Ng names source: Urewera 17 member Ira Bailey
Featured comment: "The government should establish an IT advisory group that can co-ordinate with any and all government IT departments on issues like this and that group should institute and publicise a Vulnerability Reward program."
UPDATE Oct 16:
The Prime Minister was stirring on TV3's Firstline this morning, speculating that blogger Keith Ng paid Urewera 17 member Ira Bailey for his tip about an MSD security breach.
"Obviously it would have been better if the individual involved had actually told the government and not tried to charge the government some sort of 'fee' - to put it in those terms - but he didn't and goodness knows what he did with the blogger. I don't know if he gave it to him or sold it to him," John Key said.
The Prime Minister and MSD CEO have framed Mr Bailey's request for money in sinister terms, implying some kind of shake-down. Mr Bailey's supporters have pointed out that a number of organisations, including Google, regularly pay people who report bugs.
After Mr Key's interview, NBR asked Keith Ng whether he had paid Mr Bailey.
"No," he replied.
Mr Ng also reiterated his line from his latest blog that, "He showed me the vulnerability - the only condition was that his name be kept out of it."
The blogger has now received more than $4400 in donations from the public after asking readers to chip in if they appreciated his investigative story.
Oct 15, 8pm: Blogger Keith Ng this evening named the man who tipped him off to a major Ministry of Social Development security hole: Urewera 17 member Ira Bailey, younger brother of Urewera Four member Emily Bailey.
Mr Bailey faced firearms charges in the wake of the 2007 Urewera terrorism raids. A police expert witness said a chemical recipe and instructions found in his flat could be used to create a thermite bomb capable of melting the engine block of a car. All charges against the Wellington man were ultimately dropped.
Mr Ng's move had the look of a preemptive strike.
And indeed when NBR ONLINE contacted the blogger, he said he had received a call from NZ Herald reporter Claire Trevett, asking him to confirm if Mr Bailey was his source (as NBR types, the Herald has yet to publish an article based on that tip).
Did he suspect the MSD had tipped off the Herald, raising a different kind of question about its security?
Mr Ng responded, "People who knew Ira's identity were me, our lawyer, his family and MSD."
But in his On Point blog, he elaborates:
Since he called MSD and left his name and number, it was always likely that they’d out him as a diversion. We had hoped that it wouldn’t get to that, but it has, which is why I’m writing this now.
Tonight, MSD spokesman David Venables told NBR, "MSD has not named anyone".
Ms Trevett declined to discuss her source.
The Urewera 17 tie-in is juicy, and could, indeed, distract the media (see - cough - the headline above). Conspiracy theorists might see Mr Bailey looking to extract some utu on the Crown.
Mr Ng writes that the truth is much more straightforward:
He currently works as a system administrator, has a young child and is not interested in being in the media limelight. That’s why he asked for anonymity.
He [Ira] did not have any special access to the system – he just had half an hour to kill at a WINZ office. He plugged in his USB drive and it didn’t appear, so he had a poke around the system to find it – and found the giant vulnerability instead.
He called MSD to ask if they had a reward system for reporting security vulnerabilities. [Earlier today, MSD CEO Brendan Boyle said an attempt had been made to receive money in return for details of a security issue]. This is not unusual practice, and it’s certainly not blackmail. Google and Facebook, for example, both pay for vulnerability reporting. It gives them an opportunity to close holes discreetly, without causing embarrassment for their company.
MSD didn’t know what to do with his request, and it got slowly bumped up the food-chain.
Ira didn’t hear back from them, so he talked to me instead.
Mr Ng ran his own week-long investigation to confirm Mr Bailey's tip-off, then went public with what he found: an embarrassing security lapse that meant many parts of the ministry's network, and sensitive client files, were accessible from public WINZ kiosks.
Institute of IT Professionals head Paul Matthews told NBR the MSD's security woes appear to go far beyond the kiosks.
He told NBR last night, "As well as the clear issues of placing a publicly accessible system on an internal network containing highly sensitive data, the fact that any computer on the network can seemingly openly access these types of files points to a potential widespread systemic failure of IT security and governance."
The MSD has commissioned an independent inquiry, but confined it to kiosk security at this point, CEO Brendan Boyle said yesterday.
The chief executive said the ministry worked with two companies on security issues, KPMG and Dimension Data.
Dimension Data had carried out penetration testing on the kiosks, which were installed in April last year, but uncovered no issues.
Penetration testing was now being intensified.