MSD's Leaky Servers

22:00 Oct 14, 2012 629

My jeans were torn, my hoodie was pretty ragged, and I hadn't shaved for a week. It turned out that bloggers are remarkably good at disguising themselves as unemployed, without even trying.

Last week, I got tipped-off that the parts of the MSD network were completely exposed to the public. You could go into any WINZ office and use their self-service kiosks to access their corporate network.

These locked-down kiosks are provided so you could look for jobs online, send off CVs etc. They've had some basic features disabled, which supposedly meant that you couldn't just open up File Manager and poke around the machine. However, by just using the Open File dialogue in Microsoft Office, you could map any unsecured computer on the network, and then open up any accessible file.

This basically means you can grab any file that wasn't bolted down on the network, while standing in the middle of a WINZ office. And that's what I did.

So what wasn't bolted down? Let's start with the boring stuff. There were servers connected to their call centre systems, logging calls going in and out. They contained sound recordings which I couldn't open, but which I suspect (for various reasons) are NOT complete recording of calls. I guess I'll leave that for the Privacy Commissioner.

And then there were file server logs. Normally, they aren't that exciting. Except that WINZ name their files quite well. For example:

s:\SharedData\wi_wites\Waikato\HAM\Fraud Investigations\[Name of investigator]\[Name of WINZ client] 23 Jun 2011 Case 640026-10.WMA

And so on. There were similar files for other "special" clients as well. There are probably a lot of personally identifying details in there, but I didn't spend much time going through them, because then I got tipped-off about the invoice server. It contains what appears to be all of MSD invoices for this year. Among all the invoices for milk and sausage rolls were invoices for:

Contractors
With full names, hours worked, pay rates and pay details for all of MSD's contract workers (Studylink/Call Centre staff, consultants, *coughmediatrainerscough*, temporary staff, etc).

Doctors/Radiology
With full names of candidates for adoptions, foster parents and Limited Services Volunteers (they have to get medical reports first). Others were for children in CYFS care, with their full names and their chief complaint; some of these were for x-rays after injuries.

Debt Collection
MSD's Collection Units uses Veda to keep track of people who owe them money. And Veda's invoices to MSD shows the full name of every person they helped MSD to locate. i.e. The invoice is a list of people who owe MSD money. MSD outsources debt collection to another vendor, whose invoices detail the full name of each person owing money, how much they've paid and how much they still owe to MSD.

Fraud Investigation
The Benefit Control Unit and Intelligence Unit (basically the fraud investigators) also used Veda to locate and get credit records for people they're investigating (with full names, of course). Conveniently, these are billed separately, under "Benefit Control Unit" and "Intelligence Unit", so it doesn't get mixed up with the Collection Units' invoices. Another set of invoices are for the servicing of court documents on behalf of MSD, some done by private investigators.

That's the light stuff. Now it start getting messy:

HCN
HCN stands for "High and Complex Needs". These are:

..short-term, intensive interventions aimed at addressing the severe and current needs of the most challenging children or young people

Note "the most". Because of it's interagency nature, invoices come from other agencies to CYFS. These invoices contain the full names of kids in the HCN programme and the cities they live in. In a few cases, they also contain the date of birth and the name of the school which they attend.

Care & Protection
Care & Protection homes are:

This is a safe and secure place where children and young people will go if they are in our care and can’t live in the community for a while. They might stay at a residence if:

there are worries about the child or young person’s safety

their actions are putting themselves at risk

or they are putting others around them at risk.

These invoices contain the first names, dates and costs of children living in CYFS Care & Protection homes. Other CYFS residential arrangements are also listed, containing the full name of children.

Phone bills
Bills from Telecom for CYFS Family Homes and Care & Protection facilities. Since the billing address is just MSD, it's often hard to tell which facility the phone bill is for. So Accounts has handwritten the full address of each of these facilities on each bill.

Along with the name of the facility and its address are the normal stuff contained in a phone bill: The phone number of each of these facilities, along with a complete log of all the toll calls made from that location.

Pharmacy
Bills from pharmacies to CYFS facilities, listing the children in that facility and the medication they are prescribed. These range from the antibiotics and scabies cream to cancer drugs, ADHD drugs, anti-depressants and anti-psychotics.

Legal bills
All of MSD's legal bills are in there, along with other legal bills paid for by MSD (e.g. Representation for foster parents). Most of these are invoices from Crown Law. They often mention the full names of parties and lawyers in the case, as well as the nature of the case. This can be very revealing information, for example, if the nature of the case is "Historical Claims", and the lawyers representing one side specialises in historical abuse and the other side is CYFS.

