Shaky Security Isles

The New Zealand Government has suffered a major data breach...or have they? From the initial reporting it seems more like they had a gaping vulnerability that was found by a freelance journalist and blogger (Keith Ng) - although he had admitted to downloading the data and apparently then wiping it.

So what can we learn from the published details?

The breach was through physical access to kiosk terminals
Despite the fact the kiosks have internet access, there is nothing I've seen so far to indicate the data was steal-able from the internet. Physical access is always going to be trouble, so extra care needs to be taken. (of course if their remaining network security was as poor as this kiosk example, it may well have been even easier to steal this information for afar...)

The kiosk terminals had full MS Office suite installed.
The obvious question is why? Never install any software you don't need. In this case Kevin Ng used the MS Office 'open file' dialog to access the underlying file structure to move and copy files.
This leads to a greater question of why did the (I assume) auto-logon account even have permissions to access to any file location with sensitive data.....

The Kiosk terminals could access other internal network shares.
Again, why? Once again least privilege was not applied here. If all the kiosks needed was intranet/internet access - then that is all they should be able to access. Bare minimum permissions - once again 'least privilege'. In fact they should have been on an isolated network (in a perfect world), but at the very least, firewalled from the sensitive stuff.

The kiosk terminals allowed the use of USB mass storage devices
Obviously a bad idea. Even if you needed to allow Joe Public to upload data, the USB ports can be set to read only via a registry setting. Better still, disable them completely (physically if need be). One can only wonder if the terminals also allowed booting from USB.....

The Kiosks were running Windows 2000 and XP.
Considering they were installed 'just over a year ago' I really hope the reporter got it wrong. Windows 2000? Really? XP is bad enough, but at least it will be supported for a few more years. Windows 2000 support ended quite a while ago - which means no security updates or patches (which makes enabling USB drives even worse....)

There is also some discussion about whether Keith should be charged. Personally I think he didn't need to go as far as downloading data and "taking it home for analysis" in order to confirm the poor security state of the kiosks. But he wouldn't be the first to be prosecuted for embarrassing a government or organization who publicized their poor security...

*edit*: I rather like this opinion piece on the matter. It is probably closer to the mark than we'd like to think. Keith did get 'tipped off' about the vulnerability. Could it have been a disgruntled (or perhaps outraged) insider?

0 Response to "Shaky Security Isles"

Post a Comment

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme