The revelation last month that screeds of personal information were available for anyone to download (or edit) simply by walking into a WINZ office and using a public kiosk was a shock to everyone. Perhaps most shocked though are those who work in the field of computer networking and security. Neither Keith Ng, the blogger who broke the story, or Ira Bailey, the system administrator who tipped off Ng, ‘hacked’ into the computer network of the Ministry of Social Development. ‘Hacking’ would require some kind of circumvention of security. This was not a case of weak security; it was a case of no security.
As Ng pointed out in his Public Address blog post, the kiosks shouldn’t even have been on the same network as client information. There was really no reason for it, but even if there was a reason for the kiosks being on the same network a very basic principle of network security was ignored. The ‘principle of least privilege’ dictates that if a user doesn’t need to access a file or service on a network, they shouldn’t have permission to. The user account for the public kiosks should not have had the permissions required to access client information and invoices.
Computer security can be broken, just as a lock can be picked, but this case wasn’t a lock being picked, it was the digital equivalent of leaving a filing cabinet unlocked with a door to the street wide open. The Ministry of Social Development (MSD) had been warned about their security hole. Kay Brereton, from Beneficiary Advocacy Federation, told Radio New Zealand that she had tested the kiosks not long after they were introduced and found people could get into the ministry’s system.
“I went with my collectors and we had a little play on the kiosks to see what they can do, and one of the guys who was with us found out that you can get back into the MSD system,” she said.
“We went far enough to know that there was a problem, and we let Work and Income and MSD national office know that that problem existed. It was important that they did something about it before someone with skills and time found their way back into Work and Incomes files.”
MSD was also warned in April 2011 by Dimension Data, the firm contracted to check the kiosks security. In a presentation to hacker convention Defcon, Paul Craig, a Dimension Data employee, gave a presentation about kiosk security. Twelve minutes in, he talked about using Open File dialogues as mini-Explorer windows, and discussed how they could be exploited. “This was what we used (albeit in a really unsophisticated way)” wrote Ng in a follow up to his original blog post. “This was Item #2 on Craig’s list. It’s just not plausible that he would have failed to warn MSD about it.”
As well as the concerns raised by Brereton and Dimension Data systems administrator, Ira Bailey had discovered the hole while trying to access his USB flash drive on a WINZ kiosk. He had contacted the ministry and asked if there was a vulnerability report reward like that offered by some private companies such as Google. Some media have falsely reported this as Bailey demanding money for his information. Ng has written that all Bailey received from him was “a cup of coffee”.
The fault here it would seem lies not with those IT professionals working on the computer network, but higher up in the ministry. Computer World quoted Ministry of Social Development CEO Brendan Boyle as saying “I am not confident that we took the right actions in response to Dimension Data’s recommendations on security.””