Cisco Security Hole a Whopper


Egaladeist
July 28th, 2005, 02:14 PM
A bug discovered in an operating system that runs the majority of the world's computer networks would, if exploited, allow an attacker to bring down the nation's critical infrastructure, a computer security researcher said Wednesday against threat of a lawsuit.

http://www.wired.com/news/privacy/0,1848,68328,00.html?tw=rss.TOP
Wired News: Cisco Security Hole a Whopper

more or less a follow-up on the Cisco part to my post on Black Hat here...

http://www.antionline.com/showthread.php?s=&postid=851803#post851803
AntiOnline - Black Hat and Antivirus

Restraining Order...

The networking giant and Internet Security Systems jointly filed a request Wednesday for a temporary restraining order against Michael Lynn and the organizers of the Black Hat security conference. The motion came after Lynn showed in a presentation how attackers could take over Cisco routers--a problem that he said could bring the Internet to its knees.

The filing in U.S. District Court for the Northern District of California asks the court to prevent Lynn and Black Hat from "further disclosing proprietary information belonging to Cisco and ISS," said John Noh, a Cisco spokesman.

"It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual property rights," Noh added.

Lynn decompiled Cisco's software for his research and by doing so violated the company's rights, Noh said.

http://news.com.com/Cisco+hits+back+at+flaw+researcher/2100-1002_3-5807551.html?part=rss&tag=5807551&subj=news
Cisco hits back at flaw researcher | CNET News.com

zencoder
July 28th, 2005, 02:47 PM
Security through obscurity strikes again.

Egaladeist
July 28th, 2005, 02:54 PM
Hi zencoder,

:D I guess Cisco doesn't appreciate having that kind of information leaked...or having someone publicly point out its own insecurities :D

Eg ;)

zencoder
July 28th, 2005, 03:10 PM
I'm curious what the real backstory is here. It sounds like this vulnerability was reported and fixed, but Cisco put pressure on ISS/Blackhat to pull the presentation anyway. I wonder what the motivation was...I mean, the vulnerability had already been disclosed, right? Perhaps they glossed it over in the description of the IOS update to save face, and Lynn's presentation was going to blow their cover.

I can understand if they are working to suppress someone who is trying to share a vulnerability that they are actively working on, but hasn't been fixed yet. That would be unethical on Lynn's part...but it sounds like this was already fixed.

So what is their motivation, besides saving face?

Egaladeist
July 28th, 2005, 03:26 PM
Hi zencoder,

So what is their motivation, besides saving face?
I think you're right-on...it's just about saving face...they want to keep their secrets secret :D

Eg ;)

zencoder
July 28th, 2005, 03:44 PM
Alright, after doing some more reading, it sounds like only some of the *MANY* weaknesses he uncovered had been patched, and the demonstration he gave was attacking one of the vulnerabilities that Cisco had already patched. However, it seems like Lynn is not happy with the pace of Cisco's fixing of these problems, or something...

Source (http://www.boingboing.net/2005/07/27/security_researcher_.html) boing-boing post, and its parent article at Security Focus (http://online.securityfocus.com/news/11259)
Lynn had found a buffer overflow exploit that lets an attacker take absolute control over Cisco routers. He sent the details to Cisco in April, but they still have not fully repaired the vulnerability. Since many of the world's key routers are supplied by Cisco, this means Cisco's foot-dragging places large parts of the world's information infrastructure at grave risk of collapse.
From Cory Doctorow's post covering this event. I don't think the 'foot dragging' statement is a direct quote, so it could be considered supposition.

I don't want to take the big business, corporate oligarchy unfeeling 'we will crush you' position, but I get the impression he got impatient and let the cat out of the bag... for what reason, I can't say, but I can guess. I'll not list them just to disparage Mr. Lynn, but I do question his motivation.

He gave the information to Cisco in April (as an ISS employee, I take it), but decided to announce it at Blackhat because...why? Cisco has been 'draggin their feet', as Cory says in the boing-boing article. Are there internal politics that are affecting the resolution of a technical vulnerability? That might be justification for going public, if stupid politics and save-face-ery is the cause of the delays in resolving ALL of the problems. But if Cisco simply hasn't made progress on all the problems, and are trying earnestly to fix them, this is a grave breach of ethical practice by Lynn.

As I said before... without having inside info, who can tell?

Egaladeist
July 28th, 2005, 04:50 PM
Hi zencoder,

His motivation is hard to say...maybe he was angry over some issue with Cisco...maybe he just wanted to inform the public on how insecure their security is...maybe he thought Cisco wasn't doing enough or was getting too laid back about their security...
it's hard to say what motivated him...

but Cisco's motivation is easier...keep secrets secret...if someone lets the cat out of the bag then save face by painting the person as the bad guy...take the focus off us and put it on him...

the ancient art of redirection....in modern terminology: Spin.

Eg ;)

zencoder
July 28th, 2005, 06:52 PM
After some email discussion with one of the journalists who covered this, it appears that the problem, and probably Mr. Lynn's impetus to resign and 'go public' with this info, is a lack of apparent progress by Cisco in addressing the underlying architectural and design flaws, and simply patching the problem. Please don't quote me OR Mr. Lynn on this, it's just a theory.

So yes, spin would be a good guess for Cisco's reasoning. Will they actually fix this? Who knows...companies sell software with buffer overflow vulnerabilities all the time.

Catch... "Don't buy software that sucks" about sums it up, doncha think? But does it suck, or is it merely broken, and is being fixed now that we all know it's broken?

