Council Sells Security Hole On Ebay
Barence writes "A security expert was stunned to discover a VPN device he'd bought on Ebay automatically connected to a local council's confidential servers. Bought for just 99p for use at work, when plugged in it automatically connected with the login details which had been carelessly left on the device. 'The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really,' says the intrusion-detection professional. The council says it is 'deeply concerned' by the news, but is confident that 'multiple layers of security have prevented access to systems and data.'"
Am I the only one who cringes when hearing the phrase "multiple layers of security"? It is like a process where you have five people proofread something to check for mistakes, but none of the five bears any responsibility if a typo goes through. Invariably, 80% of the mistakes make it to print.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data."
but is confident that "multiple layers of security have prevented the council from knowing if anyone has had or does have access to systems and data."
There... that's better.
Support NYCountryLawyer RIAA vs People
I mean, back in the nineties I remember hearing about so-and-so bought a second-hand laptop and it had 4000 CC#s on it, or so-and-so bought a desktop and had all the passwords for company X's servers. Really it seems kind of overblown for this to make news; it was just a dumb mistake.
Five people checking for typos is one thing... making sure you're not selling access to your company for 99p on eBay is... crazy! Whoever works there and has access to sell them should know better. What really gets my goat is if I'd have bid on it the thing would have cost me £60 with £100 P+P. (eBay, if you're reading this - I HATE you!)
"multiple layers of security have prevented access to systems and data."
The fact is that the guy already had access to the systems. Were they not paying attention?
Once someone has a VPN tunnel directly into your network, any protection from outside attacks is automatically bypassed. What's left? A collection of passwords?
It's been a long time.
+1 to the UK government data breach tally.
Would a security expert really be "stunned" by this? Sounds like business as usual to me.
While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world. You should never be assuming traffic coming from the LAN side is "safe" anyway, and require additional authentication every step of the way. Lots of orgs give their home employees/remote offices VPN access and these machines can generally be easily compromised. TFA is short on details, but if the admins have been doing their job he probably would not have been able to compromise anything more than some network printers. That said, their disposal department needs a good slapping; wiping configs from Cisco devices is usually very easy.
A colleague where I live bought a set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.
The passwords were for a Department of Energy facility with nuclear activities.
I bet someone here has heard of an even weirder event.
Americans fear that private companies will steal all their data. The British prefer the approach of giving it all away to everyone, in a variety of useful formats!
The ineptitude in government at all levels in this country about data security is bloody jaw-dropping. Interesting news today is that the cabinet official who left some direly secret stuff on a train is getting prosecuted under the Official Secrets Act. This is hopefully more than security theatre itself.
http://rocknerd.co.uk
99 pence for a Cisco 3002 is an astonishingly good price, even if it is end-of-lifed! Even now most 3002s on eBay are going for $200 or more.
Is 99p correct? Or is the media distorting the facts in order to sensationalize the story?
If 99p is the correct price, I'll take 50 of them. Ta!
The problem is that this is a crypto box without a "zeroize" button.
A VPN device is, among other things, a crypto unit. Real crypto units are very explicit about key control. Sometimes, the key is in a removable and easy-to-destroy form. On units with internal key storage, there's a guarded "zeroize" button that clears all keys to zero.
Cisco didn't provide either a "zeroize" button or a removable key. So there's no easy way to scrub the thing before selling it, or to be sure it was scrubbed.
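A pre-disposal audit in the spirit of the "zeroize" point above, added here as an example and not code from the original thread or from Cisco: it scans a saved configuration dump for stored credentials, pre-shared keys and tunnel peers, and refuses to clear the device for resale while any remain. The config syntax and every value in SAMPLE_CONFIG are constructed for illustration, not a real vendor format or a real dump.

```python
import re

# Constructed sample config, standing in for what was left on the resold box.
# Generic, made-up syntax; values are placeholders, not real secrets or hosts.
SAMPLE_CONFIG = """\
hostname branch-vpn-01
interface ethernet0
 ip address 192.0.2.10 255.255.255.0
vpn peer 198.51.100.5
 group council-remote
 group password cleartextgrouppw
username jsmith password s3cr3tpass
username admin secret 5 $1$abcd$fakehashvalue
crypto isakmp key preshared-key-here address 198.51.100.5
snmp-server community public RO
logging host 192.0.2.50
"""

# Each entry names one class of residual secret that must not leave the
# organisation. The first matching category wins for a given line.
SECRET_PATTERNS = [
    ("stored user credential", re.compile(r"^\s*username\s+\S+\s+(password|secret)\b", re.I)),
    ("vpn group password",     re.compile(r"^\s*group\s+password\b", re.I)),
    ("preshared key",          re.compile(r"^\s*crypto\s+isakmp\s+key\b", re.I)),
    ("snmp community",         re.compile(r"^\s*snmp-server\s+community\b", re.I)),
    ("peer/tunnel endpoint",   re.compile(r"^\s*vpn\s+peer\s+\S+", re.I)),
]


def audit_config(text):
    """Return (line_no, category, line) for every line still carrying a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, category, line.strip()))
                break
    return findings


def safe_to_release(text):
    """True only when the audit finds nothing; the disposal checklist gates on this."""
    return not audit_config(text)


if __name__ == "__main__":
    for lineno, category, line in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {category}: {line}")
    print("release allowed:", safe_to_release(SAMPLE_CONFIG))
```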
No, it's defense in depth. It's like having locks on your house, and also having an alarm system. That's more secure that having just locks or just an alarm system. On a computer, it's like using a secure browser and also having a firewall and also anti-virus software.
What a fool believes, he sees, no wise man has the power to reason away.
I only sort of understand what a Council is. It's a local governmental body, but what is it analogous to in the United States? Is it more like a State, County, or Township government, in its size and exercise of power? It would add some meaning to the story. I wouldn't be at all surprised if that happened on the county level or lower, here in the States. There is also a great deal of variance in the size and competency of County governments depending on the county. Is that also true in the UK? If so, where is this local council, and could it really have been expected to be smarter?
Well... maybe. Or maybe not. But definitely not sort of.
Shame they didn't think to advertise the stored login on the item's eBay description. They could probably have gotten more than 99p for it.
Slashdot Burying Stories About Slashdot Media Owned
Was it the Council of 13's confidential servers? 'Cause I'd really like to know who off'd Jonas Venture Sr.
There are some people that if they don't know, you can't tell 'em.
[Nomenumbra] 1 bottle of beer on the wall, 1 bottle of beer, you take 1 down, pass it around, 0 bottles of beer on the wall.
[Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.
Anyone else wonder why the fuck a so called "security expert" plugged a device blindly into his network?
I mean, really now. I haven't done any security work in a long time now, but still... Buying something for around 2 to 3 dollars (a security device, no less) off eBay and then just "plugging it in" to a production network should cost this idiot his job.
And posting it to Slashdot should cost him his professional reputation.
Stupidity at its finest.
--Toll_Free
It would be one thing if this was straight into the DoD, but this is some little town council from what I can tell.
n/t
There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter
One "IT expert" told me that he doesn't bother to do a forensic wipe of hard drives on machines he's donating (or that his clients are) because he doesn't want the hassle of reinstalling the OS and because he "never makes mistakes" when he selectively cleans off sensitive data. Yeah, right. That guy is going to be on the front page of the Wall Street Journal someday with a very sad look on his face.
Used devices need to be scrubbed as completely as possible if they are leaving the organization. Even if they're merely being disposed of.
-B-
Sure, the saved login credentials are a problem, but I think there is a side problem as well. A "security expert" plugged a VPN concentrator he bought off eBay into his corporate network without cleaning it up in the first place. That is a problem too.
I could really go for some shaved beaver right about now.
This being slashdot, finding beavers here is rare, shaved even more so, but an earlier post mentioned Bears. Perhaps they will do for you?
(I know we should not feed the trolls, but this one sounds really hungry)
How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
offer a VPN for sale on eBay
"accidentally" leave it configured for connection
wait for connection
pwn the connecting machine...
here's a tip: configure your network hardware before actually connecting it to a network
I'd like to know when we started comparing things as serious as safety and security to candy bars... but since I'm American, "council" means immediately nothing to me.
ps: s/bears/bares/
Good people go to bed earlier.
We know how to get into your bank. Payup or we will sell to the criminals.
If you have a setup where there's an "inside/outside" arrangement and everything on the inside trusts everything else on the inside then sure. However that's often not the case.
For example, I work at a university, and we've got a campus VPN here. To access various things in our department from off campus, you need to VPN in. However, that doesn't get you past all security. All it does is get you a campus IP address, not even a departmental IP. So you are still outside our firewall; however, it lets more things through (for example you can use our SMTP server to send mail). Even if we changed it up and installed a VPN in the department, that'd only get you by the border firewall. Systems themselves still have firewalls running on them.
Now, firewalls aside, there's other security. Our systems don't just let anyone who happens to have a departmental IP do anything. They require proper credentials for what you are trying to do. Nearly all the protocols you might use are encrypted, too. For example, you can't telnet to the UNIX systems; it isn't turned on, you have to SSH even internally. Not that it would do you a whole lot of good: the entire network is switched, so you aren't seeing any traffic that isn't for you.
So you can plug something in to our physical network, and still not be able to get access to anything unless you have an account on our system. The VPN is just a layer of security, and is basically to get you past the campus firewall (which we don't control) and to allow us to open up ports to a limited IP space.
That's layers of security, and it isn't uncommon. There isn't a single point that is a "if you get by here, you have full access" kind of thing. There are various layers of security, various levels of trust.
Dude, even if you manage to log into our network you can't steal our data. Because we have security cameras watching the building.
Love many, trust a few, do harm to none.
The cretins that did not wipe the device before resale...
And some blame to Cisco for not having a huge "Wipe this Device so [Y]our ass is clean(TM)" button in its OS?
# ~: no sigs today
So you can magically VPN in and get an IP address. Maybe it's even on the core. 10 quid says that you can go to a local Job Centre, fire up your laptop, and connect wirelessly, TO THE SAME NETWORK. Either way, you won't know what to do when you get in, you can't snoop traffic, and unless you find some password that's "12345" (although that does seem likely) you're not actually going to be able to do anything.
I want to delete my account but Slashdot doesn't allow it.
The guy's just lucky the council didn't set the cops on to him for 'hacking' their network!
This could never happen in San Francisco...
So this so-called security expert buys an ex-council device on eBay for 99p (incredulous in itself; I used to work for a UK council and I can tell you it is NOT standard practice to flog ex-council kit on eBay), and finds this "security hole" which the council themselves have not confirmed.
Oh, by the way, the freelance security expert in question has also written a book about the very device used in the "attack". What are the chances of that?
This piece is nothing but self-publicising bullshit.
Super Awesome Broadband