Council Sells Security Hole On Ebay
Barence writes "A security expert was stunned to discover a VPN device he'd bought on Ebay automatically connected to a local council's confidential servers. Bought for just 99p for use at work, when plugged in it automatically connected with the login details which had been carelessly left on the device. 'The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really,' says the intrusion-detection professional. The council says it is 'deeply concerned' by the news, but is confident that 'multiple layers of security have prevented access to systems and data.'"
Layers of Security (Score:5, Insightful)
Am I the only one who cringes when hearing the phrase "multiple layers of security"? It is like a process where you have five people proofread something to check for mistakes, but none of the five bears any responsibility if a typo goes through. Invariably, 80% of the mistakes make it to print.
Re:Layers of Security (Score:5, Insightful)
"Am I the only one who cringes when hearing the phrase "multiple layers of security"? It is like a process where you have five people proofread something to check for mistakes, but none of the five bears any responsibility if a typo goes through."
Never, in the history of man has the true process of government been summed up so well!
Re: (Score:2, Funny)
You didn't read the rest of the article.
> The council says it is "deeply concerned" by the news, but is confident that
> "multiple layers of security have prevented access to systems and data."
The article continues.
"Indeed, a fax sent by the council to local news outlets later that day confirmed that '[the council's] servers were never breached and we've **CAMILLA P-B IS A HORSEFACE!!!!!!**"
Re: (Score:2, Insightful)
Really? You think that's unique to government? Have you never worked in a private company? Never read TheDailyWTF? Noticed anything happen on Wall Street in the past week?
A massive slice of incompetence and stupidity is the one thing ALL human endeavour together.
Re:Layers of Security (Score:5, Insightful)
"You think that's unique to government?"
It's not unique to government, but it is ubiquitous within government!
"Have you never worked in a private company?"
Yup, some are like this and some are not. More often than not the companies which are like this die or, at the very least, change leadership.
"A massive slice of incompetence and stupidity is the one thing ALL human endeavour together."
Aye, but the instituted practice of making people not *responsible* for their stupidity is a pillar of government bodies.
I'm surprised they keep stuff like that on the desktop machines.
Re:Layers of Security (Score:5, Funny)
Oh, and you probably can't access any files on our network, because in this HIGH security office, we don't even have network shares or anything of the like. Nopers, we email documents to each other. Good luck catching us, dude. LAYERS. LAYERS AND LAYERS of security.
Re:Layers of Security (Score:5, Funny)
Ahh yes, the infamous PC LOAD LETTER firewall! Impervious to all but the most clever hackers.
Re:Layers of Security (Score:5, Insightful)
It also is concerning because if you get used to failure as acceptable then each layer is going to become increasingly compromised until you have no protection at all. You will have multiple layers of protection only if you maintain each and every layer as though it were the only layer of protection.
Re: (Score:2)
That's actually a really good statement. Treating every layer as 'the only layer' rather than saying 'oh, it's fine, we still have (x-1) layers left' is a good security practice, I think. Otherwise, you end up with a slippery slope, and no protection.
Re: (Score:2)
It's like having on multiple condoms, but each with a hole in it somewhere. It might be a little more difficult, but one of the little buggers is bound to get through one day, and then there's no turning back from there.
Re: (Score:1)
Of course there should be multiple layers of security. Do you trust that your firewall will block all malicious traffic and leave all your accounts password free? Do you turn off anti-virus on the desktop because you run it on the mail server?
Yes, there has to be proper acknowledgment when any one piece fails, even if it doesn't result in any kind of breach.
Re: (Score:3, Insightful)
I will agree with you very much. However in practice I hear it used to shrug off any concerns about one "layer" failing. Perhaps it is just my experience.
Re: (Score:2)
I definitely see your point, but this is exactly what the layer model should allow.
If there was a massive breach of our firewall, but due to careful network configuration nobody was able to get in, I'd feel pretty damn good about myself.
Of course, I would then fix the issue with the firewall... which is really the critical step.
Re: (Score:2)
Let me start a new meme on Slashdot: I agree with you.
Re: (Score:2)
Nah, that'll never work.
Re: (Score:2)
Yes and Yes
Re: (Score:2)
I'm not trying to be a spelling/grammar nazi as I make more mistakes than anyone I know... But, it's funny that as I was reading the post my eyes caught the word bear before finishing the sentence. I immediately stopped reading and skipped to that part to see how bears were involved. I was disappointed.
Oh well.
Re: (Score:3, Funny)
The three bear security system had proven inadequate.
Defense in Depth (Score:2, Informative)
Re:Defense in Depth (Score:5, Insightful)
Your lock/alarm analogy is fair. In this case however, it seems that they have locks they don't lock because of the alarm system. And they have an alarm system they don't turn on because of the locks.
And with full access to the network, it is impossible to get a password or login?! What are you smoking, and can you share?
Re:Defense in Depth (Score:5, Insightful)
Well, given how carelessly they treat their first layer of defense (VPN access) I wouldn't put much confidence in their other layers (if any) either. This whole story just screams INCOMPETENCE in bold and all caps. I doubt very much that the same people who are stupid enough to sell critical hardware on eBay are in any way capable of maintaining a secure network, even if their life depended on it.
Re: (Score:2)
Well, yes that's probably the exact lame excuse that they will make.
In reality security is a process and their processes are obviously broken. No person (no matter whether it is the one who set up their network or not) should be allowed to just go pick up a router and sell it on eBay. If they feel a need to cash in on their old hardware then there must be a clear process for that which includes "make really sure that all sensitive data is wiped from any device you intend to sell".
Anyways, what happened here
Re: (Score:3, Insightful)
In reality security is a process and their processes are obviously broken. No person (no matter whether it is the one who set up their network or not) should be allowed to just go pick up a router and sell it on eBay. If they feel a need to cash in on their old hardware then there must be a clear process for that which includes "make really sure that all sensitive data is wiped from any device you intend to sell".
Of course it's a process, but it's a human process. Mistakes are made. Repeat mistakes of this nature should absolutely be a grounds for termination. Yet for some reason, commentators on Internet forums insist on dehumanizing the entire process and calling for the head of anyone who slips up.
Want to know what probably happened? A bunch of equipment was being replaced, and the rest trashed. Someone knew this and grabbed some of it to sell on eBay, hoping to make a quick quid. The devices were proba
Re: (Score:2)
I really don't understand why people keep making excuses like that.
Yes, of course someone screwed up (intentionally or not), and that someone was a human.
Processes, and especially security processes, exist to prevent that very situation.
Why was the process of trashing the equipment not properly monitored?
How can it happen that a critical device goes out of the inventory without a supervised cleansweep?
Why did nobody feel responsible for signing off the now missing hardware?
Well, obviously because nothing of tha
Re: (Score:3, Insightful)
But usually the VPN password and the server password are the same.
Re: (Score:3, Interesting)
I tooled around on the network of a client of ours the other day. We installed a server there and at their request (needed to add that to cover my butt) I had to load a file on one of their PCs for a guy to install.
(The only main difference between this scenario and mine was I had a Linux (running Gentoo) server on their LAN. Here the guy had VPN access and thus he could VPN in and have a Linux box on their LAN.)
My problem was that I had no idea what the IP address of the laptop was where I needed to place the f
Re: (Score:2)
A Q&D translation would be "Local Government".
Re: (Score:2)
Wrong way to look at it. You have water in a bin, and then several bins around that one. As long as you keep the water off your floor, you've done (more or less) right.
Much like walking into the front lobby of a bank after hours when the cameras are broken, there's still a vault in your way.
Typo in the summary (Score:5, Insightful)
The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data."
but is confident that "multiple layers of security have prevented the council from knowing if anyone has had or does have access to systems and data."
There.. that's better
Is anyone really surprised by this still? (Score:1)
excuse me??? (Score:2)
"multiple layers of security have prevented access to systems and data."
the fact is that the guy already had access to the systems. Were they not paying attention?
Re: (Score:2, Insightful)
the fact is that the guy already had access to the systems.
Access to a normally inaccessible private network is not the same as access to systems on that private network.
Although with IT staff this incompetent, I'd expect any next step(s) to be trivial with a real hacker behind the steering wheel (as opposed to a white hat guy like in this case).
Re: (Score:2)
I suspect it might involve nontrivial stuff like clicking "Backup Config" and downloading the config to your computer.
Re:excuse me??? (Score:5, Insightful)
Actually, I'm surprised that this so-called "Security Expert" plugged it into his network and allowed it to do that without first looking at what went on when he started it up in isolation.
good call (Score:2)
n/t
Erm...Layers? (Score:5, Insightful)
Once someone has a VPN tunnel directly into your network, any protection from outside attacks is automatically bypassed. What's left? A collection of passwords?
Re: (Score:2)
Zone Alarm! :)
Actually what is left are a handful of machines that aren't regularly patched or have passwords because they figured they were safe behind the firewall.
Re: (Score:3, Insightful)
Well, most VPNs just create secure access at the TCP level. If it is a Windows network you still have to log into the network itself. It is understood, though, that the fact that VPN access is required probably means there are a few open servers and user machines that have unprotected shares because of the false security of the VPN.
Re: (Score:2)
And you have no open shares, and anonymous browsing of your windows network is turned off, etc? I agree more with your #3 statement.
Re: (Score:2)
The VPN puts people into a DMZ for precisely this reason, and then you have to authenticate with the DMZ border gateway (firewall in other words) for any access to backend resources. Never, ever, should a VPN put you directly onto the trusted LAN - you don't ever trust the other end of the VPN, the 'dumb' office worker may have a virus infested home network.
Not quite sure how well this will prevent anything - as soon as the user's authenticated with the DMZ border gateway then any viruses can traverse the VPN tunnel.
Re: (Score:2)
The DMZ border gateway is application layer aware (it can proxy for multiple services behind it, rather than simply either routing requests or passing requests back). It sanitises all traffic to and from the VPN - if there's no reason for a VPN client to be doing something (scanning all your ports, sending out traffic to any machine other than a server for example) then there's no reason to actually allow it.
Ah, fair point, I hadn't thought of that.
Though with so much malware spreading through perfectly legitimate means of communication (e.g. email, existing Windows shares), I can't help but think that this would be of limited value in the real world.
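The DMZ placement argued for in the exchange above (VPN clients never land on the trusted LAN; only an authenticating, application-aware gateway may reach back-end hosts), written out as an added nftables ruleset that is not part of the thread. The VPN client pool, the gateway address, the LAN range and the service ports are all constructed for the illustration; the gateway is assumed to be a separate host in the DMZ so its traffic crosses this firewall's forward hook.

```nft
# Added illustration, not from the thread. All addresses and ports are constructed.
#   VPN client pool : 10.200.0.0/24   (tunnel endpoints land here, a DMZ segment)
#   Border gateway  : 10.10.0.1       (application-layer proxy that authenticates users)
#   Trusted LAN     : 192.168.50.0/24 (file servers, desktops; never reachable from the tunnel)
table inet vpn_dmz {
    set vpn_pool    { type ipv4_addr; flags interval; elements = { 10.200.0.0/24 } }
    set trusted_lan { type ipv4_addr; flags interval; elements = { 192.168.50.0/24 } }

    chain forward {
        # Default deny: a leaked VPN credential alone must buy nothing beyond the DMZ.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Tunnel -> trusted LAN is never allowed, and every attempt is logged so that a
        # device that "automatically connects" shows up in the logs rather than on a share.
        ip saddr @vpn_pool ip daddr @trusted_lan log prefix "vpn->lan blocked: " drop

        # Tunnel -> gateway, and only the proxied services (HTTPS portal, RDP proxy here).
        ip saddr @vpn_pool ip daddr 10.10.0.1 tcp dport { 443, 3389 } accept

        # Anything else from the tunnel (port scans, lateral traffic, stray protocols)
        # is logged and dropped; there is no reason for a VPN client to be doing it.
        ip saddr @vpn_pool log prefix "vpn unexpected: " drop

        # Only the gateway, after it has authenticated the user, talks to back-end hosts.
        ip saddr 10.10.0.1 ip daddr @trusted_lan tcp dport { 443, 445 } accept
    }
}
```

Loading the ruleset with `nft -f` on the firewall between the VPN concentrator and the LAN gives the two log prefixes a dedicated place to alert on; a hit on "vpn->lan blocked" is exactly the signal the council's statement claims it could rely on.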
Depends on the VPN (Score:2)
If you have a setup where there's an "inside/outside" arrangement and everything on the inside trusts everything else on the inside then sure. However that's often not the case.
For example I work at a university, and we've got a campus VPN here. To access various things in our department from off campus, you need to VPN in. However, that doesn't get you past all security. All it does is get you a campus IP address, not even a departmental IP. So, you are still outside our firewall, however it lets more thin
Re: (Score:2)
You can read the article, or you can get (+5, insightful) for a relatively useless comment that anyone could've made. I stand by my choice. The more work and thought that go into a comment, the less likely it is to be modded up.
Re: (Score:2)
After my tour in Iraq, I was promoted to the Admiralty.
Admiral Obvious.
Anyone keeping count? (Score:2)
+1 to the UK government data breach tally.
Re: (Score:3, Funny)
the count now reads -2 147 483 647
Just like beer (Score:2)
[Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.
Re: (Score:3, Funny)
Yay, I can hardly wait for the 64-bit port of this application!
Re: (Score:3, Funny)
[Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.
Yay, I can hardly wait for the 64-bit port of this application!
Hopefully it's open source, or I'm in trouble:
0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 18446744073709551615 bottles of beer on the wall.
I don't know... (Score:2)
Would a security expert really be "stunned" by this? Sounds like business as usual to me.
Re:I don't know... (Score:5, Funny)
Never seen Casablanca, have you?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
VPN Access Not The End of the World (Score:5, Insightful)
While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world. You should never be assuming traffic coming from the LAN side is "safe" anyways, and require additional authentication every step of the way. Lots of orgs give their home employees/remote offices VPN access and these machines can generally be easily compromised. TFA is short on details but if the admins have been doing their job he probably would not have been able to compromise anything more than some network printers. That said, their disposal department needs a good slapping; wiping configs from Cisco devices is usually very easy.
Re:VPN Access Not The End of the World (Score:5, Insightful)
Point being this was a local government network. The chances of it being designed right, let alone thoroughly maintained, are slim to none. Professionals outside IT must be educated not to rely on our l337 sysadmin skills else IT people will always carry the can when the shit hits the fan. I know it's a mixed metaphor but it rhymes so screw you. ;)
People, in and outside of IT, need to understand (read: be taught) that government networks are not only vulnerable but also highly attractive to spammers, scammers, identity fraudsters and the like. This means that meatspace security is even more, not less, important in these environments.
The strongest wall-safe in the world is useless if you leave the combination on a piece of paper on your desk. If you believe that no one could get past the formidable building security to read what's on your desk, your safe is probably already bare.
Re: (Score:2)
Agreed.
We have a dozen or so users on the VPN. How many of them do you think have access to any services just based on the fact they are 'on the network'? Frankly the only thing you can do once you're on the network is ping other machines on the network. You must still authenticate as a valid user with appropriate access rights to get to any data. Once you get that far, if what you are wanting is in any way sensitive, you either need the password or key to unencrypt the file, or if it's a web service
Re: (Score:2)
Also the notion of a Cisco device being extremely easy to configure is pretty funny. After you get comfortable
Re: (Score:2)
network printers with Postscript, ph34r my remote !factorial attacks!
some of them also do email and can be owned for more attacks, some are phone/fax/copier/printers giving you the scope for spam faxing and premium rate dialling attacks.
Plus, do you really want remote access to print queues at a UK govt. dept.?
HP Printers FTP Server Denial Of Service [seclists.org]
Should network printers be patched? [techtarget.com]
Idle scanning using a network printer & nmap [nmap.org]
I am heartened by your blasé approach, there's plenty of fun waiting out t
What's the weirdest story like this? (Score:5, Interesting)
A colleague where I live bought a set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.
The passwords were for a Department of Energy facility with nuclear activities.
I bet someone here has heard of an even weirder event.
Re: (Score:2)
Well, what happened to me wasn't really that weird but it was kind of interesting...
I purchased a couple of old Indigo2s a few years back, paid something like $50 each for them, and when I tried booting the first one I found out that the root password was "root" and that it automatically mounted several NFS mounts belonging to the previous owner, a special effects company in California.
In retrospect I should probably have either alerted them of the problem or at least snooped around just a little more,
Re: (Score:1)
I've seen plenty of old, crappy computer equipment at Goodwill.
Re: (Score:2)
Even weirder? How about an anonymous coward requesting citation from a non-anon?
set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.
I've never seen computing equipment, let alone routers at goodwill, and yes, I shop there.
The passwords were for a Department of Energy facility with nuclear activities.
Citation needed. How was it known to be DOE?
Based on my experience at Goodwill and at DOE sites, I'd say this is quite plausible, though statistically unlikely. Passwords to a router running in a DOE lab are pretty much useless, though.
Britain's socialist government at your service (Score:2)
Americans fear that private companies will steal all their data. The British prefer the approach of giving it all away to everyone, in a variety of useful formats! [today.com]
The ineptitude in government at all levels in this country about data security is bloody jawdropping. Interesting news today is that the cabinet official who left some direly secret stuff on a train is getting prosecuted under the Official Secrets Act. [bbc.co.uk] This is hopefully more than security theatre itself.
Crypto without a "zeroize" button. (Score:5, Informative)
The problem is that this is a crypto box without a "zeroize" button.
A VPN device is, among other things, a crypto unit. Real crypto units are very explicit about key control. Sometimes, the key is in a removable and easy-to-destroy form. On units with internal key storage, there's a guarded "zeroize" button that clears all keys to zero.
Cisco didn't provide either a "zeroize" button or a removable key. So there's no easy way to scrub the thing before selling it, or to be sure it was scrubbed.
Re: (Score:2)
Actually, Cisco reported that they provide extensive instructions on exactly how to do this sort of thing, and that the blame lies squarely with whatever admin just gave it away.
Re: (Score:2)
So there's no easy way to scrub the thing before selling it, or to be sure it was scrubbed.
Bullshit. I can't tell if you're defending the admin who let this go or not, but it kinda sounds like you're blaming the vendor for this. No fucking way is it acceptable for something like this to happen, even if Cisco came out and said "there is absolutely no way to scrub this device, it will retain its configuration forever no matter what you do." Don't sell the device. Put it in a closet and write "destroy" on it with a sharpie. Or just fucking telnet into it and wipe the config! Jesus, if you need a
Re: (Score:2)
> Jesus, if you need a button to make sure your networking devices are configured
> correctly, I truly hope you don't actually manage a network.
Then you truly hope that most of those who do manage networks didn't. And so do I.
Council explanation? (Score:2)
Re: (Score:3, Informative)
The incompetence of councils is limited, because they are overseen quite closely by central governm
Essentially, councils do everything below central government level, but it varies depending on where you live. Where I live, I have a borough council, which does all the local stuff - mainly roads excluding motorways and some A roads, education, social care, bins, trading standards, planning permission, building control, environmental health. Then the next level up is Gordon Brown's government at Westminster. It covers the central area of a fairly large town, but not some of the suburbs, which are covere
"Interestingly", there is devolved Government for Wales, Scotland and Northern Ireland, but not England. Having said this, greater London does have some autonomy due to having an elected Mayor.
Missed opportunity (Score:4, Funny)
Council of 13? (Score:2)
Was it the Council of 13's confidential servers? 'Cause I'd really like to know who off'd Jonas Venture Sr.
Re: (Score:1)
Spoiler for the third season...
It was Kano... that's why he is a mute...
Security expert my ass (Score:2, Insightful)
Anyone else wonder why the fuck a so called "security expert" plugged a device blindly into his network?
I mean, really now. I haven't done any security work in a long time now, but still... Buying something for around 2 to 3 dollars (a security device, no less) off EBay then just "plugging it in" to a production network should cost this idiot his job.
And posting it to Slashdot should cost him his professional reputation.
Stupidity at its finest.
--Toll_Free
Re: (Score:3, Insightful)
Yeah, I agree!
I mean, at very least, he should have plugged it in to a secure network, and sniffed it a bit to see if it phoned home, or something.
Oh, wait...
Re: (Score:2)
It doesn't say that he plugged it into his production network, just that he plugged it into /some/ network. If I got a great deal on one of these things I (1) wouldn't ever trust it for anything truly sensitive, out of general paranoia, but (2) would probably throw it on a non-sensitive network (e.g., external network outside of my firewall) to play around with it. There's no evidence at all that Mr. Mason did anything differently.
I am not sure what the point of this is (Score:2)
It would be one thing if this was straight into the DoD, but this is some little town council from what I can tell.
Re: (Score:2)
I didn't bother to RTFA, but the council in question wouldn't be located in San Francisco [slashdot.org], would they?
Re: (Score:2)
Well, largest Metropolitan Borough Council that isn't a City.
http://en.wikipedia.org/wiki/Kirklees_Council [wikipedia.org]
so did anyone see the exploit? (Score:2)
offer a VPN for sale on eBay
"accidentally" leave it configured for connection
wait for connection
pwn the connecting machine...
here's a tip: configure your network hardware before actually connecting it to a network
Lucky he's not in a cell (Score:2)
Re: (Score:3, Funny)
I could really go for some shaved beaver right about now.
This being slashdot, finding beavers here is rare, shaved even more so, but an earlier post mentioned Bears. Perhaps they will do for you?
(I know we should not feed the trolls, but this one sounds really hungry)