Black Hat Day 1: Update on Cisco-gate

LAS VEGAS, July 27 -- I promised earlier that I would follow up on this morning's pre-dawn post about one of the most eagerly awaited presentations here at Black Hat -- a talk to be given by Michael Lynn of Internet Security Systems about a previously undisclosed flaw purportedly present in nearly all Cisco Systems routers, the devices that direct a large portion of the Internet's Web traffic and e-mail.

According to several conference organizers, Lynn had tentatively agreed not to give his talk under pressure from ISS and Cisco officials. On the way to Lynn's talk, a conference attendee showed me a video he recorded of Black Hat organizers tearing out the pages of Lynn's presentation from the conference materials in the hours before the books were handed out to attendees.

According to several people who made it on time to the 9 a.m. presentation, Lynn began his talk with a discussion about security issues surrounding services that allow people to make Internet-based telephone calls. Then, they said, Lynn suddenly changed topics and began discussing the highly technical details of his research into the Cisco flaw, saying he would rather quit his job at ISS than keep the information from conference attendees.

In a nutshell, those in the room said Lynn demonstrated how attackers might use the security flaw to gain complete control over Cisco routers. He declined to be interviewed by me following the presentation, but security experts who heard the talk said Lynn could possibly be sued by Cisco, and perhaps even his former employer.

Paul Proctor, vice president of research at Gartner Inc., said Lynn called attention to a flaw deeply embedded in Cisco's hardware. Proctor said the flaw could not easily be fixed but that Cisco could develop a patch that would prevent attackers from gaining the access needed to exploit the vulnerability.

"Merely suggesting that this flaw exists is going to cause a lot of people to focus their research on this problem area," Proctor said. "I'm guessing Lynn is not going to like some of the legal headaches he'll get as a result of talking about this."

Cisco issued a statement saying "It is important to note that the information Mr. Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Mr. Lynn's research explores possible ways to expand exploitations of existing security vulnerabilities impacting routers."

The Cisco statement, offered by Mojgan Khalili, senior manager for corporate public relations, went on to encourage customers to "upgrade their software to the latest available versions." 

And the statement continued:  "Cisco respects and encourages the work of independent research scientists; however, we follow an industry established disclosure process for communicating to our customers and partners. It is especially regretful, and indefensible, that the Black Hat Conference organizers have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained. We appreciate the cooperation we have received from ISS in this matter. We are working with ISS to continue our joint research in the area of security vulnerabilities."

A spokesman for ISS confirmed that Lynn was no longer employed with the security research firm, adding that ISS didn't want Lynn to go public with his information because the company is still working with Cisco to develop a solution to the problem.

"ISS and Cisco have been working on this in the background and didn't feel at this time that the material was ready for publication," ISS spokesman Roger Fortier said. "The decision was made on Monday to pull the presentation because we wanted to make sure the research was fully baked."

An interesting first day at Black Hat so far. Stay tuned for more.

By  |  July 27, 2005; 4:23 PM ET


Sounds like Michael Lynn is first a crook and secondly a major-league jerk: he's employed by ISS, cooperating with Cisco in study of security flaws in Cisco routers, and he wants to go public with the information w/o permission from ISS or Cisco.

I'd prefer criminal charges against him under any available U.S. laws. His behavior will cost companies a great deal. He looks like another nerd sociopath with a huge ego.

Posted by: Hairy | July 28, 2005 12:43 PM

It doesn't sound like Lynn is a jerk, it sounds like Cisco are trying to avoid being sued for NOT fixing a problem that Cisco had known about for 6 months!

Add in the fact that the source code for the Cisco routers has been stolen TWICE, and all that Lynn is doing is whistleblowing.

The crackers that would use this to cause damage already had the information they needed.

Cisco should have fixed this problem as soon as they heard about it, upgraded all of the affected hardware for free, and then announced what had happened. Then they'd be looked on as heroes not zeroes.

Posted by: Pissed off Computer user | July 28, 2005 1:05 PM

what are you talking about? this dude probably saved the entire internet by making this public.

Posted by: Anonymous | July 28, 2005 1:28 PM

Nice copy and paste job there Hairy. Hairy is an ASStro-turfer, take a look:

Posted by: maggot | July 28, 2005 2:59 PM

Hairy, when you want people charged under law without knowing what the charge should be, it is typically a good indication you're a zealot, an idiot, or in the pay of someone who doesn't like Mr. Lynn much right now. So, whatever ones apply -- take a hike.

Posted by: TD | July 28, 2005 4:19 PM

Michael Lynn just wanted the fame behind this exploit. Even though he used resources from ISS and information Cisco trusted to ISS to get to this point. If Cisco and ISS would have been able to present this vulnerability in a correct manner, Mr. Lynn would have not been as famous to the security community as he currently is via this stunt. Instead he put his want for fame over our national security. I hope they throw the book at him...try reverse-engineering from San Quentin Mr. Lynn. I'm sure Bubba will launch a shell exploit in your a**

If he was an independent researcher that mentioned this to Cisco and they did nothing to fix it, then this would be different.

Posted by: Anonymous | July 29, 2005 6:55 PM

.."Hairy" is the Dilbert kinda PHB or just a PHB-wannabe?

Posted by: Arnt Karlsen | July 30, 2005 6:26 AM

Or quite possibly a guy who got sick of Cisco dragging their heels when it came to fixing this critical bug, and decided to light the fire under their collective asses by making it public.

Either way, this had to come out, and it has to be fixed.

Posted by: Alan | August 2, 2005 1:34 PM

© 2010 The Washington Post Company