Security Is Always Down To The Weakest Link

Nice non-paywalled report <https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=12235615> into how the National Party (and others) were able to obtain supposedly-confidential details of today’s Budget announcements. In summary, a “clone” was made of the Treasury website, containing the Budget info, that was supposed to be swapped for the current production site later today. It was not publicly accessible, at least directly. However, the search function on the public site was inadvertently sucking up the confidential info from the clone server as well, and carefully-worded searches would reveal bits of such info as search context, even if the actual documents being indexed were not accessible in full. The Police have decided that, even though such leaks are considered a serious matter, the accesses were “not unlawful”. Which seems a refreshing change from, say, the UK, where someone was prosecuted and jailed some years ago just for putting “../” into a URL ...

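The leak described above comes from a search index, not from the documents themselves: the crawler reached the unpublished clone, and the engine then served fragments of embargoed text as result snippets. The toy index below is an added example (not code from the thread or from any Treasury system; hosts, paths and document text are constructed) that reproduces that snippet leak and shows the fix of indexing only published documents from the production host.

```python
"""Added example, not from the thread: a toy search index showing how
result snippets from an indexed-but-unreachable document expose its
contents, and the fix of scoping the index to published content.
All hosts, paths and document bodies below are constructed sample data."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Doc:
    host: str         # server the crawler fetched the page from
    path: str
    body: str
    published: bool   # True only for pages on the live site


# Constructed corpus: one live page and one embargoed page that the
# crawler reached through the staging ("clone") host.
CORPUS = [
    Doc("www.example.govt.nz", "/budget-2018",
        "Budget 2018 allocated funding to existing services.", True),
    Doc("clone.example.govt.nz", "/budget-2019",
        "Budget 2019 allocates an embargoed sum to mental health services.", False),
]


def snippet(body: str, query: str, width: int = 30) -> str:
    """Text around the first match, the way a search result page shows it."""
    m = re.search(re.escape(query), body, re.IGNORECASE)
    if not m:
        return ""
    return body[max(0, m.start() - width): m.end() + width]


def search(index, query):
    """(path, snippet) for each indexed doc containing the query."""
    hits = [(d.path, snippet(d.body, query)) for d in index]
    return [(p, s) for p, s in hits if s]


def leaky_index(corpus):
    # The bug: everything the crawler could reach is indexed, so a
    # carefully worded query surfaces embargoed text even though the
    # clone's pages are not directly reachable by the public.
    return list(corpus)


def scoped_index(corpus, allowed_hosts):
    # The fix: index only published documents from production hosts.
    return [d for d in corpus if d.published and d.host in allowed_hosts]


if __name__ == "__main__":
    print(search(leaky_index(CORPUS), "mental health"))
    print(search(scoped_index(CORPUS, {"www.example.govt.nz"}), "mental health"))
```

The same scoping check belongs at crawl time as well, so that staging hosts are never fetched, not merely filtered out afterwards.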
> Nice non-paywalled report <https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=12235615> into how the National Party (and others) were able to obtain supposedly-confidential details of today’s Budget announcements.
>
> In summary, a “clone” was made of the Treasury website, containing the Budget info, that was supposed to be swapped for the current production site later today. It was not publicly accessible, at least directly. However, the search function on the public site was inadvertently sucking up the confidential info from the clone server as well, and carefully-worded searches would reveal bits of such info as search context, even if the actual documents being indexed were not accessible in full.
>
> The Police have decided that, even though such leaks are considered a serious matter, the accesses were “not unlawful”. Which seems a refreshing change from, say, the UK, where someone was prosecuted and jailed some years ago just for putting “../” into a URL ...
+1 for common sense.

Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/

On Thu, 30 May 2019 08:17:37 +1200, I wrote:
> Nice non-paywalled report <https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=12235615> into how the National Party (and others) were able to obtain supposedly-confidential details of today’s Budget announcements.

Followup report <https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=12239460> clarifies the timeline over the GCSB advising ministers that the “hacking” claim was false. Apparently that notification did not come in until about 40 minutes after the Treasury boss made the claim, and 30 minutes after the Finance Minister repeated it.