Comments on: Heads must roll

By: Kevin

Kevin — Tue, 20 Nov 2012 07:28:20 +0000

It was clearly a,hack. just because some it professionals managed to hack it 18 months before doesn’t make it any less a hack.

Known hackers found and easy portal. They were looking for something and didnt find it or just wanted to embarrass the government. Sob…sob…lost opportunities.

By: mikenmild

mikenmild — Tue, 20 Nov 2012 06:18:29 +0000

‘The staff who were aware of this report and did nothing, clearly must be goneburger – subject to natural justice.’
LOL – do you even know what natural justice is? Maybe you learned it from Alice in Wonderland: ‘Sentence first; verdict afterwards!’

By: Gerrit

Gerrit — Tue, 20 Nov 2012 06:11:21 +0000

Would really like to see the original independent security audit report to see if the security access was reported as closed.

For if it was then we have a conspiracy problem.

Techies created a secure system for the kiosks, independent auditors did not find it open, but someone after the audit changed the settings to enable access.

I would question how often the system was independently audited against the original report. Who had access to the security of the system and how were the changes made approved and recorded.

For it is easy to set up a secure system, have independent auditors agree and sign off as it being secure but still have any techie with access and ability to reset the security levels at a later date.

No regular security review audits and the system is opened up by anyone with malicious intent.

Conspiracy? Possibly.

We need to know the original security audit report findings, the frequency of follow up audits plus terms of reference for the follow up audits. Now that would be interesting.

Wonder how many private and state organizations run full security audits versus the original setup?

By: scrubone

scrubone — Tue, 20 Nov 2012 04:45:22 +0000

If what Brian says is true then it comes back to anonymouse’s point – setting up a subnetwork should not cost, unless your infrastructure is so primitive that that’s not possible in the first place.

But the failure here still boggles my mind. The “hack” is quite literally the first thing I’d check if someone told me to test the security.

I’ve met the sort of moron that builds systems like this. All flash talk and no technical nouse worth a damn. The sort of person who gets promoted far above their actual expertise because they say the right things.

By: Brian Harmer

Brian Harmer — Tue, 20 Nov 2012 03:50:47 +0000

My belief from talking to IT people in the civil service is that the original risk free concept of an entirely isolated network for the kiosks was swatted down at the highest levels as unaffordable. The blame (if that’s the game we are playing) belongs with those who put the techies in the impossible position of being required to produce first class security while providing fourth class funding. Cheap/good …. choose one.

By: lastmanstanding

lastmanstanding — Tue, 20 Nov 2012 03:41:01 +0000

the concept of risk in the civil service is non existant. Like they have no risk of losing their job. Like they can and do white ant their Ministers ( most are Lefties).
Like no ones to blame and if you call for heads to roll you are accussed of having a blame culture. the civil service is neither civil nor does it offer a service. Its just a great big hole sucking tax payers money.

By: anonymouse

anonymouse — Tue, 20 Nov 2012 03:24:57 +0000

This lack of separation means that the kiosk terminal has the same level of authority and access as corporate MSD employees.”

But the bigger issue is the entire network architecture of the MSD network,

There is no reason that all corporate MSD employees should have had access to these documents that contained significant amounts of confidential information.