
eBayed VPN kit hands over access to council network

'It's like putting an access hub in the car park'


Updated: An item of networking kit bought from eBay for just 99p ($1.79) gave privileged access to an internal network at an English county council.

The security risks posed by unwiped computer discs - which are often offered for sale on auction sites and sometimes even obtainable from council rubbish dumps - are well documented, but the purchase of VPN 3002 remote access kit by Andrew Mason, CTO at security services firm Random Storm, shows the same sort of problems also apply to second-hand networking equipment.

Mason bought the remote access kit for his business, but was surprised when it automatically connected to the internal network of Kirklees Council in Yorkshire as soon as it was switched on and connected to the internet. He'd bought many items of networking kit before and this was the first time he'd come across the issue. Normally the kit would need to be configured before access to anything was possible.

"The issue is similar to the problem of disposing of unwiped discs but even worse in some ways, because in the case of discs you have a snapshot of data while in this case hackers are given access to a network with live data. Once inside the network miscreants would be able to raise their privileges and potentially gain access to more sensitive systems," said Mason, who has worked in penetration testing.

He noted that the TJX hackers had gained access to a database of credit card records after compromising an insecure wireless network to connect to a corporate LAN. "Once you are inside the network there is all sorts of mischief you can do."

He added that the Kirklees breach was akin to providing an access hub that gave internal network access to all and sundry in the council car park.

A spokesman for Kirklees Council described the issue as a concern, but stressed that none of its data was compromised by the breach. Mason said he didn't do anything more than obtain a screenshot, which proved that internal access had been obtained. "It's lucky for them I bought it, rather than a black-hat hacker," he said.

Networking kit no longer needed by Kirklees Council was taken away by a third-party contractor, which sold it for a pittance on eBay. Even after paying £10 postage Mason picked up kit that would normally cost £400 for just £11.

"Kirklees Council needs to have a secure disposal policy. The equipment needs to be decommissioned and user logins revoked. As it was, they hadn't even reset passwords," Mason told El Reg.

The VPN Mason bought connected to an internet address owned by consulting firm Cap Gemini and allocated to Kirklees Council. A spokesman for Cap Gemini said that the consulting firm had run the network for the five years leading up to May 2005, when the council decided to take the job of running its network back in-house, the BBC reports.

In a statement, Kirklees Council acknowledged the issue but downplayed its significance. "The council is deeply concerned with this report but is confident that multiple layers of security have prevented access to systems and data.

"In the meantime the disposal process has been suspended until an investigation can be carried out and appropriate action taken."

Cisco told the BBC that it supplied guidelines on how to reset networking equipment to restore factory default settings.

®

Update

Mason bought the VPN server in August from eBay seller selectronicstore. A BBC investigation tracked this back to Manga-Fu, a firm which specialises in the disposal of electronic equipment, and quoted Manga-Fu managing director Gary Cronnolley in its report.

After running an audit on its records, Manga-Fu is adamant that the VPN router didn't come through them. In a statement issued on 15 October, Manga-Fu said the BBC story was inaccurate and that the kit must have been bought from someone else. Mason bought many items of VPN kit, it said.

The article alleged that a third party purchased a VPN router from us which when plugged in showed data from Kirklees Council.

We have identified the sources of all VPN routers passing through Manga-Fu’s hands within the last 12 months and NONE of them have come from Kirklees Council.

Manga-Fu maintains that it follows the highest standards in the secure disposal and recycling of electronic kit.

Whenever a VPN system is re-sold, we follow Cisco's guidelines when resetting back to factory default settings. Manga-Fu operates to the highest of standards when it comes to the secure disposal of materials or products which hold or store data. Even where materials or products are sold or re-used, Manga-Fu's systems and processes ensure that there can be no compromise or disclosure of data of previous users.

To ensure the efficacy and integrity of our processes, products such as the VPN router in question are subject to three separate checks. Each check is such that it would reveal any failure to reset the product back to its factory settings and/or to leave data on the product.
