NZ government network leaking data like a sieve A row has broken out in New Zealand after a blogger exposed serious security flaws in that country’s job-seeker network. The blogger, Keith Ng, demonstrated that public job-seeker kiosks had unauthenticated access to the corporate network of the Ministry of Social Development (MND). His posting raised concerns that attackers …
New Zealand still exists as if it were the 1950's, no wonder they get a bit flummoxed where technology is concerned, first Dotcom, now this, and with the Prime Minister asking why he needed to put a password on his email, there was a look of amazement on his face.
'Do you mean I don't have to put any stamps on the envelope?' He said gazing at the screen.
'And what's that beige box next to the telly that's whirring?' He asked.
Yes 1950's.
Meanwhile, Institute of IT Professionals New Zealand chief executive Paul Matthews says MSD's security woes appear to go far beyond the kiosks:
"As well as the clear issues of placing a publicly accessible system on an internal network containing highly sensitive data, the fact that any computer on the network can seemingly openly access these types of files points to a potential widespread systemic failure of IT security and governance."
Really?
You think NZ has a monopoly on inept government contractors?
WOW.
The only reason this came to light was because they connected a kiosk to it. What is crazier is that all users inside their network could see everything about everyone, including the setup scripts for the VM's used. Probably have for a long time.
The whole network was basically one giant shared drive.
...why all the competent and accomplised kiwi i.t pros iv'e met all work in aus. i guess a brain drain will do that to your skill base. im not sure which way i feel about Mr. Ng's actions morally, however i'm all about naming and shaming idiots who insist on poor i.t practice and get paid in six figures. i assume that's the pay grade for manager in a ministry department.
Given the number of incidents of this type over the years, there seem to be many skilled amateur penetration and security testers out there. (Also, many clueless software developers). Why don't they just hire them on a short term contract with low basic salary and big bonuses for every flaw they find? If it's important enough to spend money on, then spend a bit more to find the faults.
Admit fault, crack on with getting it fixed, make world a better place.
Keith Ng is a serious tech & social blogger, has been for years, not some skiddie or look-at-me-I-can-haxor type. Throwing the rulebook at him would be a traversty - you want these people on your side.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
