A blogger in New Zealand found that at the offices of the Ministry of Social Development, he could access almost any server in their entire network from one of their kiosk PC's. Not only that, but he could access other government department data too.
The Ministry of Social Development (MSD) is a government agency in New Zealand that provides social policy advice to the government and social services to the public. It is the largest government organization in New Zealand, and provides a number of services to the public that are sensitive in nature.
The kiosk PC's in question are provided so that people can search for jobs online, and they're locked down on a basic level, but it turns out they didn't go far enough to try and secure them. A simple "open file" dialog can map auto-discovered network drives to the computer and then you can poke around in their files.
The blogger, Keith Ng, found that he could access sound recordings of client calls, file server logs and more, and that data just opened the floodgates for even more. The file server logs are so verbose that they gave away pretty much everything an actual hacker would need:
s:\SharedData\wi_wites\Waikato\HAM\Fraud Investigations\[Name of investigator]\[Name of WINZ client] 23 Jun 2011 Case 640026-10.WMA
He then found that he could access the entire department's invoices, contractor details, medical related information of the public, debt collection information and fraud investigation files. It doesn't stop there either, he could also access "High and Complex needs" user information, details of people under the care & protection of the police/government, phone bills, pharmacy bills, legal bills and suicide attempt records. The list goes on.
Even better? Once he'd mapped the drives, the administrator password for the domain had been stored in plain text in an Altiris configuration file. These are utterly sloppy security practices that could easily be prevented with the correct knowledge.
It is reported that these public kiosks have been in play for over a year, and in this same configuration. This means the data could have already been lost at this point and nobody will ever know. Keith Ng spent around 2 hours on a kiosk and downloaded hundreds of files to a USB drive (yep, the USB ports weren't disabled) to send to the New Zealand privacy commission.
The New Zealand Prime Minister thinks it'd be pretty hard for anyone to find the information, saying that he thought "accessing the information isn't easy" but we disagree. All you literally need to do is select "network" in Microsoft Word and you've found it. The department also allegedly knew about the issue a year ago but did nothing;
She said about a year ago, she had tested the kiosks not long after they were introduced and found people could get into the ministry's system.
We went far enough to know that there was a problem, and we let Work and Income and MSD national office know that that problem existed. It was important that they did something about it before someone with skills and time found their way back into Work and Incomes files
It's incredible that a government department so critical to the country could be so incompetent. The data stored in these systems is critical to the safety of protected children, and contains documents detailing almost every person in the country.
The kiosks were taken offline early today, and the department stated it is "very concerned about this and an urgent investigation is underway."
Source: Public Address