Slashdot Mirror

← Back to Stories (view on slashdot.org)

Council Sells Security Hole On Ebay

Posted by CmdrTaco on from the only-as-good-as-your-weakest-link dept.

Barence writes "A security expert was stunned to discover a VPN device he'd bought on Ebay automatically connected to a local council's confidential servers. Bought for just 99p for use at work, when plugged in it automatically connected with the login details which had been carelessly left on the device. 'The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really,' says the intrusion-detection professional. The council says it is 'deeply concerned' by the news, but is confident that 'multiple layers of security have prevented access to systems and data.'"

20 of 147 comments (clear)

  1. Layers of Security by MyLongNickName · · Score: 5, Insightful

    Am I the only one who cringes when hearing the phrase "multiple layers of security". It is like a process where you have five people proof read something to check for mistakes, but none of the five bears any responsibility if a typo goes through. Invariably, 80% of the mistakes make it to print.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:Layers of Security by FireStormZ · · Score: 5, Insightful

      "Am I the only one who cringes when hearing the phrase "multiple layers of security". It is like a process where you have five people proof read something to check for mistakes, but none of the five bears any responsibility if a typo goes through."

      Never, in the history of man has the true process of government been summed up so well!

      --
      "Ahh! Arrogance and stupidity in the same package, how efficient of you!" --Londo Molari
    2. Re:Layers of Security by FredFredrickson · · Score: 5, Funny

      By layers of security, I'm sure he meant something along the lines of "Even if you can connect to our network printers on the windows server- you can't use them! Heck, we still can't figure out how to use them. Actually if you figure out how to get them to work, can you get the print jobs started? There's probably a couple hundred print jobs waiting.

      Oh and you probably can't access any files on our network, because in this HIGH security office, we don't even have network shares or anything of the like. Nopers, we email documents to eachother. Good luck catching us, dude. LAYERS. LAYERS AND LAYERS of security."

      --
      Belief? Hope? Preference?The Existential Vortex
    3. Re:Layers of Security by darkmeridian · · Score: 4, Insightful

      It also is concerning because if you get used to failure as acceptable then each layer is going to become increasingly compromised until you have no protection at all. You will have multiple layers of protection only if you maintain each and every layer as though it were the only layer of protection.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    4. Re:Layers of Security by Fx.Dr · · Score: 5, Funny

      ...but none of the five bears...

      I dunno, five bears can be pretty scary. I'd be sure to stay away from that network.

    5. Re:Layers of Security by FireStormZ · · Score: 4, Insightful

      "You think thats unique to government?"

      Its not unique to government but it is ubiquitous within government!

      "Have you never worked in a private company?"

      Yup some are like this and some are not.. More often than not the companies which are like this die or, at the very least, change leadership.

      "A massive slice of incompentence and stupidity is the one thing ALL human endeavour together."

      Aye' but the instituted practice of making people not *responsible* for their stupidity is a pillar of government bodies..

      --
      "Ahh! Arrogance and stupidity in the same package, how efficient of you!" --Londo Molari
    6. Re:Layers of Security by TobyWong · · Score: 4, Funny

      Ahh yes, the infamous PC LOAD LETTER firewall! Impervious to all but the most clever hackers.

      --
      - Toby
  2. Typo in the summary by zappepcs · · Score: 5, Insightful

    The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data.""

    but is confident that "multiple layers of security have prevented the council from knowing if anyone has had or does have access to systems and data.""

    There.. that's better
     

    --
    Support NYCountryLawyer RIAA vs People
  3. Erm...Layers? by Sj0 · · Score: 5, Insightful

    Once someone has a VPN tunnel directly into your network, any protection from outside attacks is automatically bypassed. What's left? A collection of passwords?

    --
    It's been a long time.
  4. VPN Access Not The End of the World by Kaboom13 · · Score: 4, Insightful

    While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world. You should never be assuming traffic coming from the LAN side is "safe" anyways, and require additional authentication every step of the way. Lots of orgs give their home employees/remote offices VPN access and these machines can generally be easily compromised. TFA is short on details but if the admins have been doing their job he probably would not have been able to compromise anything more then some network printers. That said, their disposal department needs a good slapping, wiping configs from Cisco devices is ussually very easy.

    1. Re:VPN Access Not The End of the World by Attaturk · · Score: 4, Insightful

      While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world.

      Point being this was a local government network. The chances of it being designed right, let alone thoroughly maintained, are slim to none. Professionals outside IT must be educated not to rely on our l337 sysadmin skills else IT people will always carry the can when the shit hits the fan. I know it's a mixed metaphor but it rhymes so screw you. ;)

      People, in and outside of IT, need to understand (read: be taught) that government networks are not only vulnerable but also highly attractive to spammers, scammers, identity fraudsters and the like. This means that meatspace security is even more, not less, important in these environments.

      The strongest wall-safe in the world is useless if you leave the combination on a piece of paper on your desk. If you believe that noone could get past the formidable building security to read what's on your desk, your safe is probably already bare.

  5. What's the weirdest story like this? by Beryllium+Sphere(tm) · · Score: 5, Interesting

    A colleague where I live bought a set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.

    The passwords were for a Department of Energy facility with nuclear activities.

    I bet someone here has heard of an even weirder event.

  6. Re:I don't know... by russotto · · Score: 4, Funny

    Would a security expert really by "stunned" by this? Sounds like business as usual to me.

    Never seen Casablanca, have you?

    Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
    [a croupier hands Renault a pile of money]
    Croupier: Your winnings, sir.

  7. Crypto without a "zeroize" button. by Animats · · Score: 4, Informative

    The problem is that this is a crypto box without a "zeroize" button.

    A VPN device is, among other things, a crypto unit. Real crypto units are very explicit about key control. Sometimes, the key is in a removable and easy-to-destroy form. On units with internal key storage, there's a guarded "zeroize" button that clears all keys to zero.

    Cisco didn't provide either a "zeroize" button or a removable key. So there's no easy way to scrub the thing before selling it, or to be sure it was scrubbed.

  8. Re:excuse me??? by Nursie · · Score: 4, Insightful

    Actually, I'm suprised that this so-called "Security Expert" plugged it into his network and allowed it to do that without first looking at what went on when he started it up in isolation.

  9. Missed opportunity by Rob+T+Firefly · · Score: 3, Funny

    Shame they didn't think to advertise the stored login on the item's eBay description. They could probably have gotten more than 99p for it.

    --
    Slashdot Burying Stories About Slashdot Media Owned
  10. Re:Defense in Depth by MyLongNickName · · Score: 4, Insightful

    Your lock/alarm analogy is fair. In this case however, it seems that they have locks they don't lock because of the alarm system. And they have an alarm system they don't turn on because of the locks.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  11. Re:excuse me??? by confused+one · · Score: 4, Insightful

    wanna bet that the username and password that got him into the vpn in the first place is a valid username and password in the domain?

  12. Re:Just like beer by crunch_ca · · Score: 3, Funny

    [Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.

    Yay, I can hardly wait for the 64-bit port of this application!

  13. Re:Defense in Depth by Kent+Recal · · Score: 4, Insightful

    Well, given how carelessly they treat their first layer of defense (VPN access) I wouldn't put much confidence in their other layers (if any) either. This whole story just screams INCOMPETENCE in bold and all caps. I doubt very much that the same people who are stupid enough to sell critical hardware on eBay are in any way capable of maintaining a secure network, even if their life depended on it.