Cisco Faces Security Flap

A security researcher has crossed Cisco by revealing, at a conference this week, the existence of a major IOS security hole.
Wired News reported yesterday that the existence of the flaw was disclosed by former researcher Michael Lynn at the Black Hat Briefings conference in Las Vegas.
Cisco and ISS originally had approved Lynn's talk, but Cisco reportedly made an about-face earlier this week, insisting the talk be delayed. Lynn claimed ISS and Cisco had threatened him with a lawsuit if he didn't cancel the talk. He gave the talk anyway, quitting his job beforehand.
While he didn't disclose how to exploit the flaw, Lynn reportedly demonstrated that it could be used to gain unauthorized control over a router. ISS had discovered the flaw in its work with Cisco.
Cisco officials say the bug has been patched, and the buggy version of IOS is no longer available for download.
But Lynn's actions raise the debate over how such security problems should be handled. Many security experts believe that full disclosure is the best policy, because it keeps users aware of security dangers.
U.K. news sources are reporting this morning that Cisco and ISS have filed a restraining order against Lynn and the Black Hat conference organizers to prevent further discussion of the security flaw.
According to Wired News, Lynn chose to act because of recent thefts of Cisco IOS code, which he takes as a clear sign that hackers intend to attack IOS, much as they target Microsoft Corp.'s (Nasdaq: MSFT) Windows operating system for its ubiquity (see Cisco's IOS Code 'Compromised'). "I'm probably about to be sued to oblivion. [But] the worst thing is to keep this stuff secret," Lynn was quoted as saying.
Cisco officials couldn't be reached for comment late Wednesday, but Cisco did post a response to Lynn's talk on its Website, which reads in part: "It is important to note that the information presented at the Black Hat Conference today was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. The research presented explores possible ways to expand exploitations of known security vulnerabilities impacting routers."
Generally, Cisco is open about reporting IOS flaws as they are discovered. Juniper Networks Inc. (Nasdaq: JNPR) takes the opposite tack, preferring not to disclose security bugs found in its JunOS operating system. The result is that Cisco has a lot more bugs being discussed. But Juniper has had its share of trouble, too, such as a January incident where customers reportedly underwent emergency upgrades to close a security flaw (see Security Bugs Bite Juniper, Cisco).
— Craig Matsumoto, Senior Editor, Light Reading