Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Security News

Cisco Warns of Stolen Web Site Passwords 165

Posted by samzenpus from the are-you-you dept.
An anonymous reader writes "Cisco warned customers today that someone had broken in and stolen an untold number of passwords and usernames that its customers and employees use to login at Cisco.com, according stories at News.com and Washingtonpost.com. Cisco says the problem is unrelated to flaws in its hardware, but both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn, who last week revealed major flaws in Cisco routers. There is also a growing thread at Nanog where network admins are complaining of not being able to get new passwords."
This discussion has been archived. No new comments can be posted.

Cisco Warns of Stolen Web Site Passwords More

Cisco Warns of Stolen Web Site Passwords

Comments Filter:

  • Thanks, Cisco.... (Score:5, Insightful)

    by SamMichaels ( 213605 ) on Wednesday August 03, 2005 @08:52PM (#13236872)
    ...especially since you require everyone to register in order to get ANY info or ANY software or ANY drivers.
    • Well the question there is whether they keep any personally identifiable information with that registration, which can now be accessed by whoever stole the logins.

      Even for people who use the same username and password everywhere, this shouldn't be a problem since the passwords should be stored in a manner that is encrypted and can't be reverse-engineered. They wouldn't be stupid enough to store the passwords, right?
      • "Even for people who use the same username and password everywhere, this shouldn't be a problem since the passwords should be stored in a manner that is encrypted and can't be reverse-engineered. They wouldn't be stupid enough to store the passwords, right?"

        I think it's not safe to store MD5 password hashes, many of the ones below like 12 characters can be recovered using the rainbow attack(basically using look up on a big ass database full of precomputed md5 hashes).

        • That's what "salting" is for - you add a certain marker to each pass before hashing...

        • Re:Thanks, Cisco.... (Score:3, Informative)

          by thogard ( 43403 )
          So you don't store the md5 of the password but an md5 of a a salt, an extra key and your password...
          So you md5("$password") but more of md5("ciscoCCO$UID$password")
          To make it even more fun, drop the last 4 or 8 bytes off the md5 since your hash should never have more bits than your unique secret data
          • What's to stop the cracker targetting one user specifically (who knows maybe stealing everyones details was a sneaky way to look untargeted), building his own database with the beowulf cluster they built in their mums basement, and doing a prefix search? Eh?

            It's not like this individual has anything better to do.
          • On a more serious note to my sister post, truncating just produces a better chance of hash collision for authentication purposes.

            Not a problem if your web app limits the number of attempts to login, but isn't less computational power needed to generate a collision exactly why some ciphers have stopped using MD5/SHA1 as a component?
      • They wouldn't be stupid enough to store the passwords, right?

        You're new to this business, right? ;-)

        (The industry is full of security errors that were quite well understood 20 or 30 years ago. The fact that something is well-documented in "the literature" doesn't mean that it's known or used inside major corporations.)

        • Re:Thanks, Cisco.... (Score:2, Informative)

          by Lanboy ( 261506 )
          I wouldn't be shocked if they stored the passwords.

          This CCO login is a REALLY old system. It was the first html based login I ever used, and I havent changed my password since 1994, becaue I let all my co-workers use it to download IOS for patches, read bug reports, etc.

          It didn't use to matter as it used to only be cisco's weak attempt to lock down new versions of IOS to customers with a service contract. To thier credit, Cisco never went nuts trying to shut out users who didn't change them.

    • Re:Thanks, Cisco.... (Score:2, Informative)

      by BWindle ( 54348 )
      Actually, when they find major bugs (usually security related) they give away fixed versions of IOS for free (Without registering.)

    • You can have THIS info sans registering! (Score:2, Informative)

      by Anonymous Coward
      If you really want information from them why don't you be one of many to read the Lynn presentation? Here, I've even transcribed Lynn's presentation to text instead of that huge, ugly PDF. As a bonus, the assembly readings are now readable. For all I know, they consider this criminal even though I consider this not only a fair use but a public service. The bad guys already know this stuff; we need to let the legitimate security professionals in on this! Insofar as I can give pe
    • God you gotta love the irony of a security-centric corp losing data.. Looks like they should have used the money earned from their over-priced hardware to hire better web devs. Too bad they spent it on a 10 foot glass elephant that now graces their main office lobby but doesn't do a damn thing about stolen passwords.
      • God you gotta love the irony of a security-centric corp losing data..

