Tuesday, October 16, 2012

So many questions...

Journalist and blogger Keith Ng last night outed his source in the MSD leak saga; Stuff reports:

One of the men arrested in the Urewera terror raids asked the Ministry of Social Development to pay him for information about problems with its privacy systems, it has been alleged.
A ministry investigation has been launched after blogger Keith Ng reported that he was able to access thousands of files on the agency's servers from the computers in a Wellington WINZ office.
He said he walked into a WINZ kiosk and was able to open files including sensitive case notes, names of children in care and up for adoption, foster parents, lists of people who owed MSD money, details of contract workers and how much they were paid, and the name of a person who had attempted suicide.
Ng last night named Ira Bailey as the person who tipped him off about a "giant vulnerability" in the Work and Income system.
Bailey was initially arrested in October 2007 as part of the police raid against a suspected terror plot. Charges were later dropped against him.
Ng said Bailey now worked as a system administrator and had asked for anonymity after telling him about the problems at Work and Income.
Ng wrote on his blog that Bailey had told him he had "half an hour to kill" at a Work and Income office. He had plugged in a USB drive and, when it did not appear, "he had a poke around the system to find it and found the giant vulnerability instead".
Bailey had called MSD to ask if they had a reward system for reporting security vulnerabilities.
"This is not unusual practice, and it's certainly not blackmail," Ng said.
When Bailey had not heard back from MSD he had decided to contact Ng.
"I put him in touch with an experienced hacker. This hacker told us that government organisations in New Zealand don't really pay for vulnerability reports, and that they were likely to either respond poorly or not at all," Ng said.
MSD later contacted Bailey and told him they would not pay for vulnerability reports.
"Ira told them he'd been talking to a journalist and the conversation didn't go anywhere after that," Ng said. 

This revelation has certainly added an element of intrigue to Ng's story from yesterday, but it also raises a number of questions. Is it credible that an employed "system administrator" had "half an hour to kill" so he went to a WINZ office to access a kiosk? Why would an employed system administrator be inserting a USB stick into a WINZ computer? What was already on the USB stick that Bailey admits to inserting into the computer? And why did Keith Ng put Bailey in touch with an experienced hacker?

Ira Bailey has a history of activism. When he was arrested as part of the Urewera raids, Scoop published a profile on him which ended thus:

Although clearly a committed political, environmental and rights activist of long standing, friends say Ira had not been heavily involved in recent months, concentrating instead on his wind-generating project.  

And interestingly, the Scoop profile noted that Ira Bailey is a good friend of Nicky Hager, of the Don Brash e-mails infamy. The Wellington activist community is indeed a small world!

It would seem that the MSD computer security story has just grown an extra and most intriguing set of legs. Granted, there is no excuse whatsoever for lax computer security, and those who designed and maintained the WINZ kiosks must face scrutiny via the independent inquiry announced yesterday.

There are so many questions surrounding this privacy breach. But we reckon that the most important question is this one: is there more to this whole story than Keith Ng has revealed so far, such as an underlying political agenda, and a concerted attack on the credibility of the Ministry of Social Development, its Minister and the Government?

Watch this space...

18 comments:

Sad Tory said...

"a concerted attack on the credibility of the Ministry of Social Development, its Minister and the Government?"

Boo hoo!

Troo Bloo said...

"Granted; there is no excuse whatsoever for lax computer security"

True! None whatsoever.

Overseer said...

Paula Bennett couldn't and can't keep confidential information about New Zealanders secure. She is a threat to our privacy.
Resign now, Paula.

Milton P. said...

Psycho Milt - unimpressed!

"Yes. This is the truly horrifying part. Either the kiosks were set up to use system administrator accounts to access the network (highly unlikely), or the network has no internal security being applied to it (which up until now I'd also have assumed was highly unlikely, but it's less unlikely than the first option).

This is a genuinely astonishing level of incompetence. Anyone capable of building MSD's network would be used to building in access controls because every other network on the planet uses them, so there's a suspicion here that someone high up in MSD's management made a policy decision not to control access. This is some serious shit.

It's also a non-party-political issue, ie it could as easily have happened under a Labour govt - but it's worth noting that, as expected, Minister Bennett's response to this bad news was to release private data to try and discredit the people who reported the fuck-up. Classy as ever..."

toad said...

Systems analysts like Bailey usually work on one-off projects. So it is entirely credible that he went to a WINZ office to see what jobs were going in his field of expertise.

IHStewart said...

"...is there more to this whole story than Keith Ng has revealed so far, such as an underlying political agenda, and a concerted attack on the credibility of the Ministry of Social Development, its Minister and the Government?"

Ah no. This is a stuff up by the government that should leave Bennett's headless corpse consigned to the back benches for what remains of her political career.

