Followers

Tuesday, September 30, 2008

Alarm sounded on second-hand kit

By Jason Palmer
Technology reporter, BBC News

eBay sale page
The server allows privileged access to a network from afar

For less than a pound a security expert has got front-door access to a council's internal network.

Andrew Mason from security firm Random Storm bought some network hardware from auction site eBay for 99p.

When he switched it on and plugged it in, the device automatically connected to the internal network of Kirklees Council in West Yorkshire.

Kirklees council called the discovery "concerning" but said its data had not been compromised.

Privileged access

For 99p Mr Mason bought what is known as a virtual private network (VPN) server made by the firm Cisco Systems that automates all the steps needed to get remote access to a network.

Many staff working overseas or off-site use a VPN to connect back to corporate systems.

On powering it his new hardware Mr Mason expected that the device would need network settings to be input but, without prompting, it connected to the last place it was used.

Subsequent investigation found that the internet, or IP, address to which it connected was owned by Cap Gemini, in a range of addresses allocated to Kirklees Council.

"It is like having a long ethernet cable from the Council office to anywhere where I connected the device," said Mr Mason.

A connection such as this allows privileged access to networks. In the wrong hands, such as criminally-minded hackers, it would allow them to conduct reconnaissance and find out if the network had any vulnerabilities worth exploiting.

USB stick, SPL
High profile cases have underlined the dangers of losing data

Internal network access permitted the credit card detail theft from retailers TK Maxx last year and Cotton Traders in June.

A spokesman for consulting firm Cap Gemini said it managed Kirklees Council's network from 2000 to the end of May 2005. At that point, he said, control was handed back to the council which had decided to manage the network itself.

A Kirklees council spokesperson said: "The council is deeply concerned with this report but is confident that multiple layers of security have prevented access to systems and data.

"In the meantime the disposal process has been suspended until an investigation can be carried out and appropriate action taken."

Data danger

A spokesperson for Cisco Systems said that "we do provide clear guidelines that explain how to reset products to their factory default settings.

"If followed correctly, these processes eliminate both the configuration and backup configuration of the product preventing subsequent users from connecting with a previous user's configuration."

According to Mr Mason the last change to the connection details on the server were made in November 2006, after Cap Gemini's involvement with the council's network ended.

Mr Mason bought the bought the server in August from an eBay seller called selectronicstore which deals in second-hard hardware.

VPN screenshot
The server connected to an IP address registered to the council

The eBay selling account selectronicstore is registered to Cheshire-based Manga-Fu, a firm that specialises in the destruction of mass storage devices such as hard drives.

Manga-Fu managing director Gary Cronnolley was unable to trace the origins of the server, as the company does not track the serial numbers of low-value equipment.

However, he says that clients are told to remove data such as passwords and connection details from devices like the VPN server, which has no such mass storage.

"We've done our job 100% to what we've been requested to do, to the book," Mr Cronnolley says.

Robert Winter, chief engineer of data recovery at Kroll OnTrack, said that sensitive data that leaked out from a company could easily prove damaging in the wrong hands.

"Every company should have a proper data disposal process," he said. "I don't think there's any reason why a company would not have that in place now."

Original here

No comments: