Cisco Statement on Wired Magazine Article
December 6, 2005
On December 6, 2005, Wired Magazine posted an article on alleged Cisco vulnerabilities entitled "Firm Allegedly Hiding Cisco Bugs."
Cisco Systems' response to this article is:
- Cisco takes each security vulnerability report very seriously, including this one. We investigate every report for which we have credible information and take the proper steps in each situation to help customers protect their networks and protect critical infrastructures.
- Cisco has always maintained an open communications path for working with security researchers and third-party organizations on product vulnerability research.
- We request that all researchers and organizations with any information about Cisco product vulnerabilities work directly with our Product Security Incident Response Team (PSIRT) so that any such issue can be addressed in a timely and effective manner.
August 3, 2005
Cisco Systems, Inc. was made aware of a vulnerability in a search tool on Cisco.com that could expose passwords for registered users.
Registered users of Cisco.com consist of employees, customers, partners, and other third-party users.
Cisco has since researched this issue and has taken the necessary steps to correct it.
Cisco is taking precautionary measures to protect our registered Cisco.com users, including resetting registered user passwords.
Because of the large number of requests, registered Cisco.com users may experience delays in receiving their new passwords.
The vulnerability in our search tool was brought to our attention by a third-party security research organization.
We would like to thank them for contacting us so we could take appropriate action to protect our customers, partners and employees.
Cisco Systems is investigating the incident and will work with outside agencies as appropriate.
This incident does not appear to be due to a weakness in Cisco products or technologies.
Cisco Response To Presentation At Black Hat Conference On July 27, 2005
Update: July 28, 2005
Cisco Systems' response to the Federal District Court's issuance of a permanent injunction against Michael Lynn and Black Hat, Inc. from further disclosure of code and code pointers that could aid in the development of an exploit against network infrastructure:
We are gratified with the court’s actions. Cisco and ISS took action only as a last resort, to stop continued irresponsible public disclosure of illegally obtained proprietary information.
Cisco’s actions with Mr. Lynn and Black Hat were not based on the fact that a flaw was identified, rather that they chose to address the issue outside of established industry practices and procedures for responsible disclosure. It is Cisco’s opinion that the method Mr. Lynn and Black Hat chose to disseminate this information was not in the best interest of protecting the Internet.
The court's order includes reference to the fact that ISS and Cisco had prepared an alternative presentation designed to discuss Internet security, including the flaw which Lynn had identified, but without revealing Cisco code or pointers that might help enable third parties to exploit the flaw; they were informed that they would not be allowed to give that presentation at the conference. Once the stipulated permanent injunction is entered by the Court, Cisco and ISS will execute and file a dismissal of the action against Michael Lynn and Black Hat, Inc.
In accordance with industry guidelines, Cisco, like other companies, generally does not release security notices until enough information exists to allow customers to make a reasonable determination as to whether or not they are at risk and how to mitigate that risk. To clarify the confusion caused by Lynn's irresponsible disclosure and the resulting customer concerns, the company is following its standard process for disclosing security concerns. Cisco plans to communicate with its customers and partners by issuing a security advisory within the next day.
July 27, 2005
Cisco respects and encourages the work of independent security researchers; however, we follow an industry-established disclosure process for communicating with our customers and partners.
It is important to note that the information presented at the Black Hat Conference today was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. The research presented explores possible ways to expand exploitations of known security vulnerabilities impacting routers.
As per Cisco’s best practices guidelines, we recommend customers upgrade their software to the latest available versions.
Customers should contact their account managers and sales engineers with questions and requests for more information.
For press inquiries, contact Mojgan Khalili (business press) 408-489-4015 or John Noh (industry trade press) 408-242-3852.
For industry analyst inquiries, contact Lisa Caywood 408-857-3642.
Illegal Posting of IOS source code
Update: May 9, 2005
We are aware that a person has been detained in Sweden in connection with the IOS source code theft, and we are encouraged by this action.
Cisco enlisted the help of many law enforcement agencies after the incident, which occurred just prior to May 15, 2004. Throughout the investigation, Cisco has cooperated fully with all law enforcement agencies and will continue to work with them on this matter as necessary.
We will continue to develop innovative security technologies and are committed to helping our customers protect their networks.
Cisco IOS source code is both copyrighted and protected as proprietary material. It is illegal to post it, make it available to others, download it or use it. Cisco will take all appropriate legal actions to protect its intellectual property.
