ISS defends itself over Cisco flaw

Summary: Michael Lynn's former employer has insisted it has treated him fairly throughout the Cisco IOS flaw affair, but others in the industry remain unconvinced

ISS has hit back at critics who have accused the company of hypocrisy and thuggish behaviour following a former employee's disclosure of a serious vulnerability in Cisco's router operating system.

Kim Duffy, managing director of ISS Australia, said it was "business as usual" because the company had handled the Michael Lynn affair strictly by the book.

Last week, ISS researcher Lynn delivered a presentation on the Cisco flaw at the Black Hat conference in Las Vegas. He outlined how to attack Cisco's Internetworking Operating System (IOS) to gain control over a router. Cisco routers make up the infrastructure of the Internet and a widespread attack could cause extensive damage, according to experts attending the conference. He also told the audience he quit his job in order to deliver his findings.

Both the networking giant and ISS then took legal action against Lynn and the organisers of the conference. The dispute was settled, with Lynn agreeing not to discuss his presentation further.

"ISS has published rules for disclosure and that is what we stick to. We didn't care to publish [the disclosure] because we were not ready. We had not completed the research to our satisfaction so it was not ready to be disclosed," Duffy told ZDNet UK sister site ZDNet Australia.

Asked why Lynn felt the flaw disclosure was so important that he abruptly resigned, Duffy said: "I can't comment on what he felt. It is up to ISS staff to comply with our own rules."

However, influential names in the IT security industry have publicly criticised ISS and Cisco for the way they handled the affair.

The founder and chief executive of Check Point, Gil Shwed, accused ISS of hypocrisy and using the disclosure of vulnerabilities to drum up business. "It's not for research activities, it's not done to promote the community... it's done for marketing, it's done to promote ISS," he said at a Check Point user event in Bangkok, Thailand.

While ISS has painted Lynn as a breakaway rogue, Shwed and Check Point vice chairman Jerry Ungerman said he merely finished what ISS had started: "Lynn was their employee up until the day he wanted to present. He was working for them for six months and they knew all about it," Ungerman said.

On Cisco's view that Lynn infringed its intellectual property, Shwed said: "It's an embarrassing situation, I don't have a good solution. I think that violating someone's intellectual property is severe... and I think that's something that every company would protect."

Shwed and Duffy agreed on this point.

"We would take action against any employee who was making unauthorised disclosures or stealing proprietary information — as would any other company," said Duffy.

Earlier this week, security experts Richard Forno and Bruce Schneier both attacked the way the affair was handled. Forno said Lynn was subjected to "heavy-handed" treatment while Schneier said Cisco's customers would not appreciate the truth being "stifled".

While Cisco had made a patch for the IOS vulnerability available months prior to Lynn's presentation, Check Point's Shwed said any effort to block Lynn's presentation was understandable. "No vendor would like to highlight [it] when something goes wrong. [But] the problem with a lot of networking gear is ... once you install it you expect it to be there and operate reliably and efficiently for years and you don't want to patch it."

That means patch cycles for networking equipment are slower than those for traditional software applications, a possible reason Cisco wanted to withhold details from the public, despite a patch for the vulnerability having been available for several months. "At the same time, Cisco is not providing maybe all the tools and all the necessary things to fix, [but that] is a different issue," Shwed said.

On Tuesday, AusCERT sent out an alert to highlight the severity of the vulnerability and urge administrators to install the latest OS in their routers.

Patrick Gray travelled to Bangkok as a guest of Check Point Software.

Munir Kotadia and Patrick Gray reported for ZDNet Australia.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Talkback

2 comments
  • The security industry protects its own. Mike Lynn is one of its own. As you can see from Cisco's site getting hacked, the backlash is already occurring. It's only a matter of time till the exploit is reproduced and released into the wild. Using tactics like they're using, they deserve nothing less than they get. End of story.
    anonymous
  • Who is it that we believe then?

    http://www.wired.com/news/privacy/0,1848,68365,00.html?tw=wn_story_page_prev2
    anonymous