Cisco Warns of Stolen Web Site Passwords
An anonymous reader writes "Cisco warned customers today that someone had broken in and stolen an untold number of passwords and usernames that its customers and employees use to log in at Cisco.com, according to stories at News.com and Washingtonpost.com. Cisco says the problem is unrelated to flaws in its hardware, but both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn, who last week revealed major flaws in Cisco routers. There is also a growing thread at Nanog where network admins are complaining of not being able to get new passwords."
Thanks, Cisco.... (Score:5, Insightful)
Re:Thanks, Cisco.... (Score:3, Interesting)
Even for people who use the same username and password everywhere, this shouldn't be a problem since the passwords should be stored in a manner that is encrypted and can't be reverse-engineered. They wouldn't be stupid enough to store the passwords, right?
Re:Thanks, Cisco.... (Score:1)
I think it's not safe to store MD5 password hashes; many of the ones below, like, 12 characters can be recovered using the rainbow attack (basically using a lookup on a big-ass database full of precomputed MD5 hashes).
Re:Thanks, Cisco.... (Score:1)
Re:Thanks, Cisco.... (Score:3, Informative)
So not just md5("$password"), but more like md5("ciscoCCO$UID$password")
To make it even more fun, drop the last 4 or 8 bytes off the md5 since your hash should never have more bits than your unique secret data
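An added illustration of the two comments above (the rainbow-table worry and the md5("ciscoCCO$UID$password") suggestion); this is editor's example code, not code from the thread or from Cisco. It builds a tiny constructed stand-in for a precomputed MD5 table, shows that a bare md5(password) falls to one dictionary lookup while the post's prefixed construction does not, and then goes beyond the post with a random per-user salt and an iterated hash (PBKDF2-HMAC-SHA256). The "ciscoCCO" prefix and the "salt$hash" record format are assumptions for the example. The full digest is kept on purpose: truncating it, as the comment proposes, only shrinks the space an attacker has to search.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample standing in for a precomputed-hash ("rainbow") table:
# plain MD5 digests of a handful of common passwords, keyed by digest.
COMMON_PASSWORDS = ["password", "123456", "cisco", "letmein", "qwerty"]
PRECOMPUTED_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Assumed site-wide prefix, taken from the post's md5("ciscoCCO$UID$password") sketch.
SITE_PREFIX = b"ciscoCCO"
PBKDF2_ROUNDS = 100_000


def unsalted_md5(password: str) -> str:
    """The scheme the thread worries about: md5(password) with no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_precomputed(digest: str) -> Optional[str]:
    """One dictionary lookup recovers any unsalted digest that is in the table."""
    return PRECOMPUTED_MD5.get(digest)


def site_uid_md5(uid: str, password: str) -> str:
    """The post's construction: md5("ciscoCCO" + uid + password).

    A generic MD5 table no longer matches, because the hashed string is not the
    bare password. It is still one fast MD5 per guess, so a targeted guessing
    attack runs at full speed; salted_slow_hash below addresses that.
    """
    return hashlib.md5(SITE_PREFIX + uid.encode() + password.encode()).hexdigest()


def salted_slow_hash(uid: str, password: str, salt: Optional[bytes] = None) -> str:
    """Random per-user salt plus an iterated hash (PBKDF2-HMAC-SHA256).

    Assumed stored record format: "<salt hex>$<derived key hex>". The full
    derived key is stored; nothing is truncated.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), SITE_PREFIX + uid.encode() + salt, PBKDF2_ROUNDS
    )
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(uid: str, password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    candidate = salted_slow_hash(uid, password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate.split("$", 1)[1], dk_hex)


if __name__ == "__main__":
    # Unsalted: the leaked digest is in the table, so the password falls out at once.
    print("unsalted md5 recovered:", lookup_precomputed(unsalted_md5("cisco")))

    # Prefixed with site name and uid: the same table finds nothing.
    print("prefixed md5 recovered:", lookup_precomputed(site_uid_md5("jdoe", "cisco")))

    # Salted and iterated: two users with the same password get different records,
    # and only the right password verifies.
    rec_a = salted_slow_hash("jdoe", "cisco")
    rec_b = salted_slow_hash("asmith", "cisco")
    print("records differ:", rec_a != rec_b)
    print("verify right/wrong:", verify_salted("jdoe", "cisco", rec_a),
          verify_salted("jdoe", "cisc0", rec_a))
```

The point of the salted variant is that an attacker who steals the table gets no help from work done before the breach, and has to pay PBKDF2_ROUNDS of hashing per guess per user afterwards; the constant-time comparison in verify_salted keeps the login path from leaking how much of the digest matched.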
Re:Thanks, Cisco.... (Score:2)
It's not like this individual has anything better to do.
Re:Thanks, Cisco.... (Score:2)
Not a problem if your web app limits the number of attempts to login, but isn't less computational power needed to generate a collision exactly why some ciphers have stopped using MD5/SHA1 as a component?
Re:Thanks, Cisco.... (Score:2)
Once you have access to someone's e-mail you have access to a lot of online accounts.
Re:Thanks, Cisco.... (Score:2)
You're new to this business, right?
(The industry is full of security errors that were quite well understood 20 or 30 years ago. The fact that something is well-documented in "the literature" doesn't mean that it's known or used inside major corporations.)
Re:Thanks, Cisco.... (Score:2, Informative)
This CCO login is a REALLY old system. It was the first HTML-based login I ever used, and I haven't changed my password since 1994, because I let all my co-workers use it to download IOS for patches, read bug reports, etc.
It didn't use to matter, as it used to only be Cisco's weak attempt to lock down new versions of IOS to customers with a service contract. To their credit, Cisco never went nuts trying to shut out users who didn't change them.
Re:Thanks, Cisco.... (Score:2, Informative)
You can have THIS info sans registering! (Score:2, Informative)
Re:You can have THIS info sans registering! (Score:2)
More importantly,
So if someone replies to my post tomorrow, and I reply to it after I've replied to some other reply to another of my posts, I still have to wait - even though nobody is posting any more to the particular discussion.
So, in effect, answering your "/. email" basically requires waiting two minutes between each reply.
Which is a PITA,
Since nobody is posting to the discussion a day later, why the hell does it matter how fre
Re:Thanks, Cisco.... (Score:1)
Re:Thanks, Cisco.... (Score:2)
Cisco is NOT a security-centric corporation. They build routers and switches (damn fine ones I might add) and their security product line was more of an afterthought. This is one of the primary reasons I can never recommend their perimeter protection products to anyone unless they have a stronger firewall behind it in a layered fashion.
Re:Thanks, Cisco.... (Score:2)
Want to share laptop files [thefilehighclub.com]?
Re:Thanks, Cisco.... (Score:1)
Solution and comments (Score:5, Informative)
Sent: Wednesday, August 03, 2005 11:58 AM
Subject: CISCO - CCO Passwords
Dear Cisco Partner,
I'd like to bring your attention to an issue that may cause minor inconvenience for customers and partners.
You may experience issues with your login to www.cisco.com
You will be required to reset your password; please send an email to cco-locksmith@cisco.com from the same email address that is associated with your CCO userid. Within a few minutes you should receive a new working password back to that same email address.
Please note that when you send an email to cco-locksmith@cisco.com, the only requirement is that the email is sent from the same email address associated with your userid to receive the return email with the new password. Once this is received you should be able to reset your password to one of your own choosing.
It is possible that you are not impacted by this issue, but I wanted to ensure you are aware of this in the event you have a problem logging into CCO today.
Your Cisco Channel Team
And Mike Lynn already settled with Cisco [eweek.com], but I suppose it's par for the course to get in one more jab.
Also, the "major flaws" could only be referring to two things:
- flaws that have already been long fixed (six months before Black Hat), that Lynn, in his opinion, didn't believe Cisco identified as "critical enough" to its customers, but nonetheless, as I already said, are fixed; or
- general IOS flaws that will only materialize for architectural reasons in the next major iteration of Cisco's routers that Lynn felt it was important enough to have a frank discussion about, but are not yet shipping.
In other words, Cisco's technical response was such that the vulnerabilities in shipping products are already fixed, and the vulnerability Lynn claims is a real killer allegedly exists in products that aren't even shipping yet and won't be for some time; it flies in the face of logic to believe that Cisco would ignore such vulnerabilities in yet-to-ship products, once identified. Yes, Cisco didn't believe it at first, but it sent engineering staff, and were proven wrong. One can only assume the engineer Cisco sent for the very purpose of confirming this general issue in turn confirmed to Cisco that the problem was indeed real.
Furthermore, it's likely that Lynn broke no law (save possible civil violations of contract and/or trade secret provisions), so any FBI investigation, if not over already, is moot. Ironically, several members of the government, including possibly Air Force OSI and/or NSA congratulated Lynn after his talk at Black Hat, even giving him a challenge coin [globalsecurity.org] for his work. Don't worry: Lynn's work isn't lost on those who value security, but don't presume that there is a huge conspiracy just because someone was willing to quit his job to reveal the secrets of a sometime-competitor. A little more of the Cisco/ISS background in this issue - including what I would consider fairly questionably motivated references by ISS about this flaw being Cisco's "Witty" [wikipedia.org] - is provided in the earlier Wired interview [wired.com].
oh this is rich... from the eWeek article (Score:2, Insightful)
So, in that case, how in the hell is making reverse engineering illegal helping anyone?
Re:Solution and comments (Score:2)
It is not moot. The fact Cisco was a cock enough to file a criminal complaint speaks volumes, and is highly relevant to the discussion at hand.
Cisco knew the shitstorm that would ensue should they try to file it, knew there was no basis to the complaint, and they went and filed it anyway. It also speaks volumes about Cisco's stupid
Re:Solution and comments (Score:2)
No amount of mincing words covers up the fact that the exploit (which was demo'd on a live Cisco router) can be done in the wild, and customers were not worried about it and not patching even with the old patch, because nobody was keeping the customers informed of this serious issue.
What was at stake here was whether it's ok for Cisco to hide security flaws in products the world trusts.
Re:Solution and comments (Score:2, Interesting)
(I call bullshit on this one as that alphabet-soup version string has been readily and correctly docu
Re:Solution and comments (Score:2)
Furthermore, it's likely that Lynn broke no law (save possible civil violations of contract and/or trade secret provisions), so any FBI investigation, if not over already, is moot.
Have you heard of the Patriot Act or are you living in a box? Anyone can be detained for any length of time without due process. I don't think an FBI investigation is moot.
untold and proactive robbery (Score:2)
'Untold'? Is that the latest for 'unknown' ? Or maybe the meaning is 'all'?
As a result, to protect our registered Cisco.com users, we're taking the proactive step of resetting Cisco.com passwords
Proactive resetting? Can someone explain to me what this actually means?
Re:untold and proactive robbery (Score:1)
Re:untold and proactive robbery (Score:2)
Who is "Youo" and what does being a nitpicking mean?
Sorry, I couldn't resist.
Re:untold and proactive robbery (Score:2)
Nah; it means "We know but we're not telling."
As a result, to protect our registered Cisco.com users, we're taking the proactive step of resetting Cisco.com passwords
Proactive resetting? Can someone explain to me what this actually means?
It probably means that they're setting all the passwords to a single string, or if they're a tiny bit more sophisticated, to a simple function of the user id. This is to make it easy for all of us to log in to any of their accounts.
Re:untold and proactive robbery (Score:3, Interesting)
Cisco are reacting to events, they are not being proactive.
Re:untold and proactive robbery (Score:2)
Re:untold and proactive robbery (Score:1)
Re:untold and proactive robbery (Score:2)
Reacting is "that guy stole the passwords, so I'd better change them because they have been compromised".
It has been pointed out that a clever PR trick would be to say that the adjective refers to changing the passwords before they can be abused rather than refer to measures taken to prevent them being taken in the first place.
I guess proactive is used like criteria or myriad - one of those words that people know, but
Re:untold and proactive robbery (Score:2)
Defined as "creating or controlling a situation by causing something to happen rather than reacting to it"
Passwords already compromised: result, cisco changes them.
It is a grammar issue. The wrong word was used to describe their actions, regardless of the semantics used to try and make it fit. It was simply incorrect.
Both my accounts are screwed (Score:2)
~S
Re:untold and proactive robbery (Score:1)
Probably means more than one, but not all. It also means "We don't know, but we'll make up a more palatable number, soon."
Actually, it is rather oxymoronic. If the step were in fact "proactive", it would have taken place prior to there being an actual indication of unauthorized access.
If they were correct in using their market jargon, they would have said "the retroactive step of resetting.....", but that doesn't sound nearly as good. O
Re:untold and proactive robbery (Score:1)
Re:untold and proactive robbery (Score:1)
SecureID (Score:2, Insightful)
Re:SecureID (Score:1)
Re:SecureID (Score:2)
Re:SecureID (Score:2)
Why stop there? How about requiring a freshly-notarized affidavit proving your identity before logging into E-Bay?
Maybe Amazon should have a representative cruise by for an at-home visit to verify your shipping address (and make sure your mailbox is big enough) before they send you a book?
If match.com required a DNA test to log in, I bet that would save a lot of "he's really a she" emba
Re:SecureID (Score:2)
Re:SecureID (Score:2, Informative)
Every remote user who gets an RSA hardware (or software) token at the company I work for costs the company $100. This doesn't count the cost of administering the remote access accounts. We like to keep this figure handy for managers who request an RSA token (hard or soft) for everyone in their entire department. After they hear the cost, the number
Re:SecureID (Score:2, Informative)
Actually, for the record, that's an adjustable value when the token is created. Just tell your salesperson the value you want it to be. You can also request them with more than 6 digits.
This? This isn't a big deal (Score:3, Informative)
But it points to a completely different, much more significant problem. That is of using the same password for every login. I admit that I do it too because it is much easier to remember one or two basic passwords than trying to remember a different password for each site that I log in to. But as this latest breach of security shows us, doing that jeopardizes all other logins on other sites.
One can only hope that they don't keep the passwords in a plaintext file and that a strong one-way encryption scheme is used to scramble the passwords in the database.
Also, I wonder who thinks it is useful to hack these sites in retaliation for some perceived wrong against a stranger? The hackers at fault here prove no point, present no agenda, and generally smear the image of computer enthusiasts in the public eye. I'd rather they find a better way to protest than to attack private property.
Re:This? This isn't a big deal (Score:3, Interesting)
Re:This? This isn't a big deal (Score:1)
Actually this is a pain.... (Score:1)
Re:This? This isn't a big deal (Score:1)
Retaliation? Really? That's a great story to tell affected customers, but since we can only speculate as to motives, I've got a better idea.
What better way is there to get a shortl
Re:This? This isn't a big deal (Score:1)
I have three different passwords, a ten character 'public' password for things I don't really care about, the one I use for
Then I have a private password that I use for only a few accounts.
Then I have a secure password that I only use as the password for the encryption key that encrypts my other keys.
Everything after that uses encryption keys.
Re:This? This isn't a big deal (Score:1, Informative)
Re: (Score:1)
Looks like they should have used..... (Score:5, Funny)
http://www.cisco.com/en/US/netsol/ns478/networkin
Plain Text Passwords (Score:2)
Re:Plain Text Passwords (Score:4, Informative)
Re:Plain Text Passwords (Score:1)
I wouldn't be a bit surprised if they were plaintext. CCO's rather old, and not exactly Top Secret(tm), so there wouldn't be a great deal of focus on full security. Geez, it's still HTTP basic authentication... via HTTP; you do the math, err, sniffing.
Re: (Score:1)
Re:Plain Text Passwords (Score:3, Insightful)
In my 20+ years programming experience, I've never seen a programmer that wanted to store a plain-text password. Rather, each time I've seen it done, it was a business-type making it a requirement.
Re:Plain Text Passwords (Score:1)
Funny story... USR's idea of "encryption" was xor 0x80. No shit. I didn't even realize the passwords were encrypted for a while... I used les
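An added example for the two points made above, that Basic authentication sent over plain HTTP is readable to anyone who can sniff the connection, and that "xor 0x80" is not encryption. This is editor's code, not from the thread, Cisco or USR. The request bytes, path, user name and password are constructed for the example; the function decodes the Authorization header exactly as an eavesdropper would, and returns None for requests that carry no usable Basic credential (no header, a different scheme such as Digest, or malformed base64).

```python
import base64
from typing import Optional, Tuple

# Constructed sample of a request as it would cross the wire under plain HTTP
# with Basic auth. Path, host, user and password are made up for the example.
SAMPLE_REQUEST = (
    b"GET /software/download HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Authorization: Basic " + base64.b64encode(b"jdoe:s3cret:pass") + b"\r\n"
    b"User-Agent: example-client/1.0\r\n"
    b"\r\n"
)


def parse_basic_auth(raw_request: bytes) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a request's Basic Authorization header.

    Basic auth is base64 encoding, not encryption: whoever sees the request
    can do exactly this. Returns None when there is no usable Basic credential.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # [1:] skips the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, param = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None                            # Digest etc.: not decodable this way
        try:
            decoded = base64.b64decode(param.strip(), validate=True)
        except ValueError:                         # binascii.Error is a ValueError
            return None
        # RFC 7617: the user-id cannot contain ':', so split on the first one;
        # everything after it, further colons included, is the password.
        user, colon, password = decoded.partition(b":")
        if not colon:
            return None
        return user.decode("latin-1"), password.decode("latin-1")
    return None


def xor80(data: bytes) -> bytes:
    """The 'xor 0x80' scheme from the USR anecdote.

    XOR with a constant is its own inverse, so the same call both 'encrypts'
    and 'decrypts', and there is no key for an attacker to recover.
    """
    return bytes(b ^ 0x80 for b in data)


if __name__ == "__main__":
    print("sniffed credential:", parse_basic_auth(SAMPLE_REQUEST))
    stored = xor80(b"s3cret")                      # what such a "protected" store holds
    print("stored bytes:", stored.hex(), "-> recovered:", xor80(stored))
```

The same decoding applies to anything that carries Basic credentials in the clear, a proxy log or a packet capture included; only TLS on the connection, or a scheme that does not send the password itself, changes the picture.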
Raises the debate of usefulness of registering (Score:2, Interesting)
Bragging rights (sysadmins and their userbase stats - give me a break)
Spammation of the nation!
Either way I treat such accounts with contempt and I generally register with the awe inspiring uncrackable password of 123123. Simply because as long as I do not divulge any "classified" information, a hacker impersonating me to download updates from a site is not really going to ruin my life.
12
Re:Raises the debate of usefulness of registering (Score:2, Informative)
Re:Raises the debate of usefulness of registering (Score:3, Funny)
Re:Raises the debate of usefulness of registering (Score:2, Insightful)
What about the case where you have to register for a website to VERIFY THAT YOU ARE A CUSTOMER WITH AN ACTIVE SUPPORT CONTRACT?
I use my CCO login to download software that I should not have access to *unless* I have a valid support contract in place. I don't expect Cisco to give away new versions of software and firmware for free. Those "products" should go only to the people who are paying for them.
Re:Raises the debate of usefulness of registering (Score:2)
Oh yeah, because the updates are not totally useless if you don't actually own the hardware
Remember we're talking active support contracts. Once you're in you can look up the list of devices for a site, get the serial numbers, then open a case for RMA for some piece of equipment that died, and then say "oh yeah, I need this shipped to address such and such, not the address on the list." So how useless are the updates now?
Re:Raises the debate of usefulness of registering (Score:2)
Cisco Trouble for the Past Week (Score:4, Insightful)
1) A SUP (well, MSFC) dies in one of our 6000s. I try to open a TAC case.
2) I try to login to CCO. It doesn't really work. I login, but it tells me I'm not logged in. After a bunch of clicking and such, I can open a TAC case.
3) Since Cisco can't get its Smartnet act together, I need to jump through hoops to get the right contract on my account, again.
4) Finally open a case. Tech diagnoses immediately as an MSFC bug. Sends me a new SUP.
5) After a day of messing with the new SUP and wondering if I'm crazy, I decide they've sent me a DOA SUP.
6) Tech agrees, sends me a new SUP.
7) Trying to use the RMA POWR tool to print mailing labels for the pair of bad SUPs fails. The tool has been down for three days now. Completely down.
8) Try to login to CCO for something else today and run into the password problem. Combine that with their password reset tool not working and I'm *very* *very* annoyed.
*Sigh* Guess all companies have bad weeks, but this is particularly sucky for Cisco.
Re:Cisco Trouble for the Past Week (Score:1, Flamebait)
Ah Cisco (Score:2)
how to by-pass password (Score:3, Funny)
oh. wrong password... oops...
need a very long console cable. (Score:1)
Bumper Stickers? (Score:2, Funny)
Re: (Score:1)
So is anything going right for Cisco lately? (Score:2)
Re:So is anything going right for Cisco lately? (Score:2)
Re:So is anything going right for Cisco lately? (Score:2)
Re:So is anything going right for Cisco lately? (Score:2)
Cisco: "Thugs". (Score:3, Interesting)
From the Slashdot story: "both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn".
I'm amazed at Cisco's lack of social sophistication. From previous dealings with Cisco, I knew they were boorish, but this is much worse than I imagined.
I'm amazed at the sure sense some executives have for creating millions of dollars worth of bad publicity. It's as though they studied how to sink companies, and that is their most professional and creative skill.
It's awesome. In only one afternoon of work, Cisco corporate officers arranged to have Bruce Schneier call them "thugs": "I can't imagine the discussions inside Cisco that led them to act like thugs." [smh.com.au]
What's even more awesome is that Cisco managed to make the FBI look like it is willing to get involved in political attempts to suppress free speech, making it look like thugs, too.
Is there some competition among executives that I didn't hear about? Are they having a contest to see who can do the most damage to their companies? Is Cisco having a competition with Adobe? Is Cisco trying to outdo the Sklyarov incident and the Killustrator incident?
I suppose it doesn't matter to top executives. They can just take their million-dollar golden parachutes and go to another company, leaving the wreckage behind.
I agree exactly and entirely with Mr. Schneier's assessment:
"... this has been a public-relations disaster for Cisco. Now it doesn't matter what they say - we won't believe them. We know that the public-relations department handles their security vulnerabilities [my emphasis], and not the engineering department. We know that they think squelching information and muzzling researchers is more important than informing the public. They could have shown that they put their customers first, but instead they demonstrated that short-sighted corporate interests are more important than being a responsible corporate citizen."
If I were on the Board of Directors, I would: 1) Fire the President and Vice-President of Cisco immediately, in a highly public way. 2) Do immediate damage control by exhibiting some sophistication about Cisco's relationships with the outside world. I'm guessing that, sadly, the Board of Directors doesn't have anyone who has the necessary social skills.
Re:Cisco: "Thugs". (Score:2)
Maybe its time for the idiots to take a
Re:Cisco: "Thugs". (Score:3, Insightful)
This one is pretty easy to explain. though its kind of a long proof, follow along.
You may recall John Chambers, Cisco CEO, a while ago said:
"What we're trying to do is outline an entire strategy of becoming a Chinese company"
The people running China are now in fact no longer Communist. There is a prerequisite that there be state ownership of Capital to be Communist/Socialist. When China started transferring control of capital to pr
Get your stories straight... (Score:3, Insightful)
This also had nothing to do with Lynn, even though the media would like to tie them together. It was brought to Cisco's attention by a completely separate company.
I posted this first with a little different twist (Score:3, Informative)
According to an article [zdnet.com] at ZDNet [zdnet.com], Cisco's web site has been hacked and they are advising users to change their passwords. As someone who was at Ciscogate (Michael Lynn's Blackhat presentation) I cannot go without wondering if this event is related. Lynn stated in his presentation last week that the older IOS archives were removed from the download site due to his research. That begs the question: did someone hack Cisco's site in an attempt to get at those versions of IOS? BTW, if you are still looking for the original presentation, this previous slashdot story [slashdot.org] mentions an article at Wired [wired.com], which has a link to lynn-cisco.pdf [cryptome.org]
Re:I posted this first with a little different twi (Score:1)
Related? No...
If they removed the IOS images, how would having someone's login enable them to get at something that's no longer there?
CISCO (Score:1)
Why does one need to store clear text password? (Score:1)
No site should ever store passwords (Score:3, Insightful)
Phish?? Anyone?? (Score:1)
What if?
All I'm saying.
Re:Phish?? Anyone?? (Score:1)
Don't worry (Score:4, Funny)
And honestly, even if the thieves could get access to the needed areas of Cisco's TOP SECRET website, what are the chances they could decipher the grid of which firmware goes with which device?
Last time I looked at Cisco's firmware listings (back when they had that exploit affecting all their routers), a co-worker had to pry the gun out of my hands.
What moron developed their firmware version scheme? Please kill this person immediately.
dumb,stupid,etc (Score:2)
Totally clueless!
Re:dumb,stupid,etc (Score:1)
That does not hold for simple HTTP-auth, of course.
Anything good from the presentation? (Score:2)
Other than getting cisco to fix their routers, what good could have come from it?
If I came up with a surefire method to steal the gold in Ft. Knox and decided to disclose it in a public forum. Should I expect the gov't to step in and keep me from telling the world?
Of course I would.
If Cisco told the professor, "You're full of BS, there's no way to hack a router..." Then their hubris and ignorance deserves a bit of
encryption? (Score:1)
Obfuscation in action (Score:1)
Ahem (Score:2)
except the ones used for the search tool...
From Cisco's site. (Score:2)
As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to cco-locksmith@cisco.com. Account details with a new random password will be e-mailed to you.
Because of a large number of requests, registered Cisco.com users may experience delays in receiving the new passwords.
This incident does not appear to be due to a weakness in
and then what? (Score:2, Interesting)
Cisco - threat to national security. (Score:2)
I am tired, tired tired of getting IOS from friends to fix security. I understand CCO/SmartNet/TAC support should cost money to protect the hardware, but when your software is deployed as much as IOS, JUNOS and Extreme and Foundry's OS, they should be FORCED to publicly provide free updates. Even MSFT provides free updates for Windows.
These networking companies are basically holding the entire free world's security hostage by d
Re:easy enough... (Score:2)
Well, actually, Kazaa Lite [slashdot.org]. Close enough.
Re:easy enough... (Score:2)
Well, actually, Kazaa Lite. Close enough.
thanks for the link. :)
Re:easy enough... (Score:1)
Re:easy enough... (Score:2)
what makes it so interesting is the notice at the bottom of the page:
In response to a complaint we received under the Digital Millennium Copyright Act, we have removed 1 result(s) from this page. If you wish, you may read the DMCA complaint for these removed results.
What strikes me as odd here is that google has a straightforward way of handling such things without the need of legal threats.
First, they honor robots.txt files. If you