Two years ago, I reported from the Kiwicon security conference in New Zealand about the insecurity of many internet kiosks.
employment services throughout New Zealand.
New Zealand public-access kiosk SNAFU gives public access to intimate personal information
http://www.stuff.co.nz/technology/7815266/WINZ-kiosk-security-flaw-exposed
WINZ kiosk security flaw exposed
Ministry of Social Development officials were alerted to a major security flaw at its Work and Income kiosks over a year ago, a beneficiary advocate says.
The kiosks were shut down last night and a ministry investigation has been launched after blogger Keith Ng reported that he was able to access thousands of files on the agency's servers from the computers in a Wellington WINZ office.
He said he walked into a WINZ kiosk and was able to open files including sensitive case notes, names of children in care and up for adoption, foster parents, lists of people who owed MSD money, details of contract workers and how much they were paid, and the name of a person who had attempted suicide.
However, Kay Brereton, from Beneficiary Advocacy Federation, this morning told Radio New Zealand the discovery was nothing new.
She said she had tested the kiosks not long after they were introduced and found people could get into the ministry's system.
http://publicaddress.net/onpoint/
22:00 Oct 14, 2012
MSD's Leaky Servers
My jeans were torn, my hoodie was pretty ragged, and I hadn't shaved for a week. It turned out that bloggers are remarkably good at disguising themselves as unemployed, without even trying.
Last week, I got tipped off that parts of the MSD network were completely exposed to the public. You could go into any WINZ office and use their self-service kiosks to access their corporate network.
These locked-down kiosks are provided so you could look for jobs online, send off CVs etc. They've had some basic features disabled, which supposedly meant that you couldn't just open up File Manager and poke around the machine. However, by just using the Open File dialogue in Microsoft Office, you could map any unsecured computer on the network, and then open up any accessible file.
This basically means you can grab any file that wasn't bolted down on the network, while standing in the middle of a WINZ office. And that's what I did.
Normally, they aren't that exciting. Except that WINZ name their files quite well. For example:
s:\SharedData\wi_wites\Waikato\HAM\Fraud Investigations\[Name of investigator]\[Name of WINZ client] 23 Jun 2011 Case 640026-10.WMA
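The flaw Ng describes above depended on shares being readable from any machine on the corporate network, kiosks included; disabling a menu on the kiosk was never a boundary, the share and NTFS permissions were. As an added example, not code from the original post or from MSD, here is a PowerShell audit a file-server administrator could run to list the shares that grant read access to broad principals such as Everyone or Authenticated Users. It assumes the SmbShare module (Windows 8 / Server 2012 or later), local administrator rights on the server being audited, and that the domain's default groups carry their usual names, which are assumptions.

```powershell
# Added example (not from the original post or from MSD): audit the shares a
# Windows file server exposes and flag any that grant access to principals
# that effectively mean "anyone on the network". A domain-joined kiosk is a
# member of Domain Computers and its logged-on account is in Authenticated
# Users, so a share open to either is open to the kiosk.
# Requires the SmbShare module (Windows 8 / Server 2012 or later) and local
# administrator rights on the server being audited.

# Principals whose presence on a share ACL usually means "anyone on the network".
# The domain group names are assumptions; adjust them for the environment.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users",
    "$env:USERDOMAIN\Domain Computers"
)

function Get-BroadlyReadableShare {
    [CmdletBinding()]
    param(
        [string[]]$Principals = $BroadPrincipals
    )

    # Skip administrative shares (C$, ADMIN$, IPC$): they are admin-only by design
    $shares = Get-SmbShare | Where-Object { -not $_.Special }

    foreach ($share in $shares) {
        $grants = Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $Principals -contains $_.AccountName
            }

        foreach ($grant in $grants) {
            [pscustomobject]@{
                Share       = $share.Name
                Path        = $share.Path
                Principal   = $grant.AccountName
                AccessRight = $grant.AccessRight   # Read, Change, Full or Custom
            }
        }
    }
}

# Usage: list the findings grouped by share so the fix (remove the broad grant,
# add the specific team group that actually needs the data) can be scheduled.
Get-BroadlyReadableShare | Sort-Object Share, Principal | Format-Table -AutoSize
```

A share-level grant is only half of effective access: NTFS permissions on the folder apply as well, and access is the intersection of the two. A share that this audit flags but whose folder ACL is tight is not readable from a kiosk, while a share the audit passes can still leak if its NTFS ACL is open to a group the kiosk account belongs to, so follow up with `Get-Acl` on the paths it reports. The underlying lesson from the page stands either way: the kiosk's security should rest on which network resources its account can reach, not on which dialog boxes have been hidden.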