Cisco Systems Inc. would have the world believe that security researcher Michael Lynn is a bad guy. Late last month at the Black Hat conference in Las Vegas, Lynn outlined a method of attack on Cisco routers that could allow hackers to take control of unpatched Cisco boxes.
Instead of being tarred and feathered, Lynn should be hailed a hero. He put his livelihood on the line to expose a serious flaw in Cisco gear that runs not only the networks of most major companies in Canada, the U.S. and the rest of the world, but also provides the underpinnings of the Internet.
Cisco and others have argued that by publicly talking about the flaw, Lynn gave hackers a roadmap showing them how to cripple Cisco networks. The problem with that argument is that much of Lynn’s research, he said, was based on public postings from Chinese hacker boards. So the attack method wasn’t a huge secret. In fact, Lynn didn’t even give specifics of the attack in his presentation, restricting himself to discussing the general method.
Also, Cisco already knew about the weakness and had issued an IOS patch that fixed the problem months ago. Until shortly before the Black Hat conference, Cisco and partner Internet Security Systems (ISS), where Lynn worked, had supported the idea of Lynn discussing the attack at Black Hat.
At the last minute, however, the companies pulled their support. Lynn was set to speak instead about voice over IP. But Lynn decided to discuss the attack method anyway, stating that he felt he’d be helping would-be hackers by keeping his knowledge a secret.
Just before his Black Hat presentation, Lynn resigned from ISS. After his session, he was sued by Cisco and ISS and has since reached an agreement with the two companies. Legally speaking, Lynn did violate non-disclosure agreements about the exploit, so he didn’t have much of a leg to stand on.
But morally speaking he did the right thing.
The question shouldn’t be why Lynn decided to publicly discuss an attack that could potentially cripple or expose thousands of networks around the world, but why Cisco didn’t do a better job of letting its customers know about the problem.
An IOS patch issued by Cisco several months ago addressed the problem discussed by Lynn, according to the company. But unpatched routers would still be vulnerable. After Lynn’s revelations and the resulting firestorm, Cisco issued a security advisory for unpatched routers.
Perhaps Cisco felt that letting all of its customers know about the potential weakness would make the exploit too public and give hackers an edge. But since it appears some hackers had already discovered the attack method, or were on their way to discovering it, keeping customers in the dark seems a dangerous strategy. If customers had been aware of the severity of the problem, it’s likely a lot of those unpatched routers would have been patched and safe from attack.
Keeping potential security breaches secret makes sense until a solution, such as a patch, has been created. After that companies like Cisco should do everything in their power to make sure their customers know about the potential breach and how to plug it. Pretending a problem doesn’t exist at all helps no one except the hackers.