Tag Archives: Cisco

US Cyber Command Spends 90% on Offensive Cyber

Earlier this month the folks at Cisco were sent into a frenzy when Wikileaks disclosed Cisco exploits in their Vault 7 CIA tool data dump.

Wikileaks disclosed that the CIA had been hacking Cisco Internet switches for over a year to eavesdrop on users, but didn’t disclose how.  Wikileaks and a number of the tech vendors are at odds regarding revealing the details of the hacks because of conditions Wikileaks is imposing prior to giving the manufacturers the details.

Given the resources at John Chambers disposal, Cisco reassigned teams of engineers, working around the clock for days first trying to figure out how the CIA did it – without any help from Wikileaks.  Then they had to craft a warning to customers regarding the 300 products affected.  Finally, they had to come up with fixes, test them and get them into the distribution channel.

Due to the way the government (in the form of the NSA and CIA particularly) prioritize cyber risk, offensive cyber is much more important than defensive cyber (more about this later).

So even though the CIA had known about these bugs for at least a year, they prioritized using the bug against their surveillance targets over protecting U.S. citizens.

This has been the argument since the creation of USCYBERCOM.  USCYBERCOM is headed by the same person as the NSA –  Admiral Mike Rogers.

The problem is that the NSA’s mission is to hack into targets of interest and Cybercom’s mission is to protect the U.S.  In case of a ‘conflict of interest’, who wins?

The original idea was to help USCYBERCOM get off the ground by being able to leverage NSA’s considerable cyber expertise, but for the last year or two, there have been calls to split the two (see Washington Post article here.)  In fact, there were conversations about President Obama separating the two toward the end of his term.  This idea was endorsed by both Defense Secretary Ash Carter and Director of National Intelligence James Clapper.  President Obama signed a bill bars the splitting until the Joint Chiefs of Staff certify that splitting it would not be harmful.  We have no idea what President Trump thinks about the subject.

Laura Pfeiffer, a former senior director of the White House situation room suggested that now that our adversaries’ cyber capabilities were catching up to ours, we might ought to think about reconsidering our strategy.

According to Reuters, 90 percent of all spending on cyber across the federal government is dedicated to offensive cyber.

President Trump is proposing to spend $1.5 billion on defensive cyber inside DHS.  Compare that to $50 billion for the U.S. Intelligence budget in 2013 – about 3 percent.

Departing NSA Deputy Director Rick Ledgett confirmed that 90% number and said that it needed to be adjusted.

In a recent NSA reorg, IAD, the division of the NSA responsible for defensive cyber was buried inside a new operations division, meaning even less attention may be given to defense.

In early 2014 President Obama issued a directive that said that the NSA had to disclose bugs unless they have clear national security or law enforcement value, in which case they can be kept secret.  Almost any serious cyber bug could be said to have clear national security or law enforcement value.

In any case, it is possible that our adversaries were also aware of and using the Cisco bugs against us and our allies.  Such is the conflict the USCYBERCOM faces every day – use the bug or disclose it?  Are we (USCYBERCOM) the only ones who know about the bug or do our adversaries know also.

Whether we think what Wikileaks did was right or wrong, it is clear that a number of potentially serious bugs will be patched as a result.

From the CIA’s standpoint, it is possible that even if our adversaries knew about some of the same bugs that they knew about, our ability to exploit them or the value in keeping the bugs in place and continuing to collect data for as long as possible might outweigh the disadvantage that our enemies were using the same bugs against us.

This is clearly a mess and I am not confident that politicians understand the problem well enough to actually fix it, but we can hope.

 

Information for this post came fro Reuters.

Facebooktwitterredditlinkedinmailby feather

Cisco, Juniper Hardware Flaw May “Brick” Firewalls in 18-36 Months

First it was Cisco; now it is Juniper and apparently there are a number of other vendors who will be affected by this flaw.

While no one is saying who the vendor of the flawed hardware inside Cisco and Juniper products is, it is believed that it is Intel’s Atom C2000 chip.  Intel has acknowledged problems with that chip which seem to match the description that Cisco and Juniper are saying exists in their hardware.  Stay tuned.

Cisco has set aside $125 million to pay for repairs for faulty equipment.

So what, exactly, is the problem?

