An item of networking kit bought from eBay for just 99p ($1.79) gave privileged access to an internal network at an English county council. The security risks posed by unwiped computer discs - which are often offered for sale on auction sites and sometimes even obtainable from council rubbish dumps - are well documented, but the …
CTRL C CTRL V
Have you? Formatting on this article is awful, almost like you'd cut and pasted it directly from the Beeb's website, but El Reg would never do that, would you?
It doesn't just show up a lack of policy in terms of disposing of equipment, it also shows a lack of rigid access controls.
The buyer's IP shouldn't have been able to even try and authenticate the VPN
Wow, talk about coincidences! A senior employee of a security firm apparently finds a piece of insecure hardware on eBay which, when plugged in, proactively creates a tunnel to its previous network (never mind that the peer IP and local network subnet would've changed).
What are the chances?
Well you pays peanuts...
I have worked with council outsourced CapGem guys before and they are mostly clueless and intelligence free.
re Darren Coleman
What are the chances? Higher than you'd think.
Security admins often set up IPSec gateways in aggressive mode using a domain name or user ID rather than IP address as identifier. Couple that with a VPN router with active DHCP server and you indeed have a piece of hardware that when plugged in calls straight home and establishes a tunnel.
I also wouldn't be surprised if said security admins configured the VPN to allow full access from the remote site too.
Cisco 3002 VPN devices
If you're going to comment on technology issues and access-control issues it helps to know something about the technology you're commenting on. The routable IP and local network range are irrelevant with Cisco 3002 endpoints. These work like a VPN client in a box. They're designed to be put on small sites with dynamic IPs to allow the site to connect to an endpoint at the other end such as a PIX/ASA or 3000 series VPN concentrator. Basically they eliminate the need to install the Cisco VPN client on every PC at that site; the box acts like a tunnel endpoint, and it gets assigned a dynamic local IP from a pool defined on the far site's config. Everything from the 3002 site gets hidden behind that.
Think of it like a road warrior dialling in from his laptop. They'd get that kind of access. Except lots of folk going across the one tunnel.
These things didn't sell because they cost about the same as a PIX 501, had similar VPN ability, but had no firewall, no (rubbish) IDS, no anything else that device has. So basically no one bought them. They were crap. The real question is why blokey wanted to buy one from eBay, given how pish they are, not why it could access the council ...
Cisco VPN 3002
Good comments. The VPN 3002 is quite a good little piece of kit that sold real well in the US due to PPPoE, just not so good in the UK although I still stand behind the technology.
The VPN 3002 has a great firewall that is configured from the central site device. Just have to know how to use it.
PPPoE made DHCP on the outside interface a possibility hence why the device automatically connected.
I bought the device as I needed to connect a remote office in a shared environment to a central site ASA. If anybody has any better ideas of what to use for 99p I would love to hear them :)
I'm not surprised...
I bought two Cisco 1600s off eBay to practise my CCNA course on. Both still had their original configs on (ISDN, access lists, the whole lot) from the building society they'd been taken out of. One quick password recovery later and I could read the whole lot (which I erased, obviously).
Thing is companies just trust external contractors to get rid, there's no checks and no comeback. Frightening thing is the same goes for the Govt. It used to be that you could only delegate actions, not responsibility, now it seems you can abdicate responsibility completely by passing the dead bodies onto someone else and then denying all knowledge. Outsourcing really does benefit someone - higher management!
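The two mechanisms the thread describes, a VPN box that "calls straight home" because its peer is identified by name or ID rather than by IP address (the "re Darren Coleman" comment), and second-hand routers that still carry their full configuration (this comment), are both things a disposal or pre-deployment check can catch by reading the configuration back. The audit script below is an added example, not code from The Register, the commenters, Kirklees or Cap Gemini; the IOS-style config text is constructed for illustration, all hostnames, keys and passwords in it are placeholders, and the rule names and category labels are the example's own.

```python
"""Audit a router config dump for residual secrets and for 'dials home from anywhere' settings.

Constructed example (not from the page): the IOS-style syntax is used only to
illustrate the checks; adapt the patterns to the platform you actually run.
"""
import re
from dataclasses import dataclass

# Constructed sample: a config as it might be read back from a second-hand box.
# Every key, password, community string and address here is a placeholder.
SAMPLE_CONFIG = """\
hostname branch-rtr-EXAMPLE
enable password 7 094F471A1A0A
username admin password 0 EXAMPLE-LOGIN-PW
snmp-server community public RW
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0
crypto isakmp key EXAMPLE-PSK2 hostname hq-vpn.example.invalid
crypto isakmp peer address 192.0.2.1
 set aggressive-mode password EXAMPLE-AM-PW
 set aggressive-mode client-endpoint fqdn branch.example.invalid
interface FastEthernet0
 ip address dhcp
"""

# Constructed hardened counterpart: PSK bound to one peer address, aggressive
# mode disabled, static outside address, no clear-text or SNMP credentials.
HARDENED_CONFIG = """\
hostname branch-rtr-EXAMPLE
enable secret 5 $1$EXAMPLE$placeholderhash
crypto isakmp aggressive-mode disable
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key EXAMPLE-PSK address 192.0.2.1 255.255.255.255
interface FastEthernet0
 ip address 198.51.100.10 255.255.255.0
"""

# What a config should look like once the box has been erased for disposal.
ERASED_CONFIG = "hostname Router\nend\n"


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    category: str  # residual-secret | weak-peer-auth | auto-connect
    text: str


# (rule name, category, pattern applied to each non-comment line)
RULES = (
    # Residual secrets: anything that lets whoever ends up with the box log in
    # to it or let it authenticate to its old network.
    ("enable-credential", "residual-secret", re.compile(r"^enable (password|secret) ")),
    ("local-user-password", "residual-secret", re.compile(r"^username \S+ (password|secret) ")),
    ("snmp-community", "residual-secret", re.compile(r"^snmp-server community ")),
    ("isakmp-psk", "residual-secret", re.compile(r"^crypto isakmp key ")),
    ("aggressive-mode-password", "residual-secret", re.compile(r"^\s*set aggressive-mode password ")),
    # Weak peer authentication: the peer is not tied to a source IP address,
    # so the tunnel can be brought up from any network the box lands on.
    ("wildcard-psk", "weak-peer-auth", re.compile(r"^crypto isakmp key \S+ address 0\.0\.0\.0\b")),
    ("name-identified-peer", "weak-peer-auth", re.compile(r"^crypto isakmp key \S+ hostname ")),
    ("aggressive-mode-peer", "weak-peer-auth", re.compile(r"^\s*set aggressive-mode client-endpoint ")),
    # Auto-connect ingredient: the outside interface takes whatever DHCP offers.
    ("dhcp-outside", "auto-connect", re.compile(r"^\s*ip address dhcp$")),
)


def audit_config(config: str) -> list[Finding]:
    """Return one Finding per (line, rule) match; blank and '!' comment lines are skipped."""
    findings = []
    for line_no, raw in enumerate(config.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        for rule, category, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, rule, category, line))
    return findings


def safe_to_dispose(config: str) -> bool:
    """True only when no residual secret of any kind remains in the config."""
    return not any(f.category == "residual-secret" for f in audit_config(config))


def dials_home_when_plugged_in(config: str) -> bool:
    """The combination the thread describes: a VPN secret, a peer identity that
    does not depend on the local IP address, and DHCP on the outside interface."""
    rules = {f.rule for f in audit_config(config)}
    has_vpn_secret = bool(rules & {"isakmp-psk", "aggressive-mode-password"})
    ip_independent_peer = bool(rules & {"wildcard-psk", "name-identified-peer", "aggressive-mode-peer"})
    return has_vpn_secret and ip_independent_peer and "dhcp-outside" in rules


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG), ("erased", ERASED_CONFIG)):
        print(f"== {name}: dials home={dials_home_when_plugged_in(cfg)}, safe to dispose={safe_to_dispose(cfg)}")
        for f in audit_config(cfg):
            print(f"  line {f.line_no:>2} [{f.category}] {f.rule}: {f.text.strip()}")
```

The two questions are deliberately separate: the hardened config no longer dials home from an arbitrary LAN, but it still fails the disposal check because the pre-shared key and enable secret are still on the box, which is the point the thread makes about erasing kit before it leaves the building.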
Another local council outsourcing triumph
Crap Gemini will have
- bought the kit using Kirklees Council's money, probably with a 10% CG 'service charge' on top,
- got the local council techies to do the actual configuration and maintenance whilst the CG 'consultants' supervised and directed them from the nearest hotel bar on full expenses,
- and then will have charged Kirklees even more for implementing their 'secure disposal policy' (eg rip it out and flog it on eBay).
Mind you I'm rather surprised to learn that there are some people employed by Cap Gemini who know enough about computers to be able to sell the gear through eBay ... maybe they outsource that bit of the operation to Bangalore ...
not laughing (really)
as a resident of Kirklees NOTHING about this surprises me
basically there is no way Kirklees would pay enough for even a halfway decent network engineer let alone someone who understands security is not about technology (note to "M" not "CapGem guys" - please RTFM before posting)
what is really worrying is that these fools are to be trusted with access to this "Contact Point" system, frightening really . . .especially as the salary for being part of the team running this is a magnificent £16,536 - £18,430 . . not even enough to buy your own peanuts! (and you wonder why MPs excluded their own kids?)
Joke icon, well because as a council Kirklees are only good at patting themselves on the back (we need an icon for blowing sunshine up their own arses please)
PS [and this is not a joke] as well as being generally hopeless Kirklees is a VERY stupid name as Kirklees Hall is in Calderdale - a different council area completely - muppets
What about setting it up correctly in the first place?
Surely VPN access should be locked down by IP address when creating router to router tunnels??
Paris 'cause even she knows to check caller id before picking up.
multiple layers of security
Second hand kit being sold within 4 weeks of its last logon - that's fast for anyone - for a Local Authority it's white lightning speed.
Unless Kirklees isn't insisting on password changes every 4 weeks either - surely not - as they say - they have "multiple layers of security".
I would love to know how come everyone else seems to get good deals on eBay! I never seem to.