Networking giant in hot water for selling US govt buggy spy kit? Huawei again? No, it's Cisco

American tech giant coughs up $9m for shipping vulnerable crates of crap to Uncle Sam


Cisco finds its bank balance $8.6m lighter after it agreed to settle a False Claims Act lawsuit in the US over its video surveillance software.

On Wednesday, attorneys for whistleblower James Glenn announced that the networking giant's payout would settle the first ever US False Claims Act case to involve information security. For his trouble, Glenn (and his lawyers) stands to pocket $1.6m from the payout, while US states grab the other $7m.

Glenn, a former Cisco contractor, filed the whistleblower complaint in 2011, accusing Switchzilla of knowingly selling Uncle Sam, including all four branches of its military and FEMA, as well as fifteen US states, copies of its Video Surveillance Manager (VSM) suite without disclosing a critical design flaw.

The complaint alleged Cisco knew the hole was present from 2008 to 2011 but did not warn its customers. While the details of the bug have not been shared, the complaint stated that a successful exploit would potentially allow for a complete network takeover.

"The most critical flaw in the Cisco VSM allows the user of any video observation point, no matter how restricted, to gain access to the full contents of the system to which the central server is connected," a copy (PDF) of the complaint obtained by The Register reads.

"Many of Cisco’s customers have the surveillance system’s central media server installed on a computer that is connected to the same Local Area Network (LAN) as the rest of their computers. Due to the vulnerability in Cisco’s surveillance system, any user who has or can gain access to one video camera could potentially gain unauthorized access to the entire network of a federal agency."

Glenn claimed that not only did Cisco try to keep the VSM vulnerability under wraps, but Switchzilla also fired Glenn when, in 2008, he tried to warn Cisco and his then-employer, a local Cisco distributor in Denmark called NetDesign.

"Based on the circumstances of his firing, [Glenn] believes, and on that basis alleges, that he was fired in retaliation for alerting Cisco and NetDesign to the flaws in the Cisco VSM product," the complaint reads.

"After he was fired, Relator continued to monitor Cisco’s public pronouncements about its Video surveillance system, hoping to see that Cisco had fixed the problem or at least informed its customers of the vulnerability."

Cisco, for its part, says that the VSM products at issue have not been sold since 2014 and the flaw can actually be traced back to the original development of the software by Broadware, a company Cisco assimilated back in 2007.

"Broadware intentionally utilized an open architecture to allow customized security applications and solutions to be implemented. Because of the open architecture, video feeds could theoretically have been subject to hacking, though there is no evidence that any customer’s security was ever breached," wrote Cisco executive VP and general counsel Mark Chandler earlier today.

"In 2009, we published a Best Practices Guide emphasizing that users needed to pay special attention to building necessary security features on top of the software they were licensing from us." ®