September 17, 2004
As we have previously reported, Cisco continues to cooperate with law enforcement agencies on this matter, and we are encouraged that an arrest has been made. We view the arrest as what will likely be one of many steps in this matter. We will take every measure to protect our intellectual property.
May 20, 2004
Cisco is aware that just prior to the weekend of May 15, 2004, a portion of Cisco's Internetworking Operating System (Cisco IOS) code was illegally copied and subsequently posted on the Internet.
As a matter of policy, Cisco takes information security very seriously and continues to take active measures to protect its proprietary information as well as employee, customer, and partner information. Where appropriate, this includes working with law enforcement agencies.
A full investigation has been launched, and Cisco is cooperating with the Federal Bureau of Investigation and other law enforcement agencies on this matter. Questions about the ongoing investigation should be directed to the appropriate contacts at the FBI.
Cisco is providing the following information, based on preliminary findings:
- Just prior to the weekend of May 15, 2004, a portion of Cisco's Internetworking Operating System (Cisco IOS) code was illegally copied and taken outside of Cisco's internal systems.
- Code was available on a foreign website for several days. It has subsequently been removed.
- Cisco believes that the improper publication of this information does not create increased risk to customers' Cisco equipment.
- It appears this occurrence was not the result of any exploitation of a vulnerability in any product or service offered by Cisco to its customers and partners.
- Cisco has no reason to believe that this situation was the result of any malicious action initiated by any Cisco employee or contractor.
- Cisco does not believe any customer information, partner information or financial systems were involved.
Cisco will continue to closely monitor this matter and provide updates as appropriate to this site (www.cisco.com/security/).
Consistent with the past, Cisco continues to recommend all customers and partners follow best practices when designing, building, maintaining and optimizing a secure network. Additional resources can be found at www.cisco.com.
Cisco remains dedicated and focused on providing secure, intelligent networking systems to its customers and partners.
Cisco.com Phishing Issue
May 11, 2004
Some Cisco customers and employees have received a forged email that appears to come from a Cisco Systems, Inc.-owned domain name, asking them to reply with their user name and password or else the account will be reset. This is a common practice known as "phishing". The email has all the characteristic signs: misspelled words, incorrect punctuation, a fake website link (which in this case redirected people to Cisco's legitimate site), and a request for a reply.
Cisco's Position on the Matter
"Phishing" is unfortunately a common phenomenon in today's Internet-based communications environment. At Cisco Systems, Inc., the security of your accounts and personal information is our top priority.
- "Phishing" is not a new method of obtaining confidential information from individuals.
- Cisco has successfully shut down the offending site.
- Cisco.com was never in any danger and is not "under attack". This email scam was directed at stealing user accounts, not at Cisco.com itself.
Reporting a Suspicious Email
Cisco Systems, Inc. will never request personal information from customers via email. If you have entered personal information in response to a suspicious email or a suspicious website claiming to be affiliated with Cisco Systems, Inc., send an email outlining the request received and the information you sent to Customer Advocacy Business Controls at email@example.com.
1Q) What is phishing?
1A) Phishing attacks use "spoofed" emails and fraudulent websites designed to fool recipients into divulging personal or financial data such as credit card numbers, account user names and passwords, social security numbers, etc. By hijacking the trusted brands of well-known organizations, phishers are able to convince a certain percentage of recipients to respond.
2Q) What is Cisco's policy on user names, passwords and account log-in requests?
2A) Cisco does not ask customers for account information via email.
Cisco treats this information as highly confidential and asks that customers do the same.
If you have entered personal information in response to a suspicious email or website claiming to be affiliated with Cisco, please send an email outlining the request received and the information you sent to firstname.lastname@example.org.
3Q) What are the consequences for responding to this request?
3A) If a customer or employee responded to this email and divulged their user name and password, they need to act immediately to remedy the situation. The password should be changed as soon as possible to prevent misuse of the account. Users should also change the password on any other online accounts that use the same user name and password, since phishers commonly try stolen credentials against other services. If you have responded to this request, please contact Cisco's Customer Advocacy Business Controls team at email@example.com, and we will assist you in securing your account.
4Q) Is Cisco.com under attack?
4A) No. Cisco.com was never in danger and is not under attack. This attack was directed at stealing user account information, not at the Cisco.com environment itself.