Michael Lynn was a security researcher for Internet Security Systems (ISS) until last week when he resigned. Having provided Cisco with a report that clearly outlined a security flaw in its router operating system last April, Lynn was reportedly frustrated with the networking giant’s slow response and decided the right thing to do was to expose a core vulnerability in the internet’s infrastructure. And that’s just what he did at the Black Hat security conference.
In a conference session, Lynn demonstrated how one could exploit a known security flaw on Cisco routers, in effect taking them over and potentially disrupting traffic on the internet, by executing arbitrary code on the Cisco equipment. Lynn told the session attendees that he had quit his job at ISS after the company decided to cancel the previously scheduled session. Session notes for Lynn’s presentation, “The Holy Grail: Cisco IOS Shellcode and Remote Execution,” were removed from the conference proceedings, reportedly by Cisco employees. “I feel I had to do what’s right for our country and the national infrastructure,” said Lynn, addressing the Black Hat conference attendees. “It has been confirmed that bad people are working on this [compromising Cisco’s IOS router operating system]. The right thing to do here is to make sure that everyone knows that it’s vulnerable.”
Internet Security Systems representatives told CNET that Lynn’s presentation was cancelled because “it wasn’t ready yet.” That’s apparently not the full story. “[A] source close to the Black Hat organization said that it wasn’t ISS and Lynn who wanted to cancel the presentation, but Cisco,” according to the CNET report. “The research is very important, and the underlying work is important, but we need to work with Cisco to determine the full impact,” ISS chief technology officer Chris Rouland told the online technology news publication.
As a result of Lynn’s presentation, Cisco and ISS jointly filed for a temporary restraining order preventing Lynn and Black Hat security conference organizers from “further disclosing proprietary information belonging to Cisco and ISS.” A Cisco representative told CNET, “the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual property rights.” According to Security Focus, the court filing was the end result of “three weeks of intense discussions between ISS, researcher Lynn, Cisco, and conference management.”
Later, Lynn said in a press conference that he had reached a settlement with Cisco and agreed to a permanent injunction barring him from talking publicly any more about the research. So we’ll never know just what laws Cisco thought Lynn broke. Under the order, Black Hat security conference management agreed to surrender videos and printed copies of Lynn’s presentation. Lynn reiterated that he believed his actions helped protect the national infrastructure.
Proving that no good work goes unpunished, Lynn’s reward for this courageous act is apparently an FBI investigation. Kim Zetter, writing for Wired News, reports that Lynn is being investigated by the FBI for violating trade secrets belonging to Internet Security Systems, his former employer.
News of Lynn’s public-interest disclosure traveled quickly across the internet, and this interesting whistle-blower profile would end here except for the fact that BusinessWeek decided to amplify Cisco’s corporate line, publishing a wildly inaccurate (and still uncorrected) account of the events. Steve Hamm, writing for BusinessWeek, reports that Michael Lynn was fired from Internet Security Systems. Lynn resigned. Hamm reports that Lynn should have informed Cisco of the vulnerability. Lynn did, in fact, inform the networking giant of the flaw in its operating system—four months ago. Finally, Hamm opines that “anybody who plans this sort of caper in the future might think better of it.” Lynn’s a hero and should be applauded for his actions. We need more like him. Cisco needs to fix its software and BusinessWeek needs to find some journalists with a clue. Hamm’s story should be retracted and an apology issued to Lynn. And BusinessWeek wonders why no one takes corporate media seriously any longer.
The fact remains Lynn’s research reveals that Cisco’s routers are vulnerable to exploits, that Cisco knows this, and has for four months failed to fix it. It’s important to realize that what Lynn demonstrated was not a new exploit; it was merely a new way to exploit a known vulnerability that Cisco had supposedly already addressed. As one Slashdot reader commented, it’s time that public companies disclose their activities in these areas with all the accuracy and timeliness required for corporate financial filings.