Labour alerts Justice Ministry to gaping security hole

Clare CURRAN
Communications and IT Spokesperson

9 April 2013 MEDIA STATEMENT

Labour alerts Justice Ministry to gaping security hole in its website
Labour’s Information Technology spokesperson, Clare Curran, has today alerted the Ministry of Justice to a serious security flaw in its website.

The vulnerability leaves the personal and financial details of tens of thousands of New Zealanders potentially exposed, and might allow a malicious person to redirect payments to and from members of the public.

“This is a very serious matter. This is yet another gaping hole in the security of a major government site, with privacy and financial implications for a huge number of people,” says Clare Curran.

The security flaw allows access to Ministry of Justice passwords and databases, via a publicly accessible search engine on its website.

“The Ministry of Justice holds incredibly sensitive data – including information about the victims of crime. The Government has a fundamental duty to protect that information. This flaw, if exploited, could have a devastating effect on thousands of people.

“Earlier today I wrote to the Ministry of Justice, the Minister Judith Collins and the Privacy Commissioner alerting them to the issue, which must be addressed urgently.

“This matter was brought to my attention by a whistle-blower. That person has agreed to help the Ministry of Justice in any way they can to ensure the security flaw is fixed.

“This is the latest in a disturbingly long line of information technology security flaws and privacy breaches. There is clearly a major systemic problem with IT security.

“In the past two years more than 100,000 Kiwis have had their privacy breached by government agencies, including the ACC, MSD, IRD and EQC. This is an issue of public trust and confidence in government systems.

“The National Government needs to treat this matter with the seriousness it deserves, and stop hiding behind human error as an excuse for not protecting people’s private information,” says Clare Curran.



Ministry of Justice security flaw Q and A

What is the nature of the security flaw?
The flaw allows access to what appears to be Ministry of Justice databases covering licences and fines. Those databases would likely include the personal details of many victims of crimes.

Access to the page containing passwords for the databases was found via a publicly accessible part of the Ministry of Justice website.

How serious is this vulnerability?
This is a serious flaw. The passwords were contained in a plain text file, and those passwords could be used to access incredibly sensitive information, and could potentially allow someone to alter fines payments and financial records.

The MoJ website is very vulnerable to anyone who is serious about trying to break into it. The MoJ website’s security is nowhere near an acceptable standard.

Potentially how many people’s information is at risk because of this problem?
That is not clear. But the databases in question could include information about people that the Courts have imposed a fine upon, and any victim of crime that is receiving reparations. At the very least the databases also hold the details of those with licences issued by the Ministry of Justice.

How did Clare Curran become aware of the issue?
Clare Curran was contacted by a concerned member of the public, who identified the vulnerability. That person contacted her in the hope that she could help expose the problem and get it fixed.

The whistle-blower did NOT access the Ministry databases, but did view the plain text file that contained the passwords. This confirmed the seriousness and extent of the security issue. This file has been passed on to the Ministry of Justice.

Clare Curran will not be publicly identifying her source, but they have agreed to help the Ministry of Justice to address this problem.


© Scoop Media