[Dailydave] Cisco's chickens come home to roost

Dave Aitel dave at immunityinc.com
Mon May 19 11:31:03 EDT 2014


Cisco's executive team posted a blog and went on record to the news last
week about being annoyed that the USG installed backdoors in routers as
they were shipped.
http://blogs.cisco.com/news/internet-security-necessary-for-global-technology-economy/


So I wanted to point out that there's a difference between whining about
how your government does something, and building a secure ecosystem. For
example, from the blog post:
"When we learn of a security vulnerability, we respond by validating it,
informing our customers, and fixing it."

On the contrary, Cisco is notorious for posting vague and misleading
advisories. Likewise, a modern secure device needs to be transparent:
you need to allow your customers the correct tools to validate both your
hardware and software. Cisco is nowhere on this, as far as I can tell.
Perhaps Marty can educate us on how this is working better since his
arrival (which I would expect), but nobody having read a Cisco advisory
for the past ten years thinks they have a leg to stand on. Every RCE
issue is "potential DoS", and it's either duplicitous (towards their
customer set and the public both) or incompetent (which is probably
worse). Compare that to the work Microsoft does with explaining, rating,
and cataloging their vulnerabilities. Those two pictures are a world apart.

Cisco even coming out to talk about this stuff is silly, since the US
Govt is hardly the last word in supply side interdiction for any real
company. Are there tools available that help a company validate that
their router they configured in the home office in Dallas and then
shipped to Hong Kong for deployment was not modified in Hong Kong? No
there are not. And that's a much more likely scenario.

The blog has some additional naive suggestions:
"Governments should have policies requiring that product security
vulnerabilities that are detected be reported promptly to
manufacturers for remediation, unless a court finds a compelling
reason for a temporary delay. By the same token, governments should
not block third parties from reporting such vulnerabilities to
manufacturers."

Remember when Cisco sued Michael Lynn and Blackhat and ISS all at once
about releasing security issues in their routers? Well, this is those
particular chickens coming home to roost.
http://www.infoworld.com/d/security-central/black-hat-leaked-cisco-slides-pulled-after-legal-threats-156



Dave Aitel
Immunity, Inc.
