Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cisco Warns of Stolen Web Site Passwords

Posted by samzenpus on from the are-you-you dept.

An anonymous reader writes "Cisco warned customers today that someone had broken in and stolen an untold number of passwords and usernames that its customers and employees use to login at Cisco.com, according stories at News.com and Washingtonpost.com. Cisco says the problem is unrelated to flaws in its hardware, but both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn, who last week revealed major flaws in Cisco routers. There is also a growing thread at Nanog where network admins are complaining of not being able to get new passwords."

13 of 165 comments (clear)

  1. Thanks, Cisco.... by SamMichaels · · Score: 4, Insightful

    ...especially since you require everyone to register in order to get ANY info or ANY software or ANY drivers.

    1. Re:Thanks, Cisco.... by TommyBlack · · Score: 3, Interesting

      Well the question there is whether they keep any personally identifiable information with that registration, which can now be accessed by whoever stole the logins.

      Even for people who use the same username and password everywhere, this shouldn't be a problem since the passwords should be stored in a manner that is encrypted and can't be reverse-engineered. They wouldn't be stupid enough to store the passwords, right?

      --
      Why do my serious comments get modded "funny"?
  2. Solution and comments by daveschroeder · · Score: 5, Informative

    From: Kim Christensen (kichrist) [mailto:kichrist@cisco.com%5D
    Sent: Wednesday, August 03, 2005 11:58 AM
    Subject: CISCO - CCO Passwords

    Dear Cisco Partner,

    I'd like to bring your attention to an issue thatmay cause minor inconvenience for customers and partners.

    You may experience issues with yourlogin to www.cisco.com

    You will be required to reset your password, please send an email to cco-locksmith@cisco.com from the same email address that is associated with your CCO userid. Within a few minutes you should receive a new working password back to that same email address.

    Please note that when you send an email to cco-locksmith@cisco.com - the only requirement is that the email is sent from the same email address associated with your userid to receive the return email with the new password. Once this is received you should be able to reset your password to one of your own choosing.

    It ispossible that you are not impacted by this issue but I wanted to ensure you are aware of this in the event you have a problem logging into CCO today.

    Your Cisco Channel Team

    And Mike Lynn already settled with Cisco, but I suppose it's par for the course to get in one more jab.

    Also, the "major flaws" could only be referring to two things:

    - flaws that have already been long fixed (six months before Black Hat), that Lynn, in his opinion, didn't believe Cisco identified as "critical enough" to its customers, but nonetheless, as I already said, are fixed; or

    - general IOS flaws that will only materialize for architectural reasons in the next major iteration of Cisco's routers that Lynn felt it was important enough to have a frank discussion about, but are not yet shipping.

    In other words, Cisco's technical response was such that the vulnerabilities in shipping products are already fixed, and the vulnerability Lynn claims is a real killer allegedly exists in products that aren't even shipping yet and won't be for some time; it flies in the face of logic to believe that Cisco would ignore such vulnerabilities in yet-to-ship products, once identified. Yes, Cisco didn't believe it at first, but it sent engineering staff, and were proven wrong. One can only assume the engineer Cisco sent for the very purpose of confirming this general issue in turn confirmed to Cisco that the problem was indeed real.

    Furthermore, it's likely that Lynn broke no law (save possible civil violations of contract and/or trade secret provisions), so any FBI investigation, if not over already, is moot. Ironically, several members of the government, including possibly Air Force OSI and/or NSA congratulated Lynn after his talk at Black Hat, even giving him a challenge coin for his work. Don't worry: Lynn's work isn't lost on those who value security, but don't presume that there is a huge conspiracy just because someone was willing to quit his job to reveal the secrets of a sometime-competitor. A little more of the Cisco/ISS background in this issue - including what I would consider fairly questionably motivated references by ISS about this flaw being Cisco's "Witty" - is provided in the earlier Wired interview.

  3. This? This isn't a big deal by ReformedExCon · · Score: 3, Informative

    These things can be fixed pretty easily. All current members with valid logins will just get new passwords assigned to them and the world will keep spinning like it always does.

    But it points to a completely different, much more significant problem. That is of using the same password for every login. I admit that I do it too because it is much easier to remember one or two basic passwords than trying to remember a different password for each site that I log in to. But as this latest breach of security shows us, doing that jeopardizes all other logins on other sites.

    One can only hope that they don't keep the passwords in a plaintext file and that a strong one-way encryption scheme is used to scramble the passwords in the database.

