Security researcher causes furor by releasing flaw in Cisco Systems IOS — Holy crap! This is a good one. Apparently the entire net is now at risk.
This came across my desk shortly after it was reported. Certain forces are trying to supress this info. Should be fun to watch this unfold.
LAS VEGAS — A security researcher caused quite an opening day buzz at the Black Hat Briefings security conference when he released a potential vulnerability in Cisco Systems’ routers that could, if exploited to its potential by a malicious attacker, bring down the entire Internet.
Michael Lynn, a former employee with Internet Security Systems, stated that he quit his position with ISS two hours before his discussion and faced litigation from both Cisco Systems and ISS for divulging the information in his presentation.
As ever, it’s a shame when you have to look for a new job — for telling the truth.
It isn’t clear to me what Cisco’s objection is, given that this is an already well known vulnerability in IOS. I thought talking about this sort of thing was what Black Hat was all about. What does Cisco want Black Hat to be — a bunch of computer security people getting together and jerking each other off?
I’ve been concerned about this sort of thing, because if the entire Internet is so dependent on one company we have big problems.
I found this, Sophos Is Latest Anti-Virus Vendor With Vulnerabilities.
The story said, “Sophos credited Alex Wheeler, an independent security researcher, with the discovery.”
I guess the issue of who gets the credit depends on a bunch of legal stuff. I doubt that vulnerabilities could be protected as intellectual property. 3Com plans to pay security researchers for information on vulnerabilities and award bonuses to prolific flaw finders. This could change the entire Internet. Imagine Cisco paying this guy a bonus instead of trying to shut him down. iDefense is doubling its pricing structure for vulnerability submissions. iDefense was bought by VeriSign for $40 Million
http://news.zdnet.com/2100-1009_22-5787653.html
I guess the vunerability business is booming. I just wonder why we haven’t seen Google Security along with all the other Google offerings. If Google can help tighten up security for users, it should see financial benefits. A security and search toolbar might be a good start. Google collects so much information on the Internet, so you would think they would have tons of data on vulnerabilites. If Google doesn’t make the Internet more secure, it will have problems down the road. Google is a big player on the Internet and if Microsoft has taught the world anything, it is that security is a powerful marketing tool. If Google can position itself as the “secure search” and talk up security it may win new users. Maybe Google can host a find the malicious code jam with prizes and cash bonuses. Tell him what he’s won John! By the way, Oracle Products Contain Multiple Vulnerabilities. Various Oracle products and components are affected by multiple vulnerabilities. Technical Cyber Security Alert TA05-194A. The impacts of these vulnerabilities include unauthenticated, remote code execution, information disclosure, and denial of service if anybody cares.
Start looking for malicious web scripts. Somebody should pay you something for them. Maybe it will be Google, maybe it won’t. I don’t know!
Frequently Asked Questions About Malicious Web Scripts Redirected by Web Sites http://www.cert.org/tech_tips/malicious_code_FAQ.html
I don’t understand why you wouldn’t want to hide this. I have never been very much of jumping up and down when there are problems. After it’s solved you can cause all the negative press you want, but I would with out question keep quiet until then.
On the other hand this wouldn’t by any means be the first time, and I doubt it would be the last (unless by entire you actually mean entire and not just the sites that never ever go down like Amazon, Google, Yahoo, and such).
An interesting comment from a PC Mag competitor. This kind of explains it in a nutshell.
“In this instance, Lynn believed exposing his IOS exploit was paramount to protecting our national security since Cisco’s equipment is heavily embedded in networks that run the country’s critical infrastructure. Its routers also are responsible for directing a vast majority of Internet traffic. And, the source code for IOS has twice been stolen, making the threat more imminent.”
…
“Stephen Cobb, author of Privacy for Business isn’t surprised at ISS’s and Cisco’s initial hard-line approach. “They are listening to their lawyers and not their employees and customers,” he said Thursday morning. “The heavy consolidation within the security industry means that no company can any longer afford to take a stand on its own. ISS has to stay friends with Cisco or its sales will be hurt. The same was true when @stake fired Dan Geer in 2003 for putting his name to a report, ‘CyberInsecurity: The Cost of Monopoly,’ that was critical of Microsoft. And, of course, Cisco has its market share and shareholder interests to defend.”
If an Engineer at General Motors revealed to the public a safety problem, could General Motors sue him for theft of proprietary information? Because it is in the public good and could probably save someone’s life or severe property damage, the answer is no.
If a software engineer releases a flaw to the public, could he also be sued for disclosing proprietary information? I don’t believe so as again, it is in the public good and could possibly save someone’s life and or severe property damage. PLUS Cisco announced this very flaw three months ago and issued a patch. Knowing that however won’t pay your lawyer bills to defend yourself.
I think Cisco might have wounded itself more by its actions here.
The diffrence is people don’t exploit flaws in cars, and even if they do it doesn’t have nearly the same overall effect.
Maybe Cisco was just ignoring the obvious.
http://www.cio.com/archive/041505/it_work.html
Maybe what Lynn was saying was too obvious for these corporate minded people to deal with. The whole thing sort of reminds me of John DeLorean and General Motors. Maybe Lynn will create a start up and start making better stuff than Cisco and Cisco will go out of business. It could happen. I know it is a long shot, but that’s business. Look at the General Motors mess today. Life is short, if you can find a better router buy it.
It looks like more problems for Cisco. Cisco’s customer portal has left customers scrambling to get new passwords after some sort of security breach. I wonder how long it takes for Cisco to go into a meltdown, tailspin or something. I’m finding that there is a lot of anger out there. I think the censorship is what gets people angry. Cisco came off as being authoritarian and people just don’t like that and won’t tolerate it. There should be plenty of knives sharpened by now. There may be a new lack of confidence in Cisco by their customers. If there isn’t, maybe there should be. Christ you know it ain’t easy.
“Censorship reflects a society’s lack of confidence in itself. It is a hallmark of an authoritarian regime . . . .” — Supreme Court Justice Potter Stewart, dissenting Ginzberg v. United States, 383 U.S. 463 (1966)