Tuesday, 30 September 2008

Alarm sounded on second-hand kit

Image: eBay sale page. The server allows privileged access to a network from afar.

For less than a pound, a security expert has got front-door access to a council's internal network.

Andrew Mason from security firm Random Storm bought some network hardware from auction site eBay for 99p.

When he switched it on and plugged it in, the device automatically connected to the internal network of Kirklees Council in West Yorkshire.

Kirklees Council called the discovery "concerning" but said its data had not been compromised.


Privileged access

For 99p, Mr Mason bought what is known as a virtual private network (VPN) server, made by the firm Cisco Systems, that automates all the steps needed to get remote access to a network.

Many staff working overseas or off-site use a VPN to connect back to corporate systems.

On powering up his new hardware, Mr Mason expected that the device would need network settings to be input but, without prompting, it connected to the last place it was used.

Subsequent investigation found that the internet protocol (IP) address to which it connected was owned by Cap Gemini, in a range of addresses allocated to Kirklees Council.

"It is like having a long Ethernet cable from the Council office to anywhere where I connected the device," said Mr Mason.

A connection such as this allows privileged access to a network. In the wrong hands, such as those of criminally minded hackers, it would allow reconnaissance to find out whether the network had any vulnerabilities worth exploiting.

Image: USB stick (SPL). High-profile cases have underlined the dangers of losing data.
