Cisco mostly silent on when and what it knew about malicious WebEx wipeout

Anyone can make infosec mistakes, but Cisco isn't anyone

Comment Cisco this week launched WebEx Classrooms, a version of its online collaboration suite tweaked for educational purposes and promised to enable “secure hybrid learning”.

Assuming nobody deletes the Classrooms from Cisco’s cloud.

Which may sound like an outlandish thing to have happen, save for the fact that last week we learned that the September 2018 WebEx Teams outage was caused by a former employee who was able to access Cisco’s AWS account five months after leaving the networking giant and deleted chunks of its cloud infrastructure.

Anyone can make an infosec mistake.

But this was three mistakes: the staffer should not have been able to get in, the deletion of 450-plus VMs should have been stopped by tools like Cisco’s own performance monitoring product AppDynamics, and disaster recovery should have required hours, not weeks.

And Cisco is not just anyone.

Indeed, Cisco is not just the networking market leader, it’s also the networking market leader that increasingly suggests cloud-hosted tools are the best way to manage its products.

Which matters because the manufacturer has not handled this incident well.

Back in 2018, your humble hack asked Cisco about the WebEx Teams outage, and the IT titan told me: “The service interruption was the result of an automated script running on our Webex Teams platform which deleted the virtual machines hosting the service.”

“This was a process issue, not a technical issue,” Cisco added at the time. “We continue to investigate the causes of the script being run, however we are confident that this is an isolated incident and processes are in place to prevent any recurrence.”

The words Cisco chose in 2018 could have been a faithful description of what it knew at the time. Well, it's now 2020 and I’ve not seen Cisco admit the real reason for the outage – deliberate sabotage – to customers. The world had to wait for a court case involving an ex-employee to emerge before being able to join the dots.

Because Cisco did not proactively disclose to customers what it now knows, nor when it knew it, I asked the company this month why it chose to inform users that automation-gone-wrong was the reason for the outage, why it maintained that line, how the employee retained valid AWS credentials for so long, and whether Cisco has since enacted measures to stop this sort of thing happening again.

Here’s what a Cisco spokesperson told me.

  • “Our immediate focus in September 2018 was to address the issue as quickly as possible, ensure no customer information was compromised, and implement additional safeguards.”
  • “We brought the issue to law enforcement and it was determined an individual used knowledge as a former employee to gain unauthorized access to protected systems and initiate the script that resulted in the disruption.”
  • “This was an isolated incident and processes and safeguards were put in place to prevent any recurrence.”

To your humble hack’s mind, those are not particularly satisfactory answers because they don’t explain what Cisco knew, when it knew it, nor how it chose to communicate with customers. Maybe Cisco decided not to discuss the incident while it was under investigation, but it would not be the first company to proactively explain why it was silent for so long.

Cisco has probably tightened up its CloudOps since this incident and has certainly made security a prominent part of its pandemic-purchasing pitch for WebEx and the new WebEx Classrooms.

But Switchzilla hasn’t said what they are, a position that contrasts strongly with the verbose incident explanations offered by major clouds and the often red-faced admissions of failure in its own field notices.

Which brings us to this new, won’t-somebody-think-of-the-children moment.

It’s clear that Cisco is thinking how to turn them into cash. But it is unclear if it has really thought hard about how to stop its Classrooms crashing out of existence. ®

Biting the hand that feeds IT © 1998–2021