Cisco's Black Hat Actions Spark Mixed Reactions

July 29, 2005

By Elizabeth Millard,1895,1841834,00.asp

The wrangle between Cisco and a former ISS researcher has caused mixed reactions about responsible disclosure, Cisco's security patch policies, and even the strength of the Internet itself.

The ongoing drama started during the Black Hat Briefings conference held this week in Las Vegas. Internet Security Systems Inc. researcher Michael Lynn was scheduled to reveal a serious flaw in Cisco Systems Inc.'s IOS (Internet Operating System), and when Cisco and ISS tried to prevent him from speaking, Lynn quit his job and gave the speech anyway.

Lynn's presentation seems to have revived the now-classic debate over whether security vulnerabilities should be publicly disclosed, and what role vendors like Cisco should take.

"What purpose does it serve to reveal flaws publicly?" asked David McClure, president and CEO of the U.S. Internet Industry Association. "I think you have to ask about Lynn's motivations. If he's trying to make the point that software and hardware systems can be vulnerable, that's really old news."

McClure believes that relaying information about the IOS flaws is simply a way of encouraging more people to launch attacks.

Others disagree, and see Lynn as a victim of Cisco's heavy-handed approach to control its security information.

"I admire the guy for being brave," said Lisa Bickford, president of InReach Internet, and a board member of the California ISP Association. "It's not easy to quit your job, but he stood by his principles. I think Cisco has some egg on its face."

The presentation has also raised issues about whether Cisco is being diligent enough about patching its vulnerabilities.

Although the IOS issue covered by Lynn was patched, the scrap has caused some ISPs to see Cisco differently.

"It seems a little ironic that Cisco, which is well known for fixing things and paying attention, tried to stifle this guy who was talking about a flaw that's been patched," said Bickford. "I run a Cisco shop, so I have to be honest, it makes me a little concerned."

Others are not as wary of how Cisco is doing its security. Forrester analyst Laura Koetzle pointed out, "When Cisco issues a patch, it works. And that goes a long way."

"Cisco does release its vulnerability information responsibly and with some frequency. So it's not a surprise that they're releasing [notice of] a code execution point vulnerability to be fixed," said said Bill Woodcock, research director with the nonprofit Internet routing education group Packet Clearing House. "Now, was Cisco pushed into it? Who knows? Perhaps [it] would have released a fix in a week or two later if [Lynn] hadn't said something about it."

"The unfortunate thing is perhaps Cisco would have been able to do more testing on it. And there aren't any known exploits of this [vulnerability]. When there are exploits then everyone has to act in a hurry. But when there aren't known exploits, then it's better to have everything locked up solidly before announcing the vulnerability," he said.

"All in all, this isn't really a bad vulnerability. The potential risk is high but the chance of it ever being exploited is very low—it's rather complex to take advantage of. Any code execution vulnerability is very hardware dependent and OS dependent. Cisco has so many different versions of OS and hardware that [an attacker] almost have to know the exact configuration [he or she] would be attacking to get anywhere with it," Woodcock said.

Historically, Cisco has a somewhat mixed record when it comes to security patching, according to Burton Group analyst Fred Cohen, who wrote a major report last year on the company's security practices.

Like many other large companies, Cisco has some poorly trained software development staff, and inadequate change control processes, Cohen said.

Although the company has very reliable routers that run large portions of the Internet, it is not yet able to completely fend off malicious attackers, he added.

Another notable discussion point stemming from Lynn's presentation is the security level of the Internet.

On this point there seems to be the most agreement, as many in the industry note that more security is needed.

"Are we secure enough?" said McClure. "Absolutely not. We need to do a much better job in many areas, including the user level, the server level, and in global cooperation."

But there does not seem to be widespread belief that a single attacker is going to bring the Internet to its knees.

"The Internet is not doomed," said Koetzle. "So, that's good news."

main page ATTRITION feedback