        Cisco is NOT a security-centric corporation. They build routers and switches (damn fine ones I might add) and their security product line was more of an afterthought. This is one of the primary reasons I can never recommend their perimeter protection products to anyone unless they have a stronger firewall behind it in a layered fashion.

    • THe funny thing is the person probly used the recent flaws found a la Black Hat Conf to sniff for the needed data to get that data. Not expliotable? Heh.

  • Solution and comments (Score:5, Informative)

    by daveschroeder ( 516195 ) * on Wednesday August 03, 2005 @08:52PM (#13236875)
    From: Kim Christensen (kichrist) [mailto:kichrist@cisco.com%5D [mailto]
    Sent: Wednesday, August 03, 2005 11:58 AM
    Subject: CISCO - CCO Passwords

    Dear Cisco Partner,

    I'd like to bring your attention to an issue thatmay cause minor inconvenience for customers and partners.

    You may experience issues with yourlogin to www.cisco.com

    You will be required to reset your password, please send an email to cco-locksmith@cisco.com from the same email address that is associated with your CCO userid. Within a few minutes you should receive a new working password back to that same email address.

    Please note that when you send an email to cco-locksmith@cisco.com - the only requirement is that the email is sent from the same email address associated with your userid to receive the return email with the new password. Once this is received you should be able to reset your password to one of your own choosing.

    It ispossible that you are not impacted by this issue but I wanted to ensure you are aware of this in the event you have a problem logging into CCO today.

    Your Cisco Channel Team

    And Mike Lynn already settled with Cisco [eweek.com], but I suppose it's par for the course to get in one more jab.

    Also, the "major flaws" could only be referring to two things:

    - flaws that have already been long fixed (six months before Black Hat), that Lynn, in his opinion, didn't believe Cisco identified as "critical enough" to its customers, but nonetheless, as I already said, are fixed; or

    - general IOS flaws that will only materialize for architectural reasons in the next major iteration of Cisco's routers that Lynn felt it was important enough to have a frank discussion about, but are not yet shipping.

    In other words, Cisco's technical response was such that the vulnerabilities in shipping products are already fixed, and the vulnerability Lynn claims is a real killer allegedly exists in products that aren't even shipping yet and won't be for some time; it flies in the face of logic to believe that Cisco would ignore such vulnerabilities in yet-to-ship products, once identified. Yes, Cisco didn't believe it at first, but it sent engineering staff, and were proven wrong. One can only assume the engineer Cisco sent for the very purpose of confirming this general issue in turn confirmed to Cisco that the problem was indeed real.

    Furthermore, it's likely that Lynn broke no law (save possible civil violations of contract and/or trade secret provisions), so any FBI investigation, if not over already, is moot. Ironically, several members of the government, including possibly Air Force OSI and/or NSA congratulated Lynn after his talk at Black Hat, even giving him a challenge coin [globalsecurity.org] for his work. Don't worry: Lynn's work isn't lost on those who value security, but don't presume that there is a huge conspiracy just because someone was willing to quit his job to reveal the secrets of a sometime-competitor. A little more of the Cisco/ISS background in this issue - including what I would consider fairly questionably motivated references by ISS about this flaw being Cisco's "Witty" [wikipedia.org] - is provided in the earlier Wired interview [wired.com].
    • However, experts say that while the security holes are unpatched and undisclosed, they put companies and individuals at risk. "We're making reverse engineering code illegal, but criminals don't follow the law. They reverse engineer code and find the holes," said Paller.


      So, in that case, how in the hell is making reverse engineering illegal helping anyone?

    • Furthermore, it's likely that Lynn broke no law (save possible civil violations of contract and/or trade secret provisions), so any FBI investigation, if not over already, is moot.

      It is not moot. The fact cisco was a cock enough to file a criminal complaint speaks volumes, and is highly relevant to the discussion at hand.

      Cisco knew the shitstorm that would ensue should they try to file it, knew there was no basis to the complain, and they went and filed it anyway. It also speaks volumes about cisco's stupid

    • No amount of mincing words covers up the fact that the exploit (which was demo'd on a live Cisco router) can be done in the wild, and customers were not worried about it and not patching even with the old patch, because nobody was keeping the customers informed of this serious issue.

