
worse security than a diebold voting machine

DaveW

Space Monkey
Jul 2, 2001
Karori, Poneke Te Ika-a-Maui
Man, there's gonna be some major fallout from this!
The IT security at the largest government department here in NZ is found to be pretty much non-existent.
Anyone, and I do mean anyone, was able to browse all the sensitive files of the Ministry of Social Development (social welfare).
Story was busted open last night by this freelance journo/blogger.

http://publicaddress.net/onpoint/msds-leaky-servers/

Face meets palm............
This basically means you can grab any file that wasn’t bolted down on the network, while standing in the middle of a WINZ office. And that’s what I did.

So what wasn't bolted down? Let's start with the boring stuff. There were servers connected to their call centre systems, logging calls going in and out. They contained sound recordings which I couldn't open, but which I suspect (for various reasons) are NOT complete recordings of calls. I guess I'll leave that for the Privacy Commissioner.

And then there were file server logs. Normally, they aren’t that exciting. Except that WINZ name their files quite well. For example:

s:\SharedData\wi_wites\Waikato\HAM\Fraud Investigations\[Name of investigator]\[Name of WINZ client] 23 Jun 2011 Case 640026-10.WMA

And so on. There were similar files for other "special" clients as well. There are probably a lot of personally identifying details in there, but I didn't spend much time going through them, because then I got tipped off about the invoice server. It contains what appears to be all of MSD's invoices for this year. Among all the invoices for milk and sausage rolls were invoices for:
For those unfamiliar with the departmental acronyms mentioned:

MSD = Ministry of Social Development http://www.msd.govt.nz/
WINZ = Work and Income New Zealand http://www.workandincome.govt.nz/
CYFS = Child, Youth and Family Services http://www.cyf.govt.nz/
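The quoted post describes network shares that any session on a public kiosk could read. As an added example (not code from the thread, from the linked blog, or from MSD), the following PowerShell script audits that condition on a Windows file server: it assumes the SmbShare module (Windows Server 2012 / PowerShell 4 or later) and a local-administrator session on the server, and it flags every non-administrative share where a broad principal such as Everyone is allowed both on the share ACL and on the folder's NTFS ACL, which is exactly the state in which files are "not bolted down". The principal list and the CSV file name are assumptions to be adjusted for the domain.

```powershell
# Added example, not code from the thread or from the linked blog post.
# Audits SMB shares on the local Windows file server and reports those that
# grant access to broad, well-known principals, at the share level and on the
# NTFS ACL of the shared folder. Assumes the SmbShare module (Windows Server
# 2012 / PowerShell 4 or later) and a local-administrator session on the server.

# Principals treated as "broad" (assumed list; extend with e.g. 'DOMAIN\Domain Users').
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

function Get-BroadShareAccess {
    [CmdletBinding()]
    param(
        [string[]]$Principals = $BroadPrincipals
    )

    # Administrative shares (C$, ADMIN$, IPC$) are marked Special and skipped here;
    # they are governed by local-administrator membership, not by share ACLs.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

        # Gate 1: the share-level ACL, applied by the SMB server before NTFS is consulted.
        $shareGrants = @(Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $Principals -contains $_.AccountName })

        # Gate 2: the NTFS ACL on the shared folder. Effective access is the more
        # restrictive of the two gates, so a share is only "effectively open"
        # when both gates allow the same broad principal class.
        $ntfsGrants = @()
        if (Test-Path -LiteralPath $share.Path) {
            $ntfsGrants = @((Get-Acl -LiteralPath $share.Path).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and $Principals -contains $_.IdentityReference.Value })
        }

        [PSCustomObject]@{
            Share           = $share.Name
            Path            = $share.Path
            ShareBroadGrant = ($shareGrants | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            NtfsBroadGrant  = ($ntfsGrants  | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            # True when a broad principal passes both gates: any account or session that
            # can reach the server over SMB can read (or, with Change/Full, modify) the share.
            EffectivelyOpen = ($shareGrants.Count -gt 0 -and $ntfsGrants.Count -gt 0)
        }
    }
}

# Usage: list every non-administrative share, effectively-open ones first,
# and keep a dated CSV record of the review (file name is an assumption).
$report = Get-BroadShareAccess | Sort-Object -Property EffectivelyOpen -Descending
$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\share-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The share ACL audit is only one half of the picture the post describes. The other half is reachability: a public kiosk that can open an SMB session to the file server at all is already outside its intended boundary, so the audit result should be read together with the network segmentation of the kiosk VLAN, and the check should be repeated from the kiosk's own account and network position, not only from the server console.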
 

DaveW
Oh and it gets worse...... They were told about the problem over a year ago!
http://www.stuff.co.nz/technology/7815266/WINZ-kiosk-security-flaw-exposed

Kay Brereton, from Beneficiary Advocacy Federation, this morning told Radio New Zealand the discovery of a privacy flaw was nothing new.

She said about a year ago, she had tested the kiosks not long after they were introduced and found people could get into the ministry's system.

"I went with my collectors and we had a little play on the kiosks to see what they can do, and one of the guys who was with us found out that you can get back into the MSD system," she said.

"We went far enough to know that there was a problem, and we let Work and Income and MSD national office know that that problem existed. It was important that they did something about it before someone with skills and time found their way back into Work and Income's files."

MSD deputy chief executive Marc Warner last night issued a statement saying: "a security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after".