
 


Labour alerts Justice Ministry to gaping security hole

Clare CURRAN
Communications and IT Spokesperson

9 April 2013 MEDIA STATEMENT

Labour alerts Justice Ministry to gaping security hole in its website
Labour’s Information Technology spokesperson, Clare Curran, has today alerted the Ministry of Justice to a serious security flaw in its website.

The vulnerability leaves the personal and financial details of tens of thousands of New Zealanders potentially exposed, and might allow a malicious person to redirect payments to and from members of the public.

“This is a very serious matter. This is yet another gaping hole in the security of a major government site, with privacy and financial implications for a huge number of people,” says Clare Curran.

The security flaw allows access to Ministry of Justice passwords and databases, via a publicly accessible search engine on its website.

“The Ministry of Justice holds incredibly sensitive data – including information about the victims of crime. The Government has a fundamental duty to protect that information. This flaw, if exploited, could have a devastating effect on thousands of people.

“Earlier today I wrote to the Ministry of Justice, the Minister Judith Collins and the Privacy Commissioner alerting them to the issue, which must be addressed urgently.

“This matter was brought to my attention by a whistle-blower. That person has agreed to help the Ministry of Justice in any way they can to ensure the security flaw is fixed.

“This is the latest in a disturbingly long line of information technology security flaws and privacy breaches. There is clearly a major systemic problem with IT security.

“In the past two years more than 100,000 Kiwis have had their privacy breached by government agencies, including the ACC, MSD, IRD and EQC. This is an issue of public trust and confidence in government systems.

“The National Government needs to treat this matter with the seriousness it deserves, and stop hiding behind human error as an excuse for not protecting people’s private information,” says Clare Curran.



Ministry of Justice security flaw Q and A

What is the nature of the security flaw?
The flaw allows access to what appears to be Ministry of Justice databases covering licences and fines. Those databases would likely include the personal details of many victims of crimes.

Access to the page containing passwords for the databases was found via a publicly accessible part of the Ministry of Justice website.

How serious is this vulnerability?
This is a serious flaw. The passwords were contained in a plain text file, and those passwords could be used to access incredibly sensitive information, and could potentially allow someone to alter fines payments and financial records.

The MoJ website is very vulnerable to anyone who is serious about trying to break into it. The MoJ website’s security is nowhere near an acceptable standard.

Potentially how many people’s information is at risk because of this problem?
That is not clear. But the databases in question could include information about people that the Courts have imposed a fine upon, and any victim of crime that is receiving reparations. At the very least the databases also hold the details of those with licences issued by the Ministry of Justice.

How did Clare Curran become aware of the issue?
Clare Curran was contacted by a concerned member of the public, who identified the vulnerability. That person contacted her in the hope that she could help expose the problem and get it fixed.

The whistle-blower did NOT access the Ministry databases, but did view the plain text file that contained the passwords. This confirmed the seriousness and extent of the security issue. This file has been passed on to the Ministry of Justice.

Clare Curran will not be publicly identifying her source, but they have agreed to help the Ministry of Justice to address this problem.


© Scoop Media

 
 
 
 
 