Should Michael Lynn have kept his mouth shut?

Responsible disclosure is again the hot topic as the infosecurity community debates whether a Black Hat presenter should have divulged a potentially catastrophic flaw.

One can only imagine what raced through Michael Lynn's mind the moment before he saved or sacrificed our nation's critical infrastructure, depending on your take on the researcher's Black Hat Briefings presentation this week.

Lynn's the guy who quit his job at Atlanta-based Internet Security Systems Inc. and defied legal threats from Cisco Systems Inc. to divulge (without much detail) how he reverse-engineered Cisco's Internetwork Operating System [IOS] software to exploit a known flaw in the networking giant's routers. He and Black Hat conference founder Jeff Moss are now off the legal hook, with the two men and two companies having reached an accord late Thursday.

But what happened, and why, continues to confound the security community. Initially, ISS consented to Lynn, then a member of its X-Force research team, discussing his findings at the annual Las Vegas conference, especially given that a patch preventing the attack had been available for three months. ISS apparently had been working with Cisco on the problem for at least that long. Then Cisco got involved, belatedly, and deployed staff to cut Lynn's PowerPoint pages from 2,300 conference handbooks. On Wednesday it obtained a restraining order against Black Hat organizers and Lynn. On Thursday, Cisco distributed abridged CDs of the proceedings to 2,500 conventioneers.

"Considering how important Cisco routers are to the Internet, I can somewhat understand their concerns," Steve Fletcher, a security specialist for a security consulting firm in central Illinois, said in an e-mail exchange. "However, I believe they went to extremes, considering that a patch is supposedly available."

A videotape of the presentation-purging and the subsequent scuttlebutt guaranteed Lynn a rapt audience. Black Hat and its sibling, DefCon, remain widely popular -- and controversial -- for precisely these kinds of talks from hackers of all hat colors. By learning how the bad guys do it, corporate and government IT administrators can harden their networks. But, as everyone who remembers the arrest of DefCon presenter Dmitry Sklyarov four years ago knows, such disclosures can come at great personal and professional cost.

In this instance, Lynn believed exposing his IOS exploit was essential to protecting national security, since Cisco's equipment is heavily embedded in the networks that run the country's critical infrastructure. Its routers also direct the vast majority of Internet traffic. And the source code for IOS has twice been stolen, making the threat more immediate.

It's no surprise that support within Las Vegas's Caesars Palace was squarely with Lynn, who joked during the presentation, "I'm probably about to be sued to oblivion." The same sentiment quickly spread to security blogs and other online forums, including a SearchSecurity.com discussion forum. Some questioned Lynn's motives and integrity and believe he needlessly put more enterprises at risk. But the vast majority have expressed outrage at Cisco's reaction and frustration with vendors in general that dictate patching schedules (and therefore disclosure timelines) that can leave networks vulnerable while manufacturers figure out a fix.

"I am afraid that this controversy will be a setback for security researchers and the full disclosure concept," Fletcher said. "I understand the fact that companies need to have time to patch problems before they are released to the entire world, but it is also important that the world receive this notification within a reasonable time period of the discovery."

"Many of the people working in the trenches to keep our networks secure are very frustrated at the lack of support from their vendors and their employers when it comes to plugging holes like this one," said Stephen Cobb, author of Privacy for Business.

Cobb isn't surprised at ISS's and Cisco's initial hard-line approach. "They are listening to their lawyers and not their employees and customers," he said Thursday morning. "The heavy consolidation within the security industry means that no company can any longer afford to take a stand on its own. ISS has to stay friends with Cisco or its sales will be hurt. The same was true when @stake fired Dan Geer in 2003 for putting his name to a report, 'CyberInsecurity: The Cost of Monopoly,' that was critical of Microsoft. And, of course, Cisco has its market share and shareholder interests to defend."

Brett Osborne, a CISSP and senior systems engineer for an international systems integrator, believes the spotlight currently cast on this case is warranted. "Regardless of whether you have Cisco or not, you probably connect to somebody who has Cisco and use a portion of the Internet that is based on Cisco," he said. "You probably have business partners who are using Cisco, even if you're using somebody else. The ubiquity of it is beyond all belief. And from what I've read it appears this kind of attack is on a magnitude that Cisco's hardly, if ever, seen."

Osborne supports Lynn's position and said there's also a silver lining to the black cloud that's hung over this presentation.

"The results from him making a presentation and now all the publicity is that people who may have been slow in getting the patch applied will have to get out of their comfortable chair and go apply a patch which was already available," he said. "That's the good thing that's supposed to come out of these types of presentations."

This story originally appeared on SearchSecurity.com.
