Cisco to be under scrutiny again at Black Hat

IDG News Service - Cisco Systems Inc.'s products will again come under scrutiny at this year's Black Hat USA 2006 conference, which kicks off later this month in Las Vegas.

Conference organizers say that 15 new exploits will be discussed at this year's event and that two of them target NAC (Network Admission Control) and VoIP vulnerabilities that affect products from a number of vendors, including Cisco.

Security researchers, no longer as focused on digging up bugs in core Windows components, are looking for green fields, said Black Hat Director Jeff Moss.

Last year, Cisco sued Black Hat conference organizers after security researcher Michael Lynn demonstrated a method for running unauthorized code on a Cisco router. It was a difficult technical achievement that had been considered impossible by some, but Cisco saw it to be a dangerous disclosure of information that could be used to harm the Internet's infrastructure.

Black Hat and Cisco settled the lawsuit after conference organizers promised not to disseminate information on Lynn's research. Lynn is not listed among this year's presenters.

However, it is unlikely that Cisco will be suing the conference this year, given that neither of the exploits target Cisco specifically. Instead they relate to underlying technologies that are used by a large number of products including Cisco's NAC and VoIP (voice Ooer Internet Protocol) products.

One researcher, Ofir Arkin, the chief technology officer of Insightix Inc. will be speaking about NAC technologies "and ways to bypass them," he said in an e-mail interview. Information on Arkin's presentation can be found on the Black Hat site.

A second presentation, given by researchers at 3Com Corp. and SecureLogix Corp. will examine the SIP (Session Initiation Protocol) used by VoIP systems. "In it, we describe and demonstrate many real-world VOIP exploitation scenarios against SIP-based systems (Cisco, Avaya, Asterisk, etc.)," the presenters wrote in a description of their talk. That description can also be found on the Black Hat site.

Researchers will disclose three exploits that take advantage of bugs in the Linux-based Asterisk PBX (private branch exchange) telephony software, conference organizers said. And as previously reported, wireless security researchers David Maynor and Jon Ellch plan to show a way of running unauthorized software on a laptop computer by manipulating buggy code in the system's wireless device driver.

Products from perennial favorites Microsoft Corp. and Oracle Corp. will also be discussed, with three Oracle exploits and four Microsoft exploits being disclosed, Black Hat said. There will also be discussion of two Linux exploits and one relating to Xerox Corp.'s products.

Researchers will also demonstrate 25 new hacking tools at the show, which will also be noteworthy for its degree of friendly cooperation with technology vendors. Cisco itself is a platinum sponsor at the show, and Microsoft employees will be speaking at a track devoted entirely to the company's upcoming Windows Vista operating system.

Black Hat's Moss credits Lynn with inspiring new research work in the area of embedded devices, which be one of the hottest areas of research at this year's conference. By showing how Cisco's routers could be hacked and made to run unauthorized code just like a PC, Lynn helped change the way researchers think about many of these devices. "Once he did that, it really opened people's eyes," Moss said. "The amount of people who are now beating up on embedded devices has changed. Now the floodgates are opened."