| |
Wired News: Cisco Security Hole a Whopper
by Rattle at 7:13 pm EDT, Jul 27, 2005 |
Wired just posted the best article so far.. Here are some of the highlights:Lynn likened IOS to Windows XP, for its ubiquity. "But when there is a Windows XP bug, it's not really a big deal," Lynn said. "You can still ship (data through a network) because the routers will transmit (it). How do you ship (data) when the routers are dead?" "Can anyone think why you would steal (the source code) if not to hack it?" Lynn asked the audience, noting that it took him six months to develop an attack to exploit the bug. "I'm probably about to be sued to oblivion. (But) the worst thing is to keep this stuff secret." "There are people out there looking for it, there are people who have probably found it who could be using it against either national infrastructure or any enterprise," said Ali-Reza Anghaie, a senior security engineer with an aerospace firm, who was in the audience. During his talk, Lynn demonstrated an attack in real time using his own router, but did not allow the audience to see the steps. The attack took less than a minute to execute. "In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess," Lynn said. "They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."
|
| |
RE: Wired News: Cisco Security Hole a Whopper
by noteworthy at 7:56 am EDT, Jul 28, 2005 |
Rattle wrote:
Wired just posted the best article so far.. Here are some of the highlights:
The Wired News article seems hastily reported and not fact-checked. Zetter refers to "Internet Security Solutions". A single visit to www.iss.net would have indicated otherwise. This is basic. Zetter also refers to IOS as "infrastructure operating system". A visit to cisco.com would show that IOS actually stands for Internetworking Operating System. The "subtle" attacks postulated in the article, such as "reading email" on a router, would dramatically reduce the forwarding capacity of the router. Besides, a router is not responsible for end-to-end data integrity and confidentiality. If your email traffic is properly protected by an application-layer or network-layer tunnel, none of these "subtle" attacks are applicable. Of course, the present fact of the matter is that a lot of Internet email passes through the core in the clear. But this situation is not Cisco's fault, and their direct responsibility for an implementation flaw in IOS is distorted when it is conflated with the collective inaction of the majority who neglect to implement end-to-end security for mission critical applications. The SecurityFocus article has less of this hype, but the editor still missed an error at the end of the article, where "Rather then" should be "Rather than". The SearchSecurity article makes the same error. It must be contagious. I don't know where ComputerWire got the idea that IOS is "supposedly unhackable." Several of their quotes are missing words. (The CRN article is more specific; it reports that IOS was "perceived as impervious to remote execution of arbitrary code from stack and heap overflows." The ComputerWire editors must have decided that description was too complicated for their readers.) There are also discrepancies in the reporting regarding the size of the presentation. One report calls it a 10-page presentation while another says it was 30 pages long. Perhaps it was 30 slides, printed in 3-up handout mode with room for notes? |
|
| |
RE: Wired News: Cisco Security Hole a Whopper
by Dagmar at 11:36 am EDT, Jul 29, 2005 |
Well, here's some news... We're still trying to confirm things, but it appears that the FBI has now begun a *criminal* investigation into Mike Lynn, and we're suspecting that *ISS* (his former employer) is behind it. More details as they become available. |
|
Mike Lynn telling it how it is
by Acidus at 7:20 pm EDT, Jul 27, 2005 |
"But when there is a Windows XP bug, it's not really a big deal," Lynn said. "You can still ship (data through a network) because the routers will transmit (it). How do you ship (data) when the routers are dead?" Lynn decided to speak now, he said, because the source code for Cisco IOS was recently stolen for the second time, and he felt he could no longer remain silent. "Can anyone think why you would steal (the source code) if not to hack it?" Lynn asked the audience, noting that it took him six months to develop an attack to exploit the bug. "I'm probably about to be sued to oblivion. (But) the worst thing is to keep this stuff secret."
|
Wired News: Cisco Security Hole a Whopper
by skullaria at 10:14 pm EDT, Jul 27, 2005 |
Wired just posted the best article so far.. Here are some of the highlights:Lynn likened IOS to Windows XP, for its ubiquity. "But when there is a Windows XP bug, it's not really a big deal," Lynn said. "You can still ship (data through a network) because the routers will transmit (it). How do you ship (data) when the routers are dead?" "Can anyone think why you would steal (the source code) if not to hack it?" Lynn asked the audience, noting that it took him six months to develop an attack to exploit the bug. "I'm probably about to be sued to oblivion. (But) the worst thing is to keep this stuff secret." "There are people out there looking for it, there are people who have probably found it who could be using it against either national infrastructure or any enterprise," said Ali-Reza Anghaie, a senior security engineer with an aerospace firm, who was in the audience. During his talk, Lynn demonstrated an attack in real time using his own router, but did not allow the audience to see the steps. The attack took less than a minute to execute. "In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess," Lynn said. "They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."
lolol@ the name recognition. :) I've seen one of those dudes running around here on memestreams somewhere....now, where'd he go? |
Memestreamer Abaddon Quits Job to Expose Cisco Security Hole at Black Hat Conference
by Elonka at 11:48 am EDT, Jul 28, 2005 |
LAS VEGAS -- A bug discovered in an operating system that runs the majority of the world's computer networks would, if exploited, allow an attacker to bring down the nation's critical infrastructure, a computer security researcher said Wednesday against threat of a lawsuit.
. . .
Michael Lynn, a former research analyst with Internet Security Solutions, quit his job at ISS Tuesday morning before disclosing the flaw at Black Hat Briefings, a conference for computer security professionals held annually here.
. . .
Lynn closed his talk by directing the audience to his resume and asking if anyone could give him a job. "In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess," Lynn said. "They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."
Michael Lynn is a fellow Memestreamer, Abaddon. Pretty gutsy move, quitting his job to give the talk. Speaking of Black Hat, and Def Con, I'm getting ready myself to head to the airport, as I write this. See y'all in Vegas! Elonka :) |
There are redundant posts not displayed in this view from the following users: Dr. Nanochick, wilpig, Neoteric, Dagmar, Opheria.
|
|
