
Thread: Cisco Security Hole a Whopper

  1. #1 Senior Member (Join Date: Dec 2004; Posts: 3,171)

    Cisco Security Hole a Whopper

    A bug discovered in an operating system that runs the majority of the world's computer networks would, if exploited, allow an attacker to bring down the nation's critical infrastructure, a computer security researcher said Wednesday against threat of a lawsuit.
    http://www.wired.com/news/privacy/0,...tml?tw=rss.TOP
    Wired News: Cisco Security Hole a Whopper

    more or less a follow up on the Cisco part to my post on Black Hat here...

    http://www.antionline.com/showthread...803#post851803
    AntiOnline - Black Hat and Antivirus

    Restraining Order...

    The networking giant and Internet Security Systems jointly filed a request Wednesday for a temporary restraining order against Michael Lynn and the organizers of the Black Hat security conference. The motion came after Lynn showed in a presentation how attackers could take over Cisco routers--a problem that he said could bring the Internet to its knees.

    The filing in U.S. District Court for the Northern District of California asks the court to prevent Lynn and Black Hat from "further disclosing proprietary information belonging to Cisco and ISS," said John Noh, a Cisco spokesman.

    "It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual property rights," Noh added.

    Lynn decompiled Cisco's software for his research and by doing so violated the company's rights, Noh said.
    http://news.com.com/Cisco+hits+back+...7551&subj=news
    Cisco hits back at flaw researcher | CNET News.com

  2. #2 zencoder, AO Senior Cow-beller, Moderator (Join Date: Dec 2004; Location: Mountain standard tribe; Posts: 1,177)
    Security through obscurity strikes again.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3 Senior Member (Join Date: Dec 2004; Posts: 3,171)
    Hi zencoder,

    I guess Cisco doesn't appreciate having that kind of information leaked...or having someone publicly point out its own insecurities

    Eg

  4. #4 zencoder, AO Senior Cow-beller, Moderator (Join Date: Dec 2004; Location: Mountain standard tribe; Posts: 1,177)

    If it were only that simple...

    I'm curious what the real backstory is here. It sounds like this vulnerability was reported and fixed, but Cisco put pressure on ISS/Blackhat to pull the presentation anyway. I wonder what the motivation was...I mean, the vulnerability had already been disclosed, right? Perhaps they glossed it over in the description of the IOS update to save face, and Lynn's presentation was going to blow their cover.

    I can understand if they are working to suppress someone who is trying to share a vulnerability that they are actively working on, but hasn't been fixed yet. That would be unethical on Lynn's part...but it sounds like this was already fixed.

    So what is their motivation, besides saving face?

  5. #5 Senior Member (Join Date: Dec 2004; Posts: 3,171)
    Hi zencoder,

    So what is their motivation, besides saving face?
    I think you're right-on...it's just about saving face...they want to keep their secrets secret

    Eg

  6. #6 zencoder, AO Senior Cow-beller, Moderator (Join Date: Dec 2004; Location: Mountain standard tribe; Posts: 1,177)
    Alright, after doing some more reading, it sounds like only some of the *MANY* weaknesses he uncovered had been patched, and the demonstration he gave was attacking one of the vulnerabilities that Cisco had already patched. However, it seems like Lynn is not happy with the pace of Cisco's fixing of these problems, or something...

    Source: boing-boing post, and its parent article at Security Focus
    Lynn had found a buffer overflow exploit that lets an attacker take absolute control over Cisco routers. He sent the details to Cisco in April, but they still have not fully repaired the vulnerability. Since many of the world's key routers are supplied by Cisco, this means Cisco's foot-dragging places large parts of the world's information infrastructure at grave risk of collapse.
    From Cory Doctorow's post covering this event. I don't think the 'foot dragging' statement is a direct quote, so it could be considered supposition.
    I don't want to take the big business, corporate oligarchy unfeeling 'we will crush you' position, but I get the impression he got impatient and let the cat out of the bag... for what reason, I can't say, but I can guess. I'll not list them just to disparage Mr. Lynn, but I do question his motivation.

    He gave the information to Cisco in April (as an ISS employee, I take it), but decided to announce it at Blackhat because...why? Cisco has been 'dragging their feet', as Cory says in the boing-boing article. Are there internal politics that are affecting the resolution of a technical vulnerability? That might be justification for going public, if stupid politics and save-face-ery is the cause of the delays in resolving ALL of the problems. But if Cisco simply hasn't made progress on all the problems, and are trying earnestly to fix them, this is a grave breach of ethical practice by Lynn.

    As I said before... without having inside info, who can tell?

  7. #7 Senior Member (Join Date: Dec 2004; Posts: 3,171)
    Hi zencoder,

    His motivation is hard to say...maybe he was angry over some issue with Cisco...maybe he just wanted to inform the public on how insecure their security is...maybe he thought Cisco wasn't doing enough or was getting too laid back about their security...
    it's hard to say what motivated him...

    but Cisco's motivation is easier...keep secrets secret...if someone lets the cat out of the bag then save face by painting the person as the bad guy...take the focus off us and put it on him...

    the ancient art of redirection....in modern terminology: Spin.

    Eg

  8. #8 zencoder, AO Senior Cow-beller, Moderator (Join Date: Dec 2004; Location: Mountain standard tribe; Posts: 1,177)
    After some email discussion with one of the journalists who covered this, it appears that the problem, and probably Mr. Lynn's impetus to resign and 'go public' with this info, is a lack of apparent progress by Cisco in addressing the underlying architectural and design flaws, and simply patching the problem. Please don't quote me OR Mr. Lynn on this, it's just a theory.

    So yes, spin would be a good guess for Cisco's reasoning. Will they actually fix this? Who knows...companies sell software with buffer overflow vulnerabilities all the time.

    Catch... "Don't buy software that sucks" about sums it up, doncha think? But does it suck, or is it merely broken, and is being fixed now that we all know it's broken?

    Update!
    Boing-Boing post has been updated by Cory D

    "It is important to note and propagate that Lynn did go through the correct channels for release: he contacted the vendor, the vendor issued a fix. At this point, normally, public release would be allowed and expected."
    I never realized "Full disclosure" was such a filthy expression. :sourface:

  9. #9 Maestr0, Senior Member (Join Date: May 2003; Posts: 604)
    "The conference and Lynn's employer agreed to yank the presentation, and Cisco employees spent eight hours ripping Lynn's research out of the printed program books before they were handed out to attendees."

    See it for yourself.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  10. #10 Senior Member (Join Date: Dec 2004; Posts: 3,171)
    Hi Maestr0,

    Where'd you get that...it looks just like the department heads of Cisco

    Eg

    Except there should be a bubble above their heads saying: ' @*&$%&& Lynn @$#&^%&&%&&^%^&&% Lynn %$$#^&&*^!!!!!!! '
