Two corporate giants in the world of Internet Security, Cisco Systems and Internet Security Systems (ISS), jointly cancelled a scheduled presentation at the annual Black Hat security conference in Las Vegas last week because it would have disclosed a security flaw in Cisco's flagship router products. In response to the cancellation, the presenter, Michael Lynn, an employee of ISS, resigned from the company, gave his presentation in defiance, and announced to the audience that he was in the market for a job.
Many serious programmers were surprised and disappointed by Cisco's attempt to silence Lynn. In some programming circles, it is widely believed that Cisco has been lucky over the past decade: while remote shell exploits have long been available for operating systems like Windows and for some routers, none have been available for Cisco's product line. At the same time, as most programmers understand, this luck has had a downside: Cisco has not developed software that allows its routers to automatically download and install security patches or other software updates. That failure may leave the company in a dangerous place. Hackers have been attacking Windows-based computers because that's what they have the most experience with, but if they turn their attention to the network infrastructure, companies like Cisco and their customers will have a lot of catch-up work to do. And squelching discussion of Cisco vulnerabilities is unlikely to encourage anyone to start that work. Here's what happened in Las Vegas.
Michael Lynn, a researcher at ISS, had developed a technique for exploiting buffer-overflow and related flaws in Cisco's IOS router operating system that would allow an attacker to remotely take over and reprogram a running router. Such a technique could be used to selectively disrupt communications to individual businesses or to large regions of the global Internet. It could also be used to eavesdrop on an organization's Internet traffic.
Although previous buffer overflows have been found in Cisco's operating system, this is the first time that an exploit has been demonstrated for the common programming flaw. Lynn's attack, reportedly the result of 6 months of work, allowed him to take control of a router and shut it down so that it could not be restarted.
Lynn worked for the ISS X-Force research and development team, whose charter is to find security vulnerabilities. The information is then shared with ISS customers and manufacturers. Lynn reported the flaw to Cisco in April, but while the company quickly patched the flaw, network operators rarely download and install new router operating systems, making it likely that many routers on the Internet today remain vulnerable to the attack. Perhaps more importantly, Lynn's work could be used as a blueprint for turning many bugs in Cisco's operating system into remote exploits.
Lynn created a presentation, titled "The Holy Grail: Cisco IOS Shellcode and Remote Execution," and submitted it more than a month ago to Black Hat USA, which accepted it and included the presentation in the conference proceedings. The conference organizers also put the presentation on the conference CD-ROM. Two weeks ago, the planned presentation became a hot topic on blogs and Internet chat groups, sparking a larger debate about whether publication of exploit details leads to better security, or to better hacks.
Then on Monday, July 25th, after conferring with Cisco, ISS announced that they would cancel the presentation. Cisco reportedly sent razor-blade-wielding employees to Las Vegas to cut Lynn's 15-page presentation out of the printed proceedings.
Lynn was having none of it. On Wednesday, July 27th, he resigned from ISS and delivered his presentation at the conference. Cisco and ISS responded quickly, filing suit against Black Hat and demanding that the company halt distribution of the presentation's video and other information pertaining to Lynn's work. Since that filing, Cisco has backed off the lawsuit and persuaded Lynn to promise not to disclose the details of his attack. Efforts to stem publication of the exploit were, however, less than successful, and Lynn's slides were posted on the Internet and sent to several mailing lists. Cisco's attorneys have served at least one Web site with an injunction, but the slides can be easily found with a few minutes of searching.
Lynn may have a much harder time finding a new job. At the conclusion of his talk, the programmer looked into the audience and asked that people please take a look at his resume. Lynn told Wired News that he "had to quit to give this presentation because ISS and Cisco would rather the world be at risk... They had to do what's right for their shareholders," he said. "I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."