Tuesday, October 16, 2012

Massive security breach at NZ ministry

Well, we have an IT story from New Zealand that is front page news. On the 14th of October kiwi blogger Keith Ng posted a piece titled "MSD's Leaky Servers". Read his post for the full story, but the basic gist of it is that by using Work and Income's public information kiosks he was able to access every server within the Ministry of Social Development simply by using the Open File dialog of MS Office. Once inside a server, information was stored as plain unencrypted documents ranging from information about claimants, fraud investigations, court cases and invoices to, most alarmingly, information about children under the care of Child, Youth & Family.
In many ways this isn't a security breach as it seems there was no security present to breach - Keith Ng isn't a hacker.
Let's start from the bottom up: computer kiosks shouldn't allow access to any of the computer's underlying setup. They certainly shouldn't be connected to the entire ministry's network. Kiosks shouldn't have USB ports, which apparently these machines do. Nobody, apart from the sysadmin, should have access to the entire organisation's network, yet it seems any MSD employee can access any document. It seems that data isn't stored in a database, so there is no record of when documents have been accessed and by whom. Moreover, sensitive information, including passwords, isn't encrypted.
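To make the kiosk points above concrete, here is an added example of a read-only PowerShell audit a sysadmin could run on a Windows kiosk to check the controls that were apparently missing: USB mass storage, drive restrictions honoured by the Office Open File dialog, and whether the kiosk user is running with administrator rights. This is not code from the original post or from MSD; the registry paths are standard Microsoft policy locations, and no server names or site-specific values are assumed.

```powershell
# Added example, not from the original post: audit a few Windows kiosk
# lockdown settings that relate to the gaps described in the article.
# Read-only: it only inspects registry values and the current token.

$findings = @()

# 1. USB mass storage. The USBSTOR service "Start" value of 4 means the
#    driver is disabled, so plugging in a USB stick does nothing.
$usb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                        -Name Start -ErrorAction SilentlyContinue
if (-not $usb -or $usb.Start -ne 4) {
    $findings += 'USB mass storage driver is not disabled (USBSTOR Start is not 4)'
}

# 2. Explorer drive restrictions for the kiosk user. Common file dialogs
#    (including MS Office's Open dialog) honour these policies:
#    NoViewOnDrive = "Prevent access to drives", NoDrives = "Hide these drives".
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$p = Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue
if (-not $p -or -not $p.NoViewOnDrive) {
    $findings += 'No "Prevent access to drives" policy (NoViewOnDrive) set for the kiosk user'
}
if (-not $p -or -not $p.NoDrives) {
    $findings += 'No "Hide these drives" policy (NoDrives) set for the kiosk user'
}

# 3. Least privilege. The interactive kiosk account must not be a local
#    administrator; check the current token rather than trusting group names.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += "Kiosk session '$($identity.Name)' has local administrator rights"
}

# Report. Each finding is one missing control; an empty list is the goal.
if ($findings.Count -eq 0) {
    'No findings: USB storage disabled, drive access restricted, non-admin session'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it in the kiosk user's own session (the HKCU checks are per user). A production kiosk would go further, restricting the machine to a dedicated VLAN with no route to file servers and removing the shell entirely in favour of a single locked application, but this script covers the three failures the article names.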
Finally, to make matters worse, Ministry chief executive Brendan Boyle has said the ministry received a report from Dimension Data in April last year identifying "flaws" in its system - obviously no action was taken! Perhaps the government is implementing an "open information" policy but has forgotten to tell us.