ISS researcher quits job to detail Cisco flaws

IDG News Service - Internet Security Systems Inc. (ISS) research analyst Michael Lynn quit his job to provide information on a serious Cisco Systems Inc. router vulnerability at this week's Black Hat USA conference, after his company decided not to give a presentation on the flaw.
Lynn felt compelled to quit his job Wednesday morning so that he could give the talk, because the Cisco security issues are of vital importance to the Internet's health. "This is the right thing to do," he said, speaking to Black Hat attendees, who punctuated his talk with applause. "When you attack the router, you gain control of the network."
Lynn described a now-patched flaw in the Internetwork Operating System (IOS) software used to power Cisco's routers, as well as the steps he used to gain control of a router. Although Cisco was informed of the flaw by ISS and patched its firmware in April, users running older versions of the company's software are at risk, he said.
Cisco was unhappy with his talk and had put pressure on both ISS and the Black Hat conference to stop the presentation, Lynn alleged. Cisco could not be reached for comment.
By giving his presentation, Lynn said he hoped to clear up the misconception that Cisco's products are somehow less vulnerable to the kinds of attacks that frequently affect widely used software like the Windows operating system.
"IOS is the Windows XP of the Internet," he said.
After six months of research work, Lynn discovered a way to shut down a Cisco router so that it could not be restarted. In light of the 2004 theft of Cisco's IOS source code, it was possible that attackers could create a devastating worm attack that could shut down many Internet routers, he said.
A recent decision to include a technical feature called "virtual processes," in upcoming versions of IOS would make it easier to create a "routing worm that breaks every router in the world," Lynn said. "When they come out with a version [of their router] with virtual processes, this is a real flaw."

Both Cisco and ISS threatened him with legal action if he gave the presentation, Lynn said. "I'm probably about to be sued into oblivion," he said.

An ISS spokeswoman confirmed that her company asked Black Hat organizers to remove Lynn's presentation, which had included the ISS logo, from the conference materials. Although ISS felt that Lynn's presentation required "further review," the company was not planning legal action against its former employee, the spokeswoman said. "There's been notalk of that," she said.

Show organizers literally ripped out the 31 pages containing Lynn's talk from the 1,200-page book of Black Hat presentations handed out to attendees this week. Whether the written presentation will be made available remained unclear.

During his presentation, Lynn said he understood how ISS might have had a hard time allowing the talk, given Cisco's objections. "They had to do what was right for their shareholders," he said. "But I had to do what was right for the country and the national infrastructure."

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.