A former coworker of mine who works in industrial automation told me that Siemens had to give US authorities access to their source code; I would not be surprised if that source code had "leaked" to the intelligence services.
Though, it's worth noting that the NSA actually two roles: 1) ensuring the security of US Government communications systems and 2) conducting signals intelligence against other foreign communications systems. People focus so much on the former that they often forget the latter.
Given their defensive role, being "done" with these exploits may mean simply having patched/secured all their systems against them.
Probably not true. You can see from the leaked shadow brokers tools that they had to develop exploits to get on the devices, they didn't just have free access.
I don’t follow. In most cases, you still have to develop exploits to “exploit” vulnerabilities. Very few of them just offer you a login prompt over the internet.
What don't you follow? If 3 letter agencies had been given backdoor access by Cisco, why would the 3 letter agencies need to develop exploits that take advantage of flaws in the software? Cisco could have just added port knocking instead of adding additional accounts and logic errors and hoping nobody except the US govt finds it.
I’m sure the NSA and other extreme security organizations knew about some of them. Is what you’re asking whether they have control or influence with Cisco regarding the release, other than choosing to not report?
> boils down to there being a "hidden command in the affected software", according to Cisco itself.
It always amazes me that we continually release software with these backdoors in them. What is the thought process that's going on? Do they think security by obscurity really works? They must or else they wouldn't keep doing this. Cisco isn't a small company, they have the people-power, processes, and money to not do this. It literally saves no time or money when you figure in the cost to fixing the issue. US government conspiracy theories aside, I'm guessing it's just lazy developers, incompetent managers, or potentially intentional maliciousness from foreign governments or competitors.
I feel like software reverse engineering should be done in more curriculums so developers can see just how easy it is to find backdoors as a relatively unskilled attacker.
Whilst I think it would be useful, you're not teaching the more general lessons (such as not relying solely on security by obscurity).
I suspect the kind of person who left in that backdoor would, after going through the course, simply make a slightly harder-to-find backdoor. (If anything, they might be more likely because they think they've taken into account THE vulnerability, when it is only a vulnerability).
I've admittedly not worked on a project team as large as the ones you'll find at Cisco, but a lot of the time it comes down to deadlines and a team biting off more than they can chew rather than active maliciousness. Never attribute to malice what can adequately be explained by stupidity, and all that.
Not so. The company processes are responding to a marketplace which allows products to ship with minimal security effort, thereby translating poor security into profit thanks to a more or less uninterested public. Nothing will change until legislation. For many kinds of companies they in fact cannot change until legislation.
"There are two things I am sure of after all these years: there is a growing societal need for high assurance software, and market forces are never going to provide it." - Earl Boebert
Ross Anderson has a good reply to your statement in the 7th chapter of his book, 'Security Engineering'. [1]
For Cisco there's really not a great deal of incentive.
I've seen the networking gear sales world.
A huge % of customers just buy Cisco ... just because. It's a matter of fact. So if you're Cisco, there's no incentive. "Nobody ever got fired for buying IBM" is as much "Nobody ever got fired for buying Cisco".
It used to be that buying from the likes of Cisco, IBM, hp, etc was simply referred to as buying the worlds largest diaper so that when the proverbial shite hit the fan, you could simply ask the vendor to take the blame... This isn't true as much anymore and if it's still applicable in your firm, you may want to re-evaluate if this really where you want stay and grow.
> "It was not immediately clear whether or not the company has released any patches for this, with the page on its website merely referring readers to a login-protected page."
Or as I learned in the last week with Cisco, it doesn't even matter if you have an account! You can't download software updates to the hardware they sold you unless you pay extra for a Service Contract!
Leaving security holes in the software? Well gosh, we're real sorry about that. How 'bout you cough up a nominal fee for each of those "Security Appliances" you bought so we can give you the privilege of fixing our mistakes. Thanks!
That is completely untrue. You can open a case and get access to downloads outside your support contract if you reference a vulnerability that’s affecting your current hardware.
> open a case and get access [...] if you reference a vulnerability that’s affecting your current hardware.
Ok, but that's bullshit, isn't it? Not all customers are going to be proactive/attentive enough to know their hardware is vulnerable. Cisco knows there is vulnerable gear in the wild, knows there is a fix, but withholds the fix until people come begging? Almost feels like the sort of thing that should be illegal (or at least on the losing end of a civil suit).
"I'm not holding you hostage and demanding $20k, you can instead just give me your first born child!"
