Detail on kiosk fault too risky to release: MSD

Ministry of Social Development declines to give more information on reasons for suppressing details of breach

The security fault labelled "critical" in Security-Assessment.com's May 2011 report on the Ministry of Social Development's kiosk systems was promptly fixed, but MSD still declines to provide detailed information on the reasons for suppressing details of the fault under the Official Information Act.

The public kiosks were exposed by blogger Keith Ng in October as having major security flaws which enabled private information to be exposed. Three inquiries were immediately launched, including one by Deloitte into what happened.

MSD says despite fixing the fault, a continuing security risk attaches to fuller disclosure.

Even to discuss why information on the critical vulnerability was withheld would risk "disclosing information about how to hack into the system" and potentially other similar systems, says a spokeswoman passing on comment from the ministry's "OIA team".

Warning of the critical fault occurs on Page 7 of Dimension Data subsidiary Security-Assessment's "kiosk review". The copy of that report released alongside the analysis of the failing by consultancy Deloitte names only one reason for withholding details -- Section 6(c) of the OIA, which says release might "prejudice the maintenance of the law, including the prevention, investigation, and detection of offences, and the right to a fair trial".

A later copy of the report, linked from a Computerworld article on November 21, adds a reference to Section 9(2)(k) under which information can be withheld to "prevent the disclosure or use of official information for improper gain or improper advantage."

This is not an additional ground thought up this month, the MSD spokeswoman says; it was simply omitted in the first publication of the report; "there were always two grounds."

Other vulnerabilities, given the lower grading of "urgent", remained unfixed after the Security-Assessment report and were used by Keith Ng to gain access to restricted files on MSD's network, in order to demonstrate the failures.

The Deloitte report deals only with the specific question of the self-service kiosks. A report on possible security holes in MSD's systems on a broader front is awaited.

Government CIO Colin MacDonald has also commissioned a review of security over all government systems.
