Submitting a review for consideration is easy; please first read Slashdot's book review guidelines. Updated: 2008114 by samzenpus
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.
Layers of Security (Score:5, Insightful)
Am I the only one who cringes when hearing the phrase "multiple layers of security"? It is like a process where you have five people proofread something to check for mistakes, but none of the five bears any responsibility if a typo goes through. Invariably, 80% of the mistakes make it to print.
Re:Layers of Security (Score:5, Insightful)
"Am I the only one who cringes when hearing the phrase "multiple layers of security"? It is like a process where you have five people proofread something to check for mistakes, but none of the five bears any responsibility if a typo goes through."
Never, in the history of man has the true process of government been summed up so well!
Re:Layers of Security (Score:5, Insightful)
"You think that's unique to government?"
It's not unique to government, but it is ubiquitous within government!
"Have you never worked in a private company?"
Yup, some are like this and some are not. More often than not the companies which are like this die or, at the very least, change leadership.
"A massive slice of incompetence and stupidity is the one thing ALL human endeavour together."
Aye, but the instituted practice of making people not *responsible* for their stupidity is a pillar of government bodies.
Re:Layers of Security (Score:5, Funny)
Oh and you probably can't access any files on our network, because in this HIGH security office, we don't even have network shares or anything of the like. Nopers, we email documents to each other. Good luck catching us, dude. LAYERS. LAYERS AND LAYERS of security.
Re:Layers of Security (Score:5, Funny)
Ahh yes, the infamous PC LOAD LETTER firewall! Impervious to all but the most clever hackers.
Re:Layers of Security (Score:5, Insightful)
It also is concerning because if you get used to failure as acceptable then each layer is going to become increasingly compromised until you have no protection at all. You will have multiple layers of protection only if you maintain each and every layer as though it were the only layer of protection.
Re:Layers of Security (Score:5, Funny)
I dunno, five bears can be pretty scary. I'd be sure to stay away from that network.
Re: (Score:3, Funny)
The three bear security system had proven inadequate.
Defense in Depth (Score:2, Informative)
Re:Defense in Depth (Score:5, Insightful)
Your lock/alarm analogy is fair. In this case however, it seems that they have locks they don't lock because of the alarm system. And they have an alarm system they don't turn on because of the locks.
Re: (Score:2)
Re:Defense in Depth (Score:5, Insightful)
Well, given how carelessly they treat their first layer of defense (VPN access) I wouldn't put much confidence in their other layers (if any) either. This whole story just screams INCOMPETENCE in bold and all caps. I doubt very much that the same people who are stupid enough to sell critical hardware on eBay are in any way capable of maintaining a secure network, even if their life depended on it.
Re: (Score:3, Insightful)
In reality security is a process and their processes are obviously broken. No person (no matter whether it is the one who set up their network or not) should be allowed to just go pick up a router and sell it on eBay. If they feel a need to cash in on their old hardware then there must be a clear process for that which includes "make really sure that all sensitive data is wiped from any device you intend to sell".
Of course it's a process, but it's a human process. Mistakes are made. Repeat mistakes of this nature should absolutely be grounds for termination. Yet for some reason, commentators on Internet forums insist on dehumanizing the entire process and calling for the head of anyone who slips up.
Want to know what probably happened? A bunch of equipment was being replaced, and the rest trashed. Someone knew this and grabbed some of it to sell on eBay, hoping to make a quick quid. The devices were proba
Re: (Score:3, Insightful)
But usually the VPN password and the server password are the same.
Re: (Score:3, Interesting)
I tooled around on a client of ours' network the other day. We installed a server there and at their request (needed to add that to cover my butt) I had to load a file on one of their PCs for a guy to install.
(The only main difference between this scenario and mine was I had a Linux (running gentoo) server on their lan. Here the guy had vpn access and thus he could VPN in and have a linux box on their lan.)
My problem was that I had no idea what the IP address of the laptop was where I needed to place the f
Re: (Score:3, Insightful)
I will agree with you very much. However in practice I hear it used to shrug off any concerns about one "layer" failing. Perhaps it is just my experience.
Re: (Score:2)
I definitely see your point, but this is exactly what the layer model should allow.
If there was a massive breach of our firewall, but due to careful network configuration nobody was able to get in, I'd feel pretty damn good about myself.
Of course, I would then fix the issue with the firewall... which is really the critical step.
Typo in the summary (Score:5, Insightful)
The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data."
but is confident that "multiple layers of security have prevented the council from knowing if anyone has had or does have access to systems and data."
There... that's better.
excuse me??? (Score:2)
"multiple layers of security have prevented access to systems and data."
the fact is that the guy already had access to the systems. Were they not paying attention?
Re: (Score:2, Insightful)
the fact is that the guy already had access to the systems.
Access to a normally inaccessible private network is not the same as access to systems on that private network.
Although with IT staff this incompetent, I'd expect any next step(s) to be trivial with a real hacker behind the steering wheel (as opposed to a white hat guy like in this case).
Re:excuse me??? (Score:5, Insightful)
Re:excuse me??? (Score:5, Insightful)
Actually, I'm surprised that this so-called "Security Expert" plugged it into his network and allowed it to do that without first looking at what went on when he started it up in isolation.
Erm...Layers? (Score:5, Insightful)
Once someone has a VPN tunnel directly into your network, any protection from outside attacks is automatically bypassed. What's left? A collection of passwords?
Re: (Score:2)
Zone Alarm! :)
Actually what is left are a handful of machines that aren't regularly patched or have passwords because they figured they were safe behind the firewall.
Re: (Score:3, Insightful)
Well, most VPNs just create secure access at the TCP level. If it is a Windows network you still have to log into the network itself. It is understood, though, that the fact that VPN access is required probably means there are a few open servers and user machines that have unprotected shares because of the false security of the VPN.
Re: (Score:2, Insightful)
Anyone keeping count? (Score:2)
+1 to the UK government data breach tally.
Re: (Score:3, Funny)
the count now reads -2 147 483 647
Just like beer (Score:2)
[Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.
Re: (Score:3, Funny)
Yay, I can hardly wait for the 64-bit port of this application!
Re: (Score:3, Funny)
[Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.
Yay, I can hardly wait for the 64-bit port of this application!
Hopefully it's open source, or I'm in trouble:
0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 18446744073709551615 bottles of beer on the wall.
I don't know... (Score:2)
Would a security expert really be "stunned" by this? Sounds like business as usual to me.
Re:I don't know... (Score:5, Funny)
Never seen Casablanca, have you?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
VPN Access Not The End of the World (Score:5, Insightful)
While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world. You should never be assuming traffic coming from the LAN side is "safe" anyway, and require additional authentication every step of the way. Lots of orgs give their home employees/remote offices VPN access and these machines can generally be easily compromised. TFA is short on details but if the admins have been doing their job he probably would not have been able to compromise anything more than some network printers. That said, their disposal department needs a good slapping; wiping configs from Cisco devices is usually very easy.
Re:VPN Access Not The End of the World (Score:5, Insightful)
Point being this was a local government network. The chances of it being designed right, let alone thoroughly maintained, are slim to none. Professionals outside IT must be educated not to rely on our l337 sysadmin skills else IT people will always carry the can when the shit hits the fan. I know it's a mixed metaphor but it rhymes so screw you. ;)
People, in and outside of IT, need to understand (read: be taught) that government networks are not only vulnerable but also highly attractive to spammers, scammers, identity fraudsters and the like. This means that meatspace security is even more, not less, important in these environments.
The strongest wall-safe in the world is useless if you leave the combination on a piece of paper on your desk. If you believe that no one could get past the formidable building security to read what's on your desk, your safe is probably already bare.
Re: (Score:2)
Agreed.
We have a dozen or so users on the VPN. How many of them do you think have access to any services just based on the fact they are 'on the network'? Frankly the only thing you can do once you're on the network is ping other machines on the network. You must still authenticate as a valid user with appropriate access rights to get to any data. Once you get that far, if what you are wanting is in any way sensitive, you either need the password or key to decrypt the file, or if it's a web service
What's the weirdest story like this? (Score:5, Interesting)
A colleague where I live bought a set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.
The passwords were for a Department of Energy facility with nuclear activities.
I bet someone here has heard of an even weirder event.
Re: (Score:2)
Well, what happened to me wasn't really that weird but it was kind of interesting...
I purchased a couple of old Indigo2s a few years back, paid something like $50 each for them, and when I tried booting the first one I found out that the root password was "root" and that it automatically mounted several NFS mounts belonging to the previous owner, a special effects company in California.
In retrospect I should probably have either alerted them to the problem or at least snooped around just a little more,
Re: (Score:2)
Even weirder? How about an anonymous coward requesting citation from a non-anon?
set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.
I've never seen computing equipment, let alone routers, at Goodwill, and yes, I shop there.
The passwords were for a Department of Energy facility with nuclear activities.
Citation needed. How was it known to be DOE?
Based on my experience at Goodwill and at DOE sites, I'd say this is quite plausible, though statistically unlikely. Passwords to a router running in a DOE lab are pretty much useless, though.
Britain's socialist government at your service (Score:2)
Americans fear that private companies will steal all their data. The British prefer the approach of giving it all away to everyone, in a variety of useful formats! [today.com]
The ineptitude in government at all levels in this country about data security is bloody jaw-dropping. Interesting news today is that the cabinet official who left some direly secret stuff on a train is getting prosecuted under the Official Secrets Act. [bbc.co.uk] This is hopefully more than security theatre itself.
Crypto without a "zeroize" button. (Score:5, Informative)
The problem is that this is a crypto box without a "zeroize" button.
A VPN device is, among other things, a crypto unit. Real crypto units are very explicit about key control. Sometimes, the key is in a removable and easy-to-destroy form. On units with internal key storage, there's a guarded "zeroize" button that clears all keys to zero.
Cisco didn't provide either a "zeroize" button or a removable key. So there's no easy way to scrub the thing before selling it, or to be sure it was scrubbed.
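As an added defender-side example (not from this thread and not Cisco's own tooling), here is the kind of pre-disposal check the two posts above argue for: it scans a saved IOS-style config for the credentials and key material a "zeroize" step would have cleared. The keyword list, the sample config and all values in it are my own constructed assumptions; extend the list for your platform.

```python
import re
# Added example, not Cisco's or the thread's. Keyword list is an assumption:
# it covers common IOS credential lines, not every platform. Extend as needed.
SECRET_PATTERNS = [
    ("enable password", re.compile(r"^enable (secret|password)\b")),
    ("local user credential", re.compile(r"^username \S+ .*\b(password|secret)\b")),
    ("IPsec pre-shared key", re.compile(r"^crypto isakmp key\b|\bpre-shared-key\b")),
    ("SNMP community", re.compile(r"^snmp-server community\b")),
    ("AAA server key", re.compile(r"^(tacacs|radius)-server .*\bkey\b")),
]
# Not secrets, but they tell the next owner where the box used to connect.
TOPOLOGY_PATTERN = re.compile(r"^(ip address|tunnel destination|crypto map|set peer)\b")

def audit_config(text):
    """Return [(line_no, category, line)] for every line that must be scrubbed."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):   # skip blanks and IOS comments
            continue
        for category, pat in SECRET_PATTERNS:
            if pat.search(line):
                findings.append((n, category, line))
                break
        else:
            if TOPOLOGY_PATTERN.search(line):
                findings.append((n, "internal topology", line))
    return findings

def safe_to_dispose(text):
    """True only when the saved config carries nothing that helps a buyer get in."""
    return not audit_config(text)

# Constructed sample config (placeholder values only), the way a decommissioned
# VPN gateway might still look if nobody ran the vendor's wipe procedure.
SAMPLE_CONFIG = """\
hostname council-vpn-gw
enable secret 5 $1$xxxx$PLACEHOLDERHASH
username netadmin password 7 PLACEHOLDERTYPE7
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.10
interface Tunnel0
 ip address 10.20.30.1 255.255.255.252
 tunnel destination 203.0.113.10
snmp-server community public RO
"""
if __name__ == "__main__":
    for n, category, line in audit_config(SAMPLE_CONFIG):
        print(f"line {n}: {category}: {line}")
    print("safe to dispose:", safe_to_dispose(SAMPLE_CONFIG))
```

Run it against `show running-config` output captured before the unit leaves your hands; an empty report is the condition for letting it go, and anything flagged means the device still needs the vendor's erase procedure.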
Re: (Score:2)
Actually, Cisco reported that they provide extensive instructions on exactly how to do this sort of thing, and that the blame lies squarely with whatever admin just gave it away.
Council explanation? (Score:2)
Re: (Score:3, Informative)
The incompetence of councils is limited, because they are overseen quite closely by central governm
Missed opportunity (Score:4, Funny)
Council of 13? (Score:2)
Was it the Council of 13's confidential servers? 'Cause I'd really like to know who offed Jonas Venture Sr.
Security expert my ass (Score:2, Insightful)
Anyone else wonder why the fuck a so called "security expert" plugged a device blindly into his network?
I mean, really now. I haven't done any security work in a long time now, but still... Buying something for around 2 to 3 dollars (a security device, no less) off eBay then just "plugging it in" to a production network should cost this idiot his job.
And posting it to Slashdot should cost him his professional reputation.
Stupidity at its finest.
--Toll_Free
Re: (Score:3, Insightful)
Yeah, I agree!
I mean, at very least, he should have plugged it in to a secure network, and sniffed it a bit to see if it phoned home, or something.
Oh, wait...
I am not sure what the point of this is (Score:2)
It would be one thing if this was straight into the DoD, but this is some little town council from what I can tell.
Re: (Score:3, Funny)
I could really go for some shaved beaver right about now.
This being slashdot, finding beavers here is rare, shaved even more so, but an earlier post mentioned Bears. Perhaps they will do for you?
(I know we should not feed the trolls, but this one sounds really hungry)