Council Sells Security Hole On Ebay

Posted by CmdrTaco on Mon Sep 29, 2008 10:34 AM
from the only-as-good-as-your-weakest-link dept.
Barence writes "A security expert was stunned to discover a VPN device he'd bought on Ebay automatically connected to a local council's confidential servers. Bought for just 99p for use at work, when plugged in it automatically connected with the login details which had been carelessly left on the device. 'The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really,' says the intrusion-detection professional. The council says it is 'deeply concerned' by the news, but is confident that 'multiple layers of security have prevented access to systems and data.'"

Related Stories

[+] Your Rights Online: MI6 Terror Photos, Data Accidentally Sold On Ebay 317 comments
Barence writes "In what's turning out to be a bad week for security in the UK, confidential MI6 documents, fingerprints and photos relating to suspected Al-Qaeda terrorists have been found in the memory of the second-hand Nikon Coolpix camera, which was bought on eBay for only £17. The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC. Remember, this is the same MI6 which plans to recruit new members via Facebook, a userbase not exactly famous for its dedication to privacy, security and discretion. The news comes on the back of yesterday's embarrassment over a local council whose VPN device ended up on eBay with confidential login details left on it."
  • Layers of Security (Score:5, Insightful)

    by MyLongNickName (822545) on Monday September 29 2008, @10:37AM (#25194323) Journal

    Am I the only one who cringes when hearing the phrase "multiple layers of security"? It is like a process where you have five people proofread something to check for mistakes, but none of the five bears any responsibility if a typo goes through. Invariably, 80% of the mistakes make it to print.

    • by FireStormZ (1315639) on Monday September 29 2008, @10:43AM (#25194385)

      "Am I the only one who cringes when hearing the phrase "multiple layers of security"? It is like a process where you have five people proofread something to check for mistakes, but none of the five bears any responsibility if a typo goes through."

      Never, in the history of man has the true process of government been summed up so well!

        • by FireStormZ (1315639) on Monday September 29 2008, @12:09PM (#25195309)

          "You think that's unique to government?"

          It's not unique to government, but it is ubiquitous within government!

          "Have you never worked in a private company?"

          Yup, some are like this and some are not. More often than not the companies which are like this die or, at the very least, change leadership.

          "A massive slice of incompetence and stupidity is the one thing ALL human endeavour together."

          Aye, but the instituted practice of making people not *responsible* for their stupidity is a pillar of government bodies.

    • by FredFredrickson (1177871) * on Monday September 29 2008, @10:43AM (#25194387) Homepage Journal
      By layers of security, I'm sure he meant something along the lines of "Even if you can connect to our network printers on the windows server- you can't use them! Heck, we still can't figure out how to use them. Actually if you figure out how to get them to work, can you get the print jobs started? There's probably a couple hundred print jobs waiting.

      Oh, and you probably can't access any files on our network, because in this HIGH security office, we don't even have network shares or anything of the like. Nopers, we email documents to each other. Good luck catching us, dude. LAYERS. LAYERS AND LAYERS of security."
    • It also is concerning because if you get used to failure as acceptable then each layer is going to become increasingly compromised until you have no protection at all. You will have multiple layers of protection only if you maintain each and every layer as though it were the only layer of protection.

    • by Fx.Dr (915071) on Monday September 29 2008, @11:06AM (#25194633)
      ...but none of the five bears...

      I dunno, five bears can be pretty scary. I'd be sure to stay away from that network.
    • No, it's defense in depth [wikipedia.org]. It's like having locks on your house, and also having an alarm system. That's more secure than having just locks or just an alarm system. On a computer, it's like using a secure browser and also having a firewall and also anti-virus software.
      • by MyLongNickName (822545) on Monday September 29 2008, @11:19AM (#25194787) Journal

        Your lock/alarm analogy is fair. In this case however, it seems that they have locks they don't lock because of the alarm system. And they have an alarm system they don't turn on because of the locks.

        • From the article, it seems like the VPN device gave access to the network, but the systems and data on that network are protected by another layer of security. I'm guessing they're referring to passwords. It's like a lock on a server room door in addition to the lock on the door to the offices.
          • by Kent Recal (714863) on Monday September 29 2008, @12:01PM (#25195227)

            Well, given how carelessly they treat their first layer of defense (VPN access) I wouldn't put much confidence in their other layers (if any) either. This whole story just screams INCOMPETENCE in bold and all caps. I doubt very much that the same people who are stupid enough to sell critical hardware on eBay are in any way capable of maintaining a secure network, even if their life depended on it.

                • Re: (Score:3, Insightful)

                  In reality security is a process and their processes are obviously broken. No person (no matter whether it is the one who set up their network or not) should be allowed to just go pick up a router and sell it on eBay. If they feel a need to cash in on their old hardware then there must be a clear process for that which includes "make really sure that all sensitive data is wiped from any device you intend to sell".

                  Of course it's a process, but it's a human process. Mistakes are made. Repeat mistakes of this nature should absolutely be a grounds for termination. Yet for some reason, commentators on Internet forums insist on dehumanizing the entire process and calling for the head of anyone who slips up.

                  Want to know what probably happened? A bunch of equipment was being replaced, and the rest trashed. Someone knew this and grabbed some of it to sell on eBay, hoping to make a quick quid. The devices were proba

          • Re: (Score:3, Insightful)

            But usually the VPN password and the server password are the same.

    • Re: (Score:3, Interesting)

      I tooled around on a client of ours' network the other day. We installed a server there and at their request (needed to add that to cover my butt) I had to load a file on one of their PCs for a guy to install.

      (The only main difference between this scenario and mine was I had a Linux (running gentoo) server on their lan. Here the guy had vpn access and thus he could VPN in and have a linux box on their lan.)

      My problem was that I had no idea what the IP address of the laptop was where I needed to place the f

      • I will agree with you very much. However in practice I hear it used to shrug off any concerns about one "layer" failing. Perhaps it is just my experience.

        • I definitely see your point, but this is exactly what the layer model should allow.

          If there was a massive breach of our firewall, but due to careful network configuration nobody was able to get in, I'd feel pretty damn good about myself.

          Of course, I would then fix the issue with the firewall... which is really the critical step.

  • by zappepcs (820751) on Monday September 29 2008, @10:40AM (#25194347) Journal

    The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data."

    but is confident that "multiple layers of security have prevented the council from knowing if anyone has had or does have access to systems and data."

    There... that's better.

  • "multiple layers of security have prevented access to systems and data."

    the fact is that the guy already had access to the systems. Were they not paying attention?

    • the fact is that the guy already had access to the systems.

      Access to a normally inaccessible private network is not the same as access to systems on that private network.

      Although with IT staff this incompetent, I'd expect any next step(s) to be trivial with a real hacker behind the steering wheel (as opposed to a white hat guy like in this case).

    • Re:excuse me??? (Score:5, Insightful)

      by Nursie (632944) on Monday September 29 2008, @11:09AM (#25194691) Homepage

      Actually, I'm surprised that this so-called "Security Expert" plugged it into his network and allowed it to do that without first looking at what went on when he started it up in isolation.

  • Erm...Layers? (Score:5, Insightful)

    by Sj0 (472011) on Monday September 29 2008, @10:42AM (#25194377) Homepage Journal

    Once someone has a VPN tunnel directly into your network, any protection from outside attacks is automatically bypassed. What's left? A collection of passwords?

    • Zone Alarm! :)

      Actually what is left are a handful of machines that aren't regularly patched or have passwords because they figured they were safe behind the firewall.

    • Re: (Score:3, Insightful)

      Well, most VPNs just create secure access at the TCP level. If it is a Windows network you still have to log into the network itself. It is understood, though, that the fact VPN access is required probably means there are a few open servers and user machines that have unprotected shares because of the false security of the VPN.

    • The VPN puts people into a DMZ for precisely this reason, and then you have to authenticate with the DMZ border gateway (firewall in other words) for any access to backend resources. Never, ever, should a VPN put you directly onto the trusted LAN - you don't ever trust the other end of the VPN, the 'dumb' office worker may have a virus infested home network.
  • +1 to the UK government data breach tally.

    • the count now reads -2 147 483 647

      • [Nomenumbra] 1 bottle of beer on the wall, 1 bottle of beer, you take 1 down, pass it around, 0 bottles of beer on the wall.
        [Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.
        • [Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.

          Yay, I can hardly wait for the 64-bit port of this application!

          • Re: (Score:3, Funny)

            [Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.

            Yay, I can hardly wait for the 64-bit port of this application!

            Hopefully it's open source, or I'm in trouble:

            0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 18446744073709551615 bottles of beer on the wall.
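The wraparound the joke above is playing on, as an added C example that is not part of the thread: unsigned subtraction wraps modulo 2^N, so "0 minus 1" becomes 4294967295 in 32 bits and 18446744073709551615 in 64 bits, and the fix is to check the subtraction before trusting the result. The checked variant assumes a GCC/Clang compiler for `__builtin_sub_overflow`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked "take one down": unsigned arithmetic never goes negative,
   it wraps. With 0 bottles this yields UINT32_MAX (4294967295). */
uint32_t take_one_down_u32(uint32_t bottles) {
    return bottles - 1u;
}

/* Same defect in the "64-bit port": 0 - 1 wraps to UINT64_MAX
   (18446744073709551615). Wider types only move the bug, they don't fix it. */
uint64_t take_one_down_u64(uint64_t bottles) {
    return bottles - 1u;
}

/* Checked version: __builtin_sub_overflow (GCC/Clang builtin, assumed here)
   computes the exact difference and returns true if it does not fit in *out.
   On underflow we report failure and leave *out untouched, so the caller
   cannot accidentally use a wrapped count as a loop bound or buffer size. */
bool take_one_down_checked(uint64_t bottles, uint64_t *out) {
    uint64_t result;
    if (__builtin_sub_overflow(bottles, 1u, &result)) {
        return false;   /* would wrap: refuse rather than hand back UINT64_MAX */
    }
    *out = result;
    return true;
}

int main(void) {
    uint64_t n = 0;
    printf("32-bit: %u\n", take_one_down_u32(0));
    printf("64-bit: %llu\n", (unsigned long long)take_one_down_u64(0));
    if (!take_one_down_checked(0, &n)) {
        puts("checked: no bottles left, refusing to wrap");
    }
    return 0;
}
```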

  • Would a security expert really be "stunned" by this? Sounds like business as usual to me.

    • by russotto (537200) on Monday September 29 2008, @10:49AM (#25194467) Journal

      Would a security expert really be "stunned" by this? Sounds like business as usual to me.

      Never seen Casablanca, have you?

      Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
      [a croupier hands Renault a pile of money]
      Croupier: Your winnings, sir.

  • While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world. You should never be assuming traffic coming from the LAN side is "safe" anyway, and require additional authentication every step of the way. Lots of orgs give their home employees/remote offices VPN access and these machines can generally be easily compromised. TFA is short on details but if the admins have been doing their job he probably would not have been able to compromise anything more than some network printers. That said, their disposal department needs a good slapping, wiping configs from Cisco devices is usually very easy.

    • by Attaturk (695988) on Monday September 29 2008, @11:19AM (#25194781) Homepage

      While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world.

      Point being this was a local government network. The chances of it being designed right, let alone thoroughly maintained, are slim to none. Professionals outside IT must be educated not to rely on our l337 sysadmin skills else IT people will always carry the can when the shit hits the fan. I know it's a mixed metaphor but it rhymes so screw you. ;)

      People, in and outside of IT, need to understand (read: be taught) that government networks are not only vulnerable but also highly attractive to spammers, scammers, identity fraudsters and the like. This means that meatspace security is even more, not less, important in these environments.

      The strongest wall-safe in the world is useless if you leave the combination on a piece of paper on your desk. If you believe that no one could get past the formidable building security to read what's on your desk, your safe is probably already bare.

    • Agreed.

      We have a dozen or so users on the VPN. How many of them do you think have access to any services just based on the fact they are 'on the network.' Frankly the only thing you can do once you're on the network is ping other machines on the network. You must still authenticate as a valid user with appropriate access rights to get to any data. Once you get that far, if what you are wanting is in any way sensitive, you either need the password or key to unencrypt the file, or if it's a web service

  • by Beryllium Sphere(tm) (193358) on Monday September 29 2008, @10:47AM (#25194445) Homepage Journal

    A colleague where I live bought a set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.

    The passwords were for a Department of Energy facility with nuclear activities.

    I bet someone here has heard of an even weirder event.

    • Well, what happened to me wasn't really that weird but it was kind of interesting...

      I purchased a couple of old Indigo2s a few years back, paid something like $50 each for them, and when I tried booting the first one I found out that the root password was "root" and that it automatically mounted several NFS mounts belonging to the previous owner, a special effects company in California.

      In retrospect I should probably have either alerted them of the problem or at least snooped around just a little more,

      • Even weirder? How about an anonymous coward requesting citation from a non-anon?

        set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.

        I've never seen computing equipment, let alone routers, at Goodwill, and yes, I shop there.

        The passwords were for a Department of Energy facility with nuclear activities.

        Citation needed. How was it known to be DOE?

        Based on my experience at Goodwill and at DOE sites, I'd say this is quite plausible, though statistically unlikely. Passwords to a router running in a DOE lab are pretty much useless, though.

  • Americans fear that private companies will steal all their data. The British prefer the approach of giving it all away to everyone, in a variety of useful formats! [today.com]

    The ineptitude in government at all levels in this country about data security is bloody jawdropping. Interesting news today is that the cabinet official who left some direly secret stuff on a train is getting prosecuted under the Official Secrets Act. [bbc.co.uk] This is hopefully more than security theatre itself.

  • by Animats (122034) on Monday September 29 2008, @11:06AM (#25194635) Homepage

    The problem is that this is a crypto box without a "zeroize" button.

    A VPN device is, among other things, a crypto unit. Real crypto units are very explicit about key control. Sometimes, the key is in a removable and easy-to-destroy form. On units with internal key storage, there's a guarded "zeroize" button that clears all keys to zero.

    Cisco didn't provide either a "zeroize" button or a removable key. So there's no easy way to scrub the thing before selling it, or to be sure it was scrubbed.

    • Actually, Cisco reported that they provide extensive instructions on exactly how to do this sort of thing, and that the blame lies squarely with whatever admin just gave it away.

  • I only sort of understand what a Council is. It's a local governmental body, but what is it analogous to in the United States? Is it more like a State, County, or Township government, in its size and exercise of power? It would add some meaning to the story. I wouldn't be at all surprised if that happened on the county level or lower, here in the States. There is also a great deal of variance in the size and competency of County governments depending on the county. Is that also true in the UK? If so, where
    • Re: (Score:3, Informative)

      It covers what would be roughly a county in the US, area wise. They are fairly toothless beings, in that their roles are fairly clearly spelt out for them and their purse strings are fairly tightly held by central government (thank goodness). They run most of the government services you would expect to interact with regularly, like schools, road maintenance, parks, inspecting eateries, that kind of thing.

      The incompetence of councils is limited, because they are overseen quite closely by central governm

  • by Rob T Firefly (844560) on Monday September 29 2008, @11:13AM (#25194729) Homepage Journal
    Shame they didn't think to advertise the stored login on the item's eBay description. They could probably have gotten more than 99p for it.
  • Was it the council of 13's confidential servers? 'Cause I'd really like to know who off'd Jonas Venture Sr.

  • Anyone else wonder why the fuck a so called "security expert" plugged a device blindly into his network?

    I mean, really now. I haven't done any security work in a long time now, but still... Buying something for around 2 to 3 dollars (a security device, no less) off eBay then just "plugging it in" to a production network should cost this idiot his job.

    And posting it to Slashdot should cost him his professional reputation.

    Stupidity at its finest.

    --Toll_Free

    • Re: (Score:3, Insightful)

      Yeah, I agree!

      I mean, at very least, he should have plugged it in to a secure network, and sniffed it a bit to see if it phoned home, or something.

      Oh, wait...

  • It was a used device that the previous owner did not clear properly. Their policies and processes for destruction and sanitization are apparently lacking. This happens at a lot of places.

    It would be one thing if this was straight into the DoD, but this is some little town council from what I can tell.

    • I could really go for some shaved beaver right about now.

      This being slashdot, finding beavers here is rare, shaved even more so, but an earlier post mentioned Bears. Perhaps they will do for you?

      (I know we should not feed the trolls, but this one sounds really hungry)