Cisco Passwords Get Makeover
Partners and customers attempting to log on to Cisco.com today were greeted by a notice saying all passwords had been reset by Cisco. The reason: a flaw on the site that could have been used to expose those passwords.
"Cisco has determined that Cisco.com password protection has been compromised. As a precautionary measure, Cisco has reset your password," states one of the logon notices. "This incident does not appear to be due to a weakness in Cisco products or technologies."
Users on the North American Network Operators' Group (NANOG) mailing list were reporting little success today in getting their new passwords. "Because of a large number of requests, registered Cisco.com users may experience delays in receiving the new passwords," the Cisco warning helpfully points out.
Cisco has corrected the flaw, which was in the search engine used on the Cisco site and doesn't appear to stem from Cisco's routers or its Internetwork Operating System (IOS) software, a Cisco spokesman says. The problem was disclosed by "a third-party research organization," he says.
Cisco is describing the password reset as a precautionary measure. "We don't believe there have been any active exploitations" of the vulnerability, the spokesman says.
Speculation on the NANOG mailing list is that the password resets are related to last week's Black Hat Briefings controversy, where researcher Michael Lynn showed that it's possible to take over a Cisco router that's running IOS. But Cisco doesn't believe there's a connection, the spokesman notes (see Cisco Faces Security Flap and Cisco Reveals 'Black Hat' Flaw).
At the same time, it seems likely that the Lynn case has sparked new interest in hacking Cisco's network to get at some IOS code, something that has previously been accomplished (see Cisco's IOS Code 'Compromised', Cisco Code Hacker Arrested, and Black Market Offers Cisco's PIX). "We're fully aware there's increased activity, so we've taken every measure to protect our networks," the spokesman says.
Lynn has settled with Cisco and his former employer, , agreeing not to discuss the matter any further.
Meanwhile, Websites posting what appears to be Lynn's presentation claim they're being hit with cease-and-desist orders from DLA Piper Rudnick Gray Carey, a law firm representing ISS. One such site, infowarrior.org, has replaced the presentation with a copy of the cease-and-desist letter from the firm. Attorney Andrew Valentine, who purportedly sent the letter, did not return a call for comment.
— Craig Matsumoto, Senior Editor, Light Reading