
Detail on kiosk fault too risky to release: MSD

Ministry of Social Development declines to give more information on reasons for suppressing details of breach

The security fault labelled "critical" in Security-Assessment.com's May 2011 report on the Ministry of Social Development's kiosk systems was promptly fixed, but MSD still declines to provide detailed information on the reasons for suppressing details of the fault under the Official Information Act.

The public kiosks were exposed by blogger Keith Ng in October as having major security flaws which enabled private information to be exposed. Three inquiries were immediately launched, including one by Deloitte into what happened.

MSD says that, despite the fault having been fixed, a continuing security risk attaches to fuller disclosure.

Even to discuss why information on the critical vulnerability was withheld would risk "disclosing information about how to hack into the system" and potentially other similar systems, says a spokeswoman passing on comment from the ministry's "OIA team".

Warning of the critical fault occurs on Page 7 of Dimension Data subsidiary Security-Assessment's "kiosk review". The copy of that report released alongside the analysis of the failing by consultancy Deloitte names only one reason for withholding details -- Section 6(c) of the OIA, which says release might "prejudice the maintenance of the law, including the prevention, investigation, and detection of offences, and the right to a fair trial".

A later copy of the report, linked from a Computerworld article on November 21, adds a reference to Section 9(2)(k), under which information can be withheld to "prevent the disclosure or use of official information for improper gain or improper advantage."

This is not an additional ground thought up this month, the MSD spokeswoman says; it was simply omitted in the first publication of the report; "there were always two grounds."

Other vulnerabilities, given the lower grading of "urgent", remained unfixed after the Security-Assessment report and were used by Keith Ng to gain access to restricted files on MSD's network, in order to demonstrate the failures.

The Deloitte report deals only with the specific question of the self-service kiosks. A report on possible security holes in MSD's systems on a broader front is awaited.

Government CIO Colin MacDonald has also commissioned a review of security over all government systems.