I will not argue with you on political stunts such as purported tapes of the PM clowning around, something he does by his own admission on a daily basis. This is yet another total stuff up by the current administration. Smile and wave as a political philosophy / practice is starting to wear thin.

bsprout said...

Why is it that whenever there are questions around systems or process it has to be purely political?

This Government would gain much more credibility if they actually ate some humble pie occasionally and tried to do the right thing.

National Standards were introduced in the most unprofessional and shoddy way of any educational initiative that I have experienced in over 30 years of teaching. A trial was called for so that problems could be addressed before they were imposed on all schools and this suggestion was called political and ignored.

ACC was dysfunctional for some time and anybody who questioned the system was dismissed as a political agitator.

The schooling plan for Christchurch was highly flawed and little consultation occurred leading up to the plan. Now that several weeks of the time allowed for submissions have passed communities are only just getting some of the detail they need to respond. This is right at the most hectic time of a school year and no extension of time is being offered and those who complain are also told to pull their heads in and stop being "political".

Here we have one of the worst possible scenarios of security mismanagement and those who have exposed the whole debacle are accused of having political motives. Good grief!

I'm sure most people become more political after experiencing what I have described above but what motivates them is the utter incompetence of those who are entrusted to deliver services competently, honestly and efficiently. Paula Bennett would get no grief if she made sure that the departments she is responsible for actually functioned well, were properly staffed and had good systems in place. Cuts across the public service were designed to save money only and no review was done regarding any compromise to safe management. I know how overworked and stressed many public servants are so things like this are only going to happen more.

Team Blue Leader said...

No one going to defend Paula?

Come on team, pull up your socks!

PM of NZ said...

"... it is entirely credible that he went to a WINZ office to see what jobs were going..."

Credible??? Bollocks! I'd suspect that a WINZ kiosk would not be the place to be looking for a systems analyst job.

Charlie said...

Working man goes into WINZ to kill time with a USB to up or download some random stuff irrelevant to his reality?

I've read the profile on scoop of Ira Bailey and I'm not saying the above is impossible, or that it proves Bailey had other motivations, but as far as mainstream PR war goes, everyone who tries to stick up for Bailey's actions shoots themselves in the foot.

Average working Joes don't know what activist programmers get up to for entertainment. All they see is that if it were them, they might have hung out in the library or a café or maybe done some window shopping. But poking around in WINZ? That'd be like a mechanic wandering round a car yard with his testing equipment, testing random stuff, just to kill time.

The main story is the massive security problem. It stands regardless of who and why it was exposed. Even if a gateway in was opened recently, it's still a serious security problem.

Scotsman said...

I am watching this space, hoping for significant comment from you, Keeping Stock.
Scott Yorke is the go to man for that and he says:

"When Ira Bailey discovered the security problem at MSD and asked if there was a reward for finding a security vulnerability (as there is with many companies), someone within MSD gave his name to the media.

In the latter case, there was no justification for publishing Bailey's name. What exactly did he do wrong? The person he told (Keith Ng) behaved entirely properly in bringing the matter to the media's attention. Had Ng just told MSD on the quiet I suspect they would have done nothing. It seems they did next to nothing when they were told of security problems 12 months ago.

What this demonstrates is a pattern of bullying and intimidation by the government..."

FYI said...

DPF is ‘raising questions that need to be considered’,

Whaleoil is going full metal jacket,

and all the little puppy repeater blogs like Keeping Stock, (and BM in here), are running whale’s crap.

It’s a strategy

Keeping Stock said...

Nice try FYI - except that my post went up at 7.11am this morning (I actually started on it just before 6am, but that's neither here nor there), whilst Farrar's was posted at 9am and Slater's at 8.30am.

All I needed to do for this post was go to Stuff and read its story, and go to Google and type in "ira bailey"...it's not rocket science!

jabba said...

when we get a Govt of the left, and it could be in 2014, I hope you left leaners remember how scathing you are over this sort of thing because a Govt led by Shearer, Norman as DPM and possibly MOF and a front bench with Peters, Ardern, Turei and maybe another Gween and possibly Hone will be a bloggers' wonderland.

Grant Mason said...

"when we get a Govt of the left, and it could be in 2014."


Yes, yes baby, YES!

Milton P. said...

One of my technicians told me he’d noticed it earlier this year when he took his wife into WINZ for something. Noticed you could get into their network from the kiosks, looked on their incompetence as none of his business and didn’t report it to them. I don’t believe Bailey was the first to notice this either, he’s just the first who gave enough of a sh*t to point it out to the wazzocks in charge. I guess the govt’s giving us a salutary lesson in how much thanks you’ll get for being public-spirited…

David said...

Some of you may be interested in Whale Oil's post and comments on this subject for some additional balance.

Trinity Routes said...

Whale Oil! Balance!

Best laugh of the day!
Thanks David, you wag!