Council Sells Security Hole On Ebay
Barence writes "A security expert was stunned to discover a VPN device he'd bought on Ebay automatically connected to a local council's confidential servers. Bought for just 99p for use at work, when plugged in it automatically connected with the login details which had been carelessly left on the device. 'The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really,' says the intrusion-detection professional. The council says it is 'deeply concerned' by the news, but is confident that 'multiple layers of security have prevented access to systems and data.'"
Am I the only one who cringes when hearing the phrase "multiple layers of security"? It is like a process where you have five people proofread something to check for mistakes, but none of the five bears any responsibility if a typo goes through. Invariably, 80% of the mistakes make it to print.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data."
but is confident that "multiple layers of security have prevented the council from knowing if anyone has had or does have access to systems and data."
There... that's better.
Support NYCountryLawyer RIAA vs People
Once someone has a VPN tunnel directly into your network, any protection from outside attacks is automatically bypassed. What's left? A collection of passwords?
It's been a long time.
While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world. You should never be assuming traffic coming from the LAN side is "safe" anyways, and require additional authentication every step of the way. Lots of orgs give their home employees/remote offices VPN access and these machines can generally be easily compromised. TFA is short on details but if the admins have been doing their job he probably would not have been able to compromise anything more than some network printers. That said, their disposal department needs a good slapping, wiping configs from Cisco devices is usually very easy.
the fact is that the guy already had access to the systems.
Access to a normally inaccessible private network is not the same as access to systems on that private network.
Although with IT staff this incompetent, I'd expect any next step(s) to be trivial with a real hacker behind the steering wheel (as opposed to a white hat guy like in this case).
Actually, I'm surprised that this so-called "Security Expert" plugged it into his network and allowed it to do that without first looking at what went on when he started it up in isolation.
Your lock/alarm analogy is fair. In this case however, it seems that they have locks they don't lock because of the alarm system. And they have an alarm system they don't turn on because of the locks.
wanna bet that the username and password that got him into the vpn in the first place is a valid username and password in the domain?
Anyone else wonder why the fuck a so called "security expert" plugged a device blindly into his network?
I mean, really now. I haven't done any security work in a long time now, but still... Buying something for around 2 to 3 dollars (a security device, no less) off EBay then just "plugging it in" to a production network should cost this idiot his job.
And posting it to Slashdot should cost him his professional reputation.
Stupidity at its finest.
--Toll_Free
Well, given how carelessly they treat their first layer of defense (VPN access) I wouldn't put much confidence in their other layers (if any) either. This whole story just screams INCOMPETENCE in bold and all caps. I doubt very much that the same people who are stupid enough to sell critical hardware on eBay are in any way capable of maintaining a secure network, even if their life depended on it.
But usually the VPN password and the server password are the same.
In reality security is a process and their processes are obviously broken. No person (no matter whether it is the one who set up their network or not) should be allowed to just go pick up a router and sell it on eBay. If they feel a need to cash in on their old hardware then there must be a clear process for that which includes "make really sure that all sensitive data is wiped from any device you intend to sell".
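The "make really sure that all sensitive data is wiped" step above can be checked mechanically before a device leaves the building. The following is an added example, not code from the article or from anyone in this thread: it scans an exported device configuration for lines that still carry credentials or VPN peer details. The line syntax is modelled on Cisco IOS-style configs as an assumption (the article does not name the vendor), and the sample config is constructed.

```python
"""Pre-disposal audit of an exported network-device config.

Flags lines that carry credentials a buyer could reuse (VPN pre-shared
keys, local user passwords, enable secrets, SNMP communities) and the
VPN peer the device would dial into. Line syntax is modelled on
Cisco IOS-style configs as an assumption; adjust PATTERNS for other
vendors.
"""
import re

# category -> regex matched against each config line (case-insensitive)
PATTERNS = {
    "vpn_psk":       re.compile(r"^\s*(crypto isakmp key|pre-shared-key)\b", re.I),
    "local_user":    re.compile(r"^\s*username\s+\S+.*\b(password|secret)\b", re.I),
    "enable_secret": re.compile(r"^\s*enable\s+(secret|password)\b", re.I),
    "snmp":          re.compile(r"^\s*snmp-server\s+community\b", re.I),
    "vpn_peer":      re.compile(r"^\s*set peer\b", re.I),
}

def find_residual_secrets(config_text):
    """Return [(line_no, category, line)] for every flagged line, in file order."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), start=1):
        for category, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((no, category, line.strip()))
                break  # one category per line is enough for a report
    return hits

def ready_for_disposal(config_text):
    """True only when nothing credential-like remains in the config."""
    return not find_residual_secrets(config_text)

# Constructed sample: roughly what an un-wiped VPN device might still hold.
SAMPLE_CONFIG = """\
hostname branch-vpn-01
enable secret 5 $1$EXAMPLE$notarealhashxxxxxxxxxx
username admin password 7 XXEXAMPLEXX
crypto isakmp key ExamplePSK address 198.51.100.10
crypto map HQ 10 ipsec-isakmp
 set peer 198.51.100.10
snmp-server community public RO
interface FastEthernet0
 ip address dhcp
"""

if __name__ == "__main__":
    for no, cat, line in find_residual_secrets(SAMPLE_CONFIG):
        print(f"line {no:>3} [{cat}] {line}")
    print("safe to dispose:", ready_for_disposal(SAMPLE_CONFIG))
```

Run it against `show running-config` output (and the startup config, which can differ) as a gate in the disposal process; an empty report is the condition for the device to go out the door.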
Of course it's a process, but it's a human process. Mistakes are made. Repeat mistakes of this nature should absolutely be grounds for termination. Yet for some reason, commentators on Internet forums insist on dehumanizing the entire process and calling for the head of anyone who slips up.
Want to know what probably happened? A bunch of equipment was being replaced, and the rest trashed. Someone knew this and grabbed some of it to sell on eBay, hoping to make a quick quid. The devices were probably already off of inventory by this time, so no one was the wiser, but the guy (or girl) who took the equipment didn't know about the security procedure.
I base that off of my understanding of Cisco contracts. A friend works for a company which uses Cisco gear. In the contract, they are supposed to destroy most of the gear they get from Cisco (after it's no longer in use), and in return, they get discounts on replacements. They're subject to various financial penalties (not the least of which is the cessation of the discount) if any employees are found to have sold equipment on the secondary market. The idea is that Cisco doesn't want to flood the market with old gear that's still perfectly serviceable, but they don't want to take the time to refurbish it or destroy it themselves.
I could easily see something similar being the case here.