Slashdot Mirror
Cisco Warns of Stolen Web Site Passwords
An anonymous reader writes "Cisco warned customers today that someone had broken in and stolen an untold number of passwords and usernames that its customers and employees use to login at Cisco.com, according stories at News.com and Washingtonpost.com. Cisco says the problem is unrelated to flaws in its hardware, but both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn, who last week revealed major flaws in Cisco routers. There is also a growing thread at Nanog where network admins are complaining of not being able to get new passwords."
...especially since you require everyone to register in order to get ANY info or ANY software or ANY drivers.
From: Kim Christensen (kichrist) [mailto:kichrist@cisco.com%5D
Sent: Wednesday, August 03, 2005 11:58 AM
Subject: CISCO - CCO Passwords
Dear Cisco Partner,
I'd like to bring your attention to an issue thatmay cause minor inconvenience for customers and partners.
You may experience issues with yourlogin to www.cisco.com
You will be required to reset your password, please send an email to cco-locksmith@cisco.com from the same email address that is associated with your CCO userid. Within a few minutes you should receive a new working password back to that same email address.
Please note that when you send an email to cco-locksmith@cisco.com - the only requirement is that the email is sent from the same email address associated with your userid to receive the return email with the new password. Once this is received you should be able to reset your password to one of your own choosing.
It ispossible that you are not impacted by this issue but I wanted to ensure you are aware of this in the event you have a problem logging into CCO today.
Your Cisco Channel Team
And Mike Lynn already settled with Cisco, but I suppose it's par for the course to get in one more jab.
Also, the "major flaws" could only be referring to two things:
- flaws that have already been long fixed (six months before Black Hat), that Lynn, in his opinion, didn't believe Cisco identified as "critical enough" to its customers, but nonetheless, as I already said, are fixed; or
- general IOS flaws that will only materialize for architectural reasons in the next major iteration of Cisco's routers that Lynn felt it was important enough to have a frank discussion about, but are not yet shipping.
In other words, Cisco's technical response was such that the vulnerabilities in shipping products are already fixed, and the vulnerability Lynn claims is a real killer allegedly exists in products that aren't even shipping yet and won't be for some time; it flies in the face of logic to believe that Cisco would ignore such vulnerabilities in yet-to-ship products, once identified. Yes, Cisco didn't believe it at first, but it sent engineering staff, and were proven wrong. One can only assume the engineer Cisco sent for the very purpose of confirming this general issue in turn confirmed to Cisco that the problem was indeed real.
Furthermore, it's likely that Lynn broke no law (save possible civil violations of contract and/or trade secret provisions), so any FBI investigation, if not over already, is moot. Ironically, several members of the government, including possibly Air Force OSI and/or NSA congratulated Lynn after his talk at Black Hat, even giving him a challenge coin for his work. Don't worry: Lynn's work isn't lost on those who value security, but don't presume that there is a huge conspiracy just because someone was willing to quit his job to reveal the secrets of a sometime-competitor. A little more of the Cisco/ISS background in this issue - including what I would consider fairly questionably motivated references by ISS about this flaw being Cisco's "Witty" - is provided in the earlier Wired interview.
These things can be fixed pretty easily. All current members with valid logins will just get new passwords assigned to them and the world will keep spinning like it always does.
But it points to a completely different, much more significant problem. That is of using the same password for every login. I admit that I do it too because it is much easier to remember one or two basic passwords than trying to remember a different password for each site that I log in to. But as this latest breach of security shows us, doing that jeopardizes all other logins on other sites.
One can only hope that they don't keep the passwords in a plaintext file and that a strong one-way encryption scheme is used to scramble the passwords in the database.
Also, I wonder who thinks it is useful to hack these sites in retaliation for some perceived wrong against a stranger? The hackers at fault here prove no point, present no agenda, and generally smear the image of computer enthusiasts in the public eye. I'd rather they find a better way to protest than to attack private property.
Jesus saved me from my past. He can save you as well.
Looks like they should have used self defending networks......
g _solutions_white_paper0900aecd801dfec7.shtml
http://www.cisco.com/en/US/netsol/ns478/networkin
I've never liked these register for access websites, they generally seem to me to be for the purpose of 1 or 2 things..
Bragging rights (sysadmins and their userbase stats - give me a break)
Spammation of the nation!
Either way I treat such accounts with contempt and I generally register with the awe inspiring uncrackable password of 123123. Simply because as long as I do not divulge any "classified" information, a hacker impersonating me to download updates from a site is not really going to ruin my life.
123123 FTW!
Cisco doesn't use plain text passwords for CCO. They use RADIUS authentication, more than likely back to their CNS product. The question is, if those passwords were stored in a database on a *nix server behind the firewall what exactly got comprimised here?
