NZ SIS

From LeakDirectory


General Notes

New Zealand Security Intelligence Service (NZSIS)

Who are we? The NZSIS is a government agency, responsible for giving the Government advice about matters relating to New Zealand’s security. The Service has approximately 200 staff, comprising:

   intelligence officers
   support staff, and
   specialists (including linguists, technicians, legal and accounting staff and information professionals).

Our offices The Head Office is in Wellington and there are regional offices in Auckland, Wellington and Christchurch.

Our role The NZSIS is a civilian intelligence and security organisation. Its threefold roles are:

   to investigate threats to security and to work with other agencies within Government, so that the intelligence it collects is actioned and threats which have been identified are disrupted
   to collect foreign intelligence, and
   to provide a range of protective security advice and services to Government.


The Public Contribution Form

https://providinginformation.nzsis.govt.nz

is SSL / TLS encrypted and it also seems to use a GnuPG-generated PGP Public Key hidden in the JavaScript; however, this PGP Key is not published per se.

Unfortunately this web form also logs the IP address and other browser details.

The rest of the NZ SIS website, for no good reason, tracks visitors using the US-based commercial Google Analytics system, so these visitor statistics and web browser and IP address details are also available to at least the US Government as well as the New Zealand one.

The Public Contribution Form does generate a unique reference number on completion.

Update 28th August 2011

Matthijs Koot updated his blog post to point out that

UPDATE 2011-08-25: it appears that NZSIS removed the PGP key [2] from the source of https://providinginformation.nzsis.govt.nz/vwi/

They are still, however, tracking the remote_addr and http_user_agent web browser environment variables within this form, and they are still using Google Analytics on the rest of the website.

Contact Details

website: http://nzsis.govt.nz

http://nzsis.govt.nz/contact/how-you-can-help.html

http://nzsis.govt.nz/contact/

Press Enquiries

No

General Enquiries

  • telephone: Free phone 0800 SIS 224 (0800 747 224)

Postal Address:

Wellington Head Office

Defence House, 2-12 Aitken Street, Wellington

Postal Address:

PO Box 900, Wellington

Phone/Fax

Phone: (04) 472 6170
Fax: (04) 472 8209

Social Networking publicity

Mainstream media print and broadcast journalists, politicians etc., i.e. the influential people at whom whistleblower leaks are targeted, are busy people, but can sometimes be enticed to read about whistleblower issues through Twitter, Facebook, blog RSS feeds etc.

Twitter

No

Facebook

No

Blog

No

Financial Donation methods

Not Applicable - New Zealand taxpayers

Currently accepting submissions of whistleblower leaks ?

Yes

Explicit promises about Anonymity, Privacy or Security

Any information you choose to supply through this website (including personal details) will be kept confidential. This is subject to the NZSIS’ statutory mandate to communicate information to any persons in the interests of security. The NZSIS is also permitted to provide information to the New Zealand Police or any other persons for the purpose of preventing or detecting serious crime.

Under no circumstances will the NZSIS provide your name or contact details to any private or commercial organisation.

Restrictive legal Terms & Conditions

No

Practical Advice on preserving Whistleblower Anonymity

No

Leak Submission Encryption

Digital Certificate fingerprints published on their website:

No

Qualys SSL Labs SSL Server Test rating:

https://www.ssllabs.com/ssldb/analyze.html?d=providinginformation.nzsis.govt.nz

Overall rating: A [85]

Certificate: 100

Protocol Support: 85

Key Exchange: 80

Cipher Strength: 90

Strong RSA / 4096 bit private key, but only a SHA-1 digital signature.

No major cipher suite protocol weaknesses.

Appears to be running on a DSL internet connection ? 203-97-204-25.dsl.clear.net.nz

PGP Public Encryption Key

The Public Contribution Form is SSL / TLS encrypted and, when launched, it used a GnuPG-generated PGP Public Key hidden in the JavaScript.

This PGP Key has now been removed from the JavaScript, but it is available via public PGP keyservers:

http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=get&search=0x607635D9ADE83D5F

email address: Virtual Walk-In [Public Submissions] <vwi@nzis.govt.nz>

PGP ID: 0xADE83D5F

Created: 19/07/2011

Expires: Never

Type: RSA 4096/4096

Cipher: AES 256 bit

PGP Fingerprint: DF53 D60E 492D 969E 8132 7D77 6076 35D9 ADE8 3D5F

Whether NZ SIS will ever reply to any emails sent to this address, with or without PGP encryption, remains to be seen.

TOR Hidden Service

No

I2P eepsite

No

PrivacyBox.de

No

Hushmail Secure Form

No

Leak Submission Anonymity

TOR users blocked from access

No

3rd Party or persistent tracking cookies or graphics

No

CAPTCHA graphics generated from another website e.g. Google reCAPTCHA

The web form does use a CAPTCHA, but this is pulled safely from the same SSL / TLS encrypted web server.

Mixed mode non-SSL graphics or style sheets

No

Embedded video clips etc. from another website e.g. YouTube

No

Flash file uploader class

No

Communications / Acknowledgement back to the whistleblower via the website

The Public Contribution Form does ask for optional details such as: Home Address, Telephone Number, Mobile Phone Number, Email Address and Preferred Contact Details/Arrangements.

If you choose to submit information to us, we may take steps to contact you if follow up is required.

Acknowledgement of receipt of information

e.g. file upload success indicator - has the leak message or upload actually been received successfully ?

Yes

Thank you. We appreciate your assistance towards supporting New Zealand's security.

Please record the reference number nnnnnn. This number is unique to your contribution and should be referenced in circumstances where further communication is required. The nature of the information you have provided will determine whether we seek further contact.

For security reasons we recommend closing this webpage browser.

Leak analysis work flow status reporting

e.g. Has anyone actually looked at what the whistleblower has submitted ?

No

Private message box

e.g. for 2-way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.

No

Domain Name Resilience

The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which WikiLeaks.org emulators should take note of:

Domain Name Registrar

http://dia.govt.nz

New Zealand Domain Name Registry Limited

Government Registrar, Department of Internal Affairs

It is extremely unlikely that there will be any legal injunctions etc. which affect this New Zealand government website.

Multiple Internet Service Providers, in different legal jurisdictions ?

No

TelstraClear Ltd

New Zealand

Domain Name Server(s) & jurisdiction(s)

ns2.dns.govt.nz

ns1.dns.govt.nz

New Zealand

Alternate Domain Name aliases

No

Actual Physical Mirrors of the website:

No

Content available via BitTorrent or other P2P etc.

No
