Slashdot Mirror


Cisco Security Appliances Found To Have Default SSH Keys

Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.

This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free reign on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.

"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
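As an added example (not Cisco's code and not from the advisory or any commenter), here is a Python audit a defender could run over `authorized_keys` files collected from a fleet of appliances or servers. It computes the OpenSSH-style SHA256 fingerprint of each public key and flags two things: a key that appears on more than one host (the "default authorized SSH key shared across all the installations" pattern the advisory describes) and any fingerprint the operator has placed on a revocation list. The hostnames, key material and revocation list are constructed for the example; the key lines are syntactically valid but are not anyone's real keys.

```python
"""Fleet audit for shared or vendor-default SSH authorized keys (added example)."""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_key_line(seed: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 authorized_keys line from a
    constructed 32-byte value. Stand-in for a real key; no one holds the private half."""
    pub = hashlib.sha256(f"constructed-key-{seed}".encode()).digest()  # 32 bytes
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pub)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_line(key_line: str):
    """Return (fingerprint, comment) for one authorized_keys line.
    Fingerprint is OpenSSH's "SHA256:<base64 without padding>" over the decoded
    key blob. Leading options such as command="/bin/true" are skipped (options
    containing spaces are not handled here)."""
    fields = key_line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            comment = " ".join(fields[i + 2:])
            return fp, comment
    raise ValueError("no public key found in line")


def fingerprint(key_line: str) -> str:
    return parse_line(key_line)[0]


def audit(fleet: dict, revoked: set) -> dict:
    """fleet maps hostname -> authorized_keys file contents.
    Returns {fingerprint: {"hosts": [...], "comments": [...], "shared": bool, "revoked": bool}}."""
    seen = defaultdict(lambda: {"hosts": set(), "comments": set()})
    for host, text in fleet.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fp, comment = parse_line(line)
            seen[fp]["hosts"].add(host)
            if comment:
                seen[fp]["comments"].add(comment)
    return {
        fp: {
            "hosts": sorted(info["hosts"]),
            "comments": sorted(info["comments"]),
            "shared": len(info["hosts"]) > 1,   # same key trusted on several hosts
            "revoked": fp in revoked,           # operator-supplied revocation list
        }
        for fp, info in seen.items()
    }


def findings(report: dict) -> list:
    """Sorted list of (fingerprint, reason) for every key that needs action."""
    out = []
    for fp, info in report.items():
        if info["revoked"]:
            out.append((fp, "revoked"))
        elif info["shared"]:
            out.append((fp, f"shared across {len(info['hosts'])} hosts"))
    return sorted(out)


# Constructed sample fleet: one key shipped identically on every box, plus per-host admin keys.
SHARED = make_ed25519_key_line(1, "support@vendor")
FLEET = {
    "wsa-01": SHARED + "\n" + make_ed25519_key_line(11, "admin@wsa-01") + "\n",
    "esa-01": "# managed by vendor\n" + SHARED + "\n",
    "sma-01": SHARED + "\n" + make_ed25519_key_line(13, "admin@sma-01") + "\n",
}
# In practice this set is filled from a vendor advisory or internal revocation list;
# here it is constructed from the shared key so the match is visible.
REVOKED = {fingerprint(SHARED)}

if __name__ == "__main__":
    for fp, reason in findings(audit(FLEET, REVOKED)):
        print(f"{fp}  {reason}")
```

Run it against real data by replacing `FLEET` with the output of collecting `/root/.ssh/authorized_keys` (and any other trusted-key files) from each host; the fingerprints it prints match what `ssh-keygen -lf` reports, so they can be compared directly with fingerprints published in an advisory.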

112 comments

  1. Oh come ON by 93 Escort Wagon · · Score: 1

    Was THIS the way you finally managed to get off ssh1, Cisco?

    --
    #DeleteChrome
    1. Re:Oh come ON by Anonymous Coward · · Score: 0

      Risk compromising tens of thousands of devices for support reasons? Cough cough... another nsl "bug"... cough.

  2. Using Linux would prevent these Cisco mishaps! by Anonymous Coward · · Score: 0

    Quit whining and learn to configure it yourselves ladies.

    1. Re:Using Linux would prevent these Cisco mishaps! by ArmoredDragon · · Score: 4, Informative

      Cisco is very much a "configure it yourself" type of deal. In fact their whole certification track above the CCENT level revolves heavily around knowing the IOS command syntax.

      You can substitute their routers for Linux, but NOT their layer 3 switches, unless you really don't give a shit about performance in an enterprise environment.

    2. Re:Using Linux would prevent these Cisco mishaps! by Rigel47 · · Score: 1

      Are there even linux-based switches? I know the router front is doing good with Vyatta, etc, but never heard of linux switches. Doesn't make sense given how (relatively) cheap switches are.

    3. Re:Using Linux would prevent these Cisco mishaps! by Phishcast · · Score: 2

      Here's one, Cumulus Networks. A lot of Cisco switching gear is Linux underneath with a more familiar Cisco CLI.

    4. Re:Using Linux would prevent these Cisco mishaps! by swv3752 · · Score: 2

      http://cumulusnetworks.com/blo...
      http://www.datacenterknowledge...
      http://opennetlinux.org/
      http://www.opencompute.org/
      http://www.wired.com/2013/03/b...

      Get with the times: the Big Iron networking gear (like that used at Google and Facebook) is switches running Linux.

      --
      Just a Tuna in the Sea of Life
    5. Re:Using Linux would prevent these Cisco mishaps! by silas_moeckel · · Score: 1

      A Cisco Nexus is pretty Linux.

      --
      No sir I dont like it.
    6. Re:Using Linux would prevent these Cisco mishaps! by irving47 · · Score: 1

      Yeah, pretty much all of Ubiquiti's gear is. Edgeswitch, in particular, in this case.

      --
      I had a sucky sig.
    7. Re:Using Linux would prevent these Cisco mishaps! by Anonymous Coward · · Score: 0

      You can substitute their routers for Linux, but NOT their layer 3 switches, unless you really don't give a shit about performance in an enterprise environment.

      True, but there are plenty of purpose-built commercial alternatives that don't come with the Cisco Marketing Tax.

    8. Re:Using Linux would prevent these Cisco mishaps! by Anonymous Coward · · Score: 1

      You mean like everyone who had to replace their Debian-generated SSL keys due to bad (practically nonexistent) PRNG seeding?

    9. Re:Using Linux would prevent these Cisco mishaps! by Anonymous Coward · · Score: 1

      Juniper's OS is based on FreeBSD.

    10. Re: Using Linux would prevent these Cisco mishaps! by Anonymous Coward · · Score: 0

      Still orders of magnitude less worse than a known preinstalled ssh key.

    11. Re:Using Linux would prevent these Cisco mishaps! by sexconker · · Score: 1

      A layer 3 switch is a fucking router. It's called a layer 3 switch because it's a fucking shitty router.
      Switches are layer 2.

    12. Re:Using Linux would prevent these Cisco mishaps! by Cramer · · Score: 2

      There are lots of switches running linux. Of course, linux isn't the thing doing the switching.

      The question to ask is can you get to the OS and/or ssh configuration to remove whatever the vendor may have installed? (i.e. remove whatever ssh backdoor keys they left there.) In most cases, the answer is "Hell. No."

    13. Re: Using Linux would prevent these Cisco mishaps! by Anonymous Coward · · Score: 0

      It is a router that can *route* packets among all interfaces at full speed. Get a Linux box with 16 NICs and flood them with traffic. See it sizzling, smoking and crashing.
      Slashdot people: If you are wondering why so many imbeciles buy overpriced gear, then you may be missing something else.

    14. Re:Using Linux would prevent these Cisco mishaps! by ArmoredDragon · · Score: 1

      A layer 3 switch is in many ways better than a router because it makes forwarding decisions in hardware. Meanwhile dedicated routers don't offer any big advantages over a layer 3 switch unless you happen to be using old shit like frame relay where you need special WICs and can't use ordinary ethernet or SFP adapters.

    15. Re:Using Linux would prevent these Cisco mishaps! by ArmoredDragon · · Score: 1

      Quite a difference between using any old Linux server as a router, and using an actual device that is purpose built for that which includes an ASIC to make faster and more efficient forwarding decisions.

    16. Re: Using Linux would prevent these Cisco mishaps! by sexconker · · Score: 1

      It is a router that can *route* packets among all interfaces at full speed. Get a Linux box with 16 NICs and flood them with traffic. See it sizzling, smoking and crashing.

      Oh fuck off with that bullshit. Routing packets takes minimal CPU, so fuck off with your sizzling and smoking horse shit. Full fledged routers are much more capable than "layer 3 switches".

    17. Re:Using Linux would prevent these Cisco mishaps! by sexconker · · Score: 1

      A "layer 3 switch" has minimal routing features and is only a "great router" if you don't need to do much routing and thus don't want to spend money on an actual router.

    18. Re:Using Linux would prevent these Cisco mishaps! by sexconker · · Score: 1

      Dedicated routers offer same-or-better performance and capacity of a "layer 3 switch", and give you FULL layer 3 traffic control, not the half-assed firewalling, prioritization, etc. that "layer 3 switches" provide (at slow fucking speed).

      "Layer 3 Switch" is a marketing term for "half-assed router", and nothing more. If they were as capable as routers they'd be called routers because they'd fucking be routers. It's just like "smart managed switch", which means you get a semi-functional web interface (and maybe a semi-functional serial interface), good enough to do basic filtering, authentication, and VLANing, but it's nowhere near as capable as a true managed switch.

      Saying a layer 3 switch is better than a router is like saying a spork is better than a spoon, fork, and knife.

    19. Re: Using Linux would prevent these Cisco mishaps! by Anonymous Coward · · Score: 0

      Unskilled and unaware of it.

    20. Re: Using Linux would prevent these Cisco mishaps! by buchanmilne · · Score: 1

      Except the 'security appliance' line does not run IOS. These are servers (originally re-badged Dell PowerEdge, but now Cisco UCS C-class rack-mounts) running AsyncOS (a proprietary FreeBSD-based platform), which used to be branded as Ironport.

      It doesn't seem to affect any IOS flavour (IOS, IOS-XE which is Linux-based, IOS-XR) or the Nexus NX-OS (Linux-based).

    21. Re:Using Linux would prevent these Cisco mishaps! by ArmoredDragon · · Score: 1

      Wow. Not only is everything you said way wrong (way way way WAY wrong,) but it's also approaching retardation.

      In fact, I strongly recommend there be a restraining order to prevent you from going anywhere within a mile of any enterprise grade network. You're of those guys who talks down to other employees at IT shops while always being the biggest cause of down time. 100% Dunning-Kruger.

    22. Re:Using Linux would prevent these Cisco mishaps! by Anonymous Coward · · Score: 0

      Actually HP enterprise ProCurve outperforms Cisco in just about every test for significantly less money, with a lifetime hardware warranty, support and FREE updates. They're very popular with sysadmins in the know, VoIP shops and even on the International Space Station. In fact HP has had a major part in designing open standards protocols such as LLDP and LACP. In terms of capabilities they are not quite as full featured as a Cisco high end layer 3 switch, maybe 85% of the features, but I run into VERY few shops that actually use more than 10% of the features on a Cisco layer 3 switch anyway. For instance a few years ago they only supported 128 vs 256 VLANs on a single switch but I have only seen 1 network in hundreds where that mattered anyway.

      I seriously recommend any Cisco shop evaluate HP ProCurve. If it fits your needs you will have a faster, equally reliable and flexible network for nearly half the price over 3 years, bye bye SmartNet. That means more money for IT projects people actually will notice.

    23. Re:Using Linux would prevent these Cisco mishaps! by smartfart · · Score: 1

      I've forgotten the name of the company now, but there was a presentation at the Linux conference last year (two years ago, maybe?) in New Orleans that talked about this very topic, and they (or someone else that approached me afterward because I asked a question about it) said that their company was making switching hardware that did stuff in kernel-space, maybe with a proprietary module. This is key here... you can stuff a bunch of NICs in a box and use brtables or whatever and make a switch, but that's going to be dog-slow. ASICs are needed, and at least that one Linux company is making them.

  3. Beware 'appliances' by Junta · · Score: 1

    This is the example of precisely how disciplined the 'appliances' you get from vendors are constructed.

    This is a *security* focused appliance that made this goof from one of the more well regarded vendors in the market.

    Think about that next time you save a few seconds of your time buying an appliance or even pulling down something from dockerhub instead of just installing the platform.

    Of course the software industry has gone to town with appliances, meaning they spend no time properly packaging things anymore because an 'appliance' will take care of all of it.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Beware 'appliances' by Anonymous Coward · · Score: 0

      If Cisco didn't use interns and cheap H1B labor, maybe this wouldn't happen. Seriously, they need some experienced, security-minded people to manage and review these products before they ship.

      If you think this is bad, try looking at the cisco ACE load balancers. They can't even do modern crypto and they refuse to update them.

    2. Re:Beware 'appliances' by myowntrueself · · Score: 5, Interesting

      If Cisco didn't use interns and cheap H1B labor, maybe this wouldn't happen. Seriously, they need some experienced, security-minded people to manage and review these products before they ship.

      If you think this is bad, try looking at the cisco ACE load balancers. They can't even do modern crypto and they refuse to update them.

      Are you kidding? This was done for support reasons; to support the NSA.

      --
      In the free world the media isn't government run; the government is media run.
    3. Re:Beware 'appliances' by ShaunC · · Score: 2

      This is a *security* focused appliance that made this goof from one of the more well regarded vendors in the market.

      "Goof?" I'm not convinced. It's just as likely that this was engineered into the products intentionally.

      News broke last year that NSA was intercepting Cisco equipment en route to customers and making a few tweaks. Cisco made a big production a few months ago about how they were suddenly willing to ship to random addresses to avoid NSA interdiction. Perhaps that's because whatever NSA needs is already built in, and always has been, and the whole story about NSA physically yanking packages from carriers was misdirection. Put that story out there and people who are able to control the delivery chain will have a strong, but very false, sense of security.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    4. Re: Beware 'appliances' by Anonymous Coward · · Score: 0

      Cisco ACE hardware is more unstable than most servers, so I don't see it as an honest offering. It's gold plated shit that stupid people buy.

      They fail in very peculiar ways, and require reboots every couple months. Cisco does nothing.

      I haven't seen a good quality Cisco product in 15 years, and even then the switch I'm thinking about ran hot as an oven.

    5. Re:Beware 'appliances' by Lunix Nutcase · · Score: 1

      Why invent some NSA conspiracy when Cisco clearly said it was intentional for support purposes?

      The default key apparently was inserted into the software for support reasons.

    6. Re: Beware 'appliances' by Anonymous Coward · · Score: 1

      Exactly. Key is right where NSA told Cisco to put it.

      It's a *feature,* not a bug.

    7. Re:Beware 'appliances' by idontgno · · Score: 2

      for support reasons

      You're not asking the correct question.

      "To support whom?"

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    8. Re: Beware 'appliances' by Anonymous Coward · · Score: 0

      Cisco ACE has been phased out since 2013. Your Cisco account manager already told you to buy F5 or Citrix Netscaler.

      Sorry, did you say you bought your ACEs in the Gray market??

    9. Re:Beware 'appliances' by gtall · · Score: 1

      Yeah, that's it, NSA wanted Cisco to do something so stupid it would take the Chinese 2 minutes to figure out how holey their boxes are.

    10. Re:Beware 'appliances' by myowntrueself · · Score: 2

      Yeah, that's it, NSA wanted Cisco to do something so stupid it would take the Chinese 2 minutes to figure out how holey their boxes are.

      I don't get the impression that the NSA really think things like this through to that extent.

      --
      In the free world the media isn't government run; the government is media run.
    11. Re:Beware 'appliances' by Anonymous Coward · · Score: 0

      Bingo. Many of these "bugs" are indeed bugs. Cisco well knows you don't secretly insert back doors into government and enterprise hardware for "support" reasons. It's unfortunate the article doesn't mention Captain Obvious, but at least your score of five shows those that used to be called tinfoil hatters are finally being taken seriously by many.

    12. Re:Beware 'appliances' by Anonymous Coward · · Score: 1

      No way in Hades would Cisco "accidentally" insert a secret backdoor into so much enterprise hardware unless forced to do so. Putting aside layers upon layers of code review for something that big to happen, Cisco management well knows you don't do that to enterprise customers. I'm surprised post-Snowden so many people are still in denial that the NSA is indeed trying to put backdoors in everything. It's not tinfoil hat.

    13. Re:Beware 'appliances' by Anonymous Coward · · Score: 0

      It's just too obvious to be an NSA conspiracy. An NSA backdoor would be far more clever.

      You really overestimate these companies' processes.

    14. Re: Beware 'appliances' by chromeronin799 · · Score: 1

      You do realise the NSA is a government organization. This means stupid ideas are almost guaranteed.

  4. Well well well by Anonymous Coward · · Score: 0

    NSA conspiracy theory in 3... 2... 1...

    But seriously, WTF? This level of incompetence is as good as NSA-level malice.

    1. Re:Well well well by Anonymous Coward · · Score: 1

      Anyone that doesn't think the NSA was involved is extremely gullible. Cisco is the biggest networking company in the world. They serve governments and large corporations around the planet which all expect transparency and security. Cisco's management, engineers, programmers and, if their cats could speak, their cats... all know beyond a shadow of a doubt you don't insert secret default backdoors into enterprise hardware. Code review would have detected such a glaringly obvious "bug" long before it was inserted into the firmware of billions of dollars of enterprise hardware affecting billions of users and trillions of dollars of commerce. There is no way this was done accidentally. Zero chance. Nada. Zilch.

  5. NSA? by Laguerre · · Score: 4, Insightful

    There might be reasons other than "support" for universal access SSH keys.

    1. Re:NSA? by Anonymous Coward · · Score: 0

      Nah this wasn't a mandated inclusion, it was an oversight that they happily took advantage of. Many on *nixes tend to prevent the root from being able to ssh via configuration and thus RARELY THINK TO DO ANYTHING with root's keys. Our ignorance and negligence on the matters of security are their bread and butter.

    2. Re:NSA? by SoftwareArtist · · Score: 1

      Yes, that's exactly what they said. It was added to support the NSA. Oh, did you think "support reasons" meant support for their customers? How quaint! ;)

      --
      "I'm too busy to research this and form an educated opinion, but I do have time to tell everyone my uninformed opinion."
  6. Interesting eggcorn by Anonymous Coward · · Score: 0

    Why is it that people are tempted to write "free reign"? Sure, horses are scarce nowadays, but so is monarchy.

    1. Re:Interesting eggcorn by bigfinger76 · · Score: 1, Troll

      Do you drag every conversation you hear down with this pedantic garbage every time you hear a figure of speech? You must be a blast at parties.

    2. Re:Interesting eggcorn by Anonymous Coward · · Score: 0

      "Free reign" is not a figure of speech. Never was. It's just an interesting error, for studiable linguistic reasons.

    3. Re:Interesting eggcorn by cbiltcliffe · · Score: 1

      Just out of curiosity, what do you think the proper homonym phrase is for this?

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    4. Re:Interesting eggcorn by Anonymous Coward · · Score: 0

      In this case the exploit gives the attacker root permissions, so it could be a pun.

    5. Re: Interesting eggcorn by clovis · · Score: 2

      It should be "free rein". It refers to the reins used to direct the travel of a horse, similarly to the way "steering wheels" were used to direct the motion of automobiles before Google acquired a majority stake on the US Supreme Court and self-driving cars became mandatory.
      Anyway, if you were to release your grip on the reins, then the horse may theoretically feel free to travel in any direction. In practice the horse generally returned to the barn after scraping the rider off on the nearest tree.

    6. Re:Interesting eggcorn by David_Hart · · Score: 1

      Just out of curiosity, what do you think the proper homonym phrase is for this?

      From grammarist.com it should be "free rein" as in a horse being able to do what they want because the reins are free. "reign" is a recent misspelling that is being used more often.

    7. Re:Interesting eggcorn by Anonymous Coward · · Score: 0

      The correct figure of speech is "free rein". It referred to loosening your hold on the reins to let the horse have its head. Nothing to do with reigning.

    8. Re: Interesting eggcorn by LunaticTippy · · Score: 2

      The correct figure of speech is "free rain." Nobody alive remembers when rain fell freely where I'm living, so this has corrupted over the years into horses and monarchs and whatnot.

      --
      Man, you really need that seminar!
    9. Re: Interesting eggcorn by aynoknman · · Score: 1

      The correct figure of speech is "free rain."

      Nope, the correct figure of speech is "Free Ryan.":
      From Wikipedia: "In September 2013, the first book about the Ryan Ferguson case was released: Free Ryan Ferguson: 101 Reasons Why Ryan Ferguson Should Be Released, by Brian D'Ambrosio."

      --
      We need a "+1 -- nice sig" moderation.
    10. Re:Interesting eggcorn by Anonymous Coward · · Score: 0

      Good question, my money is on 'free reign' being the origin, unless you believe horses were free before we had kings and bandits?

      But I think this might be realistically hard to prove?

      I definitely believe it's free reign
      free reign
      free rein
      free range
      free rain... this is just silly

      I just don't see how any affirmation of this would be possible other than a simple age comparison.

      free reign, free rein, and free range.

    11. Re:Interesting eggcorn by Anonymous Coward · · Score: 0

      You are freaking illiterate. "Free rein" was the only spelling until well after Eternal September.

  7. How by koan · · Score: 2

    is this a bug?

    default, authorized SSH keys

    --
    "If any question why we died, Tell them because our fathers lied."
  8. Barracuda Backup, too! by ffsnjb · · Score: 1

    https://techlib.barracuda.com/...

    You can't change the keys, so if you want to use SSHFS to backup systems that aren't agent supported, you've potentially given root access to anyone who's extracted the private key from the appliance (and leaked it to the internet). I wouldn't be surprised if the agents used the same craptastic cryptographic fail.

    --
    "Why do you consent to live in ignorance and fear?" - Bad Religion
    1. Re:Barracuda Backup, too! by OverlordQ · · Score: 1

      To be fair, they allow you to use non-root users. And if you don't have a firewall rule to only allow SSH from the backup master, then you're an idiot.

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:Barracuda Backup, too! by Anonymous Coward · · Score: 0

      Supposedly Barracuda uses unique SSH keys for each device. They have copies of the private keys of all of them of course and can look them up using the serial number, but it's not quite as bad as this Cisco one sounds like.

      Also, they are a lot more upfront about it.

  9. the password by Anonymous Coward · · Score: 0

    I hear it's 12345.

  10. Cisco is for Luddites. by Anonymous Coward · · Score: 0

    Modern app appers secure their apps with App Apps, not Luddite Cisco!

    Apps!

  11. Odd how little criticism they get by jones_supa · · Score: 1

    It's odd how companies like Microsoft get criticized a lot about their malice and monopoly position, but Cisco gets a free pass even when they are the dominant player in enterprise networking gear. Why is this? I'm sure that even this message goes through mountains of Cisco hardware when I send it.

    1. Re:Odd how little criticism they get by Atticka · · Score: 1

      It's because of the "no one has ever lost a job buying Cisco" attitude that is so prevalent in the industry; many engineers drank the Kool-Aid long ago and don't want to admit that Cisco is not completely infallible.

      Almost every network engineer I know has some sort of Cisco certification; people have to continue to justify the hefty price for the hardware and the expensive certifications.

      --
      No sig here...
    2. Re:Odd how little criticism they get by aaarrrgggh · · Score: 1

      Quite honestly, I think a lot of people understand they are complete, overpriced shit. Unfortunately, the competitors appear to be mainly moderately or reasonably priced shit from a security perspective. The question comes down to accountability for the person purchasing/configuring it: can you at least say it was a best-of-breed device and was properly configured for an appropriate level of security, or will you need to say that the purchasing decision was made to save $400 and buy something else...

      It seems the only solid approach now is security in depth... which gets expensive quickly. I can just imagine my small business trying to manage our network like a fortune-500 company (should). There are limits as to what you can do, and you hit them quickly when the vendors you select are inept.

  12. Similar to having default passwords by davidwr · · Score: 1

    How many home routers have default passwords that aren't forcibly changed when the router is first set up?

    It's the same principle, with the only difference being it is something that has to be discovered by someone, once, rather than guessed like so many easy-to-guess default passwords ("admin", "password", etc.).

    The other difference is that one should expect better from a device that is specifically marketed as a security device. But that's a social issue not a technical one.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Similar to having default passwords by Anonymous Coward · · Score: 0

      At least home routers nowadays have remote access to admin disabled by default; you have to be on the local net to access.

      What is a more threatening thing for home users are the dangerous paid links found on Google, Bing, Yahoo, etc. for router manufacturers' names, leading to tech support scam sites or even bogus router login pages for routers (e.g. phishing via r0uterl0gin vs the legit routerlogin for Netgear hardware).

  13. Ball on the Implementation by Anonymous Coward · · Score: 0

    Dropped. Glass shatters, children scream, NSA listens, system designer resigns, the management offers blue spectacles to the largest clients. And then they do it again.

  14. You just can't trust those chinese manufacturers!! by Anonymous Coward · · Score: 0

    America - the insecure.

  15. You must have the source code! by anwyn · · Score: 5, Interesting
    This so-called bug is only possible because users do not have access to the source code. From the user's perspective it does not matter if this was done because of pressure from NSA or convenience of maintenance techs!

    This class of bug is unknown in the free software world because your project will forked.

    All corporations are subject to enormous pressure from corporations, and therefore can not be trusted, even if the management wanted to play it straight.

    All populations, including the U.S.'s, are targets of information warfare by the NSA and GCHQ.

    There is no security without the source code.

    1. Re:You must have the source code! by PRMan · · Score: 5, Insightful

      This is exactly the "encryption backdoor" that the NSA and FBI keep saying they want. And this is exactly the outcome.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:You must have the source code! by Anonymous Coward · · Score: 0

      This so-called bug is only possible because users do not have access to the source code

      How would having the source code help?
      The problem is a public key, a file, sitting on the file system, aka a document.

      If having the source makes you feel better however:

      # The poster's pseudocode, written out as a shell loop; LoadCert stands for whatever the appliance does with each key file.
      for F in /certificates/*.pem; do
          LoadCert "$F"
      done

      This is like blaming the contents of my spreadsheet on the fact you don't have the source to Excel.

    3. Re:You must have the source code! by Anonymous Coward · · Score: 0

      This so-called bug is only possible because users do not have access to the source code.

      Wat? Yes I do. My Cisco switches run NX-OS, which is Linux, and my Cisco mail hubs run AsyncOS, which is FreeBSD. And the keys are exposed and readable anyway.

      This class of bug is unknown in the free software world because your project will forked.

      Wat? OK, you be trollin.

    4. Re:You must have the source code! by Anonymous Coward · · Score: 0

      amen

    5. Re:You must have the source code! by Anonymous Coward · · Score: 0

      And they keep making the same mistake over and over again.

      I don't blame average NSA employees for this. They are just doing their job. Not everyone can stand up to the boss like Snowden (especially not when you are staring down the most powerful surveillance organization in the world that has the ability to destroy you, your family, your friends, and practically anything else you care about). The main problem is NSA leadership and the politicians that support them. It's not even a left right thing. The majority of both the left and right politicians (with a few notable exceptions) supported this oppressive Orwellian behavior.

    6. Re:You must have the source code! by behrooz0az · · Score: 1

      Build the OS from source code the way you build Linux-From-Scratch, then we can talk about this.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    7. Re:You must have the source code! by Anonymous Coward · · Score: 0

      This is exactly the "encryption backdoor" that the NSA and FBI keep saying they want. And this is exactly the outcome.

      This is not an encryption backdoor. It won't allow an attacker to read encrypted documents or to access encrypted HDs. It's a serious breach, but it's much closer to a default root password than a systematic corruption of AES

    8. Re:You must have the source code! by DaveHowe · · Score: 1

      I suspect in this particular case, it won't be needed. The devices in question are virtual appliances, and are some sort of *nix (probably BSD) under the hood. I haven't tried this yet, but it would make sense that booting from a rescue disk would let you go mess with the SSH keys and config directly. Now, all these boxes have a remote support functionality built in. I am suspecting (also) that this uses the key to get a true SSH shell (a bash prompt, again presumably) so they can do fixes at the OS level. So, if we can find these new fixed keys, we may be able to hop onto the boxes, assign a new, better keypair, and have OS level access ourselves for repairs :D

      --
      -=DaveHowe=-
    9. Re: You must have the source code! by Anonymous Coward · · Score: 0

      It is a proprietary FreeBSD, so no, you don't have the source.

  16. Just put it on the ROM - what could go wrong? by Anonymous Coward · · Score: 0

    Company bakes duplicate keys into entire product line to save production costs - color me surprised.

    It's all too tempting to just drop a key into the stock image and just replicate that onto everything rolling off the factory floor. That same key is probably baked into their end-of-line test harness just before they pop on the polystyrene and stick it in a shipping box.

  17. *scoff* Bug. by Anonymous Coward · · Score: 0

    Sure.

  18. "free rein", not "free reign" by Anonymous Coward · · Score: 0

    One day, Slashdot will post an article without language errors... but perhaps not in my lifetime. :/

  19. Bug???? by gstoddart · · Score: 5, Insightful

    This bug is about as serious as they come for enterprises

    This isn't a bug.

    The default key apparently was inserted into the software for support reasons.

    This is crap security by design.

    And you can probably bet that the NSA and the Chinese have these keys, and can pretty much bypass any "security" offered by Cisco.

    Essentially Cisco did this shit on purpose, and you can bet at least some people knew damned well this was there.

    --
    Lost at C:>. Found at C.
    1. Re:Bug???? by Anonymous Coward · · Score: 0

      Or maybe Cisco is a big company and some dickwad engineering team cut corners, violated corporate security standards, and deserves to be fired. But won't be because without the ability to show intent they're just incompetent. I wouldn't attribute this to malice when incompetence is sufficient.

    2. Re:Bug???? by Anonymous Coward · · Score: 1

      "And you can probably bet that the NSA and the Chinese have these keys"

      We know at minimum the NSA has them... because it was the NSA that told Cisco to put them there!

      This isn't like accidentally spilling a coffee. The firmware of hundreds of thousands of devices doesn't "accidentally" get secret backdoors. Cisco wouldn't jeopardize billions in future sales without being forced to do so by an NSA. What I'm curious to know is the real story behind why they are suddenly telling us now? (rather than the scripted BS the NSA tells them to say). If I had to guess what actually happened, the NSA discovered some other foreign government got a hold of that SSH key, so they created a cover story to get rid of the exploit they themselves put there. (something I would bet money they'd done several times before on all sorts of equipment and software)

    3. Re:Bug???? by Protongeek · · Score: 0

      Or maybe Cisco is a big company and some dickwad engineering team cut corners, violated corporate security standards, and deserves to be fired. But won't be because without the ability to show intent they're just incompetent. I wouldn't attribute this to malice when incompetence is sufficient.

      Or maybe this was a company Cisco bought which was already using this practice of using ssh to have access to the WSA when the customer called in a case so we CSEs could investigate issues remotely. Oh wait, yeah, that's right, Ironport was bought by Cisco and this practice was in use before Cisco.

  20. Not a bug by gweihir · · Score: 1

    I believe the problem here is that they thought they could get away with including the "lawful interception" (i.e. "immoral and dangerous backdoor") key just by the ordinary mechanism instead of compiling it into the sshd binary.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  21. Exactly by s.petry · · Score: 3, Insightful

    Do you know how many times I thought about adding a back channel to a piece of software I wrote because it's easier than training users? Do you care to guess at how many times I have actually done this?

    Let's ask that same question about smaller software companies. You won't find any that survive for long after people find out they have these kinds of security practices.

    It's hard to say why this happens so frequently and massively with large companies/corporations. I'm sure it's partly Government pressure, probably pressure from other companies/corporations, and partly an ignorant executive demanding this gets done. I'm sure the latter can claim the first two are the problem. The latter however, should result in termination of the execs responsible. That last part does not happen, which makes me wonder how big the first two really are.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  22. Time to yank NSA's leash by sshir · · Score: 4, Interesting

    Considering that NSA definitely had the source code and configuration (otherwise they would not use Cisco stuff themselves) they knew about this shit. And leaving such a huge hole in nation's security while it's NSA's main responsibility is unacceptable. And after that recent data breach fiasco, one has to wonder, why the fuck we keep paying their salaries?!

    1. Re:Time to yank NSA's leash by Protongeek · · Score: 1

      If the NSA has our ssh keys then I am not sure why they keep opening support cases with us. I work for Cisco and support the WSA. If this is so easy to intercept and steal the ssh private key from Cisco devices then why has it not already been done? I have worked for Cisco for 5 years supporting this device and have yet to see anyone compromise the WSA. The SSH key is loaded for us CSEs to gain access to the back end of the OS which customers do not have access to. I understand the argument: why is it a closed system? Well, we have enough customers that know enough to be dangerous to their devices. If customers had root access to the WSA they would try adding modules or removing them. Actions such as these would result in customers creating a ton of RMAs. I for one have wondered why we do not open it up to customers. But over the years I can now see why we do not.

    2. Re:Time to yank NSA's leash by Protongeek · · Score: 0

      Wait, you're blaming Cisco for the Federal Government's inept ability to secure its data?

    3. Re: Time to yank NSA's leash by Anonymous Coward · · Score: 0

      That shouldn't be your call. If I buy something I want access to all the features, not the features you think I need. That's BS.

  23. Cisco security appliances contain default SSH keys by nickweller · · Score: 1

    And why was this?

  24. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  25. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  26. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  27. my vote? free queen / free reign is older by Anonymous Coward · · Score: 0

    liberum regnum is english - french - latin
    free is germanic/PIE priya/friya/vri

    certainly free rein was coined in the 1800s
    but can...

    more than that - queen in hindi is Rani?
    and queen in french is reine?
    i can see free rein being a misspelling
    but are there older non english references to free queen ?
    free reign
    free rein.

  28. Re: Using Linux would prevent these Cisco mishaps by Anonymous Coward · · Score: 0

    Take your time and find out how much bandwidth all these NICs would require. It's not about the CPU. The PCI bus will "protect" the CPU... in a colossal traffic jam.
    You can stack 10 low end Cisco switches and you will have 480 ports routing - pay attention - routing @100 Gb/s.

    Poverty = ignorance. Have you ever touched anything not sold in Bestbuy?

  29. Re: Using Linux would prevent these Cisco mishaps by ArmoredDragon · · Score: 1

    Poverty = ignorance. Have you ever touched anything not sold in Bestbuy?

    I think it's worse than that. He's a real life Nelson "Big Head" Bighetti. Makes himself look knowledgeable but is really just fucking worthless.

  30. Get a grip guys by Anonymous Coward · · Score: 1

    WSA, ESA and SMA all came from the Ironport acquisition. At that time, Ironport was considered the model for success, and their management team basically acquired Cisco security. As a result, their products never got the full inspection for vulnerabilities and this was simply missed. This was not an NSA trick, just human error.

  31. Occam's Electric Shaver by ThatsNotPudding · · Score: 1

    Essentially Cisco did this shit on purpose, and you can bet at least some people knew damned well this was there.

    Never attribute activity to nefarious government agencies to what can be more easily explained by clueless MBA PHBs demanding their own personal screendoor.

  32. Read the back story to PGP - all will be clear by Anonymous Coward · · Score: 0

    PGP was originally exported in a book for this same reason.
    Behaviour (like the original article) has been going on for a long time. Any device/encryption method of any real use, exported from USA, is required by law to have a back door due to 'national security' aka perving.