The Dim-Post

October 16, 2012

And another thought

Filed under: general news — danylmc @ 10:42 am

Media reports have described Ira Bailey as the first person to discover the #wtfmsd exploit. That might be correct – but the department’s real problem is that they don’t know who else has discovered this. Maybe no one. Or, maybe members of a criminal organisation found out about this and have used the exploit to commit a massive benefit fraud costing taxpayers millions! MSD simply doesn’t know, and it’s going to take a multi-million dollar investigation and audit process to find out.

That possibility, and the huge costs involved in resolving it, seem more newsworthy than the possibility suggested by the PM that Keith Ng paid Bailey, or that Bailey asked MSD for a reward, or whatever.

12 Comments »

  1. I tweeted about this comment under Keith’s original post yesterday. It’s a newly-registered commenter, so I can’t vouch for the person, but there seems no particular reason to disbelieve it:

    I was at my friend’s place when I read this. I said to her cripes, listen to this, and she said “oh yeah, when I was on one of those kiosks a few months ago I did the same thing and read some internal memos by Paula Bennett about her plans for WINZ”. She thought about printing some out but didn’t in case someone noticed.
    http://publicaddress.net/system/cafe/onpoint-msds-leaky-servers/?p=272231#post272231

    Comment by Russell Brown — October 16, 2012 @ 10:49 am

  2. Given how easy it was to access the information and it seems that the issue has been around for more than a year, I think that the chances of Bailey and Ng being the first to discover the hole are about zero.

    Comment by wtl — October 16, 2012 @ 11:10 am

  3. the department’s real problem is that they don’t know who else has discovered this. Maybe no one.

    But almost certainly someone. If you’re in one of those places with long queues, and you have free computer access, you check your e-mail, surf the porn and then, if you’re still waiting, and it’s raining, well, what else is on here, let’s see, a couple of clicks, and …

    It’s the modern equivalent of flicking through New Idea, while you’re waiting for the doctor.

    Comment by sammy 2.0 — October 16, 2012 @ 11:10 am

  4. 700 kiosks and a 2 year time span – it’s hard to imagine he was the first person to discover this.

    Comment by MeToo — October 16, 2012 @ 11:10 am

  5. PM
    “But it’s something we can resolve, and will resolve quickly.”

    OH REALLY

    An article by Mathew Poole, an IT security expert.

    http://www.itnews.com.au/News/319250,nz-government-needs-to-start-over-on-security.aspx

    And what does that all mean? It means that every backup, all the way to when the kiosks were installed is an unknown quantity. Recovering from this isn’t just a matter of fishing out the last backup tapes and reinstalling the computers.

    It means reinstalling all the computers.

    It means reinstalling the computers from scratch using media that hasn’t been stored on the network. It means that no data on the network can be trusted, unless it checks out when compared to data from backups that were created and stored off the network before the kiosks were installed.

    OH well glad it was simple PM

    Comment by Dv — October 16, 2012 @ 11:22 am
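The check Poole describes above (trust only data that matches a backup created and stored off the network before the kiosks were installed) can be mechanised as a baseline comparison. The following is an added example, not code from the post, from any commenter, or from the itnews article; it hashes every file under a trusted offline copy, then classifies every file on the suspect system as unchanged, modified, missing or added. The directory names and file contents are constructed for the demo, and the `offline_backup` / `live_server` paths are stand-ins, not anything from MSD's environment.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file's path (relative to root, POSIX form) to its digest."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_to_baseline(baseline: Dict[str, str], current_root: Path) -> Dict[str, List[str]]:
    """Classify the live tree against the trusted baseline manifest.

    Only 'unchanged' entries are trustworthy on Poole's reasoning; everything
    else needs to be rebuilt from clean media or reviewed by hand.
    """
    current = build_manifest(current_root)
    return {
        "unchanged": sorted(k for k in baseline if current.get(k) == baseline[k]),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed sample: an offline baseline and a live tree with three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline_root = Path(tmp) / "offline_backup"   # assumed: the pre-exposure, off-network copy
        live_root = Path(tmp) / "live_server"          # assumed: the suspect system
        files = {
            "etc/policy.txt": b"access policy v1\n",
            "data/clients.csv": b"id,name\n1,example\n",
            "bin/report.sh": b"#!/bin/sh\necho report\n",
        }
        for rel, content in files.items():
            for root in (baseline_root, live_root):
                path = root / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(content)
        # Simulated changes on the live system (constructed, not real findings):
        (live_root / "bin/report.sh").write_bytes(b"#!/bin/sh\necho modified\n")  # altered script
        (live_root / "etc/policy.txt").unlink()                                    # file removed
        (live_root / "data/unknown.tmp").write_bytes(b"not in the baseline\n")     # file planted
        baseline = build_manifest(baseline_root)
        return compare_to_baseline(baseline, live_root)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Two caveats a practitioner would add. First, the baseline is only worth anything if it really predates the exposure and was never writable from the network; a backup taken after the kiosks went in just re-imports whatever was already wrong. Second, this answers "what was changed?", not "what was read?": a file that hashes identical to the baseline can still have been copied onto a USB stick, which is exactly the part of the problem the post says MSD cannot resolve from its own records.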

  6. No worries DV, from #wtfmsd:

    @SpeakerHenare
    with the money we saved by cutting staff & overheads, we’ve got exactly enough to investigate & repair all the problems

    Comment by MeToo — October 16, 2012 @ 11:57 am

  7. It means that no data on the network can be trusted

    Poole is dead on the money.

    As data could be exported onto USB from an unsecured device on the MSD network, one could logically conclude that write access to that network device was also not secured. Ergo, the entire MSD network and all the data it contains (excepting any devices/shares that were locked off or key encrypted) is irretrievably compromised.

    Further assuming that the same monkeys have been in charge for a while, there is no way of knowing whether other holes have been built into their network and security design by omission over time.

    Comment by Gregor W — October 16, 2012 @ 12:11 pm

  8. One of my technicians told me he’d noticed it earlier this year when he took his wife into WINZ for something. Noticed you could get into their network from the kiosks, looked on their incompetence as none of his business and didn’t report it to them. I don’t believe Bailey was the first to notice this either, he’s just the first who gave enough of a shit to point it out to the wazzocks in charge. I guess the govt’s giving us a salutary lesson in how much thanks you’ll get for being public-spirited…

    Comment by Psycho Milt — October 16, 2012 @ 12:12 pm

  9. The disturbing thing to me – is that the company that built the infrastructure and the kiosks stands to make money from the audit. I’d hope that the government’s lawyers were smart enough to put penalty clauses in the contract for this very thing.
    But that’s what the government is for, isn’t it?
    Siphoning money off taxpayers and funneling it to your already privileged old-boys club (or similar)

    Comment by Steevo — October 16, 2012 @ 1:00 pm

  10. I guess the govt’s giving us a salutary lesson in how much thanks you’ll get for being public-spirited…

    You’ll get investigated by Paula Bennett’s office. She did it last week, before Keith Ng published.

    Comment by sammy 2.0 — October 16, 2012 @ 3:42 pm

  11. I wonder how many people have been syphoning data out of these systems and selling them to the likes of Veda Advantage? Something tells me there’d be some money in that.

    Also identity theft becomes pretty easy when you have access to this sort of information.

    Better revoke passports for all the people in the system who have one, just in case they’ve been sent to Al Qaeda operatives.

    What an immense cock-up.

    Comment by Ben — October 16, 2012 @ 4:12 pm

  12. Why worry about Huawei security issues when they could’ve just visited any WINZ office?

    Comment by Tasi — October 17, 2012 @ 9:41 am

