Monday, October 15, 2012

UPDATED: Another privacy cock-up

UPDATE #2 - Keith Ng has named his source:

So. The guy who tipped me off is Ira Bailey. He was one of the Urewera 17. He currently works as a system administrator, has a young child, and is not interested in being the media limelight. That’s why he asked for anonymity.
He did not have any special access to the system – he just had half an hour to kill at a WINZ office. He plugged in his USB drive and it didn’t appear, so he had a poke around the system to find it – and found the giant vulnerability instead.
He called MSD to ask if they had a reward system for reporting security vulnerabilities. This is not unusual practice, and it's certainly not blackmail. Google and Facebook, for example, both pay for vulnerability reporting. It gives them an opportunity to close holes discreetly, without causing embarrassment for their company.
MSD didn’t know what to do with his request, and it got slowly bumped up the food-chain.
Ira didn’t hear back from them, so he talked to me instead. I put him in touch with an experienced hacker. This hacker told us that government organisations in NZ don’t really pay for vulnerability reports, and that they were likely to either respond poorly or not at all.
MSD called Ira back two days later. They told Ira that they don’t pay for vulnerability reports. Ira told them he’d been talking to a journalist and the conversation didn’t go anywhere after that.
At this point, it was clear that Ira was not going to get paid for it, but that it could still be an important story. He showed me the vulnerability – the only condition was that his name be kept out of it. He wasn’t interested in being in the limelight.
The rest, I’ve already blogged. We have since both deleted all the material from our computers, and Ira assured me it’s all gone, and I’ve assured the Privacy Commissioner of this.
Since he called MSD and left his name and number, it was always likely that they’d out him as a diversion. We had hoped that it wouldn’t get to that, but it has, which is why I’m writing this now.
Should he have reported the vulnerability, free of charge? Yeah, that would have been the selfless thing to do for the public good. But asking to be compensated for his troubles is not unreasonable, either. After all, it’s not as if the people MSD ended up relying on – KPMG – did it for free.



******************************


UPDATED: MSD's response has been swift, doubtless at the behest of the Minister. MSD's CEO Brendan Boyle has announced an urgent and independent inquiry:


Ministry of Social Development Chief Executive Brendan Boyle says the security breach uncovered yesterday is serious.
"What's occurred is simply unacceptable," Boyle told reporters in Wellington this afternoon.
"I will be engaging an independent organisation to conduct an independent review so that I can understand what's happened and whether further action must be taken to safeguard client information," he said.
The terms of reference for the investigation will be drafted in the next 24 hours and Boyle said he wants an interim report completed over the next two weeks.
"The investigation will initially examine the specific breaches around the kiosk, and if this shows a broader independent review into ministry systems is needed, this will also be commissioned," Boyle said.
He is also establishing an internal taskforce to support the review and will be in close contact with the Privacy Commissioner throughout, he said.


******************************************


There's been another privacy botch from a government department, and it's MSD that is in the gun this time; the Dom-Post reports:


The Social Development Ministry (MSD) has closed computer kiosks in Work and Income offices and launched an investigation after a major security flaw was exposed.
Freelance journalist Keith Ng reported on his blog that he was able to access thousands of files on the agency's servers from computers at self-service kiosks in a Wellington WINZ office.
He said he walked into a WINZ kiosk and was able to open files including sensitive case notes, names of children in care and up for adoption, foster parents, lists of people who owed MSD money, details of contract workers and how much they were paid, and the name of a person who had attempted suicide.
MSD deputy chief executive Marc Warner issued a statement last night saying "MSD is very concerned about this and an urgent investigation is underway."
The ministry had been alerted to the security flaw late yesterday and took immediate steps to secure the system, he said.
Ng had stated he accessed client information through WINZ kiosks at two Wellington sites, Warner said.
"We have closed all kiosks in all sites across the country to ensure no further information can be accessed.
"They will not be reopened unless and until we can guarantee they are completely secure and we have obtained independent assurance from security experts.
"We understand the maintenance of public confidence in our ability to protect people's information is vital.
"I want to give the public an assurance that we are doing everything possible to fix this and our people have been working overnight.
Ng had given an assurance that he would pass all the information to the Privacy Commissioner this morning and had guaranteed that none of the information would be given to anyone else or placed in the public arena, Warner said.

