Slashdot Mirror
Cisco Warns of Stolen Web Site Passwords
An anonymous reader writes "Cisco warned customers today that someone had broken in and stolen an untold number of passwords and usernames that its customers and employees use to login at Cisco.com, according stories at News.com and Washingtonpost.com. Cisco says the problem is unrelated to flaws in its hardware, but both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn, who last week revealed major flaws in Cisco routers. There is also a growing thread at Nanog where network admins are complaining of not being able to get new passwords."
...especially since you require everyone to register in order to get ANY info or ANY software or ANY drivers.
From: Kim Christensen (kichrist) [mailto:kichrist@cisco.com%5D
Sent: Wednesday, August 03, 2005 11:58 AM
Subject: CISCO - CCO Passwords
Dear Cisco Partner,
I'd like to bring your attention to an issue thatmay cause minor inconvenience for customers and partners.
You may experience issues with yourlogin to www.cisco.com
You will be required to reset your password, please send an email to cco-locksmith@cisco.com from the same email address that is associated with your CCO userid. Within a few minutes you should receive a new working password back to that same email address.
Please note that when you send an email to cco-locksmith@cisco.com - the only requirement is that the email is sent from the same email address associated with your userid to receive the return email with the new password. Once this is received you should be able to reset your password to one of your own choosing.
It ispossible that you are not impacted by this issue but I wanted to ensure you are aware of this in the event you have a problem logging into CCO today.
Your Cisco Channel Team
And Mike Lynn already settled with Cisco, but I suppose it's par for the course to get in one more jab.
Also, the "major flaws" could only be referring to two things:
- flaws that have already been long fixed (six months before Black Hat), that Lynn, in his opinion, didn't believe Cisco identified as "critical enough" to its customers, but nonetheless, as I already said, are fixed; or
- general IOS flaws that will only materialize for architectural reasons in the next major iteration of Cisco's routers that Lynn felt it was important enough to have a frank discussion about, but are not yet shipping.
In other words, Cisco's technical response was such that the vulnerabilities in shipping products are already fixed, and the vulnerability Lynn claims is a real killer allegedly exists in products that aren't even shipping yet and won't be for some time; it flies in the face of logic to believe that Cisco would ignore such vulnerabilities in yet-to-ship products, once identified. Yes, Cisco didn't believe it at first, but it sent engineering staff, and were proven wrong. One can only assume the engineer Cisco sent for the very purpose of confirming this general issue in turn confirmed to Cisco that the problem was indeed real.
Furthermore, it's likely that Lynn broke no law (save possible civil violations of contract and/or trade secret provisions), so any FBI investigation, if not over already, is moot. Ironically, several members of the government, including possibly Air Force OSI and/or NSA congratulated Lynn after his talk at Black Hat, even giving him a challenge coin for his work. Don't worry: Lynn's work isn't lost on those who value security, but don't presume that there is a huge conspiracy just because someone was willing to quit his job to reveal the secrets of a sometime-competitor. A little more of the Cisco/ISS background in this issue - including what I would consider fairly questionably motivated references by ISS about this flaw being Cisco's "Witty" - is provided in the earlier Wired interview.
Looks like they should have used self defending networks......
g _solutions_white_paper0900aecd801dfec7.shtml
http://www.cisco.com/en/US/netsol/ns478/networkin
Cisco doesn't use plain text passwords for CCO. They use RADIUS authentication, more than likely back to their CNS product. The question is, if those passwords were stored in a database on a *nix server behind the firewall what exactly got comprimised here?
I've had nothing but CCO trouble for the past week. That combined with random problems have been frustrating. The lovely order of events:
1) A SUP (well, MSFC) dies in one of our 6000s. I try to open a TAC case.
2) I try to login to CCO. It doesn't really work. I login, but it tells me I'm not logged in. After a bunch of clicking and such, I can open a TAC case.
3) Since Cisco can't get its Smartnet act together, I need to jump through hoops to get the right contract on my account, again.
4) Finally open a case. Tech diagnoses immediately as an MSFC bug. Sends me a new SUP.
5) After a day of messing with the new SUP and wondering if I'm crazy, I decide they've sent me a DOA SUP.
6) Tech agrees, sends me a new SUP.
7) Try to use the RMA POWR tool to print mailing labels for the pair of bad SUPs fails. The tool has been down for three days now. Completely down.
8) Try to login to CCO for something else today and run into the password problem. Combine that with their password reset tool not working and I'm *very* *very* annoyed.
*Sigh* Guess all companies have bad weeks, but this is particularly sucky for Cisco.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman