Welcome to Medary.com Sunday, January 29 2023 @ 02:25 AM CST

A day in network security

  • Contributed by:
  • Views: 3,128
Tom Liston is my hero.

Item: Cisco is having a bad month . . .

Cisco CCO Password Issue
Ever have one of those days? Looks like Cisco is having one of those months... It appears that something has happened to compromise the passwords for their Cisco Connection Online service. What exactly happened? Cisco isn't saying.

Attempting to log into CCO brings up the following terse message:

IMPORTANT NOTICE:
* Cisco has determined that Cisco.com password protection has been compromised.
* As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to cco-locksmith@cisco.com. Account details with a new random password will be e-mailed to you.
* If you do not receive your new password within five minutes, please contact the Technical Support Center.
* This incident does not appear to be due to a weakness in Cisco products or technologies.

Note: I do, indeed, know what caused this issue, but I've been enjoined from disclosing it until next year's Black Hat.

Gotta love that last bullet point... It reinforces that old security maxim: All the technology in the world won't save you from doing something dumb.

Update: A tip o' the always stylish Handler-On-Duty propeller beanie goes out to Scott who wondered whether Cisco is having Pancho check for differences in the "From:" and "Reply-To:" addresses on messages to cco-locksmith@cisco.com before sending out a password. He is...

Next, Tom discusses idiot vendors and the idiotic things they do with his contact information:

It Takes a Village...
Just yesterday, I received a canned message from a vendor:

Hey,
I'm updating my address book. Please take a moment to update your latest contact information. Your information is stored in my personal address book and will not be shared with anyone else. Plaxo is free, if you'd like to give it a try."

This was followed by a listing of my contact information that he'd sent to Plaxo and a link where I could sign up for his wonderful free service too.

No, I'd rather not, thank you.

Over the past few years, I've noticed the rising tide of online "communities." And like some sort of unholy sludge, they've increasingly been floating across the Internet and seeping their way into my inbox.

Stop it.

Stop it now.

Both Plaxo and the recently discovered (for me) sms.ac entice users to "import and invite" their contacts. They make it easy, giving the clueless noobs step-by-step instructions on how to upload the contents of their contact lists.

Don't.

Just don't.

If you happen to have someone's contact information, that person gave that contact information to you. If they wanted their information given to Plaxo or sms.ac, they would give it to them. Do you go around posting your friend's phone numbers on bathroom walls? Do you walk up to strangers on the street and give them Aunt Mildred's P.O. Box? How about your teenage daughter's IM identity?

Needless to say, Mr. Vendor (and his boss) got a quick phone call from me, wherein I pointed out my belief that some village somewhere must be missing its idiot.

Don't follow in his footsteps. Your village needs you...