Bitland.Net Security Notes
Comments? email jwilkins-at-bitland*net
More information on the author at Jonathan Wilkins's home page.
RSS feed available at http://www.bitland.net/index.rss
Comments on the Cisco Debacle (2005/08/04 14:30)
Update: I just read that Cisco had paid ISS to do the research; if this is true, the following doesn't apply. I've only heard it from one source though.

Michael Lynn released some information on reliable exploitation of Cisco IOS vulnerabilities at this year's Black Hat. He did so over the objection of the company that paid him to do the research and also against Cisco's wishes.

Firstly, some links, with full background:
Boing Boing's coverage
Schneier's comments
Tom's comments

My opinion is that Cisco has made some huge mistakes in handling this incident. Firstly, they sued a security researcher. That's definitely going to cause them a huge amount of pain over the next weeks and months as more and more researchers go after them. Outside of branding your products "Unbreakable", suing researchers is the fastest way to paint a giant bullseye on your back.

Secondly, they tried to cover up the research. Everyone close to the industry knows that pretty much any type of vulnerability is exploitable given time. Most are aware that this isn't the first Cisco IOS overflow. FX of Phenoelit spoke a couple of years ago about exploiting them. The only difference is that Michael was able to prevent the box from rebooting by killing off the heap checker and to spawn a shell. If Cisco had just kept their mouths shut, this would have gotten almost no press. I was planning on skipping the talk entirely (because I saw FX's talk) until I heard about Cisco's efforts to suppress it.

Cisco has also managed to annoy various government agencies that are concerned with critical infrastructure protection. Cisco had an obligation to disclose information like that revealed in Lynn's talk, and it's clear that they didn't notify a large number of interested agencies.

ISS has also managed to severely damage themselves. They basically asked one of their researchers to do some outstanding work and then, at the last minute, caved to a vendor over a presentation that didn't actually release new vulnerability information. That's the truly insane part. All of this uproar is over someone saying that you can exploit Cisco hardware: something anyone involved in security has had to assume since Cisco started shipping gear, and that most people knew was confirmed two years ago. Despite this, ISS demonstrated that they were willing to kowtow to a vendor over a well-known fact. ISS's credibility as a vulnerability research organization is pretty much gone. I predict that a large number of their employees will leave over the next year.

Tom argues that ISS had no choice in the matter. I disagree. I don't see why Cisco has a case against them at all. Security companies do security research all the time and release the results. They didn't have to agree to be quiet in the first place. It was only after they agreed to quash the research that they ran into trouble. They also make it easier for future companies to pull the same trick. Next time ISS is about to release an advisory, the vendor just says that they'll sue and watches as ISS drops it.

As for Lynn, I'm pretty sure that he did the right thing. As he saw it, Cisco had this huge vulnerability that they were about to make much worse (by deploying a feature that would make worms trivial to write), and they were obviously willing to hide the research from thousands of security professionals and government agencies that had a need to know. He did violate his NDA with ISS, but I would have thought that ISS's stance on the issue would be much different. Caving in to vendor pressure like this damages them enormously.
[Security]
Running WindowsXP with no services (2005/08/04 13:10)
Slashdot pointed out some new work by Mark Russinovich of SysInternals. Mark managed to successfully kill off all services except System and Csrss and leave the system in a stable state. Read Running Windows With No Services.
[Microsoft]