      What was at stake here was whether it's ok for Cisco to hide security flaws in products the world trusts.

      • Re:Solution and comments (Score:2, Interesting)

        by Cramer ( 69040 )
        I think the trust level you are assuming is a bit overstated. While a great many networks are dependant on Cisco technology, I know of none that "trust" Cisco to any measure. IOS is very closed source; customers have zero control over what it does. And today, they have even less control over what capabilities it has -- Cisco reduced the number of builds from several dozen to about 7 to "reduce confusion".

        (I call bullshit on this one as that alphabet-soup version string has been readily and correctly docu

    • Furthermore, it's likely that Lynn broke no law (save possible civil violations of contract and/or trade secret provisions), so any FBI investigation, if not over already, is moot.

      Have you heard of the Patriot Act or are you living in a box? Anyone can be detained for any length of time without due process. I don't think an FBI investigation is moot.
  • that someone had broken in and stolen an untold number of passwords and usernames that its customers and employees use to login at Cisco.com

    'Untold'? Is that the latest for 'unknown' ? Or maybe the meaning is 'all'?

    As a result, to protect our registered Cisco.com users, we're taking the proactive step of resetting Cisco.com passwords

    Proactive resetting? Can someone explain me what this actually means?
    • Sadly this type of post is starting to be normal here. Youo know what it means and you're just being nitpicking.
      • Sadly this type of post is starting to be normal here. Youo know what it means and you're just being nitpicking.

        Who is "Youo" and what does being a nitpicking mean? ;)

        Sorry, I couldn't resist.
    • 'Untold'? Is that the latest for 'unknown' ?

      Nah; it means "We know but we're not telling."

      s a result, to protect our registered Cisco.com users, we're taking the proactive step of resetting Cisco.com passwords

      Proactive resetting? Can someone explain me what this actually means?

      It probably means that they're setting all the passwords to a single string, or if they're a tiny bit more sophisticated, to a simple function of the user id. This is to make it easy for all of us to log in to any of their accounts.
      • The poster is referring to the adjective used: proactive.

        Cisco are reacting to events, they are not being proactive.

        • But proactive makes it almost sound like they didn't drop the ball.
        • Word usage. In that usage, it could be deemed correct. They are saying they are being proactive because they are resetting your user password before you do. They ARE being proactive to the USER's actions, not the hackers. Just clever PR wording but still technically correct, but they just spun it to focus on the "we are helping out are users before anything further happens" as opposed to "we messed up, so we are trying to fill the holes before the ship sinks".
    • I'm glad I know what's going on now, this morning both of my passwords were killed. I tried using their method of resetting the passwords and the server threw up 30 java errors...

      ~S
    • ...stolen an untold number of...

      Probably means more then one, but not all. It also means "We don't know, but we'll make up a more palletable number, soon."

      ...the proactive step of resetting....

      Actually, it is rather oxymoronic. If the step were in fact "proactive", it would have taken place prior to there being an actual indication of unauthorized access.

      If they were correct in using their market jargon, they would have said "the retroactive step of resetting.....", but that doesn't sound nearly as good. O
    • we're taking the proactive step of resetting Cisco.com passwords
      What a bunch of crap! That's not proactive, it's reactive. Once the passwords are gone then their customers are screwed. How many of those passwords will work at other sites like banks and credit card companies? I'd bet quite a few. From a company that came up with the 3 A's, you would expect them to at least know how one-way hashes work.
    • Actually, that would be wrong. It's retroactive. To be proactive, they would have had to reset it before they were hacked. Unless, of course, they mean proactive as in before they get hacked again. But retroactive seems to fit better here.

  • SecureID (Score:2, Insightful)

    by superpulpsicle ( 533373 )
    This is one company that need to invest in a secureID system that changes password every 30 seconds.

    • Why? So I can have another password token for just a single site? No thanks. I have enough trouble not losing one Safeword card.
    • This is for their website only. This includes people who work for Cisco as well as anyone who ever bought a Cisco device.
    • Oooh, if needing SecurID to log into cisco.com got modified insightful, I'm gettin' me some karma while the gettin's good!

      Why stop there? How about requiring a freshly-notarized affidavit proving your identity before logging into E-Bay?