Some of these claims were settled out of court. The details of the settlements are not there, just the fact that a complaint was made and that it was settled.

In any event, all of these invoices are legally privileged.

Last one
One community group invoiced for providing support to a whanu after a suicide attempt (full name of that person included).

I sorted through 3500 invoices. This was about half of what I obtained, and what I obtained was about a quarter of what was accessible. There are probably more outrageous things still on that server, and there probably other servers that I've completely missed. But I'm done for now.

This stuff was all a few clicks away at any WINZ kiosk, anywhere in the country. The privacy breach is massive, and the safety of vulnerable children was put at risk.

This should never have happened:

Public kiosks should not have been connected to the corporate network.

Servers that didn't need to be globally accessible should not have been globally accessible, even if they only contained innocuous data.
Invoices, file logs and call logs, at a place like MSD, should not have been treated as innocuous data.

Aside from the files I got my hands on, I was also told that the configuration files for virtual machines were readily accessible in the same way. I've had no experience with setting up virtual machines, but here you go:

If someone knows how bad/not-bad this stuff is, please explain it to me in the comments section! And yes, the bit I blanked out were passwords in plaintext.

The Acting Privacy Commissioner were briefed on this day, and I'll be handing the files over to them tomorrow. This story took most of the week to do, so if you like it, some money would be greatly appreciated.

UPDATE: MSD has told me that they will be taking the kiosks offline until the problem is resolved.

629 responses to this post

First ←Older Page 1 2 3 4 5 … 26 Newer→ Last

Jackson James Wood, 22:14 Oct 14, 2012

Ninja.

New Zealand • Since May 2011 • 21 posts Report
Mellopuffy, 22:18 Oct 14, 2012

Holy crapola. Word.

Dunedin, NZ • Since Feb 2007 • 63 posts Report
ange wither, 22:24 Oct 14, 2012

I'm really shocked to read this, its appalling that information about vulnerable people is so freely available. Good on you Keith for drawing attention to this situation. Happy to support independent journalism.

Wellington • Since Nov 2006 • 54 posts Report
Scott A, 22:26 Oct 14, 2012

Holy shit.
I'm also aghast at the implication that any WINZ / MSD staff member can see sensitive information held by another unit. Have they no concept of information security? Do they not care that there have been prosecutions of their staff for committing fraud based on the internal information, and still done nothing to do basic folder / directory security?

The wilds of Kingston, We… • Since May 2009 • 133 posts Report
Thomas Beagle, 22:27 Oct 14, 2012

Crimes Act s252 (1) "Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system."
Did you get any legal advice before a) breaching the security of the MSD systems, b) putting up this post?

New Zealand • Since Nov 2007 • 50 posts Report
Yamis, 22:28 Oct 14, 2012

Astonishing.

Since Nov 2006 • 903 posts Report
Ben Curran, 22:30 Oct 14, 2012

You got a response from WINZ on a Sunday?
That was the 2nd thought that occurred, after the obligatory wtf?

Since May 2011 • 47 posts Report
Indy Griffiths, 22:32 Oct 14, 2012

I'm worried about how short the administrator passwords are. It almost looks like they're the same as the registered owner, altiris.

New Zealand • Since Oct 2012 • 1 posts Report
Chris Miller, 22:33 Oct 14, 2012

Thomas, I would love to see them go after him for this. LOVE TO. He may well have technically broken the law but public opinion if they tried to charge him for it could get very messy.
And yeah, I've seen statistics that suggest a significant amount if not the majority of benefit fraud is committed by MSD staff, so the fact that the staff can access this stuff is pretty horrifying in and of itself.

Otautahi, Aotearoa • Since Nov 2011 • 17 posts Report
Tristan, 22:33 Oct 14, 2012

I'm pretty sure I know why this happened... Some bright spark decided because people had to print this CVs they had to be on the network.
Now why that data wasn't locked down tighter than the safe at the nakatomi plaza is anyones guess. I expect this will be big news thanks to ACC
...yippie kaiay mother fucker

Auckland • Since Nov 2006 • 221 posts Report
Ben Gracewood, 22:33 Oct 14, 2012

A) What Thomas said. My immediate reaction is "wow Keith you could end up in a lot of trouble". Bravo!
B) I'm sadly not very surprised. I'm surprised the kiosks can see the data, but I'm not surprised by the shitty internal security. These departments spend hours and millions making sure their users can't access Twitter, but couldn't give a crap if a file server is one click away from unauthorized access.