Update!
Boing-Boing post (http://www.boingboing.net/2005/07/27/security_researcher_.html) has been updated by Cory D

"It is important to note and propagate that Lynn did go through the correct channels for release: he contacted the vendor, the vendor issued a fix. At this point, normally, public release would be allowed and expected."


I never realized "Full disclosure" was such a filthy expression. :sourface:

Maestr0
July 28th, 2005, 09:07 PM
"The conference and Lynn's employer agreed to yank the presentation, and Cisco employees spent eight hours ripping Lynn's research out of the printed program books before they were handed out to attendees. "

See it for yourself.

-Maestr0

Egaladeist
July 28th, 2005, 09:16 PM
Hi Maestr0,

Where'd you get that...it looks just like the department heads of Cisco :D

Eg ;)

Except there should be a bubble above their heads saying: ' @*&$%&& Lynn @$#&^%&&%&&^%^&&% Lynn %$$#^&&*^!!!!!!! ' :D

fraggin
July 29th, 2005, 11:09 PM
Would it be safe to put this IOS Patching off until Monday?

R0n1n
July 30th, 2005, 04:08 AM
I was at the presentation, and applaud Mike for what he did.

He also pointed out that anyone who has kept their systems up to date with patches is not at risk. However Cisco have some stuff in the pipeline that may make the attack vectors for Cisco a little different (i.e. rather than having to recompile a worm for each version of IOS, one worm will work for all).

fraggin
July 31st, 2005, 01:41 AM
A Patch was issued in April that fixed the Vulnerability, but they were just going to keep it to themselves that it fixes a major bung hole? Am I understanding this correctly?

zencoder
July 31st, 2005, 05:32 AM
Well, the other issue seems to be that, while this specific vulnerability has been patched, the underlying deficient code development processes may have created vulnerabilities in other portions of the IOS code.

And as said, other product offerings and changes might be vulnerable.

Egaladeist
July 31st, 2005, 05:55 AM
Hi zencoder,

Looks like he buckled under the pressure...

" Cisco, security researcher settle dispute "

Michael Lynn, who left his job at Internet Security Systems Inc. hours before his speech, agreed never to repeat the information he gave at the Black Hat conference in Las Vegas on Wednesday.

He also must return any proprietary Cisco source code in his possession.

http://www.sanluisobispo.com/mld/sanluisobispo/business/12248404.htm
AP Wire | 07/28/2005 | Cisco, security researcher settle dispute

as you said...
That flaw was patched in April, but it's possible that the same technique could be used to exploit other vulnerabilities in Cisco routers. Lynn said the technique also could lead to the creation of a worm that targets routers, particularly when coupled with an upcoming version of Cisco's operating system.

Eg ;)

zencoder
July 31st, 2005, 06:05 AM
Well, you could say buckled. I like to think more optimistically and say he chose to agree to their terms, rather than face a lengthy and/or expensive legal proceeding. Besides, it doesn't really matter to him now...he's already made his point and shared the information. He can easily say "I won't repeat it again" with complete satisfaction that his point has been shared and will be repeated by others now.

;)

w-mellon
July 31st, 2005, 09:53 PM
If anyone has seen and reviewed his (Lynn's) information - what impact does/would this have on the Cisco security products such as the PIX? I can only guess that the underlying IOS is similar in some respects and therefore vulnerable as well.

Shame, I would have liked to read his report and seen this for myself.

lumpyporridge
August 1st, 2005, 04:36 AM
"Shame, I would have liked to read his report and seen this for myself."

www.cryptome.org will help you

R0n1n
August 1st, 2005, 06:24 AM
Mike did raise the point that for the hole to be used for a worm in the current environment would require a worm to be about 40mb in size...so don't be too concerned just yet. Cisco are looking at using virtual processes which is going to drastically alter this and a generic worm could be developed.

The hole affects the Cisco IOS in general, so anything using it is at risk.

And I don't think he buckled, it was either that or be sued by ISS and Cisco.

Egaladeist
August 1st, 2005, 06:52 AM
Hi R0n1n,
And I don't think he buckled, it was either that or be sued by ISS and Cisco.
Isn't that the very definition of buckling? Folding under pressure? He was under the heat and he took the easy way out....I'm not faulting him for that...no sense fighting a war you can't win...still...he caved under the pressure...under the circumstances it was probably the smart thing to do...but the result is the same.

Eg ;)

zencoder
August 1st, 2005, 04:15 PM
I think we're taking exception to the words "buckled" and "caved". He was being sued. He was, by the letter of the law, wrong, I bet. So he did the smart, correct thing.

Just because he was in violation of his contract/code of conduct/NDA/whatever with ISS and Cisco, doesn't make what he did morally wrong...but the words you've used tend to have a negative connotation, and some of us are up in arms about that, it seems. :)

Perhaps 'acquiesced' is a better way to put it? Really, it doesn't matter. We all agree, I believe. He stood up and said what he felt needed to be shared, despite Cisco's bullying and his employer's caving to the big C.

It might him in the future with some potential employers, but I am certain others will be happy to bring him aboard.

Egaladeist
August 1st, 2005, 04:35 PM
Hi zencoder,

I'm sure the guy won't be lacking employment offers...like we spoke about before...we can't be sure of his motives, they might not have been as altruistic as he implies...could be he was intending to leave anyways and wanted to place himself in the limelight to secure other opportunities...or just get his 15 minutes of fame...I tend to think he had some ulterior motive only because of how quickly he ' acquiesced '...
there were already funds being set up for his defense...by supporters and admirers...

the latest news on this saga...the FBI is investigating him for violating trade secrets...

http://www.wired.com/news/privacy/0,1848,68356,00.html?tw=rss.TOP
Wired News: Whistle-Blower Faces FBI Probe

Eg ;)