Slashdot Mirror
Researcher Resigns Over New Cisco Router Flaw
An anonymous reader writes "Michael Lynn, formerly a researcher for Internet Security Systems resigned today rather than conceal his research into serious new flaws in Cisco routers, according to stories at Washingtonpost.com and CRN.
Interestingly, Cisco says the the problem is not a security vulnerability, although it chided Lynn for not going through proper vulnerability disclosure channels. Both stories note that Lynn is in danger of being sued by Cisco for revealing the information, details of which were pulled at the last minute from the materials handed out to Black Hat attendees." Update: 07/28 12:23 GMT by Z : SimilarityEngine writes "Cisco and ISS are filing a law suit against Michael Lynn and the management of the Black Hat Conference, following Lynn's presentation discussing a vulnerability in IOS."
but couldn't he at least have waited a few weeks to see how Cisco responds
Cisco seems to suffer from the same stupidity that most other large corporations do. They'll take a report, and sit on it for weeks, and sometimes months. Full Disclosure is usually the only way to get them to actually fix the issues in a timely manner.
In TFA, Cisco themselves said that he did not disclose any new vulnerabilies... so... what is the BFD?
Later, Cisco said it was all bent out of shape because they follow an "industry established disclosure process" and because Mr. Lynn "illegally" obtained the information...
Hey, Cisco, I have news for you. "Industry established disclosure process" != "Law"
Get over yourselves, admit that you're a bunch of fuckups that can't make secure networking equipment, and move along..
Companies like Cisco, Microsoft, etc. are generally made to look really bad when security flaws are exposed in their products.
The way they prefer it to go is that someone contacts them secretly, tells them the hole, and they can have it fixed all up by the time the vulnerability is published.
Then they get to look super-secure, since they were "too quick" for the bad hackers.
Some people, however, think that the only thing that'll get companies to take security more seriously is if they are actually made to look really bad, and maybe some of their products actually get hacked.
Unfortunately, when you're dealing with some giant businesses cost/benefit analysis, the only thing that can get them to take notice is a little carnage.
Is it worth it? I dunno, but it's certainly arguable.
Yes, he could. But then again, I suspect he already did. The traditional approach was to tell the vendor, and announce the flaw publicly 28 days later. That gave a vendor sufficient time to code and test a patch. However, many vendors (and Cisco seem to be particularly bad about this) sit on problems like this for several months and take no immediate action. I'd be far from surprised to hear Cisco were notified of this 3 months ago, hence Lynn's frustration and his decision to publicly talk about the flaw. I don't actually know what happened, and the above is just speculation. I suspect there's more than a grain of truth to it, though.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
I must have missed the "master password" thing.
As far as Cisco going down hill I don't really agree with that. Currently Cisco is expanding their product offerings into new unexplored territories such as IP Telephony. I have installed and supported several of these systems. As long as you follow thier design, install, and support guidelines they are as robust and as problem free as any other platform that i've worked with.
I think most people on Slashdot understand the complexities of the internet world. A minor change here can have a huge, uexpected, impact across the network or application. However, if time tested procedures for upgrades and testing are followed nothing has really changed. I think what may be giving a Cisco a bad name is all of the under qualified people out there installing their systems. The MS world of patch it, reboot, and go about your business does not fly when you critical systems are involved.
Yes, he could. But then again, I suspect he already did.
From the article:
"The decision was made on Monday to pull the presentation because we wanted to make sure the research was fully baked."
In other words, the research was not even finished yet. Isn't that a little impatient, and might there be a little chance that the researcher in question would have liked the attention he would've gotten if he presented this information at Black Hat, which was part of why he made the decision to pull out the information anyway ?
- Leon Mergen
http://www.solatis.com
How do you apt-get hardware?
The point of buying a router is efficiency. Otherwise get a switch and a 386 running BSD or Linux... Having hardware move packets is almost certainly going to be faster (and efficient) then having a general purpose processor do it.
That said you have firmware that controls the hardware which could be "apt-get" though in reality I'd rather see an open source firmware that was also provided as binary images you could just upload.
Do you really want some MCSE throw-back building a firmware image when they can hardly manage cmd.exe?
hehehee sick.