Holy crap does anybody actually think that's remotely acceptable behavior? I get better support on discounted Chinese routers I've bought in back alleys - they at least put out their patches for free.
Most security-critical devices are moving in the direction of auto-updating. I'm not super into that, but I see the justification. You're telling me that Cisco is so far in the opposite direction that if I want to patch a device, I can't download the firmware myself, I have to open a service request saying, "I'd like the latest security patches", and then answer the question, "Why? What specifically are you worried about?"
That is not the setup of a company that cares about security.
Putting firmware patches behind any kind of account authentication is mind-boggling to me. I wouldn't have guessed that there's a hardware company that does that.
HPE is like that too. I see lots of their servers show up on Craigslist, but hell if I would buy one when I can't get BIOS updates, especially in the post-Meltdown/Spectre world.
All of the meltdown/spectre mitigations will be added by un up to date kernel even without the BIOS doing it, during the normal boot up process.
If untrusted code can patch the kernel after that, then it's already ten kinds of game over. Also, if this attacker can patch the kernel, then it can patch firmware, as they run at the same security context.
This all sounds very dramatic but I'm pretty sure that to take over the system is not that easy. Most vulnerabilities, if they are mediocre, have zero probability and most scenarios are pretty unlikely
35 comments
[ 3.2 ms ] story [ 35.0 ms ] thread> Likely. Considering the three letter agencies get early access to these things from other vendors: https://arstechnica.com/information-technology/2013/06/nsa-g...
Though, it's worth noting that the NSA actually two roles: 1) ensuring the security of US Government communications systems and 2) conducting signals intelligence against other foreign communications systems. People focus so much on the former that they often forget the latter.
Given their defensive role, being "done" with these exploits may mean simply having patched/secured all their systems against them.
If you're like me, check this out: https://www.todayifoundout.com/index.php/2010/09/why-a-baker...
It always amazes me that we continually release software with these backdoors in them. What is the thought process that's going on? Do they think security by obscurity really works? They must or else they wouldn't keep doing this. Cisco isn't a small company, they have the people-power, processes, and money to not do this. It literally saves no time or money when you figure in the cost to fixing the issue. US government conspiracy theories aside, I'm guessing it's just lazy developers, incompetent managers, or potentially intentional maliciousness from foreign governments or competitors.
I suspect the kind of person who left in that backdoor would, after going through the course, simply make a slightly harder-to-find backdoor. (If anything, they might be more likely because they think they've taken into account THE vulnerability, when it is only a vulnerability).
Ross Anderson has a good reply to your statement in the 7th chapter of his book, 'Security Engineering'. [1]
[1] https://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c07.pdf
I've seen the networking gear sales world.
A huge % of customers just buy Cisco ... just because. It's a matter of fact. So if you're Cisco, there's no incentive. "Nobody ever got fired for buying IBM" is as much "Nobody ever got fired for buying Cisco".
Or as I learned in the last week with Cisco, it doesn't even matter if you have an account! You can't download software updates to the hardware they sold you unless you pay extra for a Service Contract!
Leaving security holes in the software? Well gosh, we're real sorry about that. How 'bout you cough up a nominal fee for each of those "Security Appliances" you bought so we can give you the privilege of fixing our mistakes. Thanks!
Ok, but that's bullshit, isn't it? Not all customers are going to be proactive/attentive enough to know their hardware is vulnerable. Cisco knows there is vulnerable gear in the wild, knows there is a fix, but withholds the fix until people come begging? Almost feels like the sort of thing that should be illegal (or at least on the losing end of a civil suit).
Of course Microsoft also released some free security updates beyond the date too.
Holy crap does anybody actually think that's remotely acceptable behavior? I get better support on discounted Chinese routers I've bought in back alleys - they at least put out their patches for free.
Please go on and let me know where I can open this case.
I am not sarcastic, I really need that fixed.
Most security-critical devices are moving in the direction of auto-updating. I'm not super into that, but I see the justification. You're telling me that Cisco is so far in the opposite direction that if I want to patch a device, I can't download the firmware myself, I have to open a service request saying, "I'd like the latest security patches", and then answer the question, "Why? What specifically are you worried about?"
That is not the setup of a company that cares about security.
Putting firmware patches behind any kind of account authentication is mind-boggling to me. I wouldn't have guessed that there's a hardware company that does that.
If untrusted code can patch the kernel after that, then it's already ten kinds of game over. Also, if this attacker can patch the kernel, then it can patch firmware, as they run at the same security context.