Council Sells Security Hole On Ebay
Barence writes "A security expert was stunned to discover a VPN device he'd bought on Ebay automatically connected to a local council's confidential servers. Bought for just 99p for use at work, when plugged in it automatically connected with the login details which had been carelessly left on the device. 'The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really,' says the intrusion-detection professional. The council says it is 'deeply concerned' by the news, but is confident that 'multiple layers of security have prevented access to systems and data.'"
Crypto without a "zeroize" button. (Score:5, Informative)
The problem is that this is a crypto box without a "zeroize" button.
A VPN device is, among other things, a crypto unit. Real crypto units are very explicit about key control. Sometimes, the key is in a removable and easy-to-destroy form. On units with internal key storage, there's a guarded "zeroize" button that clears all keys to zero.
Cisco didn't provide either a "zeroize" button or a removable key. So there's no easy way to scrub the thing before selling it, or to be sure it was scrubbed.
Defense in Depth (Score:2, Informative)
Re:Council explanation? (Score:3, Informative)
The incompetence of councils is limited, because they are overseen quite closely by central government, who can and do step in and roll heads if there are systemic failures. That said, most of the really egregious examples of corruption in the UK tend to come from local government.