NSA's Cisco PIX exploit leaks

Cisco PIX firewalls can be made to cough up their VPN configurations and RSA private keys, allowing network eavesdroppers to decrypt secure connections. The NSA's Equation Group exploit code – leaked online this week – includes a tool called BENIGNCERTAIN that crafts and sends a special Internet Key Exchange (IKE) packet to …

  1. Anonymous Coward
    Childcatcher

    No! This can't be!

    NSA doesn't have backdoors. NSA needs backdoors. They keep on and on saying so... so it must be true! Probably doubleplustrue by now!

    Shirley you must be thinking of Huawei Reg?

  2. Anonymous Coward
    Anonymous Coward

    On Friday, Cisco confirmed that PIX versions 6.x and prior are vulnerable to BENIGNCERTAIN, while version 7.0 and later are not. It's worth noting that Cisco fully discontinued support for its PIX gear in 2013.

    Spooky! ;o)

    It was nice of the NSA to have told Cisco about these holes. Er, wait.

    Told Cisco about these holes? Or NSA told Cisco exactly where to put these holes?

    Not sure "nice" would have been my adjective of choice...

    1. Anonymous Coward
      Anonymous Coward

      Looking at how many developers work, the NSA really doesn't need to tell anyone where to put holes; it just has to look for them, which is quite easy if it also has access to the source code.

      I had a quite heated discussion with a developer a few weeks ago because he didn't want to put some checks in the code that I explicitly asked for, because he thought a "normal" application wouldn't need them (note: the application is a service running with elevated privileges, thereby very dangerous if compromised).

      But you have to protect against "abnormal" situations where an attacker tries to subvert normal execution paths. Many developers lack the "lateral thinking" needed to understand how your code can be bent to do what it is not designed for. And many try to write code with the minimum effort. Bugs like these are often the result.

      1. Alan Brown Silver badge

        " And many try to write code with the minimum effort."

        Not only that but the culture extends to expending minimum effort fixing bugs too.

        (FWIW: I'm currently banging heads against Huawei on this very issue. Cisco and chums aren't the only ones guilty, it's just that the NSA has access to their source code.)

        Experience (with Suse and Redhat, amongst others) runs like this:

        You've got this hole. There may be others.

        "Fixed."

        Tested. You've got this other hole. There may be others.

        "Fixed"

        Tested. You've got this other hole. There may be others. Have you bothered actually checking this stuff?

        "You're a wanker and I won't work with you anymore. We refuse any more bug reports from you"

        Some months later the media reports the same holes in various bits of software they haven't bothered checking, and there's a mad panic to fix it before the script kiddies all pile in.

  3. Version 1.0 Silver badge
    Big Brother

    So we're safe if we upgrade?

    Version 7.0 probably just has a different vulnerability - wait for the leak of REALLYCERTAIN.

  4. sitta_europea Silver badge

    Wouldn't it be nice if governments actually tried to look after our interests? :)

    1. Fatman
      Joke

      "Whose" interests?

      "Wouldn't it be nice if governments actually tried to look after our interests? :)"

      Are you speaking of Joe Sixpack, or the businessmen that have bought the politicians?

      1. Richard 12 Silver badge

        Re: "Whose" interests?

        In the case of the NSA, either of those would do.

        Companies don't want the NSA snooping around their stuff either.

    2. Mark 85
      Coffee/keyboard

      "Wouldn't it be nice if governments actually tried to look after our interests? :)"

      See icon... Best belly laugh since the last time I watched the 3 Stooges. Oh... wait... government is more hilarious than the 3 Stooges, but they are a lot more dangerous than those 3 lads.
