By Alex Scroxton, 30 September 2008
The channel has been warned to be very wary when using the
popular auction site for business purposes after it was found that a Cisco VPN
bought for 99p from eBay automatically connected to Kirklees Council in Yorkshire.
Andrew Mason, an employee of security firm Random Storm,
picked up the bargain basement hardware in August from an eBay account run by
Cheshire-based data recovery and disposal outfit, Manga-Fu, but discovered on
booting that the device connected to the council’s network, allowing intimate
access to potentially valuable data.
In this case none of Kirklees Council’s information was
compromised.
Cisco provides detailed instructions on how to erase
previous configurations and restore a VPN device’s original factory settings,
but it seems that these were not followed on this occasion.
Manga-Fu managing director Gary Cronnolley told the BBC that
he had followed Cisco’s guidelines to the letter but admitted he did not track
Cisco serial numbers and therefore had been unaware of the VPN device’s
origins.
Rod Haddrell, managing director of refurbished hardware and
Cisco specialist Tin Direct, said it was “mind-boggling” that such slip-ups kept
occurring.
“People at the end-user level must understand that they need
to be dealing with reputable companies when they sell kit on,” he said. “We’re
dealing [in many cases] with high-value items that require considerable
expertise. I don’t think eBay is the place to conduct this kind of business.”
Speaking to MicroScope sister publication ComputerWeekly,
NEC general manager for enterprise solutions, Richard Farnworth, said:
“Protecting networking equipment and network topology is just as important as
preventing data security breaches involving laptops, CDs and memory sticks.
“As so much dependence is placed upon connectivity in
the 'networked society' we belong to, it is imperative that both public sector
organisations and commercial businesses take special care when disposing of any
IT products. It will not come as a surprise that many 'black box' devices hold
configuration information within them.”