eBayed VPN kit hands over access to council network

'It's like putting an access hub in the car park'

Updated An item of networking kit bought from eBay for just 99p ($1.79) gave privileged access to an internal network at an English county council.

The security risks posed by unwiped computer discs - which are often offered for sale on auction sites and sometimes even obtainable from council rubbish dumps - are well documented, but the purchase of VPN 3002 remote access kit by Andrew Mason, CTO at security services firm Random Storm, shows the same sort of problems also apply to second-hand networking equipment.

Mason bought the remote access kit for his business, but was surprised when it automatically connected to the internal network of Kirklees Council in Yorkshire as soon as it was switched on and connected to the internet. He'd bought many items of networking kit before and this was the first time he'd come across the issue. Normally the kit would need to be configured before access to anything was possible.

"The issue is similar to the problem of disposing of unwiped discs but even worse in some ways, because in the case of discs you have a snapshot of data while in this case hackers are given access to a network with live data. Once inside the network miscreants would be able to raise their privileges and potentially gain access to more sensitive systems," said Mason, who has worked in penetration testing.

He noted that the TJX hackers had gained access to a database of credit card records after compromising an insecure wireless network to connect to a corporate LAN. "Once you are inside the network there is all sorts of mischief you can do."

He added that the Kirklees breach was akin to providing an access hub that gave internal network access to all and sundry in the council car park.

A spokesman for Kirklees Council described the issue as a concern, but stressed that none of its data was compromised by the breach. Mason said he didn't do anything more than obtain a screenshot, which proved that internal access had been obtained. "It's lucky for them I bought it, rather than a black-hat hacker," he said.

Networking kit no longer needed by Kirklees Council was taken away by a third-party contractor, which sold it for a pittance on eBay. Even after paying £10 postage Mason picked up kit that would normally cost £400 for just £11.

"Kirklees Council needs to have a secure disposal policy. The equipment needs to be decommissioned and user logins revoked. As it was, they hadn't even reset passwords," Mason told El Reg.
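The failure described above is that a retired device could still bring up a tunnel because its identity and logins were never revoked. One compensating control on the head-end side is a detection rule that cross-references every successful tunnel establishment against the asset register. The example below is added here and is not code from the article, Random Storm, Kirklees Council or Cisco; the log line format, device identifiers, addresses and the retired-asset list are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Sequence, Set

# Constructed sample of VPN head-end log lines. The line format and the device
# identifiers are invented for this example and do not reproduce any vendor's syntax.
SAMPLE_LOG = """\
2005-10-12T08:01:13Z vpn-head-01 tunnel-up peer=198.51.100.23 device=VPN3002-SN-A1B2C3 group=branch-office
2005-10-12T08:02:40Z vpn-head-01 tunnel-up peer=198.51.100.40 device=VPN3002-SN-D4E5F6 group=branch-office
2005-10-12T08:05:09Z vpn-head-01 tunnel-up peer=192.0.2.5 device=VPN3002-SN-778899 group=branch-office
2005-10-12T09:15:02Z vpn-head-01 tunnel-down peer=198.51.100.23 device=VPN3002-SN-A1B2C3
"""

# Hardware the asset register says has left the organisation (constructed entry).
RETIRED_DEVICES: Set[str] = {"VPN3002-SN-D4E5F6"}

# Address ranges the organisation's own remote sites are expected to connect from (constructed).
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/26")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<kv>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fixed fields plus its key=value attributes."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    for token in m["kv"].split():
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = value
    return event


def detect(log_text: str, retired: Set[str],
           allowed_nets: Sequence[ipaddress.IPv4Network]) -> List[Dict[str, str]]:
    """Return one alert per tunnel establishment that the asset register says should not happen."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get("event") != "tunnel-up":
            continue
        device = ev.get("device", "")
        peer = ev.get("peer", "")
        if device in retired:
            # Hardware that has left the estate is still able to authenticate: the
            # decommissioning step that should have revoked its identity was missed.
            alerts.append({"severity": "high", "reason": "retired-device-tunnel",
                           "device": device, "peer": peer, "ts": ev["ts"]})
            continue
        try:
            addr = ipaddress.ip_address(peer)
            in_allowlist = any(addr in net for net in allowed_nets)
        except ValueError:
            in_allowlist = False
        if not in_allowlist:
            # A known device connecting from somewhere the organisation does not
            # expect, for instance after the hardware has physically changed hands.
            alerts.append({"severity": "medium", "reason": "peer-outside-allowlist",
                           "device": device, "peer": peer, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, RETIRED_DEVICES, ALLOWED_NETS):
        print(alert)
```

The retired-device check fires on the device identity alone, regardless of source address, because a device sold on will typically appear from an address the head-end has never seen but may equally turn up inside an expected range; the address allowlist is the weaker, second-line signal.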

The VPN Mason bought connected to an internet address owned by consulting firm Cap Gemini and allocated to Kirklees Council. A spokesman for Cap Gemini told the BBC that the consulting firm had run the network for the five years leading up to May 2005, when the council decided to take the job of running its network back in-house.

In a statement, Kirklees Council acknowledged the issue but downplayed its significance. "The council is deeply concerned with this report but is confident that multiple layers of security have prevented access to systems and data.

"In the meantime the disposal process has been suspended until an investigation can be carried out and appropriate action taken."

Cisco told the BBC that it supplied guidelines on how to reset networking equipment to restore factory default settings.
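Both Mason's call for a secure disposal policy and Cisco's reset guidelines come down to the same gate: before a device leaves the organisation, someone has to confirm that its configuration really is back at factory defaults and carries no tunnel peers, group or user credentials, or pre-shared keys. The example below is an added illustration of such a gate and is not code from the article, Cisco or any of the firms named; the configuration syntax, the factory-default values and the sample export are all constructed for the example rather than taken from any real VPN 3002.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of a configuration export from a small VPN appliance that was
# not reset before disposal. The directive syntax is invented for this example.
SAMPLE_CONFIG = """\
hostname branch-vpn-07
vpn peer 203.0.113.10
vpn group fieldstaff password S3cretGroupKey
ipsec preshared-key 0xdeadbeefcafe
user jsmith password Winter2005!
dhcp client enable
"""

# What the same appliance is assumed to export straight from the factory (constructed).
FACTORY_DEFAULTS: Dict[str, str] = {"hostname": "vpn-default"}

# Directives whose presence means the device still knows how to reach, and log in to,
# its previous owner's network.
SENSITIVE_PATTERNS = {
    "vpn_peer": re.compile(r"^vpn peer\s+\S+", re.M),
    "group_credential": re.compile(r"^vpn group\s+\S+\s+password\s+\S+", re.M),
    "preshared_key": re.compile(r"^ipsec preshared-key\s+\S+", re.M),
    "local_user": re.compile(r"^user\s+\S+\s+password", re.M),
}

SECRET_VALUE = re.compile(r"(password|preshared-key)\s+\S+")


@dataclass
class Finding:
    kind: str
    line: str  # the offending line with any secret value redacted


def redact(line: str) -> str:
    """Keep the directive visible in reports without copying the secret into them."""
    return SECRET_VALUE.sub(r"\1 <redacted>", line)


def scan_config(config_text: str) -> List[Finding]:
    """Return every residual setting that should have been removed by a factory reset."""
    findings: List[Finding] = []
    for kind, pattern in SENSITIVE_PATTERNS.items():
        for m in pattern.finditer(config_text):
            findings.append(Finding(kind, redact(m.group(0))))
    # A non-default hostname is the cheapest sign that the configuration was never wiped.
    m = re.search(r"^hostname\s+(\S+)", config_text, re.M)
    if m and m.group(1) != FACTORY_DEFAULTS["hostname"]:
        findings.append(Finding("non_default_hostname", m.group(0)))
    return findings


def release_approved(config_text: str) -> bool:
    """True only when the export contains nothing tying the device to its former owner."""
    return not scan_config(config_text)


if __name__ == "__main__":
    for finding in scan_config(SAMPLE_CONFIG):
        print(f"{finding.kind}: {finding.line}")
    print("release approved:", release_approved(SAMPLE_CONFIG))
```

The check is deliberately positive rather than negative: a device is released only when the scan finds nothing, so an exporter that produces an empty or unreadable dump does not pass by accident, and the findings themselves carry redacted lines so the disposal record does not become a second copy of the credentials.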

®

Update

Mason bought the VPN server in August from eBay seller selectronicstore. A BBC investigation tracked this back to Manga-Fu, a firm which specialises in the disposal of electronic equipment, and quoted Manga-Fu managing director Gary Cronnolley in its report.

After running an audit on its records, Manga-Fu is adamant that the VPN router didn't come through them. In a statement issued on 15 October, Manga-Fu said the BBC story was inaccurate and that the kit must have been bought from someone else. Mason bought many items of VPN kit, it said.

The article alleged that a third party purchased a VPN router from us which when plugged in showed data from Kirklees Council.

We have identified the sources of all VPN routers passing through Manga-Fu’s hands within the last 12 months and NONE of them have come from Kirklees Council.

Manga-Fu maintains that it follows the highest standards in the secure disposal and recycling of electronic kit.

Whenever a VPN system is re-sold, we follow Cisco’s guidelines when resetting back to factory default settings. Manga-Fu operates to the highest of standards when it comes to the secure disposal of materials or products which hold or store data. Even where materials or products are sold or re-used, Manga-Fu’s systems and processes ensure that there can be no compromise or disclosure of data of previous users.

To ensure the efficacy and integrity of our processes, products such as the VPN router in question are subject to three separate checks. Each check is such that it would reveal any failure to reset the product back to its factory settings and/or to leave data on the product.
