Cisco Security Hole a Whopper

Quote:

---

A bug discovered in an operating system that runs the majority of the world's computer networks would, if exploited, allow an attacker to bring down the nation's critical infrastructure, a computer security researcher said Wednesday against threat of a lawsuit.

---

http://www.wired.com/news/privacy/0,...tml?tw=rss.TOP
Wired News: Cisco Security Hole a Whopper

more or less a follow up on the Cisco part to my post on Black Hat here...

http://www.antionline.com/showthread...803#post851803
AntiOnline - Black Hat and Antivirus

Restraining Order...

Quote:

---

The networking giant and Internet Security Systems jointly filed a request Wednesday for a temporary restraining order against Michael Lynn and the organizers of the Black Hat security conference. The motion came after Lynn showed in a presentation how attackers could take over Cisco routers--a problem that he said could bring the Internet to its knees.

The filing in U.S. District Court for the Northern District of California asks the court to prevent Lynn and Black Hat from "further disclosing proprietary information belonging to Cisco and ISS," said John Noh, a Cisco spokesman.

"It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual property rights," Noh added.

Lynn decompiled Cisco's software for his research and by doing so violated the company's rights, Noh said.

---

http://news.com.com/Cisco+hits+back+...7551&subj=news
Cisco hits back at flaw researcher | CNET News.com

Security through obscurity strikes again.

Hi zencoder,

:D I guess Cisco doesn't appreciate having that kind of information leaked...or having someone publically point out it's own insecurities :D

Eg ;)

I'm curious what the real backstory is here. It sounds like this vulnerability was reported and fixed, but Cisco put pressure on ISS/Blackhat to pull the presentation anyway. I wonder what the motivation was...I mean, the vulnerability had already been disclosed, right? Perhaps they glossed it over in the description of the IOS update to save face, and Lynn's presentation was going to blow their cover.

I can understand if they are working to supress someone who is trying to share a vulnerability that they are actively working on, but hasn't been fixed yet. That would be unethical on Lynn's part...but it sounds like this was already fixed.

So what is their motivation, besides saving face?

Hi zencoder,

Quote:

---

So what is their motivation, besides saving face?

---

I think you're right-on...it's just about saving face...they want to keep their secrets secret :D

Eg ;)

Alright, after doing some more reading, it sounds like only some of the *MANY* weaknesses he uncovered had been patched, and the demonstration he gave was attacking one of the vulnerabilities that Cisco had already patched. However, it seems like Lynn is not happy with the pace of Cisco's fixing of these problems, or something...

Quote:

---

Source boing-boing post, and it's parent article at Security Focus
Lynn had found a buffer overflow exploit that lets an attacker take absolute control over Cisco routers. He sent the details to Cisco in April, but they still have not fully repaired the vulnerability. Since many of the world's key routers are supplied by Cisco, this means Cisco's foot-dragging places large parts of the world's information infrastructure at grave risk of collapse.
From Cory Doctorow's post covering this event. I don't think the 'foot dragging' statement is a direct quote, so it could be considered supposition.

---

I don't want to take the big business, corporate oligarchy unfeeling 'we will crush you' position, but I get the impression he got impatient and let the cat out of the bag... for what reason, I can't say, but I can guess. I'll not list them just to disparage Mr. Lynn, but I do question his motivation.

He gave the information to Cisco in April (as an ISS employee, I take it), but decided to announce it at Blackhat because...why? Cisco has been 'draggin their feet', as Cory says in the boing-boing article. Are there internal politics that are affecting the resolution of a technical vulnerability? That might be justification for going public, if stupid politics and save-face-ery is the cause of the delays in resolving ALL of the problems. But if Cisco simply hasn't made progress on all the problems, and are trying earnestly to fix them, this is a grave breach of ethical practice by Lynn.

As I said before... without having inside info, who can tell?

Hi zencoder,

His motivation is hard to say...maybe he was angry over some issue with Cisco...maybe he just wanted to inform the public on how insecure their security is...maybe he thought Cisco wasn't doing enough or was getting too laid back about their security...
it's hard to say what motivated him...

but Cisco's motivation is easier...keep secrets secret...if someone let's the cat out of the bag then save face by painting the person as the bad guy...take the focus off us and put it on him...

the ancient art of redirection....in modern terminology: Spin.

Eg ;)

After some email discussion with one of the journalists who covered this, it appears that the problem, and probably Mr. Lynns impetus to resign and 'go public' with this info, is a lack of apparent progress by Cisco in addressing the underlying architectural and design flaws, and simply patching the problem. Please don't quote me OR Mr. Lynn on this, it's just a theory.

So yes, spin would be a good guess for Cisco's reasoning. Will they actually fix this? Who knows...companies sell software with buffer overflow vulnerabilities all the time.

Catch... "Don't buy software that sucks" about sums it up, doncha think? But does it suck, or is it mearly broken, and is being fixed now that we all know it's broken?

Update!
Boing-Boing post has been updated by Cory D

Quote:

---

"It is important to note and propogate that Lynn did go through the corrrect channels for release: he contacted the vendor, the vendor issued a fix. At this point, normally, public release would be allowed and expected."

---

I never realized "Full disclosure" was such a filthy expression. :sourface:

"The conference and Lynn's employer agreed to yank the presentation, and Cisco employees spent eight hours ripping Lynn's research out of the printed program books before they were handed out to attendees. "

See it for yourself.

-Maestr0

Hi Maestr0,

Where'd you get that...it looks just like the department heads of Cisco :D

Eg ;)














Except there should be a bubble above their heads saying: ' @*&$%&& Lynn @$#&^%&&%&&^%^&&% Lynn %$$#^&&*^!!!!!!! ' :D