Tom
Someday, I'll have a real sig.
Well if you worked for the Secret service and knew that the president was having young girls kidnapped so he could rape them would you keep your mouth shut? It's about scruples. These flaws seriousally bother this man to the point that he is willing to give up his career and life as he knows it to get the information out.
this means it is very big, probably one of those one person can disable the whole net easily or snoop on all internet traffic without traceability.
I know of people that quit their jobs to blow the whistle and these men and women need to be held up as the heros of our time as they are the ones who not only have lots more guts that the rest of us, but are certianly more driven to not violate their core values.
I commend this man, he should be look up to.
Do not look at laser with remaining good eye.
I can't help but wonder, if this in the end really about gaining some publicity and in the end making more money.
Cisco is actually very upfront and cooperative when you report things which might be a vulnerability (I have personally dealt with PSIRT). The people who work there are actually so polite, it's kind of annoying (I have been thanked about 2 dozen times for reporting a very minor finding).
They do however expect you to play by the rules. Even if you are the person who found a bug, you are expected to let Engineers fix the bug before you release the information.
Also, there is policy in place, which makes sure major ISPs (Carriers) are informed first, so they can do upgrades before the PSIRT release is made public.
All that makes sense, since we are really talking about essential infrastructure.
Of course, all that kind of takes away the coolness of reporting a vulnerability and you will get a lot less publicity (cisco credits you) than what you would get, if you just post to some mailing list.
If he really released information he researched at ISS without consent, well, he should face consequences. Because I obviously was to gain from it (getting a new job, making a name or himself). Hopefully he wasn't just doing it for the publicity.
"Mommy, mommy! The garbage man is here!" "Well, tell him we don't want any!" -- Groucho Marx
Okay, this sounds pretty simple. Michael Lynn finds a (new) explit of Cisco routers and its a doosey. He informs ISS, who informs Cisco. Cisco management can't believe that such a serious flaw exists, since they've know about the possibility, but its been written off as minor in the past. Lynn presses his case to his supers, and they get down and dirty with Cicso. Cisco craps its pants because the flaw is everywhere, and it's going to cost real money to fix, and could hurt company Q results.
Cisco agrees with ISS taht they're going to do something about it, but it's going to take a bunch of resesarch and time. They'll keep it quiet for a few years while they put th fix in the pipline for new models. They'll work on a firmware fix, but its back burner as long as the explot isn't public. If ISS keeps its mouth shut, they can still do work for Cisco.
Lynn hears that his research is to be hush-hush, and that Cisco will work on it, but it could be a while before there's an actual patch. No arguing that the flaw is critical will make ISS management, with a financial gun to its head, budge.
Lynn flips ISS the bird, 'cause he thinks its a major security issue, and presents his research anyway. Cisco and ISS claim they're working ont it, and that its and old flaw, and nothing really serious. And they're quietly looking for a man to fir Lynn with concrete shoes for blowing their cover.
Seems pretty clear to me.
Is it just my observation, or are there way too many stupid people in the world?
Contradiction?
... and I can never find out why pople can get sued for disclosure of something dangerous to a lot of costumers.
Quote: "It is important to note that the information Mr. Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Mr. Lynn's research explores possible ways to expand exploitations of existing security vulnerabilities impacting routers."
Quote: "... Mr. Lynn a platform to publicly disseminate the information he illegally obtained."
If his research regards known and exsisting vulnerabilities how could they be illegal obtained? This can only happen if Cisco sits on the vulnerabilities for some time. If this is the case its a poor excuse by Cisco to state that its not a new vulnerability.
In my humble opinion its new when first made public.
If I use their routers I would like to know if they can be hacked. If they can get hacked I would like the oppotunity to take them offline if I need to protect my business.
If I don't have that oppotunity - and I loose data/values/etc due to an attack, I'll have to keep Cisco responsible.
-:) Oh no - not again.
www.rednebula.com
I dont believe in keeping an exploit away from the public until the vendor gets his thumbs out of the dark place that smells funny. First of all i really think much more work needs to be put down into securing the systems before they are released, this includes various linux vendors. Its insane today with the user being the Q&A and security department for the vendors.