Orkland • Since Nov 2006 • 168 posts Report
nzlemming, 22:35 Oct 14, 2012

Fucking. Hell.
I cannot believe this. This is sysadmin 101. What the fuck were they thinking?
My experience with VMs is limited but I think the data you show is significant, especially the clear text password. Without command line or explorer access, I think you'd have had difficulty launching them but you could possibly have copied them to a large enough USB key for off-site study. But FFS their firewall is a virtual server on the corporate network??? Surely not!
Mind blown.
Well done you.

Waikanae • Since Nov 2006 • 2937 posts Report
Nigel McNie, in reply to Thomas Beagle, 22:35 Oct 14, 2012

Thomas, don't be silly. He asked the servers if they would give him the information and they said 'OK!'

New Zealand • Since Oct 2012 • 15 posts Report
Chris Miller, in reply to Nigel McNie, 22:40 Oct 14, 2012

Agree Nigel, I don't know that you can really call it breaching the servers! He went to the File menu of a public computer and clicked Open File. Mega hax there. If he wasn't supposed to have it, surely they wouldn't have put it there, as I'm sure plenty of lawyers would argue.

Otautahi, Aotearoa • Since Nov 2011 • 17 posts Report
Robyn Gallagher, 22:40 Oct 14, 2012

They contained sound recordings which I couldn't open, but which I suspect (for various reasons) are NOT complete recording of calls.
When you phone the W&I call centre, there's always a message that says calls may be recorded "for our purposes". I assume those sound files are the result of such a recording. I'm still very intrigued to know what these 'purposes' are.
BTW, you know what's almost as scandalous as this network sharing issue? The W&I kiosks block access to Google Docs/Drive, which surely is an extremely valuable tool for a job seeker with no home computer.

Since Nov 2006 • 1946 posts Report
Ben McNicoll, 22:46 Oct 14, 2012

I just hope someone somewhere has still got the cover your ass email/memo where they pointed this lack of security out years ago but were told the solutions were too expensive.

Grey Lynn • Since May 2007 • 115 posts Report
Andre Alessi, 22:47 Oct 14, 2012

I don't think there are enough /facepalm gifs in the world to express my feelings right now.
I mean, I've worked in some sloppy/cack-handed corporate IT environments in my time, but this...

Devonport, New Zealand • Since Nov 2006 • 864 posts Report
Ben McNicoll, 22:49 Oct 14, 2012

And also, someone ask Bradley Ambrose if he thinks the govt would need a cut and dry case before sicking the cops onto Keith out of embarrasment and the need to shoot the messenger.
I think it would be a PR disaster, so I hope you don't mind that I'm kind of rooting for them to give it a shot, Keith.
I'll donate a little bit more to your legal fund if they do though.

Grey Lynn • Since May 2007 • 115 posts Report
danielpresling, 22:57 Oct 14, 2012

Wow! In theory you could have copied the hyper-v folders and stood them up with very little effort on any other machine. I'd like to assume they have some form of encryption on the network/virtual disks to stop that happening but it appears that's not the case.
This is IT security 101. You can have them all connected to the corporate network (although why you wouldn't have them in their own workgroup/domain is beyond me) you just make sure the user account associated to the kiosk machines can't see anything other than itself and a printer. The fact that the network and it's shares are open internally is extremely poor work on the sys admins behalf.
If I'm not mistaken the kiosk machines have full access to the internet too which could be exploited pretty easily. As I'm typing I realise that this is probably how the files were copied off the machine.

Auckland • Since Nov 2006 • 6 posts Report
mark taslov, 23:04 Oct 14, 2012

牛逼

Te Ika-a-Māui • Since Mar 2008 • 2281 posts Report
nzlemming, in reply to mark taslov, 23:07 Oct 14, 2012

Really?

Waikanae • Since Nov 2006 • 2937 posts Report
James Harden, in reply to Robyn Gallagher, 23:08 Oct 14, 2012

Phone recordings are used for quality assurance, training and in investigations of complaints or fraud. It's pretty much as you'd expect from any call centre. Remember, you are entitled to request a copy of a recording of you via the Privacy Act.

Since Oct 2012 • 1 posts Report
mark taslov, in reply to nzlemming, 23:09 Oct 14, 2012

For sure.

Te Ika-a-Māui • Since Mar 2008 • 2281 posts Report
Chris Miller, in reply to James Harden, 23:09 Oct 14, 2012

Or from the WINZ kiosk, apparently.

Otautahi, Aotearoa • Since Nov 2011 • 17 posts Report
danielpresling, 23:20 Oct 14, 2012

From the NBR article this evening it states - "A security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after. " - so in theory someone has looked at these kiosks twice (at least) and thought they were all good.

Auckland • Since Nov 2006 • 6 posts Report