Slashdot Mirror


Cisco Warns of Stolen Web Site Passwords

An anonymous reader writes "Cisco warned customers today that someone had broken in and stolen an untold number of passwords and usernames that its customers and employees use to log in at Cisco.com, according to stories at News.com and Washingtonpost.com. Cisco says the problem is unrelated to flaws in its hardware, but both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn, who last week revealed major flaws in Cisco routers. There is also a growing thread at Nanog where network admins are complaining of not being able to get new passwords."

7 of 165 comments

  1. Re:This? This isn't a big deal by patio11 · · Score: 2, Interesting
    I wonder if someone could leverage a major breakin at one general or specialist Internet site with low protection due to perceived lack of value of accounts (I don't know, a large message board community or something) and then parlay that to account disclosures on a site with significant value -- say, Amazon or Paypal or somewhere you can actually monetize the data. When you're talking about sites which have some measurable percentage of the entire population of the Internet as users, it seems like you could do a non-trivial amount of damage just by trying every username/password combination you have and just skim the .5% that worked. With a botnet to do the scanning you could spread your millions of invalid logins over 50,000 IPs and a month to not look suspicious on logs, then gradually siphon from the compromised accounts and get lost in the fraudulent transactions background noise...

    Scary scenario.
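
The detection side of the scenario in the comment above, as an added example that is not part of the original thread: per-address lockouts see nothing when each source fails only once, while aggregating across sources exposes the spread-out pattern. The log lines, thresholds and function names are constructed for the illustration.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed login events, "ip user result" per line; not real Cisco.com logs.
# Ten addresses each fail once against a different username (the spread-out
# pattern from the comment); bob mistypes twice from one address, then succeeds.
SAMPLE_LOG = "\n".join(
    [f"203.0.113.{i} user{i:02d} FAIL" for i in range(1, 11)]
    + ["198.51.100.9 bob FAIL", "198.51.100.9 bob FAIL", "198.51.100.9 bob OK"]
)


def parse_events(text: str) -> List[Tuple[str, str, bool]]:
    """Split each line into (source ip, username, login succeeded)."""
    return [(ip, user, res == "OK") for ip, user, res in (l.split() for l in text.splitlines())]


def per_ip_alerts(events, max_fails: int = 5) -> List[str]:
    """Classic per-source lockout: flag an address only after many failures.
    Against one failure per address this finds nothing."""
    fails = Counter(ip for ip, _, ok in events if not ok)
    return [ip for ip, n in fails.items() if n > max_fails]


def stuffing_indicators(events, min_ips: int = 10, quiet_limit: int = 2) -> Dict[str, object]:
    """Aggregate across sources: many addresses, each failing only a few times,
    against many distinct usernames, is the low-and-slow signature."""
    fails_per_ip: Counter = Counter()
    users_per_ip = defaultdict(set)
    for ip, user, ok in events:
        if not ok:
            fails_per_ip[ip] += 1
            users_per_ip[ip].add(user)
    failing_ips = len(fails_per_ip)
    quiet = sum(1 for n in fails_per_ip.values() if n <= quiet_limit)
    quiet_share = quiet / failing_ips if failing_ips else 0.0
    distinct_users = len(set().union(*users_per_ip.values())) if users_per_ip else 0
    return {
        "failing_ips": failing_ips,
        "quiet_share": round(quiet_share, 2),
        "distinct_users": distinct_users,
        "suspicious": failing_ips >= min_ips and quiet_share >= 0.9 and distinct_users >= min_ips,
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("per-ip lockout alerts:", per_ip_alerts(evs))        # []
    print("aggregate indicators: ", stuffing_indicators(evs))  # suspicious: True
```
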

  2. Re:Thanks, Cisco.... by TommyBlack · · Score: 3, Interesting

    Well the question there is whether they keep any personally identifiable information with that registration, which can now be accessed by whoever stole the logins.

    Even for people who use the same username and password everywhere, this shouldn't be a problem since the passwords should be stored in a manner that is encrypted and can't be reverse-engineered. They wouldn't be stupid enough to store the passwords, right?

    --
    Why do my serious comments get modded "funny"?
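
What "stored in a manner that can't be reverse-engineered" looks like in practice, as an added example that is not part of the original thread and not Cisco's code: a per-user salted PBKDF2 record beside the weak bare-hash alternative, showing why the latter lets a stolen table link accounts that reuse a password. Iteration count, salt length and the record format are assumptions; the sample password is the one a later commenter admits to using.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Illustration code added for this thread, not Cisco's login system.
# Iteration count and salt length are assumed parameters.
ITERATIONS = 100_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store algorithm$iterations$salt$digest (hex) with a fresh per-user salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)

def unsalted_digest(password: str) -> str:
    """The weak alternative: one bare hash, identical for every user of that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def records_collide(records: List[str]) -> bool:
    """True if two stored records are byte-identical, so a dump alone shows
    which accounts share a password and one crack unlocks all of them."""
    return len(set(records)) < len(records)

if __name__ == "__main__":
    # Two constructed users who both chose the same weak password.
    weak = [unsalted_digest("123123"), unsalted_digest("123123")]
    strong = [hash_password("123123"), hash_password("123123")]
    print("unsalted records collide:", records_collide(weak))                 # True
    print("salted records collide:  ", records_collide(strong))               # False
    print("verify right password:   ", verify_password("123123", strong[0]))  # True
    print("verify wrong password:   ", verify_password("123124", strong[0]))  # False
```
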

  3. Raises the debate of usefulness of registering by Anonymous Coward · · Score: 2, Interesting

    I've never liked these register for access websites, they generally seem to me to be for the purpose of 1 or 2 things..

    Bragging rights (sysadmins and their userbase stats - give me a break)

    Spammation of the nation!

    Either way I treat such accounts with contempt and I generally register with the awe inspiring uncrackable password of 123123. Simply because as long as I do not divulge any "classified" information, a hacker impersonating me to download updates from a site is not really going to ruin my life.

    123123 FTW!

  4. Cisco: "Thugs". by Futurepower(R) · · Score: 2, Interesting
    From the Slashdot story: "both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn".
    I'm amazed at Cisco's lack of social sophistication. From previous dealings with Cisco, I knew they were boorish, but this is much worse than I imagined.

    I'm amazed at the sure sense some executives have for creating millions of dollars worth of bad publicity. It's as though they studied how to sink companies, and that is their most professional and creative skill.

    It's awesome. In only one afternoon of work, Cisco corporate officers arranged to have Bruce Schneier call them "thugs": "I can't imagine the discussions inside Cisco that led them to act like thugs."

    What's even more awesome is that Cisco managed to make the FBI look like it is willing to get involved in political attempts to suppress free speech, making it look like thugs, too.

    Is there some competition among executives that I didn't hear about? Are they having a contest to see who can do the most damage to their companies? Is Cisco having a competition with Adobe? Is Cisco trying to outdo the Sklyarov incident and the Killustrator incident?

    I suppose it doesn't matter to top executives. They can just take their million-dollar golden parachutes and go to another company, leaving the wreckage behind.

    I agree exactly and entirely with Mr. Schneier's assessment:

    "... this has been a public-relations disaster for Cisco. Now it doesn't matter what they say - we won't believe them. We know that the public-relations department handles their security vulnerabilities [my emphasis], and not the engineering department. We know that they think squelching information and muzzling researchers is more important than informing the public. They could have shown that they put their customers first, but instead they demonstrated that short-sighted corporate interests are more important than being a responsible corporate citizen."

    If I were on the Board of Directors, I would: 1) Fire the President and Vice-President of Cisco immediately, in a highly public way. 2) Do immediate damage control by exhibiting some sophistication about Cisco's relationships with the outside world. I'm guessing that, sadly, the Board of Directors doesn't have anyone who has the necessary social skills.

  5. Re:untold and proactive robbery by jo_ham · · Score: 2, Interesting

    The poster is referring to the adjective used: proactive.

    Cisco are reacting to events, they are not being proactive.

  6. Re:Solution and comments by Cramer · · Score: 2, Interesting

    I think the trust level you are assuming is a bit overstated. While a great many networks are dependent on Cisco technology, I know of none that "trust" Cisco to any measure. IOS is very closed source; customers have zero control over what it does. And today, they have even less control over what capabilities it has -- Cisco reduced the number of builds from several dozen to about 7 to "reduce confusion".

    (I call bullshit on this one as that alphabet-soup version string has been readily and correctly documented for a decade. I defy you to find an experienced cisco monkey that doesn't know what most of the codes mean -- or cannot find the docs with google in under 10s. Again, this is cisco being greedy... it takes time and resources to build 56 images; and it takes a great deal more resources to "QA" each of those images.)

  7. and then what? by Zen · · Score: 2, Interesting

    I'm not exactly sure why we care that our CCO account names and passwords were stolen. Does it really matter to me if someone downloads IOS while masquerading as me? Or maybe I should care if somebody opens up a TAC case as me, or submits a bug report as me? I really don't see the problem with someone else having access to my account on CCO. The only thing I use it for is to download code (we call TAC directly, or called our dedicated Advanced Services guy for everything else). I'm sure 90% of the people who have CCO accounts also use it solely for the purpose of downloading code/drivers/etc. So am I missing something that is highly private on the site?