      Maybe Amazon should have a representative cruise by for an at-home visit to verify your shipping address (and make sure your mailbox is big enough) before they send you a book?

      If match.com required a DNA test to log in, I bet that would save a lot of "he's really a she" emba
    • I'm not paying $50 just to have a CCO account. Wha? If I get my CCIE do I get a token for free?

      • Re:SecureID (Score:2, Informative)

        by scottv67 ( 731709 )
        $50? It's more like $100 a head to use SecurID (not counting server hardware) becuase each $60 token also needs a corresponding $40 license on the ACE/Server.

        Every remote user who gets an RSA hardware (or software) token at the company I work for costs the company $100. This doesn't count the cost of administering the remote access accounts. We like to keep this figure handy for managers who request an RSA token (hard or soft) for everyone in their entire department. After they hear the cost, the number

  • This? This isn't a big deal (Score:3, Informative)

    by ReformedExCon ( 897248 ) <reformed.excon@gmail.com> on Wednesday August 03, 2005 @08:57PM (#13236905)
    These things can be fixed pretty easily. All current members with valid logins will just get new passwords assigned to them and the world will keep spinning like it always does.

    But it points to a completely different, much more significant problem. That is of using the same password for every login. I admit that I do it too because it is much easier to remember one or two basic passwords than trying to remember a different password for each site that I log in to. But as this latest breach of security shows us, doing that jeopardizes all other logins on other sites.

    One can only hope that they don't keep the passwords in a plaintext file and that a strong one-way encryption scheme is used to scramble the passwords in the database.

    Also, I wonder who thinks it is useful to hack these sites in retaliation for some perceived wrong against a stranger? The hackers at fault here prove no point, present no agenda, and generally smear the image of computer enthusiasts in the public eye. I'd rather they find a better way to protest than to attack private property.
    • I wonder if someone could leverage a major breakin at one general or specialist Internet site with low protection due to perceived lack of value of accounts (I don't know, a large message board community or something) and then parlay that to account disclosures on a site with significant value -- say, Amazon or Paypal or somewhere you can actually monetize the data. When you're talking about sites which have some measurable percentage of the entire population of the Internet as users, it seems like you cou
    • Only hashes of passwords would be stored. Since good encryption uses a random salt to obscure the results from being the same everytime, you can feel pretty good about them not being usable elsewhere.
    • Because this password is the one you use to download new versions of IOS, so if you are unlucky enough to be running an old version of IOS with IPv6 enabled (ie you are in the east aisia market) then you can not get the patched version of code needed to protect yourself from the defcon vulnerabilities.

    • I wonder who thinks it is useful to hack these sites in retaliation for some perceived wrong against a stranger? The hackers at fault here prove no point, present no agenda, and generally smear the image of computer enthusiasts in the public eye. I'd rather they find a better way to protest than to attack private property.

      Retaliation? Really? That's a great story to tell affected customers, but since we can only speculate as to motives, I've got a better idea.

      What better way is there to get a shortl

    • That is of using the same password for every login.
      I have three different passwords, a ten character 'public' password for things I don't really care about, the one I use for /.

      Then I have a private password that I use for only a few accounts.

      Then I have a secure password that I only use as the password for the encryption key that encrypts my other keys.

      Everything after that uses encryption keys.

    • Re:This? This isn't a big deal (Score:1, Informative)

      by Anonymous Coward
      Use PasswordSafe [sourceforge.net] to keep track of all your passwords, and also to generate secure passwords. The program was first created by Bruce Schneier, cryptography expert.
  • Comment removed based on user account deletion

  • Looks like they should have used..... (Score:5, Funny)

    by rolfwind ( 528248 ) on Wednesday August 03, 2005 @09:10PM (#13236972)
    Looks like they should have used self defending networks......

    http://www.cisco.com/en/US/netsol/ns478/networking _solutions_white_paper0900aecd801dfec7.shtml [cisco.com]
  • When will programmers learn that there is NO good reason to keep passwords in plain text? Just save a one way hash, so you can hash the password they entered and compare. You wouldn't have this problem if the plain text passwords weren't in the database in the first place.

