Tuesday, October 16, 2012

Missing the point

Media coverage of MSD making data about its clients available to the public has concentrated on its apparent inability to set up public-access kiosks properly. That misses the point, as Danyl describes here:


The kiosks aren’t really the problem here. The kiosks are how the public found out that MSD doesn’t seem to have any internal IT security.

Look at it this way: if you’re reading this at work and you try and access the folders or shared drive of your legal department, or HR department and you’re not a member of those groups, you won’t be able to. They’ll contain privileged information so they’re locked down. This level of security has been ubiquitous in corporate environments since the 1980s.

But not at MSD. If someone gets a temporary contract, or an entry level data-entry job at MSD they’ll still have access to all the private information Keith obtained through the kiosks.


Yes. This is the truly horrifying part. Either the kiosks were set up to use system administrator accounts to access the network (highly unlikely), or the network has no internal security being applied to it (which up until now I'd also have assumed was highly unlikely, but it's less unlikely than the first option).

This is a genuinely astonishing level of incompetence. Anyone capable of building MSD's network would be used to building in access controls because every other network on the planet uses them, so there's a suspicion here that someone high up in MSD's management made a policy decision not to control access. This is some serious shit.
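The condition described above (any staffer, however junior, able to read what should be locked-down shares) is something a file server admin can check for directly. The following is an added audit example, not code from the post or from MSD; it assumes it runs locally on a Windows file server with the SmbShare module (Server 2012 or later) and that the host is domain-joined, and it flags shares where broad principals are granted access at either the share layer or the NTFS layer.

```powershell
# Added audit example (not from the post). Lists non-administrative SMB shares
# whose share-level or NTFS ACLs grant Allow access to broad principals, i.e.
# the "anyone with a login can read HR/legal" failure discussed above.
# Assumes: local run on a Windows file server, SmbShare module available,
# and (assumption) a domain-joined host so "Domain Users" is meaningful.
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users"
)

foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # Share-level permissions (what the SMB layer enforces before NTFS is consulted)
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $_.AccountName } |
        ForEach-Object {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'Share'
                Principal = $_.AccountName
                Rights    = $_.AccessRight
            }
        }

    # NTFS permissions on the share root (the layer that should actually lock it down)
    (Get-Acl -Path $share.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $_.IdentityReference.Value } |
        ForEach-Object {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'NTFS'
                Principal = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
            }
        }
}
```

Any row returned for a share holding privileged data is a finding: effective access is the intersection of the two layers, so a broad grant at both layers means every authenticated account on the network can read that share.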

It's also a non-party-political issue, i.e. it could as easily have happened under a Labour govt - but it's worth noting that, as expected, Minister Bennett's response to this bad news was to release private data to try and discredit the people who reported the fuck-up. Classy as ever...

15 comments:

Anonymous said...

IT systems testing is not taken seriously enough, but that's changing slowly as customers get increasingly snotty when their security is compromised. Of course the govt customers can't go elsewhere so they will continue to be treated like cattle.


David said...

Um Psycho- what discrediting information did Bennett release? AFAIK the identity of the person who "discovered" the security hole was exposed by Keith Ng himself.

Adolf Fiinkensein said...

Milt

Is this your discreet way of saying this whole thing is a Clark gummint fuck up, like their defective terrorist legislation which should have seen this hairy arsehole in the slammer for twenty years?

Psycho Milt said...

what discrediting information did Bennett release?

Her releasing the identity of Ng's source is idle speculation on my part. Ng writes:

A journalist called up earlier knowing Ira’s name, and asked me to confirm him as my source. It was clear that somebody had given her the name, and the story was due to be published tomorrow.

On the basis of "cui bono" and Bennett's previous form for this, one of her staff seems the most likely candidate for the "somebody" in the above quote.

Adolf: no, this is my way of saying there's a limit on how much a govt Minister of any party can be expected to know about computer network security. As to Mr Bailey, his actions on discovering this astonishing, mind-boggling failure serve to highlight what a Pussy-Riot level of ugly authoritarianism would have been involved in locking him up for 20 years as a supposed terrorist.

Paulus said...

Is it not also possible that a flash drive could be used to infect a system?

dad4justice said...
This comment has been removed by a blog administrator.
Shane Ponting said...

d4j do you recognise the person in the mirror any more?

dad4justice said...
This comment has been removed by the author.
dad4justice said...
This comment has been removed by a blog administrator.
Big Bruv said...

Milt.

Paula Bennett has repeatedly said that she did not release this low life's name to the media. Despite this you (and the left in general) keep pushing the same lie.
The level of faux outrage shown by the left over this trivial matter is hilarious.

Psycho Milt said...

It's an assumption, not a lie. An assumption based on cui bono and Bennett's previous form for this kind of thing, as mentioned above, and also on the fact that one of her staff was nosing for info about the guy before he was dobbed in to the media. You might be enough of a sucker to assume that a politician must be telling the truth, but I take more of a "their lips are moving" view.

As to it being a trivial matter - really? A major govt dept apparently has no access controls on its network file storage and you think it's trivial?

Psycho Milt said...

D4J - your comments were deleted by one of the others.

Anonymous said...

Someone should log this gross breach here http://datalossdb.org/

'DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide.'

If this was the UK, MSD would be fined by the Information Commissioner’s Office. Lots!

dad4justice said...

Deleting comments wasn't the way in Sir Humps' day. Who are these timid childish new age cowards, Milt?

Barnsley Bill said...

It was I; you are quite correct, D4J. Sir Humphreys rarely deleted comments. But then you were only halfway to being a window licking idiot back then.