“There are, and always have been, people who know how to crash the Internet but have so far chosen not to do so.” — Stephen Cobb, Certified Information Systems Security Professional and author of Privacy for Business
Not many of us would choose to step in front of a freight train going at full speed, but last month at the Black Hat Briefings conference in Las Vegas a gentleman by the name of Michael Lynn did more or less just that. Roughly two hours after his resignation from the company Internet Security Systems (ISS) he gave an unsanctioned talk on a Cisco router vulnerability.
Make no mistake; this was a big deal because this vulnerability is potentially very serious. If some lunatic were to exploit it he could bring down the entire Internet. I’m not exaggerating.
In front of a rapt audience of security wonks, Lynn announced, “I’m not giving you a road map to an exploit; I’m trying to prove to you that I’ve done it.” He then demonstrated the hack — reportedly a buffer overflow exploit — without revealing the exact details. It is reported that the exploit took all of 5 seconds.
What Lynn demonstrated was that he could remotely access a Cisco router and gain the highest level of access, which gave him the ability to do anything from degrading performance or monitoring traffic to disabling the router completely.
The problem is that because much of the Internet relies on Cisco routers, this is pretty serious stuff. Cisco did fix this issue some months ago, but — of course — many companies have yet to upgrade their router firmware. Lynn said if the router owners “upgrade their firmware, they’ll probably be fine.”
The presentation had apparently previously been approved by Cisco and ISS, but, according to various sources, Cisco got cold feet and wanted the presentation canceled, and ISS acquiesced. But Lynn saw a higher calling, because recently (for the second time) the source code for IOS, the operating system that runs Cisco routers, was stolen.
Lynn asked his audience, “Can anyone think why you would steal [the source code] if not to hack it?” He continued, “I’m probably about to be sued to oblivion. [But] the worst thing is to keep this stuff secret.”
Whether vulnerabilities should be revealed has been a hot topic over the last few years, and that is precisely the reason that Lynn’s discussion of the IOS vulnerability was equivalent to him jumping in front of a freight train. As a result of going public with this information Lynn faces litigation from Cisco and ISS. And even the organizers of the Black Hat event are being sued.
It doesn’t take a mental giant to see there is no value in keeping vulnerabilities like this secret.
In fact, there’s actually a profound, tangible risk that a disaster could well be lying in wait from our ignorance.
Do you hear a whistle? Tellbackspin @gibbs.com.