A blogger in New Zealand found that at the offices of the Ministry of Social Development, he could access almost any server in their entire network from one of their kiosk PCs. Not only that, but he could access other government department data too.
The Ministry of Social Development (MSD) is a government agency in New Zealand that provides social policy advice to the government and social services to the public. It is the largest government organization in New Zealand, and provides a number of services to the public that are sensitive in nature.
The kiosk PCs in question are provided so that people can search for jobs online. They're locked down on a basic level, but it turns out the lockdown didn't go far enough to secure them: a simple "open file" dialog can map auto-discovered network drives to the computer, and from there you can poke around in the files.
The blogger, Keith Ng, found that he could access sound recordings of client calls, file server logs and more, and that data opened the floodgates to even more. The file server logs are so verbose that they give away pretty much everything an actual attacker would need:
s:\SharedData\wi_wites\Waikato\HAM\Fraud Investigations\[Name of investigator]\[Name of WINZ client] 23 Jun 2011 Case 640026-10.WMA
He then found that he could access the entire department's invoices, contractor details, medical information about members of the public, debt collection information and fraud investigation files. It doesn't stop there either: he could also access "High and Complex needs" user information, details of people under the care and protection of the police and government, phone bills, pharmacy bills, legal bills and suicide attempt records. The list goes on.
Even better? Once he'd mapped the drives, he found the domain administrator password stored in plain text in an Altiris configuration file. These are utterly sloppy security practices that could easily have been prevented with the correct knowledge.
It is reported that these public kiosks have been in service for over a year in this same configuration. This means the data could already have been taken, and nobody would ever know. Keith Ng spent around two hours on a kiosk and downloaded hundreds of files to a USB drive (yep, the USB ports weren't disabled) to send to the New Zealand privacy commission.
The New Zealand Prime Minister thinks it'd be pretty hard for anyone to find the information, saying that he thought "accessing the information isn't easy", but we disagree. All you need to do is select "Network" in Microsoft Word's open dialog and you've found it. The department also allegedly knew about the issue a year ago but did nothing:
She said that about a year ago, not long after the kiosks were introduced, she had tested them and found people could get into the ministry's system.

"We went far enough to know that there was a problem, and we let Work and Income and MSD national office know that that problem existed. It was important that they did something about it before someone with skills and time found their way back into Work and Income's files."
It's incredible that a government department so critical to the country could be so incompetent. The data stored in these systems is critical to the safety of protected children, and contains documents detailing almost every person in the country.
The kiosks were taken offline early today, and the department stated it is "very concerned about this and an urgent investigation is underway."
Source: Public Address