Council sells security hole on Ebay

 

Gallery

Posted on 29 Sep 2008 at 12:21

A security expert discovered a VPN device bought on Ebay automatically connected to a local council's confidential servers.

Andrew Mason bought the Cisco VPN 3002 Concentrator - a device on which he has written a tutorial book - on Ebay for only 99 pence, with the intention of using it at work.

However, when he plugged it in it automatically connected him directly to Kirklees Council's central servers, circumventing security with the login details which had been carelessly left on the device.

"It instantly connected me, and I had full network access," explains Mason. "I understand the law extremely well and at that point disconnected," adds the intrusion-detection professional.

Despite contacting the council about the matter, no action was taken. "They ignored me at first," says Mason, before explaining that following coverage on the BBC website, access from the device has been shut off.

He admits that there could well be more devices out there, from which access is still possible, and exceedingly simple. "The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really," says Mason.

The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data."

"In the meantime the disposal process has been suspended until an investigation can be carried out and appropriate action taken," says a statement released by the council.

Top 5 stories on PC Pro

1. Government admits massive enrgy waste

2. GNU creator lashes out at web services

3. Third Phorm trial starts tomorrow

4. New web watchdog to protect children

5. Mobile phones become radiation detectors

Author: Matthew Sparkes