Stepping in front of the freight train

“There are, and always have been, people who know how to crash the Internet but have so far chosen not to do so.” — Stephen Cobb, Certified Information Systems Security Professional and author of Privacy for Business

Not many of us would choose to step in front of a freight train going at full speed, but last month at the Black Hat Briefings conference in Las Vegas a gentleman by the name of Michael Lynn did more or less just that. Roughly two hours after his resignation from the company Internet Security Systems (ISS) he gave an unsanctioned talk on a Cisco router vulnerability.

Make no mistake; this was a big deal because this vulnerability is potentially very serious. If some lunatic were to exploit it he could bring down the entire Internet. I’m not exaggerating.

In front of a rapt audience of security wonks, Lynn announced, “I’m not giving you a road map to an exploit; I’m trying to prove to you that I’ve done it.” He then demonstrated the hack — reportedly a buffer overflow exploit — without revealing the exact details. It is reported that the exploit took all of 5 seconds.

What Lynn demonstrated was that he could remotely access a Cisco router and gain the highest level of access, which gave him the ability to do anything from degrading performance or monitoring traffic to disabling the router completely.

The problem is that because much of the Internet relies on Cisco routers, this is pretty serious stuff. Cisco did fix this issue some months ago, but — of course — many companies have yet to upgrade their router firmware. Lynn said if the router owners “upgrade their firmware, they’ll probably be fine.”

The presentation had apparently previously been approved by Cisco and ISS, but, according to various sources, Cisco got cold feet and wanted the presentation canceled, and ISS acquiesced. But Lynn saw a higher calling, because recently (for the second time) the source code for IOS, the operating system that runs Cisco routers, was stolen.

Lynn asked his audience, “Can anyone think why you would steal [the source code] if not to hack it?” He continued, “I’m probably about to be sued to oblivion. [But] the worst thing is to keep this stuff secret.”

Whether vulnerabilities should be revealed has been a hot topic over the last few years, and that is precisely the reason that Lynn’s discussion of the IOS vulnerability was equivalent to him jumping in front of a freight train. As a result of going public with this information Lynn faces litigation from Cisco and ISS. And even the organizers of the Black Hat event are being sued.

It doesn’t take a mental giant to see there is no value in keeping vulnerabilities like this secret.

In fact, there’s actually a profound, tangible risk that a disaster could well be lying in wait from our ignorance.

QuickLink: 057748

Do you hear a whistle? Tellbackspin @gibbs.com.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now