Slashdot Mirror


Cisco Systems Will Be Auditing Their Code For Backdoors (cisco.com)

An anonymous reader writes: In the wake of the discovery of two backdoors on Juniper's NetScreen firewall devices, Cisco Systems has announced that they will be reviewing the software running on their devices, just in case. Anthony Grieco, a Senior Director of the Security and Trust Organization at Cisco, made sure to first point out that the popular networking equipment manufacturer has a "no backdoor" policy. According to Grieco, "Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk. Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience." The reviewers will be looking for backdoors, hardcoded or undocumented account credentials, covert communication channels and undocumented traffic diversions.

16 of 128 comments

  1. You mean by Anonymous Coward · · Score: 5, Insightful

    They haven't been already?

    1. Re:You mean by NatasRevol · · Score: 2

      I think this is what bothers me more than anything.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:You mean by Nutria · · Score: 2

      Security analysis is a long and tedious process performed by specialists. Is it really any wonder that so few projects have it done?

      --
      "I don't know, therefore Aliens" Wafflebox1
    3. Re:You mean by kheldan · · Score: 2
      Allow me to translate:

      Cisco Systems will pretend to audit their firmware for backdoors -- while simultaneously reaching behind them for their NSA/CIA/FBI payout for their 'services to their Country'

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    4. Re:You mean by Anonymous Coward · · Score: 5, Insightful

      No, time and again their products have exploits that had fixes for a long time. No one should use cisco products, they aren't secure.

      You're an idiot. If you're a Carrier network or large Enterprise, you have two options- Juniper or Cisco. Nobody else makes hardware that even comes close when you're talking routing and switching. IF Cisco (or Juniper) were as insecure as you claim, the entire internet would have been completely owned long ago.

      Yes, there have been issues at times with various specific product lines. But neither Cisco's primary IOS nor Juniper's Junos have ever had a large-scale issue in regards to security, and what issues have shown up over the years have been simple to mitigate or render moot, and are fixed quickly... usually long before the media ever gets wind of it. Most of the problems show up in the crappier low-end product lines, or platforms that are already end of life.

      There's no good reason you should even have the device's management interface directly exposed to the public internet. Period. If you want to be able to remotely manage your equipment, you set up a VPN which will then give access to your internal, privately addressed (i.e. not publicly routable) management network, and access the equipment from the inside. You should ***NEVER*** be able to directly open a connection, either via SSH or any other method, from the 'wild' internet... it's just flat out stupid even if there are no flaws in your equipment.
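
The management-plane advice in the comment above (SSH only, reachable only from an internal management network, never from the open internet) can be checked mechanically against a saved running-config. What follows is an added example, not code from the thread, from Cisco or from Juniper: it takes a constructed IOS-style config and flags vty lines that accept telnet, have no access-class, or point at an ACL that permits any source. The handling of `line vty`, `transport input`, `access-class` and named `ip access-list` blocks is a heuristic approximation of IOS syntax, not a full parser (numbered ACLs are not handled), and the hostname and addresses are invented.

```python
"""Flag management-plane exposure in a Cisco IOS-style running-config.

Added example, not from the Slashdot thread, Cisco or Juniper. The two
configs below are constructed for illustration. The parsing is a
heuristic for 'line vty', 'transport input', 'access-class' and named
'ip access-list' blocks; it is not a complete IOS grammar.
"""
import re

# Constructed sample: vty lines accept telnet and ssh from any source.
EXPOSED_CONFIG = """\
hostname edge-rtr
ip access-list standard MGMT
 permit 10.250.0.0 0.0.0.255
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: SSH only, and only from the management ACL.
HARDENED_CONFIG = """\
hostname edge-rtr
ip access-list standard MGMT
 permit 10.250.0.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
"""


def parse_blocks(config):
    """Split an IOS-style config into (header, [indented child lines]) pairs."""
    blocks = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def acl_permits_any(entries):
    """True if a standard ACL contains a 'permit any' (or 0.0.0.0/0 wildcard) entry."""
    return any(re.match(r"permit\s+(any|0\.0\.0\.0\s+255\.255\.255\.255)\b", e)
               for e in entries)


def check_management_plane(config):
    """Return human-readable findings for vty lines that are reachable too widely."""
    blocks = parse_blocks(config)
    acls = {hdr.split()[-1]: kids for hdr, kids in blocks
            if hdr.startswith("ip access-list")}
    findings = []
    for hdr, kids in blocks:
        if not hdr.startswith("line vty"):
            continue
        transport = [k for k in kids if k.startswith("transport input")]
        access = [k for k in kids if k.startswith("access-class")]

        # Anything other than an explicit 'transport input ssh' is flagged;
        # an unset transport is treated as not pinned to SSH.
        allowed = set()
        for t in transport:
            allowed.update(t.split()[2:])
        if not transport or allowed - {"ssh"}:
            findings.append(f"{hdr}: transport input is "
                            f"{sorted(allowed) or 'unset'}; restrict to ssh")

        if not access:
            findings.append(f"{hdr}: no access-class; any source that can reach "
                            "the device can attempt a login")
        for a in access:
            name = a.split()[1]
            entries = acls.get(name)
            if entries is None:
                findings.append(f"{hdr}: access-class {name} references an undefined ACL")
            elif acl_permits_any(entries):
                findings.append(f"{hdr}: access-class {name} permits any source")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_management_plane(cfg) or "no findings")
```

Running it on the constructed exposed config reports two findings (telnet enabled, no access-class); the hardened config, which only differs in the `transport input ssh` and `access-class MGMT in` lines plus the ACL's explicit `deny any log`, reports none. An ACL that binds the vty lines to a privately addressed management network is exactly what makes the "only via VPN from the inside" rule in the comment enforceable on the device itself rather than by hope.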

    5. Re:You mean by davester666 · · Score: 3, Insightful

      They also need to check if any of the employees with code change privileges have been getting outside bonuses from the NSA.

      --
      Sleep your way to a whiter smile...date a dentist!
    6. Re:You mean by fizzer06 · · Score: 3, Funny

      Up until now, they have been auditing their backdoor for code.

    7. Re:You mean by sphealey · · Score: 2

      = = = You're an idiot. If you're a Carrier network or large Enterprise, you have two options- Juniper or Cisco. Nobody else makes hardware that even comes close when you're talking routing and switching. = = =

      A bit of an exaggeration, but reasonably correct.

      = = =IF Cisco (or Juniper) were as insecure as you claim, the entire internet would have been completely owned long ago.= = =

      I think at this point we have to accept that the entire Internet being owned is a fact, and probably has been since the first malicious sniffer was found on the backbone (around 1994 IIRC, although the memory is a bit dim). It seems reasonable to think that all the world's major sigint agencies have operatives/moles deep inside the major equipment and software providers and that all core infrastructure is cracked and spewing our information.

      sPh

    8. Re:You mean by Nutria · · Score: 2

      In relation to the assets protected

      That requires long-term thinking.

      My guess is it is so rare because they do not ...

      want to spend the money. I've been in the computer world -- first as a programmer, and then as a DBA -- for 25+ years, mostly for Very Large Businesses, and there's one undeniable truth: bean counters rule the roost.

      --
      "I don't know, therefore Aliens" Wafflebox1
  2. Good PR I suppose by The-Ixian · · Score: 4, Insightful

    But what happens if they DO actually find something? Will they reveal it? I am guessing not.

    --
    My eyes reflect the stars and a smile lights up my face.
  3. Re:Let's not by Anonymous Coward · · Score: 2, Insightful

    Sure, until the NSA hands the CIO an NSL prohibiting him from announcing the new backdoor they've been required to install. (and the same goes for Juniper and PaloAlto and anyone else with an office in the U.S.)

  4. So what by NotInHere · · Score: 2

    Now they waste a lot of money for auditing, and if they really find something, I guess NSA will send them a gag order. Then Cisco knows that they sell spyware, but what has changed for the customer? Nothing. Cisco will perhaps raise prices or deliver a lesser quality product because they wasted all that money with the audits. Well perhaps at least they will detect Chinese backdoors if there are any. But my guess is that if China has placed backdoors, they place them in the silicon, because that's hard to detect or remove.

  5. Thank goodness... by krashnburn200 · · Score: 5, Funny

    All our back doors are working fine!

  6. Why we need access to the *complete* set of code by Anonymous Coward · · Score: 5, Informative

    As one of the developers behind similar devices I can say we need access to the complete set of code and we don't have it. Even if Cisco does an audit they won't be able to ensure the complete set of code isn't back-doored. I work for a company that designs and manufactures routers, switches, and similar gear. There are at least a few bits which we don't have the complete sources for. For example all the devices with 802.11ac chips in them. If any one of these pieces contains a backdoor we wouldn't know it. It is a major major security issue. Any number of parties besides the NSA might be backdooring *every* device and because there are only a very small handful of companies with the code for these pieces it is highly likely that all of our systems are backdoored. Desktops, laptops, tablets, and most routers. There are probably only a few exceptions to this where the complete set of sources are available. I'd suggest checking out www.librecmc.org for consumer routers as it's the only embedded distribution I can confirm is back-door free for those devices which are supported.

  7. But will they analyze the C compiler? by Nutria · · Score: 3, Insightful
    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:But will they analyze the C compiler? by Nutria · · Score: 2

      Or maybe it was a bit hidden and called debug_testinterface(); //don't forget comment me out.

      That's exactly how the Juniper backdoor was compromised. The argument to the strcmp call is ..., which is the backdoor password, and was presumably chosen so that it would be mistaken for one of the many other debug format strings in the code.

      Why would anyone go to the effort of compromising a compiler?

      The NSA doesn't do HUMINT. Backdooring the C compiler is exactly the kind of thing they'd do when these other channels of operation are closed.

      --
      "I don't know, therefore Aliens" Wafflebox1
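
Two passages above describe the same review target from different sides: the Cisco announcement in the summary lists "hardcoded or undocumented account credentials" among the things its reviewers will hunt for, and Nutria's comment explains how the Juniper one survived review, namely a strcmp against a literal chosen to look like one of the many debug format strings nearby. The scanner below is an added example, not code from Cisco, Juniper or the thread, and the C snippet it runs over is constructed for illustration: the "debug-looking" literal in it is invented and is not the real Juniper string, which this page does not reproduce. It flags strcmp/strncmp/memcmp/strcasecmp calls that take a string literal as an operand, raises the score when that literal contains printf-style conversion specifiers (a legitimate comparison operand has no reason to contain `%s` or `%u`), and raises it again when the call sits inside a function whose name suggests authentication. The enclosing-function detection is a regex heuristic, not a C parser.

```python
"""Scan C source for string-literal comparisons that could hide a hardcoded
credential disguised as a debug/format string.

Added example; not code from Cisco, Juniper or the Slashdot thread. SAMPLE_C
is constructed for illustration and its format-looking literal is invented.
"""
import re

SAMPLE_C = r'''
static int debug_trace(const char *fn, int port) {
    printf("dbg: %s(port=%u)\n", fn, port);   /* ordinary debug output */
    return 0;
}

static int auth_check(const char *user, const char *pw) {
    if (strcmp(user, "admin") == 0 && verify_hash(pw))
        return 1;
    /* invented: looks like a format string, but it is a strcmp operand */
    if (strcmp(pw, "dbg: %s(port=%u) = %d") == 0)
        return 1;
    return 0;
}

static int is_help(const char *cmd) {
    return strncmp(cmd, "help", 4) == 0;   /* benign keyword compare */
}
'''

CMP_CALL = re.compile(r"\b(strcmp|strncmp|memcmp|strcasecmp)\s*\(")
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')
# printf conversion: %[flags][width][.prec][length]conv
FORMAT_SPEC = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|z)?[diouxXeEfgGcsp]")
# Heuristic for a C function definition header: '... name(args) {'
FUNC_DEF = re.compile(r"^\s*(?:static\s+)?\w[\w\s\*]*?\b(\w+)\s*\([^;{]*\)\s*\{", re.M)


def _call_args(src, start):
    """Text between the call's parentheses; start indexes the opening '('.
    Tracks nesting and skips over string literals containing parentheses."""
    depth, i, in_str = 0, start, False
    while i < len(src):
        ch = src[i]
        if in_str:
            if ch == "\\":
                i += 1            # skip escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
        i += 1
    return src[start + 1:]


def enclosing_function(src, pos):
    """Name of the last function definition opened before pos (heuristic)."""
    defs = list(FUNC_DEF.finditer(src[:pos]))
    return defs[-1].group(1) if defs else "<global>"


def scan(src):
    """Return findings, highest score first. Each finding records the line,
    the comparison function, the literal operand and the reasons for the score."""
    findings = []
    for m in CMP_CALL.finditer(src):
        args = _call_args(src, m.end() - 1)
        lit = STRING_LIT.search(args)
        if not lit:
            continue                      # both operands are variables
        score, reasons = 1, ["string literal as comparison operand"]
        if FORMAT_SPEC.search(lit.group(1)):
            score += 2
            reasons.append("literal contains printf conversion specifiers")
        fn = enclosing_function(src, m.start())
        if re.search(r"auth|login|passw|cred", fn, re.I):
            score += 1
            reasons.append(f"inside {fn}()")
        findings.append({"line": src.count("\n", 0, m.start()) + 1,
                         "call": m.group(1), "literal": lit.group(1),
                         "score": score, "why": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in scan(SAMPLE_C):
        print(f"line {f['line']}: {f['call']}(..., \"{f['literal']}\") "
              f"score={f['score']} [{'; '.join(f['why'])}]")
```

On the constructed sample the invented format-looking literal inside `auth_check()` scores highest, the ordinary `"admin"` username compare ranks second because of where it sits, and the `"help"` keyword compare is reported at the lowest score so a reviewer can dismiss it. The point of the ordering is the one Nutria makes: a plain text search for debug-style strings finds hundreds of harmless printf arguments, whereas the question worth asking is which of those strings are being compared against user input.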