"A Clash of Development Cultures"

Not strictly security related, but I wanted to point out an interesting post over on a blog written by Symanetc's Anthony Langsworth titled 'A Clash of Development Cultures'. It is an interesting viewpoint and one that I thing also fits into other IT realms, such as Infrastructure or Security.

I met Anthony while studying for the CISSP, and he's a smart cookie. His blog is worth checking out.

Once more unto the breach dear friends....

The Australian Attorney-General's office has released the long-awaited Australian Privacy Breach Notification discussion paper [pdf]

It seems to be generating interesting discussion both for and against.

I have commented previously on data breach legislation and haven't really changed my view. The only thing I'd add is that maybe the 'public shaming' fallout isn't as bad as it used to be, simply as the result of so many companies being hacked.

It is interesting that Information Security is back on the political agenda in Australia, as it is to in the United States with President Obama considering using an executive order to reinstate the "Cybersecurity" bill that was previously defeated in the US Senate. Probably not surprising though, as it is an election year....

I haven't read the AG's discussion paper in detail yet, but will hopefully get to it this weekend and provide my thoughts.

Shaky Security Isles


The New Zealand Government has suffered a major data breach...or have they? From the initial reporting it seems more like they had a gaping vulnerability that was found by a freelance journalist and blogger (Keith Ng) - although he had admitted to downloading the data and apparently then wiping it.

So what can we learn from the published details?

The breach was through physical access to kiosk terminals
Despite the fact the kiosks have internet access, there is nothing I've seen so far to indicate the data was steal-able from the internet. Physical access is always going to be trouble, so extra care needs to be taken. (of course if their remaining network security was as poor as this kiosk example, it may well have been even easier to steal this information for afar...)

The kiosk terminals had full MS Office suite installed.
The obvious question is why? Never install any software you don't need. In this case Kevin Ng used the MS Office 'open file' dialog to access the underlying file structure to move and copy files.
This leads to a greater question of why did the (I assume) auto-logon account even have permissions to access to any file location with sensitive data.....

The Kiosk terminals could access other internal network shares.
Again, why? Once again least privilege was not applied here. If all the kiosks needed was intranet/internet access - then that is all they should be able to access. Bare minimum permissions - once again 'least privilege'. In fact they should have been on an isolated network (in a perfect world), but at the very least, firewalled from the sensitive stuff.

The kiosk terminals allowed the use of USB mass storage devices
Obviously a bad idea. Even if you needed to allow Joe Public to upload data, the USB ports can be set to read only via a registry setting. Better still, disable them completely (physically if need be). One can only wonder if the terminals also allowed booting from USB.....

The Kiosks were running Windows 2000 and XP.
Considering they were installed 'just over a year ago' I really hope the reporter got it wrong. Windows 2000? Really? XP is bad enough, but at least it will be supported for a few more years. Windows 2000 support ended quite a while ago - which means no security updates or patches (which makes enabling USB drives even worse....)

There is also some discussion about whether Keith should be charged. Personally I think he didn't need to go as far as downloading data and "taking it home for analysis" in order to confirm the poor security state of the kiosks. But he wouldn't be the first to be prosecuted for embarrassing a government or organization who publicized their poor security...

*edit*: I rather like this opinion piece on the matter. It is probably closer to the mark than we'd like to think. Keith did get 'tipped off' about the vulnerability. Could it have been a disgruntled (or perhaps outraged) insider?

Cyberwar in One Handy Graphic

Amusing

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme