Network News

X My Profile
View More Activity

Black Hat: The Latest on Lynn and Cisco

Blackhat_wpni_1_1LAS VEGAS, July 27 -- The Michael Lynn story keeps getting more interesting. The computer security researcher lost his job at Internet Security Systems today after he briefed Black Hat conference attendees about a flaw in the software that powers Internet routers made by Cisco Systems. The latest is that Lynn has been served with a temporary restraining order designed to prevent him from discussing any more details about the flaw.

In the order, which was jointly filed by ISS and Cisco, Lynn is said to have illegally reverse-engineered Cisco source code and that he stands to profit from this research. A copy of the document, obtained by washingtonpost.com, reads: "Cisco believes that Lynn is also disclosing ISS and Cisco proprietary information outside of the context of a formal presentation as well."

Reading over the papers faxed to him in his hotel room, Lynn called the accusations ridiculous.

"I'm probably going to go bankrupt because of what I did today," Lynn said. "I mean, I have car payments that I'm afraid I'm not going to be able to make now."

Cisco routers are used on nearly every major segment of the Internet infrastructure. By exploiting the flaws described in his talk today, Lynn said attackers could crash those systems or intercept Internet communications. An automated attack against the router flaw -- delivered through an Internet worm, for example -- could effectively darken much of the Internet, he said.

According to people who heard the presentation today, Lynn demonstrated how the flaw could be exploited but obscured much of the technical details that an attacker would need to know to pull it off. The injunctions filed against him state that ISS and Cisco had been working together on the flaw for the past four months, and that up until earlier this week, a Cisco executive was slated to co-present the findings with Lynn at Black Hat. But on Monday, Cisco asked conference organizers to pull Lynn's presentation from the conference materials handed out to attendees.

Lynn said several people familiar with the legal proceedings told him Cisco and ISS also were seeking to have the local sheriff's office seize his laptop computer and other equipment. A spokeswoman for Cisco said she did not believe the restraining order included a request for Lynn's possessions. Lynn is scheduled to appear in federal district court at 8:00 a.m. Thursday.

It remains unclear whether Lynn will face criminal or civil charges for his talk today. But from the injunction application filed today, in which the companies cited previous cases involving the theft of trade secrets, the two companies hinted at the former, saying "there should be no bond requirement or the bond requirement should be minimal."

Lynn said he quit his job at ISS and went ahead with his presentation because he felt that the Cisco flaw is extremely serious. He said he intends to take a stand in court so that other security researchers aren't bullied into burying their findings when the companies they're researching decide not to publicly address serious security flaws in their products.

"They're trying to intimidate and scare me, and I'll be honest it's working a little bit, but not enough. People who know me will tell you I have a long history of not being afraid of people I should."

See my previous post for Cisco's official line on Lynn.

By Brian Krebs  |  July 27, 2005; 11:31 PM ET
 
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Black Hat Day 1: Update on Cisco-gate
Next: Pranks, Parties and Personalities

Comments

Sounds to me like Mr. Lynn best have a good lawyer. The law is often not fair nor make any sense to common citizens, but we are bound by it. Mr. Lynn may believe he did "the right thing", but that is VERY different than "the legal thing".

Unfortunately, Cisco has much deeper pockets than Mr. Lynn and can afford a posse of lawyers to bury him.

Posted by: Jasen | July 28, 2005 11:45 AM | Report abuse

Mike,
where is your leagal fund set up at? I'll donate what I can...

Posted by: Mike | July 28, 2005 12:34 PM | Report abuse

This is going to piss off a lot of the people who are responsible for keeping those routers running smoothly. Black Hat is a big deal and has a lot of respect. Cisco should know better than to shit where they eat, and ISS should know better than to sell out and backstab one of their employees.

Posted by: phybre | July 28, 2005 12:55 PM | Report abuse

I hope you guys put a copy of the presentation up (video or at least a transcript). One interesting thing is that BlackHat had a page from Lynn on June 16th that shows up on Google and is now gone. Coverup, indeed..

As a network geek, it'd be nice to know what the vulnerability is and which IOS is affected. Upgrading IOS is not something that is fun to do on larger hardware when you are using various complex features and numerous port adapters. Finding a stable IOS that works with the features you need and the hardware you have can be a very interesting ride...

Posted by: Chris | July 28, 2005 12:55 PM | Report abuse

What if the cisco "flaw" is actually a
backdoor provided to NSA/DOD/FBI/CIA or
combination of the above agencies for
covert surveillance of internet traffic?
Or could it be a marketing feature for
sales of routers to the Chinese
government, to facilitate their control
of domestic internet traffic?
Or am I just paranoid?

