Slashdot Mirror


Council Sells Security Hole On Ebay

Barence writes "A security expert was stunned to discover a VPN device he'd bought on Ebay automatically connected to a local council's confidential servers. Bought for just 99p for use at work, when plugged in it automatically connected with the login details which had been carelessly left on the device. 'The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really,' says the intrusion-detection professional. The council says it is 'deeply concerned' by the news, but is confident that 'multiple layers of security have prevented access to systems and data.'"

36 of 147 comments

  1. Layers of Security by MyLongNickName · · Score: 5, Insightful

    Am I the only one who cringes when hearing the phrase "multiple layers of security"? It is like a process where you have five people proof read something to check for mistakes, but none of the five bears any responsibility if a typo goes through. Invariably, 80% of the mistakes make it to print.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:Layers of Security by FireStormZ · · Score: 5, Insightful

      "Am I the only one who cringes when hearing the phrase "multiple layers of security". It is like a process where you have five people proof read something to check for mistakes, but none of the five bears any responsibility if a typo goes through."

      Never, in the history of man has the true process of government been summed up so well!

      --
      "Ahh! Arrogance and stupidity in the same package, how efficient of you!" --Londo Molari
    2. Re:Layers of Security by FredFredrickson · · Score: 5, Funny

      By layers of security, I'm sure he meant something along the lines of "Even if you can connect to our network printers on the windows server- you can't use them! Heck, we still can't figure out how to use them. Actually if you figure out how to get them to work, can you get the print jobs started? There's probably a couple hundred print jobs waiting.

      Oh and you probably can't access any files on our network, because in this HIGH security office, we don't even have network shares or anything of the like. Nopers, we email documents to each other. Good luck catching us, dude. LAYERS. LAYERS AND LAYERS of security."

      --
      Belief? Hope? Preference? The Existential Vortex
    3. Re:Layers of Security by darkmeridian · · Score: 4, Insightful

      It also is concerning because if you get used to failure as acceptable then each layer is going to become increasingly compromised until you have no protection at all. You will have multiple layers of protection only if you maintain each and every layer as though it were the only layer of protection.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    4. Re:Layers of Security by MyLongNickName · · Score: 2, Insightful

      I will agree with you very much. However in practice I hear it used to shrug off any concerns about one "layer" failing. Perhaps it is just my experience.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    5. Re:Layers of Security by Fx.Dr · · Score: 5, Funny

      ...but none of the five bears...

      I dunno, five bears can be pretty scary. I'd be sure to stay away from that network.

    6. Re:Layers of Security by AndGodSed · · Score: 2, Interesting

      I tooled around on one of our clients' networks the other day. We installed a server there and at their request (needed to add that to cover my butt) I had to load a file on one of their PCs for a guy to install.

      (The only main difference between this scenario and mine was I had a Linux (running Gentoo) server on their LAN. Here the guy had VPN access and thus he could VPN in and have a Linux box on their LAN.)

      My problem was that I had no idea what the IP address of the laptop was where I needed to place the file (a printer driver) so I pulled out a few really beginner tools to get my job done.

      (I will not post actual output here since most linux geeks will know what I would see.)

      nmap -sP to scan for active IP addresses. Next to the output you will see the name of the network device (the maker of the actual network card). Using this info I could make a guess as to what is a printer (they had an HP network printer) and their router. The rest had to be the computers/laptops.

      Next up I ran nmblookup -A against some of the IP addresses until I found the one I was looking for.

      At this point I ran into a possible hitch - password for a share.

      I ran smbclient -L against the chosen IP address and PRESTO - open windows "Shared Documents"

      So, for a "security expert" or hacker having VPN access can afford one a lot of information and opportunity for doing nasty stuff.

      I had with these three tools: A list of all the devices on the network, a means to determine all the open shares, find out computer names (using these you can often determine usernames and guess passwords - "password" is still quite common), find out the workgroup/domain name, send print jobs to the printer if I chose to, access the router and harvest the DSL username and password, place worms and trojans on the "Shared Documents" folders of several computers and infect a whole LAN!

      Layers of security my left foot.

    7. Re:Layers of Security by Impy the Impiuos Imp · · Score: 2, Funny

      You didn't read the rest of the article.

      > The council says it is "deeply concerned" by the news, but is confident that
      > "multiple layers of security have prevented access to systems and data."

      The article continues.

      "Indeed, a fax sent by the council to local news outlets later that day confirmed that '[the council's] servers were never breached and we've **CAMILLA P-B IS A HORSEFACE!!!!!!**"

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    8. Re:Layers of Security by gowen · · Score: 2, Insightful

      Never, in the history of man has the true process of government been summed up so well!

      Really? You think that's unique to government? Have you never worked in a private company? Never read TheDailyWTF? Noticed anything happen on Wall Street in the past week?

      A massive slice of incompetence and stupidity is the one thing ALL human endeavour together.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    9. Re:Layers of Security by FireStormZ · · Score: 4, Insightful

      "You think that's unique to government?"

      It's not unique to government but it is ubiquitous within government!

      "Have you never worked in a private company?"

      Yup some are like this and some are not.. More often than not the companies which are like this die or, at the very least, change leadership.

      "A massive slice of incompetence and stupidity is the one thing ALL human endeavour together."

      Aye' but the instituted practice of making people not *responsible* for their stupidity is a pillar of government bodies..

      --
      "Ahh! Arrogance and stupidity in the same package, how efficient of you!" --Londo Molari
    10. Re:Layers of Security by fyoder · · Score: 2, Funny

      The three bear security system had proven inadequate.

      --
      Loose lips lose spit.
    11. Re:Layers of Security by TobyWong · · Score: 4, Funny

      Ahh yes, the infamous PC LOAD LETTER firewall! Impervious to all but the most clever hackers.

      --
      - Toby
  2. Typo in the summary by zappepcs · · Score: 5, Insightful

    The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data."

    but is confident that "multiple layers of security have prevented the council from knowing if anyone has had or does have access to systems and data."

    There.. that's better

  3. Erm...Layers? by Sj0 · · Score: 5, Insightful

    Once someone has a VPN tunnel directly into your network, any protection from outside attacks is automatically bypassed. What's left? A collection of passwords?

    --
    It's been a long time.
    1. Re:Erm...Layers? by Brigadier · · Score: 2, Insightful

      Well, most VPNs just create secure access at the TCP level. If it is a Windows network you still have to log into the network itself. It is understood, though, that the fact that VPN access is required probably means there are a few open servers and user machines that have unprotected shares because of the false security of the VPN.

    2. Re:Erm...Layers? by Richard_at_work · · Score: 2, Insightful

      The VPN puts people into a DMZ for precisely this reason, and then you have to authenticate with the DMZ border gateway (firewall in other words) for any access to backend resources. Never, ever, should a VPN put you directly onto the trusted LAN - you don't ever trust the other end of the VPN, the 'dumb' office worker may have a virus infested home network.

  4. Re:Anyone keeping count? by clare-ents · · Score: 2, Funny

    the count now reads -2 147 483 647

    --
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
  5. VPN Access Not The End of the World by Kaboom13 · · Score: 4, Insightful

    While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world. You should never be assuming traffic coming from the LAN side is "safe" anyways, and require additional authentication every step of the way. Lots of orgs give their home employees/remote offices VPN access and these machines can generally be easily compromised. TFA is short on details but if the admins have been doing their job he probably would not have been able to compromise anything more than some network printers. That said, their disposal department needs a good slapping, wiping configs from Cisco devices is usually very easy.

    1. Re:VPN Access Not The End of the World by Attaturk · · Score: 4, Insightful

      While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world.

      Point being this was a local government network. The chances of it being designed right, let alone thoroughly maintained, are slim to none. Professionals outside IT must be educated not to rely on our l337 sysadmin skills else IT people will always carry the can when the shit hits the fan. I know it's a mixed metaphor but it rhymes so screw you. ;)

      People, in and outside of IT, need to understand (read: be taught) that government networks are not only vulnerable but also highly attractive to spammers, scammers, identity fraudsters and the like. This means that meatspace security is even more, not less, important in these environments.

      The strongest wall-safe in the world is useless if you leave the combination on a piece of paper on your desk. If you believe that no one could get past the formidable building security to read what's on your desk, your safe is probably already bare.

  6. What's the weirdest story like this? by Beryllium Sphere(tm) · · Score: 5, Interesting

    A colleague where I live bought a set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.

    The passwords were for a Department of Energy facility with nuclear activities.

    I bet someone here has heard of an even weirder event.

  7. Re:I don't know... by russotto · · Score: 4, Funny

    Would a security expert really be "stunned" by this? Sounds like business as usual to me.

    Never seen Casablanca, have you?

    Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
    [a croupier hands Renault a pile of money]
    Croupier: Your winnings, sir.

  8. Re:excuse me??? by Alwin Henseler · · Score: 2, Insightful

    the fact is that the guy already had access to the systems.

    Access to a normally inaccessible private network is not the same as access to systems on that private network.

    Although with IT staff this incompetent, I'd expect any next step(s) to be trivial with a real hacker behind the steering wheel (as opposed to a white hat guy like in this case).

  9. Crypto without a "zeroize" button. by Animats · · Score: 4, Informative

    The problem is that this is a crypto box without a "zeroize" button.

    A VPN device is, among other things, a crypto unit. Real crypto units are very explicit about key control. Sometimes, the key is in a removable and easy-to-destroy form. On units with internal key storage, there's a guarded "zeroize" button that clears all keys to zero.

    Cisco didn't provide either a "zeroize" button or a removable key. So there's no easy way to scrub the thing before selling it, or to be sure it was scrubbed.
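
The key-control point above, as an added illustration (this is not code from the post, nor anything from Cisco's firmware): a key slot with an explicit "zeroize" operation that clears key material in a way the compiler cannot optimise away, plus a disposal gate that refuses to release a unit still holding a key. The key_slot structure, the function names and the sample key are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a VPN-style key slot holding one pre-shared key.
 * In a real crypto unit the zeroize path is a guarded hardware control;
 * here it is a plain function so the behaviour can be run and checked. */
#define KEY_BYTES 32

struct key_slot {
    uint8_t psk[KEY_BYTES];   /* key material */
    size_t  psk_len;          /* bytes in use */
    int     loaded;           /* 1 while a key is present */
};

/* Zero memory through a volatile pointer so each store is emitted even
 * when the buffer is never read again (the case a plain memset before
 * free() may be elided in). C11's memset_s serves the same purpose
 * where the libc provides it. */
void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Returns 1 if the slot holds no key material at all, 0 otherwise. */
int key_slot_is_clear(const struct key_slot *s) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_BYTES; i++) acc |= s->psk[i];
    return acc == 0 && s->psk_len == 0 && s->loaded == 0;
}

/* Load key material (hypothetical provisioning step). */
void key_slot_load(struct key_slot *s, const uint8_t *key, size_t len) {
    if (len > KEY_BYTES) len = KEY_BYTES;
    memcpy(s->psk, key, len);
    s->psk_len = len;
    s->loaded = 1;
}

/* The "zeroize button": clears unconditionally, then verifies the result.
 * Returns 1 when the slot is confirmed clear. */
int key_slot_zeroize(struct key_slot *s) {
    secure_zero(s->psk, sizeof s->psk);
    s->psk_len = 0;
    s->loaded = 0;
    return key_slot_is_clear(s);
}

/* Disposal gate: a unit may leave the building only once it is clear. */
int ready_for_disposal(const struct key_slot *s) {
    return key_slot_is_clear(s);
}

/* Round trip used for self-checking: load, confirm not disposable,
 * zeroize, confirm disposable. Returns 1 on success, 0 otherwise. */
int zeroize_roundtrip_ok(void) {
    struct key_slot s = {0};
    const uint8_t k[] = "constructed-demo-psk";   /* constructed sample key */
    key_slot_load(&s, k, sizeof k - 1);
    if (ready_for_disposal(&s)) return 0;        /* must be blocked while loaded */
    if (!key_slot_zeroize(&s)) return 0;         /* zeroize must verify clean */
    return ready_for_disposal(&s);
}

int main(void) {
    printf("zeroize round trip %s\n", zeroize_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The disposal gate is the part the story is missing: without a verifiable "is it clear?" check there is no way for whoever sells or scraps the unit to know the keys are gone, which is exactly the uncertainty the post describes.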

  10. Re:excuse me??? by Nursie · · Score: 4, Insightful

    Actually, I'm surprised that this so-called "Security Expert" plugged it into his network and allowed it to do that without first looking at what went on when he started it up in isolation.

  11. Missed opportunity by Rob T Firefly · · Score: 3, Funny

    Shame they didn't think to advertise the stored login on the item's eBay description. They could probably have gotten more than 99p for it.

  12. Re:Defense in Depth by MyLongNickName · · Score: 4, Insightful

    Your lock/alarm analogy is fair. In this case however, it seems that they have locks they don't lock because of the alarm system. And they have an alarm system they don't turn on because of the locks.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  13. Re:excuse me??? by confused one · · Score: 4, Insightful

    wanna bet that the username and password that got him into the vpn in the first place is a valid username and password in the domain?

  14. Security expert my ass by Toll_Free · · Score: 2, Insightful

    Anyone else wonder why the fuck a so called "security expert" plugged a device blindly into his network?

    I mean, really now. I haven't done any security work in a long time now, but still... Buying something for around 2 to 3 dollars (a security device, no less) off EBay then just "plugging it in" to a production network should cost this idiot his job.

    And posting it to Slashdot should cost him his professional reputation.

    Stupidity at its finest.

    --Toll_Free

    1. Re:Security expert my ass by grnbrg · · Score: 2, Insightful

      Yeah, I agree!

      I mean, at very least, he should have plugged it in to a secure network, and sniffed it a bit to see if it phoned home, or something.

      Oh, wait...

  15. Re:Just like beer by crunch_ca · · Score: 3, Funny

    [Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.

    Yay, I can hardly wait for the 64-bit port of this application!

  16. Re:Just like beer by xaxa · · Score: 2, Funny

    [Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.

    Yay, I can hardly wait for the 64-bit port of this application!

    Hopefully it's open source, or I'm in trouble:

    0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 18446744073709551615 bottles of beer on the wall.

  17. Re:Defense in Depth by Kent Recal · · Score: 4, Insightful

    Well, given how carelessly they treat their first layer of defense (VPN access) I wouldn't put much confidence in their other layers (if any) either. This whole story just screams INCOMPETENCE in bold and all caps. I doubt very much that the same people who are stupid enough to sell critical hardware on eBay are in any way capable of maintaining a secure network, even if their life depended on it.

  18. Re:Council explanation? by u38cg · · Score: 2, Informative

    It covers what would be roughly a county in the US, area wise. They are fairly toothless beings, in that their roles are fairly clearly spelt out for them and their purse strings are fairly tightly held by central government (thank goodness). They run most of the government services you would expect to interact with regularly, like schools, road maintenance, parks, inspecting eateries, that kind of thing.

    The incompetence of councils is limited, because they are overseen quite closely by central government, who can and do step in and roll heads if there are systemic failures. That said, most of the really egregious examples of corruption in the UK tend to come from local government.

    --
    [FUCK BETA]
  19. Re:my 2 pence by Missing_dc · · Score: 2, Funny

    I could really go for some shaved beaver right about now.

    This being slashdot, finding beavers here is rare, shaved even more so, but an earlier post mentioned Bears. Perhaps they will do for you?

    (I know we should not feed the trolls, but this one sounds really hungry)

    --
    How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
  20. Re:Defense in Depth by jonbryce · · Score: 2, Insightful

    But usually the VPN password and the server password are the same.

  21. Re:Defense in Depth by Sancho · · Score: 2, Insightful

    In reality security is a process and their processes are obviously broken. No person (no matter whether it is the one who set up their network or not) should be allowed to just go pick up a router and sell it on eBay. If they feel a need to cash in on their old hardware then there must be a clear process for that which includes "make really sure that all sensitive data is wiped from any device you intend to sell".

    Of course it's a process, but it's a human process. Mistakes are made. Repeat mistakes of this nature should absolutely be a grounds for termination. Yet for some reason, commentators on Internet forums insist on dehumanizing the entire process and calling for the head of anyone who slips up.

    Want to know what probably happened? A bunch of equipment was being replaced, and the rest trashed. Someone knew this and grabbed some of it to sell on eBay, hoping to make a quick quid. The devices were probably already off of inventory by this time, so no one was the wiser, but the guy (or girl) who took the equipment didn't know about the security procedure.

    I base that off of my understanding of Cisco contracts. A friend works for a company which uses Cisco gear. In the contract, they are supposed to destroy most of the gear they get from Cisco (after it's no longer in use), and in return, they get discounts on replacements. They're subject to various financial penalties (not the least of which is the cessation of the discount) if any employees are found to have sold equipment on the secondary market. The idea is that Cisco doesn't want to flood the market with old gear that's still perfectly serviceable, but they don't want to take the time to refurbish it or destroy it themselves.

    I could easily see something similar being the case here.
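
Kaboom13's point that wiping a config is easy and Sancho's point that disposal needs a clear "make sure it is wiped" step both come down to a check somebody has to run before a unit leaves. As an added example (not code from either post, and not a Cisco tool), here is a small disposal gate that scans an exported IOS-style configuration for lines that still carry credentials. The keyword markers are real IOS configuration keywords; which ones matter, the two sample configs and the function names are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Keywords that introduce credential-bearing lines in an IOS-style config.
 * These are real IOS keywords; treating this list as "what matters for
 * disposal" is an assumption of the example, and it is not exhaustive. */
static const char *SECRET_MARKERS[] = {
    "enable secret", "enable password", "password 7", "password 0",
    "crypto isakmp key", "pre-shared-key", "tacacs-server key",
    "radius-server key", "snmp-server community", NULL
};

/* Count the lines in cfg that still carry at least one credential marker.
 * Each line is counted once even if it matches several markers. */
int count_leftover_secrets(const char *cfg) {
    int count = 0;
    const char *line = cfg;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;   /* truncate very long lines */
        memcpy(buf, line, len);
        buf[len] = '\0';
        for (const char **m = SECRET_MARKERS; *m; m++) {
            if (strstr(buf, *m)) { count++; break; }
        }
        line = end ? end + 1 : line + strlen(line);
    }
    return count;
}

/* Disposal gate: 1 only when the export carries no credential markers. */
int safe_to_release(const char *cfg) {
    return count_leftover_secrets(cfg) == 0;
}

/* Constructed config export of a unit pulled from service (not a real dump;
 * every secret value is a placeholder). */
const char *DECOMMISSIONED_CFG =
    "hostname vpn-edge-01\n"
    "enable secret 5 $1$CONSTRUCTED$notarealhash\n"
    "username remote-admin password 7 CONSTRUCTEDPLACEHOLDER\n"
    "crypto isakmp key CONSTRUCTED-PSK address 0.0.0.0\n"
    "interface FastEthernet0/0\n"
    " ip address 192.0.2.1 255.255.255.0\n";

/* The same unit after its startup configuration was erased. */
const char *ERASED_CFG =
    "hostname Router\n"
    "interface FastEthernet0/0\n"
    " no ip address\n";

int main(void) {
    printf("decommissioned export: %d credential line(s), release=%s\n",
           count_leftover_secrets(DECOMMISSIONED_CFG),
           safe_to_release(DECOMMISSIONED_CFG) ? "yes" : "NO");
    printf("erased export: %d credential line(s), release=%s\n",
           count_leftover_secrets(ERASED_CFG),
           safe_to_release(ERASED_CFG) ? "yes" : "NO");
    return 0;
}
```

The gate is deliberately pessimistic: a single surviving pre-shared key or type-7 password blocks release, which is the failure the council's process evidently lacked. It checks a text export only; a unit that keeps keys outside the startup configuration still needs the zeroize step a proper crypto box would offer.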