This Is Why You Don't Outsource Your Network Security

10% discount when you pay in Monero (XMR)

MentalOutlaw

As a former Cisco engineer, I still crack myself thinking about the switch model where if you conected an ethernet cable to the console port, the cable would push the power buttons located next to the port, immediately switching off the device.

xanaxor

Just wanted to point out that every single on-site pentest I did where they used a cisco switch the "cisco:cisco" credentials never failed, it's like smoke alarm chirp for corporations, you would be amazed

ybsb

When I hear about network administrators making basic mistakes like this, I feel like I should be making 100k more than I do now.

jer

I worked for a startup for about a year some time ago.
They did outsorce their "security research" to somebody else.
First week of actually looking into what they had in their repos, found 3 obvious RCE exploits... You know who fixed them? The same guy doing the research.
Two of them turned from RCE to RegExp DoS (a flawed string-searching method that scaled exponentially in time the more characters you added, pretty bad stuff).
Believe me, outsourcing anything "security" is asking yourself for trouble. Either opensource the thing and charge for service or do the job yourself.

shapelessed

Same thing for your home security system.
If a third party can push updates to your router or alarm system without your consent, your system is compromised.

Dcmbr

Any incompetent IT people are welcome to come to Denmark and get reeducated into the construction sector or adjacent crafts, we have a big shortage of workers in this area, also care home workers. Enjoy a luxurious Danish middleclass lifestyle, with a high median income, a good work/life balance, and if you are the type that enjoys honesty from your peers then you'll enjoy the Danes for being very direct with you when there is anything they'd like to have a word with you about. Come to Denmark now!

chralexNET

"That brother should flip burgers"
- Hackers to the sys admins that configured the login panel to the public internet

danielelombardo

Unfortunately, at this point in time, a smart circular saw with connection to the internet doesn't sound like a total joke

Tidwillshare

I know an IT guy who doesn't even know what a VLAN is. He somehow has a better paying job than most of us in his circle. He is lazy, patronizing, and arrogant and puts no effort into his work. Only problem here is he manages a large Hospital's IT infrastructure. So, just use your imagination on what could go wrong. By the way his got this "negative energy" so none of his colleagues actually like him. Also he doesn't listen to advice.

trevorelvis

Security flaws, vulnerabilities, and hacking are just sucking all the fun out of what use to be a challenging but rewarding career. I am so burnt out on the chasing of tails to cover the latest big flaw or compromise. I know there are some out there that love this stuff, but I go into IT to design and implement infrastructure and make the blinkies blink. Dealing with this crap is just exhausting.

hgbugalou

I'm glad you commented on it; anyone busted through this should have never touched these devices.

All this stuff is outsourced and dumbed down to the most useless people because they see IT as a cost instead of looking at IT as the only reason their entire company can make money.

An IT security professional I studied under said, "If you want IT to be funded properly, you make every team that uses the service take from their budget to fund what they use." The only way to make sure IT doesn't turn into a mess.

domg

Circa 2004, we disabled the web UI "by default" on Cisco switches and routers and only allowed ssh.. this kept internal idiots from doing stupid things, NM external idiots...

YerBrwnDogAteMyRabit

Regarding why an HTTP server would be accessible to the Internet, it's about more than just making the administration interface accessible. It is common for these types of devices to offer clientless VPN access which utilizes an HTTP server of some kind.

The problem with this approach is that HTTP servers are inherently complicated. So it's more likely that an RCE could be hidden in all that code. Add in the fact that many administrators don't think about these systems as full blown web servers, and you have a recipe for disaster.

navv

I'm just gonna say here that using the web interface it completely fine, especially when you're working in a small branch or company with maybe 3 Cisco devices, however you should never expose that interface to an untrusted network. In fact you probably only want to expose it to a specific VLAN that really only your machine is part of.

Edit: Note I prefer the CLI most of the time but sometimes the web UI is faster and easier. I also went through CCNA training and Cisco REALLY pushes the web interface on you nowadays.

hummel

Any time Jayson is on the court it’s a security vulnerability for the defense! Thanks for another video, looking forward to seeing another great season from you.

remsee

I have no classical IT training whatsoever but I saw this setting on my personal router and even I thought "Why is this here? Who would need this?"

beatre

At what point do we have to start thinking about accountability and administering justice against companies/entities that fuck up this badly? Undoubtedly government systems are vulnerable as a result and that’s a risk to us the people. We can’t accept this

whirled_peas

"10/10 critical"
HOO BOY HERE WE GO

panqueque

My dad used to work at Cisco, there are a ton of really, really talented engineers who USED to work there… but I get the impression from every Cisco employee I talk to that their priorities are far more social justice oriented than making good products oriented

WillMoon