Posted by: Bob | July 28, 2005 1:34 PM | Report abuse

As if geekdom has no flipping clue to what was decided in the MGM vs. Grokster decision that innovation is no protection against illegal behavior. From most of the posts I read on this subject so goes the same cavaleir attitude about how the big bad corporations are trying to silence a crusader for freedom of information.

What a load of bull. I teach copyright and IP law and work on the side of the IT consumer in Washington when it comes to trying to create a fair balance when it comes to content providers and the consumers. Everytime some self important crusader has a bout of mouth flatulance such as what has happened here we get a whole new slew of legislation thrown through congress to further inhibit our rights as consumers and expand the dominant position of the content providers.

Time to grow up geekdom, being a martyer for the cause has about as much effrect here as what it does for other radical jihadists. Great, now Lynn gets his 15 minutes of fame and people like me who understand how to work the system have months of damage control to try to do to keep a new flood of legal ramifications from effecting the rest of us negitively.

Mike Lynn has my most sincere thanks for doing what in his own self inflated opinion was the right thing. Of course not really understanding the full ramifications of what his actions will incur. Quite personally I do hope his past employer and Cisco both nail his ass to the tree.

Posted by: drfez | July 28, 2005 2:15 PM | Report abuse

I am not sure whether or not he is violating the tacit agreement to not go public with the information before a reasonable time is up. For software it is one month unless you agree to hold it under your hat a little longer (this is an ETHICAL decision, not a legal one since you are not bound to not disclose the problem immediately) but the Cisco problem sounds like a firmware problem which can be software and probably is. Regardless, it sounds like a Red-Herring issue. Black Hat purged the pages didn't they? He didn't divulge all of the technical aspects, and from the sounds of it, Cisco is balking at the fix for what ever reason. This is yet another example of the weak being shafted by the rich and powerful, and in this case they (Cisco AND Internet Security Systems) aren't even kicking it up a gear or two to get the problem fixed. It sounds an awful lot like the giant Microsoft that on the one hand are purportedly against spyware, but at the same time are buying one of the biggest adware companies out there. Yes, I block that company's sites with a blocking hosts file that maps their names to 127.0.0.1 (no place like ... thank's for the sig Mike Burgess).

I strongly advise Cisco to drop the strong arming and if not, Bay Networks, Asco-Timeplex and others please get ready for increased business. If people get the idea that Cisco is now a big baddie that has no concern about the security of their products, they should vote with their pocket book and take their business elsewhere.

HHH

Posted by: hhhobbit | July 28, 2005 3:20 PM | Report abuse

"What politicians are talking about when they talk about the Digital Pearl Harbor is a network worm. That's what we could see in the future, if this isn't fixed." - Michael Lynn

While reading translated Chinese hacker sites that alluded to the issue, Mr. Lynn discovered that attackers were actively exploiting a previously unknown Cisco IOS flaw. The attackers most likely discovered the issue shortly after the theft of the Cisco Source code in May 2004, which was just one of a large series of coordinated attacks and intrusions. Cisco refused to admit that the issue was exploitable. After demonstrating that the threat was real by developing an internal, unpublished proof-of-concept exploit for the issue, he and his former employer ISS notified Cisco. Cisco patched the issue silently in April but refused to issue an advisory to their customers or the government.

The critical information infrastructure is under attack but not by security researchers like Mr. Lynn. He is an ethical, hard working individual and was concerned for the safety of both his nation and the Internet at large. Thanks to Mr. Lynn, we are more secure. Mr. Lynn and ISS worked with Cisco through established mechanisms of responsible disclosure to fix the issue. Cisco sought to bury the issue in order to avoid unwanted press. The debacle clearly demonstrates that Cisco does not care about the security of the critical information infrastructure (CII). Internet engineers, the soldiers in the trenches of this modern information war, have expressed widespread support for Mike via the NANOG list. In discussions with attendees at the presentation, those who work in national defense expressed sincere appreciation for the efforts of Mr. Lynn to protect the critical information infrastructure.

"The Critical Infrastructure Protection directive (PDD-63) calls for a national effort to assure the security of the increasingly vulnerable and interconnected infrastructures of the United States." - Excerpt from Presidential Directive 63

Attackers share information and by preventing legitimate researchers from doing the same, we do ourselves a vast disservice. Security through obscurity, the ostrich approach, never works. It only leaves us vulnerable to attack and possessed of a false sense of security.


