About 24 hours ago (as I write this) journalist Keith Ng dropped a bombshell about lax security from one of our government’s biggest departments.
The Ministry of Social Development, it turns out, had some pretty big IT security issues in-house and operated publicly accessible computer kiosks. These two things meant that anyone could literally wander in off the street and start browsing potentially sensitive data with a few mouse clicks.
The details have been widely covered in the media, and Ben Gracewood offered up a great post about the difficulty of doing things right in enterprise IT.
The Source
This evening the story took another interesting turn – after being alerted by inquiries from a journalist that the name of his source had been released (presumably by the MSD), Keith Ng decided to preemptively publish the source’s name and details of his dealings with the MSD.
There are two big bullet points that will gain attention in the media – the first is that the source, Ira Bailey, was one of the Urewera 17. The second is that he’d approached the MSD asking if they had a vulnerability reward program.
The first issue is a distraction – a coincidence.
The second issue is more complicated. To someone who has no familiarity with IT security it could easily appear that Bailey was attempting to extort the MSD. As Ng describes it, I don’t think that’s the case. Bailey appeared to make a genuine query about such a program. Upon learning there was no such program, he did what I think is the next best thing – talked to a good journalist who would strive to properly understand and report the issue (while also giving MSD reasonable notice to mitigate risk).
Vulnerability Rewards are not uncommon (they are offered by Google, Facebook, Firefox, PayPal and many, many others). The idea is that they reward people for reporting security issues to them. Generally all they ask is a reasonable time period to correct the issue before public disclosure.
It’s an acknowledgment that these security issues will have a value to someone.
Preemptive Exposure
It appears that the MSD has already floated the blackmail idea (scare quotes around reward in a Herald article quoting Paula Bennett for example) – the next step was naming the “hacker” in question. It seems they’d leaked the name to at least one journalist.
Keith Ng’s decision (with Ira Bailey) to disclose all the details preemptively seems like the right one to me. It ensures that journalists writing about the story aren’t only presented with the details as the MSD wish to frame them. Ng and Bailey could have responded after his name was publicly disclosed, but by then the MSD’s framing of the approach would have been presented unchallenged.
Avoiding a Repeat
So what should be done about this issue and how can similar things be prevented?
The answer is to be found within this event: a vulnerability reward program. The government should establish some sort of IT advisory or oversight group that can properly communicate and cooperate with various government IT departments and contractors, and that group should establish and publicise a vulnerability reward program.
The information in question is far too important to simply hope that a “good citizen” will report any issue they find and that it will be properly addressed without any oversight or accountability.
Ideally this process would be transparent. All vulnerabilities would be publicly reported once they’d been addressed and credit given (if desired) to those that reported them.