Council Sells Security Hole On Ebay

Posted by CmdrTaco on Monday September 29, @11:34AM
from the only-as-good-as-your-weakest-link dept.
Barence writes "A security expert was stunned to discover a VPN device he'd bought on Ebay automatically connected to a local council's confidential servers. Bought for just 99p for use at work, when plugged in it automatically connected with the login details which had been carelessly left on the device. 'The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really,' says the intrusion-detection professional. The council says it is 'deeply concerned' by the news, but is confident that 'multiple layers of security have prevented access to systems and data.'"

Related Stories

[+] News: MI6 Terror Photos, Data Accidentally Sold On Ebay 316 comments
Barence writes "In what's turning out to be a bad week for security in the UK, confidential MI6 documents, fingerprints and photos relating to suspected Al-Qaeda terrorists have been found in the memory of the second-hand Nikon Coolpix camera, which was bought on eBay for only £17. The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC. Remember, this is the same MI6 which plans to recruit new members via Facebook, a userbase not exactly famous for its dedication to privacy, security and discretion. The news comes on the back of yesterday's embarrassment over a local council whose VPN device ended up on eBay with confidential login details left on it."
  • Layers of Security (Score:5, Insightful)

    by MyLongNickName (822545) on Monday September 29, @11:37AM (#25194323) Journal

    Am I the only one who cringes when hearing the phrase "multiple layers of security"? It is like a process where you have five people proofread something to check for mistakes, but none of the five bears any responsibility if a typo goes through. Invariably, 80% of the mistakes make it to print.

    • by FireStormZ (1315639) on Monday September 29, @11:43AM (#25194385)

      "Am I the only one who cringes when hearing the phrase "multiple layers of security"? It is like a process where you have five people proofread something to check for mistakes, but none of the five bears any responsibility if a typo goes through."

      Never, in the history of man has the true process of government been summed up so well!

        • by FireStormZ (1315639) on Monday September 29, @01:09PM (#25195309)

          "You think thats unique to government?"

          It's not unique to government, but it is ubiquitous within government!

          "Have you never worked in a private company?"

          Yup, some are like this and some are not. More often than not the companies which are like this die or, at the very least, change leadership.

          "A massive slice of incompetence and stupidity is the one thing ALL human endeavour together."

          Aye, but the instituted practice of making people not *responsible* for their stupidity is a pillar of government bodies.

    • by FredFredrickson (1177871) * on Monday September 29, @11:43AM (#25194387) Homepage Journal
      By layers of security, I'm sure he meant something along the lines of "Even if you can connect to our network printers on the windows server- you can't use them! Heck, we still can't figure out how to use them. Actually if you figure out how to get them to work, can you get the print jobs started? There's probably a couple hundred print jobs waiting.

      Oh and you probably can't access any files on our network, because in this HIGH security office, we don't even have network shares or anything of the like. Nopers, we email documents to each other. Good luck catching us, dude. LAYERS. LAYERS AND LAYERS of security."
    • It also is concerning because if you get used to failure as acceptable then each layer is going to become increasingly compromised until you have no protection at all. You will have multiple layers of protection only if you maintain each and every layer as though it were the only layer of protection.

    • by Fx.Dr (915071) on Monday September 29, @12:06PM (#25194633)
      ...but none of the five bears...

      I dunno, five bears can be pretty scary. I'd be sure to stay away from that network.
    • Re: (Score:3, Interesting)

      I tooled around on one of our clients' networks the other day. We installed a server there and at their request (needed to add that to cover my butt) I had to load a file on one of their PCs for a guy to install.

      (The only main difference between this scenario and mine was I had a Linux (running Gentoo) server on their LAN. Here the guy had VPN access and thus he could VPN in and have a Linux box on their LAN.)

      My problem was that I had no idea what the IP address of the laptop was where I needed to place the f

      • I will agree with you very much. However in practice I hear it used to shrug off any concerns about one "layer" failing. Perhaps it is just my experience.

      • by MyLongNickName (822545) on Monday September 29, @12:19PM (#25194787) Journal

        Your lock/alarm analogy is fair. In this case however, it seems that they have locks they don't lock because of the alarm system. And they have an alarm system they don't turn on because of the locks.

          • by Kent Recal (714863) on Monday September 29, @01:01PM (#25195227)

            Well, given how carelessly they treat their first layer of defense (VPN access) I wouldn't put much confidence in their other layers (if any) either. This whole story just screams INCOMPETENCE in bold and all caps. I doubt very much that the same people who are stupid enough to sell critical hardware on eBay are in any way capable of maintaining a secure network, even if their life depended on it.

  • by zappepcs (820751) on Monday September 29, @11:40AM (#25194347) Journal

    The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data."

    but is confident that "multiple layers of security have prevented the council from knowing if anyone has had or does have access to systems and data."

    There.. that's better

  • Erm...Layers? (Score:5, Insightful)

    by Sj0 (472011) on Monday September 29, @11:42AM (#25194377) Homepage Journal

    Once someone has a VPN tunnel directly into your network, any protection from outside attacks is automatically bypassed. What's left? A collection of passwords?

    • Re: (Score:3, Insightful)

      Well, most VPNs just create secure access at the TCP level. If it is a Windows network you still have to log into the network itself. It is understood, though, that the fact that VPN access is required probably means there are a few open servers and user machines that have unprotected shares because of the false security of the VPN.

  • While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world. You should never be assuming traffic coming from the LAN side is "safe" anyway, and require additional authentication every step of the way. Lots of orgs give their home employees/remote offices VPN access and these machines can generally be easily compromised. TFA is short on details but if the admins have been doing their job he probably would not have been able to compromise anything more than some network printers. That said, their disposal department needs a good slapping; wiping configs from Cisco devices is usually very easy.

    • by Attaturk (695988) on Monday September 29, @12:19PM (#25194781) Homepage

      While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world.

      Point being this was a local government network. The chances of it being designed right, let alone thoroughly maintained, are slim to none. Professionals outside IT must be educated not to rely on our l337 sysadmin skills else IT people will always carry the can when the shit hits the fan. I know it's a mixed metaphor but it rhymes so screw you. ;)

      People, in and outside of IT, need to understand (read: be taught) that government networks are not only vulnerable but also highly attractive to spammers, scammers, identity fraudsters and the like. This means that meatspace security is even more, not less, important in these environments.

      The strongest wall-safe in the world is useless if you leave the combination on a piece of paper on your desk. If you believe that no one could get past the formidable building security to read what's on your desk, your safe is probably already bare.

  • A colleague where I live bought a set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.

    The passwords were for a Department of Energy facility with nuclear activities.

    I bet someone here has heard of an even weirder event.

  • by Animats (122034) on Monday September 29, @12:06PM (#25194635) Homepage

    The problem is that this is a crypto box without a "zeroize" button.

    A VPN device is, among other things, a crypto unit. Real crypto units are very explicit about key control. Sometimes, the key is in a removable and easy-to-destroy form. On units with internal key storage, there's a guarded "zeroize" button that clears all keys to zero.

    Cisco didn't provide either a "zeroize" button or a removable key. So there's no easy way to scrub the thing before selling it, or to be sure it was scrubbed.
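    A defender's pre-disposal check in the spirit of the two points above (that wiping a Cisco config is easy, but there is no easy way to be sure a unit was actually scrubbed), as an added example that is not from this thread, Cisco, or any project: it scans an exported IOS-style configuration and reports any statement that still carries credentials or key material, with the secret itself redacted. The rule list is an assumption about common IOS keywords rather than a complete catalogue, and the sample config, its hash and its type-7 string are constructed placeholders.

```python
# Pre-disposal audit of an exported Cisco IOS-style configuration: flags
# statements that still carry credentials or key material so a unit can be
# verified clean before it leaves the organisation. Constructed example; the
# rule list is an assumption about common IOS keywords, not a complete one.
import re

# (category, pattern); each pattern ends where the secret token begins.
RULES = [
    ("local account", re.compile(r"^username\s+\S+\s+(password|secret)\b")),
    ("enable password", re.compile(r"^enable\s+(password|secret)\b")),
    ("IPsec pre-shared key", re.compile(r"^crypto\s+isakmp\s+key\b")),
    ("SNMP community", re.compile(r"^snmp-server\s+community\b")),
    ("line password", re.compile(r"^password\s+(?=\S)")),
]

def redact(line, match):
    """Keep the statement up to the keyword; drop the secret that follows."""
    return line[:match.end()].rstrip() + " <redacted>"

def audit_config(text):
    """Return [(line_no, category, redacted_statement)] for residual secrets."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()  # IOS indents sub-mode lines such as 'password'
        for category, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append((n, category, redact(line, m)))
                break  # one category per statement is enough
    return findings

def is_clean(text):
    """True only when no credential-bearing statement remains."""
    return not audit_config(text)

# Constructed sample of what a carelessly retired VPN router might still hold;
# the hash and the type-7 string are placeholders, not real encodings.
SAMPLE_CONFIG = """\
hostname council-vpn-1
enable secret 5 $1$constructed$placeholderhash
username remoteuser password 7 0822455D0A16
crypto isakmp key ExamplePSK address 0.0.0.0 0.0.0.0
snmp-server community public RO
line vty 0 4
 password notsecret
"""

if __name__ == "__main__":
    for n, cat, stmt in audit_config(SAMPLE_CONFIG):
        print(f"line {n}: {cat}: {stmt}")
```

    Run it against a `show running-config` export before a device is sold or recycled; an empty report is the condition to insist on, and a non-empty one is the list of statements to clear and re-verify.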

  • by Rob T Firefly (844560) on Monday September 29, @12:13PM (#25194729) Homepage Journal
    Shame they didn't think to advertise the stored login on the item's eBay description. They could probably have gotten more than 99p for it.
    • the count now reads -2 147 483 647

        • [Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.

          Yay, I can hardly wait for the 64-bit port of this application!

    • by russotto (537200) on Monday September 29, @11:49AM (#25194467)

      Would a security expert really be "stunned" by this? Sounds like business as usual to me.

      Never seen Casablanca, have you?

      Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
      [a croupier hands Renault a pile of money]
      Croupier: Your winnings, sir.

    • Re: (Score:3, Insightful)

      Yeah, I agree!

      I mean, at very least, he should have plugged it in to a secure network, and sniffed it a bit to see if it phoned home, or something.

      Oh, wait...