
Council Sells Security Hole On Ebay

CmdrTaco posted about 6 years ago | from the only-as-good-as-your-weakest-link dept.

Security 147

Barence writes "A security expert was stunned to discover a VPN device he'd bought on Ebay automatically connected to a local council's confidential servers. Bought for just 99p for use at work, when plugged in it automatically connected with the login details which had been carelessly left on the device. 'The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really,' says the intrusion-detection professional. The council says it is 'deeply concerned' by the news, but is confident that 'multiple layers of security have prevented access to systems and data.'"


Simply dumb. (1)

davidangel (1337281) | about 6 years ago | (#25194311)

Wipe zeros, stupid.

Layers of Security (5, Insightful)

MyLongNickName (822545) | about 6 years ago | (#25194323)

Am I the only one who cringes when hearing the phrase "multiple layers of security"? It is like a process where you have five people proofread something to check for mistakes, but none of the five bears any responsibility if a typo goes through. Invariably, 80% of the mistakes make it to print.

Re:Layers of Security (5, Insightful)

FireStormZ (1315639) | about 6 years ago | (#25194385)

"Am I the only one who cringes when hearing the phrase "multiple layers of security". It is like a process where you have five people proof read something to check for mistakes, but none of the five bears any responsibility if a typo goes through."

Never, in the history of man has the true process of government been summed up so well!

Re:Layers of Security (2, Funny)

Impy the Impiuos Imp (442658) | about 6 years ago | (#25195019)

You didn't read the rest of the article.

> The council says it is "deeply concerned" by the news, but is confident that
> "multiple layers of security have prevented access to systems and data."

The article continues.

"Indeed, a fax sent by the council to local news outlets later that day confirmed that '[the council's] servers were never breached and we've **CAMILLA P-B IS A HORSEFACE!!!!!!**"

Re:Layers of Security (2, Insightful)

gowen (141411) | about 6 years ago | (#25195175)

Never, in the history of man has the true process of government been summed up so well!

Really? You think that's unique to government? Have you never worked in a private company? Never read TheDailyWTF? Noticed anything happen on Wall Street in the past week?

A massive slice of incompetence and stupidity is the one thing ALL human endeavour together.

Re:Layers of Security (4, Insightful)

FireStormZ (1315639) | about 6 years ago | (#25195309)

"You think thats unique to government?"

It's not unique to government, but it is ubiquitous within government!

"Have you never worked in a private company?"

Yup, some are like this and some are not. More often than not, the companies which are like this die or, at the very least, change leadership.

"A massive slice of incompentence and stupidity is the one thing ALL human endeavour together."

Aye, but the instituted practice of making people not *responsible* for their stupidity is a pillar of government bodies.

Re:Layers of Security (1)

daem0n1x (748565) | about 6 years ago | (#25195641)

You are sooooo naive.

Re:Layers of Security (1)

hairyfeet (841228) | about 6 years ago | (#25195711)

Oh yeah, this kind of stupid seems to be par for the course. I had a buddy load up on some SCSI hard drives on eBay to outfit some Compaq webservers he got when his company upgraded, and sure enough, half of them still had data on them! He found all kinds of employee records, social security numbers, etc. He of course wiped them after laughing his ass off about how stupid some of the companies were. Did they think when they sold the drives that they were going to be used as paperweights?

And about a year ago one Sunday a friend was driving downtown when he spotted a bunch of PCs dumped next to the trash for pickup by the local phone company building. His had died recently so he loaded them up and brought them to me to see if any could be salvaged. They were all working 1.2-1.8GHz XP Pro machines, and yep, they hadn't bothered to do squat, just chucked them. Customer account info, probably CC numbers, hell there was so much stuff on them it would have taken days just to sort. I wiped and reinstalled but damn, did they not think that Mr. Garbageman might check to see if anything was good?

So this kind of stupid really isn't surprising to me, and it's why I think we need special fines or something for these braintrusts we read about that leave customer info on unsecured tapes sitting in their car or just dump machines filled with info on the curb. Because most of these data thefts IMHO aren't from some "master hacker" but because these idiots don't show even the barest minimum of common sense.

Re:Layers of Security (1)

jonbryce (703250) | about 6 years ago | (#25196107)

I'm surprised they keep stuff like that on the desktop machines.

Re:Layers of Security (5, Funny)

FredFredrickson (1177871) | about 6 years ago | (#25194387)

By layers of security, I'm sure he meant something along the lines of "Even if you can connect to our network printers on the windows server- you can't use them! Heck, we still can't figure out how to use them. Actually if you figure out how to get them to work, can you get the print jobs started? There's probably a couple hundred print jobs waiting.

Oh and you probably can't access any files on our network, because in this HIGH security office, we don't even have network shares or anything of the like. Nopers, we email documents to each other. Good luck catching us, dude. LAYERS. LAYERS AND LAYERS of security."

Re:Layers of Security (4, Insightful)

darkmeridian (119044) | about 6 years ago | (#25194493)

It also is concerning because if you get used to failure as acceptable then each layer is going to become increasingly compromised until you have no protection at all. You will have multiple layers of protection only if you maintain each and every layer as though it were the only layer of protection.

Re:Layers of Security (1)

PunkOfLinux (870955) | about 6 years ago | (#25196115)

That's actually a really good statement. Treating every layer as 'the only layer' rather than saying 'oh, it's fine, we still have (x-1) layers left' is a good security practice, I think. Otherwise, you end up with a slippery slope, and no protection.

Re:Layers of Security (1)

Nos. (179609) | about 6 years ago | (#25194613)

Of course there should be multiple layers of security. Do you trust that your firewall will block all malicious traffic and leave all your accounts password free? Do you turn off anti-virus on the desktop because you run it on the mail server?

Yes, there has to be proper acknowledgment when any one piece fails, even if it doesn't result in any kind of breach.

Re:Layers of Security (2, Insightful)

MyLongNickName (822545) | about 6 years ago | (#25194631)

I will agree with you very much. However in practice I hear it used to shrug off any concerns about one "layer" failing. Perhaps it is just my experience.

Re:Layers of Security (1)

Lobster Quadrille (965591) | about 6 years ago | (#25194959)

I definitely see your point, but this is exactly what the layer model should allow.

If there was a massive breach of our firewall, but due to careful network configuration nobody was able to get in, I'd feel pretty damn good about myself.

Of course, I would then fix the issue with the firewall... which is really the critical step.

Re:Layers of Security (1)

DrSkwid (118965) | about 6 years ago | (#25195191)

Yes and Yes

Re:Layers of Security (5, Funny)

Fx.Dr (915071) | about 6 years ago | (#25194633)

...but none of the five bears...

I dunno, five bears can be pretty scary. I'd be sure to stay away from that network.

Re:Layers of Security (0)

Anonymous Coward | about 6 years ago | (#25194735)

Slowly back away from the honeypot...

Re:Layers of Security (1)

andrikos (1114853) | about 6 years ago | (#25194747)

Can't you "bear" the thrill?

Re:Layers of Security (1)

shawn(at)fsu (447153) | about 6 years ago | (#25195215)

I'm not trying to be a spelling/grammar nazi as I make more mistakes than anyone I know... But, it's funny that as I was reading the post my eyes caught the word bear before finishing the sentence. I immediately stopped reading and skipped to that part to see how bears were involved. I was disappointed.

Oh well.

Re:Layers of Security (2, Funny)

fyoder (857358) | about 6 years ago | (#25196111)

The three bear security system had proven inadequate.

Defense in Depth (1, Informative)

bunratty (545641) | about 6 years ago | (#25194665)

No, it's defense in depth [wikipedia.org]. It's like having locks on your house, and also having an alarm system. That's more secure than having just locks or just an alarm system. On a computer, it's like using a secure browser and also having a firewall and also anti-virus software.

Re:Defense in Depth (4, Insightful)

MyLongNickName (822545) | about 6 years ago | (#25194787)

Your lock/alarm analogy is fair. In this case however, it seems that they have locks they don't lock because of the alarm system. And they have an alarm system they don't turn on because of the locks.

Re:Defense in Depth (1)

bunratty (545641) | about 6 years ago | (#25194835)

From the article, it seems like the VPN device gave access to the network, but the systems and data on that network are protected by another layer of security. I'm guessing they're referring to passwords. It's like a lock on a server room door in addition to the lock on the door to the offices.

Re:Defense in Depth (1)

the_B0fh (208483) | about 6 years ago | (#25195149)

And with full access to the network, it is impossible to get a password or login?! What are you smoking, and can you share?

Re:Defense in Depth (1)

bunratty (545641) | about 6 years ago | (#25195443)

No, I never said it's impossible to get a password or login. It's just that with an additional line of security, network access does not automatically mean access to systems and data. In my analogy, a thief can steal a key to the office, but then he would have to also pick the lock on the server room door.

Re:Defense in Depth (4, Insightful)

Kent Recal (714863) | about 6 years ago | (#25195227)

Well, given how carelessly they treat their first layer of defense (VPN access) I wouldn't put much confidence in their other layers (if any) either. This whole story just screams INCOMPETENCE in bold and all caps. I doubt very much that the same people who are stupid enough to sell critical hardware on eBay are in any way capable of maintaining a secure network, even if their life depended on it.

Re:Defense in Depth (1)

bunratty (545641) | about 6 years ago | (#25195465)

I agree completely. Having defense in depth is no excuse for incompetence. On the other hand, incompetence does exist, and having defense in depth can save the day when it rears its ugly head. In other words, your confidence in your competence should not be an excuse not to have defense in depth.

Re:Defense in Depth (1)

Sancho (17056) | about 6 years ago | (#25195947)

Yeah, someone screwed up, but that someone was a person, and not necessarily the same person who set up the other security measures.

Re:Defense in Depth (1)

Kent Recal (714863) | about 6 years ago | (#25196083)

Well, yes that's probably the exact lame excuse that they will make.

In reality security is a process and their processes are obviously broken. No person (no matter whether it is the one who set up their network or not) should be allowed to just go pick up a router and sell it on eBay. If they feel a need to cash in on their old hardware then there must be a clear process for that which includes "make really sure that all sensitive data is wiped from any device you intend to sell".

Anyways, what happened here is likely the same old story:

Clueless-Bob asks Clueless-Joe: "Hey, what do we do with this old router?"
Clueless-Joe: "No idea, just give it to secretary Jane and tell her to get rid of it anyhow"

The bittersweet ending is usually that if someone gets fired over this then it will be Jane. Not Bob, not Joe, and most certainly not their supervisors who are responsible for the broken/missing processes in the first place.

Re:Layers of Security (-1, Flamebait)

Anonymous Coward | about 6 years ago | (#25194817)

No. If they are worth anything (doubtful from their mistake), then multiple layers of security means that they treat their inside like the outside, so even if you have the VPN device it doesn't get you that far.
Plus, now that they know what's happened, they should have been able to revoke rights for the VPN device. Stop trying to be such chicken little security wieners, slashdot posers. You are not as cool as you wish you were.

Re:Layers of Security (2, Interesting)

AndGodSed (968378) | about 6 years ago | (#25194957)

I tooled around on one of our clients' networks the other day. We installed a server there and at their request (needed to add that to cover my butt) I had to load a file on one of their PCs for a guy to install.

(The only main difference between this scenario and mine was I had a Linux (running Gentoo) server on their LAN. Here the guy had VPN access and thus he could VPN in and have a Linux box on their LAN.)

My problem was that I had no idea what the IP address of the laptop was where I needed to place the file (a printer driver) so I pulled out a few really beginner tools to get my job done.

(I will not post actual output here since most linux geeks will know what I would see.)

nmap -sP to scan for active IP addresses. Next to the output you will see the name of the network device (the maker of the actual network card). Using this info I could make a guess as to what is a printer (they had an HP network printer) and their router. The rest had to be the computers/laptops.

Next up I ran nmblookup -A against some of the IP addresses until I found the one I was looking for.

At this point I ran into a possible hitch - password for a share.

I ran smbclient -L against the chosen IP address and PRESTO - open windows "Shared Documents"

So, for a "security expert" or hacker having VPN access can afford one a lot of information and opportunity for doing nasty stuff.

I had with these three tools: a list of all the devices on the network, a means to determine all the open shares, find out computer names (using these you can often determine usernames and guess passwords - "password" is still quite common), find out the workgroup/domain name, send print jobs to the printer if I chose to, access the router and harvest the DSL username and password, place worms and trojans on the "Shared Documents" folders of several computers and infect a whole LAN!

Layers of security my left foot.

nah (1)

nimbius (983462) | about 6 years ago | (#25195613)

I'd like to know when we started comparing things as serious as safety and security to candybars... but since I'm American, "council" means immediately nothing to me.

ps: s/bears/bares/

my 2 pence (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#25194345)

I could really go for some shaved beaver right about now.

Re:my 2 pence (2, Funny)

Missing_dc (1074809) | about 6 years ago | (#25195537)

I could really go for some shaved beaver right about now.

This being slashdot, finding beavers here is rare, shaved even more so, but an earlier post mentioned Bears. Perhaps they will do for you?

(I know we should not feed the trolls, but this one sounds really hungry)

Typo in the summary (5, Insightful)

zappepcs (820751) | about 6 years ago | (#25194347)

The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data.""

but is confident that "multiple layers of security have prevented the council from knowing if anyone has had or does have access to systems and data.""

There... that's better.

Is anyone really surprised by this still? (0)

AmonEzhno (1276076) | about 6 years ago | (#25194361)

I mean back in the nineties I remember hearing about so-and-so bought a second hand laptop and it had 4000 CC#'s on it, or so-and-so bought a desktop and had all the passwords for company X's servers. Really it seems kind of overblown for this to make news, it was just a dumb mistake.

99p for a bag of chips (1)

intothemiddle (1142025) | about 6 years ago | (#25194365)

Five people checking for typos is one thing... making sure you're not selling access to your company for 99p on eBay is... crazy!! Whoever works there and has access to sell them should know better. What really gets my goat is if I'd have bid on it the thing would have cost me £60 with £100 P+P. (eBay, if you're reading this - I HATE You!)

excuse me??? (1)

confused one (671304) | about 6 years ago | (#25194367)

"multiple layers of security have prevented access to systems and data."

The fact is that the guy already had access to the systems. Were they not paying attention?

Re:excuse me??? (2, Insightful)

Alwin Henseler (640539) | about 6 years ago | (#25194557)

the fact is that the guy already had access to the systems.

Access to a normally inaccessible private network is not the same as access to systems on that private network.

Although with IT staff this incompetent, I'd expect any next step(s) to be trivial with a real hacker behind the steering wheel (as opposed to a white hat guy like in this case).

Re:excuse me??? (4, Insightful)

confused one (671304) | about 6 years ago | (#25194813)

Wanna bet that the username and password that got him into the VPN in the first place is a valid username and password in the domain?

Re:excuse me??? (1)

Sancho (17056) | about 6 years ago | (#25195977)

And this is just one of many reasons why passwords should not be recoverable from devices like this. On a general purpose computer, it's hard to prevent, but I bet that it's nontrivial to modify the software on that device to give up the password.

Re:excuse me??? (4, Insightful)

Nursie (632944) | about 6 years ago | (#25194691)

Actually, I'm surprised that this so-called "Security Expert" plugged it into his network and allowed it to do that without first looking at what went on when he started it up in isolation.

good call (1)

DrSkwid (118965) | about 6 years ago | (#25195219)

n/t

Erm...Layers? (5, Insightful)

Sj0 (472011) | about 6 years ago | (#25194377)

Once someone has a VPN tunnel directly into your network, any protection from outside attacks is automatically bypassed. What's left? A collection of passwords?

Re:Erm...Layers? (1)

hubie (108345) | about 6 years ago | (#25194457)

Zone Alarm! :)

Actually what is left are a handful of machines that aren't regularly patched or have passwords because they figured they were safe behind the firewall.

Re:Erm...Layers? (2, Insightful)

Brigadier (12956) | about 6 years ago | (#25194737)

Well, most VPNs just create secure access at the TCP level. If it is a Windows network you still have to log into the network itself. It is understood, though, that the fact that VPN access is required probably means there are a few open servers and user machines that have unprotected shares because of the false security of the VPN.

Re:Erm...Layers? (1)

the_B0fh (208483) | about 6 years ago | (#25195271)

And you have no open shares, and anonymous browsing of your windows network is turned off, etc? I agree more with your #3 statement.

Re:Erm...Layers? (2, Insightful)

Richard_at_work (517087) | about 6 years ago | (#25194805)

The VPN puts people into a DMZ for precisely this reason, and then you have to authenticate with the DMZ border gateway (firewall in other words) for any access to backend resources. Never, ever, should a VPN put you directly onto the trusted LAN - you don't ever trust the other end of the VPN, the 'dumb' office worker may have a virus infested home network.

Re:Erm...Layers? (1)

Paul server guy (1128251) | about 6 years ago | (#25195591)

Um, Did you forget that these are the same highly trained security professionals that dumped the unit with all of the keys in the first place? I would be surprised if it didn't lead straight to the DB server - Or the ladies restroom.

Re:Erm...Layers? (1)

jimicus (737525) | about 6 years ago | (#25195761)

The VPN puts people into a DMZ for precisely this reason, and then you have to authenticate with the DMZ border gateway (firewall in other words) for any access to backend resources. Never, ever, should a VPN put you directly onto the trusted LAN - you don't ever trust the other end of the VPN, the 'dumb' office worker may have a virus infested home network.

Not quite sure how well this will prevent anything - as soon as the user's authenticated with the DMZ border gateway then any viruses can traverse the VPN tunnel.

Depends on the VPN (1)

Sycraft-fu (314770) | about 6 years ago | (#25195735)

If you have a setup where there's an "inside/outside" arrangement and everything on the inside trusts everything else on the inside then sure. However that's often not the case.

For example I work at a university, and we've got a campus VPN here. To access various things in our department from off campus, you need to VPN in. However, that doesn't get you past all security. All it does is get you a campus IP address, not even a departmental IP. So, you are still outside our firewall, however it lets more things through (for example you can use our SMTP server to send mail). Even if we changed it up and installed a VPN in the department, that'd only get you by the border firewall. Systems themselves still have firewalls running on them.

Now firewalls aside, there's other security. Our systems don't just let anyone who happens to have a departmental IP do anything. They require proper credentials for what you are trying to do. Nearly all the protocols you might use are encrypted, too. For example you can't telnet to the UNIX systems, it isn't turned on, you have to SSH even internally. Not that it would do you a whole lot of good, the entire network is switched, you aren't seeing any traffic that isn't for you.

So you can plug something in to our physical network, and still not be able to get access to anything unless you have an account on our system. The VPN is just a layer of security, and is basically to get you past the campus firewall (which we don't control) and to allow us to open up ports to a limited IP space.

That's layers of security, and it isn't uncommon. There isn't a single point that is a "if you get by here, you have full access" kind of thing. There are various layers of security, various levels of trust.

Anyone keeping count? (1)

xaxa (988988) | about 6 years ago | (#25194379)

+1 to the UK government data breach tally.

Re:Anyone keeping count? (2, Funny)

clare-ents (153285) | about 6 years ago | (#25194437)

the count now reads -2 147 483 647

Just like beer (1)

Spatial (1235392) | about 6 years ago | (#25194869)

[Nomenumbra] 1 bottle of beer on the wall, 1 bottle of beer, you take 1 down, pass it around, 0 bottles of beer on the wall.
[Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.

Re:Just like beer (3, Funny)

crunch_ca (972937) | about 6 years ago | (#25195083)

[Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.

Yay, I can hardly wait for the 64-bit port of this application!

Re:Just like beer (2, Funny)

xaxa (988988) | about 6 years ago | (#25195181)

[Nomenumbra] 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 4294967295 bottles of beer on the wall.

Yay, I can hardly wait for the 64-bit port of this application!

Hopefully it's open source, or I'm in trouble:

0 bottles of beer on the wall, 0 bottles of beer, you take 1 down, pass it around, 18446744073709551615 bottles of beer on the wall.

Re:Just like beer (1)

Paul server guy (1128251) | about 6 years ago | (#25195629)

As much as I appreciate the joke, I thought this would be a good time to interject the real ending...
"No more bottles of bear on the wall, No more bottles of beer,
Go to the store, buy some more, 99 bottles of beer on the wall."

Let the wails commence...

But I still like the joke.

I don't know... (1)

flynt (248848) | about 6 years ago | (#25194391)

Would a security expert really be "stunned" by this? Sounds like business as usual to me.

Re:I don't know... (4, Funny)

russotto (537200) | about 6 years ago | (#25194467)

Would a security expert really by "stunned" by this? Sounds like business as usual to me.

Never seen Casablanca, have you?

Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.

Re:I don't know... (0)

Anonymous Coward | about 6 years ago | (#25195393)

You may know this stuff goes on, but it's always kind of a nasty shock to actually encounter it without even looking for it.

VPN Access Not The End of the World (4, Insightful)

Kaboom13 (235759) | about 6 years ago | (#25194439)

While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world. You should never be assuming traffic coming from the LAN side is "safe" anyways, and require additional authentication every step of the way. Lots of orgs give their home employees/remote offices VPN access and these machines can generally be easily compromised. TFA is short on details but if the admins have been doing their job he probably would not have been able to compromise anything more than some network printers. That said, their disposal department needs a good slapping, wiping configs from Cisco devices is usually very easy.
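The point made here and in Kent Recal's post above (make really sure sensitive data is wiped before a device is sold) is worth turning into a check that runs before the box leaves the building. The following is an added example, not code from the article or from any poster: it scans an IOS-style running-config dump for credential-bearing and peer-identifying directives and reports only the directive names, so the audit output itself does not leak what it found. The keyword patterns and both sample configs are constructed assumptions about common IOS syntax, not an exhaustive list.

```python
import re
from dataclasses import dataclass
from typing import List

# Directive patterns (assumed common IOS keywords) that must not survive on a
# device leaving the organisation.  "secret" lines hand a buyer credentials
# (note that IOS "password 7" values are reversibly encoded, not hashed);
# "identity" lines tell the buyer where the device used to connect.
SENSITIVE = [
    ("secret",   r"^\s*enable (secret|password)\b"),
    ("secret",   r"^\s*username \S+ .*\b(password|secret)\b"),
    ("secret",   r"^\s*crypto isakmp key\b"),
    ("secret",   r"^\s*(tacacs-server|radius-server) .*\bkey\b"),
    ("secret",   r"^\s*snmp-server community\b"),
    ("secret",   r"^\s*ppp (chap|pap) (password|sent-username)\b"),
    ("identity", r"^\s*set peer\b"),
    ("identity", r"^\s*tunnel (source|destination)\b"),
    ("identity", r"^\s*crypto map\b"),
    ("identity", r"^\s*ip address \d"),
    ("identity", r"^\s*hostname (?!Router$)"),   # "Router" is the factory default
]


@dataclass(frozen=True)
class Finding:
    kind: str        # "secret" or "identity"
    line_no: int     # 1-based line in the config dump
    directive: str   # redacted directive, never the value


def redact(line: str) -> str:
    """Keep only the first two tokens so secrets never reach the report."""
    words = line.split()
    return " ".join(words[:2]) + (" ..." if len(words) > 2 else "")


def audit_config(config: str) -> List[Finding]:
    """Return one Finding per config line that matches a sensitive pattern."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        for kind, pattern in SENSITIVE:
            if re.match(pattern, line, re.IGNORECASE):
                findings.append(Finding(kind, n, redact(line)))
                break  # one finding per line is enough
    return findings


def is_safe_for_disposal(config: str) -> bool:
    """A device is only cleared for sale when nothing sensitive remains."""
    return not audit_config(config)


# Constructed sample: what a carelessly decommissioned VPN router might
# still carry.  Addresses are documentation ranges; the key is made up.
SAMPLE_CONFIG = """\
!
hostname council-vpn-gw
!
enable secret 5 $1$EXAMPLEHASHEXAMPLEHASHEXA
username admin privilege 15 password 7 0822455D0A16
!
crypto isakmp key CouncilPSK123 address 203.0.113.10
crypto map COUNCILMAP 10 ipsec-isakmp
 set peer 203.0.113.10
!
interface FastEthernet0
 ip address 192.0.2.2 255.255.255.0
 crypto map COUNCILMAP
!
snmp-server community public RO
!
end
"""

# Constructed sample: the same box after "erase startup-config" style wiping.
WIPED_CONFIG = """\
!
hostname Router
!
interface FastEthernet0
 no ip address
 shutdown
!
end
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3}  {f.kind:<8}  {f.directive}")
    print("sample safe to sell:", is_safe_for_disposal(SAMPLE_CONFIG))
    print("wiped safe to sell: ", is_safe_for_disposal(WIPED_CONFIG))
```

Run it against the output of `show running-config` captured from the device; a non-empty report means the unit goes back to the bench, not to eBay.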

Re:VPN Access Not The End of the World (4, Insightful)

Attaturk (695988) | about 6 years ago | (#25194781)

While this was a security fuckup, if your network is designed right someone having VPN access is not the end of the world.

Point being this was a local government network. The chances of it being designed right, let alone thoroughly maintained, are slim to none. Professionals outside IT must be educated not to rely on our l337 sysadmin skills else IT people will always carry the can when the shit hits the fan. I know it's a mixed metaphor but it rhymes so screw you. ;)

People, in and outside of IT, need to understand (read: be taught) that government networks are not only vulnerable but also highly attractive to spammers, scammers, identity fraudsters and the like. This means that meatspace security is even more, not less, important in these environments.

The strongest wall-safe in the world is useless if you leave the combination on a piece of paper on your desk. If you believe that no one could get past the formidable building security to read what's on your desk, your safe is probably already bare.

Re:VPN Access Not The End of the World (1)

alta (1263) | about 6 years ago | (#25194791)

Agreed.

We have a dozen or so users on the VPN. How many of them do you think have access to any services just based on the fact they are 'on the network'? Frankly the only thing you can do once you're on the network is ping other machines on the network. You must still authenticate as a valid user with appropriate access rights to get to any data. Once you get that far, if what you are wanting is in any way sensitive, you either need the password or key to unencrypt the file, or if it's a web service your browser has to have the client key installed before it can communicate with the server.

Oh, you wanted access to the full social and credit card numbers? Not even the intranet site does that, you'll need SA access to SQL to get that. goodluckwiththat.

Re:VPN Access Not The End of the World (0)

Anonymous Coward | about 6 years ago | (#25194913)

So... What do you think the odds are that an IT department that would sell off a spare VPN concentrator that's configured to automatically connect to their networks without wiping the configs would actually have a properly designed network?

Re:VPN Access Not The End of the World (1)

Paralizer (792155) | about 6 years ago | (#25195135)

There are other security concerns besides physical devices. Getting into the network via VPN seems like the hardest part to me if you wanted to steal some information. Once you are in and can at least connect to a server on the private network you can call any poor HR/accounting/payroll/etc person who isn't very knowledgeable about security threats and con your way into some login credentials.

Also the notion of a Cisco device being extremely easy to configure is pretty funny. After you get comfortable with Cisco it is fairly straight forward to configure (I like it anyway), but Cisco is by no means "extremely easy" compared to other devices out there.

Re:VPN Access Not The End of the World (1)

DrSkwid (118965) | about 6 years ago | (#25195307)

network printers with Postscript, ph34r my remote !factorial attacks!

some of them also do email and can be owned for more attacks, some are phone/fax/copier/printers giving you the scope for spam faxing and premium rate dialling attacks.

Plus, do you really want remote access to print queues at a UK govt. dept.?

HP Printers FTP Server Denial Of Service [seclists.org]

Should network printers be patched? [techtarget.com]

Idle scanning using a network printer & nmap [nmap.org]

I am heartened by your blasé approach, there's plenty of fun waiting out there for inquiring minds.

What's the weirdest story like this? (5, Interesting)

Beryllium Sphere(tm) (193358) | about 6 years ago | (#25194445)

A colleague where I live bought a set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.

The passwords were for a Department of Energy facility with nuclear activities.

I bet someone here has heard of an even weirder event.

Re:What's the weirdest story like this? (-1, Troll)

Anonymous Coward | about 6 years ago | (#25194591)

I've heard of a weirder event:

So ur with ur honey and yur making out wen the phone rigns. U anser it n the vioce is "wut r u doing wit my daughter?" U tell ur girl n she say "my dad is ded". THEN WHO WAS PHONE?

Re:What's the weirdest story like this? (1)

Anonymous Coward | about 6 years ago | (#25194929)

Spelling all the words in your dumb story in a weird way does not make the story itself weird, it just makes you look illiterate.

Re:What's the weirdest story like this? (0)

Anonymous Coward | about 6 years ago | (#25194601)

Even weirder? How about an anonymous coward requesting citation from a non-anon?

set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.

I've never seen computing equipment, let alone routers, at Goodwill, and yes, I shop there.

The passwords were for a Department of Energy facility with nuclear activities.

Citation needed. How was it known to be DOE?

Re:What's the weirdest story like this? (1)

sp332 (781207) | about 6 years ago | (#25194677)

I've seen plenty of old, crappy computer equipment at Goodwill.

Re:What's the weirdest story like this? (1)

Colonel Korn (1258968) | about 6 years ago | (#25194797)

Even weirder? How about an anonymous coward requesting citation from a non-anon?

set of routers from Goodwill and found not only default programming but a sheet of paper stuck inside with passwords.

I've never seen computing equipment, let alone routers at goodwill, and yes, I shop there.

The passwords were for a Department of Energy facility with nuclear activities.

Citation needed. How was it known to be DOE?

Based on my experience at Goodwill and at DOE sites, I'd say this is quite plausible, though statistically unlikely. Passwords to a router running in a DOE lab are pretty much useless, though.

Re:What's the weirdest story like this? (0)

Anonymous Coward | about 6 years ago | (#25195085)

I've never seen computing equipment, let alone routers at goodwill, and yes, I shop there.

Just do a Google [austincomputerworks.org] search [goodwillpitt.org] next time.

Re:What's the weirdest story like this? (1)

mikael_j (106439) | about 6 years ago | (#25194919)

Well, what happened to me wasn't really that weird but it was kind of interesting...

I purchased a couple of old Indigo2s a few years back, paid something like $50 each for them, and when I tried booting the first one I found out that the root password was "root" and that it automatically mounted several NFS mounts belonging to the previous owner, a special effects company in California.

In retrospect I should probably have either alerted them to the problem or at least snooped around just a little more, but I had no sense of adventure so I just unmounted the NFS partitions and removed them from fstab.

/Mikael

Britain's socialist government at your service (1)

David Gerard (12369) | about 6 years ago | (#25194519)

Americans fear that private companies will steal all their data. The British prefer the approach of giving it all away to everyone, in a variety of useful formats! [today.com]

The ineptitude in government at all levels in this country about data security is bloody jawdropping. Interesting news today is that the cabinet official who left some direly secret stuff on a train is getting prosecuted under the Official Secrets Act. [bbc.co.uk] This is hopefully more than security theatre itself.

99p!!!!??? (0)

Anonymous Coward | about 6 years ago | (#25194543)

99 pence for a Cisco 3002 is an astonishingly good price, even if it is end-of-lifed! Even now most 3002s on eBay are going for $200 or more.

Is 99p correct? Or is the media distorting the facts in order to sensationalize the story?

If 99p is the correct price, I'll take 50 of them. Ta!

Crypto without a "zeroize" button. (4, Informative)

Animats (122034) | about 6 years ago | (#25194635)

The problem is that this is a crypto box without a "zeroize" button.

A VPN device is, among other things, a crypto unit. Real crypto units are very explicit about key control. Sometimes, the key is in a removable and easy-to-destroy form. On units with internal key storage, there's a guarded "zeroize" button that clears all keys to zero.

Cisco didn't provide either a "zeroize" button or a removable key. So there's no easy way to scrub the thing before selling it, or to be sure it was scrubbed.
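
What a "zeroize" function amounts to in software, as an added example that is not code from this thread, from Cisco or from any real VPN appliance: a made-up key store holding a pre-shared key and a stored login, a clearing routine that writes through a volatile pointer so the compiler cannot drop the stores as dead (a plain memset of a buffer about to go out of scope often is dropped), and a check a disposal process can run to confirm nothing secret remains. The struct layout, field sizes and sample credentials are all assumptions for illustration.

```c
/* Added example: a software "zeroize" for a hypothetical key store.
 * Not from the Slashdot thread or any vendor firmware; the struct,
 * sizes and sample values below are made up for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_BYTES 32   /* assumed pre-shared key length */

/* Hypothetical persistent key store of a small VPN box. */
struct key_store {
    uint8_t psk[KEY_BYTES];   /* pre-shared key */
    char    username[32];     /* stored login */
    char    password[64];
    int     provisioned;      /* non-zero once configured */
};

/* Clear n bytes through a volatile pointer so a dead-store optimizer
 * cannot elide the writes. Returns the number of bytes cleared. */
static size_t secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    for (size_t i = 0; i < n; i++) vp[i] = 0;
    return n;
}

/* Zeroize every secret field and mark the unit unprovisioned.
 * Returns the total number of secret bytes cleared. */
size_t key_store_zeroize(struct key_store *ks)
{
    size_t n = 0;
    n += secure_zero(ks->psk, sizeof ks->psk);
    n += secure_zero(ks->username, sizeof ks->username);
    n += secure_zero(ks->password, sizeof ks->password);
    ks->provisioned = 0;
    return n;
}

/* Disposal check: every byte of the secret fields must be zero and the
 * unit must be unprovisioned. Returns 1 if clear, 0 otherwise. The OR
 * accumulator avoids an early exit that would leak which byte failed. */
int key_store_is_clear(const struct key_store *ks)
{
    const uint8_t *p = (const uint8_t *)ks;
    size_t secret_len = offsetof(struct key_store, provisioned);
    uint8_t acc = 0;
    for (size_t i = 0; i < secret_len; i++) acc |= p[i];
    return acc == 0 && ks->provisioned == 0;
}

/* Constructed scenario: provision a store the way a careless admin
 * would leave it, then zeroize before the box leaves the building.
 * Returns the number of bytes cleared (128 for this layout) if the
 * before/after checks behave as expected, 0 otherwise. */
size_t demo(void)
{
    struct key_store ks;
    memset(&ks, 0, sizeof ks);
    memset(ks.psk, 0xA5, sizeof ks.psk);             /* fake PSK */
    strcpy(ks.username, "vpnuser");                  /* made-up login */
    strcpy(ks.password, "correct horse battery");    /* made-up */
    ks.provisioned = 1;

    if (key_store_is_clear(&ks))   /* secrets present: must report dirty */
        return 0;
    size_t cleared = key_store_zeroize(&ks);
    if (!key_store_is_clear(&ks))  /* after zeroize: must report clean */
        return 0;
    return cleared;
}

int main(void)
{
    size_t n = demo();
    printf("zeroized %zu bytes, store %s\n", n, n ? "clear" : "NOT clear");
    return n ? 0 : 1;
}
```

The same pattern applies whether the store lives in RAM, flash or a removable card: clear it, then verify it is clear, and only then let the hardware out of the door. A factory-reset command is only as good as the step that confirms it actually ran.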

Re:Crypto without a "zeroize" button. (1)

Nursie (632944) | about 6 years ago | (#25194719)

Actually, Cisco reported that they provide extensive instructions on exactly how to do this sort of thing, and that the blame lies squarely with whatever admin just gave it away.

Re:Crypto without a "zeroize" button. (0)

Anonymous Coward | about 6 years ago | (#25194997)

Didn't read the article, so I have no idea what model the Cisco is.

Many Cisco devices have a CF card or USB stick to store the configuration, crypto keys, or whatever else. Obviously in such models there is a removable key.

I have not personally seen a Cisco device with a "zeroize" button, but that doesn't mean they don't make them.

I have seen, however, detailed instructions on how to wipe keys and configs with absolutely every piece of Cisco equipment I've ever encountered. Setting a Cisco back to factory defaults is typically as simple as a single command.

Obviously whoever was responsible for disposing of these devices did not do their job. If there was a physical key, it was not removed. If there was a "zeroize" button, it was not pressed. And the working configuration was obviously not wiped.

Council explanation? (1)

Bill, Shooter of Bul (629286) | about 6 years ago | (#25194695)

I only sort of understand what a Council is. It's a local governmental body, but what is it analogous to in the United States? Is it more like a State, County, or Township government, in its size and exercise of power? It would add some meaning to the story. I wouldn't be at all surprised if that happened on the county level or lower, here in the States. There is also a great deal of variance in the size and competency of County governments depending on the county. Is that also true in the UK? If so, where is this local council, and could it really have been expected to be smarter?

Re:Council explanation? (0)

Anonymous Coward | about 6 years ago | (#25194903)

It is the bit of local government at county level. We don't have the "state" bit in between country and county.

Re:Council explanation? (1)

Bill, Shooter of Bul (629286) | about 6 years ago | (#25195347)

So there isn't a separate governmental agency for England, Wales, Scotland, or Northern Ireland?

Re:Council explanation? (1)

Ragzouken (943900) | about 6 years ago | (#25195783)

England, Wales, Scotland and Northern Ireland are countries in their own right.

Re:Council explanation? (2, Informative)

u38cg (607297) | about 6 years ago | (#25195367)

It covers what would be roughly a county in the US, area wise. They are fairly toothless beings, in that their roles are fairly clearly spelt out for them and their purse strings are fairly tightly held by central government (thank goodness). They run most of the government services you would expect to interact with regularly, like schools, road maintenance, parks, inspecting eateries, that kind of thing.

The incompetence of councils is limited, because they are overseen quite closely by central government, who can and do step in and roll heads if there are systemic failures. That said, most of the really egregious examples of corruption in the UK tend to come from local government.

Re:Council explanation? (1)

Bill, Shooter of Bul (629286) | about 6 years ago | (#25195473)

Very interesting. On one hand that would be great if a more responsible entity could step in and crack heads for gross negligence. Chicago's Cook County government is pretty corrupt. But the state government is just as corrupt if not more. It seems like the federal government does a good job of sending our governors to prison for corruption, but the county is absolutely untouchable.

Missed opportunity (3, Funny)

Rob T Firefly (844560) | about 6 years ago | (#25194729)

Shame they didn't think to advertise the stored login on the item's eBay description. They could probably have gotten more than 99p for it.

Council of 13? (1)

Darth_brooks (180756) | about 6 years ago | (#25194771)

Was it the council of 13's confidential servers? cause I'd really like to know who off'd Jonas Venture Sr.

Re:Council of 13? (1)

aronschatz (570456) | about 6 years ago | (#25194923)

Spoiler for the third season...

It was Kano... that's why he is a mute...

Security expert my ass (2, Insightful)

Toll_Free (1295136) | about 6 years ago | (#25194889)

Anyone else wonder why the fuck a so called "security expert" plugged a device blindly into his network?

I mean, really now. I haven't done any security work in a long time now, but still... Buying something for around 2 to 3 dollars (a security device, no less) off EBay then just "plugging it in" to a production network should cost this idiot his job.

And posting it to Slashdot should cost him his professional reputation.

Stupidity at its finest.

--Toll_Free

Re:Security expert my ass (2, Insightful)

grnbrg (140964) | about 6 years ago | (#25195037)

Yeah, I agree!

I mean, at very least, he should have plugged it in to a secure network, and sniffed it a bit to see if it phoned home, or something.

Oh, wait...

Re:Security expert my ass (1)

Toll_Free (1295136) | about 6 years ago | (#25195645)

I dunno about others, but I don't plug them into ANY network.

I plug a xover cable in, telnet / ssh / whatever into the box, and see the config.

OR, better yet, FIRST just do a default, factory reset.

I mean, it's cool to see if you can get into someone else's network with their stupidity, but what happens if the reverse was true, and it dialed into a malware / etc. type server, and gave some idiots carte blanche into his network?

Yeah, real bright. Just like buying a VPN device for a couple bucks on EBay and trusting it implicitly.

--Toll_Free

I am not sure what the point of this is (1)

jfinke (68409) | about 6 years ago | (#25194915)

It was a used device that the previous owner did not clear properly. Their policies and processes for destruction and sanitization are apparently lacking. This happens at a lot of places.

It would be one thing if this was straight into the DoD, but this is some little town council from what I can tell.

Re:I am not sure what the point of this is (1)

multisync (218450) | about 6 years ago | (#25195357)

It would be one thing if this was straight into the DoD, but this is some little town council from what I can tell

I didn't bother to RTFA, but the council in question wouldn't be located in San Francisco [slashdot.org] , would they?

Re:I am not sure what the point of this is (1)

jfinke (68409) | about 6 years ago | (#25195607)

No, I think it is some little English town council. Again, there is no security flaw, etc. There are just bad policies in place, or someone wasn't doing their job.

Doesn't anybody clean anymore? (1)

bschorr (1316501) | about 6 years ago | (#25195345)

I'm not the least bit surprised; I see PCs and other equipment regularly donated or handed off without being wiped or with only a cursory wiping and plenty of potentially dangerous data still included.

One "IT expert" told me that he doesn't bother to do a forensic wipe of hard drives on machines he's donating (or that his clients are) because he doesn't want the hassle of reinstalling the OS and because he "never makes mistakes" when he selectively cleans off sensitive data. Yeah, right. That guy is going to be on the front page of the Wall Street Journal someday with a very sad look on his face.

Used devices need to be scrubbed as completely as possible if they are leaving the organization. Even if they're merely being disposed of.

The problem is with the "security expert"? (1)

root777 (1354883) | about 6 years ago | (#25195417)

Sure, the saved login credentials are a problem, but I think there is a side problem as well. A "security expert" plugged a VPN concentrator he bought off eBay into his corporate network without cleaning it up in the first place. That is a problem too.

so did anyone see the exploit? (1)

blair1q (305137) | about 6 years ago | (#25195541)

offer a VPN for sale on eBay

"accidentally" leave it configured for connection

wait for connection

pwn the connecting machine...

here's a tip: configure your network hardware before actually connecting it to a network

Form of blackmail (1)

zymano (581466) | about 6 years ago | (#25195723)

We know how to get into your bank. Payup or we will sell to the criminals.

Security guy (1)

Krneki (1192201) | about 6 years ago | (#25195799)

Dude, even if you manage to log into our network you can't steal our data. Because we have security cameras watching the building.