MSD Security failure: The technical side of it

The revelation last month that screeds of personal information were available for anyone to download (or edit) simply by walking into a WINZ office and using a public kiosk was a shock to everyone. Perhaps most shocked, though, are those who work in the field of computer networking and security. Neither Keith Ng, the blogger who broke the story, nor Ira Bailey, the system administrator who tipped off Ng, ‘hacked’ into the computer network of the Ministry of Social Development. ‘Hacking’ would require some kind of circumvention of security. This was not a case of weak security; it was a case of no security.

As Ng pointed out in his Public Address blog post, the kiosks shouldn’t even have been on the same network as client information. There was really no reason for it, but even if there was a reason for the kiosks being on the same network, a very basic principle of network security was ignored. The ‘principle of least privilege’ dictates that if a user doesn’t need to access a file or service on a network, they shouldn’t have permission to. The user account for the public kiosks should not have had the permissions required to access client information and invoices.

Computer security can be broken, just as a lock can be picked, but this case wasn’t a lock being picked; it was the digital equivalent of leaving a filing cabinet unlocked with a door to the street wide open. The Ministry of Social Development (MSD) had been warned about their security hole. Kay Brereton, from the Beneficiary Advocacy Federation, told Radio New Zealand that she had tested the kiosks not long after they were introduced and found people could get into the ministry’s system.


