NZ Government needs to start over on security

The entire Work and Income New Zealand network, and probably the entire NZ Ministry of Social Development (MSD) network, should be considered to be fully compromised.

When Keith Ng investigated a tip-off about vulnerabilities in public kiosks at branches of WINZ, I doubt he expected to gain full access to read invoices, investigation records and details of children in government care.

That such sensitive data was available is incredibly serious, but in my opinion the more-serious implication is that - based on what Keith could do - I believe the entire WINZ network should be treated as compromised.

What do I mean by 'fully compromised'? I mean that every server and workstation should be considered to be accessible and controllable by people who are not employees of the WINZ/MSD system administration team.

For the uninitiated, a domain administrator is God within the boundaries of their network. Potentially they are God within the boundaries of networks that have special relationships with the primary network.

How serious is this? Unless there is fine-grained auditing of the use of access privileges - meaning a written record of every time a privileged account logs in or does something that's beyond the capabilities of an ordinary user - there is no way to know what has been done. And a person who is conducting a full attack can always erase the audit logs, which shows up but it still removes the evidence.

As God, someone could install software on servers to track password changes, watch particular files or directories, or any number of other things.

It looks like the firewall may have been easily accessible - a virtual computer, rather than a dedicated piece of hardware - which would let an attacker configure the firewall to allow them to upload anything they wanted, to anywhere they wanted, and leave no record. And even if that wasn't possible, there is always the old fall-back of plugging in an external hard drive and doing what Keith did: copying things off.

And what does that all mean? It means that every backup, all the way to when the kiosks were installed is an unknown quantity. Recovering from this isn't just a matter of fishing out the last backup tapes and reinstalling the computers.

It means reinstalling all the computers.

It means reinstalling the computers from scratch using media that hasn't been stored on the network. It means that no data on the network can be trusted, unless it checks out when compared to data from backups that were created and stored off the network before the kiosks were installed.

Am I being paranoid?

I don't think so, to be quite honest. I was an IT security auditor in a recent past life, and a network and system administrator before that. If I were a WINZ IT administrator I would be saying exactly the same things. I know how easy it is to escalate from being a local user to being a domain admin, without the benefit of stored passwords, and I know what can be done once one is a domain admin.

Also, given that Keith Ng was able to drag out data from computers that were across the network, it is possible that the kiosk's local SAM file (a local cache of network credentials) could have been copied off to a USB key.

It's only necessary to be a local administrator to achieve that, and making that happen would have been straightforward. An attacker could then use freely-available software to find out the usernames and passwords for use on the network.

At this point, there is no way of finding out who might have done these things. Public-access terminals don’t require identification, which is entirely normal, so anyone could walk in off the street and make use of the kiosks.

All that can be done is damage mitigation and to assure control of the network. Every user password needs to be changed immediately, with accounts locked out if the password isn’t changed within a few hours of the directive being sent. Any pattern for setting administrative passwords needs to be ditched before those passwords are changed.

Above all, though, the kiosks must never be re-attached to the global WINZ network.

Other departments should learn from this and implement good-practice behaviours for public terminals. Anything else done in response will be for nothing if this same fundamental mistake is made.

For WINZ, any future audit of their systems needs to be accompanied by a public undertaking to comply to the letter with recommendations, with post-compliance auditing to confirm that holes have been completely closed.

Matthew Poole is an independent information security and risk analyst and director of Daemon Consulting Limited.