Black Hat Day 1: Update on Cisco-gate
LAS VEGAS, July 27 -- I promised earlier that I would follow up on this morning's pre-dawn post about one of the most eagerly awaited presentations here at Black Hat -- a talk to be given by Michael Lynn of Internet Security Systems about a previously undisclosed flaw purportedly present in nearly all Cisco Systems routers, the devices that direct a large portion of the Internet's Web traffic and e-mail.
According to several conference organizers, Lynn had tentatively agreed not to give his talk under pressure from ISS and Cisco officials. On the way to Lynn's talk, a conference attendee showed me a video he recorded of Black Hat organizers tearing out the pages of Lynn's presentation from the conference materials in the hours before the books were handed out to attendees.
According to several people who made it on time to the 9 a.m. presentation, Lynn began his talk with a discussion about security issues surrounding services that allow people to make Internet-based telephone calls. Then, they said, Lynn suddenly changed topics and began discussing the highly technical details of his research into the Cisco flaw, saying he would rather quit his job at ISS than keep the information from conference attendees.
In a nutshell, those in the room said Lynn demonstrated how attackers might use the security flaw to gain complete control over Cisco routers. He declined to be interviewed by me following the presentation, but security experts who heard the talk said Lynn could possibly be sued by Cisco, and perhaps even his former employer.
Paul Proctor, vice president of research at Gartner Inc., said Lynn called attention to a flaw deeply embedded in Cisco's hardware. Proctor said the flaw could not easily be fixed but that Cisco could develop a patch that would prevent attackers from gaining the access needed to exploit the vulnerability.
"Merely suggesting that this flaw exists is going to cause a lot of people to focus their research on this problem area," Proctor said. "I'm guessing Lynn is not going to like some of the legal headaches he'll get as a result of talking about this."
Cisco issued a statement saying "It is important to note that the information Mr. Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Mr. Lynn's research explores possible ways to expand exploitations of existing security vulnerabilities impacting routers."
The Cisco statement, offered by Mojgan Khalili, senior manager for corporate public relations, went on to encourage customers to "upgrade their software to the latest available versions."
And the statement continued: "Cisco respects and encourages the work of independent research scientists; however, we follow an industry established disclosure process for communicating to our customers and partners. It is especially regretful, and indefensible, that the Black Hat Conference organizers have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained. We appreciate the cooperation we have received from ISS in this matter. We are working with ISS to continue our joint research in the area of security vulnerabilities."
A spokesman for ISS confirmed that Lynn was no longer employed with the security research firm, adding that ISS didn't want Lynn to go public with his information because the company is still working with Cisco to develop a solution to the problem.
"ISS and Cisco have been working on this in the background and didn't feel at this time that the material was ready for publication," ISS spokesman Roger Fortier said. "The decision was made on Monday to pull the presentation because we wanted to make sure the research was fully baked."
An interesting first day at Black Hat so far. Stay tuned for more.