I've had nothing but CCO trouble for the past week. That combined with random problems have been frustrating. The lovely order of events:
1) A SUP (well, MSFC) dies in one of our 6000s. I try to open a TAC case.
2) I try to login to CCO. It doesn't really work. I login, but it tells me I'm not logged in. After a bunch of clicking and such, I can open a TAC case.
3) Since Cisco can't get its Smartnet act together, I need to jump through hoops to get the right contract on my account, again.
4) Finally open a case. Tech diagnoses immediately as an MSFC bug. Sends me a new SUP.
5) After a day of messing with the new SUP and wondering if I'm crazy, I decide they've sent me a DOA SUP.
6) Tech agrees, sends me a new SUP.
7) Try to use the RMA POWR tool to print mailing labels for the pair of bad SUPs fails. The tool has been down for three days now. Completely down.
8) Try to login to CCO for something else today and run into the password problem. Combine that with their password reset tool not working and I'm *very* *very* annoyed.
*Sigh* Guess all companies have bad weeks, but this is particularly sucky for Cisco.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
>o/r 0x2142
oh. wrong password... oops...
So, who's up for an order of bumper (router) stickers? If you only have some crappy routers, you can throw a nice sticker on it that says "My other router is your CRS-1."
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
From the Slashdot story: "both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn".
I'm amazed at Cisco's lack of social sophistication. From previous dealings with Cisco, I knew they were boorish, but this is much worse than I imagined.
I'm amazed at the sure sense some executives have for creating millions of dollars worth of bad publicity. It's as though they studied how to sink companies, and that is their most professional and creative skill.
It's awesome. In only one afternoon of work, Cisco corporate officers arranged to have Bruce Schneier call them "thugs": "I can't imagine the discussions inside Cisco that led them to act like thugs."
What's even more awesome is that Cisco managed to make the FBI look like it is willing to get involved in political attempts to suppress free speech, making it look like thugs, too.
Is there some competition among executives that I didn't hear about? Are they having a contest to see who can do the most damage to their companies? Is Cisco having a competition with Adobe? Is Cisco trying to outdo the Skylarov incident and the Killustrator incident?
I suppose it doesn't matter to top executives. They can just take their million-dollar golden parachutes and go to another company, leaving the wreckage behind.
I agree exactly and entirely with Mr. Schneier's assessment:
"... this has been a public-relations disaster for Cisco. Now it doesn't matter what they say - we won't believe them. We know that the public-relations department handles their security vulnerabilities [my emphasis], and not the engineering department. We know that they think squelching information and muzzling researchers is more important than informing the public. They could have shown that they put their customers first, but instead they demonstrated that short-sighted corporate interests are more important than being a responsible corporate citizen."
If I were on the Board of Directors, I would: 1) Fire the President and Vice-President of Cisco immediately, in a highly public way. 2) Do immediate damage control by exhibiting some sophistication about Cisco's relationships with the outside world. I'm guessing that, sadly, the Board of Directors doesn't have anyone who has the necessary social skills.
The poster is referring to the adjective used: proactive.
Cisco are reacting to events, they are not being proactive.
This also had nothing to do with Lynn, even though the media would like to tie them together. It was brought to Cisco's attention by a completely separate company.
Cisco Web Site Hacked 3:18 PM
According to an article at ZDNet, Cisco's web site has been hacked and they are advising users to change their passwords. As someone who was at Ciscogate (Michael Lynn's Blackhat presentation) I can not go without wondering if this event is related. Lynn stated in his presentation last week that the older IOS archives were removed from the download site due to his research. That begs the question, did someone hack Cisco's site in an attempt to get at those versions of IOS? BTW, if you are still looking for the orginal presentation this previous slashdot story mentions an article at Wired, which has a link to lynn-cisco.pdf
It's appalling that a major company (a major tech company with security product offerings in this case!) website would store passwords in cleartext. Passwords (even usernames) should always be stored in strong one-way hashes like sha-1, so that even if they're stolen, they're close to useless.
So, in that case, how in the hell is making reverse engineering illegal helping anyone?
Word is the thieves have just as much trouble logging in with these stolen passwords as those who originally created them, and Cisco predicts the thieves will give up on them shortly.
And honestly, even if the thieves could get access to the needed areas of Cisco's TOP SECRET website, what are the chances they could decipher the grid of which firmware goes with which device?
Last time I looked at Cisco's firmware listings (back when they had that exploit affecting all their routers), a co-worker had to pry the gun out of my hands.
What moron developed their firmware version scheme? Please kill this person immediately.
Ironically, the word ironically is often used incorrectly.