Juniper and Cisco are saying that there is a flaw in a hardware clock component that is used in their switches, routers and security devices that may cause the device to crash and die starting about 18 months.  The device is not rebootable and not recoverable.  It is, as we geeks like to say, “bricked”.

Cisco says certain models of its series 4000 Integrated Service Routers, ASA security devices, Nexus 9000 switches and other devices are affected.

Juniper said that 13 models of switches, routers and other products are affected.

Juniper says it is not possible to fix the devices in the field.  They also said that they started using this component in January 2016, so the 18 month lifetime is rapidly approaching.  They say they are working with affected customers.

HP has announced that some of their products use the Intel C2000 and may be affected as well.   Expect more manufacturers to make announcements as they analyze their product lines.

For users, it seems like if your product is under warranty or a service contract dated as of November 16, 2016, Cisco will replace the device proactively.  They say that they expect the failure rate to have limited failures at 18 months, but a more significant failure rate as it reaches the three year age range.

For customers that are not under warranty or a service contract, well ……… I think you may be on your own.

If you have products that use this component, you should work with your suppliers to understand the risk and figure out how to mitigate it.

 

Information for this post came from Network World and CIO.

[TAG:ALERT]

Facebooktwitterredditlinkedinmailby feather

Follow On To Last Week’s Posts On Patching And CERT Alert

As a follow on to last week’s posts on why patching is critical and the CERT alert on The Shadow Broker’s release of a whole raft of firewall hacks, this week Cisco is announcing that their software is vulnerable to attack, there is no workaround and they are working on patches.  BUT, there is a silver lining.

First, the problem.  There is a bug in their implementation of the IKE key exchange protocol that is used by their VPN access routines.

Now the good news.

  • The bug affects IOS XR versions 4.3.x to 5.2.x, but releases 5.3 x and newer are not affected
  • The bug also affects PIX firewalls version 6.x and prior, but versions 7.0 and later are not affected.

IOS XR 5.3 was released last January.

Cisco PIX has reached end of life status and is not supported anymore.

So first, we are already seeing fallout from the Shadow Broker release and Cisco, at least, is starting to issue patches.

Second, if you are being good about patches and not running obsolete software,  at least in this case, you would not be vulnerable to this particular exploit.

This just reinforces my comment from last week to be religious about patching.  It is critical.

Information for this post came from Network World.

For a complete list of all software affected, read the Cisco announcement here.

 

Facebooktwitterredditlinkedinmailby feather

CERT Releases Threat Advisory On Firewalls

Last month a hacker group known as The Shadow Brokers released a series of exploits that they said belong to an NSA contractor that has been call the Equation Group.

Whether the Equation Group is real and whether they are a vendor of exploits to the NSA or not is really not terribly relevant in the big picture.

What is relevant is that they released a whole bunch of exploits that are being used – and likely, at least some of them have been used for a while – to silently break into corporate networks.  And probably government networks too.  The Exploits attack Cisco, Juniper, Fortinet and Topsec (A Chinese company) firewalls, among other network hardware.

The problem here is one that people have been talking about since US Cybercom was created.  That problem is that the same group of people who are responsible for hacking people (the NSA) is also responsible for protecting people from hackers and that is a battle that they cannot deal with.  When the NSA / Cybercom finds a vulnerability, they have to decide if they are going to tell the manufacturer so that they can fix it, or keep it to themselves to that they can use it until someone else finds it and tells the manufacturer.

The problem with that philosophy is that given the NSA was able to find it, it is likely that the Chinese or Russians were able to find it also.  And the Chinese are unlikely to tell Cisco or Fortinet about their bug, so as long as the NSA keeps it secret, our adversaries, if they know about the bug, are using it against American companies as well.

The President issued a directive explaining the rules of engagement surrounding this issue, but the rules say that the NSA can keep it secret and not tell the manufacturer if they think the bug has intelligence value to them.

So here we have a group of anti-hackers (The Shadow Brokers) that released a whole trove of bugs converted to attacks, which is good for users because now the bugs will eventually be fixed, but in the mean time, until they get fixed, the hackers can use them to attack you and me.

The advisory goes into some detail on the attacks that were disclosed, including ones against the Cisco ASA firewalls, a very popular corporate firewall.

