Air traffic control data found on eBayed network gear A switch formerly used by the UK's air-traffic service which still held networking configurations and passwords has been sold on eBay, raising security concerns. The £20 Cisco Catalyst switch was bought by security consultant Michael Kemp, co-founder at Xiphos Research Labs, who quickly discovered that it has been used at the …
" We are investigating with them why equipment that we have a destruction certificate for was subsequently sold online."
"A NATS spokesman told Channel 4 News that unspecified actions taken since the breach came to light"
Hopefully the actions were the removal of certain appendages attached to the disposal contractors, which is why they remain unspecified.
The disposal firm should be named and shamed, what they did was fraudulant and dangerous.
"We are investigating with them why equipment that we have a destruction certificate for was subsequently sold online."
Destruction certificate should equal "this kit has been irrevocably folded, spindled, mutilated and minced"; if the firm has certified that and then gone on to sell it, that could well be a criminal matter.
It's one thing to discard it without thinking (which certainly happens too often) - it's quite another to have thought about it and paid money to have it purged/destroyed/etc and then found out that the folks you paid the money to have not only failed to do their job, but in a way that nets them more money and makes your security more vulnerable than if you'd taken five minutes and gone out to the parking lot with a hammer and some pent-up frustration.
This case (if it is as reported) is effectively one of criminal theft.
We buy and resell network gear. This is a regular occurrence with almost every piece of router or switch we purchase, regardless of the source.
Most recyclers focus on data destruction from hard drives and other media. Very few invest in the quality staff you would need to research and perform factory reset or data erasure from the disparate network gear they get from public sector and private sector sources. The result is that almost every piece of network gear purchased from eBay or directly from recyclers will have the config info for the company they were removed from intact.
This lax attitude has been going on since computers and suchlike got into the common workplace. In the late 80's I was asked by a colleague to purchase a redundant AT machine for him, and set it up with DOS and some apps so he could use it as a word processor. The IT bod assured me that the disk had been scrubbed, or at the very least formatted. Well as we know formatting isn't enough and that's all that had been done. I poked the disk contents with Peeka (iirc) which allowed me to see raw data in clusters on the disk. Sure enough this revealed sensitive legal and financial information, which, if I had wanted to, I could have easily recovered and spliced back into workable files. It taught me a lesson in wiping disks clean. But I was shocked that an amateur with an interest in computers such as myself could retrieve the data quite so easily.
Our throw-away, modern age of consumerism has some bearing I'm sure but IT peeps really should have all this covered. A logged and certificated system with names on it should accompany each individual part, even if the chances of it holding sensitive data are minimal. The cost of carrying this out, compared to the unrealized costs of the data falling into the wrong hands should be a no-brainer. Heads must roll.
Well, in this case if they flagged this stuff for "destruction" (or at least secure erasing) and it wasn't done, it sounds like a contractor fail. But I can tell you...
When I worked at a university surplus, we did a 3-pass DOD wipe on hard drives*, we checked copiers and so on to make sure they did not have information stored in them. If devices were marked for secure disposal (or a spot check revealed they *should* have been), they were physically destroyed. But I can tell you what does happen -- departments were supposed to wipe info before it came in, especially on machines that would have sensitive information. What happens in actuality is the new kit comes in and the old has to go, they assume the surplus will take care of it. We had an absolutely alarming number of spot checks where the department got a call back for leaving all kinds of info that, lets just say, could have led to large fines if it had leaked (this is why I'm posting anonymously, I don't want to "name and shame" this place when in fact nothing leaked out.)
*Our* surplus department was vigilant but when we toured other ones, *they* assumed the departments were doing it. We were the only one we found that had dedicated DBAN stations for instance, as well as a tracking system to make sure unchecked equipment didn't slip through -- the equipments make, model, and serial number was scanned in when it came in to be wiped, a barcode printed and affixed. This barcode was scanned when it was wiped and scanned again at sale. This way, if something tried to slip through, it would not have the barcode and could not be sold.
*customized DBAN so we didn't have to hit a key to start wiping, with 48 hard drive bays in total for IDE or SATA, plus some extra kit to handle SAS and some SCSI variants.
I purchased a Cisco router in Australia a couple of years ago that had a full config, incuding dial-on-demand config and routing protocols for Air Services Australia. It was configured to dial into a Melbourne number, and form an routing protocol adjacency (dont remember exactly which one), and included passwords (in reversable hash format.)
I didnt inform them, but I had no ill intents, but imagine if someone with such intents got their hands on it? They had all the details they needed to start poking around inside a potentially critical network!
I also purchased another router maybe a year ago that had full configuration for Coca Cola Amatil on it. Looked like the router from their Brisbane office. It also contained service IDs for WAN circuits linking to their other offices...
Amazing how much of this stuff is out there!
I bought 2 Cisco routers off Fleabay a couple of years ago - to practice on while doing my CCNA. They still had the full confg for the branch of Alliance+Leicester they'd been taken out of, access control lists, ISDN numbers, the lot.
Perhaps managers think that data only goes through network kit so it doesn't need wiping......?
Bought a Cisco 2621 router motherboard as a replacement for a failed one in my lab. Took the old one out, put the new one in, and booted it up. It came up with a full config for a prominent UK online hotel booking firm and it looked like it had been removed from their head office judging by the SNMP location strings.
I dropped them a polite email telling them this with a copy of the config attached, and had a phonecall within 10 minutes from their head of IT security who sounded more than a little shocked on the phone. She asked for the details of where and when I'd got it, which turned out to be their "designated" disposal partner (who was reselling the stuff on ebay). They asked for the board back, which I sent them, and they sent me another one back in exchange with no config on it.
Happy (and quiet) ending for all concerned, but could have been a lot worse if I had malicious intent. All of the other 5 Cisco devices bar one I've bought on ebay have had configs on, but they looked more like old lab configs with no usernames/passwords or SNMP details.
To be honest I don't know how people can forget to wipe them - the commands needed to do so are trivial, especially for the routers. My previous day job involved network support for a major government department, we used to wipe any devices for disposal remotely, and then our contracted engineers would put them through a sanitization regime before they went back into stock for spares or reuse. We never managed to leave a config on by accident, probably because our own names went on the disposal forms when we erased stuff. There was always a paper trail back to someone if they had failed to erase it properly.
I've just passed my CCNA exam less than a week ago, as part of my studying and preparation for it I bought a few CISCO routers and switches from ebay all of which came with full configs containing passwrods, VLAN configurations etc.
In my last job we actually bought 2 pallets of 3com switches for resale, we got these from our local council, they all came with asset tags saying where they came from (mainly colleges) and again included full configs.
If it's important enough ... DO IT YOURSELF. Not just data destruction, but software development, equipment maintenance (Railtrack?) and every other safety or privacy critical component of your business.
All of these major failures are, in the end, due to a manager who streamlined something, making the business slightly more efficient, getting a fat bonus, and going on to do the same at other businesses with an ever expanding CV of 'successes', with none of the consequent failures ever catching up with them.
As the story says, I would like to point out that the switch with the configs on and the other 12 were all marked for secure deconstruction by a third party contractor, and a certificate legally "proving" same was issued. Thus if the switch had been shredded as intended this data would not have leaked. Admittedly if the configs were wiped on this one switch as well then the problem would never have happened.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
