s a software tester. :)
Or a small child who has just been given a hammer. I'm seeing some similarities :P
That accurately describes the impish gleam I've seen in some.