An employee of the IT company contracted to test Work and Income's kiosks teaches hackers how to break into them, ONE News
The Singapore-based New Zealander, who works for Dimension Data, claims that all kiosks are so insecure he can break into any of them in less than two minutes.
IT company Dimension Data, paid to help keep hackers out of Work and Income's kiosks, employs Kiwi Paul Craig who has taught hackers how to break in.
Craig calls himself the "king of internet kiosk hacking".
"I'm gonna show you how to hack any Windows-internet kiosk in less than a 120 seconds. Guaranteed!" Craig said to applause in a speech to a Defcon conference on January 19, 2011.
Since giving technical advice to TVNZ's Flipside programme eight years ago, the security consultant has moved to Singapore.
ONE News has found two videos on YouTube of him teaching kiosk hacking to a conference of underground computer hackers as recently as August last year.
Only a few months earlier, his company found the fault in Work and Income's kiosks that exposed thousands of private files. A blogger this week reported being able to access thousands of confidential files on publicly accessible computers in Winz branches.
ONE News asked Dimension Data, the Minister of Social Development's office and the ministry if Craig himself was involved in the testing of Work and Income's kiosks. None have been prepared to say either way.
In his conference speech, Craig described himself as a "malicious hacker" and claimed that no kiosk is ever truly secure.
"The great thing about hacking kiosks is that it's really Goddamn easy," he said in the clip posted on YouTube.
They are also a cheap way of helping beneficiaries find jobs.
IT security expert Daniel Ayers said kiosks are pretty cost-effective "because they're just specialised PCs."
"I mean you can actually use real PCs. They're not expensive to set up and run at all," Ayers said.
"The person who designed the kiosk solution I'd describe as incompetent because they made some very basic mistakes and have done things they never should have done," IT security expert Daniel Ayers told TV ONE's Breakfast.
"If you're going to give the public access to computers you need to make sure you lock it down so they can only access what they're meant to access."
ONE News asked the Minister, Paula Bennett, if the ease of hacking kiosks, with access to so much private information, worries her.
"I would certainly say that when you look at our kiosks and the information they got to and what I would say, with relative ease, that it's hugely concerning," Bennett said.
If Craig is right, he and a conference of hackers can break into Winz kiosks in less than two minutes.
"That's the end of my talk. Thanks very much. Have fun owning kiosks!" Craig said at the end of his conference speech.
Dimension Data responds
This evening Dimension Data issued this statement to ONE News.
The company said it has a global team of IT security consultants and each participates in their community by attending and presenting at conferences, developing security tools and responsibly disclosing details of vulnerabilities that have been discovered.
The company also said security testing is an excellent way to verify whether protection used by a network is appropriate to the risk that organisation is prepared to accept.