RE: Cutting to the chase (was RE: ABOVE.NET SECURITY TRUTHS?)
There was no implication of 'dirty little secrets' intended; on the contrary, Cisco have been great to deal with on issues of this type, and very prompt to disseminate security-related information.

I have no problem with Cisco, quite the opposite. What I have a problem with is people who point the finger and shout "J'accuse!" from the sidelines.

You folks at Cisco are extremely forthcoming, and your efforts in this sphere are much appreciated.

-----------------------------------------------------------
Roland Dobbins <rdobbins@netmore.net> // 818.535.5024 voice

-----Original Message-----
From: Paul Ferguson [mailto:ferguson@cisco.com]
Sent: Friday, April 28, 2000 4:44 PM
To: Roland Dobbins
Cc: nanog@merit.edu
Subject: Re: Cutting to the chase (was RE: ABOVE.NET SECURITY TRUTHS?)

Well, yes, we have been trying to do "due diligence to ensure that we publicly notify our customers, and the public at-large, of any known security problems with our products. These are not dirty little secrets -- we believe that our customers deserve to know, as soon as possible, when we have found vulnerabilities in our products.

As stated in most of the advisories, we post these security advisories to:

cust-security-announce@cisco.com
bugtraq@securityfocus.com
first-teams@first.org (includes CERT/CC)
cisco@spot.colorado.edu
comp.dcom.sys.cisco
Various internal Cisco mailing lists

Secondly, and to the best of my knowledge, I know of no instance where the Catalyst enable password vulnerability has been used by an attacker to exploit a customer's network.

For further information, see:

http://www.cisco.com/warp/public/707/advisory.html

and

http://www.cisco.com/warp/public/707/sec_incident_response.shtml

Cheers,

- paul

At 02:16 PM 04/28/2000 -0700, Roland Dobbins wrote:

First of all, there -is- a bug in the Catalyst Supervisor software revision 5.4.1 which basically disables the functionality of the enable password. If someone has the login password to the router, they can use the same password to get to enable mode. Yes, someone has to either a) get his password sniffed internally or b) re-use the password on some external network which allows it to get sniffed or c) use a weak and/or easily-guessable password for this exploit to be used. But your blanket statement about the enable password on Cisco switches is incorrect. And while shared segments are generally a Bad Thing, there are certain instances in which they make sense.
See http://www.cisco.com/warp/public/707/catos-enable-bypass-pub.shtml for more details.
Secondly, there's also a bug in the Cisco telnet daemon for IOS 11.3AA, 12.0(2)-12.0(6) and 12.0(7), excluding 12.0(7)S, 12.0(7)T, and 12.0(7)XE, which allows very easy DoS attacks against routers and switches running those revs. The bug ID is CSCdm70743, and more information can be found at http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml.
Thirdly, 12-series IOSes can make use of ssh, but there are a lot of other issues with the 12.x revs (see the above paragraph for an example) which have prevented their wide-scale adoption. Kerberos is certainly an option, and a good one, but Monday-morning quarterbacking is really easy, especially when one doesn't have direct knowledge of all the various factors involved, nor any responsibility for maintaining the network in question.
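A defender-side inventory check for the telnet-daemon bug Roland cites above, written here as an added example (not code from the thread, from Cisco, or from the advisory): it parses IOS version strings and flags devices whose version falls in the affected list exactly as the message states it. The hostnames and the inventory format are constructed for the example.

```python
import re

# Affected releases for the IOS telnet-option DoS (Cisco bug ID CSCdm70743), as
# listed in the message above: 11.3AA, 12.0(2) through 12.0(6), and 12.0(7)
# except the 12.0(7)S, 12.0(7)T and 12.0(7)XE trains.
# IOS version strings look like 12.0(7)XE1: major.minor(release)TRAIN[rebuild].
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]*)\d*$")

def parse_ios_version(version):
    """Split an IOS version string into (major, minor, release, train)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised IOS version string: %r" % version)
    major, minor, release, train = m.groups()
    return int(major), int(minor), int(release), train

def is_affected_by_cscdm70743(version):
    """True if the version is in the affected set quoted in the thread."""
    major, minor, release, train = parse_ios_version(version)
    if (major, minor) == (11, 3):
        # The message names the 11.3AA train as a whole, whatever the release.
        return train == "AA"
    if (major, minor) == (12, 0):
        if 2 <= release <= 6:
            return True  # stated as a plain range, no train exclusions
        if release == 7:
            return train not in ("S", "T", "XE")
    return False

# Constructed inventory (not real devices): one "hostname version" per line.
SAMPLE_INVENTORY = """\
core-rtr-1  12.0(5)
core-rtr-2  12.0(7)S
edge-rtr-1  12.0(7)
edge-rtr-2  11.3(11)AA
lab-rtr-1   12.1(1)
dist-sw-1   12.0(7)XE1
"""

def find_exposed_devices(inventory_text):
    """Return hostnames whose IOS version falls in the affected set."""
    exposed = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, version = line.split(None, 1)
        if is_affected_by_cscdm70743(version):
            exposed.append(host)
    return exposed
```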
At 05:36 PM 04/28/2000 -0700, Roland Dobbins wrote:
There was no implication of 'dirty little secrets' intended; on the contrary, Cisco have been great to deal with on issues of this type, and very prompt to disseminate security-related information.
I have no problem with Cisco, quite the opposite. What I have a problem with is people who point the finger and shout "J'accuse!" from the sidelines.
You folks at Cisco are extremely forthcoming, and your efforts in this sphere are much appreciated.
Thank you. - paul
Now that this topic has been brought up, I have a question to the list in general.

I have suggested to Susan Harris (who does a FANTASTIC job of putting the NANOG meeting agenda together) that it might be interesting to have a panel session at the Albuquerque NANOG consisting of several folks (including popular trade press journalists) to discuss the "damage factor" in disinformation.

I have personally been appalled at the lack of accuracy in the more recent reports of service provider outages that have been erroneously reported as being due to "hacker attacks" or DoS attacks.

This has led to excessive fear-mongering & FUD, and tends to reduce the confidence in the service provider community, and in my humble opinion, needs to be addressed.

What does the list, in general, think about this proposal?

Thanks,

- paul

At 09:33 PM 04/28/2000 -0400, Paul Ferguson wrote:
At 05:36 PM 04/28/2000 -0700, Roland Dobbins wrote:
There was no implication of 'dirty little secrets' intended; on the contrary, Cisco have been great to deal with on issues of this type, and very prompt to disseminate security-related information.
I have no problem with Cisco, quite the opposite. What I have a problem with is people who point the finger and shout "J'accuse!" from the sidelines.
You folks at Cisco are extremely forthcoming, and your efforts in this sphere are much appreciated.
Thank you.
- paul
On Fri, 28 Apr 2000, Paul Ferguson wrote:
Now that this topic has been brought up, I have a question to the list in general.
I have suggested to Susan Harris (who does a FANTASTIC job of putting the NANOG meeting agenda together) that it might be interesting to have a panel session at the Albuquerque NANOG consisting of several folks (including popular trade press journalists) to discuss the "damage factor" in disinformation.
I have personally been appalled at the lack of accuracy in the more recent reports of service provider outages that have been erroneously reported as being due to "hacker attacks" or DoS attacks.
The AboveNet report I saw on Computerworld: http://www.computerworld.com/home/print.nsf/(frames)/000427D962?OpenDocument&~f Says the FBI is looking for a DoS attacker, calls the incident a DoS attack, and generally leaves no room for the uneducated reader to understand that their ISP is not in imminent danger of being blown off the 'net by a copycat ... DESPITE a variety of concise, easily understandable quotes from Paul Vixie which dismiss this possibility.
This has led to excessive fear-mongering & FUD, and tends to reduce the confidence in the service provider community, and in my humble opinion, needs to be addressed.
What does the list, in general, think about this proposal?
If we were to educate the press, it would require something closer to full disclosure in the event of an incident on any of our networks. Reporters aren't going to pay any attention to what is discussed at a panel at NANOG if the next incident doesn't include enough information that they don't have to speculate wildly about the cause. Any decent reporter is not going to be happy with an intentionally-vague press release from the PR department, and they will print incorrect information rather than nothing at all. AboveNet should be thanked for their response to this incident ... and if we all responded the same way it would be possible to get accurate information in trade rags. There is a price to pay for full-disclosure, however, since it tends to *really* piss off PR and corporate managers.
Thanks,
- paul
-travis