Keith Ng has exposed a very significant flaw here, and he has handled it well, ensuring that none of the information he discovered gets into the public domain. By alerting MSD while carefully avoiding the release of any personal information, he has played this well. Others may have been less responsible.

This is a serious breach by the MSD, and should not be trivialised. MSD's initial response has been to shut down the internet kiosks while it conducts an inquiry into how privacy settings could have been so lax. We are sure that Paula Bennett will have a "please explain" waiting for her Chief Executive this morning.

Government departments should treat personal information with the highest possible levels of security. At first glance it seems that the MSD's standards have fallen well short of what could reasonably be expected. Their response, and that of Paula Bennett, will be watched with interest.

14 comments:

The Toaster said...

Paula Bennett assured New Zealand, on national television at the weekend, that her new scheme to target at-risk children would be tight and secure, that none of the information held would get out into the community - she emphasized how we could trust her!

Nice timing, Paula.

Resign now.

toad said...

And the MSD CEO's immediate previous job was - wait for it - Government Chief Information Officer.

jabba said...

it's all John Key's fault. He along with Paula Bennett should resign now .. keep on those who stuffed it up though aye, not their fault aye

Cat Balloo said...

I'm tiring of these National Party cock-ups. There's one per week now and they're big ones. The Opposition are going to flay Key and his hopeless party tomorrow and the next day and the next and the next...
I wonder how those polls are going to look after a month of that?!

Grant Houtere said...

jabba is right, the buck has to stop with someone. Send Bennett down the road first. Key will soon follow, thanks to Kim Dotcom. Clean out the rot, I say!

Armchair Critic said...

oh for the good old days (the 90s) when National were competent, or the even older days (the 70s) when National were competent and believed they had NZ's best interests at heart.

Ben Paull said...

Bye bye Paula!
The scale of this privacy breach is so bad that I would expect Paula Bennett to resign. Remember these kiosks were introduced by this minister in 2011 as a cost-cutting initiative. The conception and implementation of these kiosks occurred exclusively on this minister's watch.

O. Dair said...

Oh dear oh dear oh dear!

W. Oyle said...

"Keith Ng has exposed a very significant flaw here. And he has handled it well, ensuring that none of the information he has discovered gets into the public domain. By alerting MSD, but carefully avoiding the release of any personal information into the public domain he has played this well. Others may have been less responsible"

Do you mean Cameron Slater?

Claudie said...

Damning stuff coming through. Not only is Key failing to manage his Ministerial responsibilities, so is Bennett:

Beneficiary Advocacy Federation spokeswoman Kay Brereton said she alerted officials to the fact members of the public could access sensitive information in July last year.

Ms Brereton said staff at the Wellington People's Centre (WPC) were trained to use the self-service kiosks when they were introduced at Work and Income (WINZ) offices.

[...]

She said an IT person from WPC found you could track backwards into WINZ's system.

"We got to the place where we could find all the IP addresses for all the computers in the local network and we thought that was probably far enough.

Exposure meter said...

The government cannot duck this one. Right across the public service we have seen cost-cutting taken to ludicrous extremes. IT staff, including CIOs, have been in the thick of this. Senior people are massively under-resourced. They can only do the best they can with half the resources they need, and hope for the best.

It is time public sector CEOs stood up to their political masters and demanded resource where needed.

That said, role-based access is a fundamental element of any IT system. Someone – probably several people – have stuffed up to a catastrophic extent. The Chief Executive and Minister both have to be held to account for this, as well as the unfortunate worker/s who have tried to do too much with too little.

By far the worst of the major security breakdowns we have seen in the past few months.

Mitch said...

Lindsay Mitchell's real worried, KS!

"Who knows what MSD information is now at large? Will the Privacy Commissioner advise MSD that clients will have to be notified that their information may no longer be private? How does this stuff work?

And how many aggrieved clients out there would happily accept an apology from the Minister? The relationships between WINZ/CYF and their clients are often far from hunky dory as it stands.

I do not think I am overstating this situation as a nightmare for the government. Do you?"

Yorick said...

You'll be wanting to copy and post Scott Yorke's latest, Keeping Stock, just as you did recently. He's good!

http://www.imperatorfish.com/2012/10/how-could-this-happen.html#comment-form

Jester said...

Perhaps instead of all the hand-wringing people need to ask themselves what an "employed" computer system analyst was doing in a WINZ office using the terminal in the first place. I'm sorry but "just killing time" seems a little too easy.