Cisco Says Vegas Conference Attendees' Information Was Leaked
Julie188 writes "Thousands of people got a nasty e-mail this morning from Cisco. The company was warning people that its attendee registration database for its Cisco Live 2010 event was hacked. Cisco Live 2010 is the company's annual user conference, held last week in Las Vegas with an estimated 18,000 in attendance. If it's not embarrassing enough for a company that sells security gear to get hacked, the e-mail also went out to people who didn't register and didn't attend the event. That raises questions about exactly what database was pried open and how bad the damage is. Cisco's e-mail said the hole was quickly closed and only business-card type information was exposed."
the e-mail also went out to people who didn't register and didn't attend the event.
That's even more embarrassing than a security breach -- it's a routing error. From Cisco.
#fuckbeta #iamslashdot #dicemustdie
We hope you have returned home safely and are back into your normal routine after a busy week at Cisco Live 2010.
We are contacting you because on the final afternoon of Cisco Live, one of our vendors identified an unexpected attempt to access attendee information through ciscolive2010.com. The ability to access this information was quickly removed, but not before some conference listings were accessed.
Cisco Live takes the security of attendee information very seriously and immediately elevated this matter to our chief security officer. His team completed a thorough review and as a result we believe your registration information – specifically your Cisco Live badge number, name, title, company address and email address – was accessed. No other information was available or accessed.
Although these details are commonly accessed by our World of Solutions partners and often freely provided by Cisco Live attendees, we felt it was our responsibility to inform you as quickly as possible. As we cannot yet confirm the information was accessed by an authorized Cisco Live partner, we encourage you to consider the appropriate precautions to protect against any unwanted email.
Please accept our apologies for any inconvenience that may result and feel free to contact us directly at support@ciscolive2010.com if you have any additional questions or information.
We hope you enjoyed your Cisco Live experience and we look forward to welcoming you to Las Vegas in 2011.
Regards,
I can't think of anything less important than seeing phonebook-style data made public. Losing credit card numbers or bank account numbers for large groups is bad; losing email addresses is not.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
They could stay quiet about it.
It was just a website hack into a low-security-data backend database. It's not like someone actually subverted any of their products.
Emotions! In your brain!
Honest honey! I was nowhere near Vegas that week!
Can someone paste the header to see if the email from "Cisco" is legit or fraudulent? I attended Cisco Live and received no such email, and people who didn't attend received the mail. The Cisco Live team has a database of everyone who registered for the event, so if the email was legit I would have expected to see it get sent to the correct audience.
It is good that a company which got hacked informs possible collateral victims. Yes, at first glance it appears to be particularly embarrassing for a company to get hacked if it advertises to security conscious people -- until you realize that there is no perfect security and every worthwhile target eventually gets hacked. How you deal with it when it happens is what separates the pros from the amateurs.
the e-mail also went out to people who didn't register and didn't attend the event.
. . . I met a man, who wasn't there.
He wasn't there again today . . . I think he's from the CIA . . .
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Do you really think Cisco is going to be happy if their customer list falls into the hands of their competitors? If this data has profile info like "How much Cisco equipment have you bought in the last year" then it could be VERY VERY useful to their competitors.
Cisco collected that information so they and their "partners" could spam you: "... we believe your registration information - specifically your Cisco Live badge number, name, title, company address and email address- was accessed. No other information was available or accessed. Although these details are commonly accessed by our World of Solutions partners".... Their "partner locator" finds 16601 partners in the United States, 3241 in China, 998 in Russia, 427 in Romania, 330 in Nigeria, and 12 in Afghanistan. So just about anybody who wants that data could get it.
They're just irked that someone who didn't pay for their mailing list might spam you.
This isn't a non-event being blown into a mountain by a trade rag that wants web hits, is it?
does NOT stay in Vegas
Cisco, being a typical giant US corporation... its left hand hasn't got a clue whatever the fuck its right hand is doing.
This is outrageous. I have been a long time implementer of Cisco products and I didn't receive one of these emails!
Do they not value my business enough to include me in this database!
...damn lies, and sales opportunities.
Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
"Thousands of people got a nasty e-mail this morning from Cisco" I read the email, maybe I'm missing something but it didn't seem too nasty to me. Which begs the question, why would the submitter try to unfairly bias the reader who didn't follow the link against Cisco?
