
A simple command allows the CIA to commandeer vulnerable Cisco switches - rbanffy
https://arstechnica.com/security/2017/03/a-simple-command-allows-the-cia-to-commandeer-318-models-of-cisco-switches/
======
rl3
Critical vulnerabilities in Cisco products that the CIA can exploit?

_"Cisco vice president of services Mike Quinn, a former CIA operations
officer, ..."_ [0]

_"... Cisco's recent acquisition of In-Q-Tel-backed security company
ThreatGRID ..."_ [1]

_"After retiring with 30+ years of service from the Agency, I spent several
years as adviser to Cisco System's Chief Security Officer, and I found Cisco
was doing great work; they're one of the backbones of the internet."_ [2]

Imagine that.

[0] [http://www.networkworld.com/article/2223473/data-center/cisco-vp-to-memo-leaker--finding-you-is-now--my-hobby-.html](http://www.networkworld.com/article/2223473/data-center/cisco-vp-to-memo-leaker--finding-you-is-now--my-hobby-.html)

[1] [http://www.networkworld.com/article/2358453/security/cisco-purchase-of-cia-funded-company-may-fuel-distrust-abroad.html](http://www.networkworld.com/article/2358453/security/cisco-purchase-of-cia-funded-company-may-fuel-distrust-abroad.html)

[2] [https://www.forbes.com/sites/realspin/2012/10/12/what-do-former-cia-spies-do-when-they-quit-the-spy-game/](https://www.forbes.com/sites/realspin/2012/10/12/what-do-former-cia-spies-do-when-they-quit-the-spy-game/)

~~~
linkregister
1. The vulnerability was probably exploited before the CIA guy joined Cisco.
The Vault 7 cache contains some seriously legacy docs.

2. Why would the ex-CIA guy hurt his _current employer_ to help his former?
Don't people do it the other way around?

3. Good luck finding a single Fortune 500 company that doesn't employ someone
that used to be in the Intelligence Community.

4. Telnet options are pretty arcane. It seems like an easy bug to write. The
_modus operandi_ of U.S. backdoor attempts in the past matches a different
model. U.S. backdoor attempts fit two models: backdoor dependent on secret key
(Dual_EC RNG), and backdoor dependent on physical sabotage (interdiction).
This is stuff available in the Snowden docs and related news reports.

It's a common HN meme that Cisco and Microsoft help the U.S. government spy,
but there isn't credible evidence supporting it. They actively resist
government espionage attempts.

Yahoo, RSA, et al. deserve the negative attention, not companies that fight
the good fight.

~~~
rl3
The edit window just expired as I attempted to amend my original comment, so
I'll amend it here:

Those links were the result of a few cursory Google searches. It wasn't
intended as a comprehensive representation of Cisco's CIA ties, nor to imply
that anyone mentioned was directly involved in backdoors. Rather, the point
was that when a security-oriented organization employs ex-spooks, it increases
the likelihood of spooky things happening. At the very minimum it fosters
distrust.

> _2. Why would the ex-CIA guy hurt his current employer to help his former?
> Don't people do it the other way around?_

While I didn't mean to imply any specific individual, I'll address the
underlying rationale: When someone's former employer is a powerful government
spy agency built on secrets, the loyalty dynamic is a bit different than that
of normal private sector job hopping.

Moreover, I'm sure the CIA isn't stupid and tends to maintain
relationships—intentionally or not—with former employees that cross over to
private sector work, especially high-level people since they're already
trusted, reliable, and may be taking positions that later prove to be
beneficial to CIA interests in the future.

> _3. Good luck finding a single Fortune 500 company that doesn't employ
> someone that used to be in the Intelligence Community._

This is a fair point. Given the nature of Cisco's products, and combined with
recent leaks detailing the pervasive nature of US offensive cyber efforts, it
should raise more suspicion than normal when former IC people go to work for a
company dealing with network hardware.

That said, I'm not sure how you'd quantify the number of former IC people
Cisco hires versus a normal Fortune 500 company. For all I know it could even
be lower than average.

> _... and backdoor dependent on physical sabotage (interdiction) ..._

This approach is far superior to baking vulnerabilities into entire product
ranges (or even standards). It doesn't compromise the private sector in the
process, beyond perhaps supply chain integrity. The flipside of course is that
physical implants don't really scale well, but at least the blowback is
relatively minimal when things go wrong. Not to mention it's just badass in a
_James Bond_ kind of way.

> _It's a common HN meme that Cisco and Microsoft help the U.S. government
> spy, but there isn't credible evidence supporting it. They actively resist
> government espionage attempts._

While that's true, it's also possible a company can publicly say or do one
thing—genuine or not—and actively do another because of either connections, or
that they're being compelled against their will by NSLs. It's also possible to
have factions or even individual employees within a company that are actively
subverting security with the addition of backdoors, unbeknownst to management.

~~~
andreyf
> At the very minimum it fosters distrust.

why? how does someone who has been vetted by the IC as a trustworthy keeper of
_their_ secrets become less trustworthy?

> CIA isn't stupid and tends to maintain relationships with former employees
> that cross over to private sector work

what kind of "relationships" are you talking about here?

~~~
rl3
> _why? how does someone who has been vetted by the IC as a trustworthy keeper
> of their secrets become less trustworthy?_

Because their loyalties may lie with their former employer. National security
matters tend to take priority over private sector loyalty for many people, and
I'd imagine especially so for former IC types since they tend to be extremely
patriotic. I mean that as a compliment, not an insult.

> _what kind of "relationships" are you talking about here?_

Personal relationships. Say Joe retires for private sector work. He's good
friends with Bill, who's a case officer. Later when some national security
matter comes down the pipe requiring access at Company Y, Bill knows Joe who
works there. Seeing that Bill and Joe have been through some shit together,
that relationship is probably going to supersede loyalty to any private sector
employer _when there are underlying national security motivations involved_.

It's not tinfoil hat conspiracy allegations, just basic human dynamics.

~~~
linkregister
Again, I'm glad you're engaging. I'm not down voting you.

> Because their loyalties may lie with their former employer.

By that logic, Apple shouldn't hire any employees from Google, because they
might reveal iOS secrets.

> Personal relationships... that relationship is probably going to supersede
> loyalty to any private sector employer

Sure, anything could happen. In your example, Joe gets nothing except enormous
risk of public humiliation and expensive litigation in exchange for the favor
to Bill. Any employee that is involved in this would almost certainly speak to
someone. This isn't like a National Security Letter; there's no force of law
to compel silence. It would be a foolish move for Joe.

Then Bill gets a call on his gray phone from his boss. "Why is the CIA in the
newspapers for attempted backdooring of Cisco products?" We don't hear about
this stuff because it doesn't happen like this.

People that are so loyal to the CIA don't leave for a pure private sector
company. They go to a contractor so they can stay in the ecosystem. People
going to Cisco are (1) physically moving away from Northern Virginia, (2)
losing access to secrets.

Besides, it doesn't sound very patriotic to insert a backdoor that's not even
protected by a secret (e.g. key escrowed Clipper Chip, P and Q in Dual_EC)
that goes into hardware purchased by more Americans than anyone else in the
world.

~~~
rl3
> _By that logic, Apple shouldn't hire any employees from Google, because
> they might reveal iOS secrets._

Apple and Google are on the same playing field though. They're fundamentally
the same type of entity. An intelligence agency vs a pure private-sector
company is not.

> _Any employee that is involved in this would almost certainly speak to
> someone. This isn't like a National Security Letter; there's no force of
> law to compel silence. It would be a foolish move for Joe._

While certainly risky, I'm not saying Joe wouldn't be legally protected. His
favor very well could be under the auspices of an official program. Heck,
IANAL but it possibly could even be in the form of an NSL. As far as I'm aware
they're the legal equivalents of blank slates and don't necessarily require
informing the upper echelon of a company of their issuance, but I could be
wrong on that. I know that it is at least customary to do so, however.

Either way, let's say the government wants to issue a NSL requesting a very
specific, perhaps even temporary backdoor to a Bay Area company. The normal
route would likely start a veritable war with that company's legal department,
and runs a non-insignificant chance of being leaked by those who know about
it.

Contrast that scenario to issuing the NSL directly to Joe, who they know in
advance is solid. If Joe happens to be an engineer, mission accomplished. If
he isn't technical, then maybe he just happens to bring a USB stick to the
office one day and plugs it in.

If that sounds far-fetched, keep in mind that the NSA compromised Google's
internal network during the course of their operations, so network
exploitation against U.S. companies isn't even off the table.

> _People that are so loyal to the CIA don't leave for a pure private sector
> company. They go to a contractor so they can stay in the ecosystem. People
> going to Cisco are (1) physically moving away from Northern Virginia, (2)
> losing access to secrets._

All good points, but it doesn't mean they're cutting ties and shunning their
former life either.

> _Again, I'm glad you're engaging. I'm not down voting you._

Thanks. :)

~~~
linkregister
> Apple and Google are on the same playing field though. They're fundamentally
> the same type of entity. An intelligence agency vs a pure private-sector
> company is not.

Good point; my analogy fails.

> NSA compromised Google's internal network

News stories that used that phrasing were being inaccurate; the collection was
of plaintext traffic between international Google datacenters. The Intercept
explains it pretty well.

> As far as I'm aware they're the legal equivalents of blank slates and don't
> necessarily require informing the upper echelon of a company of their
> issuance, but I could be wrong on that. I know that it is at least customary
> to do so, however.

The point I'm making is that it's rational for people not well-versed in the
minutiae of foreign intelligence regulations to think that intelligence
agencies can and do intrude however they please on private companies. In
reality, it's with great caveats and with a (perhaps insufficient) legal
process that introduces friction. It is far more overt and less
cloak-and-dagger than would ordinarily be desired. The most clandestine way possible to
spy would be with the badass methods we talked about earlier.

> Either way, let's say the government wants to issue a NSL requesting a very
> specific, perhaps even temporary backdoor to a Bay Area company. The normal
> route would likely start a veritable war with that company's legal
> department, and runs a non-insignificant chance of being leaked by those who
> know about it.

NSLs aren't a magic spell that gives the government whatever it wants. They go
through a company's legal department and are subject to limitations. Several
companies have successfully defeated the gag order portions of their NSLs.
Having an inside man wouldn't be particularly advantageous since the company
lawyers must get involved (the U.S. hasn't yet prohibited a person's legal
representative from viewing writs).

At the end of the day, the government has a monopoly on violence and can send
the Army to invade Cisco or anyone else it doesn't like. But due to the
conscientious individuals that make up the government, and the public
relations and legal risks that are involved, this is unlikely to happen. What
I'm describing is a series of norms that are unlikely to be broken in the
course of spying business. There are far cheaper, easier, and less risky ways
to accomplish espionage than a covert, mass-distributed, plaintext backdoor.

I do wish that the credibility of U.S. companies was taken into account more
often when espionage decisions are made. The terrible optics behind PRISM made
it look like companies were volunteering information, when the government was
coercing them through the NSL program.

~~~
rl3
> _News stories that used that phrasing were being inaccurate; the collection
> was of plaintext traffic between international Google datacenters._

A US intelligence agency targeting a portion of a US company's infrastructure
that just happens to be international still constitutes a breach of trust.
Whether that means they'd go as far as compromising an office network located
in the United States is another matter, but I seem to recall a talk given by a
security chief at Google discussing their use of custom RISC-V silicon for
security due to their threat model including nation-state actors, with
explicit mention of Western intelligence agencies. I wish I could find the
link.

> _The point I'm making is that it's rational for people not well-versed in
> the minutiae of foreign intelligence regulations to think that intelligence
> agencies can and do intrude however they please on private companies._

The mental gymnastics[0] that the NSA already uses to legally justify domestic
collection on US citizens doesn't really inspire confidence that the IC
wouldn't stoop to similar antics when it came to private companies.

> _Having an inside man wouldn't be particularly advantageous since the
> company lawyers must get involved ..._

Must they? My point was that legally compelling an insider who's already on
your side might serve as an interesting loophole. Especially if they're not
required to inform counsel and have no intention of doing so. Like I said
though, IANAL.

> _... (the U.S. hasn't yet prohibited a person's legal representative from
> viewing writs)._

It's worth noting that in the early days that wasn't so clear:

_"CONAN: And they are roughly equivalent to subpoenas.

Mr. LICHTBLAU: Yes and no. There are differences - one of the key differences
is that for a long time the recipient was not even allowed to tell you when
they received such a letter.

CONAN: Even their own lawyer.

Mr. LICHTBLAU: There was debate about whether or not you could even get a
lawyer."_ [1]

> _I do wish that the credibility of U.S. companies was taken into account
> more often when espionage decisions are made. The terrible optics behind
> PRISM made it look like companies were volunteering information, when the
> government was coercing them through the NSL program._

Agreed.

[0] [https://news.ycombinator.com/item?id=10605489](https://news.ycombinator.com/item?id=10605489)

[1] [http://www.npr.org/templates/transcript/transcript.php?storyId=6885103](http://www.npr.org/templates/transcript/transcript.php?storyId=6885103)

~~~
rl3
> _I wish I could find the link._

Eric Grosse at 5th RISC-V Workshop, 2016:

[https://www.youtube.com/watch?v=0knR6vXba7g](https://www.youtube.com/watch?v=0knR6vXba7g)

Slides: [https://riscv.org/wp-content/uploads/2016/12/Tue1330-RISC-V-Google-Keynote.pdf](https://riscv.org/wp-content/uploads/2016/12/Tue1330-RISC-V-Google-Keynote.pdf)

------
minsight
"We are shocked that the CIA has the ability to use the command that we left
in our firmware for them..."

------
walrus01
If you're exposing telnet to the public internet on anything you need to
rethink whether you're competent to run internet infrastructure.

~~~
Johnny555
I doubt that many Cisco shops expose telnet to the public internet, but I bet
plenty of them have it exposed on a "secure" internal network since they know
that no outside attacker can possibly reach it.

~~~
walrus01
99% that I know of have _at least_ disabled telnet even on internal. SSH2
only. And/or access via secured bastion/console server to a login prompt via
RS232 9600-8N1 connection.
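The practice walrus01 describes (no Telnet on the vty lines, SSH only, console or bastion as the fallback) is easy to state and easy to regress on across a fleet. The following is an added example, not code from the thread, from Ars Technica or from Cisco: a small Python audit that reads a saved `show running-config` and reports every `line vty` range whose `transport input` still admits Telnet. The `line vty`, `transport input telnet|ssh|all|none` commands are standard IOS syntax; the configuration excerpt embedded below is constructed for illustration, and whether an absent `transport input` command admits Telnet depends on the IOS release, so the script reports that case as "unknown" rather than guessing.

```python
"""Audit Cisco IOS 'line vty' stanzas for inbound Telnet.

Added example (not from the article, the thread or Cisco). It parses a
running-config excerpt and flags each vty range whose 'transport input'
still admits Telnet. SAMPLE_CONFIG is constructed for illustration.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: one range still accepts telnet, one is SSH-only,
# one has no explicit transport command at all.
SAMPLE_CONFIG = """\
!
hostname core-sw-01
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
line vty 16 31
 login local
!
end
"""

# 'line vty 0 4' or a single-line form such as 'line vty 0'
VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")


@dataclass
class VtyFinding:
    vty_range: str                          # e.g. "vty 0 4"
    transport_input: Optional[List[str]]    # tokens after 'transport input', None if absent
    accepts_telnet: Optional[bool]          # None when the config does not say explicitly
    remediation: str


def parse_vty_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Return (range, [indented sub-commands]) for each 'line vty' stanza.

    IOS nests a line's sub-commands under it with a leading space; any
    non-indented line ends the stanza.
    """
    blocks: List[Tuple[str, List[str]]] = []
    current: Optional[Tuple[str, List[str]]] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = VTY_RE.match(line)
        if m:
            rng = "vty " + m.group(1) + (" " + m.group(2) if m.group(2) else "")
            current = (rng, [])
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current[1].append(line.strip())
        else:
            current = None
    return blocks


def transport_input_tokens(sub_commands: List[str]) -> Optional[List[str]]:
    """Return the protocol list from 'transport input ...', or None if unset."""
    for cmd in sub_commands:
        if cmd.startswith("transport input"):
            return cmd.split()[2:]
    return None


def audit_vty_transport(config: str) -> List[VtyFinding]:
    """Classify every vty range by whether it admits inbound Telnet."""
    findings: List[VtyFinding] = []
    for rng, sub in parse_vty_blocks(config):
        tokens = transport_input_tokens(sub)
        if tokens is None:
            accepts: Optional[bool] = None
            fix = (f"line {rng}: no explicit 'transport input'; the default varies by "
                   f"IOS release, confirm with 'show line' and set 'transport input ssh'")
        elif "telnet" in tokens or "all" in tokens:
            accepts = True
            fix = (f"line {rng}: replace 'transport input {' '.join(tokens)}' "
                   f"with 'transport input ssh'")
        else:
            accepts = False
            fix = f"line {rng}: no change needed"
        findings.append(VtyFinding(rng, tokens, accepts, fix))
    return findings


if __name__ == "__main__":
    # Usage: python vty_audit.py [saved-running-config.txt]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for f in audit_vty_transport(text):
        print(f"{f.vty_range:10} transport_input={f.transport_input} "
              f"telnet={f.accepts_telnet} -> {f.remediation}")
```

Before applying `transport input ssh` to a range you are currently logged in through, confirm SSH already works on that device from a second session; otherwise the only way back in is the console or bastion path walrus01 mentions, which is exactly why that out-of-band path should exist before the Telnet listener goes away.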

------
6stringmerc
ArsTechnica article as of this posting:

> _Cisco Systems said that more than 300 models of switches it sells contain a
> critical vulnerability that allows the CIA to use a simple command to
> remotely execute malicious code that takes full control of the devices.
> There currently is no fix._

Text on Cisco Support Site linked on ArsTechnica:

> _This vulnerability affects the following Cisco devices when running a
> vulnerable Cisco IOS software release and configured to accept incoming
> Telnet connections: [Models list]_

Put aside for a moment the 'desirability' of the outcome, but from what I
gather on Cisco's site, by turning off incoming Telnet connections, the
vulnerability can be fixed. I'm rather confused about this.

~~~
tvon
Disabling the service is a way to protect you from the vulnerability, but it
is not a fix for the vulnerability. A fix for the vulnerability would allow
you to continue using the service.

~~~
chousuke
The article kind of makes it sound like telnet is somehow necessary and that
disabling it hasn't been a best practice for years.

Maybe there are still old devices that don't support SSH and you literally
have no option, but really, what other reason is there to have telnet enabled?

~~~
6stringmerc
That's what I was thinking about. On the Cisco support site Telnet gets barely
a mention. It is apparently not the flagship feature of these switches and
whatnot. Okay maybe it's customary to leave it open but there's a lot of lazy
practices that result in bad security, not just headline "vulnerabilities"
that affect - gasp - 300+ models!

So, basically I think Ars Technica's sub-par quality strikes again, in that a
tech site gets a fundamental understanding of technology wrong. If something
isn't mission critical, can be turned off, and alleviates a vulnerability,
then that's a way to fix it. Plain fucking English.

~~~
peterwwillis
No, that is a workaround. Telnet is still broken until they patch the security
hole.

------
madmulita
Thank god only the CIA knows the "simple command".

~~~
mtgx
It was probably that simple on purpose, knowing Cisco's ties to intelligence
agencies.

~~~
linkregister
What are those ties? Besides speculation and the fact they sell equipment to
intelligence agencies (and everyone else).

------
busterarm
Shameless plug for my old buddy Ang's product, Symbiote Defense. Definitely
watch the DEFCON talk about this.

[https://www.redballoonsecurity.com/](https://www.redballoonsecurity.com/)
[https://www.youtube.com/watch?v=HyEiMyyrfyE](https://www.youtube.com/watch?v=HyEiMyyrfyE)

------
Lazare
Headline is pretty click-baity.

It looks like a better version might be "Some older Cisco switches are
vulnerable to a simple telnet-based exploit." And then buried deep in the body
it could be noted that, while the CIA should probably be expected to be aware
of any vulnerabilities, we actually know that they are aware of this one in
particular due to some leaks.

(Whereas the existing headline suggests that ONLY the CIA can use this
vulnerability, which was false even before the leak.)

But then, an article about how you shouldn't expose telnet to the public
internet wouldn't be very newsworthy would it? :)

------
ajamesm
s/CIA/arbitrary third party/

Headline makes it sound like the Cisco routers come with a CIA SSH key baked
in.

------
nthcolumn
It is one thing to try to penetrate a system (solely for the purposes of,..&c.)
that to all appearances seems impermeable to your meagre skills but once you
know that these impregnable walls you face can and do become doors placed
there by like-purposed if not necessarily like-minded individuals then what a
fillip! What more encouragement to keep you fuzzing just that little bit longer
and who knows maybe you will stumble upon it! That sir, is the damage.
Software can be patched. Trust cannot. (And this is what I sound like from my
high horse apparently).

------
lawless123
"Computer Scientists Hate Him"

------
ue_
> and organizations get unfairly accused.

I understand people, but why organisations? Capitalist firms literally thrive
on the exploitation of labour, disregard for the environment and otherwise
reckless pursuit of profit.

~~~
linkregister
Capitalist firms employ people, who support families. They may have relocated
to a region where they can't find alternate work if the company folds.

Capitalist firms are owned by asshole billionaires, nice billionaires, pension
funds, individual investors, and retirement funds. They're still owned by and
made up of people.

Instead of inventing false accusations about them, debate them on their
merits.

~~~
ue_
>Capitalist firms employ people, who support families.

The feudal lord supports families by giving them a place to live while the
workers pay tribute with the fruit of their labour. The idea that the workers
ought to be grateful for being exploited is, in my opinion, silly. Capitalist
firms pay for the labour-time, which includes the cost of (i) the worker
staying in the work force (ii) the worker "recharging" with a moderate amount
of sleep and entertainment (iii) the worker adding more to the workforce via
reproduction, so the children are also paid for.

The worker is an expense, the family is an expense. The family is an expense
because if it was not paid for, the workers could not work or the supply of
workers becomes more scarce.

So yes, while the capitalist firm may employ people who provide for the
family, so does the slave owner, for the purpose of future slaves. And as soon
as the worker is not profitable, what happens to that support for the family?
It disappears.

So the merits are thus: people are kept in servitude by virtue of their status
of being a worker, with just enough income to pay to replenish the work force
and stay motivated. That's the merits of the capitalist firm.

Edit: if the downvoters would like to ask questions or respond, it would be
nice to know where I'm going wrong, thanks :)

~~~
cmdrfred
You seem to not be a fan of capitalism. Do you live in China, Cuba, Vietnam,
Laos or North Korea? If not, why not?

~~~
ue_
>China, Cuba, Vietnam

These are capitalist countries, in which wage labour is the primary way by
which workers sustain themselves; property is privately owned (and yes, the
government can privately own property).

>North Korea

North Korea is an ethno-nationalist dictatorship run by a hereditary monarchy.

What's your point?

~~~
cmdrfred
Others disagree with your sentiment:
[http://www.thenewstrack.com/top-5-communist-countries-in-the-world/](http://www.thenewstrack.com/top-5-communist-countries-in-the-world/)

Where is an example of a good system then?

~~~
ue_
People disagreeing with me does not mean that I'm wrong. Communism is defined
as a stateless, classless and moneyless and anarchistic society in which
people are not paid with wages for work. Even in Socialism, the means of
production are owned by the workers. None of the countries in this post have
either of these qualities.

However they all exhibit the fundamental properties of capitalism: the primacy
of wage labour, private ownership of capital and the means of production, and
production is for exchange value to be maximised over use value.

I am an anarcho-Communist. I believe in the demolishing of the state and all
unjustified hierarchical relations, including but not limited to the
government and the bourgeoisie, to advance toward a society in which the means
of production are collectively owned by the workers. Distributed networks of
councils of workers, each of which implementing direct democracy to decide
what is made and in what quantity. The workers take home the products of their
labour, or agree to have them distributed to those who are unable to work,
again via direct democracy.

My system is the abolishment of exploitation of the workers and with it the
system of oppression aided by capitalism's power structures, including
misogyny, racism, homophobia etc.

~~~
cmdrfred
Anarchism - belief in the abolition of all government and the organization of
society on a voluntary, cooperative basis without recourse to force or
compulsion.

Communism - a political theory derived from Karl Marx, advocating class war
and leading to a society in which all property is publicly owned and each
person works and is paid according to their abilities and needs.

If there is no government, who distributes things based on needs? Why don't I
just kill you and take everything you own? Communism is total government,
Anarchism is no government. It's oil and water.

~~~
rblatz
That's why it's the best system to support in Internet forums! You can just pick
the parts from each that work for the argument you are making. Since they are
polar opposites you have a lot of ground to pick ideals from. Thus winning the
argument.

~~~
ue_
On what evidence do you proclaim that Communism works with a state? Or that
there is wage labour? Can you find any quotation at all from Marx or Engels in
support of the state? How do you explain the existence of anarcho-Communism if
you believe Communism has a state?

There is no need to be snarky. You could have just come out and said the
point, vacuous as it is.

------
samstave
jesus christ you guys; I have been telling you about this since 1997

~~~
Nomentatus
Scope of "this" ?

~~~
tedunangst
CIA ECHELON GOLD BOMB.

~~~
MrZongle2
...which isn't a terribly poor XKCD pass-phrase.

------
benevol
So a couple of years after Snowden's revelations, we're again being told
_"use US tech, be the bitch of the powerful"_.

And - honest question - why and how exactly would that ever become a thing of
the past?

~~~
lallysingh
Your best bet is open hardware and open source software.

