ISS defends itself over Cisco flaw

Michael Lynn's former employer has insisted it has treated him fairly throughout the Cisco IOS flaw affair, but others in the industry remain unconvinced

ISS has hit back at critics who have accused the company of hypocrisy and thuggish behaviour following a former employee's disclosure of a serious vulnerability in Cisco's router operating system.

Kim Duffy, managing director of ISS Australia, said it was "business as usual" because the company had handled the Michael Lynn affair strictly by the book.

Last week, ISS researcher Lynn delivered a presentation on the Cisco flaw at the Black Hat conference in Las Vegas. He outlined how to attack Cisco's Internetworking Operating System (IOS) to gain control over a router. Cisco routers make up the infrastructure of the Internet and a widespread attack could cause extensive damage, according to experts attending the conference. He also told the audience he quit his job in order to deliver his findings.

Both the networking giant and ISS then took legal action against Lynn and the organisers of the conference. The dispute was settled, with Lynn agreeing not to discuss his presentation further.

"ISS has published rules for disclosure and that is what we stick to. We didn't care to publish [the disclosure] because we were not ready. We had not completed the research to our satisfaction so it was not ready to be disclosed," Duffy told ZDNet UK sister site ZDNet Australia.

Asked why Lynn felt the flaw disclosure was so important that he abruptly resigned, Duffy said: "I can't comment on what he felt. It is up to ISS staff to comply with our own rules."

However, influential names in the IT security industry have publicly criticised ISS and Cisco for the way they handled the affair.

The founder and chief executive of Check Point, Gil Shwed, accused ISS of hypocrisy and using the disclosure of vulnerabilities to drum up business. "It's not for research activities, it's not done to promote the community... it's done for marketing, it's done to promote ISS," he said at a Check Point user event in Bangkok, Thailand.

While ISS has painted Lynn as a breakaway rogue, Shwed and Check Point vice chairman Jerry Ungerman said he merely finished what ISS had started: "Lynn was their employee up until the day he wanted to present. He was working for them for six months and they knew all about it," Ungerman said.

On Cisco's view that Lynn infringed its intellectual property, Shwed said: "It's an embarrassing situation, I don't have a good solution." "I think that violating someone's intellectual property is severe... and I think that's something that every company would protect."

Shwed and Duffy agreed on this point.

"We would take action against any employee who was making unauthorised disclosures or stealing proprietary information — as would any other company," said Duffy.

Earlier this week, security experts Richard Forno and Bruce Schneier both attacked the way the affair was handled. Forno said Lynn was subjected to "heavy-handed" treatment while Schneier said Cisco's customers would not appreciate the truth being "stifled".

While Cisco had made a patch for the IOS vulnerability available months prior to Lynn's presentation, Check Point's Shwed said any effort to block Lynn's presentation was understandable. "No vendor would like to highlight [it] when something goes wrong. [But] the problem with a lot of networking gear is ... once you install it you expect it to be there [and] operate reliably and efficiently for years and you don't want to patch it."

That means patch cycles for networking equipment are slower than those for traditional software applications, a possible reason Cisco wanted to withhold details from the public, despite a patch for the vulnerability having been available for several months. "At the same time, Cisco is not providing maybe all the tools and all the necessary things to fix, [but that] is a different issue," Shwed said.

On Tuesday, AusCERT sent out an alert to highlight the severity of the vulnerability and urge administrators to install the latest OS in their routers.

Patrick Gray travelled to Bangkok as a guest of Check Point Software.

Munir Kotadia and Patrick Gray reported for ZDNet Australia.