Public-access kiosk SNAFU gives public access to intimate personal information

Two years ago, I reported from the Kiwicon security conference in New Zealand about the insecurity of many internet kiosks.

(The 2012 Kiwicon event starts in just over a month – if you can get to Wellington, I recommend it.)

Sadly, New Zealand is in the “insecure kiosk” news again, for all the wrong reasons.

Kiwi journalist Keith Ng wrote over the weekend about his experiences with kiosk computers at Work and Income New Zealand (WINZ). That’s where you go for financial assistance and employment services throughout New Zealand.

Ng’s experience was as dramatic as it was unexpected. (Actually, it wasn’t entirely unexpected, as someone had told him they thought the kiosks were insecure. But the scale of the insecurity was alarming.)

The idea of kiosks in public service offices might seem strange. After all, if you’ve gone to the trouble of visiting the office in the first place, surely you’re already beyond the sort of assistance you could obtain online?

Not at all. Kiosks in government offices are a great idea – especially for departments which aim to assist those who are least likely to have internet access themselves at home, for example because they have lost their jobs, are on income support, or are simply intimidated by the many risks and complexities of running their own computers – notably the risks of being hacked and losing personal information to cybercrooks.

What you don’t expect is for public-access self-service kiosks in government departments to be directly connected to the internal, operational networks of the department itself.

What Ng found at WINZ was that this is exactly how things had been set up.

One of the functions of the kiosk computers is to let job seekers look for work online, and to send out their CVs. So the kiosk gave Ng access to Microsoft Office.

And right from the File Open dialog, he found he could browse his way around the network of WINZ’s parent department – the Ministry of Social Development (MSD).

Ouch. He was able to see logfiles and documents containing a raft of super-personal stuff. This included logs listing documents naming people being investigated for fraud; invoices naming contractors; invoices for medical services detailing patients and their medical complaints; a list of debtors being chased by a commercial debt collection agency; and more.

In short, an identity crook’s dream.

The “more” that Ng was allegedly able to access was worse, apparently even including the names and addresses of safe houses, and of children living in them.

The good news is that Ng let the Privacy Commissioner and the Ministry of Social Development know before publishing, and the MSD will be taking the kiosks offline until the situation is sorted out.

The bad news is, of course, that this sort of thing should never be allowed to happen. Ng didn’t even have to hack. He just clicked his way through a standard, ubiquitous, known-by-everyone-by-design File Open dialog – a dialog that’s supposed to make it quick and easy for you to navigate wherever you’re allowed to go on the network.

What to do?

If you are running kiosks, you need to assume the worst.

Assume that each user can escape from the sandbox you provide and access anything else on the same network as the kiosk. Also assume that each user can set booby traps which, if left intact, could harm the privacy of the next user.

You need to ensure the following:

* Kiosks shouldn’t be on your internal network. In fact, your kiosks should give no more access to your internal network than your website does to users who are physically outside your premises. Kiosks are public-access terminals so, from a network perspective, they are external.

* Kiosks should be reimaged or reverted back to a known-clean state after each user. This ensures that user X can’t set a booby trap for user X+1, and that user X+1 can’t accidentally see left-over data from user X.

* Your internal network shouldn’t let just anyone access just anything. Careful access control lists, with “deny-by-default”, should be used to compartmentalise information to prevent unwanted leakage or disclosure, whether deliberate or accidental and whether internal or external. A share that an unprivileged account can browse is already a disclosure, whether or not anyone has opened a file yet.

* Computer logfiles should be considered personally identifiable information (PII), even when no single log entry looks sensitive on its own. Metadata such as file and directory names often accurately identify the information contained inside each file itself – a directory called “fraud investigations” gives away who is under investigation without anyone opening the documents inside it.

* All files containing PII should be encrypted. Even if an unauthorised user is able to identify and copy (or steal) them, they should end up as just so much shredded cabbage. Note that whole-disk encryption on the file server doesn’t help here: a file served to an authenticated network session arrives already decrypted. The protection needs to be at the file or application level, with keys that the kiosk’s account can’t get at.
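To make the first and third points concrete, here is a small, added example (not code from the original article, and nothing to do with WINZ’s or MSD’s real network) that models a kiosk VLAN’s egress policy as a first-match rule list with an implicit deny, then checks what a kiosk can reach. All addresses, hosts, ports and rules are hypothetical. The weak ruleset is the “kiosks may go anywhere” setup that turns a kiosk into an internal workstation; the hardened one lets kiosks talk only to a web proxy in a DMZ, so SMB to internal servers and direct internet access both fall through to the default deny.

```python
"""Model a kiosk VLAN's egress policy and check that it cannot reach internal
file services. Added example: every address, host and rule here is constructed
and hypothetical, not a real department's network."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination TCP port; None means any port

# Hypothetical addressing: kiosks on their own VLAN, the web proxy in a DMZ,
# and everything in 10.0.0.0/8 is the department's internal estate.
KIOSK_NET = "192.168.200.0/24"
WEB_PROXY = "172.16.5.10"
INTERNAL_NETS = ["10.0.0.0/8"]

# Weak policy: one "kiosks may go anywhere" rule. From the network's point of
# view the kiosk is now an internal workstation, and a File Open dialog can
# browse whatever the kiosk's account is allowed to see.
WEAK_RULES = [
    Rule("allow", KIOSK_NET, "0.0.0.0/0", None),
]

# Hardened policy: kiosks may only talk to the web proxy. Everything else,
# including SMB to internal servers and direct internet, hits the implicit deny.
HARDENED_RULES = [
    Rule("allow", KIOSK_NET, WEB_PROXY + "/32", 3128),
]

def evaluate(rules, src_ip, dst_ip, dport):
    """First-match evaluation with deny-by-default: no matching rule means deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"

# Constructed probe set: internal services a kiosk must never reach directly.
INTERNAL_PROBES = [
    ("10.20.30.40", 445, "file server SMB"),
    ("10.20.30.41", 445, "archive server SMB"),
    ("10.1.1.5", 389, "domain controller LDAP"),
    ("10.1.1.5", 445, "domain controller SYSVOL"),
]

def internal_exposure(rules, kiosk_ip="192.168.200.17"):
    """Return the internal (host, port, label) tuples a kiosk could reach.
    An empty list is the goal: the kiosk is 'external' to the internal estate."""
    nets = [ipaddress.ip_network(n) for n in INTERNAL_NETS]
    exposed = []
    for host, port, label in INTERNAL_PROBES:
        if any(ipaddress.ip_address(host) in n for n in nets):
            if evaluate(rules, kiosk_ip, host, port) == "allow":
                exposed.append((host, port, label))
    return exposed

def policy_report(rules, kiosk_ip="192.168.200.17"):
    """Summarise: can the kiosk reach the proxy, can it bypass it, what leaks?"""
    return {
        "proxy_ok": evaluate(rules, kiosk_ip, WEB_PROXY, 3128) == "allow",
        # 203.0.113.9 is a documentation address standing in for "the internet".
        "direct_internet": evaluate(rules, kiosk_ip, "203.0.113.9", 443),
        "internal_exposed": internal_exposure(rules, kiosk_ip),
    }

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, policy_report(rules))
```

The point of the probe list is that the check is phrased in terms of what the kiosk must not reach, not what it may: if a new internal server appears, it is covered by the implicit deny rather than by someone remembering to add a block rule. The same idea applies to the share ACLs on the servers themselves.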

Let’s hope that WINZ knocks this problem on the head quickly and is able to restore kiosk service, this time safely and on a safe network.

For the rest of us, let’s take this as a handy warning that it’s always a good time to carry out a security review.

Security – as any textbook, operational framework or methodological study will tell you – is a journey, not a destination.