REALITY BITES
Totally Exposed

   

Picture this : Let's say you bought a new house for your family, bought some quality furniture and appliances, and installed some anti-burglar equipment like alarms and surveillance cameras to ensure the safety of your home. Only to find out that most of your security facilities are useless because the door locks that came with the house are defective. How would that make you feel?

A couple of weeks back, Internet Security Systems (ISS) and Cisco Systems filed a joint request with the U.S. District Court in San Francisco to prevent a former ISS employee named Michael Lynn from further disseminating research on how computer hackers could compromise Cisco routers.  The legal action forced Lynn not to talk about the matter again, which drew mixed reactions from the Internet community.

Just to give you a brief background: During his stint at ISS, Michael Lynn and his colleagues discovered a way to exploit a Cisco software vulnerability in its Internetwork Operating System (IOS) in order to seize control of a router. Cisco patched the flaw in April, but Lynn showed that Cisco did not fix the problem totally, and that the same technique could be used to exploit other vulnerabilities in Cisco routers.  A router determines the next network point to which a data packet should be forwarded en route toward its destination.  In layman's terms - a router can be compared to the reception area of a building, accepting people or visitors, checking them over, letting them in and letting people out.

In an interview with Wired News, Lynn said that on January 26, Cisco announced a vulnerability called "Multiple Crafted IPv6 Packets Cause Router Reload", which is different from what Lynn discovered. ISS wanted to protect its customers against the problem, so it called up Cisco to get more details, but Cisco refused to give more information to ISS.  So ISS asked Lynn to disassemble IOS by "reverse engineering" to find out what the vulnerability really was.

Lynn's research revealed that the problem was actually way worse than what Cisco reported.  ISS informed Cisco about Lynn's research, but Cisco said that it was impossible to execute shell code on Cisco IOS.  Lynn also said that Cisco even cooperated in finding vulnerabilities and confirming them, but not in the reverse engineering work.  A Cisco engineer witnessed Lynn's work on June 14 and was even impressed by it.  Then came the Black Hat Conference (a conference for computer security professionals) in Las Vegas.


ISS submitted Lynn's work to the Black Hat Conference and asked Lynn to do the presentation.  Lynn didn't want to make it public and even tried to resign from work.  ISS talked Lynn out of the resignation by agreeing to give him control over who could see or have the exploit.  Lynn agreed.  Cisco was aware of the presentation (months before the conference), and Lynn was told that Cisco might even come onto the stage with him.  Lynn also said that Cisco had already released information about his discovery and a fix, but didn't clarify to its customers how serious the flaw was.

Everything took a 360-degree turn when Lynn was told by ISS and Cisco to remove the reverse engineering topic from his talk or cancel the presentation altogether. If not, he would be fired and a case would be filed against him.  Cisco didn't want the information disclosed until next year, when a new version of the operating system would be available.  Lynn quit his job at ISS and proceeded with disclosing the flaw at the Black Hat briefing.  Lynn demonstrated what hackers could do to a router if they exploited the flaw, but did not reveal technical details on how to exploit it.  Prior to the talk, Cisco hired temporary workers to rip out pages from the conference book that contained images from Lynn's presentation. They also replaced the conference CD with a new disc with Lynn's presentation excluded.  This was done with the agreement of the conference organizers.

Cisco and ISS made good on their threat.  After Lynn's presentation, they filed for a restraining order preventing Lynn from saying anything else about the flaw.  Lynn signed a settlement with Cisco and ISS releasing him from civil liability in exchange for meeting several conditions.  But a criminal investigation came just hours after the settlement.  A complaint was filed against Lynn, but the Federal Bureau of Investigation (FBI) refused to give any additional information.  (Lynn's lawyer Jennifer Granick said the complaint was probably about intellectual property and that it most likely came from Cisco or ISS.)

Cisco said on its website that "Cisco respects and encourages the work of independent research scientists; however, we follow an industry established disclosure process for communicating to our customers and partners. It is important to note that the information presented at the Black Hat Conference was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. The research presented explores possible ways to expand exploitations of known security vulnerabilities impacting routers."  Cisco urged its customers to upgrade their software to the latest available versions.

Now here's my two cents' worth about this matter, on the premise that everything stated is factual:  Let's start with Cisco's point of view.  Cisco is correct in stopping the presentation if its intention was to protect the Internet world from being attacked due to its product vulnerability.  I can only surmise that most of the world's vital Internet installations are powered by Cisco routers.  So once they are compromised, an attacker can bring down the world's critical infrastructure.  With great power comes great responsibility, right?

If we are going to believe what Lynn said, Cisco had all the time to correct the problem.  But they chose not to believe Lynn's findings and resorted to legal action.  Wait for next year?  Cisco should know that a year is an eternity in cyberspace.  What is the restraining order for?  Because Cisco knows that once Lynn's findings are proven right, it will hurt Cisco's business reputation and integrity.  Lawsuits may even be filed by their clients.  Cisco cannot stop the problem by keeping it a secret.  Cisco's website indicated that the IPv6 Crafted Packet Vulnerability patch was published July 29.  How secure is the patch?  Only Cisco can tell.

Now why did Lynn decide to go public with the Cisco bug?  He said he had to do what's right for the country and the national infrastructure.  Some say Lynn wants fame and fortune for his expose; I don't buy that.  He simply did what he was asked to do.  And he did, but he was not taken seriously.  It's a case of what should come first - National Interest or Business Interest?

All I am saying is this : Users pay good money for I.T. solutions.  Most of them believe and trust their I.T. vendor's recommendations.  It's not a client/vendor relationship but a partnership, right?  Security is a process and not a product, but how will customers know what the right step to take is if something is kept secret from them?  Think about it.

I tried calling Cisco Philippines to ask their opinion about the issue at hand, but most of them were out attending an event.  Anyway, to Luigi and Oscar, Reality Bites will wait for your response. 

Am logging off for now.  God Bless us all!!!

*****

Announcement :
We would like to invite our readers to attend the Microsoft Office 2003 Powertips seminar on September 14, 2005 at the Makati Shangrila Hotel. Simply register online at
http://www.microsoft.com/philippines/powertips/ or you can buy your tickets at all SM TicketNet outlets.

For your questions, comments, suggestions, press releases and stories, please e-mail techtvhost@yahoo.com or visit www.infochat.com.ph for more articles.

**********