08-02-2005, 03:11 PM   #1
Apophis
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 36
Posts: 8,917
"Cisco Gate" at DEFCON and Black Hat

For those of you out there interested in network/Internet security related topics:

Michael Lynn was a former employee of ISS. While employed at ISS he discovered a critical vulnerability in Cisco's IOS that is largely responsible for the backbone operation of the Internet. This vulnerability allowed an attacker to get full administrative/root (in Cisco land, called "enable") rights to network devices.

Lynn was scheduled to present this information this past week at Black Hat and was warned by his employer, ISS, not to present his findings. Lynn summarily quit his job at ISS in order to be able to present these findings.

Cisco and ISS responded by suing Lynn and the Black Hat organizers hours after his presentation on Wednesday and forced Black Hat to remove sections of the conference book that included notes on the vulnerability as well as a copy of his talk.

On Saturday, I watched Raven Alder's presentation on "Hacking the Backbone" and she had some very harsh comments towards Cisco:
"Cisco, you are really screwing up. Suing researchers is not going to make you secure. Alienating the security community is not going to encourage people to come to you and report problems and work with you."
How do you feel about these actions taken by Cisco? In this day and age, many companies are only as concerned about security as they are forced to be. Security vulnerabilities exist in all sorts of software products and hardware appliances that are never touched until the public becomes aware of them and forces the manufacturers to fix the flaws. As long as a security hole remains hidden, most companies don't bother to fix it.


Some Articles:
Cisco hits back at flaw researcher

Hackers rally behind Cisco flaw finder

Black Hat Day 1: Update on Cisco-Gate

A video clip of Cisco/ISS and Black Hat reps tearing out Lynn's section of the Black Hat Briefings book:
Book Destruction Video
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
08-02-2005, 03:19 PM   #2
leejo
Join Date: Sep 2003
Age: 39
Posts: 7,669
Re: "Cisco Gate" at DEFCON and Black Hat

I'm just saying that the guy is clearly willing to throw his job away for something he thinks is "right", in this case exposing a backbone vulnerability. What if he's working for me and finds some hole in our processes (not that we have any....HA!)? Will he feel compelled to announce it to the world over our objections? Seems so.

Last edited by leejo; 08-02-2005 at 03:36 PM.
08-02-2005, 03:30 PM   #3
Rahn
Join Date: Jul 2005
Location: USA
Age: 23
Posts: 127
Re: "Cisco Gate" at DEFCON and Black Hat

This wasn't just a "hackers" conference, law enforcement was there also...

Edit: And not in the way you're probably thinking.
__________________
I'm not the Killer Man...
I'm the Killer Man's son...
But I'll do the killing...
Until the Killer Man comes...

08-02-2005, 03:33 PM   #4
Apophis
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 36
Posts: 8,917
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by leejo
To me, the only way that Mr. Lynn's actions were correct is if he'd given Cisco plenty of notice and time to address the issue.

If Cisco and his employer were both telling him not to present his findings, then he's probably in the hot seat now. Furthermore, he's out of a job now, fired for defying his employer's instructions not to disclose his findings at a conference of hackers. That's gotta look great on your resume. Wouldn't you be a bit nervous about hiring this guy?
Cisco DID know about this issue and failed to properly remedy it. In many cases, software and hardware manufacturers don't put the time and money into resolving these issues until the point at which they feel it becomes a public threat.

Nothing was disclosed telling people exactly how to exploit this vulnerability. The only reason anyone should be concerned about hiring Michael Lynn is if they wish to practice security by obscurity and not to take the appropriate steps as soon as possible to remedy issues such as this.
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
08-02-2005, 03:35 PM   #5
Apophis
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 36
Posts: 8,917
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by Rahn
This wasn't just a "hackers" conference, law enforcement was there also...

Edit: And not in the way you're probably thinking.
There was quite a large law enforcement / DOD presence at both Black Hat and DEFCON this year.

Although I don't think it was any LEO or DOD employee that poured the Kool-Aid in Pool #3 on Friday night.
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
08-02-2005, 03:40 PM   #6
Buck Fush
Join Date: Feb 2005
Location: Littleton, CO
Posts: 602
Re: "Cisco Gate" at DEFCON and Black Hat

To me, this is akin to shooting the messenger. My company utilizes two very expensive (more than $100k) Cisco routers, and we cannot afford any downtime, as our routers are used to provide closed captioning for live TV broadcasts and we will be fined, no matter the reason. Just as I don't trust Cisco anymore to identify vulnerabilities, I cannot trust them to provide a reliable fix or workaround as quickly as I might need it. As is usually the case, providing this information to the world at large is more likely to produce a quick fix than waiting on the manufacturer. I think the whistleblower laws should protect people like this also.
08-02-2005, 03:43 PM   #7
Buck Fush
Join Date: Feb 2005
Location: Littleton, CO
Posts: 602
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by Apophis
.... The only reason anyone should be concerned about hiring Michael Lynn is if they wish to practice security by obscurity and not to take the appropriate steps as soon as possible to remedy issues such as this.
Exactly.
08-02-2005, 03:49 PM   #8
TheFeniX
Join Date: Jan 2004
Location: Houston, TX
Age: 26
Posts: 4,473
Re: "Cisco Gate" at DEFCON and Black Hat

It's Cisco.... I mean... are you really surprised they pulled this? I would be shocked if they didn't.