Full disclosure is a nice cushion for people who really didnt do their job in the first place. It doesnt in no way help the users. Before the exploit is released publicly you can bet your backside its used for company spying and other shoddy activities.
A company shouldnt be afraid of scriptkiddies, theyre harmless compared to their competitors armed with their most secret info. Full disclosure makes it possible for a company to atlest try to mitigate that threat. Other disclosure puts them in the whims of the vendors.
HTTP/1.1 400
Personally, I'd probably rather the bank/hospital had a few weeks to establish a plan, rather than have to bang something out in an emergency, and whilst the records have already been made much more vulnerable.
Here's what I do: Bitty Browser & Andromeda
Months? There are outstanding issues on their 2900 switches that have been unfixed there for years.
I don't buy cisco gear anymore.
But it only became "wide open" with the public disclosure of exactly how to exploit it.
c'mon... you're telling me that out of 5+ billion people on this planet, that only the person that found the exploit is the one that knows about it?
surely you're not that niaeve?
It seems like a pretty basic concept, but I guess it should be pointed out that just because an exploit hasn't been presented by a security professional at Black Hat doesn't mean there aren't some sleazy Croatian identity thieves (for example) who are abusing this vulnerability left and right.
As long as it's a secret that only a few seriously malicious hackers know, the cost to Cisco is virtually nill. "Oh, your network got hacked? Well, it sure wasn't through your Cisco routers: check it out - we've got zero unpatched known vulnerabilities!" When security holes remain a secret, there is DEFINITELY a cost, but it's shouldered by the users of the product, not the designers. In general, the best way to get the designers to care is to demonstrate to the general public that Cisco is putting their networks at risk.
Not hypothetically, not a month ago, but now. Your networks are being hacked right this minute because Cisco hires sloppy firmware programmers.
Sad, but true.
I'd probably rather the bank/hospital had a few weeks to establish a plan, rather than have to bang something out in an emergency, and whilst the records have already been made much more vulnerable.
Your preference suffers from the flawed (although typically wide-spread) assumtion that only one person is smart enough to discover the flaw.
If a white hat can discover it, then a black hat can too - and black hats are constantly looking. Vulnerabilities need to be *FIXED*, not discussed for weeks in private meetings.
This is not a problem of disclosing a major vulnerabilty before the vulnerable company could react.
The flaw had been privately disclosed a few months ago. Cisco, for its own reasons, didn't intend to distribute a fix before long (next year!). Too major a flaw? Publicity? Too much work already? Internal politics?
Obviously, Michael Lynn couldn't live with the idea of leaving this flaw open, and decided to disclose it publicly, thus forcing Cisco to aknowledge it and fix it. Also obviously, this wasn't the only reason. He seemed disgusted by the industry's approach to this kind of problem.
Misleading titles? Inflammatory blurbs? Keep in mind that Slashdot is a tabloid.
I'm always amazed that companies think they have, or do have the right to sue someone for pointing out a flaw in their product. "Only in the software industry". If Chevy sells a new pickup that has seatbelts that don't work properly in a crash, and I find out, damn straight i'm telling the whole world. And if chevy tried to sue me for it they'd get laughed out of court. There should be absolutely no legal grounds for a company to sue someone over pointing out the flaws in their product. It's their own damn fault for not making a secure product in the first place.
Ok, how's this, its perfectly reasonable to put out publically his E-mail address at work, but I expect nobody to post photos or personal addresses or wife's name, or anything like that.
... "
*Personal* attacks should never be used, even against someone who might deserve it; it misrepresents our ideology.
However, a personal complaint about corporate policy is perfectly reasonable.
"Why is it that you, representing Cisco said that
- Michael T. Babcock (Yes, I blog)
As you've already been told, Lynn did NOT work for Cisco, nor does ISS work "for / with" them. The mutual effort was a result of Lynn finding the flaw in the first place, and notifying them about it.
Four months ago.
However, the more damningly flawed portion of your argument is that 'now Cisco doesn't have time to fix the problem'. <snort>
Could you please provide proof that this flaw hasn't been actively exploited since even before the time at which Lynn found it?
It is, needless to say, impossible to prove a negative.
If you're not living on the edge, you're just taking up space!