    • Re:Plain Text Passwords (Score:4, Informative)

      by skeeball ( 820126 ) on Wednesday August 03, 2005 @09:19PM (#13237008)
      Cisco doesn't use plain text passwords for CCO. They use RADIUS authentication, more than likely back to their CNS [cisco.com] product. The question is, if those passwords were stored in a database on a *nix server behind the firewall what exactly got comprimised here?
      • CiscoSecure stores passwords in plaintext. It's necessary to support CHAP authentication. However, if you don't care about CHAP, you can certainly config it to encrypt (ala crypt()) the password.

        I wouldn't be a bit surprised if they were plaintext. CCO's rather old, and not exactly Top Secret(tm), so there wouldn't be a great deal of focus on full security. Gez, it's still http basic authentication... via http; you do the math, err sniffing.
    • Comment removed based on user account deletion
    • When will programmers learn that there is NO good reason to keep passwords in plain text?

      In my 20+ years programming experience, I've never seen a programmer that wanted to store a plain-text password. Rather, each time I've seen it done, it was a business-type making it a requirement.
      • I've seen lots of "programmers" do it... it's easier to cout >> password >> endl; than encrypt it or even rot13 it. In fact, in my 20 years, I've not seen anyone encrypt passwords that weren't beat over the head to force them into it. In fact, Cisco IOS only recently (2-3 years ago in the 12.0S line) gained support for non-reversible password encrytion.

        Funny story... USR's idea of "encryption" was xor 0x80. No shit. I didn't even realize the passwords were encrypted for a while... I used les

  • Raises the debate of usefulness of registering (Score:2, Interesting)

    by Anonymous Coward
    I've never liked these register for access websites, they generally seem to me to be for the purpose of 1 or 2 things..

    Bragging rights (sysadmins and their userbase stats - give me a break)

    Spammation of the nation!

    Either way I treat such accounts with contempt and I generally register with the awe inspiring uncrackable password of 123123. Simply because as long as I do not divulge any "classified" information, a hacker impersonating me to download updates from a site is not really going to ruin my life.

    12
    • www.bugmenot.com grab the firefox extension, too.

    • Re:Raises the debate of usefulness of registering (Score:3, Funny)

      by Anonymous Coward
      I generally register with the awe inspiring uncrackable password of 123123
      Holy crap that is the combination to my luggage.
    • "Interesting"? Wow! The mods are generous today.

      What about the case where you have to register for a website to VERIFY THAT YOU ARE A CUSTOMER WITH AN ACTIVE SUPPORT CONTRACT?

      I use my CCO login to download software that I should not have access to *unless* I have a valid support contract in place. I don't expect Cisco to give away new versions of software and firmware for free. Those "products" should go only to the people who are paying for them.
    • Apparently you don't have a valid support contract with Cisco, nor have you opened any cases with Cisco, or you would know that they store historical case information in your account. Then again...

  • Cisco Trouble for the Past Week (Score:4, Insightful)

    by pyite ( 140350 ) on Wednesday August 03, 2005 @09:25PM (#13237037)
    I've had nothing but CCO trouble for the past week. That combined with random problems have been frustrating. The lovely order of events:

    1) A SUP (well, MSFC) dies in one of our 6000s. I try to open a TAC case.
    2) I try to login to CCO. It doesn't really work. I login, but it tells me I'm not logged in. After a bunch of clicking and such, I can open a TAC case.
    3) Since Cisco can't get its Smartnet act together, I need to jump through hoops to get the right contract on my account, again.
    4) Finally open a case. Tech diagnoses immediately as an MSFC bug. Sends me a new SUP.
    5) After a day of messing with the new SUP and wondering if I'm crazy, I decide they've sent me a DOA SUP.
    6) Tech agrees, sends me a new SUP.
    7) Try to use the RMA POWR tool to print mailing labels for the pair of bad SUPs fails. The tool has been down for three days now. Completely down.
    8) Try to login to CCO for something else today and run into the password problem. Combine that with their password reset tool not working and I'm *very* *very* annoyed.

    *Sigh* Guess all companies have bad weeks, but this is particularly sucky for Cisco.

