On NPR’s ‘Fresh Air’ this week, Richard Clarke made some great points, in particular with the logic bomb scenarios of sneaking in code and untrustworthy hardware. While this is old news, it’s still a very real threat — recall that Chisco devices were discovered on US government networks and disclosed back in 2008.
With Richard Clarke’s story in mind, I think it’s worth revisiting the “Chisco” problem. The article below is from three years ago, yet the same Chisco eBay seller it mentions, “Sincere Networking”, is still up and running (ya gotta love that name, no?). Bear in mind this is just one of many Chisco eBay stores: there are plenty of others moving all types of Chisco gear on eBay, including routers, firewalls, and switches. We are way beyond WAN NIC interfaces, folks.
Why can’t these get shut down?
This counterfeit gear has already landed on plenty of networks, and that is likely to continue. I agree with the FBI’s conclusion on slide 10 that a huge risk in this area stems from small ‘mom n’ pop’ subcontractor outfits that choose to purchase this gear on the cheap from eBay and then charge back their own clients for the list price on CCO. Of course, that dirty network engineer in your organization could also do a swap-out with Chisco gear during your next change management window, and in these economic times perhaps merely to resell the valuable real card rather than to backdoor the organization’s network.
That said, recent security conference presentations, such as CanSecWest’s “Can you still trust your network card?”, should be at the forefront of the discussion when this Chisco topic comes up.
I know this is a dirty subject. It’s so dirty that very few folks even want to discuss it. It’s a nightmare. But like it or not, it’s going to be up to you to make sure that your gear is legitimate, especially if you’re on a US government network: according to slide 40 of the FBI’s presentation, “Cisco’s Brand Protection does NOT coordinate with Cisco’s Government Sales.”
Here are a few links to hopefully get you started on the right path.
Comments with additional resources are most welcome.