Council sells security hole on eBay
By Matthew Sparkes
Posted on 29 Sep 2008 at 12:21
A security expert discovered that a VPN device bought on eBay automatically connected to a local council's confidential servers.
Andrew Mason bought the Cisco VPN 3002 Concentrator, a device on which he has written a tutorial book, on eBay for only 99 pence, with the intention of using it at work.
However, when he plugged it in, it automatically connected him directly to Kirklees Council's central servers, circumventing security with the login details which had been carelessly left on the device.
"It instantly connected me, and I had full network access," explains Mason. "I understand the law extremely well and at that point disconnected," adds the intrusion-detection professional.
Although he contacted the council about the matter, no action was taken. "They ignored me at first," says Mason, before explaining that following coverage on the BBC website, access from the device has been shut off.
He admits that there could well be more devices out there from which access is still possible and exceedingly simple. "The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really," says Mason.
The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data."
"In the meantime the disposal process has been suspended until an investigation can be carried out and appropriate action taken," says a statement released by the council.
