Cisco Warns of Stolen Web Site Passwords

An anonymous reader writes "Cisco warned customers today that someone had broken in and stolen an untold number of passwords and usernames that its customers and employees use to login at Cisco.com, according stories at News.com and Washingtonpost.com. Cisco says the problem is unrelated to flaws in its hardware, but both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn, who last week revealed major flaws in Cisco routers. There is also a growing thread at Nanog where network admins are complaining of not being able to get new passwords."

Solution and comments

[daveschroeder]

From: Kim Christensen (kichrist) [mailto:kichrist@cisco.com%5D
Sent: Wednesday, August 03, 2005 11:58 AM
Subject: CISCO - CCO Passwords

Dear Cisco Partner,

I'd like to bring your attention to an issue thatmay cause minor inconvenience for customers and partners.

You may experience issues with yourlogin to www.cisco.com

You will be required to reset your password, please send an email to cco-locksmith@cisco.com from the same email address that is associated with your CCO userid. Within a few minutes you should receive a new working password back to that same email address.

Please note that when you send an email to cco-locksmith@cisco.com - the only requirement is that the email is sent from the same email address associated with your userid to receive the return email with the new password. Once this is received you should be able to reset your password to one of your own choosing.

It ispossible that you are not impacted by this issue but I wanted to ensure you are aware of this in the event you have a problem logging into CCO today.

Your Cisco Channel Team

And Mike Lynn already settled with Cisco, but I suppose it's par for the course to get in one more jab.

Also, the "major flaws" could only be referring to two things:

- flaws that have already been long fixed (six months before Black Hat), that Lynn, in his opinion, didn't believe Cisco identified as "critical enough" to its customers, but nonetheless, as I already said, are fixed; or

- general IOS flaws that will only materialize for architectural reasons in the next major iteration of Cisco's routers that Lynn felt it was important enough to have a frank discussion about, but are not yet shipping.

In other words, Cisco's technical response was such that the vulnerabilities in shipping products are already fixed, and the vulnerability Lynn claims is a real killer allegedly exists in products that aren't even shipping yet and won't be for some time; it flies in the face of logic to believe that Cisco would ignore such vulnerabilities in yet-to-ship products, once identified. Yes, Cisco didn't believe it at first, but it sent engineering staff, and were proven wrong. One can only assume the engineer Cisco sent for the very purpose of confirming this general issue in turn confirmed to Cisco that the problem was indeed real.

Furthermore, it's likely that Lynn broke no law (save possible civil violations of contract and/or trade secret provisions), so any FBI investigation, if not over already, is moot. Ironically, several members of the government, including possibly Air Force OSI and/or NSA congratulated Lynn after his talk at Black Hat, even giving him a challenge coin for his work. Don't worry: Lynn's work isn't lost on those who value security, but don't presume that there is a huge conspiracy just because someone was willing to quit his job to reveal the secrets of a sometime-competitor. A little more of the Cisco/ISS background in this issue - including what I would consider fairly questionably motivated references by ISS about this flaw being Cisco's "Witty" - is provided in the earlier Wired interview.

This? This isn't a big deal

[ReformedExCon]

These things can be fixed pretty easily. All current members with valid logins will just get new passwords assigned to them and the world will keep spinning like it always does.

But it points to a completely different, much more significant problem. That is of using the same password for every login. I admit that I do it too because it is much easier to remember one or two basic passwords than trying to remember a different password for each site that I log in to. But as this latest breach of security shows us, doing that jeopardizes all other logins on other sites.

One can only hope that they don't keep the passwords in a plaintext file and that a strong one-way encryption scheme is used to scramble the passwords in the database.

Also, I wonder who thinks it is useful to hack these sites in retaliation for some perceived wrong against a stranger? The hackers at fault here prove no point, present no agenda, and generally smear the image of computer enthusiasts in the public eye. I'd rather they find a better way to protest than to attack private property.

Re:Plain Text Passwords

[skeeball]

Cisco doesn't use plain text passwords for CCO. They use RADIUS authentication, more than likely back to their CNS product. The question is, if those passwords were stored in a database on a *nix server behind the firewall what exactly got comprimised here?

I posted this first with a little different twist

[geekp0wer]

Cisco Web Site Hacked 3:18 PM

According to an article at ZDNet, Cisco's web site has been hacked and they are advising users to change their passwords. As someone who was at Ciscogate (Michael Lynn's Blackhat presentation) I can not go without wondering if this event is related. Lynn stated in his presentation last week that the older IOS archives were removed from the download site due to his research. That begs the question, did someone hack Cisco's site in an attempt to get at those versions of IOS? BTW, if you are still looking for the orginal presentation this previous slashdot story mentions an article at Wired, which has a link to lynn-cisco.pdf