Cisco is the only company I know that sells a 100 Mb hub for $300 US. Last year it was $600.

They'd probably squeeze school-children to death if they thought silicon would come out of them.

Plus the food at their conferences sucks.
08-02-2005, 03:57 PM   #9
rs_al
Join Date: Oct 2004
Posts: 499
Re: "Cisco Gate" at DEFCON and Black Hat

According to the article:

Quote:
The actual flaw he exploited for his attack was reported to Cisco and has been fixed in recent releases of IOS, experts attending Black Hat said.
I wonder what his motivations were for disclosing this flaw? Cisco acknowledged and fixed it, but not everyone may have patched yet. It's one thing to inform the people that there is a very bad flaw that needs patching and that has an available patch, it's another to describe how to exploit the flaw. I think Lynn was just trying to make himself out to be a hot shot.

This has nothing to do with security by obscurity. Cisco patched it, and tried to protect their customers by stopping Lynn. From what I see, I don't think there's anything wrong with that.
08-02-2005, 04:24 PM   #10
rs_al
Join Date: Oct 2004
Posts: 499
Re: "Cisco Gate" at DEFCON and Black Hat

Actually, from one of the articles
Quote:
"It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual property rights," Noh added.

Lynn decompiled Cisco's software for his research and by doing so violated the company's rights, Noh said.
This is security by obscurity.

But it's important to note that, despite how the flaw was discovered, Cisco did patch it. Lynn quit his job at ISS because they didn't want to present their research yet, and he presented their research anyway. Any company that has an NDA should be concerned about hiring Lynn, because it's pretty obvious that doesn't mean anything to him.

The bottom line is, everyone involved in this whole mess was doing something wrong.
08-02-2005, 04:24 PM   #11
Buck Fush
Join Date: Feb 2005
Location: Littleton, CO
Posts: 602
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by rs_al
...... I think Lynn was just trying to make himself out to be a hot shot.

This has nothing to do with security by obscurity. Cisco patched it, and tried to protect their customers by stopping Lynn. From what I see, I don't think there's anything wrong with that.
Is there a reason why he shouldn't be able to talk about what he's discovered and gain notoriety for it? The day you can make people stop talking about the truth by suing them is a very sad day.
08-02-2005, 04:31 PM   #12
leejo
Join Date: Sep 2003
Age: 39
Posts: 7,669
Re: "Cisco Gate" at DEFCON and Black Hat

A non-disclosure agreement would be one excellent reason why he shouldn't talk about what he's discovered. When you sign your name to a contract it should mean something.
08-02-2005, 04:31 PM   #13
rs_al
Join Date: Oct 2004
Posts: 499
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by Buck Fush
Is there a reason why he shouldn't be able to talk about what he's discovered and gain notoriety for it? The day you can make people stop talking about the truth by suing them is a very sad day.
What he's discovered? He was an employee of Internet Security Systems. What he presented was THEIR work, not his.

It's like if I send you the source code for a class I wrote at work last week. Is there a reason why I shouldn't be able to talk about what I wrote? Yes. It's called an NDA, a legally binding contract I signed when I was hired stating that I would not do that.
08-02-2005, 05:03 PM   #14
Apophis
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 36
Posts: 8,917
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by rs_al
According to the article:

I wonder what his motivations were for disclosing this flaw? Cisco acknowledged and fixed it, but not everyone may have patched yet. It's one thing to inform the people that there is a very bad flaw that needs patching and that has an available patch, it's another to describe how to exploit the flaw. I think Lynn was just trying to make himself out to be a hot shot.

This has nothing to do with security by obscurity. Cisco patched it, and tried to protect their customers by stopping Lynn. From what I see, I don't think there's anything wrong with that.
It has not been completely fixed. The underlying privilege escalation issue is still in the IOS, AFAIK. The rollout of the patch was also pretty cheap on Cisco's part. But that's another story in itself.
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
08-02-2005, 05:06 PM   #15
Apophis
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 36
Posts: 8,917
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by rs_al
Lynn quit his job at ISS because they didn't want to present their research yet, and he presented their research anyway. Any company that has an NDA should be concerned about hiring Lynn, because it's pretty obvious that doesn't mean anything to him.
This was indeed Lynn's research.
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.