By Simon Duddy
Cisco has sued an internet security researcher in a tough response to his publishing a Cisco router security bug against its wishes. The issue has generated furious debate in the world of internet security.
Cisco has sued an internet security researcher for publishing a Cisco router security flaw against its wishes. Researcher Michael Lynn was an employee of security firm ISS when he uncovered the flaw.
ISS and Cisco refused Lynn permission to disclose the flaw but Lynn resigned from his post at ISS and gave a presentation on the flaw at the Black Hat Briefings conference on 27 July in Las Vegas. The presentation gave a demonstration of how to exploit the flaw.
The issue has assumed importance because of Lynn’s insistence that he was acting out of concern for national security. This is not as far-fetched as it might seem, as a large percentage of internet traffic relies on Cisco routers to reach its destination.
Cisco has responded in two ways: first by taking legal action against Lynn, and second by releasing a security advisory for the flaw, which can be found at www.cisco.com/en/US/products/products_security_advisory09186a00804d82c9.....
In a statement, Cisco said the Federal District Court’s issuance of a permanent injunction against Michael Lynn and Black Hat was to prevent further disclosure of code and code pointers that could aid in the development of an exploitation of a network infrastructure.
Cisco said that it did not object to a flaw being identified but took action because Lynn and Black Hat “chose to address the issue outside of established industry practices and procedures for responsible disclosure… [which] was not in the best interest of protecting the internet.”
Cisco’s legal action has generated furious debate in the world of internet security, and highlights the tension between vendors and the security researchers who uncover and disclose flaws. Indeed, even many observers sympathetic to Cisco’s plight have said that the legal action was counter-productive.
Hatem Al-Sibai, the chief information officer (CIO) at the Al Ghurair Group, felt that the action would attract the attention of hackers, who would find it rewarding to write malicious code for this exploit.
“Furthermore, Cisco's legal action against Mr Lynn rewards him by giving him instant fame of global magnitude, which may very well be the real motive behind the disclosure. I think Mr Lynn's disclosure is an irresponsible but legal behavior,” he stated.
On the question of whether network professionals deserved to know about the bug, Al-Sibai felt this was a difficult question to answer, but he strongly favours the controlled release of security flaw information.
“The ideal situation for network managers is to be able to patch routers before public disclosure of the exploit. This means that Cisco would keep a lid on this exploit until they have concrete plans for the roll-out of patches to affected customers around the world. At that time, Cisco should disclose complete information about the exploit and urge users to patch affected products according to a predetermined and simple procedure. This would shorten the time between public exposure of the exploit and patching affected routers, thus reducing the possibility of malicious code appearing,” he explained.
Other commentators have voiced concerns that the action could gag potential whistleblowers and that undisclosed flaws could prove more dangerous to the internet in the long run.
“This certainly puts a chill on having those professional researchers who care about their clients and about the ethics of disclosure,” said security consultant Robert Hillery.
“But I do not believe that is the only problem. It will mean that the network and security community may be reluctant to reveal vulnerabilities that large vendors wish to keep under wraps. This will create a false sense of security because these vulnerabilities will remain obscure only to the defenders, not the attackers, who will be handed a greater advantage.”