Cisco Warns of Stolen Web Site Passwords
An anonymous reader writes "Cisco warned customers today that someone had broken in and stolen an untold number of passwords and usernames that its customers and employees use to log in at Cisco.com, according to stories at News.com and Washingtonpost.com. Cisco says the problem is unrelated to flaws in its hardware, but both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn, who last week revealed major flaws in Cisco routers. There is also a growing thread at Nanog where network admins are complaining of not being able to get new passwords."
...especially since you require everyone to register in order to get ANY info or ANY software or ANY drivers.
From: Kim Christensen (kichrist) [mailto:kichrist@cisco.com]
Sent: Wednesday, August 03, 2005 11:58 AM
Subject: CISCO - CCO Passwords
Dear Cisco Partner,
I'd like to bring your attention to an issue that may cause minor inconvenience for customers and partners.
You may experience issues with your login to www.cisco.com
You will be required to reset your password; please send an email to cco-locksmith@cisco.com from the same email address that is associated with your CCO userid. Within a few minutes you should receive a new working password back to that same email address.
Please note that when you send an email to cco-locksmith@cisco.com - the only requirement is that the email is sent from the same email address associated with your userid to receive the return email with the new password. Once this is received you should be able to reset your password to one of your own choosing.
It is possible that you are not impacted by this issue but I wanted to ensure you are aware of this in the event you have a problem logging into CCO today.
Your Cisco Channel Team
And Mike Lynn already settled with Cisco, but I suppose it's par for the course to get in one more jab.
Also, the "major flaws" could only be referring to two things:
- flaws that have already been long fixed (six months before Black Hat), that Lynn, in his opinion, didn't believe Cisco identified as "critical enough" to its customers, but nonetheless, as I already said, are fixed; or
- general IOS flaws that will only materialize for architectural reasons in the next major iteration of Cisco's routers that Lynn felt it was important enough to have a frank discussion about, but are not yet shipping.
In other words, Cisco's technical response was such that the vulnerabilities in shipping products are already fixed, and the vulnerability Lynn claims is a real killer allegedly exists in products that aren't even shipping yet and won't be for some time; it flies in the face of logic to believe that Cisco would ignore such vulnerabilities in yet-to-ship products, once identified. Yes, Cisco didn't believe it at first, but it sent engineering staff, and were proven wrong. One can only assume the engineer Cisco sent for the very purpose of confirming this general issue in turn confirmed to Cisco that the problem was indeed real.
Furthermore, it's likely that Lynn broke no law (save possible civil violations of contract and/or trade secret provisions), so any FBI investigation, if not over already, is moot. Ironically, several members of the government, including possibly Air Force OSI and/or NSA congratulated Lynn after his talk at Black Hat, even giving him a challenge coin for his work. Don't worry: Lynn's work isn't lost on those who value security, but don't presume that there is a huge conspiracy just because someone was willing to quit his job to reveal the secrets of a sometime-competitor. A little more of the Cisco/ISS background in this issue - including what I would consider fairly questionably motivated references by ISS about this flaw being Cisco's "Witty" - is provided in the earlier Wired interview.
that someone had broken in and stolen an untold number of passwords and usernames that its customers and employees use to login at Cisco.com
'Untold'? Is that the latest for 'unknown' ? Or maybe the meaning is 'all'?
As a result, to protect our registered Cisco.com users, we're taking the proactive step of resetting Cisco.com passwords
Proactive resetting? Can someone explain to me what this actually means?
This is one company that needs to invest in a SecurID system that changes the password every 30 seconds.
These things can be fixed pretty easily. All current members with valid logins will just get new passwords assigned to them and the world will keep spinning like it always does.
But it points to a completely different, much more significant problem. That is of using the same password for every login. I admit that I do it too because it is much easier to remember one or two basic passwords than trying to remember a different password for each site that I log in to. But as this latest breach of security shows us, doing that jeopardizes all other logins on other sites.
One can only hope that they don't keep the passwords in a plaintext file and that a strong one-way encryption scheme is used to scramble the passwords in the database.
Also, I wonder who thinks it is useful to hack these sites in retaliation for some perceived wrong against a stranger? The hackers at fault here prove no point, present no agenda, and generally smear the image of computer enthusiasts in the public eye. I'd rather they find a better way to protest than to attack private property.
Jesus saved me from my past. He can save you as well.
this is what Cisco says...Just because you have a huge team of programmers and such doesn't make hacking a "minor inconvenience"
Go to the w3.org and put Slashdot.org through the validator.
"but both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn, who last week revealed major flaws in Cisco routers."
Vigilantism. Humanity has come a long way from throwing sticks and stones.
--
The "are you a script" word for today is angelic
Arg. The golden days of tech optimism are over for me. There was a time when news about flawed hardware/software was rare enough to be noteworthy when it came out. Now I get too much. I guess golden boy Cisco being in the Crisco is a big deal, though, considering how fundamental routers are to the backbone of the internet. At least I can still shovel. Step on a crack, break the net's back...but fibers can still sit in their shoveled holes.
When I told cisco about clear text passwords on the website, I got an attitude of "who cares?"
Looks like they should have used self defending networks......
http://www.cisco.com/en/US/netsol/ns478/networking_solutions_white_paper0900aecd801dfec7.shtml
When will programmers learn that there is NO good reason to keep passwords in plain text? Just save a one way hash, so you can hash the password they entered and compare. You wouldn't have this problem if the plain text passwords weren't in the database in the first place.
"Men lie."
"Yeah, about sleeping with other women, but never about bioluminescent plankton."
-Dan Brown
I've never liked these register-for-access websites; they generally seem to me to be for the purpose of one of two things:
Bragging rights (sysadmins and their userbase stats - give me a break)
Spammation of the nation!
Either way I treat such accounts with contempt and I generally register with the awe inspiring uncrackable password of 123123. Simply because as long as I do not divulge any "classified" information, a hacker impersonating me to download updates from a site is not really going to ruin my life.
123123 FTW!
Gee, I wonder what they'll top this with.
OH NOES, THERE GOES THE INTERNET.
I've had nothing but CCO trouble for the past week. That combined with random problems have been frustrating. The lovely order of events:
1) A SUP (well, MSFC) dies in one of our 6000s. I try to open a TAC case.
2) I try to login to CCO. It doesn't really work. I login, but it tells me I'm not logged in. After a bunch of clicking and such, I can open a TAC case.
3) Since Cisco can't get its Smartnet act together, I need to jump through hoops to get the right contract on my account, again.
4) Finally open a case. Tech diagnoses immediately as an MSFC bug. Sends me a new SUP.
5) After a day of messing with the new SUP and wondering if I'm crazy, I decide they've sent me a DOA SUP.
6) Tech agrees, sends me a new SUP.
7) Trying to use the RMA POWR tool to print mailing labels for the pair of bad SUPs fails. The tool has been down for three days now. Completely down.
8) Try to login to CCO for something else today and run into the password problem. Combine that with their password reset tool not working and I'm *very* *very* annoyed.
*Sigh* Guess all companies have bad weeks, but this is particularly sucky for Cisco.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
>o/r 0x2142
oh. wrong password... oops...
there are two choices. make stuff easy, with very little security. or make things difficult with good security. no matter what choice a company picks, that should have no bearing on criminal prosecutions. just because site #1 is easier to break into does not mean the punishment should be less for breaking into it.
we either punish thieves, or everyone will have to start carrying around time-watch-algorithm generators for when they want to log into their accounts.
okay, i commented on the story. now here is what i really want to talk to the slashdot crowd about. check this out, i went to search for kazaa, just to see if it was still around, and i got this from google:
http://www.google.com/search?hl=en&ie=UTF-8&q=kazaa&spell=1
what makes it so interesting is the notice at the bottom of the page:
In response to a complaint we received under the Digital Millennium Copyright Act, we have removed 1 result(s) from this page. If you wish, you may read the DMCA complaint for these removed results.
is google now censoring what websites it returns in search requests? is the next great search engine going to be housed outside the USA? and where will good people get their non-copyrighted music from?? even emp3world is filled with broken links.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
Really?
Because this password is the one you use to download new versions of IOS, so if you are unlucky enough to be running an old version of IOS with IPv6 enabled (i.e. you are in the East Asia market) then you cannot get the patched version of code needed to protect yourself from the Defcon vulnerabilities.
So, who's up for an order of bumper (router) stickers? If you only have some crappy routers, you can throw a nice sticker on it that says "My other router is your CRS-1."
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
I'm glad I know what's going on now, this morning both of my passwords were killed. I tried using their method of resetting the passwords and the server threw up 30 java errors...
~S
They've got the Black Hat fiasco, this and getting caught actively helping the Chinese police and not giving a flying fuck about it. Is anyone else thinking that Cisco needs to actually do a little bit of institutional introspection and admit the obvious source of their woes: their own damn psychopathic behavior?
Click here or a puppy gets stomped!
From the Slashdot story: "both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn".
I'm amazed at Cisco's lack of social sophistication. From previous dealings with Cisco, I knew they were boorish, but this is much worse than I imagined.
I'm amazed at the sure sense some executives have for creating millions of dollars worth of bad publicity. It's as though they studied how to sink companies, and that is their most professional and creative skill.
It's awesome. In only one afternoon of work, Cisco corporate officers arranged to have Bruce Schneier call them "thugs": "I can't imagine the discussions inside Cisco that led them to act like thugs."
What's even more awesome is that Cisco managed to make the FBI look like it is willing to get involved in political attempts to suppress free speech, making it look like thugs, too.
Is there some competition among executives that I didn't hear about? Are they having a contest to see who can do the most damage to their companies? Is Cisco having a competition with Adobe? Is Cisco trying to outdo the Skylarov incident and the Killustrator incident?
I suppose it doesn't matter to top executives. They can just take their million-dollar golden parachutes and go to another company, leaving the wreckage behind.
I agree exactly and entirely with Mr. Schneier's assessment:
"... this has been a public-relations disaster for Cisco. Now it doesn't matter what they say - we won't believe them. We know that the public-relations department handles their security vulnerabilities [my emphasis], and not the engineering department. We know that they think squelching information and muzzling researchers is more important than informing the public. They could have shown that they put their customers first, but instead they demonstrated that short-sighted corporate interests are more important than being a responsible corporate citizen."
If I were on the Board of Directors, I would: 1) Fire the President and Vice-President of Cisco immediately, in a highly public way. 2) Do immediate damage control by exhibiting some sophistication about Cisco's relationships with the outside world. I'm guessing that, sadly, the Board of Directors doesn't have anyone who has the necessary social skills.
And all my support accounts would come up shutdown when I reload.
This also had nothing to do with Lynn, even though the media would like to tie them together. It was brought to Cisco's attention by a completely separate company.
Cisco Web Site Hacked 3:18 PM
According to an article at ZDNet, Cisco's web site has been hacked and they are advising users to change their passwords. As someone who was at Ciscogate (Michael Lynn's Blackhat presentation) I cannot go without wondering if this event is related. Lynn stated in his presentation last week that the older IOS archives were removed from the download site due to his research. That begs the question, did someone hack Cisco's site in an attempt to get at those versions of IOS? BTW, if you are still looking for the original presentation this previous slashdot story mentions an article at Wired, which has a link to lynn-cisco.pdf
Thong, thong thong thong.. Oh wait, wrong CISCO.
Bad timing? yes
Related? No...
If they removed the IOS images, how would having someone's login enable them to get at something that's no longer there?
Why can't we just have unix style encrypted password and verify if the entered password encrypts to the same thing?
It's appalling that a major company (a major tech company with security product offerings in this case!) website would store passwords in cleartext. Passwords (even usernames) should always be stored in strong one-way hashes like sha-1, so that even if they're stolen, they're close to useless.
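The comments above ask why the site did not keep a one-way hash and simply re-hash what the user types. This added example (not from the thread, not Cisco's code) does exactly that with a constructed two-user table; it uses salted PBKDF2-HMAC-SHA256 rather than the bare SHA-1 the comment names, because an unsalted fast hash of a leaked table can be reversed with precomputed tables.

```python
"""Added example, not from the thread: replace a plaintext user table with one
that stores only a salted, slow one-way hash per user. The user table below is
constructed; PBKDF2-HMAC-SHA256 with a per-user salt is this example's choice."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # work factor: slows guessing against a stolen table


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record to store instead of the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2_sha256", "iter": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time,
    so a timing difference does not leak how many leading bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# The scheme the thread criticises: the table *is* the credential list.
PLAINTEXT_USERS = {"alice": "Cat5-cable!", "bob": "Cat5-cable!"}  # constructed

# Hashed table for the same users. Because each salt differs, the two users'
# identical passwords do not produce the same stored value either.
HASHED_USERS = {u: make_record(p) for u, p in PLAINTEXT_USERS.items()}


def login(username: str, candidate: str) -> bool:
    """Login check against the hashed table; unknown users fail."""
    rec = HASHED_USERS.get(username)
    return rec is not None and verify(rec, candidate)


def leak_exposes_passwords(table: dict) -> bool:
    """Would dumping this table hand a thief usable passwords?
    True for the plaintext table, False for the hashed one."""
    return any(PLAINTEXT_USERS[u] in str(v) for u, v in table.items())


if __name__ == "__main__":
    print("alice logs in:", login("alice", "Cat5-cable!"))
    print("plaintext dump exposes passwords:", leak_exposes_passwords(PLAINTEXT_USERS))
    print("hashed dump exposes passwords:", leak_exposes_passwords(HASHED_USERS))
```

Only the stored records need to change; the login path keeps comparing what the user typed, just after hashing it with that user's salt.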
So, in that case, how in the hell is making reverse engineering illegal helping anyone?
Well,
What if?
All I'm saying.
Word is the thieves have just as much trouble logging in with these stolen passwords as those who originally created them, and Cisco predicts the thieves will give up on them shortly.
And honestly, even if the thieves could get access to the needed areas of Cisco's TOP SECRET website, what are the chances they could decipher the grid of which firmware goes with which device?
Last time I looked at Cisco's firmware listings (back when they had that exploit affecting all their routers), a co-worker had to pry the gun out of my hands.
What moron developed their firmware version scheme? Please kill this person immediately.
Ironically, the word ironically is often used incorrectly.
If you really want information from them why don't you be one of many to read the Lynn presentation? Here, I've even transcribed Lynn's presentation to text instead of that huge, ugly PDF. As a bonus, the assembly readings are now readable. For all I know, they consider this criminal even though I consider this not only a fair use but a public service. The bad guys already know this stuff; we need to let the legitimate security professionals in on this! Insofar as I can give permission, copy and paste this anywhere you please. It's still probably copyrighted to the ISS, though, but it's Cisco suing over it, even though anyone with a router can get those assembly listings, they're probably fair use since they're such small portions of the router software, and I have no dealings or contracts with Cisco binding me not to release such things (I don't own any Cisco gear), so if anything, only ISS should have grounds to sue me, and they don't seem to care to.
[ Page 1 - The Holy Grail ]
Cisco IOS Shellcode And Exploitation Techniques by Michael Lynn of Internet Security Systems
[ Page 2 - Another Unbreakable System ]
[Editor's note: This page shows a picture of what I presume to be the Titanic.]
[ Page 3 - Why You Should Care ]
* Wide Deployment
- Switches
- Routers
- Access Points
* Keys To The Kingdom (MITM)
- Control the network traffic
- Packet sniff in far off lands
- Modify traffic
- Break weakly authenticated encryption (passwords, etc.)
[ Page 4 - Some Review: Basic Techniques ]
* Stack Overflows
- Overwrite return address on the stack
* Heap Overflows (Pointer Exchange)
- Traditionally we use heap chunk linkage
- Any linked list will do
Typical linked list delink looks like:
foo->prev->next = foo->next; foo->next->prev = foo->prev;
[ Page 5 - Misconceptions ]
* Routers And Switches Are Just Hardware
* It Is Not Possible To Overflow Buffers On IOS
* There Is No Way To Exploit Buffer Overflows On IOS
* Every Router Is So Different That An Exploit Might Work On One Router But Never Another
[ Page 6 - Wrong! ]
* Routers And Switches Run Software On General Purpose CPUs
* Buffers Do Exist And It Is Not So Rare That They Overrun
* Exploitation Is Possible
* Exploitation Can Be Made Reliable And Cross Platform (more on this later)
[ Page 7 - IOS Basics ]
* Monolithic
- No loadable modules (yet)
- All addresses are static
- All addresses are different per build
* Real Time OS
- If you are running you own the CPU (mostly)
- We have to exit or yield properly or we will crash
- Once our code is running we have won any race
* Stability
- IOS tends to favor rebooting over correcting errors
[ Page 8 - A Word On Code Quality ]
* Much Better Than Most Platforms
- They check heap linkage
- They are very aware of integer issues
- They almost never use the stack
- They have a process to check all heaps
- Very old, very well tested code
* Bugs Exist Anyways
- Green pastures
- We can get around some checks
- We will use some of these checks against them
[ Page 9 - The Dreaded Check Heaps Process ]
* Walks All Heaps Looking For Bad Linkage
- Even if our chunk is not freed check heaps will detect bad linkage
- Is run every 30 to 60 seconds depending on load
* This Is the Main Reason Heap Overflows Can Be Hard
[ Page 10 - Rules of Engagement ]
* Stack Overflows
- Rare, but if we find one, it's fair game
* Heap Overflows
- They check next and previous pointers
- We either have to beat check heaps or not offend it
- We must either know the values for the previous pointer or we must get around this somehow
* Monolithic Architecture
- For heap overf
1) probably a bit more to the exploits out there than what is commonly known and 2) the government uses a ton of cisco routers. They probably think it's pretty fair to bend the rules a little to keep them protected because they have no choice in the matter. They aren't going to open themselves up to major haxoring just to keep "pure".
Why on earth are passwords a/ being kept in plaintext form and b/ being kept on a server that is available directly from the internet?
Totally clueless!
Cisco has supposedly been cutting a lot of their IT infrastructure maintenance over to their operations in India. Plus, in the States these days, they mostly bring in either new hires from India, or L1Bs from Wipro.
Needless to say, Cisco's apparently been having lots of problems.
From what I've heard from people on the inside, there have been a lot of boneheaded problems. The worst ones are those which ought to take 5 minutes to get solved if they were in the States; but which involve at minimum 24 hours before you get a reply.
I'm not surprised that they are having problems. From the sounds of it, I don't expect this to be the last either.
So here's my question... if this presentation provided details of how to hack cisco routers...
Other than getting cisco to fix their routers, what good could have come from it?
If I came up with a surefire method to steal the gold in Ft. Knox and decided to disclose it in a public forum. Should I expect the gov't to step in and keep me from telling the world?
Of course I would.
If Cisco told the professor, "You're full of BS, there's no way to hack a router..." Then their hubris and ignorance deserves a bit of this...
Why doesn't the government provide access to methods to create BIO,CHEM, Nuclear weapons?
I wonder if Cisco will go after Slashdot now that someone is posting a transcription of his PDF here?
A company like cisco is unable to manage something as simple as encrypting stored passwords?
http://illhostit.com/ - Webhosting
Ya know, Cisco took it up the ass in security issues the last two weeks and they are *still* trying to make this all sound like business as usual. They need to concentrate on security and a little less on capitalism.
Join the Slashcott! Feb 10 thru Feb 17!
Parent is a troll; GP is not.
/me hugs my Linksys router... "You'll keep me safe, Boo-Boo, won't you? Cisco let the bad man hurt people. You'll protect me, though. I love you Linksys Boo-Boo!" *KISSES*
I8-D
so i wonder how many people read the first 3 lines of that email and binned it because it looks like a phishing email?
"There is also a growing thread at Nanog where network admins are complaining of not being able to get new passwords."
guess what they say about doctors is also true about admins...
Actually, I bought my router (2002) before Cisco bought Linksys (2003).
I am sad to report, though, that Linksys Boo-Boo actually died early last month. I'll eventually throw away the router, but I'll keep the box if I find it again. The box probably still works as a box. The router, unfortunately, does not work as a router.
I8-D
what's with the linksys page being down as well?
www.linksys.com
This incident does not appear to be due to a weakness in Cisco products or technologies.
except the ones used for the search tool...
"We are all geniuses when we dream"
- E.M. Cioran
Please note that when you send an email to cco-locksmith@cisco.com - the only requirement is that the email is sent from the same email address associated with your userid to receive the return email with the new password. Once this is received you should be able to reset your password to one of your own choosing.
I'm assuming that once someone does this, the ability to reset your password this way is then removed?
Otherwise if you send a mail and make it look like it comes from an email address you know was used to register the account, even if the return-to mail address doesn't exist, you can have plenty of fun periodically resetting people's passwords.
Or, even if they do remove the ability once it's used, there is then the opportunity to reset all the passwords that haven't been done yet.
And somewhere, there's a list of all these users....
Darwin Hawking Blackmore
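The worry in the comment above is that a reset keyed on the claimed sender address can be triggered by anyone. This added example (not from the thread, not Cisco's locksmith) shows the usual mitigation: an inbound request changes nothing by itself; the service mails a random single-use token to the address on file, and only presenting that token within its lifetime replaces the password. The account store, the mail hook and the clock are assumptions so the flow runs offline.

```python
"""Added example, not from the thread: a password-reset flow that ignores who
a request claims to come from. A random token is stored only as a hash with an
expiry and mailed to the address already on file; the old password stays valid
until that token is presented, so a forged request cannot lock anyone out.
The accounts dict, send_mail callable and now() clock are stand-ins."""
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid


def _h(s: str) -> str:
    """Hash a secret so the store never holds the usable value itself."""
    return hashlib.sha256(s.encode()).hexdigest()


class ResetService:
    def __init__(self, accounts, send_mail, now=time.time):
        self.accounts = accounts    # userid -> {"email": ..., "pw_hash": ...}
        self.send_mail = send_mail  # callable(email, token); stands in for SMTP
        self.now = now              # injectable clock for testing expiry
        self.pending = {}           # token hash -> (userid, expiry time)

    def request_reset(self, userid: str) -> None:
        """Accept a reset request. Nothing the requester supplies is trusted:
        the token goes only to the address on file, and the current password
        keeps working, so repeated requests are a nuisance, not a lockout."""
        acct = self.accounts.get(userid)
        if acct is None:
            return  # behave the same for unknown IDs; do not confirm they exist
        token = secrets.token_urlsafe(32)
        self.pending[_h(token)] = (userid, self.now() + TOKEN_TTL)
        self.send_mail(acct["email"], token)

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token; only its holder (the mailbox owner) can succeed."""
        entry = self.pending.pop(_h(token), None)  # pop: single use
        if entry is None:
            return False
        userid, expires = entry
        if self.now() > expires:
            return False
        # A real system would store a salted, slow hash here; _h is a stand-in.
        self.accounts[userid]["pw_hash"] = _h(new_password)
        # Any other outstanding tokens for this user are now worthless too.
        self.pending = {k: v for k, v in self.pending.items() if v[0] != userid}
        return True


def demo() -> bool:
    """Constructed walk-through: forged request, then a real token used once."""
    outbox = []
    svc = ResetService({"alice": {"email": "alice@example.com", "pw_hash": _h("old")}},
                       lambda email, tok: outbox.append((email, tok)))
    svc.request_reset("alice")          # the From: of the request never mattered
    untouched = svc.accounts["alice"]["pw_hash"] == _h("old")
    ok = svc.complete_reset(outbox[0][1], "new")
    replay = svc.complete_reset(outbox[0][1], "again")
    return untouched and ok and not replay


if __name__ == "__main__":
    print("reset flow behaves as expected:", demo())
```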
Oh could I get one of the passwords I need to upgrade one of my switches?
I think many people are overlooking the issue. Cisco has their thumbs up their ***. If they don't know how the password got compromised in the first place, how do they expect to prevent it from reoccurring? So everyone changes their passwords, the same exploit or hack is utilized again, and we are back to where we started... This just goes to show that even the security provider isn't secure, no one is safe, nothing is secure and it's time to take security seriously.
Find the root of the problem... and cut it off at its knees...
Mine changes every 60 seconds. Maybe I need to upgrade to the more secure version :)
SearchIRC - Now with live chat directory!
This happened Tuesday afternoon. I had opened a TAC case online just after 1:30PM and by 4PM I no longer had access to my account. My first try to get my password reset got a response from the locksmith saying that my account was not active. My second try yesterday morning said my account did not exist. My third try, directly to the CCO Team instead of the locksmith, immediately after that response has not been answered. Sounds like some serious problems.
Cisco has determined that Cisco.com password protection has been compromised.
As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to cco-locksmith@cisco.com. Account details with a new random password will be e-mailed to you.
Because of a large number of requests, registered Cisco.com users may experience delays in receiving the new passwords.
This incident does not appear to be due to a weakness in Cisco products or technologies.
If you receive a request for additional information it is because there are more than one User ID in the Cisco.com database associated with your email address. Please follow the instructions provided.
I'm not exactly sure why we care that our CCO account names and passwords were stolen. Does it really matter to me if someone downloads IOS while masquerading as me? Or maybe I should care if somebody opens up a TAC case as me, or submits a bug report as me? I really don't see the problem with someone else having access to my account on CCO. The only thing I use it for is to download code (we call TAC directly, or called our dedicated Advanced Services guy for everything else). I'm sure 90% of the people who have CCO accounts also use it solely for the purpose of downloading code/drivers/etc. So am I missing something that is highly private on the site?
You too can have this level of service for the low low price of several hundred dollars per device per year.
Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
Sig changed for readability by G.W.
Cisco says the problem is unrelated to flaws in its hardware
I thought the issue of the week was a flaw in their software...
and actually on the presales team, the US ones are getting bigger, however, they are hiring mostly idiots, even more idiots if you know Spanish.
I had to explain how DNS works to my tech lead and goto, and in fact most of the people don't know how DNS works. (let alone something moderately complex)
But of course when they pay you minimum wage (10/hr) what do you expect; you can hold signs at construction sites for better pay and benefits.
I'm no idiot; I have been a sysadmin, but I didn't have any cisco knowledge before. So I just figured it was training for a couple of months so I can get a real job.
But Utah is a sucky place to look for any job, let alone a technical one.
Cisco should be stamped by the government for the following reason (And Juniper).
I am tired, tired, tired of getting IOS from friends to fix security. I understand CCO/SmartNet/TAC support should cost money to protect the hardware, but when your software is deployed as much as IOS, JUNOS and Extreme and Foundry's OS, they should be FORCED to publicly provide free updates. Even MSFT provides free updates for Windows.
These networking companies are basically holding the entire free world's security hostage by demanding a tithe to fix BROKEN CODE in their IOS.
What if you bought the router new and had SmartNet a few years back? CISCO actually says with its policy, it's OK for evil ones to use our equipment and software to destroy your network and others collaterally because you refused to pay our mafia protection fee.
TAC is becoming horrible. Fresh out of school know nothings at this point.
Incidentally, I once begged Juniper to give me an update to JUNOS - and they did. They seem far more interested in making network guys happier rather than their corporate bean counters.
Legalize the constitution. Think for yourself question authority.