[154586] in North American Network Operators' Group
Re: Cisco Update
daemon@ATHENA.MIT.EDU (Jimmy Hess)
Fri Jul 6 00:12:27 2012
In-Reply-To: <201207060101.q6611bIB086234@aurora.sol.net>
Date: Thu, 5 Jul 2012 23:11:48 -0500
From: Jimmy Hess <mysidia@gmail.com>
To: Joe Greco <jgreco@ns.sol.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 7/5/12, Joe Greco <jgreco@ns.sol.net> wrote:
> It'll get real interesting when Cisco's cloud database is breached and
> some weakness in the password encryption is discovered.
[snip]
Will the users' passwords even matter, if a compromise of the
database allows an intruder to make a system-wide change to end users'
equipment, such as delivering a compromising configuration change, or
a "patched" firmware update that deactivates cloud service and
turns them all into botnet nodes under exclusive control of the
compromiser ?
Hopefully Cisco thought that stuff out, but password encryption
weaknesses at least are easily addressed by forcing all users to reset
pw, and requiring a proof of physical access to the unit.
--
-JH