References:

Thomas, T. "Like Adding Wings to the Tiger: Chinese Information War Theory and Practice." Foreign Military Studies Office.
http://www.iwar.org.uk/iwar/resources/china/iw/chinaiw.htm

Leyden, J. "Cisco probes source code theft" The Register. May 17th 2004.
http://www.theregister.co.uk/2004/05/17/cisco_code_leak/

Leyden, J. "Cisco source code theft part of 'mega-hack'" May 10th 2005.
http://www.theregister.co.uk/2005/05/10/cisco_hack_investigation/

Presidential Decision Directive 63. "PROTECTING AMERICA'S CRITICAL INFRASTRUCTURES" 1998. http://www.fas.org/irp/offdocs/pdd-63.htm

Posted by: Robert Guess | July 28, 2005 4:06 PM | Report abuse

As an information security engineer who supports the gutsy stance that Mike has taken, I will be embarking on an economic boycott of both Cisco and ISS solutions. My economic boycott will exist as long as Cisco and ISS continue to postulate that what Mike presented was wrong.
This argument strikes at the heart of information security. If Cisco's tactics are successful- the field of information security loses- to the detriment of netizens worldwide.
I hope others agree with my analysis and promote such an economic boycott until such short sided thinking by Cisco/ISS stops. For those that don't agree, feel free to continue to place your faith in manner in which Cisco has handled these vulnerabilities and this matter. They've had a long time to review and fix these problems first noted in previous Black Hat cons over years ago by a german hacking group.

Posted by: Disenfranchised with Cisco | July 28, 2005 5:57 PM | Report abuse

Cisco should take massive steps to fix their bad code. Maybe they could train their lawyers as programmers and get with it. The world is tired of half witted IT products and strong arm tactics to provide a smoke screen coverup. WAKE UP before it's too late!

Posted by: Jim | July 29, 2005 12:37 AM | Report abuse

Mr. Lynn, no doubt, is a good researcher but did ISS curbed him like other firm does with dozen on the agreement bonds.
The agreement should remain like incompetent one that could restrain him to release his 0day exploit even after he resigned from the company. I wonder how the big company like ISS haven't thought about it. Take example of the recent hire of the MS executives by google.

That could have restrain him taking this 15 minutes media fame and could have avoid the possible disaster if 0day have gone underground. Indeed This will create havoc!
On the other CISCO should bring some new plan such as to pay researchers for information about unannounced vulnerabilities in major systems and software and will add bonuses for prolific flaw finders.

Posted by: npguy | July 29, 2005 1:48 AM | Report abuse

A further curse on ISS and Cisco.

Posted by: Johann | July 29, 2005 10:49 AM | Report abuse

I would imagine he'll have several offers for probono legal help. No press is bad press.

Posted by: Jason | July 29, 2005 12:06 PM | Report abuse

it's a shame that someone who reveals a flaw in something that could be so seriously damaging to literally thousands gets the hand of "MegaCorp" across his face for trying to help. What if someone found your car had a serious flaw that could damage you and other people in traffic, would you want that person to be inprisoned aswell by "MegaCorp" aswell?

Something interesting for both sides is that Cisco stated the flaw was found by reversing the source code. This clearly makes it sound like if this wasn't done then there would be no problem. Now i don't care if that is illegal or legal, because here it sounds like Cisco is in belief that their products are 100% secure through propietary non-open source software.

One thing is for sure that is hard to disagree with, Cisco currently doesn't have code that is competent enough for the open source reprising.

Posted by: Yougy | July 30, 2005 1:47 PM | Report abuse

We have setup a donation site for Mikes legal fund here: http://www.phreaknic.info/pn9/mikelynn.html

Mike has a FANTASTIC lawyer: Jennifer Granick, http://cyberlaw.stanford.edu/blogs/granick/

Posted by: dc0de | July 30, 2005 4:52 PM | Report abuse

Cisco has had problem after problem after problem with code security. As a Security Engineer I am fed-up with patching my routers every week. Cisco should fix the code. The code is broken!! Hackers and security experts find new security holes every month. What if some hacker finds a hole that the security teams don't find or that Cisco keeps quite. We will have a real problem. Cisco, get the code fixed or we will buy competent products from Nortel, Juniter, etc, etc...

Posted by: Jack | August 2, 2005 9:47 AM | Report abuse

Brian, your statement about Active RFID got it backwards. Because Active RFID emits its own power, it can be detected at very long distances if necessary, depending on the power supply. Passive RFID on the other hand can usually only be detected at very short distances because it relies on reflecting or absorbing (and using) power supply from the RFID reader device, and such power drops off as a square of the distance between them -- not good. That's why the Passive RFID results were impressive, because they got long distances without having to go to an Active RFID approach.

For more information, see http://www.autoid.org/2002_Documents/sc31_wg4/docs_501-520/520_18000-7_WhitePaper.pdf

Posted by: Bah Humbug | August 2, 2005 4:58 PM | Report abuse

Cisco has determined that Cisco.com password protection has been compromised.
As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to cco-locksmith@cisco.com. Account details with a new random password will be e-mailed to you.
If you do not receive your new password within five minutes, please contact the Technical Support Center.
This incident does not appear to be due to a weakness in Cisco products or technologies.

Posted by: anonymous | August 3, 2005 1:33 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company