'Hard-To-Fix' Cisco Flaw Puts Work Email At Risk (bbc.com)
An anonymous reader quotes a report from the BBC: Security researchers have discovered serious vulnerabilities affecting dozens of Cisco devices. The flaws allow hackers to deceive the part of the product hardware that checks whether software updates come from legitimate sources. Experts believe this could put emails sent within an organization at risk as they may use compromised routers. Messages sent externally constitute less of a risk, however, as they tend to be encrypted. The California-based firm said it is working on "software fixes" for all affected hardware.
"We've shown that we can quietly and persistently disable the Trust Anchor," Red Balloon chief executive Ang Cui told Wired magazine. "That means we can make arbitrary changes to a Cisco router, and the Trust Anchor will still report that the device is trustworthy. Which is scary and bad, because this is in every important Cisco product. Everything." Security experts believe that the vulnerability could cause a major headache for Cisco, which has listed dozens of its products as vulnerable on its website. "We don't know how many devices could have been affected and it's unlikely Cisco can tell either," said Prof Alan Woodward, a computer security expert based at Surrey University. "It could cost Cisco a lot of money." Security firm Red Balloon has set up a website with more details on the vulnerabilities, which they are calling "Thrangycat."
Re: Please let it kill internal email (Score:4, Informative)
Re: (Score:2)
First, forget about changing the people, it's futile to try. You need to find a solution that works for you under the current situation.
Second, never ever put something in writing that you wouldn't want to have to explain in court. There's no reason for it. Be as offensive as you like face to face, in meetings or on the phone, but always be the voice of reason in mails or chat. Never take part in bad-mouthing people in written communications, you si
Re: (Score:1)
At this point the NSA doesn't have to plant shit anymore. As a society we've thoroughly ostracized the competent and the ethical enough that there isn't anyone left on the front lines who knows how not to leave backdoors in everything accidentally.
Re: NSA? (Score:2)
But competent people are expensive, and ethical people could really impede their business plans.
Re: (Score:3, Funny)
Good job they didn't buy Huawei... Oh wait.
Re: (Score:1, Insightful)
Yea I gotta wonder what they seriously think Huawei hardware can do that is any worse than what Cisco has been doing to us all along.
Re: (Score:3)
That means we can make arbitrary changes to a Cisco router, and the Trust Anchor will still report that the device is trustworthy
I hope the US government finally warns other governments about allowing these dangerous, obviously deliberately backdoored products into their 5G infrastructure, and instead directs them to vendors with better track records, like Huawei.
Re: (Score:2)
Emails are an easy target because they are usually unencrypted, both at rest and in transit on corporate networks. Web traffic is increasingly hard to capture due to HTTPS being used everywhere, but not email.
Re: (Score:1)
Calm down, it Requires Root Privileges... (Score:5, Insightful)
Not that that makes it a "good" vulnerability. But I don't generally get excited about exploits that require the attacker to already have my root credentials. If s/he's got that, I am already screwed.
Root is the easy part (Score:1)
This is a two part attack. Gaining root is the easy part. The second part achieves persistence despite the presence of a TPM / UEFI type of chip on the board.
https://www.wired.com/story/cisco-router-bug-secure-boot-trust-anchor/
The lesson to be learned is that TPM / UEFI schemes don't work. Chip embedded management engines don't work either.
Trust is not an option anymore. We need the ability to view and verify our entire systems. We need open hardware specifications coupled with open software solutions
Re: Root is the easy part (Score:2)
"We need open hardware specifications coupled with open software solutions."
But how will that guarantee outsize profits for well-connected megacorps, while eroding civil rights?
What's in a name (Score:2)
... the vulnerabilities, which they are calling "Thrangycat."
Y tho?
Re: (Score:2)
Y ask Y?
Re: What's in a name (Score:2)
Try Bud Dry.
Misleading headline (Score:2)
The headline is total bullshit; this is only remotely related to email.
TL;DR: Cisco implements a "hardware" security device based around an FPGA, and the unencrypted FPGA bitstream is vulnerable to remote tampering.
The real WTFs are that (a) the bitstream is unencrypted and (b) is stored in flash that's accessible to the main CPU.
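The design point in the comment above (a verifier whose own logic sits in flash the main CPU can write, with nothing immutable to check it against) can be shown with a small model. The following is an added example, not code from the page, from Cisco or from Red Balloon: the flash layout, the payloads standing in for a bitstream and an OS image, and the two loader designs are all constructed for the model and say nothing about the real product's layout or check. It contrasts a loader whose reference digest lives in the same writable flash with one whose reference digest is fused into one-time-programmable storage the CPU cannot change.

```python
"""Toy model of a root of trust whose own logic lives in CPU-writable flash.

Added example; not code from the page, from Cisco or from Red Balloon. All
names, offsets and payloads are constructed for the model.
"""
import hashlib

# Assumed flash layout for the model (not the real device's).
BITSTREAM_OFF = 0x00000   # logic the verifier FPGA is configured from
DIGEST_OFF = 0x10000      # where the naive design keeps its reference digest
OS_IMAGE_OFF = 0x20000    # the software image the verifier is meant to check

# Constructed payloads standing in for a real bitstream and image.
GENUINE_BITSTREAM = b"genuine-verifier-logic-v1" + bytes(range(32))
ATTACKER_BITSTREAM = b"always-report-trusted" + bytes(range(32))
GENUINE_OS_IMAGE = b"router-os-image-v1"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Flash:
    """SPI-flash-like storage that the main CPU can read *and* write."""

    def __init__(self):
        self.regions = {}

    def write(self, off: int, blob: bytes) -> None:
        self.regions[off] = bytes(blob)

    def read(self, off: int) -> bytes:
        return self.regions.get(off, b"")


class Otp:
    """One-time-programmable fuses: written at manufacture, immutable after."""

    def __init__(self, digest: bytes):
        self._digest = bytes(digest)

    def read(self) -> bytes:
        return self._digest


def provision(flash: Flash) -> Otp:
    """Factory step: write genuine logic and image, return the fused digest."""
    flash.write(BITSTREAM_OFF, GENUINE_BITSTREAM)
    flash.write(DIGEST_OFF, sha256(GENUINE_BITSTREAM))
    flash.write(OS_IMAGE_OFF, GENUINE_OS_IMAGE)
    return Otp(sha256(GENUINE_BITSTREAM))


def run_verifier(bitstream: bytes, flash: Flash) -> str:
    """What the configured FPGA does once loaded: genuine logic compares the
    OS image in flash with the digest it was built with; attacker logic
    reports 'trusted' no matter what."""
    if bitstream == GENUINE_BITSTREAM:
        ok = sha256(flash.read(OS_IMAGE_OFF)) == sha256(GENUINE_OS_IMAGE)
        return "trusted" if ok else "untrusted"
    return "trusted"


def boot_naive(flash: Flash) -> str:
    """Design A: the bitstream's reference digest sits in the same writable
    flash, so the self-check proves nothing against a flash writer."""
    bitstream = flash.read(BITSTREAM_OFF)
    if sha256(bitstream) != flash.read(DIGEST_OFF):
        return "refused"
    return run_verifier(bitstream, flash)


def boot_hardened(flash: Flash, otp: Otp) -> str:
    """Design B: the loader refuses any bitstream whose digest does not match
    the immutable OTP value, before the FPGA is configured from it."""
    bitstream = flash.read(BITSTREAM_OFF)
    if sha256(bitstream) != otp.read():
        return "refused"
    return run_verifier(bitstream, flash)


def image_only_tamper(flash: Flash) -> None:
    """Root on the main CPU modifies only the OS image."""
    flash.write(OS_IMAGE_OFF, GENUINE_OS_IMAGE + b"+implant")


def root_on_main_cpu_tampers(flash: Flash) -> None:
    """Root on the main CPU, with write access to the flash, also swaps the
    verifier logic and rewrites the flash-resident digest to match."""
    image_only_tamper(flash)
    flash.write(BITSTREAM_OFF, ATTACKER_BITSTREAM)
    flash.write(DIGEST_OFF, sha256(ATTACKER_BITSTREAM))


def scenario() -> dict:
    """Run both designs at each stage; returns (naive, hardened) verdicts."""
    flash = Flash()
    otp = provision(flash)
    before = (boot_naive(flash), boot_hardened(flash, otp))
    image_only_tamper(flash)
    image_only = (boot_naive(flash), boot_hardened(flash, otp))
    root_on_main_cpu_tampers(flash)
    after = (boot_naive(flash), boot_hardened(flash, otp))
    return {"before": before, "image_only": image_only, "after": after}


if __name__ == "__main__":
    # {'before': ('trusted', 'trusted'), 'image_only': ('untrusted', 'untrusted'),
    #  'after': ('trusted', 'refused')}
    print(scenario())
```

With only the OS image changed, both designs catch it, because the genuine verifier logic is still what gets loaded. Once the attacker can also replace the logic the verifier is built from, the naive design keeps reporting "trusted" across reboots, while the hardened loader refuses the tampered bitstream outright. The model covers placement of the reference value only; encrypting the bitstream is a separate confidentiality measure and by itself would not give the loader a way to detect a rewrite.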