Member log in

GCSB role highlighted as govt orders urgent review of all publicly-accessible computers

The State Services Commissioner and head of state services, Iain Rennie, today asked Department of Internal Affairs and Government Chief Information Office head Colin McDonald to undertake an urgent review of publicly-accessible systems operated by State Services.

“The Work and Income kiosk security failure has been a serious breach of the trust that New Zealanders place in their government. It is imperative that government takes the lead to ensure the public and in repairing the damage that has been done to this trust,” Mr Rennie says.

A spokeswoman for the commissioner told NBR ONLINE there were no terms-of-reference for the inquiry. They were expected in the next couple of days.

Mr McDonald will be contacting government agencies in the first instance to seek assurances that their current systems are robust.

“In keeping with the increase in responsibility of his role, the GCIO will lead public service agencies in evaluating and strengthening their ICT security measures to ensure that there are no systemic faults that could cause additional security issues,” Mr Rennie says.

“Since the findings of the Privacy Commission report in August on the handling of private material held by ACC, the State Services Commission have been considering a wider role for the GCIO across the system.”

GCSB role highlighted
Meanwhile, a senior IT industry manger, who did not want to be named but has worked with the Government Communications Security Bureau, has highlighted the agency's role in domestic computer network security.

He told NBR there is a common misconception - even among those working in government IT - that the Department of Internal Affairs (DIA) mandates security practices.

In fact, all government agencies must follow a set of security guidelines laid down by the GCSB.

The GCSB protocols, called the New Zealand Information Security Manual, are online here (with some sections censored).

Former GCSB director Jerry Mateparae writes in the introduction:

The New Zealand Information Security Manual (NZISM) is the national baseline technical security policy, describing baseline and minimum mandatory technical security standards for government departments and agencies.

The guidelines, which run to 247 pages, are comprehensive. Among many other measures, they say information should be encrypted if there is any possibility it can be accessed from a computer in a public space.

However, the manager said he had encountered widespread ignorance about the GCSB rules among government agencies.

They had obviously not been followed by the MSD and its private contractors.

 Beyond connecting public kiosks to its main corporate network, storing passwords in plain text (which Keith Ng and Ira Bailey could view) was contrary to any security security guidelines, let alone the GCSB-mandated protocols.

The source said the security issue at the GCSB went beyond the potential for rogue staff, or locals like Ng and Bailey to access the MSD network. Any foreign power looking to access sensitive files would not make a full frontal assault, but likely find a weak point, such as the MSD kiosks, then work there way in from there.

Deloitte contracted for MSD inquiry
Developments yesterday saw Ministry of Social Development CEO Brendan Boyle acknowledge he was wrong to blame IT contractor Dimension Data yesterday for the WINZ kiosk breach.

In fact, the IT services company had warned of a possible security issue in April last year.

The MSD contracted Deloitte to conduct an independent inquiry. Its scope will go beyond the public kiosk security to wider network security and MSD culture and governance.

Ex-Deloitte senior manager Daniel Ayers told NBR the initial two-week assessment by Deloitte could cost $40,000 to $50,000 - but network fixes required could run to tens of millions of dollars.

Mr Ayers maintains he already knows what Deloitte will say; read more of his comments here.

More by Chris Keall

Comments and questions

Good start. Now what about a review of ministers?

Duh. The government's IT security sucks because they are all up Microsoft's butt. Their solution to the problem is "reinstall everything." They are like vapid office workers from the '90s, using the same strategies they learned running Windows '98 and hemmorrhaging taxpayer money buying everything Redmond ponies out in front of them. PATHETIC

Nice try. MSD's systems were (as I understand) Unix-based. You can screw up a SMB server config just as easily as you can a Windows server. Likewise both can be bullet-proof secure.

It's not the software, stupid.

You're right, it isn't just the software. But, let's see, which was the interface that was providing the hole. That "UNIX" backend shouldn't be running a CIFS service if it wasn't for all the MSFT frontend.

Sigh. Any system or network can be insecure regardless of the underlying technology stack.

No one said otherwise. If any system can be insecure, then criticism of MSFT is justfied and valid.

When you have flawed ministers, flawed CIO, flawed processes, flawed operating systems, flawed oversight, flawed communication, flawed reaction times to correct-and-remedy -- it all makes for the 'perfect storm'.

Tell me, what does Iain Rennie do, when he goes into work? Besides, unwrapping his Glad-wrapped sandwiches (with the crust carefully trimmed-off).

Can we get some real ministers,real IT experts(LOL) real CEO's as the present lot seem to be defective, incompetent, moronic, munters,who got the job because they"knew" someone,who could employ them,when no one else would.

Mr McDonald will be contacting government agencies in the first instance to seek assurnaces that their systems are robust.
DUH!!!!!! Thats like asking a drunk if they want another drink.
Assume nothing or assume the worst and start from there.

you can't jump to conclusions about those plaintext passwords that were screen shotted and pasted into the blog post

for all we know those were build scripts from a test lab
or they were used to build the kiosks and then they were changed when they were managed by the domain

I've seen all sorts of crazy claims that these were domain admin/root passwords stored in the clear, and from the screen shot you can't just assume that