
Cisco Reveals 'Black Hat' Flaw

Light Reading
News Analysis
7/29/2005

The security flaw outed by former ISS researcher Michael Lynn at this week's Black Hat Briefings conference in Las Vegas is now the subject of a formal security advisory from Cisco.

Posted this morning, the advisory notes an "IPv6 Crafted Packet Vulnerability" in Cisco's Internetwork Operating System (IOS) that can open a router to "an arbitrary code execution attack." Cisco knew about the bug and issued a patch in April, but without fanfare.

The flaw could be used to launch a denial-of-service attack, as is the case with most IOS vulnerabilities discovered lately. More chilling, though, is the "code execution" part, meaning that a hacker could take over the router completely (see Cisco Faces Security Flap).

The Cisco advisory notes that the attack only works if a router is "specifically configured" for IPv6.
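Because the advisory's precondition is that IPv6 be configured on the router, the first thing an operator wants is a quick way to find which devices actually meet it before deciding how urgently to apply the April fix. The script below is an added example, not code from the article or from Cisco: it scans a saved IOS running-config (the sample text is constructed for illustration) and reports the interfaces carrying `ipv6 address` or `ipv6 enable`, plus whether the global `ipv6 unicast-routing` command is present.

```python
"""Added example (not from the article or from Cisco): given a saved IOS
running-config, list the interfaces on which IPv6 is configured, which is the
precondition the advisory gives for this vulnerability. The config text below
is constructed for illustration."""
import re

# Constructed sample running-config (not from the page): two interfaces carry
# IPv6 configuration, one is IPv4-only, one is shut down with no IPv6 at all.
SAMPLE_CONFIG = """\
!
hostname edge-rtr1
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:1::1/64
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface Loopback0
 ipv6 enable
!
interface Serial0/0/0
 shutdown
!
end
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
# Interface-level commands that activate IPv6 processing on an interface;
# 'ipv6 address ...' in any of its forms, or a bare 'ipv6 enable'.
IPV6_CMD_RE = re.compile(r"^\s+ipv6\s+(address|enable)\b")


def parse_interfaces(config_text):
    """Return an ordered mapping of interface name -> list of its config lines."""
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("!"):
            current = None  # '!' terminates an interface block in IOS configs
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.rstrip())
    return interfaces


def ipv6_enabled_interfaces(config_text):
    """Names of interfaces with 'ipv6 address' or 'ipv6 enable' configured."""
    return [name for name, lines in parse_interfaces(config_text).items()
            if any(IPV6_CMD_RE.match(l) for l in lines)]


def ipv6_routing_enabled(config_text):
    """True if the global 'ipv6 unicast-routing' command is present."""
    return any(line.strip() == "ipv6 unicast-routing"
               for line in config_text.splitlines())


def assess(config_text):
    """Summarise exposure: interfaces with IPv6, and whether routing is on."""
    ifaces = ipv6_enabled_interfaces(config_text)
    return {"ipv6_interfaces": ifaces,
            "ipv6_unicast_routing": ipv6_routing_enabled(config_text),
            "exposed": bool(ifaces)}


if __name__ == "__main__":
    result = assess(SAMPLE_CONFIG)
    if result["exposed"]:
        print("IPv6 configured on:", ", ".join(result["ipv6_interfaces"]))
        print("Compare the running IOS image with the advisory's fixed releases.")
    else:
        print("No IPv6 configured on any interface.")
```

Run it against `show running-config` output collected from each router; a device that reports no IPv6 interfaces is outside the advisory's stated precondition, while any device that does report one should have its IOS image checked against the fixed releases the advisory lists.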

Cisco and ISS had sponsored Lynn's talk but at the last minute asked him to change topics. Lynn didn't comply, quitting his ISS job just before going on stage to demonstrate the security flaw. He did not reveal details of how to exploit the flaw.

Since then, Cisco and ISS have been granted a court order preventing Lynn and the Black Hat organizers from further discussing the flaw. "Cisco and ISS were granted a permanent injunction against Michael Lynn and Black Hat on terms that all parties agreed to," a Cisco spokesman says.

Lynn might also face an FBI investigation, according to some reports.

— Craig Matsumoto, Senior Editor, Light Reading

uguess
12/5/2012 | 3:06:56 AM
re: Cisco Reveals 'Black Hat' Flaw
Cisco IOS code sucks, period. They tried to hide the fact and destroyed a researcher's life, which sucks even more.
mr zippy
12/5/2012 | 3:06:55 AM
re: Cisco Reveals 'Black Hat' Flaw
http://www.schneier.com/blog/a...

.
.
Despite their thuggish behavior, this has been a public-relations disaster for Cisco. Now it doesn't matter what they say -- we won't believe them. We know that the public-relations department handles their security vulnerabilities, and not the engineering department. We know that they think squelching information and muzzling researchers is more important than informing the public. They could have shown that they put their customers first, but instead they demonstrated that short-sighted corporate interests are more important than being a responsible corporate citizen.

And these are the people building the hardware that runs much of our infrastructure? Somehow, I don't feel very secure right now.
.
.
.


san_guy
12/5/2012 | 3:06:54 AM
re: Cisco Reveals 'Black Hat' Flaw
Help me understand this opinion. If I figured out how to crash an airplane with my iPAQ, which would you prefer:
1) I go to the affected manufacturers and provide them an opportunity to resolve the problem before publicly announcing it
2) I go to a training camp for people interested in crashing planes and I explain to them how to do it in order to raise awareness of the problem
I feel a whole lot better knowing that there are bunches of researchers out there trying to figure out if the stuff I use on a day-to-day basis has issues. Sure, I would prefer if those issues didn't exist, but when they do, the industry's established way of dealing with them seems like the way which best serves my interest as an end user. Until I lose faith in that system, which has historically worked for me, I hope researchers continue to use it.
mr zippy
12/5/2012 | 3:06:51 AM
re: Cisco Reveals 'Black Hat' Flaw
I go to the affected manufacturers and provide them an opportunity to resolve the problem before publicly announcing it

From what I've read, Cisco were notified about this in April. They were even willing to be associated with the presentation up until the last minute, as was this researcher's former employer, ISS.

The controversy isn't the flaw itself or its existence, it is the way that Cisco have handled it, in particular in this day and age. Vendors trying to suppress knowledge of security flaws in their products, irrespective of whether they were given a heads-up and time to provide a remedy before the knowledge was released to the wider community, is so "5 or more years ago".

Vendors' arguments about completely suppressing this information are usually based on one or more invalid and flawed assumptions:

(a) their products are so good that they're flawless
(b) nobody will ever work out how to exploit those "non-existent" flaws
(c) even if one whitehat hacker works out how to exploit the flaw, nobody else will
(d) that nobody else worked out how to exploit the flaw and kept silent about it (or distributed the knowledge to the "underground") before this whitehat hacker developed the exploit and notified the vendor

Marketing people might generally believe this, as probably do a vendor's lawyers. Most people who actually deal with technology and therefore know how flawed it can be would usually never be so naive.

Sure, I would prefer if those issues didn't exist, but when they do, the industry's established way of dealing with them seems like the way which best serves my interest as an end user. Until I lose faith in that system, which has historically worked for me, I hope researchers continue to use it.

The common name for this policy is "Full Disclosure". While there are general variations, the basic idea is to give the vendor time to prepare remedies or mitigations, yet also provide a threat to release the information at a later date, regardless of whether the vendor fixes it or not, as vendors would naturally prefer that their products are not known by customers to be flawed.

A couple of links on the topic of Full Disclosure:

Wikipedia article
http://en.wikipedia.org/wiki/F...

Bruce Schneier's discussion on it
http://www.schneier.com/crypto...

Rain Forest Puppy's Policy (a well known "whitehat" hacker)
http://www.wiretrip.net/rfp/po...

While it isn't an absolute rule, releasing information about security flaws is usually better than not. Security is the sort of area where the more people learn, the better they become at doing it. Learning from other peoples' security mistakes is a far better approach than having to have each person learn by making their own. Even vendors benefit from this, as they can then design better and more secure products than their competitors, which then also results in the security and reliability of an industry's products as a whole improving, to the benefit of the industry's customers.


nobody-sem
12/5/2012 | 3:06:50 AM
re: Cisco Reveals 'Black Hat' Flaw
I am surprised they didn't turn his family, friends and the entire IT industry against him.

Cisco has 21 Billion dollars to hire the best harassment team .... I am certain his life will be miserable according to Cisco.
nobody-sem
12/5/2012 | 3:06:49 AM
re: Cisco Reveals 'Black Hat' Flaw
Cisco IOS code is hackable by anybody. This Iraq scenario is a little absurd; the topic is Cisco IOS and how easily it's compromised. Think about it... when Microsoft has a security hole(s), more often than not... it's fully disclosed and the customer can easily download the patch. When Cisco has a security issue, they'll pay millions of dollars to destroy that person's life and try to hide the fact. Hey Cisco... let's not behave like Mob-thugs and fix the damn problem.
nobody-sem
12/5/2012 | 3:06:49 AM
re: Cisco Reveals 'Black Hat' Flaw
You better believe Cisco has federal, judicial judge(s)... law enforcement, period... on their payroll. It's an extreme case of thugs.

If their products have flaws... the customer is entitled to full disclosure. Why would they attack an IT resource... why attack any IT resource for that matter?
turing
12/5/2012 | 3:06:49 AM
re: Cisco Reveals 'Black Hat' Flaw
Help me understand this opinion. If I figured out how to crash an airplane with my iPAQ, which would you prefer:
1) I go to the affected manufacturers and provide them an opportunity to resolve the problem before publicly announcing it


Even Cisco admits it was given due notice. In fact, they have a fix for the problem, they claim. Mike's issue was that they didn't make a big deal out of it, so admins wouldn't upgrade their code, and they claim that IOS is invulnerable to such attack types, which is clearly false. Mike also said in the presentation that the IOS source code has been stolen twice already, and that some of his techniques he got from Chinese websites about hacking IOS.

So to use your analogy, Mike's position is that the bad guys already know or are very close to knowing how to crash the airplane with the iPAQ, that the airplane manufacturer was told in advance and fixed it but did not make it an important security issue to the airlines, thus the airlines don't know that it's bad enough to want to use the fix.

It is also not clear if Cisco actually fixed the hole, or just changed the code enough so that Mike's particular attack vector won't succeed as it is written.
nobody-sem
12/5/2012 | 3:06:46 AM
re: Cisco Reveals 'Black Hat' Flaw
"The problem is that companies like Cisco can't guarantee that everyone will follow those responsible disclosure mechanisms, and I object to them trying to enforce them through THUGGERY."

I agree 100% with this statement. There is no absolute secrecy even in societies sworn to absolute secrecy. Most companies are extremely prone to leaks because the cost of establishing secrecy is prohibitive to their industry.

However, I think we also need to be careful about an eager-beaver phenomenon. There are many many reasons why someone hired by a security company and given clearance (perhaps their first job) might be motivated to violate the clearance arrangement after only a year or two. That is usually why there is a rigorous evaluation period prior to awarding any sort of significant clearance. We have to wonder if ISS is doing this due-diligence before they provide exactly the kind of experience and information that a motivated young security engineer might use to question the principles of their employer. And if this leads to a volatile relationship between ISS and their partners they really need to do self-analysis and consider why their own practices encourage their engineers to escape and disclose in the most public forum possible.

I am not saying that disclosure should be stifled through more stringent business practices, but rather that experience in security often brings perspective on when/how to disclose vulnerabilities in order to actually lessen the threat(s). I am not convinced that sound reasoning, a firm grasp on ethics, or years of difficult incident handling are prerequisites for clearance at some of these vulnerability research firms. They usually appear to just expect their researchers to be really talented at finding flaws and reporting them...

Anyway, what always stands out in most of these "hey, we're not ready yet" cases is that the person disclosing immediately has their motives questioned, and the company being exposed cries foul play. Lynn shows his predisposition to marketing hype and overstatement by calling out references to Pearl Harbor. At least he didn't go all the way to trying to create a sound bite somehow related to Hitler. But Cisco really takes the cake for hysteria and illogical thinking because they "hired workers this week to yank related pages from handouts and substitute conference CDs". Sheesh. What better way to pour fuel on the BlackHat fire than to try to overtly censor a speaker. Lynn could not have orchestrated a better press-op if he had tried.

Unfortunately all these fireworks pull us away from the real issues about trying to establish a common system and forum with clear guidelines for evaluating risk and establishing "fairness" for interested parties. It has always been somewhat implicit in the security profession what constitutes reasoned behavior, but that obviously gets tested more and more every day as more people join the profession with competing opinions and values. The courts have spent so much time debating things like "unsafe at any speed" that I expect it is only a matter of time before testimony like John's above will help real precedents be written to help us all understand when/how disclosures should be handled and who bears the cost of remediation. Back to the Cisco issue itself, it's true you often have to buy expensive hardware upgrades before you can upgrade software to patch known vulnerabilities, but that is true almost everywhere in technology... and no one so far has been able to force companies to leave out new functionality in deference to security when the old hardware cannot accommodate the new software.

So who really gets to decide what is the "right thing to do for the country and for the national critical infrastructure". All of us? And if we are all meant to be so responsible, then are we ready to take responsibility? Should we be expected to have any related qualifications, experience, etc. and be able to confer with an independent authority that has some level of representation/validation mechanism? Incident response and vulnerability research disciplines are really still in their infancy, which is what makes security so challenging and fun.

Posted by: Davi Ottenheimer at July 29, 2005 02:05 PM
