Last Thursday my Network World colleague Ellen Messmer filed an unusual story from the Black Hat conference in Las Vegas about Juniper security researcher Michael Lynn crashing an invitation-only party put on by his employer's arch rival.
At last year's Black Hat affair, Lynn, then in the employ of Internet Security Systems, ticked off both ISS and Cisco by delivering a presentation revealing a vulnerability in Cisco gear -- a presentation the companies had gone to extraordinary lengths to squelch.
Since last week's story ran, it has generated thousands of page views and a good deal of chatter -- some of it questioning whether the episode really happened, much of it centered on one question: How exactly did Lynn manage to crash the bash? It turns out it wasn't anything cloak-and-daggerish, and Messmer knows, because she was there, standing in line directly behind Lynn waiting to gain admittance to the Pure Nightclub at Caesar's Palace.
Here's her account:
"Yes, there is curiosity about the way he bluffed his way in," Messmer reports. "The official term for what he did in security parlance is 'social engineering.'"
"Basically what happened is the Cisco party had a line in which each person who wanted to enter had to give his or her name to a young woman sitting at a table with a list. She then crossed the name off and the person could go into the party. If your name wasn't on the list, you wouldn't be given immediate access."
"When Lynn's turn in line came, she asked him three times what his name was. He appeared a bit panicky, and wouldn't answer. Then he put his finger on the sheet with the names and said, 'That's me.' The woman didn't make any response but just checked off a name. And Lynn went into the party."
"His name wasn't on the list."
"The irony is, had Lynn decided to give his real name, it's unlikely Cisco would have turned him away. Lynn has friends at Cisco who wanted him to attend the party, and although he wasn't officially invited, Cisco would probably not have kept him out."
Ah, but discovering and exploiting a security flaw -- in this case a guest-list check that accepted a finger on the sheet in place of a spoken name -- is so much more fun.
(Update: Lynn, Juniper stick by their story.)