  • how to by-pass password (Score:3, Funny)

    by blew_fantom ( 809889 ) on Wednesday August 03, 2005 @09:26PM (#13237041)
    >o/r 0x2142

    oh. wrong password... oops...
  • So, who's up for an order of bumper (router) stickers? If you only have some crappy routers, you can throw a nice sticker on it that says "My other router is your CRS-1."
  • They've got the Black Hat fiasco, this and getting caught actively helping the Chinese police and not giving a flying fuck about it [blogs.com]. Is anyone else thinking that Cisco needs to actually do a little bit of institutional introspection and admit the obvious source of their woes: their own damn psychopathic behavior?

  • Cisco: "Thugs". (Score:3, Interesting)

    by Futurepower(R) ( 558542 ) on Wednesday August 03, 2005 @09:49PM (#13237146) Homepage

    From the Slashdot story: "both stories note that Cisco's latest troubles are likely fallout from their legal battles with researcher Mike Lynn".
    I'm amazed at Cisco's lack of social sophistication. From previous dealings with Cisco, I knew they were boorish, but this is much worse than I imagined.

    I'm amazed at the sure sense some executives have for creating millions of dollars worth of bad publicity. It's as though they studied how to sink companies, and that is their most professional and creative skill.

    It's awesome. In only one afternoon of work, Cisco corporate officers arranged to have Bruce Schneier call them "thugs": "I can't imagine the discussions inside Cisco that led them to act like thugs." [smh.com.au]

    What's even more awesome is that Cisco managed to make the FBI look like it is willing to get involved in political attempts to suppress free speech, making it look like thugs, too.

    Is there some competition among executives that I didn't hear about? Are they having a contest to see who can do the most damage to their companies? Is Cisco having a competition with Adobe? Is Cisco trying to outdo the Skylarov incident and the Killustrator incident?

    I suppose it doesn't matter to top executives. They can just take their million-dollar golden parachutes and go to another company, leaving the wreckage behind.

    I agree exactly and entirely with Mr. Schneier's assessment:

    "... this has been a public-relations disaster for Cisco. Now it doesn't matter what they say - we won't believe them. We know that the public-relations department handles their security vulnerabilities [my emphasis], and not the engineering department. We know that they think squelching information and muzzling researchers is more important than informing the public. They could have shown that they put their customers first, but instead they demonstrated that short-sighted corporate interests are more important than being a responsible corporate citizen."

    If I were on the Board of Directors, I would: 1) Fire the President and Vice-President of Cisco immediately, in a highly public way. 2) Do immediate damage control by exhibiting some sophistication about Cisco's relationships with the outside world. I'm guessing that, sadly, the Board of Directors doesn't have anyone who has the necessary social skills.
    • You need to go take a few MBA classes to see just why all of this is a "good thing". I'm sure its good, this sort of protection is clearly documented in ivory tower text books as being good and never annoying the customers to the point where they jump ship. Of course I bought my last cisco gear and I'm not looking back. (Anyone got dumps of the nvram for a 2621xm? mine is all FFFF and with not service contract, there is no way to get it repaired according to cisco)

      Maybe its time for the idiots to take a

    • Re:Cisco: "Thugs". (Score:3, Insightful)

      by demachina ( 71715 )
      "Cisco corporate officers arranged to have Bruce Schneier call them "thugs"

      This one is pretty easy to explain. though its kind of a long proof, follow along.

      You may recall John Chambers, Cisco CEO, a while ago said:

      "What we're trying to do is outline an entire strategy of becoming a Chinese company"

      The people running China are now in fact no longer Communist. There is a prerequisite that there be state ownership of Capital to be Communist/Socialist. When China started transferring control of capital to pr

  • Get your stories straight... (Score:3, Insightful)

    by homerskid ( 725428 ) <<homerskid> <at> <gmail.com>> on Wednesday August 03, 2005 @10:00PM (#13237200)
    If you are reporting news, try to get the story correct: No passwords were compromised, Cisco took a proactive stance to remedy something that had the possibility of occuring.
    "It has been brought to our attention that there is an issue in a Cisco.com search tool that
    could expose passwords for registered users,"

    This also had nothing to do with Lynn, even though the media would like to tie them together. It was brought to Cisco's attention by a completely separate company.

