Council Sells Security Hole On Ebay

Posted by CmdrTaco
from the only-as-good-as-your-weakest-link dept.
Barence writes "A security expert was stunned to discover a VPN device he'd bought on Ebay automatically connected to a local council's confidential servers. Bought for just 99p for use at work, when plugged in it automatically connected with the login details which had been carelessly left on the device. 'The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really,' says the intrusion-detection professional. The council says it is 'deeply concerned' by the news, but is confident that 'multiple layers of security have prevented access to systems and data.'"
  • Layers of Security (Score:5, Insightful)

    by MyLongNickName (822545) on Monday September 29, 2008 @10:37AM (#25194323) Journal

    Am I the only one who cringes when hearing the phrase "multiple layers of security". It is like a process where you have five people proof read something to check for mistakes, but none of the five bears any responsibility if a typo goes through. Invariably, 80% of the mistakes make it to print.

    • by FireStormZ (1315639) on Monday September 29, 2008 @10:43AM (#25194385)

      "Am I the only one who cringes when hearing the phrase "multiple layers of security". It is like a process where you have five people proof read something to check for mistakes, but none of the five bears any responsibility if a typo goes through."

      Never, in the history of man has the true process of government been summed up so well!

      • You didn't read the rest of the article.

        > The council says it is "deeply concerned" by the news, but is confident that
        > "multiple layers of security have prevented access to systems and data."

        The article continues.

        "Indeed, a fax sent by the council to local news outlets later that day confirmed that '[the council's] servers were never breached and we've **CAMILLA P-B IS A HORSEFACE!!!!!!**"

      • Re: (Score:2, Insightful)

        by gowen (141411)

        Never, in the history of man has the true process of government been summed up so well!

        Really? You think that's unique to government? Have you never worked in a private company? Never read TheDailyWTF? Noticed anything happen on Wall Street in the past week?

        A massive slice of incompetence and stupidity is the one thing ALL human endeavour together.

        • by FireStormZ (1315639) on Monday September 29, 2008 @12:09PM (#25195309)

          "You think that's unique to government?"

          It's not unique to government but it is ubiquitous within government!

          "Have you never worked in a private company?"

          Yup some are like this and some are not.. More often than not the companies which are like this die or, at the very least, change leadership.

          "A massive slice of incompetence and stupidity is the one thing ALL human endeavour together."

          Aye' but the instituted practice of making people not *responsible* for their stupidity is a pillar of government bodies..

        • by hairyfeet (841228)

          Oh yeah, this kind of stupid seems to be par for the course. I had a buddy load up on some SCSI hard drives on eBay to outfit some Compaq webservers he got when his company upgraded, and sure enough, half of them still had data on them! He found all kinds of employee records, social security numbers, etc. He of course wiped them after laughing his ass off about how stupid some of the companies were. Did they think when they sold the drives that they were going to be used as paperweights?

          And about a year ago one

          • by jonbryce (703250)

            I'm surprised they keep stuff like that on the desktop machines.

            • Yeah. It's not like the good old days when all you had to do was dumpster dive in any department store's unsecured trash for credit card carbons. In the 80s that was what most credit card fraud stemmed from, even up into the early 90s. Then they finally got smart and either did away with the carbon copies, or shredded them before throwing them out.
    • by FredFredrickson (1177871) * on Monday September 29, 2008 @10:43AM (#25194387) Homepage Journal
      By layers of security, I'm sure he meant something along the lines of "Even if you can connect to our network printers on the windows server- you can't use them! Heck, we still can't figure out how to use them. Actually if you figure out how to get them to work, can you get the print jobs started? There's probably a couple hundred print jobs waiting.

      Oh and you probably can't access any files on our network, because in this HIGH security office, we don't even have network shares or anything of the like. Nopers, we email documents to each other. Good luck catching us, dude. LAYERS. LAYERS AND LAYERS of security."
    • by darkmeridian (119044) <{moc.liamg} {ta} {gnauhc.mailliw}> on Monday September 29, 2008 @10:51AM (#25194493) Homepage

      It also is concerning because if you get used to failure as acceptable then each layer is going to become increasingly compromised until you have no protection at all. You will have multiple layers of protection only if you maintain each and every layer as though it were the only layer of protection.

      • That's actually a really good statement. Treating every layer as 'the only layer' rather than saying 'oh, it's fine, we still have (x-1) layers left' is a good security practice, I think. Otherwise, you end up with a slippery slope, and no protection.

      • by steelfood (895457)

        It's like having on multiple condoms, but each with a hole in it somewhere. It might be a little more difficult, but one of the little buggers is bound to get through one day, and then there's no turning back from there.

    • by Nos. (179609)

      Of course there should be multiple layers of security. Do you trust that your firewall will block all malicious traffic and leave all your accounts password free? Do you turn off anti-virus on the desktop because you run it on the mail server?

      Yes, there has to be proper acknowledgment when any one piece fails, even if it doesn't result in any kind of breach.

      • Re: (Score:3, Insightful)

        I will agree with you very much. However in practice I hear it used to shrug off any concerns about one "layer" failing. Perhaps it is just my experience.

        • I definitely see your point, but this is exactly what the layer model should allow.

          If there was a massive breach of our firewall, but due to careful network configuration nobody was able to get in, I'd feel pretty damn good about myself.

          Of course, I would then fix the issue with the firewall... which is really the critical step.

      • by DrSkwid (118965)

        Yes and Yes

    • by Fx.Dr (915071) <exterminans@@@pa ... helosthour...com> on Monday September 29, 2008 @11:06AM (#25194633)
      ...but none of the five bears...

      I dunno, five bears can be pretty scary. I'd be sure to stay away from that network.
      • by andrikos (1114853)
        Can't you "bear" the thrill?
      • I'm not trying to be a spelling/grammar nazi as I make more mistakes than anyone I know... But, it's funny that as I was reading the post my eyes caught the word bear before finishing the sentence. I immediately stopped reading and skipped to that part to see how bears were involved. I was disappointed.

        Oh well.

      • Re: (Score:3, Funny)

        by fyoder (857358) *

        The three bear security system had proven inadequate.

    • Defense in Depth (Score:2, Informative)

      by bunratty (545641)
      No, it's defense in depth [wikipedia.org]. It's like having locks on your house, and also having an alarm system. That's more secure than having just locks or just an alarm system. On a computer, it's like using a secure browser and also having a firewall and also anti-virus software.
      • by MyLongNickName (822545) on Monday September 29, 2008 @11:19AM (#25194787) Journal

        Your lock/alarm analogy is fair. In this case however, it seems that they have locks they don't lock because of the alarm system. And they have an alarm system they don't turn on because of the locks.

        • by bunratty (545641)
          From the article, it seems like the VPN device gave access to the network, but the systems and data on that network are protected by another layer of security. I'm guessing they're referring to passwords. It's like a lock on a server room door in addition to the lock on the door to the offices.
          • by the_B0fh (208483)

            And with full access to the network, it is impossible to get a password or login?! What are you smoking, and can you share?

            • by bunratty (545641)
              No, I never said it's impossible to get a password or login. It's just that with an additional line of security, network access does not automatically mean access to systems and data. In my analogy, a thief can steal a key to the office, but then he would have to also pick the lock on the server room door.
              • by Xiaran (836924)
                I'll extend your analogy a little. Once inside the office and out of sight of casual observation, he can open the server room door with a sledgehammer.
          • by Kent Recal (714863) on Monday September 29, 2008 @12:01PM (#25195227)

            Well, given how carelessly they treat their first layer of defense (VPN access) I wouldn't put much confidence in their other layers (if any) either. This whole story just screams INCOMPETENCE in bold and all caps. I doubt very much that the same people who are stupid enough to sell critical hardware on eBay are in any way capable of maintaining a secure network, even if their life depended on it.

            • by bunratty (545641)
              I agree completely. Having defense in depth is no excuse for incompetence. On the other hand, incompetence does exist, and having defense in depth can save the day when it rears its ugly head. In other words, your confidence in your competence should not be an excuse not to have defense in depth.
            • by Sancho (17056) *
              Yeah, someone screwed up, but that someone was a person, and not necessarily the same person who set up the other security measures.
              • Well, yes that's probably the exact lame excuse that they will make.

                In reality security is a process and their processes are obviously broken. No person (no matter whether it is the one who set up their network or not) should be allowed to just go pick up a router and sell it on eBay. If they feel a need to cash in on their old hardware then there must be a clear process for that which includes "make really sure that all sensitive data is wiped from any device you intend to sell".

                Anyways, what happened here

                • Re: (Score:3, Insightful)

                  by Sancho (17056) *

                  In reality security is a process and their processes are obviously broken. No person (no matter whether it is the one who set up their network or not) should be allowed to just go pick up a router and sell it on eBay. If they feel a need to cash in on their old hardware then there must be a clear process for that which includes "make really sure that all sensitive data is wiped from any device you intend to sell".

                  Of course it's a process, but it's a human process. Mistakes are made. Repeat mistakes of this nature should absolutely be a grounds for termination. Yet for some reason, commentators on Internet forums insist on dehumanizing the entire process and calling for the head of anyone who slips up.

                  Want to know what probably happened? A bunch of equipment was being replaced, and the rest trashed. Someone knew this and grabbed some of it to sell on eBay, hoping to make a quick quid. The devices were proba

                  • I really don't understand why people keep making excuses like that.
                    Yes, of course someone screwed up (intentional or not) and that someone was a human.

                    Processes, and especially security processes, exist to prevent that very situation.

                    Why was the process of trashing the equipment not properly monitored?
                    How can it happen that a critical device goes out of the inventory without a supervised cleansweep?
                    Why did nobody feel responsible for signing off the now missing hardware?

                    Well, obviously because nothing of tha

          • Re: (Score:3, Insightful)

            by jonbryce (703250)

            But usually the VPN password and the server password are the same.

    • Re: (Score:3, Interesting)

      by AndGodSed (968378)

      I tooled around on one of our clients' networks the other day. We installed a server there and at their request (needed to add that to cover my butt) I had to load a file on one of their PCs for a guy to install.

      (The only main difference between this scenario and mine was I had a Linux (running Gentoo) server on their LAN. Here the guy had VPN access and thus he could VPN in and have a Linux box on their LAN.)

      My problem was that I had no idea what the IP address of the laptop was where I needed to place the f

    • by nimbius (983462)
      I'd like to know when we started comparing things as serious as safety and security to candy bars... but since I'm American, "council" means immediately nothing to me.

      ps: s/bears/bares/
      • by mpe (36238)
        but since I'm American, "council" means immediately nothing to me.

        A Q&D translation would be "Local Government".
    • by autocracy (192714)

      Wrong way to look at it. You have water in a bin, and then several bins around that one. As long as you keep the water off your floor, you've done (more or less) right.

      Much like walking into the front lobby of a bank after hours when the cameras are broken, there's still a vault in your way.

  • by zappepcs (820751) on Monday September 29, 2008 @10:40AM (#25194347) Journal

    The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data."

    but is confident that "multiple layers of security have prevented the council from knowing if anyone has had or does have access to systems and data."

    There.. that's better
     

  • I mean back in the nineties I remember hearing about so and so bought a second hand laptop and it had 4000 CC#'s on it, or so and so bought a desktop and had all the passwords for company X's servers. Really it seems kind of overblown for this to make news, it was just a dumb mistake.
  • "multiple layers of security have prevented access to systems and data."

    the fact is that the guy already had access to the systems. Were they not paying attention?

    • Re: (Score:2, Insightful)

      the fact is that the guy already had access to the systems.

      Access to a normally inaccessible private network is not the same as access to systems on that private network.

      Although with IT staff this incompetent, I'd expect any next step(s) to be trivial with a real hacker behind the steering wheel (as opposed to a white hat guy like in this case).

      • Re:excuse me??? (Score:5, Insightful)

        by confused one (671304) on Monday September 29, 2008 @11:22AM (#25194813)
        wanna bet that the username and password that got him into the vpn in the first place is a valid username and password in the domain?
        • by Sancho (17056) *
          And this is just one of many reasons why passwords should not be recoverable from devices like this. On a general purpose computer, it's hard to prevent, but I bet that it's nontrivial to modify the software on that device to give up the password.
          • by TheLink (130905)
            "I bet that it's nontrivial to modify the software on that device to give up the password"

            I suspect it might involve nontrivial stuff like clicking "Backup Config", and downloading the config to your computer ;).
    • Re:excuse me??? (Score:5, Insightful)

      by Nursie (632944) on Monday September 29, 2008 @11:09AM (#25194691)

      Actually, I'm surprised that this so-called "Security Expert" plugged it into his network and allowed it to do that without first looking at what went on when he started it up in isolation.

  • Erm...Layers? (Score:5, Insightful)

    by Sj0 (472011) on Monday September 29, 2008 @10:42AM (#25194377) Homepage Journal

    Once someone has a VPN tunnel directly into your network, any protection from outside attacks is automatically bypassed. What's left? A collection of passwords?

    • by hubie (108345)

      Zone Alarm! :)

      Actually what is left are a handful of machines that aren't regularly patched or have passwords because they figured they were safe behind the firewall.

    • Re: (Score:3, Insightful)

      by Brigadier (12956)

      Well, most VPNs just create secure access at the TCP level. If it is a Windows network you still have to log into the network itself. It is understood though that the fact VPN access is required probably means there are a few open servers and user machines that have unprotected shares because of the false security of the VPN.

      • by the_B0fh (208483)

        And you have no open shares, and anonymous browsing of your windows network is turned off, etc? I agree more with your #3 statement.

    • Re: (Score:2, Insightful)

      The VPN puts people into a DMZ for precisely this reason, and then you have to authenticate with the DMZ border gateway (firewall in other words) for any access to backend resources. Never, ever, should a VPN put you directly onto the trusted LAN - you don't ever trust the other end of the VPN, the 'dumb' office worker may have a virus infested home network.
      • by jimicus (737525)

        The VPN puts people into a DMZ for precisely this reason, and then you have to authenticate with the DMZ border gateway (firewall in other words) for any access to backend resources. Never, ever, should a VPN put you directly onto the trusted LAN - you don't ever trust the other end of the VPN, the 'dumb' office worker may have a virus infested home network.

        Not quite sure how well this will prevent anything - as soon as the user's authenticated with the DMZ border gateway then any viruses can traverse the VPN tunnel.

    • If you have a setup where there's an "inside/outside" arrangement and everything on the inside trusts everything else on the inside then sure. However that's often not the case.

      For example I work at a university, and we've got a campus VPN here. To access various things in our department from off campus, you need to VPN in. However, that doesn't get you past all security. All it does is get you a campus IP address, not even a departmental IP. So, you are still outside our firewall, however it lets more thin

  • +1 to the UK government data breach tally.

    • Re: (Score:3, Funny)

      by clare-ents (153285)

      the count now reads -2 147 483 647

      • [Nomenumbra] 1 bottle of beer on the wall, 1 bottle of beer, you take 1 down, pass it around, 0 bottles of beer on the wall.
        [Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.
        • Re: (Score:3, Funny)

          by crunch_ca (972937)

          [Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.

          Yay, I can hardly wait for the 64-bit port of this application!

          • Re: (Score:3, Funny)

            by xaxa (988988)

            [Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.

            Yay, I can hardly wait for the 64-bit port of this application!

            Hopefully it's open source, or I'm in trouble:

            0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 18446744073709551615 bottles of beer on the wall.
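The arithmetic behind the three posts above is ordinary unsigned wraparound: subtracting 1 from an unsigned 0 is defined in C to wrap modulo 2^N, giving 4294967295 for 32 bits and 18446744073709551615 for 64 bits. The following is an added example, not code from the thread or from the "Nomenumbra" program it quotes; the function names are made up for illustration. It shows the wrap at both widths and a checked counter that refuses to go below zero instead of wrapping, which is the defensive pattern for any counter that feeds a length, index or tally.

```c
/* Added example (not from the thread): unsigned wraparound behind the
 * "bottles of beer" joke, plus a checked counter that refuses to wrap.
 * Function names are hypothetical. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* "Take one down" on a 32-bit unsigned counter: 0 - 1 wraps to 2^32 - 1.
 * Unsigned overflow is well defined in C (modulo 2^32), so this compiles
 * and runs without any warning at runtime. */
uint32_t take_one_down_u32(uint32_t bottles) {
    return bottles - 1u;
}

/* Same operation on a 64-bit counter: 0 - 1 wraps to 2^64 - 1. */
uint64_t take_one_down_u64(uint64_t bottles) {
    return bottles - 1u;
}

/* Returns true when a decrement would underflow; check before subtracting. */
bool would_underflow(uint64_t bottles) {
    return bottles == 0;
}

/* Checked version: writes the decremented value to *out and returns true,
 * or leaves *out untouched and returns false instead of wrapping. */
bool take_one_down_checked(uint64_t bottles, uint64_t *out) {
    if (would_underflow(bottles)) {
        return false;
    }
    *out = bottles - 1u;
    return true;
}

/* Saturating version: clamps at zero, for callers that prefer a value
 * over a failure flag. */
uint64_t take_one_down_saturating(uint64_t bottles) {
    return would_underflow(bottles) ? 0 : bottles - 1u;
}

int main(void) {
    uint64_t left = 0;
    printf("u32: 0 -> %" PRIu32 "\n", take_one_down_u32(0));
    printf("u64: 0 -> %" PRIu64 "\n", take_one_down_u64(0));
    if (!take_one_down_checked(0, &left)) {
        puts("checked: refused to take one down from 0");
    }
    printf("saturating: 0 -> %" PRIu64 "\n", take_one_down_saturating(0));
    return 0;
}
```

The two unchecked functions reproduce the 4294967295 and 18446744073709551615 results quoted in the posts; the checked and saturating variants are the forms to prefer wherever a wrapped counter would later be trusted as a size or a count.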

  • Would a security expert really be "stunned" by this? Sounds like business as usual to me.

  • by Kaboom13 (235759) <kaboom108@@@bellsouth...net> on Monday September 29, 2008 @10:47AM (#25194439)

    While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world. You should never be assuming traffic coming from the LAN side is "safe" anyways, and require additional authentication every step of the way. Lots of orgs give their home employees/remote offices VPN access and these machines can generally be easily compromised. TFA is short on details but if the admins have been doing their job he probably would not have been able to compromise anything more than some network printers. That said, their disposal department needs a good slapping, wiping configs from Cisco devices is usually very easy.

    • by Attaturk (695988) on Monday September 29, 2008 @11:19AM (#25194781) Homepage

      While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world.

      Point being this was a local government network. The chances of it being designed right, let alone thoroughly maintained, are slim to none. Professionals outside IT must be educated not to rely on our l337 sysadmin skills else IT people will always carry the can when the shit hits the fan. I know it's a mixed metaphor but it rhymes so screw you. ;)

      People, in and outside of IT, need to understand (read: be taught) that government networks are not only vulnerable but also highly attractive to spammers, scammers, identity fraudsters and the like. This means that meatspace security is even more, not less, important in these environments.

      The strongest wall-safe in the world is useless if you leave the combination on a piece of paper on your desk. If you believe that no one could get past the formidable building security to read what's on your desk, your safe is probably already bare.

    • by alta (1263)

      Agreed.

      We have a dozen or so users on the VPN. How many of them do you think have access to any services just based on the fact they are 'on the network.' Frankly the only thing you can do once you're on the network is ping other machines on the network. You must still authenticate as a valid user with appropriate access rights to get to any data. Once you get that far, if what you are wanting is in any way sensitive, you either need the password or key to unencrypt the file, or if it's a web service

    • by Paralizer (792155)
      There are other security concerns besides physical devices. Getting into the network via VPN seems like the hardest part to me if you wanted to steal some information. Once you are in and can at least connect to a server on the private network you can call any poor HR/accounting/payroll/etc person who isn't very knowledgeable about security threats and con your way into some login credentials.

      Also the notion of a Cisco device being extremely easy to configure is pretty funny. After you get comfortable
    • by DrSkwid (118965)

      network printers with Postscript, ph34r my remote !factorial attacks!

      some of them also do email and can be owned for more attacks, some are phone/fax/copier/printers giving you the scope for spam faxing and premium rate dialling attacks.

      Plus do you really want remote access to print queues at a UK govt. dept.

      HP Printers FTP Server Denial Of Service [seclists.org]

      Should network printers be patched? [techtarget.com]

      Idle scanning using a network printer & nmap [nmap.org]

      I am heartened by your blasé approach, there's plenty of fun waiting out t

  • by Beryllium Sphere(tm) (193358) on Monday September 29, 2008 @10:47AM (#25194445) Homepage Journal

    A colleague where I live bought a set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.

    The passwords were for a Department of Energy facility with nuclear activities.

    I bet someone here has heard of an even weirder event.

    • by mikael_j (106439)

      Well, what happened to me wasn't really that weird but it was kind of interesting...

      I purchased a couple of old Indigo2s a few years back, paid something like $50 each for them, and when I tried booting the first one I found out that the root password was "root" and that it automatically mounted several NFS mounts belonging to the previous owner, a special effects company in California.

      In retrospect I should probably have either alerted them of the problem or at least snooped around just a little more,

  • Americans fear that private companies will steal all their data. The British prefer the approach of giving it all away to everyone, in a variety of useful formats! [today.com]

    The ineptitude in government at all levels in this country about data security is bloody jawdropping. Interesting news today is that the cabinet official who left some direly secret stuff on a train is getting prosecuted under the Official Secrets Act. [bbc.co.uk] This is hopefully more than security theatre itself.

  • by Animats (122034) on Monday September 29, 2008 @11:06AM (#25194635) Homepage

    The problem is that this is a crypto box without a "zeroize" button.

    A VPN device is, among other things, a crypto unit. Real crypto units are very explicit about key control. Sometimes, the key is in a removable and easy-to-destroy form. On units with internal key storage, there's a guarded "zeroize" button that clears all keys to zero.

    Cisco didn't provide either a "zeroize" button or a removable key. So there's no easy way to scrub the thing before selling it, or to be sure it was scrubbed.

    • by Nursie (632944)

      Actually, Cisco reported that they provide extensive instructions on exactly how to do this sort of thing, and that the blame lies squarely with whatever admin just gave it away.

    • So there's no easy way to scrub the thing before selling it, or to be sure it was scrubbed.

      Bullshit. I can't tell if you're defending the admin who let this go or not, but it kinda sounds like you're blaming the vendor for this. No fucking way is it acceptable for something like this to happen, even if Cisco came out and said "there is absolutely no way to scrub this device, it will retain its configuration forever no matter what you do." Don't sell the device. Put it in a closet and write "destroy" on it with a sharpie. Or just fucking telnet into it and wipe the config! Jesus, if you need a

      • > Jesus, if you need a button to make sure your networking devices are configured
        > correctly, I truly hope you don't actually manage a network.

        Then you truly hope that most of those who do manage networks didn't. And so do I.

  • I only sort of understand what a Council is. It's a local governmental body, but what is it analogous to in the United States? Is it more like a State, County, or Township government, in its size and exercise of power? It would add some meaning to the story. I wouldn't be at all surprised if that happened on the county level or lower, here in the States. There is also a great deal of variance in the size and competency of County governments depending on the county. Is that also true in the UK? If so, where
    • Re: (Score:3, Informative)

      by u38cg (607297)
      It covers what would be roughly a county in the US, area wise. They are fairly toothless beings, in that their roles are fairly clearly spelt out for them and their purse strings are fairly tightly held by central government (thank goodness). They run most of the government services you would expect to interact with regularly, like schools, road maintenance, parks, inspecting eateries, that kind of thing.

      The incompetence of councils is limited, because they are overseen quite closely by central governm

      • Very interesting. On one hand that would be great if a more responsible entity could step in and crack heads for gross negligence. Chicago's Cook County government is pretty corrupt. But the state government is just as corrupt if not more. It seems like the federal government does a good job of sending our governors to prison for corruption, but the county is absolutely untouchable.
    • by jonbryce (703250)

      Essentially, councils do everything below central government level, but it varies depending on where you live. Where I live, I have a borough council, which does all the local stuff - mainly roads excluding motorways and some A roads, education, social care, bins, trading standards, planning permission, building control, environmental health. Then the next level up is Gordon Brown's government at Westminster. It covers the central area of a fairly large town, but not some of the suburbs, which are covere

  • by Rob T Firefly (844560) on Monday September 29, 2008 @11:13AM (#25194729) Homepage Journal
    Shame they didn't think to advertise the stored login on the item's eBay description. They could probably have gotten more than 99p for it.
  • Was it the council of 13's confidential servers? 'Cause I'd really like to know who off'd Jonas Venture Sr.

  • Anyone else wonder why the fuck a so called "security expert" plugged a device blindly into his network?

    I mean, really now. I haven't done any security work in a long time now, but still... Buying something for around 2 to 3 dollars (a security device, no less) off EBay then just "plugging it in" to a production network should cost this idiot his job.

    And posting it to Slashdot should cost him his professional reputation.

    Stupidity at its finest.

    --Toll_Free

    • Re: (Score:3, Insightful)

      by grnbrg (140964)

      Yeah, I agree!

      I mean, at very least, he should have plugged it in to a secure network, and sniffed it a bit to see if it phoned home, or something.

      Oh, wait...

    • by dachshund (300733)

      It doesn't say that he plugged it into his production network, just that he plugged it into /some/ network. If I got a great deal on one of these things I (1) wouldn't ever trust it for anything truly sensitive, out of general paranoia, but (2) would probably throw it on a non-sensitive network (e.g., external network outside of my firewall) to play around with it. There's no evidence at all that Mr. Mason did anything differently.

  • It was a used device that the previous owner did not clear properly. Their policies and processes for destruction and sanitization are apparently lacking. This happens at a lot of places.

    It would be one thing if this was straight into the DoD, but this is some little town council from what I can tell.

  • offer a VPN for sale on eBay

    "accidentally" leave it configured for connection

    wait for connection

    pwn the connecting machine...

    here's a tip: configure your network hardware before actually connecting it to a network

  • The guy's just lucky the council didn't set the cops on to him for 'hacking' their network!
