OnPoint by Keith Ng

Budget 2013: Bringing Down the House (Prices), but not really

Update: Tool is live!

"On track to surplus"

That's not really true. Revenue projections are down on the 2012 Budget, and the Government would be in deficit - except they cut the Operating Allowance for Budget 2014 by $200m.

I had a crack at Bill English about this during the lock-up; his argument was that money is money - I might as well be saying that of *anything* that saved the government more than $75m, and claim that the government only did that because it would bring them over the threshold.

The difference with changing the Operating Allowance is that they don't have to make any decisions yet - it's just a promise to find some money next year. They really will need to find this money next year, so in that sense, it's quite legitimate. But it makes this "on track to surplus" claim really hollow. It's akin to saying "if I spend less next week, I'll have unspent money". It's true - it just doesn't mean anything.

NZSF

Resumption of contribution to the NZ Super Fund has been delayed, again. It's only a few years, but by Treasury's NZSF model, that matters a lot. By 2033, the NZSF would be $12b smaller (that translates to less money it's feeding back to the government), and about $4b less in tax revenue in the next 20 years.

Of course, that's offset by the decrease in debt and the cost of servicing that debt, and there are the old arguments about whether a dollar in the NZSF is as safe as a dollar less debt.

Student Loans

The Government is getting pretty aggressive about collecting debt from students overseas. Yeah, half the readers of Public Address - that's you, buddy.

  • "Fixed repayment obligations and higher repayment thresholds for overseas-based borrowers" (I think they mean lower thresholds though. I think.)
  • "[Extending] the child support border arrest system for the most non-compliant overseas-based borrowers"
  • "Ongoing information-sharing agreement between IRD and Internal Affairs to collect contact details from passport applications"

More details here.

It's a little horrifying in terms of its aggressiveness, but I also think it makes sense in a lot of ways. Aside from raising the amount of money which is collected, it'll also make it less attractive to try to flee your student loan debt, or to get into the situation where interest stacks up to the point where it becomes impossible for graduates to move back.

It's a big, hideous stick, but I guess good policy doesn't have to be all carrots.

Tertiary Education

  • "New funding" for engineering and science that are basically just inflation adjustments (2% increase), but not for other areas.
  • Signalling that Management, Commerce and Arts should GFYS: Other higher-cost subjects may see an increase in funding if necessary.
  • Private Training Establishments to receive same level of funding as public tertiary education institutions.

Bits and Bobs

  • $80m for new irrigation. Sounds like they're going to be building some dam.
  • New rules to make multinational corporations pay their "fair share" of taxes. But don't expect a Google windfall - it's only expected to generate $20m over the next 3 years.
  • "Exploring options" for microfinance schemes (low-/no-interest loans) for beneficiaries. Would be great if they get this off the ground - will put predatory finance companies out of business.

--

The interactive visualisation of the Budget is here. If you loaded it up prior to 14:00, remember to refresh your browsers so you're loading up the right one.

For best performance, use Chrome to view it.

--

If you think this kind of blogging/data journalism is worthwhile, I'd really appreciate a few bucks on my Givealittle page. The money is nice, but more importantly, this is an experiment to see if reader-funded independent journalism can work in a small market like NZ.

#WTFMSD: "Damning"

"Damning" was actually the word used in the MSD press release:

MSD Chief Executive Brendan Boyle says the report is damning around MSD's failure to separate public kiosks from a network containing corporate files.

And it is. The Dimension Data security review of the kiosks came out, and as expected, they were crystal bloody clear:

The most pressing security issue discovered is the lack of network separation or segregation within the environment... This introduces an inherent level of risk as it could allow for a member of the public to gain access to MSD network resources and services. Physical network separation is strongly recommended, and the current solution should not be deployed into a production environment before network separation is achieved.

The problem was listed as "Urgent".

So where are we now? Four "employment investigations" are under way. Boyle refused to say anything about these people, so we don't know their seniority or the nature of their roles. But he did make clear that the decisions didn't get escalated properly - i.e. senior managers weren't involved. He also said that it simply "dropped off the radar" - that it wasn't a matter of cost-cutting, it was a matter of WTF.

So basically, there is no explanation of why they ignored DiData's report. Hopefully we'll find out more once those "employment investigations" are completed and the second phase of the report comes out.

MSD has also ring-fenced the breach: That although 1432 documents contained personal information, they only contained "highly-sensitive" information about 10 people. It's worth noting that many of those documents contained tens of names. I'd estimate that more than 10,000 individuals were identified in those documents.

Many of those would have been MSD contractors, with pay rates, hours etc. It's private, but not terribly sensitive. Reasonable people can disagree about whether that's a big deal or not. But other names, such as individuals being investigated by the Benefit Fraud Unit or the MSD Intelligence Unit, were also deemed not highly sensitive. That's a big call.

Full report here, via NBR.

UPDATE: Some speculation. The email to MSD from Kay Brereton (the beneficiary advocate) describes the problem as:

...was able to access info which gave him the "names" of all the computers on the network

By the time it got to MSD, this was described as:

...was able to access the IP addresses (you will know better than I what this means) for all the PC's including staff PC's in the office

Printers were also mentioned.

The original description of the problem sounds exactly like being able to map network drives and see the names of all the computers on the network. And you can map network resources through the printer dialogue (let me know if I'm wrong about this).

UPDATE 2: My understanding is that there's no audit trail to determine *who* accessed information, but that there *were* network logs. Boyle talked about not finding any "download patterns" - i.e. people leeching large volumes of data, like I did. That seems like a reasonable way to detect intrusion, unless it was someone who covered their own tracks (in which case no audit trail would help).
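To make the "download patterns" idea concrete, here is an added example (not from the original post, and not MSD's or Dimension Data's tooling) of the kind of check a defender would run over file-server access logs: it looks for any client that opens an unusual number of distinct files, or pulls an unusual volume of bytes, inside a short sliding window. The log format, hostnames and addresses are constructed for the example; real servers log in their own formats and the regex would need adjusting. Note the limitation the post raises: with no per-user audit trail, the best this can attribute an alert to is a source address, i.e. a kiosk, not a person.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Addresses, share names and paths are invented;
# 10.20.30.41 plays the role of a kiosk, 10.20.31.7 a staff PC.
SAMPLE_LOG = """\
2012-10-12T13:02:40 client=10.20.31.7 share=shared path=policy/leave.docx bytes=61440
2012-10-12T13:31:05 client=10.20.31.7 share=shared path=policy/travel.docx bytes=61440
2012-10-12T14:03:11 client=10.20.30.41 share=invoices path=2012/inv_0001.pdf bytes=81920
2012-10-12T14:03:40 client=10.20.30.41 share=invoices path=2012/inv_0002.pdf bytes=81920
2012-10-12T14:04:12 client=10.20.30.41 share=invoices path=2012/inv_0003.pdf bytes=81920
2012-10-12T14:04:55 client=10.20.30.41 share=invoices path=2012/inv_0004.pdf bytes=81920
2012-10-12T14:05:30 client=10.20.30.41 share=invoices path=2012/inv_0005.pdf bytes=81920
2012-10-12T14:06:02 client=10.20.30.41 share=invoices path=2012/inv_0006.pdf bytes=81920
2012-10-12T14:06:45 client=10.20.30.41 share=invoices path=2012/inv_0007.pdf bytes=81920
this line is malformed and will be skipped
2012-10-12T14:10:19 client=10.20.31.7 share=shared path=policy/expenses.xlsx bytes=61440
"""

# Assumed log line layout for this example only.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) share=(?P<share>\S+) "
    r"path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse lines into (timestamp, client, share, path, bytes) tuples.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((
            datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            m["client"], m["share"], m["path"], int(m["bytes"]),
        ))
    return events


def find_download_patterns(text, window=timedelta(minutes=10),
                           max_files=5, max_bytes=500_000):
    """Return {client: alert} for every client whose activity inside any
    sliding window of `window` length exceeds max_files distinct files
    or max_bytes total bytes. Only the first offending window per client
    is reported."""
    by_client = defaultdict(list)
    for ev in parse_log(text):
        by_client[ev[1]].append(ev)

    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            files = {(e[2], e[3]) for e in win}
            total = sum(e[4] for e in win)
            if len(files) > max_files or total > max_bytes:
                alerts[client] = {
                    "from": win[0][0], "to": win[-1][0],
                    "files": len(files), "bytes": total,
                }
                break
    return alerts


if __name__ == "__main__":
    for client, alert in find_download_patterns(SAMPLE_LOG).items():
        print(f"{client}: {alert['files']} files, {alert['bytes']} bytes "
              f"between {alert['from']:%H:%M:%S} and {alert['to']:%H:%M:%S}")
```

The thresholds are deliberately low so the constructed sample trips them; in practice they would be tuned against a baseline of normal kiosk use, and the kiosk segment's addresses would be the only clients worth alerting on at all, since staff legitimately open many files.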

H4x0rs and You

"No good can come of a hacker talking to a TV journalist," my hacker friend said when I asked him to go on camera for a TV journo. He was goddamn right.

I gave Paul Craig's name to one journalist on Tuesday morning and to a few others after that. I thought it was pertinent that Dimension Data had one of the world's best kiosk hackers on staff, and therefore it was ludicrous to think that they could have missed the shit-simple security hole I used. In hindsight, I really should have paid heed to my friend's advice: No good could have come of it.

Hey Paul - I'm sorry.

Heather du Plessis-Allan's story on TVNZ missed the point for a lot of reasons. For starters, if she'd watched the whole of Paul Craig's Defcon presentation, she would have seen the smoking gun: 12 minutes in, Craig talked about using Open File dialogues as mini-Explorer windows, and discussed how they could be exploited. This was what we used (albeit in a really unsophisticated way). This was Item #2 on Craig's list. It's just not plausible that he would have failed to warn MSD about it.

Second, here's a rule of thumb: If someone is telling you about their hacking, and the system in question hasn't already been reduced to a steaming pile of goop, they're probably not a "malicious" hacker. Craig attacks systems in the same way that a malicious hacker would, so from a security perspective, he is a "malicious" agent. That doesn't mean he's malicious in the "out to get you" sense. I mean FFS, he works for a security testing company. He's *paid* to break into systems. It's utterly ridiculous to call him a malicious hacker, and it stems from a total misunderstanding of the context.

Third, the implication that he's a Bad Guy because he's a "Hacking Teacher". Once again, it shows a fundamental misunderstanding of the nature of these security exploits. Standing in front of a conference explaining exploits is what the *good* hackers do (while we're at it, so is selling the exploits to the originating organisation). The bad hackers keep it for themselves, or sell it on the black market to criminal organisations (who then keep it for themselves). The difference is that once an exploit is made public, it usually gets shut down pretty quick. The best way to take advantage of an exploit is to keep it secret while you use it to compromise systems and steal data.

The upshot is, if they're standing in front of you telling you about their hacks, they're probably not the ones you need to worry about.

Same concept applies to Patrick Gower's story earlier this year as well (which I'm rehashing now with my newfound l33t h4x0r credentials... and because I was actually right). If Murray McCully's email was hacked by Russian hackers after military secrets, they would have sat on that email and used it to compromise other systems. They would not have sent out prank emails. See the Wired guy as an example of how you can overrun everything once you have access to an email.

I bring it up because they're both a part of the same problem. Clearly, computer security has moved beyond being just "IT news". Journalists can't report on it unless they have some basic understanding of it, and they can't get that understanding without talking to real hackers. That isn't that hard... unless they keep doing shit like this.

The Source

Update: A journalist called up earlier knowing Ira's name, and asked me to confirm him as my source. It was clear that somebody had given her the name, and the story was due to be published tomorrow. Sorry I wasn't clear about this in the original.

Update 2: *Obviously* I've been in touch with Ira this whole time. He was also contacted by the journalist yesterday, we discussed how to proceed and then I wrote this. I got his permission to write this and cleared the draft of this with him before I published this. Like, seriously - what kind of dick did you think I was?

So. The guy who tipped me off is Ira Bailey. He was one of the Urewera 17. He currently works as a system administrator, has a young child, and is not interested in being in the media limelight. That's why he asked for anonymity.

He did not have any special access to the system - he just had half an hour to kill at a WINZ office. He plugged in his USB drive and it didn't appear, so he had a poke around the system to find it - and found the giant vulnerability instead.

He called MSD to ask if they had a reward system for reporting security vulnerabilities. This is not unusual practice, and it's certainly not blackmail. Google and Facebook, for example, both pay for vulnerability reporting. It gives them an opportunity to close holes discreetly, without causing embarrassment for their company.

MSD didn't know what to do with his request, and it got slowly bumped up the food-chain.

Ira didn't hear back from them, so he talked to me instead. I put him in touch with an experienced hacker. This hacker told us that government organisations in NZ don't really pay for vulnerability reports, and that they were likely to either respond poorly or not at all.

MSD called Ira back two days later. They told Ira that they don't pay for vulnerability reports. Ira told them he'd been talking to a journalist and the conversation didn't go anywhere after that.

At this point, it was clear that Ira was not going to get paid for it, but that it could still be an important story. He showed me the vulnerability - the only condition was that his name be kept out of it. He wasn't interested in being in the limelight.

The rest, I've already blogged. We have since both deleted all the material from our computers, and Ira assured me it's all gone, and I've assured the Privacy Commissioner of this.

Since he called MSD and left his name and number, it was always likely that they'd out him as a diversion. We had hoped that it wouldn't get to that, but it has, which is why I'm writing this now.

Should he have reported the vulnerability, free of charge? Yeah, that would have been the selfless thing to do for the public good. But asking to be compensated for his troubles is not unreasonable, either. After all, it's not as if the people MSD ended up relying on - KPMG - did it for free.

MSD's Leaky Servers

My jeans were torn, my hoodie was pretty ragged, and I hadn't shaved for a week. It turned out that bloggers are remarkably good at disguising themselves as unemployed, without even trying.

Last week, I got tipped off that parts of the MSD network were completely exposed to the public. You could go into any WINZ office and use their self-service kiosks to access their corporate network.

These locked-down kiosks are provided so you could look for jobs online, send off CVs etc. They've had some basic features disabled, which supposedly meant that you couldn't just open up File Manager and poke around the machine. However, by just using the Open File dialogue in Microsoft Office, you could map any unsecured computer on the network, and then open up any accessible file.

This basically means you can grab any file that wasn't bolted down on the network, while standing in the middle of a WINZ office. And that's what I did.

So what wasn't bolted down? Let's start with the boring stuff. There were servers connected to their call centre systems, logging calls going in and out. They contained sound recordings which I couldn't open, but which I suspect (for various reasons) are NOT complete recordings of calls. I guess I'll leave that for the Privacy Commissioner.

And then there were file server logs. Normally, they aren't that exciting. Except that WINZ name their files quite well. For example:

s:\SharedData\wi_wites\Waikato\HAM\Fraud Investigations\[Name of investigator]\[Name of WINZ client] 23 Jun 2011 Case 640026-10.WMA

And so on. There were similar files for other "special" clients as well. There are probably a lot of personally identifying details in there, but I didn't spend much time going through them, because then I got tipped off about the invoice server. It contains what appears to be all of MSD's invoices for this year. Among all the invoices for milk and sausage rolls were invoices for:

Contractors
With full names, hours worked, pay rates and pay details for all of MSD's contract workers (Studylink/Call Centre staff, consultants, *coughmediatrainerscough*, temporary staff, etc).

Doctors/Radiology
With full names of candidates for adoptions, foster parents and Limited Services Volunteers (they have to get medical reports first). Others were for children in CYFS care, with their full names and their chief complaint; some of these were for x-rays after injuries.

Debt Collection
MSD's Collection Units use Veda to keep track of people who owe them money. And Veda's invoices to MSD show the full name of every person they helped MSD to locate. i.e. the invoice is a list of people who owe MSD money. MSD outsources debt collection to another vendor, whose invoices detail the full name of each person owing money, how much they've paid and how much they still owe to MSD.

Fraud Investigation
The Benefit Control Unit and Intelligence Unit (basically the fraud investigators) also used Veda to locate and get credit records for people they're investigating (with full names, of course). Conveniently, these are billed separately, under "Benefit Control Unit" and "Intelligence Unit", so it doesn't get mixed up with the Collection Units' invoices. Another set of invoices are for the servicing of court documents on behalf of MSD, some done by private investigators.

--

That's the light stuff. Now it starts getting messy:

HCN
HCN stands for "High and Complex Needs". These are:

..short-term, intensive interventions aimed at addressing the severe and current needs of the most challenging children or young people

Note "the most". Because of its interagency nature, invoices come from other agencies to CYFS. These invoices contain the full names of kids in the HCN programme and the cities they live in. In a few cases, they also contain the date of birth and the name of the school which they attend.

Care & Protection
Care & Protection homes are:

This is a safe and secure place where children and young people will go if they are in our care and can’t live in the community for a while. They might stay at a residence if:

  • there are worries about the child or young person’s safety
  • their actions are putting themselves at risk
  • or they are putting others around them at risk.

These invoices contain the first names, dates and costs of children living in CYFS Care & Protection homes. Other CYFS residential arrangements are also listed, containing the full name of children.

Phone bills
Bills from Telecom for CYFS Family Homes and Care & Protection facilities. Since the billing address is just MSD, it's often hard to tell which facility the phone bill is for. So Accounts has handwritten the full address of each of these facilities on each bill.

Along with the name of the facility and its address are the normal stuff contained in a phone bill: The phone number of each of these facilities, along with a complete log of all the toll calls made from that location.

Pharmacy
Bills from pharmacies to CYFS facilities, listing the children in that facility and the medication they are prescribed. These range from antibiotics and scabies cream to cancer drugs, ADHD drugs, anti-depressants and anti-psychotics.

Legal bills
All of MSD's legal bills are in there, along with other legal bills paid for by MSD (e.g. representation for foster parents). Most of these are invoices from Crown Law. They often mention the full names of parties and lawyers in the case, as well as the nature of the case. This can be very revealing information, for example, if the nature of the case is "Historical Claims", and the lawyers representing one side specialise in historical abuse and the other side is CYFS.

Some of these claims were settled out of court. The details of the settlements are not there, just the fact that a complaint was made and that it was settled.

In any event, all of these invoices are legally privileged.

Last one
One community group invoiced for providing support to a whānau after a suicide attempt (full name of that person included).

--

I sorted through 3500 invoices. This was about half of what I obtained, and what I obtained was about a quarter of what was accessible. There are probably more outrageous things still on that server, and there are probably other servers that I've completely missed. But I'm done for now.

This stuff was all a few clicks away at any WINZ kiosk, anywhere in the country. The privacy breach is massive, and the safety of vulnerable children was put at risk.

This should never have happened:

  • Public kiosks should not have been connected to the corporate network.
  • Servers that didn't need to be globally accessible should not have been globally accessible, even if they only contained innocuous data.
  • Invoices, file logs and call logs, at a place like MSD, should not have been treated as innocuous data. 
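The first two points above are a network segregation policy, and a policy can be checked mechanically. Below is an added example (mine, not MSD's or Dimension Data's, and not code from the original post) that models a firewall rule table with first-match, default-deny evaluation and audits whether any address in the kiosk segment can reach any corporate service. It shows the weak configuration (a flat network where everything is allowed) beside a corrected one (kiosks may only reach a web proxy). All addresses, segment sizes, hostnames and port numbers are constructed for the example.

```python
import ipaddress

# Constructed addressing for this example; none of it is a real network.
KIOSK_NET = ipaddress.ip_network("10.50.0.0/24")      # public kiosks
CORPORATE_NET = ipaddress.ip_network("10.20.0.0/16")  # staff and servers
WEB_PROXY = "192.0.2.10"                              # the only thing kiosks need

# Corporate services a kiosk must never be able to reach: (host, port).
CORPORATE_SERVICES = [
    ("10.20.1.5", 445),    # file server (SMB)
    ("10.20.1.9", 445),    # invoice server (SMB)
    ("10.20.2.20", 445),   # call-logging server (SMB)
]

# Weak configuration: one flat network, everything may talk to everything.
WEAK_RULES = [
    {"action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None},
]

# Corrected configuration: kiosks reach the web proxy and nothing else;
# corporate-to-corporate traffic is unchanged. Order matters (first match wins).
FIXED_RULES = [
    {"action": "allow", "src": str(KIOSK_NET), "dst": WEB_PROXY + "/32", "port": 3128},
    {"action": "deny",  "src": str(KIOSK_NET), "dst": "0.0.0.0/0", "port": None},
    {"action": "allow", "src": str(CORPORATE_NET), "dst": str(CORPORATE_NET), "port": None},
]


def is_allowed(rules, src_ip, dst_ip, port):
    """First-match rule evaluation with an implicit deny at the end of the table.
    A rule with port None matches any port."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule["src"])
                and dst in ipaddress.ip_network(rule["dst"])
                and rule["port"] in (None, port)):
            return rule["action"] == "allow"
    return False


def audit_kiosk_isolation(rules, kiosk_net=KIOSK_NET, services=CORPORATE_SERVICES):
    """Return every (kiosk_ip, host, port) the policy lets a kiosk reach.
    An empty list means the kiosk segment is isolated from those services."""
    probe = str(next(kiosk_net.hosts()))  # any address in the segment will do
    return [(probe, host, port)
            for host, port in services
            if is_allowed(rules, probe, host, port)]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        leaks = audit_kiosk_isolation(rules)
        print(f"{label}: {'ISOLATED' if not leaks else 'REACHABLE ' + str(leaks)}")
```

A check like this only proves the rule table says the right thing; it does not prove the kiosks are actually on a separate segment with that table in front of them. That is why the DiData report asked for physical separation rather than filtering on a shared network, and why the result should be confirmed by testing from a real kiosk address, not just from the policy file.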

Aside from the files I got my hands on, I was also told that the configuration files for virtual machines were readily accessible in the same way. I've had no experience with setting up virtual machines, but here you go:

If someone knows how bad/not-bad this stuff is, please explain it to me in the comments section! And yes, the bits I blanked out were passwords in plaintext.

The Acting Privacy Commissioner was briefed on this today, and I'll be handing the files over to them tomorrow. This story took most of the week to do, so if you like it, some money would be greatly appreciated.

UPDATE: MSD has told me that they will be taking the kiosks offline until the problem is resolved.