- 10 open source companies to watch
- Mythbuster busts his own tale
- $208 million petascale computer gets green light
- Sony recalls 73,000 Vaio laptops
- Chrome and Firefox and add-ons
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
"There are, and always have been, people who know how to crash the Internet but have so far chosen not to do so."
- Stephen Cobb, Certified Information Systems Security Professional and authorof Privacy for Business
Not many of us would choose to step in front of a freight train going at full speed, but last week at the Black Hat Briefings conference in Las Vegas a gentleman by the name of Michael Lynn did more or less just that. Roughly two hours after his resignation from the company Internet Security Systems (ISS) he gave an unsanctioned talk on a Cisco router vulnerability (see story and discuss in our Lynch/Cisco forum ).
Make no mistake; this was a big deal because this vulnerability is potentially very serious. If some lunatic were to exploit it he could bring down the entire Internet. Sure, go back and read that last sentence again. I'm not exaggerating.
In front of a rapt audience of security wonks, Lynn announced, "I'm not giving you a road map to an exploit; I'm trying to prove to you that I've done it." He then demonstrated the hack - reportedly a buffer overflow exploit - without revealing the exact details. It is reported that the exploit took all of 5 seconds.
What Lynn demonstrated was that he could remotely access a Cisco router and gain the highest level of access, which gave him the ability to do anything from degrading performance or monitoring traffic to disabling the router completely.
The problem is that because much of the Internet relies on Cisco routers, this is pretty serious stuff. Cisco did fix this issue some months ago, but - of course - many companies have yet to upgrade their router firmware. Lynn said if the router owners "upgrade their firmware, they'll probably be fine."
Now you might be saying, "But we don't rely on Cisco routers, so we're OK . . . aren't we?" I'm afraid not, my friend, because you do business with other companies (for example, your banks, your partners, your suppliers, your customers) that do use Cisco routers, and if they go offline, then for all intents and purposes so do you. So do we all.
The presentation had apparently previously been approved by Cisco and ISS, but, according to various sources, Cisco got cold feet and wanted the presentation canceled, and ISS acquiesced. But Lynn saw a higher calling, because recently (for the second time) the source code for IOS, the operating system that runs Cisco routers, was stolen.
Rss FeedRss Feed
Gartner summarizes its view on Application Delivery Controllers, evaluates strengths and weaknesses...
Vulnerability Management For DummiesDownload this concise book "Vulnerability Management for Dummies," to learn about the simple steps...
The ROI and TCO Benefits of Data Deduplication for Data Protection in the EnterpriseThis paper examines and quantifies the costs and benefits of backup with deduplication storage as...
Life on the edge of your WAN has changed dramatically. With the need to deliver advanced services,...
PoE Plus: Impact on the PoE MarketThe standard for Power over Ethernet (PoE), IEEE Std. 802.3af(tm)-2003, advanced networking,...
Harnessing the power of communications to increase workplace performanceDue to the convergence of IT and telecommunications technologies, the business workplace has been...
We have so many holes punched in our firewalls today that many industry insiders question the value...
The self-managed networkWe aren't there yet, but advances in network and systems management tools are making it possible to...
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment