As reported on the Register at the end of September, a switch formerly used by the UK's air-traffic service that still held networking configurations and passwords has been sold on eBay, raising a number of security concerns.
The £20.00 Cisco Catalyst switch, says John Leyden of the newswire, was bought by security consultant Michael Kemp, co-founder at Xiphos Research Labs, who quickly discovered that it has been used at the National Air Traffic Services (NATS) centre in Prestwick.
“Data on the switch included supervisor credentials, internal VLAN and other networking configurations and upstream switch addresses as well as domains, gateways and syslogs”, noted the newswire.
In fact, says Lieberman, the newswires have been peppered with reports of kits containing high-value data being sold on eBay for several years. And, he says, that hardware can contain highly sensitive details about the former owner's infrastructure thrown in for good measure. Whether it’s a hard drive configured with cloned passwords or an enterprise network device with its default login still in place, they could all spell potential disaster for the incautious.
BT, he said, discovered an Aladdin’s cave of valuable data gleaned from over 300 pieces of hardware bought at computer auctions, computer fairs and via eBay, with researchers at the telecoms giant recovering a variety of sensitive information, including bank account details, medical records, confidential business plans, financial company data, personal ID numbers, and job descriptions.
This problem is not just confined to the UK he asserts, as according to the 2009 research carried out by BT of computer equipment sourced globally – from the UK, US, Australia, France and Germany – 34% f the hardware examined contained "information of either personal data that could be identified to an individual or commercial data identifying a company or organisation".
Researchers also found that a "surprisingly large range and quantity of information that could have a potentially commercially damaging impact or pose a threat to the identity and privacy of the individuals involved was recovered as a result of the survey".
Lieberman said these incidents prove that – regardless of the security policies in place – the urge to recycle and the current thrifty economy means that a lot of computer hardware will be sold near the end of its economic lifetime for a few pounds.
And, he explained, anyone armed with suitable data analysis software – or even the lists of default logins easily obtained from the internet – can extract sensitive information and potentially turn it to their advantage.
It is, said Lieberman, perhaps fortunate for UK national security that the £20 Cisco Catalyst switch was bought by security consultant Michael Kemp – the co-founder at Xiphos Research Labs – who discovered that it had been used at the National Air Traffic Services (NATS) centre in Prestwick.
“Had it been bought by anyone with allegiances to a criminal or terrorist group, the security of the NATS operation centre in Prestwick could have been compromised,” he said.
“It's very easy to be over-dramatic about these types of situations, but the brutal reality is that elementary data security mistakes can hand critical infrastructure data over to dangerous individuals. Nearly all data has a value to someone, so there is a clear risk that embedded credentials stored on discarded hardware – which can be used to attack the former owner – can cause real problems,” he said.