    Also, I wonder who thinks it is useful to hack these sites in retaliation for some perceived wrong against a stranger? The hackers at fault here prove no point, present no agenda, and generally smear the image of computer enthusiasts in the public eye. I'd rather they find a better way to protest than to attack private property.

    --
    Jesus saved me from my past. He can save you as well.
  4. Looks like they should have used..... by rolfwind · · Score: 4, Funny

    Looks like they should have used self defending networks......

    http://www.cisco.com/en/US/netsol/ns478/networking _solutions_white_paper0900aecd801dfec7.shtml

  5. Re:Plain Text Passwords by skeeball · · Score: 4, Informative

    Cisco doesn't use plain text passwords for CCO. They use RADIUS authentication, more than likely back to their CNS product. The question is, if those passwords were stored in a database on a *nix server behind the firewall what exactly got comprimised here?

  6. Cisco Trouble for the Past Week by pyite · · Score: 4, Insightful

    I've had nothing but CCO trouble for the past week. That combined with random problems have been frustrating. The lovely order of events:

    1) A SUP (well, MSFC) dies in one of our 6000s. I try to open a TAC case.
    2) I try to login to CCO. It doesn't really work. I login, but it tells me I'm not logged in. After a bunch of clicking and such, I can open a TAC case.
    3) Since Cisco can't get its Smartnet act together, I need to jump through hoops to get the right contract on my account, again.
    4) Finally open a case. Tech diagnoses immediately as an MSFC bug. Sends me a new SUP.
    5) After a day of messing with the new SUP and wondering if I'm crazy, I decide they've sent me a DOA SUP.
    6) Tech agrees, sends me a new SUP.
    7) Try to use the RMA POWR tool to print mailing labels for the pair of bad SUPs fails. The tool has been down for three days now. Completely down.
    8) Try to login to CCO for something else today and run into the password problem. Combine that with their password reset tool not working and I'm *very* *very* annoyed.

    *Sigh* Guess all companies have bad weeks, but this is particularly sucky for Cisco.

    --

    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

  7. how to by-pass password by blew_fantom · · Score: 3, Funny

    >o/r 0x2142

    oh. wrong password... oops...

  8. Re:Raises the debate of usefulness of registering by Anonymous Coward · · Score: 3, Funny
    I generally register with the awe inspiring uncrackable password of 123123
    Holy crap that is the combination to my luggage.
  9. Get your stories straight... by homerskid · · Score: 3, Insightful
    If you are reporting news, try to get the story correct: No passwords were compromised, Cisco took a proactive stance to remedy something that had the possibility of occuring.
    "It has been brought to our attention that there is an issue in a Cisco.com search tool that could expose passwords for registered users,"

    This also had nothing to do with Lynn, even though the media would like to tie them together. It was brought to Cisco's attention by a completely separate company.
  10. I posted this first with a little different twist by geekp0wer · · Score: 3, Informative

    Cisco Web Site Hacked 3:18 PM

    According to an article at ZDNet, Cisco's web site has been hacked and they are advising users to change their passwords. As someone who was at Ciscogate (Michael Lynn's Blackhat presentation) I can not go without wondering if this event is related. Lynn stated in his presentation last week that the older IOS archives were removed from the download site due to his research. That begs the question, did someone hack Cisco's site in an attempt to get at those versions of IOS? BTW, if you are still looking for the orginal presentation this previous slashdot story mentions an article at Wired, which has a link to lynn-cisco.pdf

  11. No site should ever store passwords by vicaya · · Score: 3, Insightful

    It's appalling that a major company (a major tech company with security product offerings in this case!) website would store passwords in cleartext. Passwords (even usernames) should always be stored in strong one-way hashes like sha-1, so that even if they're stolen, they're close to useless.

  12. Don't worry by That's+Unpossible! · · Score: 3, Funny

    Word is the thieves have just as much trouble logging in with these stolen passwords as those who originally created them, and Cisco predicts the thieves will give up on them shortly.

    And honestly, even if the thieves could get access to the needed areas of Cisco's TOP SECRET website, what are the chances they could decipher the grid of which firmware goes with which device?

    Last time I looked at Cisco's firmware listings (back when they had that exploit affecting all their routers), a co-worker had to pry the gun out of my hands.

    What moron developed their firmware version scheme? Please kill this person immediately.

    --
    Ironically, the word ironically is often used incorrectly.