The alert makes a couple of very useful suggestions:

  1. Segregate your network.  What this means is that you want to isolate your network into separate domains so that an attacker doesn’t have the run of the house once they break thru the front door.  It provides suggestions on how to do that.
  2. Limit “lateral” communications.  What this means is that you want to limit peer to peer computers from talking to each other unless there is a business reason to do that.
  3. Harden network devices.  This means, on firewalls and such, encrypt all traffic, use robust passwords, restrict physical access and other suggestions described in the alert.
  4. Secure access to firewalls and switches.
  5. Perform out of band management.  This would stop an attacker from being able to get to certain resources.
  6. Validate the integrity of the hardware and software.

The alert goes into a lot more detail, but given that we have strong reason to believe that the NSA and probably other intelligence agencies have been using these attacks in the wild and NOW, these attacks are know to every hacker on the planet, it is critical that companies protect themselves.

 

The CERT advisory can be found here.

A Wired article on the issue can be found here.

[TAG:ALERT]

[TARG:TIP]

Facebooktwitterredditlinkedinmailby feather

Cisco ASA Firewall Critical Vulnerability

In the last couple of months we have seen attacks on all of the major cyber security infrastructure products.  Juniper.  Cisco. Fortinet.

Is this because something magic happened and opened the vulnerabilities flood gates?  Unlikely.

Is this because the hackers and/or intelligence community opened their kimonos and started sharing their zero-day vulnerabilities with us?  Also unlikely.

What is likely is that these vulnerabilities have always been there and for some reason the security research community is looking harder after the first domino fell.

What we don’t know – and likely never will know – is who knew about these bugs when and who was using them to attack us when.  We know, for example, that the Juniper vulnerability was around since 2012 – over three years ago.  In that time, who knew about it and who used it?  Good guys?  Bad guys?  Unclear.  Uncomfortable for sure.

Sorry for the long preamble, but the setup is important.  This week Cisco revealed another vulnerability in their flagship security product called the ASA or Adaptive Security Appliance.  It comes in several models and even runs in some of their switches and firewalls.

However, it was revealed that by merely sending it a specially crafted packet, you can execute arbitrary code in the ASA, take full control of the system or even reload it.

Let that sink in for a minute.  Think of the ASA as the guards on the wall of the castle.  These guards didn’t just get overwhelmed;  they went over to the other side.

If someone was aware of this attack – as the entire hacker world is now – one packet and I own your entire network.

Cisco rates this vulnerability as a TEN on a 1-10 scale.  If they could make it an ELEVEN, they likely would.

The Internet Storm Center at SANS has reported seeing “a large increase” in probes looking for this vulnerability.

If you are running the ASA software in your company – and it is very popular – and have not patched it yet, you need to do that as soon as you possibly can because the hackers now now the secret and are out there looking for systems that have not been patched.

 

Information for this post came from Cisco and Network World.

Facebooktwitterredditlinkedinmailby feather

China Stops Buying Western Brands

Reuters is reporting that the Chinese government has removed a number of Western technology vendors products from the approved list.

Whether this is due to Western surveillance or just due to their desire to support local companies is not clear – they are not saying.

What they are saying is that Chinese companies “offer more product guarantees that overseas rivals”.  Translating that, we can look at their code and hardware to see if we like it.

Cisco used to have 42 products on the approved list.  Now they have none.  Bloomberg reports that Cisco did about $2 Billion in sales in China out of about $48 billion worldwide.

Apple and Intel have also been dropped off the approved list.  In fact, the number of Western companies has fallen by one third and the number of Western companies selling security products has fallen by half.

There are many very smart Chinese engineers.  For the government to use their smarts with the government’s money to control the software and hardware that secures their infrastructure makes perfect sense.

Microsoft is off the list as well, but since most Microsoft software used in China is pirated, that probably won’t impact usage of Microsoft products.

This is a bit of a double whammy.  Obviously it impacts sales for companies like Cisco.  Cisco has announced it will layoff around 6,000 employees or 8 percent of it’s workforce this year.  That will have a ripple effect on the economy.

The other part is that the NSA has already figured out how to hack Cisco products, so now they have to go back to work to figure out how to hack the Chinese products.  The good news is that this is likely not hard since many Chinese network products look like a clone of Cisco gear.  If you put a network engineer in front of some Chinese network equipment, they would not know that they are not working on a piece of Cisco gear. 🙂

 

Mitch

Facebooktwitterredditlinkedinmailby feather