If you really want information from them why don't you be one of many to read the Lynn presentation? Here, I've even transcribed Lynn's presentation to text instead of that huge, ugly PDF. As a bonus, the assembly readings are now readable. For all I know, they consider this criminal even though I consider this not only a fair use but a public service. The bad guys already know this stuff; we need to let the legitimate security professionals in on this! Insofar as I can give permission, copy and paste this anywhere you please. It's still probably copyrighted to the ISS, though, but it's Cisco suing over it, even though anyone with a router can get those assembly listings, they're probably fair use since they're such small portions of the router software, and I have no dealings or contracts with Cisco binding me not to release such things (I don't own any Cisco gear), so if anything, only ISS should have grounds to sue me, and they don't seem to care to.
[ Page 1 - The Holy Grail ]
Cisco IOS Shellcode And Exploitation Techniques by Michael Lynn of Internet Security Systems
[ Page 2 - Another Unbreakable System ]
[Editor's note: This page shows a picture of what I presume to be the Titanic.]
[ Page 3 - Why You Should Care ]
* Wide Deployment
- Switches
- Routers
- Access Points
* Keys To The Kingdom (MITM)
- Control the network traffic
- Packet sniff in far off lands
- Modify traffic
- Break weakly authenticated encryption (passwords, etc.)
[ Page 4 - Some Review: Basic Techniques ]
* Stack Overflows
- Overwrite return address on the stack
* Heap Overflows (Pointer Exchange)
- Tranditionally we use heap chunk linkage
- Any linked list will do
Typical linked list delink looks like:
foo->prev->next = foo->next; foo->next->prev = foo->prev;
[ Page 5 - Misconceptions ]
* Routers And Switches Are Just Hardware
* It Is Not Possible To Overthrow Buffers On IOS
* There Is Now Way To Exploit Buffer Overflows On IOS
* Every Router Is So Different That An Exploit Might Work On One Router But Never Another
[ Page 6 - Wrong! ]
* Routers And Switches Run Software On General Purpose CPUs
* Buffers Do Exist And It Is Not So Rare That They Overrun
* Exploitation Is Possible
* Exploitation Can Be Made Reliable And Cross Platform (more on this later)
[ Page 7 - IOS Basics ]
* Monolithic
- No loadable modules (yet)
- All addresses are static
- All addresses are different per build
* Real Time OS
- If you are running you own the CPU (mostly)
- We have to exit or yeild properly or we will crash
- Once our code is running we have won any race
* Stability
- IOS tends to favor rebooting over correcting errors
[ Page 8 - A Word On Code Quality ]
* Much Better Than Most Platforms
- They check heap linkage
- They are very aware of integer issues
- They almost never use the stack
- They have a process to check all heaps
- Very old, very well tested code
* Bugs Exist Anyways
- Green pastures
- We can get around some checks
- Will will use some of these checks against them
[ Page 9 - The Dreaded Check Heaps Process ]
* Walks All Heaps Looking For Bad Linkage
- Even if our chunk is not freed check heaps will detect bad linkage
- Is run every 30 to 60 seconds depending on load
* This Is the Main Reason Heap Overflows Can Be Hard
[ Page 10 - Rules of Engagement ]
* Stack Overflows
- Rare, but if we find one, its fair game
* Heap Overflows
- They check next and previous pointers
- We either have to beat check heaps or not offend it
- We must either know the values for the previous pointer or we must get around this somehow
* Monolithic Architecture
- For heap overf
When will programmers learn that there is NO good reason to keep passwords in plain text?
In my 20+ years programming experience, I've never seen a programmer that wanted to store a plain-text password. Rather, each time I've seen it done, it was a business-type making it a requirement.
$50? It's more like $100 a head to use SecurID (not counting server hardware) becuase each $60 token also needs a corresponding $40 license on the ACE/Server.
Every remote user who gets an RSA hardware (or software) token at the company I work for costs the company $100. This doesn't count the cost of administering the remote access accounts. We like to keep this figure handy for managers who request an RSA token (hard or soft) for everyone in their entire department. After they hear the cost, the number of people who really need the tokens often goes down substantially.
Actually, for the record, that's an adjustable value when the token is created. Just tell your salesperson the value you want it to be. You can also request them with more than 6 digits.
I'm not exactly sure why we care that our CCO account names and passwords were stolen. Does it really matter to me if someone downloads IOS while masquerading as me? Or maybe I should care if somebody opens up a TAC case as me, or submits a bug report as me? I really don't see the problem with someone else having access to my account on CCO. The only thing I use it for is to download code (we call TAC directly, or called our dedicated Advanced Services guy for everything else). I'm sure 90% of the people who have CCO accounts also use it solely for the purpose of downloading code/drivers/etc. So am I missing something that is highly private on the site?