Detail on kiosk fault too risky to release: MSD

Ministry of Social Development declines to give more information on reasons for suppressing details of breach

The security fault labelled "critical" in Security-Assessment.com's May 2011 report on the Ministry of Social Development's kiosk systems was promptly fixed, but MSD still declines to provide detailed information on the reasons for suppressing details of the fault under the Official Information Act.

The public kiosks were revealed by blogger Keith Ng in October to have major security flaws that exposed private information. Three inquiries were immediately launched, including one by Deloitte into what happened.

MSD says despite fixing the fault, a continuing security risk attaches to fuller disclosure.

Even to discuss why information on the critical vulnerability was withheld would risk "disclosing information about how to hack into the system" and potentially other similar systems, says a spokeswoman passing on comment from the ministry's "OIA team".

Warning of the critical fault occurs on Page 7 of Dimension Data subsidiary Security-Assessment's "kiosk review". The copy of that report released alongside the analysis of the failing by consultancy Deloitte names only one reason for withholding details -- Section 6(c) of the OIA, which says release might "prejudice the maintenance of the law, including the prevention, investigation, and detection of offences, and the right to a fair trial".

A later copy of the report, linked from a Computerworld article on November 21, adds a reference to Section 9(2)(k) under which information can be withheld to "prevent the disclosure or use of official information for improper gain or improper advantage."

This is not an additional ground thought up this month, the MSD spokeswoman says; it was simply omitted in the first publication of the report; "there were always two grounds."

Other vulnerabilities, given the lower grading of "urgent", remained unfixed after the Security-Assessment report and were used by Keith Ng to gain access to restricted files on MSD's network, in order to demonstrate the failures.

The Deloitte report deals only with the specific question of the self-service kiosks. A report on possible security holes in MSD's systems on a broader front is awaited.

Government CIO Colin MacDonald has also commissioned a review of security over all government systems.
