Hackers Working On Cisco Exploit

Late Friday, a law firm representing Internet Security Systems (ISS), the Atlanta security firm whose former employee disclosed a new attack technique on Cisco routers, forced some Web sites to pull copies of the worker's analysis.

And over the weekend, the Reuters wire service reported that hackers have started to work on a Cisco router exploit using former ISS employee Michael Lynn's information.

As expected, some sites were served Friday with legal letters demanding that the PDF copy of Lynn's Black Hat presentation be removed, and have complied. The hard copy of the 35-slide presentation, however, is still available elsewhere on the Internet.

Richard Forno, who hosts the Infowarrior site, posted a copy of the fax he received from ISS attorney Andrew Valentine.

"I write to inform you that you are currently hosting website content that contains proprietary information of ISS that was stolen by a former employee," Valentine wrote. "We demand that you take down the posting immediately.

"If the posting is not withdrawn immediately, ISS will be forced to pursue its legal remedies," the fax continued.

Forno complied with the order and removed the PDF from public access.

Other Web sites, however, continue to host the information. As of mid-day Monday, sites such as Cryptome.org, and headissue GmBH, a German consulting firm, offer the file for downloading.

A notice on the Crytome.org site claimed it had not received a "cease and desist" e-mail from ISS, but that may be due to the site's anti-spam filters. "No matter, I never comply with emailed demands like that based on legal advice that most emailed demands are bluffs, and they do come in about once a month," wrote an unnamed representative of Crytome.org on a Q&A page. "Documents are removed from this site only by order served directly by a US court having jurisdiction. No court order has ever been served; any order served will be published here -- or elsewhere if gagged by order. Bluffs will be published if comical but otherwise ignored," the posting continued.

Lynn's briefing on Wednesday of last week on potential exploits of existing vulnerabilities in Cisco's IOS (Internetwork Operating System) led to an injunction against him and the Black Hat conference sought by Cisco and ISS. Thursday, a settlement was reached that required Black Hat to destroy video of the talk and Lynn to hand over all reference materials. Lynn was also forbidden to discuss the exploit technique in the future.

But over the weekend, the Reuters news service reported that security experts and hackers at the DefCon conference, a more informal follow-on to the Black Hat conference, were working on an exploit using Lynn's information.

"The reason we're doing this is because someone said you can't," one hacker told Reuters on condition of anonymity.

Some experts think that the effort will likely be fruitless.

"There wasn't enough [in Lynn's presentation] to craft an exploit easily," said Ken Dunham, senior engineer for the VeriSign/iDefense intelligence team. VeriSign had security employees at the presentation, said Dunham.

"The fact that it made so much news draws attention to Cisco," said Dunham, "and that's a cause for concern. What's out there that we don't know about? But from the information disclosed, it's nothing serious."

Other security experts pointed out that the whole affair shows how far some vendors, such as Cisco, have to go in meeting enterprises' needs for information about potential vulnerabilities and possible exploits.

Although Cisco releases patches for its products -- it put out fixes back in April for the vulnerability Lynn used in his Black Hat demo -- it doesn't regularly issue security advisories that tell customers why the patch is necessary, or what bug is being fixed. Only on Friday, for instance, and because of the Black Hat flap, did Cisco post an advisory on the April vulnerability.

Gartner research director John Pescatore thinks that's the wrong way to handle security.

"Cisco's approach is very common, but it's not the best way to go," he said. "It's much better to give system administrators the right information so that they patch quickly, than to think that disclosing will give the bad guys more information."

Microsoft, said Pescatore, has set the security bar with its predictable patch release schedule, security advisories that tell administrators why they need to patch (or why they don't), and early warnings about potential problems before a patch is available.

"But Microsoft was driven to do that," noted Pescatore. "Microsoft learned the hard way four years ago, with Code Red and Nimda."

Will the Black Hat brouhaha convince Cisco to follow Microsoft's lead? Pescatore says don't count on it.

"It's really expensive to do things like Microsoft's doing them. And it took huge events to get Microsoft to change," said Pescatore. "Cisco can say 'we've never had such a thing happen.'"

Not that that makes it right.

"Microsoft's method has really turned into the exception," concluded Pescatore, "but their way is the way everyone will eventually have to go. Customers will demand it."