Where has reason in the world gone? Have we abandoned it in favor of power and politics?
This is going to make it much harder for them to now push security at the conference. Plus they better have an all hands meeting with all the staff running the conference to make sure everyone's story is straight. That could be terrible Public Relations for Cisco. They could turn this around and have a session about the compromised device and explain how they fixed it and give tips to the customer to avoid having the same situation happen to them. We will see how Cisco handles this.
http://www.thetechnologygeek.org
Cisco Partner != Cisco World of Solutions Partner
These conferences always look like they are run by someone other than the company or companies owning the show. For the Cisco Live 2010 conference, Wingateweb.com ran the registration, or it looks like they did, because they own the domain (ciscolive2010.com). I looked up who owned that domain and then looked at their website (wingateweb.com), and this is what it says:
Trusted Technology
World-class Delivery
Event organizers around the world rely on WingateWeb’s event management software and services to deliver the world’s top conferences, conventions and trade shows. Optimize your strategy, maximize your audience and deliver perfect events every time with WingateWeb.
So before people blame Cisco for someone getting into the database and getting attendee data dumps you might want to ask who really was to blame. And FYI, very often the on site software for registering and checking in is not only run on Windows laptops but they are very poorly done. Way too many times redundant information was requested and don't even try to use tab completion for city, state, etc, tab navigation, or the space bar for button activation. I would not doubt that many many other conference databases have been hacked but this Cisco conference hack was found out because they are very security minded and looked into it.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
yo, this is SOP for these conferences and anyone with a clue knows that all the vendors at the show can have access to the attendee list if they pay the $$ for it. They can also rent machines from the conference organizers which lets attendees' cards be scanned at the booth and that list is provided to the vendor either on the spot or via a data dump.
I'm afraid of the boogie-man just as much as the next guy but this stuff people are drumming up here is nothing but a witch hunt. There's nothing here so stop trying to scare yourself and others.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
what happens when you leave the root login as "root" on the database. I mean Cisco and security? LOL. Oh and Hayley Williams was "hacked" too.
Seven puppies were harmed during the making of this post.
Cisco's entire worldwide partner ecosystem != Cisco Live! World of Solutions, which was a vendor booth exhibition at Cisco Live in Las Vegas last week.
I'm not sure how many partners were in World of Solutions but there were perhaps 200. Companies like EMC, APC, CA, etc. You want a light-up rubber ball or blinking shot glass or whatever shiny object they were giving away at their booths, you let them scan your badge. Some had booth babes running around with scanners, which was fairly effective at a conference where 95% of the attendees are men.
Every conference I've ever attended has worked this way.
Eagles may soar, but weasels don't get sucked into jet engines.
What happens in Vegas *doesn't* stay in Vegas?
Does this strike anybody but me as a little bit "Uplink"ish?
-Hacker only gained access long enough to copy some of the data
-Data could be used to screw people over
-It's Cisco
I mean, this sounds exactly like the sort of thing I'd do in Uplink just to be a bastard.
So before people blame Cisco for someone getting into the database and getting attendee data dumps you might want to ask who really was to blame.
Cisco is to blame for contracting an incompetent.
It's their conference, it's their fault.
What's next, BP's CEO bears no responsibility for the spill? Er, wait...
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I have worked for Cisco recently. I was surprised to see that most of the employees use IE-6 and the BU's send regular newsletter style emails that are not visible unless you have HTML rendering enabled, and much more. Fun part is they look at you as if you have grown horns on your head when you try to tell them these things are not very secure and Cisco is supposed to be a security aware company. Go figure!
yo Francis, when we see that Cisco knew what was going on and continued to let it happen then you can go and blame them for who was running the event registration.
Regarding the BP comment, have you not read anything of how a BP employee was on the DWH and was directing operations to use unsafe measures? The CEO can say all he wants that he's not to blame but his direct employees caused the problems. But of course, it also appears they hired contractors who sidestep minor things like BOP systems failures and continued drilling. But even here, we don't know if the BP employees told them to continue with only 50% system status and questionable test results.
From what I've seen, Cisco has been very upfront with this and they were the ones who dug into the issue and found access was made. They seem to be doing what an upfront company would do.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
it was a gamble.