Slashdot Mirror
Cisco Warns of Stolen Web Site Passwords
An anonymous reader writes "Cisco warned customers today that someone had broken in and stolen an untold number of passwords and usernames that its customers and employees use to login at Cisco.com, according stories at News.com and Washingtonpost.com. Cisco says the problem is unrelated to flaws in its hardware, but both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn, who last week revealed major flaws in Cisco routers. There is also a growing thread at Nanog where network admins are complaining of not being able to get new passwords."
From: Kim Christensen (kichrist) [mailto:kichrist@cisco.com%5D
Sent: Wednesday, August 03, 2005 11:58 AM
Subject: CISCO - CCO Passwords
Dear Cisco Partner,
I'd like to bring your attention to an issue thatmay cause minor inconvenience for customers and partners.
You may experience issues with yourlogin to www.cisco.com
You will be required to reset your password, please send an email to cco-locksmith@cisco.com from the same email address that is associated with your CCO userid. Within a few minutes you should receive a new working password back to that same email address.
Please note that when you send an email to cco-locksmith@cisco.com - the only requirement is that the email is sent from the same email address associated with your userid to receive the return email with the new password. Once this is received you should be able to reset your password to one of your own choosing.
It ispossible that you are not impacted by this issue but I wanted to ensure you are aware of this in the event you have a problem logging into CCO today.
Your Cisco Channel Team
And Mike Lynn already settled with Cisco, but I suppose it's par for the course to get in one more jab.
Also, the "major flaws" could only be referring to two things:
- flaws that have already been long fixed (six months before Black Hat), that Lynn, in his opinion, didn't believe Cisco identified as "critical enough" to its customers, but nonetheless, as I already said, are fixed; or
- general IOS flaws that will only materialize for architectural reasons in the next major iteration of Cisco's routers that Lynn felt it was important enough to have a frank discussion about, but are not yet shipping.
In other words, Cisco's technical response was such that the vulnerabilities in shipping products are already fixed, and the vulnerability Lynn claims is a real killer allegedly exists in products that aren't even shipping yet and won't be for some time; it flies in the face of logic to believe that Cisco would ignore such vulnerabilities in yet-to-ship products, once identified. Yes, Cisco didn't believe it at first, but it sent engineering staff, and were proven wrong. One can only assume the engineer Cisco sent for the very purpose of confirming this general issue in turn confirmed to Cisco that the problem was indeed real.
Furthermore, it's likely that Lynn broke no law (save possible civil violations of contract and/or trade secret provisions), so any FBI investigation, if not over already, is moot. Ironically, several members of the government, including possibly Air Force OSI and/or NSA congratulated Lynn after his talk at Black Hat, even giving him a challenge coin for his work. Don't worry: Lynn's work isn't lost on those who value security, but don't presume that there is a huge conspiracy just because someone was willing to quit his job to reveal the secrets of a sometime-competitor. A little more of the Cisco/ISS background in this issue - including what I would consider fairly questionably motivated references by ISS about this flaw being Cisco's "Witty" - is provided in the earlier Wired interview.
These things can be fixed pretty easily. All current members with valid logins will just get new passwords assigned to them and the world will keep spinning like it always does.
But it points to a completely different, much more significant problem. That is of using the same password for every login. I admit that I do it too because it is much easier to remember one or two basic passwords than trying to remember a different password for each site that I log in to. But as this latest breach of security shows us, doing that jeopardizes all other logins on other sites.
One can only hope that they don't keep the passwords in a plaintext file and that a strong one-way encryption scheme is used to scramble the passwords in the database.
Also, I wonder who thinks it is useful to hack these sites in retaliation for some perceived wrong against a stranger? The hackers at fault here prove no point, present no agenda, and generally smear the image of computer enthusiasts in the public eye. I'd rather they find a better way to protest than to attack private property.
Jesus saved me from my past. He can save you as well.
Cisco doesn't use plain text passwords for CCO. They use RADIUS authentication, more than likely back to their CNS product. The question is, if those passwords were stored in a database on a *nix server behind the firewall what exactly got comprimised here?
www.bugmenot.com grab the firefox extension, too.
I wouldn't be shocked if they stored the passwords.
This CCO login is a REALLY old system. It was the first html based login I ever used, and I havent changed my password since 1994, becaue I let all my co-workers use it to download IOS for patches, read bug reports, etc.
It didn't use to matter as it used to only be cisco's weak attempt to lock down new versions of IOS to customers with a service contract. To thier credit, Cisco never went nuts trying to shut out users who didn't change them.
So you don't store the md5 of the password but an md5 of a a salt, an extra key and your password...
So you md5("$password") but more of md5("ciscoCCO$UID$password")
To make it even more fun, drop the last 4 or 8 bytes off the md5 since your hash should never have more bits than your unique secret data
Cisco Web Site Hacked 3:18 PM
According to an article at ZDNet, Cisco's web site has been hacked and they are advising users to change their passwords. As someone who was at Ciscogate (Michael Lynn's Blackhat presentation) I can not go without wondering if this event is related. Lynn stated in his presentation last week that the older IOS archives were removed from the download site due to his research. That begs the question, did someone hack Cisco's site in an attempt to get at those versions of IOS? BTW, if you are still looking for the orginal presentation this previous slashdot story mentions an article at Wired, which has a link to lynn-cisco.pdf
Actually, when they find major bugs (usually security related) they give away fixed versions of IOS for free (Without registering.)
If you really want information from them why don't you be one of many to read the Lynn presentation? Here, I've even transcribed Lynn's presentation to text instead of that huge, ugly PDF. As a bonus, the assembly readings are now readable. For all I know, they consider this criminal even though I consider this not only a fair use but a public service. The bad guys already know this stuff; we need to let the legitimate security professionals in on this! Insofar as I can give permission, copy and paste this anywhere you please. It's still probably copyrighted to the ISS, though, but it's Cisco suing over it, even though anyone with a router can get those assembly listings, they're probably fair use since they're such small portions of the router software, and I have no dealings or contracts with Cisco binding me not to release such things (I don't own any Cisco gear), so if anything, only ISS should have grounds to sue me, and they don't seem to care to.
[ Page 1 - The Holy Grail ]
Cisco IOS Shellcode And Exploitation Techniques by Michael Lynn of Internet Security Systems
[ Page 2 - Another Unbreakable System ]
[Editor's note: This page shows a picture of what I presume to be the Titanic.]
[ Page 3 - Why You Should Care ]
* Wide Deployment
- Switches
- Routers
- Access Points
* Keys To The Kingdom (MITM)
- Control the network traffic
- Packet sniff in far off lands
- Modify traffic
- Break weakly authenticated encryption (passwords, etc.)
[ Page 4 - Some Review: Basic Techniques ]
* Stack Overflows
- Overwrite return address on the stack
* Heap Overflows (Pointer Exchange)
- Tranditionally we use heap chunk linkage
- Any linked list will do
Typical linked list delink looks like:
foo->prev->next = foo->next; foo->next->prev = foo->prev;
[ Page 5 - Misconceptions ]
* Routers And Switches Are Just Hardware
* It Is Not Possible To Overthrow Buffers On IOS
* There Is Now Way To Exploit Buffer Overflows On IOS
* Every Router Is So Different That An Exploit Might Work On One Router But Never Another
[ Page 6 - Wrong! ]
* Routers And Switches Run Software On General Purpose CPUs
* Buffers Do Exist And It Is Not So Rare That They Overrun
* Exploitation Is Possible
* Exploitation Can Be Made Reliable And Cross Platform (more on this later)
[ Page 7 - IOS Basics ]
* Monolithic
- No loadable modules (yet)
- All addresses are static
- All addresses are different per build
* Real Time OS
- If you are running you own the CPU (mostly)
- We have to exit or yeild properly or we will crash
- Once our code is running we have won any race
* Stability
- IOS tends to favor rebooting over correcting errors
[ Page 8 - A Word On Code Quality ]
* Much Better Than Most Platforms
- They check heap linkage
- They are very aware of integer issues
- They almost never use the stack
- They have a process to check all heaps
- Very old, very well tested code
* Bugs Exist Anyways
- Green pastures
- We can get around some checks
- Will will use some of these checks against them
[ Page 9 - The Dreaded Check Heaps Process ]
* Walks All Heaps Looking For Bad Linkage
- Even if our chunk is not freed check heaps will detect bad linkage
- Is run every 30 to 60 seconds depending on load
* This Is the Main Reason Heap Overflows Can Be Hard
[ Page 10 - Rules of Engagement ]
* Stack Overflows
- Rare, but if we find one, its fair game
* Heap Overflows
- They check next and previous pointers
- We either have to beat check heaps or not offend it
- We must either know the values for the previous pointer or we must get around this somehow
* Monolithic Architecture
- For heap overf
$50? It's more like $100 a head to use SecurID (not counting server hardware) becuase each $60 token also needs a corresponding $40 license on the ACE/Server.
Every remote user who gets an RSA hardware (or software) token at the company I work for costs the company $100. This doesn't count the cost of administering the remote access accounts. We like to keep this figure handy for managers who request an RSA token (hard or soft) for everyone in their entire department. After they hear the cost, the number of people who really need the tokens often goes down substantially.
Actually, for the record, that's an adjustable value when the token is created. Just tell your salesperson the value you want it to be. You can also request them with more than 6 digits.