  • I posted this first with a little different twist (Score:3, Informative)

    by geekp0wer ( 516841 ) on Wednesday August 03, 2005 @10:06PM (#13237228) Homepage
    Cisco Web Site Hacked 3:18 PM

    According to an article [zdnet.com] at ZDNet [zdnet.com], Cisco's web site has been hacked and they are advising users to change their passwords. As someone who was at Ciscogate (Michael Lynn's Blackhat presentation) I can not go without wondering if this event is related. Lynn stated in his presentation last week that the older IOS archives were removed from the download site due to his research. That begs the question, did someone hack Cisco's site in an attempt to get at those versions of IOS? BTW, if you are still looking for the orginal presentation this previous slashdot story [slashdot.org] mentions an article at Wired [wired.com], which has a link to lynn-cisco.pdf [cryptome.org]
  • Thong, thong thong thong.. Oh wait, wrong CISCO.
  • Why can't we just have unix style encrypted password and verify if the entered password encrypts to the same thing?

  • No site should ever store passwords (Score:3, Insightful)

    by vicaya ( 838430 ) on Wednesday August 03, 2005 @10:25PM (#13237321)
    It's appalling that a major company (a major tech company with security product offerings in this case!) website would store passwords in cleartext. Passwords (even usernames) should always be stored in strong one-way hashes like sha-1, so that even if they're stolen, they're close to useless.
  • Well,
    What if?
    All I'm saying.

  • Don't worry (Score:4, Funny)

    by That's Unpossible! ( 722232 ) * on Wednesday August 03, 2005 @11:33PM (#13237544)
    Word is the thieves have just as much trouble logging in with these stolen passwords as those who originally created them, and Cisco predicts the thieves will give up on them shortly.

    And honestly, even if the thieves could get access to the needed areas of Cisco's TOP SECRET website, what are the chances they could decipher the grid of which firmware goes with which device?

    Last time I looked at Cisco's firmware listings (back when they had that exploit affecting all their routers), a co-worker had to pry the gun out of my hands.

    What moron developed their firmware version scheme? Please kill this person immediately.
  • Why on earth are passwords a/ being kept in plaintext form and b/ being kept on a server that is available directly from the internet?

    Totally clueless!
    • If you use some kind of challenge-response mechanism (e.g. POP3/CRAM-MD5) passwords need to be stored in plain text on the server.


      That does not hold for simple HTTP-auth, of course.

  • So here's my question... if this presentation provided details of how to hack cisco routers...

    Other than getting cisco to fix their routers, what good could have come from it?

    If I came up with a surefire method to steal the gold in Ft. Knox and decided to disclose it in a public forum. Should I expect the gov't to step in and keep me from telling the world?

    Of course I would.

    If Cisco told the professor, "You're full of BS, there's no way to hack a router..." Then their hubris and ignorance deserves a bit of
  • A company like cisco is unable to manage something as simple as encrypting stored passwords?
  • Ya know, Cisco took it up the ass in security issues the last two weeks and they are *still* trying to make this all sound like business as usual. They need to concentrate on security and a little less on capitalism.

  • Ahem (Score:2)

    by MECC ( 8478 ) *
    This incident does not appear to be due to a weakness in Cisco products or technologies.

    except the ones used for the search tool...

  • Cisco has determined that Cisco.com password protection has been compromised.
    As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to cco-locksmith@cisco.com. Account details with a new random password will be e-mailed to you.
    Because of a large number of requests, registered Cisco.com users may experience delays in receiving the new passwords.
    This incident does not appear to be due to a weakness in

  • and then what? (Score:2, Interesting)

    by Zen ( 8377 )
    I'm not exactly sure why we care that our CCO account names and passwords were stolen. Does it really matter to me if someone downloads IOS while masquerading as me? Or maybe I should care if somebody opens up a TAC case as me, or submits a bug report as me? I really don't see the problem with someone else having access to my account on CCO. The only thing I use it for is to download code (we call TAC directly, or called our dedicated Advanced Services guy for everything else). I'm sure 90% of the peop
  • Cisco should be stamped be the government for the following reason (And Juniper).

    I am tired, tired tired of getting IOS from friends to fix security. I understand CCO/SmartNet/TAC support should cost money to protect the hardware, but when your software is deployed as much as IOS, JUNOS and Extreme and Foundry's OS, they should be FORCED to publicly provide free updates. Even MSFT provides free updates for Windows.

    These networking companies are basically holding the entire free world's security hostage by d

Slashdot Top Deals

No spitting on the Bus! Thank you, The Mgt.

Close