TMCnet News

Cisco, Security Researcher Settle Dispute
[July 28, 2005]

Cisco, Security Researcher Settle Dispute


(AP) Cisco, Security Researcher Settle Dispute
By MATTHEW FORDAHL
AP Technology Writer
SAN JOSE, Calif.
Cisco Systems Inc. and a network security firm reached a settlement Thursday with a researcher who quit his job so he could deliver a speech on a serious flaw in Cisco software that routes data over the Internet.

Michael Lynn, who left his job at Internet Security Systems Inc. hours before his speech, agreed never to repeat the information he gave at the Black Hat conference in Las Vegas on Wednesday.

He also must return any proprietary Cisco source code in his possession.

Cisco, the leading maker of Internet equipment, was supposed to join Lynn on stage. But the company and ISS changed course late last week and tried to cancel the session, going so far as to hire workers this week to yank pages from conference handouts and seek a court order.



The companies claimed the research was "premature" and would be presented at a later security conference. Lynn, however, said he felt obliged to report the problem before it was exploited in attacks that could endanger the Internet.

"Not to sensationalize, but it would be the digital Pearl Harbor we've heard about," Lynn said in an interview Thursday. "I felt it was the right thing to do for the country and for the national critical infrastructure."


The incident highlights the thorny issue of when to go public with a security problem. Security firms and computer vendors generally agree to do so when there's a patch -- or fix -- available.

But it's not always so simple. In the latest case, Lynn and other researchers at Atlanta-based Internet Security Systems discovered a technique that could allow someone to seize control of a Cisco router by exploiting a vulnerability in its operating system.

That flaw was patched in April, but it's possible that the same technique could be used to exploit other vulnerabilities in Cisco routers. Lynn said the technique also could lead to the creation of a worm that targets routers, particularly when coupled with an upcoming version of Cisco's operating system.

Cisco said it encourages independent security research but said in a statement that it felt Lynn's presentation "was presented prematurely and did not follow proper industry disclosure rules."

Chris Rouland, chief technology officer at ISS, said his company and Cisco agreed the research was premature. Rouland said Cisco did not pressure ISS.

But Lynn, who said it was never clear to him who was pressuring ISS, said it was important to get word out now.

Worms -- malicious programs that spread automatically -- are less likely in today's version of Cisco's operating system because the underlying software is different enough for each device. That will change in the next release, making it possible to attack a wide swath of routers without adjusting the malware for each unique configuration.

Such attacks, Lynn said, could modify routers en masse so that they cannot receive updates so they are always infected. Worse, attackers could erase instructions that tell the machine how to turn on.

"The purpose of doing this presentation was to prevent a worm from being made," he said.

His Las Vegas demonstration was stripped of any information that would lead anyone to figure out how the technique works, Lynn said.

He also said he decided to defy his employer because Cisco's operating system source code had been stolen and posted on a hacker Web site. Additionally, Lynn said, he has seen discussions of Cisco vulnerabilities posted on Web sites for Chinese hackers.

"Cisco has never told anybody that it was possible to take over one of their routers," Lynn said. "They fought that argument for a long time. You can see how far they're willing to go. I demonstrated it live on stage. That debate is over now."

Such information is one of the key points of the Black Hat conference, said organizer Jeff Moss. The event attracts thousands of computer security experts from business, academia and government.

"The point of the talk was to demonstrate there's a problem -- that you need to update all your software as soon as you can because of these types of problems," said Moss. "It wasn't a roadmap to world destruction."

As part of the settlement reached Thursday in San Francisco federal court, Black Hat also agreed to return any video of Lynn's presentation.

It's not clear why the decision to cancel the presentation was made only a few days before the conference was to begin. Moss said ISS first contacted Black Hat several weeks ago about the possibility of pulling presentation material from the handouts given to every attendee.

Until last week, ISS never followed through with a request to actually remove the material.

That changed when Cisco and ISS hired a team of temporary workers to yank about 20 pages from thousands of conference binders and replace compact discs with presentation materials.

"The speech had been vetted like two or three times through ISS's PR department. Everything was great, and ISS was contacting the media telling them to come see this talk," Moss said. "Then last Thursday or last Friday there was a total about-face on ISS's part."

[ Back To TMCnet.com's Homepage ]