Michael Lynn and Cisco: Stepping in front of the freight train

"There are, and always have been, people who know how to crash the Internet but have so far chosen not to do so."- Stephen Cobb, Certified Information Systems Security Professional and authorof Privacy for Business

Not many of us would choose to step in front of a freight train going at full speed, but last week at the Black Hat Briefings conference in Las Vegas a gentleman by the name of Michael Lynn did more or less just that. Roughly two hours after his resignation from the company Internet Security Systems (ISS) he gave an unsanctioned talk on a Cisco router vulnerability (see story and discuss in our Lynch/Cisco forum ).

Make no mistake; this was a big deal because this vulnerability is potentially very serious. If some lunatic were to exploit it he could bring down the entire Internet. Sure, go back and read that last sentence again. I'm not exaggerating.

In front of a rapt audience of security wonks, Lynn announced, "I'm not giving you a road map to an exploit; I'm trying to prove to you that I've done it." He then demonstrated the hack - reportedly a buffer overflow exploit - without revealing the exact details. It is reported that the exploit took all of 5 seconds.

What Lynn demonstrated was that he could remotely access a Cisco router and gain the highest level of access, which gave him the ability to do anything from degrading performance or monitoring traffic to disabling the router completely.

The problem is that because much of the Internet relies on Cisco routers, this is pretty serious stuff. Cisco did fix this issue some months ago, but - of course - many companies have yet to upgrade their router firmware. Lynn said if the router owners "upgrade their firmware, they'll probably be fine."

Now you might be saying, "But we don't rely on Cisco routers, so we're OK . . . aren't we?" I'm afraid not, my friend, because you do business with other companies (for example, your banks, your partners, your suppliers, your customers) that do use Cisco routers, and if they go offline, then for all intents and purposes so do you. So do we all.

The presentation had apparently previously been approved by Cisco and ISS, but, according to various sources, Cisco got cold feet and wanted the presentation canceled, and ISS acquiesced. But Lynn saw a higher calling, because recently (for the second time) the source code for IOS, the operating system that runs Cisco routers, was stolen.

Lynn asked his audience, "Can anyone think why you would steal [the source code] if not to hack it?" He continued, "I'm probably about to be sued to oblivion. [But] the worst thing is to keep this stuff secret."

Whether vulnerabilities should be revealed has been a hot topic over the last few years, and that is precisely the reason that Lynn's discussion of the IOS vulnerability was equivalent to him jumping in front of a freight train. His personal train is labeled Cisco and ISS.

As a result of going public with this information Lynn faces litigation from Cisco and ISS. And even the organizers of the Black Hat event (which thought Lynn's presentation was going to be about VoIP) are being sued.

It doesn't take a mental giant to see there is no value in keeping vulnerabilities like this secret. In fact, there's actually a profound, tangible risk that a disaster could well be lying in wait from our ignorance. You know the old saying: "It is what you don't know that hurts you."

Lynn has done us all a great service. What we need are whistle-blower laws for IT to protect people who step forward like this. Unfortunately, when you're in the path of a freight train as Lynn is, it doesn't matter what you know or not. You're going to get hurt.

Do you hear a whistle? Tell backspin@gibbs.com. And check Gearblog for items mentioned in this column. A special thanks to Stephen Cobb for his input.

Learn more about this topic

Researcher at center of Cisco router-exploit controversy speaks out

Copyright © 2005 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022